5.1
This chapter will briefly set out the range of views the committee received from submitters regarding the Data Availability and Transparency Bill 2020 (the bill) and the Data Availability and Transparency (Consequential Amendments) Bill 2020 (the consequential amendments bill).
5.2
It will then examine a number of key issues in greater detail, including:
the views and recommendations put forward by the Office of the Australian Information Commissioner (OAIC);
security concerns relating to the participation of foreign entities in the data sharing scheme; national security risks in the higher education and research sector, and cyber-security;
the standard of consent for sharing and the lack of definition of ‘unreasonable or impracticable’ in the context of paragraph 16(2)(c);
the lack of definition of ‘public interest’ in the context of paragraph 16(2)(a);
the reliance on delegated legislation for key aspects of the accreditation framework;
the reliance on guidelines (i.e. non-legislative instruments) to convey core aspects of the data sharing scheme;
the definition of ‘other persons’ in clauses 109 and 110;
the dual roles of the Office of the National Data Commissioner (ONDC);
concerns relating to the sharing of particular kinds of data;
the treatment of legal professional privilege; and
Indigenous considerations.
5.3
The chapter will then conclude with the committee’s views and final recommendations.
Views on the bills
5.4
As noted in Chapter 1 of this report, the committee received 31 submissions to its inquiry. Stakeholder views ranged from:
support for the bills and the proposed data sharing scheme;
support for the general intent of the data sharing scheme coupled with specific concerns and recommendations designed to improve the drafting of the bills and operation of the scheme; and
opposition to the bills and the broader concept of public sector data sharing.
Support for the data sharing scheme
5.5
A number of submitters to the inquiry supported the two bills and the policy outcomes the data sharing scheme seeks to achieve.
5.6
For example, Research Australia stated that it believed the framework for data availability to be established by the bills was ‘a robust and effective mechanism’ for utilising data for research purposes while mitigating the risk of privacy or data breaches.
5.7
Research Australia also commented that its support for the bill was driven by a belief that the new data sharing framework would improve the consistency and timeliness of the consideration of requests for access to data by Commonwealth government departments and agencies. It noted that this outcome would improve the conduct of research in Australia and ultimately lead to better health, social and economic outcomes.
5.8
A submission from Data Republic, an Australian technology company, argued that the bill was a ‘critical productivity driver’ for both government and improved citizen outcomes.
5.9
Data Republic also supported the ‘principles-based’ approach of the bill, noting that this approach offered a ‘longevity advantage’ over a highly codified piece of legislation. It highlighted that it was to be expected that practitioners would require some ongoing guidance (to be provided by the ONDC) in light of the increasing rate of change in data and technology spheres.
5.10
BSA | The Software Alliance (BSA), an advocate for the global software industry, noted that government-generated data is an important asset that can serve as a ‘powerful engine’ for creating new jobs, promoting economic growth, driving productivity and enabling innovation. It indicated it was ‘very supportive’ of the bills and asserted that the bills establish a ‘promising model’ for encouraging the sharing of sensitive, but high-impact data.
BSA is highly supportive of the Australian Government’s intent to enhance the collective benefits of data by advancing responsible policies that facilitate greater sharing, collaboration, and experimentation with data resources while protecting privacy.
5.12
GovHack Australia is an organisation that runs community hackathon events aimed at allowing all levels of government to engage directly with hackers in order to solve civic challenges using government agency open data. It informed the committee it believed the Commonwealth Government was taking ‘the right steps’ to facilitate data sharing and strongly supported the bills.
5.13
The George Institute for Global Health Australia, an independent global medical research institute, set out its support for the bills and highlighted that the bills would not only create opportunities for Australian health and medical researchers, but also mitigate risks relating to the storing, accessing and sharing of data.
5.14
The Population Health Research Network (PHRN), a national data linkage infrastructure network, indicated it supported the passage of the bills as they would embed existing good data sharing practices in legislation. It acknowledged the extensive stakeholder consultation that had taken place during the development of the bills, and stated that it believed that ‘overall’ the bills deliver ‘an effective balance between minimising individual privacy risks and maximising the benefits from the sharing of data’.
Opposition to the bills
5.15
A small number of submitters expressed dissatisfaction with the bills and opposed the proposed data sharing scheme.
5.16
For example, the Australian Privacy Foundation (APF) asserted that the scheme lacked transparency and adequate safeguards for data protection.
5.17
Dr Bruce Baer Arnold, Vice Chair of the APF expressed the view that the bill represents an erosion of Australian privacy law, which itself is considered inadequate and is subject to a review. The new ONDC, sitting alongside the OAIC, was considered by Dr Baer Arnold to be ‘balkanising’ current responsibilities. Additionally, the OAIC was seen as under-resourced to regulate both privacy and freedom of information law.
5.18
Digital Rights Watch stated that it was concerned that the bills were moving ahead in parallel to the review of the Privacy Act 1988 (Privacy Act) and asserted:
Given the topical overlap and potential for new privacy reforms to fundamentally impact the way data protection and ownership is viewed in Australian legislation, it should remain a priority to anticipate an updated Privacy Act before proceeding with any other fundamental changes to the way that personal data of Australians is treated.
5.19
Mr Jonathan Gadir, a member of the New South Wales Council for Civil Liberties (NSWCCL) also echoed this concern.
5.20
The Public Interest Advocacy Centre (PIAC) noted that while it does not oppose ‘appropriate, secure and informed consent-based sharing of public sector data for the purposes of improving socio-economic outcomes’, it believed that the bill did not provide ‘sufficient safeguards for a data-sharing scheme which represents a fundamental reform to the way in which public sector data is shared and used’.
Recommendations for improvement
5.21
A larger cohort of submitters expressed general support for the broad intent of the data sharing scheme and acknowledged the oversight and safeguard mechanisms already embedded in the bills.
5.22
However, some of these submitters also raised significant concerns with the practical operation and potential consequences of the bills, and put forward specific recommendations designed to improve the proposed data sharing scheme.
5.23
Many of these concerns centred on privacy risks and safeguards and echoed those raised by the Senate Standing Committee for the Scrutiny of Bills (Scrutiny committee) and the Parliament Joint Committee on Human Rights (joint committee).
5.24
For example, the Law Council of Australia (Law Council) acknowledged the importance of fostering and facilitating data sharing arrangements and the need for the continued development and improvement of robust policies to govern these arrangements. It expressed its support for the removal of ‘unnecessary barriers’ to government data sharing and the development of a single, unified approach to improve the current ‘fragmented and often unclear’ data sharing approach. However, the Law Council also stated that it appreciated the ‘delicate balance’ that must be struck between collecting and sharing data, and the right to privacy and the need for appropriate safeguards.
