AustLII Home | Databases | WorldLII | Search | Feedback

University of New South Wales Law Journal Student Series

You are here:  AustLII >> Databases >> University of New South Wales Law Journal Student Series >> 2021 >> [2021] UNSWLawJlStuS 12

Database Search | Name Search | Recent Articles | Noteup | LawCite | Author Info | Download | Help

Penna, Justin --- "Is Australia's Statutory Regime For Privacy Protection Fit For The Purpose Of Regulating Public Agencies In The Era Of Big Data?" [2021] UNSWLawJlStuS 12; (2021) UNSWLJ Student Series No 21-12


IS AUSTRALIA’S STATUTORY REGIME FOR PRIVACY PROTECTION FIT FOR THE PURPOSE OF REGULATING PUBLIC AGENCIES IN THE ERA OF BIG DATA?

An examination into the Data Availability and Transparency Legislation.

JUSTIN PENNA

I INTRODUCTION

The era of big data analytics, artificial intelligence and machine learning is sculpting the present and future landscape of government decision-making. Despite this, while the manipulation and usage of data in the private sector has drawn significant regulatory focus, the stewardship of personal information and aggregated datasets in government agencies has not been closely tracked. This is not entirely without reason. Until the Productivity Commission’s 2017 data report,[1] there was little interest in streamlining information accessibility within government to better harness Australia’s vast data resources. Likewise, the prevalence of privacy challenges emanating from within many multinational corporations has often redirected focus from the public sector. However, the Australian government is now aware of the many strategic, economic, and scientific implications of data.

Given that the legislation recommended by the Productivity Commission – the ‘Data Availability and Transparency Legislation’ (‘DATL’) – will soon be in force, it is now especially urgent that Australia’s legislative framework for privacy protection is comprehensively reviewed. As the DATL’s real effect will be to drastically change procedures for ‘data sharing and release’,[2] it is necessary to closely examine whether this enlivened framework is also fit for the purpose of regulating government agencies and remedying breaches of privacy. In addition to examining this framework, it is also the intention of this essay to show that the discourse surrounding privacy and the purported information ‘rights’ that Australian individuals have, must change, to more accurately reflect the federal government’s intended data usage in future.

This essay will be broken into two sections. Section I will outline the current and changing context within which Australia’s privacy framework operates. By reference to the traditional scope of Australia’s key legislative pillar – the Privacy Act [3] it will be shown that the method of evaluating data usage in the public sector must be reconceptualised in the era of Big Data. This is to reflect the new reality of ‘Data as Decisions’,[4] and to properly account for the trend of western governments towards greater data sharing and information release.

In Section II, the DATL and its salient features will be outlined, again with a focus upon why there is a greater urgency to reconsider privacy regulation and the nomenclature of this discourse. This section will examine the practical effect of the DATL and provide an holistic overview of its fit within the extant framework. Likewise, the ramifications and issues in this proposed reform will be carefully considered from both a regulatory and practical recourse perspective. Finally, these issues will be considered by way of comparison to effective data regulation practices in the European Union.

As an integrated whole, this essay will argue that Australia’s privacy legislation is somewhat fit for the purpose of regulating government agencies in the era of complex data analytics and data sharing. In order to improve, the statutory model must update its theoretical underpinnings insistent on flexibility and a purposive approach to decision-making.

II SECTION 1: THE CHANGING CONTEXT OF AUSTRALIA’S PRIVACY FRAMEWORK

A The traditional, ‘principled’ privacy protection framework

The history of Australia’s privacy legislation, and the flawed system it embodies, can ultimately be traced to the reluctance of both the legislature and the judiciary to clearly define the parameters of privacy as a prescriptive right.[5] As far as the Common Law is concerned, there is no clear tort of privacy invasion, although it is arguable that its development has not yet been entirely precluded by the Courts.[6] Interestingly, the creation of such a tort was rejected by the ALRC in 1983 as it was considered to be ‘too vague and nebulous’.[7] This makes little sense given that the alternative statutory approach has provided far fewer remedial or regulatory certainties, as will be discussed. As such, the Australian approach to upholding a right to privacy, albeit a rather ‘nebulous’ one, has evolved from various ALRC inquiries throughout the 1980’s that culminated in the Privacy Act 1988 (Cth).

