Concerns around proposed amendments to Privacy Act

Digital Rights Watch have raised deep concerns over proposed changes to the Privacy Act, citing the need for community and expert consultation before any legislation is introduced.

“The announcement made by the Attorney General is yet another sign that this Government is ill-equipped to adequately protect citizen’s personal data in a digital age,” said Digital Rights Watch Chair Tim Singleton Norton.

Attorney General George Brandis announced that his proposed amendments to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.

“This move is extremely concerning and seems to be preemptive of the work of the Productivity Commission and its inquiry into data availability and use. The Minister is alluding to potentially a very broad offence of ‘facilitating’ re-identification,” said Mr Singleton Norton.

“The specific wording of ‘counsel, procure, facilitate or encourage’ will need to be framed carefully to exclude innocent acts, such as rigorous penetration testing of encryption software. Likewise, the whole area of research into de-identification research, such as that undertaken by the CSIRO, could be jeapordised through heavy-handed legislation.”

“The Attorney General states that with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future. That’s absolutely correct – the SLK581 keys purported to be used in the recent Census have already been shown to be ineffective at anonymising personal data,” said Mr Singleton Norton.

“Criminalising security testing is the wrong way to increase security. The Government should instead focus on ensuring that data is not collected or stored in forms that allow re-identification. Rather than concentrating on best practices to address this important issue, this Government is instead opting to punish anyone who discovers flaws in its methods.”

“People in the community who identify weaknesses in government data management practices, either innocently or actively in the public interest, should not be treated as criminals. We are all worse off if vulnerabilities are not disclosed.”

“As with most legislation, the detail of how these amendments are framed will be key. This is an important element of privacy law in this country and must be drafted in consultation with privacy experts and the wider public that it impacts. To date, the public has many reasons to be skeptical of government promises when it comes to privacy. A process with public consultation and expert input is key to ensure the public can have faith in the legislative amendment. ”

“It is positive to see the Attorney General thinking about privacy concerns and the re-identification of data, but this is a challenge that needs to be addressed with appropriate consultation, not hastily prepared legislative proposals,” he concluded.