Bills Digest no. 55, 2016–17
Mary Anne Neilsen
Law and Bills Digest Section
25 January 2017
Contents
Purpose of the Bill
Structure of the Bill
Privacy Act: outline
De-identification of personal information
Committee consideration
Senate Standing Committee on Legal and Constitutional Affairs
Senate Standing Committee for the Scrutiny of Bills
Policy position of non-government parties/independents
Position of major interest groups
Financial implications
Statement of Compatibility with Human Rights
Parliamentary Joint Committee on Human Rights
Key issues and provisions
Re-identification of de-identified personal information
Application
Offences and civil penalty provisions
Comment
Retrospective application of the offences and civil penalties
Threshold issue—criminalisation v civil penalties alone
Elements of the prohibitions in proposed subsections 16D(1) and 16E(1)
‘Publication’ v ‘disclosure’—proposed section 16E
Remedies—compensation orders against persons convicted of offences
Exemptions for research and other purposes
Comment
Absence of explanation of more limited delegation of legislative power
Other exemptions
Information Commissioner: functions and powers
Comment
Concluding comments
Date introduced: 12 October 2016
House: Senate
Portfolio: Attorney-General
Commencement: The substantive provisions commence the day after Royal Assent. However the new
offences operate retrospectively from 29 September 2016, the day after the
Government announced its intention to introduce the Bill.
Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the
Bill’s home page, or through the Australian Parliament website.
When Bills have been passed and have received Royal Assent,
they become Acts, which can be found at the Federal Register of Legislation
website.
All hyperlinks in this Bills Digest are correct as
at January 2017.
Purpose of the Bill
The purpose of the Privacy Amendment
(Re-identification Offence) Bill 2016 (the Bill) is to amend the Privacy
Act 1988 in order to introduce provisions which
prohibit conduct related to the re-identification of de-identified personal
information published or released by Commonwealth entities.
Structure of the Bill
The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in
Schedule 1 is item 5 which inserts into Part III new Division 3 titled ‘Re-identification of de-identified personal
information’. This new Division contains the substantive elements of the
re-identification offence provisions.
Background
The Privacy Act regulates how personal
information is handled. Personal information is defined under the Act as:
... information or an opinion, whether true or
not, and whether recorded in a material form or not, about an identified
individual, or an individual who is reasonably identifiable.[1]
Common examples are an individual’s name, signature,
address, telephone number, date of birth, medical records, bank account details
and commentary or opinion about a person.
The Australian Privacy Principles (APPs),
which are contained in Schedule 1 of the Privacy Act, outline how most
Australian Government agencies, all private sector and not-for-profit
organisations with an annual turnover of more than $3 million, all private
health service providers and some small businesses (collectively called ‘APP
entities’) must handle, use and manage personal information. (Section 15 of the
Privacy Act provides that an APP entity must not do an act, or engage in
a practice that breaches an APP. Contravention of the APPs may be the subject
of a complaint to the Privacy Commissioner and potential investigation under
Part V. In some cases, contraventions may be subject to the civil penalty
provision in section 13G for serious and repeated interferences with privacy,
which is subject to a maximum pecuniary penalty of 2,000 penalty units or $360,000.)
The Privacy Act also includes a wide range of
exemptions and exceptions for particular acts and practices and they are found
throughout the Act, in the definition of some terms, in specific exemption provisions,
and in the APPs themselves. Some of these exemptions, such as the small
business exemption, the political party exemption, the employee record
exemption, exemptions relating to journalists and members of parliament were
controversial when introduced and enacted in 2000 and have remained so since
then.[2]
The APPs support de-identification of
personal information in specified circumstances. For example, if an entity to
which the Privacy Act applies no longer needs personal information for
any purpose for which it was collected or may be used, the entity must take
reasonable steps to destroy or de-identify the information (APP 11.2). The
credit reporting scheme in Part IIIA also contains civil penalty provisions in
relation to credit reporting bodies that fail to destroy certain credit-related
information or ensure it is de-identified at the end of a mandatory retention
period prescribed by Part IIIA. These provisions impose a maximum pecuniary
penalty of 1,000 penalty units or $180,000.[3]
De-identification of personal information
It has been said that de-identification is
one of the most contentious contemporary privacy issues. The debate centres on
whether personal information can ever be truly de-identified.[4]
Under the Privacy Act personal
information is ‘de-identified’ if the information is no longer about an identifiable
individual or an individual who is reasonably identifiable.[5]
De-identification involves removing or
altering information that identifies an individual or is reasonably likely to
do so. Generally, de-identification includes two steps:
- removing personal identifiers, such as an individual’s name,
address, date of birth or other identifying information, and
- removing or altering other information that may allow an individual
to be identified, for example, because of a rare characteristic of the individual,
or a combination of unique or remarkable characteristics that enable
identification.[6]
De-identified data is also known as anonymised
data.
The Office of the Australian Information
Commissioner (OAIC) states that while de-identification can be effective in
preventing re-identification of an individual, it may not remove that risk
altogether. There may, for example, be a possibility that another dataset or
other information could be matched with the de-identified information. OAIC therefore
advises that the risk of re-identification must be actively assessed and
managed to mitigate this risk. This should occur both before an information
asset is de-identified and after disclosure of a de-identified asset.[7]
Re-identification is the process of associating an
identity with information that has previously been de-identified. It is one of
the greatest challenges to the integrity of the de-identification process and
generally occurs through:
- poor de-identification: where identifying information is inadvertently left in the data
- data linkage: it can be possible to re-identify individuals by linking a de-identified dataset with an
‘auxiliary dataset’.[8]
The benefits of responsible, appropriate and effective
de-identification processes are said to be that they can enable the publication
of major datasets enabling ‘the government, policymakers,
researchers, and other interested persons to take full advantage of the
opportunities that new technology creates to improve research and policy
outcomes’.[9]
On 7 December 2015, the Australian
Government released its Public Data Policy Statement as part of the National
Innovation and Science Agenda. The Policy Statement
commits Commonwealth Government entities to:
- specific actions designed to optimise the use and reuse of public data
- release non-sensitive data as open by default
- collaborate with the private and research sectors to extend the value
of public data for the benefit of the Australian public.
The Statement points to the benefits of use
of public data stating:
The data security and privacy of all
Australians is of the highest importance. The government will always adhere to
privacy laws and the highest possible security standards. Non-sensitive public
data can, however, be of enormous benefit to the Australian economy.[10]
On 28 September 2016 the Attorney-General
announced that the Privacy Act would be amended in order to improve
protections of anonymised datasets published by the Commonwealth Government. The amendment would
create a new criminal offence of re-identifying de-identified government data.
It would also be an offence to counsel, procure, facilitate, or encourage
anyone to do this, and to publish or communicate any re-identified dataset. The
legislative change, which the Attorney-General said would be introduced in the
Spring Sittings of Parliament, would provide that these offences take effect
from the day of this announcement.[11]
In justifying the need for these amendments,
the Attorney-General referred to the Government’s Public Data Policy Statement
and also to the need to balance open data with privacy protection:
Our ability to deliver better policies and to
solve many of the great challenges of our time rests on the effective sharing
and analysis of data. For this reason, the Coalition Government has promoted
the benefits of open government data, in accordance with the Australian
Government Public Data Policy Statement, and published anonymised data on data.gov.au.
...
In accepting the benefits of the release of
anonymised datasets, the Government also recognises that the privacy of
citizens is of paramount importance.
It is for that reason that there is a strict
and standard government procedure to de-identify all government data that is
published. Data that is released is anonymised so that the individuals who are
the subject of that data cannot be identified.