The Privacy Act’s passing gave effect to the Organisation for Economic Cooperation and Development’s (‘OECD’) privacy guidelines of 1980,[8] as well as to Article 17 of the International Covenant on Civil and Political Rights which was ratified in the same year. Although this effectively entrenched the broadly stated right that ‘no person shall be subjected to arbitrary or unlawful interferences with his privacy’,[9] it did, and has since done, very little to move on from a mere principled approach to privacy protection. Indeed, this was one of two substantial focuses of the ALRC in advocating the creation of the Privacy Act;[10] first, to establish a set of ten Information Privacy Principles (IPPs); and second, to appoint a Privacy Commissioner operating from within the Human Rights Commission.[11]

Herein, by establishing a set of IPPs that firmed the previously voluntary guidelines in place for privacy protection[12] – now reformed into the 13 Australian Privacy Principles (APPs)[13] – it was believed that public maladministration concerning the stewardship of personal information would be successfully staved. These amounted to modest improvements on a fragmented regulatory framework. In fact, these principles were preferred to various substantive reforms that were suggested at the time, such as the implementation of a license system for all databases containing personal information, or the requirement that notifications be given to persons affected adversely by information related decisions.[14]

Time has proven that the ALRC’s logic was both overly sensitive to the possibility of ‘legislative overkill’,[15] and inherently reductive. By rejecting various sensible, preventative measures, the ALRC has preferred a merely principled approach without standardised procedures for regulation and recourse.[16] Consequently, as Bygrave argues, this entrenchment of an ad-hoc and rather limited complaints-based system centred upon breach of the IPPs, assumed that individuals were alert to the guidelines and ‘keen to act in protection of their rights’.[17] In fact, by considering the sheer lack of volume of suits against the federal government for breach of these principles, there is far greater cause to believe that this is not the case.[18] Ultimately, from this genesis little has changed; the Privacy Act still lacks a prescriptive statement regarding a direct privacy right vested in the individual, and there are few correlative duties levied upon government agencies that are stated in positive terms.[19]

Despite this, those arguments in favour of a less prescriptive approach to privacy have had considerable merit, albeit mostly in the past. First, although the Privacy Act was conceived to build confidence in public administration through regulatory oversight, it was also of great importance that government agencies would not be fettered in their ability to effectively create and administer public policy. Undoubtedly, this must remain a core tenet of Australia’s privacy ideology. However, as will be shown, a more prescriptive, rights-based, privacy legislation, is necessitated by the very fact that the nature and context in which public policy is created and administered is changing drastically. Furthermore, as many legal theorists believe, a prescriptive approach to privacy ‘would be of limited utility’[20] as the list of valid exceptions to challenge ‘an unqualified right [to privacy]’[21] would be so extensive that the very coherence of the right itself would be substantially undermined. Likewise, the ALRC has argued that principles-based regulation is preferable due to its flexibility and technology-neutral stance.[22]

Nonetheless, where the Australia model cultivates a system that is ‘less [about] a substantive right than a procedural prescription’,[23] it is clear that changes are now necessitated by the current trends in government usage of data. It is a valid assumption that lawmakers, in good faith, intend to balance between ensuring adequate regulatory oversight of government agencies, and allowing for government agencies to function without being fettered. However, as Doyle and Bagaric argue, until lawmakers, and thus the entire discourse, attempt to properly understand the ‘essential nature of the right and where it ranks in relation to other interests’, a uniform privacy right or framework will not be developed in a manner that is fit for the purpose of regulating the government usage of data in the new digital age. [24]

B The changing nature of government data usage

1 The era of Big Data

In 2013, the Australian Government Information Management Office released its Big Data Strategy in an effort to prompt the better use of data assets held by government agencies.[25] Likewise, the Productivity Commission’s report into Data Availability and Use[26] indicated that a ‘cultural shift’ was necessary to better utilise public data assets and to prime analyses for the purpose of sharing information. As such, the enormous correlative power afforded by matching, linking, or otherwise combining voluminous public datasets is soon to be fully realised by the Australian public-sector. As Paterson and McDonagh comment, the associated speed and sophistication of Big Data Analytics (‘BDA’) will, as a standalone process, ‘predict or anticipate possible future events’[27] and thereby inform public agencies as to profitable or otherwise successful initiatives.

