ARNOLD, Dr Bruce Baer, Vice-Chair, Australian Privacy Foundation

BLOEMENDAL, Mr Ian, Chair, Privileges and Immunities Committee, Federal Litigation and Dispute Resolution Section, Law Council of Australia [by video link]

GADIR, Mr Jonathan, Member, New South Wales Council for Civil Liberties [by video link]

GANOPOLSKY, Ms Olga, Chair, Privacy Law Committee, Business Law Section, Law Council of Australia [by video link]

MacDONALD, Mr Nathan, Principal Policy Lawyer, Law Council of Australia [by video link]

WONG, Mr Chadwick, Senior Solicitor, Public Interest Advocacy Centre [by video link]

[10:24]

CHAIR: Welcome. I understand that information on parliamentary privilege, the protection of witnesses and giving evidence to Senate committees has been provided to you. I now invite you to make a short opening statement. At the conclusion of your remarks, I will invite members of the committee to ask questions. Does the Public Interest Advocacy Centre have an opening statement?

Mr Wong : Yes. Thank you, Chair and members of the committee, for the invitation to join you. Members of the committee may know that the Public Interest Advocacy Centre is a community legal centre based in Sydney. We provide legal help and undertake systemic policy advocacy on issues that impact, in particular, people who are experiencing disadvantage or are marginalised in society. For decades our work has included work with people experiencing homelessness, people with disability, Aboriginal and Torres Strait Islander people, asylum seekers, and children in care and protection, among others. Our experience in working with these communities has greatly informed our submission to this committee.

PIAC does not oppose in principle appropriate, secure and informed consent based sharing of public sector data for the purposes of improving socio-economic outcomes. But we do not believe this bill provides sufficient safeguards for a data-sharing scheme which represents a fundamental reform to the way in which public sector data is shared and used. We share the concerns that have already been highlighted by the scrutiny committee and by the Parliamentary Joint Committee on Human Rights.

We have made a number of targeted recommendations in our submission to address these structural issues. The recommendations cover three umbrella issues. The first is empowering individuals in the use of their data. That includes strengthening consent requirements, notifying individuals about their data that is being shared, allowing consent to be withdrawn, and creating merits review and complaints processes. The second is ensuring that the data-sharing scheme excludes particularly sensitive matters that should not be captured by this broad scheme. That includes immigration detention medical records and the AFP's access to the scheme. The third is strengthening oversight of data sharing. That includes introducing regular audits by the commissioner, introducing a civil penalty regime for certain data breaches, and publishing a register of efforts to seek consent for the sharing of personal information. I would be happy to discuss these matters further.

CHAIR: Thank you very much, Mr Wong. Do we have an opening statement from the New South Wales Council for Civil Liberties?

Mr Gadir : Yes. Thank you, Chair. Thank you, members of the committee, for the opportunity to appear before you today. I really want to draw the committee's attention to the discrepancy between the ostensible goals of this bill and what it actually allows to occur. This bill is a really big carve-out from the protections of the Privacy Act applying to a very high risk activity of data sharing. This is happening at the same time that another arm of the government is telling us they want to strengthen the Privacy Act. So the term 'public sector data' is really giving the impression that data contemplated by the bill is aggregated statistics of some kind. As you've already heard early today, it does in fact include personal information. And the definition in the bill is far broader than the goals would require, encompassing 'all data collected, created or held by the Commonwealth or on its behalf'. This obviously includes detailed personal information. This kind of information is often intimate and sensitive. It includes information about living arrangements, about relationships, about finances that is disclosed to Centrelink to receive a pension or disclosed to Immigration as part of a visa application. And people are revealing the most intensely intimate parts of their lives right now to Border Force, as they beg for permission to leave the country.

So the broad definition of public sector data is not really the right one for this bill. If this bill is really just to improve service delivery and to inform policymaking and to allow for research, then let's have a definition of public sector data that reflects that. Let's exclude personal information from the definition of public sector data and say that it must be anonymous. Let's also say that the permitted purposes should not include making administrative decisions that will affect individuals. And, if we aren't excluding personal information, we need notifications to individuals whose data is being shared, we need a public interest test and we need a no harm standard. Basic fairness and civil liberties are really under threat when personal information we are compelled to disclose to a government agency is then spread silently behind the scenes to other agencies or private companies and is able to be used in surprising and unexpected ways.

