4.1
The Parliamentary Joint Committee on Human Rights (joint committee) examined the Data Availability and Transparency Bill 2020 (the bill) in its Report 2 of 2021, where it raised a number of concerns and requested further information from the minister. It further considered the bill in its Report 4 of 2021, taking into account the responses provided by the then minister, the Hon. Stuart Robert MP.
4.2
This chapter will provide an overview of each of the concerns raised by the joint committee, as well as the responses from the minister to those matters.
Right to privacy
4.3
In its Report 2 of 2021, the joint committee noted that the bill seeks to establish a legislative framework that overrides existing laws in order to facilitate the sharing of, and controlled access to public sector data held by Commonwealth bodies with accredited entities.
4.4
It observed that, in doing so, the bill ‘engages and limits’ the right to privacy, while also noting that this right may be subject to ‘permissible limitations’ if they are shown to ‘reasonable, necessary and proportionate’.
Context
4.5
The joint committee stated that the right to privacy is ‘multi-faceted’ and comprises respect for informational privacy, including the right to respect for private and confidential information, particularly the storing, use and sharing of such information.
prohibits arbitrary and unlawful interference with an individual’s privacy, family, correspondence or home;
includes a requirement that the state not arbitrarily interfere with a person’s private and home life (meaning that an interference with a person’s privacy – including one provided for by law – should be in accordance with the International Covenant on Civil and Political Rights and be reasonable in the particular circumstances);
includes the right to control the dissemination of information about one’s private life;
requires that States Parties take effective measures to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorised by law to receive, process and use it; and
requires that legislation must ‘specify in detail the precise circumstances’ in which an interference with privacy will be permitted.
4.7
The right to privacy may be subject to permissible limitations where the limitation:
pursues a legitimate objective;
is rationally connected to an objective; and
is a proportionate means of achieving that objective.
Concerns
4.8
The joint committee recognised that the data sharing scheme to be established by the bill is intended to facilitate greater data availability and use which could in turn support economic and research opportunities and streamline government service delivery. It acknowledged that these appear to be important objectives, particularly given the recent pressures on public service delivery following the 2020 bushfire season and COVID-19 pandemic.
4.9
However, it identified that the statement of compatibility with human rights for the bill did not set out what objectives are sought to be achieved by the bill.
4.10
As a result, the joint committee considered that further information was required for it to assess whether the stated objectives constitute a legitimate objective for the purposes of international human rights law.
4.11
It also submitted that while the statement of compatibility provides a list of safeguards with respect to the right to privacy, the extent to which the proposed scheme may limit the right to privacy is not made clear.
4.12
In its Report 2 of 2021, the joint committee indicated that it had not yet formed a concluded view in relation to the matter and required further information to assess the compatibility of the bill with the right to privacy.
4.13
As a result, it sought the minister’s advice as to:
(a)
what is the specific objective the measure seeks to achieve, including what public or social concern the measure seeks to address, which is pressing and substantial enough to warrant limiting the right to privacy;
(b)
why the Australian Federal Police (AFP) is not listed as an excluded entity under proposed subclause 11(3), noting that it is a law enforcement body;
(c)
in what type of circumstances is it likely that data will be shared, or not shared, for a data sharing purpose (with examples provided as to what is, and is not, likely to be considered to be for 'the delivery of government services'; 'informing government policy and programs'; and 'research and development');
(d)
what considerations would be considered relevant (and irrelevant) in an assessment of the 'public interest' for the purpose of proposed subclause 16(2), and why does the bill not specifically reference the need to consider the right to privacy;
(e)
in what circumstances, and based on what factors, would it be considered unreasonable or impracticable (under proposed paragraph 16(2)(c)) to seek the consent of individuals whose personal information would be shared, and would the provision of any government service be contingent on the individual giving their consent to the proposed sharing of their data;
(f)
whether and in what manner accredited entities would be subject to ongoing monitoring (or auditing) of their continued compliance with the data sharing scheme, and their suitability for continued accreditation;
(g)
why the scheme would not permit an individual to complain to the National Data Commissioner (commissioner) about a matter associated with the data sharing scheme, such as to report a suspected breach or data misuse, or to express concerns as to the sharing or use of their data in a specific context;
(h)
noting the requirement that the sharing of personal information be minimised as far as possible without compromising the data sharing purpose, in what circumstances would the data sharing purpose be compromised by not sharing personal information;
(i)
in what circumstances does the bill provide, and is it intended that the rules will provide, that a data sharing agreement may allow the accredited user to provide shared output data to a third party, and what protections apply to protect personal privacy in such circumstances; and
(j)
why other, less rights restrictive alternatives would not be effective to achieve the intended objectives (such as amendments to individual pieces of legislation to invoke this data sharing scheme which take into account the specific data to be shared and the specific circumstances in which it is appropriate to share such data).
