The Data Availability and Transparency Bill 2020 and the Data Availability and Transparency (Consequential Amendments) Bill 2020 seek to establish a new data sharing scheme which will serve as a pathway and regulatory framework for sharing public sector data. The bill would enable data custodians (Commonwealth bodies which control the relevant data and have a right to deal with it) to share data with accredited users, either directly or via an intermediary termed an ‘accredited data service’. The bill defines data broadly to mean ‘any information in a form capable of being communicated, analysed or processed (whether by an individual or by a computer or other automated means).’
The bill would establish a National Data Commissioner (the Commissioner), who would serve as statutory regulator for the scheme and whose role would include advocating for the sharing and release of data more generally. The Commissioner would enforce the scheme through assessing, monitoring and investigating data scheme entities. The Commissioner would have enforcement powers, including suspension or cancellation of accreditation, injunctions, giving binding directions and seeking civil and criminal penalties where appropriate.
Interactions with government services create thousands of points of data, many of them deeply personal and sensitive. The capacity for that information to be stored, shared, processed and, in some cases, abused is greatly expanding through the development of technologies such as Artificial Intelligence. By expanding the ability for citizens’ data to be shared across the public service and some third parties, the measures proposed in this bill engage and limit the right to privacy. The right to privacy may be subject to limitations where the limitation:
Pursues a legitimate objective;
Is rationally connected to that objective; and
Is a proportionate means of achieving that objective.
Labor Senators are of the view that the bill is deeply flawed. While there is a clear need for an effective scheme for the management and regulation of public data, and clear public benefits from using such data, the measures outlined in this bill do not represent a proportionate means of achieving that objective. If passed, the scheme outlined in the bill would undermine current privacy protections, most notably the Privacy Act 1988. The regulatory structure designed to oversee the scheme is weak, poorly designed and subject to abuse. This bill violates community standards about the protection of private data and, if passed, would erode public trust in the government’s ability to protect the privacy of its citizens.
Privacy Act 1988 and Australian Privacy Principles
Labor Senators have concerns about the way that this bill would interact with existing privacy legislation, specifically the Privacy Act 1988 and the Australian Privacy Principles (APPs). In their testimony to the committee, the Office of the National Data Commissioner insisted that the bill was designed to complement and not to duplicate the Privacy Act. The Interim National Data Commissioner described the bill’s relation to the Privacy Act as follows:
Ms Anton: The bill relates to an express authorisation to disclose, collect and to use personal information, where the requirements of the DAT bill are met. Basically, it’s an authorised exemption, an expressed authorisation to use the bill under the Privacy Act. The Privacy Act provides for, essentially, secondary use frameworks to be met, and this bill creates a very complex set of controls about what is reasonable and practical in those instances.
The Privacy Impact Assessment commissioned by the Office of the National Data Commissioner argues that the provisions of existing legislation will continue to provide substantial privacy protections. Chapter 5.1 provides this description of how the proposed bill will interact with the Privacy Act:
When reviewing the privacy impacts of the DATB, it is important to understand that the Data Sharing Scheme will not operate in a vacuum. Existing protections provided by the Privacy Act and its APPs continue to apply. The DATB makes clear that all entities participating in the Data Sharing Scheme must ‘maintain privacy coverage’ either under the Privacy Act or comparable state or territory law.
One particular aspect of the bill that raised concerns in both submissions and the public hearing relates to regulation of consent. In his Second Reading speech introducing the Data Availability and Transparency Bill to the House of Representatives, Minister Robert emphasised that ‘the bill’s approach to consent mirrors the approach in the Privacy Act, requiring consent be sought for the sharing of personal information, unless unreasonable and objectionable’.
The Minister’s words reflect paragraph 16(2)(c) of the bill, which states that the sharing of personal information is to be done with the consent of the individuals concerned, unless it is ‘unreasonable or impracticable’ to do so. This language was criticised in the Parliamentary Joint Committee on Human Rights’ report on the bill, which argued that the bill is not clear about how broadly such an exception would be applied.
The explanatory memorandum states that ‘the question of whether seeking consent is reasonable or impracticable may depend on the amount, nature and sensitivity of the data involved, and whether individuals gave informed consent for uses including the proposed sharing at the point the data was originally collected’. The PJCHR Report found:
(I)t is questionable whether an individual could be said to have voluntarily consented to the onward sharing of their data under this scheme if their original consent had been provided to meet their basic needs (for example, providing personal information to Medicare or Services Australia)… In addition, no comprehensive guidance is provided as to the circumstances in which it may be deemed unreasonable and impracticable to seek the consent of affected individuals in order to share their personal information.
