Bills Digest No. 18, 2021–22

Data Availability and Transparency Bill 2020 [and] Data Availability and Transparency (Consequential Amendments) Bill 2020

Prime Minister and Cabinet

Author

David Markham

Go to a section

Introductory Info Date introduced: 9 December 2020
House: House of Representatives
Portfolio: Prime Minister
Commencement: The primary Bill commences on the day after Royal Assent. The consequential Bill commences at the same time.

Purpose of the Bill

The purpose of the Data Availability and Transparency Bill 2020 (the Bill) is to establish a new data sharing scheme (‘the scheme’) which will serve as a pathway and regulatory framework for sharing public sector data.[1] The Bill also establishes a new independent regulator, the National Data Commissioner, to oversee this process, and an Advisory Committee to assist the Commissioner. The purpose of the Data Availability and Transparency (Consequential Amendments) Bill 2020 (the consequential Bill) is to make amendments to other existing Acts. These amendments are necessitated by provisions in the Bill.

Structure of the Bill

The Bill is structured in six chapters, with each referring to a separate subject. They are:

  • Chapter 1 – Preliminary
  • Chapter 2 – Authorisations to share data
  • Chapter 3 – Responsibilities of data scheme entities
  • Chapter 4 – National Data Commissioner and National Data Advisory Council
  • Chapter 5 – Regulation and Enforcement
  • Chapter 6 – Other matters

The consequential Bill has a single Schedule, with amendments to the Administrative Decisions (Judicial Review) Act 1977, the Australian Security Intelligence Organisation Act 1979, the Freedom of Information Act 1982 and the Privacy Act 1988.

Background

Current uses of data

Public sector agencies collect a large amount of data in the course of fulfilling their legislative functions—data which could be readily available for other uses if that were considered appropriate. This has particularly been the case over recent decades because of the digitisation of information.[2]

Australian government agencies already share data for a number of purposes. Some examples include:

  • in the administration of welfare payments—for example, Services Australia and the Australian Taxation Office compare income data
  • in monitoring suspicious financial transactions by collecting and analysing financial reports and information (AUSTRAC) and
  • in emergency situations, to quickly identify vulnerable people through the use of, for instance, aged care records.[3]

A wide range of datasets compiled by various agencies are contained on the website data.gov.au. However, this website does not contain data that includes identifiable personal information.

In response to a Question on Notice in April 2021, the current interim National Data Commissioner stated:

In 2010, the Australian Government Secretaries Board endorsed a set of principles to govern integration of Commonwealth data, as well as a set of governance and institutional arrangements to support these principles. Details of these arrangements are available publicly at https://toolkit.data.gov.au/Statistical_Data_Integration.html  

An important part of the governance and institutional arrangements is being able to hold one agency accountable for the safe implementation of a data integration project. To make this happen, an integrating authority must be appointed for every data integration project involving Commonwealth data. For data integration proposals that involve Commonwealth data and are considered 'high risk', an accredited Integrating Authority must be used.

There are four Commonwealth Integrating Authorities accredited under these arrangements to undertake high risk data integration projects involving Commonwealth data:

  • Australian Bureau of Statistics
  • Australian Institute of Health and Welfare
  • Australian Institute of Family Studies
  • Department of Social Services.[4]

History of Reviews

The uses to which the data held by public sector agencies could be put has been the subject of consideration by government for some time. Following recommendations contained in the 2014 Financial System Inquiry Final Report and the 2015 Harper Competition Policy Review: Final Report, then Treasurer Scott Morrison commissioned a Productivity Commission inquiry into data availability and use in March 2016.[5]

The Terms of Reference for the inquiry asked the Productivity Commission to:

  • look at the benefits and costs of making public and private datasets more available
  • examine options for collection, sharing and release of data
  • identify ways consumers can use and benefit from access to data, particularly data about themselves
  • consider how to preserve individual privacy and control over data use.[6]

The Commission issued its final report to Government on 31 March 2017.[7] The Commission noted on its website a number of key points that had arisen in its inquiry. These included indications that:

  • Extraordinary growth in data generation and usability has enabled a kaleidoscope of new business models, products and insights. Data frameworks and protections developed prior to sweeping digitisation need reform. This is a global phenomenon and Australia, to its detriment, is not yet participating.
  • Improved data access and use can enable new products and services that transform everyday life, drive efficiency and safety, create productivity gains and allow better decision making.
  • The substantive argument for making data more available is that opportunities to use it are largely unknown until the data sources themselves are better known, and until data users have been able to undertake discovery of data.
  • Lack of trust by both data custodians and users in existing data access processes and protections and numerous hurdles to sharing and releasing data are choking the use and value of Australia's data. In fact, improving trust community-wide is a key objective.[8]

The Commission made a number of recommendations relevant to this Bill under the heading ‘A risk-based approach to data sharing and release’.[9] These included that:

  • the Australian Government should establish an Office of the National Data Custodian to take overall responsibility for the implementation of data management policy (Recommendation 6.6)[10]
  • selected public sector and public interest entities should be accredited as release authorities (ARAs), with responsibility for, among other things, deciding whether a dataset is available for public release or limited sharing with trusted users (Recommendation 6.8)[11]
  • ARAs should be given responsibility to grant, on a continuing program-wide basis, data access to trusted users (Recommendation 6.12)[12]
  • ARAs and data custodians should be required to refer suspected and actual violations of data use conditions that have system-wide implications to the National Data Custodian (Recommendation 6.13)[13]
  • Privacy Act exceptions that allow access to identifiable information in certain circumstances, without seeking the individuals’ agreement, be expanded to apply to all research determined by the National Data Custodian to be in the public interest (Recommendation 6.16).[14]

In its response to the Productivity Commission’s report, the Australian Government agreed that:

… a network of Accredited Data Authorities will be integral to a reformed Australian data system. These Authorities will be catalysts for efficient and safe sharing and release of data.

…Data sharing agreements between data custodians, Accredited Data Authorities and data users will be a key part of the governance framework.[15]

Following this the Government in 2018, through the Department of Prime Minister and Cabinet, published the Review of Australian Government Data Activities 2018.[16] The Department noted that ‘efficient collection, use and re-use of data is key to improving the efficiency of government spending and delivering more effective and better targeted—evidence-based—government policies, programs and services’.[17]

In 2018 the Minister for Human Services and Minister Assisting the Prime Minister for Digital Transformation announced that an interim National Data Commissioner, Deborah Anton, had been appointed to lead the Office of the National Data Commissioner (the ONDC),[18] which was established as a unit within the Department of the Prime Minister and Cabinet PM&C.[19]

In 2019 the ONDC, as part of the PM&C, published its Best Practice Guide to Applying Data Sharing Principles. The purpose of this Guide was ‘to assist agencies holding Australian Government data (data custodians) to safely and effectively share the data they are responsible for by using five Data Sharing Principles (the Principles)’.[20]

On 14 September 2020 an Exposure Draft of the Bill and a Discussion Paper on the draft Accreditation Framework, were released.[21] This followed consultation processes through an issues paper in 2018 and a discussion paper in 2019.[22] At each stage input from interested parties was sought and taken into account.

The ONDC published 71 submissions on its website in response to the 2020 Accreditation Discussion Paper.[23] Submissions to the earlier papers are also available through the links in this Digest. Finally, 31 submissions were made to the Senate Finance and Public Administration Committee Inquiry (see following section), a number of which contained information previously submitted, and some of the submissions will be discussed later in this Digest.

