A bill that will make it a crime to re-identify ostensibly de-identified government datasets will include provisions for exceptions to be made for security research. However, it will be up to the responsible minister to set out what individual organisations or classes of organisations will be exempt, and what conditions will be imposed on them.
Attorney-General George Brandis today introduced the Privacy Amendment (Re-identification Offence) Bill 2016 in the Senate. Brandis last month announced that the government would move to make it a crime to re-identify datasets released by the government.
The government was motivated by a health department privacy bungle, in which the department released two datasets, elements of which Melbourne University researchers were able to re-identify.
Unlike the general provisions of the Privacy Act, the bill will apply to small businesses and individuals as well as larger organisations. The government has made the offences outlined in the bill retrospective, with the provisions having effect from 29 September — the date of Brandis’ announcement.
The bill makes it a crime to commit an act involving a dataset released by the government “with the intention of achieving the result that the information is no longer de-identified” that “has the result that the information is no longer de-identified”.
In addition the disclosure of re-identified personal information is criminalised, as long as the entity involved “is aware that the information is no longer de-identified” and discloses to an individual or organisation other than the agency responsible for the data.
There are a handful of exceptions, including for government bodies performing their lawful duties or obeying a court order, and for service providers meeting their obligations under a contract with the Commonwealth.
The offences carry criminal penalties of up to two years' prison and $21,600, and possible civil penalties of up to $108,000.
The bill would also compel organisations or individuals to notify the responsible agency if de-identified personal information is re-identified.
In the wake of Brandis’ announcement, particularly after the public disclosure of the results of the Melbourne University research, there was concern about a potential chilling effect on cyber security research.
The government has sought to assuage concerns by including exceptions for research in the bill. However, it will be up to the government to decide whether an organisation is exempt from the bill’s provisions.
The bill allows the responsible minister to determine “an entity, or an entity included in a class of entities, is an exempt entity” because they are engaging in research involving cryptology, information security, data analysis or for “any other purpose that the Minister considers appropriate”.
The explanatory memorandum states: “The intention of this power is to provide a mechanism by which entities engaging in valuable research in areas such as testing the effectiveness of de-identification techniques, cryptology or information security (which may involve the re-identification of de-identified information) can be granted an exemption from sections 16D, 16E or 16F so that this legitimate research may continue.”
In addition, a determination by the minister may include conditions. “For example, a determination may provide that a particular entity is exempt from sections 16D and 16E in relation to acts done for the purposes of research involving cryptology, but only in relation to two specific datasets,” the explanatory memorandum states.
Determinations by the minister will not be subject to the usual disallowance measures of parliament “to provide certainty about the application of the law and to provide commercial certainty to entities”.