The Commonwealth Government releases the exposure draft of the Data Availability and Transparency Bill 2020

September 17, 2020 |

Yesterday the Australian Government released a Consultation Paper with the exposure draft of the Data Availability and Transparency Bill 2020 (the “DAT Bill”).

The Consultation Paper is a mere 33 pages.  The exposure draft of the DAT Bill comes in at 104 pages with the explanatory memorandum coming in at a relatively slender 74 pages.  The enactment of the DAT Bill will give rise to consequential amendments which are found in the Data Availability and Transparency (Consequential Amendments) Bill 2020 and accompanying explanatory memorandum.

The consultation period, for comments and submissions, closes at 5pm on 6 November 2020.  Given the breadth and depth of the DAT Bill that is quite a short time frame in the age of COVID.

The road has been smoothed for the introduction of this quite radical, on one view, and transformative, on another, change to the usage of data collected by public agencies.  The interim National Data Commissioner has framed the proposal, in her press release Modernising government data sharing, in terms of being a modern development to suit the modern times. It is described in terms of a clean up of multitudinous laws which prevent “agencies from sharing information and coordinating efficiently to deliver better health, education and other important community and social services.”  It is all about efficiency.  That is a familiar refrain from public servants for an eon.  To read the Minister’s release  Enshrining privacy and security regime for data use key to the delivery of simple and accessible government services, one would expect it to deal with a key concern, privacy and data security, in the DAT Bill.  In fact the statement talks about improvement in provision of government of services with  the sole reference to privacy and cyber security being “..this legislation will put in place the strong privacy and security foundations.” The statement  relevantly provides:

A major milestone in the Morrison Government’s reforms to government services was reached today with the release of the Data Availability and Transparency Bill for public comments.

The Bill will establish the foundations of a seamless and proactive experience of government services, by enshrining in legislation privacy and security safeguards that set out modern foundations for use of data across the Commonwealth government.

The changes are key to ensuring Australians are able to access modern government services that address their needs and provide a single view of the government for every person and business.

‘When Australians reach out for government services it is often at times of great need,’ Mr Robert said.

‘We have to do our best to provide seamless services that meet the needs of Australians, wherever they are, whether it is to receive some assistance at a difficult time, get a job or start a business.’

‘Australians rightly expect different parts of the government to talk to one another and this legislation will put in place the strong privacy and security foundations to make this happen.’

‘The Data Availability and Transparency Bill is a key reform that will enable us to make government smarter and deliver more responsive services to the needs of Australians.’

The immediate commentary is somewhat more sceptical about the proposal. The ABC’s Draft legislation proposed by Federal Government would allow your personal data to be shared between government agencies highlights the prior history of poor history of Government departments in managing data and the limited real ability to withhold consent.  The report also makes the point that the DAT Bill does not improve Australian’s limited right to access government data.

The article provides:

If it sometimes seems like different arms of the government don’t talk to each other, it might be because they can’t.

There are a raft of laws covering departments, agencies and other government bodies that mean they can’t share the data they collect about you.

It’s designed to protect your privacy, but the Federal Government thinks it’s outdated and has drafted legislation to allow more data-sharing.

What will change?

The Data Availability and Transparency Bill would override the different laws and provisions covering data collected by government bodies.

Instead, the National Data Commissioner would oversee a regime to allows data-sharing across the public sector, provided various protections are kept in place.

That would include the likes of Centrelink, the Australian Tax Office, the Department of Home Affairs Department and the Bureau of Statistics, as well as bodies such as the Australian Institute of Health and Welfare.

But it could also see public sector information shared with other “accredited” bodies, including universities, think-tanks, businesses and not-for-profit groups.

Under what circumstances could data about me be shared?

Government departments and agencies would only be able to share data for three purposes: to deliver government services, to help develop government policies, and for research and development.

The bill specifically excludes sharing information for the purposes of law enforcement, compliance, national security and targeted commercial marketing.

The Minister for Government Services Stuart Robert says it will allow government agencies to streamline their services and cut down on duplication.

“If you apply for a Disability Support Pension, we will ask you a whole range of questions — some of them quite intrusive and difficult, for obvious reasons.”

“And then we’ll do exactly the same thing if you are applying for NDIS and then we’ll do the same thing when you apply for the age pension.”

Sounds good, what’s the problem?

Well, there’s not a lot of trust in government departments and agencies to handle sensitive personal data.

Privacy advocates have pointed to a blunder by the Health Department in 2016 that meant personal Medicare information could be extracted from data published online as an example of what could go wrong.

They also point to the growing number of government agencies allowed to access people’s metadata as evidence privacy protections aren’t always as strong as they seem.

So, what protections would there be for personal information in this case?

Each of the organisations involved would be responsible for having strong privacy safeguards for personal information and report any breaches.

They’d be expected to provide specific data to other departments and agencies, not just hand over all their information.

There are fines and even jail terms for people who misuse personal data.

Digital rights advocacy group Electronic Frontiers Australia (EFA) is concerned there is no way for individuals to object or appeal decisions to share data across the public sector.