Minister’s response
4.14
In response to the joint committee’s request for additional information, the minister advised that the bill constitutes a ‘proportionate limitation on the right to privacy’, given that it permits data sharing in a closely controlled, consistent and transparent manner, with a specific regulatory regime to ensure data sharing is undertaken safely.
4.15
The minister addressed each of the joint committee’s ten requests separately, with each response summarised briefly below.
(a) What is the specific objective of the bill?
4.16
The minister advised that the bill is designed to facilitate controlled access to public sector data for specific purposes in the public interest, with safeguards in place to mitigate risks. The minister also noted that limitations on data sharing in existing legislation are ‘a constraint’ that can be only be addressed by further legislation, such as the bill, stating:
It would be impractical and cumbersome to amend every applicable statutory provision imposing limitations on the use and disclosure of data to achieve the public policy purpose of facilitating the benefits and outcomes of improved data sharing.
(b) Why is the AFP not listed as an excluded entity?
4.17
The minister advised that the bill would enable the sharing, collection and use of public sector data by the AFP only for permitted purposes in the public interest, and that these would be described in publically available data sharing agreements. The minister emphasised that the bill excludes the sharing of the operational data of the AFP to protect the integrity and security of police operations, and provided the following example of how this could operate:
For example, if it became an accredited user, the AFP could collect and use data to undertake research, or to inform policies and programs that are related to law enforcement (as distinct from policing activities that target particular individuals).
(c) In what type of circumstances is it likely data will be shared or not shared?
4.18
The minister advised that the data sharing purposes set out in clause 15 of the bill reflect ‘extensive public consultation’ on appropriate uses of public sector data for the scheme and were considered as part of three independent Privacy Impact Assessments. The minister’s response provided the following examples of activities that could fall under each of the three data sharing purposes:
(i)
Delivery of government services
Sharing data for this purpose could enable the provision of better services, such as the delivery of new disaster relief payments, or grants of industry support payments.
(ii)
Inform government policy and programs
Sharing for this purpose could help enable the discovery of trends and risks to inform public policymaking, enable modelling of policy and program interventions, and improve the quantity and quality of the data used by governments to inform public policy decisions.
(iii)
Research and development
Sharing for this purpose could enable academics, scientists, and innovators in the public and private sectors to access public sector data to gain insights that could enhance Australia’s socio-economic wellbeing.
(d) What considerations would be considered relevant (and irrelevant) in an assessment of the public interest?
4.19
The minister advised that the question of whether a project can be reasonably expected to serve the public interest must be made on a project-by-project basis, weighing a range of factors for and against sharing. The minister noted that the factors will include:
the impacts on an individual’s right to privacy;
the potential for serious harm to the public; and
whether those impacts are ‘reasonable, necessary and proportionate’.
4.20
The minister also advised:
The Bill’s holistic approach ensures privacy interests are appropriately balanced with the public interest in a project, and does not explicitly reference privacy to avoid the implication that one most prevail at the expense of the other.
(e) When would it be ‘unreasonable or impracticable’ to seek consent?
