Privacy czar out of data breach game
David Watts: Government taking data seriously but with no strategy
The government has finally recognised the importance of data and security but has no effective strategy to oversee it, creating widespread confusion in Canberra, according to former Victorian privacy commissioner David Watts.
Mr Watts, who is now professor of information law and policy at La Trobe University, said that with no extra funding to oversee the mandatory data breach notification scheme and no additional funds in this month’s budget, the government is moving beyond the Office of the Australian Information Commissioner (OAIC) in dealing with data.
“The reason the OAIC has received virtually nothing extra is that the landscape is moving away from them. They got no funding for the data breach notification stuff, and to be frank, they aren’t an effective regulator. That’s widely thought but maybe not widely said,” Mr Watts told InnovationAus.com.
“You’ve got to ask yourself, in this new regulatory environment and new data environment, what value do they add?”
The federal budget did allocate $12.9 million from 2018-19 to the OAIC to “assess the privacy impact of designating sectors subject to the National Consumer Data Right and to ensure consistency of rule-making with the Privacy Act 1988”, and staff levels increased by 18 full-time workers year-on-year.
But the agency received no extra funding, despite a significantly increased workload thanks to the data breach regime and a jump in FOI reviews, along with a much-publicised inquiry into Facebook’s data handling techniques.
The government has sidelined the OAIC with a lack of funding and resources, he said, and placed the responsibility of overseeing data and its security to the big economic departments and regulators.
“Essentially the government has now recognised that data is really important and that its importance transcends the province of the data or information commissioner. It’s now a concern of serious economic departments, plus the competition regulators,” Mr Watts said.
But without a viable strategy or vision, this important transition will be fruitless, Mr Watts said.
“At the same time, the regulatory landscape is fragmenting. You now have consumer data rights, the possibility of data portability and a new data commissioner. It’s a really interesting transitional stage where data is involving the heavy economic hitters and therefore they’re now taking an interest in it,” he said.
“They’re having money spent on them, but no-one has articulated a new regulatory vision for all of it. They’re all wandering around in Canberra not knowing what they’re doing. No-one can put together a big picture strategy. The problem with it all is that this new regulatory environment is increasingly fragmented and complex. From a public policy point of view, how do you navigate this stuff? It’s becoming increasingly difficult.”
Late last year, the government confirmed it would be moving to legislate a National Consumer Data Right, giving customers access to their data in certain sectors in order for it to be passed on to third party providers. Banking, telecommunications and energy will be the first industries subject to this data right.
The budget allocated $44.6 million over four years from 2018-19 to establish the consumer data right, with this funding spread out across a number of agencies. More than $20 million will be given to the ACCC to “assist in determining the costs and benefits of designating sectors that will be subject to the CDR, and to develop and implement rules to govern the data right and the content of data standards”.
The CSIRO also received $11.5 million in extra funding for its role as the data standards setter in the scheme.
The Consumer Data Right has fallen under the Treasury portfolio, but many public servants there are not ready to oversee such a data scheme, Mr Watts said. A National Data Commissioner will also be established to oversee the new data right.
The government needs to formulate a whole-of-government strategy for this department, and move these policies outside of the innovation portfolio, he said.
“At the moment everything is atomised - economic departments are looking at it, competition regulators are looking at it, maybe the OAIC is looking at it. But it needs to sit outside innovation and disruption and all of that stuff and look at all of the issues with what we want to do with the data for the future,” he said.
“We need to do a lot better than what we’ve been doing. We need to have a serious think about what our data future is. At the moment it’s too fragmented and it’s being held hostage to some pretty powerful interests. It sits within an innovation-type portfolio and that’s just simply not serious enough and doesn’t have enough firepower to deal with these sort of issues.”