Australia: To boldly go: much is promised for the proposed Data Sharing and Release Bill, but questions remain about its ability to encourage behavioural change

Last Updated: 23 May 2019
Article by Catherine Whitby

Introduction

A major shift in the way the Australian Government plans to use data could further strain the public's trust in government and raises concerns about enforcement, personal privacy, data security and procedural fairness that warrant further discussion.

While during the current election campaign neither political party has indicated what its stance is on the reforms to data sharing proposed in a May 2018 Issues Paper, an exposure draft bill is expected sometime later this year.1

The proposed Data Sharing and Release Bill (DS&R Bill) is expected to authorise the sharing and release of data by "data custodians" (agency chief executives or their delegates) to "trusted users", under individual data sharing agreements. A set of five Data Sharing Principles will form the centrepiece of the proposed DS&R Bill; these require the data custodian to conduct a holistic analysis of any sharing request, to identify the controls necessary to safeguard data. If after applying the Data Sharing Principles, sharing or release of the data still gives rise to risks, the data custodian may, under the proposed DS&R Bill, either:

  • re-visit the application of the Data Sharing Principles; or
  • reject the data sharing or release request.2

At present, most agencies avoid sharing, whether actively or by convention. The reforms described in the Issues Paper seek to reverse this and to derive greater value from Australian Government data holdings. This represents a fundamental change in approach, which to date — given the potential impact of the proposed changes — has been subject to relatively little public discussion.

This article, the first in a series of four, considers a threshold issue that does not appear to have been addressed at any point in the lead up to the release of the Issues Paper or, indeed, in the consultation process that has followed: whether the sharing by government of data obtained through routine administrative activity has the support of Australians. It also identifies a number of key questions/issues arising from the approach proposed.

The second article will consider the experience of South Australia in adopting legislation relying on a scheme similar to that proposed for the DS&R Bill. The third article will consider the application of the Data Sharing Principles, with the final article focussing on the role of the National Data Advisory Council.

Community support for data sharing and release

Research undertaken by the Australian Privacy and Information Commissioner suggests that trust in government is low. On being asked how trustworthy they considered 14 different types of organisations, survey recipients rated health service providers and financial institutions ahead of state and federal government departments.3 Reuse of data for a secondary purpose – which is effectively what is being proposed in the Issues Paper – was considered a misuse of information by 86 per cent of those surveyed.4

More recently, the Independent Review of the APS5 in its Priorities for Change interim report, refers to a survey conducted by the Australian National University which found that:

  • only 28 per cent of respondents agreed that the Australian Government can be trusted to use data responsibly.
  • only 26 per cent of respondents agreed that the Australian Government is open and honest about how data is collected, used and shared.
  • only 29 per cent of respondents agreed that the Australian Government has the ability to prevent data being hacked or leaked.

This environment has implications for the success of the proposed DS&R Bill.

Scope of authorisation

The absence of a clear community mandate for data sharing heightens the risk that the purposes for which the proposed DS&R Bill will authorise sharing or release will be challenged. As proposed, the DS&R Bill will authorise sharing or release:

  • to inform government policy making;
  • to support the efficient delivery of government services or government operations;
  • to assist in the implementation and assessment of government policy; and
  • for research and development with clear and direct public benefits.6

"Supporting the efficient delivery of government services or government operations" is defined to encompass:

  • the evaluation of existing programs;
  • modelling of program interventions;
  • targeting programs based on user needs;
  • improving services such as by pre-filling forms; and
  • administering or enforcing compliance requirements.

The last bullet point – "administering or enforcing compliance requirements" – is of greatest concern. It suggests that agencies may potentially be authorised to use administrative data (collected as part of routine government activity) for enforcement purposes. The scope of this particular purpose is potentially vast and could encompass, for example, the sharing of data held by one Commonwealth agency with private sector debt collectors engaged by another Commonwealth agency in connection with the recovery of outstanding amounts owed.

From a legal perspective, secondary use of data for enforcement purposes is problematic. To the extent that data includes personal information, use may be in contravention of Australian Privacy Principle (APP) 6.1, which limits secondary uses to those circumstances in which an agency has obtained the individual's consent or an exception applies. While APP 6.2(e) offers such an exception – it permits an agency to use or disclose personal information where it "reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body" – it requires an agency to hold a "reasonable belief" and to make an assessment that the use or disclosure is "reasonably necessary" for the enforcement activities proposed.