The Council for Civil Liberties supports the excellent suggestions made by the Joint Parliamentary Committee on Human Rights and in the submission from Melanie Marks and Anna Johnston, which is signed by many privacy professionals.

CHAIR: Thank you very much, Mr Gadir. Does the Australian Privacy Foundation have an opening statement?

Dr Arnold : Yes. Thank you. The Hon. Stuart Robert has promoted the legislation as providing 'strong privacy and security foundations for sharing within government'. It's both deeply regrettable and very unsurprising that the bills do not provide those foundations. The bills reflect the ongoing erosion of Australian privacy law in favour of bureaucratic convenience. The bills are not accompanied by a strengthening of the Office of the Australian Information Commissioner, our regrettably inward looking and grossly under-resourced privacy and FOI watchdog. The bills obfuscate recurrent civil society requests for privacy protection. They do that by Balkanising responsibility, with the new Data Commissioner sitting alongside the information commission and other privacy agencies. Ultimately, requests for privacy protection are not exceptional or inappropriate; they simply reflect the entitlements of people in Europe, Canada and New Zealand, among other locations.

Submissions to this committee and to a wide range of other bodies have highlighted substantive concerns regarding matters such as misplaced trust in de-identification and plans to share data on a population scale with state and territory governments and non-government entities. The committee's time is valuable, so I'm not going to restate those concerns. Instead, I want to call for greater transparency about the sharing. Governments often claim that if you have nothing to hide you have nothing to fear. On that basis, there should be full transparency about government data-sharing programs so that specialists, journalists, courts, ordinary citizens and even Senate committees can hold government to account. If, as Stuart Robert says, governments must share, tell us quickly and comprehensively what is being shared, how it is being shared, why it is being shared and to whom it is being shared. If government cannot walk that talk about trust and about accountability, the bills, I think, should be rejected outright, consistent with the Senate's function as a protection against an overreaching executive. Thank you.

CHAIR: Thank you very much, Dr Arnold. Do we have an opening statement from the Law Council of Australia?

Mr Ganopolsky : Yes. Thank you. The Law Council recognises the importance of facilitating government data-sharing arrangements and the need for the continued improvement of robust policies to govern these arrangements. We are therefore generally supportive of the policy intent behind the bill. However, our submission has identified a number of concerns and areas where we see potential risks associated with the scheme in practice. These primary concerns can be separated into two distinct areas: the adequacy of the privacy protections underpinning the actual scheme; and the proposed abrogation of legal professional privilege, which is of particular importance to our membership. As the committee would be aware, there is a delicate balance to be struck between the collecting and sharing of data and the right to privacy and appropriate safeguards. In this respect, the Law Council reiterates the need for considered, robust and properly resourced oversight mechanisms and safeguards for data sharing in order to uphold the rule of law, to protect privacy and human rights and to ensure the data is shared in a trusted and responsible way.

The adequacy of privacy safeguards under the proposed scheme has been queried by both the Senate Standing Committee for the Scrutiny of Bills and the Parliamentary Joint Committee on Human Rights, as well as through many of the submissions to this committee, including by others represented on the panel today. The Law Council shares many of these concerns and our submission puts forward several recommendations that have been developed to address privacy concerns within the bills should the legislation proceed. Without repeating the recommendations in full, the Law Council has focused on the scope and practical application of the scheme, including four major areas: the resourcing and expertise within the Office of the National Data Commissioner; the need for de-identification to be the default and prima facie position prior to any sharing; the need for prior express consent in relation to the sharing of biometric data; and the appropriate accreditation of entities under the proposed schemes.

The privacy concerns are well covered in our submission, as well as by other contributors to this inquiry. But, as the peak body for the legal profession, we wish to focus on our concerns relating to the proposed abrogation of legal professional privilege. I now ask my colleague Ian Bloemendal to speak to these matters.

