Systematic government access to private-sector data in Australia

2008

The Senate Finance and Public Administration Legislation Committee, 2021

This submission focuses on: • Objects of Bill. A reference to accountability should be inserted into the Bill’s Objects. This would strengthen the functionality of existing safeguards and ensure accountability plays a central interpretive role. In addition, the Objects clause should note that consent remains the primary basis for sharing personal information. • Private Sector Research and Research Ethics. Private sector organisations seeking to use data for research should be required to prove a rigorous ethics process. • New Data Attributes. Interaction with the review of the Privacy Act 1988 definition of “personal information” should be managed. • International Data Sharing. Accreditation of foreign entities should be subject to proof that the relevant foreign country has a comparable privacy law framework. • Transparency. Transparency measures should be put in place with respect to the operation of Clause 15(4). Further, there should be ongoing transparency about flaws in the data protections applied in clause 16(7). • Interaction with Other Legislation. Details of interaction with other legislation should be published, ideally within the Bill. Consistent terminology across legislation should be a long term goal. • Handling of Data After Project Completion. Requirements on termination of a project or suspension of an accredited entity, such as data deletion, should be specified. • Accountability. Transparency and accountability should be enhanced through additional language in privacy policies and a requirement for data scheme entities to raise complaints. Data subjects should also be encouraged to make complaints. • Consent. The threshold for circumstances when it is unreasonable or impracticable to seek consent should be incorporated as part of the ethics function governed by the National Data Advisory Council. • Data Sharing Controls and Environment. There should be minimum standards for security and data protection practices, including training. • Guidelines to Address Data Procurement. The scope of guidelines be amended to cover data procurement and pre-processing as well as the operation of clause 15(4).

former Chief Executive Officer of the HRB). Whilst this work has taken longer to complete than first envisaged, the advantage has been that many others have also expressed their opinions in this area. The wisdom of those opinions has been very helpful and those opinions are cited widely in this document.

2015

This thesis considers whether the Australian Privacy Commissioner's use of its powers supports compliance with the requirement to 'take reasonable steps' to protect personal information in National Privacy Principle 4 of the Privacy Act 1988 (Cth). Two unique lenses were used. First, the Commissioner's use of powers was assessed against the principles of transparency, balance and vigorousness and secondly against alignment with an industry practice approach to securing information. Following a comprehensive review of publicly available materials, interviews and investigation file records, this thesis found that the Commissioner's use of his powers has not been transparent, balanced or vigorous, nor has it been supportive of an industry practice approach to securing data. Accordingly, it concludes that the Privacy Commissioner's use of its regulatory powers is unlikely to result in any significant improvement to the security of personal information held by org...

University of New South Wales Faculty of Law Legal Studies Research Paper Series, 2019

Co-authored submission from the Allens Hub for Technology, Law, and Innovation, UNSW to the Office of the National Data Commissioner on the Data Sharing and Release Legislative Reforms Discussion Paper. As we previously noted in our response to the Issues Paper on Data Sharing and Release, the current law around government information-sharing is unnecessarily complex. There is a patchwork of laws dealing with the sharing of government information which results in confusion and reluctance within government agencies to use existing data-sharing and release mechanisms. Efforts to develop context-specific laws, such as consumer data right, or for automated vehicles, or for data sharing for research purposes, despite the potential merits of each, contributes to this complexity. The Discussion Paper acknowledges the need for clarity within this space, expressing a desire to simplify information sharing processes and shift the Australian public service culture towards responsible sharing. The relationship between the Data Sharing and Release legislation and other existing data protection provisions (such as the Privacy Act 1988 (Cth) and secrecy provisions) has been clarified. However, the parallel operation of these reforms alongside existing provisions has the potential to add complexity, particularly where it introduces new terminology (such as “sharing” rather than “disclosure”, “data” rather than “information” and, potentially, new terminology linking entities and data).

Your Rights Online, Published by the Bar Association of Sri Lanka, 2017

Right to Information Act, No. 12 of 2016 (RTIA) is an act to provide for the right to access to information; to specify grounds on which access may be denied; to establish the right to information commission; to appoint information officers and to set out the procedure and for matters connected therewith or incidental thereto. Right to Information is a fundamental right which ensures in terms of the Article 14A of the Constitution of Sri Lanka which inserted to the constitution section 2 of the nineteenth amendment. After RTIA which passed on 4 th August 2016, came into effect from 03 rd March 2017, Sri Lanka could join with Pakistan, India, Nepal and Bangladesh which already had enacted Right to Information laws, within the region. However, it is arguable, whether the ordinary public and also the government officers are aware of the functions of RTIA and its role in ensuring accountability of the Government. Some argue that provisions of RTIA clash with some laws such as the establishment code which all the government officials should comply with. Further, the confrontation between the Privacy Rights versus Right to Information is also controversial. Hence, this paper will discuss the key features of RTIA and its' consequence, the role of the Information Officer, how the general public is benefited by RTIA and foremost criticisms on the Act. The author uses primary sources viz. acts and codes of Sri Lanka and other countries and secondary sources viz. journals, reports, electronic resources and books as main sources for this study. Finally, the paper concludes with suggestions to RTIA towards minimizing afflictions affecting both the institutions and general public in complying with RTIA pursuing the maximum benefits of the Right to Information. Keywords: Information, Right to Information, Information Officer

2019

This extended abstract describes the regulation of privacy under Australian laws and policies. In the CRC D2D programme, we will develop a strategy to model legal requirements in a situation that is far from clear. Law enforcement agencies are facing big floods of data to be acquired, stored, assessed and used. We will propose in the final paper a linked data regulatory model to organise and set the legal and policy requirements to model privacy in this unstructured context.

The Data Protection and Privacy Act, 2019 herein as the "Act" is an Act of Parliament that was enact to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information, to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processors and data controllers, to regulate the use or disclosure of personal information and for related matters. In order to ensure this mandate, the Act entails obligations of data collectors, data processors or data controllers or any person who collects, processes, holds or uses personal data to the data subjects and also provides for the rights to be exercised by the data subjects. A data collector, data processor or data controller or any person who collects, processes, holds or uses personal data by virtue of section 3 of the Act has the following obligations;