The ONDC has also published three Privacy Impact Assessments. The ONDC states that the Bill has been developed using a ‘privacy-by-design’ approach, which means that data privacy and security has been considered at every stage of the development of the legislation.[24]

Committee consideration

Senate Finance and Public Administration Committees

The Senate referred the Bills to the Senate Finance and Public Administration Committee for inquiry and Report by 29 April 2021 (the Senate inquiry). On the Committee’s home page, there are links to:

  • 31 submissions to the inquiry
  • four documents from the National Data Commissioner
  • a transcript of the public hearings held on 20 April 2021 and
  • the Committee’s Report.[25]

Submissions

The submissions to the Senate inquiry contained many of the same arguments as were considered in response to the Discussion Papers and the exposure draft. Indeed, some of the submissions to the exposure draft process were resubmitted to the Senate inquiry. The submissions to the Senate inquiry, and some in the Exposure Draft process, are considered in the section ‘Position of major interest groups’ below.

Transcript of public hearings

The information provided in the public hearings on 20 April 2021 largely expounded on information provided in submissions to the inquiry and to the Exposure Draft.[26]

Documents from NDC

These included two documents tabled at public hearing on 20 April 2021, a follow up response dated 22 April 2021 and the response to a Question on Notice dated 22 April 2021.[27]

The Committee’s Report

The Committee reported on 29 April 2021.[28] The majority examined and discussed many of the issues, and made three recommendations, namely that:

  • assurances are provided to Parliament regarding appropriate ongoing oversight by security agencies of data sharing agreements and potential security risks
  • any relevant findings of the Parliamentary Joint Committee on Intelligence and Security inquiry into national security risks affecting the Australian higher education and research sector are taken into account as part of the development of any additional data codes and guidance material and inform continued engagement with the national security community and
  • consideration is given to whether amendments could be made to the Bill, or further clarification added to the Explanatory Memorandum to provide additional guidance regarding privacy protections, particularly in relation to the de-identifying of personal data that may be provided under the Bill’s data-sharing scheme.[29]

Unusually, the Committee did not make a recommendation on whether the Bill should be passed.

The Labor Senators on the Committee issued a dissenting report, stating that there were ‘of the view that the bill is deeply flawed’, commenting that:

… while there is a clear need for an effective scheme for the management and regulation of public data, and clear public benefits from using such data, the measures outlined in this bill do not represent a proportionate means of achieving that objective. If passed, the scheme outlined in the bill would undermine current privacy protections, most notably the Privacy Act 1988. The regulatory structure designed to oversee the scheme is weak, poorly designed and subject to abuse. This bill violates community standards about the protection of private data and, if passed, would erode public trust in the government’s ability to protect the privacy of its citizens.[30]

Assuming that the views expressed by the Labor Senators on the Committee are the views of Labor more generally, it seems clear that the Opposition will not support the Bill in its current form.

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills (Scrutiny Committee) made substantial comments on the primary Bill, and requested further ministerial advice in its first Scrutiny Digest of 2021.[31] Concerned about the Bill’s potential impact on the right to privacy, the Scrutiny Committee sought the Minister’s advice on whether the Bill could be amended to:

  • include a public interest test which prioritises privacy interests in decision-making under the scheme
  • provide guidance on the face of the Bill about the circumstances in which it will be ‘unreasonable or impracticable’ to seek an individual’s consent for sharing their personal information
  • require that, where possible, data that includes personal information is shared in a de‑identified way
  • clarify the scope of the permitted data sharing purposes, and include guidance on the face of the Bill about precluded purposes and
  • provide minimum standards for ethics approvals for private entities seeking to use data that includes personal information.[32]

The Scrutiny Committee also made other comments, including in relation to personal review rights for persons whose data was allegedly misused; the extensive use in the scheme of delegated legislation; and the broad delegation of investigatory powers in the Bill.[33]

Minister Stuart Robert responded to the Scrutiny Committee addressing the points raised.[34]

In relation to privacy issues, he said that the Bill has been developed using a privacy-by-design approach to identify, minimise and mitigate privacy impacts wherever possible.[35] The Bill works with the Privacy Act to protect the information of individuals shared under the scheme, and includes a range of ‘privacy-positive’ measures.[36]

He also noted that two of the three permitted purposes for data sharing, namely government policies and programs, and research and development, would ordinarily involve the sharing of aggregate rather than personal data.[37]

He further implied that the use of stricter definitions could limit the future use of the scheme – saying ‘[c]onsistent with other laws, the Bill and its Explanatory Memorandum do not define the public interest to ensure the Bill can adapt to changing community expectations’.[38] He also noted that the term ‘unreasonable or impractical’ was already used in a similar context in the Privacy Act,[39] and that guidance on their use would be provided by the Australian Information Commissioner.[40]

In response to the Minister’s advice on privacy issues, the Scrutiny Committee requested that an addendum to the Explanatory Memorandum, containing the additional information provided by the Minister, be tabled in Parliament. The Committee remained concerned about the possible breadth of the ‘unreasonable or impractical’ exception to requiring consent for the sharing of personal information and requested the Minister’s further advice on whether:

  • the requested addendum to the Explanatory Memorandum can provide specific examples of current guidance on the meaning of 'unreasonable or impracticable' and provide information on where this current guidance can be accessed and
  • why it is considered necessary and appropriate for guidelines on aspects of the data sharing scheme, which may play an important role in minimising the risk of interpretations of the operation of the scheme that trespass on personal privacy, to be included in non-legislative instruments that are not subject to parliamentary scrutiny.[41]

In response, the Minister advised that he has approved an addendum to the Explanatory Memorandum to address the Scrutiny Committee’s concerns and provide further information about the meaning of the expression ‘unreasonable or impracticable’.[42] At the time of writing this Digest, the addendum has not yet been tabled. In relation to why it is considered necessary and appropriate for guidelines on aspects of the data sharing scheme to be included in non-legislative instruments that are not subject to parliamentary scrutiny, the Minister advised:

The Bill establishes a framework of resources, of scaled legal weight, to assist its interpretation and application. These resources range from fact sheets, guidelines on aspects of the Bill which entities must have regard to when engaging with the sharing scheme, to legislative instruments subject to Parliamentary scrutiny that set binding legal requirements…

This approach is consistent with that of other principles-based legislative schemes, in particular the AIC’s powers and framework of instruments to support understanding of, and compliance with, privacy law. It is also supported by findings from a review of the Public Interest Disclosure Act 2013, which found a principles-based, graduated approach to regulation to be well adapted to achieving cultural change in data handling, and to driving fair and outcomes-focussed conversations between regulators and decision makers…

Learning from this experience, the approach taken in the Bill enables the National Data Commissioner to produce both informal guidance material, and more formal “guidelines”. Scheme entities must have regard for the guidelines however they are not binding. The guidelines do not alter the law but provide clear guidance from the Commissioner about their view of law applied and better practice. It is not appropriate for such guidance to be disallowable. Data codes made by the Commissioner, and rules made by the Minister, are binding on scheme entities and are legislative instruments subject to disallowance. [emphasis added][43]

In response, the Scrutiny Committee welcomed the promised addendum to the Explanatory Memorandum and left to the Senate as a whole the appropriateness of leaving guidelines on aspects of the data sharing scheme to non-legislative instruments that are not subject to parliamentary scrutiny or disallowance.[44]

In relation to review rights, the Minister commented that individuals will have access to current complaints and administrative review processes, stating that this would reduce duplication and overlap.[45] After considering the Minister’s response, the Committee drew its scrutiny concerns to the attention of senators and left to the Senate as a whole the appropriateness of the complaint mechanisms available to individuals whose privacy interests may be affected by the scheme.[46]

