ANTON, Ms Deborah, Interim National Data Commissioner, Office of the National Data Commissioner, Department of the Prime Minister and Cabinet

MENZIES-McVEY, Mr Paul, Assistant Secretary, Office of the National Data Commissioner, Department of the Prime Minister and Cabinet

Committee met at 09:00

CHAIR ( Senator Chandler ): I declare open this public hearing of the Senate Finance and Public Administration Legislation Committee for its inquiry into the provisions of the Data Availability and Transparency Bill 2020 and the Data Availability and Transparency (Consequential Amendments) Bill 2020. This is a public hearing, and a Hansard transcript of the proceedings is being made. We are also streaming live via the web, which can be found at www.aph.gov.au.

Before the committee starts taking evidence, I remind all witnesses that, in giving evidence to the committee, they are protected by parliamentary privilege. It is unlawful for anyone to threaten or disadvantage a witness on account of evidence given to a committee, and such action may be treated by the Senate as a contempt. It is also a contempt to give false or misleading evidence to a committee. In addition, if the committee has reason to believe that evidence about to be given may reflect adversely on a person the committee may also direct that the evidence be heard in private session.

The committee prefers all evidence to be given in public, but, under the Senate's resolutions, witnesses have the right to request to be heard in private session. It is important that witnesses give the committee notice if they intend to ask to give evidence in camera. If a witness objects to answering a question, the witness should state the ground upon which the objection is taken and the committee will determine whether it will insist on an answer, having regard to the ground which is claimed. If the committee determines to insist on an answer, a witness may request that the answer be given in camera. Such a request may of course also be made at any other time. On behalf of the committee, I would like to thank all witnesses appearing today for their cooperation with this inquiry.

I now welcome representatives from the Office of the National Data Commissioner. Information on parliamentary privilege and the protection of witnesses and giving evidence to Senate committees has been provided to you. I remind senators that the Senate has resolved that an officer of a department of the Commonwealth or of a state shall not be asked to give opinions on matters of policy and shall be given a reasonable opportunity to refer questions asked of the officer to superior officers or to a minister. This resolution prohibits only questions asking for opinions on matters of policy and does not preclude questions asking for explanations of policies or factual questions about when and how policies were adopted. Officers of the department are also reminded that any claim that it would be contrary to the public interest to answer a question must be made by a minister and should be accompanied by a statement setting out the basis for the claim. I now invite you to make a short opening statement, and at the conclusion of your remarks I will invite members of the committee to ask questions.

Ms Anton : Firstly, I would like to thank the members of the committee for inviting me to appear today and allowing me to deliver an opening statement on the Data Availability and Transparency Bill 2020. We developed this bill because the world is changing. Technology allows us to do more with data, but the way our world operates from a legislative point of view is it is all in silos that have been built up over time. To do more with data requires that we break out of our existing silos and engage sensibly with risk.

The bill before the parliament has been developed in response to the Productivity Commission's 2017 inquiry into data availability and use. That inquiry noted:

The potential value of data is tremendous; as is the scope for Australia to forgo much of this value under the misconception that denial of access minimises risks.

…   …   …

These risks—and the desire for privacy and confidentiality—should not be downplayed or trivialised. They are real and important. But, many of them are able to be managed with the right policies and processes—and better managed than they are now.

The bill before you seeks to do just that.

The bill will create a data-sharing scheme overseen and regulated by a new independent national data commissioner to allow sharing for the right reasons with the right people, with appropriate controls to manage risk. I have tabled for the committee a graphical representation of the key controls that participants need to work through in order to share data under the scheme, and I trust that that will support our discussions today and your ongoing considerations of the bill.

The bill seeks to progress a necessary set of reforms to modernise APS data-sharing practices, to set higher and consistent standards and to add additional transparency, to ensure the public know what is being done with their data. Ultimately this means that the bill will enable the Public Service to function better and be more responsive to the needs of Australians.

The purpose test embedded in the bill states that data can only be shared for: delivery of government services; informing policy and programs; and research and development. These are important controls of the scope of the data sharing enabled by the bill. It specifically precludes sharing for purposes that relate to national security or that may have a negative impact on individuals such as when pursuing an enforcement action. The safeguards described in the bill provides layers of defence that create a consistent and strengthened approach for the entire APS to use when managing data. The data-sharing principles across five domains identify risks and apply controls to ensure risks are appropriately managed. They are based on international best practice and are already incorporated into similar state laws.

Accreditation is also a key safeguard under the bill. Accreditation requirements mean users of the scheme must prove they have the relevant skills and capability to access government data. For those seeking to access personal data, they have additional requirements: they must be covered by the Commonwealth Privacy Act 1988 or equivalent state or territory privacy legislation. This gives confidence to the public that they have redress should things go wrong, and gives data custodians confidence that entities can be held responsible for the personal information they access under the bill. Importantly, this means foreign entities not covered by Australian privacy laws cannot seek to access personal information under the bill.

The National Data Commissioner has an important role to oversee these safeguards and take action to reduce harm if data sharing is not compliant with the requirements in the bill. To ensure the sharing under this bill is trusted by the public, we have built in transparency elements. The key terms of data-sharing agreements will be made publicly available, laying out what data will be shared, how this will benefit the public and how risks will be managed or controlled.

The bill has been developed using a privacy-by-design approach, which means privacy has been considered at every stage of the legislative development process. We have commissioned three independent privacy impact assessments on the bill, and we published the third and final PIA, which aligns with the bill as introduced to parliament, on Friday 16 April. For the chair's reference, we have provided a copy of that through the committee secretariat. The third PIA concluded that, in the context of the benefits that can be achieved through increased data sharing, our layers of defence are strong and robust, and represent a reasonable, necessary and proportionate response to privacy. The PIA also highlights the important work yet to come for the commissioner in progressing from legislation to implementation.

I want to leave you with my views on why these reforms are so important. During the three years of co-design and consultation on the bill, no-one I have spoken to, whether it be a public servant, a researcher, a privacy advocate or a member of the public, has disputed the value of data. Data is the difference between silo delivery of government services and the user experience that citizens expect and have experienced through services such as myTax. Data takes the guesswork out of government policy design by helping our policymakers to craft informed and insight-driven policy and programs that benefit all Australians. Data drives the research sector by helping academics and researchers identify valuable insights and improve Australians' experience and quality of life. All of those things matter. Yet many of the submissions to the committee are concerned about the sharing of personal information and ask the question, 'Have we got the balance right?' We believe we have, but we equally welcome this scrutiny process.