However, with advances of technology, methods
that were sufficient to de-identify data in the past may become susceptible to
re-identification in the future. [12]
Media and other reports suggested that the Attorney-General’s
announcement was in fact triggered by a recent Department of Health data breach
involving Medicare and Pharmaceutical Benefit Scheme (PBS) data. On 29 September
2016, the day after the Attorney-General’s announcement, the Department of
Health issued a media release stating it had removed a research dataset
based on Medicare and PBS claims from its open data portal after a team of
Melbourne researchers alerted the Department that their research revealed that medical
practitioner details could be decrypted.[13]
In a separate statement the researchers explained their research methods, also
stating that publishing data can be a great risk to privacy:
Publishing data can bring great benefits to
research but also great risks to privacy. The mathematical details matter: it’s
a technically challenging task to understand whether a particular algorithm
securely encrypts data or not. Datasets containing sensitive information about
individuals clearly deserve more caution than others, and may not always be
suitable for open public release.
The Australian Government’s open data program
provides numerous benefits, allowing better decisions to be made based on
evidence, careful analysis, and widespread access to accurate information.
Decisions about data publication itself should
follow the same philosophy.
We have some important decisions to make about
what personal data to publish and how it should be anonymised, encrypted or
linked. Making good decisions requires accurate technical information about the
security of the system and the secrecy of the data.[14]
Committee consideration
Senate Standing Committee on Legal and Constitutional Affairs
On 9 November 2016, the Selection of Bills Committee referred
the Bill to the Legal and Constitutional Affairs Legislation Committee for
inquiry and report by 7 February 2017.[15]
Details are available at the inquiry
webpage.[16]
Submissions to this inquiry are referred to below.
Senate Standing Committee for the Scrutiny of Bills
The Senate Standing Committee for the Scrutiny of Bills
reported on the Bill in its Alert Digest of 9 November 2016.[17]
The Committee raised some concerns with the Bill. In particular, the Committee
sought from the Attorney-General:
- further advice on why the retrospective criminal offences are
appropriate
- further justification for reversing the evidential burden of proof for a person relying
on the defences to offences for re-identifying de-identified personal
information and the disclosure of re-identified information
- further justification as to the breadth of the Minister’s
discretionary power to determine that an entity is exempt for the purposes of
the criminal and civil penalty provisions relating to the re-identification of
personal information and its use; and whether consideration has been given to
whether it is possible to more narrowly define the offence and civil penalty
provisions so that research which is in the public interest is less likely to
fall within them.[18]
The Attorney-General, in response, reiterated views put in
the Explanatory Memorandum and his Ministerial press release.[19]
In relation to the retrospective criminal offences the
Attorney-General defended them arguing that the retrospective application was
made very clear in his Ministerial statement of 28 September and as a result
‘entities were clearly given notice that this particular conduct will be made
subject to offences from that time’.[20]
The Committee responded reiterating its long-standing scrutiny concern that
‘legislation by press release’ challenges a basic value of the rule of law. The
Committee therefore draws its concerns about the retrospective aspect of these
criminal offences to the attention of the Senate as a whole.[21]
In justifying the reversal of the
evidential burden of proof for the various exceptions to the offence provisions,
the Minister argued that an accused entity is in the best position to discharge
the burden of proof for these exceptions and furthermore this reversal is
consistent with the principles set out in the Guide to Framing Commonwealth
Offences, Infringement Notices and Enforcement Powers (the Guide). The
Committee in response argued that it appears the reversals of the evidential burden
of proof may not be framed in accordance with the relevant principles in the Guide.
The Committee also requested that the key information provided by the
Attorney-General to the Committee be included in the Explanatory Memorandum to
the Bill.[22]
In relation to the Minister’s discretionary
power to determine exemptions in proposed section 16G, the Attorney-General
argued that the current breadth of the exemption is appropriate. He is of the
view that given the narrow scope of the proposed offences, he does not expect
there will be a large number of entities who will need exemptions for research
in the public interest. The Committee in response asked that the information
provided by the Attorney-General be included in the Explanatory Memorandum and
reiterated its previous view that it is appropriate that Parliament define the
boundaries of criminal wrong-doing rather than leaving these boundaries to
depend (in part) on executive decision-making.[23]
Policy position of non-government parties/independents
At the time of writing, the Labor Party has not expressed a
public view on the Bill; however, Shadow Minister for Health Catherine King was
critical of the Government’s handling of the health data breach that occurred
in September 2016. Ms King said that ‘the Government’s 17 day delay in
admitting to a breach of health data under their watch is unacceptable’.[24]
Ms King stated:
According to reports today, there were 1500 downloads of the
data set, with the records containing details of prescriptions and procedures that
could reveal extremely sensitive health information.
The Health Minister's failure to stand up and give
Australians basic details about this breach is appalling.
It's no wonder the Attorney-General is dragging his feet to
introduce mandatory reporting of data breaches, when his own Government waits
17 days to admit to a data breach, and doesn't commit to informing everyone
affected.[25]
At the time of writing the position of the cross bench
members and senators is not known.
Position of major interest groups
At the time of the Attorney-General’s initial policy announcement,
some IT journalists expressed concern focusing mainly on the impact of the
proposed offences on genuine researchers such as the group from Melbourne
University who had discovered the Department of Health data breach.
For example, Digital Rights Watch, a non-profit
organisation established in 2016 to promote human rights in the digital
environment, was quoted as saying the policy announcement was deeply
concerning:
Digital Rights Watch have raised deep concerns over proposed
changes to the Privacy Act, citing the need for community and expert
consultation before any legislation is introduced.[26]
Digital Rights Watch Chair, Mr Tim Singleton Norton
stated:
This move is extremely concerning and seems to be preemptive
of the work of the Productivity Commission and its inquiry into data
availability and use. The Minister is alluding to potentially a very broad
offence of ‘facilitating’ re-identification ...
The specific wording of ‘counsel, procure, facilitate or
encourage’ will need to be framed carefully to exclude innocent acts, such as
rigorous penetration testing of encryption software. Likewise, the whole area
of research into de-identification research, such as that undertaken by the
CSIRO, could be jeopardised through heavy-handed legislation.
The Attorney General states that with advances of technology,
methods that were sufficient to de-identify data in the past may become
susceptible to re-identification in the future. That’s absolutely correct – the
SLK581 keys purported to be used in the recent Census have already been shown
to be ineffective at anonymising personal data ...
Criminalising security testing is the wrong way to increase
security. The Government should instead focus on ensuring that data is not
collected or stored in forms that allow re-identification. Rather than
concentrating on best practices to address this important issue, this
Government is instead opting to punish anyone who discovers flaws in its
methods.
People in the community who identify weaknesses in government
data management practices, either innocently or actively in the public
interest, should not be treated as criminals. We are all worse off if
vulnerabilities are not disclosed.
As with most legislation, the detail of how these amendments
are framed will be key. This is an important element of privacy law in this
country and must be drafted in consultation with privacy experts and the wider
public that it impacts.[27]
Media, Entertainment & Arts Alliance
(MEAA), the union and industry advocate for Australia’s journalists, also opposed
the Attorney-General’s announcement, stating such a move would undermine
legitimate research, scrutiny and security testing of anonymised data. In a
MEAA media release, the CEO Paul Murphy stated:
Journalists should be able to
scrutinise and report on flaws in government security measures. Proposed
changes to the Privacy Act would now act as a catch-all that would
criminalise legitimate scrutiny and testing of those measures.
Of particular concern is the proposed change
that would make it an offence to ‘counsel, procure, facilitate or encourage’
anyone to re-identify data as well as to publish or communicate a re-identified
data set.
