|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Australian Parliamentary Joint Committee on Human Rights |
|
Purpose
|
This legislative instrument makes transitional arrangements for the data
sharing scheme established by the Data Availability and Transparency Act
2022 by prescribing six Australian entities as transitional entities, which
are taken to be accredited data service providers for the
purposes of the Act
for a limited transition period
|
|
Portfolio
|
Finance
|
|
Authorising legislation
|
|
|
Last day to disallow
|
15 sitting days after tabling
|
|
Right
|
Privacy
|
1.151 This legislative instrument prescribes six entities[2] as transitional entities for the purposes of the data sharing scheme established by the Data Availability and Transparency Act 2022 (the Act). Transitional entities are taken to be accredited data service providers (ADSPs) for the purposes of the Act for a transition period (up to
30 July 2025).[3]
1.152 Under the Act, departments and agencies that control Australian Government data are treated as ‘data custodians’ and may share the data they control with ‘accredited users’ under a data sharing agreement. This data may be shared through an ADSP, which acts as an intermediary. An ADSP is a provider that is meant to have 'particular expertise in data sharing and the provision of data services',[4] and may provide: de‑identification data services; secure access data services; and complex data integration services.[5] Consequently, this measure has the effect that these six entities may facilitate the sharing of Australian Government data during the transitional period.
1.153 By authorising the provision of controlled access to Australian Government data to the six prescribed entities until 30 July 2025, this measure engages and limits the right to privacy.
1.154 The right to privacy is multi-faceted. It comprises respect for informational privacy, including the right to respect for private and confidential information, particularly the storing, use and sharing of such information.[6] It prohibits arbitrary and unlawful interferences with an individual's privacy, family, correspondence or home.[7] This includes a requirement that the state does not arbitrarily interfere with a person's private and home life,[8] meaning that any interference with a person's privacy—including one provided for by law—should be in accordance with the provisions, aims and objectives of the International Covenant on Civil and Political Rights, and be reasonable in the particular circumstances.[9] It also includes the right to control the dissemination of information about one's private life, and requires that States Parties take effective measures to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorised by law to receive, process and use it.[10] It also requires that legislation must specify in detail the precise circumstances in which an interference with privacy will be permitted.[11] The right to privacy may be subject to permissible limitations where the limitation pursues a legitimate objective, is rationally connected to that objective, and is a proportionate means of achieving it.
1.155 The statement of compatibility identifies that this measure engages the right to privacy.[12] With respect to the objective of the measure, it states that if this instrument was not made, there would be no ADSPs in the data sharing scheme established by the Act until Australian entities were accredited as ADSPs by the Commissioner, meaning that departments and agencies with high levels of expertise would not be able to act as intermediaries in data sharing projects in the short term.[13] In this regard, the explanatory statement also states that ADSPs have particular expertise in data sharing and the provision of data services.[14]
1.156 To the extent that the scheme overall seeks to facilitate controlled access to public sector data for specific purposes, this would appear capable of constituting a legitimate objective. Further, to the extent that the prescription of these six entities as ‘intermediaries’ for a transitional period will facilitate such controlled data sharing, the measure would appear to be rationally connected to that objective.
1.157 The primary issue is whether this measure constitutes a proportionate means by which to achieve the stated objective, having regard to the extent of the interference with the right to privacy and the question of whether the measure is appropriately circumscribed. It is also necessary to consider the presence of safeguards, the possibility of oversight, the availability of review, and any less rights restrictive alternatives.
1.158 The statement of compatibility highlights several safeguards regulating the sharing of information under the scheme. It states that a transitional entity taken to be an ADSP may only collect and use shared data as authorised by section 13B of the Act.[15] This includes the requirement that a transitional entity may only collect and use personal information as an ADSP if it is subject to privacy obligations in relation to the information.[16] It further notes that personal information may only be shared under the Act if the sharing is consistent with the privacy protections in sections 16A and 16B of that Act. These protections: set out the requirements for: consent regarding the sharing of personal information; prohibit any personal information from being shared, stored, or accessed outside Australia; and require that any
de-identified data remains de-identified. However, the Act also establishes that there are circumstances where the sharing of data may be permitted despite these restrictions, such as where it has been deemed 'unreasonable or impracticable' to seek the relevant person's consent.[17]
1.159 The statement of compatibility further notes that the prescription of these transitional entities cannot extend beyond 30 July 2025.[18] It states that each transitional entity has been assessed under non-statutory arrangements as being suitable to perform data services in relation to Australian Government data. It also notes that the Commissioner has regulatory oversight over these entities and, if necessary, the Commissioner may vary, suspend or cancel their ADSP accreditation.[19] This oversight has the capacity to serve as an important safeguard. However, were such disciplinary responses to take place once a breach of privacy has occurred, this would not assist with the interference with a person's privacy.
1.160 In addition, the statement of compatibility states that all data sharing under the Act must be consistent with the Privacy Act 1988.[20] To the extent that this requirement is enforced in practice (before the sharing of personal information has occurred, and the corresponding interference with privacy has taken place), this has the capacity to serve as a safeguard.