We have designed a principles based bill to ensure data sharing is secure, effective and transparent. The safeguards and controls that apply to data sharing in the bill are rigorous and able to be consistently applied across the entire Public Service, raising the bar on current APS practices. I am happy to respond to any questions that members of the committee may have.

CHAIR: Thank you very much for your opening statement, Ms Anton. I might kick off with a few questions. At a parliamentary inquiry earlier this year, the director-general of ASIO said:

Foreign intelligence services and their proxies are all too willing to take advantage of the openness that is integral to our universities and research institutions to steal intellectual property and cutting-edge technologies.

I was wondering what consultation you've had with ASIO and other security agencies regarding the bill that we are discussing here today.

Ms Anton : The bill was co-designed with the Public Service, including the national security agencies as well as many of the stakeholders, during our various rounds of consultation. In terms of your broader question about security, what might be helpful for you and the committee is to understand that, while the bill contemplates the sharing of data with foreign entities, the bill has a series of controls. I might take you the controls. The short answer to your question is that we have co-designed the bill in consultation with the national security community. In particular, there are exemptions for national security purposes that have been carefully crafted with those, as have some of the other controls in the bill.

More particularly, I do note that opening point that data cannot be shared for a purpose that relates to a prejudice of national security as per 15(2). In accrediting entities other than Commonwealth government entities, essentially, our criteria for accreditation is that the entity's participation in the data-sharing scheme would pose no concerns for reasons of national security as per section 77. The commissioner can suspend or cancel accreditation for reasons of security as per clause 81. As I noted in my opening statement, it's not expected that foreign entities, which are not covered by Australian privacy law, will be able to access personal data as they can't satisfy the privacy coverage test under clause 28.

Data-sharing agreements which may involve working with research or government policy purposes and engaging with the research community which you allude to do have a requirement for an accredited user who accesses the data. Again, there's a people principle as part of 16(4). Under that, the commissioner is able to share information with ASIO. If ASIO has concerns about the sharing of information with particular individuals, the commissioner can take action against the accredited user's accreditation to limit the sharing of data. The commissioner is specifically authorised to provide information to ASIO under clause 108. The commissioner may impose conditions of accreditation as appropriate for reasons of security, including on the basis of adverse or qualified security assessments under clause 78(1). That condition could include limiting access to shared data to individuals within an entity or could prevent shared data being accessed by particular individuals under clause 78(2). Importantly, decisions to refuse to accredit a foreign entity for security reasons, to suspend or cancel the accreditation for security reasons or to impose conditions are not reviewing by the AAT, which is set out in clause 118.

Ultimately, it's really important when considering the bill that the final decision to share data under this act ultimately rests with the data custodian, the Commonwealth public servant, and it makes clear that there is no duty to share. This bill is creating a framework to share, but there is ultimately no onus on the Commonwealth to share, and that's not a reviewable decision; they can simply say no. They do have to provide reasons why not, but ultimately, if they can't manage the risks, if it's not for an appropriate purpose, they can simply say no. From my point of view, those are quite a few layers of control—the creation of an accreditation scheme that works with the research sector in terms of accessing data that links back into the work being done by ASIO. Those are new controls designed specifically for this scheme.

CHAIR: One of the concerns that has been raised around this whole idea of foreign interference in the university sector, though, is that the purpose for which data might be provided isn't necessarily going to be up-front in terms of what the university or the entity might be asking the data commissioner for the data for. That sentence was terribly constructed; my apologies. It's not always going to be very obvious why the data is being asked for, so how can we be sure that, once the data has gone to one of these entities, there is some sort of ongoing monitoring in place to ensure that it's not being used for a purpose other than that that for which it was initially requested?

Ms Anton : I go to the flow chart that we've provided you with. There is a series of controls we have worked through. There needs to be a very up-front conversation about what data is being shared, why it is being shared—and, again, that check-in with ASIO. But your point is after the fact. The commissioner themselves is established as an independent statutory officer. The left-hand side of that diagram shows they have responsibilities for monitoring, regulation and enforcement of the data sharing. They are able to undertake own-motion investigations. As you'd expect with any regulator, they're actually able to go back and talk to the people who are sharing data, seek evidence from them and make sure that they are doing the right thing. There is also a complaints mechanism built into the legislation for those participating in the scheme. Where they think the data sharing is not happening appropriately, they're able to make complaints that the commissioner can respond to.

As you would expect, there is quite a series of enforcement related actions which could ultimately lead to suspension or cancellation of accreditation injunctions on the sharing, giving binding directions about what is happening and ultimately seeking civil or criminal penalties where appropriate. At the end of the day, there is a stick to go with the permissive: yes, we want to share, but there are controls in place at the other end. Paul, did you want to add to that?

Mr Menzies-Mcvey : The only comment I would add is that data-sharing agreements must specify the purpose for which the data can be used and provide that it can't be used for any other purpose. The data-sharing agreements are under clause 20 of the bill. All data entities that are parties must comply with it. It will be a breach of the DAT Act if it is used for another purpose, and the commissioner, as Ms Anton has said, would have regulatory powers to enforce that agreement.

CHAIR: That ties in nicely to my next question. What are those monitoring and compliance processes that you have in place to ensure that entities are only using the data for the purposes under which they have sourced it under their data-sharing agreement?

Ms Anton : Obviously, we don't have them in place at this point, because the office doesn't exist. What the bill contemplates in terms of those regulatory powers, as I've mentioned, is really about creating—to start with, the bill sets out what you're trying to do. There are then a series of subordinate documents and guidance materials that need to establish the rules more clearly to give confidence to entities that they are using things appropriately, be they regulations, rules, data codes or legislative instruments. The back end of the bill is really about more of those enforcement elements such as the capacity to conduct an own-motion investigation. It is also about injunctions placing conditions on accreditation. That ongoing monitoring is part of ensuring that the public can have confidence that the scheme is being used appropriately.

If you imagine the scheme starting up, in the first instance I imagine the commissioner will place quite a lot of scrutiny on the first series of data-sharing agreements that are made, because this is about taking and translating the law into practice and making sure that the guidance that they have provided is correct and appropriate. Then they're able to go in and, if they would like to, essentially require evidence from the custodians that that information is being used correctly. So those scrutiny processes are there. The practice of how they will be used, the normal statement from a regulator, will be about a scaled and appropriate enforcement approach. That is about doing deep dives early to make sure that it is being used appropriately.