Mr Bloemendal : Our submissions in relation to client legal privilege, or legal professional privilege as it is also known, can be found at paragraphs 33 to 40 of our written submission. The Law Council is of the view that there is insufficient justification provided in the explanatory memorandum for the proposed abrogation of client legal privilege in clause 105 of the bill. Obviously the EM concedes that legal professional privilege is an important right that ought to be abrogated only where there is strong justification. I think that echoes the High Court's view in Baker v Campbell, where Justice Dawson said the proper functioning of our legal system depends upon freedom of communication between lawyers and their clients, which wouldn't exist if one could be compelled to disclose what passed between them for the purpose of giving or receiving legal advice—if that's what this bill proposes to do. We've got a fundamental and basic doctrine of common law that protects confidential communication between lawyers and their clients, which this bill seeks to exorcise. It's not a matter that should be lightly considered or abrogated.

The Law Council opposes this blanket abrogation of legal professional privilege, particularly because it doesn't prevent derivative use. Derivative use, which the bill proposes, would fundamentally undermine any purported protections that the bill might otherwise create. In reality, derivative use would mean that there's no meaningful protection that exists. When I read the explanatory memorandum, at paragraph 527, the justification that is given is that data-scheme entities might obtain legal advice before they enter into data-sharing arrangements, and that might be material to investigations under the clause. Well, many organisations get legal advice on arrangements which they are about to enter into which authorities might find interesting to read and love to read, but that does not give justification for that legal advice should be open to be compelled by a regulator. ASIC and the ACCC, for example, would love to have an ability to read your and my advice that we receive from our lawyers on matters that are the subject of their investigations, but that just doesn't happen. There are multiple High Court authorities which identify why there is a real public interest in the administration of justice, which is there to encourage full and frank disclosure by clients to their lawyers and the reason why a person should be entitled to seek or obtain legal advice in relation to the conduct of their affairs and how that goes.

I'd like to draw your attention, if I could, when you have the opportunity, to paragraphs 34 and 36 of the submission. If legal professional privilege was abrogated, it would effectively preclude an organisation from getting advice about their responsibilities within the DAT regime. They couldn't really get safe advice about the veracity of the conduct of the regulator or advice about the commissioner's conduct, without the risk that that advice would be exposed and compelled, and I doubt that there is a real perceived need for that to occur. In the absence of a compelling explanation of the perceived need to compel privileged information, which is confidential, we submit that proposed section 105 of the bill be omitted. If the provision is to remain for some reason then the Law Council has put forward an alternative approach in our submissions for the consideration of the committee. Thank you for your time. We welcome the opportunity to answer any questions that the committee might have.

CHAIR: Thank you very much to the Law Council for those opening statements. I will hand the call to Senator Ayres.

Senator AYRES: Thanks very much. I'll try and rattle through these efficiently. I might try and direct them to one of you, but I'm very happy to hear contributions from any of you on these questions.

Firstly, you may have been online and heard the discussion with the Data Commissioner. And Dr Arnold is quite right: one of the architects of this legislation, Mr Robert, was also an architect of the robodebt scheme. Aside from an interesting proposal from the Law Council, I think, for de-identification by default, which seems like a quite straightforward proposition, there are a range of—let me ask another question first. I wasn't entirely satisfied that compliance activities were a prohibited purpose for data sharing. What was prohibited was quite narrow in scope—that is, for law enforcement activity for prosecutions. It's not the same as supporting an activity that's trying to determine what level of support an individual is entitled to. Do you accept that compliance activities are outside of the scope of the scheme? Mr Wong first, perhaps?

Mr Wong : Yes. I agree with that concern. I think, in relation to enforcement related purposes, that that particular exclusion is defined by reference to offences, contraventions of law, investigation of matters or practices detrimental to public revenue, serious misconduct et cetera. What we've seen proposed, for example, in the NDIS is around clawing back funds that have been used by participants in ways which the agency considers to be inappropriate. This is still the early stages. We haven't seen what the exposure draft of the law will be, but—at least from media reporting—that is an example of something which may not be in contravention of the law and may not be captured by the exclusions in the act.

Senator AYRES: There's a real asymmetry to this. There is a building of data-matching and data-sharing capabilities in the public service. I think in evidence that we received in another committee, some [inaudible] in one program. What inequities does that create?