Legitimate public interest journalism and
genuinely well-intentioned innocent activities could be caught up by these
proposed changes ... Journalists working with experts in data security would all
be caught up by these changes simply for seeking to determine if there are
flaws in the security of government data sets. Government should be subject to
legitimate scrutiny and the Privacy Act should not be used to prevent
legitimate investigations in the public interest.[28]
The Senate Legal and Constitutional Affairs Legislation Committee
inquiry into the Bill has received 15 submissions with the majority of these raising
concerns about the Bill.
For example the Law Council of Australia argues there are a
number of concerning features with the Bill. In particular the Law Council noted
that the move to a criminal approach of punishment for re-identification of
data warrants further investigation and testing, not least because of the
higher onus of proof required and the reverse onus provisions. This it is
argued ‘will make enforcement difficult and in some cases virtually
impossible’.[29]
The Law Council, like many submitters to the inquiry, is also opposed to the
enactment of legislation with retrospective effect, particularly in cases that
create retroactive criminal offences or which impose additional punishment for
past offences.[30]
Nor does the Law Council consider the reverse onus provisions are appropriate
and argues they should be removed.[31]
The Office of the Australian Information Commissioner (OAIC),
while ‘recognising that the Bill has the potential to be a privacy-enhancing
tool by providing a deterrent against the intentional re-identification of
certain datasets’, is of the view that ‘the introduction of new criminal
offences and civil penalties, in and of itself, is unlikely to eliminate the
privacy risks associated with the publication of de-identified datasets’.[32]
Rather, the OAIC believes that additional measures will be required for the
policy objective of the Bill to be supported. In particular, agencies need to
implement practices, procedures and systems to ensure that they comply with the
Privacy Act. That includes taking reasonable steps to ensure personal
information is not disclosed through open publication.[33]
The Australian Privacy Foundation is highly critical of
the Bill stating that the proposed offences in the Bill are an ‘inadequate
response to underlying intrinsic vulnerabilities associated with current
de-identification methods which have the potential for re-identification of
personal information as re-identification becomes feasible’. It argues:
The proposed law is misconceived as blunt criminal
prohibitions will inhibit legitimate data security research, including research
into de-identification and re-identification technologies.[34]
The Australian Privacy Foundation raises a number of
specific criticisms including:
- The vesting of too much power in the Attorney-General to approve or disapprove of
entities conducting data security work
- The proposed law will be inapplicable in practice to entities operating overseas
who may be able to re‑identify Australian government data released
publicly
- The measures are a risky policy experiment internationally, given no other
jurisdiction comparable to Australia has any similar laws currently in place
- The measures do not provide any incentives for Australian government agencies to
increase their data security, or investigate and adopt data minimisation, nor
for researchers to announce a vulnerability or breach.[35]
Instead of this Bill, the Australian Privacy Foundation
argues the Australian Government and Parliament should adopt a range of privacy
protective measures including:
[...] introduce tougher data and personal information security
measures and practices in the form of legislation for Australian government
agencies and private sector entities, rewarding discovery of weaknesses in
protection and creative ‘data minimisation’ strategies, with strong penalties
for these organisations in the event of data breaches.[36]
The Committee received a submission from Chris
Culnane, Benjamin Rubinstein and Vanessa Teague, the team of Melbourne
researchers that had alerted the Department of Health to the data breach involving Medicare and PBS data. They argue against the Bill stating:
The threat of jail time discourages
law-abiding Australian researchers and journalists from making the simplest and
most convincing demonstration that a de-identification method has failed. If
the new rules had been in place in September, we would not have discovered the
problem in the MBS/PBS dataset encryption, the dataset would probably still be
up, and the government could be unaware it was insecure.[37]
While agreeing that some uses of re-identified
or incompletely de-identified data should be prohibited, the researchers submit
that there is no good reason to prohibit re-identification itself. Their
submission concludes:
Criminalizing re-identification without a clear and explicit
exemption for research or a defence on the grounds of public interest will be
bad for privacy and information security. It will make the government far less
likely to learn about a problem before criminals and foreign governments do.
The best way to improve protections of anonymised datasets is
to permit free and open re-identification combined with responsible disclosure.[38]
Another report on the Bill suggests a
contradiction in the Government’s policy regarding access to data versus
personal privacy:
One criticism of the ... Bill has been that the
government, while professing its concern for privacy, has been quick to
introduce legislation regulating data access but slow to implement measures
designed to provide checks and balances for such regulation of data.
An example of this is cited by the ZDNet
technology site, which says that while the AG and the government profess
"commitment to Australian citizens' privacy . . ." they have yet to
amend the Privacy Act to implement ". . . a mandatory data-breach
notification scheme for [their] data-retention legislation". In that
respect the Telecommunications (Interception and Access) Amendment (Data
Retention) Act 2015 (Cth), passed by the Australian government in March
2015, came into effect in October 2015 and will result in citizen's ". . .
call records, location information, IP addresses, billing information, and
other data stored for two years by telecommunications carriers, accessible
without a warrant by law-enforcement agencies" and as yet data-breach
notification laws are not in place and it is feared the same might be the case
with respect to the ... Bill. [39]
Financial implications
The Explanatory Memorandum states that the Bill has no
significant impact on Commonwealth expenditure or revenue.[40]
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights
(Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the
Bill’s compatibility with the human rights and freedoms recognised or declared
in the international instruments listed in section 3 of that Act. The
Government considers that the Bill is compatible.[41]
Parliamentary Joint Committee on Human Rights
The Parliamentary Joint Committee on Human Rights
considered the Bill in its ninth report of 2016.[42]
Its main focus was on the retrospective effect of the criminal offences of
re-identifying de-identified government data in proposed sections 16D and 16E.
The Committee observed that Article 15 of the International Covenant on Civil
and Political Rights prohibits retrospective criminal laws and that this
prohibition is absolute and can never be permissibly limited. Accordingly the
Committee requested advice from the Attorney-General as to whether
consideration has been given to amending paragraphs 16D(1)(c) and 16E(1)(c)
such that the offences in these sections operate prospectively, that is from or
after the date of Royal Assent.[43]
The Committee also considered the reverse onus of proof exemptions
to the offences in proposed section 16D and 16E noting that they engage and
limit the right to the presumption of innocence. However, the Committee
concluded that given ‘the nature of the matters to be proven by the defendant
pursuant to the proposed sections, and that the sections impose an evidentiary
burden only ... the measures are likely to be a proportionate limitation on the
presumption of innocence’.[44]
Key issues and provisions
Re-identification of de-identified personal information
Item 5 of Schedule 1 inserts into Part III of the Privacy
Act new Division 3 titled ‘Re-identification of de-identified
personal information’. The new Division, consisting of proposed sections
16CA, 16D, 16E, 16F and 16G, contains the substantive elements of
new re-identification offence provisions prohibiting conduct related to re-identification
of de-identified personal information published or released by Commonwealth
entities.
Application
Proposed section 16CA is an application provision.
Its purpose is to bring certain entities normally exempt from the scope of the Privacy
Act within the scope of the re-identification offence provisions.
Specifically, subsection 7B(1) and paragraph 7(1)(ee) exempt
individuals acting in a non-business capacity from regulation under the Privacy
Act. Proposed paragraph 16CA(1)(a) has the effect of bringing such individuals
within the scope of the re-identification offence and civil penalty provisions
in proposed sections 16D to 16F.
Similarly paragraphs 7B(2)(a) and (b) and paragraph
7(1)(ee) exempt small businesses working as contracted service providers for a
Commonwealth contract from regulation under the Privacy Act in relation
to activities that are not for the purposes of a Commonwealth contract. Proposed
paragraph 16CA(1)(b) has the effect of bringing such small businesses within
the scope of the offence and civil penalty provisions in proposed sections 16D
to 16F.
