
Critics label data-sharing Bill as 'eroding privacy in favour of bureaucratic convenience'

Australia’s pending data-sharing Act has been touted by the government as allowing the public service to make better use of the data it already holds, but Dr Bruce Baer Arnold from the Australian Privacy Foundation would argue it does so at the cost of privacy protections.

“The Honourable Stuart Robert has promoted the legislation as providing, ‘Strong privacy and security foundations for sharing within government’. It’s both deeply regrettable and very unsurprising that the Bills do not provide those foundations,” he told the Senate Committee probing the Data Availability and Transparency Bill 2020.

“The Bill reflects the ongoing erosion of Australian privacy law in favour of bureaucratic convenience.”

He added that he believed the Bill would obfuscate recurrent civil society requests for privacy protections.

Also facing the committee was Jonathan Gadir from the NSW Council for Civil Liberties, who highlighted the discrepancy between the goals of the Bill and what it actually allows to occur.

“The term ‘public sector data’ is really giving the impression that data contemplated by the Bill is aggregated statistics of some kind — the definition in the Bill is far broader than the goals would require, encompassing ‘all data collected, created, or held by the Commonwealth or on its behalf’,” he said.

“This obviously includes detailed personal information. And this kind of information is often intimate and sensitive.”

Such information, Gadir explained, includes information about relationships and finances, which is disclosed to Centrelink to receive a pension, or disclosed to Immigration as part of a visa application.

“People are revealing most intensely intimate parts of their lives right now to Border Force as they beg for permission to be allowed to leave the country,” he said. “So the broad definition of public sector data is not really the right one for this Bill.”

He said that if the Bill was really just to improve service delivery, inform policymaking, and allow for research, then there should be a definition of public sector data to reflect that.

“Let’s exclude personal information from the definition of public sector data and say that it must be anonymous. Let’s also say the permitted purposes should not include making administrative decisions that will affect individuals,” he continued.

“Basic fairness and civil liberties are really under threat when personal information we’re compelled to disclose to a government agency is then spread silently behind the scenes to other agencies or private companies, and is able to be used in surprising and unexpected ways.”

Chadwick Wong, senior solicitor at the Public Interest Advocacy Centre, similarly said a fundamental reconsideration of the intention of the legislation was needed.

He said the Bill seemed to be “cutting both ways”: it covered the provision of government services through the sharing of personal information to enable the “tell us once” idea, while simultaneously covering research and development, which interim National Data Commissioner Deborah Anton declared would be largely de-identified data.

“That’s two entirely different purposes and you can’t, I would submit, that you can’t really capture them both in the same piece of legislation, especially if one of the proposals is de-identified data,” Wong said.

Gadir also raised concerns that the Bill’s passage could come before the completion of the review of the Privacy Act 1988 by the Attorney-General.

“This Bill is a really big carve out from the protections of the Privacy Act, applying to a very high risk activity of data-sharing. And this is happening at the same time that another arm of the government is telling us that they want to strengthen the Privacy Act,” he said.

Anton earlier stated the Privacy Act would continue to apply, saying that the scheme would not override or change any elements of that.

But Gadir said Anton’s characterisation was “not correct”.

“I think the Bill should not be passed until we’ve looked at, and ultimately, we’ve fixed, the existing weak regime,” Baer Arnold said of holding off until the Privacy Act review is complete. “This Bill is being driven by institutional imperatives, political convenience, without any regard for human rights.”

Baer Arnold said the legislation, as currently drafted, provides very little transparency.

“We’re very much relying on individual agencies doing the right thing; individual agencies may well have very different views about what’s appropriate and what’s not,” he said.

“We have nice language that government agencies will be custodians.”

Baer Arnold is fearful the current Bill, much like what he’s witnessed with previous legislation, could become weakened even if it started out as promising.

“What we see as we start off with sort of lovely motherhood statements from people like Stuart Robert, ‘it will be good, it’s in the national interest, you don’t need to worry, trust us’, and over time, we see a creep, we see an erosion,” he said.

“It’s opened up to a range of bodies that we would consider to be inappropriate, it’s opened up to uses that we would consider to be inappropriate, but administratively convenient, and possibly punitive.”

He said trust would be misplaced if people believed entities such as the Office of the Australian Information Commissioner would somehow “come to the rescue” if a breach occurs.

Wong also shared his concerns that it is unknown exactly what particularly sensitive data would be excluded from the regime.

Anton earlier testified that COVIDSafe data, as well as electoral roll and My Health Record data, would be prohibited from sharing under the regime.

Wong said that without knowing what sort of data would be excluded from the Bill, nor seeing the full suite of regulations and guidelines, it would be hard to determine if the Bill was at odds with human rights privacy obligations.

“I think what we need is the full package of proposed reforms before we’re able to comment on some of these privacy issues,” he said.



Source: Information Technologies - zdnet.com
