Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Privacy Amendment (Re-identification Offence) Bill 2016



Download PDFDownload PDF

ISSN 1328-8091

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest.

BILLS DIGEST NO. 55, 2016-17 25 JANUARY 2017

Privacy Amendment (Re-identification Offence) Bill 2016 Mary Anne Neilsen Law and Bills Digest Section

Contents Purpose of the Bill ............................................................... 3

Structure of the Bill ............................................................. 3

Privacy Act: outline ................................................................ 3

De-identification of personal information ............................ 3

Committee consideration .................................................... 5

Senate Standing Committee on Legal and Constitutional Affairs ...................................................................................... 5

Senate Standing Committee for the Scrutiny of Bills .............. 6

Policy position of non-government parties/independents ..... 6

Position of major interest groups ......................................... 7

Financial implications .......................................................... 9

Statement of Compatibility with Human Rights .................. 10

Parliamentary Joint Committee on Human Rights ................ 10

Key issues and provisions................................................... 10

Re-identification of de-identified personal information ....... 10

Application .......................................................................... 10

Offences and civil penalty provisions .................................. 10

Comment ............................................................................. 13

Retrospective application of the offences and civil penalties ............................................................................ 13

Threshold issue—criminalisation v civil penalties alone .................................................................................. 14

Elements of the prohibitions in proposed subsections 16D(1) and 16E(1) ............................................................. 14

‘Publication’ v ‘disclosure’—proposed section 16E .......... 14

Remedies—compensation orders against persons convicted of offences ........................................................ 15

Exemptions for research and other purposes ..................... 16

Comment ............................................................................. 16

Date introduced: 12 October 2016

House: Senate

Portfolio: Attorney-General

Commencement: The substantive provisions commence the day after Royal Assent. However the new offences operate retrospectively from 29 September 2016, the day after the Government announced its intention to introduce the Bill.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at

January 2017.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 2

Absence of explanation of more limited delegation of legislative power ............................................................... 16

Other exemptions ............................................................. 17

Information Commissioner: functions and powers ............. 17

Comment ............................................................................. 18

Concluding comments ....................................................... 18

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 3

Purpose of the Bill The purpose of the Privacy Amendment (Re-identification Offence) Bill 2016 (the Bill) is to amend the Privacy Act 1988 in order to introduce provisions which prohibit conduct related to the re-identification of de-identified personal information published or released by Commonwealth entities.

Structure of the Bill The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 5 which inserts into Part III new Division 3 titled ‘Re-identification of de-identified personal information’. This new Division contains the substantive elements of the re-identification offence provisions.

Background Privacy Act: outline The Privacy Act regulates how personal information is handled. Personal information is defined under the Act as:

… information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable. 1

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

The Australian Privacy Principles (APPs), which are contained in Schedule 1 of the Privacy Act, outline how most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information. (Section 15 of the Privacy Act provides that an APP entity must not do an act, or engage in a practice that breaches an APP. Contravention of the APPs may be the subject of a complaint to the Privacy Commissioner and potential investigation under Part V. In some cases, contraventions may be subject to the civil penalty provision in section 13G for serious and repeated interferences with privacy, which is subject to a maximum pecuniary penalty of 2,000 penalty units or $360,000.)

The Privacy Act also includes a wide range of exemptions and exceptions for particular acts and practices and they are found throughout the Act, in the definition of some terms, in specific exemption provisions, and in the AAPs themselves. Some of these exemptions, such as the small business exemption, the political party exemption, the employee record exemption, exemptions relating to journalists and members of parliament were controversial when introduced and enacted in 2000 and have remained so since then.2

The APPs support de-identification of personal information in specified circumstances. For example, if an entity to which the Privacy Act applies no longer needs personal information for any purpose for which it was collected or may be used, the entity must take reasonable steps to destroy or de-identify the information (APP 11.2). The credit reporting scheme in Part IIIA also contains civil penalty provisions in relation to credit reporting bodies that fail to destroy certain credit-related information or ensure it is de-identified at the end of a mandatory retention period prescribed by Part IIIA. These provisions impose a maximum pecuniary penalty of 1,000 penalty units or $180,000.3

De-identification of personal information It has been said that de-identification is one of the most contentious contemporary privacy issues. The debate centres on whether personal information can ever be truly de-identified.4

Under the Privacy Act personal information is ‘de-identified’ if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.5

1. Section 6 of the Privacy Act. 2. Parliament of Australia, ‘Privacy Amendment (Private Sector) Bill 2000 homepage’, Australian Parliament website; Privacy Amendment (Private Sector) Act 2000. 3. For example, subsection 20V(2) of the Privacy Act. 4. Commissioner for Privacy and Data Protection (CPDP), De-identification, Background paper, CPDP, Melbourne, 2015, p. 1. 5. Section 6 of the Privacy Act.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 4

De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so. Generally, de-identification includes two steps:

• removing personal identifiers, such as an individual’s name, address, date of birth or other identifying information, and

• removing or altering other information that may allow an individual to be identified, for example, because of a rare characteristic of the individual, or a combination of unique or remarkable characteristics that enable identification.6

De-identified data is also known as anonymised data.

The Office of the Australian Information Commissioner (OAIC) states that while de-identification can be effective in preventing re-identification of an individual, it may not remove that risk altogether. There may, for example, be a possibility that another dataset or other information could be matched with the de-identified information. OAIC therefore advises that the risk of re-identification must be actively assessed and managed to mitigate this risk. This should occur both before an information asset is de-identified and after disclosure of a de-identified asset.7

Re-identification is the process of associating an identity with information that has previously been de-identified. It is one of the greatest challenges to the integrity of the de-identification process and generally occurs through:

• poor de-identification: where identifying information is inadvertently left in the data

• data linkage: it can be possible to re-identify individuals by linking a de-identified dataset with an ‘auxiliary dataset’.8

The benefits of responsible, appropriate and effective de-identification processes are said to be that they can enable the publication of major datasets enabling ‘the government, policymakers, researchers, and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes’.9

On 7 December 2015, the Australian Government released its Public Data Policy Statement as part of the National Innovation and Science Agenda. The Policy Statement commits Commonwealth Government entities to:

• specific actions designed to optimise the use and reuse of public data

• release non-sensitive data as open by default

• collaborate with the private and research sectors to extend the value of public data for the benefit of the Australian public.

The Statement points to the benefits of use of public data stating:

The data security and privacy of all Australians is of the highest importance. The government will always adhere to privacy laws and the highest possible security standards. Non-sensitive public data can, however, be of enormous benefit to the Australian economy. 10

On 28 September 2016 the Attorney-General announced that the Privacy Act would be amended in order to improve protections of anonymised datasets published by the Commonwealth Government. The amendment would create a new criminal offence of re-identifying de-identified government data. It would also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset. The legislative change, which the Attorney-General said would be introduced in the Spring Sittings of Parliament, would provide that these offences take effect from the day of this announcement.11

6. Office of the Australian Information Commissioner (OAIC), De-identification of data and information, Privacy business resource, 4, OAIC, Sydney, April 2014, p. 2. 7. Ibid.

