Key issues
2.1
During the course of this inquiry a number of key issues concerning
the Privacy Amendment (Re-identification Offence) Bill 2016 (the bill) were
raised with the committee. These issues include:
- releasing de-identified information;
- criminalising the re-identification of data;
- scope of the offences, including the entities captured by the offences;
- scope of the Minister's discretionary power to exempt;
- retrospectivity of the bill; and
- reversed burden of proof.
2.2
This chapter will outline the above issues raised by submitters,
and provide the committee's views and recommendations on the bill.
Releasing de-identified information
2.3
Submitters generally expressed their support for the bill's
objective of providing greater protection to an individual's privacy. However, some
submitters raised concerns that the bill would not necessarily achieve its policy
goals. One submitter questioned whether personal de-identified information
should be made public as the risk of re‑identification may be too great.[1]
A number of submitters also highlighted that it may not be possible to truly de-identify
information in light of continuing advances in technology:
With more and more aspects of individuals' lives involving
some aspect of online interaction, and the increasing sophistication of
data-mining technologies, the likelihood that even carefully de-identified data
sets can be re-identified is also increasing.
It is therefore likely that not even the most expertly
de-identified data sets will remain un-re-identifiable indefinitely.[2]
2.4
The government has outlined its view that the benefits of open
data outweigh the risks of re-identification. This view was shared by the Productivity
Commission in its draft report Data Availability and Use. This report
stated that the risks of re-identification of data and harm to an
individual were real and should not be trivialised, but noted that many of
these risks could be managed with the right policies and processes.[3]
The report also noted that increasing data use does not necessarily put
individuals at a greater risk of harm.[4]
It concluded that Australia stands out among developed countries as one in which
information, particularly in the area of health, is poorly used, and suggested
that fundamental change was needed through the introduction of new legal and
policy frameworks.[5]
These frameworks would work towards four key elements:
- giving individuals more control over data held about them;
- encouraging and enabling broad access to government datasets;
- increasing the usefulness of publicly funded identifiable data among trusted users; and
- creating a culture where non-personal and non-confidential data is released as a default.[6]
2.5
The Office of the Australian Information Commissioner (OAIC)
agreed that a careful balance is needed between open data and privacy
protections and warned that the bill, in and of itself, would be unlikely to
eliminate the privacy risks associated with the publication of de-identified
datasets.[7]
OAIC outlined the need to consider whether the risk of re-identification is
sufficiently low for the data to be published openly, or whether other
safeguards should be applied, such as making the data available only to trusted
users with contractual or technological safeguards in place.[8]
Criminalising re-identification of data
2.6
Some submitters raised concerns that to criminalise conduct
relating to re‑identification was not proportionate to other offences
within the Privacy Act, which generally attracts civil penalties.[9]
The Law Council of Australia (LCA) noted that the introduction of criminal
sanctions was 'potentially disruptive and unworkable'.[10]
2.7
The Attorney-General's Department (AGD) outlined that the Privacy
Act already contains a number of criminal offences in the credit reporting
context, as well as for failure to attend a conference when directed by the Australian
Information Commissioner.[11]
However, it has been noted that these offences 'are arguably exceptional' to
the Privacy Act, with the Australian Law Reform Commission having previously
recommended that the credit reporting offences be repealed and replaced with
civil penalties.[12]
2.8
The AGD explained the rationale for the criminal penalties within
the bill in the following way:
...de-identification of data is not without risk as it is not
possible to provide an absolute guarantee that de-identified information could
never be re‑identified. The Government needs to balance this risk against
the public benefit that the release of de-identified data presents.
