Public Trust in Data Sharing (AU0006)

Objective and description: Australia will build public trust around data sharing and release. We will do this by actively engaging with the public regarding how open data is being used to better communicate the benefits and understand public concerns, and we will improve privacy risk management capability across government. Status Quo: In an increasingly complex and interconnected world, effective policy responses require investment in joined-up data that can provide a strong evidence-base for policy decisions. However, as the volume of data and technical capability to use it increases, we need to better inform the public about the risks and benefits of data sharing and release, and address public views and concerns, including attitudes towards privacy. It is essential that people’s privacy and personal information is protected in using and sharing data. In some cases it is not appropriate to publish or share certain datasets. The Privacy Act 1988 (Privacy Act) underpins the open data agenda and helps build public trust in data-sharing activities, but there is a need to improve capacity within government agencies to manage privacy risks when releasing data. In October 2016 the Government introduced separate pieces of legislation to amend the Privacy Act to: make it an offence to deliberately re-identify personal information from open government data;8 and introduce mandatory data breach notification provisions requiring Australian Government agencies, private sector organisations and certain other entities regulated by the Privacy Act that suffer data breaches to notify individuals whose personal information has been compromised. Data literacy across the APS is also critical. In August 2016, the Department of the Prime Minister and Cabinet released Data Skills and Capability in the Australian Public Service10 to help build skills and knowledge in publishing, linking and sharing public data. The Government will also improve whole-of-government de-identification processes by releasing guidance on publishing sensitive data. The Productivity Commission’s inquiry into data availability and use will also consider privacy safeguards and consumer rights over their data. The Government will respond to the recommendations in the Productivity Commission’s report and continue to work with the public to grow the social licence for data to empower citizens and increase transparency over government activities. Ambition: To build trust about the use of integrated data and actively respond to public concerns about data sharing. To comply with international best practice on open data principles and participate in global fora on data. Relevance: This commitment will advance the OGP values of transparency and public participation by: providing greater transparency on how government is using the data it collects and protecting personal information; enabling the public to engage with government and raise issues of concern; enabling experts outside of government to inform public debate; and providing more targeted and effective policy, service delivery and program evaluation. COMMITMENT DETAILS: OGP Grand Challenge: Improving Public Services Increasing Public Integrity; Timeframes December 2016 – July 2018; Lead agency: Department of the Prime Minister and Cabinet (data@pmc.gov.au), Australian Bureau of Statistics and Office of the Australian Information Commissioner (enquiries@oaic.gov.au); Other actors involved. Government: Attorney General’s Department, Treasury, Fair Work Ombudsman, Australian Institute of Health and Welfare, Department of Social Services, Department of Industry, Innovation and Science and Department of Health, Department of Human Services, Australian Taxation Office and Australian Federal Police, state and territory governments. Non-government Non-government organisations (including Australian Open Government Partnership Network, Open Data Institute Queensland, Open Knowledge Foundation, Electronic Frontiers Australia, Australian Privacy Foundation, other privacy groups, digital rights organisations), library associations and the public.

6. Build and maintain public trust to address concerns about data sharing and release

Commitment Text:

Australia will build public trust around data sharing and release.

We will do this by actively engaging with the public regarding how open data is being used to better communicate the benefits and understand public concerns, and we will improve privacy risk management capability across government.

[…]

Milestones:

1. Develop an ongoing and collaborative conversation with the public about the risks and benefits of data sharing and integration:
   1. Establish an expert panel to advise government and to help communicate: value and utility of data sharing and integration; how government is using the data it collects; and how government is protecting personal information.
   2. Develop and implement a public engagement process to demonstrate public-value examples and enable an ongoing dialogue with the public.
2. Improve privacy and personal information protections in using and sharing data:
   1. Publicly release a process for government agencies to determine whether sensitive data can be made sufficiently confidential to enable open publication
   2. Work with the Office of the Australian Information Commissioner to improve privacy risk management capability across the Australian Public Service.
   3. Respond to the Productivity Commission’s recommendations on consumer rights and safeguards for data.
3. Comply with international best practice on open data principles and participate in global fora on data:
   1. Adopt the International Open Data Charter and develop a high-level public statement with public consultation.
   2. Participate in the International Open Data Stewards Group.

