SERVICE PRIORITY REVIEW BACKGROUND PAPER

PRIVACY AND INFORMATION SHARING

This background paper was authored by the Service Priority Review secretariat in consultation with, and to inform the work of, the Service Priority Review Panel. Every effort has been taken to ensure accuracy, currency and reliability of the content. The paper is not intended to be a comprehensive overview of the subject nor does it represent the position of the Western Australian Government. Changes in circumstances after the time of publication may impact the quality of the information.

The following background papers are published in full on the Department of the Premier and Cabinet website: www.dpc.wa.gov.au

1. Agency capability reviews

2. Best practice regulation

3. Overview of the budget process

4. Counterproductive rules and processes

5. Digital transformation

6. Engaging with the community

7. Functional leadership

8. Government boards and committees

9. Government trading enterprises

10. Leader performance management and accountability

11. One sector workforce

12. Privacy and information sharing

13. Procurement of goods and services

14. Public sector employment framework

15. Role of the centre

16. Service design and delivery

17. Successful implementation of reform

18. Whole-of-government targets

1

SERVICE PRIORITY REVIEW - BACKGROUND PAPER

Privacy and information sharing

Information privacy and information sharing in Australia

Attitudes and approaches

The Productivity Commission has identified that in 2017, 68 per cent of Australians had a social media profile and 84 per cent were enrolled in at least one customer loyalty program. The commission pointed out an apparent paradox between the existence of privacy concerns on the one hand and individuals’ readiness to trade personal information for short-term benefit on the other1. Although the commission’s comments were made in the context of information given voluntarily to the private sector, it appears that a highly restrictive approach to personal privacy rights is inconsistent with current community expectations about how personal data will be treated.

Governments collect and hold sensitive data about people – including information about physical and mental health, criminal records and home addresses – that is ripe for misuse and must be protected from general disclosure. The amount of data collected by governments – and the sophistication of tools available to make sense of it to support policy decisions, create efficiencies and drive better community outcomes – are rapidly increasing. Legal and policy settings in all Australian jurisdictions are in a state of flux, reflecting the different rates at which governments are moving to harness opportunities presented by the changing environment.

Current status

Western Australia is significantly out of step with other jurisdictions. A lack of comprehensive privacy or data sharing legislation and a patchwork of specific requirements within particular statutory schemes cause a reliance on the common law. The result is that legal rules for data use are the most restrictive in Australia and government agencies are in a difficult position when asked how they can lawfully and fairly share the information they hold.

State Government stakeholders told the Panel that WA lags behind others in its use of data to inform policy development and outcomes measurement.2

This paper examines approaches to privacy and data sharing in other Australian jurisdictions, identifies issues particular to WA and suggests options for improvement.

1 Productivity Commission. 2017. Inquiry Report No. 82, Data Availability and Use. Australian Government. Canberra, Australia. p10. 2 Including: Duncan Ord; Commissioner for Children and Young People; Western Australia Council of Social Service, Kimberley Development Commission, Department of Treasury.

2

Privacy and data sharing

Privacy legislation was introduced into most Australian jurisdictions following the enactment of the Privacy Act 1988 (Cth). As Table 1 indicates, neither WA nor South Australia have ever had specific privacy legislation.

While privacy legislation is restrictive, in that it seeks to prevent the use of particular types of information, data sharing legislation is facilitative and can authorise government agencies to share data as a default position.

As at August 2017, only New South Wales and SA have enacted specific data sharing legislation. These four jurisdictions have implemented – or announced plans to soon implement – specific government data analytic units.

