Professor John McMillan AOAustralian Information Commissioner

Balancing open access and privacy protection

Protecting information rights – advancing information policy

Balancing Open Access and Privacy Protection

John McMillanAustralian Information Commissioner

• FOI and access requests now more common, under a reformed Act that embodies a strong presumption of access

• Privacy Act strengthened to accord greater importance to privacy protection

• Heightened pressure on agencies to share and proactively release data sets of economic and social value

• Technology posing new threats to privacy security• OAIC role in striking a balance between those competing

pressures

Access and privacy – a changing context

Access and privacy – a changing context

• Balancing access and privacy under the FOI Act – 79.5% of 24,944 requests in 2012/13 were personal information requests– Personal privacy exemption applied in 20.6% of cases– Third party objections to release – 24 of 483 IC review applications

• The personal privacy exemption (s 47F): whether disclosure of ‘personal information’ would be ‘unreasonable’ and ‘contrary to the public interest’– ‘personal information’: any information that reasonably identifies a natural

person

• Straightforward application of s 47F - eg, information about benefit payments to third parties, detainees, the identify of correspondents

Access to information upon requestAccess to information upon request

• IC review decisions rejecting an agency decision under s 47F• Complex issues arising in IC reviews

– Access to anonymised statistical data– Release of vocational assessment information of a successful APS applicant

• Other FOI situations in which an access/privacy balance must be struck– Facilitating informal administrative access– Publishing documents released under the FOI Act on agency Disclosure

Log– A developing (but dubious) agency practice of automatically deleting

routine work references to non-SES personnel

Access to information upon requestAccess to information upon request

• Pressures for adoption of an open data culture• Australian Government policy framework documents, eg

– Australian Public Service Big Data Strategy (2013) ‘Big Data Principles’: ‘Data sets that government holds are a national asset [that] should be used for public good’ and ‘should be available for community access and use’.

– OAIC, Open public sector information principles

• International trends, eg– G8 Open Data Charter: ‘The world is witnessing the growth of a global

movement facilitated by technology and social media and fuelled by information … Open data sits at the heart of this global movement.’

Proactive release and open dataProactive release and open data

q

• Proposals for improved Australian Government practice– National Commission of Audit Recommendation 61: Data - There is

untapped potential to use anonymised data and new data analytic techniques to improve the efficiency and effectiveness of government. [Government should] rapidly improve the use of data in policy development, service delivery and fraud reduction by … extending and accelerating the publication of anonymised administrative data …

– Productivity Commission Annual Report, ‘Australia lacks a culture of information sharing and proactive data release. …[T]he main barriers … are: protection of privacy; the resources needed to ensure that data are of sufficient quality for policy evaluation; and concerns by governments about unfavourable findings on policy effectiveness.’

Proactive release and open dataProactive release and open data

• Pressures for stronger privacy protection• New Australian Privacy Principles, and stronger

enforcement powers conferred on OAIC• Increase internationally in damaging data breaches• Heightened community concern about privacy

protection• Greater complexity of anonymising ‘big data’

Proactive release and open dataProactive release and open data

Ex• Striking a balance between open data and privacy protection –

accustomed strategies• Applying the APPs• Privacy by design• Privacy impact assessment• Information security measures• Data breach notification• De-identification of personal information

Proactive release and open dataProactive release and open data

Key FOI changes

• Will a new approach be needed? See US Report by President’s Council of Advisers on Science and Technology, Big Data and Privacy: A Technological Perspective– Understanding the implications of big data, and the difficulty of predicting

whether non-obvious information will later raise a privacy issue– Developing different privacy strategies for different information categories,

eg, ‘born analog’, ‘born digital’, ‘data fusion’– Develop more advanced technology building blocks (eg, encryption,

auditable controls, cybersecurity), and place less reliance on accustomed methods (eg, de-identification)

– Shift emphasis from notice and consent to the responsibility of data holders and users

Proactive release and open dataProactive release and open data

Protecting information rights – advancing information policy

www.oaic.gov.au

Questions?