Similar concerns about consent in relation to data created through the provision of public services were raised by the Australian Privacy Foundation Submission:
Australians dealing with governments typically have no choice. They are often legally obligated to provide data and to ensure that the data is correct. They are increasingly forced to provide that data through portals such as MyGov that are badly designed, badly supported and coercive. It is, at best, naïve for government representatives to state that if you don’t want benefits you don’t need to use those portals and you don’t need to share your private lives with government.
Whether this bill adequately reflects the consent protocols in existing legislation is complicated by the review of the Privacy Act currently being conducted by the Attorney-General’s Department. The review was a recommendation of the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry and was announced on 12 December 2019. Submissions for the review have closed, and a discussion paper is expected to be released this year. The inquiry’s Terms of Reference clearly relate to matters that are of direct concern to this bill, including:
The scope and application of the Privacy Act including in relation to:
The definition of ‘personal information’
General permitted situations for the collection, use and disclosure of personal information.
Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices including in relation to:
Consent requirements including default privacy settings
The effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks.
It is unusual that a bill that relies on the mechanisms outlined in the Privacy Act would be developed and introduced to the Parliament before a major review of the Privacy Act is completed. During the public hearing, a number of witnesses commented on these circumstances:
Mr Gadir: This bill is a really big carve-out from the protections of the Privacy Act applying to a very high-risk activity of data sharing. This is happening at the same time that another arm of the government is telling us that they want to strengthen the Privacy Act.
Dr Arnold: With respect, I think the bill should not be passed until we’ve looked at and, ultimately, fixed the existing weak regime.
Ms Ganopolsky: There is a risk that you are putting the cart before the horse. What is contemplated under this bill is a very large data-sharing arrangement that is systemic in nature. What is contemplated under the review of the Privacy Act is, potentially, an overhaul of the regime… So, from the point of view of building a series of infrastructure, you are, potentially, putting the cart before the horse in that it will have to respond to a brand new regime.
Ms Krahulcova: It does not make I think policy sense to be passing this legislation while money is being spent reviewing the Privacy Act, especially if this legislation as primary legislation will be exempt from the resulting rules and standards in that review.
The Privacy Act’s approach to consent appears to be a subject of the Privacy Act Review. The Issues Paper for the review, released in October 2020, includes several references to consent and includes an outline of the way consent operates under the Act. It describes Australian Privacy Principle (APP) 6 – which outlines the use or disclosure of personal information – as follows:
APP 6 permits an entity to use or disclose the collected personal information without obtaining consent provided it is for the primary purpose for which it was collected, or for a secondary purpose if the individual would reasonably expect the entity to use or disclose their personal information was collected.
Question 42 of the Review’s questions for consideration is: ‘Should reforms be considered to restrict uses and disclosures of personal information? If so, how should any reforms be balanced to ensure that they do not have an undue impact on the legitimate uses of personal information by entities?’.
It is concerning that the bill pre-empts the Privacy Act Review because it is precisely those consent protocols regarding personal information, outlined in the Privacy Act 1988 and APP 6 in particular, that are contested by the bill’s critics:
Mr Gadir: Earlier, the witnesses from the government were explaining how the Privacy Act would continue to apply, but that is not correct. The fundamental disclosure from the government agency to some private company that would be enabled by this bill is actually a carve-out from Australian Privacy Principle 6… It says you can only use or disclose personal information where it’s reasonably expected by the individual and it’s related to the primary purpose of collection.
Ms Krahulcova: In our submission we brought up the fact that privacy principle 6 is essentially being rewritten, and that the primary [inaudible] definition. There are exceptions to that in the existing privacy principles, but this is a top-down override of privacy principle 6 and it is a blunt approach that dilutes legal protections and remedies currently available to Australians, and there are not many to begin with.
Labor Senators note that there are substantial problems in the way the bill interacts with the Privacy Act 1988, most notably with regard to Australian Privacy Principle 6 as it relates to the treatment of consent in the collection and distribution of personal information. Further, it is the view of Labor Senators that attempting to pass such measures before the completion of the Attorney General’s review of the Privacy Act is reckless, and undermines claims that the bill was developed through a ‘privacy-by-design’ process.
