Home | Databases | WorldLII | Search | Feedback Australian Parliamentary Joint Committee on Human Rights

Data Availability and Transparency Bill 2020 [2021] AUPJCHR 40 (31 March 2021)

Data Availability and Transparency Bill 2020^[1]

2.39 The committee requested a response from the minister in relation to the bill in Report 2 of 2020.^[2]

Public sector data sharing scheme

2.40 This bill seeks to establish a legislative framework for the sharing of public sector data, operating in addition to existing legislative mechanisms for data sharing. The bill would enable data custodians (being Commonwealth bodies which control the relevant data and have a right to deal with it)^[3] to share their data with accredited users, either directly or via an intermediary termed an 'accredited data service provider'.^[4] This would permit the sharing of data even where an existing applicable legislative scheme would prevent disclosure of the relevant data.

2.41 The bill defines 'data' broadly to mean 'any information in a form capable of being communicated, analysed or processed (whether by an individual or by a computer or other automated means)'.^[5] The term 'public sector data' means data which is lawfully collected, created or held by or on behalf of a Commonwealth body.^[6] An accredited entity with which Commonwealth data may be shared may include: non-corporate Commonwealth bodies;^[7] entities from other levels of government; and industry, research and other entities in the private sector.^[8]

2.42 The sharing of data pursuant to the scheme would be authorised where the sharing is:

(a) for a 'data sharing purpose' (being the delivery of government services; informing government policy; or research and development);^[9]

(b) consistent with five 'data sharing principles', including the requirement that the sharing can reasonably be expected to serve the public interest; that any sharing of personal information of individuals is done with their consent, unless it is unreasonable or impracticable to seek their consent; and that appropriate protections are applied to the data;^[10]

(c) not explicitly excluded from the scheme;^[11] and

(d) in accordance with a data sharing agreement between a data custodian and an accredited user.^[12]

2.43 Data scheme entities would be subject to data breach responsibilities, including an obligation to take steps to mitigate a data breach, and a requirement to notify specified persons of a data breach.^[13] The unauthorised sharing of data under the scheme would be subject to a civil penalty of 300 penalty units,^[14] or imprisonment for up to two years where a person was reckless with respect to the circumstance that the sharing was not authorised.^[15]

2.44 The bill would further provide for the establishment of the National Data Commissioner (the Commissioner), who would serve as statutory regulator for the scheme and whose role would include 'advocating for the sharing and release of public sector data more generally'.^[16] The Commissioner would be empowered to enforce the scheme, including by assessing, monitoring and investigating data scheme entities. The Commissioner would have several enforcement powers, including the ability to: suspend, cancel or impose conditions on an entity's accreditation; issue written directions to a data scheme entity; impose a civil penalty; issue infringement notices; accept and enter into enforceable undertakings; and apply for injunctions.^[17]

Summary of initial assessment

Preliminary international human rights legal advice

Right to privacy

2.45 This bill would facilitate the sharing of an extremely wide range of data held by Commonwealth bodies with other government and non-government entities (excluding only that data which is explicitly excluded from the scheme).^[18] The bill defines the term 'public sector data' very broadly, and the term 'data' itself refers to any information capable of being communicated, analysed or processed.^[19] The explanatory memorandum states that this data includes personal information, as defined by the Privacy Act 1988 (Privacy Act).^[20] In addition, the scheme would override a range of existing secrecy provisions preventing the sharing of data,^[21] in order to facilitate the sharing of data. Commonwealth bodies hold an extremely broad range of complex information, including sensitive personal information about individuals in relation to: health; migration and citizenship; child support; social security; employment; disability; and Indigenous affairs. Given the breadth and depth of information which could be shared, and with a wide group of entities, the proposed measure engages and limits the right to privacy.

2.46 The right to privacy is multi-faceted. It comprises respect for informational privacy, including the right to respect for private and confidential information, particularly the storing, use and sharing of such information.^[22] It prohibits arbitrary and unlawful interferences with an individual's privacy, family, correspondence or home.^[23] This includes a requirement that the state does not arbitrarily interfere with a person's private and home life,^[24] meaning that any interference with a person's privacy—including one provided for by law—should be in accordance with the provisions, aims and objectives of the International Covenant on Civil and Political Rights, and be reasonable in the particular circumstances.^[25] The right to privacy also includes the right to control the dissemination of information about one's private life, and requires that States Parties take effective measures to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorised by law to receive, process and use it.^[26] It also requires that legislation must specify in detail the precise circumstances in which an interference with privacy will be permitted.^[27]

2.47 In order to assess the compatibility of this bill with the right to privacy, further information is required as to:

(a) what is the specific objective the measure seeks to achieve, including what public or social concern the measure seeks to address, which is pressing and substantial enough to warrant limiting the right to privacy;

(b) why the Australian Federal Police is not listed as an excluded entity under proposed subclause 11(3), noting that it is a law enforcement body;

(c) in what type of circumstances is it likely that data will be shared, or not shared, for a data sharing purpose (with examples provided as to what is, and is not, likely to be considered to be for 'the delivery of government services'; 'informing government policy and programs'; and 'research and development');