Responsible institution: Department of the Prime Minister and Cabinet, Australian Bureau of Statistics and Office of the Australian Information Commissioner

Supporting institution(s): See the National Action plan for a full list.

Start date: December 2016 End date: July 2018

Editorial Note: This is a partial version of the commitment text. For the full commitment text, see the Australia National Action Plan available at https://www.opengovpartnership.org/wp-content/uploads/2001/01/Australia_NAP_2016-2018_0.pdf.

Context and Objectives

This commitment represents a number of steps to build and maintain public trust in the way government shares the information it has collected. It seeks to raise awareness of the benefits to data sharing and protections against misuse, increase those protections and adopt internationally recognised principles for openness.

The Productivity Commission, in its Data Availability and Use Report,[1] identified the need to build and retain public trust in how data is managed and used as key to achieving the many potential benefits of data use. A survey conducted by the Office of the Australian Information Commissioner (OAIC) in 2013 found that nearly half of Australians surveyed are uncomfortable with government agencies sharing personal information about them with other government agencies,[2] or using their information for research, service development or policy development purposes.[3]

As the Commission reported, that lack of trust may arise due to a lack of understanding of how data collection and use is regulated. Consent to the collection and use of personal information may be provided without clear understanding of the terms and conditions of that consent and a lack of control over what happens to personal information after it has been provided. There have also been several high-profile examples in the public sector involving cybersecurity breaches or the re-identification of anonymised data based on matching with non-sensitive publicly available information.[4] The lack of accountability for misuse or inadequate protection of personal information, asymmetries of access to sensitive information or an understanding of its implications, and the general complexity of the data landscape may all contribute to eroding trust.[5]

In its Data Availability and Use Report, the Productivity Commission found that ‘[c]omprehensive reform of Australia’s data infrastructure is needed’, including enhancement of consumer rights, improving the safeguards in place, increasing transparency and effective management of risk.[6] The Commission made a number of recommendations which relate to the rights of consumers and safeguards for data. These included the right of consumers to access and use their data;[7] legislative reform[8] to introduce a comprehensive risk-based approach by government agencies to the sharing and release of government data ;[9] and the need to engage with the community, including forums for consultation to address community concerns about increased use of data.[10]

The milestones include a number of specific elements, such as the establishment of expert panel, releasing processes, responding to recommendations or adopting the charter. However, other elements, such as working with the OAIC or participating in the Steward’s Group, are more subjective. Overall, therefore, this commitment is of medium specificity.

Milestone 6.1: Establishing an expert panel and a public engagement process will potentially increase public access to information on how government is using the data it collects and generates. By providing advice to government, and enabling an ongoing dialogue, the forums will improve the opportunities for the public to inform themselves on government information sharing practices. However, the commitment does not provide any indication of whether these forums will be able to influence decisions or reforms in this area. The relationship between the expert panel and existing governance arrangements for data integration projects within the public service, for example the Secretaries Data Group and Deputy Secretaries Data Group, is also not clear.[11]

Milestone 6.2: Providing a process for government agencies to determine whether sensitive data can be made sufficiently confidential to enable open publication is intended to increase the open publication of data which has been anonymised or de-identified. Similarly, improving privacy risk management capability should encourage disclosure where there is a low risk of sensitive information being inappropriately disclosed or used. This could in turn increase the quantity of information disclosed to the public. Its impact on increasing trust in government’s collection and use of information, however, will depend on the transparency of the process as well as its implementation and enforcement. The extent of any additional information being made available is therefore uncertain, but is expected to be moderate.

This milestone also commits the government to respond to the Productivity Commission’s recommendations on consumer rights and safeguards for data. The Productivity Commission’s recommendations are wide ranging and call for a comprehensive reform of Australia’s data infrastructure. They are also intended to increase the amount of government information made public, either entirely or indirectly via a limited user group who can be trusted to de-identify any public use or release.