Disclosure of the data in this context also raises procedural fairness questions, particularly if the data was originally obtained coercively. In Johns v Australian Securities Commission,7 Brennan CJ found that the then Australian Securities Commission's exercise of its power to release confidential transcripts of a compulsory examination was invalid, on the basis that the power was exercised in breach of the rules of natural justice. In that case, the court found that Mr Johns should have been offered the opportunity to be heard, on the basis that the power exercised by the ASC was apt to adversely affect his interests.

Safeguarding

Quite apart from the issue of mandate, there is a question as to whether the DS&R Bill, as proposed, will adequately address concerns about government's ability to safeguard data.

The Issues Paper proposes that the Data Sharing Principles will be used by data custodians to identify the controls that should be placed on data to ensure its safe sharing or release. The Data Sharing Principles require the data custodian to consider, for the purpose of applying controls on the data or the sharing or release environment, the:

  • Project Principle – is the intended purpose or use of the data appropriate?
  • People Principle – can the recipients of the data use and/or store data appropriately?
  • Settings Principle – can the access environment prevent unauthorised use?
  • Data Principle – does the data that is being considered for sharing or release present risks that cannot be addressed through the Project, People or Settings Principles (eg does the data disclose identity)?
  • Outputs Principle – what will happen to the data (output) created?

The Data Sharing Principles are, in fact, a rebranding of the "Five Safes Framework".8 The Five Safes Framework was originally developed to facilitate the sharing and/or release of statistical data by National Statistical Institutions, and is presently used by the Australian Bureau of Statistics. The issue, with respect to the proposed DS&R Bill, is that:

  • the data that may potentially be released by Commonwealth agencies under that Bill, once it becomes law, are likely to be substantially more varied in character than purely statistical data; and
  • there is no evidence that the application of the Data Sharing Principles will ensure that information is subject to an appropriate level of protection.

It is notable that the UK Digital Economy Act,9 which also relies on the Data Sharing Principles/Five Safes to manage disclosure risk arising from the sharing of government data for research purposes, does not appear to regard that framework as sufficient to ensure the protection of sensitive data. Neither does South Australian public sector data sharing legislation (in which the Five Safes Framework is described as a set of "trusted access principles").10 In the UK, data held by health services or care facilities is excluded from the general authorisation provision of which the Data Sharing Principles/Five Safes form part.11 In South Australia, sharing or release of certain highly sensitive health data is subject to the additional requirement of Ministerial prior approval.12

The ability of the National Data Commissioner to take action where data is released without appropriate safeguards having been applied is likely to be constrained by the DS&R Bill's reliance on the Data Sharing Principles. While the Issues Paper identifies that misapplication of the Data Sharing Principles will be subject to penalties, the National Data Commissioner will need to apply "a margin of appreciation" in assessing whether or not a data custodian has applied the Data Sharing Principles in accordance with the Best Practice Guide.

This is because the Data Sharing Principles are principles, and not bright-line, easily applied rules. As it is, exceeding the margin of appreciation will not necessarily expose a data custodian to the full measure of potential liability; the Issues Paper proposes that data custodians, who "release data defensibly in good faith", have the benefit of an immunity from criminal liability. A misguided but well-intentioned attempt at applying the Data Sharing Principles could, therefore, fall within the scope of the indemnity.13

That outcome will be of little comfort to the individual citizen whose personal information may have been released as a consequence of the inadequate placement of controls on data. Some relief may be available to an aggrieved citizen under the Privacy Act; release of data for a secondary purpose may be a contravention by the data custodian's employing agency (the "APP entity") of APP 6.1 (unauthorised use of personal information for a secondary purpose) and also APP 11.1 (failure to take steps that are reasonable in the circumstances to protect personal information from misuse, interference or loss or unauthorised access, modification or disclosure).

Bold, but not capable of achieving change?

While the proposed approach to the DS&R Bill has been described as "bold",14 it is not clear that it is capable of achieving behavioural change. Although an open data philosophy has the potential to improve policy making and to deliver efficiencies, the proposed approach fails to recognise that there is significant distrust in government.

The lead up to the release of an exposure draft of the DS&R Bill offers the National Data Commissioner, assisted by the National Data Advisory Council, the opportunity to explore these concerns and to ensure that the DS&R Bill is focused not only on facilitation of sharing but also on addressing the genuine concerns of the community with respect to data management by government. The lead up also offers the National Data Commissioner the opportunity to address a number of key questions/issues as to how the approach proposed for the DS&R Bill will work in practice.