Likewise, government decision-making can then be targeted to ‘influence human behaviours, to inform and shape decisions relating to individuals.’[28] Accordingly, these trends toward BDA will inevitably be beneficial insofar as predicting disease or enabling more advanced medical research. In the context of the COVID-19 pandemic, big datasets have been manipulated for such ends. This was seen through the COVIDsafe app and the advent of contact tracing.[29] In this instance, personal interactions, location details and other personal/community data has been aggregated and stored by the Health Department and the Digital Transformation Agency (‘DTA’), to be analysed and stem the spread of the COVID-19 virus. Although the various derogations from the APPs involved in this process are likely legitimate in the context of the pandemic[30] – due to both legislative amendments[31] and the necessity of the government’s proportionate response to curb illness and death[32] – this recent use of BDA serves to indicate the drastic changes in data usage within the public sector.

Nevertheless, it is questionable whether our legislation is fit for the purpose of regulating this new era of data stewardship, given that it adopts an entirely outmoded taxonomy and theoretical underpinning. Because it was believed in the 1980’s that ‘the formal apparatus of the law is not always the most appropriate [device] to protect privacy interests’,[33] a ‘hybridised’ legislation emerged that prioritised principles, flexibility and abstract rules over prescriptive rights. Consequently, various key definitions of the Privacy Act are no longer relevant in contemporary society due to this flexibility, and due to two other main issues.

2 De-identification

First, as Paterson and McDonagh posit, the Privacy Act’s definition of ‘personal information’ – ‘an opinion about an identified individual or an individual who is reasonably identifiable’[34] – does not adequately protect vulnerable groups, as BDA challenges the purported infallibility of de-identification.[35] This is as both innovative techniques for actual re-identification, and the ‘the richness of the data’ itself,[36] which permits statistically significant inferences, affront the principle of anonymity entrenched in the Privacy Act.[37] Moreover, the aggregation of many data variables that are relevant to the characterisation of a vulnerable group, such as those with mental illness or Indigenous Peoples, permits stigmatized decision-making regarding entire minority groups. This may cause adverse circumstances to attach to individuals regardless of whether their data was present in a relevant study. Herein, a fundamental component of Australia’s privacy framework – that personal information can be successfully de-identified – is arguably unfit for purpose in the contemporary context of BDA in government decision-making.

3 Data as Decisions

Second, Australia’s non-consensual model of data collection, believed to be attenuated by disclosure limitation principles,[38] and the ‘purpose specification principle’,[39] faces significant challenge from the advent of BDA. Whereas the concept that data is collected for a ‘primary’ purpose was somewhat legitimate when data processing was not as complex,[40] BDA has reconceptualised data management such that information itself represents a vast opportunity, with usefulness that is realised through the process of analysis itself, and by the correlative inferences that it produces. Herein, the decision to collect data may not, in many circumstances, be a subordinated, or intermediate decision, as part of a wider administrative goal or project. Rather, the collection of data may frequently be the focus of a decision in and of itself. Therefore, it is necessary to reframe Australia’s statutory model insistent on purpose specification, to better reflect the modern reality of decisions revolving entirely around data. For the sake of brevity, this theoretical framework can be coined the ‘Data as Decisions’ model (‘DaD’). If DaD is not successfully implemented as a theoretical polestar in Australia’s statutory framework for privacy protection, the current model is apt to cause confusion and lack enforceability in the era of BDA, as will be discussed in Section II.

4 Sharing and Release

As represented by the previous name of the DATL, data sharing and release are inevitable by-products of BDA and DaD in the public sector. Likewise, the increased sharing and release of data between agencies and various ‘accredited bodies’ is the explicit long-term goal of the executive, as outlined by the DATL and the Productivity Commission.[41] Of particular salience in this space is the advent of integrated health systems aimed at building strong research networks. Of course, data sharing in this context is used to, among many things, optimize ‘precision medicine’,[42] generate predictions as to the virology of mass viral infections, or even allow complex corelative studies into the incidence of rare diseases, as has been the case in the European Union (‘EU’) with the ‘1+ Million Genomes Initiative’.[43] In fact, since the approval of the EU’s GDPR in 2018, as will be discussed, there has been a significant spike in publications on PubMed containing the phrase ‘data sharing’, which have drastically risen from only 46 articles in 1980, to 5960 articles in 2019.[44] Likewise in Australia, there are a great number of public-sector initiatives the have utilised federal government health data or have aimed to optimise data linkage and sharing for health research – one could point to the $46 million commitment to the Population Health Research Network in 2009, or the Australian Longitudinal Study on Women’s Health, as examples of this.[45]