8. CPDP, De-identification, op. cit. 9. G Brandis (Attorney-General), Amendment to the Privacy Act to further protect de-identified data, media release, 28 September 2016. 10. Department of the Prime Minister and Cabinet (PM&C), ‘Public data policy’, PM&C website, December 2015. 11. In fact the Bill provides that the offences take effect from 29 September 2016, the day after this announcement.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 5

In justifying the need for these amendments, the Attorney-General referred to the Government’s Public Data Policy Statement and also to the need to balance open data with privacy protection:

Our ability to deliver better policies and to solve many of the great challenges of our time rests on the effective sharing and analysis of data. For this reason, the Coalition Government has promoted the benefits of open government data, in accordance with the Australian Government Public Data Policy Statement, and published anonymised data on data.gov.au.

In accepting the benefits of the release of anonymised datasets, the Government also recognises that the privacy of citizens is of paramount importance.

It is for that reason that there is a strict and standard government procedure to de-identify all government data that is published. Data that is released is anonymised so that the individuals who are the subject of that data cannot be identified.

However, with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future. 12

Media and other reports suggested that the Attorney-General’s announcement was in fact triggered by a recent Department of Health data breach involving Medicare and Pharmaceutical Benefit Scheme (PBS) data. On 29 September 2016, the day after the Attorney-General’s announcement, the Department of Health issued a media release stating it had removed a research dataset based on Medicare and PBS claims from its open data portal after a team of Melbourne researchers alerted the Department that their research revealed that medical practitioner details could be decrypted.13 In a separate statement the researchers explained their research methods, also stating that publishing data can be a great risk to privacy:

Publishing data can bring great benefits to research but also great risks to privacy. The mathematical details matter: it’s a technically challenging task to understand whether a particular algorithm securely encrypts data or not. Datasets containing sensitive information about individuals clearly deserve more caution than others, and may not always be suitable for open public release.

The Australian Government’s open data program provides numerous benefits, allowing better decisions to be made based on evidence, careful analysis, and widespread access to accurate information.

Decisions about data publication itself should follow the same philosophy.

We have some important decisions to make about what personal data to publish and how it should be anonymised, encrypted or linked. Making good decisions requires accurate technical information about the security of the system and the secrecy of the data. 14

Committee consideration Senate Standing Committee on Legal and Constitutional Affairs On 9 November 2016, the Selection of Bills Committee referred the Bill to the Legal and Constitutional Affairs Legislation Committee for inquiry and report by 7 February 2017.15 Details are available at the inquiry webpage.16 Submissions to this inquiry are referred to below.

12. Brandis, Amendment to the Privacy Act to further protect de-identified data, op. cit. 13. Department of Health, Data update, media release, 29 September 2016. See also, P Cowan, ‘Health pulls Medicare dataset after breach of doctor details’, itnews, 29 September 2016. 14. C Culnane, B Rubinstein and V Teague, Understanding the maths is crucial for protecting privacy, Pursuit, University of Melbourne,

Melbourne, 29 September 2016. 15. Senate Standing Committee for Selection of Bills, Report, 8, 2016, The Senate, 9 November 2016, p. 3. 16. Inquiry homepage, Senate Legal and Constitutional Affairs Legislation Committee, ‘Privacy Amendment (Re-identification Offence) Bill 2016’.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 6

Senate Standing Committee for the Scrutiny of Bills The Senate Standing Committee for the Scrutiny of Bills reported on the Bill in its Alert Digest of 9 November 2016.17 The Committee raised some concerns with the Bill. In particular, the Committee sought from the Attorney-General:

• further advice on why the retrospective criminal offences are appropriate

• further justification for reversing the evidential burden of proof for a person relying on the defences to offences for re-identifying de-identified personal information and the disclosure of re-identified information

• further justification as to the breadth of the Minister’s discretionary power to determine that an entity is exempt for the purposes of the criminal and civil penalty provisions relating to the re-identification of personal information and its use; and whether consideration has been given to whether it is possible to more narrowly define the offence and civil penalty provisions so that research which is in the public interest is less likely to fall within them.18

The Attorney-General, in response, reiterated views put in the Explanatory Memorandum and his Ministerial press release.19 In relation to the retrospective criminal offences the Attorney-General defended them arguing that the retrospective application was made very clear in his Ministerial statement of 28 September and as a result ‘entities were clearly given notice that this particular conduct will be made subject to offences from that time’.20 The Committee responded reiterating its long-standing scrutiny concern that ‘legislation by press release’ challenges a basic value of the rule of law. The Committee therefore draws its concerns about the retrospective aspect of these criminal offences to the attention of the Senate as a whole.21

In justifying the reversal of the evidential burden of proof for the various exceptions to the offence provisions, the Minister argued that an accused entity is in the best position to discharge the burden of proof for these exceptions and furthermore this reversal is consistent with the principles set out in the Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers (the Guide). The Committee in response argued that it appears the reversals of the evidential burden of proof may not be framed in accordance with the relevant principles in the Guide. The Committee also requested that the key information provided by the Attorney-General to the Committee be included in the Explanatory Memorandum to the Bill.22

In relation to the Minister’s discretionary power to determine exemptions in proposed section 16G, the Attorney-General argued that the current breadth of the exemption is appropriate. He is of the view that given the narrow scope of the proposed offences, he does not expect there will be a large number of entities who will need exemptions for research in the public interest. The Committee in response asked that the information provided by the Attorney-General be included in the Explanatory Memorandum and reiterated its previous view that it is appropriate that Parliament define the boundaries of criminal wrong-doing rather than leaving these boundaries to depend (in part) on executive decision-making.23

Policy position of non-government parties/independents At the time of writing, the Labor Party has not expressed a public view on the Bill, however, Shadow Minister for Health Catherine King was critical of the Government’s handling of the health data breach that occurred in September 2016. Ms King said that ‘the Government’s 17 day delay in admitting to a breach of health data under their watch is unacceptable’.24 Ms King stated:

According to reports today, there were 1500 downloads of the data set, with the records containing details of prescriptions and procedures that could reveal extremely sensitive health information.

17. Senate Standing Committee for the Scrutiny of Bills, Alert digest, 8, 2016, The Senate, 9 November 2016, pp. 32-37. 18. Proposed section 16G. 19. Scrutiny of Bills Committee, Report, 10, 2016, The Senate, Canberra, 30 November 2016, pp. 664-672. 20. Ibid., p. 671. 21. Ibid., p. 672. 22. Ibid., p. 666. 23. Ibid., p. 669. 24. C King (Shadow Minister for Health and Medicare), 17 days to reveal health data breach simply not good enough, media release,

20 September 2016.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 7

The Health Minister's failure to stand up and give Australians basic details about this breach is appalling.

It's no wonder the Attorney-General is dragging his feet to introduce mandatory reporting of data breaches, when his own Government waits 17 days to admit to a data breach, and doesn't commit to informing everyone affected. 25

At the time of writing the position of the cross bench members and senators is not known.

Position of major interest groups At the time of the Attorney-General’s initial policy announcement, some IT journalists expressed concern focusing mainly on the impact of the proposed offences on genuine researchers such as the group from Melbourne University who had discovered the Department of Health data breach.

