A major shift in the way the Australian Government plans to use data could further strain the public’s trust in government and raises concerns about enforcement, personal privacy, data security and procedural fairness that warrant further discussion.
While during the current election campaign neither political party has indicated what its stance is on the reforms to data sharing proposed in a May 2018 Issues Paper, an exposure draft bill is expected sometime later this year.1
The proposed Data Sharing and Release Bill (DS&R Bill) is expected to authorise the sharing and release of data by “data custodians” (agency chief executives or their delegates) to “trusted users”, under individual data sharing agreements. A set of five Data Sharing Principles will form the centrepiece of the proposed DS&R Bill; these require the data custodian to conduct a holistic analysis of any sharing request, to identify the controls necessary to safeguard data. If after applying the Data Sharing Principles, sharing or release of the data still gives rise to risks, the data custodian may, under the proposed DS&R Bill, either:
- re-visit the application of the Data Sharing Principles; or
- reject the data sharing or release request.2
At present, most agencies avoid sharing, whether actively or by convention. The reforms described in the Issues Paper seek to reverse this and to derive greater value from Australian Government data holdings. This represents a fundamental change in approach, which to date — given the potential impact of the proposed changes — has been subject to relatively little public discussion.
This article, the first in a series of four, considers a threshold issue that does not appear to have been addressed at any point in the lead up to the release of the Issues Paper or, indeed, in the consultation process that has followed: whether the sharing by government of data obtained through routine administrative activity has the support of Australians. It also identifies a number of key questions/issues arising from the approach proposed.
The second article will consider the experience of South Australia in adopting legislation relying on a scheme similar to that proposed for the DS&R Bill. The third article will consider the application of the Data Sharing Principles, with the final article focussing on the role of the National Data Advisory Council.
Community support for data sharing and release
Research undertaken by the Australian Privacy and Information Commissioner suggests that trust in government is low. On being asked how trustworthy they considered 14 different types of organisations, survey recipients rated health service providers and financial institutions ahead of state and federal government departments.3 Reuse of data for a secondary purpose – which is effectively what is being proposed in the Issues Paper – was considered a misuse of information by 86 per cent of those surveyed.4
More recently, the Independent Review of the APS5 in its Priorities for Change interim report, refers to a survey conducted by the Australian National University which found that:
- only 28 per cent of respondents agreed that the Australian Government can be trusted to use data responsibly;
- only 26 per cent of respondents agreed that the Australian Government is open and honest about how data is collected, used and shared; and
- only 29 per cent of respondents agreed that the Australian Government has the ability to prevent data being hacked or leaked.
Source: Independent Review of the APS. Priorities for Change. 19 March 2019
This environment has implications for the success of the proposed DS&R Bill.
Scope of authorisation
The absence of a clear community mandate for data sharing heightens the risk that the purposes for which the proposed DS&R Bill will authorise sharing or release will be challenged. As proposed, the DS&R Bill will authorise sharing or release:
- to inform government policy making;
- to support the efficient delivery of government services or government operations;
- to assist in the implementation and assessment of government policy; and
- to research and development with clear and direct public benefits.6
“Supporting the efficient delivery of government services or government operations” is defined to encompass:
- the evaluation of existing programs;
- modelling of program interventions;
- targeting programs based on user needs;
- improving services such as by pre-filling forms; and
- administering or enforcing compliance requirements.
The last bullet point – “administering or enforcing compliance requirements” – is of greatest concern. It suggests that agencies may potentially be authorised to use administrative data (collected as part of routine government activity) for enforcement purposes. The scope of this particular purpose is potentially vast and could encompass, for example, the sharing of data held by one Commonwealth agency with private sector debt collectors engaged by another Commonwealth agency in connection with the recovery of outstanding amounts owed.
From a legal perspective, secondary use of data for enforcement purposes is problematic. To the extent that data includes personal information, use may be in contravention of Australian Privacy Principle (APP) 6.1, which limits secondary uses to circumstances in which an agency has obtained the individual’s consent to the secondary use or an exception applies. While APP 6.2(e) offers such an exception – it permits an agency to use or disclose personal information where it “reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body” – it requires an agency to hold a “reasonable belief” and to make an assessment that the use or disclosure is “reasonably necessary” for the enforcement activities proposed.
Disclosure of the data in this context also raises procedural fairness questions, particularly if the data was originally obtained coercively. In Johns v Australian Securities Commission,7 Brennan CJ found that the then Australian Securities Commission’s exercise of its power to release confidential transcripts of a compulsory examination was invalid, on the basis that the power was exercised in breach of the rules of natural justice. In that case, the court found that Mr Johns should have been offered the opportunity to be heard, on the basis that the power exercised by the ASC was apt to adversely affect his interests.
Quite apart from the issue of mandate, there is a question as to whether the DS&R Bill, as proposed, will adequately address concerns about government’s ability to safeguard data.
The Issues Paper proposes that the Data Sharing Principles will be used by data custodians to identify the controls that should be placed on data to ensure its safe sharing or release. The Data Sharing Principles require the data custodian to consider, for the purpose of applying controls on the data or the sharing or release environment, the:
- Project Principle – is the intended purpose or use of the data appropriate?
- People Principle – can the recipients of the data use and/or store data appropriately?
- Settings Principle – can the access environment prevent unauthorised use?
- Data Principle – does the data that is being considered for sharing or release present risks that cannot be addressed through the Project, People or Settings Principles (eg does the data disclose identity)?
- Outputs Principle – what will happen to the data (output) created?