Inadequate Regulation of Data Matching
Labor Senators are concerned that the regulatory mechanism outlined by this bill is insufficient for the scope of the data-matching scheme it creates. Datasets created through government data-matching are highly valuable, and the practice of data sharing is considered high risk. As the bill’s Privacy Impact Assessment outlines, the DATB’s expansion of such practices requires stronger controls:
What is significant are changes to processes and scale. Also significant is the social and technological environment in which the DATB’s Data Sharing Scheme would operate. The advent of new technologies like data analytics, artificial intelligence, face recognition – and indeed the combination of these technologies – as well as increased inherent security risks when sharing data must also be considered.
The bill provides for the establishment of the National Data Commissioner as a statutory regulator for the scheme, while at the same time ‘advocating for the sharing and release of data more generally’. The Commissioner would be empowered to enforce the scheme, including by assessing, monitoring and investigating data scheme entities. Their enforcement powers would include the ability to suspend, cancel or impose conditions on an entity’s accreditation; issue written directions to a data scheme entity; impose a civil penalty; issue infringement notices; accept and enter into enforceable undertakings and apply for injunctions.
The Commissioner’s dual role as both ‘advocate’ and ‘regulator’ is an immediate weakness in the scheme’s regulatory structure. The PJCHR report on the bill raised concerns about whether the Commissioner could provide genuine independent regulatory oversight of the scheme. As the Electronic Frontiers Australia submission states:
These two objectives are inherently in opposition. Regulation and oversight of the scheme should be performed by a body that is fully independent of a body tasked with promoting greater data sharing. The National Data Commissioner can perform either one of those roles effectively, but not both.
The Australian Privacy Foundation raised concerns about the relationship of the National Data Commissioner to existing regulatory bodies:
Dr Arnold: The bills are not accompanied by a strengthening of the Office of the Australian Information Commissioner, our regrettably inward looking and grossly under-resourced privacy and FOI watchdog. The bills obfuscate recurrent civil society requests for privacy protection. They do that by Balkanising responsibility, with the new Data Commissioner sitting alongside the information commissioner and other agencies.
The regulatory role of the Commissioner is further complicated by the limited scope to review and overturn its decisions. The bill’s Explanatory Memorandum states that regulatory decisions by the Commissioner may be reviewed for their merits or legality through standard administrative review processes. However, the EM also outlines how a number of the Commissioner’s decisions will not be subject to such a review:
Decisions made under the Commissioner’s advice, guidance, advocacy, and incidental functions are not appropriate for merits review… Delegation decisions are also unsuitable for merits review… Decisions to appoint persons to undertake specified functions, such as to appoint members of the National Data Advisory Council, are also generally not appropriate for review.
The central role of the Commissioner in the regulation of this scheme, including the power to delegate concerns to other regulators, while having significant exclusions to judicial review, ultimately means that critical decisions about privacy rights will be delegated to senior public servants, overseen by an appointed commissioner rather than any judicial process. Those public servants, referred to in the bill as ‘data custodians’, will also be responsible for designing and implementing data matching schemes. Despite this clear conflict of interest, the regulator maintains that they are capable of making informed and appropriate decisions:
Ms Anton: So, while we haven’t imported the Privacy Act into the bill, those really important links under 28 and the capacity to refer things out to the Privacy Commissioner do maintain the importance of privacy in the work that we’re doing and still rest that control, where it’s most appropriately dealt by with the Privacy Commissioner, with her.
Senator AYRES: It does put a lot of power in the hands of the Data Commissioner, many of whose decisions will be non-reviewable.
Ms Anton: I would just note that the decisions to share the data are ultimately left with the data custodians. So they’re left with senior public servants. Our view was that, in terms of sharing, they are in the best position to make an appropriate risk assessment.
While the regulator is relying on the judgement of senior public servants to make decisions about data sharing in line with community expectations and their legal responsibilities under the Privacy Act and the Australian Privacy Principles, the Explanatory Memorandum of the bill indicates that those critical decisions will be exempt from judicial review:
Data sharing decisions by data custodians will not be reviewable on their merits under this scheme. Such decisions are best made by data custodians as they have a full understanding of the risks of and public interest in sharing their data.