There’s also no provision for judicial review, with the regime to be overseen by the independent National Data Commissioner.

EFA board member Justin Warren suggests the Federal Government follow up an Australian Law Reform Commission recommendation to establish a tort of privacy, which would allow someone to seek civil damages if their privacy is breached.

“That would go a long way to providing us with some recourse — and some deterrence — for entities that don’t do this (privacy protection) well.”

What if I don’t want data about me to be shared?

There’s not much you can do, if this becomes law.

The Federal Government considered the idea of consent when consulting on the issue before drafting the legislation.

Minister for Government Services Stuart Robert has told the ABC consent is implied when someone uses a government service.

“If an Australian wants a service by a government, they obviously have to consent to having that service delivered to them,” he said.

“If they don’t want a service (from) government, they don’t have to.”

The government has data about me. What if I want data from the government?

There’s nothing in this legislation that gives Australians more access to government data.

“They want to share data between government entities about citizens, what about the other way?” EFA’s Justin Warren asks.

“Data about individuals — you and me — is quite sensitive and has lots of privacy implication,” he said.

“But there is lots of data about government that could be made more available that doesn’t have any of the same safety or security problems that data about individuals does.”

He believes the Government should be focusing on sharing the non-personal data, such as making public how much money is spent on social security every week, or publishing more frequent inflation data.

The Federal Government will be taking feedback on the draft law for the next eight weeks and hopes to introduce it to parliament early next year.

The always innovation Aus provides a very useful overview in Govt unveils public sector data-sharing regime which provides:

The federal government has finally unveiled draft legislation outlining a new data-sharing regime for public sector information, which would involve far more data being shared across agencies and to the private sector, at times without consent of the individual.

The exposure draft of the Data Availability and Transparency Act introduces a new scheme for public sector entities to share data on individuals that is currently prevented by secrecy provisions or other non-disclosure prohibitions on sharing.

It will enable much easier and more widespread sharing of data between departments and agencies, and other accredited entities, which may include universities, think tanks or not-for-profits.

The reforms stem from a 2017 Productivity Commission report on the issue, and the Coalition has been consulting on them since 2018. The government had planned to introduce the final legislation to Parliament earlier this year but this was put on hold due to the ongoing COVID-19 pandemic.

Consultations will be held on the draft legislation until November, but the government has not committed to when the bill will be introduced to Parliament.

Government Services Minister Stuart Robert said the draft legislation is an “important milestone” and will ensure the government makes better use of the data it already holds.

“For too long, there has been a lack of consistent and clear framework for making good use of data. We need to make sure the information the government collects and holds can be accessed in a safe and timely way to respond to the needs of Australians,” Mr Robert said.

“We need to accelerate this government’s commitment to creating a seamless digital experience for the Australian public, now and into the future.”

According to the government, the new laws will allow for easier sharing of data, with adequate protections and safeguards to be put in place.

“Currently, sharing is done in an ad hoc manner, with users potentially having to establish their credentials every time they interact with the system. Sharing is subject to legislative protections and the individual agencies’ interpretations of them. Often interpretations are not revisited as technology evolves and community expectations around reasonable use and reuse of data change,” the government said.

“This sharing space is ripe for reform. Modernising the safeguards and regulating the sharing space can enable Australians to benefit from better services, policies, programs and research.”

The legislation allows for the sharing of public sector data by data custodians – agencies and departments – with accredited users, for the purpose of delivering government services, informing policy and programs and for research and development.

The draft bill expressly prohibits the sharing of data for enforcement-related purposes.

The legislation also formalises the position of the National Data Commissioner, who will be responsible for oversight of the data sharing scheme and annually reporting on it.

This commissioner will be responsible for accrediting entities looking to receive data, and its decisions will be able to be subject for merits and judicial reviews, but individuals will be powerless to challenge the decisions made by departments or agencies.

The issue of consent was central during the government’s consultations on the planned reforms. Earlier this year the government indicated that consent would not be required for the sharing of data, saying that while “consent is important in certain situations, the societal outcomes of fair and unbiased government policy, research and programs can outweigh the benefits of consent, provided privacy is protected”.

The latest version of the bill requires consent unless it is “unreasonable or impracticable to obtain”, and that this may depend on the “amount, nature and sensitivity of the data involved, and whether individuals gave informed consent for uses including the proposed sharing at the point the data was originally collected”.

Speaking to ABC Radio, Mr Robert appeared to indicate that by using a government service, Australians were consenting to their data being used and shared.

“If an Australian wants a service by a government, they obviously have to consent to having that service delivered to them. If they don’t want a service [from] government, they don’t have to,” Mr Robert said.

The sharing of data under the new scheme will be based on four principles: that it is for an appropriate project, is made available to only the appropriate people, is done in a controlled environment and with protections in place.

The privacy protections in place are based on the existing Australian Privacy Principles and the notifiable data breach scheme, and will be up to the individual agencies and departments to uphold.

Submissions on the draft legislation are due by 6 November.

