Australian data re-identification defendants will need to prove their innocence

The evidential burden for cases brought under proposed changes to the Privacy Act -- that criminalise the intentional re-identification and disclosure of de-identified Commonwealth datasets -- would be reversed, such that defendants would need to prove their innocence.

"The defendant entity or agency bears the evidential burden for each of these exceptions, which reverses the criminal law principle that the prosecution must prove every element of the offence," the Attorney-General's Department (AGD) said in a submission to the Senate Legal and Constitutional Affairs committee that is inspecting the legislation.

Under the changes proposed to be applied retrospectively from September 29, 2016, anyone who intentionally re-identifies a de-identified dataset from a federal agency could face two years' imprisonment, unless they work in a university or other state government body, or have a contract with the federal government that allows such work to be conducted.

"Requiring the prosecution to prove that the above exceptions do not apply would effectively require proof of a negative, namely that there were no applicable contracts, functions, activities, Australian laws, or agreements which authorised the defendant entity or agency to engage in the conduct in question," AGD said.

"This would be extremely difficult and expensive for the prosecution to prove beyond reasonable doubt.

"By contrast, this information would be readily and cheaply available from the defendant agency or entity, which would have peculiar knowledge of applicable contracts, functions, activities, Australian laws, or agreements that could be used to justify their conduct."

In its submission, AGD admitted the legislation was proposed as a response to an improperly de-identified dataset released by the Department of Health that was able to be partially re-identified by researchers at Melbourne University.

The department said that at the time the dataset did not include names or addresses of service providers and no patient information was identified.

Despite narrowing the range of acceptable individuals and entities that are able to legally re-identify datasets, AGD said "legitimate research" should not be discouraged.

"It is equally important that valuable research undertaken in areas such as testing the effectiveness of de-identification techniques, cryptology, or information security is able to continue," it said. "However, effective privacy and security measures protecting personal information are also necessary to ensure ongoing public confidence in open data.

"The department considers the provisions in the Bill strike the appropriate balance between protecting individual privacy and facilitating research."

The Bill has a provision that allows the Attorney-General to provide exemptions in the public interest, but AGD said that test will be made difficult.

"The department does not expect there will be many entities who will require an exemption under section 16G to undertake research requiring the intentional re-identification of de-identified personal information published by a government agency in a generally available publication.

"As protecting an individual's privacy is of upmost importance, research would generally only be in the public interest if it contributed in some way to enhancing protections for personal information (for example, testing for vulnerabilities in existing de-identification techniques or developing stronger techniques)."

AGD said the Bill as it stands contains an obligation for notifying the agency that released the data, and following any direction from the agency.

"If an agency publishes poorly de-identified personal information, the agency would potentially breach existing provisions of the Privacy Act," AGD said. "While the Privacy Act does not apply to de-identified information, if personal information has been so poorly de-identified such that it does not meet the Privacy Act's definition of 'de-identified', the Privacy Act would still apply to that information."

In such a case, it would then be left to the Australia Privacy Commissioner to investigate and issue a determination to remedy the agency's processes.

When announcing the proposed legislation in September, Attorney-General George Brandis said open data was a vital part of modern government, and claimed "privacy of citizens is of paramount importance" to the government.

However, Australian citizens are unlikely to know when their personal data has been stolen until 2018, as the legislation to create a data breach notification scheme has yet to be passed.

In a separate submission, Australian Information and Privacy Commissioner Timothy Pilgrim said the introduction of new offences was unlikely to prevent the privacy risks of publishing de-identified data, and government agencies needed to lift their game.

"Agencies must have the capability to manage the personal information that they hold in accordance with the Privacy Act, and in accordance with the broader community's contemporary expectations," Pilgrim said. "This is particularly relevant where Australian government agencies may be considering whether and how to release valuable datasets which contain, or are derived from, personal information."

Pilgrim suggested his office create a public service Privacy Code that would move agencies beyond compliance and more towards implementing best practices.

The Information Commissioner pointed out that online information is international, and a law in Australia cannot be applied to those not in the country.