Table 1: Privacy and data sharing legislation in Australia

Privacy legislation Data sharing legislation CTH Privacy Act 1988 Nil

ACT Information Privacy Act 2014 Health Records (Privacy and Access) Act 1997 Nil

NSW Privacy and Personal Information Protection Act 1998 Health Records and Information Privacy Act 2002

Data Sharing (Government Sector) Act 2015

NT Information Act Nil QLD Information Privacy Act 2009 Nil

SA Nil Public Sector (Data Sharing) Act 2016

TAS Personal Information Protection Act 2004 Nil

VIC Information Privacy Act 2000 Privacy and Data Protection Act 2014 Nil

WA Nil Nil

Data linkage

Some jurisdictions undertake data linking, which is “a complex technique for connecting data records within and between data sets using demographic data”.3 Encryption and other devices are used to ensure confidentiality is maintained. WA has historically been recognised as a leader in the area of health data linkage.4

For the purposes of this paper, it is relevant to note that a 2016 report of the Data Linkage Expert Advisory Group identified the concerns of other jurisdictions about sharing datasets with WA for data linkage purposes because of its lack of privacy legislation. Similar issues have been encountered by State Government agencies seeking to participate in inter-jurisdictional projects that require information sharing.

3 Data Linkage Expert Advisory Group. 2016. A review of Western Australia’s data linkage capabilities. Government of Western Australia. Perth, Australia. p8. 4 Ibid. pp29-32.

3

Open data

Most jurisdictions also recognise a category of ‘open data’, which is information held by the government that can be shared or released publicly without privacy or other confidentiality concerns. Generally, this includes anonymised data that is not commercial in confidence, and each government licenses the data for use under creative commons arrangements. Most governments provide an online portal through which open data can be accessed. There is no need for a legislative framework supporting the release of this information.

Table 2: Open data arrangements in Australia

Open data policy statement Open data availability

CTH Australian Data Public Data Policy Statement5 www.data.gov.au ACT Proactive Release of Data (Open Data) Policy6, www.data.act.gov.au NSW NSW Government Open Data Policy7 www.data.nsw.gov.au

(includes SA, Qld, and Cth datasets) NT Nil Nil

(some datasets are available online) QLD Open Data Strategy 2017-20218 www.data.qld.gov.au SA Open Data Declaration9 www.data.sa.gov.au TAS Open Data Policy10 Nil VIC DataVic Access Policy11 www.data.vic.gov.au WA WA Whole of Government Open Data Policy12 www.data.wa.gov.au

Information privacy – Australian legislative framework

Specific privacy legislation

Each of the privacy Acts listed in Table 1 aims to protect a personal right to privacy by limiting the ways in which information about individuals can be used and managed by government. The right to privacy does not extend to corporations, although the law recognises categories of commercial information that are subject to confidentiality requirements.

The fundamental principle underlying privacy legislation is that government agencies are prohibited from using information for any purpose that is secondary to the purpose for which it was collected.

5 Department of the Prime Minister and Cabinet. 2015. Australian Government Public Data Policy Statement. Australian Government. Canberra, Australia. 6 Office of the Chief Digital Officer. 2015. Proactive Release of Data (Open Data) Policy, Version 2.0. ACT Government. Canberra, Australia. 7 Department of Finance, Services and Innovation. 2016. NSW Government Open Data Policy. New South Wales Government. https://www.finance.nsw.gov.au/ict/resources/nsw-government-open-data-policy [21 August 2017]. 8 Office of the Information Commissioner. Open Data Strategy 2017 – 2021. Queensland Government. [https://www.oic.qld.gov.au/publications/policies/open-data-strategy]. 21 August 2017. 9 Government of South Australia. 2013. Declaration of Open Data. Adelaide, Australia. 10 Office of eGovernment. 2016. Tasmanian Government Open Data Policy. Tasmanian Government. Hobart, Australia. 11 Department of Treasury and Finance. 2012. DataVic access policy – Intent and principles. Victorian Government. Melbourne, Australia. 12 Department of the Premier and Cabinet. 2015. Whole of Government Open Data Policy. Government of Western Australia. Perth, Australia.

4

Generally, Australian privacy legislation:

• Applies to all public sector, and some private sector, entities. For instance, Commonwealth privacy requirements apply to private sector and not-for-profit organisations with an annual turnover of more than $3 million, private health service providers and some small businesses. Privacy legislation in most States extends to private health service providers.

