New legislation that will enable data collected by public sector agencies to be more easily shared is expected to be accompanied by new rules for data breach notifications, a discussion paper released today by the government said.
The government in May 2018 said it would introduce a new data sharing and release framework as part of a package of reforms sparked by the Productivity Commissionâs report on the availability and use of data.
Development of the proposed framework is inspired partly by the UK âFive Safesâ principles.
The Office of the National Data Commissioner (ONDC), which was established last year by the government, today released a consultation paper on the development of data sharing and release legislation. The paper states that the ONDC is still considering the kind of data breach scheme that is needed for the new framework.
In February 2018, the Notifiable Data Breaches (NDB) scheme, which is overseen by the Office of the Australian Information Commissioner (OAIC) and covers a range of personal information about individuals, came into effect.
âThe Data Sharing and Release legislation requires a different kind of notification scheme for the vast range of data falling outside the Privacy Act 1988 notifications scheme,â the ONDC consultation paper states.
âFor example, we are considering options to ensure appropriate protection and notification of breaches involving sensitive data that is not personal information, such as data that is of a legally privileged, commercial-in-confidence, security classified, or environmental nature,â the paper states. âWe will continue to engage on what the breach notification scheme may look like in the coming months.â
A Privacy Impact Assessment prepared by Galexia for the government recommended that the eventual data sharing bill should include a mechanism imposing a data breach notification requirement âwhere the entities involved operate in a State or Territory where such a requirement does not yet existâ.
The PIA recommendation was supported by the Department of Prime Minister and Cabinet (DPMC).
Consent
One issue that the ONDC consultation paper confirmed has been controversial is the issue of individualsâ consenting to the use and sharing of their data. There have been ârobust discussions and debateâ about the issue, the paper states.
The paper proposes that there not be a consent requirement for sharing personal information in all instances. Instead responsibility would be placed on âdata custodiansâ and âaccredited usersâ that are part of the system to âsafely and respectfully share personal information where reasonably required for a legitimate objective.â
There will be greater restrictions imposed when it comes to âsensitive dataâ which will be covered by a binding Sensitive Data Code.
âThe Sensitive Data Code may set additional limitations for categories of sensitive data such as commercial-in-confidence, legally-privileged, security-classified, confidential, or culturally sensitive data,â the paper states.
Some matters such as advice on when and how to seek consent will be provided in non-binding guidance, the paper states.
Requiring consent could lead to biased data sets, the paper argues.
âThe research sector presented particularly robust arguments against taking a one-size-fits-all approach to consent during consultations,â the paper states, arguing for a GDPR-inspired approach that âmakes consent one of six âlawful bases of processing.ââ
The Galexia PIA argues that it will be âdifficult, but not impossible, to develop community trust, confidence and acceptanceâ for the proposed legislation because it will impose âa mandatory scheme (for consumers) with no consent provisionsâ.
âThis will need to be balanced by a significant public benefit and strong privacy protections â and the successful communication of these,â the PIA adds.
The government has indicated that the proposed framework will not allow data to be used for compliance and assurance purposes; i.e. it's not intending to use it for an expansion of its ârobodebtâ-style efforts.
Legislation
Government services minister Stuart Robert said that the new scheme will âestablish stronger safeguards and enable government to use data more effectively and securely to deliver services in a way that meets the expectations of the Australian publicâ.
âThe sharing of public sector data has incredible potential at the individual level â reducing the friction and duplication of tasks that many Australians experience when accessing government services,â the minister said. âIt is equally beneficial at the national level, by delivering new insights that inform research and government policies on complex challenges in health, education and the economy.
âCurrently, there is a labyrinth of over 500 separate privacy and secrecy provisions enacted over a century hindering our ability to share data to deliver the service Australians deserve. These reforms will ensure we keep pace with international standards and best practice when it comes to government service delivery.â
Robert said that the data must be used âsafely, for the right purpose and by the right people, with privacy and security at the very coreâ.
âWe are committed to getting this right so weâve sought the views of users and stakeholders, including peak bodies, privacy experts, businesses and research institutions to help shape the policies outlined in this discussion paper,â the minister said.
The ONDC is accepting submissions on the paper until 15 October.
The government expects to consult on draft legislation in early 2020, with a bill to create the new scheme expected to be introduced to parliament in the middle of next year.
The government earlier this year legislated a separate data-sharing scheme known as the Consumer Data Right.
Gloss