Public Sector (Data Sharing) Bill

Second Reading

Adjourned debate on second reading.

(Continued from 22 September 2016.)

The Hon. A.L. McLACHLAN (16:50): I rise to speak to the Public Sector (Data Sharing) Bill 2016. The Liberal Party is supporting the second reading of the bill. This bill provides explicit authority for agencies to share their data. It also includes a framework for how it is envisaged that the sharing of data will occur.

When I first laid eyes on this bill, my mind recalled the novel The Circle by Dave Eggers about a young woman who joins a global internet company, which operates like a cult. She fails to meet the company's expectations when she does not share her experiences with everybody online. The company believes and reinforces the mantra, 'Privacy is theft, secrets are lies and sharing is caring.' I am surprised the Attorney-General did not adopt this catchy line when advancing this bill through the other place.

Probably a better metaphor was identified by the law academic Daniel Solove. He suggested that a better metaphor was Franz Kafka's The Trial, which depicts a bureaucracy that uses an individual's data to make important decisions about them, and at the same time does not allow them to participate in how the information is used. He identified this metaphor in an article discussing the sharing of data.

As Solove argues, data collection, processing and analysis has the potential to affect the power relationship between the citizen and the government. Personal information held by the bureaucracy and able to be shared is out of the individual's control. At the same time there may not be sufficient controls and discipline within the bureaucracy in handling and using the information. The individual becomes helpless and the state more powerful. The relationship between citizen and the state is irreparably altered.

When introducing the bill, the Attorney-General advised that the two key objectives of this bill were to promote the management and use of public sector data as a public resource to support good government policymaking, program management and service planning and delivery and as well, to remove the barriers that impede the sharing of data between agencies. The Attorney-General indicated at the committee stage, in the other place, that many government agencies are currently reluctant to share information. The ultimate aim, therefore, is to enable agencies to make the best use of their data assets and collaborate to improve the evidence base for developing policy and services. These are, on their face, noble aims.

There are many evangelists for data sharing, both within the government and without. It is argued that public services can then be more closely aligned with community need. It is understandable that the government wants to make more efficient use of the data they have collected in order to improve public services, but data sharing also has inherent and serious risks. Data may be misused or wrongfully disclosed. Sufficient safeguards must exist to ensure the protection of privacy. The threat to an individual's privacy has the potential to cause real harm, distress and damage to that person and their family.

We must not forget the horrible impact the operations of the Stasi had on the lives of East Germans. The scale of the manual record-keeping is a confronting reminder of what an unchecked government and its bureaucracy can eventually do to learn everything about everybody. I do not believe that any efficiency dividend (as the management consultants like to call it) would be worth such an intrusion of a person's privacy, so there must be a balance between the competing values of social benefit, for example efficiencies and improved services, and on the other scale, the invasion of privacy of the individual. The benefit must be proportional to the cost.

These risks are particularly poignant in South Australia, as we have no privacy regime in this state where these competing values are clearly articulated and balanced. In many ways, it is comforting to hear from the Attorney-General that government departments are reluctant to share information. This demonstrates an inherent respect by the bureaucracy for the privacy of the individual. The data collected for a particular person is not passed on to others without the individual's consent.

I feel when reading the clauses of this bill that the government bureaucracy has been placed at the centre of all the justifications for this legislation. The right of the individual appears to come a poor second. For those of us who have some experience in business, this is unusual. Business success comes from being customer-centric, not internally focused. Governments do need to work smarter and better and data is important to enable this, but we also need to ensure that there is accountability for sharing data, appropriate security and respect for individual privacy.

This bill has been based on similar legislation that currently operates in New South Wales. What I find particularly disappointing is that the Attorney-General has attempted to sell this legislative initiative as part of the government's response to the Nyland royal commission's findings and recommendations. The Attorney-General introduced this bill under the guise of child protection reform, stating that this bill is critical in supporting the new child protection department.

Whilst provisions contained in the bill will hopefully fulfil that objective, it is clear that the bill was contemplated well before the royal commissioner Margaret Nyland handed down her final report and the recommendations to which the Attorney refers. In a letter from the Attorney-General to the member for Bragg in the other place, dated 19 September, the Attorney stated:

The bill is part of a broader 'Data for Public Value' reform that progressed a number of initiatives to overcome the barriers that agencies experience in sharing data with each other.