5.25
In many cases submitters informed the committee that they had raised their concerns with the ONDC during the consultation process for the exposure draft of the bill, but that the issues had not been addressed or adequately clarified in the final bill.
5.26
For example, a submission from privacy practitioners Ms Melanie Marks, Ms Anna Johnston and other commercial, public sector and academic professionals acknowledged the significant consultation and review that had informed the development of the bill; however, they emphasised that the concerns they had raised with the ONDC during the consultation had not been addressed in the drafting of the bill.
5.27
They argued that although effective data sharing may assist with achieving enhanced productivity, better service delivery and improved research outcomes, there was ‘overarching underappreciation’ that the data sharing scheme proposed by the bill constituted an exemption ‘authorised by or under an Australian law’ from the general principle that personal information must not be used for secondary purposes as set out in Australian Privacy Principle (APP) 6 contained in Privacy Act.
5.28
The committee also received a submission from the OAIC, the independent Commonwealth regulator overseeing privacy functions, freedom of information functions, and information management.
5.29
The OAIC informed the committee that it had engaged with the ONDC throughout the development of the bills to ‘help ensure that privacy and security play a central role in the legislative framework’.
5.30
The views and recommendations put forward by the OAIC will be examined in greater detail in the next section.
Views of the Office of the Australian Information Commissioner
5.31
The OAIC noted that two of its key strategic priorities include upholding information access rights and supporting the proactive release of government-held data, in recognition that data held by the Australian Government is a ‘national resource’ which can ‘yield significant benefits for the Australian people when handled appropriately, and in the public interest’.
5.32
While identifying that the data sharing scheme is one of several Commonwealth government initiatives that reflect this policy objective, the OAIC also noted that proposals to share data containing personal information will necessarily carry certain privacy risks, including:
the loss of control by individuals; and
the potential for the mishandling of personal information.
Privacy risks can be heightened in relation to Government-held information, which is often collected on a compulsory basis to enable individuals to receive a service or benefit or is otherwise required by law. Such data is often sensitive or can become sensitive when it is linked with other government data sets.
5.34
The OAIC informed the committee that it supports the measures included in the bills that are designed to build on the existing privacy framework to minimise the privacy impacts of the data sharing scheme, including:
Requiring all data scheme entities to be covered by the Privacy Act or a law of a state or territory that provides a commensurate level of privacy protection, monitoring of compliance with the law, and a means for an individual to seek recourse if their personal information is shared.
Requiring consent to be obtained if the personal information of individuals is to be shared, unless it is unreasonable or impractical to seek their consent.
Requiring entities to outline how the public interest is served by the sharing in a data sharing agreement.
5.35
However, in addition to this statement of support, the OAIC also recommended the inclusion of additional privacy measures that will provide ‘further protections’ for individuals and clarity for data scheme entities about their privacy obligations.
The OAIC considers that these additional measures are necessary to ensure the proportionality of the scheme and to achieve the trust and confidence of the community, which is vital to the success of the DAT [data availability and transparency] scheme.
5.37
Additionally, the OAIC voiced concerns about the proposal to exempt agencies from the Freedom of Information Act 1982 (FOI Act).
5.38
These matters will be addressed in further detail below.
Recommendations for additional safeguards
5.39
The OAIC acknowledged the numerous privacy safeguards included in the bill; however, it identified further key privacy protective measures that it deemed should be included to further mitigate the risks posed by sharing personal information.
5.40
These additional measures revolve around:
the de-identification of data;
the use of exit mechanisms; and
the accreditation of Commonwealth entities as users.
5.41
Each of these additional recommended measures will be examined below.
De-identification of data
5.42
Subclause 16(7) of the bill establishes the ‘data principle’. This principle focusses on the nature of the data and whether any technical or statistical treatments are necessary to control the risks of the sharing, while still delivering the data needed to achieve the purpose of sharing.
5.43
Specifically, subclause 16(8) states that the ‘data principle‘ includes (but is not limited to) the following elements:
only the data reasonably necessary to achieve the applicable data sharing purpose is shared; and
the sharing of personal information is ‘minimised’ as far as possible without compromising the data sharing purposes.
5.44
The OAIC noted that it supported the decision of the ONDC following consultation on the exposure draft of the bill to elevate the requirement to ‘minimise’ the amount of personal information shared from guidance material into primary legislation.
5.45
However, the OAIC also indicated that it shared the concerns of Scrutiny committee in that while the data sharing principles set out in clause 16 of the bill contemplate minimising the sharing of personal information as far as possible and sharing only the data reasonably necessary to achieve an applicable purpose, there are no requirements for sharing only de-identified data contained in the principles or elsewhere in the bill.
This [concern] is consistent with the OAIC’s position throughout the development of the DAT [data availability and transparency] scheme, that data sharing should occur on a de-identified basis where possible, to minimise the privacy impacts of the scheme for individuals.
5.47
As a result, the OAIC recommended that the bill include a requirement that data custodians must not share personal information where the data sharing purpose can reasonably by met by sharing de-identified information.
5.48
The OAIC made clear that any definition of ‘de-identified’ included in the bill should align with the definition set out in section 6(1) in the Privacy Act – that personal information is ‘de-identified’ if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
5.49
It explained the benefits of this ‘technology neutral’ approach:
Such an approach is technology neutral and would enable the data custodian to apply the most appropriate de-identification technique to the data to ensure that personal information is protected and that the information will still be useful for its intended purpose after the de-identification process.
5.50
Additionally, the OAIC recommended that clause 19 of the bill should be amended to require data sharing agreements to outline when personal information is being shared as part of a project. It noted that this amendment would create an additional transparency and accountability requirement that supports a data minimisation approach.
Exit mechanism
5.51
Subclause 21(1) of the bill establishes the limited circumstances in which an output may be provided to third parties as an authorised use of data under subclause 13(3). Subsequent to the process established in this clause, the output ‘exits’ the scheme and is no longer considered ‘scheme data’ regulated by the bill.
5.52
‘Output’ is defined in subclause 10(4) of the bill as ‘data that is the result or product of the use, by an accredited user, of public sector shared data shared with the accredited user under subsection [subclause] 13(1).’
5.53
Under subclause 21(1), an accredited user may provide individuals and businesses with outputs containing data about themselves to check the data is accurate by validating or correcting it. Subclause 21(2) clarifies the point at which an output exits the data sharing scheme and ceases to be scheme data regulated by the bill – under paragraph 21(2)(a), that point is the time the output is validated or corrected by the entity with which it is shared.
5.54
The explanatory memorandum (EM) noted that the exit mechanism contained in subclause 21(1) is intended to support the use of outputs created for permitted data sharing purposes, in particular ‘government service delivery for which accurate, up-to-date information is essential’. The EM illustrated a potential use of the exit mechanism by noting that the clause supports pre-filling forms (to be validated by the individual or business) and a single point-of-contact to engage with multiple government agencies. In regards to this statement in the EM, the OAIC observed that this data is likely to contain personal information.