For example, Digital Rights Watch, a non-profit organisation established in 2016 to promote human rights in the digital environment, was quoted as saying the policy announcement was deeply concerning:

Digital Rights Watch have raised deep concerns over proposed changes to the Privacy Act, citing the need for community and expert consultation before any legislation is introduced. 26

Digital Rights Watch Chair, Mr Tim Singleton Norton stated:

This move is extremely concerning and seems to be preemptive of the work of the Productivity Commission and its inquiry into data availability and use. The Minister is alluding to potentially a very broad offence of ‘facilitating’ re-identification …

The specific wording of ‘counsel, procure, facilitate or encourage’ will need to be framed carefully to exclude innocent acts, such as rigorous penetration testing of encryption software. Likewise, the whole area of research into de-identification research, such as that undertaken by the CSIRO, could be jeopardised through heavy-handed legislation.

The Attorney General states that with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future. That’s absolutely correct - the SLK581 keys purported to be used in the recent Census have already been shown to be ineffective at anonymising personal data …

Criminalising security testing is the wrong way to increase security. The Government should instead focus on ensuring that data is not collected or stored in forms that allow re-identification. Rather than concentrating on best practices to address this important issue, this Government is instead opting to punish anyone who discovers flaws in its methods.

People in the community who identify weaknesses in government data management practices, either innocently or actively in the public interest, should not be treated as criminals. We are all worse off if vulnerabilities are not disclosed.

As with most legislation, the detail of how these amendments are framed will be key. This is an important element of privacy law in this country and must be drafted in consultation with privacy experts and the wider public that it impacts. 27

Media, Entertainment & Arts Alliance (MEAA), the union and industry advocate for Australia’s journalists, also opposed the Attorney-General’s announcement, stating such a move would undermine legitimate research, scrutiny and security testing of anonymised data. In a MEAA media release, the CEO Paul Murphy stated:

Journalists should be able to scrutinise and report on flaws in government security measures. Proposed changes to the Privacy Act would now act as a catch-all that would criminalise legitimate scrutiny and testing of those measures.

25. Ibid.

26. Digital Rights Watch, Concerns around proposed amendments to Privacy Act, media release, 29 September 2016. 27. Ibid.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 8

Of particular concern is the proposed change that would make it an offence to ‘counsel, procure, facilitate or encourage’ anyone to re-identify data as well as to publish or communicate a re-identified data set.

Legitimate public interest journalism and genuinely well-intentioned innocent activities could be caught up by these proposed changes … Journalists working with experts in data security would all be caught up by these changes simply for seeking to determine if there are flaws in the security of government data sets. Government should be subject to legitimate scrutiny and the Privacy Act should not be used to prevent legitimate investigations in the public interest.

28

The Senate Legal and Constitutional Affairs Legislation Committee inquiry into the Bill has received 15 submissions with the majority of these raising concerns about the Bill.

For example the Law Council of Australia argues there are a number of concerning features with the Bill. In particular the Law Council noted that the move to a criminal approach of punishment for re-identification of data warrants further investigation and testing, not least because of the higher onus of proof required and the reverse onus provisions. This it is argued ‘will make enforcement difficult and in some cases virtually impossible’.29 The Law Council, like many submitters to the inquiry, is also opposed to the enactment of legislation with retrospective effect, particularly in cases that create retroactive criminal offences or which impose additional punishment for past offences.30 Nor does the Law Council consider the reverse onus provisions are appropriate and argues they should be removed.31

The Office of the Australian Information Commissioner (OAIC), while ‘recognising that the Bill has the potential to be a privacy-enhancing tool by providing a deterrent against the intentional re-identification of certain datasets’, is of the view that ‘the introduction of new criminal offences and civil penalties, in and of itself, is unlikely to eliminate the privacy risks associated with the publication of de-identified datasets.32 Rather, the OAIC believes that additional measures will be required for the policy objective of the Bill to be supported. In particular, agencies need to implement practices, procedures and systems to ensure that they comply with the Privacy Act. That includes taking reasonable steps to ensure personal information is not disclosed through open publication.33

The Australian Privacy Foundation is highly critical of the Bill stating that the proposed offences in the Bill are an ‘inadequate response to underlying intrinsic vulnerabilities associated with current de-identification methods which have the potential for re identification of personal information as re-identification becomes feasible’. It argues:

The proposed law is misconceived as blunt criminal prohibitions will inhibit legitimate data security research, including research into de-identification and re-identification technologies. 34

The Australian Privacy Foundation raises a number of specific criticisms including:

• The vesting of too much power in the Attorney-General to approve or disapprove of entities conducting data security work

• The proposed law will be inapplicable in practice to entities operating overseas who may be able to re-identify Australian government data released publicly

• The measures are a risky policy experiment internationally, given no other jurisdiction comparable to Australia has any similar laws currently in place

28. Media, Entertainment & Arts Alliance (MEAA), MEAA urges consultation over privacy changes, media release, 29 September 2016. 29. Law Council of Australia, Submission to Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Re-identification Offence) Bill 2016, 16 December 2016, p. 7. 30. Ibid., p. 8. 31. Ibid., p. 9. 32. Office of the Australian Information Commissioner (OAIC), Submission to Senate Legal and Constitutional Affairs Legislation Committee,

Privacy Amendment (Re-identification Offence) Bill 2016, 2016, pp. 1-2. 33. Ibid., p. 2. 34. Australian Privacy Foundation, Submission to Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Re-

identification Offence) Bill 2016, 16 December 2016, p. 1.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 9

• The measures do not provide any incentives for Australian government agencies to increase their data security, or investigate and adopt data minimisation, nor for researchers to announce a vulnerability or breach.35

Instead of this Bill, the Australian Privacy Foundation argues the Australian Government and Parliament should adopt a range of privacy protective measures including:

[…] introduce tougher data and personal information security measures and practices in the form of legislation for Australian government agencies and private sector entities, rewarding discovery of weaknesses in protection and creative ‘data minimisation’ strategies, with strong penalties for these organisations in the event of data breaches. 36

The Committee received a submission from Chris Culnane, Benjamin Rubinstein and Vanessa Teague, the team of Melbourne researchers that had alerted the Department of Health to the data breach involving Medicare and PBS data. They argue against the Bill stating:

The threat of jail time discourages law-abiding Australian researchers and journalists from making the simplest and most convincing demonstration that a de-identification method has failed. If the new rules had been in place in September, we would not have discovered the problem in the MBS/PBS dataset encryption, the dataset would probably still be up, and the government could be unaware it was insecure.

37

While agreeing that some uses of re-identified or incompletely de-identified data should be prohibited, the researchers submit that there is no good reason to prohibit re-identification itself. Their submission concludes:

Criminalizing re-identification without a clear and explicit exemption for research or a defence on the grounds of public interest will be bad for privacy and information security. It will make the government far less likely to learn about a problem before criminals and foreign governments do.

The best way to improve protections of anonymised datasets is to permit free and open re-identification combined with responsible disclosure. 38

Another report on the Bill suggests a contradiction in the Government’s policy regarding access to data versus personal privacy:

One criticism of the … Bill has been that the government, while professing its concern for privacy, has been quick to introduce legislation regulating data access but slow to implement measures designed to provide checks and balances for such regulation of data.