As to delegated legislation, the Minister noted that allowing Rules to provide for procedures, requirements and other matters relating to accreditation was consistent with the Department of the Prime Minister and Cabinet’s Legislative Handbook, which states that matters of detail and matters that may change frequently are best dealt with in delegated legislation. He stated that the information to be included in the Accreditation Rules fell into these categories.[47] The Scrutiny Committee requested that the addendum to the Explanatory Memorandum include the information provided by the Minister on the expected content of the Accreditation Rules. It drew its scrutiny concerns to the attention of senators and left to the Senate as a whole the appropriateness of leaving procedures, requirements and other matters relating to the accreditation of entities for the purposes of the data sharing scheme to delegated legislation.[48]

Finally, the Minister advised that, while investigatory powers could be widely exercised, the Bill adopts the standard approach to the exercise of regulatory powers to promote an efficient, flexible and accountable approach to regulation. He also noted that persons assisting must act under the direction of the Commissioner and that any valid actions that they took would be taken to be the actions of the Commissioner.[49] After considering the Minister’s response, the Committee drew its scrutiny concerns to the attention of senators and left to the Senate as a whole the appropriateness of allowing authorised persons who are exercising monitoring and investigation powers to be assisted by other persons with no requirement on the face of the Bill that the other person has appropriate training or experience.[50]

Policy position of non-government parties/independents

The policy position of the Opposition is summed up in the Labor Senators’ Dissenting Report to the Senate Committee, quoted above. Senator Roberts of Pauline Hanson’s One Nation Party was a member of the Senate Finance and Public Administration Committee that reported on the Bill, making the three recommendations discussed above. At the time of writing, no statement of position from other non-government parties or independents could be located.

Position of major interest groups

Health bodies

Research Australia, which describes itself as the national peak body representing the whole of the health and medical research pipeline, said:

Research Australia believes the Bill will improve the access of researchers to information held by the Australian Government, leading to improvements in the health of Australians which would otherwise not be possible. This benefit is the opportunity the Bill provides; it is not risk free, but the risks are worth it. [51]

In discussing privacy concerns, Research Australia also said:

The potential for privacy breaches or for trespass on individuals’ privacy already exists, and data is already being shared for a range of different purposes. The Bill does not create this potential, and Research Australia believes the Bill has the capacity to reduce the risk to individuals’ privacy.[52]

The George Institute for Global Health Australia said:

The George Institute recommends the Senate support the passage of the bills. We believe they will mitigate risk and create opportunity for accredited users, that will most definitely include Australian health and medical researchers, to undertake research and development in line with community expectations.[53]

However, the Australian Medical Association (AMA) and the National Aboriginal Community Controlled Health Organisation (NACCHO) were less enthusiastic about the Bill.

The AMA raised a number of specific concerns, which included that the Bill does not afford a level of privacy protection for health data that is equivalent to the protections in the Privacy Act, the National Health Act 1953 and the Health Insurance Act 1973.[54]

The AMA submitted:

  • there is no minimum privacy protection in the Bill, with the data sharing principles in section 16 being ‘inherently subjective’[55]
  • there is no complaint mechanism for affected individuals[56] and
  • the dual roles of the Commissioner, as effectively both the regulator and promoter of the scheme, are inconsistent.[57]

NACCHO expressed concern about the ownership of data, stating:

There must be laws and policies that recognise the rights of Aboriginal and Torres Strait Islander people to access to data and regulate the behaviour of institutions and individuals involved in gathering, disseminating, and sharing data and knowledge. Aboriginal and Torres Strait Islander people and organisations have been given little historic and current opportunity to contribute to decision making on what data should be collected about them and their communities and why. This Bill presents an opportunity to begin the reforms agreed to in the National Agreement [this refers to the National Agreement on Closing the Gap][58]

NACCHO also recommended that the National Data Advisory Council should contain an Aboriginal or Torres Strait Islander representative.[59]

Tertiary Institutions

The Group of Eight Australia, representing eight of Australia’s senior universities, said:

The Go8 endorses the Data Availability and Transparency Bill’s goal to improve how Australia shares and uses its public sector data to enhance research and policy outcomes for the benefit of all Australians. We also welcome the Australian Government’s commitment to establishing a safe, accountable, and transparent pathway to share public sector data. [60]

The Group of Eight expressed some concern that the new scheme should not supplant current data access arrangements that are functioning well.[61] 

While Universities Australia ‘supports the concept of data availability and transparency, and appreciates the Commonwealth’s efforts to make data available for research and development’, it also expressed concern that decisions by data custodians are not subject to internal or external merit review.[62]

It also expressed some concern about the fee charging proposals in the Bill, concerned that this may dissuade university researchers from conducting valuable research.[63]

The University of Sydney made similar comments and expressed similar concerns.[64] Like Universities Australia, it also expressed concern that significant portions of the scheme will be contained in subordinate legislation which is not yet available, so that the likely impact of the legislation on universities was difficult to gauge at this time.

In earlier submissions in relation to the Bill’s Exposure Draft, submissions from universities and other research-based organisations were generally supportive of the policy basis of the proposed legislation.[65] For example, the Australian National University said:

The ANU congratulates your office on their efforts to address the issue of data availability and transparency. We believe the intended steps towards standardisation will substantially enhance access to public data for research purposes.[66]

Privacy Concerns

A number of other submissions expressed deep concerns about privacy issues. The information gathered by agencies frequently includes information that would be defined as personal information in terms of the Privacy Act 1988.[67] In accordance with Australian Privacy Principle 6 (APP 6) personal information can generally only be used for the purpose for which it is collected (for example, the assessment of a claim), or where the use or disclosure of the information is required or authorised by law.[68]

While the Bill would represent a law authorising the use or disclosure of personal information, there is concern that such a wide-ranging law on data sharing and use effectively overrides the privacy protections in APP 6 in relation to public sector data.

The Australian Privacy Foundation said:

The proposed regime provides transparency about Australians but not about government and the partners of government. Despite reference to ‘safes’ and supervision by a statutory body it does not provide adequate safeguards, instead eroding an already weak data protection regime. It does not provide transparency about how governments (and the partners of those governments) are sharing and using information about people, in particular data that was collected on a mandatory basis. The Bills should accordingly be rejected.[69]

The Foundation also questioned the premise behind the legislation claiming that:

There is no evidence that the erosion of privacy protection will indeed support our ‘modern data-based society’.

There is no evidence that the sharing within government and indeed sharing by government with non-government entities will substantively drive innovation. The mantra under successive ministers that ‘new’ equals better and ‘digital’ necessarily results in innovation has not been substantiated and is indeed questioned by authoritative analysts such as Robert J Gordon and Nicholas Carr. What’s good for service providers such as Oracle and KPMG and IBM is not necessarily good for ordinary Australians.[70]

Similarly, the NSW Council for Civil Liberties stated:

It must be remembered the ‘robodebt’ scheme, now recognised as unlawful and responsible for untold stress and suffering, was an automated data-matching scheme using data shared between two government agencies – Centrelink and the Australian Taxation Office (ATO).

This Bill ignores that real world experience and gives unjustified priority to a technocratic vision of ‘improved service delivery’.

The Bill gives a green light for government agencies to share data with each other and the private sector exempt from the law (Australian Privacy Principle 6) which governs and limits how personal information is used and shared. This will have enormous consequences for individuals and is unnecessary to achieve the aims of delivering better government services, informing government programs and research.