5.55
The exit mechanism provided for in subclause 21(3) of the bill allows an accredited user to ‘release’ output in circumstances that are specified in the data sharing agreement for the project, provided that the release does not contravene a law of the Commonwealth, state or territory.
5.56
The OAIC pointed out that ‘release’ is defined in clause 9 of the bill as ‘provide open access’ to data – which is distinct from ‘share’, which means ‘provide controlled access’ to data.
5.57
The EM noted that subclause 21(3) does not create a new authorisation to release data, and instead provides that entities must rely on release mechanisms in other legislative and policy frameworks. In regard to this, the OAIC observed that if an output contained personal information it could only be disclosed by an accredited user if that disclosure is permitted by the Privacy Act.
5.58
In examining these matters, the OAIC acknowledged that to maximise the benefits and utility of the data sharing framework, it may be necessary for outputs to exit the scheme in certain circumstances.
5.59
However, it recommended that additional protections be included in the bill to ensure that this exit mechanism minimises the risks to individual’s privacy and is only used in ‘specific and confined’ circumstances.
5.60
It recommended that only output that has been shared for the purpose of delivery of government services should be permitted to exit the data sharing scheme for validation or correction under subclause 21(1), unless the ONDC could identify a clear use case prior to the introduction of the legislation that reasonably necessitates data exiting the scheme for broader purposes.
5.61
The OAIC further recommended that the bill ‘should explicitly require the accredited user to take reasonable steps to ensure that the output is being shared with the entity or individual (or the individual’s responsible person) that the output is about’.
5.62
Additionally, the OAIC recommended that outputs that include personal information should not be permitted to be released from the scheme under subclause 21(3). It explained the rationale behind this recommendation:
An accredited user will have collected the personal information from a data custodian and not directly from an individual. The individual will therefore have had no ability to consent to the information being disclosed outside the DAT [data availability and transparency] scheme (which could include publication), or to decide to withhold their consent. Given the most likely scenario for data release under cl 21(3) will be sharing research or policy outcomes, it seems unlikely that personal information will be required to meet this purpose and should therefore be explicitly prohibited from release.
Accreditation of Commonwealth entities as users
5.63
Subclause 74(3) of the bill requires the commissioner to automatically accredit non-corporate Commonwealth entities and other Commonwealth bodies as prescribed in the rules if they apply for accreditation as an accredited user under clause 76.
5.64
The OAIC observed that this constituted a ‘significant change’ to the accreditation framework for the scheme which had not been previously consulted on.
5.65
In making this observation, the OAIC highlighted that accreditation plays an important role in ensuring that entities have appropriate processes, systems and procedures in place to support safe handling of personal information.
The effectiveness of an accreditation framework rests on the accreditation criteria being set at an appropriate level and accreditation standards and processes being applied consistently across the scheme. A light touch or inconsistent approach to accreditation risks undermining the level of assurance that the framework is designed to provide. A robust accreditation process would provide a strong trust mark for the scheme.
5.67
The OAIC acknowledged the accreditation criteria set out in clause 77 of the bill, as well as the explanation in the EM which noted that non-corporate Commonwealth bodies already meet these accreditation criteria as they are subject to relevant government policies, frameworks, and ministerial oversight.
5.68
However, the OAIC still considered that it was important that the accreditation framework also include an upfront assessment of each entity that wishes to be accredited under the data sharing scheme, and that the assessment is ‘undertaken consistently’ in relation to all potential accredited entities.
Compliance with the DAT [data availability and transparency] scheme accreditation criteria could be demonstrated by drawing on the policies and processes, governance arrangements, training programs and data management protocols that an entity already has in place to comply with its existing obligations under other frameworks. However, an individual assessment of each application for accreditation by the National Data Commissioner would enable important oversight of how these obligations will be applied in the context of the DAT scheme. The OAIC considers that this should be the case even for Commonwealth bodies, who should still be subject to the same rigorous accreditation process, regardless of their broader privacy and security obligations.
5.70
Subsequently, the OAIC recommended that all accredited users (including Commonwealth bodies) be subject to the same rigorous accreditation processes and criteria as other entities seeking to become accredited under the data sharing scheme.
Proposal to exempt agencies from the FOI Act
5.71
The OAIC raised concerns regarding the proposed exemption of scheme data from the FOI Act contained in the consequential amendments bill, noting that it considered this exemption ‘runs counter’ to the objects of both the FOI Act and the principal bill.
5.72
The OAIC explained its core concerns as follows:
The OAIC is concerned that the proposal is unnecessarily broad and risks misalignment with the objects of the FOI Act to provide a fundamental legal right to access documents. The OAIC is also concerned that this proposal reduces the information access rights of individuals, impacting on their ability to seek access to their own personal information and understand how agencies are using this information.
5.73
The OAIC recommended that consideration be given to removing the proposed consequential amendment to the FOI Act so that data that is shared by agencies under the data sharing scheme remains subject to the usual FOI processes and potential exemptions under the FOI Act.
5.74
It submitted that through building on existing transfer mechanisms in the FOI Act, data custodians and accredited users could be supported to deal with such FOI requests through the inclusion of specific provisions in the FOI Act that would:
allow for the transfer of data back to the data custodian in the event an FOI request is received by an agency with which the data was shared as an accredited user; or
require the accredited user to consult with the original data custodian if data that had been shared with them under the data sharing scheme is requested through the FOI Act.
Security concerns around foreign entities
5.75
The committee received evidence relating to the participation of foreign entities in the data sharing scheme.
5.76
For example, a joint submission from the Allens Hub for Technology Law and Innovation (Allens Hub), the Australian Society for Computers and Law (ASCL) and University of New South Wales Institute for Cyber Security (UNSWICS) highlighted that it was not clear how exactly the ONDC would enforce the protection of data released offshore to a foreign entity in the case of a breach of a data sharing agreement.
5.77
The three organisations stated that they had raised this concern with the ONDC during a consultation roundtable in October 2020 and set out the response they received:
… it was suggested [by the ONDC] that if the foreign entity breached its agreement, then Australia would have recourse to send information about the breach to authorities in the foreign jurisdiction for prosecution under its own laws.
5.78
However, they emphasised that this proposed approach would only work if the entity has data protection laws ‘at least on par’ with those in Australia.
5.79
The three organisations argued that the status of the data protection laws in the foreign country should be a ‘determining factor’ in the accreditation of a foreign entity and the approval of a data sharing agreement. They contended that if the domestic laws for the foreign entity are insufficient, then no accreditation should be given and no data should be shared.
