Privacy means different things to different people. To a lot of public servants and academics, it’s become a barrier to a world of valuable insights and new investigative tools.
For others, privacy is a fundamental right shown less and less respect by governments over recent years — except when they are being asked to release their own information.
Last Thursday, Attorney-General George Brandis confirmed once again that the current government sees little value in the Office of the Australian Information Commissioner, which oversees both freedom of information and privacy.
In announcing Timothy Pilgrim’s re-appointment as Privacy Commissioner, Brandis confirmed Pilgrim is now also the permanent Information Commissioner, a role he has acted in since July 2015.
The announcement confirms the current government has no intention to appoint two separate commissioners, as the office was originally intended to have. Brandis gave no indication he intends to appoint anyone as FOI Commissioner, leaving the third post in the OAIC still vacant for the time being.
On the same day, the AG finally responded to a particularly dark shadow that has loomed over the collection, sharing and linkage of data by public sector agencies for several years now: the revelation that the process of removing personal identities from data sets can often be reversed quite easily.
Brandis announced a proposed amendment to the Privacy Act “will create a new criminal offence of re-identifying de-identified government data” which will make it illegal to “counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset”.
This language immediately stoked fears among researchers — like those who were able to recover Medicare provider identification numbers from a Department of Health data set — that they would be liable for prosecution under such a law.
Based on the information Brandis has provided, University of Melbourne data and privacy researcher Dr Suelette Dreyfus doesn’t think a new law will do much to stop people who think they can get away with re-identifying supposedly anonymous data. She has concerns that “rather than protecting privacy at the outset” the proposed legislation might “penalise” well-meaning academics.
The whole concept of open data rests on the assumption that the information can be anonymised. If this can’t be guaranteed, open data will fail. While a legal prohibition might discourage some of the various actors who might attempt to reverse the process, it does little to assuage the widespread fears about how much data is being collected and how safe it really is.
Those fears were highlighted in the lead-up to this year’s Census, and are being canvassed in the resulting Senate inquiry.
Dreyfus, who researches the collision of technology with what she calls “the emerging human right of privacy”, feels governments and their agencies should always follow strict protocols like those published by the OAIC: don’t collect more data than you need, don’t keep it for longer than you need it, and don’t link it up or re-purpose it without express permission of the people involved.
She says those principals often “seem to be ignored” when people raise legitimate concerns such as those around the Census, and a better response than a new legal prohibition would be to start again and “defend citizens’ privacy from the outset” by closely following best-practice privacy principles in every case.
Dreyfus was not at all impressed by the way the Australian Bureau of Statistics responded to privacy complaints.
“Rather than listening and responding to any of those,” she said, “the government stuck its nose in the air and said: ‘We don’t have to respond to this; we don’t care that a set of senators have actually said they will refuse to answer questions on the Census as a result of privacy concerns.'”
And she sees an inconsistency in the attitudes of politicians and public servants to privacy in different contexts. In FOI releases, public servants display a very strict attitude towards privacy, making sure any names mentioned in the documents are blacked out wherever allowed by the FOI legislation.
But when it comes to the collection, linkage, sharing, analysis and publication of large amounts of data — which can no doubt provide significant public value — the attitude is all about weighing up the risks and rewards and is often dismissive of privacy concerns. Public servants might believe the public value of open data and metadata retention outweighs privacy concerns in specific cases or in general, but the point is they must convince citizens.
She also sees a major imbalance with the way governments work with big data — and the large amount of communications metadata government agencies want to access — versus the amount of information it is prepared to release under FOI. Drefyus describes the practice of federal agencies asking the Australian Federal Police to provide them with metadata as an “end-run” around the legislation, which cut the number of bodies with access to metadata significantly as a way to protect privacy when it was enacted one year ago.
“Government’s intrusiveness into the citizen’s privacy has become very pervasive but the citizen’s ability to call government to account through FOI is miniscule in the amount of information that can be gleaned from that,” Dreyfus said.