Mr Wong : Sorry, Senator, I missed the question.

Senator AYRES: I'm saying that there's a significant ramping up of data-sharing capability, in terms of the amount of staff and the technology that has been engaged in. How does that change the unseen ways that data sharing is used to formulate policy and approaches to government service delivery?

Mr Wong : I think there are two point there. One is that this is such a fundamental reform to the way in which so-called public sector data is shared that we don't know what the boundaries or the limits will be to the sharing of personal information. We heard from Ms Anton previously that it is largely about de-identified data, but we don't know what personal information will be included, even for research and development. As we're seeing with the proposed changes to the NDIS Act, new changes to law or introductions to existing pieces of legislation may well cover areas for data sharing that are not currently being conceived. That's one issue. It's just the uncertainty about how broad this is.

The second part is this oversight issue, which has been mentioned a number of times now. Ms Anton also emphasised the role of the data custodian, and for clarification that really means the Commonwealth government agency who holds the information. They have outsized power and a level of discretion in determining who gets access to what data, what data can be shared, what data falls within the purposes, whether the data can fall within the purpose of improving government policy or research and development, which can be very broadly interpreted, as well as whether it's unreasonable or impracticable to seek consent and, then, the circumstances in which that data is shared and to which agencies they might share that information. So, theoretically or hypothetically, if information is being sought by the National Disability Insurance Agency from, say, the tax office, Centrelink or whichever other compliance agency they want information from, the agency that will decide whether to share that information will be another Commonwealth government agency. There really isn't any form of oversight in that sharing and there are no merits review processes.

There are two issues there, in summary. One is the unknowable limit or boundaries of the information being shared, and the other is the lack of oversight in the discretion that the data custodian has.

Senator AYRES: Are there any other responses from the panel? Is there anything else you want to convey to us about those issues?

Mr Gadir : I also want to highlight the question posed by the Committee on Human Rights, which is: why is the Australian Federal Police, which is a law enforcement body, not listed as an excluded entity? Also, as Mr Wong mentioned, when you have regulators that are going to be underresourced, we can't rely on them to be the only protection mechanism. We have to make sure that the words in the bill reflect what the government is saying is the goal, and I'm not satisfied that the words in the bill do that.

Senator AYRES: Dr Arnold, it was you, I think, in your opening statement who talked about transparency, in terms of people outside being able to look in and citizens being able to observe what kind of data-sharing arrangements are in scope.

Dr Arnold : Yes.

Senator AYRES: How, in your view, would that be effected and how would that improve the scheme?

Dr Arnold : For starters, a range of stakeholders would be able to see what's actually happening, and the legislation really provides very little transparency. We're very much relying on individual agencies doing the right thing. Individual agencies may well have very different views about what's appropriate and what's not. The notion of consent here, with respect, is just a nonsense. We have nice language that government agencies will be custodians. Having worked in the Public Service, talking to public servants, talking to consultants who work for the Public Service and talking to students who are public servants—they regard this data as their data: 'It's government data. We can do with it what we like.' We will in practice have very weak oversight of what's happening.

Something that is very importantly and that often isn't picked up is that, when we look at the history of privacy legislation in Australia, or privacy regimes in Australia—and possibly my irritation, having provided submissions to committees over the last 20 years or so, is reflected in my tone today—what we see is that we start off with lovely motherhood statements from people like Stuart Robert: 'It will be good. It's in the national interest. You don't need to worry. Trust us.' But over time we see a creep; we see an erosion. We may start off, potentially, with this legislation, which doesn't look too bad, but over time it will be weakened. It's opened up to a range of bodies that we would consider to be inappropriate and it's opened up to uses which we would consider to be inappropriate—uses which are administratively convenient but possibly punitive.

Senator AYRES: Thank you, and thank you to the Law Council for your submission. I did have some questions about legal professional privilege, but, Mr Bloemendal, I think you've covered that issue for us neatly. I have a couple of specific questions. In your submission you deal with biometric data. What are the particular concerns about that question?