As such, data sharing and release has many iterations in the public-sector. However, corollary to this is the threat posed by the ‘data warehousing’ of sensitive information in complicated cross-border and multidisciplinary networks such as the Multi-Agency Data Integration Project.[46] With the advent of complex health and medical research networks, it is clear that ‘biometric data and genetic information’ warehousing will be a major concern.[47] Even in the sharing of seemingly innocuous ‘open’ datasets, there is the tangible threat that hostile state actors may glean information and create ‘a mosaic of exploitable information.’[48]

Now that technology such as Application Programming Interfaces (APIs) can readily make metadata available in machine-readable formats, there is a direct push from the federal government to streamline its data sharing processes through the DATL.[49] Thus, it is vital that Australia’s privacy framework is fit for the purpose of storing and distributing this extremely sensitive and powerful personal information.

III INTRODUCING THE DATL

A Proposed reforms and legislative ‘fit’

1 Rationale

As aforementioned, the predominant rationale for implementing the DATL was to better utilise government data reserves, and thereby provide greater opportunity for entities to conduct productive research with public utility.[50] Where a fragmented legislative framework within the Commonwealth jurisdiction, and amongst the states and territories, has only furthered Australia’s ‘culture of risk aversion’ in data sharing, the DATL is intended to capture the missed opportunities hidden between Australia’s traditional ‘binary of closed or open data.’[51] As such, where the Privacy Act has not provided for a specific data sharing framework, this role has been assumed by the DATL, which will not oust the current statutory framework but rather, work in conjunction with it, and extend its ambit.

Unfortunately, the DATL is intended to be ‘principles-based’,[52] and therefore will likely carry with it the issues of the current privacy framework that were outlined in Section I. Despite this, the DATL has provided for a somewhat prescriptive means of safeguarding the data sharing process. First, by implementation of the ‘Five-safe’s’ model, whereby newly constructed data sharing agreements between entities are forced to consider five key questions that are compatible with APP 11, the DATL has allowed for a more substantive and positive approach to regulation.[53] This contrasts with the hybridised approach of the Privacy Act and the APPs, which balance between ascribing prescriptive and proscriptive duties to government agencies. By adopting this model, as well as empowering a new National Data Commissioner to steward the rather complex model of data custodianship, the DATL provides for a host of fresh considerations in the data governance space.

2 Purpose test

The Five-Safes model requires parties to a ‘data sharing agreement’ (‘DSA’) – an invention of the DATL, modelled upon the New Zealand Privacy Act 1993, intended to regulate the data sharing between data custodians and trusted users[54] – to consider five principles attenuating the risks of disclosure: data, people, setting, outputs and project.[55] In common parlance, this model requires that data has been deidentified, and is intended for use in a safe setting with a trusted user, whose has a valid reason or purpose for the project, which cannot produce results likely to re-identify data.

Emulating the NSW, Victorian and SA legislation,[56] the DATL allows data sharing if it is conducted for a valid purpose. These purposes include sharing for the delivery of government services, for the development of government policy and programs, or for research and development.[57] Evidently, the issues with a purposive approach to regulation in the era of BDA and DaD, as outlined in Section I, are still applicable to the DATL. However, Recommendation 7 of the June 2019 Privacy Impact Assessment,[58] that ‘data minimisation’ should be a requirement for data sharing, has been incorporated into the DATL bill such that only data that is ‘reasonably necessary’ for an approved purpose can be subject to a DSA.[59] This is likely to somewhat lessen the gap between the outmoded nomenclature of the APPs and the reality of BDA. Despite this, it does little to address the burgeoning issue of DaD, which says that all data variables have capacity to inform government decision-making through utilisation of complex BDA.

3 Authorities and entities

In practice, the aim of the DATL is to streamline the data sharing process via an accreditation framework comprising various bodies with different roles and skills.[60] By implementing DSAs, the DATL intends to compartmentalise the process of sharing; data custodians collect data, solicit the specialised services of ‘accredited data service providers’ to repurpose data, and then enter an agreement with a ‘trusted user’ who intends to use the data for a permitted purpose.[61] Applying the five-safes model, it is clear that this accreditation framework concerns itself primarily with people, although data, setting and outputs are all relevant risks that are also mitigated by safeguarded DSAs of this sort.