An example of this is cited by the ZDNet technology site, which says that while the AG and the government profess "commitment to Australian citizens' privacy . . ." they have yet to amend the Privacy Act to implement ". . . a mandatory data-breach notification scheme for [their] data-retention legislation". In that respect the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), passed by the Australian government in March 2015, came into effect in October 2015 and will result in citizen's ". . . call records, location information, IP addresses, billing information, and other data stored for two years by telecommunications carriers, accessible without a warrant by law-enforcement agencies" and as yet data-breach notification laws are not in place and it is feared the same might be the case with respect to the … Bill.

39

Financial implications The Explanatory Memorandum states that the Bill has no significant impact on Commonwealth expenditure or revenue.40

35. Ibid., pp. 3-4. 36. Ibid., p. 4. 37. C Culnane, B Rubinstein and V Teague, Submission to Senate Legal and Constitutional Affairs Legislation Committee, Privacy Amendment (Re-identification Offence) Bill 2016, November 2016, p. 3.

38. Ibid., p. 4. 39. TimeBase, Re-identifying de-identified data Bill 2016 introduced, media release, 13 October 2016. 40. Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016, p. 3.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 10

Statement of Compatibility with Human Rights As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.41

Parliamentary Joint Committee on Human Rights The Parliamentary Joint Committee on Human Rights considered the Bill in its ninth report of 2016.42 Its main focus was on the retrospective effect of the criminal offences of re-identifying de-identified government data in proposed sections 16D and 16E. The Committee observed that Article 15 of the International Covenant on Civil and Political Rights prohibits retrospective criminal laws and that this prohibition is absolute and can never be permissibly limited. Accordingly the Committee requested advice from the Attorney-General as to whether consideration has been given to amending paragraphs 16D(1)(c) and 16E(1)(c) such that the offences in these sections operate prospectively, that is from or after the date of Royal Assent.43

The Committee also considered the reverse onus of proof exemptions to the offences in proposed section 16D and 16E noting that they engage and limit the right to the presumption of innocence. However, the Committee concluded that given ‘the nature of the matters to be proven by the defendant pursuant to the proposed sections, and that the sections impose an evidentiary burden only … the measures are likely to be a proportionate limitation on the presumption of innocence’.44

Key issues and provisions Re-identification of de-identified personal information Item 5 of Schedule 1 inserts into Part III of the Privacy Act new Division 3 titled ‘Re-identification of de-identified personal information’. The new Division, consisting of proposed sections 16CA, 16D, 16E, 16F and 16G, contains the substantive elements of new re-identification offence provisions prohibiting conduct related to re-identification of de-identified personal information published or released by Commonwealth entities.

Application Proposed section 16CA is an application provision. Its purpose is to bring certain entities normally exempt from the scope of the Privacy Act within the scope of the re-identification offence provisions.

Specifically, subsection 7B(1) and paragraph 7(1)(ee) exempt individuals acting in a non-business capacity from regulation under the Privacy Act. Proposed paragraph 16CA(1)(a) has the effect of bringing such individuals within the scope of the re-identification offence and civil penalty provisions in proposed sections 16D to 16F.

Similarly paragraphs 7B(2)(a) and (b) and paragraph 7(1)(ee) exempt small businesses working as contracted service providers for a Commonwealth contract from regulation under the Privacy Act in relation to activities that are not for the purposes of a Commonwealth contract. Proposed paragraph 16CA(1)(b) has the effect of bringing such small businesses within the scope of the offence and civil penalty provisions in proposed sections 16D to 16F.

Note that while small business operators are generally excluded from the operation of the Privacy Act,45 small businesses are to be covered by the re-identification offence provisions.46

Offences and civil penalty provisions Proposed section 16D is a dual offence and civil penalty provision providing that de-identified personal information must not be re-identified. More specifically an entity (that is an agency, organisation or a small

41. The Statement of Compatibility with Human Rights can be found at pages 4-9 of the Explanatory Memorandum to the Bill. 42. Parliamentary Joint Committee on Human Rights, Report 9 of 2016, 22 November 2016, pp. 23-26. 43. Ibid., pp. 23-24. 44. Ibid., p. 26. 45. Under the combined operation of sections 6C, 6D and 6DA small businesses are generally excluded from the Privacy Act. 46. Small businesses are brought within the ambit of the new offence provisions by the use of the term ‘entity’. An entity is defined as an agency,

organisation or small business operator (the Privacy Act, section 6).

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 11

business operator47) contravenes subsection 16D(1) if it re-identifies de-identified personal information in the following circumstances:

• information has been published by an agency in a generally available publication48 and published on the basis that it was de-identified personal information,49 and

• on or after 29 September 2016, the entity does an act with the intention of de-identifying the information,50 and

• the act has the result that the information is no longer de-identified.51

Proposed subsection 16D(6) provides that contravention of subsection 16D(1) is an offence, punishable by a maximum penalty of imprisonment for two years or a fine of 120 penalty units ($21,600).52 Note 1 to subsection 16D(1) states that the ancillary offence provisions in Part 2.4 of the Criminal Code (aiding, abetting, counselling, procuring, incitement, attempt and conspiracy) apply in relation to this offence. Note 1 is not legally necessary, as it is declaratory of the application of the extensions of criminal responsibility in Part 2.4 of the Criminal Code to Commonwealth offences by reason of section 11.6.53 The Explanatory Memorandum does not explain why Note 1 has been included. One possible reason, however, may be a policy intention to give express effect to the Attorney-General's announcement ‘it will also be an offence to counsel, procure, facilitate or encourage anyone to do this’.54

Proposed subsection 16D(7) provides that an entity is liable to a maximum civil penalty of 600 penalty units ($108,000) if the entity contravenes subsection 16D(1). As the Explanatory Memorandum explains, the civil penalty is intended as an alternative to the criminal penalty for the same conduct.55 Note 2 to subsection 16D(1) confirms that section 80V of the Privacy Act, dealing with ancillary contraventions of civil penalty provisions also applies (including aiding, abetting, counselling or procuring a contravention). The Explanatory Memorandum does not contain an explanation of why this note was included. The note is legally unnecessary as section 80V applies automatically to all civil penalty provisions in the Privacy Act. The reference to section 80V of the Privacy Act in Note 2 will need to be amended if the Regulatory Powers (Standardisation Reform) Bill 201656 (presently before the Senate) is passed (Regulatory Powers Bill).57

47. Ibid.

48. ‘Generally available publication’ means a magazine, book, article, newspaper or other publication that is, or will be, generally available to members of the public, in print, electronic or in any other form (section 6). The Explanatory Memorandum explains that circumstances covered by section 16D would not include other more limited disclosure by an agency, such as discrete disclosure by the agency to a service provider or research institution (p. 13).

49. Under subsections 5.6(2) and 5.4(1) of the Criminal Code Act 1995, the prosecution must prove that the defendant was reckless as to each of these circumstances (that is, aware of a substantial risk that each circumstance existed, and acted unjustifiably in the circumstances known to him or her at the time by taking the risk and doing the relevant act with the intention of de-identifying the information).

50. Under subsection 5.6(1) and subsection 5.2(1) of the Criminal Code, the prosecution must prove that the defendant intended to engage in the relevant act (for example, that the defendant meant to run a program) and must also prove that person did so with the ‘ulterior intent’ of achieving the result that the information is no longer de-identified.

51. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable (section 6). Further, under subsection 5.6(2) and subsection 5.4(2) of the Criminal Code, the prosecution must prove that the defendant was reckless that his or her conduct would have the result of de-identifying the information. (That is, aware of a substantial risk, but nonetheless and unjustifiably in the circumstances known to the defendant at the time, taking the risk by engaging in the act.)

52. A penalty unit is currently equal to $180, (subsection 4AA(1) of the Crimes Act 1914). 53. The insertion of notes explaining the application of the general principles of criminal responsibility is not usual drafting practice. It raises the risk of creating unintended consequences—for example, evincing an intention that other offence provisions in the same enactment which do not contain a note are intended to displace or modify the application of Part 2.4 of the Criminal Code. One potential risk in relation to Note 1

is that it refers to only some of the ancillary offence provisions in Part 2.4 of the Code. It does not include joint commission in section 11.2A or commission by proxy in section 11.3. It might be queried whether the Government means to evince an intention that these extensions of criminal liability should not apply to subsection 16D(6). 54. Brandis, Amendment to the Privacy Act to further protect de-identified data, op. cit. 55. Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016, op. cit., p. 17. 56. The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page. 57. Schedule 13 to the Regulatory Powers (Standardisation Reform) Bill 2016 (item 7) repeals existing Part VIB of the Privacy Act including existing section 80V and replaces it with a new part. The proposed new provision corresponding to existing section 80V will be subsection 80U(1) which provides that each civil penalty provision in the Privacy Act is enforceable under Part 4 of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act). (Section 92 of the RPA, within Part 4, makes provision for the ancillary contravention of civil penalty provisions.) Ideally, the Privacy Amendment (Re-identification Offence) Bill should contain some contingent amendments to deal with the prior or subsequent enactment and commencement of the Regulatory Powers Bill.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 12

Proposed subsections 16D(2) to 16D(5) set out the exemptions for the offence and civil penalty provisions. The prohibition on re-identifying de-identified data will not apply if:

• in the case of an agency, the re-identification was done in connection with the performance of the agency’s functions or activities; or was required or authorised under an Australian law or a court/tribunal order (proposed subsection 16D(2))

• in the case of a Commonwealth contracted service provider to the responsible agency, the re-identification was done for the purposes of meeting (directly or indirectly) a contractual obligation (proposed subsection 16D(3))

• in the case of an entity who has an agreement with the responsible agency, the act was done in accordance with the agreement (proposed subsection 16D(4))

• the entity is exempt because of a section 16G Ministerial determination providing exemptions for research or other purposes the Minister considers appropriate (see below) (proposed subsection 16D(5)).

The defendant to criminal proceedings brought under proposed subsection 16D(6) would bear an evidential burden in proving that any of these exemptions applies.58 It is also of note that the Regulatory Powers (Standardisation Reform) Bill 2016 (presently before the Senate and referred to above) would, if passed, have some impact on the exemptions and the required burden of proof in civil penalty proceedings.59

Proposed section 16E is a dual offence and civil penalty provision, providing that re-identified personal information must not intentionally be disclosed. More specifically an entity contravenes subsection 16E(1) if:

• information has been published by an agency in a generally available publication on the basis that it was de-identified personal information and

• on or after 29 September 2016, the entity does an act that has the result that the information is no longer de-identified and

• the entity is aware that the information is no longer de-identified and

• on or after 29 September 2016, the entity discloses the information to a person or entity other than the responsible agency.

The maximum penalty for this offence is imprisonment for two years or 120 penalty units ($21,600) (proposed subsection 16E(7)). Note 1 to subsection 16E(1) states that the ancillary offence provisions in Part 2.4 of the Criminal Code (aiding, abetting, counselling, procuring, incitement, attempt and conspiracy) apply in relation to this offence. As with subsection 16D(1) above, this note is not legally necessary.60

Proposed subsection 16E(8) provides that an entity is liable to a civil penalty of 600 penalty units ($108,000) if it contravenes subsection 16E(1). The civil penalty is intended as an alternative to the criminal penalty for the same conduct. Note 2 to subsection 16E(1) confirms that the provisions of section 80V of the Privacy Act, dealing with ancillary contraventions of civil penalty provisions, also apply (including aiding, abetting, counselling or procuring a contravention). Again this note is not legally necessary.61

Proposed subsections 16E(3) to 16E(6) set out the exemptions from the offence and civil penalty provisions. The prohibition on disclosing re-identified data will not apply if:

58. Generally, where a burden of proof is placed on a defendant it is an evidential burden only (Criminal Code Act 1995, subsection 13.3(1)). The evidential burden can be discharged by the defendant adducing or pointing to evidence suggesting there was a reasonable possibility that a matter existed or did not exist (Criminal Code, subsection 13.3(6)). The effect of imposing an evidential burden on a defendant is to defer the point in time at which the prosecution must discharge its legal burden to disprove the exemption. That is, if the defendant discharges his or her evidential burden, only then is the prosecution required to negate the existence of the exemption beyond reasonable doubt.

59. If passed, Schedule 13 to Regulatory Powers Bill (amending item 7, proposed new subsection 80U(1)) will apply section 96 of the Regulatory Powers Act to the civil penalty provisions in the Privacy Act with the result that the respondent to civil penalty proceedings will bear the evidential burden in relation to exceptions to civil penalty provisions in the Privacy Act. This will extend to the exceptions in proposed subsections 16D(2)-(5) in the present Bill. Also of note is that the application of section 94 of the Regulatory Powers Act to the Privacy Act will mean that the Privacy Commissioner (as applicant for a civil penalty order) will not be required to prove the entity (as respondent's) state of mind in relation to each physical element of the civil penalty provision.

60. See page 11 above and footnote 53. 61. See footnote 57 regarding the impact of the Regulatory Powers Bill.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 13

• in the case of an agency, the disclosure was done in connection with the performance of the agency’s functions or activities; or was required or authorised under an Australian law or a court/tribunal order (proposed subsection 16E(3))

• in the case of a Commonwealth contracted service provider to the responsible agency, the disclosure was done for the purposes of meeting a contractual obligation (proposed subsection 16E(4))

• in the case of an entity who has an agreement with the responsible agency, the disclosure was done in accordance with the agreement (proposed subsection 16E(5))

• the entity is exempt because of a section 16G Ministerial determination providing exemptions for research and purposes the Minister considers appropriate (proposed subsection 16E(6)).

The defendant to criminal proceedings brought under proposed subsection 16E(7) would bear an evidential burden in proving any of these exemptions applies.62

Proposed subsection 16F provides that an entity that re-identifies de-identified data, either intentionally or unintentionally must notify the responsible agency as soon as practicable after becoming aware the of the re-identification. A maximum civil penalty of 200 penalty units ($36,000) applies for failure to notify. The provision applies to personal information re-identified on or after 29 September. The same penalty would also apply for informing or disclosing to a person or entity other than the responsible agency. There are exemptions to these offences which essentially replicate the exemptions that apply in relation to the offences for re-identifying personal information and for disclosure (described above).