The Privacy Act was initially enacted to regulate the activities of Commonwealth agencies – only later was it extended to the private sector. To exempt agencies from a key principle would fundamentally undermine the original purpose of the Act. [71]

In submissions on the Exposure Draft, the Information and Privacy Commission New South Wales said:

Greater clarity is required in the Bill as to its relationship with the Privacy Act 1988 (Cth) …

It appears that the scheme will authorise release of personal information regardless of whether the disclosure falls within one of the specific exemptions provided for under Australian Privacy Principle (APP) 6 of the Privacy Act. Given the very broad nature of the permitted purposes under the Bill, this would effectively appear to nullify the operation of APP 6 in respect of disclosure by Australian government agencies in a broad range of circumstances.[72]

In its submission on the Exposure Draft, the Australian Medical Association similarly said:

… the AMA’s main concern with the fundamental structure of the proposed new data sharing powers is that, although the five data sharing principles have the potential to protect sensitive identified or potential re-identifiable health data, there is no guarantee that individuals’ privacy will be protected in all circumstances.[73]

Media

In February 2020 the Canberra Times reported that almost half of Australians were uncomfortable about their personal data being used to inform research and policy. The report also quoted the Boston Consulting Group as saying that the satisfaction of people with the standard of government online services was falling and undermining trust.[74]

Bruce Baer Arnold writing in The Conversation stated that the Draft (exposure) Bill:

… will not fix ongoing problems in public administration. It won’t solve many problems in public health. It is a worrying shift to a post-privacy society.

While noting that:

Consultations over the past two years have highlighted the value of inter-agency sharing for law enforcement and for research into health and welfare. Universities have identified a range of uses regarding urban planning, environment protection, crime, education, employment, investment, disease control and medical treatment.

Mr Arnold also stated:

Outside the narrow exclusions centred on law enforcement and national security, the bill’s default position is to share widely and often. That’s because the accreditation requirements for agencies aren’t onerous and the bases for sharing are very broad.

This proposal exacerbates ongoing questions about day-to-day privacy protection. Who’s responsible, with what framework and what resources? Responsibility is crucial, as national and state agencies recurrently experience data breaches.

Although as RoboDebt revealed, they often stick to denial. Universities are also often wide open to data breaches.

Proponents of the plan argue privacy can be protected through robust de-identification, in other words removing the ability to identify specific individuals. However, research has recurrently shown “de-identification” is no silver bullet.

Most bodies don’t recognise the scope for re-identification of de-identified personal information and lots of sharing will emphasise data matching.[75]

Financial implications

The Government notes that the Bill will have a financial impact on the Government of $20.5 million from 2018–19 to 2021–22; $11.1 million from 2020–21 over four years and $0.7 million ongoing from 2024–25.[76]

The Bill will also result in compliance costs. The measure will increase average regulatory costs by $0.11 million over two years, comprising a cost to business of $0.2 million per year, to community organisations of $0.06 million, and to individuals of $0.02 million per year.

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bills’ compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bills are compatible.[77]

Parliamentary Joint Committee on Human Rights

The Committee expressed a number of concerns on the principal Bill, particularly in relation to privacy.[78] There was however no comment on the consequential Bill.[79]

The Committee commented that the Bill would facilitate the sharing of an extremely wide range of data, and that the terms ‘public sector data’ and ‘data’ itself are very broadly defined.[80] In addition, the scheme would override a range of existing secrecy provisions preventing the sharing of data, to facilitate the sharing of data.[81] Noting that the right to privacy is multi-faceted, comprising respect for informational privacy, including the right to respect for private and confidential information, particularly in relation to the storing, use and sharing of such information, the Committee sought the Minister’s advice on a number of issues. Among these, the Committee sought information on the specific objectives of the scheme, and whether these were pressing and substantial enough to warrant limiting the right to privacy;[82] and asked for further information on data sharing purposes.[83] The Committee raised many of the same privacy concerns as had the Scrutiny Committee, such as in relation to defining the terms ‘public interest’ and ‘unreasonable or impracticable’ and in relation to the making of complaints. The Committee also asked for information on the ongoing monitoring of accredited entities, and to what extent the scheme would be compromised by not sharing personal information.[84]

The Minister advised that the Bill’s objective of promoting greater data sharing will remove legislative barriers to sharing, and will support informed decision-making and timely delivery of government services to people in need; pointing out that the natural disasters and health and economic crises of the recent past demonstrated the advantages of greater data sharing.[85] He also advised that there had been extensive public consultation on data sharing purposes, which were considered as part of three Privacy Impact Assessments.[86]

The Minister’s responses in relation to definitions and complaints were essentially the same as his responses to the Scrutiny Committee (see above).[87] As to the ongoing monitoring of accredited agencies, he noted that provisions in the Bill empowered the Commissioner to undertake such activities, and that the Commissioner would receive information about entities’ handling of data through the Bill’s data breach notification and information transfer provisions.[88]

In response to the question about to what extent the scheme would be compromised by not sharing personal information, the Minister advised:

Sharing of personal information will generally be reasonably necessary to support delivery of government services to particular individuals. Sharing of personal information may also be required some data integration projects for a permitted purpose, as certain personal information may be necessary to support the integration of datasets. In these circumstances, data custodians will still be required to share only the personal information necessary to facilitate the data integration project, and would be expected to apply appropriate protections to the data. There are well-established conventions for integrated data, including to maintain functional separation of identifying information (e.g. name or date of birth) from content information (e.g. clinical information or benefit details) throughout the data integration process. These safeguards work with the project principle, under which data custodians must consider engaging a technical data expert, an accredited data service provider, to perform the data integration.[89]

The Minister also noted that the ‘statutory override’ provisions were necessary as it would be complex and impractical to amend over 500 secrecy provisions in other legislation to give effect to the limited override provisions contained in the Bill.[90]

In its comments on the Minister’s response the Committee noted the legitimate objectives of the scheme, but also reiterated that the data sharing purposes are framed very broadly and could capture disclosure of personal information in an extremely wide range of circumstances.[91] In its summary the Committee said:

This bill appears to be directed towards the legitimate objective of facilitating controlled access to public sector data for specific purposes in the public interest, and would appear to be rationally connected to that objective. However, it is not clear that the measure would constitute a proportionate means by which to achieve that objective.[92]

The Committee also expressed particular concern about the ‘statutory override’ provisions, noting:

… this scheme would permit a Commonwealth body to disclose personal data regardless of any law that currently prohibits this, and without parliamentary oversight of the specific privacy implications of sharing that type of data.

… no information has been provided to demonstrate that a less rights restrictive mechanism–such as amending individual pieces of legislation to invoke this umbrella data sharing scheme–would not be equally as effective to achieve the scheme’s objectives. While the committee appreciates that this may be a complex undertaking this does not, itself, indicate that it would not be effective to achieve the objective of facilitating controlled access to public sector data, Accordingly, the committee considers it has not been established that this data sharing scheme would constitute a permissible limitation on the right to privacy.[93]

Accordingly, the Committee recommended:

… that consideration be given to establishing overarching data sharing legislation which does not override existing secrecy provisions but which requires that the data sharing powers must be specifically invoked by individual pieces of legislation, to ensure appropriate regard is had to whether these broad data sharing powers are appropriate in each specific context.[94]

The Committee advised that it considered that the proportionality of the measure may be assisted if the Bill was amended to provide that:

  • determining if 'the sharing of information can reasonably be expected to serve the public interest', requires consideration of the impact on an individual’s right to privacy, the potential for serious harm to the public, and whether those impacts are reasonable, necessary and proportionate, as well as the potential benefits to the community that would arise from the project
  • the application of appropriate protections to the data includes, where possible, ensuring personal information is shared in a manner that does not allow for the identification of individuals
  • it is a condition of accreditation that an entity which is required to provide evidence for accreditation must provide updated evidence at specified intervals to support its continued suitability for accreditation and
  • the Commissioner may consider complaints from individuals with respect to the scheme, and establish a mechanism for dealing with such complaints.[95]

Key issues and provisions

The basic premise of the Bill

The Bill establishes a data sharing scheme so that data held by many Commonwealth agencies can be shared with bodies who seek and obtain accreditation within a framework, and for purposes, set out in the Bill.