Notably, the DATL will expand its reach to all Commonwealth entities and companies as defined under the Public Governance, Performance and Accountability Act 2013 (Cth). Of note is the fact this broadened definition will allow government contractors – which will have particular salience considering the BDA era and the recent emergence of IT systems procurement – as well as any private sector or otherwise external users to seek accreditation as a trusted user.[62] Herein, data custodians and accredited data service providers are not merely innocuous originations of the DATL, but rather, represent a collaborative effort to fragment data collection, curation and linkage, such that inordinate power is not vested in any one entity, public of private, in the handling of Commonwealth datasets.

4 National Data Commissioner

The establishment of the National Data Commissioner (‘NDC’) is the salient feature of the DATL reform. Much like the Privacy Commissioner and their delegated duties in the Privacy Act,[63] the DATL will vest power in the NDC to administer regulation of DSAs, as well as keep a register of all DSAs and accredited entities. Ultimately, the seminal task of deciding whether to accept or reject DSAs will reside in the NDC. Likewise, it is provided for that the NDC has power to issue both non-binding and binding advice that takes the form of data codes and other legislative instruments.[64] Although this appears to be a good and justifiable ‘update’, it is arguable that this represents very little change to the extant framework and powers vested in the Information Commissioner in the Privacy Act. Nevertheless, the features of the NDC are novel in the sense that they apply to the administration and auditing of a new accreditation-based system. Also, the role of the NDC will extend to producing reports on the workings of this system.

Regarding the NDC’s operation within the traditional regulatory framework, it is intended that the NDC will consult the OAIC and Australian Bureau of Statistics for technical advice.[65] Likewise, its stance on ethical data use and best practice will be developed in consultation with the newly estbalished National Data Advisory Council’ consisting of the Australian Statistician, the Privacy Commissioner, academic experts and various special interest groups.[66] Herein although it is likely that the NDC will exist amicably alongside the Privacy Commissioner, especially considering that it is the express intention that their originating legislations will exist harmoniously, the added complexities of these changes warrant discussion.

B Issues

1 Governance and Regulation

As has been presaged, the DATL is intended to supplement the Privacy Act insofar as the latter statute does not clearly enable the sharing and release of data held by the government. To this end, it is expected that the statutes will not directly conflict, however this may not be the case for numerous reasons.

First, although the DATL has a greater insistence upon positive legislative requirements, it adopts a very similar purposive outlook to the Privacy Act as far as aggregation and manipulation of data is concerned. According to APP 6,[67] data usage for secondary purposes is not permitted unless an individual would reasonably expect the information to directly relate,[68] or otherwise merely relate to the primary purpose authorising its collection. However, considering that the DATL envisions the significant use and re-use of public sector data,[69] and it is reasonable to assume that meta-datasets and BDA will see continual flows of data, it is difficult to reconcile these two statutory regimes.[70] Likewise, the purposive regime of the DATL permits data sharing for the delivery of government services. However, as The Allens Hub noted in their submissions, there are practical difficulties in disentangling ‘precluded detection and monitoring activities’ that, though they may look like examples of excludable ‘enforcement’ purposes, are entirely necessary to determine the relevance of a particular study.[71]

Despite this, the advent of a new data minimisation principle in the Australian jurisdiction is a welcome change that would temper the above concern. This is as any reduction in the size and scope of permissible data collection will, to at least some degree, reduce the likelihood or impact of breaches of privacy. Furthermore, the emphasis on lowering the burden of storing duplicate datasets will likewise reduce over-collection and expound the positive corollary effects outlined above.[72]

Second, issues in governance also emerge due to the added complexity of the accreditation framework for data sharing in the DATL. In fact, this complexity is also attributable to the purposive underpinnings of the ‘project principle’ in the five-safe framework of the DATL. As each of the three components of the accreditation framework – data custodians, accredited data service providers and trusted users – have distinct roles and thereby purposes in the curation of DSAs in the public interest, it is conceivable that agency problems may emerge given that the scope of entities permitted to be data custodians and trusted users has broadened significantly.[73]

It is possible that rather than harnessing public data assets, the competitive tender process may catalyse the emergence of hostile research networks or worse still, data monopolies. Of course, it would be the role of the NDC to inquire into anti-competitive behaviours in research or public administration regarding data sharing, however it is possible that the NDC may be hamstrung by its substantial workload.[74] Also, as King and Fuse Brown show,[75] the emergence of ‘cross-market’ mergers of health care entities that ‘do not directly compete’ is a common phenomenon. Consequently, this tripartite separation of entities in the accreditation framework may not compensate for the reality that corporate interests and ownership of entities are not often transparent. Therefore, it may be the case that the independence of custodial entities and the subsequent safeguarding against systemic breaches of data privacy, is nullified.

