The NSW Council for Civil Liberties (NSWCCL) welcomes the opportunity to make a submission to the Department of Customer Service in relation to the Review of the NSW Data Sharing (Government Sector) Act 2015.
NSWCCL considers that it is a misuse of information to use it for a purpose other than that for which it was obtained. All information whether personal or not should not be shared unless consent for that secondary or repurposed use has been obtained. Personal information should not be shared if the limitation for specific purpose cannot be guaranteed.
The Act should encompass provisions for independent assessment of the appropriateness of the purpose for which data is proposed to be shared and used. The assessment should have regard to its necessity, use, value to the public and whether there is a risk of loss, harm or other detriment to the community if the sharing and use of the data does not occur.
An assessment regime should be included in the Act to ascertain the appropriateness of:
a) the information to be shared, including whether it is appropriate to be shared at all, or
stay with the authoritative source,
b) the agency to receive the information, having regard to the whether the agency has the
appropriate skills and experience and will restrict data appropriately.
Personal information should be shared only in exceptional circumstances, in a safe and controlled manner and provided that it can be established that privacy interests should be outweighed.
If personal information is shared that information needs to be anonymised or deidentified according to a strict protocol which includes an assessment as to whether data may be reidentified.
The Act is inadequate in terms of its privacy safeguards. The Act should include necessary technical, operational and legal data governance and data management provisions.
To minimise the social implications of privacy violations and maintain accountability there should be auditing and reporting provisions in the Act. Those provisions should address, at the least, details of:
a) the nature of data being collected,
b) data destruction in accordance with agreed time limits,
c) compliance with consent provisions,
d) details of any complaints.
NSWCCL considers that there should be developed and included in the Act a set of transparent and consistent standards so that privacy is not circumvented during an emergency.
The definition of Government Sector Data is too broad and limitations on the type of data to be shared should be set out in the Act.
The number and type of agencies included in the definition of government Sector agencies is too broad. Data recipients should be assessed independently as to their appropriateness to receive the data.
NSWCCL considers that the Act relies too heavily on the PPIP Act which may be overridden by other statutes and has too many exemptions in its operation. NSWCCL strongly recommends a review of the PPIP Act.