4.21
The minister advised that he proposed to table an addendum to the explanatory memorandum (in response to the observations of the Senate Standing Committee for the Scrutiny of Bills) in the Parliament ‘as soon as practicable’. He noted that the addendum will outline ‘key information and examples’ about the meaning of ‘unreasonable or impracticable’ to help clarify the interpretation of paragraph 16(2)(c) of the bill, and that it would also direct users to relevant guidance issued by the Australian Information Commissioner (AIC) on the standard of consent.
(f) Will accredited entities be subject to ongoing monitoring of their continued compliance with and suitability for participation in the data sharing scheme?
4.22
The minister advised that the bill proposes a range of responsibilities on accredited entities, such as complying with conditions of accreditation and reporting relevant changes. The minister noted that a condition of accreditation can be imposed requiring an entity to provide updated evidence at specific intervals to support the criteria for accreditation. The minister also stated that once the data sharing scheme commences, the commissioner will identify annual regulatory priorities in a Regulatory Action Plan, which will reflect areas where uncertainty, complexity or the risk of non-compliance may arise.
(g) Why does the scheme not permit an individual to complain to commissioner about a matter associated with the data sharing scheme?
4.23
The minister advised that the bill’s formal complaint mechanism is ‘scheme-specific’ to supplement existing redress mechanisms and ‘reduce duplication and overlap’. He clarified that the complaints process in the bill is a ‘highly structured’ mechanism designed to resolve concerns held by one data scheme entity about the conduct of another data scheme entity in relation to the scheme.
4.24
The minister further noted that individuals may complain to the commissioner outside of the formal complaints mechanism in the bill, and that the commissioner would respond to such complaints ‘as appropriate’ which could lead to the commissioner conducting an own-motion investigation or transferring the matter to a more appropriate regulator.
(h) In what circumstances would the data sharing purposes be compromised by not sharing personal information?
4.25
The minister advised that the sharing of personal information will ‘generally be reasonably necessary to support delivery of government services to particular individuals’. He also advised that sharing of personal information may also be required ‘for some data integration projects for a permitted purpose’ as certain personal information may be necessary to support the integration of the data sets. In these circumstances, data custodians would still be required to share only the personal information necessary to facilitate the data integration project, and would be expected to apply appropriate protections to the data.
4.26
The minister further noted that there are ‘well-established’ conventions for integrated data, including to maintain ‘functional separation’ of identifying information (e.g. name or date of birth) from content information (e.g. clinical information or benefit details).
(i) In what circumstances does the bill provide (and is it intended that the rules will provide) that a data sharing agreement may allow the accredited user to provide shared output data to a third party? What protections will apply to protect personal privacy in these circumstances?
4.27
The minister advised that outputs containing personal information are protected by a range of safeguards. He noted that the most common circumstances where personal information would be shared by an accredited user with a third party would be to support government agencies providing an enhanced and streamlined service delivery experience to individuals who are entitled to receive current or new services of benefits.
4.28
Additionally, the minister advised that any sharing of output by an accredited user would only be permitted if this were agreed by the data custodian in accordance with the data sharing agreement, and that for sharing to be authorised, the data custodian must have determined that the access is consistent with the purpose test and data sharing principles.
4.29
The minister also drew the joint committee’s attention to subclauses 21(1) and (2) of the bill which set out the circumstances in which an accredited user may provide controlled access to an output to third parties.
(j) Why would other ‘less rights restrictive alternatives’ (such as amendments to individual pieces of legislation) not be effective to achieve the intended objectives of the bill?
4.30
The minister advised that the bill’s authorisation to share and its ‘limited override’ provide a consistent legal framework for sharing that would be supported by an independent regulator. He stated that it would be ‘complex and impractical’ to amend individual Commonwealth laws to facilitate greater sharing and explained:
An exercise of this nature would require changes to over 500 secrecy provisions without the benefit of a dedicated regulator to promote best practice and cultural change, and without the guarantee of less rights restrictive outcomes.
Joint committee’s concluding comments
4.31
After considering the additional information provided by the minister, the joint committee acknowledged that the bill ‘appears to be directed towards the legitimate objective of facilitating controlled access to public sector data for specific purposes and would appear to be rationally connected to that objective’.