The entities that will be part of the scheme are to be collectively known as data scheme entities.[96] These are Commonwealth bodies (other than excluded entities)[97] that hold and control data (a data custodian),[98] and accredited entities.[99] The latter will be known as either an accredited user, or an accredited data service provider (ADSP).[100] A simple explanation of these terms is that the data custodian is the entity that shares the data, the accredited user is an entity with whom the data is shared, and an ADSP is a body that frequently acts as an intermediary in the process.

As noted, some Commonwealth bodies are excluded from the scheme. These bodies are listed in the Bill and can generally be classified as agencies that operate in investigatory or national security fields.[101] For regulatory and advisory purposes, the Bill establishes a new statutory office and advisory committee, as follows.

New office and advisory council

The Bill establishes the statutory office of the National Data Commissioner (the Commissioner).[102] However, it does not establish a corresponding new statutory agency–rather the Commissioner is an official in the relevant Department (being the Department of the Prime Minister and Cabinet),[103] and will have staff provided by that Department.[104] The Commissioner will be able to hire contractors and consultants,[105] and will not be subject to direction in relation to the exercise of their functions and powers.[106]

The Commissioner has the function of being an advocate for the scheme, to promote understanding and acceptance of the benefits of, and best practice in, sharing and releasing public sector data, and of safe data handling practices.[107]

The Commissioner also has three-pronged administrative functions:

  • providing advice to the Minister, including on the operation of the Act (note—references to ‘the Act’ here and in following parts of this Digest mean the Data Availability and Transparency Act, once enacted)[108]
  • providing guidance on the actions to be taken by data scheme entities to comply with the Act,[109] by making codes of practice about the data sharing scheme,[110] and by making written guidelines[111] and
  • performing the regulatory functions as set out in Chapter 5.[112]

The Commissioner is to be appointed by the Governor-General for up to five years at a time,[113] and is to be paid the remuneration set by the Remuneration Tribunal, or in the absence of this remuneration being set, the remuneration prescribed by rules made under the Act.[114] The Commissioner’s employment provisions in the Bill are standard for statutory office holders. The Commissioner’s appointment can only be terminated for cause, relating in general terms to incapacity, misbehaviour or bankruptcy.[115]

Stakeholder comment

A number of parties have questioned whether there is an inherent contradiction in the one office holder being an advocate for the data scheme and the regulator of it. For example, the AMA said:

If an agency seeks advice from the Data Commissioner prior to entering into a data sharing agreement, there is a potential conflict at the point of providing advice between the Data Commissioner’s role of promoting safety and their role of promoting sharing. Moreover, if the data is subsequently re-identified or a complaint is made, the Data Commissioner will be investigating a data sharing agreement that they advised on.[116]

National Data Advisory Council

A National Data Advisory Council is also established.[117] This will contain four ex officio members,[118] being the Commissioner, the Australian Statistician, the Information Commissioner and the Chief Scientist.[119] It will also contain between five and eight directly appointed members.[120] These members will be appointed by the Commissioner on a part-time basis and must have the appropriate qualifications, skills or experience that will help the Council perform its functions.[121] The directly appointed members will be paid the remuneration determined by the Remuneration Tribunal, or in the absence of this remuneration being set, the remuneration prescribed by rules made under the Act.[122]

As is implied by its name, the Council will have an advisory role and will not be a decision-making body. Its function is to provide advice to the Commissioner about:

  • ethics
  • balancing data availability with privacy protection
  • trust and transparency
  • technical best practice
  • industry and international developments and
  • any other matters

as they relate to the sharing and use of public sector data.[123]

Stakeholder Comment

In submissions to the Senate inquiry into the Bill, bodies representing Indigenous views on the legislation, such as NACCHO, considered that the Bill should stipulate that at least one Council member should be an Aboriginal or Torres Strait Islander person.[124]

Data Sharing

Data, for the purposes of the Bill, is a defined term broadly meaning any information in a form capable of being communicated, analysed or processed,[125] and includes data that is a result of the proper use of data (‘output’).[126] ‘Public sector data’ is data lawfully obtained, created or held by or on behalf of a Commonwealth body and includes data that is enhanced from that data.[127] That is to say, a data custodian can only share data under the scheme if they lawfully hold the data in the first place.

Public sector data can only be shared by a data custodian:

  • to an accredited user, either directly or through an ADSP
  • for a defined data sharing purpose and not a precluded purpose
  • where the sharing is consistent with the data sharing principles
  • where the sharing is not excluded and is in accordance with a data sharing agreement and
  • where it is approved by both or all custodians if there is more than one custodian.[128]

It is an offence and a breach of a civil penalty provision to share data other than as permitted by the scheme.[129]

The approved data sharing purposes are for the delivery of government services; informing government policy and programs; and research and development.[130]

A data sharing agreement is one that is properly entered into where the parties include a data custodian of public sector data and an accredited user.[131] Such an agreement must contain certain mandatory terms. The mandatory terms include that the agreement must specify:

  • the parties to the agreement
  • that sharing under the agreement is to be done under the Act
  • the public sector data to be shared and any agreed outputs of that data
  • who is the data custodian of the original data and of the output
  • any law that would be contravened by the proposed sharing, without the authorisation provided by the Act
  • what the relevant data sharing purposes for the agreement are
  • a prohibition on the accredited user using the data for other purposes
  • a description of how the sharing is in the public interest
  • the role of any ADSP to be used, including prohibiting the ADSP from using the data for another purpose
  • the actions the parties will take in relation to any breach
  • the duration of the agreement and how often it will be reviewed and
  • how scheme data will be handled after the agreement ends.[132]

Parties to agreements must comply with these mandatory conditions. A maximum civil penalty of 300 penalty units ($66,600) applies to a breach by an individual.[133] A maximum penalty of 1,500 penalty units ($333,000) applies to a breach by a body corporate.[134]

Precluded purposes

As mentioned above, public sector data cannot be shared for a precluded purpose.

Precluded purposes are:

  • enforcement related purposes
  • a purpose that relates to or prejudices national security or
  • another purpose prescribed by the rules (at this stage, no rules have been made).[135]

An enforcement related purpose means:

  1. detecting, investigating, prosecuting or punishing:
    1. an offence; or
    2. a contravention of a law punishable by a pecuniary penalty;
  2. detecting, investigating or addressing acts or practices detrimental to public revenue;
  3. detecting, investigating or remedying serious misconduct;
  4. conducting surveillance or monitoring, or intelligence-gathering activities;
  5. conducting protective or custodial activities;
  6. enforcing a law relating to the confiscation of proceeds of crime;
  7. preparing for, or conducting, proceedings before a court or tribunal or implementing a court/tribunal order.[136]

However, data sharing for enforcement related purposes or national security related purposes is not precluded in a general sense, so long as it does not involve any person undertaking an activity in the above list.[137]

The Explanatory Memorandum explains the precluded provisions in the following terms:

The Bill precludes sharing public sector data for certain enforcement related purposes, such as law enforcement investigations and operations. The Bill also does not authorise data sharing for purposes that relate to or could jeopardise national security, including the prevention or commission of terrorism and espionage. While these activities are legitimate functions of government, they require specific oversight and redress mechanisms that are better dealt with through dedicated legislation. Existing legislation governing these activities, including offences and penalties, will continue to operate alongside the Bill.[138]

The data sharing principles comprise the:

  • project principle, meaning that the data sharing is for a project that is ethical and serves the public interest, and that any sharing of personal information is done with the consent of the individuals unless that is unreasonable or impracticable
  • people principle, meaning that data is only shared with appropriately qualified people
  • setting principle, meaning that the data is shared in an appropriately controlled environment (for example, reasonable security standards are applied when sharing the data)
  • data principle, meaning that the data shared is only that necessary to be shared, with the minimisation of sharing personal information
  • outputs principle, meaning basically that the data custodian and the accredited user know what the data is to be used for before sharing the data.[139]

Each of these principles is to be applied in such a way, when viewed as a whole, to mitigate any risks involved in the data sharing.[140]

Stakeholder and committee comment

A relatively common complaint in submissions to both the Exposure Draft of the Bill and the Senate inquiry has been that the language used, particularly in the project principle, is vague and poorly defined. The words most commented on are ‘public interest’ and ‘unreasonable or impracticable’. For example, the AMA has questioned paragraph 16(2)(c), which says that ‘any sharing of the personal information of individuals is done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent’. The AMA submitted:

It is entirely foreseeable that this exception will be used to justify the disclosure of MBS and PBS data large datasets of identified or identifiable sensitive health information without patient consent.[141]

The language question was also raised by the Senate Scrutiny of Bills Committee, which stated that:

The committee is concerned that there is a significant amount of flexibility in the meaning of ‘unreasonable or impracticable’ in this context, and that this may undermine the effectiveness of clause 16 as a safeguard against undue trespass on the privacy of individuals whose data may be shared under the scheme. The committee also notes that, while the data principles contemplate minimising the sharing of personal information as far as possible and sharing only the data reasonably necessary to achieve an applicable purpose, there are no requirements for sharing only de-identified data in the principles or elsewhere in the bill.[142]

In response, the Minister Stuart Robert said:

entities must consider the Bill’s consent requirements on a project-by-project basis. The Bill’s approach to consent builds upon the Privacy Act 1988, requiring consent for any sharing of personal information, unless it is unreasonable or impracticable to seek consent. The Bill’s standard of consent is that set by the Privacy Act 1988 and the language of ‘unreasonable or impracticable’ is drawn from section 16A of that Act. As noted in the Explanatory Memorandum, these terms should be interpreted using relevant guidance on consent made by the Australian Information Commissioner (AIC).[143]

In respect of defining ‘public interest’ the Minister said:

Consistent with other laws, the Bill and its Explanatory Memorandum do not define the public interest to ensure the Bill can adapt to changing community expectations. The question of whether a project can reasonably be expected to serve the public interest must be made on a project-by-project basis, weighing the range of factors for and against sharing.[144]

The Committee stated that it remained concerned about the breadth of possible definitions of the above terms, and requested that the proposed addendum to the Explanatory Memorandum provide further guidance, including specific examples.[145]

Excluded sharing

As well as the precluded purposes for data sharing mentioned earlier, some sharing is excluded from the scheme where:

  • the data held by a custodian originated with or was received from an excluded entity
  • it is operational data that is held by, or originated with or was received from AUSTRAC, the Australian Federal Police (AFP), or the Department of Home Affairs[146] 
  • where the data is legally barred—for example, if its sharing would infringe copyright, breach parliamentary privilege or if the data is evidence before a court
  • sharing the data is inconsistent with Australia’s obligations under international law
  • the data was collected from a foreign government, unless the foreign government agrees to the sharing
  • disclosure of the data is prohibited by a law prescribed by the regulations, or an order, direction, certificate or other instrument made under such a law[147]
  • the custodian of the data is prescribed by the regulations as an entity that must not share data in that capacity
  • it is otherwise prescribed by the regulations.[148]

How does an accredited user or ADSP become accredited?

An ADSP or accredited user becomes accredited by applying for accreditation,[149] and being accepted by the Commissioner as meeting the eligibility criteria.[150] In most cases, this is a discretionary decision by the Commissioner—the Bill says that the Commissioner may accredit an entity.[151] Decisions on accreditation by the Commissioner must be in writing and be given to the applicant entity.[152] Decisions to not accredit, or to change the accreditation status, of foreign entities for reasons of security are not reviewable.[153]

Discretion to accredit does not apply to non-corporate Commonwealth entities within the meaning of the Public Governance, Performance and Accountability Act 2013 and Commonwealth bodies prescribed by the Minister in the rules. Those bodies are automatically accredited on application, however, where bodies are prescribed in the rules by the Minister, the Minister must be first satisfied that the body meets the eligibility criteria.[154]

In its submission to the Senate Inquiry, the Office of the Australian Information Commissioner questioned why non-corporate Commonwealth entities should be automatically accredited. The OAIC stated:

… the OAIC considers that it is important that the accreditation framework include an upfront assessment of each entity that wishes to be accredited under the DAT scheme, and that the assessment is undertaken consistently in relation to all potential accredited entities. An upfront assessment component is an important safeguard in any accreditation framework to verify that an entity is compliant with regulatory and accreditation requirements and build accountability and transparency.[155]

There are seven basic eligibility criteria for accreditation, namely:

  • the entity is able to manage ‘scheme data’[156] accountably and responsibly
  • the entity has designated an appropriately qualified individual to be responsible for overseeing the management of scheme data
  • the entity is able to apply the data sharing principles
  • the entity is able to minimise the risk of unauthorised access, sharing or loss of scheme data
  • the entity is committed to continuous improvement in ensuring the privacy and security of scheme data
  • the entity is able to comply with an accredited entity’s obligations under the data sharing scheme
  • the entity’s participation in the data sharing scheme would not pose concerns for reasons of security.[157]

Other eligibility criteria can be prescribed by the Minister in the rules.[158]

The Commissioner can impose conditions on accreditation, such as where the Commissioner considers it appropriate for security purposes, or by placing limitations on which people in the applicant body can have access to the shared data.[159]

Other than for reasons of security, the Commissioner must not impose, vary or remove a condition without giving the accredited entity a written notice. The written notice must set out the proposed condition and request a written statement from the entity relating to the condition, except where the Commissioner considers that the reasons for the condition, or its variation or removal, are serious and urgent. Where a written statement is requested, the Commissioner must consider that statement. After considering the statement the Commissioner must then give the accredited entry written notice of their decision.[160]

Under certain specified circumstances, such as that the entity has breached a condition of accreditation or that it no longer fulfils the eligibility criteria, the Commissioner, either at the written direction of the Minister, or on their own initiative, can suspend or cancel an entity’s accreditation.[161] Where the Commissioner intends to make such a decision they must first advise the entity in writing and provide the entity the opportunity to show cause as to why accreditation should not be suspended or cancelled.[162] This requirement does not apply if the suspension or cancellation is for security reasons.[163]

The need for the Commissioner to provide the accredited entity with prior notice of a suspension or cancellation does not apply when the Commissioner is acting at the direction of the Minister. However, except in relation to security matters, the Minister must not give such a direction to the Commissioner without first giving the accredited entity a written notice setting out details of the proposed direction and giving the accredited entry the right to make a written statement within a specified time. This last provision is not necessary if the Minister considers that the reason for the direction is serious and urgent.[164]

On application to the Commissioner, accreditation can be transferred from one entity to another, where the original entity has changed its governance structure.[165]

Responsibilities of data scheme entities

All data scheme entities must comply with the rules and data codes and must have regard to guidelines.[166]

Data codes are described in clause 126 of the Bill. The codes are in the form of legislative instruments made by the Commissioner. Being legislative instruments, data codes are subject to the normal provisions of the Legislation Act 2003 as regards parliamentary tabling and disallowance. Provisions written in the rules or regulations override inconsistent code provisions, to the extent of any inconsistency.[167] Codes can cover a variety of subjects, for example:

  • how data definitions are to be applied and complied with in practice
  • additional responsibilities for entities, so long as those additional responsibilities do not create inconsistencies with the Act
  • how complaints are to be handled and
  • other matters that the Commissioner considers it necessary to make a code about.[168]

Data scheme entities also have responsibilities for providing full and accurate information to the Commissioner.[169]

What are the guidelines?