The scheme’s emphasis on allowing senior public servants to make critical decisions about the appropriateness of data-matching was criticised by several witnesses during the public hearing:
Mr Wong: Ms Anton also emphasized the role of data custodian and for clarification that really means the Commonwealth government agency who holds that information. They have outsized power and a level of discretion in determining who gets access to what data, what data can be shared, what data falls within the purposes, whether the data can fall within the purpose of improving government policy or research and development, which can be very broadly interpreted, as well as whether it is unreasonable or impracticable for them to obtain consent and, then, the circumstances in which the data is shared and to what agencies they may share this information… There isn’t really any form of oversight in that sharing and there are no merits review processes.
Dr Arnold: We have nice language that government agencies will be custodians… They regard this data as their data: ‘It’s government data. We can do with it what we like.’ We will in practice have very weak oversight of what’s happening.
Mr Payne: A key concern to the university is the absence of a definition for the term ‘public benefit’ in the main bill, even though data custodians across the Commonwealth will be required to apply this test each time they consider a request for data.
Further, there are concerns that the bill lacks substantial enforcement mechanisms. Considering the value of the datasets being created and the sensitive nature of the data being shared, the civil and criminal penalties included in the bill are relatively small:
Mr Menzies-McVey: For breach of the mandatory terms of a data sharing agreement, which include the requirement to only use it for the agreed purpose, it’s a civil penalty of 300 penalty units… there are general penalties applying for if the sharing or use was purporting to rely on the authorization in the bill and the bill doesn’t cover that, in fact. There are both civil penalties, which are the 300 penalty units, and criminal penalties, which is imprisonment for two years, for intentional reckless breaches.
The civil penalties included in this bill are not proportional to the value of the data, the probity risks that such a scheme would create or the harm that a breach of such sensitive data would have. As the Electronic Frontiers Australia witness said:
Mr Warren: … data privacy, like life, once it’s gone, it’s lost forever. Intent is the difference between murder and manslaughter: the victim is still dead. In this case, our privacy has still been invaded; it’s still been lost. We can’t ever get that back, and what we see here are things like civil penalties of 300 penalty rates, which at the current rate works out at around $66 000. Personal information is extremely valuable. If I managed to get hold of a data leak of every Australian’s medical record, 66 grand sounds like a pretty fair fee. You can pay more than that to various brokers to get access to datasets… we need to have a system that deals with bad intents and bad outcomes.
Labor Senators agree with the findings of the Parliamentary Joint Committee for the Scrutiny of Bills that the Explanatory Memorandum lacks a comprehensive justification for the penalties outlined in the bill.
Labor Senators are of the view that 300 penalty units (currently $66 000) is an insufficient disincentive for breaching the law. Effective penalties for the misuse of data should be a substantial order of magnitude higher than the value of the data shared.
It is the view of Labor Senators that the regulatory scheme outlined in this bill is weak, poorly designed and ultimately unable to protect the right to privacy under this scheme. Both the National Data Commissioner and the data custodians they are entrusted to regulate have substantial conflicts of interest by design. Excluding the decisions of senior public servants entrusted with valuable personal data from judicial review is of particular concern. Such a scheme is inadequate to the scale of its exemptions to the Privacy Act and the Australian Privacy Principles.
Robodebt, Compliance and the National Disability Insurance Scheme
Labor Senators have concerns that the data-sharing scheme created by this legislation could be abused to create new forms of inequity and neglect. The recent ‘Robodebt’ scandal, in which the government attempted to recover ‘overpayments’ made to social security recipients through its Online Compliance Initiative (OCI), provides a clear example. The scheme was found to be unlawful and resulted in the largest class action settlement in Australian history. It is currently the subject of another Senate Inquiry, which is due to report in 2021.
As outlined in the 2017 report of the Senate Standing Committee on Community Affairs, the ‘debts’ were calculated from the cross-referencing of Centrelink recipient data with records from the Australian Tax Office. Cross-referencing using Tax File Numbers (TFNs) had been longstanding practice in Centrelink, having been facilitated by the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act). This act allowed the Office of the Australian Information Commissioner (OAIC) to make legally binding rulings on how such data can be matched.
However, as part of the introduction of the Online Compliance Initiative (OCI) program in 2016, the Department of Human Services stopped the practice of using TFNs to make their calculations, meaning that the program was not legally bound by the Data-matching Program Act. Instead, they were subject to voluntary, non-binding guidelines issued by the OAIC on data-matching, which allow for greater flexibility as to how data-matching activities may be conducted and did not restrict the volume of data matching activity. The increased volume of data matching, particularly through full automation, and the loosened restrictions on the quality of the data used created the basis of the Robodebt scheme.