A subgroup of the 'Data for Change Working group' established by the Premier in late 2015 initiated this work.

The Attorney-General went on to write:

In preparing the original Data for Public Value reform proposal, including the proposal to draft data sharing legislation, discussions were had at ministerial level and with the Premier's Data for Change working group and officers across key departments to canvass support for reform of government data sharing and identify any initial concerns.

Agencies feedback confirmed that the current environment is difficult to navigate and that they are keen to see a consistent, transparent, whole of government framework that facilitates appropriate data sharing.

The letter then went on to set out the policy basis for the bill and the consultation that occurred, as well as major differences between the bill and the New South Wales legislation.

The failure to protect our children over the past 14 years is a stain on this government and its ministers. While this bill does support the implementation of various recommendations of commissioner Nyland, both in terms of sharing data between agencies and enabling such data to be analysed, to dress up this bill as a cogent response to the government's failure on child protection is pure arrogance and gives us cause to suspect that the government's responses to the royal commission are more to do with political survival.

The need to share data to protect children cannot be questioned. The balance between an individual's privacy and the safety of the child is clear: the safety of the child comes first. This bill goes further and has a broader effect. The government clearly contemplated legislation of this nature well before commissioner Nyland's recommendations were handed down.

I turn now to the provisions of the bill before the chamber. The bill provides the authority and safeguards for the exchange of information by two methods. It enables voluntary data sharing between public sector agencies and provides that the Minister for the Public Sector may direct a public sector agency to provide data that it controls to another public sector agency. This can be on the minister's own initiative or where the agency is unsuccessful in pursuing the voluntary arrangement directly with another agency.

The bill sets out the objects of the act to be the following: to promote, in accordance with the trusted access principles and the data sharing safeguards, the management and use of public sector data as a public resource that supports good government policymaking, program management and service planning and delivery; to remove barriers that impede the sharing of public sector data between public sector agencies; to facilitate the expeditious sharing of public sector data between public sector agencies; and to provide protections in connection with public sector data sharing. It then lists a range of methods, albeit in very vague terms, as to how it is envisaged that these protections will be achieved.

I note that the bill also allows entities other than a government agency to be added or removed by regulation. The bill establishes an office for data analytics (ODA). It also grants the minister a power to enter data sharing agreements with other agencies, including councils or persons whom he prescribes. This is necessary in order to capture non-government organisations that are involved in child protection.

The legislation will override the legislative or policy barriers that would currently prevent data sharing within government. The bill bestows on the minister an extremely broad delegation power to delegate any of the powers under the act. It also allows certain information to be excluded by regulation. The bill also lists a set of data sharing safeguards and trusted access principles, with the ability to add to these by regulation. These include safe projects, safe people, safe data, safe settings and safe outputs.

Safe projects sets out the factors that must be considered when determining whether it is appropriate to share data in the first place; safe people sets out the requirements when assessing whether a proposed data recipient is an appropriate public sector agency with whom data is to be shared; safe data sets out what to consider when assessing whether the type of data is appropriate to be shared; safe settings sets out the factors to consider when assessing whether the environment in which data will be stored is appropriate; and safe output sets out the considerations for assessing whether publication or other disclosure of the results of data analysis is appropriate.

The bill then provides a range of data sharing safeguards. They lack detail and clarity, and are not as one might expect to see in a bill of this nature. They include the following:

that the recipient of data must ensure that confidential or commercially sensitive information is dealt with in a way that complies with any contractual or equitable obligations of the data provider;

data providers and recipients must ensure public sector data is maintained and managed in compliance with any legal requirements concerning its custody and control;

if a data recipient arranges for data analysis to be conducted on public sector data, they must ensure appropriate contractual arrangements are in place to ensure the data is dealt with in compliance with the requirements of the act and the State Records Act;

I note that the bill also provides that the legal requirements under the Freedom of Information Act continue to apply. This means that agencies or persons cannot make freedom of information applications to the agency that receives the data; they would have to apply to the agency that initially held the data; and

the bill states that any breaches may be dealt with by way of disciplinary action. I question whether this is a sufficient sanction, and therefore an incentive for the Public Service to ensure compliance.