Written guidelines are made at the discretion of the Commissioner about matters for which the Commissioner has functions under the Act.[170] Data scheme entities are required to have regard to these guidelines while engaging in conduct in the scheme.[171] The guidelines can be published in any manner that the Commissioner deems appropriate, most probably on the Commissioner’s website.[172] They are not legislative instruments.[173] Guidelines can cover principles and processes on subjects such as:

  • data release
  • data management and curation
  • technical matters and standards and
  • emerging technologies.[174]

The Explanatory Memorandum says that it is the intention that guidelines:

… will be developed in consultation with specialists and other bodies and agencies, such as the Office of the Australian Information Commissioner and the National Archives of Australia. The National Data Advisory Council may also advise the Commissioner on the development of guidelines, particularly those that relate to the council’s functions.[175]

Privacy

The Bill’s potential impact on privacy is probably its most contentious issue. The views of a number of organisations in relation to privacy issues were set out earlier in this Digest.

Clause 28 of the Bill is about privacy coverage in the scheme. All entities taking part in the scheme will be required to comply with the provisions of the Privacy Act 1988, or a state or territory laws that provide similar protection of personal information to that contained in the Australian Privacy Principles, including the monitoring of compliance and the ability for an individual to seek recourse.[176] Most importantly, this means that in general personal information obtained by an entity in the data sharing scheme can only be used for the purpose for which it is shared and for no other purpose.[177] Disclosure for other purposes however is still possible in some circumstances, such as where the individual has consented to the disclosure/use of the information or where disclosure is authorised by Australian law. Should this Bill be passed by the Parliament, ‘Australian law’ will of course include the provisions in this Bill.

Where entities are not subject to the Privacy Act but wish to participate in data sharing, they can become subject to that Act through existing provisions of that Act.[178]

However, submissions to the Senate inquiry and on the Exposure Draft saw a broader problem than this. One complaint was that this Bill would widen the exceptions to APP 6 to such an extent that it would effectively nullify that Principle.[179] Forcing entities to comply with such a weakened Principle would not provide much protection.

Clauses 35 to 38 inclusive of the Bill set out the responsibilities of entities in the case of a data breach. A data breach occurs not only where data is accessed in an unauthorised manner, but where it is lost in circumstances which could suggest unauthorised access.[180] In such circumstances entities have a responsibility to ‘take reasonable steps’ to mitigate the damage.[181]

Where a data custodian of public sector data has shared personal information with an accredited user and a breach occurs, the breach notification provisions of the Privacy Act apply as if the breach occurred from the data custodian.[182] As all data custodians are covered by the Privacy Act, this is to ensure that all breaches are also covered by the Privacy Act.[183] The processes for dealing with data breaches are set out in the notifiable data breaches provisions of Part IIIC of the Privacy Act and apply here. The following information from the OAIC explains how the notifiable data breaches (NDB) scheme in Part IIIC operates:

Complaints

A data scheme entity can complain to the Commissioner if it reasonably believes that another data scheme entity has breached the Act. This includes entities that are no longer members of the scheme but were within the last 12 months.[185] The Commissioner can also assess whether conduct of an entity was consistent with the Act on their own initiative and in a manner they consider appropriate.[186]

The Commissioner must advise the complainant within 30 days as to how the Commissioner is dealing with, or intends to deal with, the complaint.[187] Initially, the Commissioner must make any preliminary inquiries thought necessary, and can refer the matter to conciliation if appropriate.[188] The Commissioner has the option of not dealing with a complaint for a number of reasons, including:

  • it is considered that the respondent (the person about whom the complaint has been made) has not breached and is not breaching the Act
  • the respondent has already dealt with the subject of the complaint
  • the complaint is being investigated elsewhere
  • the complainant has failed to provide requested information
  • the complaint is lacking in substance or frivolous or
  • it is considered that an investigation is not warranted.[189]

If the Commissioner decides that a full investigation is warranted in regard to a breach of the Act, and that conciliation would not, or has not, settled the problem; the Commissioner may investigate in any manner the Commissioner considers appropriate; and in so doing, obtain information from any person and make any inquiries necessary.[190]

Following an investigation, the Commissioner must make a determination setting out the decision, the reasons for the decision, and what action the Commissioner intends to take if the finding is the entity is in breach.[191] The Commissioner may make the determination publicly available.[192]

Comment

Individuals cannot complain to the National Data Commissioner if they consider that their personal privacy has been breached in the scheme. This has been the source of considerable adverse comment in submissions and by the Senate Scrutiny of Bills Committee. The latter said:

The committee also notes that under the complaints mechanism established in Division 1 of Part 5.3, only data scheme entities may make a complaint … The committee is concerned that establishing a narrowly focused complaints mechanism may result in the Data Commissioner rarely or never hearing privacy complaints, which may result in privacy concerns not being given adequate consideration in decision making under the scheme … The committee therefore requests the minister’s advice as to why individuals whose privacy interests may be affected by the data sharing scheme should not have access to … the dedicated complaints process established in Division 1 of Part 5.3.[193]

The Minister has stated that not creating a new public complaints scheme was intentional and that persons who wish to complain can use ‘existing complaints and administrative review processes’, for example, the complaints mechanism under the Privacy Act or similar state/territory schemes.[194]

Regulatory Powers

The Commissioner has a number of regulatory powers, set out in clauses 104 to 116 of the Bill. Among other things, the Commissioner can:

  • require the provision of information and documents relevant to an investigation,[195] other than documents from an excluded entity, or information or documents the giving of which would, in summary, be contrary to the public interest in the view of the Attorney-General,[196] but including documents that would otherwise attract legal professional privilege[197]
  • disclose information to a number of listed, normally investigatory, agencies if the Commissioner considers that the information would assist those bodies to fulfil their functions[198]
  • make recommendations to an entity[199]
  • give written directions to an entity.[200]

Penalty Provisions

The Bill contains a number of civil penalty provisions for breaches of Bill provisions. For example, a failure to follow a Commissioner’s written direction renders an entity liable to a maximum penalty of 300 penalty units ($66,600).[201] There are also a number of offence provisions. It is an offence to collect, share or use scheme data for a purpose other than those set out in the scheme, with a maximum penalty of two years’ imprisonment.[202] There is also an offence for failing to comply with a requirement to provide information or documents to the Commissioner, with a maximum penalty of 12 months imprisonment.[203] 

Civil penalties, and infringement notices setting out penalties, will be enforceable under the provisions of the Regulatory Powers (Standard Provisions) Act 2014 (RPA).[204] The RPA contains a standard suite of investigative, compliance monitoring and enforcement powers which may be applied to other Commonwealth laws. These standard provisions are intended to be ‘an accepted baseline of powers required for an effective monitoring, investigation or enforcement regulatory regime, providing adequate safeguards and protecting important common law privileges’.[205] For the RPA to apply, its powers must be ‘triggered’ by another Act, with or without modification.[206] The Bill triggers the RPA’s monitoring and investigation powers, and civil penalty provision enforcement (including through the use of infringement notices, enforceable undertakings and injunctions), as explained below.[207]

Compliance monitoring powers

Part 2 of the RPA creates a framework for monitoring:

  • compliance with provisions of an Act or legislative instrument and
  • whether information given in compliance (or purported compliance) with a legislative provision is correct.[208]

Clause 109 of the Bill provides that:

  • the civil penalty provisions of the Bill
  • subclauses 14(2) and (4) of the Bill (offences for unauthorised sharing, collection and use of data)
  • subclause 104(3) of the Bill (offence of failure to comply with a requirement to provide information or documents to the Commissioner) and
  • a provision of Chapter 3 of the Bill (responsibilities of data scheme entities)

are subject to monitoring under Part 2 of the RPA.

