In our earlier article, The Productivity Commission’s proposed comprehensive consumer right to data, we looked at the new consumer right to data proposed in the Productivity Commission (the Commission) recent report on data availability and release. Today, we look at the second plank of the reform proposed by the Commission: The proposed scalable risk framework for data sharing and release.
By Dr. Drew Donnelly, Compliance Quarter.
Identified deficiencies in the current regulatory framework
Currently, data release is governed by privacy legislation (both at the federal and state levels), as well as a more than 500 secrecy provisions contained in vast array of subject-matter specific legislation. An example of such a secrecy provision is in section 135A of the National Health Act 1953 which prohibits the sharing of any information about individuals gathered under that Act, unless authorised by the Minister.
In the case of privacy legislation, the Privacy Act 1988 (Commonwealth) governs the collection, use and disclosure of personal information in Australia. It applies to all federal government bodies as well as many private businesses and not-for-profits. Among other things, this Act creates an obligation for data holders to deal with data in accordance with privacy principles set out in the Act. These principles identify, for example, the importance of ensuring personal information is collected fairly and lawfully and ensuring that reasonable steps are taken to delete or de-identify personal information when no longer needed.
The Commission argues that, taken together, existing privacy legislation and secrecy provisions have created a culture which is overly-restrictive when it comes to sharing and releasing data. It is not necessarily the letter of the law itself, but the fear of non-compliance which leads bodies to restrict access to data.
The proposed new focus (data sharing)
The Commission argues for statutory reform which would be more enabling of data sharing and release and would no longer treat those activities as necessarily risky. Part of this new approach is captured in the comprehensive consumer right that we discussed in our previous article, but it also includes a new “scalable, risk-based institutional framework to allow integration and sharing or release of Australia’s data” (p169).
In this framework, any risk of data release or misuse would be managed with reference to the nature of the actual data being held or released. For example, access to higher risk, identifying data would be restricted to a group of ‘trusted users’ only. Whereas low-risk data would be widely available and accessible.
The mechanics of the new framework
In order to facilitate this new framework, the proposed statutory reform would include:
- The establishment of a new federal position known as a ‘National Data Custodian’. The Office of the National Data Custodian would be responsible for providing national guidance on the release of data and would accredit subordinate bodies would be responsible for data release.
- The creation of a class of Accredited Release Authorities (ARA). This is the name given to those subordinate bodies approved by the National Data Custodian. In general, they are likely to be state and territorial public bodies and would not only provide access datasets, but also facilitate their linking and sharing.
- The National Data Custodian would lead a process for certain datasets to be identified as ‘National Interest Datasets’. These would be datasets of high value and significant national importance. The National Data Custodian would ensure that the designated ARA makes them widely available.
To see the Productivity Commission’s full report go to http://www.pc.gov.au/inquiries/completed/data-access/report/data-access.pdf.
And for further advice on the current rules relating to privacy and data protection feel free to contact us here at Compliance Quarter.