(d) what considerations would be considered relevant (and irrelevant) in an assessment of the 'public interest' for the purpose of proposed subclause 16(2), and why does the bill not specifically reference the need to consider the right to privacy;

(e) in what circumstances, and based on what factors, would it be considered unreasonable or impracticable (under proposed paragraph 16(2)(c)) to seek the consent of individuals whose personal information would be shared, and would the provision of any government service be contingent on the individual giving their consent to the proposed sharing of their data;

(f) whether and in what manner accredited entities would be subject to ongoing monitoring (or auditing) of their continued compliance with the data sharing scheme, and their suitability for continued accreditation;

(g) why the scheme would not permit an individual to complain to the National Data Commissioner about a matter associated with the data sharing scheme, such as to report a suspected breach or data misuse, or to express concerns as to the sharing or use of their data in a specific context;

(h) noting the requirement that the sharing of personal information be minimised as far as possible without compromising the data sharing purpose, in what circumstances would the data sharing purpose be compromised by not sharing personal information;

(i) in what circumstances does the bill provide, and is it intended that the rules will provide, that a data sharing agreement may allow the accredited user to provide shared output data to a third party, and what protections apply to protect personal privacy in such circumstances; and

(j) why other, less rights restrictive alternatives would not be effective to achieve the intended objectives (such as amendments to individual pieces of legislation to invoke this data sharing scheme which take into account the specific data to be shared and the specific circumstances in which it is appropriate to share such data).

Committee's initial view

2.48 The committee noted that the measure engages and limits the right to privacy. The committee noted that this data sharing scheme is intended to facilitate greater data availability and use, in order to support economic and research opportunities, and streamline government service delivery. Noting the recent pressures placed on public service delivery following the 2020 bushfire season and the COVID-19 pandemic, greater data sharing is likely to support a 'tell us once' approach to public service delivery. The committee considered that these appear to be important objectives.

2.49 However, the committee noted that the statement of compatibility does not, itself, set out what objectives are sought to be achieved by the bill. Accordingly, the committee considered that further information was required in order to assess whether the stated objectives constitute a legitimate objective for the purposes of international human rights law. Further, the committee noted that, while the statement of compatibility provides a list of safeguards with respect to the right to privacy, the extent to which the proposed scheme may limit the right to privacy is not clear. The committee considered further information was required to assess the human rights implications of this bill, and as such sought the minister's advice as to the matters set out at paragraph [2.47].

2.50 The full initial analysis is set out in Report 2 of 2021.

Minister's response^[28]

2.51 The minister advised:

a) Objectives of the Bill
The Bill is central to the Government's response to the Productivity Commission's Inquiry into Data Availability and Use.^[29] The Bill is designed to facilitate controlled access to public sector data for specific purposes in the public interest, with safeguards in place to mitigate risks.^[30] The three permitted purposes for sharing under the data sharing scheme are: delivery of government services, informing government policies and programs, and research and development.
The natural disasters and health and economic crises of the recent past demonstrate the public benefits of greater data sharing to support informed decision-making and timely delivery of government services to people in need.^[31] The Bill's objective of promoting greater data sharing will remove legislative barriers to sharing, while establishing institutional arrangements such as a National Data Commissioner (the Commissioner) to provide oversight for the scheme and promote safe sharing.
The Bill represents a proportionate means of facilitating greater data sharing for purposes in the public interest. The limitations on data sharing in existing legislation are a constraint that can only be addressed by further legislation, such as the Bill. It would be impractical and cumbersome to amend every applicable statutory provision imposing limitations on the use and disclosure of data to achieve the public policy purpose of facilitating the benefits and outcomes of improved data sharing. The Bill permits data sharing in a closely controlled, consistent and transparent manner, with a specific regulatory regime to ensure data sharing is undertaken safely. The Bill is therefore a proportionate limitation on the right to privacy.
b) Australian Federal Police (AFP) participation in the scheme
An entity listed under subclause 11(3) of the Bill cannot participate in the scheme as a data custodian or an accredited entity, and data originating with, held by, or received from such an entity cannot be shared under the scheme.
The Bill would enable the sharing, collection and use of public sector data by the AFP only for permitted purposes in the public interest, and this would be described in publicly available data sharing agreements. For example, if it became an accredited user, the AFP could collect and use data to undertake research, or to inform policies and programs that are related to law enforcement (as distinct from policing activities that target particular individuals).^[32] As a data custodian, the AFP would also be able to share its non-operational data with accredited entities, where consistent with the requirements of Chapter 2 of the Bill. The Bill excludes sharing of the operational data of the AFP to protect the integrity and security of police operations.^[33] Other dedicated legislative frameworks will continue to govern the AFP’s law enforcement activities and any sharing of operational data.
c) Data sharing purposes
The data sharing purposes set out in clause 15 of the Bill reflect extensive public consultation on appropriate uses of public sector data for the scheme, and were considered as part of three independent Privacy Impact Assessments. While each project under the data sharing scheme will need to be assessed on a case-by-case basis, activities under each purpose may include:

• Delivery of government services: sharing data for this purpose could enable the provision of better services for Australians, such as the delivery of new disaster relief payments, grants or industry support payments. Facilitating service delivery agencies having access to up-to-date information about individuals will save time and boost productivity, while reducing friction in the process of delivering services and benefits to Australians. The sharing of data will also improve the planning and design of government services.