The traditional view of privacy is that it is an individual right based on the premise of individualism. The right of privacy recognises the sovereignty of the individual. The law academic Daniel Solove argues that the value of protecting the individual should be seen as a social one. In other words, privacy is protected to ensure a healthy society that is civil, with appropriate norms of behaviour. Allowing individuals to be free from intrusiveness is a positive force in the community. If society ends up not supporting privacy it risks losing the development of individual identity, as forewarned by Eggers' in The Circle.

The provisions of this bill, once enacted, have the potential to empower government and its bureaucracy to deprive individuals of their privacy and, in doing so, diminish their lives and undermine their communities. The government must make the case that there will be respect for the privacy of the individual, and that sufficient safeguards will be in place.

Given the repeated stories of hacking of government information, I do not believe we should be confident that our citizens' data will be safe. This bill will allow the spread of our people's data to a wider audience, and heighten the risk of unauthorised disclosure and abuse. This bill, in the name of seeking to improve government services, may, when enacted, be the first step in irrevocably changing the dynamic between the state and the citizens it purports to serve.

The Liberal Party will support the second reading. I anticipate that I will have questions for the government at the committee stage.

The Hon. T.A. FRANKS (17:04): I rise on behalf of the Greens to speak to the Public Sector (Data Sharing) Bill 2016, as introduced by the Attorney-General in the other place on 4 August 2016. The Greens support data-led decision-making and evidence-based policy. We believe that statistics and data analysis provide a sound platform to improve policy outcomes for our state.

As the ABS website explains, statistics aid the decision-making processes by enabling policymakers to establish numerical benchmarks, and monitor and evaluate the progress of policies. This is critical in ensuring that policies meet initial aims and identify areas which require improvement. Statistics and data analysis are necessary and can improve policy outcomes.

This bill seeks to enable the sharing of government data between government agencies in two ways: the first is the voluntary data sharing method where an agency can approach another agency with their data request or an agency can proactively identify the value in sharing data that it controls with another agency; the second is data sharing via the minister's input where the Minister for the Public Sector can direct a public sector agency to provide data that it controls to another public sector agency. This can be done on the minister's own initiative or perhaps where an agency is unsuccessful in pursuing a voluntary arrangement directly with another agency and therefore seeks the minister's input.

There are a number of provisions in this bill that seek to protect data held within government agencies. For example, the trusted access principles that have been embedded within the bill that reflect international best practice and are employed by the ABS for accessing safe and appropriate sharing of data. At first glance, this seems like a simple piece of legislation enabling data sharing between government agencies and possibly other partners such as the local government sector, the NGO sector or, indeed, the commonwealth.

Essentially, the bill seeks to share data for the purpose of policy improvement outcomes and possibly child protection. Exactly how this relates directly to the child protection aim is unclear from the debate in the other place. I note that the recommendation of the Nyland royal commission No.242 states that the Children's Protection Act be amended:

(a) to permit and, in appropriate cases, require the sharing of information between prescribed government and non-government agencies that have responsibility for the health, safety or wellbeing of children where it would promote those issues…

This bill however is based on the New South Wales Data Sharing (Government Sector) Act 2015. The Data Analytic Centre which resides in the Department of Finance, Services and Innovation is a centre for the collection of data and expertise and the analysis of that data. My office has been informed by the New South Wales Data Analytic Centre that it operates on a budget of some $17 million over four years with $6 million allocated to its 2015-16 budget and $2 million allocated for staff salaries.

The centre employs roughly 12 full-time employees and the centre hopes to employ 20 full-time employees in the future with student placements being made available also. The head of that centre is Dr Ian Oppermann, Chief Data Scientist. Dr Oppermann was the founding director of the CSIRO's digital productivity and services flagship, director of the CSIRO's ICT Centre, the unit which is responsible for addressing major scientific challenges in wireless communications, robotics, information theory, environmental sensing and e-health. The responsibilities of that Data Analytic Centre involve the following:

deliver priority analytics projects using whole-of-government data in a secure environment;

advise on New South Wales government challenges and potential solutions using data analytics;

manage a secure environment for data sharing;

establish and maintain a register of data assets;

coordinate consistent data management definitions and standards;

advise on making de-identified data open to the public; and

advise on best practice data analytic cyber security and privacy measures.

