2 August 2021
Australia’s Federal, State and Territory governments have agreed to a ‘default position’ on the sharing of data across jurisdictions. Data is to be shared provided this can be done securely, safely, lawfully and ethically.
The Intergovernmental Agreement on data sharing between Commonwealth and State and Territory governments (IGA) signed on 9 July 2021 seeks to shore up the foundation for better evidence-based policymaking and data-driven public administration – a laudable goal. However, it also increases privacy risks and elevates the existing struggle for Federal, State and Territory Government agencies to build and maintain public trust in their data governance and (in particular, personal information sharing) practices.
If the IGA’s objectives are to be realised without a significant detrimental impact on privacy, all government agencies must improve their privacy and information security awareness and capabilities. Otherwise, costly and embarrassing incidents are sure to follow which will quickly undermine public trust.
What public sector data is impacted?
‘De-identified data’ within the scope of the IGA includes:
administrative data; and
statistics and reference data.
In-scope data that may be identified (i.e. constitute or comprise personal information) includes:
data for emergency/disaster response and recovery (e.g. relating to bushfire/flood response);
record linkage for data integration projects and cohort needs analysis (e.g. to more accurately forecast the needs of specific groups); and
with individuals’ consent, data for the linking of government services (e.g. pre-filling forms to better integrate, and streamline the experience of, accessing services across multiple of the Federal, State and Territory Governments.
What privacy controls are in place?
In theory, the IGA will not impact the normal operation of the Australian Privacy Principles (APPs) and equivalent State/Territory privacy legislation (together, Privacy Laws). For example, APP 6.1 requires that personal information only be shared for the notified purpose(s) for which it was collected from the individual and as specified in the privacy notice. Any additional other purpose(s) for sharing must generally be related to the original notified purposes (and meet the requirements of the ‘secondary purpose’ exception) – otherwise, the agency must go back to the individual to obtain consent.
However, in practice the effectiveness of the Privacy Laws relies on robust data governance controls. Any increase in the volume of data sharing in practice will also increase the risk of the Privacy Laws being breached or expectations not being met.
Controls also exist in the form of statistical methods which are (or at least should be) employed in data analytics programs to preserve privacy.
Is data already shared within jurisdictions?
Almost every Australian jurisdiction (i.e. Federal and States/Territories) has intra-jurisdiction data sharing channels in place, at varying levels of maturity.
For example, the Multi-Agency Data Integration Project (MADIP) combines datasets from the Australian Bureau of Statistics (ABS), the Australian Taxation Office (ATO), the Department of Education, Skills and Employment (DESE), the Department of Health, the Department of Social Services (DSS) and Services Australia. The combination of these datasets is subject to what statisticians call the ‘separation principle’ which means that, in theory, no one can ever see personal identifiers and the substantive data at the same time (even though the information will retain the quality of being personal information).
Similarly, health and population data is linked through initiatives such as the Australian Institute of Health and Welfare’s (AIHW) Data Integration Services Centre, the SA-NT DataLink, the Centre for Victorian Data Linkage and other constituent units of the national Population Health Research Network (PHRN).
The Data Availability and Transparency Bill 2020 (Cth) (DAT Bill), currently before Parliament, seeks to bulldoze a new path for increased data sharing between Australian Government agencies. If passed in its present form, the DAT Bill will allow the sharing of public sector data with accredited users (who may be from the public or private sector) for the three permitted purposes of: (i) improving government service delivery; (ii) informing and evaluating government policy; and (iii) supporting research and development. However, this is only permitted in accordance with the five data sharing principles (essentially the Five Safes Framework) and must be governed by a data sharing agreement.
Cultural change is needed
The main impetus for the DAT Bill and IGA was the Productivity Commission’s 2017 Report issued following its inquiry investigating data availability and use. The Report found ‘a very real culture of risk aversion and risk avoidance in the public sector when it comes to data release’. Anecdotally, this culture of risk aversion and avoidance has changed little since then.
Based on our experience advising public sector clients on privacy, information security and broader questions of data governance, our view is that the main impediment to data sharing is still a cultural one, supplemented by a lack of clear agency-specific guidelines and guardrails as to what can be shared, to whom and in what circumstances. The Privacy Laws and secrecy requirements are often misinterpreted or misunderstood. In practice, this leaves data sharing requests dead in the water even when the right controls have been implemented and data sharing is permissible.
Neither the DAT Bill nor IGA will, by themselves, change this culture. Public sector agencies must prioritise training, awareness and developing clear guidance around privacy and data issues so data custodians and data users alike are empowered to harness the power of data in their work in a clear, safe and compliant manner. This will also help to ensure the pendulum does not swing too far the other way – so the Privacy Laws continue to protect individuals’ privacy.
But, data governance needs to improve
Apart from a lack of confidence in applying the Privacy Laws, there is a real danger that deficient data governance and poor data handling practices of some jurisdictions generally and of some agencies within a jurisdiction will come to light. Agencies that have not done their pre-IGA ‘homework’ will miss out (and likely cause other agencies to miss out) on the opportunities that better data sharing presents.
To contribute to building a data-driven public sector across all Australian jurisdictions and to be prepared for increased data sharing, Commonwealth, State and Territory agencies should now:
take an inventory of their data assets;
review legislative and policy requirements;
develop and implement a robust (i.e. ‘beyond reproach’) data governance framework;
align data strategy to current strategic and policy priorities;
implement and test appropriate technical and process controls to ensure compliance with applicable Privacy Laws; and
carry out a general privacy impact assessment (PIA) for the main types of data sharing anticipated over the next 3-5 years.
We also suggest that, in the context of overlapping Privacy Laws, agencies in each jurisdiction should ensure that in any data sharing transaction the highest standard of relevant privacy obligations prevail.
Data and Digital Ministers in each jurisdiction will now draw up a work program of ‘national priority data areas’ to focus resources on priority issues of national strategy importance, with input from relevant Portfolio Ministers. Sharing ‘lessons learnt’ from the pandemic response from each jurisdiction is at the top of the list.
For further information, please contact:
Alec Christie, Partner, Clyde & Co