Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests
Purpose | This bill seeks to authorise and regulate controlled access to Australian Government data to promote better availability and use of government data, empower the government to deliver effective policies and services, and support research and development
Portfolio | Government Services
Introduced | House of Representatives on 9 December 2020
1.8 The bill seeks to establish a new scheme authorising sharing of public sector data between accredited entities, for the purposes of delivering government services and supporting research and development. Subclause 10(2) defines ‘public sector data’, which includes data that is collected, created, or held by a Commonwealth body, or on its behalf, as well as ‘personal information’ and ‘sensitive information’, as defined by the Privacy Act 1988, and other types of data.[7] As a result, the committee considers that the scheme, in enabling the sharing of data, including personal information, has the potential to trespass on an individual's right to privacy.
1.9 Clause 16 establishes data sharing principles, which are intended to manage risks of sharing public sector data. The principles are structured to support data custodians to consider risks arising across five key elements of the data sharing process: the proposed project, the setting in which data is shared and accessed, and the persons, data and outputs involved.[8] Where the data being shared includes personal information, paragraph 16(2)(c) requires consent for sharing to be sought from the individuals concerned unless it is unreasonable or impracticable for the data scheme entities to do so.[9] The explanatory memorandum explains:
The standard of consent required is that set by the Privacy Act. The ‘unreasonable or impracticable’ language is drawn from section 16A of that Act, and should be interpreted using relevant guidance on consent made by the Australian Information Commissioner.
The question of whether seeking consent is reasonable or impracticable may depend on the amount, nature and sensitivity of the data involved, and whether individuals gave informed consent for uses including the proposed sharing at the point the data was originally collected. Where it is unreasonable or impracticable to seek consent, parties must still consider implementing other controls to protect privacy, under this and other data sharing principles.[10]
1.10 The committee is concerned that there is a significant amount of flexibility in the meaning of ‘unreasonable or impracticable’ in this context, and that this may undermine the effectiveness of clause 16 as a safeguard against undue trespass on the privacy of individuals whose data may be shared under the scheme. The committee also notes that, while the data principles contemplate minimising the sharing of personal information as far as possible and sharing only the data reasonably necessary to achieve an applicable purpose,[11] there are no requirements for sharing only de‑identified data in the principles or elsewhere in the bill.
1.11 Further, paragraph 16(2)(a) requires a judgement to be made about whether the sharing can reasonably be expected to serve the public interest. The committee notes that ‘public interest’ is also not defined in the bill, and the explanatory memorandum does not provide guidance about the factors that might be considered when evaluating public interest for the purposes of data sharing. In contexts where commercial and economic interests may be considered to factor into the ‘public interest’, the committee is concerned that privacy interests are not clearly central to the operation of the scheme.
1.12 The committee also notes that the application of the data sharing principles will be clarified in ‘data codes’, legislative instruments made by the Data Commissioner that serve as binding codes of practice for the data sharing scheme. The explanatory memorandum notes:
a data code may set out how data scheme entities are to apply data definitions in clause 10, or comply with requirements for sharing in Chapters 2 and 3. This could include prescribing how to apply the data sharing principles in different situations, such as when sharing via an ADSP [Accredited data service provider], or assess requests against the data sharing purposes. Use of data codes in this manner will clarify core requirements for sharing, and standardise their application by data scheme entities.[12]
1.13 The committee's view is that significant matters, such as privacy safeguards for data sharing, should be included in primary legislation unless a sound justification for the use of delegated legislation is provided. In this instance, while the explanatory memorandum explains the approach of using legislative instruments rather than regulations to establish data codes, there is no explanation of why these matters cannot be included in primary legislation.
1.14 Clause 15 establishes permitted data sharing purposes, which are: delivery of government services, to inform government policy and programs, and research and development. These purposes are not clearly defined; rather, the explanatory memorandum emphasises that the purposes are to be construed broadly:
Sharing to inform design and implementation of government policy and programs is permitted under subclause (1)(b). Both terms should be construed broadly, using their ordinary meaning. For instance, a ‘government policy’ is a rule or principle that guides government decisions, usually related to a specific topic such as education. Similarly, a ‘government program’ refers to an organised system of services, activities, or opportunities to achieve a goal or outcome. [13]
1.15 The committee notes that a broad construction of the permitted purposes for data sharing risks interpretations which may unduly trespass on privacy. The bill seeks to manage this risk in paragraph 15(2)(c) which enables the minister to make rules prescribing ‘precluded purposes’. As noted above, the committee's view is that significant matters, such as privacy safeguards and the permissible scope for sharing personal information, should be included in primary legislation unless a sound justification for the use of delegated legislation is provided. In this instance, the explanatory memorandum states that ‘this approach is intended to manage unintended expansions or interpretations of clause 15, and to ensure the scheme continues to operate as intended and in line with community expectations.’ [14]
1.16 The committee’s scrutiny concerns in this regard are heightened by the breadth of the application of the bill, in particular that data may be shared with private sector entities with no requirements that the safeguards that apply to, for example, university research, apply to these entities.