They also publish quarterly reports to the New South Wales parliament, and the Greens are supportive of this form of data analytics and encourage, as I have said, evidence-based government policies.

We must look across the border to see how public data sharing is done properly. It requires resources. As we know, this bill has zero resources. It seems to be putting the cart before the horse. In New South Wales the priority is data and its security rather than claiming that the simple act of sharing data is somehow a tool in protecting the children of our state. I understand that the minister has claimed that this bill is a direct result of recommendation No. 242 that I read before, and I read again now. Again, I say it would amend the Children's Protection Act 1993:

(a) to permit and, in appropriate cases, require the sharing of information between prescribed government and non-government agencies that have responsibilities for the health, safety or wellbeing of children where it would promote those issues;

(b) to require prescribed government and non-government agencies to take reasonable steps to coordinate decision-making and the delivery of services for children.

I seek clarification from the government on the following points. Firstly, could the government confirm that the data storage, sharing and analysis will be related to child protection data? If so, what exactly is the sort of data that the government envisages will be shared under the proposed legislation? The minister in the other place during the debate made some seemingly contradictory statements. The minister stated that the bill is a result of the commissioner's recommendations, but he also stated that it is based on the New South Wales Data Sharing (Government Sector) Act 2015. Of course, as we know, that New South Wales bill has nothing to do with child protection.

It is perplexing to read the minister's second reading contribution where he mentions the use of different database management systems across the South Australian government departments. It is our advice, and it certainly seems to carry weight, that it does not matter what sort of database management systems are used by an agency. What matters is how that data is extracted and provided to a data analytics specialist. In today's day and age, we have modern data analytic tools able to decrypt, decode and provide data for analysis and reporting regardless of that database management system's origin.

The minister was also unable to explain in the other place what the budget estimation will be to set up an office of data analytics for South Australia, and indeed which department that office would reside within. For example, will the office of data analytics reside within the Department of the Premier and Cabinet or the Department of State Development or Treasury and Finance or within DCSI, or is it another department altogether? This is worrying because we are being asked here to support a bill without any estimated costs or details about which department will be responsible. It is important to know which department the office of data analytics will reside in so that its priorities will be made clearer, not just to this parliament but to the people of South Australia.

I and my office have been informed in requests for information that the cabinet will make these decisions. The Greens are not comfortable with the cabinet making a decision about a department allocation and a budget after the bill has passed rather than prior to the bill passing. The minister indicated that the commonwealth may provide some financial assistance for setting up an office of data analytics in our state.

I would like to know if the government can provide further information on whether conversations and agreements have been reached on this area and update this council on what matters have been discussed with any ministers of the commonwealth, including social services minister Porter, who was referred to as perhaps being interested in information about young carers or carers in general while there is a specific question there as to whether that conversation about data analytics on carers has been progressed.

What have been the conversations with the commonwealth about this piece of legislation? Has the commonwealth indicated that there is any interest in particular areas of information being made available to it in exchange for funding this office? I also seek to be illuminated and educated in this place about what data has been sought from the Department of Social Services in relation to child protection specifically in our state.

I ask further what is the estimated budget allocation in terms of an amount that perhaps is the minimum? Is there a base amount that the state government believes it could enact this piece of legislation for? Is there an amount that is the optimum amount? If the commonwealth does not stump up the money, will the state government be finding those moneys by the Mid-Year Budget Review? What source and what department will those moneys be drawn from and reside in?

If the government could provide the priorities of the data proposed to be shared between government agencies and also, given there have been incidents at Adelaide hospitals where administrative staff have accessed unauthorised files, what guarantee is there, by this government, that a similar breach will not occur under this bill? If unauthorised files are accessed by staff, what consequences will they be likely to face if they are a casual or permanent employee and are those consequences different?

What kind of disciplinary action does the government believe would be an adequate response to set a deterrence for breaching the Public Sector Act 2009 and the professional conduct standards in the Code of Ethics for the South Australian Public Sector? If the government has had any conversations with the commonwealth about those priorities, which perhaps are on the table in order to secure commonwealth funding for this project, it is time to put that information into the public realm.

