30 January 2019
13 min read
#Government, #Local Government, #Data & Privacy, #Technology, Media & Telecommunications, #Procurement, #Planning, Environment & Sustainability
Welcome to this edition of Queensland government bulletin - your essential legal reading!
In this special edition of our fortnightly publication, we take a magnifying glass to the issues and reforms that emerged over 2018 in key areas affecting government. We also cast forward to examine the expected major trends and developments for 2019.
Our Queensland government team will also be presenting at our upcoming Queensland government lawyers half day CPD intensive on Thursday 14 February 2019. You can view the program and register for the seminar by clicking here.
Summer Government Bulletin index:
By general counsel Lyn Nicholson
2018 was a monumental year for data privacy and protection - globally and in New South Wales.
On a global scale, the introduction of the EU General Data Protection Regulation (GDPR), the Facebook-Cambridge Analytica data scandal, and Equifax’s record £500,000 fine (and US$287,000,000 remediation costs) for a 2017 security breach has brought data privacy and protection to the forefront of both government and business considerations.
On a local scale, data privacy and protection continues to make headlines.
In this article, we recap the big events (and breaches) that have shaped the data and privacy landscape in NSW this year, stemming from the overreach of data using technology.
In March, a NSW resident successfully challenged Transport for NSW’s collection of personal data through the Opal card ticketing system. The complainant argued against the mandatory registration of pensioner and concession Opal cards, which tracked the public transport movements of an identifiable user. The NSW Civil and Administrative Tribunal ruled in favour of the complainant, finding that there was little basis for the collection of the travel information for the stated purpose of enforcement of entitlement to the concession/pensioner travel card. However, the Tribunal has since overturned the decision, allowing an appeal by Transport for NSW in August.
In August, more than 1,000 confidential medical records were found in a derelict former aged care facility near Helensburgh. NSW Health responded to the data breach by stating that the building had been illegally accessed. Photos from the aged care facility indicate that the site had been illegally accessed since 2015, meaning that NSW Health had failed to take action to secure the records for up to three years. The NSW Government announced an audit of the archived medical records and apologised to the families of those whose records had been exposed to the breach. Following the findings from the audit by NSW Health, the incident may constitute a breach of the Health Records and Information Privacy Act 2002 (NSW) and Health Privacy Principle 5, which requires an organisation holding health information to protect against unauthorised access, use and misuse.
At the other end of the spectrum, moving from privacy, the NSW Government’s push towards open data continues with ongoing releases of data by Government agencies and continued investment and co-operation by NSW Government agencies responsible for open data including the NSW Information and Privacy Commissioner who, during May, launched a number of online learning resources to further assist the open data process in NSW. At the time of writing, it appears that NSW open data has been successful in the period that it has been running and unlike a range of media reports that have plagued Federal Government agencies misuse of data, it seems that the NSW move towards open data is continuing and continuing to succeed.
Further, the implementation of the EU’s GDPR in May of this year has had a trickle-down effect on the privacy and data considerations of NSW businesses and public sector agencies. The GDPR has extraterritorial reach, applying to all organisations that handle the personal information of EU residents. If a NSW business or government agency has an establishment in the EU, or offers goods or services, or monitors the behaviour of individuals in the EU, it will now need to comply with GDPR requirements. This includes the implementation of measures that ensure compliance with a prescribed set of privacy principles, with the aim of promoting the transparent handling of personal information. So ubiquitous has the GDPR become that the IPC has provided guidance for NSW agencies on the topic on its website.
By partner Angela Flannery
The Productivity Commission (PC) released the report from its inquiry into public and private sector data in May 2017. As part of its response to that report, the Australian Government announced in May 2018 that it would create a National Data Commissioner to oversee a new data access framework and pass new legislation to remove red tape inhibiting access to data for research and growth (while at the same time ensuring that privacy and data security are protected). This article looks at the current status of those initiatives and the implications for governments generally from sharing a wide range of public data sets.
Productivity Commission recommendations
In its May 2017 report, the PC argued that fundamental change is needed, noting the current regulatory frameworks governing data availability and use, based as they are on risk aversion and avoidance, are not appropriate and inhibit Australian governments, businesses and not-for-profits from taking advantage of the benefits that would arise from greater exploitation of data.
Amongst other recommendations, the PC proposed a new Data Sharing and Release Act. Under the proposed legislative framework for data sharing and release, a National Data Custodian would have overall responsibility for the implementation of data management policy in consultation with all levels of government. The Custodian would accredit the processes and capabilities of Accredited Release Authorities. Those Authorities were intended to be sectoral hubs of expertise and would be tasked with taking steps to ensure that as many datasets as possible were made available either to trusted users or more widely, where appropriate risk mitigations were in place. Trusted users would be third parties (from both the public and private sectors) with appropriate governance structures and processes in place to address risks associated with data use or release.
Under this proposed framework, all Australian governments would release non-sensitive publicly funded datasets and, on completion of risk assessments, release other more sensitive datasets (either generally or to trusted users). The PC also recommended that “National Interest Datasets” of particularly important public sector data should be designated. For those National Interest Datasets, new access and use arrangements would apply to the exclusion of any existing regulatory regime (whether at a Commonwealth or State/Territory level).
