As the federal government reviews privacy legislation, privacy and legal groups have sounded the alarm over a new bill that would make it easier for government agencies to share information with other government and non-government organisations, including businesses and researchers.
On Tuesday the Senate Standing Committee on Finance and Public Administration held a hearing into the bill at which interim national data commissioner Deborah Anton argued the changes would open up existing data to improve government.
“The bill seeks to progress a necessary set of reforms to modernise [public service] data-sharing practices, to set higher and consistent standards, and to add additional transparency to ensure the public know what is being done with their data,” she said.
Under the proposed act, a national data commissioner would oversee the implementation of the scheme, which would allow “data custodians” — the government body that possesses the data — to grant access to third parties only for the reasons of improving government services, informing policy, and research and development.
There are a number of exemptions, including precluding sharing data for national security or enforcement actions.
Anton said the bill would enable people to have to give information to government only once, rather than over and over with different agencies.
“If the public have told us something and it’s held in silos and we can’t share it,” she said, “wouldn’t it be simpler and easier for them if we could actually pick it up and reuse it where they’re comfortable with that?”
Carve-out of Privacy Act
Privacy and legal groups were unanimous in their concerns. Many said the bill represented a carve-out of the Privacy Act.
Olga Ganopolsky from the Law Council of Australia said it was “weird” the government would push forward with the bill while the Attorney-General’s Department was running a review of the Privacy Act.
“From the point of view of building a series of infrastructure, you are potentially putting the cart before the horse in that it will have to respond to a brand new regime,” she said.
Another major concern was the broadness of the bill. Speakers said the draft legislation could allow the powers to be used in unintended ways, including to circumvent protections.
Jonathan Gadir from the NSW Council for Civil Liberties spoke about the definition of data as “all data collected, created or held by the Commonwealth”, saying that that encompassed much more than necessary to achieve the bill’s goals.
“This kind of information is often intimate and sensitive,” he said. “It includes information about living arrangements, about relationships, about finances that is disclosed to Centrelink to receive a pension, or disclosed to immigration as part of a visa application.”
Labor senator and committee member Tim Ayres repeatedly asked if the bill was drafted in a way that would allow the powers to be used for enforcement, hinting at a reluctance from the opposition.
“The problem from their perspective is that the bill is drafted by true believers in the overwhelming public purpose and that it doesn’t take into account the privacy concerns in any way approaching that,” Ayres told Anton.
He also asked if the powers could be used by the National Disability Insurance Agency to seek data on those in the National Disability Insurance Scheme.
“If data sharing is used to determine the appropriate level of support for an individual, there’s a very close relationship between that and subsequent compliance activity,” he said.
Despite the idea of mandating that shared data would be anonymised, Digital Rights Watch’s executive director Lucie Krahulcova was not reassured.
“We have seen cases where security researchers have been able to de-anonymise data that had been leaked in Australia and there was very little done by government,” she said.
Data sets created by the government would be highly sought after both by private companies and by foreign interests, she said, and citizens expect government will protect their information.
Justin Warren from Electronic Frontiers Australia agreed and said civil penalties — currently capped at 300 penalty units or $66,000 — would not dissuade bad actors from ignoring protections in the bill.
“Personal information is extremely valuable,” he said. “If I managed to get hold of a data leak of every Australian’s medical record, 66 grand sounds like a pretty fair fee.”
Data grabs and privacy fails
Warren also said government should have to prove its proficiency at protecting the public’s privacy — citing problems with the census and robodebt — before embarking on these reforms.
The Australian Privacy Foundation’s Dr Bruce Arnold said he was weary of years of pushing back against governments’ requests for more information and data from citizens.
“We start off with lovely motherhood statements from people like Stuart Robert: ‘It will be good. It’s in the national interest. You don’t need to worry. Trust us.’ But over time we see a creep; we see an erosion,” he said.
“We may start off, potentially, with this legislation, which doesn’t look too bad, but over time it will be weakened.”
The Senate committee will publish a report on the bill on April 29.
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.