Pitched as necessary for our own safety, Scott Morrison’s Data Availability and Transparency Bill has experts reeling over the sheer lack of accountability within.
The Coalition government has found itself sitting upon a tonne of public sector data.
However, the constituency it currently governs is known to value its privacy. This was evidenced during the sustained 1980s campaign against the Australia Card identification scheme, which led to a watered-down tax file number alternative, accompanied by the passing of the Privacy Act 1988 (Cth).
So, that’s why the enhanced data sharing scheme set out in the Data Availability and Transparency Bill 2020 (the DATA Bill) is framed around public health and safety.
Indeed, in introducing it on 6 December, government services minister Stuart Robert cited the bushfires and COVID-19 as reasons behind it.
During his second reading speech on the bill, Robert posits that “the same seamless approach to government services” should always be available “not just in times of crisis”. “But, unfortunately, layers of old, contradictory rules and slow inconsistent ways of sharing data is stifling this potential.”
And what this tearing down of privacy protections is going to mean in real terms is that the government will be able to more easily collate citizens’ data, as it continues to construct the surveillance state, as well as turning a profit by sharing it with the private sector while it’s at it.
Sharing it around
“It’s kissing your privacy goodbye and trust that there won’t be data breaches, won’t be misused by government agencies, won’t be cheaply sold to the private sector,” said Dr Bruce Baer Arnold, adding there “won’t be real accountability” or any “strong sanctions if something goes wrong”.
And the Australian Privacy Foundation vice-chair further made clear that much of the citizens’ data that government proposes to share around was provided “on a mandatory basis”, which is in stark contrast to the information people readily share with social media companies.
The “controlled access” data scheme will be established under the supervision of the National Data Commissioner. And section 15 of the DATA Bill sets out three broad sharing aims: delivering of government services, informing government policy and programs, and research and development.
The scheme will involve commissioner-approved accredited users requesting data sharing via a data custodian – a federal agency holding data. The two entities will then enter into an official data sharing agreement, which will also be published on a public register.
“A salient issue is that it’s weakly controlled, with inadequate governance likely to be exploited by government agencies,” Dr Arnold told Sydney Criminal Lawyers. “Agencies regard themselves as owners – not custodians – and the individuals to whom the data relates have no ownership rights.”
The Morrison government also plans to remove the requirement that personal information should only be shared with the consent of the person it relates to, whether that data was provided willingly or on a mandatory basis.
Schedule 1 of the Privacy Act sets out 13 Australian Privacy Principles. The sixth principle stipulates that if an organisation has obtained information about a person for a primary reason, they cannot go on to disclose that data for another purpose unless it has the consent of the individual.
Section 16 of the DATA Bill establishes 12 data sharing principles based on the internationally recognised Five Safes framework: data is shared for a specific project with appropriate people into a controlled setting, with safeguards – including data minimisation – and agreed outcomes.
And subsection 16(2)(c) specifically casts out the need for consent, when it stipulates that “any sharing of the personal information of individuals is done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent”.
Dr Arnold outlined that existing consent measures are already weak, as they only require a person’s agreement to “undefined sharing with unidentified agencies”. And while government often says, “don’t worry: everything will be deidentified”, this isn’t guaranteed and it’s easily reversed.
Tell one, tell-all
Section 15 of the DATA Bill also sets out some precluded purposes for data sharing around law enforcement and national security. However, the approved data sharing purposes are so broad that one would presume that law enforcement and intelligence agencies will be able to get around this.
Another disturbing aspect to the scheme is the “tell us once” approach to service delivery, which means that if a citizen provides information to one government agency, all will receive it. This is supposed to avoid wasting time in having to provide it on numerous occasions.
Dr Arnold warned that while there’s a lot of talk about the proposed data sharing regime providing transparency, it’s certainly not transparency about government.
“It’s everyone being transparent – a digital Full Monty – to most government agencies,” he remarked.
What’s in it for Canberra?
“Another issue is that the new regime is being introduced at the same time as a major review of the Privacy Act” is underway, Dr Arnold added. And he questioned why the government couldn’t wait for it to be completed.
In response to a question about what’s to be gained by government enabling the overriding of basic privacy measures in order to allow for the greater flow of public data, the University of Canberra assistant law professor said there are three main objectives.
The first is getting rid of “existing weak restrictions” to sharing citizens’ data. The second is making money for both the public and private IT service sectors, and the third is that public sector data is the “last remaining Commonwealth asset” available to sell off.
“They’ve sold the buildings and state-owned enterprises,” Dr Arnold concluded. “Population-scale data – often more accurate than standard private sector surveys – is valuable and a wide range of businesses will pay for it.”