Privacy watchdog to probe Oz gov's right to release personal info 'to correct the record'

The Office of the Australian Information Commissioner is investigating whether it's acceptable for an Australian government department to release personal data when seeking to correct the public record when clients recount their interactions with government agencies.

The office has told The Register it's “making inquiries with the Department of Human Services” after a Canberra Times article offered a rebuttal to a blogger's account of her interactions with payments agency Centrelink.

The blogger joined many others critical of Centrelink's data-matching scheme. The Canberra Times article included information about her tax returns, Centrelink claim history, and relationship status.

In response to a request from The Register yesterday, the Information Comissioner's e-mail continued: “Government agencies are entrusted with a significant amount of personal information. This information must be handled in accordance with the Australian Privacy Principles.

“An agency may only disclose an individual’s personal information in a limited range of circumstances.”

The Department of Human Services, which disclosed the information to The Canberra Times, has told The Register it believes “correcting the record” is one of the circumstances in which disclosure is justified.

“Personal information obtained about a welfare recipient may be used by the department for social security law or family assistance law purposes (refer to Section 202 of the Social Security (Administration) Act 1999 and Section 162 of the A New Tax System (Family Assistance) Administration Act 1999)”, the department stated.

“This allows the department to correct the record in cases where a person makes a public statement or complaint about the department’s handling of their welfare payments that does not accord with our records, including via the media.

“As such disclosures are made for the purposes of the social security law or the family assistance law, they do not need to be formally authorised by the Secretary.

“Unfounded allegations unnecessarily undermine confidence and takes staff effort away from dealing with other claims. We will continue to correct the record on such occasions.”

The minister responsible for the department seems to endorse the article:

Fairfax acknowledges that Andie Fox did have debt despite publishing her article that Centrelink "terrorised" her. https://t.co/nmacxmIKtc

— Alan Tudge (@AlanTudgeMP) February 25, 2017

We screen-captured the Tweet in case it crosses the government PR event horizon:

Anna Johnston, a privacy expert with consultancy Salinger Privacy, is not convinced government departments have an absolute right to make such disclosures. Speaking to The Register, she explained that while the Privacy Act is subordinate to other legislation in terms of what a department may release, that release is subject to a public interest test.

“I think it is highly arguable as to where the public interest lies. In my view, regardless of whether or not the law maybe allows – it's a very strong 'maybe' – allows the disclosure in these circumstances, the bigger issue is whether [the Department of Human Services] should have disclosed it.

“There's a broader public interest in maintaining public confidence in their own institution.”

In briefing The Canberra Times, Johnston said, “unfortunately I think they've undermined every promise Centrelink has made about how they value privacy.”

Steve Wilson, privacy activist and consultant at Lockstep, agrees.

“If you're an information custodian, you make a pretty solemn promise not to abuse information in your store. It's pretty explicit that if you give information to Centrelink, it's so they deliver services to you.”

“Privacy has a lot to do with self-determination, and that goes to matters of power asymmetry,” Wilson added. “One of the biggest issues online is that individuals are relatively powerless to control what happens to their data, once it falls into the hands of government or business.

“If the government is throwing its weight around to keep us all cautious, that's very worrying.”

Said Johnston: “In my view, regardless of whether or not the law maybe – it's a strong 'maybe' – allows the disclosure in these circumstances, the bigger issue is whether they should have.”

Broader impacts

Such initiatives as the Australian Bureau of Statistics' plan to retain names for longitudinal research release (de-identified and don't you dare test the strength of the algorithm), the release of Medicare data to Data.gov.au (which inspired Brandis' porridge-for-boffins law), its MyHealth Record, the data-matching at the heart of the Centrelink fiasco, and the Department of Social Services' priority investment initiatives – all rest on reams of personal data that needs protection.

Johnston is concerned that a too-broad interpretation of a department's (or a minister's) discretion to release private information will damage trust in such projects.

Government trust in public institutions has already been damaged by events like the 2016 “Census fail”, she said, and this decline will continue unless the government takes decisive action in favour of privacy.

“I would imagine that other parts of government looking to expand their big data initiatives, their open data initiatives, data matching, data linking – [public servants] should be shaking their heads in horror, because all those other projects rely on public, trust and public acceptance of promises the government makes about protecting client confidentiality.”

Whether it's someone trying to lead on e-health, electronic voting, data analytics or digital transformation, she said, “I would be appalled at how those big picture policy agendas will be set back because of these individual cases.” ®