• Inform government policy and programs: sharing for this purpose could help enable the discovery of trends and risks to inform public policymaking, enable modelling of policy and program interventions and improve the quantity and quality of the data used by governments to inform important public policy decisions.

• Research and development: sharing for this purpose could enable academics, scientists, and innovators in the public and private sectors to access public sector data to gain insights that could enhance Australia’s socio-economic wellbeing.

The Bill precludes the sharing of data for national security or enforcement related purposes.^[34] While these activities are legitimate functions of government, they require specific oversight and redress mechanisms and are better addressed under dedicated legislation.
d) Assessment of the public interest
Consideration of whether a project would serve the public interest is one of several elements under the data sharing principles in clause 16 of the Bill. The data sharing principles strengthen the privacy settings for the scheme and ensure data is appropriately protected and risks are identified and mitigated for each project. The question of whether a project can reasonably be expected to serve the public interest must be made on a project-by-project basis, weighing a range of factors for and against sharing. It is a question of judgement in the particular case in which the test is applied. Factors will include impacts on an individual’s right to privacy, the potential for serious harm to the public, and whether those impacts are reasonable, necessary and proportionate, as well as the potential benefits to the community that would arise from the project. The Commissioner will issue guidelines on assessing the public interest, which entities must have regard to when operating under the scheme.^[35]
The Bill’s holistic approach ensures privacy interests are appropriately balanced with the public interest in a project, and does not explicitly reference privacy to avoid the implication that one must prevail at the expense of the other. Similarly, the objects of the Privacy Act 1988 specifically recognise the need to balance the protection of the privacy of individuals with entities’ interests in carrying out their functions and activities.^[36]
e) When would it be unreasonable or impracticable to seek consent?
I propose to table an addendum to the Explanatory Memorandum (in response to observations of the Senate Standing Committee for the Scrutiny of Bills Scrutiny in Digest 3 of 2021) in the Parliament as soon as practicable. The addendum will outline key information and examples about the meaning of ‘unreasonable or impracticable’ to assist to clarify the interpretation of paragraph 16(2)(c) of the Bill. The addendum will also direct users to relevant guidance issued by the Australian Information Commissioner on the standard of consent, which also applies to sharing of personal information under the data sharing scheme.
f) Monitoring of accredited entities’ compliance and suitability for accreditation
The Bill proposes a range of responsibilities on accredited entities, such as complying with conditions of accreditation and reporting relevant changes in circumstances to the Commissioner.^[37] A condition of accreditation can be imposed requiring an entity to provide updated evidence at specified intervals to support the criteria for accreditation.^[38] The Bill also includes mechanisms to support ongoing decisions about an entity’s accreditation status. For example, the Bill empowers the Commissioner to request further information or evidence as prescribed by the rules, monitor compliance with the Bill, investigate complaints about suspected breaches, and conduct own-motion investigations (for example, in response to a ‘tip-off’ from the public or the media).^[39] The Commissioner will also receive information about entities’ handling of data through the Bill’s data breach notification and information transfer provisions.^[40]
Once the data sharing scheme commences, the Commissioner will identify annual regulatory priorities in a Regulatory Action Plan. Regulatory priorities will reflect areas where uncertainty, complexity or the risk of non-compliance may arise.
g) Individual complaints
The Bill's formal complaint mechanism is scheme-specific to supplement existing redress mechanisms and to reduce duplication and overlap. The complaints process is a highly structured mechanism to resolve concerns held by one data scheme entity about the conduct of another data scheme entity in relation to the data sharing scheme.
Individuals may complain to the Commissioner outside the formal complaints mechanism in the Bill. The Commissioner will respond to such complaints as appropriate and a complaint could lead to the Commissioner conducting an own-motion investigation or transferring the matter to a more appropriate regulator.^[41] Individuals with concerns about the scheme will have access to existing complementary mechanisms, including complaints to the Commonwealth Ombudsman or Australian Information Commissioner.^[42]
h) Data sharing purposes and data minimisation
Sharing of personal information will generally be reasonably necessary to support delivery of government services to particular individuals. Sharing of personal information may also be required for some data integration projects for a permitted purpose, as certain personal information may be necessary to support the integration of datasets. In these circumstances, data custodians will still be required to share only the personal information necessary to facilitate the data integration project,^[43] and would be expected to apply appropriate protections to the data.^[44] There are well-established conventions for integrated data, including to maintain functional separation of identifying information (e.g. name or date of birth) from content information (e.g. clinical information or benefit details) throughout the data integration process. These safeguards work with the project principle, under which data custodians must consider engaging a technical data expert, an accredited data service provider, to perform the data integration.^[45]
i) Sharing outputs with third parties
Outputs containing personal information are protected by a range of safeguards.
While an output remains within the scheme, it may only be used in accordance with the data sharing agreement governing the sharing of the data. The data sharing agreement must be consistent with the data sharing principles, including the Bill's privacy safeguards such as the requirement that outputs contain only the data (including personal information) that is reasonably necessary to achieve the purpose of sharing under the data principle.^[46] As such, the most common circumstances where personal information would be shared by an accredited user with a third party would be to support government agencies providing an enhanced and streamlined service delivery experience to individuals who are entitled to receive current or new services or benefits.
Any sharing of output by an accredited user would only be permitted if this were agreed by the data custodian in accordance with the data sharing agreement governing the sharing of the data. For such sharing to be authorised, the data custodian must have determined that the access is consistent with the purpose test and data sharing principles.^[47]
To support data sharing for service delivery, clauses 21(1) and (2) of the Bill sets out circumstances in which an accredited user may provide controlled access to an output to third parties. Where the output relates to an individual, subparagraph 21(1)(b)(ii) provides for the output to be shared with an individual to validate or correct the output. This provides a degree of both transparency as well as control back to the individual. In addition, outputs containing personal information remain subject to other laws that regulate the handling of that information, such as the Privacy Act 1988 and State and Territory equivalents (as relevant).
j) Alternatives to a statutory override of laws that prohibit or restrict sharing
The Bill simplifies and streamlines public sector data sharing by providing a limited override of other laws that prevent or restrict sharing.^[48] This override of other laws is 'limited' because it is engaged only when the Bill's requirements are met and only to the extent necessary to facilitate sharing. The override is also limited by the Regulations, which list certain secrecy provisions that are not overridden by the Bill.^[49]
The Bill’s authorisation to share and its limited override provide a consistent legal framework for sharing, supported by an independent regulator to oversee and champion the scheme. As principles-based legislation, the Bill supports entities to tailor sharing arrangements according to the data to be shared and the surrounding circumstances. The Bill also creates no duty to share, allowing data custodians to ultimately determine when it is appropriate to share. It would be complex and impractical to amend individual Commonwealth laws to facilitate greater sharing. An exercise of this nature would require changes to over 500 secrecy provisions^[50] without the benefits of a dedicated regulator to promote best practice and cultural change, and without the guarantee of less rights restrictive outcomes. The Bill provides for a consistent, best practice, controlled and transparent data sharing approach for all Australian Government data custodians.

