26 Nov Privacy & Data Sharing
As technology enables faster and more extensive sharing of information, one of the most significant emerging issues for risk management is around privacy and information sharing. Governance of information is currently more important than ever, yet did you know that Western Australia (WA) is the only Australian State or Territory not to have its own privacy and/or data sharing legislation? Admittedly Australia’s federal system of government means that privacy laws do apply to WA in some situations. In broad terms, if you are dealing with a large corporation (turnover of $3m+), a private healthcare provider, or a Commonwealth agency, then you are covered by the Commonwealth’s Privacy Act 1988. If you are dealing with a State Government agency however, you are not, although the state public sector is subject to an administrative instruction to follow the general principles of Commonwealth privacy law.
There is a sense amongst stakeholders that this confusing situation is long overdue for reform. At present, the State Government is developing draft legislation for Privacy and Responsible Information Sharing and has run a public consultation process.
Information on the proposal is available at https://www.wa.gov.au/organisation/public-sector-reform/learn-more-privacy-and-responsible-information-sharing.
Submissions closed on 1 November 2019.
The proposed legislation could be described as ‘Privacy Plus’ – that is, privacy protections combined with positive requirements to share data. The Government could have taken the relatively simple option of merely adopting the well-established Australian Privacy Principles, but instead have gone for what might be called a hybrid model. Their rationale is that privacy protections are necessary but insufficient. Essentially, the Commonwealth’s privacy legislation establishes principles on managing information to protect privacy and creates an oversight body to receive complaints and enforce the rules. It is all about protecting citizens from the misuse of their personal information, but arguably it doesn’t do anything to actively promote information sharing in the first instance.
Consequently, the State reforms seek to balance information sharing with privacy protections. The proposed legislation is going to require a high degree of sophistication in applying risk management thinking to decisions about sharing information and weighing up the public benefits and risks, case by case. A deliberate approach has been taken to avoid an overly prescriptive approach and instead put the onus on public servants to consider the potential benefits, and harms, that could flow from decisions to share information, or not. It appears that there would mostly be high-level guidance in the form of principles to be followed, rather than a detailed set of rules. For the information-sharing part of the reform to work, public servants are going to have to take a sense of proportionality in considering the risks and benefits of sharing information, rather than using an abstract concept of risk as the justification for non-disclosure.
Given the degree of goodwill towards the reforms and the sense among stakeholders that these are overdue, there is no reason to assume that the initiative is doomed to failure, but it will be challenging. Agencies would be accountable to two separate watchdogs – one responsible for privacy and the other for information sharing. Decisions will need to be justified in the circumstances.
There is a great opportunity here for agencies to develop capacity in decision making around risk, governance and procedural fairness. Moreover, it will be essential that they do so, if the intent of the information-sharing element of the reforms – better services and decision-making – is to be realised. The Government discussion paper notes that training (including that in risk management) will be essential. Passing the legislation will only be the first step.
It is understood that the Government is hoping to enact the legislation in 2020 prior to the next State Election. This is seen as an ambitious timetable and it may be that the legislation is only completed following the State election in March 2021, assuming the Government is returned.
Andrew Lee, Associate Consultant, Riskwest