Proposed subsection 16F(9) provides that when an entity notifies the responsible agency of the re-identification, the agency may give the entity written directions for dealing with the information. Failure to comply with a written direction would incur a maximum civil penalty of 200 penalty units ($36,000) (proposed subsection 16F(10)). The responsible agency must also notify the Information Commissioner of what has occurred (proposed subsection 16F(9)).

Comment

Retrospective application of the offences and civil penalties Both the offence and the civil penalty provisions relating to re-identification will apply retrospectively to any contraventions occurring on or after 29 September 2016, the day after the Government announced the introduction of the Bill.

While retrospective offences challenge a key element of the rule of law63 and are prohibited under article 15 of the International Covenant on Civil and Political Rights (ICCPR),64 the Government argues that these measures are reasonable and necessary and are consistent with the prohibition on retrospective criminal laws. They are said to be reasonable because the Attorney-General’s press release of 28 September made it abundantly clear that the offences would take effect from the day of that announcement.65 They are argued to be necessary because:

… releases of private information can have significant consequences for individuals beyond their privacy and reputation, which cannot be easily remedied. This warrants swift and decisive action by the Government to prohibit such conduct. Further, the retrospective commencement of the offences creates a strong disincentive for entities to engage in such conduct while the Parliament considers the Bill.

66

62. Ibid. See also footnote 59 above regarding the impact of the Regulatory Powers Bill. 63. That ‘laws are capable of being known in advance so that people subject to those laws can exercise choice and order their affairs accordingly’. Quoted in the Statement of Compatibility with Human Rights, Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016, op. cit., p. 9.

64. Article 15 of the International Covenant on Civil and Political Rights (ICCPR) provides that no one shall be held guilty of any criminal offence on account of any act or omission which did not constitute a criminal offence at the time when it was committed. Quoted in the Statement of Compatibility with Human Rights, ibid.

65. Statement of Compatibility with Human Rights, Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016, op. cit., p. 5. 66. Ibid.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 14

However, it could also be argued that until the Bill is enacted by the Parliament, the exemptions that might be provided for genuine research via ministerial determination remain unknown and therefore this retrospective application will in the meantime cause undue inconvenience and uncertainty for genuine research.

As noted above, the Senate Standing Committee for the Scrutiny of Bills raised concerns with the retrospective nature of the new offences, arguing that the rationale provided in the explanatory materials for the retrospective application of these offences appears to be overly broad and that the conclusion expressed in the statement of compatibility that the measures in the Bill are consistent with the prohibition on retrospective criminal laws has not been adequately explained.67

Threshold issue—criminalisation v civil penalties alone A question that Parliament might consider is whether the prohibitions in proposed sections 16D and 16E should be the subject of criminal offences at all, as distinct from the use of civil penalty provisions alone?

The Explanatory Memorandum refers to the general objective of deterrence but does not specifically address why it is considered necessary to criminalise the mischief sought to be addressed by the enactment of offences in proposed subsections 16D(6) and 16E(7), and in particular why it is considered that such mischief could not be addressed adequately through the imposition of civil penalties alone.

The proposed offences in subsections 16D(6) and 16E(7) appear to be a material change to the regulatory approach taken by the Privacy Act, which utilises civil penalties for the majority of contraventions of prohibitions or obligations imposed under the Act, with the exception of credit reporting offences and the offence for unauthorised secondary disclosures of information in emergencies and disasters.68

Further, these offences are arguably exceptional. For example, the Australian Law Reform Commission (ALRC), in its 2008 report on privacy recommended that the credit reporting offences should be repealed and replaced with civil penalty provisions, primarily because it considered that civil penalties were adequate.69 In October 2009, the (then) Government announced that it accepted that ALRC recommendation.70 Accordingly, the present Bill raises a broader conceptual question about the appropriate form of redress (civil versus criminal, or both) for contraventions of obligations under the Privacy Act.

While the ALRC and the (then) Government’s views on other offence provisions in the Privacy Act are not conclusive of the case for (or against) the enactment of the proposed offences in the present Bill, they arguably suggest a need for a specific justification of the proposal to criminalise contraventions of proposed subsections 16D(1) and 16E(1), rather than reliance on civil penalty provisions alone.

Elements of the prohibitions in proposed subsections 16D(1) and 16E(1)

‘Publication’ v ‘disclosure’—proposed section 16E Proposed paragraph 16E(1)(e) prohibits the disclosure of re-identified information which has been published by or on behalf of the responsible agency. This may have some unintended consequences, arising from potential ambiguity in the meaning of the term ‘disclose’ for the purpose of this provision. In particular:

The prohibition on ‘disclosure’ rather than ‘publication’ of information may technically capture ‘internal’ disclosures (for example, by one researcher within an institution to another).

The prohibition on ‘disclosure’ rather than ‘communication’ might potentially capture the making available of information without being required to intend that it is seen, read or heard by a specific third person or persons. The term ‘disclose’ is undefined in the Privacy Act. However, the OAIC has provided the following interpretation of the ordinary meaning of the term ‘disclose’ for the purpose of the APPs—although it is not clear that this interpretation is (a) authoritative, or (b) capable of application to the proposed offence provisions.

67. Senate Standing Committee for the Scrutiny of Bills, Alert digest, op. cit., p. 37. 68. The relevant credit reporting provisions are sections 20P, 21R, 24 and 24A—relating generally to the provision or disclosure of false or misleading credit information and the offences are punishable by a maximum penalty of 200 penalty units. The offence relating to unauthorised secondary disclosure of information in an emergency or disaster is set out in Part VIA, section 80Q and is punishable by a

maximum penalty of 60 penalty units and/or imprisonment for one year. 69. Australian Law Reform Commission (ALRC), For your information: Australian privacy law and practice, Report, 108, ALRC, Sydney, 12 August 2008, Rec 59-9. 70. Australian Government, Enhancing national privacy protection: first stage response to the Australian Law Reform Commission Report 108: for

your information: Australian privacy law and practice, Australian Government, Canberra, October 2009, p. 128.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 15

An APP entity ‘discloses’ personal information where it makes it accessible to others outside the entity and releases the subsequent handling of the information from its effective control. This focuses on the act done by the disclosing party. The state of mind or intentions of the recipient does not affect the act of disclosure. Further, there will be a disclosure in these circumstances even where the information is already known to the recipient.

71

The Explanatory Memorandum does not explain why the prohibition (and consequently criminal and civil liability) should extend to all disclosures (other than those within the exemptions) rather than being limited to ‘publications’ or ‘communications’. It is also of note that the Attorney-General’s media release of 29 September specifically referred to a prohibition on ‘publication’ and ‘communication’ which are arguably narrower than the OAIC’s interpretation of ‘disclosure’ for the purpose of the APPs.

