Productivity Commission wants to hear why governments shouldn't have your data

Australia needs a legislative overhaul to change the way data is handled in the country, the Productivity Commission has said in its draft report of its Data Availability and Use inquiry.

It said the nation has fallen behind, and needs a new Data Sharing and Release Act, a National Data Custodian body, and for individuals to have greater control of the data that is collected about them by both the public and private sectors.

"Individuals have no rights to ownership of the data that is collected about them. Data is increasingly an asset, and when you create an asset you should have the ability to use it, or not, at your choice," Productivity Commission chair Peter Harris said.

"We are proposing the creation of a comprehensive right to data control for consumers that would give people the right to access their data, and direct that it be sent to another party, such as a new doctor, insurance company, or bank. Plus an expanded right for people to opt out of data-collecting activities. And existing privacy laws would all remain in place."

The Productivity Commission said Australia is missing out on the benefits of data linkage and analysis due to the "misconception that denying access will minimise risks", and called for those who have concerns about governments handling personal information to step forward and make their views known.

"Despite claims of a few privacy advocate groups, this inquiry has not been presented with evidence to suggest widespread concern about the provision of personal information to governments," the commission said.

Under the opt-out rules for individuals proposed by the commission, an organisation that receives an opt-out request would not have to delete data that is already collected and only end the collection of new data. The commission also recommended that the government abolish the need for the destruction of linked datasets and statistical linkage keys at the end of data integration projects.

The commission said increased use of data did not correspond to an increased risk of harm, and creating harsher privacy legislation would not prevent either human error or criminal intent.

"In reality, most risks of data misuse arise not through the public release of robustly de-identified data, but rather from poor or outdated data collection, storage and management practices, often coupled with malicious intent to gain access and use data that would otherwise not have been available," the commission said.

The Productivity Commission will hold public hearings in Melbourne on November 21, and in Sydney on November 28.

The Australian Parliament is currently considering laws that criminalise the re-identification of de-identified datasets that are collected and published by the Commonwealth.

The laws allow the attorney-general to declare a particular entity is exempt for the purposes of public interest. Specifically mentioned are cases of research involving cryptology, information security, and data analysis, or "any other purpose that the minister considers appropriate".

On Wednesday, Australia's Minister Assisting the Prime Minister on Cyber Security Dan Tehan said rather than take a centralised approach to cybersecurity, the individual components of the Australian government should look after themselves.

Tehan dismissed the idea of any edict from government to force agencies to up their security game.

"I think if we go over the top ... sort of a centralised approach, I think that presents dangers," he said.