By Dr Drew Donnelly, Compliance Quarter.
Over the last couple of weeks we have asked the question ‘Is your business prepared for roll out of the Notifiable Data Breaches Scheme?’ and discussed the impact that recent changes to European Union (EU) privacy laws may have on businesses that hold information on EU citizens. Today, we look at a proposed change to data regulation in Australia that would see individual privacy playing a more muted role in a new comprehensive consumer right to data.
This right is proposed in the Productivity Commission’s Inquiry Report into Data Availability and Use. For the full 658-page report see http://www.pc.gov.au/inquiries/completed/data-access/report/data-access.pdf.
Australia’s under-utilised resource
The Productivity Commission (the Commission) observes that Australia is behind other countries with similar governance arrangements (such as New Zealand and the United Kingdom) when it comes to utilising data. This, the Commission suggests, applies equally in the case of public data (such as information-matching between government departments) and private data (such as consumer financial data held by banks). The Commission suggests a deep overhaul of data management is required if Australia is to arrest this trend. On page 12 of the Report the Commission describes the situation as follows:
“The legal and policy frameworks under which public and private sector data is collected, stored and used (or traded) in Australia are ad hoc and not contemporary. Privacy has carved out a space, but privacy is only one aspect of data use, and a defensive one at that.”
The cornerstone of the proposed regime would be new federal legislation containing:
- A new comprehensive data right for consumers.
- A new structure for data sharing and release. This structure would make access to and release of data more closely aligned with the risks associated with release of that data.
Today we look at the proposed comprehensive data right.
The Comprehensive Right
The new right would mean that consumer data would have to be provided to consumers on request, or to designated third parties. It would also mean a right to request edits or corrections of inaccurate data and to be informed of disclosure of data to third parties.
Note that this new right will not necessarily include ‘imputed data’ of the data holder. ‘Imputed data’ is data recorded about a person but not collected from them or considered to be identifiable. For example, this could include data held by a lender about the difficulty of an individual paying a debt by virtue of their age or marital status. As this data is created from the business’s own expertise and processes, it could be considered property of the business. Inclusion of this data in consumer data will depend on industry-negotiated agreement.
The Commission acknowledges that a mandated requirement to provide consumer data could be costly for businesses, and in light of this, the Commission recommends that businesses be permitted to charge a fee for access to the data.
Related to this new comprehensive data right is a Commission recommendation that there be mandatory comprehensive credit reporting. This would require, for example, the sharing of a positive repayment history in an individual’s credit data.
Next steps
It must be emphasised that the Commission’s report simply provides recommendations. It will be up to the Government itself to determine whether any of them are adopted and implemented. The Federal Government has established a cross-portfolio taskforce to determine its response. Already, however, the Government has announced one change in line with the Commission’s recommendations. At the same time as Federal Budget 2017, the Government committed to legislating a comprehensive credit reporting regime if providers do not report at least 40 per cent of their data by the end of 2017.