• Contains rules – generally expressed as a set of privacy principles – dealing with how entities covered by the legislation must use, manage, disclose and keep secure personal information (that is, information or opinions about an individual who is identified or easily identified) they hold.

• Contains more restrictive principles applying to particularly sensitive types of personal information. These categories vary across jurisdictions, but can include information relating to health, racial or ethnic origin, memberships of political and other associations, religious affiliation, sexual orientation, criminal record and biometrics.

• Gives individuals the right to access and correct records of their own personal information, and sets out a framework for making and resolving complaints about privacy breaches.

Generally, entities subject to privacy legislation are prevented from disclosing the personal information they hold unless the13:

• individual concerned has consented to the disclosure • disclosure is required or authorised under an applicable law • disclosure is related to the purpose for which the information was collected, and the

disclosing entity does not have any reason to think the individual concerned would object to it, or

• the individual concerned knows, or is likely to know, that it is usual for information of that kind to be disclosed, or

• the disclosing entity has a reasonable belief that disclosure is necessary to prevent or avoid a serious or imminent threat to life or health.

Each of the privacy Acts listed in Table 1 contains a research ‘exemption’. This is a special arrangement that allows for the use of personal and health information, without consent, for research purposes and subject to appropriate safeguards. For example, in New South Wales an agency is not required to comply with the privacy principles relating to the disclosure of personal information if certain criteria are met, including if:

• the disclosure is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest

• either: - reasonable steps are taken to anonymise the information, or - the research cannot be performed using anonymised information and it is

impracticable for the agency to seek the consent of the individual.

13 This list summarises situations in which information can be disclosed under the Commonwealth, NSW and Qld frameworks. It doesn’t accurately reflect the content of any specific statute.

5

Similarly-framed research exemptions can be found in privacy legislation in other Australian jurisdictions and overseas such as Canada, the United Kingdom and New Zealand.

Other legal frameworks affecting confidentiality of information

Specific confidentiality obligations apply to information gathered in some situations (for instance, between lawyers and clients, or health practitioners and patients). These requirements generally arise where there is a fiduciary relationship of some kind and may be reflected in professional regulatory schemes or directly in statute.

Privacy legislation only applies to the extent that it is not overridden by more specific statutes. Some individual statutes specify ways in which government entities can deal with particular types of information. For instance, the Data-matching Program (Assistance and Tax) Act 1990 (Cth) regulates how the Australian Taxation Office and other agencies, including the Department of Human Services, can use tax file numbers to compare personal information for compliance purposes.

Freedom of information legislation applying in all jurisdictions lists types of information that is exempt from disclosure which, at least by implication, imposes an extra layer of confidentiality on information in those categories.

Although South Australia does not have privacy legislation, SA Government agencies are required to comply with information privacy principles under an administrative instruction.14 The Privacy Committee of SA is established under that instruction to oversee the implementation of the privacy principles.

Data sharing – framework in Australia

Background

The Productivity Commission has identified that increased data sharing could improve individuals and entities’ interactions with government, improve systems efficiency and increase administrative efficiency.15 In light of the restrictive nature of privacy legislation, and the potential benefits to the Government and the community of sharing and analysing information, NSW and SA have introduced legislation to facilitate data sharing between government agencies. In October 2017 legislation16 was introduced into the Victorian Parliament. Queensland has indicated an intention to introduce such legislation.

14 Government of South Australia. 2016. Cabinet Administrative Instruction 1/89. Adelaide, Australia. 15 Productivity Commission. Inquiry Report No. 82, Data Availability and Use. p8. 16 The Victorian Data Sharing Bill 2017.

