Agencies could access personal data without consent under new bill

Australians’ personal information could be accessed by government agencies and researchers without their consent under proposed data-sharing legislation that critics say could pave the way for more robodebt-style tactics.

© (Photo by Sam Mooy/Getty Images)
Former government services minister Stuart Robert

In a speech at an Australian Financial Review conference this week, the former government services minister Stuart Robert said it wasn’t his job to make government “sexy”, but make it simple.

“Simple and helpful, so a single mum with three kids only has to give her birth certificate details to government once to access childcare payments and an immunisation history,” he said.

Related: Facebook data leak: Australians urged to check and secure social media accounts

“Transparent and respectful, so a person applying for a visa can see progress and how much it will cost.”

Robert retained responsibility for digital services despite being moved to employment minister in the last reshuffle in March.

He pointed to a piece of legislation introduced into parliament in December with little fanfare – the data availability and transparency bill. The bill is aimed at making it easier for government agencies to share personally identifiable data and allow external organisations such as universities to access de-identified data.

With some limited exclusions, the legislation covers “all data collected, created or held by the commonwealth, or on its behalf”.

A key plank of the legislation, Robert said when introducing the bill to parliament, was people only having to update their information once for all agencies to have it.

While that can be convenient, it can go wrong, as the privacy commissioner ruled this month when it found Centrelink had breached a woman’s privacy by disclosing her new address to her former partner.

The woman and her former partner, who was subject to an apprehended violence order, had a linked account and when she updated her address details, his account was updated too.

The woman was alerted to the privacy breach when her ex-partner posted a picture of her new house from Google Maps to Facebook, with the comment, “Change your MyGov”, in 2017.

Privacy experts warn the new arrangements will mean much more personal information collected by governments will end up being shared without people’s consent, and will lead to more errors.

“Today’s inefficiencies and errors will be worsened by increasing the volume and speed of data sharing,” privacy experts Melanie Marks and Anna Johnston told the parliamentary committee reviewing the legislation. “There will be a direct downstream impact on consumers and particularly vulnerable groups who will no longer be able to seek redress.”

The legislation specifically excludes using the data-sharing scheme for the purposes of law enforcement but the Electronic Frontiers Australia board member Justin Warren told the committee he was not convinced that once the data was obtained it wouldn’t end up being used for that purpose.

“If the legislation is written with, ‘if you intended to do this for not an enforcement purpose, then sharing is fine’, when we then find out later on that it was actually used for an enforcement purpose, what happens? What are the consequences for that outcome?” he said.

The joint parliamentary committee on human rights noted that it was unclear whether the delivery of government services would be subject to the enforcement restriction. That means data could potentially be shared with agencies such as Centrelink and the National Disability Insurance Agency to help determine the level of support payments, raising fears of debt recovery tactics similar to those used in the robodebt scandal.

Robodebt generated debt notices for people by comparing data held by Centrelink against averaged income data from the Australian Taxation Office. Last year, it was found to be an unlawful tactic.

Although the legislation requires consent to be obtained before the sharing of the data, there is an exception if it is “unreasonable or impracticable to obtain”. Robert has said he will amend the explanatory memorandum for the legislation to outline in what circumstances obtaining consent would be considered “unreasonable”.

Organisations such as the Public Interest Advocacy Centre, Verifier and other privacy advocates argue people’s expectations around how data is used has changed, and consent must be obtained when shared.

Related: Government investigates data breach revealing details of 774,000 migrants

The Public Interest Advocacy Centre said the most marginalised groups, including people with a disability, First Nations people, young people, elderly people and asylum seekers, will likely be most at risk by the proposed new law, because they access government services more than the rest of the population or are disproportionately subjected to corrective services or detention.

The Australian Medical Association called for the government to explicitly exclude Medicare and Pharmaceutical Benefits Scheme data from the legislation, and warned that as currently drafted, it could lead to personal data being shared over insecure methods such as email or Dropbox.

The Australian Banking Association has also warned in its submission that even de-identified data could reveal confidential information held by banks.

“Even where data is anonymised or used in aggregate form, it can reveal commercial information about certain entities or their customers in specific sectors or geographical regions,” the ABA said.

“As it is currently drafted, the DAT bill creates the real risk of on-sharing this data to third parties who may lack full understanding of the implications of further sharing the information.”

The minister can exclude certain types of data from the scheme through regulation, and Robert has said he will release the draft regulations before the bill is debated in the House of Representatives. But several groups have said the data types should be included in the legislation rather than in regulations, which the minister can change more easily.

The Senate standing committee on finance and public administration, comprising a majority of Coalition MPs, did not recommend the bill be passed, noting more privacy protections may be required to boost public confidence in the legislation.

In Labor’s dissenting report, senators expressed concern about the creation of another robodebt scandal, noting the legislation could be used to obtain data to determine payment levels by the National Disability Insurance Agency, for example, and said the bill should not be passed.

Deputy chair of the committee, Labor senator Tim Ayres, said the legislation would provide a “blank cheque” to the government to share personal data without the public’s knowledge or consent.

“The data availability and transparency bill is a dangerous and reckless power grab by a government that has lost its way,” he said.

“Scott Morrison and Minister Stuart Robert were the designers of the cruel robodebt scheme, which used Australian’s private data to target the most vulnerable for debts they didn’t owe. Robodebt was illegal and demonstrates that this prime minister can’t be trusted with sweeping powers and access to Australians’ private data.”

Robert’s office said the government was considering the committee’s findings.