The Privacy Amendment (Re-identification Offences) Bill 2016 (the
bill) was introduced into the Senate on 12 October 2016 by the
Attorney-General, Senator the Hon George Brandis QC.
On 10 November 2016, the Senate referred the bill to the Senate Legal and
Constitutional Affairs Legislation Committee for inquiry and report by 7
Background and purpose of the bill
In December 2015, the Prime Minister, the Hon Malcolm Turnbull MP,
released the Australian Government Public Data Policy Statement, which
recognised that data held by the Australian Government is a national resource
and noted its importance for the growing economy, improving service delivery,
and transforming policy outcomes for Australia.
The Prime Minister committed the Australian government to making non-sensitive
data publicly available by default, so that the private and research sectors
can also benefit from the data. In releasing information, the government
recognised the importance of effectively managing the data and 'upholding the
highest standard of security and privacy for the individual, national security
and commercial confidentiality'.
In line with the Public Data Policy Statement, the Attorney-General
announced on 28 September 2016 amendments to the Privacy Act 1988
(Privacy Act) to strengthen the protections of data published by the Australian
In accepting the benefits of the release of anonymised
datasets, the Government also recognises that the privacy of citizens is of
...However, with advances of technology, methods that were
sufficient to de‑identify data in the past may become susceptible to
re-identification in the future.
The amendment to the Privacy Act will create a new criminal
offence of re‑identifying de-identified government data...
The legislative change, which will be introduced in the
Spring sittings of Parliament, will provide that these offences will take
effect from today's announcement.
In his second reading speech, the Attorney-General explained that
the publication of major datasets is an important part of 21st
century government, and of the government's Digital Transformation Agenda.
In response to a request from the Senate Standing Committee for
the Scrutiny of Bills, the Attorney-General provided further explanation for
The recently identified vulnerability in the Department of
Health's Medicare and Pharmaceutical Benefits Scheme dataset brought to the
Government's attention the existence of a gap in privacy legislation regarding
the re-identification of de-identified data. Once aware of this gap, the
Government acted immediately to strengthen protections for personal information
against re-identification by introducing these offences.
Overview of the provisions of the bill
The scope of the bill is limited to personal information which has
been de‑identified by an agency and is generally made available. The bill,
if passed, would operate retrospectively and prohibit intentional conduct by an
entity that occurred from 29 September 2016 which:
re-identifies personal information that was de-identified by the
responsible agency (proposed subsection 16D(1)); or
discloses the re-identified personal information (proposed subsection
An entity that contravenes the above provisions may be subject to
a criminal penalty of up to two years' imprisonment or 120 penalty units, or a
civil penalty of 600 penalty units.
Additionally, regardless of the intentions of the entity, where
de-identified personal information has been re-identified, the entity must
notify the responsible agency that the information is no longer de-identified,
cease any use or disclosure of the re-identified information, and comply with
the directions of the agency about the handling of the information (proposed
section 16F). The entity may be subject to a civil penalty of up to 200 penalty
units for failing to notify the responsible agency in writing, or for using or
disclosing the information after it becomes aware that the information is no
longer de-identified (proposed subsections 16F(3) and (4)).
Transitional arrangements exist for proposed section 16F so that
an entity that becomes aware that de-identified information has been
re-identified on or after 29 September 2016 and prior to the commencement
of this item, must notify the responsible agency as soon as practicable after
the commencement of this item (item 21).
While the Privacy Act is generally limited to agencies, the bill
applies to organisations, small businesses and individuals (proposed section 16CA).
The Explanatory Memorandum (EM) explains that the broader scope of the bill is
necessary 'due to the need for a general deterrent to the re‑identification
of de‑identified personal information'.
The bill provides some exclusions which enable entities to
continue to engage in their ordinary functions and activities. Specifically, the
bill does not apply to agencies, Commonwealth contracted service providers and
entities that enter into agreements with agencies if re-identification or
was done in connection with the agency's functions or activities
or was required or authorised to be done by or under Australian law (proposed
subsections 16D(2), 16E(3) and 16F(5));
was done for the purposes of meeting (directly or indirectly) an
obligation under a Commonwealth contract (proposed subsections 16D(3), 16E(4)
and 16F(6)); and
was done for the purposes of an agreement with the agency
(proposed subsections 16D(4), 16E(5) and 16F(7)).
Additionally, the bill reverses the evidentiary burden of proof
so that entities are required to show that the re-identification or disclosure was
done in connection with one of the exclusions as outlined above.
The bill provides for the Minister, following consultation with
the Australian Information Commissioner (the Commissioner), to make a
determination to exempt an entity from the offences and civil penalties on the basis
of public interests (proposed section 16G). While the Minister's determination
is a legislative instrument, it is not subject to disallowance under section 42
of the Legislation Act 2003.
The bill proposes amendments to the Commissioner's functions and
powers which enable the Commissioner to conduct an assessment of whether
methods used by agencies for de-identifying personal information are effective
to protect individuals from being identifiable or reasonably identifiable (item
6). The bill also confers powers on the Commissioner to investigate actions
relating to the re-identification of personal information which was de‑identified,
make determinations in relation to the investigations, and require an entity to
comply with such determinations (proposed subsection 40(2A)).
The EM notes that the bill has no significant impact on
Commonwealth expenditure or revenue.
Compatibility with human rights and freedoms
The EM states that the bill engages various rights and
freedoms expressed in the International Covenant on Civil and Political
Rights (ICCPR), including the right to privacy, the right to freedom of
expression, the right to a fair trial, and the prohibition on retrospective
The bill's compatibility with human rights and freedoms will be discussed in
chapter two of this report.
Conduct of inquiry
In accordance with usual practice, the committee advertised the
inquiry on its website and also wrote to organisations and individuals inviting
written submissions by 16 December 2016. The committee received 15
submissions, listed at Appendix 1. The committee also sought additional
clarification on particular provisions of the bill from the Attorney-General's
Structure of this report
This report consists of two chapters:
Chapter 1 outlines the background and provides an overview of the
bill, including the administrative details of the inquiry.
Chapter 2 sets out the key issues raised in submissions, and
provides the committee's views and recommendation.
The committee thanks all submitters to this inquiry.