Data Availability and Use
The Law Council welcomes the comprehensive review by the Productivity Commission into ways to improve the availability and use of public and private sector data. The observations that data is being collected and used in a variety of ways, and that data is an asset, are observations about the current commercial or technological environment and are not contentious.
Apart from item 5, which expressly references Australia’s privacy laws, the Productivity Commission’s Terms of Reference is largely focused on the economic benefits and risk of broader data sharing.
While this is understandable at this stage of the review process, it is worth noting that to progress the inquiry and address the legal issues that will be triggered by the range of potential changes, Australia would have to undertake a major rewrite of its privacy laws. This will need to include laws on State and Federal levels dealing with, amongst other matters, credit reporting, confidentiality and intellectual property. This is because:
• The distinction between identified and de-identified data is not clear and is difficult to apply in practice. The definition of what amounts to ‘personal information’ is the subject of an appeal yet to be heard by the Federal Court1. Similar challenges are experienced in other jurisdictions;
• Advances in technology mean that the process of data analytics can move seamlessly between identified and de-identified data. This is particularly so where ‘Big Data’ is involved (the Law Council notes that ‘Big Data’ is currently the subject of pending guidelines being prepared by Office of the Australian Information Commissioner);
• The review appears to proceed on the basis of an assumption that the data currently available in the system can be used without restrictions. This assumption needs to be thoroughly tested and investigated, especially noting the fact that:
o in relation to data collected and processed by agencies, much of this data has been collected under various regimes that obtained the data under a form of compulsion or pursuant to legislative or administrative arrangements that impose some limitations on the use and disclosure of the data (particularly where that data is personal information as defined);
o in relation to data collected and processed by the private sector, that data may have substantial proprietary rights attaching to its format, content and in the case of personal information, legislative limitations on its use and disclosure; and
o the current privacy regime relies on a hybrid of notice and consents and puts a premium on transparency and governance. It will be important to preserve the levels privacy protections and build on these.
• The developments in the use of data benefit from an international approach. To that end, it will be important to address the newer concepts enshrined in legislation such as the European Union (EU) Data Protection Regulation, which is due to come into effect in the EU in May 2018. The Regulation will introduce new legal concepts such as ‘data portability’, ‘profiling’ and ‘the right to be forgotten’ – all matters that impact directly on the availability and uses of personal data or personal information as these terms are defined in the relevant legislation.
These issues require careful attention and a comprehensive review of our privacy and related data regimes to ensure that appropriate privacy protections are in place and that our regime aligns with, and responds to, international developments in this area.
The Law Council also notes the current issue that has arisen with regards to Census data and queries whether such data from this point forward will involve a longitudinal study tracking each individual. This controversial change has been made in advance of the Productivity Commission’s current inquiry into commercialisation of government and private data, which will decide how it can be used. Consideration should be given to whether identified Census data collected before the completion of the Productivity Commission’s review requires protection from changes that may in effect be retrospective (as it relates to data already collected).
The Law Council would welcome an opportunity to discuss these issues with the relevant officers of the Productivity Commission to help ensure that the legal issues are addressed and where possible progressed in the context of the inquiry and its pending outcomes.
Thank you for your consideration of this submission. For further information in the first instance, please contact Dr Natasha Molt, Senior Legal Adviser, Policy Division, on (02) 6246 3754 or natasha.molt@lawcouncil.asn.au or Olga Ganopolsky, Chair of the Business Law Section’s Privacy Law Committee, (02) 8237 9194 or Olga.Ganopolsky@macquarie.com.
1 Privacy Commissioner v Telstra Corporation Limited listed for a Full Federal Court hearing on 23 August 2016, https://www.comcourts.gov.au/file/Federal/P/VID38/2016/actions.