CHAIR: Other than having the ability to consult with security agencies when you're determining if an entity should become accredited, what ongoing oversight will security agencies have to ensure that access to government data isn't being used even inadvertently to the advantage of foreign powers?

Ms Anton : The bill allows us to share information with ASIO from time to time. It gives us the capacity to share information with ASIO. What's really important to remember is that the data-sharing agreements are about what is being shared and where that is going to be publicly available, so that information becomes part of the public domain and the information that they can readily access in addition to the information that they may secure from us. I would anticipate that, as part of their usual processes, they will keep an eye on that. I can't speak for them in terms of what they will do; I can simply say that the information will be publicly available.

CHAIR: We talk about security agencies having an input at that initial point when we are accrediting a third party to access government data, but is there, through the commissioner's ongoing compliance monitoring of accredited entities, some sort of legislative trigger at which the commissioner says there needs to be input from national security agencies to determine whether or not this data is being used appropriately, or is that more ad hoc?

Ms Anton : I don't believe there's a specific trigger in the bill that would do that. From my perspective, that's just part of the usual practice where the commissioner, where it deems necessary, would consult with those agencies.

Mr Menzies-Mcvey : As mentioned before, at any time after accreditation a security agency could provide an adverse security assessment to the Data Commissioner, and the Data Commissioner has powers then to take appropriate action, which may include either suspending or cancelling the accreditation, which would prevent any further data sharing, or imposing conditions on the accreditation, which might say that the people of concern can no longer have access to that. The commissioner will then have regulatory powers to ensure that the conditions on the accreditation were being complied with.

Ms Anton : Any actions taken on the basis of the security advice are non-reviewable by the AAT, so they can simply be taken.

CHAIR: Are security agencies comfortable with the bill as it's currently drafted? You mentioned at start that you consulted with them in developing the bill, but what was their final say on the bill?

Ms Anton : Ultimately, as with any piece of legislation, the bill went through a cabinet process to make sure that the requirements of the bill and the policy authorities were appropriate and approved. Obviously, all agencies provided advice to government and cabinet in those considerations.

Mr Menzies-Mcvey : The intention is that, if the office of the commissioner is established, we will enter into MOUs with both ASIO and the Office of the Australian Information Commissioner to document the day-to-day working relationship.

CHAIR: Thank you for that. Finally, given the prevalence of cybersecurity risks, does the transfer of government data to third-party agencies increase the risk that that data can be accessed by hackers? If so, what requirements will the commission be putting in place through this legislation to ensure that government data can't be inappropriately accessed?

Ms Anton : The core risk management framework that's outlined in the bill is related to the data-sharing principles. That considers five dimensions that must be applied to any data-sharing project. The project principle is principally about whether this is the right data for that purpose. The people principle is: are these the right people to access the data? The relevant principle probably, in terms of what you're talking about, is the setting principle, and that requires that the data is shared in an appropriately controlled environment. That setting principle includes but is not limited to the following elements: that the means by which the data is shared or appropriate, having regard to the type and sensitivity of the data to the control the risks of unauthorised use or release and reasonable security standards are applied when sharing the data. Essentially, that principle allows for more detailed guidance to be provided in the subordinate material to agencies to make sure that, if there are particular requirements around where data can be stored and transferred, that should be taken into account.

Again, the principle of the bill is essentially that you should share data in the way that is most reasonable and that you're able to manage risks. In terms of those settings, if it's not conceivable that you can manage risks by providing it to a third party then there are other avenues available to access that data. A very commonly used approach by some of our agencies such as the AIHW and the ABS is to provide access to data in a secured facility that they run and that people have logged access to.

So, while the bill doesn't preclude providing data to third parties, it does put an onus on data custodians and those people who are receiving the data to have reasonable security controls in place. If they don't then the onus is back on both of those parties to say this is not the appropriate way to actually request data access. That happens in a negotiation and a conversation, and both parties need to be satisfied that they have appropriate controls in place to safely manage the data before that sharing takes place.

The other point I would make is that my sense is that there is a desire from the research sector, in particular, and from other parties to access government data to deliver good outcomes. I think there is a very strong awareness amongst those parties of the importance of maintaining appropriate security and controls and of maintaining the public's trust as we embark on a more robust sharing process.

Senator AYRES: I have a couple of general questions, and then I want to ask a series of questions about the relationship between data-sharing work and some of the government's compliance programs and other programs that either have been underway or are underway at the moment. Before I do, I was listening to your responses to Senator Chandler's questions and I think you've answered the questions in terms of who the data is shared with, but it's true that the data you're creating, as you're going through data sharing and data matching, is of much more value than the individual siloed data, isn't it? It's of more value to the public sector and to the agencies that you're working with, but it's also of more commercial value and of more value to foreign powers that might engage in the kinds of activities that Senator Chandler's described. That creates a greater onus for the protection of the data, doesn't it?

Ms Anton : I think you're going back to the PC's comment in my opening statement. There's an opportunity here, but there's also an important set of risks that need to be managed—absolutely. The Productivity Commission made the point that, at the moment, there isn't a consistent approach to sharing data. From my perspective, if we propose to do more to deliver better outcomes for the Australian public, then the bill and the frameworks it creates are about raising the standards of consistency across the public service by pulling on some of the best practice that occurs both domestically and internationally in terms of the data-sharing principles. Let's be smart about how we do this.

Principles based legislation allows us to refine and tighten those controls over time and make the most of it. I note your point about it being of interest to commercial players and other governments. I would make the point that, firstly, there are very clear purposes for which data can be shared, which is about government service delivery, research and development, and the support of policy design. We've constrained the purposes for which data can be shared—that was in our very first lot of public consultations. Ultimately, a control point for me is the transparency elements of the bill: that what is being shared needs to be published on a website, that there's a need to be very clear about what is happening and why, and that there's a need to explain what the public interest is that's being met as part of that data-sharing principle.

I don't dispute your point. I think there are both increased benefits and increased risks. The point I made in my opening was that this is really about whether we have struck the right balance in terms of designing that control framework.