Concluding comments

International human rights legal advice

Right to privacy

Legitimate objective and rational connection

2.52 As the statement of compatibility did not identify the legitimate objective sought to be achieved by the bill, further information was sought from the minister. The minister has now advised that the bill is designed to 'facilitate controlled access to public sector data for specific purposes in the public interest'. As to whether and how that constitutes a public or social concern that is pressing and substantial enough to warrant limiting the right to privacy, the minister stated that the natural disasters and health and economic crises of the recent past demonstrate the public benefits of greater data sharing to support informed decision-making and timely delivery of government services to people in need. The facilitation of controlled access to public sector data for specific purposes which are in the public interest is, itself, likely to constitute a legitimate objective under international human rights law. Further, to the extent that this scheme would provide for the sharing of such data for purposes in the public interest, it would appear to be rationally connected with (that is, capable of achieving) that objective.

Proportionality

2.53 The primary issue is whether this scheme would be a proportionate means by which to achieve that objective, having regard to the extent of the interference with the right to privacy and the question of whether the measure is appropriately circumscribed. It is also necessary to consider the presence of safeguards, the possibility of oversight, the availability of review, and any less rights restrictive alternatives.

Data sharing purposes

2.54 Further information was sought as to the types of circumstances in which data would likely be shared, or not shared, for a 'data sharing purpose'. The minister stated that data sharing for the purpose of 'delivery of government services' could enable the provision of better services for Australians (such as, delivery of new disaster relief payments), including by improving their planning and design. Data sharing to 'inform government policy and programs' could help to enable the discovery of trends and risks to inform public policymaking, enable modelling of policy and program interventions and improve the quantity and quality of the data used by governments to inform public policy decisions. As to 'research and development', the minister stated that data sharing for this purpose could enable academics, scientists, and innovators in the public and private sectors to access data in order to gain insights that could enhance Australia’s socio-economic wellbeing.

2.55 The examples given as to the outcomes that might be achieved suggest that data sharing can occur for important and potentially rights-promoting purposes. However, the three data sharing purposes are framed very broadly, and, considering the breadth and depth of data held by Commonwealth entities, could capture disclosure in an extremely wide range of circumstances. For example, while data sharing for the 'delivery of government services' could be to enable better services for Australians, it may be that it could also be used when considering compliance action relating to the delivery of services, that may result in withholding government services. The breadth of the purposes and the lack of detail in the bill raises questions as to whether this key feature of the proposed data-sharing scheme is sufficiently circumscribed, having regard to the scheme's potentially significant interference with the right to privacy. The minister also advised that data sharing for national security or enforcement related purposes is excluded from the bill as these functions require specific oversight and redress mechanisms and are better addressed under dedicated legislation.^[51] However, it is not clear that security and enforcement related purposes are the only purposes undertaken by the Commonwealth government that would require specific oversight and redress mechanisms, noting that the Commonwealth delivers government services in a wide range of sensitive areas including: health; migration and citizenship; child support; social security; employment; disability; and Indigenous affairs.

Sharing of data in the 'public interest'

2.56 As to the requirement that, for data sharing to be permissible, the sharing of that data must reasonably be expected to serve the 'public interest', the minister stated that the determination of the 'public interest' must be made on a project-by-project basis, weighing a range of factors. He stated that these will include: impacts on an individual’s right to privacy; the potential for serious harm to the public; and whether those impacts are reasonable, necessary and proportionate, as well as the potential benefits to the community that would arise from the project.

