Govt has another go at criminalising data re-identification

Denham Sadler
National Affairs Editor

The federal government will again attempt to pass legislation criminalising the illegitimate re-identification of public sector data sets, despite its attempt to do this five years ago stalling due to concerns it could lead to the jailing of researchers.

The discussion paper for the broad-ranging review of the Privacy Act includes a proposal that the controversial Re-Identification Offence Bill be re-introduced to Parliament with amendments.

The bill, first tabled in 2016, introduces new civil and criminal penalties for individuals or companies who re-identify data that has been de-identified and released by public sector organisations.

The legislation included exemptions for government agencies and their service providers, but drew the ire of the research community and privacy advocates, who argued that the government should instead better ensure the security of the data it releases, and that the new penalties would deter public interest research.

The legislation stalled after Labor and the Greens signaled their opposition to it, saying it was “disproportionate”, and it lapsed in 2019.

The federal government is now considering re-introducing the legislation, along with a proposal to require that data is fully anonymised rather than just de-identified.

The original bill was unveiled soon after researchers Vanessa Teague, Chris Culnane and Benjamin Rubinstein revealed that de-identified patient data released by the federal Department of Health could be re-identified.

The same researchers also later showed that data released by the Victorian government on the public transport system could be re-identified using just two data points.

Professor Teague said the proposed re-introduction of the bill is concerning and would do nothing to improve data security in Australia.

“Jailing data scientists for re-identifying incompetently released data is as helpful for preventing data breaches as banning geiger counters downwind of Chernobyl is for preventing nuclear accidents,” Professor Teague told InnovationAus.

“The incompetently released inadequately de-identified data will still be out there, you just won’t hear about it from Australian scientists because we’ll be in jail. They still haven’t notified the people whose easily-identifiable Medicare and PBS data was published online in 2016.”

The Privacy Act review discussion paper proposes that the Re-Identification Offence Bill be introduced to Parliament with “appropriate amendments”.

“The purpose of the bill was to deter the re-identification of publicly-released data sets and support the government’s Public Data Policy Statement, which recommended that non-sensitive government data be made ‘open by default’,” the discussion paper says.

“Re-introducing this bill, with appropriate amendments to support the review’s reforms and address concerns raised by the Senate Committee, could be a useful tool to support the broader change to anonymisation.”

The discussion paper also proposes that data sets released by government agencies be anonymised rather than de-identified.

“While anonymisation would mitigate privacy risk before information is publicly released, this offence could address concerns about malicious re-identification of information that has already been publicly released,” it said.

The original legislation did allow for ministerial discretion to exempt an individual from punishment for “research involving cryptography, information security or data analysis”, but Professor Teague said at the time that this wasn’t enough to avoid deterring research.

“Researchers might well be left in the ridiculous situation of being unable to tell the government what they had discovered during the time that they had thought the investigation was legal, for fear of going to jail over a misunderstanding,” Professor Teague said in a submission to government.

“Criminalising re-identification without a clear and explicit exemption for research or a defence on the grounds of public interest will be bad for privacy and information security. It will make the government far less likely to learn about a problem before criminals and foreign governments do.”