In this light, the proper stewardship of public data rests on the NDC’s capacity to craft a continual output of binding legislative instruments so as to mediate the ‘flexible’ and purposive framework that has been lauded in the Australian jurisdiction since the inception of the Privacy Act. Alternatively, rather than implementing reform to this purposive approach head on, it may be preferable to provide for more detailed penalties provisions associated with anti-competitive data sharing practices.

2 Practical Recourse and Penalties

In respect of the practical recourse afforded to individuals and entities affected by decisions made under the DATL, there are several flaws. First, issues may potentially arise in attempting to harmonise the abstract goals of the Information and Privacy Commissioner, and the NDC. Whilst this is more a conceptual issue than it is practical, it does point to the reality that there is significant ambit for disagreement between the Privacy Act and DATL – as explained at length in relation to the purposive differences between the statutes – without any statutory indication as to whose opinion should prevail. Such a conflict may arise when considering the subsequent jurisdiction of the DATL, given that it is accepted that the Privacy Act is the first port of call to assess data related decision making. Were the Privacy Commissioner to make a determination against the interests of an entity via the Privacy Act,[76] it is possible that the NDC would assume the jurisdiction of the DATL to have been enlivened due to its more expansive scope in permitting data usage. Although such a conflict would likely remit to the offices of the Advisory Council, it is nonetheless relevant that there exists a gap in the legislative framework.

Additionally, the primary enforcement mechanism of the DATL, as it currently stands, is a discretionary complaint system.[77] Not only does this conflict with the principles underpinning the existent notifiable data breach scheme,[78] but it provides recourse only for entities affected by decisions of the NDC. If the Australian Public are to have faith in the public administration of data, it is vital that entities hold each other accountable via a mandatory complaints scheme. Moreover, a discretionary system affronts the ethical principles of accreditation; that non-compliant entities may effectively be granted permission to continue in their maladministration.

Faults aside, it is indeed a welcome change that both merits review and judicial review are available for entities to seek recourse against the NDC for their decisions. Although this does not extend to individuals, the ‘existing avenues for redress are unaffected’, including complaints directly to Australian government agencies themselves or to the Ombudsman.[79] Also, the adoption of a normative consent-based model with a standardised definition of consent,[80] is a welcome addition to these reforms, that will have lasting effects in preventing breach and enhancing public trust.

3 The European Union and The GDPR[81]

The GDPR is the European Union’s current legislative framework governing the privacy protection of individuals, as well as public sector data sharing and release. Although the initiative to compartmentalise the accreditation framework in the DATL was born out of the GDPR’s segregation of data collection and analysis into ‘data controllers’ and data processors’,[82] there are two key characteristics of the European Union’s framework that are yet to be assimilated into the DATL or Privacy Act.

First, the focus of personal information and identification in the GDPR would be apt to improve the overly flexible model employed in the Australian jurisdiction. The GDPR focusses upon the ‘identifiable natural person’ rather than remitting focus to the nature of information in question.[83] By doing so, the GDPR gives preference to the autonomy of the individual, whilst going further to define them as ‘one who can be identified, directly or indirectly’, before providing an extensive list of categories amounting to identifiable data.[84] Herein, it is clear that the Australian legislative model gives primacy only to direct identifiability as a consequence of failed de-identification or breach, and thereby neglects to observe the systemic flaws in de-identification that are attenuated by the GDPR. It would be beneficial to adopt such an approach in both the DATL and the Privacy Act.

Second, though the European schemata is supplemented by a stronger body of precedent than in Australia, it would be beneficial to implant the reasoning of Patrick Breyer v Bundesrepublik Deutschland,[85] within our legislative model. This case supports that consideration should be had as to whether there is ‘a reasonable likelihood of linkage with other databases’ resulting in identification, to account for the systemic flaws in the de-identification process. As discussed in Section I, systemic biases are a prominent feature of the Australian privacy protection framework. Thus, it would be beneficial to incorporate this logic into our legislative model so as to make it fitter for purpose.

