The Western Australian Parliament has been asked to consider changes to a signature public sector privacy and data sharing bill, amid criticisms that the proposed legislation delivers only “privacy lite” protections.
The amendments to the bill – brought by independent Legislative Council member Wilson Tucker – would bring it closer to the European Union’s General Data Protection Regulation.
The Privacy and Responsible Information Sharing (PRIS) bill is scheduled for debate on Tuesday, but given the government’s majority in the upper and lower houses, the progress of the amendments is unsure.
Mr Tucker told InnovationAus.com “this is the one shot for WA to get these laws right”, to ensure visibility and transparency regarding the government’s use of personal data.
Mr Tucker told the Parliament in August that the Privacy and Responsible Information Sharing (PRIS) Bill was not strong enough, calling it ‘Privacy Lite’ “with just a sprinkle of GDPR laws on top”, that included only “superficial similarities” to the “global standard and shining example of data privacy”.
He then told the Legislative Council in September that he was concerned the bill is too heavily in favour of “enabling the public sector to basically do what it wants with our information” but light on giving Western Australians “rights and a sense of ownership back”.
Mr Tucker argued there was “potentially a holy ground on which we could fulfil both” and is pushing a series of five amendments developed with the support of Australian privacy experts to align the bill with the GDPR.
If accepted by the government, the amendments would give Western Australians the right to request all personal information that isn’t required by the government to be deleted, the ability to opt-out of automated decision making, and have visibility of how long a government agency holds personal data.
The amendments would also enable people to make a single request to government for all instances of personal information shared between public sector departments – avoiding the need for many agency specific requests – and to request information in writing or orally, increasing accessibility for non-native English speakers.
Innovation and the Digital Economy minister Stephen Dawson, however, rejected Mr Tucker’s claim that information sharing had been emphasised over privacy in the bill, arguing that each has common transparency and accountability objectives for government data handling.
“The PRIS legislation will enable arrangements for privacy and information sharing to be harmonised in a way that has been difficult to achieve in other jurisdictions,” Mr Dawson said in September.
Western Australia and South Australia are the only states or territories without privacy legislation covering public sector data use, as the Commonwealth’s Privacy Act only applies to the private sector.
Amid this legislative gap, the Western Australian Police Force has made liberal use of personal data with plans to hold covid-era data until 2047 and its use of contact tracing information beyond its original purpose.
The PRIS bill introduces a mandatory data breach reporting scheme and 11 new information privacy principles for government agencies, ministers and parliamentary secretaries, and some government contractors.
Public entities will also be able to share data through information sharing agreements guided by five new responsible information sharing principles.
Initial consultation on a proposed legislative model for PRIS took place in mid-2019, although many of the privacy protections proposed by experts have been ignored in the bill.
Former New South Wales privacy commissioner Elizabeth Coombs, who is now an Affiliated Associate Professor at the University of Malta, says the unamended PRIS bill is “a missed opportunity for WA”.
“Given the state’s history for taking critical and independent perspectives it is surprising that the bill does not reflect more of this character – in both the bill’s provisions and the regulatory model,” Ms Coombs said.
Among the provisions missing are protections for whistleblowers and requiring public consultation when undertaking privacy impact assessments.
There is also limited reference to “older, longstanding principles such as data minimisation” – reducing the volume of data held.
University of Western Australia Tech and Policy Lab director and Associate Professor Julia Powles has previously accused the Labor government of “using their super-majority to railroad through the bill, despite glaring deficiencies that will have a lasting impact on all Western Australians”.
Despite its shortcomings, the bill would close a “massive loophole that exists in both Commonwealth and Victorian privacy protections” relating to de-identified data, according to ANU research school of computer science Associate Professor Vanessa Teague.
Professor Teague said private and public entities subject to the Commonwealth and Victorian privacy legislation can “strip the names off personal data, pretend they’ve ‘de-identified’ it and then act as if the Privacy Act doesn’t apply”.
“My reading is that that won’t work in WA, and I think that will be hugely beneficial for everyone,” Professor Teague said.
Given the government has also tabled its own minor amendment, the bill will need to pass through the lower house again before it is legislated.
When contacted for comment before parliament sat in October, a spokesperson for Mr Dawson said, “all proposed amendments will be given due consideration”.
“In accordance with due process the Cook Government is working hard to facilitate the passage of the PRIS and the Information Commissioner legislation through Parliament as fast as possible,” the spokesperson said.
It is being debated alongside the Information Commissioner Bill to establish an office for the role alongside an Information Access Deputy Commissioner and Privacy Deputy Commissioner.
Do you know more? Contact James Riley via Email.