Ms Ganopolsky : I'll address the biometric data point. There are two questions that arise on the use of biometric data. One is the very breadth of what is biometric data, leaving aside the legal definition. These are immutable characteristics that go to each individual. Importantly for us, as lawyers, they are characteristics that cannot be changed, unlike a password or some other mathematically produced identifier. The second issue arises in that the Privacy Act has defined 'biometric data' in a very limited way. There were good policy reasons for that back in the day when the legislation was drafted.

The answer really sits in the definition of what is sensitive information. That includes the two types of biometric data, and those types are very narrow. We broaden that explanation in the submission we provided, from paragraph 73 onwards. Essentially, what the definitions within the Privacy Act do is limit the type of biometric data to data used to identify individuals, not any other form of biometric data, and to biometric templates, which are a very specific, mathematical representation of biometric data. That's it. That's included in sensitive information, and sensitive information commands a high level of protection. You have already seen some discussions about that and how APP 6 distinguishes between health information and sensitive information when it comes to protection, requiring higher consent standards and higher transparency. If you were to leave the definition of biometric data as it is in the Privacy Act, you would lock it in to those two types of biometric data and leave everything else to be simply another creature of identifying information, where it's identifiable. That's the technical problem with how the two regimes collide. Does that address the question?

Senator AYRES: Yes, it does; thank you. This question is for any of you: where does the bill intersect with Australia's international human rights obligations, and in what sense do you say that it's deficient?

Mr Gadir : I'm not an expert on international human rights. Earlier the witnesses from the government were explaining how the Privacy Act would continue to apply, but that is not correct. The fundamental disclosure from the government agency to some private company that would be enabled by this bill is actually a carve-out from Australian privacy principle 6. That's a basic part of the international human rights framework. What does that APP6 say? It says you only use or disclose personal information where it's reasonably expected by the individual and it's related to the primary purpose of collection. I would say, and perhaps the professor can confirm this, that would be a breach of the international human rights concept of privacy.

Senator AYRES: Are there any other observations about that, more broadly? I want to come to privacy in a moment.

Dr Arnold : We're largely talking about an aspirational regime here. It's not judicially enforceable. A range of civil society—I think including the Law Council, over many years—have suggested that Australia needs to introduce a statutory cause of action, regarding an egregious innovation of privacy. Basically, you need individuals whose privacy has been disregarded and legal power to do something about it—and when we look at the history of entities such as the Office of the Australian Information Commissioner, it's misplaced trust, alas—rather than trusting that the privacy commissioner will somehow come to the rescue.

Senator AYRES: There's a review of the privacy framework being undertaken, at the moment. I see that from each of the organisations there are a range of suggestions or recommendations about how the bill might be improved, in terms of privacy. Just as a preliminary issue, is there a problem with this bill proceeding in advance of that review being concluded and considered?

Dr Arnold : With respect, I think the bill should not be passed until we've looked at and, ultimately, fixed the existing weak regime. The bill is being driven by institutional imperatives, with political convenience, without any regard for human rights.

Senator AYRES: Are there any alternative views to that? I'd be surprised if the Australian Privacy Foundation said anything else. Are there any other views to that about the merits of proceeding prior to that review process concluding?

Ms Ganopolsky : I'd like to make a suggestion, from a legal perspective. There is a risk that you are putting the cart before the horse. What is contemplated under this bill is a very large data-sharing arrangement that will be systemic in nature. What is contemplated under the review of the Privacy Act is, potentially, an overhaul of the regime, including higher sanctions and higher levels of intrusions and different rights and causes of action that would form part and parcel of our privacy regime. So, from the point of view of building a series of infrastructure, you are, potentially, putting the cart before the horse in that it will have to respond to a brand new regime. That's a kind of legislative risk that's there.

If I can round off, again, from a purely legal perspective, the fundamental difficulty that cuts across the discussion here from a privacy perspective is that, at least retrospectively, the data that's already been collected has largely been collected through the forces of interaction with government. Sometimes it's by force, sometimes it's by implied interaction. It's very difficult to cure that without a substantive systematic approach to that very question. That's why the question of de-identification has received so much attention. Out of all of the suggestions at the legal level, that is probably the one that comes closest to addressing that very fundamental question of what you do with the existing data that's been collected under the existing regime with existing expectations.