Senator AYRES: That's alright in terms of agreements to share data. That works right up until the moment there's a breach, doesn't it? Senator Chandler pointed to the risks of sharing with third parties, but, of course, the big data breaches have been of government information being inadvertently provided or provided as a result of some cybersecurity breach. This is more valuable data, because it involves data matching and is the result of data analytics work across agencies. You may not have a data-sharing agreement with the person or the foreign power who's got the data or released the data but it's created nevertheless, isn't it?

Ms Anton : Going to your point about where the data has most value—you're talking about particularly the integrated datasets—

Senator AYRES: Yes.

Ms Anton : I would point to an additional control in the bill around the authorised data service provider. Noting that more integrated data has a richer value, the bill seeks to formalise in legislation some existing policy practices in the Commonwealth—that under the current frameworks it's authorised integrating authorities—so there's only a very small set of very experienced players who are able to actually manage complex integrated data assets, which have to meet very, very high standards in order to do so. Those are the likes of the ABS and the Australian Institute of Health and Welfare. The bill itself seeks to recognise that, if you are seeking to undertake complex data integration to build a complex data asset that has that increased value, the only people authorised to do so are the authorised data service providers. So there is a higher bar built into the legislation for the creation and management of those types of assets.

Senator AYRES: What are the penalties for breaches for data-sharing agreements under the act?

Ms Anton : The penalties under the act are constructed in two ways. Obviously, in order to use the act, you have to meet the requirements of the act. If you're not meeting the requirements of the act, then the penalties actually rebound to the original legislation under which the data was collected. One of the challenges of trying to design something that fits across a whole lot of pieces of legislation is: how can we accurately determine what are the relevant provisions and penalties that should be applied? If you are not using the act as intended, then, basically, you're in breach of the original sharing of the bill under which the act was collected. The bill itself then provides for additional penalties or gap coverage where people are simply not complying with, for example, provision of information to the commissioner or where it wasn't otherwise covered in original legislation. Paul, did you have the relevant clause on that one?

Mr Menzies-McVey : Yes, certainly. For breach of the mandatory terms of a data-sharing agreement, which include the requirement to only use it for the agreed purpose, it's a civil penalty of 300 penalty units. That's clause 20. But, as Ms Anton was saying, there are general penalties applying for if the sharing or use was purporting to rely upon the authorisation in the bill and the bill doesn't cover that, in fact. There are both civil penalties, which are the 300 penalty units, and criminal penalties, which is imprisonment for two years, for intentional reckless breaches.

Senator AYRES: I noticed in the legislation that the data is referred to as Australian government data and/or public sector data or public data. Who do you think owns the data?

Ms Anton : My general sense is we, the government, hold the data in trust for the public. They do provide that information, and it's a responsibility, as with many functions of the government, to hold that in good faith for the public.

Senator AYRES: That's the thrust of a range of the submissions—that this notion of privacy and consent is really getting away from people. Some of this data is provided, in some senses, voluntarily; people consent to it being provided, but this act contemplates that it may then be used for other purposes, as determined by the data custodian, that would not have been contemplated by the person when they gave what passes for permission on the government website. It's an expanded notion of consent. And some people provide this mandatorily; they don't have a choice. If they want to receive a government service or a government benefit, they provide the data or they don't get it. What do you say to those criticisms?

Ms Anton : I would make the opening point that it's not just about personal data—that the Commonwealth collects data on a range of fronts—but I note that your concern goes particularly to those concerns about personal data. I just wanted to make sure that we position the scheme as: it can relate to business data or environment data; it is broad in its contemplation. It's the question of how the bill interacts particularly with the Privacy Act. The bill relates to an express authorisation to disclose, collect and use personal information, where the requirements of the DAT bill are met. Basically, it's an authorised exemption, an expressed authorisation to use the bill under the Privacy Act. The Privacy Act provides for, essentially, secondary use frameworks to be met, and this bill then creates a very complex set of controls about what is reasonable and practical in those instances. I do note the overriding concerns, ultimately, about the need to maintain privacy, and that has been very material to our work throughout the whole process.

The bill is designed to complement, not to duplicate, the Privacy Act. That was actually one of the key design points that we were asked to contemplate at the beginning. I think one of the important elements is that the Privacy Act and the Australian Privacy Principles do continue to apply to the sharing of data under the bill, if it is about personal data. Again, clause 16(8) essentially makes the point that data sharing should be minimised as much as possible. So—again, I think these are important and valid controls—you should only be sharing the data that's necessary to do the job.

For anybody, under the bill, to access personal information, they have to have privacy coverage. We have done our work through the privacy impact assessment. I do note that the PIA, which we've now provided for your information, does recognise that ensuring that the APPs, the Privacy Principles, still apply—or comparable principles, in terms of recognition of state and territory work. They are a really important baseline for protecting personal information. On that basis, they recognise that we haven't duplicated those protections that are still available under the Privacy Act.

As to those controls and recourse: having remit for the public is still really quite important where things go wrong, which I guess is kind of what you were getting to. So, again, clause 28 makes very clear, where data sharing is related to personal information, that they are able to then make complaints under the Privacy Act. We're not seeking to duplicate those complaint and redress mechanisms under the Privacy Act. But, in terms of even contemplating the equivalent elements with state and territory law, we did work with the Information Commissioner on this and make very clear—again, trying to do a principles based expansion for the future—that those protections of personal information need to be comparable to the Privacy Principles, there needs to be monitoring for compliance with the law and there needs to be the means for individuals to seek recourse if the individual's personal data is dealt with in a way contrary to the law. So, while we haven't imported the Privacy Act into the bill, those really important links under 28 and the capacity to refer things out to the Privacy Commissioner do maintain the importance of privacy in the work that we're doing and still rest that control, where it's more appropriately dealt with by the Privacy Commissioner, with her.

Senator AYRES: It does put a lot of power in the hands of the Data Commissioner, many of whose decisions will be non-reviewable.

Ms Anton : I would just note that the decisions to share the data are ultimately left with data custodians. So they're left with senior public servants. Our view was that, in terms of sharing, they are in the best position to make an appropriate risk assessment, both on whether it's in the public interest, in their particular domain and context, to share, appropriately, and also on whether the appropriate controls have been met. So those decisions rest with data custodians in the first place. It is then for the commissioner. They could review whether they've met the terms and conditions in the act, to do the right thing, ultimately. But, again, what they have done will be on the public record as part of those transparency measures in the bill.

