HAYTHORNTHWAITE, Dr Adele, Research Data Consulting Lead, Sydney Informatics Hub, The University of Sydney [by video link]

PAYNE, Mr Tim, Director, Higher Education Policy and Projects, Office of the Vice-Chancellor and Principal, The University of Sydney [by video link]

[11:06]

CHAIR: Welcome. Information on parliamentary privilege and the protection of witnesses and giving evidence to Senate committees has been provided to you. I now invite you to make a short opening statement. At the conclusion of your remarks I will invite members of the committee to ask questions.

Mr Payne : Thank you, Chair, for the invitation to participate in today's hearing. The University of Sydney's interest in these bills stems from our desire to help achieve a better framework governing how Australian researchers access data held by Commonwealth agencies. This is important so that research with the potential to deliver benefits for the community can be conducted in a timely fashion with robust safeguards to protect against privacy and national security breaches. Currently our researchers often report enormous variability across Commonwealth agencies around the rules governing access to datasets for research purposes. We have examples of Commonwealth funded research grants expiring because datasets could not be accessed within three years. Other researchers have preferred to source data from overseas, rather than try to obtain it from Commonwealth agencies.

We commend the Office of the National Data Commissioner for the exemplary public consultations that they have run over the last three years while developing this legislation. As a result the bills are thoughtfully designed and carefully drafted. We strongly support the aims of the legislation but believe there remains some areas where the parliament could improve it further.

We've noted the concerns raised today by other stakeholders about the adequacy of privacy protections and agree these issues are critically important. A key concern to the university is the absence of a definition for the term 'public benefit' in the main bill, even though data custodians across the Commonwealth will be required to apply this test each time they consider a request for data. If research in the public benefit cannot be easily and consistently identified by data custodians we fear that there will still be unnecessary time delays and potential for poor and inconsistent decision-making. We therefore believe that a review mechanism needs to be included for decisions to reject data requests for research intended for public benefit. We also recommend that departmental data custodians be required to report regularly on all data requests received and their outcomes.

It is difficult for us at present to gauge the full impact that the legislation will have on universities and other not-for-profit research institutions. We strongly recommend against the charging of fees for accessing data for research undertaken by public-funded research institutions. We're concerned about the compliance costs that public research organisations will incur due to the accreditation requirements the legislation will create. We therefore recommend that an advisory panel including research sector representatives be built into the legislation for the first three years to help co-design the governance and the legislation's rollout.

We believe this legislation presents a rare opportunity for the parliament to establish a single coherent system for the sharing of Commonwealth datasets for research purposes that will benefit all Australians. We are confident that our remaining concerns can be addressed if the government commits to ongoing consultation and co-design, with inputs from experts representing the research sector. I'm happy to take questions.

CHAIR: Thank you very much, Mr Payne. I might start off. I note that you're from the University of Sydney, so I might ask questions relevant to the University of Sydney but then more broadly, if you can answer. How is your university positioned in relation to preventing cybersecurity breaches where hackers may seek to access or steal sensitive data?

Dr Haythornthwaite : I can take that. I do not work in information technology but I work closely with our representatives there and with cybersecurity. We have a concerted program that is addressing cybersecurity risk, as all other research institutions in Australia are doing. We are in a constant state of improving those. We are taking part in the review of critical infrastructure that's currently underway at the moment, with the legislation there, to put in even more robust risk governance frameworks to address cybersecurity risks. We have a dedicated information security officer and a team of cybersecurity analysts who stay abreast of the current developments in the cyberworld. As you're aware, it's a current state of escalation and there are always new threats to be identified. To date we have managed to have very good cybersecurity governance of our systems; that includes our administrative systems as well as our research systems.

Mr Payne : I can add that we have reported in detail on our efforts in these areas in another submission recently, in relation to foreign interference. The university is also required to report through its compact agreement with the federal government, as are all universities about their approaches to foreign interference, as part of that cybersecurity.

CHAIR: I'm not sure whether or not you were tuning in earlier in the day but I raised a few concerns about exactly what you just spoke about, regarding foreign interference at universities, with the National Data Commissioner—hence these questions to you now. Do you think your researchers being provided with access to this sort of data, which previously wasn't being released by the government, might provide an incentive for cybercriminals or foreign actors to target universities for cyberincursions? If that is a risk you've identified, what is your university doing to combat that?

Mr Payne : Firstly we would say that the data that would be accessed through this act is largely data that is already accessible. The difference is that it's not accessible through a common framework. Different rules and processes and policies apply in different agencies. What we like about this bill—and, I must say, the university has been involved with the process for the last five years; I think we have made six or seven submissions on this since the Productivity Commission did its review of data availability and use in 2017—is the consistency that it brings. We like the fact that there are high standards set for third-party data agents and also for accredited research institutions such as the university. Under this legislation each public research institution would have to become accredited, and then it becomes our responsibility to make sure that all of our researchers and research students are aware of the standards and the expectations; these are set out in a standard form data-sharing agreement which can be adapted for each agency. It would just bring so much more consistency.

The National Data Commissioner has also looked very carefully at best practice in other jurisdictions to see how they are doing it. We also have the experience in New South Wales of working very closely with the New South Wales government, which has made data sharing for public benefit a huge focus. We have researchers doing lots of research with datasets. In relation to transport, last week one of our start-up companies in quantum control signed an agreement with the New South Wales department of transport to do analysis of data in real time using quantum technology, potentially, to improve the allocation of resources across the New South Wales transport network.

