Chapter 1



1.1        The Privacy Amendment (Re-identification Offences) Bill 2016 (the bill) was introduced into the Senate on 12 October 2016 by the Attorney-General, Senator the Hon George Brandis QC.[1] On 10 November 2016, the Senate referred the bill to the Senate Legal and Constitutional Affairs Legislation Committee for inquiry and report by 7 February 2017.[2]

Background and purpose of the bill

1.2        In December 2015, the Prime Minister, the Hon Malcom Turnbull MP, released the Australian Government Public Data Policy Statement, which recognised that data held by the Australian Government is a national resource and noted its importance for the growing economy, improving service delivery, and transforming policy outcomes for Australia.[3] The Prime Minister committed the Australian government to, as a default, make publicly available non-sensitive data to allow the private and research sectors to also benefit from the data. In releasing information, the government recognised the importance of effectively managing the data and 'upholding the highest standard of security and privacy for the individual, national security and commercial confidentiality'.[4]

1.3        In line with the Public Data Policy Statement, the Attorney-General announced on 28 September 2016 amendments to the Privacy Act 1988 (Privacy Act) to strengthen the protections of data published by the Australian government:

In accepting the benefits of the release of anonymised datasets, the Government also recognises that the privacy of citizens is of paramount importance.

...However, with advances of technology, methods that were sufficient to de‑identify data in the past may become susceptible to re-identification in the future.

The amendment to the Privacy Act will create a new criminal offence of re‑identifying de-identified government data...

The legislative change, which will be introduced in the Spring sittings of Parliament, will provide that these offences will take effect from today's announcement.[5]

1.4        In his second reading speech, the Attorney-General explained that the publication of major datasets is an important part of 21st century government, and of the government's Digital Transformation Agenda.[6]

1.5        In response to a request from the Senate Standing Committee for the Scrutiny of Bills, the Attorney-General provided further explanation for this bill:

The recently identified vulnerability in the Department of Health's Medicare and Pharmaceutical Benefits Scheme dataset brought to the Government's attention the existence of a gap in privacy legislation regarding the re-identification of de-identified data. Once aware of this gap, the Government acted immediately to strengthen protections for personal information against re-identification by introducing these offences.[7]

Overview of the provisions of the bill

1.6        The scope of the bill is limited to personal information which has been de‑identified by an agency and is generally made available. The bill, if passed, would operate retrospectively and prohibit intentional conduct by an entity that occurred from 29 September 2016 which:

1.7        An entity that contravenes the above provisions may be subject to a criminal penalty of up to two years imprisonment or 120 penalty units, or a civil penalty of 600 penalty units.

1.8        Additionally, regardless of the intentions of the entity, where de-identified personal information has been re-identified, the entity must notify the responsible agency that the information is no longer de-identified, cease any use or disclosure of the re-identified information, and comply with the directions of the agency about the handling of the information (proposed section 16F). The entity may be subject to a civil penalty of up to 200 penalty units for failing to notify the responsible agency in writing, or for using or disclosing the information after it becomes aware that the information is no longer de-identified (proposed subsections 16F(3) and (4)).

1.9        Transitional arrangements exist for proposed section 16F so that an entity that becomes aware that de-identified information has been re-identified on or after 29 September 2016 and prior to the commencement of this item, must notify the responsible agency as soon as practicable after the commencement of this item (item 21).

1.10      While the Privacy Act is generally limited to agencies, the bill applies to organisations, small businesses and individuals (proposed section 16CA). The Explanatory Memorandum (EM) explains that the broader scope of the bill is necessary 'due to the need for a general deterrent to the re‑identification of de‑identified personal information'.[8]

1.11      The bill provides some exclusions which enable entities to continue to engage in their ordinary functions and activities. Specifically, the bill does not apply to agencies, Commonwealth contracted service providers and entities that enter into agreements with agencies if re-identification or disclosure:

1.12      Additionally, the bill reverses the evidentiary burden of proof so that entities are required to show that the re-identification or disclosure was done in connection with one of the exclusions as outlined above.

1.13      The bill provides for the Minister, following consultation with the Australian Information Commissioner (the Commissioner), to make a determination to exempt an entity from the offences and civil penalties on the basis of public interests (proposed section 16G). While the Minister's determination is a legislative instrument it is not subject to disallowance under section 42 of the Legislation Act 2003.

1.14      The bill proposes amendments to the Commissioner's functions and powers which enable the Commissioner to conduct an assessment of whether methods used by agencies for de-identifying personal information are effective to protect individuals from being identifiable or reasonably identifiable (item 6). The bill also confers powers on the Commissioner to investigate actions relating to the re-identification of personal information which was de‑identified, make determinations in relation to the investigations, and require an entity to comply with such determinations (proposed subsection 40(2A)).

Financial implications

1.15      The EM notes that the bill has no significant impact on Commonwealth expenditure or revenue.[9]

Compatibility with human rights and freedoms

1.16      The EM states that the bill engages in various rights and freedoms expressed in the International Covenant on Civil and Political Rights (ICCPR), including the right to privacy, the right to freedom of expression, the right to a fair trial, and the prohibition on retrospective criminal laws.[10] The bill's compatibility with human rights and freedoms will be discussed in chapter two of this report.

Conduct of inquiry

1.17      In accordance with usual practice, the committee advertised the inquiry on its website and also wrote to organisations and individuals inviting written submissions by 16 December 2016. The committee received 15 submissions, listed at Appendix 1. The committee also sought additional clarification on particular provisions of the bill from the Attorney-General's Department.

Structure of this report

1.18      This report consists of two chapters:


1.19      The committee thanks all submitters to this inquiry.

Navigation: Previous Page | Contents | Next Page