6

Data sharing legislation – NSW

The Data Sharing (Government Sector) Act 2015 (NSW) (the NSW Act) enables government agencies to share data with the data analytic centre (DAC) within the NSW Department of Finance, Services and Innovation, or other government agencies, to allow data analytics work to identify issues and solutions for policy making, program management, and service planning and delivery (NSW Act section 6). That section also allows regulations to prescribe other purposes for which data may be shared but, to date, none have been made. Government agencies are:

• authorised under section 6 to share data voluntarily with the DAC or other agencies, or • authorised and required to share data with the DAC or other agencies on receiving a

ministerial direction to do so under section 7 or section 8.

The DAC is, in turn, authorised to share the results of data analytics work with agencies.

The NSW Act allows data to be shared even though it is personal information, health information or commercial-in-confidence, but privacy or contractual restrictions continue to apply to any other use of the data. The Act also contains data custody and control safeguards that apply to government agencies and are required to be applied to third party providers carrying on data analytic work.

Data sharing legislation – South Australia

The Public Sector (Data Sharing) Act 2016 (SA) (the SA Act) generally mirrors the NSW Act in that it authorises public sector agencies to provide data either voluntarily, or on direction from the minister, to the Office of Data Analytics or other public sector agencies for the purpose of allowing data analytics work to be carried out on the data, or for other purposes prescribed by the regulations (section 8). The purposes of law enforcement and emergency planning and response are prescribed (r.7, Public Sector (Data Sharing) Regulations 2017).

The ‘trusted access principles’ set out in section 7 govern data sharing under the SA Act. These establish safeguards for the purposes for which, and the way in which, data is shared and with whom it is shared. The principles include a requirement (section 7(4)) to de-identify any personal information shared unless an exception applies.

Exceptions include instances where information is shared for criminal investigation or prosecution purposes; in connection with the welfare, wellbeing or protection of a child or

Table 3: Data sharing legislation and data analytics units in Australia

Data sharing statutes in Australia Responsible agency or unit

NSW Data Sharing (Government Sector) Act 2015

Data Analytics Centre within Department of Finance, Services and Innovation

SA Public Sector (Data Sharing) Act 2016 Office for Data Analytics within Department of Premier and Cabinet

VIC Developing legislation Victorian Centre for Data Insights QLD Developing legislation Data Sharing and Analytics Office

7

other vulnerable person; or where it is reasonably necessary to prevent or lessen a threat to life, health or safety of a person.

Under part 6 of the SA Act, the minister may enter into data sharing agreements with other Australian government entities, SA local governments or other entities prescribed by the regulations (none of which are currently prescribed).

Data sharing policy frameworks and administrative arrangements

While all jurisdictions without data sharing legislation attempt to address data sharing through policy, policies are necessarily subject to overriding privacy and confidentiality restrictions.

Queensland

A 2015 review by the Queensland Government chief information officer identifies inconsistent information management architecture, hard legal barriers, and misinterpretation and fear of privacy law as reasons for the absence of a cohesive direction for internal information sharing.17 More recently, the Queensland Government has signalled its intention to establish a data sharing and analytics office in the Department of Science, Information Technology and Information18 and to move towards data sharing legislation.19

Data sharing in Queensland is addressed by an Information Commissioner’s practice note under the Information Privacy Act 2009 (Qld)20, the content of which is limited to pointing out that that Act may prevent proposed information sharing, and that agencies should consider the purpose for, and document the process of, sharing information.

Victoria

In late 2016 Victoria established the Victorian Centre for Data Insights (VCDI) as a business unit within the Department of Premier and Cabinet, led by a chief data officer. The VCDI is developing data sharing legislation.21

Pending the development of that legislation, data sharing in Victoria is dealt with by guidelines issued by the Victorian Office of the Commissioner for Privacy and Data Protection. They set out general principles to facilitate data sharing between agencies, subject to privacy legislation.