Note that while small business operators are generally
excluded from the operation of the Privacy Act,[45]
small businesses are to be covered by the re-identification offence provisions.[46]
Offences and civil penalty provisions
Proposed section 16D is a dual offence and civil
penalty provision providing that de-identified personal information must not be
re-identified. More specifically an entity (that is an agency, organisation or a
small business operator[47]) contravenes subsection 16D(1) if it re-identifies de-identified personal
information in the following circumstances:
- information has been published by an agency in a generally available publication[48]
and published on the basis that it was de-identified personal information,[49] and
- on or after 29 September 2016, the entity does an act with the intention of
re-identifying the information,[50] and
- the act has the result that the information is no longer de-identified.[51]
Proposed subsection 16D(6) provides that
contravention of subsection 16D(1) is an offence, punishable by a maximum penalty
of imprisonment for two years or a fine of 120 penalty units ($21,600).[52]
Note 1 to subsection 16D(1) states that the ancillary offence provisions
in Part 2.4 of the Criminal Code (aiding, abetting, counselling,
procuring, incitement, attempt and conspiracy) apply in relation to this
offence. Note 1 is not legally necessary, as it is declaratory of the
application of the extensions of criminal responsibility in Part 2.4 of the Criminal
Code to Commonwealth offences by reason of section 11.6.[53]
The Explanatory Memorandum does not explain why Note 1 has been included. One
possible reason, however, may be a policy intention to give express effect to
the Attorney-General's announcement ‘it will also be an offence to counsel,
procure, facilitate or encourage anyone to do this’.[54]
Proposed subsection 16D(7) provides that an entity
is liable to a maximum civil penalty of 600 penalty units ($108,000) if the
entity contravenes subsection 16D(1). As the Explanatory Memorandum explains,
the civil penalty is intended as an alternative to the criminal penalty for the
same conduct.[55]
Note 2 to subsection 16D(1) confirms that section 80V of the Privacy
Act, dealing with ancillary contraventions of civil penalty provisions also
applies (including aiding, abetting, counselling or procuring a contravention).
The Explanatory Memorandum does not contain an explanation of why this note was
included. The note is legally unnecessary as section 80V applies automatically
to all civil penalty provisions in the Privacy Act. The reference to
section 80V of the Privacy Act in Note 2 will need to be amended
if the Regulatory
Powers (Standardisation Reform) Bill 2016[56]
(presently before the Senate) is passed (Regulatory Powers Bill).[57]
Proposed subsections 16D(2) to 16D(5) set
out the exemptions for the offence and civil penalty provisions. The
prohibition on re-identifying de-identified data will not apply if:
- in the case of an agency, the re-identification was done in connection with the performance of the agency’s functions or activities; or was required or authorised under an Australian law or a court/tribunal order (proposed subsection 16D(2))
- in the case of a Commonwealth contracted service provider to the responsible agency, the re-identification was done for the purposes of meeting (directly or indirectly) a contractual obligation (proposed subsection 16D(3))
- in the case of an entity who has an agreement with the responsible agency, the act was done in accordance with the agreement (proposed subsection 16D(4))
- the entity is exempt because of a section 16G Ministerial determination providing exemptions for research or other purposes the Minister considers appropriate (see below) (proposed subsection 16D(5)).
The defendant to criminal proceedings brought under
proposed subsection 16D(6) would bear an evidential burden in proving that any
of these exemptions applies.[58]
It is also of note that the Regulatory Powers (Standardisation Reform) Bill 2016
(presently before the Senate and referred to above) would, if passed, have some
impact on the exemptions and the required burden of proof in civil penalty
proceedings.[59]
Proposed section 16E is a dual offence and civil
penalty provision, providing that re‑identified personal information must
not intentionally be disclosed. More specifically an entity contravenes subsection
16E(1) if:
- information has been published by an agency in a generally available publication on the basis that it was de-identified personal information and
- on or after 29 September 2016, the entity does an act that has the result that the information is no longer de-identified and
- the entity is aware that the information is no longer de-identified and
- on or after 29 September 2016, the entity discloses the information to a person or entity other than the responsible agency.
The maximum penalty for this offence is imprisonment for
two years or 120 penalty units ($21,600) (proposed subsection 16E(7)). Note
1 to subsection 16E(1) states that the ancillary offence provisions
in Part 2.4 of the Criminal Code (aiding, abetting, counselling,
procuring, incitement, attempt and conspiracy) apply in relation to this
offence. As with subsection 16D(1) above, this note is not legally necessary.[60]
Proposed subsection 16E(8) provides that an entity
is liable to a civil penalty of 600 penalty units ($108,000) if it contravenes
subsection 16E(1). The civil penalty is intended as an alternative to the
criminal penalty for the same conduct. Note 2 to subsection 16E(1)
confirms that the provisions of section 80V of the Privacy Act, dealing
with ancillary contraventions of civil penalty provisions, also apply
(including aiding, abetting, counselling or procuring a contravention). Again
this note is not legally necessary.[61]
Proposed subsections 16E(3) to 16E(6) set
out the exemptions from the offence and civil penalty provisions. The
prohibition on disclosing re-identified data will not apply if:
- in the case of an agency, the disclosure was done in connection with the performance of the agency’s functions or activities; or was required or authorised under an Australian law or a court/tribunal order (proposed subsection 16E(3))
- in the case of a Commonwealth contracted service provider to the responsible agency, the disclosure was done for the purposes of meeting a contractual obligation (proposed subsection 16E(4))
- in the case of an entity who has an agreement with the responsible agency, the disclosure was done in accordance with the agreement (proposed subsection 16E(5))
- the entity is exempt because of a section 16G Ministerial determination providing exemptions for research and purposes the Minister considers appropriate (proposed subsection 16E(6)).
The defendant to criminal proceedings brought under
proposed subsection 16E(7) would bear an evidential burden in proving any of
these exemptions applies.[62]
Proposed subsection 16F provides that an entity
that re-identifies de-identified data, either intentionally or unintentionally,
must notify the responsible agency as soon as practicable after becoming aware
of the re-identification. A maximum civil penalty of 200 penalty units ($36,000)
applies for failure to notify. The provision applies to personal information
re-identified on or after 29 September. The same penalty would also apply for
informing or disclosing to a person or entity other than the responsible
agency. There are exemptions to these offences which essentially replicate the
exemptions that apply in relation to the offences for re-identifying personal
information and for disclosure (described above).
Proposed subsection 16F(9) provides that when an
entity notifies the responsible agency of the re‑identification, the
agency may give the entity written directions for dealing with the information.
Failure to comply with a written direction would incur a maximum civil penalty
of 200 penalty units ($36,000) (proposed subsection 16F(10)). The
responsible agency must also notify the Information
Commissioner of what has occurred (proposed subsection 16F(9)).
Comment
Retrospective application of the offences and civil penalties
Both the offence and the civil penalty provisions relating
to re-identification will apply retrospectively to any contraventions occurring
on or after 29 September 2016, the day after the Government announced the
introduction of the Bill.
While retrospective offences challenge a key element of
the rule of law[63]
and are prohibited under article 15 of the International Covenant on Civil
and Political Rights (ICCPR),[64]
the Government argues that these measures are reasonable and necessary and are
consistent with the prohibition on retrospective criminal laws. They are said
to be reasonable because the Attorney-General’s press release of 28 September
made it abundantly clear that the offences would take effect from the day of that
announcement.[65]
They are argued to be necessary because:
... releases of private information can have significant
consequences for individuals beyond their privacy and reputation, which cannot
be easily remedied. This warrants swift and decisive action by the Government
to prohibit such conduct. Further, the retrospective commencement of the offences
creates a strong disincentive for entities to engage in such conduct while the
Parliament considers the Bill.[66]
However, it could also be argued that until the Bill is
enacted by the Parliament, the exemptions that might be provided for genuine
research via ministerial determination remain unknown and therefore this
retrospective application will in the meantime cause undue inconvenience and
uncertainty for genuine research.