Milestone 6.3: Adopting the International Open Data Charter represents an international commitment to making data openly available. The Open Data Charter is a collaboration between government and experts working to embed a culture and practice of openness in government. Adopting the charter involves agreeing to six principles for opening up data.[12] Institutions adopting the charter should also ‘participate actively with recognised external accountability and impact evaluation mechanisms in regard to open data’.[13] Therefore, adopting the charter provides an additional basis for public criticism of government action or inaction on its open data commitments. In itself, however, it does not provide a redress mechanism leading to more accountability for government officials and while it may increase the usability of data released, it may have only a limited impact on increasing access to government information.

Some concerns were raised in interviews and open forums in the preparation of this report over the Productivity Commission’s recommendations and whether they adequately reflected individual privacy interests when balanced against the benefits of extending the availability and use of data.[14] The availability of resources within government agencies to improve their risk management capability and to enforce privacy and other requirements was also raised. Interviewees considered this a more significant hurdle than release of processes or OAIC guidance, with questions over whether budget announcements[15] of a public sector modernisation fund would be sufficient. The government needed to be committed to establishing a consultation process that does more than seek to promote government initiatives in this area. Comments at the Sydney and Melbourne Open Forums also suggested that recent data linkage projects at the Commonwealth, States and Territories and their impact on public trust should also be considered as part of the commitment.[16]

Completion

Milestone 6.1: This milestone was delayed and not started after the first year of implementation. The time needed to properly respond to the many issues raised by the recommendations (see milestone 6.2 below) contributed to the delay in progressing establishment of an expert panel and developing the public engagement process as originally planned. PM&C indicated that a consultation process on the response was under way with several roundtables having been held with business groups and civil society organisations, but this was not directly addressing this milestone.[17] This milestone was therefore not started as at the reporting date.

Milestone 6.2: This milestone was on time and substantially completed as at the reporting date. The Australian Information and Privacy Commissioner and the Secretary of the PM&C jointly announced development of a new Australian Government Agencies Privacy Code on 18 May 2017.[18] The Code will set out specific requirements and key practical steps that agencies must accept as part of complying with the Australian Privacy Principles under the Privacy Act 1988. A consultation draft was released on 30 June 2017, with submissions invited until 11 August 2017, and was made available on the OAIC website.[19] The final version of the Code was registered on 27 October 2017.[20]

In May 2017, the Australian government established a task force with representatives from different department and government agencies to work on a response to the Productivity Commission’s recommendations. A response is expected towards the end of 2017.[21] In interviews in preparing this report, PM&C indicated that the Commission’s recommendations on consumer rights and safeguards were closely tied with other recommendations which affected this and other commitments in the national action plan (including commitment 5 - high-value datasets). The Minister for Cities and Digital Transformation, Angus Taylor, has recently indicated that the Government would support a consumer data rights framework giving individuals greater rights over their data to encourage competition.[22]

In addition, a process for government agencies to publish open data was released on 7 December 2017, after the period of implementation under consideration, and will be expanded upon in the end-of-term report.[23]

Milestone 6.3: This milestone has been substantially completed on time. The government adopted the Open Data Charter on 27 March 2017.[24] In the Government’s Mid-Term Self-Assessment report it is suggested that Australia has offered to support the Charter Secretariat as they establish the Charter working groups and test projects over the next 12 months, however, there is no public evidence of that.

On 25 May 2017, the Government announced a new initiative: the Data Integration Partnership for Australia (DIPA) to support the integration and analysis of government held data.[25] This initiative is not included in the commitment but is relevant to its objectives of enhancing trust in government sharing and release of data. The DIPA will seek to build on data integration projects, including the Multi-agency data integration project (MADIP) and the Business Longitudinal analysis data environment.[26] The MADIP, for example, is a partnership between six commonwealth government agencies integrating census data with datasets involving healthcare, government benefit payments and income tax. The project was initiated in 2015 to facilitate analysis of government policies, programs and services. The Australian Bureau of Statistics (ABS), as the agency responsible for protecting access to the de-identified data linked through the project, has recently released four case studies demonstrating some of the benefits of the project,[27] as well as consulting with a range of interested stakeholders and commissioning a privacy impact statement.[28]

There are no early results available.