1.17 Given the potential impact on an individual's right to privacy as a result of the use and disclosure of personal information under the proposed data sharing scheme, the committee requests the minister’s advice as to whether the bill can be amended to:
• include a public interest test which prioritises privacy interests in decision-making under the scheme;
• provide guidance on the face of the bill about the circumstances in which it will be ‘unreasonable or impracticable’ to seek an individual’s consent for sharing their personal information;
• require that, where possible, data that includes personal information is shared in a de-identified way;
• clarify the scope of the permitted data sharing purposes, and include guidance on the face of the bill about precluded purposes; and
• provide minimum standards for ethics approvals for private entities seeking to use data that includes personal information.
1.18 The committee also notes that decisions about data sharing made by Commonwealth bodies that are data custodians under the bill will not be subject to internal or external merits review under the data sharing scheme. The explanatory memorandum states:
Data sharing decisions by data custodians will not be reviewable on their merits under this scheme. Such decisions are best made by data custodians as they have a full understanding of the risks of and public interest in sharing their data.[15]
1.19 Noting that privacy interests may be affected by decisions made by data custodians under the scheme, it is not clear to the committee why individuals whose privacy interests may be affected should not have access to merits review. The committee notes that, as many decisions under the scheme will affect individual interests as a class, most individuals will be excluded from the initial decision making process. As discussed above, the lack of clarity around certain terms in the data sharing principles and purposes illustrates the broad scope for discretionary decision-making by the data custodians. The committee is concerned that there is a risk that individuals’ interests in their personal information being kept private may not be given sufficient weight in an evaluation of public interest. Further, it does not appear that the Commonwealth entity making initial decisions with respect to sharing of data must consult experts or seek other external input.
1.20 The committee also notes that under the complaints mechanism established in Division 1 of Part 5.3, only data scheme entities may make a complaint. The explanatory memorandum states:
While this mechanism is for data scheme entities, it does not prevent other entities contacting the Commissioner through administrative channels or complaining about data scheme entities’ activities through existing legal mechanisms. For instance, a person may complain to the Australian Information Commissioner about mishandling of their personal information, under the Privacy Act.[16]
1.21 However, it is unclear to the committee why persons with privacy complaints must make complaints through a separate mechanism. The committee is concerned that establishing a narrowly focused complaints mechanism may result in the Data Commissioner rarely or never hearing privacy complaints, which may result in privacy concerns not being given adequate consideration in decision making under the scheme.
1.22 The committee also notes that, as similarly described above at [1.12], much of the detail about the complaints process under the data sharing scheme is left to data codes, legislative instruments made by the Data Commissioner.[17]
1.23 The committee therefore requests the minister’s advice as to why individuals whose privacy interests may be affected by the data sharing scheme should not have access to merits review and the dedicated complaints process established in Division 1 of Part 5.3.
1.24 Clause 14 of the bill creates new criminal offences for sharing data in an unauthorised manner. The maximum penalty for both offences is imprisonment for 2 years. Subclause 104(3) also creates an offence for failing to comply with a notice to provide information or documents, which is subject to a maximum penalty of imprisonment for 12 months.
1.25 The committee's expectation is that the rationale for the imposition of significant penalties, especially if those penalties involve imprisonment, will be fully outlined in the explanatory memorandum. In particular, penalties should be justified by reference to similar offences in Commonwealth legislation. This not only promotes consistency, but guards against the risk that liberty of the person is unduly limited through the application of disproportionate penalties. In this regard, the committee notes that the Guide to Framing Commonwealth Offences states that a penalty ‘should be consistent with penalties for existing offences of a similar kind or of similar seriousness. This should include a consideration of... other comparable offences in Commonwealth legislation.’[19]
1.26 In this instance, the explanatory memorandum provides the following explanation of the penalties in both clause 14 and clause 104:
The consequences for breach of a civil penalty or criminal offence provision in this Bill – up to 300 penalty units or up to two years imprisonment, respectively – align with similar laws and the Guide to Framing Commonwealth Offences. Consistent with the Guide, the Bill sets maximum penalties; a court will determine what is appropriate on a case-by-case basis. The maximums set by this clause balance the penalties in more established frameworks, such as the Privacy Act, with more contemporary offences for mishandling government and consumer data. This approach is in keeping with the intent for this scheme to align with other applicable frameworks, without duplicating them, as well as with community expectations.[20]
1.27 With respect to clause 104, the explanatory memorandum also states:
Having penalties available for failure to comply with requests relating to investigations is appropriate given delays in identifying and rectifying non-compliance may have serious implications for people or things to which shared data relates. [21]
1.28 The committee acknowledges the importance of providing robust safeguards against the misuse of data under the new scheme, and notes that other Commonwealth legislation imposes comparable penalties for offences relating to the use and disclosure of sensitive data. However, given the significance of the penalties that may be imposed under proposed clauses 14 and 104, the committee would expect a comprehensive justification for the penalty in each of those provisions to be included in the explanatory memorandum.