The Data Sharing Principles are, in fact, a rebranding of the “Five Safes Framework”.8 The Five Safes Framework was originally developed to facilitate the sharing and/or release of statistical data by National Statistical Institutions, and is presently used by the Australian Bureau of Statistics. The issue, with respect to the proposed DS&R Bill, is that:
- the data that may potentially be released by Commonwealth agencies under that Bill, once it becomes law, are likely to be substantially more varied in character than purely statistical data; and
- there is no evidence that the application of the Data Sharing Principles will ensure that information is subject to an appropriate level of protection.
It is notable that the UK Digital Economy Act,9 which also relies on the Data Sharing Principles/Five Safes to manage disclosure risk arising from the sharing of government data for research purposes, does not appear to regard that framework as sufficient to ensure the protection of sensitive data. Neither does South Australian public sector data sharing legislation (in which the Five Safes Framework is described as a set of “trusted access principles”).10 In the UK, data held by health services or care facilities is excluded from the general authorisation provision of which the Data Sharing Principles/Five Safes form part.11 In South Australia, sharing or release of certain highly sensitive health data is subject to the additional requirement of Ministerial prior approval.12
The ability of the National Data Commissioner to take action where data is released without appropriate safeguards having been applied is likely to be constrained by the DS&R Bill’s reliance on the Data Sharing Principles. While the Issues Paper identifies that misapplication of the Data Sharing Principles will be subject to penalties, the National Data Commissioner will need to apply “a margin of appreciation” in assessing whether or not a data custodian has applied the Data Sharing Principles in accordance with the Best Practice Guide.
This is because the Data Sharing Principles are principles, and not bright-line, easily applied rules. As it is, exceeding the margin of appreciation will not necessarily expose a data custodian to the full measure of potential liability; the Issues Paper proposes that data custodians, who “release data defensibly in good faith”, have the benefit of an immunity from criminal liability. A misguided but well-intentioned attempt at applying the Data Sharing Principles could, therefore, fall within the scope of the indemnity.13
That outcome will be of little comfort to the individual citizen whose personal information may have been released as a consequence of the inadequate placement of controls on data. Some relief may be available to an aggrieved citizen under the Privacy Act; release of data for a secondary purpose may be a contravention by the data custodian’s employing agency (the “APP entity”) of APP 6.1 (unauthorised use of personal information for a secondary purpose) and also APP 11.1 (failure to take steps that are reasonable in the circumstances to protect personal information from misuse, interference or loss or unauthorised access, modification or disclosure).
Bold, but not capable of achieving change?
While the proposed approach to the DS&R Bill has been described as “bold”,14 it is not clear that it is capable of achieving behavioural change. Although an open data philosophy has the potential to improve policy making and to deliver efficiencies, the proposed approach fails to recognise that there is significant distrust in government.
The lead up to the release of an exposure draft of the DS&R Bill offers the National Data Commissioner, assisted by the National Data Advisory Council, the opportunity to explore these concerns and to ensure that the DS&R Bill is focused not only on facilitation of sharing but also on addressing the genuine concerns of the community with respect to data management by government. The lead up also offers the National Data Commissioner the opportunity to address a number of key questions/issues as to how the approach proposed for the DS&R Bill will work in practice.
These questions/issues include:
- It is not clear, at this point in time, whether a decision made by the data custodian to share (or not share) data under the DS&R Bill, once passed, would be a reviewable decision for administrative law purposes. It is possible to imagine a potential data user wanting to challenge a decision by a data custodian not to share data. What role, if any, will the ordinary principles of administrative decision making (consistency, reasonableness, procedural fairness) play with respect to the making of decisions regarding release or sharing?
- What support will there be for low to middle management agency staff delegated with responsibility for making data sharing and release decisions?
Once the DS&R Bill becomes law, the volume of sharing requests received by some agencies will become unwieldy, resulting in the need to delegate data sharing decision making authority (vested in agency chief executives) within the agency. The approach proposed for the DS&R Bill, at its heart, relies on the making of assessments under the Data Sharing Principles. These assessments will not necessarily be clear-cut, but will require the exercise of judgement, and the ability to balance competing interests. They may require, for example, data custodians to assess data users’ trustworthiness.
At present, it is not clear what systems, frameworks, processes or guidance material will be available to agency staff, both to assist with this assessment and to ensure a degree of consistency in approach across the Commonwealth. While the Issues Paper envisages that the Australian Bureau of Statistics, the Australian Institute of Health and Welfare and other agencies accredited by the National Data Commissioner on the basis of their lengthy experience of data sharing would play a role in educating agencies and disseminating best practice, there is no mention of whether this assistance should be budget-funded or made available on a cost recovery basis.
- The consequences of a data user’s failure to comply with the terms of a data sharing agreement with the Commonwealth require consideration.
Although the Issues Paper notes (and appears to endorse) the Productivity Commission’s view that punitive sanctions are not effective in encouraging data users to comply with their obligations,15 agencies will require some rights against data users in the event of a breach of the data sharing agreement to manage their legal, financial and reputational risks.
Those rights might be limited to pursuing the user for common law damages for breach of contract (a data sharing agreement being a contract between the Commonwealth and the user). They could also, however, be supplemented by statutory rights and remedies.
In particular, the rights to be afforded to an individual citizen whose personal information is misused following a failure to comply with the terms of the data sharing agreement should be considered. The individual citizen – not being a party to the data sharing agreement – will not have contractual rights under that agreement against either the Commonwealth or the data user. He or she may have rights against the Commonwealth and/or user under the Privacy Act and potentially, depending on the facts, in equity for breach of confidence.
Supplementation of these rights may provide a more appropriate balance between open data and the protection of individual privacy.
The benefit offered by the proposed immunity is not in respect of all criminal liability, since it only operates where the data custodian has acted in good faith. The immunity will offer data custodians protection from strict liability offences (ie those in which state of mind is not an element required to prove the offence). A data custodian acting in good faith would not meet the mens rea for non-strict liability offences.