Senator AYRES: Yes, and when I read those submissions, on the one hand, you've got the privacy advocates and the legal advocates, and on the other hand there's an argument that there's an overwhelming public purpose in sharing the kind of data that's contemplated. The problem from their perspective is that the bill is drafted by true believers in the overwhelming public purpose and that it doesn't take into account the privacy concerns in any way approaching that.

Ms Anton : I understand the point, but I would also respond that we have conducted three independent privacy assessments to support the development of the DAT Bill. In each of those privacy impact assessments they provided advice about where we should tighten and improve things. The third and final one, which matches the bill that we presented to you, was conducted by Information Integrity Solutions, which is headed by Malcolm Crompton AM, who is a former privacy commissioner. Angelene Falk, who is the information and privacy commissioner, sits on the National Data Advisory Council. We have worked closely with them on their submissions, and obviously she has made a particular submission to the committee, which I would draw to your attention, which puts her views on the record in terms of the privacy controls that are in the bill. I do note there are some suggestions for improvement in there as well.

Senator AYRES: Is data collected by the COVIDSafe app capable of being shared under this framework?

Ms Anton : No. Two layers of data will be excluded in the bill, just to be clear. The bill itself contemplates data that is not permitted to be shared, and then there will be accompanying regulations about other specific data that will be excluded. The COVIDSafe app data—it's certainly the intention, whether that was in the draft regulations that were released when we were doing the consultation on the bill.

Mr Menzies-McVey : It will be one of the types of data that will be excluded from sharing by regulation.

Ms Anton : Similarly, there are other exemptions around electoral roll data and My Health records as well. We did a consultation process, and when the draft legislation was released for public consultation before it was presented to parliament, there was a set of those regulations publicly available, and there was a list of excluded pieces of data included in that. The final version of that obviously will be settled.

Senator AYRES: I want to come to some of those areas now and just understand what the scope of the prescriptions are, if I can put it that way. The NDIA is currently going through a process, which I think has been the subject of a bit of public discussion, for using data for compliance purposes. What is the relationship between the data sharing that's contemplated by this bill and the compliance regime that the NDIA is proposing to establish?

Ms Anton : On this, Senator, I draw your attention to clause 15, which specifically goes to data-sharing purposes. So it explains what the permitted purposes are, which are those I explained in my opening statement—delivery of government services, informing government policy and programs, and research and development—and I would describe this as thinking about what the patterns of use are. When we do government work it's actually useful to observe patterns. It precludes enforcement related purposes, and clause 15(3) then goes into a recitation of that being about:

(a)   detecting, investigating, prosecuting or punishing:

   (i)   an offence; or

   (ii)   a contravention of a law punishable by a pecuniary penalty;

(b)   detecting, investigating or addressing acts or practices detrimental to public revenue;

(c)   detecting, investigating or remedying serious misconduct;

(d)   conducting surveillance or monitoring, or intelligence gathering …

That language is there to describe a set of precluded purposes. So I don't see how enforcement action under NDIS would be supported by the bill as drafted. Based on a single-word description—you've characterised it as compliance action—it's intended to preclude that.

Senator AYRES: It's intended to preclude that. What about the kind of information that NDIS participants provide? Is that now capable of being shared across agencies, subject to the processes of the act in a framework?

Ms Anton : I think one of the challenges with principles based legislation—and the PIA went to this—is that it provides signposts, not a specific road map. I think what's always important in these circumstances is to understand what the scenario is and then, going through the flowchart I provided, what the purpose is. You can only do one of those three purposes and you still then have to explain why it's in the public interest to do that. You have then got to go through who we are sharing with, why we are sharing, whether we are sharing the minimum amount of data that they need to do the job that they are contemplating, and, at the end of the day, what the output is. A lot of this is going to be about research. What's the research? What's the output that research might help inform? I guess the point is that it might inform better public policy. If you can look for patterns of use or what's happening, those things might tell you how effectively the program is working. Again, with anything you do, it still needs to be made public that this is what you're doing, and there needs to be an agreement with the data custodian on what the outputs of that research are. It's very hard. This is principles based legislation. It creates those rules in a broad framing, without specific examples. Ultimately, it has to be assessed on a case-by-case basis as to whether this is a sensible thing to do. And, again, the onus ultimately is on data custodians. Data custodians don't have to share, at the end of the day. If they don't think this is a sensible thing to do and they cannot manage the risks then they can make a decision not to share. That can't be overturned by a commissioner suggesting they should, and I think the research sector is a little bit unhappy with us on that design point.

Senator AYRES: That's decisions that public servants made. I'm interested in the data that's been provided by participants in a scheme like the NDIS. Is it possible for the NDIA to use this framework to collect data that is then used to make assessments about the level of support that's provided to individuals?

Ms Anton : I think that goes to individual identified information. The bill contemplates that, where individual information is provided, it's also relevant to make reference to probably the exit clause, which does include a step where individuals are importantly required to validate that the information there is correct for that to go on and be used for other purposes. So, yes.

Mr Menzies-McVey : And, Senator, where personal information is being shared, the project principle provides—and this is in 16(2)—that the sharing of the personal information of individuals is done with the consent of the individuals, unless it's unreasonable or impractical to obtain their consent. So, if another entity were sharing personal information with NDIA for the purpose of delivery of government services, which I think is what you are contemplating, both the data custodian and NDIA would have to form a view about whether it's appropriate to obtain consent from the individuals concerned. In some cases, the individuals may wish to do that because it would save them providing the same information to NDIA that they have already provided to another government agency, and it might assist service delivery. So it's entirely possible that a consent model could work in that and be quite beneficial to all concerned.

Senator AYRES: But that's what I'm interested in—the relationship between improving government service delivery. In another context, the robodebt scheme was explicitly targeted at government revenue, through a compliance mechanism. If data sharing is used to determine the appropriate level of support for an individual, there's a very close relationship between that and subsequent compliance activity.

Mr Menzies-McVey : At the moment, as Ms Anton said, if NDIA sought to obtain information for a compliance purpose, which I think is the premise of your question, it wouldn't be possible under this bill. They would have to seek that information using one of their existing powers. As you know, most organisations have some capacity to share data already, albeit in limited form, so they would have to negotiate the use of those powers for compliance purposes.

Senator AYRES: Are you saying that this provides a smoother pathway for some purposes? So they are developing a capability, and I want to come to that capability in a moment. But you're saying that this provides for a smoother pathway for some purposes but not all purposes?