1.29 The committee draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of the justification for the maximum penalties imposed by clauses 14 and 104.
1.30 The bill contains a number of clauses that provide for matters relating to the accreditation of entities under the data sharing scheme to be provided for in the rules (that is, in delegated legislation).[23] Clause 86 enables rules to be prescribed for the accreditation framework, providing for procedures, requirements and any other matters relating to the accreditation of entities for the purposes of the data sharing scheme.
1.31 The committee's view is that significant matters, such as the accreditation of entities for the purposes of sharing public sector data (which may include personal information), should be included in primary legislation unless a sound justification for the use of delegated legislation is provided. In this instance, the explanatory memorandum contains no justification regarding why it is necessary to allow such significant matters to be set out in delegated legislation.
1.32 The committee’s scrutiny concerns in this regard are heightened by the extent to which the bill relies on delegated legislation to determine the scope and operation of the data sharing scheme, especially in relation to privacy protections, as discussed above at [1.12] to [1.14] and [1.23].
1.33 In light of the above, the committee requests the minister's detailed advice as to:
• why it is considered necessary and appropriate to leave procedures, requirements and other matters relating to the accreditation of entities for the purposes of the data sharing scheme to delegated legislation;
• whether the bill can be amended to include at least high-level guidance regarding these matters on the face of the primary legislation.
1.34 Clauses 109 and 110 seek to trigger the monitoring and investigation powers under the Regulatory Powers (Standard Provisions) Act 2014. Subclauses 109(4) and 110(3) provide that an authorised person may be assisted by 'other persons' in exercising powers or performing functions or duties in relation to monitoring and investigation. The explanatory memorandum does not explain the categories of 'other persons' who may be granted such powers and the bill does not confine who may exercise the powers by reference to any particular expertise or training.
1.35 The committee's consistent scrutiny position in relation to the exercise of coercive or investigatory powers is that persons authorised to use such powers should have the appropriate training and experience.
1.36 The committee therefore requests the minister's advice as to:
• why it is considered necessary and appropriate to allow any 'other person' to assist an authorised person in exercising monitoring and investigatory powers; and
• whether the bill can be amended to require that any person assisting an authorised person have the knowledge and expertise appropriate to the function or power being carried out.
1.37 Clause 136 establishes the geographic jurisdiction of civil penalty provisions and offences in the bill, by providing that the bill may apply extraterritorially where there is a sufficient link between Australia and the matter. Proposed subclauses 136(2) and (3) provide exceptions (offence-specific defences) for foreign entities if there is no Australian connection (territorial or nationality) and the conduct is lawful in the foreign jurisdiction in which it occurred.
1.38 At common law, it is ordinarily the duty of the prosecution to prove all elements of an offence.[26] This is an important aspect of the right to be presumed innocent until proven guilty. Provisions that reverse the burden of proof and require a defendant to disprove, or raise evidence to disprove, one or more elements of an offence, interfere with this common law right.
1.39 While in this instance the defendant bears an evidential burden (requiring the defendant to raise evidence about the matter), rather than a legal burden (requiring the defendant to positively prove the matter), the committee expects any such reversal of the evidential burden of proof to be justified. The reversals of the evidential burden of proof in clause 136 have not been addressed in the explanatory materials.
1.40 As the explanatory materials do not address this issue, the committee requests the minister's advice as to why it is proposed to use offence-specific defences (which reverse the evidential burden of proof) in this instance. The committee's consideration of the appropriateness of a provision which reverses the burden of proof is assisted if it explicitly addresses relevant principles as set out in the Guide to Framing Commonwealth Offences.[27]
[5] Clauses 15, 16 and 88. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).
[6] Clauses 15, 126 and 133. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(iv).
[7] Explanatory memorandum, p. 16.
[8] Explanatory memorandum, p. 23.
[9] Explanatory memorandum, p. 24.
[10] Explanatory memorandum, p. 24.
[11] See subclause 16(8).
[12] Explanatory memorandum, pp. 75-76.
[13] Explanatory memorandum, p. 22.
[14] Explanatory memorandum, p. 23.
[15] Explanatory memorandum, p. 10.
[16] Explanatory memorandum, p. 57.
[17] Clause 126.
[18] Clauses 14 and 104. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).
[19] Attorney-General's Department, Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 39.
[20] Explanatory memorandum, p. 21.
[21] Explanatory memorandum, p. 63.
[22] Clause 86. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(iv).
[23] See clauses 77, 86, 137 and 139.
[24] Clauses 109 and 110. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(ii).
[25] Clause 136. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).
[26] Subsection 13.3(3) of the Criminal Code Act 1995 provides that a defendant who wishes to rely on any exception, exemption, excuse, qualification or justification bears an evidential burden in relation to that matter.
[27] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, pp 50-52.
URL: http://www.austlii.edu.au/au/other/AUSStaCSBSD/2021/3.html