2.57 If these matters were considered when determining if the sharing of data pursuant to a specific project can reasonably be expected to serve the public interest, this may operate to help to safeguard the right to privacy. However, much of the safeguard value would depend on how the term 'public interest' would be interpreted in practice.^[52] The minister stated that the Commissioner will issue guidelines on assessing the public interest, to which entities would be required to have regard. However, the minister provided no information as to what those guidelines would require in practice, and it is noted that the bill itself does not require that such guidelines are made, only that if there are guidelines in place, data scheme entities 'must have regard' to them.^[53] It is noted that the minister's advice to the Scrutiny of Bills committee was that this means that scheme entities 'must have regard for the guidelines however they are not binding'. The minister has added that the guidelines would not alter the law, but would only provide guidance about the Commissioner's view of the law and what is 'better practice'.^[54] Consequently, without any legislative guidance as to what would be considered as part of the assessment of the 'public interest', it is not possible to conclusively assess the safeguard value of the public interest requirement.

Sharing of personal information without consent

2.58 With respect to the sharing of personal information without the consent of individuals concerned where it would be 'unreasonable or impracticable' to seek that consent, the minister indicated that he intends to table an addendum to the explanatory memorandum, which would outline key information and examples concerning the meaning of ‘unreasonable or impracticable’ to assist to clarify the interpretation, and to direct users to other relevant guidance issued by the Australian Information Commissioner on the standard of consent.^[55] However, the minister did not provide any detail as to the content of that addendum, so it is not possible to assess what safeguard value (if any) such an addendum would have. Further, it is not clear why that information should not be provided for in the bill itself, noting the extent of the potential interference with the right to privacy pursuant to this measure.

Sharing identifiable personal information

2.59 Subclause 16(8) requires that only data which is reasonably necessary to achieve the data sharing purpose is to be shared, and the sharing of personal information is to be minimised as far as possible without compromising that data sharing purpose. As set out in the initial analysis, this could operate as a significant safeguard, as it may result in data being shared which de-identifies or anonymises the individual to whom the data relates. However, this protection is qualified by the requirement that this does not compromise the broadly framed data sharing purpose, and that there is no specific requirement that data be de-identified where possible. In response to the question regarding the circumstances in which the data sharing purpose would be compromised by not sharing personal information, the minister stated that the sharing of personal information 'will generally be reasonably necessary to support delivery of government services to particular individuals'. The minister further stated that sharing personal (non-anonymised) information may also be required for some data integration projects, as certain personal information may be necessary to support the integration of datasets. He advised that in these circumstances, data custodians would be required to share only the personal information necessary to facilitate the data integration project and would be expected to apply appropriate protections to the data. The minister further noted that there are established conventions for integrated data, including to maintain functional separation of identifying information (e.g. name or date of birth) from content information (e.g. clinical information or benefit details) throughout the data integration process. If such larger-scale multi-dataset integration projects were accompanied by these safeguards in practice, this would assist in terms of the sharing of personal information, including to help ensure that the information is not capable of being connected (or re-connected) such that it could be used to identify a person. However, the value of this as a safeguard would be better protected if the legislation specifically stated that where it is possible to do so, the data should only be shared where it does not identify individual personal data.

Monitoring the appropriateness of bodies to share data

2.60 As to the monitoring of accredited entities' compliance and ongoing suitability for accreditation to be able to share data under this scheme, the minister noted that, pursuant to subclause 78(2), a condition of accreditation which could be imposed on an entity may require it to provide updated evidence at specified intervals to demonstrate that it meets the criteria for accreditation. The minister noted that the bill also includes mechanisms to support ongoing decisions about an entity’s accreditation status, such as empowering the Commissioner to: request further information or evidence as prescribed by rules; monitor compliance; investigate complaints about suspected breaches; and conduct own-motion investigations (for example in response to a 'tip off' from the public or media). In addition, he stated that the Commissioner will also receive information about entities’ handling of data through the data breach notification and information transfer provisions, and noted that the Commissioner would identify annual regulatory priorities, which may reflect areas where a risk of non-compliance may arise.

2.61 By providing for a framework for ongoing monitoring of compliance these measures have the capacity to serve as useful safeguards. However, it is noted that many of the examples provided by the minister seem to involve reacting to problems that have already arisen with the accreditation of an entity, such as following a complaint or media interest. This approach would appear to mean that the privacy of persons may have been adversely affected before the Commissioner is alerted to problems with an entity. Noting the significant extent of the potential interference with the right to privacy pursuant to this scheme, it is not clear why the bill does not provide that an entity must provide updated evidence at specified intervals to support its criteria for accreditation (rather than leave this as a discretionary condition).