5.80
They also noted that subclauses 136(2) and (3) in the bill raised concerns that if a breach occurs outside of Australia, then it may not contravene a civil penalty provision. They explained:
Although Australia may not have jurisdiction to pursue matters which occur offshore, it is not clear why it is necessary to remove the civil penalty. Even so, given the non-application of penalties against foreign entities, it is questionable whether such entities would be compelled to comply with many of the safeguard mechanisms once accredited.
5.81
The committee queried Ms Deborah Anton, the Interim National Data Commissioner, as whether the ONDC had consulted with the Australian Security Intelligence Organisation (ASIO) and other security agencies regarding the bill.
5.82
The committee noted that the Parliamentary Joint Committee on Intelligence and Security (PJCIS) is currently inquiring into the national security risks affecting the Australian higher education and research sector, with a report due in July 2021.
5.83
The committee drew Ms Anton’s attention to evidence received in March 2021 by the PJCIS, where Mr Mike Burgess, the Director-General of Security for ASIO, stated :
Foreign intelligence services and their proxies are all too willing to take advantage of the openness that is integral to our universities and research institutions to steal intellectual property and cutting-edge technologies.
5.84
Ms Anton advised the committee that the ONDC had significant engagements and consultations with the Australian intelligence agencies during the development of the bill. Further, she noted that input and feedback had been critical to ensure the bill establishes protections to prevent Australian Government data from being used inappropriately by foreign entities. Ms Anton stated that while the bill contemplates the sharing of data with foreign entities, a ‘series of controls’ was also built in to manage the risks associated with international data sharing, including that the bill has extraterritorial operation (as set out in clause 7).
5.85
Ms Anton provided further detail on those controls:
More particularly, I do note that opening point that data cannot be shared for a purpose that relates to a prejudice of national security as per [subclause] 15(2).
In accrediting entities other than Commonwealth government entities, essentially, our criteria for accreditation is that the entity's participation in the data-sharing scheme would pose no concerns for reasons of national security as per section 77.
The commissioner can suspend or cancel accreditation for reasons of security as per clause 81.
As I noted in my opening statement, it's not expected that foreign entities, which are not covered by Australian privacy law, will be able to access personal data as they can't satisfy the privacy coverage test under clause 28.
Data-sharing agreements which may involve working with research or government policy purposes and engaging with the research community which you allude to do have a requirement for an accredited user who accesses the data.
5.86
With regard to ASIO’s involvement in accreditation Ms Anton advised:
Data can only be shared under the scheme with entities that are accredited as users by the Commissioner. Any foreign entity seeking accreditation must meet the criteria which include that “the entity’s participation in the data sharing scheme would not pose concerns for reasons of national security (within the meaning of the Australian Security Intelligence Organisation Act 1979)” (clause 77(1)(g) of the Bill). When assessing whether this criterion is met, the Commissioner will rely upon advice from ASIO in the form of a security assessment. If an entity is not accredited because of an ASIO recommendation, it will not be able to receive any data under the scheme. ASIO recommendations can also result in the imposition of conditions of accreditation on a foreign entity for security reasons, including constraints on data or the individuals who can access shared data.
Importantly, decisions by the Commissioner to suspend, cancel or impose a condition on the accreditation of a foreign entity for security reasons are not reviewable by the Administrative Appeals Tribunal (clause 118 of the Bill).
5.87
Ms Anton concluded that there are multiple layers of control present in the bill:
From my point of view, those are quite a few layers of control—the creation of an accreditation scheme that works with the research sector in terms of accessing data that links back into the work being done by ASIO. Those are new controls designed specifically for this scheme.
5.88
The committee requested information from the ONDC as to what ongoing oversight security agencies will have under the bill to ensure that access to government data is not being used, even inadvertently, to the advantage of foreign powers. Ms Anton advised that the security review is an ongoing process that will continue past the accreditation stage. Ms Anton noted that:
ASIO will have access to the names of accredited entities and the data sharing agreements these entities have entered into. If, at any time, ASIO has security concerns they can make a recommendation to the commissioner.
5.89
Additionally, Mr Paul Menzies-McVey, Assistant-Secretary for ONDC, noted that the commissioner would have the powers to take appropriate action in response to a security recommendation, including:
suspending or cancelling the accreditation (therefore preventing any further data sharing); or
imposing conditions on the accreditation (e.g. requiring that people of concern no longer have access to the data).
5.90
He further noted that the commissioner would have the regulatory powers to ensure that any conditions on the accreditation were being complied with.
5.91
The ONDC advised that it will enter into a memorandum of understanding with ASIO and the OAIC to document the everyday working relationship in relation to the accreditation process and other matters, if the bill is enacted.
5.92
The committee also inquired about the ability of universities participating in data-sharing agreements to protect data from cybersecurity breaches. Dr Adele Haythornthwaite from the University of Sydney advised:
We have a concerted program that is addressing cybersecurity risk, as all other research institutions in Australia are doing. We are in a constant state of improving those. We are taking part in the review of critical infrastructure that's currently underway at the moment, with the legislation there, to put in even more robust risk governance frameworks to address cybersecurity risks. We have a dedicated information security officer and a team of cybersecurity analysts who stay abreast of the current developments in the cyberworld. As you're aware, it's a current state of escalation and there are always new threats to be identified. To date we have managed to have very good cybersecurity governance of our systems; that includes our administrative systems as well as our research systems.
5.93
Mr Tim Payne from the University of Sydney added:
I can add that we have reported in detail on our efforts in these areas in another submission recently, in relation to foreign interference. The university is also required to report through its compact agreement with the federal government, as are all universities about their approaches to foreign interference, as part of that cybersecurity.
5.94
Ms Anton highlighted the Government’s ongoing efforts to ensure strong cyber-security standards and to protect data from unauthorised use, drawing particular attention to Australia’s Cyber Security Strategy 2020 and the Government’s own approach to secure data storage. With regard to ability of the commissioner to ensure those using the scheme took these factors into account she noted:
As Australian Government policies evolve over time, data custodians will be expected to apply the updated policies, as applicable, to entities receiving data shared under the scheme.
This expectation will be included in guidance to be issued by the Commissioner, and if necessary, in a data code issued by the Commissioner.
Security requirements on the accredited user must be included in the data sharing agreement, which is legally binding on the accredited user and which will be published by the Commissioner.
5.95
Ms Anton also noted the particular role that accredited data service providers (ADSPs) will can play to ensure strong security standards are met:
Where accredited users cannot meet the security standards required by the data custodian, consideration can be given to sharing the data with the accredited user using a secure facility operated by an accredited data service provider.