As noted above, the Senate Standing Committee for the
Scrutiny of Bills raised concerns with the retrospective nature of the new
offences, arguing that the rationale provided in the explanatory materials for
the retrospective application of these offences appears to be overly broad and
that the conclusion expressed in the statement of compatibility that the
measures in the Bill are consistent with the prohibition on retrospective
criminal laws has not been adequately explained.[67]
Threshold issue—criminalisation v civil penalties alone
A question that Parliament might consider is whether the
prohibitions in proposed sections 16D and 16E should be the subject of criminal
offences at all, as distinct from the use of civil penalty provisions alone.
The Explanatory Memorandum refers to the general objective
of deterrence but does not specifically address why it is considered necessary
to criminalise the mischief sought to be addressed by the enactment of offences
in proposed subsections 16D(6) and 16E(7), and in particular why it is considered
that such mischief could not be addressed adequately through the imposition of
civil penalties alone.
The proposed offences in subsections 16D(6) and 16E(7)
appear to be a material change to the regulatory approach taken by the Privacy
Act, which utilises civil penalties for the majority of contraventions of
prohibitions or obligations imposed under the Act, with the exception of credit
reporting offences and the offence for unauthorised secondary disclosures of
information in emergencies and disasters.[68]
Further, these offences are arguably exceptional. For
example, the Australian Law Reform Commission (ALRC), in its 2008 report on
privacy recommended that the credit reporting offences should be repealed and
replaced with civil penalty provisions, primarily because it considered that
civil penalties were adequate.[69]
In October 2009, the (then) Government announced that it accepted that ALRC recommendation.[70]
Accordingly, the present Bill raises a broader conceptual question about the
appropriate form of redress (civil versus criminal, or both) for contraventions
of obligations under the Privacy Act.
While the ALRC and the (then) Government’s views on other
offence provisions in the Privacy Act are not conclusive of the case for
(or against) the enactment of the proposed offences in the present Bill, they
arguably suggest a need for a specific justification of the proposal to
criminalise contraventions of proposed subsections 16D(1) and 16E(1),
rather than reliance on civil penalty provisions alone.
Elements of the prohibitions in proposed subsections 16D(1) and 16E(1)
‘Publication’ v ‘disclosure’—proposed section 16E
Proposed paragraph 16E(1)(e) prohibits the disclosure of
re-identified information which has been published by or on behalf of the
responsible agency. This may have some unintended consequences, arising from
potential ambiguity in the meaning of the term ‘disclose’ for the purpose of
this provision. In particular:
- The prohibition on ‘disclosure’ rather than ‘publication’ of information may technically capture ‘internal’ disclosures (for example, by one researcher within an institution to another).
- The prohibition on ‘disclosure’ rather than ‘communication’ might potentially capture the making available of information without being required to intend that it is seen, read or heard by a specific third person or persons.
The term ‘disclose’ is undefined in the Privacy Act.
However, the OAIC has provided the following interpretation of the ordinary
meaning of the term ‘disclose’ for the purpose of the APPs—although it is not
clear that this interpretation is (a) authoritative, or (b) capable of
application to the proposed offence provisions.
An APP entity ‘discloses’ personal
information where it makes it accessible to others outside the entity and releases
the subsequent handling of the information from its effective control. This
focuses on the act done by the disclosing party. The state of mind or
intentions of the recipient does not affect the act of disclosure. Further,
there will be a disclosure in these circumstances even where the information is
already known to the recipient.[71]
The Explanatory Memorandum does not explain why the
prohibition (and consequently criminal and civil liability) should extend to
all disclosures (other than those within the exemptions) rather than being
limited to ‘publications’ or ‘communications’. It is also of note that the
Attorney-General’s media release of 29 September specifically referred to a
prohibition on ‘publication’ and ‘communication’ which are arguably narrower
than the OAIC’s interpretation of ‘disclosure’ for the purpose of the APPs.
Breadth of application of proposed sections 16D and 16E—potential unintended consequences
The prohibitions in proposed paragraphs 16D(1)(a) and
16E(1)(a) apply to information that has been published by or on behalf
of an agency. The use of the term information would seem broader than
the policy intent identified in the Attorney-General’s media release of 29
September (which referred to improving ‘protections of anonymised datasets
that are published by the Commonwealth government’). The Australian
Government’s data.gov.au site explains that a
dataset is ‘simply a structured presentation of data, such as a spreadsheet,
with some special features’.[72]
However, the application of the prohibitions in
subsections 16D(1) and 16E(1) (and consequently the offence and civil penalty
provisions) to information published by or on behalf of an agency could extend
far more broadly—including, for example:
- The release of documents under FOI with redactions made under section 47F of the Freedom of Information Act 1982 (personal privacy) where those redactions were made in a non-secure way and the redacted text is visible simply by changing the colour / contrast settings on a document, or selecting the redacted passage with the mouse. These documents would clearly have been published if uploaded to the agency’s FOI disclosure log, and there may be some argument as to whether they have been published by making them available to the applicant (as a member of the public). The FOI applicant who received that information could potentially be subject to liability under sections 16D and 16E and the duty to notify the agency in section 16F.
- The publication of an image of an individual that is pixelated to protect that person’s identity, but the pixelation is done in a non-secure way with the result that it can be reversed.
While this potential breadth of application is not
necessarily problematic, the Explanatory Memorandum does not seem to explain
why a broader application than datasets is considered appropriate.
Remedies—compensation orders against persons convicted of offences
The Bill does not appear to make consequential amendments
to sections 25 and 25A of the Privacy Act. Currently those provisions confer
jurisdiction on the Federal Court and Federal Circuit Court to make an order
that an entity provide financial or other compensation to a person for loss or
damage arising from contravention of the credit reporting provisions in Part
IIIA, if the entity is found guilty of an offence under those sections. The
power to award compensation would not extend to the proposed offence provisions
in new sections 16D, 16E or 16G because it is limited to offences against Part
IIIA.
However in contrast, sections 25 and 25A confer
jurisdiction on the courts to award compensation for contravention of a civil
penalty provision in the Privacy Act. This is not limited to credit
reporting and would extend to the proposed civil penalty provisions in sections
16D, 16E and 16F.
To remove arbitrariness or inconsistency it is suggested
that there may be a need for consequential amendments to existing subparagraphs
25(1)(a)(ii) and 25A(1)(a)(ii) to extend the application of the compensation
provisions to offences against new Division 3 of Part III (that is sections
16D, 16F or 16G).
Alternatively, it may be desirable for the Government to
amend the Explanatory Memorandum to explain why it is not considered
appropriate to allow persons who are adversely affected by a re-identification
of their personal information to obtain compensation from the convicted entity
under the Privacy Act rather than reliance upon private civil
proceedings, noting the absence of a Commonwealth victims of crime compensation
scheme.
Exemptions for research and other purposes
Proposed section 16G provides that the Minister may by determination exempt from the
offence provisions in new Division 3, certain entities for the purposes of research
involving cryptology, information security or data analysis or for any other appropriate
purpose as determined by the Minister. The Minister must also be satisfied it
is in the public interest to make such a determination and he/she must consult
the Information Commissioner before making the determination. Such a
determination is a legislative instrument but would not be subject to
disallowance.
The Explanatory Memorandum justifies this determinations
power stating it:
... will ensure that an appropriate range of research
activities can still be undertaken to test or otherwise assess the
effectiveness of de‑identification techniques, and advise agencies of any
shortcomings in those techniques, without engaging the offence provisions.[73]
Comment
Absence of explanation of more limited delegation of legislative power
As noted above, there has been criticism that the Bill
fails to live up to the Attorney-General’s promise to adequately protect
researchers from prosecution and in particular that the exemption for genuine
academics and researchers should not be reliant on a Ministerial determination.
