Data sharing reforms are taking shape and federal agencies need to get up to speed. Expect new powers, new responsibilities and cultural change

By Stephen Easton

Monday September 9, 2019

Getty Images

The data sharing and release scheme aims to stake out a patch of middle ground between locking up government information and releasing it on data.gov.au for all the world to see, according to a discussion paper that doubles as a reform manifesto. Draft legislation is expected in early 2020 but new rules will just be the start; public servants are expected to change their attitudes.

“A much larger part of the journey is changing the Australian public service culture to achieve the paradigm shift from ‘need to know’ to ‘responsibility to share’ where there is clear public benefit.”

Federal agencies would be empowered to share the contents of publicly owned databases more widely, but only to support better government policy and service delivery or research and development that benefits society.

The legislation will create new authority to share data but not for compliance, law enforcement, national security or purely commercial purposes. Anything of that nature will continue to be governed by other laws, as will My Health Record data.

Agencies would get a limited exemption from some existing secrecy and non-disclosure rules that prevent data sharing, as long as they abide by the new rules. If not, the exemption would evaporate meaning existing penalties for those unauthorised disclosures “rebound” back into play.

Open data has proven riskier than first thought, as it is sometimes possible to identify specific individuals in anonymised datasets, and the risk of this occurring increases over time. The paper notes that “once released, data cannot be retracted or protected against future uses and misuses” but also points to an opportunity cost in keeping information locked away entirely.

“Closed data protects privacy, but carries the risk that research does not use the best information, government policies are not targeted where they are most needed, and citizens find it difficult and annoying to access government services.”

The paper claims data sharing and release also enhances transparency about what information the government has in its files. Its authors lament that public conversations are stuck in a “binary” view with only two options: open or closed.

“We need to make a distinction between data sharing and open data release. By data sharing, we mean providing controlled access to the right people for the right reasons with safeguards in place. By data release, we mean open data that is made available to the world at large.”

A “purpose test” would define the right people and the right reasons.

“The purpose test is satisfied if sharing is reasonably necessary to inform government policy, program and service delivery or for research and development. Data sharing for any other purposes, including compliance, law enforcement and national security is not permitted under this legislation. Government agencies must use other legislative avenues such as their primary legislation to share data for such purposes.”

The discussion paper sets out some clear positions the government has reached since publishing an issues paper last July, receiving 108 submissions, and holding about 50 roundtables with “interested stakeholders” plus unspecified bilateral talks.

Authorisations for agencies

The act would not allow the open release of “personal information” or expand the authority of agencies to share open data; the government position is they already have sufficient means but need to be encouraged use them more often.

“Government agencies are confused and uncertain about the existing mechanisms and lack the confidence to use them. We heard that broader cultural barriers in the Australian Public Service related to data use, including a general risk aversion in decision making and a lack of understanding of what can be done and how to do it, also come into play to limit the release of open data.”

Each new instance of data sharing would need a written agreement explaining its purpose, as well as risk management and accountability arrangements. There may be a special approach for Indigenous data, possibly even a whole-of-government Indigenous data strategy.

The legislation will not compel agencies to share data; it will be up to them to decide whether to use their new powers and whether they can do so safely in a given situation.

The paper notes a tension here: secrecy is quite important in certain cases, but on the other hand, “the research sector is concerned secrecy provisions are used by the Australian Public Service to indiscriminately lock up data”.

The government sees merit in both arguments, and intends to have a list of existing secrecy provisions that will not be overridden by the data sharing and release legislation. Agencies will have the chance to “make a case” for certain secrecy rules to be maintained and the list will go out for public consultation along with the draft law.

Agencies will not necessarily need the consent of people represented in the data they share. Early reactions to the paper suggest this is a key point of contention, following the carve-out of potentially controversial and sensitive applications of data sharing. The government says:

“Listening to feedback from consultations and our National Data Advisory Council, we have nuanced our position on consent. While consent is important in certain situations, the societal outcomes of fair and unbiased government policy, research and programs can outweigh the benefits of consent, provided privacy is protected.”

The paper regularly notes there are divergent views about the risks and benefits of data sharing and release. Some feel individual privacy and consent should be paramount, especially when citizens usually can’t opt out of telling the government about themselves, and some sceptics suggest the value of the data is routinely overstated.

Others – mainly researchers, whose views featured heavily in consultations – are more concerned that immense value will stay locked away if the data is not shared because individual rights are placed above the interests of society as a whole. The preferred approach is to leave it up to agencies to decide when consent is required with guidance from the data commissioner.

“There were robust discussions and debate in roundtables about consent,” according to the paper.

“Many participants noted the inherent complexities of consent: what constitutes consent, when does the wider societal benefit outweigh the individual’s right to consent, and whether it is reasonable to place the burden on individuals to read long privacy policies or if the government should regulate to a higher privacy standard.

“Particular to our system, many warned that a consent model could create biases in data and result in the allocation of government services to where citizens who had consented rather than to citizens in greatest need.”

The government says there is support for “efforts to progress the public conversation around consent” and it was told to be clear about its intentions to avoid taking the public by surprise.

