Australian agencies need new privacy code to maintain public trust: Pilgrim

The OAIC will create a public service privacy code following a number of privacy incidents with Australian governmental agencies.
Written by Chris Duckett, Contributor

The Office of the Australian Information Commissioner (OAIC) has been tasked by the Department of the Prime Minister and Cabinet (PM&C) to develop a new privacy code for the Australian Public Service (APS), one that Commissioner Timothy Pilgrim said is needed after a string of privacy issues.

"While these have been the result of a range of circumstances, through my office's subsequent involvement in them I have formed the view that there is a need to strengthen the overall privacy governance processes within APS agencies," Pilgrim said in a letter to PM&C.

"I believe that if this is not done, there is a risk that the community may lose trust in the ability of government to deliver on key projects which involve the use of personal information."

Pilgrim said the Australian public service needs to move beyond compliance with the existing Australian Privacy Principles and start having a "best practice approach" to privacy, particularly in the future.

"In my view, there is also an urgent need for the Australian government to build a social licence for its uses of data, particularly in the current context where there are plans to increase data use and availability, and increasingly to make data 'open' by default," Pilgrim wrote.

In late 2015, the Australian government moved to a position where non-sensitive data stored by government entities would be open by default, "appropriately anonymised", and updated frequently.

The information commissioner said in his letter that agencies need to be transparent so the public can understand how their information is being treated.

"The broader community must believe that the uses of data which are permitted are valuable and reasonable, considering the relevant circumstances," he said.

Pilgrim said he expects the new code to make more explicit how agencies should apply the Australian Privacy Principles, rather than creating new obligations.

The new code would also allow for the current data-matching legislation and guidelines to be superseded, Pilgrim said, to allow for a consistent approach.

"The code could regulate these activities, allowing agencies to take a more flexible, modern approach to addressing the privacy risks associated with data matching," he said.

Speaking to the Senate Community Affairs References Committee on Thursday morning, Pilgrim said he would be looking into how the Department of Human Services had used income data as part of its Online Compliance Intervention (OCI) or robo-debt system.

Pilgrim will also conduct an assessment in the first quarter of the 2017-18 fiscal year to examine how DHS will integrate the non-employment income data-matching measure program into OCI.

"Recent community concerns around the PAYG data matching program and the OCI system suggest it may be time to revisit whether the existing data matching guidelines remain an appropriate regulatory framework that reflect contemporary privacy concerns and data usage," Pilgrim said.

Last month, the Commonwealth Ombudsman said the letters sent by OCI demanding money from Centrelink recipients were "reasonable and appropriate", but deemed the method used "unfair and unreasonable".

Earlier in May, the Productivity Commission recommended the establishment of a National Data Custodian to oversee its proposed Data Sharing and Release Act. Under its recommendations, Australians would not be able to opt out of data collection. The commission walked back one of its draft recommendations, citing responses to its draft report that argued it would be too difficult to implement an opt-out right for consumers.

"Across the spectrum, submissions argued that there would be a need for various exceptions and qualifications to such a right, to the point that we can no longer in good faith suggest that this is applicable comprehensively," the commission said.

The commission also recommended the government abolish its requirement to destroy statistical linkage keys at the end of data research projects.

"It is akin to book burning," it said.

"Where an Accredited Release Authority is undertaking multiple linkage projects, it should work towards creating enduring linkage systems to increase the efficiency of linkage processes."