Robodebt represented a failure to appropriately regulate data sharing between government departments, and its example has implications for the Data Availability and Transparency Bill 2020. It was noted in the hearings that the bill nominally precludes sharing data for compliance purposes in Clause 15. As the Explanatory Memorandum states:
… subclause (3)(b) precludes sharing for the purpose of detecting, investigating or addressing (a compendious phrase) deliberate actions that are detrimental to public revenue, like fraud. While enforcement related activities are legitimate functions of government, they are best carried out under dedicated laws.
The bill as drafted does not resolve issues of data matching across agencies in existing legislation, such as the Data Matching Program Act 1990. As the chart tabled by the National Data Commissioner indicates, data that can be shared under existing authority can be shared through existing processes. The Data Availability and Transparency Bill 2020 is only implemented when those existing authorities and processes do not apply. It therefore fails to improve the management of current privacy risks.
Further, there is concern that the protections against the use of the bill for compliance purposes are weak given the broadly-framed purposes for which data can be shared under the scheme. These concerns were raised in clause 1.23 of the Parliamentary Joint Committee on Human Rights report on the legislation:
(I)t is unclear whether the ‘delivery of government services’ would encompass the sharing of data for purposes related to the withholding of government services (such as identifying ways in which to reduce certain social security payments).
During the public hearing the example of the National Disability Insurance Scheme was raised. Recent press reports have indicated that the National Disability Insurance Agency is planning to use ‘data matching and analytics’ to ‘identify high-risk activities, non-compliant participant plan usage and other potential areas of risk.’ The question was put to the Office of the National Data Commissioner whether information shared through the bill would be able to be used in such a process.
Ms Anton: I don’t see how enforcement action under NDIS would be supported by the bill as drafted.
However, through questioning it was established that the breadth of information that can be collected would allow data to be used to determine the appropriate level of support an NDIS recipient would receive. As the PJCHR report indicates, there is a close relationship between this information and the potential for enforcing a compliance regime, creating a loophole in the bill’s stated protections.
Senator AYRES: Is it possible for the NDIA to use this framework to collect data that is then used to make assessments about the level of support that’s provided to individuals?
Ms Anton: I think that goes to individual identified information. The bill contemplates that, where individual information is provided, it’s also relevant to make reference to probably the exit clause, which does include a step where individuals are importantly required to validate that the information there is correct for that to go on and be used for other purposes. So, yes.
Concerns about the role data collected through the scheme could play in the proposed NDIS compliance scheme were also raised by the Public Interest Advocacy Centre:
Mr Wong: What we’ve seen proposed, for example, in the NDIS is around clawing back funds that have been used by participants in ways that the agency considers to be inappropriate… that is an example of something which may not be in contravention of the law and may not be captured by the exclusions in the act.
It is the opinion of Labor Senators that given the recent example of the Robodebt scheme, the potential for data-matching collected under this bill to be misused in a compliance function by the NDIA is of great concern. It is a practice that would disproportionately harm the most vulnerable in our society, and potentially deny them the government services they need to live with dignity. The stated protections against the use of the data collected by this act are ultimately negated by its broad scope.
Labor Senators agree with the findings of the Parliamentary Joint Committee on Human Rights that the bill seeks to establish a framework that overrides existing laws to facilitate the sharing of, and controlled access to, public sector data held by Commonwealth bodies with accredited entities. Labor Senators agree with the findings of the PJCHR that, in doing so, the measure engages and limits the right to privacy, and note that this right may be subject to permissible limitations if they are shown to be reasonable, necessary and proportionate.
Labor Senators do not believe that the measures outlined in this bill represent a reasonable, necessary or proportionate limitation on the right to privacy. The failures of this legislation can be effectively summarised by a single exchange from the public hearing:
Senator AYRES: Who do you think owns the data?
Ms Anton: My general sense is we, the government, hold the data in trust for the public. They do provide that information, and it’s a responsibility, as with many functions of the government, to hold that in good faith for the public.
Citizens are entitled to trust their government with the data they provide, often without their consent. They are entitled to believe that their data will be appropriately respected and protected, and that any scheme that holds or shares their data would be subject to appropriate judicial review. The scheme outlined in this bill does not deserve their confidence. This bill would undermine the existing privacy protections in favour of a poorly regulated system that is widely open for abuse. It amounts to a reckless treatment of public trust.
That the bill not be passed.
Senator Tim Ayres