In the itnews Govt elevates consent in proposed public data sharing laws the focus is on the National Data Commissioner position will be to embed within one of the five data sharing principles as opposed to the previous position that it will be encouraged.

The always insightful Bruce Arnold highlights the weakness of the DAT Bill and the underlying premise in his Towards a post-privacy world: proposed bill would spur open data sharing between agencies which provides:

The federal government has announced a plan to increase the sharing of citizen data across the public sector.

This would include data sitting with agencies such as Centrelink, the Australian Tax Office, the Department of Home Affairs, the Bureau of Statistics and potentially other external “accredited” parties such as universities and businesses.

The draft Data Availability and Transparency Bill released today will not fix ongoing problems in public administration. It won’t solve many problems in public health. It is a worrying shift to a post-privacy society.

It’s a matter of arrogance, rather than effectiveness. It highlights deficiencies in Australian law that need fixing.

Making sense of the plan

Australian governments on all levels have built huge silos of information about us all. We supply the data for these silos each time we deal with government.

It’s difficult to exercise your rights and responsibilities without providing data. If you’re a voter, a director, a doctor, a gun owner, on welfare, pay tax, have a driver’s licence or Medicare card – our governments have data about you.

Much of this is supplied on a legally mandatory basis. It allows the federal, state, territory and local governments to provide pensions, elections, parks, courts and hospitals, and to collect rates, fees and taxes.

The proposed Data Availability and Transparency Bill will authorise large-scale sharing of data about citizens and non-citizens across the public sector, between both public and private bodies. Previously called the “Data Sharing and Release” legislation, the word “transparency” has now replaced “release” to allay public fears.

The legislation would allow sharing between Commonwealth government agencies that are currently constrained by a range of acts overseen (weakly) by the under-resourced Australian Information Commissioner (OAIC).

The acts often only apply to specific agencies or data. Overall we have a threadbare patchwork of law that is supposed to respect our privacy but often isn’t effective. It hasn’t kept pace with law in Europe and elsewhere in the world.

The plan also envisages sharing data with trusted third parties. They might be universities or other research institutions. In future, the sharing could extend to include state or territory agencies and the private sector, too.

Any public or private bodies that receive data can then share it forward. Irrespective of whether one has anything to hide, this plan is worrying.

Why will there be sharing?

Sharing isn’t necessarily a bad thing. But it should be done accountably and appropriately.

Consultations over the past two years have highlighted the value of inter-agency sharing for law enforcement and for research into health and welfare. Universities have identified a range of uses regarding urban planning, environment protection, crime, education, employment, investment, disease control and medical treatment.

Many researchers will be delighted by the prospect of accessing data more cheaply than doing onerous small-scale surveys. IT people have also been enthusiastic about money that could be made helping the databases of different agencies talk to each other.

However, the reality is more complicated, as researchers and civil society advocates have pointed out.

Why should you be worried?

The plan for comprehensive data sharing is founded on the premise of accreditation of data recipients (entities deemed trustworthy) and oversight by the Office of the National Data Commissioner, under the proposed act.

The draft bill announced today is open for a short period of public comment before it goes to parliament. It features a consultation paper alongside a disquieting consultants’ report about the bill. In this report, the consultants refer to concerns and “high inherent risk”, but unsurprisingly appear to assume things will work out.

Federal Minister for Government Services Stuart Roberts, who presided over the tragedy known as the RoboDebt scheme, is optimistic about the bill. He dismissed critics’ concerns by stating consent is implied when someone uses a government service. This seems disingenuous, given people typically don’t have a choice.

However, the bill does exclude some data sharing. If you’re a criminologist researching law enforcement, for example, you won’t have an open sesame. Experience with the national Privacy Act and other Commonwealth and state legislation tells us such exclusions weaken over time

Outside the narrow exclusions centred on law enforcement and national security, the bill’s default position is to share widely and often. That’s because the accreditation requirements for agencies aren’t onerous and the bases for sharing are very broad.

This proposal exacerbates ongoing questions about day-to-day privacy protection. Who’s responsible, with what framework and what resources?

Responsibility is crucial, as national and state agencies recurrently experience data breaches. Although as RoboDebt revealed, they often stick to denial. Universities are also often wide open to data breaches.

Proponents of the plan argue privacy can be protected through robust de-identification, in other words removing the ability to identify specific individuals. However, research has recurrently shown “de-identification” is no silver bullet.

Most bodies don’t recognise the scope for re-identification of de-identified personal information and lots of sharing will emphasise data matching.

Be careful what you ask for

Sharing may result in social goods such as better cities, smarter government and healthier people by providing access to data (rather than just money) for service providers and researchers.

That said, our history of aspirational statements about privacy protection without meaningful enforcement by watchdogs should provoke some hard questions. It wasn’t long ago the government failed to prevent hackers from accessing sensitive data on more than 200,000 Australians.

It’s true this bill would ostensibly provide transparency, but it won’t provide genuine accountability. It shouldn’t be taken at face value.

Leave a Reply