Standard of consent (definition of ‘unreasonable or impracticable’)
5.96
A number of submitters echoed the concerns of the Scrutiny committee in regard to the paragraph 16(2)(c) of the bill, which requires that any sharing of the personal information of individuals ‘is done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent’. Specifically, submitters were concerned that the bill does not contain a clear definition of ‘unreasonable or impracticable’.
5.97
The Law Council highlighted the Scrutiny committee’s concern with the breadth of the ‘unreasonable or impracticable’ exception, and drew attention to the minister’s advice that privacy interests will not be given priority in the public interest test. It concluded:
Further guidance is needed in relation to the scope of practical application of the ‘unreasonable or impracticable’ exception as it applies to securing consent, noting that this should be a high threshold to obtain and that many of the data sets collected are collected based on existing legal requirements or notices (not consents).
5.98
Dr Megan Prictor and Associate Professor Mark Taylor from the Melbourne Law School (who submitted in their private capacities) considered that there was ‘significant risk of confusion’ in regard to the interpretation of the terms with reference to the OAIC guidelines, given that the guidelines that apply to section 16A of the Privacy Act on when it is unreasonable or impracticable to obtain consent ‘are not an obvious fit for the use of these terms’ in the bill.
5.99
They explained that this was because section 16A is specific to circumstances where an entity is collecting, using or disclosing personal information in the context of necessity to ‘lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety’, and that this constituted a ‘narrower context’ than that envisaged in the data sharing scheme to be established under the bill, which will permit sharing for a very wide range of purposes.
5.100
Dr Prictor and Associate Professor Taylor stated that a reliance upon the OAIC guidelines relating only to section 16A of the Privacy Act (as appears to be indicated in the EM to the bill) would be ‘insufficient’ as a basis for interpretation of those terms in the new legislative context. They noted that additional OAIC guidance on consent is available in relation to other provisions of the Privacy Act, such as section 16B in relation to research relevant to public health or public safety, which they considered may be of greater relevance to the bill.
5.101
Dr Prictor and Associate Professor Taylor recommended that ‘as a minimum’ the commissioner should be ‘required’ (rather than simply ‘permitted’ under clause 127 of the bill) to make written guidelines on the interpretation of the ‘unreasonable or impracticable’ exemption. They also further recommended:
…considering that there is a substantial risk that lack of clarity relating to data sharing principles will ultimately undermine the Government’s policy goal of promoting data sharing, we would suggest a better path to certainty for those subject to the scheme would be for the Commissioner to issue codes of practice with the status of legislative instruments, rather than guidelines, to address these issues.
5.102
Ms Johnston and Ms Marks contended that it was not clear how the consent model could be implemented and maintained, particularly for the sharing of datasets containing personal information already held by a data custodian. Their submission stated that as such it was likely to be considered ‘impracticable’ for a data custodian to seek individual consent for any substantial dataset that had already been collected.
5.103
The joint submission from the Allens Hub, the ASCL and the NSWICS also recognised that the bill does not provide definitions or examples on when it is unreasonable or impracticable to seek individuals’ consent.
5.104
The three organisations identified that different data custodians (i.e. government agencies) have different rules and policies in place, and therefore what may be unreasonable to one custodian to seek consent may not be unreasonable to another. The submission explained:
In our view, it is important to promote consistency across agencies where possible and provide clarity on when it is unreasonable and impracticable to seek consent, or at least provide certain threshold examples or guidelines.
5.105
The submission recommended that the threshold for circumstances when it is unreasonable or impracticable to seek consent should be incorporated as part of the ethics function governed by the National Data Advisory Council.
5.106
Verifier, a regulatory technology company, submitted that the proposed consent requirements in the bill ‘lag community expectations’ about individuals’ privacy and the right to control how their data is shared, used and disclosed. It suggested that guidance issued by the commissioner should address the ‘unreasonable or impracticable’ exception to seeking consent to ensure that it is only applicable in ‘limited and clearly defined circumstances’.
5.107
PIAC also echoed the concerns of the Scrutiny committee. While it acknowledged that the inclusion of consent in the ‘project principle’ was an improvement on earlier versions of the bill where consent was not intended to be required, it stated that in its view paragraph 16(2)(c) remained an area of concern as the concepts of ‘unreasonable or impracticable’ are not defined in the bill or in the Privacy Act:
Guidance on this phrase, as issued by the is limited. It is not clear which existing guidelines, standards and ethics processes will apply to the data sharing scheme, or what further guidance will be provided.
5.108
Continuing on, PIAC submitted that this lack of clarity would limit the scheme’s transparency and accountability:
In the absence of clear definition and guidance, the data custodian is entrusted with wide discretion to determine whether this threshold is met, with determinations not being subject to review. As such, there is limited accountability and transparency in these decisions. This provides little assurance to the community that Commonwealth agencies sharing personal information will interpret these concepts narrowly and appropriately, with due regard to privacy.
5.109
PIAC identified that the issue would affect marginalised communities disproportionately, given their greater interaction with government services. It observed that people who rely on government services may not be in a position to provide informed consent, given the inherent power imbalance when requesting services.
5.110
PIAC asserted that for the government to build confidence in the community that data is being shared appropriately, ‘consent of those least empowered must not be bypassed’. It set out a number of potential situations that it considered would not be sufficient to satisfy the ‘unreasonable or impracticable’ exception, including:
… instances where a homeless person is unable to be located at a particular point in time for their consent to be sought, or where it is ‘inconvenient’ or costly to obtain consent from a person with disability, or where a person fails to respond to Government contact.
5.111
To mitigate its concerns, PIAC recommended that the bill be amended to strengthen the requirement for consent by better defining the circumstances in which it will be ‘unreasonable or impracticable’ to seek consent of an individual, including by identifying relevant factors to be taken into account in making that decision.
5.112
PIAC further recommended the bill incorporate a requirement that where personal information is shared by data custodians without consent on the basis that it is ‘unreasonable or impracticable’, the data custodian must publish (in such a way that does not identify individuals) the efforts undertaken to seek that consent and the subsequent reasons for dispensing with consent. It argued that this would allow for increased scrutiny and accountability of decisions made by data custodians.
5.113
As set out in Chapter 3 and Chapter 4 of this report, the then minister responded to the concerns of the Scrutiny committee and joint committee on this matter. He advised that he proposed to table an addendum to the EM ‘as soon as practicable’ which would outline ‘key information and examples’ about the meaning of ‘unreasonable or impracticable’ to assist to clarify the interpretation of paragraph 16(2)(c) of the bill. He also noted that the proposed addendum would direct users to relevant guidance issued by the Australian Information Commissioner on the standard of consent.
Definition of ‘public interest’
5.114
Several submitters flagged similar concerns to those raised by the Scrutiny committee and the joint committee about the lack of a definition of ‘public interest’.