Avenues for complaints

2.62 Further information was also sought as to the capacity of individuals whose data has been shared under this scheme to register complaints with the Commissioner. The minister stated that the bill's formal complaints mechanism is scheme-specific, but that individuals could complain to the Commissioner outside the formal complaints mechanism in the bill, and the Commissioner would respond as appropriate, noting that this could lead to the Commissioner then conducting an investigation or transferring the matter to another regulator. However, given that the scheme itself is not designed to facilitate the management of complaints from the public, it is not clear that the public would be aware that they could complain directly to the Commissioner (for example, by having this information on the Commissioner's website). The bill itself does not establish a legislative basis for the management of individual complaints about matters associated with the scheme (such as to report a suspected breach or data misuse, or to express concerns as to the sharing or use of their data in a specific context) even though this would appear to support the Commissioner's own function of monitoring data entities, and the overall scheme, in practice. The minister noted that individuals could access existing complementary oversight mechanisms (such as the Commonwealth Ombudsman and the Australian Information Commissioner), which would likely serve as a useful safeguard. However, given that these bodies may likely need to liaise with the Commissioner to address any such complaints, as the Commissioner would be responsible for the administration of the scheme, it is unfortunate that the bill does not establish a mechanism for the management of individual complaints directly to the Commissioner.

Sharing personal information with third parties

2.63 Further information was also sought as to the circumstances in which it is intended that a data sharing agreement would allow the accredited user to provide shared 'output data' (that is, data that is the result or product of the use of public sector data) to a third party, and what protections would apply to protect personal privacy in such circumstances. The minister stated that this would most commonly occur in order to support government agencies providing an enhanced and streamlined service delivery experience to individuals who are entitled to receive current or new services or benefits. The minister stated that any such sharing of output by an accredited user would only be permitted if this were agreed by the data custodian in accordance with the data sharing agreement governing the sharing of the data. The minister stated that for such sharing to be authorised, the data custodian must have determined that the access is consistent with the purpose test and data sharing principles.

2.64 While the agreement of the data custodian to the sharing of output by an accredited user may serve as a safeguard in practice, it is noted that the data custodian is not the individual whose personal data may be shared (and that individual is not able to prevent the sharing of such data). Rather it is the Commonwealth body that controls the data and has the right to deal with the data.^[56] In addition, considering the example provided (the sharing of data with a third party to support government agencies to provide streamlined service delivery), it is not clear why such a project would require the exiting of data from the scheme, as this would appear to be captured by the data-sharing purpose 'delivery of government services'. Further, while the minister noted that clause 21 provides for the exit of shared output data with affected individuals in order for them to validate it, the bill would also permit the exit of shared output data in circumstances prescribed by the rules (under paragraph 21(2)(b)), and it is not clear what those circumstances may be. As such, it does not appear to have been established that the proposed framework for the sharing of scheme data with a third party outside the scheme is itself sufficiently constrained, or accompanied by sufficient safeguards, such that it may be said to be proportionate to the stated objective of the measure overall.

Less rights restrictive alternatives

2.65 Finally, information was sought as to why other, less rights restrictive alternatives—such as amending individual pieces of legislation to invoke this data sharing scheme—would not be effective to achieve the scheme's objectives. The minister stated that it would be complex and impractical to amend individual laws to facilitate greater sharing, noting that this would require changes to over 500 secrecy provisions. The minister also stated that it would be impractical and cumbersome to amend every existing statutory provision imposing limitations on the use and disclosure of data to achieve the public policy purpose of facilitating the benefits and outcomes of improved data sharing (as opposed to introducing a measure of this nature). However, the fact that amending individual pieces of legislation to invoke this data sharing scheme would be a complex exercise does not mean that it would not be effective to achieve the intended objectives of this scheme. It merely indicates that it would take more time. While the minister stated that such an approach would not have the benefit of a dedicated regulator to promote best practice and cultural change, or the guarantee of less rights restrictive outcomes, it is not clear that this is the case. It would appear that the bill could still provide for the establishment of the Commissioner with the same responsibilities, and establish a framework facilitating the progressive uptake of the scheme in individual legislative contexts, subject to its adoption by legislative amendment in each context. The fact that there are over 500 pieces of legislation that contain existing secrecy provisions that could be overridden by this broad data sharing power itself raises significant concerns that these targeted secrecy provisions could be overridden by this broad information sharing power in circumstances that may not be appropriate.

Concluding remarks

2.66 This bill appears to be directed towards the legitimate objective of facilitating controlled access to public sector data for specific purposes in the public interest, and would appear to be rationally connected to that objective. However, it is not clear that the measure would constitute a proportionate means by which to achieve that objective. It would establish an overarching framework to facilitate the sharing of a substantial range of Commonwealth-held data, some of which includes highly sensitive content (relating to, for example, child support, employment, health, Indigenous affairs, and immigration). The sheer breadth of data to which the scheme could apply, and the corresponding considerable extent of the potential interference with the right to privacy, means that the measure would need to be accompanied by stringent safeguards, oversight and review mechanisms. As set out above, it is not clear that the safeguards built into the scheme would be sufficient. In particular, the three data sharing purposes are broadly framed and would appear to capture a very wide range of purposes, and no guidance exists (or is required as a matter of law) to assess the extent to which the requirement that data sharing reasonably be expected to serve the 'public interest' is met. It remains unclear when it would be considered 'unreasonable or impracticable' to seek the consent of affected individuals in terms of sharing their personal information. It would also appear that the bill may permit the sharing of personal information in a potentially wide range of circumstances (being to support the delivery of government services), and although there appear to be some established data protection conventions which apply to data integration projects, there is no explicit requirement that data only be shared in a de-identified way where it is possible to do so. Questions also remain as to the circumstances in which output data may be provided to third parties outside the scheme, and the protections which would apply to it in those circumstances. Further, in terms of monitoring scheme participants, it would appear that the mechanisms built into the scheme could be further strengthened such that entities must be required to provide information on an ongoing basis to justify their continued suitability for accreditation under the scheme. Additionally, noting the advice that the Commissioner could investigate individual complaints made to them about the scheme, it is not clear why the bill itself does not establish a formal framework to facilitate this.

