New laws that “fundamentally change” the way the federal government handles the personal data of Australians will have “enormous consequences” for individual privacy, civil and digital rights groups have warned.
The data-sharing plan, which expands the sharing of data between public sector agencies and the private organisations, is “fundamentally flawed and violates community expectations”, according to the NSW Council for Civil Liberties, while Digital Rights Watch says the scheme “threatens to further erode” the legislative privacy protections of Australians.
The government introduced the Data Availability and Transparency Act to Parliament in December last year after nearly three years of development and consultations. It is now the subject of a Senate committee inquiry.
The act provides a “new path” for the sharing of data which is currently blocked by secrecy provisions or other laws and would lead to more identifiable data being shared among agencies and departments, and for de-identified data to be shared with universities and think-tanks.
Consent would be required for the sharing of data unless it is “unreasonable or impracticable to obtain”.
The law changes enable “the robodebt scenario in an accelerated form”, the NSW Council for Civil Liberties (NSW CCL) said in a submission to the senate inquiry.
“This bill ignores the real-world experience and gives unjustified priority to a technocratic vision of ‘improved service delivery’. This will have enormous consequences for individuals and is unnecessary to achieve the aims of delivering better government services, informing government programs and research,” the NSW CCL submission said.
“Basic fairness and civil liberties are under threat when personal information we are compelled to disclose to get one outcome from a government agency is then spread silently, behind the scenes, to other agencies or private companies and is able to be used in surprising and unexpected ways when we engage with those other agencies for some other purpose.”
The government needs to make some “fundamental changes” to the legislation, including the exclusion of personal information, the introduction of minimum standards for anonymisation, and improved independence for the Commissioner who will oversee the scheme, the organisation said.
“There must be a purpose exclusion preventing personal information being shared without express consent and preventing it being used to make an administrative decision about a person which harms or disadvantages a person,” the submission said.
In its submission, Digital Rights Watch raised concerns that the legislation was being debated alongside the review of the Privacy Act the government is currently undertaking and said it “threatens to further erode the limited protections enshrined in the existing Privacy Act”.
“This bill would make it easier for government agencies to share data containing personal information with each other, allowing any government entity to access any and all the information the government holds about an individual,” the Digital Rights Watch submission said.
The organisation is particularly concerned about the potential for much of this data to be shared without the consent of individuals, as it was willingly given to government for another service.
“This completely fails to secure individuals’ control of their data because the overwhelming majority of personal data shared with government agencies is legally mandatory to engage in those services,” Digital Rights Watch said.
“This bill seems to glaze over the right of the individuals to give informed consent any number of times over the course of their lifetimes.”
The new law “threatens to fundamentally alter how personal data is treated and viewed in Australia”, the submission said, which may lead to “ending trust in government services and completely removing the notion of ‘informed’ form consent”.
The Privacy Act review should be completed, and the legislation updated before the new law is passed, and the reliable anonymisation of personal information should be required, the organisation suggested. Consent should also be defined in line with the European Union’s General Data Protection Rule, it said.
Electronic Frontiers Australia warned that the new sharing powers would create a “backdoor” for accessing data that is currently protected, or that was given to government on the assumption it would be protected.
“This bill risks further undermining Australians’ right to privacy and to have their data protected from unauthorised access. In a time of increasing threats to data security and privacy, it is strange that the government would seek to further increase the risks to Australians by proposing a bill such as this,” the Electronic Frontiers Australia submission said.
The legislation is focused on the economic benefits of the increased sharing of data rather than on upholding the privacy of individuals, the organisation said.
“It appears that data about people is viewed as a naturally occurring resource to be exploited rather than as the often sensitive and personal information about individuals that it actually is,” Electronic Frontiers Australia said.
“By treating citizens interacting with their government, often mandatorily, as an opportunity to obtain a valuable commodity for free, the bill converts people into mere passive things from which money – in the form of data – can be extracted, often by threat of force.
“This approach inverts the relationship between the individual and the state so that the individual services the economic needs of the state, rather than the state operating in service of the needs of the populace. Australians’ data should not be used for profit.”
The legislation does not include adequate safeguards and would instead “erode an already weak data protection regime”, the Australian Privacy Foundation said in a separate submission.
“The regime exacerbates ongoing balkanisation of privacy law, something that is of particular concern given the mandatory nature of much data collection, the incapacitation of watchdogs and the unavailability to Australians of specifics regarding what data is being shared,” the group said.
“Civil society has deep and substantive concerns regarding the potential for inappropriate commercialisation as a secondary consequence of gifting researchers with data that is then aggregated for commercial gain.”
It’s not just civil and digital rights groups sounding the alarm on the new data-sharing scheme, with the Australian Medical Association also slamming the legislation for not including minimum privacy protections and for potentially allowing the sharing of sensitive health information with insurance firms.