17 Queensland Government Chief Information Officer. 2015. Information sharing – Lessons learnt report. Department of Science, Information Technology and Innovation, Queensland Government. Brisbane, Australia. 18 Cowan, P. 2017. Qld govt jumps on data analytics bandwagon. IT News. [https://www.itnews.com.au/news/qld-govt-jumps-on-data-analytics-bandwagon-449808] 21 August 2017. 19 Merrett, R. 2014. Qld govt talks cementing open data through legislation at G20 ICT Forum. CIO. [https://www.cio.com.au/article/559247/qld-govt-talks-cementing-open-data-through-legislation-g20/]. 21 August 2017. 20 Office of the Information Commissioner. Year unknown. Practice Note – Privacy and sharing information between agencies. Queensland Government. Brisbane, Australia. 21 Victorian Government. 2017. Victorian Centre for Data Insights. http://www.vic.gov.au/datainsights?_ga=2.18686457.1748387944.1503224955-845564548.1503224955 [21 August 2017].

8

Commonwealth

The Commonwealth Government’s Guidance on Data Sharing for Australian Government Entities22 requires Commonwealth Government entities to share data ‘by default’ unless there are ongoing legislative barriers or privacy, security or confidentiality risks.

Tasmania

Tasmania has introduced an information sharing arrangement called the Administrative Data Exchange Protocol for Tasmania (ADEPT)23. The protocol applies by administrative agreement between Tasmanian Government agencies and is intended to encourage information sharing for community benefit by providing practical guidance to agencies proposing to exchange information. The ADEPT protocol envisages data exchange taking place following a defined statement of intent recording proposed data use, and subject to ‘formal and rigorous’ (yet undefined) governance structures. Differential levels of security are proposed reflecting either simple, low-risk or more complex, higher-risk data exchanges. The protocol is subject to privacy or any other legal restrictions applying to the data proposed to be exchanged.

Information privacy – situation in WA

Legal restrictions in WA

An Information Privacy Bill, broadly consistent with the features of other Australian privacy statutes, was introduced into the WA Parliament and passed by the Legislative Assembly in 2007, but did not progress through the Legislative Council.

The absence of specific privacy legislation means State Government agencies operate within a patchwork of rules and sources of authority about what information can be shared publicly.

Common law and entity-specific restrictions in WA

In Australia, the body of common law relating to a particular subject applies to its fullest extent unless it is displaced or overridden by statute. The common law in Australia on information confidentiality has developed in the context of criminal prosecutions. It reflects judicial interest in protecting individuals from exposure to criminal liability and imprisonment by curbing regulatory overreach. It requires a person who has obtained information under a statutory power to treat the information as confidential and use it only for the purpose authorised by that statute.24

Although the principle has been developed in the context of information obtained under compulsion, because it is not actually expressed to be subject to any such limitation it applies generally to all information gathered under statutory powers by government

22 Department of the Prime Minister and Cabinet. 2016. Guidance on Data Sharing for Australian Government Entities. Australian Government. Canberra, Australia. 23 Tasmanian Government. Year unknown. Administrative Data Exchange Protocol for Tasmania. http://www.egovernment.tas.gov.au/stats_matter/adept [21 August 2017]. 24 Johns v Australian Securities Commission [1993] HCA 56

9

agencies. In the absence of a legislative framework overriding or displacing the common law, the principle applies generally in WA. It applies however innocent the context in which information is gathered and however innocuous the consequences of disclosure. The only thing that can reliably overcome the general principle is knowledge that the individual concerned has specifically consented to the secondary disclosure.

It may be that the High Court would take a less stringent approach if asked to decide on the use of information gathered for the purposes of one statute that is being used for relatively innocuous, and arguably related, purposes under another. However, the court has not been asked to test the application of the general principle in such circumstances, so for the time being that principle applies.

The fact that no case of apparently innocuous information sharing has found its way to the High Court is a good indication that a person whose information is shared in unremarkable circumstances, and who suffers no disadvantage from the sharing but objects to it on principle, is unlikely to have a cause of action that any court is prepared to entertain. This suggests there may be scope for a realistic risk-based assessment to be made of the information sharing landscape in the State in the absence of any legislative direction.

