DGA chair pushes back against ‘joint ownership’ model for data

Former ACCC chair pushes for industry self-regulation of data handling

The chair of Data Governance Australia, Graeme Samuel, has argued against a Productivity Commission recommendation that would see consumers given greater control over data about them held by businesses.

The former chair of the Australian Competition and Consumer Commission today used an address at the National Press Club to argue that any move to take too much control of data away from businesses would stifle innovation.

The Productivity Commission’s final report on Data Availability and Use recommended that individuals and small and medium businesses be given “a new Comprehensive Right to the use of their digital data.”

“Australian consumers have little capacity to choose how digital data about them is used; and too often, organisations and governments make decisions (after complying with privacy principles) about the use of individuals’ data on their behalf,” the report argued.

“In the face of the ubiquity of data collected, the scope to provide consumers with a greater say — within limits — on the handling of data that is sourced from them, is considerable.”

Under the regime envisaged by the PC, consumer data would be considered a joint asset between the individual and the organisation that holds their data.

Consumers would be able to view and request edits or corrections to personal information under a regime somewhat akin to provisions under the Privacy Act.

Consumers would also be able to obtain a machine-readable copy of their digital data or have a copy passed on to a nominated third party, such as a potential new service provider, the report said.

“The ability to require the transfer of your data from one data holder to an alternative party would offer consumers the opportunity to trade safely and conveniently on their data, as business and (increasingly) governments do,” the report argued. The PC recommended the passing of a ‘data sharing and release’ act.

“While the move to open data should be encouraged if we are to truly realise the full value of data to our society, there are serious concerns whether private business would continue their investment into data under a joint ownership of data model,” Samuel said in his address today.

“This is likely to ultimately stifle innovation and value-creation and weaken Australia’s ability to compete globally.”

The former ACCC chair said that supermarket loyalty schemes provided a useful example. The information on a shopping docket may be considered data over which an individual consumer has a joint right, he said. However, “the same cannot be true of the data being generated the moment the loyalty card is scanned”, he added.

“The data sitting behind and driving the loyalty programs does not exist without the significant investment made by businesses. Businesses make a significant investment in the information and communications technology infrastructure, sophisticated data analytic processes and algorithms, data security as well as the human capital needed to support innovation and value-creation.”

Consumers still benefit, he said, through rewards, discounts and the development of new products and services.

Samuel pushed an industry self-regulatory model for business use and management of data.

“Government regulation is likely not the answer as laws struggle to keep up with the pace of technological change and data practices,” he said.

Data Governance Australia in June launched a draft code of practice based on nine core principles: A no-harm rule; honesty and transparency; fairness; choice; accuracy and access; accountability; stewardship; security; and enforcement.

The organisation has said it is also consulting with relevant government bodies and industry stakeholders to develop solutions for data portability.

Organisations that comply with these code’s principles will earn a ‘trust mark’.

“You will also ask if self-regulation in the form of this code of practice can work,” Samuel said. “Does it have any teeth to ensure that industry complies? The answer is yes. Industry self-regulation will only be successful if it is properly enforced.

“The DGA code of practice is enforced by an individual code authority, which is responsible for resolving disputes and complaints in relation to compliance with the code of practice.”

He acknowledged that some “questionable practises” involving data and analytics had made consumers wary.

“For every innovation with data, there is a corresponding deviation,” he said. Nothing exemplifies this more than the “simplistic and inappropriate data matching” employed in Centrelink’s Online Compliance Intervention’ program, he added.

There been instances in the private sector and public sector of apparent breach of “community expectation, community concern” in relation to data.

In some cases those breaches can “become a bit like a snowball” and gather around “layer upon layer upon layer of information, misinformation and disinformation, and so what might be a minor issue can develop into something that is quite scary.”

Samuel said he didn’t know the full details of the illicit sale of Medicare numbers through a darkweb service but added: “You would have to say I wouldn't have wanted to pay too much for those Medicare numbers because I'm not sure what benefit I get out of having them.”

However, media reports and some political commentary presented the issue as “a major breach of our health systems and health record systems and the like”, he argued.