The Attorney-General’s power to determine exempt entities
or classes of entity seems to be very broad, applying to any entity or class of
entity for any purpose that the Attorney-General considers is in the public
interest. The Senate Standing Committee for the Scrutiny of Bills confirms this
view and also suggests that the need for such a broad power of exemption may
indicate that the offence and civil penalty provisions have been drawn too
broadly. The Committee states that, in general, it is appropriate that
Parliament define the boundaries of criminal wrong-doing rather than leaving
these boundaries to depend (even in part) on executive decision‑making.[74]
The Explanatory Memorandum does not identify why greater
statutory guidance or limitation on the exercise of Ministerial discretion
could not be provided in primary legislation. Such guidance or limitation might
be considered important to avoid arbitrariness in determining the exposure of
regulated entities to criminal and civil liability, particularly noting the
non-disallowable status of the instrument.
For example, the Explanatory Memorandum gives no
explanation of why it would be inappropriate to enact alternatives that could
offer greater certainty and strengthen safeguards against arbitrariness, while
permitting flexibility, such as:
- mandatory, statutory considerations to which the Attorney-General must have regard in assessing whether a possible exemption is in the public interest
- statutory circumstances in which the Attorney-General must grant an exemption
- a statutory application process by which entities can seek an exemption from the Attorney-General (potentially with provision for procedural fairness and review)
- amending the consultation requirement at proposed subsection 16G(4) to also require the Attorney-General to take into account the Information Commissioner’s opinion on the proposed determination
- the statutory designation of classes of exempt entities (for example, certain types of research, perhaps by reference to subject matter and the existence of accreditation and/or classes of research institution) with provision for the Attorney-General to make a legislative instrument excluding a particular entity or class of entities from the exemption, or adding classes of entities
- the conferral of a rule-making power on the Privacy Commissioner rather than the Minister.
An example of an existing exemption scheme from
prohibitions in the Privacy Act is contained in subsections 20M(2)–(4)
(with respect to credit reporting information). Subsection 20M(2) provides for an
exemption from the general prohibition in subsection 20M(1) on using or
disclosing de-identified credit reporting information, for the purpose of
conducting research. This is provided that the credit reporting body complies
with rules made by the Information Commissioner under subsection 20M(3). The
rules may include matters of the kind set out in subsection 20M(4) such as the
kinds of information that may be used, the purpose of the research and the
conduct of the research. Of further interest, the rules made under subsection
20M(3) are subject to disallowance, which may call into question the adequacy
of the justification (referred to above) for the non-disallowable status of the
Attorney-General’s determinations under proposed subsection 16G(5). It is of interest
that the Law Council in its submission has also recommended that this approach
to exemptions may be a preferable option with regard to the prohibitions
regarding re-identified data.[75]
The Explanatory Memorandum also does not identify how the
proposed exemption scheme provides safeguards against the risk of conflicts of
interest (actual, potential or perceived) by the Attorney-General as
rule-maker. An example would be an entity seeking an exemption pertaining to the
re-identification of information published by the Attorney-General’s Department
or an agency within the Attorney-General’s portfolio. Arguably, setting
statutory parameters on the exercise of Ministerial discretion to consider and
grant exemptions may go some way towards managing the risk.
Other exemptions
On a related point regarding exemptions, the Explanatory
Memorandum notes that ‘existing exemptions and exclusions in the Privacy Act
(such as the exclusion of State or Territory Government entities, or the
exemption for media organisations acting in the course of journalism) would
also apply’.[76]
Information Commissioner: functions and powers
Part IV of the Privacy Act sets out the Information
Commissioner’s functions and section 33C within Part IV deals with the
Commissioner’s function of assessing whether entities comply with their
obligations under the Privacy Act. Item 6 amends section 33C
to add that the Commissioner has the additional function of conducting an
assessment of whether methods used by agencies for de-identifying personal
information are effective to protect individuals from being identifiable or
reasonably identifiable.
Section 40 sets out the Information Commissioner’s powers
of investigation. Item 10 inserts subsection 40(2A), which
provides that the Commissioner may, on his or her own initiative, investigate
an act that may contravene the re-identification offences in sections 16D to
16F. The Explanatory Memorandum notes that this new investigation power for the
Commissioner supports the Commissioner’s existing power to seek civil penalty
orders in relation to civil penalty offences under Part VIB of the Privacy
Act.[77]
Item 19 inserts new section 53AA which provides that the
Information Commissioner may make a written determination following an
investigation under new subsection 40(2A) that it would be inappropriate for
any further action to be taken in relation to the matter. This determination
power, which is not reviewable, is in addition to the existing determination
power in section 52. The Explanatory Memorandum argues that a new and distinct
non-reviewable power is appropriate in this situation.[78]
Section 49 requires that the Information Commissioner
refer matters to the Commissioner of Police of the Australian Federal Police
(AFP) or the Commonwealth Director of Public Prosecutions (CDPP) in cases where
the Information Commissioner forms an opinion that certain offences may have
been committed.[79]
Items 14–17 amend section 49 with the effect that when the
Information Commissioner is investigating possible re-identification offences
under section 40 and forms the opinion that certain offences may have been
committed under sections 16D and 16E then he/she must inform the AFP or the CDPP
and provide all relevant information. Under existing paragraph 49(1)(c) the
Information Commissioner would in this situation also be required to
discontinue the section 40 investigation except to the extent that it concerns
matters unconnected with the possible offence.
Comment
These provisions which set out new functions and powers
for the Information Commissioner would appear to be logical and consequential, given
the new offence provisions in the Bill. However, it might be asked whether the
work involved in providing effective scrutiny of government open data programs
may stretch the limited resources of the OAIC.
On a related matter, there may be potential resource
implications for law enforcement bodies as well as the OAIC in relation to the
proposed new offences, particularly noting the mandatory referral provisions in
section 49.[80]
There will also be a practical question as to whether a
matter should be dealt with as a potential contravention of a civil penalty
provision or an offence under sections 16D and 16E—in particular how law
enforcement decisions will be made in relation to matters referred to the AFP
or CDPP under subsection 49(2). (In practice referrals are made to the AFP rather
than the CDPP.)[81]
The OAIC expressed a number of concerns in its submission
to the ALRC’s privacy inquiry in 2007 about the lack of prioritisation
given by the AFP to matters referred under subsection 49(2) and delays in the
AFP making investigative decisions which required the suspension of the Privacy
Commissioner’s investigations, and making decisions not to investigate due to
resource constraints.[82]
In its report on the Privacy Act (Report 108) the ALRC took the view
that the problems identified by the OAIC could be managed largely via its
recommendation to repeal the credit reporting offences, since this would narrow
the range of offences required to be referred to the AFP—limiting them to tax
file number, healthcare identifier and anti-money laundering and counter-terrorism
offences.[83]
Given that the Bill proposes to expand the range of
offences that must be referred to the AFP under section 49(2), the
Parliament may find it beneficial to obtain more information about how the
proposed expansion would impact upon the resources of the OAIC and the AFP, as
well as the efficacy of the Information Commissioner’s investigations since
they must be suspended until the AFP provides a notice under section 49(2)
indicating that it will not pursue criminal law enforcement action.
The Bill may also exacerbate existing problems in relation
to subsection 49(2) because the offence and civil penalty provisions in proposed
subsections 16D(6)/(7)–16E(7)/(8) are comprised of identical conduct in the
form of a breach of proposed subsections 16D(1) and 16E(1). Therefore, it seems
that the Privacy Commissioner will likely be required under amended subsection
49(1) to refer all contraventions of subsections 16D(1) and 16E(1) to
the AFP and suspend his or her investigation pending receipt of a notice from
the AFP under subsection 49(2).
