The Productivity Commission’s recommended new legislative data management framework
The Federal Government has released the Australian Productivity Commission’s (Commission) final report on data availability, management and use (Report). 1 The Report sets out an ambitious proposal to fundamentally reform the way that data is managed in Australia. The lengthy Report is the product of a 12 month inquiry that involved 335 submissions from a broad range of stakeholders across the private, government and not-for-profit sectors.
In this article we summarise the Commission’s key recommendations regarding the proposed framework for improving the availability and use of data in Australia (New Framework), noting that, if fully implemented, the New Framework would significantly impact the way that data is managed and shared in both the public and private sectors.
Key drivers behind the Commission’s recommendations
A clear theme running throughout the Report is the Commission’s belief that nothing short of major reform is required in order to modernise Australia’s approach to data management. The Commission claims that Australia’s data policies have been developed in a reactive and ad hoc manner, where greater emphasis is placed on risk aversion and avoidance than on transparency and confidence in data processes, such that Australia’s data management processes are ill-equipped to adapt to the rapid changes inherent in digital technology. Accordingly, the Commission believes that fundamental and systematic changes are needed to the way that government, business and individuals handle data in order for Australia to better capitalise on the potential value of data that is at stake.
High level summary of the New Framework
The New Framework intends to recognise and manage the range of risks associated with the various types of data, the data uses and the associated need for different risk controls and approaches to apply. The main facets of the New Framework are set out below.
- Comprehensive Right – giving individuals more control over data held on them.
- National Interest Datasets – enabling broad access to datasets that are of national interest.
- Sharing other publicly funded data – making such data readily available to all.
- General data release – releasing non-personal and non-confidential public sector data for widespread use.
As further discussed in the paragraphs below, these elements of the New Framework will be implemented by various legislative and institutional changes, including the creation of a new ‘Data Sharing and Release Act’ (Data Act).
1. Comprehensive Right
Consumers will have their data protected by a new ‘Comprehensive Right’ established by the Data Act. The scope of the ‘Consumer Data’ definition will cover personal information (as defined in the Privacy Act 1988 (Cth)), files posted online by a consumer, data derived from consumers’ online transactions, data purchased or obtained from a third party that is about the customer and other data associated with data transfer activities. Accordingly, the scope of this definition means that the Comprehensive Right will apply to both public and private sector organisations.
The Comprehensive Right itself is essentially an access right for consumers allowing an individual access to matters including continued shared data access with the data holder, requesting data corrections for reasons of accuracy, being informed about a data holder’s intention to disclose or trade data about them and, importantly, being able to direct data holders to transfer data, either to the individual or to a nominated third party (such as a competitor).
The Commission envisages that data holders would be able to levy reasonable and transparent charges (that are monitored by the ACCC) for any access, editing and transfer of Consumer Data. The ACCC, along with other regulators such as the Office of the Australian Information Commissioner (OAIC), will also take the lead in governance, oversight, complaints handling and dispute resolution mechanisms associated with the Comprehensive Right.
2. National Interest Datasets
The Commonwealth, together with its state and territory counterparts, would establish a process whereby public and private datasets are able to be nominated and designated as ‘National Interest Datasets’ (NIDs). To qualify as a NID, the relevant dataset must satisfy an underlying public interest test whereby release of the dataset would be likely to generate significant spill-over community-wide benefits beyond those derived by data holders and data contributors. 2
Once designated, access to a NID would depend on the sensitivity of its data. The Commission recommends the immediate release of NIDs that contain non-sensitive data whereas only ‘trusted users’ (see below) would initially be able to access NIDs that contain data on individuals provided that those trusted users use of the NID preserves the privacy of individuals and the confidentiality of businesses. In time however, the in-principle aim would be to de-identify all NIDs and allow for public release.
To implement this ‘NIDs scheme’ the Data Act will provide for the establishment of a ‘National Data Custodian’ (NDC) and a system for appointing ‘Accredited Release Authorities’ (ARAs). The NDC would be responsible for broad oversight and monitoring of Australia’s data system, recommending the designation of NIDs and accrediting ARAs and ‘trusted users’. ARAs will be select federal/state/territory agencies that are responsible for deciding whether a NID is available for public release or limited sharing with ‘trusted users’ and for collating, curating and ensuring the timely updating of NIDs.
The last piece of the ‘NIDs scheme’ involves ‘trusted users’. Trusted users are entities that will have access to NIDs that are not publicly released. Such trusted users would be drawn from a wide range of potential entities, including federal/state/territory agencies, publicly funded research bodies and other organisations that are covered by privacy legislation.
3. Making other publicly funded data readily available to all
The Commission recommends a similar approach (to that proposed for NIDs) for sharing non-sensitive publicly funded data which otherwise would not have a public face. A realistic assessment of the risks attached to public release of identifiable information that is already public (in a less accessible form) should be undertaken by all governments, with the intention of releasing low risk data, and mitigating risks where possible to enable far greater public release of data, including that which could be used for program or agency performance management purposes.
4. General data release
The final element calls for a paradigm shift from government entities only releasing non-confidential data on request for particular projects towards such entities actively pushing data out in a coordinated way. In particular, the Commission recommends release of all non-sensitive public sector data consistent with specified release priorities.
Implementation – legislative and institutional changes
The Data Act is the primary legislative instrument that would give effect to the majority of the changes required by the New Framework. The Data Act is intended to cover States’ and Territories’ commitment of datasets on an opt-in basis.
Importantly, the Commission is not proposing any changes to the Privacy Act 1988 (Cth), other than extending section 95A to cover all research in the public interest that relates to people. Section 95A sets out guidelines for approving Australian Privacy Principles about health information issued by the National Health and Medical Research Council or a prescribed authority.
Lastly, the New Framework will also augment the roles and responsibilities of a number of Commonwealth agencies, including the ACCC, the OAIC and the Australian Bureau of Statistics, to the extent that the roles and responsibilities of these agencies relate to the reformed data management system (for example in relation to such things as, governance, resolving disputes and providing advice).
What does this mean for organisations operating in Australia?
If fully implemented, the New Framework will significantly disrupt current data management practices connected with the Comprehensive Right including in relation to:
- the additional administrative costs of complying with the Comprehensive Right in addition to the obligations that already apply under the Privacy Act 1988 (Cth);
- reconsideration of an organisation’s policies and procedures relating to data collection, storage, use and disclosure across the whole spectrum of the data lifecycle; and
- the previously assumed proprietary rights in data that an organisation previously had that may now fall within the ambit of Consumer Data.
This disruption in turn presents both risks and opportunities for the public, private and not-for-profit sectors. For example, particularly where a business operates in a sector that was recently privatised, there is a risk that the NDC may seek to designate part of that organisation’s valuable dataset as a NID and thereby require public access to a dataset be granted that would otherwise have been commercialised by that business. Conversely, obtaining ‘trusted user’ status may provide an organisation with priority access to a valuable dataset that can subsequently be utilised for commercial benefit.
- The Commission flagged some possible examples of initial NIDs as land use data, business register data, property and transport data, data on service provider performance, financial systems data and data on public infrastructure projects.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2019