Next Steps

It is likely that the response to the Productivity Commission’s recommendations will give rise to a number of initiatives to be reflected in the next national action plan cycle. The collaboration process committed to in milestone 1 could be adapted to further develop and implement that response.

The establishment and operation of an expert panel, which was not completed within this cycle, could be included as part of the next national action plan. If it were to be included, the panel should have a role in scrutinising and coordinating data integration projects, including review of privacy impact assessments and the consultation process involved in each project. The expert panel should have a clearly identified role in the governance of data management projects within the APS and complement the oversight role of the Australian Privacy Commissioner and other similar bodies.

An examination of the resourcing required to support the Australian Information Commissioner’s role in monitoring and enforcing the Australian Government Agencies Privacy Code could also be undertaken, along with the resource implications of complying with the Code within agencies, to ensure adequate resourcing is available.

Commitment 6. Build and maintain public trust to address concerns about data sharing and release

Commitment Text:

Australia will build public trust around data sharing and release.

We will do this by actively engaging with the public regarding how open data is being used to better communicate the benefits and understand public concerns, and we will improve privacy risk management capability across government.

[…]

Milestones:

1. Develop an ongoing and collaborative conversation with the public about the risks and benefits of data sharing and integration:
   • Establish an expert panel to advise government and to help communicate: value and utility of data sharing and integration; how government is using the data it collects; and how government is protecting personal information.

• Develop and implement a public engagement process to demonstrate public-value examples and enable an ongoing dialogue with the public.

2. Improve privacy and personal information protections in using and sharing data:
   • Publicly release a process for government agencies to determine whether sensitive data can be sufficiently confidential to enable open publication.
   • Work with the Office of the Australian Information Commissioner to improve privacy risk management capability across the Australian Public Service.
   • Respond to the Productivity Commission’s recommendations on consumer rights and safeguards for data.
3. Comply with international best practice on open data principles and participate in global fora on data:
   • Adopt the International Open Data Charter and develop a high-level public statement with public consultation.
   • Participate in the International Open Data Stewards Group.

Responsible institution: Department of the Prime Minister and Cabinet, Australian Bureau of Statistics and Office of the Australian Information Commissioner (OAIC)

Supporting institution(s): See the National Action plan for a full list.

Start date: December 2016                          End date: July 2018

Editorial Note: This is a partial version of the commitment text. For the full commitment text, see the Australia National Action Plan available at https://www.opengovpartnership.org/sites/default/files/Australia_NAP_2016-2018_0.pdf.

Commitment Aim:

This commitment included a number of steps to try to build and maintain public trust in the way government shares the information it has collected. It seeks to engage with the public on the risks and benefits of data sharing and protections against misuse. It also sought to increase those protections—for example, by establishing guidance for government agencies on how sensitive information can be released and enhancing privacy risk management—and adopt internationally recognised principles for data openness.

Status

Midterm: Substantial

Overall this commitment saw substantial completion during the first year of the national action plan. There had been no progress on milestone 1, primarily due to delays associated with preparing a government response to a report on data availability and use which had been prepared by the Productivity Commission (see the discussion in Commitment 5 above). [61] A process for government agencies to publish open data was released on 7 December 2016 [62] (milestone 2a) and a new Australian Government Agencies Privacy Code was released for public comment on 18 May 2017 [63] (milestone 2b).

A taskforce was established to work on the government’s response to the Productivity Commission report, including recommendations on consumer rights and safeguards for data, with the Minister responsible indicating the government’s support for giving individuals greater rights over their data [64] (milestone 2c). The government adopted the Open Data Charter, as set out in milestone 3, on 27 March 2017. [65] Outside of this commitment but relevant to its objectives, the government also announced the Data Integration Partnership for Australia (DIPA) to support the integration and analysis of government-held data, building on existing data integration projects including the Multi-Agency Data Integration Project (MADIP), a partnership between six Commonwealth government agencies integrating census data with datasets involving healthcare, government benefit payments, and income tax. [66]

For more information, please see the midterm Progress Report.