Mr Menzies-McVey : That's correct.

Ms Anton : Correct.

Senator AYRES: In the context of another inquiry, the Digital Transformation Agency gave some evidence about the Data Integration Partnership for Australia—$17 million was allocated to them to do some of that work. There was some evidence of an intensification of resources and activity in data sharing and data integration, with five new units and many hundreds of data analysts employed, including a social health and welfare analytical unit that sits across the Department of Social Services and the Department of Health, and, no doubt, the NDIA and others, and a similar unit in the Department of the Prime Minister and Cabinet to sort of aggregate some of that work at the top level of government. Do you have oversight over those data analytics units or do you have some engagement with them?

Ms Anton : We certainly have some engagement with them. You mentioned the Data Integration Partnership for Australia. We sit within the office of the Prime Minister and cabinet, and that initiative was administered by a branch within a close area of ours within PM&C. So we're certainly attending the same meetings, with regular reporting through, I think, the broader data governance arrangements. There's a deputy secretaries data group, and there was a specific DIPA steering committee on the Data Integration Partnership. We're certainly aware of the work that's happening. Obviously, the development of the bill has been done. I mentioned that point about co-design. We had a number of workshops with the Public Service itself about how we can design the bill in a way that will actually support its functioning, and we have ongoing discussions on many of the technical elements that we're trying to provide in terms of best practice.

In the middle of last year, we released some general guidance for Public Service agencies called The Foundational Four. Clearly, alongside increased data sharing, we need to make efforts to improve the skills and capability of the Public Service, and I think that was essentially what the inquiry into the APS reforms that you were referring to was about. We've certainly provided guidance about what doing data well looks like. The Foundational Four is practical guidance to all agencies about how to lift their skills and capabilities. There is complementary work being done by David Gruen as the head of the APS data profession in terms of lifting the skills and capabilities of individuals. If we're going to make more of data, clearly, we've got more to do with individuals. We have more to do at agency levels with this set of reforms and imagine a consistent set of rules that we can describe for the Public Service about how to share data safely, be it with the act or outside the act. Some time ago, we released the data-sharing principles as general guidance for the Public Service to use. We also released a general data-sharing agreement on how might we embed, in our data-sharing practices, the risk management framework so that we're all doing this in a consistent way. We released a draft of that in COVID. We will adapt and adjust that to fit the bill, obviously, before we have a final version of that. All of those activities go to as a public service how can we make sure that we are sharing and using data more effectively? Importantly, from those analytics units, what came out of that were good examples about how can we use data more effectively to achieve good public policy outcomes? You may have heard some of that evidence in relation to sort of pharmacovigilance stuff of combining health data to work out where there are adverse impacts, that then can flow into guidance material for doctors to make sure that we are actually having safer health outcomes. The ABS has done good data sharing to support provision of appropriate funding to independent schools, looking at what are the socio-economic needs of different schools—

Senator AYRES: I might just cut in if that's okay because I'm conscious of time. I have two questions about that, I suppose. In the event that the bill is passed unamended, the data commissioner won't have oversight over all of that data integration work. You might collaborate and engage about work but you will only have oversight over the work that is done under the framework that's been contemplated by the bill. Is that right?

Ms Anton : The act contemplates, at clause 42, functions for the data commissioner. The first elements of those relate to, basically, advice, guidance and regulatory functions as set out in the bill. It also does have an advocacy function in clause 42(1)(d) of promoting and understanding the acceptance of the benefits of, and best practice in, sharing and releasing public sector data, and it's safe data handling practices. In essence, because the role of the bill is to say, 'We have got to do this safely and develop ongoing practice', from my point of view, we continue to provide that advocacy and advice in a public sense to the broader public service as well.

Senator AYRES: But it's not the same as oversight. There is a very large program underway and being contemplated by the government. The future Data Commissioner will have oversight of a narrow band of that. You may have an advocacy role and a sort of collaboration engagement role in terms of other parts of the government's work. That work cascades upwards in terms of policy advice through to the Department of the Prime Minister and Cabinet. What are the protections that ensure that that quite powerful data and information is only used for the narrow purpose of policy advice and once it hits ministers' offices and the Prime Minister's Office it isn't used for political purposes?

Ms Anton : The bill complements other avenues that are already authorised for data sharing. Going back to the flow chart I provided you, if data can be shared under existing authorities then agencies are still free to do so. It doesn't displace existing data sharing arrangements that exist in the current legislation nor the activities of departments. The role of the commissioner is to provide an alternative pathway to share with this legislation and, noting your earlier comments about balancing risk and privacy, to make sure that we are managing those risks appropriately. The role is constructed as the regulator of the data sharing system. It's not constructed to look at every piece of advice going to government.

Senator AYRES: The name, the office of the Data Commissioner, sounds awfully like somebody who is in charge of data across the Commonwealth. That's not the case. Have all of the regulations been drafted and tabled? Will the Senate have the advantage of seeing those prior to the legislation proceeding before the Senate?

Mr Menzies-McVey : The regulations obviously can't be made until the act is passed, but we do have a draft of the regulations and we're continuing to work on that draft, refining language in relation to certain parts of data that will be excluded. But we do have a draft of those regulations.

Ms Anton : Yes, and the draft was released alongside the consultation version of the bill. But there have been further refinements to that since then.

Senator AYRES: I'm conscious of time—back to the political officers question. They are exempt from the provisions of the Privacy Act now. What are the additional probity risk issues that you see there with the information provided? With the work that is being contemplated by the bill—data-sharing work and data-matching work, data analytics work—what are the additional risks that you'd see there and what measures have been undertaken to deal with those risks?

Ms Anton : Going back to my earlier comments about the Privacy Act, it does apply and continues to apply to public servants as data custodians. There is a specific Australian government data code that was issued by the Information Commissioner, and all public servants are responsible for meeting their obligations under that code in the exercise of their duties. So that is not negated by the legislation; those obligations still stand.

Mr Menzies-McVey : And, Senator, it would be in the case of personal information. The sort of information that you're talking about, I think, would have been for the purpose of informing government policy and programs, which would very often not require the sharing of personal information, and, if it's not required, then it won't be shared. As I've mentioned previously, the purpose for which the information can be used must be set out in a publicly available data-sharing agreement, and the data-sharing agreement will provide that it cannot be used for any other purpose. So there is no real capacity for there to be a slippery slope, where it was obtained for one purpose and then used for another, because it will be clear to the public that the data can't be used for that purpose, and that will be backed up by the penalties in the legislation.

