As the federal government reviews privacy legislation, privacy and legal groups have sounded the alarm over a new bill that would make it easier for government agencies to share information with other government and non-government organisations, including businesses and researchers.
On Tuesday the Senate Standing Committee on Finance and Public Administration held a hearing into the bill at which interim national data commissioner Deborah Anton argued the changes would open up existing data to improve government.
“The bill seeks to progress a necessary set of reforms to modernise [public service] data-sharing practices, to set higher and consistent standards, and to add additional transparency to ensure the public know what is being done with their data,” she said.
Under the proposed act, a national data commissioner would oversee the implementation of the scheme, which would allow “data custodians” — the government body that possesses the data — to grant access to third parties only for the reasons of improving government services, informing policy, and research and development.
There are a number of exemptions, including precluding sharing data for national security or enforcement actions.
Anton said the bill would enable people to have to give information to government only once, rather than over and over with different agencies.
“If the public have told us something and it’s held in silos and we can’t share it,” she said, “wouldn’t it be simpler and easier for them if we could actually pick it up and reuse it where they’re comfortable with that?”
Carve-out of Privacy Act
Privacy and legal groups were unanimous in their concerns. Many said the bill represented a carve-out of the Privacy Act.
Olga Ganopolsky from the Law Council of Australia said it was “weird” the government would push forward with the bill while the Attorney-General’s Department was running a review of the Privacy Act.
“From the point of view of building a series of infrastructure, you are potentially putting the cart before the horse in that it will have to respond to a brand new regime,” she said.
Another major concern was the broadness of the bill. Speakers said the draft legislation could allow the powers to be used in unintended ways, including to circumvent protections.
Jonathan Gadir from the NSW Council for Civil Liberties spoke about the definition of data as “all data collected, created or held by the Commonwealth”, saying that that encompassed much more than necessary to achieve the bill’s goals.
“This kind of information is often intimate and sensitive,” he said. “It includes information about living arrangements, about relationships, about finances that is disclosed to Centrelink to receive a pension, or disclosed to immigration as part of a visa application.”
Labor senator and committee member Tim Ayres repeatedly asked if the bill was drafted in a way that would allow the powers to be used for enforcement, hinting at a reluctance from the opposition.
“The problem from their perspective is that the bill is drafted by true believers in the overwhelming public purpose and that it doesn’t take into account the privacy concerns in any way approaching that,” Ayres told Anton.
He also asked if the powers could be used by the National Disability Insurance Agency to seek data on those in the National Disability Insurance Scheme.
“If data sharing is used to determine the appropriate level of support for an individual, there’s a very close relationship between that and subsequent compliance activity,” he said.
Despite the idea of mandating that shared data would be anonymised, Digital Rights Watch’s executive director Lucie Krahulcova was not reassured.
“We have seen cases where security researchers have been able to de-anonymise data that had been leaked in Australia and there was very little done by government,” she said.
Data sets created by the government would be highly sought after both by private companies and by foreign interests, she said, and citizens expect government will protect their information.
Justin Warren from Electronic Frontiers Australia agreed and said civil penalties — currently capped at 300 penalty units or $66,000 — would not dissuade bad actors from ignoring protections in the bill.
“Personal information is extremely valuable,” he said. “If I managed to get hold of a data leak of every Australian’s medical record, 66 grand sounds like a pretty fair fee.”
Data grabs and privacy fails
Warren also said government should have to prove its proficiency at protecting the public’s privacy — citing problems with the census and robodebt — before embarking on these reforms.
The Australian Privacy Foundation’s Dr Bruce Arnold said he was weary of years of pushing back against governments’ requests for more information and data from citizens.
“We start off with lovely motherhood statements from people like Stuart Robert: ‘It will be good. It’s in the national interest. You don’t need to worry. Trust us.’ But over time we see a creep; we see an erosion,” he said.
“We may start off, potentially, with this legislation, which doesn’t look too bad, but over time it will be weakened.”
The Senate committee will publish a report on the bill on April 29.
“But over time we see a creep.”
Seeing plenty of them right now. Oh, that’s not what you meant, oops!
Certainly do not trust the LNP, what is their real motive for this,?
No data is secure for long, whether medical, political or personal. The CIA can view your colonoscopy if they want. So lets keep our shit secret as long as we can, please.
Thanks for the heads up.
what privacy – look at eHealth everyone thought it a bad idea for years – but successive governments spent so much money on it that Hunt made it pseudo compulsory to save face for spending so much money on a bad idea. Then the government will sell off the data to insurers and employers It already has been hacked and if anyone wants access it is easy enough for free.
Data is needed to understand, forecast, plan and manage policy or agency outcomes through sharing e.g. traffic, community health etc.; but data privacy and related penalties may be prone to sub-optimal application in Australia’s political media environment.
The issue or concern for most is individual privacy protections, while the data would be more aggregated or datasets for analysis, without a need for any individual identification.
Data privacy or protection is the issue in Australia which has weak penalties (for large agencies or firms) for misuse of personal data whether media, AFP, NDIS etc..
This is opposed to the EU’s GDPR (General Data Protection Regulation) which seems to be more robust and make large global organisations pause for thought:
‘The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements. However, not all GDPR infringements lead to data protection fines.‘
Like many nations do, and also due to the ‘Brussels Effect’ (e.g. carbon emissions tariffs on imports), it would be simpler to replicate the EU GDPR but….. does not cater to Australian players whether in media, politics, PS or corporate
An example in Oz was cited by MWM regarding the allegation that a well known pollster for the Libs was able to access millions of unlisted mobile numbers…… under the guise of ‘research’.
In MWM article ‘A Pushy Number: Libs’ pollster Crosby Textor granted access to 27 million unlisted mobiles’ by Jommy Tee, Oct 16, 2020