Accordingly, the Bill provides for re-identification offences at sections 16D
and 16E as they are an appropriate mechanism to deter entities from doing
considerable harm by re-identifying and/or disclosing re-identified personal
information.[13]
2.9
Other submitters expressed a view that it is inequitable to criminalise
conduct relating to the re-identification of data but not to criminalise
conduct relating to poorly or improperly de-identified data. It was argued that
the harm would be caused by the publication of the poorly de-identified dataset
by the responsible agency and not by the entity that notices that the dataset
has been poorly de-identified.[14]
2.10
The AGD explained that agencies are already subject to the
Australian Privacy Principles (APPs) under the Privacy Act and failure to
implement robust de‑identification processes may risk breaching the APPs.[15]
In broad terms, the APPs are a set of principles concerning the handling, use
and management of personal information. They apply to Australian government
agencies, private health service providers, private sector and not-for-profit
organisations with an annual turnover of more than $3 million, and some
small businesses. Under APP 1.2, agencies are required to implement practices,
procedures and systems to ensure that they comply with the Privacy Act, which
includes taking reasonable steps to ensure that personal information is not
disclosed through open publication.[16]
2.11
To assist agencies to properly manage and de-identify data, an
increasing number of Commonwealth resources are being made available. These
include guidance developed by the OAIC,[17]
the Australian Bureau of Statistics,[18]
and the Department of the Prime Minister and Cabinet.[19]
Additionally, the OAIC is in the process of updating its de‑identification
guidance materials and advises that it expects these resources to be released
for consultation by early 2017.[20]
2.12
As a way of strengthening the ability of Commonwealth agencies to
manage privacy risks the OAIC suggested the development of a Privacy Code
across the Australian public sector.[21]
The OAIC explained that a Privacy Code could set out how one or more of the
APPs are to be applied and impose additional requirements to those contained in
the APPs, thereby supporting agencies towards best de‑identification
practices.[22]
Scope of offences and civil penalties
2.13
Submitters were broadly concerned with two aspects relating to
the scope of the offences and civil penalties proposed in the bill: the entities
that would be captured by the new provisions; and that the provisions were
drafted too broadly.
Entities captured
2.14
It is noted that the bill has a wider reach than the Privacy Act
as, in addition to applying to Australian government agencies and private
sector organisations, it also applies to small businesses[23]
and individuals acting in their private capacity. The bill has exclusions which
apply to agencies in connection with the performance of their functions and
activities, contracted service providers for the purpose of meeting an
obligation under a Commonwealth contract, and entities for the purpose of an
agreement with the agency.
2.15
A number of submitters were particularly worried that researchers
would be captured by the bill and that this would have the effect of discouraging
investigation and research into information security.[24]
One submission suggested that the effect of criminalising re-identification of
data would be to:
...inhibit open investigation, which could mean that fewer
Australian security researchers find problems and notify the government.
Criminals and foreign spy agencies will be more likely to find them first.[25]
2.16
The Explanatory Memorandum (EM) explains that proposed subsection
16CA(2) makes clear that an entity that is employed by, or engaged to provide a
service to, a State or Territory authority is exempt from the operation of the
Privacy Act.[26]
The OAIC explains that:
... the majority of acts, practices, and/or organisations which
are currently exempt from the application of the Privacy Act will also be exempt
from the scope of the Bill. Acts or practices currently exempt from the Privacy
Act include acts done by media organisations in the course of journalism;
political acts and practices; and, as most Commonwealth legislation (including
the Privacy Act) does not bind the States and Territories, the activities of
state and territory bodies (including their employees) are also exempt. I note
that the majority of universities in Australia are State and Territory bodies.[27]
2.17
However, some submitters remain concerned that the bill may
continue to bind State and Territory authorities which could capture
universities and researchers employed by universities.[28]
The Attorney-General has reiterated that State and Territory authorities, which
includes universities, are not subject to the Privacy Act and therefore also
not subject to the offences and penalties of the bill:
I note that the provisions in the Bill do not apply to
universities or any other authorities established under State and Territory
authorities (see subsection 6C(1) of the Privacy Act, which states that an
organisation for the purposes of the Privacy Act does not include a State or
Territory authority). Under subsection 16CA(2) of the Bill this exemption also
applies to acts done in the course of employment or service by individuals
employed by, or engaged to provide services to, those exempt universities...[29]
2.18
Two submitters expressed a view that researchers should not need
to be affiliated with a university or institution to fall outside of the scope
of the bill and claimed that their work in the area of cyber security would be
stifled due to the provisions of the bill.[30]
2.19
The Attorney-General explained that the offences created under
the proposed sections of the bill would be unlikely to interfere with the
ability to conduct research which is in the public interest.[31]
The AGD outlined that for those researchers who were not based in universities,
the exclusions in proposed subsections 16D(3)-(4), 16E(4)-(5), and 16F(6)-(7)
would apply.[32]
Additionally, provision is made for the Attorney-General to determine that an
entity is an exempt entity.[33]
The Attorney‑General's determination power to exempt an entity will be
discussed later in this chapter.
