The federal government only addressed three out of 13 recommendations from a Privacy Impact Assessment of its sweeping new data-sharing scheme in the final legislation presented to Parliament.
The Data Availability and Transparency Bill (DATB), which would herald a significant expansion of the sharing of public sector data between agencies, departments and private sector organisations, is currently the subject of a senate inquiry.
The new scheme would present a “new path” for the sharing of data that is currently blocked by secrecy or privacy provisions.
A Privacy Impact Assessment (PIA) by Information Integrity Solutions of the final legislation, which was introduced to Parliament late last year, has now been released publicly by the government.
In the assessment, Information Integrity Solutions found that the overall risks of the new data-sharing schemes are “potentially high”, with a “very wide” range of information in play. But the company found the framework is “strong”, and that its “layers of defence have the potential to work together to identify and carefully manage privacy risks”.
“Data sharing of the sort that the DATB would authorise, where it involves personal information, carries high inherent privacy risks. It could involve large volumes of data used in a new context, removed from the settings in which the information was originally collected,” the PIA said.
“It will be taking place in a rapidly changing technological and social environment and in an expansive and distributed system with many players. While the framework is strong, its elements alone will not be sufficient to protect privacy; whether it stands up to the task will critically depend on its implementation and assurance.”
The PIA makes one key recommendation to government: agencies and departments should not automatically be accredited to receive data under the scheme, and the National Data Commissioner (NDC), who will oversee the scheme, should be able to request further evidence of compliance.
The report also revealed that the government only fully acted on three of the 13 recommendations from a previous Privacy Impact Assessment completed by the same company, in developing the final version of the legislation.
The three recommendations the government did introduce to the bill include the exclusion of the sharing of data for compliance and assurance purposes, defining the meaning of “permitted purposes” in the bill’s explanatory memorandum and specifying “privacy” in the NDC’s advisory functions.
The other 10 recommendations were not acted on in the final piece of legislation, with the government arguing that many will be delivered in regulations and frameworks to be produced after the bill is passed by Parliament, and only agreeing to others in principle.
A key disagreement between the privacy company and the federal government is around the accreditation process for non-corporate Commonwealth entities.
In the final version of the legislation, Commonwealth entities would be automatically accredited to receive data under the scheme, without having to pass the same accreditation process that will be applied to private sector businesses.
This change blindsided the Australian Information Commissioner, who said the “significant change” was made with no consultation.
The PIA also blasted the change, calling for the NDC to have more scope in accrediting government departments and agencies.
“While it may be reasonable to streamline the accreditation process for non-corporate Commonwealth bodies, there must still be a process for accessing these bodies’ data handling practices and arrangements against the accreditation criteria,” the report said.
“If the NDC cannot seek evidence to support an accreditation application or refuse an accreditation application, the whole framework is weakened.”
The company conducting the assessment called on the government to allow the NDC to seek evidence from an agency to support their application under the scheme, and to refuse accreditation if there are “sufficient grounds” to do so.
In response, the government agreed “in part” to this recommendation, but made no changes to the accreditation process in the final version of the legislation.
The government said that the NDC can move to impose a condition on government agencies and departments under the scheme, and this is enough to ensure they are compliant with privacy provisions.
“The imposition of a condition of accreditation could, to a significant degree, manage the risk this recommendation seeks to address, so the Office of a National Data Commissioner does not consider that amendments to the DATB are required,” it said.
The Office of the Australian Information Commissioner (OAIC) was also highly critical of this change in its submission to the senate inquiry, saying it risks “undermining” the entire scheme.
“Accreditation plays an important role in ensuring that entities have appropriate processes, systems and procedures in place to support safe personal information handling practices,” the OAIC submission said.
“The effectiveness of an accreditation framework rests on the accreditation criteria being set at an appropriate level and accreditation standards and process being applied consistently across the scheme.”
The PIA also raised concerns about the NDC being housed within the Department of the Prime Minister and Cabinet (PM&C) rather than being a separate entity, and about its dual roles of promoting data sharing and protecting privacy.
The report raised “reservations” with the structure of the Commissioner’s office.
“While there is no intrinsic reason why such a model will not work well, experience has shown it does not always work in practice,” the PIA said.
“Where an office holder does not have full control of their budget or staff, there is potential for conflicts or situations to arise that can impede their ability to do the job. Additionally, there is at least potential for the National Data Commissioner to have, or be perceived to have, less standing or autonomy because of its location.”
The senate committee is expected to table its report on the data-sharing legislation on Friday.
Do you know more? Contact James Riley via Email.