These questions/issues include:

  • It is not clear, at this point in time, whether a decision made by the data custodian to share (or not share) data under the DS&R Bill, once passed, would be a reviewable decision for administrative law purposes. It is possible to imagine a potential data user wanting to challenge a decision by a data custodian not to share data. What role, if any, will the ordinary principles of administrative decision making (consistency, reasonableness, procedural fairness) play with respect to the making of decisions regarding release or sharing?
  • What support will there be for low to middle management agency staff delegated with responsibility for making data sharing and release decisions?
  • Once the DS&R Bill becomes law, the volume of sharing requests received by some agencies will become unwieldy, resulting in the need to delegate data sharing decision making authority (vested in agency chief executives) within the agency. The approach proposed for the DS&R Bill, at its heart, relies on the making of assessments under the Data Sharing Principles. These assessments will not necessarily be clear-cut, but will require the exercise of judgement, and the ability to balance competing interests. They may require, for example, data custodians to assess data users' trustworthiness.

    At present, it is not clear what systems, frameworks, processes or guidance material will be available to agency staff, both to assist with this assessment and to ensure a degree of consistency in approach across the Commonwealth. While the Issues Paper envisages that the Australian Bureau of Statistics, the Australian Institute of Health and Welfare and other agencies accredited by the National Data Commissioner on the basis of their lengthy experience of data sharing would play a role in educating agencies and disseminating best practice, there is no mention of whether this assistance should be budget-funded or made available on a cost recovery basis.

  • The consequences of a data user's failure to comply with the terms of a data sharing agreement with the Commonwealth require consideration.
  • Although the Issues Paper notes (and appears to endorse) the Productivity Commission's view that punitive sanctions are not effective in encouraging data users to comply with their obligations,15 agencies will require some rights against data users in the event of a breach of the data sharing agreement to manage their legal, financial and reputational risks.

    Those rights might be limited to pursuing the user for common law damages for breach of contract (a data sharing agreement being a contract between the Commonwealth and the user). They could also, however, be supplemented by statutory rights and remedies.

    In particular, the rights to be afforded to an individual citizen whose personal information is misused following a failure to comply with the terms of the data sharing agreement should be considered. The individual citizen – not being a party to the data sharing agreement – will not have contractual rights under that agreement against either the Commonwealth or the data user. He or she may have rights against the Commonwealth and/or user under the Privacy Act and potentially, depending on the facts, in equity for breach of confidence.

    Supplementation of these rights may provide a more appropriate balance between open data and the protection of individual privacy.

Footnotes

1 Department of the Prime Minister and Cabinet. New Australian Government Data Sharing and Release Legislation: Issues Paper for Consultation. May 2018.
2 Department of the Prime Minister and Cabinet. Best Practice Guide to Applying Data Sharing Principles. 15 March 2019 at 29
3 Office of the Australian Information Commissioner. Australian Community Attitudes to Privacy Survey 2017. May 2017 at i
4 Above n4 at ii
5 Australian Public Service
6 Australian Government. New Australian Government Data Sharing and Release Legislation: Issues Paper for Consultation. May 2018, page 14
7 [1993] HCA 56
8 See for example, Ritchie. The "Five Safes": a framework for planning designing and evaluating data access solutions. Available at: https://www.researchgate.net/publication/320010758_The_'Five_Safes'_a_framework_for_planning_designing_and_evaluating_data_access_solutions
9 Digital Economy Act 2017 (UK)
10 See section 7(7) of the Public Sector (Data Sharing) Act 2019 (SA)
11 See sections 64 and 65 of the Digital Economy Act 2017 (UK)
12 See section 6 of the Public Sector (Data Sharing) Regulations 2017 (SA).
13 The benefit offered by the proposed immunity is not in respect of all criminal liability, since it only operates where the data custodian has acted in good faith. The immunity will offer data custodians protection from strict liability offences (ie those in which state of mind is not an element required to prove the offence). A data custodian acting in good faith would not meet the mens rea for non strict liability offences.
14 Ritchie, F. Australia's bold proposals for data sharing. Bristol Centre of Economic and Finance blog. 25 September 2018. Available at: https://blogs.uwe.ac.uk/economics-finance/australias-bold-proposals-for-government-data-sharing/
15 Above n2 at 21

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