2.20
The LCA suggested that it is unclear whether the exemption
provisions would apply to sub-contractors:
It is not clear whether this exemption is intended to apply
to sub-contractors of the entity which is the main contracted service provider.
The Explanatory Memorandum states the intention of the exemption is to allow
entities to engage in functions and activities such as information security
tests. It would not be uncommon for such tests to be carried out by sub‑contractors.[34]
2.21
The AGD clarified that sub-contractors will be included in the
exclusion that applies to contracted service providers as sub-contractors are
included in the definition of 'contracted service provider' at section 6 of the
Privacy Act.[35]
Nature of offences and civil penalties
2.22
Some submitters were concerned that the offences were drafted too
broadly. One submitter suggested that rather than considering whether
re-identification was intentional, the offences should consider whether there
was any intent to use the data to do harm.[36]
Another submitter claimed that the 'intention' requirement within these
offences is not clear.[37]
The Australian Bankers' Association provided the following example of where it
is not clear whether the intention requirement within the bill would be
satisfied:
...a de-identified Government data set is used, and at some
stage in the analytics process is combined with another data set, for
commercial purposes including better consumer choice, and this leads to re‑identification
of the information.[38]
2.23
While the AGD has not addressed this particular example, the AGD
has clarified in its submission that:
Unintentional re-identification that occurs as a by-product
of other public interest research using a government dataset, for example
through data matching, would not constitute an offence under section 16D. While
the offence for disclosure in section 16E applies to information which is
intentionally or unintentionally re-identified, the offence itself is confined
to the intentional disclosure of re-identified information to a person or
entity other than the responsible agency when the entity is aware the
information is re-identified. Merely disclosing that a de-identified dataset
published by government could be re-identified, or speculating about the
possibility of re-identification, would therefore not constitute an offence
under section 16E. Similarly, inadvertent disclosure of re-identified
information where the entity is not aware that the information is re‑identified
would also not constitute an offence.[39]
2.24
A number of submitters noted that the Privacy Act only operates
in Australia and therefore de-identification or disclosure which occurs outside
of Australia would not be captured by the bill. For example, the OAIC noted
that information now traverses national borders and regulatory jurisdictions
and warned agencies to be mindful when releasing de-identified information as
entities outside Australia may not be subject to the jurisdiction of the
Privacy Act.[40]
Breadth of the Minister's discretionary power to exempt
2.25
Proposed section 16G provides that the Minister may determine
that an entity, or class of entities, is an exempt entity for the purposes of
one or more of the offence provisions in relation to cryptology, information
security, data analysis, or 'any other purpose that the Minister considers
appropriate', and if the Minister is satisfied that it is in the public
interest to do so. While the determination is a legislative instrument, it is
not subject to disallowance pursuant to section 42 of the Legislation Act
2003.[41]
2.26
The Scrutiny of Bills Committee noted that the Minister's
discretionary power to exempt an entity from proposed sections 16D, 16E or 16F
is based on a single criterion: that the Minister is satisfied that it is in
the public interest for the power to be exercised.[42]
The Scrutiny of Bills Committee indicated that this may suggest that the
offence and civil penalty provisions are drawn too broadly.[43]
2.27
In response to the concerns raised by the Scrutiny of Bills
Committee, the Attorney-General advised that he considered the offence and
penalty provisions of the bill appropriate and sufficiently defined. The
Attorney-General explained that the exemption provision:
...is intended to provide an appropriate balance between
protecting the privacy of individuals and allowing for legitimate research to
continue...It is my expectation that the predominant reason for an exemption
determination under section 16G will be in relation to the specific research
purposes involving cryptology, information security and data analysis which is
in the public interest. However, the ability to grant exemptions for 'any other
purpose' ensures there is appropriate flexibility in the event that other
legitimate reasons to grant exemptions arise in the future which are not
currently contemplated.