This is certainly a milestone piece of legislation. This state does not have the same privacy protections that New South Wales does. This bill does not provide the appropriate financial resourcing, let alone the legislative protections, to make this happen. It is being done on a hope and a prayer that the commonwealth will come to the party to fund it, so is the commonwealth asking for something in exchange? We would like to have that question answered. If that is not the case, and if the commonwealth is, in fact, uninterested regardless of any trade of information, will the state be stumping up the money to ensure that this legislation is able to be put into effect?

With those few questions, I think there will be a robust committee stage of this debate. We will be supporting the second reading, but look forward to a very thorough committee debate.

The Hon. K.L. VINCENT (17:17): Firstly, can I start by thanking the Attorney-General for providing a briefing to my staff. Dignity for Disability continue to have a number of concerns with this bill, all of which I think have already been outlined by my parliamentary colleagues, the Hon. Mr McLachlan and the Hon. Ms Franks. They have outlined the purpose and some of the issues around this bill to a significant extent.

I do not want to reiterate those in any great detail, but I would like to echo that Dignity for Disability certainly share those same concerns about the Public Sector (Data Sharing) Bill 2016. Personally, as an MP who has been working with literally thousands of NDIS (National Disability Insurance Scheme) participants and families, particularly in the last three months, who have seen the NDIS rollout essentially come to a screaming halt due to the issues with data and IT, particularly around the Myplace portal when that portal collapsed, I certainly get very worried about government management of computer systems and data.

We have seen NDIS participant data, through the Siebel to Myplace portal migration, lost, scrambled, corrupted and transferred into other people's files. In other words, people were getting data that was in fact related to other participants completely other than themselves. So, people could certainly be forgiven for having a certain level of cynicism around government management of data.

No-one really knows why these particular issues did arise, but we do know, following a review that was done, that once those issues came to light the rollout of the data migration was pushed ahead with, despite the fact that this report shows there were multiple amber and then red flags that were showing. So, I think people could be forgiven for having a high level of cynicism around data at the moment, not to mention the census.

We certainly echo those concerns that have already been eloquently outlined by other colleagues, so I do not intend to go into those, but if there are answers that the government could provide to those questions that have been raised, we would deeply appreciate that, as that will assist us in knowing whether we should give support to this bill as it stands.

The Hon. J.A. DARLEY (17:19): This bill has two main objectives: to establish the office of data analytics and to facilitate the sharing of data between government agencies and other non-government agencies. I am wholeheartedly supportive of data sharing between government agencies for the purpose of improving service provision. The Premier has often spoken of the importance of the Public Service adopting a whole-of-government approach, and I believe that data sharing forms part of this. I have raised issues with both the Premier and ministers when I have been frustrated that a whole-of-government approach is not being taken. In fact, I have experienced cases where there is not even a whole-of-department approach, let alone a whole-of-government approach. I am supportive of anything that will improve and facilitate this.

However, I am not supportive of establishing an agency which, from what I can understand, is merely there to gather and analyse data for cabinet. The bill does not provide any details on who instructs the office for data analytics, what their objective is or the purpose of their information gathering. During a briefing on this bill, my office requested clarification on the role of the office for data analytics and was advised that the ODA was not there to facilitate data sharing between agencies, as agencies would be able to enter into data sharing agreements themselves.

We were advised that the ODA would receive instructions from cabinet to gather information based on the government of the day's priorities to assist with policy development. I would be very happy to hear from the minister on this, particularly if the minister could provide greater details on the mandate of the office for data analytics. I understand there are scant details on the ODA too. When questioned about the size of the ODA and its estimated budget, my office was advised that these issues remained undecided and would be determined once the bill was passed.

This sounds like pure and simple empire building to me and would not satisfy any cost-benefit analysis. We have a bill before us that wants us to legislate for a new office, but we do not know what it is there to do, where it will be placed, which agency or minister will host it, how big it will be and how much it will cost. Of late, the government has had a disturbing trend of asking the parliament to pass bills with little information on consequential operational matters. When questioned, the response is always, 'We will figure it out later and sort it out through regulation.' This is not good enough.

By categorising this bill as part of the child protection reforms, the government may play politics and accuse us of not taking child protection seriously. However, it has not been adequately explained how this bill, particularly the establishment of the office for data analytics, will assist in child protection. If the government provides further information on the matters I have raised, then my stance on this may change, but until that time I reserve my position on this bill.

Debated adjourned on motion of Hon. T.J. Stephens.