IV CONCLUSION

Government usage of personal information and aggregated datasets is a growing cause for concern given the advent of BDA. Indeed, this has not perturbed the Australian legislature from making headway into streamlining data sharing and enabling greater usage of the Australian Government’s vast data assets. However, the salient issue in the Australian framework is the outmoded and inconsistent application of purpose-based principles in the administration of the DATL and the Privacy Act. This alone greatly undermines the many promising regulatory changes in the new legislative model for privacy protection, such that it may not be fit for the purpose of regulating the new reality of data sharing and ‘Data as Decisions.’


[1] Productivity Commission, Data Availability and Use (Inquiry Report, No 82, 21 March 2017).

[2] The original title given to the DATL was the ‘Data Sharing and Release Legislation’.

[3] Privacy Act 1988 (Cth).

[4] This is a term coined by this essay to argue that the ‘purpose specialisation principle’ entrenched in the Australian Privacy Principles is no longer fit for purpose.

[5] Carolyn Doyle and Mirko Bagaric, Privacy Law in Australia (The Federation Press, 2005) 5.

[6] Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, 328.

[7] ALRC, (n 1) Summary of Recommendations/xlix.

[8] Organisation for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980).

[9] International Covenant on Civil and Political Rights, 16 December 1966, [1980] ATS 23, (entered into force generally on 23 March 1976).

[10] ALRC (n 1).

[11] Lee Bygrave, ‘The Privacy Act 1988 (Cth): A Study in the Protection of Privacy and the Protection of Political Power’ [1990] FedLawRw 6; (1990) 19(2) Federal Law Review 128, 134.

[12] NSW Privacy Committee, Annual Report 1982 (1983) 15.

[13] Privacy Act 1988 (Cth) sch 1.

[14] Bygrave (n 12) 135.

[15] Ibid.

[16] ALRC (n 1); see also Australian Law Reform Commission, Australian Privacy Law and Practice (Report No 18, August 2010) 234.

[17] Bygrave (n 12) 136.

[18] Since 1 November 2010, there have been only 6 determinations made by the OAIC under s 52 of the Privacy Act 1988 (Cth), against government departments, and only 3 since the introduction of the Australian Privacy Principles.

[19] Bygrave (n 12) 124.

[20] Doyle and Bagaric (n 6) 16.

[21] United Kingdom, Report of the Committee on Privacy (Cmnd 5012, 1972) (the Younger Report) para 93.

[22] ALRC (n 17) 240.

[23] Bygrave (n 12) 130, discussing SI Benn, ‘The Protection and Limitation of Privacy’ (1978) 52 Australian Law Journal 601.

[24] Doyle and Bagaric (n 6) 6.

[25] Department of Finance and Deregulation (Cth), The Australian Public Service Big Data Strategy (August 2013).

[26] Productivity Commission (n 2) 2.

[27] Moira Paterson and Maeve McDonagh, ‘The Challenges Posed by Big Personal Data’ [2018] MonashULawRw 1; (2018) 44(1) Monash University Law Review 1, citing Government Office for Science (UK), ‘Artificial Intelligence: Opportunities and Implications for the Future of Decision Making’ (Report, 9 November 2016) 5.

[28] Ibid 3.

[29] David Watts, ‘COVIDSafe, Australia’s digital contact tracing app: the legal issues’ (Research Report, Faculty of Law, La Trobe University, 2020).

[30] Privacy Act 1988 (Cth) sch 1.

[31] Ibid pt VIIIA.

[32] Watts (n 30) 2, citing American Association for the International Commission of Jurists, Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights (April 1985) <https://www.icj.org/wp-content/uploads/1984/07/Siracusa-principles-ICCPR-legal-submission-1985-eng.pdf>.

[33] ALRC (n 1) 18.

[34] Privacy Act 1988 (Cth) s 6.

[35] Paterson and McDonagh (n 28).

[36] Ibid.

[37] Privacy Act 1988 (Cth) sch 1 cl 2.

[38] Ibid sch 1, cl 3.

[39] Fanny Coudert, Jos Dumortier and Frank Verbruggen, ‘Applying the purpose specification principle in the age of “big data”: the example of integrated video surveillance platforms in France’ (ICRI Working Paper Series, Katholieke Universiteit Leuven, 6/2012, 25 April 2012).

[40] Privacy Act 1988 (Cth) sch 1, cl 6.

[41] Department of the Prime Minister and Cabinet, New Australian government Data Sharing and Release legislation (Issues Paper, 2018).