In view of the narrow scope of the proposed offences noted
above, I do not expect there will be a large number of entities who will need
exemptions for research in the public interest which requires the intentional
re‑identification of de-identified personal information published by a
government agency.[44]
2.28
In response to this assertion, the Scrutiny of Bills Committee
reiterated its view that 'it is appropriate that Parliament define the
boundaries of criminal wrong‑doing rather than leaving these boundaries
to depend (in part) on executive decision-making'.[45]
While the Scrutiny of Bills Committee maintained its concerns, it noted the
importance of the information provided by the Attorney-General as a point of
access to understanding the law, and requested that key information be included
in the EM.[46]
2.29
Some submitters expressed concern about the Attorney-General's
discretionary power to exempt certain entities.[47]
The Australian Bankers' Association sought clarity on whether the Minister
might exempt commercial organisations, such as banks, which it argues are also
engaging in valuable research in areas of de‑identification techniques,
cryptology and information security.[48]
2.30
The AGD provided further clarity about the process it would be
undertaking to determine classes of exempt entities for the purpose of proposed
section 16G:
...the department expects that the primary focus of any
determination will be on exempting classes of entities, rather than specific
individuals (although it would still be possible to exempt individual entities
if required). The department intends to conduct public consultation to
identify relevant classes of entities who may require exemptions prior to the
Attorney-General making any determination. The department will also consider
implementing a regular, annual consultation process for exemption instruments
to ensure there is greater certainty and a clear process for entities which may
require exemptions.[49]
2.31
It was also raised that the Minister's determinations would not
be subject to the rules of disallowance.[50]
One submitter argued that preventing disallowance of potentially unfair
decisions by the executive in relation to exemptions could lead to an erosion
of the checks and balances that would normally be available.[51]
2.32
The EM explains why the rules of disallowance do not apply to the
Minister's determinations. This includes providing commercial certainty to
entities that would likely be undertaking projects or research activities which
would involve a commercial benefit of some kind and would require a commitment
of resources to undertake from the outset, as well as the time critical nature
of some projects or research activities.[52]
Additionally, the requirement for the Minister to consult with the Commissioner
prior to making any determination was considered to provide a degree of
scrutiny and transparency.[53]
2.33
The Scrutiny of Bills Committee considered that the rationale
provided in the EM in relation to the Minister's determination not being
subject to the rules of disallowance was sufficient, and made no further
comment in relation to this issue.[54]
Retrospectivity
2.34
A number of submitters raised concerns relating to the
retrospective application of the bill.[55]
If the bill is passed, the proposed new offences[56]
would operate from 29 September 2016, being the date of the Attorney-General's
media release advising of the government's intention to introduce a criminal offence
of re‑identifying de‑identified government data.[57]
It is noted that while proposed section 16F applies to conduct from 29
September which re-identifies personal information, the obligation to notify
the responsible agency does not apply until after royal assent.
