Early thoughts on the Australian Productivity Commission’s draft data sharing report

(I will come back and make this a snazzier title)

Yesterday the Australian Productivity Commission published its draft report, Data availability and use, for public comment. The full report is 650 pages long, with 27 draft recommendations. That’s going to take a while for anyone to absorb. On a first read, these are my early thoughts.

It’s enormous and covers almost everything (Image: steeedm)

The report covers open public sector data; access to private sector data; data anonymisation; data standards; pricing for public data; increased rights (a “Comprehensive Right”) for citizens accessing personal data; the creation of National Interest Datasets; the establishment of an Office of the National Data Guardian; and a Data Sharing & Release Act.

There’s a lot to digest, and lots to get excited about. There’s a proposed requirement that government agencies develop and publish registries of the datasets they hold — closed, shared and open. There’s also emphasis on targeted investment in National Interest Datasets, to be published openly where possible.

There’s also a keen desire to change the way privacy laws in Australia work. This is both to give people greater control over how their data is used and who has access to it, and to free up some personal data for public interest research and public services.

So far media attention has mainly focused on the idea of a ‘Comprehensive Right’ for consumers over their personal data, so this is where I’m going to start too.

What follows are early thoughts, and as I dig further into the report (or don’t — did I mention it’s 650 pages?!?!) I might come back and update this post. Or write more posts, because there’s so many other sections to comment on — this post is really just about the personal data aspects).

The key points I make in this post are:

  1. Providing people with greater control over data that is about them is important. But who has what rights over data is complex, and the draft proposals are selective about what control means for people — more than in comparable countries
  2. Openness about how personal data is used is fundamental to build trust. If organisations and researchers have greater access to personal data, openness about what data is being accessed, who has access, and for what purpose, should be mandated.
  3. Sometimes friction around personal data is good. There are reasons some sensitive personal datasets aren’t more easily accessible.

What does ‘control’ over personal data look like?

The Productivity Commission proposes introducing new rights for people to control how their personal data is accessed and used. Recommendation 9.2 includes new rights to:

  • have shared access to their personal data (alongside the data holder)
  • request edits to their data for accuracy
  • be informed about proposals to sell and buy their data
  • appeal automated decisions
  • transfer data in a machine readable format, either to themselves or a third party
  • opt out of data collection (with exceptions).

These new rights might look familiar. They echo similar kinds of rights introduced in the EU’s General Data Protection Regulation (GDPR), an update to EU data protection laws and which all EU countries will need to implement by May 2018. They’re worth looking at, to better understand what’s not in the Productivity Commission proposals.

Rights for personal data subjects in the GDPR include:

  • A right to be informed about how personal data is being used. It in includes both obligations on data collectors and users to provide information, and a right for people to request information
  • A right of access to data that is about them, in a machine readable format
  • A right of erasure of data, in some circumstances
  • A right to restrict processing, where there’s accuracy issues or consent to processing has been withdrawn
  • A right of portability of data between service providers
  • A right to object to data processing, particularly if it’s for direct marketing purposes (but in other circumstances too)
  • Rights to understand and appeal automated decisions and instances of profiling

I look at some of the rights that are included in Europe’s GDPR, but not in the Productivity Commission’s draft proposal, below.

Deleting personal data records

The Productivity Commission rejects introducing a right for people to request deletion of data, and they have some valid reasons. They point out that a personal data record can be about multiple people (for example, a group photograph), and so one individual shouldn’t have the right to request its deletion. They also note that data can be difficult — sometimes impossible — to delete.

These aren’t issues that only come up when facing a request from someone to delete data, though. They confound the proposed new rights allowing people to make changes to, and request access to their data as well.

Personal data can concern multiple people. It might be a group photograph. Or it might be a teacher’s comments about a student’s interactions with them in the classroom. It might be your partner’s medical history, which includes information that’s about both of you — like that you have been trying IVF, or had a recent miscarriage.

‘Ownership’ of personal data is complex. I’ve written about it in the past here. And while the trend is clearly towards providing people with more control over their personal data (which is important), the fuzzy edges need considering.

Whether deleting or requesting changes to a dataset, the technical implications (read: challenges) are the same. Both the GDPR’s and Productivity Commission’s rights of control are technically difficult, if not impossible, to implement for lots of organisations managing personal data right now. But I wonder if what we’ll start to see is database systems being developed that have much better backend information management, to make compliance with these kinds of individual rights possible.

The circumstances in which personal data can be deleted can be conditional, as it is with the GDPR’s right of erasure. The Productivity Commission gives examples of instances in which the deletion of personal data wouldn’t be appropriate — e.g. Census data. Omitting a right of deletion altogether is a step too far.

There are circumstances in which being able to ask for the deletion of personal data, and have that request enforced, is important.

Where it has been accessed or used unlawfully. Where information about a person (e.g. photos or phone numbers) is published maliciously online. Where it’s information that has been provided fraudulently (e.g. signing someone up for a dating service or medical treatments, providing their information without consent). Excluding a right of deletion, however conditional, from rights of control may end up causing harm.