5.115
The Scrutiny committee noted that paragraph 16(2)(a) of the bill requires a judgement to be made about whether the sharing can be reasonably expected to serve the public interest. It highlighted that ‘public interest’ is not defined in the bill, and that the EM does not provide guidance about the factors that might be considered when evaluating public interest for the purposes of data sharing.
5.116
PHRN informed the committee that it shared the concerns of the Scrutiny committee in regard to the evaluation of the public interest. It commented that although there was a strong emphasis on the concept of public interest during the ONDC consultation process for the bill, it considered that the concept was ‘significantly diluted’ in the final text of the bill.
5.117
PHRN highlighted that although the bill requires a description of how the public interest is served by sharing to be included in a data sharing agreement, there is no requirement for any independent assessment of public interest before the requested data is shared. It asserted that this could prove challenging, particularly in the case of sharing with private sector entities:
The data custodian and other entity entering into the data sharing agreement will need substantial support and guidance to be able to assess and describe the public interest in the data sharing agreement. This will be particularly important when considering sharing data with private companies. The legal obligations of private companies to their shareholders must take precedent over the public interest and therefore whether data sharing with private industry is in the public interest will require careful consideration.
5.118
The Minderoo Tech & Policy Lab at the University of Western Australian Law School argued that the bill as currently drafted only requires that sharing be expected to serve the public interest generally and does not require specific testing against competing public interest claims, such as to privacy or autonomy.
5.119
Although welcoming the inclusion of a public interest test, the submission from privacy practitioners Ms Marks and Ms Johnston noted that there remained questions about the threshold of what is and is not in the public interest. They asserted that the requirement found in paragraph 19(7)(a) of the bill for data sharing agreements to include a description of how the public interest is to be served by the sharing did not constitute a ‘robust enough’ test.
5.120
They recommended that a detailed formulation of the public interest test be modelled from the joint National Health and Medical Research Council (NHMRC)/OAIC guidelines (issued under the Privacy Act), and that a ‘no harm’ test be included where the sharing includes personal information, in order to ensure that individual harm is considered as well as broad public interest.
5.121
Dr Prictor and Associate Professor Taylor also echoed the concerns of the Scrutiny committee and flagged that the lack of definition of ‘public interest’ may permit the operation of a public interest test that cannot be appropriately reconciled with reasonable expectations of privacy. They suggested that, as a minimum and in line with the objective of the bill, it should be made clear that an assessment of a reasonable expectation of public interest should incorporate assessment from the perspective of data subjects and community expectations and norms:
…it should be critically significant whether those whose data may be shared (when relevant factors have been ‘weighed’) have reason to expect and accept the privacy interference that sharing represents and that it not be to their unjustified disadvantage. Adopting a principle that data sharing only take place under conditions that persons have reason to both expect and accept may enable privacy interests to be appropriately reconciled with the public interest in data sharing (rather than overridden for commercial or economic interests that data subjects personally may have no reason to think justify privacy intrusion.
5.122
As set out in Chapter 3 and Chapter 4 of this report, the then minister responded to the concerns of the Scrutiny committee and joint committee on this matter, advising that the question of whether a project can be reasonably expected to serve the public interest must be made on a project-by-project basis, weighing a range of factors for and against sharing.
5.123
The minister noted that the factors will include:
the impacts on an individual’s right to privacy;
the potential for serious harm to the public; and
whether those impacts are ‘reasonable, necessary and proportionate’.
5.124
He also advised that the bill’s intended approach is to ensure privacy interests are appropriately balanced with the public interest of a project, rather than assuming that one must prevail at the expense of the other. He emphasised that this approach is consistent with the objectives of the Privacy Act.
Reliance on delegated legislation for accreditation
5.125
Submitters to the inquiry raised concerns with the reliance on delegated legislation to set out the accreditation framework.
5.126
For example, the Law Council advised that it shared the Scrutiny committee’s concerns about the proposed reliance on delegated legislation to provide for procedures, requirements and matters relating to the accreditation of entities for the purpose of the data sharing scheme.
5.127
The Law Council recommended that Part 5.2 of the bill (relating to the accreditation framework) be amended to provide greater detail in regard to the procedures, requirements and matters relating to the accreditation of entities for the purpose of the data sharing scheme.
5.128
The Australian Research Data Commons (ARDC) and Universities Australia also raised concern with the reliance on delegated legislation, with the ARDC recommending that key matters of the accreditation framework should be explicit in legislation.
5.129
Universities Australia commented that leaving a range of significant matters to legislative instruments without significant guidance in the primary legislation does not support certainty, while the University of Sydney also noted that the likely impact of the implementation of the bills on universities and their research is ‘hard to gauge while the legislative instruments are not yet defined’.
5.130
As set out in Chapter 3 of this report, the then minister responded to the Scrutiny committee’s concerns around this matter. He advised that the approach of providing for three types of legislative instruments in the bill will ensure the scheme can adapt to emerging technologies and future needs while still allowing for oversight through the disallowance process.
5.131
The minister stated that he did ‘not consider it necessary to include further guidance on accreditation matters on the face of the bill’. He reiterated that as the weight of the accreditation framework was already located in Part 5.2 of the bill, significant matters would not be left to delegated legislation. He also explained that where the bill does provide for delegated legislation, it is aligned with standard drafting practices to balance legal certainty and flexibility.
Reliance on guidelines
5.132
Clause 127 of the bill empowers the commissioner to make guidelines with respect to matters relating to their functions and powers under the data sharing scheme.
5.133
Subclause 127(2) provides that these guidelines may include principles and processes relating to:
any aspect of the data sharing scheme; and
any matters incidental to the data sharing scheme, including:
data management and curation;
technical matters and standards; and
5.134
Subclause 127(4) provides that a guideline is not a legislative instrument.
5.135
The Law Council expressed reservations about this subclause given the importance of the guidelines in setting the parameters of the data sharing scheme, and the fact that non-legislative instruments are not subject to parliamentary scrutiny.
5.136
It recommended that the subclause be removed and instead a requirement inserted that guidelines made by the commissioner are a legislative instrument and therefore subject to parliamentary scrutiny and potential disallowance.
5.137
As set out in Chapter 3 of this report, the then minister responded to the Scrutiny committee’s concern in regard to this matter, emphasising that the approach taken by the bill is consistent with that of other principles-based legislative schemes. He advised that the bill establishes a framework of resources ‘of scaled legal weight’ to assist in interpretation and application, and that he considered this scaled approach to be reasonable and necessary to support best practice data sharing and a graduated approach to enforcing compliance.
5.138
The minister also noted that while guidelines do not alter the law, they provide ‘clear guidance from the commissioner about their view of law applied and better practice’, and that it was ‘not appropriate’ for such guidance to be disallowable.