What is and isn’t likely to be authorised by a new data sharing scheme. Image: PM&C discussion paper.

The commissioner

The paper also explains the role of the National Data Commissioner, currently held by Deborah Anton on an interim basis.

The office is described as “a central trusted authority to provide advice and guidance on the framework” that spends its time “driving change and supporting best practice sharing and release of public sector data” while trying to enforce compliance and uphold safeguards.

“The National Data Commissioner will not be able to compel or overturn decisions to share or not to share, instead focusing on ensuring that when data is shared, it is done safely.”

There will be several new offences for the commissioner to enforce: unauthorised sharing, release and use of data; unauthorised uses of data created using the new powers; providing false or misleading information to the office; and failing to take reasonable steps to implement safeguards, as agreed in Data Sharing Agreements. There may also be new penalties for non-compliance with various rules, directions from the commissioner, accreditation conditions and so on.

These new offences are described as “gap coverage” in a section on what happens “when things go wrong” because they aim to manage new risks data sharing creates.

“For example, relatively benign data can become sensitive when integrated with other data to create a new enriched dataset. The original ‘benign’ data may not have attracted offences or penalties under existing secrecy and non-disclosure provisions.”

New datasets created by combining existing ones would “inherit” the rules that applied to the sources.

“If one or more of the source datasets were subject to a non-disclosure provision, the integrated dataset would be subject to that provision (or provisions) in the event of a breach. If not, the penalties of the Data Sharing and Release legislation apply to protect the data.”

Elsewhere, the government also notes the research-sector evangelists worry that a strict regulatory regime could discourage data sharing.

“Some stakeholders reflected that strong penalties are necessary to ensure data is shared responsibly. Some researchers also accept the need for strong deterrence, but felt it was important to find a careful balance: encouraging safe data sharing and not creating a risk averse environment.”

On public consent, the data commissioner would simply “encourage” agencies to seek it “where appropriate” and its proposed role is generally to guide, support, encourage and work with other agencies, such as the existing information commissioner.

“The National Data Commissioner will be a champion and advocate for greater data sharing and release. This includes advocating for consistent and effective best practice data governance across the public sector.”

The office has four main stated objectives, and wielding a big stick is not one of them. It is to:

  • promote the use and reuse of public sector data;
  • enhance the integrity of the public sector data system;
  • engage with the community and earn trust about use of public sector data; and
  • ensure the data sharing and release legislation is applied in a consistent and effective manner.

What’s the point?

Only two direct benefits for individual citizens are listed in the paper: the ability to update personal details with one arm of government and have it tell the others; and the tantalising possibility of more forms that are pre-filled with data.

Most of the bigger claimed benefits are expected to flow through the government itself and the research sector – including research by for-profit companies that is somehow deemed to be in the public interest.

“We want to preclude commercial uses that the public do not support, but do not want to prevent research delivering public benefits,” says the discussion paper, but the government has not yet decided how to do that.

Data sharing is not only supposed to improve “the quality of research outcomes” but also allow government agencies to pick “trusted researchers” to evaluate their policies and programs.

“Strengthening cooperation between the Australian government and researchers, leading to more robust outputs tested by leading experts” is claimed as a another general positive. There will also be some wins through better public administration, according to the report.

It says “over-collection of data across the public sector” will be a thing of the past, and there will be more investment in improving data quality. No longer will the budget bear “the burden of storing duplicate datasets” and we’re told there will even be lower risk of data breaches, because many agencies will access the same datasets in a “federated model” instead of each having its own copy.

The most optimistic hopes are that public trust will be strengthened, as the “transparency of government operations around the use of public sector data” is enhanced, and that public policy will be improved – even though policymakers routinely ignore plenty of evidence and data that is available.

There’s a lot to digest in the publication and its attachments, and much that is yet to be decided. The president of the Australian Academy of Health and Medical Sciences, Professor Ian Frazer, explains the value of public sector data in his field and the importance of privacy. A Privacy Impact Assessment of the present framework is also out, with responses from the Department of the Prime Minister and Cabinet, and the draft legislation will go through a second PIA.

The paper also poses 14 discussion questions and clarifies the government’s current positions and summarises a range of views that have come up in consultations this far.

Submissions for the next round of consultation are open until October 15

Join Australia’s public sector leaders at Mandarin Premium. Only $5 a week for a limited time*.

A year ago, after listening to the views of hundreds of Mandarin readers, we launched Mandarin Premium

Our readers told us they had an appetite for another layer of Mandarin journalism that went well beyond the news – to analyse the nuts and bolts of managing and implementing government policy. 

Put simply, our readers wanted something that understood their jobs and would help with it. 

And that’s exactly what Mandarin Premium is and does.

We need your support. 

For a limited time, sign up to Mandarin Premium for a year at only $5 a week. That’s just $260 a year, and a saving of $180.

Join today by using promo code 5AWEEK at checkout.

Chris Johnson
Managing Editor

Join today
About the author
Premium

The essential resource for effective public sector leaders

Check out the Latest