2.35
The LCA outlined its opposition to laws that apply
retrospectively. In particular, it noted that retrospective measures generally
offend rule of law principles, namely, that 'the law must be readily known and
available, and certain and clear'.[58]
It cited a number of High Court decisions which cautioned against retrospective
legislation and emphasised the principle that the criminal law needs to be
known by those who are subject to it.[59]
2.36
The retrospective application of the bill was also raised by the
Senate Standing Committee for the Scrutiny of Bills. The Scrutiny of Bills
Committee noted that it has consistently commented on making 'legislation by
press' and that its concerns are particularly acute in relation to provisions
which create new offences.[60]
2.37
In response to the Scrutiny of Bills Committee's concerns the
Attorney‑General acknowledged that while retrospective offences challenge
a key element of the rule of law, the retrospective application of this bill
was made clear when the amendments were announced. The Attorney-General
explained that given the significant consequences for individuals if personal
information was released, the government considered it important to provide a
strong disincentive to entities who may have considered re-identification or
disclosure of personal de-identified data while the Parliament considered the
bill.[61]
The Scrutiny of Bills Committee acknowledged the importance of protecting
privacy and reputation; however, it noted that:
...this is not, in itself, sufficient to override this general
principle [that laws should only operate prospectively]. The importance of laws
operating only prospectively is particularly acute in relation to the criminal
law, where conduct should only be criminalised from the date the law making the
conduct criminal commences. This supports long-recognised criminal law
principles that there can be no crime or punishment without law.[62]
2.38
The Parliamentary Joint Committee on Human Rights outlined its
concerns relating to the incompatibility of these retrospective offences with
article 15 of the International Covenant on Civil and Political Rights
(ICCPR). The Human Rights Committee noted that 'as an absolute right that
cannot be limited, there can be no justifiable limitation on the prohibition on
retrospective criminal laws so as to accord with human rights law'.[63]
It requested advice from the Attorney-General as to whether consideration has
been given to amending proposed paragraphs 16D(1)(c) and 16E(1)(c) so that
these sections operate from the date of Royal Assent. To date, the
Attorney-General has not responded to the Human Rights Committee's report.
2.39
Several submitters referred to the ability of government to
back-date laws to a press release date as setting a dangerous precedent.[64]
Another submitter explained that, after the first announcement, a
spokesman for the Attorney-General's office informed the media that provision
would be made for legitimate research to continue. The submitter noted that
they had interpreted this to mean that 'all' legitimate research would
be allowed, as opposed to 'some' legitimate research possibly being exempt.[65]
The submitter stated that researchers may be left in the situation of being
unable to tell the government what they had discovered during the time that
they thought the investigation was legal.[66]
2.40
The AGD explained that:
The Guide to Framing Commonwealth Offences, Infringement
Notices and Enforcement Powers provides that offences may be made
retrospective where there is 'a strong need to address a gap in existing
offences, and moral culpability of those involved means there is no substantive
injustice in retrospectivity.' The government considers that these narrowly
prescribed offences meet these requirements.[67]
2.41
The AGD went on to explain that the recently identified
vulnerability in the Department of Health's dataset showed that there were gaps
in privacy legislation and that the government acted immediately to strengthen
protections for personal information against re-identification.[68]
It noted that the bill provides a strong disincentive to entities who may have
been tempted to attempt re‑identification of any published datasets while
the parliament considers the bill. Additionally, the AGD explained that the
government acted to ensure that the retrospective application is only for a
short period of time.[69]
Reverse burden of proof
2.42
Proposed subsections 16D(2)-(5), 16E(3)-(6) and 16F(5)-(8) of the
bill provide a number of exemptions to the offences and civil penalties
relating to re‑identification and disclosure of de‑identified
personal information, and the requirement to inform the responsible agency of
the de-identified information. In particular, these provisions reverse the
burden of proof by requiring the entity to prove that the re‑identification
or disclosure of the de-identified information was consistent with one of the
exemptions being:
- the entity is an agency and the act was done in connection with the performance of the agency's functions or activities, or the agency was required or authorised to do the act under Australian law or court order;
- the entity was a contracted service provider for a Commonwealth contract to provide services for a responsible agency and the act was done for the purposes of meeting (directly or indirectly) an obligation under the contract;
- the entity entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency, and the act was done in accordance with the agreement; or
- the entity is an exempt entity for the purpose of a determination in force under section 16G and the act was done for a purpose specified in the determination and in compliance with any conditions specified in the determination.