2.67 Having regard to these matters, the question of whether a less rights restrictive alternative could achieve the objective of the measure is significant. In this regard, no information has been provided to demonstrate that a less rights restrictive mechanism—such as amending individual pieces of legislation to invoke this data sharing scheme—would not be equally as effective to achieve the scheme's objectives. The fact that this may be a complex undertaking does not, itself, indicate that it would not be effective to achieve the objective of facilitating controlled access to public sector data, particularly noting that no evidence has been presented identifying some urgency as to introducing a data-sharing scheme. As a result, it is not clear that this data sharing scheme would constitute a permissible limitation on the right to privacy.

Committee view

2.68 The committee thanks the minister for this response. The committee notes that the bill seeks to establish a legislative framework, that overrides existing laws, to facilitate the sharing of, and controlled access to, public sector data held by Commonwealth bodies with accredited entities.

2.69 The committee notes that, in doing so, the measure engages and limits the right to privacy. The committee notes that this right may be subject to permissible limitations if they are shown to be reasonable, necessary and proportionate.

2.70 The committee notes that this data sharing scheme is intended to facilitate greater data availability and use, in order to support economic and research opportunities, and streamline government service delivery. Noting the recent pressures placed on public service delivery following the 2020 bushfire season and the COVID-19 pandemic, greater data sharing is likely to support a 'tell us once' approach to public service delivery. The committee considers that these are important objectives, and that the measure appears likely to be capable of achieving them.

2.71 However, the committee retains concerns that this scheme, as drafted, may not be a proportionate means by which to achieve those objectives. The committee considers that the breadth of Commonwealth public sector data to which the scheme could apply, and the corresponding considerable extent of the potential interference with the right to privacy, means that the measure would need to be shown to be accompanied by stringent safeguards, oversight and review mechanisms. The committee is concerned that while the bill contains some important safeguards to help protect the right to privacy, it has not been clearly established that these safeguards are sufficient. In particular, the committee notes that the bases on which personal data may be shared are broadly framed and would capture a wide range of purposes. The committee is also concerned that there is no legislative guidance as to when data sharing could reasonably be expected to serve the 'public interest', and no requirement that privacy considerations are considered in this process. The committee is also concerned that there is no explicit requirement in the bill that, where it is possible to do so, information is shared only in a way that does not allow for the identification of an individual.

2.72 The committee is particularly concerned that under clause 23 of this bill, authorisation under this overarching legislation would override any existing Commonwealth, State or Territory law that restricts or prohibits disclosure of personal information. As such, this scheme would permit a Commonwealth body to disclose personal data regardless of any law that currently prohibits this, and without parliamentary oversight of the specific privacy implications of sharing that type of data. This would also mean that the value of any future data protection or secrecy provisions in specific legislative contexts (aside from those related to law-enforcement and national security) would all need to be assessed having regard to the operation of this scheme. While sharing data in some contexts may have limited privacy implications, there may be other data (such as health data) which if shared using this umbrella type legislation may have significant privacy implications. Accordingly, in assessing proportionality, it is necessary to consider if there are less rights restrictive alternatives which would be effective to achieve the goals of this scheme. In this regard, no information has been provided to demonstrate that a less rights restrictive mechanism—such as amending individual pieces of legislation to invoke this umbrella data sharing scheme—would not be equally as effective to achieve the scheme's objectives. While the committee appreciates that this may be a complex undertaking, this does not, itself, indicate that it would not be effective to achieve the objective of facilitating controlled access to public sector data. As a result, the committee considers it has not been established that this data sharing scheme would constitute a permissible limitation on the right to privacy.

2.76 The committee draws these human rights concerns to the attention of the minister and the Parliament.

[1] This entry can be cited as: Parliamentary Joint Committee on Human Rights, Data Availability and Transparency Bill 2020, Report 4 of 2021; [2021] AUPJCHR 40.

[2] Parliamentary Joint Committee on Human Rights, Report 2 of 2021 (24 February 2021),

pp. 5-18.

[3] Chapter 1, Part 1.2, subclause 11(2). Per subclause 11(3), Commonwealth entities which operate in national security and intelligence (including the Australian Security Intelligence Organisation and the Office of National Intelligence) are excluded from the definition of 'data custodian'.

[4] An entity may be accredited as either a 'user' or 'data service provider' if the National Data Commissioner is satisfied that they meet the criteria for accreditation. See, Chapter 5, Part 5.2, clause 74.

[5] Chapter 1, Part 1.2, subclause 10(5).

[6] Chapter 1, Part 1.2, subclause 10(2). This subclause notes that 'public sector data' includes: accredited data service provider-enhanced data; and output of which a Commonwealth body is declared by a data sharing agreement to be the data custodian.