For some agencies, the source of difficulty in information sharing often stems from the agency’s own empowering legislation. A number of statutes contain specific provisions governing what can (and implicitly, cannot) be done with information obtained by particular agencies or which relates to particular issues. For example: section 36A of the Children's Court Act 1988 (WA) imposes stringent limitations on what information about children charged or convicted with an offence can be shared. Section 52 of the Disability Services Act 1993 is another example. Section 52 does not prohibit information sharing in all instances but makes it an offence to share information in circumstances other than those set out in the legislation. The existence of such a general prohibition on information sharing, coupled with the existence of heavy penalties for individuals (not agencies) for a failure to comply with that prohibition, contribute to a cautious approach to information sharing.

Lawyers who are asked to advise on proposed information sharing are limited to giving advice that is consistent with the law. The existence of restrictive legal advice can have a long-term chilling effect on the willingness of agencies and officers to use and disclose data, even when there is no real risk that the disclosure is unlawful.

Policy statement in WA

Public Sector Commissioner’s Circular 2014-0225 – Policy Framework and Standards for Information Sharing between Government Agencies – requires agencies to comply with a July 2003 policy document. The document is “an interim document which will later need to be modified in the event that privacy legislation is developed by the State Government”.26 It encourages sharing of information by government agencies subject to structured

25 This circular supersedes previous versions which have been in force since 2003. 26 Government of Western Australia. 2003. Policy Framework and Standards – Information Sharing Between Government Agencies. Clause 1.2. Perth, Australia.

10

memoranda of understanding to be signed by chief executives of relevant agencies, conditional on the agencies acting:

• within the limits of relevant legislation • consistently with minimum privacy standards such as the National Privacy Principles • to ensure the security of confidential information, and “within the context of

information policies, procedures and practices, relevant legislation and privacy principles”. 27

It is noted that the National Privacy Principles, which were in force under the Privacy Act 1988 (Cth) at the time the policy was drafted, were replaced in March 2014 by Australian Privacy Principles under that Act.

Despite the generally facilitative tone of the circular and the policy underlying it, it does not contain detailed guidance about legislative restrictions that apply to agencies. Neither the circular or policy, nor any memorandum of understanding entered into consistently with them, can effectively deal with the legal constraints preventing information sharing in the State.

Freedom of Information Act 1992 (FOI Act)

Schedule 1 to the FOI Act sets out matters that are exempt from the general FOI Act requirement to disclose information held by the Government on receipt of an FOI application. These include trade secrets, commercial and business information (clause 3); personal information (clause 4); and confidential communications (clause 8).28 It can be observed that, in the absence of specific privacy or information sharing legislation, these exemption categories take on particular significance in WA and tend to be relied on as sources of authority to resist or avoid disclosing information.

Other legislative restrictions

Section 9(b) of the Public Sector Management Act 1994 requires public servants to be scrupulous in the use of official information. Section 81 of the Criminal Code makes it an offence to disclose official secrets. These are not intended to apply to all information sharing generally, but are directed at deliberate or malicious misuse of government information. Some disclosure by whistle blowers is protected under the Public Interest Disclosure Act 2003.

Issues encountered by the WA public sector

Submissions to the review Panel have indicated that the lack of clarity in WA leads to unsatisfactory outcomes for public sector workers and the community. Submitters have pointed to the restrictive nature of legal advice about what can lawfully be done with data they have collected. As discussed above, this is likely to be the consequence of the case law on confidentiality, which has developed in the context of protecting individuals against

27 Ibid. Clause 1.4 28 There are exceptions and qualifications to each of these, which are not discussed in detail here.

11

excessive exercises of State power, and the effect of the various specific legislative provisions affecting information sharing at agency level.

Submitters have stated that the situation inhibits their ability to achieve outcomes for the community by sharing, linking and analysing data. They have described complicated ad hoc procedures to gather consent from clients to use and share personal information, even between officers of the same department. Where those procedures are built into online systems, they add complexity.