CHAIR: Mr Payne, you just said that, through this framework, the onus will be on universities to ensure they clearly set the standards and expectations of their researchers or their students that might be accessing data under this scheme. Does the University of Sydney have even a vague idea of what that compliance framework is going to look like internally, and how that framework will be continually monitored to make sure that data, once it goes from government to a university, is being used for the purpose for which it was originally accessed—that it's not getting into the hands of people who shouldn't be accessing it?

Mr Payne : That goes to one of the recommendations we've made about the need for ongoing engagement between the data commissioner and the research community. Potentially this could link into the work of the University Foreign Interference Taskforce. At the University of Sydney we have robust mechanisms for ensuring compliance with legislation and that we will go through our normal processes to comply. We are concerned about the costs of compliance—there is no funding provided for research institutions here—but we'll just have to cope with that. There are already costs involved in complying with the processes. Our training will be upgraded. All research requires ethics approval if it involves human or animal datasets; Dr Haythornthwaite can talk in more detail about that. Perhaps what's missing at the moment is a national framework for ensuring there are consistently robust approaches taken across the whole of the sector.

Dr Haythornthwaite : I agree. We deal with a lot of sensitive data as part of our normal research activity. We have systems and classifications of data rated to those systems available to all researchers, and we have a lot of outreach in education and policy to ensure that researchers are aware of the resources they have and their obligations to protect the data they are working with. There is also the national research code, which they all comply with, which is also a condition of their employment at the university. As Mr Payne said, all research that involves human subjects has to have the approval of the human research ethics committee from our university or from data providers who release the data to us. We also have contractual obligations on datasets that are shared with us by government and other third parties, and there are very strong stipulations on what you can and cannot do with the data within those research contracts.

CHAIR: Finally, can you provide some examples of how greater access to data would be beneficial for researchers and perhaps the nation more broadly, considering how that research might impact our lives?

Dr Haythornthwaite : There are many examples we could give in the health and social sectors. Some of the great value that we get from these research data sets is when you combine them and you link them to actually be able to address much broader and deeper questions than you would through just single data sets. For example, we have epidemiologists working at the university who are able to combine data sets from births, deaths and marriages registries with maternal health and fetal health outcomes and also early education outcomes to be able to come up with policy initiatives that help children with developmental issues in early childhood. Mr Payne has also given examples of how we can combine transport data with quantum computing to be able to give a better method of running transport systems and getting increased efficiencies. There are any number of different research questions that could be answered if the data was available. What we must do is balance the public benefit of acquiring that data and conducting that research with the privacy considerations that we all agree are very important and getting that balance right and getting a workable framework that means that we don't get bottlenecks every time we try to link data sets because it's just too hard getting data from data custodians.

CHAIR: Thank you very much for your responses to my questions. I will now handball to Senator Ayres.

Senator AYRES: There is just one question from me really, which I can't promise won't lead to others, but we'll see how we go. One of the challenges in this bill is that it deals with data being used for different purposes. In terms of data being provided to research institutions, you may have heard the discussion we had in the previous panel about a proposal that the presumption be for data to be de-identified. Are there circumstances in which research institutions like the University of Sydney would require data to identify individuals or is it all essentially de-identified data that you're using when you're engaging with government departments about data use?

Dr Haythornthwaite : We believe that data should be minimised wherever possible and that you only use the degree of sensitivity of data that you actually need to answer the research question. So, wherever possible, we recommend that the data should be anonymised or aggregated in some way to remove any risk of identity. However, when you're linking different data sets, then you need to link using common identifiers. The best way of doing this is to use a third party such as the current integrating authorities or the proposed accredited data service providers, to provide a secure service to link those data sets together, using a common identifier, and then to remove those identifiers before they give them to the researchers. That way, the research institutions do not have to work with identified data. We're very keen to encourage that wherever possible.

Senator AYRES: So, in the way that you envisage this working, when the data arrives with you, it's anonymised, but of course to do data integration or data-matching work it requires some identifiers.

Dr Haythornthwaite : This is one of the problems at the moment. Because there are very few integrating authorities, there are very large bottlenecks, because the integrating work is specialised. At the moment, you need to get permission and ethics approval from each data supplier linking into that process. So, if I were to link three datasets together, I would have to get three lots of permission from three different data custodians and three lots of ethics committee approvals, probably, to be able to do that. That all takes a long time, and then the integrating authority would link those together. One of the major benefits we see in the legislation as proposed is to provide a smoother running of this particular part of the framework so that these long delays are avoided.

Senator AYRES: Public sector resources would be doing the data integration work and engaging with the research institution that's requesting it, but the data would then be provided to you in a way that allows you to complete the research program. At the moment, there's data-matching work that's going on within universities with separate permissions from separate owners of datasets.

Dr Haythornthwaite : Most of the data matching is currently happening through integrating authorities.

Senator AYRES: Thank you for your submission. I'm done, Chair.

CHAIR: Thank you very much for your economy of time, Senator Ayres, and thank you to the University of Sydney for your submission and for appearing today. We will send you off with our thanks.