Recently, we published an article based on a Media Release of 28 September 2016, by the Federal Attorney General announcing the Government's intention to introduce amendments to the Privacy Act 1988 (Cth), which, among other matters, will “. . .create a new criminal offence of re-identifying de-identified government data” (see -Attorney-General Brandis Announces New Offence of Re-Identifying De-Identified Government Data). On Wednesday (12 October 2016), the Privacy Amendment (Re-identification Offence) Bill 2016 (the Re-identification Offence Bill) was introduced into the Federal Senate by the Attorney General Senator George Brandis (the AG) as part of a package which also includes the Regulatory Powers (Standardisation Reform) Bill 2016.
The Re-identification Offence Bill is, according to the AG's second-reading speech, part of the Australian Government's plans to ensure that the ". . . considerable benefits associated with the release of public sector datasets can be realised . . ." without compromising information security and also protecting the privacy of Australian citizens. Behind this are seen to be motives such as the recent health department privacy bungle, which saw that Department release dataset elements from which Melbourne University researchers were able to re-identify service provider ID numbers.
In general terms, the Re-identification Offence Bill proposes to make it a crime to re-identify ostensibly de-identified government datasets but includes provisions for exceptions to be made for security research. Such exceptions are to be the discretion of the responsible Minister as to what individual organisations or classes of organisations will be exempt and the conditions to be imposed on them. Further, as per the AG's second reading speech:
With respect to the Ministerial powers relating to exemptions, it is important to note that Re-identification Offence Bill exempts determinations by the Minister from the disallowance scheme contained in the Legislation Act 2003 (Cth) so as to:
The Re-identification Offence Bill, unlike the general provisions of the Privacy Act, applies to small businesses and individuals as well as large organisations and, as per the AG's second reading speech, the offences outlined in the Re-identification Offence Bill have been retrospective, dating from 29 September 2016 — the date of the AG's Media Release. The reason offered for the retrospective operation is that it:
The Re-identification Offence Bill also provides additional powers to the Australian Information Commissioner. For example, where an agency is informed of the re-identification of information, it will be required to inform the Australian Information Commissioner, allowing the responsible agency to engage with the Commissioner on the issue and providing the Commissioner with the opportunity to investigate the matter.
The Re-identification Offence Bill also provides investigation powers to the Australian Information Commissioner in relation to contraventions and to support the Commissioner's existing power to seek civil penalty orders in relation to civil penalty offences under the Privacy Act.
The offences created by the Re-identification Offence Bill carry criminal penalties involving up to two years in prison and $21,600, and possible civil penalties of up to $108,000. Further, the Re-identification Offence Bill would also compel organisations or individuals to notify the responsible agency if de-identified personal information is re-identified.
Following on an initial adverse reaction, particularly from the IT industry, the actual introduction of the Re-identification Offence Bill has not as yet provoked more than interested reaction. One criticism of the Re-identification Offence Bill has been that the government, while professing its concern for privacy, has been quick to introduce legislation regulating data access but slow to implement measures designed to provide checks and balances for such regulation of data.
An example of this is cited by the ZDNet technology site, which says that while the AG and the government profess "commitment to Australian citizens' privacy . . ." they have yet to amend the Privacy Act to implement ". . . a mandatory data-breach notification scheme for [their] data-retention legislation". In that respect the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), passed by the Australian government in March 2015, came into effect in October 2015 and will result in citizen's ". . . call records, location information, IP addresses, billing information, and other data stored for two years by telecommunications carriers, accessible without a warrant by law-enforcement agencies" and as yet data-breach notification laws are not in place and it is feared the same might be the case with respect to the Re-identification Offence Bill.
The passage through parliament of the Re-identification Offence Bill is not expected to be controversial as most see the need to keep pace with the invasive nature of modern technology and the need to control the rate of intrusion.
TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products.
Privacy Amendment (Re-identification Offence) Bill 2016 and 2nd Reading Speech and Explanatory Memorandum as reported in LawOne.
FREE legislation news, delivered weekly.
Sign up now.#WeLoveLegislation Tweets
NEW information resources - great for training.