Breadth of application of proposed sections 16D and 16E—potential unintended consequences

The prohibitions in proposed paragraphs 16D(1)(a) and 16E(1)(a) apply to information that has been published by or on behalf of an agency. The use of the term information would seem broader than the policy intent identified in the Attorney-General’s media release of 29 September (which referred to improving ‘protections of anonymised datasets that are published by the Commonwealth government’). The Australian Government’s data.gov.au site explains that a dataset is ‘simply a structured presentation of data, such as a spreadsheet, with some special features’.72

However, the application of the prohibitions in subsections 16D(1) and 16E(1) (and consequently the offence and civil penalty provisions) to information published by or on behalf of an agency could extend far more broadly—including, for example:

• The release of documents under FOI with redactions made under section 47F of the Freedom of Information Act 1982 (personal privacy) where those redactions were made in a non-secure way and the redacted text is visible simply by changing the colour / contrast settings on a document, or selecting the redacted passage with the mouse. These documents would clearly have been published if uploaded to the agency’s FOI disclosure log, and there may be some argument as to whether they have been published by making them available to the applicant (as a member of the public). The FOI applicant who received that information could potentially be subject to liability under sections 16D and 16E and the duty to notify the agency in section 16F.

• The publication of an image of an individual that is pixelated to protect that person’s identity, but the pixilation is done in a non-secure way with the result that it can be reversed.

While this potential breadth of application is not necessarily problematic, the Explanatory Memorandum does not seem to explain why a broader application than datasets is considered appropriate.

Remedies—compensation orders against persons convicted of offences The Bill does not appear to make consequential amendments to sections 25 and 25A of the Privacy Act. Currently those provisions confer jurisdiction on the Federal Court and Federal Circuit Court to make an order that an entity provide financial or other compensation to a person for loss or damage arising from contravention of the credit reporting provisions in Part IIIA, if the entity is found guilty of an offence under those sections. The power to award compensation would not extend to the proposed offence provisions in new sections 16D, 16E or 16G because it is limited to offences against Part IIIA.

However in contrast, sections 25 and 25A confer jurisdiction on the courts to award compensation for contravention of a civil penalty provision in the Privacy Act. This is not limited to credit reporting and would extend to the proposed civil penalty provisions in sections 16D, 16E and 16F.

To remove arbitrariness or inconsistency it is suggested that there may be a need for consequential amendments to existing subparagraphs 25(1)(a)(ii) and 25A(1)(a)(ii) to extend the application of the compensation provisions to offences against new Division 3 of Part III (that is sections 16D, 16F or 16G).

71. Office of the Australian Information Commissioner, APP guidelines: Chapter 6: APP 6 — Use or disclosure of personal information, February 2014. Under the Privacy Act the Australian Information Commissioner may issue guidelines regarding acts or practices that may have an impact on the privacy of individuals. The APP guidelines outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.

72. Australian Government, Open Government Toolkit: Publishing your Data, September 2016.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 16

Alternatively, it may be desirable for the Government to amend the Explanatory Memorandum to explain why it is not considered appropriate to allow persons who are adversely affected by a re-identification of their personal information to obtain compensation from the convicted entity under the Privacy Act rather than reliance upon private civil proceedings, noting the absence of a Commonwealth victims of crime compensation scheme.

Exemptions for research and other purposes Proposed 16G provides that the Minister may by determination exempt from the offence provisions in new Division 3, certain entities for the purposes of research involving cryptology, information security or data analysis or for any other appropriate purpose as determined by the Minister. The Minister must also be satisfied it is in the public interest to make such a determination and he/she must consult the Information Commissioner before making the determination. Such a determination is a legislative instrument but would not be subject to disallowance.

The Explanatory Memorandum justifies this determinations power stating it:

… will ensure that an appropriate range of research activities can still be undertaken to test or otherwise assess the effectiveness of de-identification techniques, and advise agencies of any shortcomings in those techniques, without engaging the offence provisions. 73

Comment

Absence of explanation of more limited delegation of legislative power As noted above, there has been criticism that the Bill fails to live up to the Attorney-General’s promise to adequately protect researchers from prosecution and in particular that the exemption for genuine academics and researchers should not be reliant on a Ministerial determination.

The Attorney-General’s power to determine exempt entities or classes of entity seems to be very broad, applying to any entity or class of entity for any purpose that the Attorney-General considers is in the public interest. The Senate Standing Committee for the Scrutiny of Bills confirms this view and also suggests that the need for such a broad power of exemption may indicate that the offence and civil penalty provisions have been drawn too broadly. The Committee states that, in general, it is appropriate that Parliament define the boundaries of criminal wrong-doing rather than leaving these boundaries to depend (even in part) on executive decision-making.74

The Explanatory Memorandum does not identify why greater statutory guidance or limitation on the exercise of Ministerial discretion could not be provided in primary legislation. Such guidance or limitation might be considered important to avoid arbitrariness in determining the exposure of regulated entities to criminal and civil liability, particularly noting the non-disallowable status of the instrument.

For example, the Explanatory Memorandum gives no explanation of why it would be inappropriate to enact alternatives that could offer greater certainty and strengthen safeguards against arbitrariness, while permitting flexibility, such as:

• mandatory, statutory considerations to which the Attorney-General must have regard in assessing whether a possible exemption is in the public interest

• statutory circumstances in which the Attorney-General must grant an exemption

• a statutory application process by which entities can seek an exemption from the Attorney-General (potentially with provision for procedural fairness and review)

• amending the consultation requirement at proposed subsection 16G(4) to also require the Attorney-General to take into account the Information Commissioner’s opinion on the proposed determination

• the statutory designation of classes of exempt entities (for example, certain types of research, perhaps by reference to subject matter and the existence of accreditation and/or classes of research institution) with

73. Explanatory Memorandum, Privacy Amendment (Re-identification Offence) Bill 2016, op. cit., p. 15. 74. Senate Standing Committee for the Scrutiny of Bills, Alert digest, op. cit., p. 34.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 17

provision for the Attorney-General to make a legislative instrument excluding a particular entity or class of entities from the exemption, or adding classes of entities

• the conferral of a rule-making power on the Privacy Commissioner rather than the Minister.

An example of an existing exemption scheme from prohibitions in the Privacy Act is contained in subsections 20M(2)-(4) (with respect to credit reporting information). Subsection 20M(2) provides for an exemption from the general prohibition in subsection 20M(1) on using or disclosing de-identified credit reporting information, for the purpose of conducting research. This is provided that the credit reporting body complies with rules made by the Information Commissioner under subsection 20M(3). The rules may include matters of the kind set out in subsection 20M(4) such as the kinds of information that may be used, the purpose of the research and the conduct of the research. Of further interest, the rules made under subsection 20M(3) are subject to disallowance, which may call into question the adequacy of the justification (referred to above) for the non-disallowable status of the Attorney-General’s determinations under proposed subsection 16G(5). It is of interest that the Law Council in its submission has also recommended that this approach to exemptions may be a preferable option with regard to the prohibitions regarding re-identified data.75

The Explanatory Memorandum also does not identify how the proposed exemption scheme provides safeguards against the risk of conflicts of interest (actual, potential or perceived) by the Attorney-General as rule-maker. For example, if an entity seeks an exemption pertaining to the re-identification of information published by the Attorney-General’s Department or an agency within the Attorney-General’s portfolio. Arguably, setting statutory parameters on the exercise of Ministerial discretion to consider and grant exemptions may go some way towards managing the risk.