Concluding comments
The Attorney-General’s initial announcement of the new
re-identification offence provisions in September 2016 caused some concern as
reported in the media, and those initial concerns and criticisms have been
reiterated and reinforced since the Bill’s introduction into Parliament. Two Parliamentary
Committees have raised questions regarding some provisions and most submitters
to the current Senate Committee inquiry into the Bill are critical of at least
some aspects of the Bill. The introduction of criminal offences into the Privacy
Act, the retrospective nature of those offences, the Bill’s possible impact
on genuine data security research and the effect of the research exemption being
reliant on Ministerial determination are amongst the criticisms that have
repeatedly been raised. The controversial retrospective nature of the offences,
which will commence from the Attorney-General’s initial announcement rather
than from when the Bill receives Royal Assent, is perhaps indicative of an anxious
response to data security issues that have arisen since the introduction of the
Government’s recent open data program.
More broadly, the Bill raises questions about the risks of
open data to privacy and the importance of good and effective data security.
The Melbourne University researchers who discovered the Department of Health data
breach have raised serious questions about de-identification and data
publication. Amongst their concerns, they say that data sets containing
sensitive information about individuals clearly require more caution than others
and may not always be suitable for open public release.
Another question concerns the additional workload that
presumably this Bill and the Privacy Amendment (Notifiable Data Breaches) Bill
(which is also currently before the Parliament) might bring to the OAIC. It
might be asked whether the work involved in providing effective scrutiny of
government open data programs plus the increased workload arising from the mandatory
data breach notification system may stretch the limited resources of the OAIC.
Members, Senators and Parliamentary staff can obtain
further information from the Parliamentary Library on (02) 6277 2500.
[1]. Section 6 of the Privacy Act.
[2]. Parliament of Australia, ‘Privacy Amendment (Private Sector) Bill 2000 homepage’, Australian Parliament website; Privacy Amendment (Private Sector) Act 2000.
[3]. For example, subsection 20V(2) of the Privacy Act.
[4]. Commissioner for Privacy and Data Protection (CPDP), De-identification, Background paper,
CPDP, Melbourne, 2015, p. 1.
[5]. Section 6 of the Privacy Act.
[6]. Office of the Australian Information Commissioner (OAIC), De-identification of data and information, Privacy business resource, 4, OAIC, Sydney, April 2014, p. 2.
[7]. Ibid.
[8]. CPDP, De-identification, op. cit.
[9]. G Brandis (Attorney-General), Amendment to the Privacy Act to further protect de-identified data, media release, 28 September 2016.
[10]. Department of the Prime Minister and Cabinet (PM&C), ‘Public data policy’, PM&C website, December 2015.
[11]. In fact the Bill provides that the offences take effect from 29 September 2016, the day after this announcement.
[12]. Brandis, Amendment to the Privacy Act to further protect de-identified data, op. cit.
[13]. Department of Health, Data update, media release, 29 September 2016. See also, P Cowan, ‘Health pulls Medicare dataset after breach of doctor details’, itnews, 29 September 2016.
[14]. C Culnane, B Rubinstein and V Teague, Understanding the maths is crucial for protecting privacy, Pursuit, University of Melbourne, Melbourne, 29 September 2016.
[15]. Senate Standing Committee for Selection of Bills, Report, 8, 2016, The Senate, 9 November 2016, p. 3.
[16]. Inquiry homepage, Senate Legal and Constitutional Affairs Legislation Committee, ‘Privacy Amendment (Re-identification Offence) Bill 2016’.
[17]. Senate Standing Committee for the Scrutiny of Bills, Alert digest, 8, 2016, The Senate, 9 November 2016, pp. 32–37.
[18]. Proposed section 16G.
[19]. Scrutiny of Bills Committee, Report, 10, 2016, The Senate, Canberra, 30 November 2016, pp. 664–672.
[20]. Ibid., p. 671.
[21]. Ibid., p. 672.
[22]. Ibid., p. 666.
[23]. Ibid., p. 669.
[24]. C King (Shadow Minister for Health and Medicare), 17 days to reveal health data breach simply not good enough, media release, 20 September 2016.
[25]. Ibid.
[26]. Digital Rights Watch, Concerns around proposed amendments to Privacy Act, media release, 29 September 2016.
[27]. Ibid.
[28]. Media, Entertainment & Arts Alliance (MEAA), MEAA urges consultation over privacy changes, media release, 29 September 2016.
[29]. Law Council of Australia, Submission to Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Re-identification Offence) Bill 2016, 16 December 2016, p. 7.
[30]. Ibid., p. 8.
[31]. Ibid., p. 9.
[32]. Office of the Australian Information Commissioner (OAIC), Submission to Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Re-identification Offence) Bill 2016, 2016, pp. 1–2.
[33]. Ibid., p. 2.
[34]. Australian Privacy Foundation, Submission to Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Re-identification Offence) Bill 2016, 16 December 2016, p. 1.
[35]. Ibid., pp. 3–4.
[36]. Ibid., p. 4.
[37]. C Culnane, B Rubinstein and V Teague, Submission to Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Re-identification Offence) Bill 2016, November 2016, p. 3.
[38]. Ibid., p. 4.
[39]. TimeBase, Re-identifying de-identified data Bill 2016 introduced, media release, 13 October 2016.
[40]. Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016, p. 3.
[41]. The Statement of Compatibility with Human Rights can be found at pages 4–9 of the Explanatory Memorandum to the Bill.
[42]. Parliamentary Joint Committee on Human Rights, Report 9 of 2016, 22 November 2016, pp. 23–26.
[43]. Ibid., pp. 23–24.
[44]. Ibid., p. 26.
[45]. Under the combined operation of sections 6C, 6D and 6DA small
businesses are generally excluded from the Privacy Act.
[46]. Small businesses are brought within the ambit of the new
offence provisions by the use of the term ‘entity’. An entity is defined as an
agency, organisation or small business operator (the Privacy Act, section 6).
[47]. Ibid.
[48]. ‘Generally
available publication’ means a magazine, book, article, newspaper or
other publication that is, or will be, generally available to members of the
public, in print, electronic or in any other form (section 6). The Explanatory
Memorandum explains that circumstances covered by section 16D would not include
other more limited disclosure by an agency, such as discrete disclosure by the
agency to a service provider or research institution (p. 13).
[49]. Under
subsections 5.6(2) and 5.4(1) of the Criminal Code Act
1995, the prosecution must prove that the defendant was reckless as to
each of these circumstances (that is, aware of a substantial risk that each
circumstance existed, and acted unjustifiably in the circumstances known to him
or her at the time by taking the risk and doing the relevant act with the
intention of de-identifying the information).
[50]. Under
subsection 5.6(1) and subsection 5.2(1) of the Criminal Code, the
prosecution must prove that the defendant intended to engage in the relevant
act (for example, that the defendant meant to run a program) and must also
prove that person did so with the ‘ulterior intent’ of achieving the result
that the information is no longer de-identified.
[51]. Personal
information is de-identified if the information is no longer
about an identifiable individual or an individual who is reasonably
identifiable (section 6). Further, under subsection 5.6(2) and subsection
5.4(2) of the Criminal Code, the prosecution must prove that the
defendant was reckless that his or her conduct would have the result of
de-identifying the information. (That is, aware of a substantial risk, but
nonetheless and unjustifiably in the circumstances known to the defendant at
the time, taking the risk by engaging in the act.)
[52]. A penalty unit is currently equal to $180 (subsection
4AA(1) of the Crimes Act 1914).
