In a swift follow up to an announcement on September 28, 2016 by the Commonwealth Attorney-General, a bill has been introduced into the Senate to amend the Privacy Act 1988 (Cth) (Privacy Act) to introduce prohibitions on the re-identification of de-identified government information. A copy of the Privacy Amendment (Re-Identification Offence) Bill 2016 (Cth) (Re-identification Bill) is available here, along with a copy of the explanatory memorandum.
The Re-identification Bill prohibits the re-identification or attempted re-identification of de-identified information released by, or on behalf of, Commonwealth Government agencies, as well as prohibiting the disclosure of any such re-identified personal information. If the Re-identification Bill is passed in its present form, re-identification of previously de-identified government information will be a criminal offence that can incur up to two years in prison or a fine of A$21,600. Alternatively, the same conduct can be the subject of a civil penalty of up to A$108,000 for individuals or up to A$540,000 for bodies corporate. The new offences in the Re-identification Bill will operate retrospectively from 29 September 2016 (the day after the initial announcement).
The Re-identification Bill also includes secondary obligations for entities which re-identify previously de-identified government information to notify the Commonwealth agency that originally released that information, and not to otherwise disclose that re-identified information, with civil penalties of up to A$36,000 for individuals and up to A$180,000 for body corporates applying for a breach of these obligations.
The Re-identification Bill includes exceptions for:
- a government agency acting in connection with the performance of the agency's function or activity or as required by law or court order;
- entities providing services to Commonwealth agencies for the purpose of meeting their contractual obligations to the agency that originally released the de-identified information;
- entities that enter into agreements with the Commonwealth agency that originally released the de-identified information to perform functions or activities on behalf of that agency, where the act is done in accordance with that agreement; and
- acts done in accordance with a ministerial exemption (which the relevant section contemplates could be used to cover cryptology or information security researchers).
What does this mean for you?
Any person or entity working with de-identified government information now needs to take extra care to ensure that this information is not re-identified, even inadvertently. Anyone undertaking cryptology or information security research relating to de-identified government data should consider whether to apply for a ministerial exemption to permit their activity, particularly if the de-identified personal information included in the government data being worked on has only been encrypted or masked in a way that could be decrypted or revealed in the course of research activities.
Prior to the announcement of the Re-identification Bill, there was some concern that it could impair legitimate security research, which now appears to be well-founded given the need for researchers to specifically apply for an exemption covering their activities. We will continue to monitor the progress of the Re-identification Bill in this regard.
The timing of the Commonwealth Government's other major proposed privacy reform, the introduction of a mandatary data breach notification scheme, is still unclear at this time. As mentioned in our previous legal update, the bill for the introduction of such a scheme is scheduled for introduction to and passage by the Commonwealth Parliament by December 1, 2016. As the introduction of the Re-Identification Bill shows, privacy reform remains high on the Government's legislative agenda.