this product is unavailable for purchase using a firm account, please log in with a personal account to make this purchase.

Select from any of the filters or enter a search term
Calendar
Calendar

Inquiry into Data Availability and Use

Inquiry into Data Availability and Use

By Steven Sapountsis

0 Comments


The LIV has made a submission on the Productivity Commission’s Data Availability and Use Issues Paper. It has commented on various issues of general application, including:

  • An integrated approach to privacy;
  • Broader content issues to be addressed;
  • When organisations can refuse service for refusal to provide personal information;
  • Greater scrutiny of commercial-in-confidence;
  • The need for greater data security; and
  • Sharing of unique identifiers.

 

The Manager
Data Availability and Use
Productivity Commission
GPO Box 1428
Canberra ACT 2601

Dear Sir/Madam,

Inquiry into Data Availability and Use

The Law Institute of Victoria (LIV) appreciates the opportunity to contribute to the Productivity
Commission’s Inquiry into Data Availability and Use (Inquiry) and to make a submission on the Data
Availability and Use Issues Paper (Issues Paper).

The LIV has considered the questions posed in the Issues Paper and offers comments on issues of
general application.

1. An integrated approach to privacy

The LIV understands that the Productivity Commission seeks to balance the benefits of greater
disclosure and use of data with protecting the privacy of the individual.

The LIV is concerned that the Issues Paper maintains the notion that privacy and economic value are
trade-offs, and that enhancing one necessarily means sacrificing the other. The LIV considers this
approach to be too limiting, and recommends that the Productivity Commission explore how privacy
and economic value can be integrated, rather than be seen as opposing interests.

The LIV recommends a ”privacy by design” approach be adopted as the starting point for any
consideration of increasing data availability, where privacy is “built in” to the design of data collection,
retention and sharing processes, to ensure that privacy is considered before and during the
development and implementation of initiatives that involve the collection and handling of personal
information.

The “privacy by design” approach has been recommended by the Office of the Australian Information
Commissioner.

2. Broader consent issues to be addressed

The Issues Paper acknowledges that the notion of consent can be problematic, both with respect to
what constitutes consent and the debate over the distinctions between “informed consent”, “passive
consent”, “unknown consent”, and “non-consent”. The LIV recommends that the Inquiry include in this
discussion the concept of "bundled consent" i.e. the combining of a number of matters on which
consent is sought, thereby removing the option to consent to some matters but not other. This is also
described as "all or nothing" consent. The LIV further suggests that the Inquiry critically assess in what
circumstances bundled consent is appropriate.

The LIV is concerned that much of the discussion regarding data sets being used for different
purposes appears to overlook the issue of consent. The LIV is of the firm view that discussions around
consent, as with privacy, should not be dealt with separately to other issues associated with data
availability and use, but rather viewed holistically.

The Issues Paper briefly explores concepts of “meaningful consent” using the individual’s agreement
to Facebook’s Data Use Policy as an example. The LIV recommends that the Inquiry consider broader
issues regarding consent.

One such issue to be considered is the proportionality between availability of data and coercion used
to collect it. A current example can be found in the mandatory collection of data through the 2016
Australian Census. The LIV queries whether data of this nature should be made available for private
use, where individuals have no choice in its provision. This becomes particularly relevant where
individuals can be identified through the data collected.

The LIV further recommends that the Inquiry address the tendency of organisations to collect more
data than is necessary to provide a good service under the guise of “consent”, especially bundled
consent.

It is often the case that for an individual to receive a service, they must provide a disproportionate
amount of data that is then commercialised. The value of the service to the individual does not equate
to the amount of data used to access it. For example, the consumer may implicitly agree to share data
with a bank in exchange for the convenience of a credit card. It should not follow that the consumer
has therefore agreed to the bank then using that data for commercial value, especially when none of
that value flows back to the consumer.

Currently, companies have an incentive to collect more data than they need, and to refuse to offer
services unless that additional data is provided. This is permitted under the current Australian Privacy
Principle (APP) 3.2, because organisations can collect personal information that is reasonably
necessary for one or more of their functions.

The difficulty for the consumer is that this binary approach results in their only option being to opt-out
of the service. The LIV recommends that the Inquiry explore:

  • opportunities for consumers to choose the level of data that they wish to share in exchange for a service;
  • the introduction of a proportionality requirement between services and data collected;
  • limiting APP 3.2 to the collection of personal information reasonably necessary for the functions/services engaged by the individual at the time of that collection.


