Chapter 4 Further issues
4.1
A number of additional issues regarding elements of the Privacy
Amendment Bill were raised in submissions. Some of these issues are addressed
in this chapter.
De-identified data
4.2
Proposed section 20M(1) of the Privacy Amendment Bill outlines a
prohibition on credit reporting bodies using or disclosing de-identified credit
reporting information. Proposed section 20M(2) then outlines an exception that such
de-identified data may be disclosed for the purpose of conducting research in
relation to the assessment of the credit worthiness of individuals if the
credit reporting body complies with certain rules.
4.3
De-identified data was not previously regulated by Australian privacy
laws and the Australian Law Reform Commission (ALRC) report did not recommend
that de-identified data be regulated.
4.4
The Committee received evidence that no other modern economy regulates
de-identified data.[1] This is likely because,
once de-identified, the information is no longer personal information and
therefore does not fall within the remit of privacy laws.[2]
4.5
De-identified credit reporting data is used to compile studies around
credit risk and economic hardship in Australia.[3] It is also used for internal
credit modelling and portfolio management, which Australia and New Zealand
Banking Group Ltd suggests assists in the assessment of credit applications and
helps banks to lend responsibly.[4]
4.6
Veda notes that de-identified data is:
…critical for creating data series, accurate statistical modelling and developing insights into
historic trends. It helps ensure the accuracy of credit risk models and the
insights it can contribute are also provided to key financial pillars such as
the Reserve Bank.[5]
4.7
Several submissions suggest the restrictions on the use of de-identified
data in this Bill are unnecessary and may lead to unjustified restrictions on
the research and development work undertaken with this data.[6]
4.8
Some submissions recommend that section 20M be removed from the Bill in
its entirety[7] or that the majority of
the section be deleted.[8] Some also suggest that a
better approach would be to create a penalty for anyone found to have re-identified
data.[9] In addition, it is suggested that if data is re-identified, it would then be
personal information and any misuse of that information would be regulated by the
Australian Privacy Principles (APPs). This should ensure sufficient protection.[10]
4.9
The Explanatory Memorandum states that the purpose of regulating de‑identified
credit reporting information is to ‘clarify that such information can be used
or disclosed in specified circumstances’[11] but notes concern ‘about
the effectiveness of methods used to de-identify personal information and the
risks of that information subsequently being linked again to individuals in a
way that allows them to be identified.’[12]
4.10
The Australian Privacy Foundation’s submission echoes this concern. It draws
the Committee’s attention to the ‘increasingly contentious’ issue of whether
the de‑identification of data can really be guaranteed,[13]
and notes that re‑identification technologies are growing rapidly.[14]
4.11
Veda submits that these risks relate to health data and not credit
reporting data,[15] and that
re-identification is a problem that has taken place in the United States where
more comprehensive, large-scale, public data sources are readily available.[16]
4.12
Proposed section 20M’s purpose is to ensure that the Privacy
Commissioner has the power to issue appropriate guidelines to deal with the way
de-identified data is used.[17]
4.13
The Attorney-General’s Department noted that their advice from credit
reporting agencies is that those agencies de-identify information prior to
using it in studies. However, the Attorney-General’s Department states that it
is unclear how this is done.[18] Given the uncertainty
around this, the Government’s view when drafting the Bill was that the proposed
approach to de-identified data is the optimal one.[19]
Commencement period
4.14
Several submissions suggest that the Privacy Amendment Bill’s proposed
nine month period between Royal Assent and commencement date is unreasonably
short.[20]
4.15
The Australian Bankers Association (ABA) notes:
The credit reporting reforms will require individual banks to
develop their own internal compliance arrangements together with ensuring that
their IT systems can interface with external credit reporting bureaux systems.