Senator AYRES: Chair, I'm done for the moment. I think Senator Kitching might have some questions.

CHAIR: Senator Kitching, I will pass the call to you before we wrap up with these witnesses.

Senator KITCHING: Ms Anton, I think you said there's a lot of data-sharing with the ABS. Is that correct? Did I hear that correctly?

Ms Anton : The ABS has a data lab that is used to support data-sharing. The Australian Institute of Health and Welfare is another of those lead agencies that also do a lot of work on data-sharing, particularly in the area of health research.

Senator KITCHING: Is most of that information de-identified?

Ms Anton : Largely, yes, it will be de-identified information. It depends on the circumstances in which it is being shared. But again, really, what both of those agencies practice is the data-sharing principles as outlined in the bill, and they are doing data minimisation, which goes to that point.

Senator KITCHING: Who else is a lead agency?

Ms Anton : The ABS and the AIHW are the two that I would point to. If you go back to the authorised integrating authorities that I mentioned earlier, they are the agencies that have been, under policy as it currently stands, anointed as having higher skills. I think they also incorporate, at a Commonwealth level, the Australian Institute of Family Studies—and the Department of Social Services, I think. They're the ones that come to mind, off the top of my head.

Senator KITCHING: Are you able to take that on notice and send back to the committee a list of the agencies that are regarded as having higher skills, or however you might identify them?

Ms Anton : Yes, I will send you a list of the Commonwealth agencies who are integrating authorities as it stands. I don't think I've missed anyone, but if we have, we'll certainly let the committee know.

Senator KITCHING: Thank you. You call them—

Ms Anton : Authorised integrating authorities. I will just ask my team if they can send me a list via email while we're still appearing, to try and save us all some time.

Senator KITCHING: That would be very helpful; I would appreciate that. They have better skills than some of the other agencies—is that right?

Ms Anton : They have a higher level of skills, yes.

Senator KITCHING: Are they going to mentor other departments who might be also sharing data?

Ms Anton : Yes. In fact, probably more particularly—I'm just scanning through my bill. The data-sharing principle 16(2)(d) states specifically: 'the data custodian considers using an ADSP'—an authorised data service provider—'to perform data services in relation to the sharing'. We're envisaging that the integrating authorities transition to authorised data service providers. So the bill actually specifically asks agencies to think about whether they have the skills and capability—

Senator KITCHING: But it's 'they should consider'; it's not mandatory.

Ms Anton : It's not mandatory, but it does require that they consider whether they have the skills and capability to do that. Ultimately, they need to be satisfied that they do. If not, it directs them—

Senator KITCHING: Do you think it should be at a higher level than 'should consider'?

Ms Anton : There are specific requirements in relation to performing data integration under the authorised data service provisions. Paul, have you got the clause?

Mr Menzies-McVey : Clause 29 of the bill allows the minister to determine by rules, which are disallowable instruments, what data services must be performed by an ADSP, which are these entities that are accredited to a higher level. Currently it is likely that the minister will make a rule that will require complex data integration work to be done by an ADSP.

Senator KITCHING: In relation to that, when you say 'the minister', do you mean the minister for each agency that might be sharing data or do you mean—because you're based in PM&C—the Prime Minister?

Mr Menzies-McVey : No, it's the minister responsible.

Ms Anton : The minister responsible for the legislation.

Senator KITCHING: Ms Anton, I like the idea that this information is held in trust on behalf of the public, I think you said. In terms of the public interest, are there positives that you can see in sharing information that benefit the public? Where do you see the benefits?

Ms Anton : If we go to each of the purposes, in terms of government service delivery, the bill contemplates how we support Tell Us Once functionality. If the public have told us something and it's held in silos and we can't share it, wouldn't it be simpler and easier for them if we could actually pick it up and reuse it where they're comfortable with that? Again that goes back to the earlier questions around consent and potential validation. I do think it's about streamlining government services.

It is also about improved public policy outcomes. I described for Senator Ayres the earlier example of data sharing being used to support better allocation of funding to independent schools on a more fair basis. The previous formula, I think, just took an average of the postcode in which the student lived. The ABS was able to work with tax data—this was never seen by the policy agencies—to actually figure out what the income of parents was. In other words, it more accurately assesses their capacity to pay. Using the controls of that expert organisation like the ABS, the product that came out of that was essentially a formula that said, 'This is what the school reasonably needs.' I think those public policy outcomes are really important.

Each of these different areas contemplates more being possible. I mentioned research and development earlier. Work done by one of those analytics units in the Department of Health looked at the different combination of medicines that were taken by people who had a heart issue, and they identified that there was some really bad combinations that led to particular issues for individuals. Again, changing those prescription guidelines led to potentially saving lives, ultimately. So it's certainly possible with all of this that there are more benefits, essentially—to support the Public Service to do their job more effectively and to work with researchers to make sure that we are solving the real problems that Australians are facing today.

Senator KITCHING: With the health data, for example, most of that would be de-identified data?

Ms Anton : Yes. The language we've used in 16(8) in the bill is that data should be minimised, which allows for service delivery, where you do actually need identified data, but equally, if it's about research partners, it is largely about de-identified data.

Senator KITCHING: Where it's not de-identified, can people opt in or opt out? Let's say you're a recipient of a government program like the NDIS or other services. Do you have an option to have your data not included?

Ms Anton : The legislation, in 16(2)(c), contemplates that any sharing of personal information—going back to that identified stuff—of individuals is done with the consent of individuals, unless it is unreasonable or impracticable to seek their consent. That question was raised in, I think, the scrutiny committee, and the response from the minister. Obviously we need to provide some initial guidance on what those circumstances might be. I expect we'd work with the Information Commissioner on that.

Senator KITCHING: You don't have those guidelines drafted now?

Ms Anton : No. We start with the bill and make sure that we've settled that and then work on the—

Senator KITCHING: The reason I ask is that I think it might be quite efficient to have the guidelines as soon as the bill is passed, if that is the case. If it takes a year to get guidelines out, you might have some departments and agencies giving out information or identifying recipients, for example, of government programs. You might have some of that information going out if you don't have the guidelines in place when the bill is passed.

