34|The Gatherer

www.wrays.com.au

| 35

JUDITH MILLER

Principal

O

n 12 October 2016, the

Attorney General, George

Brandis, introduced

the Privacy Amendment (Re-

identification Offence) Bill 2016

into the Federal Senate. This

Bill introduces amendments to

the Privacy Act 1988 (Cth) to

improve protections of anonymised

datasets that are published by

the Commonwealth government.

The amendments would make it a

criminal offence to re-identify de-

identified government datasets. The

proposed changes would also make

it an offence to counsel, procure,

facilitate, or encourage anyone to do

this, and to publish or communicate

any re-identified dataset. The

changes, if passed, will apply

retrospectively from 29 September,

2016.

Senator Brandis acknowledged

that publication of major datasets

is an important part of 21st

century government and provides

a great benefit to the community.

According to the Attorney General,

the effective sharing and analysis

of data enables the government

to deliver better policies and

respond quickly and efficiently

to new challenges. In accepting

the benefits of open data and the

publication of collected datasets,

Senator Brandis also recognised

that the privacy of citizens was

of paramount importance. Data is

anonymised so that the individuals

who are the subject of the data

cannot be identified. The danger

today is that advances in technology

may enable the re-identification

of data that had been previously

de-identified. The data can then

be linked back to an individual with

significant consequences to privacy

and reputation.

The Privacy Commissioner’s

Outlook on the Bill

In his submission to the Senate

Legal and Constitutional Affair

Legislation Committee in relation

to the new Bill, the Australian

Information Commissioner, Timothy

Pilgrim, states that although the

introduction of new criminal offences

and civil penalties will provide a

deterrent against the intentional

re-identification of certain datasets,

it is unlikely to eliminate the privacy

risks associated with the publication

of de-identified datasets.

In addition, the Bill will not apply

to the acts and practices of many

organisations which are currently

exempt from the Privacy Act

including media organisations in the

course of journalism, political acts

and practices and the activities of

state and territory bodies including

many universities, not to mention

overseas entities who may have

access to the published datasets.

Accordingly, Government agencies

need to focus on implementing

best de-identification practices by

strengthening policies regarding

whether the de-identified

information should be published,

whether to restrict access to the

datasets and how to decrease the

risk of re-identification, and other

threats to privacy. Ultimately,

privacy capabilities for Government

agencies must be strengthened

across the entire information life-

cycle.

The Office of the Australian

Information Commissioner is

currently updating its guide to de-

identification of data and information

published at

www.oaic.gov.au

.

RE- IDENT I FYING

THE DE- IDENT I F I ED

- a new c r imi na l o f f ence

The proposed changes would also make it

an offence to counsel, procure, facilitate, or

encourage anyone to do this, and to publish

or communicate any re-identified dataset.

LAURA TATCHELL

Associate

MARK DUFFY

Formerly a Lawyer at Wrays