Further, credit reporting bureaux will have to implement their own compliance
arrangements.[21]
4.16
The Australian Retail Credit Association (ARCA) suggests a four-step
process ensuring the Credit Reporting code (CR code) is finalised before the
commencement date is set down[22] because some of ARCA’s
members will only be able to undertake the full implementation process once the
Office of the Australian Information Commissioner (OAIC) has approved the CR
code.[23]
4.17
The ABA suggests a commencement period of 15 to 18 months would be
adequate.[24]
4.18
The Australian Finance Conference suggested that rather than adopting a
fixed date for commencement, an approach that enables a date to be determined
by the Minister should be included in the Bill.[25]
4.19
The Attorney-General’s Department notes that the standard three month commencement
period has already been extended to nine months. This was decided on the
understanding that this would be a sufficient period leading to registration of
the CR code, on advice from the OAIC and relying on precedent in terms of
commencement periods of other regulatory changes.[26]
4.20
The Department notes:
The commencement period should provide sufficient time for
the development, approval and registration of the CR code, provide certainty by
setting out a defined time in the legislation for commencement, and should see
all elements of the Privacy Amendment Bill commence at the same time (that is,
no staged implementation).
The Department does not consider that commencement should be
at the discretion of the Attorney-General, nor does the Department consider
that the commencement should be contingent on the registration of the CR code
as this does not ensure certainty.[27]
4.21
The Department has stated that it will be considering stakeholder views
on extending the proposed nine month commencement period in proposing options
for consideration by the Attorney-General.[28]
Complexity
4.22
The Committee received many submissions suggesting that various parts of
the Privacy Amendment Bill are complex and confusing[29]
which may make the new privacy regime difficult to use and apply.[30]
4.23
The ALRC noted the complexity of the privacy regime in its report and made
a multitude of recommendations that the Privacy Commissioner publish guidance
and educational materials on a variety of topics.[31]
4.24
There have been further suggestions that educational materials should be
developed to render this complex legislation more accessible to the public.[32]
4.25
The Attorney-General’s Department states that it is not considering any
comprehensive redrafting or restructuring of the Bill and that it expects that
the structure of some of the reforms that may not be currently discernible will
become apparent when the amendments are incorporated and the Privacy Act is a
single document.[33]
4.26
The Department also notes that in relation to the credit reporting
provisions, increased complexity may be the result of the significant increase
in complexity and scale since the credit reporting system’s introduction twenty
years ago.[34]
4.27
The Department acknowledges the recommendations the ALRC directed to the
OAIC on the provision of guidance and educational materials and notes that the Government
accepted those recommendations in principle.[35] The Department supports
the development of educational materials in relation to the new privacy regime
but suggests that it is a matter for the OAIC.[36]
Committee comment
De-identified data
4.28
The Committee acknowledges industry’s concern that important studies may
be obstructed through the regulation of de-identified data. In addition, the
Committee appreciates concerns about the risk of re‑identification of
data.
4.29
The Committee has not formed a view as to whether the risk of re‑identification
of data is so severe that the regulation of de-identified data is justified,
given lack of precedent in other modern economies.
4.30
The Committee acknowledges the importance of the studies undertaken with
such data and while it suggests the Bill proceed in its current form, it
suggests that the operation of section 20M be evaluated in a review to be conducted
twelve months after commencement of the Act.
Commencement period
4.31
The Committee is concerned by the issues raised in relation to the
commencement date. The Committee has not formed a specific view as to the
length of time industry genuinely requires to implement internal systems
required to comply with the new credit reporting system. However, the Committee
considers that the CR code should be developed and approved by the Privacy
Commissioner as soon as possible, to allow industry the greatest time possible
to implement required systems.
4.32
The Committee notes that the Attorney-General’s Department continues to
consult stakeholders and propose options to the Attorney-General. Consequently,
the Committee anticipates that the issue may be resolved to a large degree through
this consultative process.