‘Other persons’
5.139
Clauses 109 and 110 of the bill relate to monitoring and investigation powers respectively. Specifically, subclauses 109(4) and 110(3) provide that an authorised person may be assisted by ‘other persons’ in exercising powers or performing functions or duties in relation to monitoring and investigation.
5.140
As set out in Chapter 3 of this report, the Scrutiny committee raised concerns with these clauses, given that the EM does not contain any information on the categories of ‘other persons’ who may be granted such powers and the bill does not confine who may exercise the powers by reference to any particular expertise or training.
5.141
Despite receiving further information from the then minister on the matter, the Scrutiny committee remained concerned with the clauses and reiterated that its consistent position in relation to the exercise of coercive or investigatory powers is that persons authorised to use such powers should have the appropriate training and expertise.
5.142
The Law Council echoed these concerns and affirmed its support of the view of the Scrutiny committee. It recommended that the bill be amended to include minimum thresholds of training or experience for ‘other persons’ assisting the commissioner in the exercise of their monitoring and investigation powers.
5.143
As set out in Chapter 3 of this report, the then minister addressed this matter and clarified that the staffing provisions in the bill will ensure that ‘other persons’ at the commissioner’s disposal will have the appropriate knowledge, training and expertise in the exercise and performance of investigatory powers and functions.
Dual roles of the Office of the National Data Commissioner
5.144
As set out in Chapter 3 of this report, the Scrutiny committee noted the possibility of tension between the dual roles of the commissioner as both regulator and champion of the data sharing scheme.
5.145
A number of submitters flagged similar concerns with the possible tensions that could arise from the dual roles of the commissioner.
5.146
For example, the submission authored by privacy practitioners Ms Marks and Ms Johnston stated that ‘at a fundamental level’ it was not appropriate for the commissioner to have powers to investigate or suspend activities given that the role also included advocating for the sharing and release of public sector data. The submission concluded:
We see the dual roles of promoting and maximising sharing whilst protecting privacy to be at odds, and a conflict of interest.
5.147
The Australian Medical Association (AMA) also expressed concern about the potential conflict between the commissioner’s two roles:
If an agency seeks advice from the Data Commissioner prior to entering into a data sharing agreement, there is potential conflict at the point of providing advice between the Data Commissioner’s role of promoting safety and their role of promoting sharing. Moreover, if the data is subsequently re-identified or a complaint is made, the Data Commissioner will be investigating a data sharing agreement that they advised on.
5.148
In order to mitigate this potential conflict, the AMA recommended that that OAIC be provided with a greater role in the oversight of the scheme.
5.149
The NSWCCL, Electronic Frontiers Australia (Electronic Frontiers) and the APF also suggested that there was an inherent conflict of interest in having the commissioner as both the regulator and champion of data sharing. The NSWCCL and Electronic Frontiers both recommended that as an alternative the OAIC be funded to perform the oversight and regulatory functions for the scheme, leaving the commissioner to focus on advocacy, education and advice.
Concerns with the sharing of particular kinds of data
5.150
A number of submitters raised concerns regarding the sharing of particular kinds of data, including:
health data (including immigration detention health records);
commercially sensitive data; and
5.151
Each of these matters will be addressed further below.
5.152
In its submission the ONDC highlighted that data sharing will not be authorised if it is for a precluded purpose, or another exclusion applies. In addition, the minister may also prescribe additional precluded purposes in rules.
5.153
Specifically, the EM clarified that:
Clause 17 of the bill outlines when sharing of data is excluded from the scheme, and clause 17(4) allows further exclusions to be prescribed by regulations. Exclusions detailed in this clause include contravention or infringement of rights such as commercial-in-confidence, contracts, international law and evidence before the court.
Clause 17 works in conjunction with other limitations on data sharing to ensure data is not authorised to be shared where it would be inappropriate to do so. Clause 13 ensures that all other controls in the bill, as outlined in clauses 15 to 18 are met, and that data sharing is in the public interest.
5.154
Draft regulations, released alongside the exposure draft of the bill, exclude types of entities from sharing data and also data collected under specific legislation. Ms Anton advised the committee:
I understand that the Minister’s intention is to make available another version of the draft regulations before the Bill is debated in the House of Representatives.
Health data
5.155
The AMA submitted that clause 15 of the bill allows individuals’ health information to be shared with private sector organisations for profit. The AMA cited the EM to the bill, which states:
Sharing for purposes that are consistent with clause 15(1) but have other applications may be permissible. For instance, a research project to improve pharmaceutical treatments for heart disease may deliver both profit for a researcher as well as serving the public interest.
5.156
In light of this, the AMA emphasised that it was concerned for the potential for non-admitted primary healthcare data, including Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data, to be shared with health funds for their own purposes. It explained:
Currently this [the sharing of non-admitted primary healthcare data] is prohibited by the National Health Act 1953, the Health Insurance Act 1973 and the My Health Records Act 2012. It makes no sense to preclude My Health Record data from the data sharing scheme, but then permit the same MBS/PBS data to be directly shared with private health insurers. This is not consistent with the public’s expectations and has the potential to undermine the community-rated private health insurance system.
5.157
To mitigate this concern, the AMA recommended that rules created under paragraph 15(2)(c) specify that the use of MBS and PBS data by health funds is a precluded purpose for data sharing.
5.158
Additionally, PIAC raised concerns that the bill’s provisions may not adequately safeguard the confidentiality of immigration detention medical records, or sufficiently protect against the unintended use of the personal information they contain. It explained:
We are concerned that the data sharing scheme could enable the information in detention health records held by the Department of Home Affairs, to be more broadly shared with other entities without due regard to the standards of confidentiality that normally apply to a patient’s health information in other contexts.
5.159
It noted that while the exposure draft of the Data Availability and Transparency Regulations 2020 proposed to exclude other types of especially sensitive data (such as My Health Record information) from the data sharing scheme (pursuant to clause 17(4)(a) of the bill), there was no mention of immigration detention health record information also being excluded. PIAC recommended that immigration detention records held by the Department of Home Affairs be excluded from the data sharing scheme.
Commercially sensitive data
5.160
The Australian Banking Association (ABA) strongly recommended that business regulation and commercially sensitive data obtained from the private sector (but held by the public sector) be excluded from the data sharing scheme.
5.161
The ABA explained that it had raised its concerns with the ONDC during consultation on the exposure draft of the bill, but stated that it was not satisfied with the proposed solution.
5.162
The ABA explained its position:
Data held by banks can reveal confidential information provided under, or contained in, commercial contracts. Even where data is anonymised or used in aggregate form, it can reveal commercial information about certain entities or their customers in specific sectors or geographical regions. As it is currently drafted, the DAT Bill creates the real risk of on-sharing this data to third parties who may lack full understanding of the implications of further sharing the information. Further, the proposed individual contractual agreements between individual regulators and third parties cannot fully ensure the adherence of third parties to protect the confidentiality of commercially sensitive data.