3. When organisations can refuse service for refusal to provide personal information.

Where organisations collect personal information which is necessary for functions directly related to
the service sought by the individual, failure to provide that information is likely to be a reasonable
ground for refusing service.

Where the refusal relates to a function which is not directly related to the service sought by the
individuals, it is not reasonable to refuse to provide the service if the information is not provided.
Permitting organisations to refuse service in such circumstances is based on the fallacy that the
individual has “consented”. However, where consent is bundled and the individual does not have a
choice about providing the reasonably necessary information but not the rest, any consent is obtained
under a form of coercion or duress and should not be treated as valid.

This reference to duress is considered and not mere hyperbole- many essential services and
functions, including banking, communications services and housing services, require personal
information that may be well in excess of what is reasonably necessary for the provision of those
services.

4. Greater scrutiny of commercial-in-confidence

The Issues Paper poses the question of whether there is a need for a more uniform treatment of
commercial-in-confidence data held by the Australian Government and state and territory
governments.

The LIV recommends there be greater scrutiny regarding commercial-in-confidence and the benefit of
agencies and organisations having restrictions on the release and use of particular data.
The LIV queries why commercial-in-confidence is regularly given priority over other interests (such as
the interest in public debate about government procurement and projects) and yet personal privacy is
framed as a trade off that may compromised for economic, and other public and private interests.
The LIV considers this to be particularly problematic where documents are sought under FOI. The LIV
recommends that the question to be asked is, whether there is a greater public interest in disclosure of
information regarding government procurement or commercial-in-confidence, especially in the context
of major government projects.

5. The need for greater data security

The LIV calls for and supports the introduction of mandatory data breach notification laws; see, for
example the LIV media release of 13 October 2015.

Such laws were integral to the recommendations of the Parliamentary Joint Committee on Intelligence
and Security (PJCIS) regarding the Data Retention Bill. The PJCIS recommended passage of the Bill
and the introduction of mandatory data breach notification laws before the end of 2015. There has yet
been no indication that they will be introduced before the end of 2016.

Aside from that particular issue, the failure to introduce mandatory data breach notification laws
illustrates a broader problem in dealing with privacy matters. That is, governments are generally quick
to authorise privacy intrusions, such as the Data Retention Bill, but much slower authorising or
providing privacy protections. The time it has taken to implement the recommendations of the
Australian Law Reform Commission's 2008 Report, For Your Information, many of which remain
unimplemented, is an example.

The LIV considers that the benefits to the public of a mandatory data breach notification scheme
include:

  • creating an incentive for better information security and handling of personal information by Australian Privacy Principle entities; and
  • enabling timely and appropriate action to be taken by individuals when notified of a real risk of harm, for example changing passwords and cancelling credit cards.

A more full discussion of those issues is found in the Law Council of Australia submission to the Serious Data Breach Notification Consultation in February 2016, to which the LIV contributed.

6. Sharing of unique identifiers

The LIV recommends that unique identifiers not be shared when data is made available. If data is to
be made available, it should be group, aggregated data, not data attached to any identifier.

This is particularly important in the context of the 2016 Australian Census. The LIV recommends that
amendments be made to the Census and Statistics Act 1905 (Cth) to insert provisions into section 13
of the Act (which deals with the release of information) to ensure that census data continues to be
protected, including a prohibition on releasing the unique identifiers with any data sets disclosed to
persons or organisations external to the Australian Bureau of Statistics.

If you would like to discuss the matters raised in the submission, please do not hesitate to contact me
or our legal policy team at submissions@liv.asn.au.

We look forward to engaging further with this consultation, following with the release of the draft report
which is anticipated in November 2016.

Yours sincerely

Steven Sapountsis
President

 

View the formal letter


Views expressed on liv.asn.au (Website) are not necessarily endorsed by the Law Institute of Victoria Ltd (LIV).

The information, including statements, opinions, documents and materials contained on the Website (Website Content) is for general information purposes only. The Website Content does not take into account your specific needs, objectives or circumstances, and it is not legal advice or services. Any reliance you place on the Website Content is at your own risk.

To the maximum extent permitted by law, the LIV excludes all liability for any loss or damage of any kind (including special, indirect or consequential loss and including loss of business profits) arising out of or in connection with the Website Content and the use or performance of the Website except to the extent that the loss or damage is directly caused by the LIV’s fraud or wilful misconduct.

Be the first to comment