​Data Governance Australia launches draft Code of Practice for data use

The independent body tasked with establishing industry standards around data has released a draft Code of Practice in a bid to set benchmarks for the responsible use of data.
Written by Asha Barbaschow, Contributor

Data Governance Australia (DGA) has launched a draft Code of Practice for public consultation as part of its effort to set industry standards and benchmarks for the responsible collection, use, management, and disclosure of data.

The draft code [PDF] places a heavy focus on doing "no harm" to the customer, as well as ensuring all steps have been taken to ensure data cannot be re-identified, requesting organisations appoint an officer to oversee data activities.

Under its proposed no-harm rule, the DGA said organisations would be required to "use best endeavours" to ensure they do not cause harm to an individual as a result of the collection, use, or disclosure of their personal information.

The no-harm principle would also dictate an organisation must act with integrity and ensure that data is not used for unethical purposes, and that they must not exploit the lack of knowledge or inexperience of the individual whom it is collecting data on.

Similarly, the DGA's proposed second principle says an organisation must act with honesty and transparency when collecting, using, and disclosing data, and insists it has all of its privacy policy ducks in order before collecting information.

"Organisations must be clear and upfront about the facts and purpose of their collection, use and disclosure activities in relation to personal information, and ensure that their privacy policy and privacy notification statements are easily accessible," the DGA explained, noting this also means transparency around other third-parties that have access to an individual's data.

Under the topic of fairness, the DGA has proposed organisations only collect personal information from individuals for actual or anticipated legitimate business purposes and that they should take into consideration factors such as the circumstances surrounding how the data was collected.

DGA also wants to see organisations take reasonable steps to ensure that any data it shares is accurate and not misleading.

When it comes to the topic of choice, the DGA recommends organisations must not, unless required by law, re-identify external datasets that would reasonably likely contain sensitive information upon re-identification without the express consent of the individual in question.

Similarly, under principle six -- safety, security, and de-identification -- the DGA would mandate that organisations ensure third parties with access to its data also comply with rules and regulations related to de-identification.

Under this principle, organisations would also be required to nominate an individual to be tasked with the responsibility for ensuring the security of the data it holds.

Adequate training for staff around the formalised code is also requested by the data body, as well as an easy-to-access public data policy, and a register of the data it holds.

Currently, the Australian government is awaiting the passing of legislation that would see the criminalisation of those who re-identify de-identified data.

The proposed laws -- which the Senate recommended be passed in February -- followed its swift introduction by Attorney-General George Brandis in September, who said at the time that open data was a vital part of modern government, and claimed "privacy of citizens is of paramount importance" to the government.

Under the Australian Government Public Data Policy Statement [PDF], government entities are by default permitted to publish "appropriately anonymised" data.

Come May 2018, Australian organisations that hold information on citizens of the European Union will need to provide a high level of protection and explicitly know where every piece of data is stored, under the EU's General Data Protection Regulation (GDPR).

As the DGA has no legal power over an organisation, it would rely on the moral and ethical nature of the organisation to enforce the rules its code dictates.

In an effort to legislate around informing Australians of when their privacy has been breached, the federal government finally passed data breach notification laws at its third attempt in February that will see people be alerted of their data being inappropriately accessed come February 2018 under the Privacy Amendment (Notifiable Data Breaches) Act.

The legislation is restricted to incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm".

Notification laws apply only to companies covered by the Privacy Act, and sees intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties exempt from disclosing breaches.

Key to the DGA's proposed Code of Practice is the need to strictly adhere to such legislation; however, the organisation's CEO Jodie Sangster said the requirements of a business under the code extends beyond personal information, which is what is defined under the Privacy Act.

"Self-regulation is the right approach in the era of rapid transformation," she added. "Introducing laws and regulations run the risk of stifling innovation and creating a regime that is not flexible enough to respond to the rate of change."

DGA was launched in October last year, with its chair Graeme Samuel -- formerly the chairman of the Australian Competition and Consumer Commission -- heading the independent body tasked with establishing industry standards around data.

Aiming to cut down the often two-year time frame legislation tends to take when government gets involved, Samuel previously said that government should only step in to regulate where businesses have failed to do so themselves and that setting industry standards for the use, collection, and application of data is something that cannot be avoided much longer.

Joining Samuel on the DGA board is Thomas Dobson, head of marketing planning & performance at NAB; Leif Evensen, general manager business performance & analytics at Westpac; Adam Story, general manager at Flybuys, Loyalty & CRM Coles; Ingrid Maes, director loyalty & customer data at Woolworths; David Rohan, general manager of loyalty analytics for Qantas Loyalty; and Paul McCarney, co-founder and CEO of Sydney data startup, Data Republic.

The DGA's draft Code of Practice will be available for a month from Wednesday and the DGA is accepting feedback and submissions during that time.

Editorial standards