Other exemptions On a related point regarding exemptions, the Explanatory Memorandum notes that ‘existing exemptions and exclusions in the Privacy Act (such as the exclusion of State or Territory Government entities, or the exemption for media organisations acting in the course of journalism) would also apply’.76

Information Commissioner: functions and powers Part IV of the Privacy Act sets out the Information Commissioner’s functions and section 33C within Part IV deals with the Commissioner’s function of assessing whether entities comply with their obligations under the Privacy Act. Item 6 amends section 33C to add that that the Commissioner has the additional function of conducting an assessment of whether methods used by agencies for de-identifying personal information are effective to protect individuals from being identifiable or reasonably identifiable.

Section 40 sets out the Information Commissioner’s powers of investigation. Item 10 inserts subsection 40(2A), which provides that the Commissioner may, on his or her own initiative, investigate an act that may contravene the re-identification offences in sections 16D to 16F. The Explanatory Memorandum notes that this new investigation power for the Commissioner supports the Commissioner’s existing power to seek civil penalty orders in relation to civil penalty offences under Part VIB of the Privacy Act.77 Item 19 inserts new section 53AA which provides that the Information Commissioner may make a written determination following an investigation under new subsection 40(2A) that it would be inappropriate for any further action to be taken in relation to the matter. This determination power, which is not reviewable, is in addition to the existing determination power in section 52. The Explanatory Memorandum argues that a new and distinct non-reviewable power is appropriate in this situation.78

Section 49 requires that the Information Commissioner refer matters to the Commissioner of Police of the Australian Federal Police (AFP) or the Commonwealth Director of Public Prosecutions (CDPP) in cases where the Information Commissioner forms an opinion that certain offences may have been committed.79 Items 14-17 amend section 49 with the effect that when the Information Commissioner is investigating possible re-

75. Law Council of Australia, op. cit., p. 7. 76. Explanatory Memorandum, op. cit., p. 15. 77. Ibid., p. 28. 78. Ibid., p. 31. 79. These offences are currently credit reporting offences, healthcare identifier offences, tax file number offences and anti-money laundering and

counter-terrorism offences.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 18

identification offences under section 40 and forms the opinion that certain offences may have been committed under section 16D and 16E then he/she must inform the AFP or the CDPP and provide all relevant information. Under existing paragraph 49(1)(c) the Information Commissioner would in this situation also be required to discontinue the section 40 investigation except to the extent that it concerns matters unconnected with the possible offence.

Comment These provisions which set out new functions and powers for the Information Commissioner would appear to be logical and consequential, given the new offence provisions in the Bill. However, it might be asked whether the work involved in providing effective scrutiny of government open data programs may stretch the limited resources of the OAIC.

On a related matter, there may be potential resource implications for law enforcement bodies as well as the OAIC in relation to the proposed new offences, particularly noting the mandatory referral provisions in section 49.80

There will also be a practical question as to whether a matter should be dealt with as a potential contravention of a civil penalty provision or an offence under sections 16D and 16E—in particular how law enforcement decisions will be made in relation to matters referred to the AFP or CDPP under subsection 49(2). (In practice referrals are made to the AFP rather than the CDPP.)81 The OAIC expressed a number of concerns in its submission to the ALRC’s privacy inquiry in 2007 about the lack of prioritisation given by the AFP to matters referred under subsection 49(2) and delays in the AFP making investigative decisions which required the suspension of the Privacy Commissioner’s investigations, and making decisions not to investigate due to resource constraints.82 In its report on the Privacy Act (Report 108) the ALRC took the view that the problems identified by the OAIC could be managed largely via its recommendation to repeal the credit reporting offences, since this would narrow the range of offences required to be referred to the AFP—limiting them to tax file number, healthcare identifier and anti-money laundering and counter-terrorism offences.83

Given that the Bill proposes to expand the range of offences that must be referred to the AFP under section 49(2), the Parliament may find it beneficial to obtain more information about how the proposed expansion would impact upon the resources of the OAIC and the AFP, as well as the efficacy of the Information Commissioner’s investigations since they must be suspended until the AFP provides a notice under section 49(2) indicating that it will not pursue criminal law enforcement action.

The Bill may also exacerbate existing problems in relation to subsection 49(2) because the offence and civil penalty provisions in proposed subsections 16D(6)/(7)-16E(7)/(8) are comprised of identical conduct in the form of a breach of proposed subsections 16D(1) and 16E(1). Therefore, it seems that the Privacy Commissioner will likely be required under amended subsection 49(1) to refer all contraventions of subsections 16D(1) and 16E(1) to the AFP and suspend his or her investigation pending receipt of a notice from the AFP under subsection 49(2).

Concluding comments The Attorney-General’s initial announcement of the new re-identification offence provisions in September 2016 caused some concern as reported in the media, and those initial concerns and criticisms have being reiterated and reinforced since the Bill’s introduction into Parliament. Two Parliamentary Committees have raised

80. For example, in the OAIC’s 2009 submission to the ALRC's inquiry into secrecy laws, the office made the following comment about the referral of credit reporting and other privacy related offences to the AFP under section 49 (at p. 9): "In the Office's experience, few matters referred to the AFP under s 49 as possible offences are subsequently prioritised for investigation by the AFP". "In the last six years, the Office is aware of at least nine referrals made to the AFP. In all instances, the AFP has considered the Office's referral but has declined to, or has been unable to, investigate for various reasons including lack of resources or competing operational requirements". Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s review of secrecy laws, Discussion paper, 74, Office of the Privacy Commissioner, Sydney, August 2009.

81. The OAIC has indicated in a submission to the ALRC’s inquiry to secrecy laws in 2009 that in practice referrals are made to the AFP as the CDPP advised it would not accept referrals in the absence of a brief of evidence from the AFP. Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Secrecy Laws, Discussion paper, 74, op. cit.

82. Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy, Issues paper, 31, Office of the Privacy Commissioner, Sydney, February 2007. The OAIC repeated some of these concerns in its submission to the ALRC’s secrecy inquiry in 2009. Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Secrecy Laws, Discussion paper, 74, op. cit.

83. See ALRC, For your information: Australian privacy law and practice, op. cit., paragraph 49.108.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Privacy Amendment (Re-identification Offence) Bill 2016 19

questions regarding some provisions and most submitters to the current Senate Committee inquiry into the Bill are critical of at least some aspects of the Bill. The introduction of criminal offences into the Privacy Act, the retrospective nature of those offences, the Bill’s possible impact on genuine data security research and the effect of the research exemption being reliant on Ministerial determination are amongst the criticisms that have repeatedly been raised. The controversial retrospective nature of the offences which will commence from the Attorney-General’s initial announcement rather than from when the Bill receives Royal Assent, is perhaps indicative of an anxious response to data security issues that have arisen since the introduction of the Government’s recent open data program.

More broadly, the Bill raises questions about the risks of open data to privacy and the importance of good and effective data security. The Melbourne University researchers who discovered the Department of Health data breach have raised serious questions about de-identification and data publication. Amongst their concerns, they say that data sets containing sensitive information about individuals clearly require more caution than others and may not always be suitable for open public release.

Another question concerns the additional workload that presumably this Bill and the Privacy Amendment (Notifiable Data Breaches) Bill (which is also currently before the Parliament) might bring to the OAIC. It might be asked whether the work involved in providing effective scrutiny of government open data programs plus the increased workload arising from the mandatory data breach notification system may stretch the limited resources of the OAIC.

© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2500.