This article was written by Michael Swinson, Prudence Buckland and Hannah Glass.
The Australian Government has today released the Productivity Commission's final report into Data Availability and Use - spelling out just how serious the Australian Government should be about looking at the use of data with new eyes. The new world will necessitate a fundamental change in the way Australian governments, business and individuals handle data.
Proposing an 'ambitious timeline' for reform implementation, the recommendations put every sector in the Australian economy (public and private) on notice that they will need to be prepared for the opportunities and challenges of the new 'data' age. In addition to the overview below we have outlined how the recommendations will affect financial services, TMET, utilities, health and government sectors. The Commission recommends the introduction of a new data framework, with two key elements:
- Establishing a new "Comprehensive Right" that will give consumers (including both individuals and small businesses (SMEs)) greater control over consumer data; and
- Creating infrastructure to support sharing and release of data.
The proposed reforms are geared to improving transparency and accountability for release of data across the different sectors, avoiding fragmentation of data collection activities and removing current inefficiencies.
Data sharing and use is currently a regulatory minefield with an array of different rules that may currently inhibit effective sharing and utilisation of data. The Commission has suggested that new Commonwealth legislation – a Data Sharing and Release Act (Act) – is required to cut through this red tape and authorise appropriate data sharing and release. The Act would also create the institutional foundation necessary to deliver the Commission's data vision for Australia.
Below we outline our top 3 takeaways from the Commission's report.
1. The proposed new "Comprehensive Right" is not quite as "comprehensive" as the Commission's draft report foreshadowed but would still have a far reaching impact.
The proposed introduction of new consumer rights to data about them was a feature of the Commission's draft report. However, the right proposed by the final report is a somewhat moderated version of the one proposed in the draft report. This reframed Comprehensive Right is centred on striking a balance between the needs of individuals and business.
Under the proposed new right, consumers (including individuals and SMEs) would be given rights to access and request edits or corrections to their consumer data. They would also be entitled to direct the holders of that data to copy a machine-readable version of the data and provide this to a third party (which may include one of their competitors). Entities holding consumer data would need to publicly disclose a list of third parties to whom consumer data has been traded or disclosed in the past 12 months.
A number of critical aspects of this regime, including the scope of the consumer data that would be subject to the regime and the technological mechanisms for sharing the data, would be determined by industry agreement. Similarly, industry will need to consider ways to address uncertainty around consent, risk and liability regarding use and provision of data. These address concerns expressed in response to the Commission's draft report that an attempt to apply a 'one size fits all' approach to all industry sectors could have unintended consequences and may be unnecessarily burdensome. If industries cannot agree on an appropriate definition of consumer data or data sharing mechanisms, then expansive default positions would apply. The entire regime would be subject to oversight by the ACCC.
The Commission's recommendations have taken account of feedback received from industry and other stakeholders, such as by:
- clarifying that data that might have been influenced by some consumer information, however has effectively been created by an entity through application of its own analytical effort (e.g. conclusions drawn about a consumer's profile by inference from some underlying transaction data) would not be treated as consumer data that may be subject to the regime – recognising the intellectual effort required to create this type of data;
- removing the recommendation from the draft report that consumers should be given the right to opt out of data collection altogether, in part as this is unfeasible in practice; and
- providing that entities should be able to charge individuals for expenses reasonably incurred when actioning requests to access or transfer their data, subject again to ACCC oversight.
2. National leadership is required to implement the proposed reforms and build trust between jurisdictions and across sectors.
The Commission has recommended that policy responsibility for data is given to a new national statutory office holder – the Office of the National Data Custodian (NDC). It is intended that the NDC will be a 'facilitator' of improved data access and best practice. The Commission proposes that the NDC will have oversight of the national data system and will assume a number of key responsibilities.
It is envisaged that the NDC will:
- accredit and audit Accredited Release Authorities (who will have responsibilities in relation to dataset curation, sharing and release);
- guide data de-identification processes and establish best practice guidance for risk management and secure storage and access processes;
- accept nominations for "National Interest Datasets" (public or private sector datasets deemed to be of national interest) and assess their public interests merits before referring nominations to a Parliamentary Committee for public scrutiny; and
- be responsible for public reporting and complaints handling.
If the NDC is given statutory responsibilities with respect to data, it is likely to become the key focal point for consumers, data users and data custodians. The Commission has recommended the early appointment of the NDC – prior to passage of legislation. Given this, questions remain as to how the NDC will engage private sector participants and existing government institutions, such as the Digital Transformation Agency, and what powers it will have to embed best practice within the different sectors.
3. Legislative change is a critical piece of the puzzle, but the approach to reform must be facilitative.
To implement its proposed new data framework, the Commission proposes the introduction of a new Data Sharing and Release Act. The intention is for this new legislation to cut through the noise and send a clear signal to individuals, private and public sectors, that the way data assets are managed and used must, and will, change.
The new Act will establish the new "Comprehensive Right" for consumer data discussed above. In this regard it would sit alongside the Privacy Act, which already sets out specific principles that apply to the management of personal information. The Commission was adamant that its objectives could not be achieved through changes to the Privacy Act – the Commission's goals are far broader and extend to data that is not covered by the Privacy Act, as it may not be considered personal information.
The new Act would also establish a new regime to facilitate data sharing and release which could be "dialled up or down" according to the different risks associated with different data, uses and environments. Again, the Commission recognises the need for flexibility to deal with different issues that may arise with different data sets (for example, some data sets will inherently be more sensitive than others). However, the aim of the new Act would be to, as far as possible, set consistent rules around data access and sharing and embed expectations about availability of data as well as in relation to risk management.
Given that the new Act would apply to all government (including Commonwealth, State and Territory), private and not-for-profit sector bodies, the Commission has also acknowledged that successful implementation of the new legislation will necessarily require oversight and coordination.
The final report is wide-ranging and relatively radical in its recommendations. The Commission is strong in its recommendations that action should be taken to implement these recommendations sooner rather than later, and suggests that the implementation could be staggered with a number of initiatives coming into effect by the end of this year and the new data sharing legislation to be introduced and in effect by the end of 2018 (with a suitable compliance period built in). If you would like further information regarding these sweeping reforms, please let us know.