The current language of APP6 really talks to that as an existing dataset. So unlocking that, even with the best intention, is conceptually and operationally a very hard thing to do without committing to a form of de-identification. Bringing it back to the legal question, without putting de-identification as a prima facie legal obligation, you're not making much progress in that very structural conflict that one needs to address very expressly.

Senator AYRES: There's a sort of blizzard of proposals on privacy. Does de-identification of itself substantially resolve the concerns that are motivating the other recommendations? Does it partly do it, does it wholly do it or is it not a substantial enough amendment to the legislation itself to support the passage of the legislation through the Senate?

Ms Ganopolsky : From a legal point of view, it substantially doesn't, because from a privacy perspective—obviously provided identification is effective—it removes the dataset from an ability to identify individuals, so it takes away the privacy risks entirely. Actually, it takes away the privacy regime entirely, because, if the data is genuinely de-identified, it is not information about individuals, and the rights and freedoms of individuals are not impacted by the data. The reason it contains such power is that not only does it deal with information that's actually collected as part of the interactions individuals have with government but it deals with information that the government generates, and that is a very protective position both for the information for the government entities that are interacting and exchanging data and, clearly, for the individuals. So it's a very powerful control, hence the recommendation to legislate for it, rather than leave it at that operational level.

Senator AYRES: The policy objectives that are set out—the three: supporting government service delivery, policy development and whatever the other one was—don't require identification to the individual level, do they?

Ms Ganopolsky : No.

Senator AYRES: They might require certainly geography and a range of other characteristics but not individual identification.

Ms Ganopolsky : In fact, that's the opposite of what they require. They require trends, they require functions and they require a level of analysis that shows community behaviour, not individual behaviour, so it's a complementary approach to the very objectives as set.

Senator AYRES: One final question: is there a view from the panel about whether the bill is actually capable of amendment to deal with these proposed amendments, particularly around the privacy issue, or is it a back to the drawing board kind of operation?

Ms Ganopolsky : Is that a question to the Law Council?

Senator AYRES: Let's start with you, yes.

Ms Ganopolsky : The Law Council thinks that the bill is salvageable if the recommendations are addressed and both the substantive and the draft points are met, and that includes the privacy point and clearly the privilege issue that has already been raised and aired.

Mr Wong : From PIAC's perspective, there also needs to be a fundamental reconsideration of the intention of this legislation. It's cutting both ways in the sense that government services' first purpose is intended to require personal information, because that is where the government is seeking to share personal information between different agencies potentially to ensure that someone doesn't need to provide their information three times to three different agencies—that seems to be one of the intentions. You've also coupled that with research and development, which, as Ms Anton said, is largely about de-identified data. They are two entirely different purposes, and I would submit that you can't really capture them both in the same piece of legislation, especially if one of the proposals is to de-identified data.

Senator, I might come back to, briefly, your earlier point about privacy rights and international human rights law. The other point to flag there is that we haven't seen what particularly sensitive data will be excluded from this regime. There was an exposure draft of the proposed regulations which excluded things like health: My Health Record. One of the concerns we raised as PIAC was that it didn't include immigration detention health records. The health data of asylum seekers and refugees is covered by the Migration Act, not by these other processes. Without knowing what sort data is excluded from the bill we don't know what other privacy rights under international law are also raised. For instance, under the Convention on the Rights of Persons with Disabilities there are particular provisions around protection of their health and medical records—for obvious reasons they're particularly sensitive. Without seeing the full suite of regulations and guidelines it's very difficult to comment on that. I know that Ms Anton was saying that there's a process in place where you look at the legislation first before moving onto the regulations et cetera. But I think what we need is the full package of proposed reforms before we're able to comment on some of these privacy issues.

Mr Arnold : Yes, I would agree with that.

Senator AYRES: Thank you all for your submissions in the discussion today. Thanks, Chair, I am done.

CHAIR: Thank you, Senator Ayres. I don't believe there are any other questions from committee members. We will send these witnesses off with thanks for your testimony here today, for making the time and apologies for running a little bit late. We're rapidly catching up time.