[53]. The insertion of notes explaining the application of
the general principles of criminal responsibility is not usual drafting
practice. It raises the risk of creating unintended consequences—for example,
evincing an intention that other offence provisions in the same enactment which
do not contain a note are intended to displace or modify the application of
Part 2.4 of the Criminal Code. One potential risk in relation to Note 1
is that it refers to only some of the ancillary offence provisions in Part 2.4
of the Code. It does not include joint commission in section 11.2A or
commission by proxy in section 11.3. It might be queried whether the Government
means to evince an intention that these extensions of criminal liability should
not apply to subsection 16D(6).
[54]. Brandis, Amendment to the Privacy Act to further
protect de-identified data, op. cit.
[55]. Explanatory Memorandum, Privacy Amendment (Re-identification
Offence) Bill 2016, op. cit., p. 17.
[56]. The
links to the Bill, its Explanatory Memorandum and second reading speech can be
found on the Bill’s home
page.
[57]. Schedule
13 to the Regulatory
Powers (Standardisation Reform) Bill 2016 (item 7) repeals existing Part
VIB of the Privacy Act including existing section 80V and replaces it
with a new part. The proposed new provision corresponding to existing section
80V will be subsection 80U(1) which provides that each civil penalty provision
in the Privacy Act is enforceable under Part 4 of the Regulatory Powers
(Standard Provisions) Act 2014 (Regulatory Powers Act). (Section
92 of the Regulatory Powers Act, within Part 4, makes provision for the ancillary contravention
of civil penalty provisions.) Ideally, the Privacy Amendment (Re-identification
Offence) Bill should contain some contingent amendments to deal with the prior
or subsequent enactment and commencement of the Regulatory Powers Bill.
[58]. Generally, where a burden of proof is placed on a
defendant it is an evidential burden only (Criminal Code Act
1995, subsection 13.3(1)). The evidential burden can be discharged by
the defendant adducing or pointing to evidence suggesting there was a
reasonable possibility that a matter existed or did not exist (Criminal Code,
subsection 13.3(6)). The effect of imposing an evidential burden on a defendant
is to defer the point in time at which the prosecution must discharge its legal
burden to disprove the exemption. That is, if the defendant discharges his or
her evidential burden, only then is the prosecution required to negate the
existence of the exemption beyond reasonable doubt.
[59]. If
passed, Schedule 13 to the Regulatory Powers Bill (amending item 7, proposed new
subsection 80U(1)) will apply section 96 of the Regulatory Powers Act to
the civil penalty provisions in the Privacy Act with the result that the
respondent to civil penalty proceedings will bear the evidential burden in
relation to exceptions to civil penalty provisions in the Privacy Act.
This will extend to the exceptions in proposed subsections 16D(2)-(5) in the
present Bill. Also of note is that the application of section 94 of the Regulatory
Powers Act to the Privacy Act will mean that the Privacy
Commissioner (as applicant for a civil penalty order) will not be required to
prove the entity's (as respondent) state of mind in relation to each physical
element of the civil penalty provision.
[60]. See
page 11 above and footnote 53.
[61]. See
footnote 57 regarding the impact of the Regulatory Powers Bill.
[62]. Ibid. See also footnote 59 above regarding the impact of the
Regulatory Powers Bill.
[63]. That
‘laws are capable of being known in advance so that people subject to those
laws can exercise choice and order their affairs accordingly’. Quoted in the
Statement of Compatibility with Human Rights, Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016, op.
cit., p. 9.
[64]. Article
15 of the International Covenant on Civil and Political Rights (ICCPR)
provides that no one shall be held guilty of any criminal offence on account of
any act or omission which did not constitute a criminal offence at the time
when it was committed. Quoted in the Statement of Compatibility with Human
Rights, ibid.
[65]. Statement
of Compatibility with Human Rights, Explanatory Memorandum, Privacy
Amendment (Re-identification Offence) Bill 2016, op. cit., p. 5.
[66]. Ibid.
[67]. Senate
Standing Committee for the Scrutiny of Bills, Alert digest, op. cit., p.
37.
[68]. The relevant credit reporting provisions are sections
20P, 21R, 24 and 24A—relating generally to the provision or disclosure of false
or misleading credit information and the offences are punishable by a maximum
penalty of 200 penalty units. The offence relating to unauthorised secondary
disclosure of information in an emergency or disaster is set out in Part VIA,
section 80Q and is punishable by a maximum penalty of 60 penalty units and/or
imprisonment for one year.
[69]. Australian Law Reform Commission (ALRC), For
your information: Australian privacy law and practice, Report, 108, ALRC,
Sydney, 12 August 2008, Rec
59–9.
[70]. Australian Government, Enhancing
national privacy protection: first stage response to the Australian Law Reform
Commission Report 108: for your information: Australian privacy law and
practice, Australian Government, Canberra, October 2009, p. 128.
[71]. Office
of the Australian Information Commissioner, APP guidelines: Chapter
6: APP 6 — Use or disclosure of personal information, February 2014. Under the Privacy Act the Australian Information
Commissioner may issue guidelines regarding acts or practices that may have an
impact on the privacy of individuals. The APP guidelines outline the mandatory
requirements of the APPs, how the OAIC will interpret the APPs, and matters the
OAIC may take into account when exercising functions and powers under the Privacy
Act.
[72]. Australian
Government, Open
Government Toolkit: Publishing your Data, September 2016.
[73]. Explanatory
Memorandum, Privacy Amendment (Re-identification Offence) Bill
2016, op. cit., p. 15.
[74]. Senate
Standing Committee for the Scrutiny of Bills, Alert digest, op. cit., p.
34.
[75]. Law
Council of Australia, op. cit., p. 7.
[76]. Explanatory Memorandum, op. cit., p. 15.
[77]. Ibid., p. 28.
[78]. Ibid.,
p. 31.
[79]. These
offences are currently credit reporting offences, healthcare identifier
offences, tax file number offences and anti-money laundering and
counter-terrorism offences.
[80]. For example, in the OAIC’s
2009 submission to the ALRC's inquiry into secrecy laws, the office made
the following comment about the referral of credit reporting and other privacy
related offences to the AFP under section 49 (at p. 9): "In the
Office's experience, few matters referred to the AFP under s 49 as possible
offences are subsequently prioritised for investigation by the AFP". "In
the last six years, the Office is aware of at least nine referrals made to the
AFP. In all instances, the AFP has considered the Office's referral but has
declined to, or has been unable to, investigate for various reasons including
lack of resources or competing operational requirements". Office of
the Privacy Commissioner, Submission
to the Australian Law Reform Commission’s review of secrecy laws, Discussion
paper, 74, Office of the Privacy Commissioner, Sydney, August 2009.
[81]. The
OAIC has indicated in a submission to the ALRC’s inquiry into secrecy laws in
2009 that in practice referrals are made to the AFP as the CDPP advised it
would not accept referrals in the absence of a brief of evidence from the AFP.
Office of the Privacy Commissioner, Submission to the Australian Law Reform
Commission’s Review of Secrecy Laws, Discussion paper, 74, op. cit.
[82]. Office
of the Privacy Commissioner, Submission
to the Australian Law Reform Commission’s Review of Privacy, Issues paper,
31, Office of the Privacy Commissioner, Sydney, February 2007. The OAIC
repeated some of these concerns in its submission to the ALRC’s secrecy inquiry
in 2009. Office of the Privacy Commissioner, Submission to the Australian
Law Reform Commission’s Review of Secrecy Laws, Discussion paper, 74, op.
cit.
[83]. See
ALRC, For your information: Australian privacy law and practice, op.
cit., paragraph 49.108.
© Commonwealth of Australia
Creative Commons
With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.
In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.
To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.
Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.
Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.
Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.