Ms Anton : I understand your caution. Going through the flow chart, in order to use the bill what needs to happen as a very first step is that agencies need to be accredited as users under the bill. So we have to work through the process of accrediting organisations first, and we're working through that guidance material as well. In parallel, side by side with that, we will then work on the guidance material about: 'When you are sharing, these are the rules.' I'm not concerned that agencies could jump the gun and use the bill before they are accredited and they understand their obligations. We will work to make sure that that guidance material lands at the same time so that the scenario you're contemplating does not happen.

Senator KITCHING: That's good. How long do you think it'll take to accredit the agencies with higher skills, let's say?

Ms Anton : We are looking at the transition arrangements we may have in place. The authorised integrating authorities, which I referenced earlier, have already gone through an assessment process.

Senator KITCHING: But with no guidelines. But you're saying—

Ms Anton : Sorry; they have actually had to follow some guidelines.

Senator KITCHING: Can you table those?

Ms Anton : Yes. We're happy to do that. The information that they've had is publicly available. To come back to your earlier question, my team have sent me through an email. The current Commonwealth agencies who are integrating authorities are the Australian Bureau of Statistics, the Australian Institute of Health and Welfare, the Australian Institute of Family Studies and the Department of Social Services.

Senator KITCHING: I have another couple of questions and I'm happy for—I do want to ask about DSS. I think you said before, Ms Anton, that one of the benefits that could come from the DAT bill is the streamlining of government services. Is DSS already doing that? For the sake of time, I'll couple that with another question around—no, actually, can you answer that first. Is DSS already using data to streamline government services?

Ms Anton : The authorised integrating authorities relate back to research purposes. Their current activities are not related to service delivery. In terms of the integrating authority framework that I outlined, that was principally designed around the construction of those complex integrated data assets. That framework didn't link into service delivery in the same way that the bill does.

Senator KITCHING: I'll give you an example. Unfortunately, I sometimes have to put in FOI requests to various departments and agencies, simply because they don't answer the questions I put on notice in the first place. One of the reasons they can give, which under the Freedom of Information Act is a reason, is that it's an unreasonable diversion of resources. What I wouldn't want to see happen is—let's say that you need personal information from recipients of NDIS moneys, and the department decides that it will be an unreasonable diversion of resources to actually ask every single person who is a recipient whether or not they want their data included, even though it's personal to them. How do we overcome that instance, because I can assure you that whatever optimism I had a few years ago has been quelled by the fact that that's how people respond to questions on notice and to FOI. Some of the FOI requests—even though they're approved by the freedom of information commissioner, the department is still not wanting to release information. I think this is actually a much more serious issue, where people might want to have the opportunity not to have their data included, because it is personal data, but the department itself decides that is too much of an effort to ensure that that happens. How do we overcome that?

Ms Anton : That goes to guidance material that we will develop in relation to 16(1) and (2) in terms of that personal information and consent.

Senator KITCHING: Will you outline that a department can't use that, can't say, 'This is going to take too long,' or 'It's going to be too work intensive?' I think people should be given the option about whether their information, their personal information, is shared. The exception for me would be national security reasons; those agencies should have what they need. But in terms of people who may not necessarily be engaged, they receive money from the Department of Social Services but they may wish not to have their information shared, I would hope that the guidance material, which is yet to be produced, doesn't actually give the department an out for asking people.

Mr Menzies-McVey : In his response to the Scrutiny of Bills committee, Minister Robert did undertake to table an addendum to the explanatory memorandum that contains further guidance about the phrase that I think you're concerned about, the 'unreasonable or impracticable', for obtaining consent. That's already on the record, that the minister will provide further guidance about that for the House debate.

Ms Anton : Going back to your earlier point, the other point in this is that it's really important to look at the balance of this, look at where you don't need to share the personally identified information—

Senator KITCHING: Yes, but you've also said, Ms Anton—

Ms Anton : It is not personal information as defined under the Privacy Act; it is just patterns—you're looking for patterns in the research to inform work. In trying to balance those data-sharing principles you can dial up controls in one area and dial down controls in another area. If it is impractical to seek consent from every participant of the NDIS then the counterpoint is that you should strip out personal information so that there is not identifiable stuff in there as well.

Senator KITCHING: The standard will be you have to opt in rather than the other way? In fact, you're not releasing any personal information unless someone consents, rather than the other way around?

Ms Anton : So—

Senator KITCHING: Yes or no?

Ms Anton : It depends. If it relates to service delivery then that is about individuals, and we've made the point in the bill about the exit mechanism and validation. When it comes to individual information then the requirement in the bill is about minimising that, so the circumstances we would need the identified information would need to be controlled for.

Senator KITCHING: Would you be able to table with this committee the guidance material when you have it? Is that going to be a year away? How long do you think it will be?

Ms Anton : As principles based legislation, our plan was to settle the principles and then work through the guidance material after that. The bill does contemplate for the commissioner to do that in a number of forms. That can be in the form of a data code that can be subject to disallowance or in the form of guidelines that entities must have regard to but are not disallowable instruments. Both of those are contemplated by the bill. At the moment we do need to settle the final form of the legislation. I note that a very early version of the data-sharing principles and guidance was released in 2019 I think, but it didn't contemplate some of these more recent concepts and language in the bill.

Senator KITCHING: I am fully in agreement about research of patterns of movement or whatever, but I'll have a look at the Hansard for your response, Ms Anton, in relation to data sharing where people's personal details are identified. I think that they should have control. I think you should have to opt in to that system.

CHAIR:. Senator Kitching—

Senator KITCHING: I've finished, Chair.

CHAIR: I was just about to say that I recognise it is very difficult when we are all videoconferencing or teleconferencing. We are quite over time. Are your questions wrapping up there?

Senator KITCHING: I've finished. I will have a look at the Hansard. Ms Anton, could you table for the committee any material that you think is going to go to guidelines or guidance material?

CHAIR: Thank you very much, Senator Kitching. I note that a few things were taken on notice in that section. I flag now that the secretariat has advised me that the deadline for answers to questions taken on notice is 22 April, which is two days away. We have a quite tight reporting time frame on this. Before I dismiss these witnesses, I seek agreement of the committee to table the two documents that were emailed to us via the secretariat from the commissioner at the start of the hearing. That is all in order. I thank the officers of the Office of the National Data Commissioner. Thank you very much for your testimony today.