2.43
The statement of compatibility contained in the EM noted that
reversing the burden of proof is generally not consistent with the presumption
of innocence under article 14(2) of the ICCPR; however, it considered that in
this case it was reasonable and appropriate for the burden of proof to be
reversed.[70]
The EM states that the government does not anticipate that it will be difficult for
an entity to demonstrate that its actions fall within one of the exemptions,
that it is expected that the prosecution will not proceed where it is clear
that the entity will rely on an applicable defence during the proceedings, and
that the reversal reflects the seriousness of the prohibited conduct.[71]
2.44
The Parliamentary Joint Committee on Human Rights considered the
information provided within the EM and concluded the reversed burden of proof
contained within the bill was compatible with the presumption of innocence
contained in article 14 of the ICCPR on the basis that the burden was
evidentiary in nature, rather than legal.[72]
The Human Rights Committee expressed the view that 'the measures are likely to
be a proportionate limitation on the presumption of innocence'.[73]
2.45
The Scrutiny of Bills Committee also considered the information
contained within the EM and sought further justification from the Attorney‑General
and requested that the principles set out in the Guide to Framing
Commonwealth Offences, Infringement Notices and Enforcement Powers (the
Guide) be addressed.[74]
In response to concerns raised by the Scrutiny of Bills Committee the
Attorney-General explained that relevant matters would be peculiarly within the
knowledge of the defendant and it would be significantly more difficult and
costly for the prosecution to prove that the exclusion did not apply.[75]
2.46
However, the Scrutiny of Bills Committee noted that page 50 of
the Guide states that the fact that it is difficult for the prosecution to
prove a particular matter has not traditionally been considered a sound justification
for placing a burden of proof on the defendant.[76]
Despite the additional information provided by the Attorney-General, the
Scrutiny of Bills Committee remained of the view that the reversal of the
evidentiary burden of proof may not be framed in accordance with the relevant
principles set out in the Guide:
...it is not apparent to the committee that it would be
particularly onerous for the prosecution to prove the existence of an agreement
or contract with the Commonwealth, given there does not seem to be any
impediment on the Commonwealth supplying evidence of that agreement or contract
to the prosecution. It is also not apparent, on the information provided to the
committee, that such matters would be peculiarly within the knowledge of
the defendant.[77]
2.47
The Scrutiny of Bills Committee noted the importance of the
information provided by the Attorney-General as a point of access to
understanding the law, and requested that the information be included in the EM.[78]
Committee View
2.48
The committee notes the concerns that have been expressed about
aspects of this bill by submitters, including the introduction of criminal
offences, the reversed burden of proof and the retrospective application of the
bill. However, given the gap that was recently identified in privacy
legislation, the committee is of the view that the bill provides a necessary
and proportionate response. In arriving at this conclusion the committee has
given careful consideration to the need to balance the benefits that open data
can provide with the need to strengthen the protections to the privacy of
Australians while also continuing to encourage research in the areas of
information security. The committee considers that the bill achieves this
outcome.
2.49
The committee acknowledges the Scrutiny of Bills Committee’s
comments on retrospective legislation—and the information provided by the
Attorney-General and published in that committee’s Tenth Report of
2016—and is generally reluctant to endorse laws that operate retrospectively.
However, in this instance the committee notes that the Minister’s announcement
was in the current term of parliament, was very specific, and indicated clearly
that the legislation was to apply from the date of the announcement. There is
sufficient particularity in the announcement to alert would-be offenders of the
nature of the offence.
2.50
The committee also notes concerns expressed by the research
community but has formed the view that researchers employed by States and
Territories (which includes most universities) will not fall within the scope
of the Privacy Act. Additionally, the bill has exclusions for agencies in
connection with their functions and activities or authorised by law, for
contracted service providers for the purpose of meeting an obligation under a
Commonwealth contract and for entities in accordance with an agreement between
the entity and the responsible agency. Moreover, the committee is reassured by
the consultation process the AGD will put in place to ensure that researchers not
connected to universities will have an opportunity to be considered within a
class of entities subject to the Minister’s exemption determination powers.
Recommendation 1
2.51 The committee recommends that the bill be passed.
Senator the
Hon Ian Macdonald
Chair