Government’s response
On 1 May 2018, the Australian Government announced that it would partially implement the PC’s recommendations and would:
National Data Commissioner
An interim National Data Commissioner has been appointed and has been consulting on the proposed draft data legislation, as discussed further below. Information has also been released on the National Data Advisory Council, with the publication of the draft terms of reference. The Council is intended to comprise up to 10 members, including the Commissioner. It is proposed that its first task would be to advise on the development of the draft legislation.
Consultation on draft legislation
The Australian Government released a consultation paper on the proposed Data Sharing and Release Bill in mid 2018. The Bill is proposed to apply to data collected by all Commonwealth entities and Commonwealth companies, with exceptions for national security/law enforcement and contractual arrangements for purchased data sets. At a very high level, the Bill is to deal with the following matters:
The data safeguards should be able to be flexibly applied, depending on the relevant data, and would be based on the “Five-Safes” disclosure risk management framework, that is:
The following accredited bodies would be put in place:
The draft legislation is not expected to be introduced to Parliament before the next Federal election and therefore there is some doubt as to the timing for its implementation and whether changes may be made based on feedback from the consultation process and also potentially a different approach adopted by a future Government.
Implications
Data is not only important for government policy and decision making but has the potential to unlock many productivity benefits across the Australian economy more broadly.
The fact that the Australian Government is now proposing a new comprehensive regime does not mean that Australian governments do not currently make public data available. For example, data.gov.au provides public access to many thousands of anonymised public data sets published by federal, State, Territory and local governments. There is also legislation at a State level that provides for data sharing, for example, in New South Wales, the Data Sharing (Government Sector) Act 2015 facilitates data sharing between the Data Analytics Centre and other government agencies. South Australia has in place the Public Sector (Data Sharing) Act 2016 and Victoria has the Victorian Data Sharing Act 2017. But these existing data sharing arrangements are not as extensive as they could be.
As noted in the PC’s report, and the consultation paper on the proposed new legislation, there have been many reasons why governments have not in the past provided greater access to the valuable data that they hold. Risk aversion (particularly in relation to data that relates to individuals) and significant amounts of regulation (not all of which is entirely consistent) are the main barriers. A lack of a consistent approach has also been cited as a factor.
The Australian Government’s new regime is intended to address these issues. As such, if the proposed framework is implemented, it could assist in ensuring that significantly more data sets are available both across the public sector and for private sector use. The regime could be extended in due course, with the co-operation of State and Territory governments, to assist in greater use of the valuable data sets that are held across all levels of government.
However, feedback on the proposed framework has not been uniformly positive. For example, there has been particular concern expressed as to how the framework will interact with other existing regulation, particularly the Privacy Act 1988 (Cth). There is also concern as to what remedies will be available where data is misused and how compliance will be able to be enforced. These, and other issues raised by stakeholders, are important issues for consideration and should be addressed in the draft legislation to ensure the new framework achieves its ambitious aims.
By partner Scott Alden & Victoria Gordon
Two significant developments in procurement in 2018 will have huge impacts for the procurement space this year.
Last year, we saw the enactment of both Commonwealth and NSW state modern slavery legislation in Australia, reflecting a growing awareness for the need to address modern slavery both domestically and internationally.
The Modern Slavery Act 2018 (Cth) (the Modern Slavery Act) passed both houses of parliament late last year and was assented to on 10 December 2018. The key operative provisions of the Modern Slavery Act will commence on a date to be fixed by proclamation (yet to be stated) or six months from the assent date if no proclamation date is fixed earlier.
The Modern Slavery Act will require entities in Australia that have an annual consolidated revenue of more than $100 million to report annually on the risks of modern slavery in their operations and supply chains, and describe their actions to address those risks.
NSW also introduced similar legislation in June 2018 to combat this issue, although there are some interesting differences between the two regimes which we expect to see further fleshed out this year.
The other significant change in procurement in 2018 which will have significant impacts this year is the passing of the Government Procurement (Judicial Review) Act 2018 (Cth) (Government Procurement Act) which will provide suppliers with a statutory platform to challenge a government procurement process in the Federal Court of Australia or Federal Circuit Court of Australia for a breach of the Commonwealth Procurement Rules. Similar to the Modern Slavery Act, the Government Procurement Act will commence on a date to be fixed by proclamation (yet to be stated) or six months from the assent date (19 October 2018) if no proclamation date is fixed earlier.
This is the first time in Australia that tenderers will have a statutory avenue to challenge government procurement; no longer having to rely on existing remedies for breach of process contract, misleading and deceptive conduct or judicial review under administrative law.
As well as these significant legislative changes there is also increased pressure on business and government to conduct procurement using sustainable processes, especially since the world’s first International Standard for sustainable procurement - ISO 20400 - was published in late 2017.
Looking forward in 2019, both public and private organisations must now be more acutely aware of the consequences of choices they make regarding what to buy, how to buy it and who to buy it from.
Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.