Being informed about how personal data is used

The Productivity Commission stops short of a recommendation that people be informed of how their personal data is being used. They do ask for more information on what meaningful disclosure might look like.

The GDPR, as a point of comparison, sets out specific categories of information that organisations using personal data have to provide — publicly, and directly to personal data subjects on request — and mandates that these be in easily accessible, understandable language. The GDPR hasn’t been implemented yet, however, so it’s not clear how this will be implemented in practice.

At a basic level, without a right to be informed (whatever the implementation of this looks like) it’s going to be hard for people to exercise any of their other rights of control.

If a person doesn’t know what data is being collected about them, or that data is being collected about them at all, they can’t request access to that data. And they can’t make changes to it. A right to be informed of how your personal data is being collected and used is a necessary precondition of control.

Openness about how personal data is used can build trust.

The Australian Productivity Commission’s drive in undertaking this report is ultimately to see Australia make better, more efficient use of data in ways that benefit Australians. As Peter Martin writes in the Sydney Morning Herald,

“It is an outrage that sick patients still have to act as information conduits between healthcare providers (10 to 25 per cent of the medical tests ordered are thought to be duplicates) and a disgrace that 60 years after the Thalidomide tragedy we still don’t link prescription data to hospitalisation records to get insights into the side effects of drugs.”

The Australian Productivity Commission’s draft report is rich in examples of the issues organisations have had joining up data that would benefit people, and accessing data that could be used for beneficial purposes. Reducing the barriers — legislative, technical and cultural — to better data sharing inside government agencies is a preoccupation of modern government. In the UK, new data sharing powers for government are currently before the Parliament.

The Productivity Commission’s draft report includes recommendations aimed at reducing current barriers to accessing and using personal data, like:

  • Extending existing exceptions in the Privacy Act that allow access to personally identifiable data for e.g. health research, to all research deemed to be in the public interest (5.2)
  • Abolishing existing requirements that linked datasets and statistical linkage keys be destroyed at the completion of research projects (5.3)

While it’s only the day after the report launch, I anticipate these recommendations being controversial — particularly in the privacy community. And there’s no counter-balancing obligations proposed for researchers, government agencies and organisations who benefit from improved access to personal data in the report, to help build public trust.

Openness about how personal data is being used, and who has access, helps to build trust in those organisations managing personal data.

It enables people to engage in discussions about how they’d like their data to be shared, providing organisations with more context for personal data decision making.

And data about personal data use is itself a rich resource for understanding what Australia’s National Interest Datasets (NIDs) are (another draft Productivity Commission recommendation).

This is starting to happen in some places. In the UK, the Department for Education publishes information about each access request for the National Pupil Database. And the Open Data Institute has proposed eight openness principles for organisations managing personal data (full disclosure: I was Head of Policy for the ODI).

How openness sits alongside improved data sharing deserves consideration in the next iteration of the report.

Finally: some friction accessing and using personal data is good

Whew, we are almost at the end. I feel like this has been a long post.

The last point I wanted to make was about friction. In his piece for SMH, Peter Martin follows on:

“Research that could have saved the lives of Indigenous women was delayed five years while the researchers waited for ethics approval to see cervical cancer screening data; researchers wanting to study the link between vaccination and admission to hospital have had to wait eight years and counting.”

The complexity of rules for data sharing in Australia, in a patchwork of legislative instruments, is a headache. In the draft report, the Productivity Commission highlights a culture of risk aversion and confusion as to what is lawful within government agencies, that is stopping good and useful data sharing happening.

There‘s a need to streamline and align data sharing regulations across domains in Australia. The Productivity Commission proposes a Data Sharing and Release Act to facilitate this. But it’s worth stressing that sometimes, friction exists for a reason.

The need to emphasise this in any first blog struck me while skimming the Productivity Commission’s section on public interest uses of personal data (page 305). It’s a section considering the extension of exceptions in the Privacy Act, to enable use of identifiable personal data for any research deemed in the public interest.

The information they use to illustrate the need for extended public interest exceptions is information about child sexual abuse, and births, deaths and marriages.

These are two data sources that we absolutely want the necessary public bodies to be able to have access to — e.g. child support workers identifying potential foster carers, or welfare service providers knowing when a welfare recipient has died.

But we also want to have enough friction around who can access and use these datasets so that they don’t harm the people they’re intended to protect.

Victims of child sexual abuse are likely to be more sensitive than most (!) about who has access to their data, and for what purpose. Information about births, deaths and marriages needs to be relatively inaccessible (difficult combine with other data) to prevent e.g. accidentally identifying people in who are in witness protection, or undercover.

It’s usually the personal data that has potential greatest impact on our lives that needs to be most secure.

The Productivity Commission wrestles with this tension — between enabling use of data, and preserving friction — throughout their draft report. People have until 12 December to provide feedback. I’m looking forward to seeing how the conversation develops.