Part 2 of the RPA provides that an authorised person (in this case the Commissioner or their delegate)[209] may exercise various standard monitoring powers for the above purposes—these include the power to:

  • enter and search premises, and observe activity carried out on the premises[210]
  • deal with evidence found on premises, including by inspecting, examining, making recordings of and securing things (pending the regulatory agency obtaining authorisation to seize them under investigation powers)[211] and
  • require persons on the premises to answer questions and produce documents.[212]

The standard provisions prescribe the authorisation process for the exercise of monitoring powers (under warrants issued by a judicial officer acting in a personal capacity, or with the consent of the occupier of the premises).[213]

They also set out the obligations applying to persons exercising monitoring powers (such as providing the occupier with details of a warrant, and carrying identification),[214] and the rights and responsibilities of persons occupying the premises being searched.[215] The standard provisions also state that the compliance monitoring powers do not abrogate legal professional privilege and the privilege against self-incrimination.[216]

Investigation powers

Part 3 of the RPA creates a framework for gathering material that relates to the contravention of offence provisions and civil penalty provisions.[217] It contains standard investigation powers, including related authorisation and procedural requirements, which enable an agency to gather evidence of contraventions of criminal offences and civil penalty provisions within its statutory enforcement functions. Standard investigation powers include the power to:

  • enter and search premises for evidential material[218]
  • seize evidential material[219] and
  • require persons on the premises to answer questions and produce documents.[220]

The standard investigation powers must be authorised under a warrant issued by a judicial officer acting in a personal capacity, or exercised with the consent of the occupier of the premises.[221]

They set out the conditions and limits of the investigation powers able to be authorised as well as the obligations of persons exercising powers and the rights and responsibilities of persons occupying the premises being searched.[222] Like the compliance monitoring powers, the investigation powers expressly do not abrogate self-incrimination or legal professional privilege.[223]

Enforcement powers

Parts 4 to 7 of the RPA contain standard enforcement mechanisms for contraventions of regulatory legislation, principally through the use of civil penalties, infringement notices, enforceable undertakings and injunctions.

The standard provisions prescribe requirements governing a regulatory agency’s ability to:

  • apply to the court for a civil remedy in relation to the contravention (a civil penalty or an injunction)[224]
  • issue an infringement notice to a regulated entity (which means that the regulated entity can pay an amount of money specified in the notice, as an alternative to having court proceedings brought against them for a contravention) and to commence enforcement action in court if the regulated entity does not pay the amount specified in the notice[225] and
  • accept an enforceable undertaking from a regulated entity (for example, to cease engaging in activities that contravene regulatory requirements) and to commence proceedings in court if the regulated entity does not adhere to the terms of the undertaking.[226]

For a person to have breached the civil penalty provisions of the Bill the conduct, or result of the conduct, must either have occurred at least partly in Australia; or if it occurred outside Australia, have been performed by an Australian entity.[227]

Review of decisions

Most decisions made by the Commissioner will be reviewable decisions at administrative law.[228] This is a two-step process. First, the Commissioner must reconsider the decision, and can affirm, vary or revoke the decision.[229] The Commissioner must make a reconsideration decision within 90 days; if this time frame is not met, it is deemed that the Commissioner has affirmed the decision.[230]

Any reconsideration decision that is made by the Commissioner directly, or affirmed (including deemed to be affirmed) or varied on reconsideration, is subject to further review by the Administrative Appeals Tribunal.[231]

Other provisions

A number of documents are required to be maintained, or can be made, in relation to the scheme. These include publicly available registers of:

  • ADSPs
  • accredited users and
  • data sharing agreements.[232]

However, the Commissioner may omit details that the Commissioner considers are not appropriate to be made public.

Legislative instruments

The Bill provides for the following categories of legislative instruments to be made in relation to the scheme:

  • the Governor-General can make Regulations required or permitted by the Bill or necessary or convenient to give effect to the Bill[233]
  • the Minister can make rules required or permitted by the Bill or necessary or convenient to give effect to the Bill[234]
  • the Commissioner can make data codes.[235]

Written notices that are not legislative instruments

The Commissioner can:

  • make guidelines[236]
  • approve forms[237]
  • recognise external dispute resolution schemes.[238]

Stakeholder comments

A number of stakeholders have expressed concern that significant aspects of the scheme will be contained in legislative instruments and written notices, and that these will not be in existence when the Bills come up for a parliamentary vote. In a legal sense this is inevitable as, until the Bills become Acts of Parliament, there is no statutory power to make the necessary legislative instruments. However, as implied by some stakeholders, this means that the Parliament is to some extent voting on an incomplete scheme.[239] Draft legislative instruments were prepared for the Exposure Draft process, but these are by their nature not final documents.[240]

In an additional statement to the Senate Finance and Public Accounts Committees following her personal appearance, the National Data Commissioner said:

I understand that the Minister’s intention is to make available another version of the draft Regulations before the Bill is debated in the House of Representatives.[241]

At the time of writing this does not appear to have occurred.

The consequential Bill

The consequential Bill amends a number of other Acts to give recognition to the proposed scheme and office of Commissioner as well as making consequential amendments in relation to the Bill’s review provisions. An amendment to the Administrative Decisions (Judicial Review) Act 1977 makes decisions in relation to the accreditation, or otherwise, of a foreign entity, not susceptible to judicial review, if made for reasons of security.[242]

The Australian Security Intelligence Organisation Act 1979 (ASIO Act) is amended to include a reference (item 3) to the exercise of a power under the accreditation framework of the principal Bill in the definition of ‘prescribed administrative action’ in the ASIO Act. The Explanatory Memorandum notes that this means:

… an exercise of power by the Commissioner under the accreditation framework in the principal Bill is a ‘prescribed administrative action’ for the purposes of Part IV of the ASIO Act[243]

and that the amendment ensures:

ASIO can provide advice (including security assessments) to inform an exercise of power under the accreditation framework, such as a decision to accredit an entity, or to suspend or cancel an entity’s accreditation.[244]

Item 4 proposes to insert a new paragraph into subsection 36(1) of the ASIO Act. The effect of this is that security decisions in relation to foreign entities under the accreditation framework will not be subject to merits review. The Explanatory Memorandum comments that:

The underlying intent is to control for the security risks associated with foreign national individuals who may be affiliated with foreign powers. Disclosing knowledge of this affiliation through the review process in Part IV of the ASIO Act risks jeopardising ongoing security operations and poses a threat to Australia’s national security. This is consistent with the Administrative Review Council publication, What decisions should be subject to merits review? (1999), which states that decisions concerning national security may justify exclusion from merits review (para 4.23).[245]

Amendments to the Privacy Act at items 6 to 8 insert references to the National Data Commissioner. These references have the effect of making the National Data Commissioner an alternative complaint body under the Privacy Act, meaning that the Privacy Commissioner can transfer a complaint to the National Data Commissioner, if the Privacy Commissioner forms the opinion that the complaint could be more conveniently or effectively dealt with by that office.

An amendment to the Freedom of Information Act 1982 at item 5 exempts agencies from FOI processes in relation to documents shared with an agency or created for Data Availability and Transparency Act purposes.[246]