1.161 The above safeguards assist the proportionality of the measure with respect to the right to privacy to varying degrees. However, the extent to which this measure is likely to constitute a proportionate limit on the right to privacy also depends on whether the data-sharing scheme itself constitutes a proportionate limit on the right to privacy.[21] In this regard, what kinds of data, the sharing of which these entities may facilitate as transitional ADSPs, is unclear. It is also unclear whether such data could include personal information that may be identifiable. The statement of compatibility does not provide examples of potential or anticipated data-sharing agreement projects to which these six entities may be party. Further, the statement of compatibility specifically identifies the relevance of the right to privacy as it applies to children under the Convention on the Rights of the Child.[22] However, it does not particularise whether (for example) the prescription of these six entities may have the effect of facilitating the sharing of particular information that relates to children, or whether it may facilitate data-sharing agreements that may have a particular impact on children.
The committee notes that authorising the provision of controlled access to Australian Government data to six entities as prescribed by these rules, engages and limits the right to privacy.
1.162 The committee considers further information is required to assess the compatibility of this measure with this right, and as such seeks the minister's advice as to:
(a) the type of data, the sharing of which these prescribed entities may facilitate as ADSPs, and whether this could include personal information that may be identifiable; and
(b) whether the prescription of these six entities may have particular implications with respect to the right to privacy as it applies to children (including, whether this measure may have the effect of facilitating the sharing of particular information that relates to children, or whether it may facilitate data-sharing agreements that may have a particular impact on children).
1.163 The committee further notes, more broadly, that it raised numerous concerns about the bill (now Act) which established this scheme (the Data Availability and Transparency Bill 2022), particularly with respect to the right to privacy.[23] The committee notes that 251 amendments were made to the bill after it had been considered by the committee, meaning that it is challenging to determine whether, and to what extent, the data-sharing scheme, as implemented, reflects the committee's previous concerns. The committee considers that a comprehensive understanding of the entire data-sharing scheme is necessary in order for it to assess the compatibility of this legislative instrument with the right to privacy.
1.164 Noting the complexity of the scheme, the committee intends to write to the minister asking departmental officials to provide a briefing to the committee secretariat about how the scheme as a whole operates, whether the amendments to the bill establishing the scheme have addressed the committee's previous concerns, and the interaction of this legislative instrument with the scheme as a whole.
[1] This entry can be cited as: Parliamentary Joint Committee on Human Rights, Data Availability and Transparency (Consequential Amendments) Transitional Rules 2022 [F2022L01260], Report 6 of 2022; [2022] AUPJCHR 52.
[2] Australian Bureau of Statistics, Australian Institute of Family Studies, Australian Institute of Health and Welfare, Commonwealth Social Services Department (DSS), Queensland Treasury, and Victorian Department of Health, see section 7.
[3] Section 7.
[4] Explanatory statement, p. 1.
[5] Data Availability and Transparency Act 2022 (Data Availability and Transparency Act), sections 16C–16D. This instrument limits the types of services that some of these transitional entities may provide: DSS must not provide secure access services; Queensland Treasury must not provide secure access services and is limited in providing de-identification services; and the Victorian Department of Health is restricted in terms of any of the three services an ADSP can provide (in that any services must be provided by the Centre for Victorian Data Linkage). See, section 5.
[6] International Covenant on Civil and Political Rights, article 17.
[7] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy) (1988) [3]-[4].
[8] The UN Human Rights Committee further explains that this right is required to be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons: General Comment No. 16: Article 17 (Right to Privacy) (1988).
[9] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy)
(1988) [4].
[10] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy)
(1988) [10].
[11] UN Human Rights Committee, General Comment No. 16: Article 17 (Right to Privacy)
(1988) [8].
[12] Statement of compatibility, pp. 8–9.
[13] Statement of compatibility, p. 9.
[14] Explanatory statement, p. 1.
[15] Statement of compatibility, p. 9.
[16] Data Availability and Transparency Act, subsection 13B(3) and section 16E.
[17] Data Availability and Transparency Act, section 16B.
[18] The explanatory statement states that it is expected that the six entities will apply to the Commissioner for accreditation as ADSPs within this period. See, p. 2.
[19] Statement of compatibility, p. 9.
[20] Data Availability and Transparency Act, subsection 17(5).
[21] The committee published its consideration of the bill that gave effect to this scheme—the Data Availability and Transparency Bill 2022—in its scrutiny Report 2 of 2021 and Report 4 of 2021. At that time, the committee retained concerns that this scheme, as drafted, may not be a proportionate means by which to achieve its objectives. However, when that bill was passed by the Parliament, it included 251 amendments which were not considered by this committee.
[22] Statement of compatibility, p. 8.
[23] The committee published its consideration of the bill that gave effect to this scheme—the Data Availability and Transparency Bill 2022—in its scrutiny Report 2 of 2021 and Report 4 of 2021. At that time, the committee retained concerns that this scheme, as drafted, may not be a proportionate means by which to achieve its objectives.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/other/AUPJCHR/2022/52.html