4.32
However, it also stated that it remained concerned that the scheme as drafted may not be a proportionate means by which to achieve the stated objective. It explained:
The committee considers that the breadth of the Commonwealth public sector data to which the scheme could apply, and the corresponding considerable extent of the potential interference with the right to privacy, means that the measure would need to be shown to be accompanied by stringent safeguards, oversight and review mechanisms.
4.33
The committee continued with its concerns, emphasising that while the bill contained some important safeguards to protect the right of privacy, it had not been clearly established that these safeguards were ‘sufficient’. It noted:
In particular, the committee notes that the bases on which personal data may be shared are broadly framed and would capture a wide range of purposes. The committee is also concerned that there is no legislative guidance as to when data sharing could reasonably be expected to serve the ‘public interest’, and no requirement that privacy considerations are considered in this process. The committee is also concerned that there is no explicit requirement in the bill that, where it is possible to do so, information is shared only in a way that does not allow for the identification of an individual.
4.34
The joint committee indicated that it was also ‘particularly concerned’ that under clause 23 of the bill, authorisation under the overarching legislation would override any existing Commonwealth, state or territory law that restricts or prohibits disclosure of personal information.
4.35
It observed that as a result, the data sharing scheme would permit a Commonwealth body to disclose personal data regardless of any law that currently prohibits this, and without parliamentary oversight of the specific privacy implications of sharing that type of data. It noted that this would mean that the value of any future data protection or secrecy provisions in specific legislative contexts (aside from those related to law-enforcement and national security) would need to be assessed having regard to the operation of the scheme.
4.36
The joint committee highlighted that while sharing data in some contexts may have limited privacy implications, there may be other data (e.g. health data) which if shared using ‘umbrella type legislation’ (such as that proposed in the bill) may have ‘significant privacy implications’.
4.37
As such, it pointed out that in assessing proportionality, it was necessary to consider if there were ‘less rights restrictive alternatives’ which would also be effective in achieving the goals of the scheme. In this regard, the joint committee remarked that no information had been provided by the minister to demonstrate that a less rights restrictive mechanism – such as amending individual pieces of legislation to invoke the umbrella data sharing scheme – would not be equally as effective to achieve the scheme’s objectives.
4.38
On this matter, it commented that although it appreciated that amending individual pieces of legislation may be a ‘complex undertaking’, this did not, in itself, indicate that such an alternative would not be effective to achieving the objective of facilitating controlled access to public sector data. The joint committee determined that as a result it had not been established that the data sharing scheme would constitute a permissible limitation on the right to privacy.
4.39
In summing up its examination of the bill, the joint committee concluded:
The committee considers that consideration should be given to establishing overarching data sharing legislation which does not override existing secrecy provisions but which requires that the data sharing powers must be specifically invoked by individual pieces of legislation, to ensure appropriate regard is had to whether these broad data sharing powers are appropriate in each specific context.
The committee otherwise considers that the proportionality of the measure may be assisted were the bill amended to provide that:
(a)
determining if ‘the sharing of information can reasonably be expected to serve the public interest’, requires consideration of the impact on an individual’s right to privacy, the potential for serious harm to the public, and whether those impacts are reasonable, necessary and proportionate, as well as the potential benefits to the community that would arise from the project;
(b)
subclause 16(8) specifies that the application of appropriate protections to the data includes, where possible, ensuring personal information is shared in a manner that does not allow for the identification of individuals;
(c)
clause 79 requires that it is a condition of accreditation that an entity which is required to provide evidence for accreditation must provide updated evidence at specified intervals to support its continued suitability for accreditation; and
(d)
Part 5.3 makes clear that the Commissioner may consider complaints from individuals with respect to the scheme, and establish a mechanism for dealing with such complaints.
The committee recommends that consideration be given to updating the statement of compatibility with human rights to reflect the information which has been provided by the minister.
4.40
The joint committee drew its human rights concerns to the attention of the minister and the Parliament.