Complexity
4.33
The Committee appreciates that updating Australia’s privacy laws is a
complex task that requires detailed provisions. It acknowledges that these
reforms were informed by a comprehensive ALRC inquiry and significant scrutiny
and time have gone into their development. In addition, the Committee notes
that one of the aims of the reforms was to reduce complexity.
4.34
Accordingly, the Committee is concerned by the number of submissions that
suggest significant confusion around the new provisions. The Committee is
concerned whether the public will be able to easily comprehend new privacy
rights and whether industry will comprehend the obligations placed on them.
4.35
The Committee notes that the Government has accepted in principle the
recommendation of the ALRC to develop educational materials. The Committee considers
this is essential given the complexity and seriousness of these provisions.
4.36
The Committee notes that no agency has indicated to the Committee that
they are developing such material, or that they consider themselves responsible
for the development of such material. This is of grave concern to the Committee
and the Committee recommends that the Attorney-General ensure that
comprehensive material setting out new privacy obligations and protection is
available prior to the commencement of the Act.
Concluding remarks
4.37
Given the seriousness of privacy concerns and that Australian privacy
laws have not been updated for twenty years, the Committee recognises the
importance of the enhanced privacy protections proposed in this Bill.
4.38
In examining the Bill, the Committee has looked to ensure that an
appropriate balance between privacy protection and the convenient flow of data
has been achieved. Given the complexity of issues and the global nature of business,
there are many elements to the privacy regime proposed and there remain many
areas of concern to industry and consumer advocates.
4.39
The Committee recognises that considerable consultation has gone on
prior to the introduction of this Bill to the House, and that many of the provisions
proposed are the enactment of recommendations made in the ALRC review. In
addition, the Committee notes that the Attorney‑General’s Department is
continuing to consult with stakeholders to resolve a number of the
implementation details around this Bill and to discuss further possible
consequences of the Bill.
4.40
However, given the degree of concern and that Departmental consultations
are continuing with the purpose of potentially advising the Attorney-General of
options, the Committee expresses its disappointment that the House and indeed
this Committee are asked to consider the Bill at this stage.
4.41
On balance the Committee has determined to recommend that the Privacy
Amendment Bill be passed by the House of Representatives. The Committee adopts
this position because it considers that there is a critical need to increase
consumer privacy protections.
Recommendation 1
4.42
The Committee recommends that the House of Representatives
pass the Privacy Amendment (Enhancing Privacy Protections) Bill 2012.
4.43
While recommending that this Bill should be passed (subject to the
outcome of continuing consultations with stakeholders), the Committee further
recommends that the Attorney-General conduct a review of the functioning of the
new privacy regime twelve months after the Bill commences. This review should
address a number of issues that have been raised in this inquiry.
Recommendation 2
4.44
The Committee recommends that the Attorney-General agree to
conduct a review of the Privacy Amendment (Enhancing Privacy Protections)
Bill 2012 twelve months after the commencement of the Act, addressing the
following issues:
• Defence to contravention of APP 8
• Conflicting overseas laws
• Direct marketing and opt out provisions for direct marketing
• De-identified data provisions
• The system regulating/preventing credit reporting information overseas (the
Australian link requirement), and
• The effect of the repayment history provisions on addresses stored on file.
4.45
The Committee is concerned that suitable educational and explanatory
material will need to be developed prior to the commencement of the Act to
ensure that individuals understand their new privacy rights, and that industry
are fully aware of their obligations.
4.46
During the inquiry, it was not clear that any agency was to assume
responsibility for the development and distribution of such material. Failure
to ensure all parties are aware of and fully understand their obligations and
protections would be a grave oversight in the implementation of this new
privacy regime.
4.47
Accordingly, the Committee recommends that the Attorney-General ensure
that suitable educational material is developed and distributed prior to the
commencement of the Act.
Recommendation 3
4.48
The Committee recommends that the Attorney-General ensure
that comprehensive educational material on the new privacy protections and
obligations is available prior to commencement of the Act.
Graham Perrett MP
Chair