5.163
The ABA also noted that its understanding was that the ONDC intends to use regulations to exempt data from the Australian Prudential Regulation Authority (APRA) and the Reserve Bank of Australia (RBA) from the bill. The ABA argued that such an exemption would need to be extended to other business regulators like the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC) in order to protect commercially sensitive data.
Biometric data
5.164
The Law Council drew attention to the potential sharing of biometric data – that is, data that can be described as an individual’s physical characteristics (such as fingerprints) which can be used to verify their identity. It highlighted the ‘immutable nature’ of biometric data and noted that under the Privacy Act, biometric information is defined and treated as a class of ‘sensitive information’ which requires a higher standard of care, specifically where use of the information is a secondary use of such information.
5.165
The Law Council commented that it was unclear whether biometric data was intended to be specifically dealt with in the bill, and observed that the ‘apparent lack of specific reference’ to this type of data in the bill raised questions about privacy safeguards. It flagged that this may be problematic, given:
The data sharing regime is subject to other legislation, however, if biometric data is not so covered, then it is reliant on this regime, which is a risk management regime and relies largely on good will.
5.166
In relation to this, the Law Council raised the matter of consent:
The Law Council considers the issue of consent, or lack thereof, in relation to the obtaining and subsequent sharing of such data to be a primary concern. In circumstances where biometrics are the only means of access to technology and buildings, and the data is subsequently available to be shared under this regime, the Law Council queries whether the persons subject to the biometric analysis are aware of the uses that may be made of their intimate data. This gives rise to a critical question as to whether the individual has provided meaningful consent to the use of their biometric data for external purposes, despite the fact that the purposes may be in the public interest.
The Law Council expresses concern at the perceived creation of ‘mandatory consent’ in these circumstances in the form of an agreement to share personal data in order to engage with an agency. Such situations render consent functionally meaningless.
5.168
To mitigate this concern, the Law Council recommended that the bill be amended to provide that where privacy interests that involve biometric data may be affected by the data sharing scheme, all sharing of such data must be based on prior express consent.
Treatment of legal professional privilege
5.169
The Law Council argued against the proposed abrogation of legal professional privilege. It suggested the bill does not provide strong justification for why this is necessary in this instance and may impact on the willingness of participants to seek legal advice before entering into a data sharing agreement.
5.170
The Law Council proposed that section 105 of the bill be omitted, or the bill be amended to include additional controls.
Indigenous considerations
5.171
The Indigenous Data Network (IDN) and the National Aboriginal Community Controlled Health Organisation (NACCHO) both raised concerns regarding the lack of specific regard given to Indigenous Australians and Indigenous public sector data in the bills.
5.172
Both organisations recommended that the National Data Advisory Council established by the bill include at least one Aboriginal or Torres Strait Islander representative. NACCHO noted that this would ensure considerations relating to Aboriginal and Torres Strait Islander data will be included in the advice provided to the commissioner.
Committee view
5.173
The committee recognises the Australian Government’s commitment to reforming public sector data sharing in response to the Productivity Commission’s 2017 Data Availability and Use report.
5.174
It is of the view that a proportionate and balanced data sharing scheme with appropriate privacy and security safeguards would help bring Australia into line with international best practice for data sharing in regard to government service delivery, policy and program development, and research purposes.
5.175
In particular, the committee is cognisant that a well-developed data-sharing scheme has the potential to unlock benefits for the Australian community, as agreed by the majority of submitters to the inquiry.
5.176
However, the committee is mindful that for a data sharing scheme to be successful and trusted by the community it must be underpinned by strong and effective safeguards and protections for privacy and security.
Security concerns
5.177
The committee considers that it is imperative that national security concerns related to access to data have been fully considered and appropriately managed, particularly given the current concerns about cyber security and the covert influence of foreign actors in the university and research sector.
5.178
The committee recognises that a number of security safeguards are already present in the bill and welcomes the advice from the ONDC that they intend to establish memorandums of understanding with ASIO and the OAIC to clearly document the working relationship between the agencies in relation to this scheme.
5.179
The committee anticipates that the Australian Government and the Parliament will wish to be assured that in addition to upfront security assessments for data sharing participants which are already embedded in the bill, appropriate ongoing oversight is in place to manage and, wherever possible, mitigate security risks. The committee appreciates the advice of the ONDC that such mechanisms are under development.
5.180
The committee notes that the PJCIS is currently conducting an important inquiry into the national security risks affecting the Australian higher education and research sector, and is due to report to the Parliament in July 2021.
5.181
Given that universities and the research sector are expected to be one of the core participants in the proposed data sharing scheme, the committee notes the possibility that the findings of the PJCIS inquiry into national security risks in the higher education and research sector may be relevant to the ongoing management of data sharing agreements and may need to inform the development of additional data codes and guidance material.
5.182
The committee recommends that assurances are provided to Parliament regarding appropriate ongoing oversight by security agencies of data sharing agreements and potential security risks.
5.183
The committee recommends that any relevant findings of the Parliamentary Joint Committee on Intelligence and Security inquiry into national security risks affecting the Australian higher education and research sector are taken into account as part of the development of any additional data codes and guidance material and inform continued engagement with the national security community.
Privacy issues
5.184
The committee notes the issues raised by stakeholders regarding privacy considerations.
5.185
The committee is of the view that, in drafting the bill and the proposed framework for data sharing, the ONDC has made substantial effort to address privacy concerns and strike an appropriate balance.
5.186
The committee notes that the bill has been designed to work with, and to be supported by, the Privacy Act (as it may be in force from time to time) rather than the bill replicating any particular point-in-time provisions from the Act. If the Privacy Act is amended in the future (for example, following the current review), the provisions of the bill will continue to operate in the context of those amended provisions.
5.187
The committee notes that the intention of the bill is to provide a high-level, principles-based framework to facilitate the sharing of government data, and that in addition to the proposed legislative privacy protections in the bill, many other potential privacy concerns would be addressed through further protections prescribed in regulation and guidance material, and in the exercise of appropriate judgement and controls by scheme users.
5.188
However, despite these layers of protection, it is evident that some stakeholders believe further privacy protections should be prescribed in legislation or specifically addressed in the EM to the bill.
5.189
The committee recommends that consideration is given to whether amendments could be made to the bill, or further clarification added to the explanatory memorandum to provide additional guidance regarding privacy protections, particularly in relation to the de-identifying of personal data that may be provided under the bill’s data-sharing scheme.
Senator Claire Chandler
Chair