[7] Chapter 5, Part 5.2, clause 74. See also, explanatory memorandum, p. 47.

[8] Explanatory memorandum, p. 4.

[9] Chapter 2, clause 15. Subclause 15(2) states that the sharing of data for enforcement-related purposes, or a purpose which relates to, or prejudices, national security, or a purpose prescribed by rules, is precluded.

[10] Chapter 2, clause 16.

[11] Clause 17 of the bill proposes that sharing of data would be excluded from the scheme in a number of specified instances, including where: it relates to national security or law enforcement; would contravene or infringe rights such as intellectual property; the sharing would be inconsistent with Australia's obligations under international law; the data is being held as evidence before a court, or subject to court/tribunal orders; or it is prohibited under regulations.

[12] Chapter 2, clauses 18–19.

[13] Chapter 3, Part 3.3.

[14] Chapter 2, subclauses 14(1) and (3).

[15] Chapter 2, subclauses 14(2) and (4).

[16] Chapter 4, Part 4.2, see, clause 4.

[17] Chapter 5, Part 5.5.

[18] The sharing of data for an enforcement-related purpose, a purpose relating to or prejudicing national security, or a purpose prescribed by the rules, would be precluded under this scheme. See, Chapter 2, subclause 15(2). See also, Chapter 1, Part 1.2, subclause 11(3), which excludes specific entities from participation in the scheme.

[19] Chapter 1, Part 1.2, subclauses 10(2) and (5).

[20] Explanatory memorandum, p. 16.

[21] Chapter 2, clause 23.

[22] International Covenant on Civil and Political Rights, article 17.

[23] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy) (1988) [3]-[4].

[24] The UN Human Rights Committee further explains that this right is required to be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons: General Comment No. 16: Article 17 (Right to Privacy) (1988).

[25] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy)

(1988) [4].

[26] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy)

(1988) [10].

[27] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy)

(1988) [8].

[28] The minister's response to the committee's inquiries was received on 11 March 2021. This is an extract of the response. The response is available in full on the committee's website at: https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Human_Rights/Scrutiny_reports.

[29] Department of the Prime Minister and Cabinet, The Australian Government’s response to the Productivity Commission Data Availability and Use Inquiry (2018) p. 11.

[30] Clause 3.

[31] See further Royal Commission into National Natural Disaster Arrangements, Interim observations, 31 August 2020.

[32] Subclause 15(4); Data Availability and Transparency Bill Explanatory Memorandum (EM) para 112.

[33] Paragraph 17(2)(b); Data Availability and Transparency Bill EM paras 144-145.

[34] Subclause 15(3); Data Availability and Transparency Bill EM para 111.

[35] Clause 27.

[36] Privacy Act 1988 s. 2A(b).

[37] Clauses 30-31.

[38] Paragraph 78(2)(c).

[39] Subclause 87(1); clauses 101, 109-110.

[40] Part 3.3; clauses 107-108; Data Availability and Transparency (Consequential Amendments) Bill, items 6-8.

[41] Clauses 107-108.

[42] Complaints may also be made to State or Territory privacy regulators, if related to an accredited entity that is a State or Territory government authority.

[43] Subclause 16(8).

[44] Subclause 16(7).

[45] Paragraph 16(2)(d); clauses 29, 86.

[46] Subclauses 16(7)-(8); paragraph 16(10)(b).

[47] Subclauses 13(3) and 19(10).

[48] Productivity Commission, Data Availability and Use (2017) (PC Inquiry) pp. 331-333.

[49] Subclause 17(4); Data Availability and Transparency Regulations Exposure Draft, September 2020.

[50] Australian Law Reform Commission, Secrecy Laws and Open Government in Australia, Report No 112, December 2009.

[51] With respect to the scope of the explicit preclusion of sharing data for enforcement-related purposes, the minister clarified the Australian Federal Police (AFP) could have restricted participation in the scheme. The AFP could be accredited as a user, but not as part of policing activities targeting particular individuals. It could only collect and use data to undertake research, or to inform policies and programs related to law enforcement. Further, as a data custodian, the AFP would also be able to share its own non-operational data with other accredited entities. This would appear to constrain the manner in which the AFP could participate in this scheme (should it participate) and ensure that this scheme could not be used to share data within the immediate context of detecting, investigating or prosecuting criminal conduct.

[52] In this regard, it is noted that existing Australian legislation does provide examples of relevant and irrelevant factors where assessing the disclosure of information in the context of the public interest. See, for example, Freedom of Information Act 1982, section 11B.

[53] See clause 27.

[54] See Senate Standing Committee for the Scrutiny of Bills, Scrutiny Digest 5 of 2021 (17 March 2021) p. 37.

[55] In this regard, the Office of the Australian Information Commissioner website provides a brief overview of the different types of consent which may be required with respect to the handling of personal information, what consent requires (e.g. voluntary, informed, current and specific), and how that consent may be withdrawn. See, https://www.oaic.gov.au/privacy/ your-privacy-rights/your-personal-information/consent-to-the-handling-of-personal-information/ (accessed 18 March 2021).

[56] See subclause 11(2).