Breach notification rules for new government data scheme, but no consent for sharing
- 03 September, 2019 10:06
New legislation that will enable data collected by public sector agencies to be more easily shared is expected to be accompanied by new rules for data breach notifications, a discussion paper released today by the government said.
The government in May 2018 said it would introduce a new data sharing and release framework as part of a package of reforms sparked by the Productivity Commission’s report on the availability and use of data.
Development of the proposed framework is inspired partly by the UK ‘Five Safes’ principles.
The Office of the National Data Commissioner (ONDC), which was established last year by the government, today released a consultation paper on the development of data sharing and release legislation. The paper states that the ONDC is still considering the kind of data breach scheme that is needed for the new framework.
In February 2018, the Notifiable Data Breaches (NDB) scheme, which is overseen by the Office of the Australian Information Commissioner (OAIC) and covers a range of personal information about individuals, came into effect.
“The Data Sharing and Release legislation requires a different kind of notification scheme for the vast range of data falling outside the Privacy Act 1988 notifications scheme,” the ONDC consultation paper states.
“For example, we are considering options to ensure appropriate protection and notification of breaches involving sensitive data that is not personal information, such as data that is of a legally privileged, commercial-in-confidence, security classified, or environmental nature,” the paper states. “We will continue to engage on what the breach notification scheme may look like in the coming months.”
A Privacy Impact Assessment prepared by Galexia for the government recommended that the eventual data sharing bill should include a mechanism imposing a data breach notification requirement “where the entities involved operate in a State or Territory where such a requirement does not yet exist”.
The PIA recommendation was supported by the Department of Prime Minister and Cabinet (DPMC).
One issue the ONDC consultation paper confirms has been controversial is whether individuals must consent to the use and sharing of their data. There have been “robust discussions and debate” about the issue, the paper states.
The paper proposes that consent not be required for sharing personal information in all instances. Instead, responsibility would be placed on ‘data custodians’ and ‘accredited users’ that are part of the system to “safely and respectfully share personal information where reasonably required for a legitimate objective.”
Greater restrictions will apply to ‘sensitive data’, which will be covered by a binding Sensitive Data Code.
“The Sensitive Data Code may set additional limitations for categories of sensitive data such as commercial-in-confidence, legally-privileged, security-classified, confidential, or culturally sensitive data,” the paper states.
Some matters such as advice on when and how to seek consent will be provided in non-binding guidance, the paper states.
Requiring consent could lead to biased data sets, the paper argues.
“The research sector presented particularly robust arguments against taking a one-size-fits-all approach to consent during consultations,” the paper states, arguing for a GDPR-inspired approach that “makes consent one of six ‘lawful bases of processing.’”
The Galexia PIA argues that it will be “difficult, but not impossible, to develop community trust, confidence and acceptance” for the proposed legislation because it will impose “a mandatory scheme (for consumers) with no consent provisions”.
“This will need to be balanced by a significant public benefit and strong privacy protections – and the successful communication of these,” the PIA adds.
The government has indicated that the proposed framework will not allow data to be used for compliance and assurance purposes; that is, it does not intend to use it for an expansion of its ‘robodebt’-style efforts.
Government services minister Stuart Robert said that the new scheme will “establish stronger safeguards and enable government to use data more effectively and securely to deliver services in a way that meets the expectations of the Australian public”.
“The sharing of public sector data has incredible potential at the individual level – reducing the friction and duplication of tasks that many Australians experience when accessing government services,” the minister said. “It is equally beneficial at the national level, by delivering new insights that inform research and government policies on complex challenges in health, education and the economy.
“Currently, there is a labyrinth of over 500 separate privacy and secrecy provisions enacted over a century hindering our ability to share data to deliver the service Australians deserve. These reforms will ensure we keep pace with international standards and best practice when it comes to government service delivery.”
Robert said that the data must be used “safely, for the right purpose and by the right people, with privacy and security at the very core”.
“We are committed to getting this right so we’ve sought the views of users and stakeholders, including peak bodies, privacy experts, businesses and research institutions to help shape the policies outlined in this discussion paper,” the minister said.
The ONDC is accepting submissions on the paper until 15 October.
The government expects to consult on draft legislation in early 2020, with a bill to create the new scheme expected to be introduced to parliament in the middle of next year.
The government earlier this year legislated a separate data-sharing scheme known as the Consumer Data Right.