Attorney-General George Brandis has said the government will introduce legislation to amend the Privacy Act that will make it a criminal offence to re-identify de-identified government datasets.
Brandis hasn’t released the wording of the proposed legislation but in a statement said it will make it an offence “to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.”
The Attorney-General said that the bill will make the offences take effect from yesterday. The government will introduce the legislation in the spring sittings of parliament, Brandis said.
The proposal comes in the wake of privacy concerns over the 2016 Census.
In addition to problems with the online portion of this year’s Census, the Australian Bureau of Statistics has come under fire for a decision to retain names and address data for a longer than usual period. The ABS has said that this will allow it to deliver richer statistical data, potentially through cross-matching Census data with other datasets.
Although the ABS has not revealed a great deal of detail about its plans, it has said that privacy will be protected through use of a Statistical Linkage Key that will render the data anonymous. However, the use of SLKs has alarmed security experts because of the potential for de-identified data to be re-identified.
Brandis' announcement has caused concern among digital rights advocates.
“The announcement made by the attorney-general is yet another sign that this government is ill-equipped to adequately protect citizen’s personal data in a digital age,” said the chair of Digital Rights Watch, Tim Singleton Norton, said in a statement.
Singleton Norton said the move pre-empted the work of the Productivity Commission, which is conducting an inquiry on data access and usage, and that Brandis had alluded to “potentially a very broad offence of 'facilitating' re-identification”.
“The specific wording of ‘counsel, procure, facilitate or encourage’ will need to be framed carefully to exclude innocent acts, such as rigorous penetration testing of encryption software,” the DRW chair said. “Likewise, the whole area of research into de-identification research, such as that undertaken by the CSIRO, could be jeopardised through heavy-handed legislation.”
The Office of the Australian Information Commissioner is currently working on developing guidelines on the interaction between big data and Australian privacy law.