If data is the currency of the twenty first century, then the Productivity Commission’s draft recommendation for a comprehensive new right for citizens and businesses to control their own data, is arguably the biggest reform to come out of Canberra this decade.
The recommendation is driven by the simple observation, that if data is the key resource of the digital revolution, then it makes no sense to lock it away in proprietary business, community and governmental silos. And indeed if data is the new determinant of value, then as an asset, citizens should have right to control the data that is collected about them.
At the centre of proposed reforms is the introduction of a new Data Sharing and Release Act, a new National Data Custodian, and a suite of sectoral Accredited Release Authorities that will enable streamlined access to curated datasets.
The report is very much the brainchild of the Commission chairman, Peter Harris, the former secretary of Stephen Conroy’s Department of Broadband, Communications and the Digital Economy and before that the Victorian Department of Sustainability and the Environment.
A Queensland economist, Harris is a veteran bureaucrat, working mostly in central Canberra agencies, including a two year stint in Bob Hawke’s PMO, on secondment from the Department of the Prime Minister and Cabinet.
An activist technocrat, Harris pushed for the data reference, after both the Harper competition review and the Murray financial system review urged the government to consider how to make it easier for consumers to switch to new providers, be they banks, telcos, energy retailers, or insurers.
‘Australia, to its detriment, is not yet participating’
The hypothesis is that if consumers could easily take the data about their user and risk profile to alternative providers, this will significantly increase mobility and competition in Australia’s traditional oligopolistic financial, retail and utility sectors.
Harris observes that Australia is very much a laggard when it comes to data usage, policy depth and institutional structures and that the “frameworks and protections developed for data collection and access prior to sweeping digitisation now need reform”.
“This is a global phenomenon and Australia, to its detriment, is not yet participating. Lack of trust and numerous barriers to sharing and releasing data are stymieing the use and value of Australia’s data.”
Harris used a provocative speech to CEDA this week to argue marginal changes to existing structures and legislation will not suffice, arguing the aim was to move from a system based on risk aversion and avoidance, to one based on transparency and confidence in data processes.
Referring to how critical data is becoming to the modern economy Harris remarked: “It’s a big shift that’s going on, possibly the biggest structural shift in the economy in a generation. And it has a long way to run yet, by all the evidence.”
Data proposition is core to agencies’ work, yet least employed
Harris openly admits governments own major failings around data — the failure to be used in policy, the failure to understand what the data is telling agencies about their own users and “most ugly of all — the failure to be allowed to even glimpse a data set that we know exists.”
The report noted the Australian Law Reform Commission’s work that catalogued over 506 secrecy or restrictive provisions across 176 pieces of Commonwealth legislation alone, including 358 that were criminal offences.
Data sharing between agencies is undoubtedly the great elephant in the public sector room at the moment, with every major jurisdiction looking at how it can enable services to be joined up for the betterment of citizens and the community.
A key driver has been the family violence reforms, where the lack of a unified view across policing, health, education and human services has seen victims murdered. The tragic death of Luke Batty being the best known example — where a robust data sharing regime would have arguably identified the victim risk before the harm was done.
But while the intent to share is there, the deep rooted public sector culture of data protection means it has been very slow going — notwithstanding the urging of secretaries boards around the country and the creation of specialised data analytic centres.
Legislation is the minimum step … then the hard work starts
The draft report recommends a new framework Act — the Data Sharing and Release Act — plus new agencies to overturn decades of data insularity.
Harris argues the new Act would permission change and be “a legislated signal written in the skies over Canberra and other capital cities to the guardians of data sets long inaccessible that the outmoded restrictions and personality politics that have prevented data linkage and analysis might now be relieved.”
But it is the report recommendation for a consumer and business right to control the data created about them, that has really fired up interest — both locally among the big banks, telcos, utilities and the exploding digital marketing world– but also the major US based tech players, Google, Facebook, Twitter, Microsoft, Yahoo and Uber. All rely heavily, and some solely, on consumer usage data for their business model.
It is a major global precedent for a respected organisation like the Productivity Commission, in a major modern sophisticated economy such as Australia, to be proposing a robust regime to enable consumers and businesses to control the use of and access to the data.
Hence the huge number of submissions, but if Harris’s CEDA speech is any guide, the soon to be released final report is not going to back off from this key recommendation.
Which rights? Access, ownership, veto, to be forgotten?
Australia has a soft approach to privacy regulation, relying mainly on principles and industry codes, rather than actionable rights citizens can use. Despite a litany of expert recommendations calling for a statutory right of privacy, the vehemence of opposition — led by big media — has seen no political action.
While internationally there have been vibrant and substantive regulatory debates on a raft of digital privacy issues — such as cookie control, the right to be forgotten, the right not be followed and the right to see data about you — there has been near policy silence around these issues in Australia. Where there has been debate, it typically has been around security initiatives (to collect metadata,) or as a single issue, such as the holding personal data with the Census.
This has resulted in a lack of political, policy and institutional maturity to deal with these fast moving and complex digital issues where real wisdom and judgement is required.
Policy in real time: the Internet of Things is already here
The angle the PC report takes is that there are enormous consumer, community and business gains from enabling data sharing and big data analytics. These range from managing traffic congestion, to preventative health, to personalised segmented services and products based on real user needs and risk profiles.
This opportunity is uberised in the Internet of Things world where billions of devices are feeding data in real time. Using car usage data to give me a better and hopefully cheaper insurance policy, is but one example of the type of consumer benefit.
But to get those gains Harris argues we need social license from the consumers to use the date created by them.
“And to get it, and to keep it, government and private data holder alike will need to practice a common commitment to sharing back with consumers the data that was sourced from them, beyond simple mere compliance with data safety,” Harris asserts.
What data consumers should control is the vexed question. Current privacy principles cast a narrow net over personal data and Harris argues this has not led to companies returning to users obvious benefits such as a better banking or insurance offer.
He argues the new right needs to broad enough to describe in a manner that is effective across a community-wide range of competitive circumstances a coverage of data that was sufficient to deliver a real shift in responses from different providers.
“Coverage will have to be both wide enough to be useful, but tailored enough to meet the needs of exchanges amongst, say, the medical professions on the one hand and banks or telcos on the other.”
There is also the jurisprudential issue of who actually owns the data. If my air conditioner is sending data back to head office about my usage — is that data about me and something I should be able to control — or is that data that is “owned” by the aircon manufacturer?
And this is where the rubber hits the road with all the big players politely, but firmly, nervous such a wide ranging right could impact on their competitiveness and willingness to innovate around data.
The banks, tech platforms, telcos and marketeers — not to mention the big personal device makers (aka Apple and Samsung) and automakers — will all be winding up their lobbyists to narrow the personal data control right to transactional data only, arguing the insights and intelligence from data created about a person is proprietary.
That the Commission wants this right to also extend to businesses — the right of a SME to also control the data collected about them — reveals just how profound the Harris proposal is.