[42] Tim Hulsen, ‘Sharing is Caring – Data Sharing Initiatives in Healthcare’ (2020) 17(9) International Journal of Environmental Research and Public Health 3046.

[43] Ibid.

[44] Hulsen (n 43).

[45] David Henry, Pauline Stehlik, Ximena Camacho, Sallie Anne Pearson, ‘Access to routinely collected data for population health research: Experiences in Canada and Australia (2018) 42(5) Australian and New Zealand Journal of Public Health 430, 431.

[46] Australian Bureau of Statistics, Microdata: Multi-Agency Data Integration Project, Australia (Catalogue No 1700.0, 13 March 2020).

[47] Patrick Dunleavy, Helen Margetts, Simon Bastow and Jane Tinkler, Digital Era Governance: IT Corporations, the State, and e-Government (Oxford University Press, 2006).

[48] Department of Finance and Deregulation, Big Data Strategy (Issues Paper, March 2013) 7.

[49] Office of the Australian Information Commissioner, Open public sector information from principles to practice (Report, February 2013) 34.

[50] Department of the Prime Minister and Cabinet (n 42).

[51] Department of the Prime Minister and Cabinet, Data Sharing and Release legislative reform (Discussion Paper, September 2019).

[52] Department of the Prime Minister and Cabinet (n 42) 6.

[53] Ibid 15.

[54] Ibid 16.

[55] Ibid 15.

[56] Data Sharing (Government Sector) Act 2015 (NSW) s 7; Data Sharing Act 2017 (Vic) s 5; Public Sector (Data Sharing) Act 2016 (SA) s 8(1).

[57] Office of the National Data Commissioner, Accreditation Framework (Discussion Paper, 14 September 2020).

[58] Department of the Prime Minister and Cabinet, Galexia Privacy Impact Assessment on the Proposed Data Sharing and Release (DS&R) Bill and Related Regulatory Framework (Report, 28 June 2019) discussed in, Department of the Prime Minister and Cabinet, Data Sharing and Release legislative reform (Discussion Paper, September 2019); see also Information Integrity Solutions, Privacy Impact Assessment – Draft Data Availability and Transparency Bill 2020, (Report, 6 September 2020) rec 9.

[59] Department of the Prime Minister and Cabinet (n 52).

[60] Department of the Prime Minister and Cabinet (n 42) 7.

[61] Department of the Prime Minister and Cabinet, Data Availability and Transparency Bill 2020: Exposure Draft (Consultation Paper, September 2020) 12.

[62] Department of the Prime Minister and Cabinet (n 42).

[63] Privacy Act 1988 (Cth) pts IV, V.

[64] Department of the Prime Minister and Cabinet (n 52) 40.

[65] Department of the Prime Minister and Cabinet (n 42).

[66] Ibid 21.

[67] Privacy Act 1988 (Cth) sch 1 cl 6.

[68] This is in the case of sensitive information.

[69] Department of the Prime Minister and Cabinet (n 52) 39.

[70] Information and Privacy Commission, Submission No 2 to Office of the National Data Commissioner, Data Availability and Transparency Exposure Draft Bill 2020 (20 October 2020).

[71] The Allens Hub, Submission No 48 to Office of the National Data Commissioner, Data Availability and Transparency Exposure Draft Bill 2020 (6 November 2020).

[72] Ibid 4.

[73] See (n 62).

[74] The University of Sydney, Submission No 41 to Office of the National Data Commissioner, Data Availability and transparency Bill Exposure Draft 2020 and Accreditation Framework Discussion Paper, September 2020 (6 November 2020.

[75] Jaime S King and Erin C Fuse Brown, ‘The Anti-Competitive Potential of Cross-Market Mergers in Health Care’ (2017-2018) 11 Saint Louis University Journal of Health Law and Policy 43.

[76] Privacy Act 1988 (Cth) pt IV.

[77] The Allens Hub (n 71) 6.

[78] Privacy Act 1988 (Cth) pt IIIC.

[79] Department of the Prime Minister and Cabinet (n 61) 16.

[80] Ibid 26.

[81] General Data Protection Regulation [2016] OJ L 119/1 (‘GDPR’).

[82] Paterson and McDonagh (n 27) 15.

[83] GDPR [2016] OJ L 119/1 art 4(1).

[84] Ibid.

[85] (European Court of Justice, C-582/14, 19 October 2014) [49] cited in, Paterson and McDonagh (n 27) 16.


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJlStuS/2021/12.html