End of term: Substantial

Milestone 1: This milestone saw limited completion during the term of the national action plan. In responding to the Productivity Commission’s Data Availability and Use Report, the Government recommitted to actively engage with the community on matters related to data availability and use. [67] The Government has also committed to establishing a National Data Advisory Council which will include experts from outside of government, including business, civil society, and academia, with a call for expressions of interest having been issued on 4 July 2018. [68]

Milestone 2: This milestone was completed. The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Privacy Code) was formally registered on 26 October 2017. [69] The Code seeks to improve privacy risk management capability by setting out requirements for government agencies as part of their obligations under the Privacy Act 1988. These include the need for a privacy management plan, designated privacy officers to carry out certain privacy-related functions, and a senior officer to act as a privacy champion to promote a culture of privacy and provide leadership on strategic privacy issues. Privacy Impact assessments are required for all high-privacy risk projects. Appropriate privacy education or training must also be provided for all government agencies on induction and annually, and internal privacy processes regularly reviewed. The Office of the Australian Information Commissioner (OAIC) has also released various guides and supporting material. [70]

The government released its response to the Productivity Commission’s Data Availability and Use Report on 1 May 2018. [71] That response included a commitment to introduce a consumer data right to allow consumers to access their data, including transaction, usage, and product data, in a format which would enable them to provide it to others. Industry standards will be established to provide privacy and security safeguards, overseen by both the OAIC and the Australian Competition and Consumer Commission. [72]

Milestone 3: This milestone was substantially completed. The government adopted the Open Data Charter on 27 March 2017 and has indicated that it has offered to support the Charter Secretariat as they establish the Charter working groups and test projects over the next 12 months, but no information on the extent of the support offered is publicly available. [73]

In an interview for this report, James Horton, Founder and Chief Executive Officer of Datanomics Pty Ltd and member of the Open Government Partnership Forum, considered it likely that the adoption of the charter represents the current government interest in the potential use of open government data, but is unlikely in itself to lead to an increase in the information made available. [74]

Did It Open Government?

Access to Information: Did Not Change

Civic Participation: Did Not Change

The IRM researcher was not able to find any information publicly available at the end of the term of the national action plan on whether the commitment has led to an increase in government information available to the public. Milestones relevant to civic participation saw limited completion, with no changes in government practice.

By releasing a process for government agencies to determine whether sensitive data can be safely published in an open format, the government sought to encourage the release of additional datasets.

However, information on use of the process, or the extent to which sensitive data has subsequently been able to be released, is not collected by the Department of the Prime Minister and Cabinet (PM&C).

The Privacy Code for government agencies came into effect on 1 July 2018. The IRM researcher was not able to find any information on its use or impact on release of government information at the time of writing this report. There is also no information on the effect, if any, of the adoption of the Open Data Charter on the release of additional government information.

The government provided some opportunity to comment on issues of risks and benefits of data sharing and integration, in public consultations, including in the development of the Privacy Code [75] and data integration projects including MADIP, under the responsibility of the Australian Bureau of Statistics. [76] Other elements of DIPA, however, have not so far engaged in public consultation. [77] Milestone 1, the establishment of an expert panel and public engagement process, achieved limited completion and, thus, change in government practice as a result of implementation is coded as ‘did not change’ for civic participation.

Carried Forward?

The second national action plan includes a commitment to improve the sharing, use, and reuse of public sector data. [78] The commitment builds public consultation into the implementation of the reforms announced by government in response to the Productivity Commission report on Data Availability and Use. It will include the establishment of a National Data Advisory Council drawn from both government and civil society, and public consultation on a new Data Sharing and Release Act which is intended to consider safeguards and build trust in use of public data. [79]