In relation to human services delivery, submitters have described a crucial need to share information appropriately to benefit clients, in an environment where information sharing is not supported at system level but requires individual workers to decide whether and when to share information, often based on established personal relationships with other workers. It is acknowledged that information in this category is likely to be highly sensitive and not necessarily appropriate to be shared on a general basis. However, the lack of a strong legal basis on which to share it not only drives inconsistent outcomes and potentially disadvantages community members, but also unreasonably puts individual public sector workers at risk of breaching legal or policy rules.

Productivity Commission

The Productivity Commission’s Report No.82 – Data Availability and Use29 – contains recommendations for a new legislative right enabling active digital data control by consumers, and a structure for data sharing and release allowing for differential access arrangements depending on the level of risk associated with different proposed uses of data.

While the decision to legislate for a new right is for the Commonwealth, aspects of the report that describe a data sharing and release framework will be relevant for States and Territories in designing data-access regimes. To summarise, the commission recommends that public sector data, publicly-funded research data, entities regulated or funded for public interest purposes, and national interest datasets should be shared by default, with access given either to ‘trusted users’, where data use is higher risk, or to the public generally, in lower-risk situations. The commission also recommends the establishment of a statutory office of the national data custodian to manage data access.

Options for consideration

Immediate term

Consideration should be given to revising Public Sector Commissioner’s Circular 2014-02 and underlying policy instruments to accurately reflect and sensibly mitigate the risks of sharing personal information between agencies.

29 Productivity Commission. Inquiry Report No. 82, Data Availability and Use.

12

In particular, a revised circular or policy might:

• draw attention to the general prohibition on breaching confidentiality • realistically assess the circumstances in which an action for breach of confidentiality may

be made • encourage action to be taken to minimise the possibility of data handling causing

disadvantage that might support an individual taking legal action • support pragmatic decision making where the public interest appears to outweigh the

risk.

In making this recommendation, it is acknowledged that any revision of the circular and policy instruments will not achieve a situation in which information can be readily shared between agencies. The legal framework will continue to apply irrespective of the content of a Public Sector Commissioner’s circular.

Medium term, most beneficial option

Depending on the Panel’s recommendation on establishing specific data analytics capability in WA, a corresponding recommendation on establishing data sharing legislation should also be considered. Data sharing legislation should, among other things:

• appropriately protect privacy of personal information and commercially sensitive information

• support decisions to share sensitive personal information in human services delivery where circumstances warrant

• deal with inter-jurisdictional concerns about WA’s privacy framework that may otherwise inhibit data linkage and other data sharing arrangements

• consider the model recommended by the Productivity Commission.

Medium term

Introduce comprehensive privacy legislation in WA alongside data sharing legislation to promote effective data sharing while protecting the privacy of individuals (for instance, the NSW data sharing model). Trust in the way that government collects, uses, discloses and handles personal information (i.e. effective privacy legislation) can be viewed as an enabler of data sharing initiatives. The more confident the public is in the protection of their personal information, the more willing they are to provide such information to government, and the more accurate and complete the data available to government.

Medium term, less beneficial option

Introduce privacy legislation in WA to partially overcome data sharing issues and ensure the confidence of other jurisdictions when sharing sensitive data with WA. Privacy legislation can (and generally does) promote at least some information sharing. Privacy legislation will also have the effect of conferring some rights on individuals in the event that their privacy is breached. This is in contrast to existing provisions which are not actionable by affected individuals.

13

References

Cowan, P. 2017. Qld govt jumps on data analytics bandwagon. IT News. [https://www.itnews.com.au/news/qld-govt-jumps-on-data-analytics-bandwagon-449808] 21 August 2017.

Data Linkage Expert Advisory Group. 2016. A review of Western Australia’s data linkage capabilities. Government of Western Australia. Perth, Australia. p8.

Department of Finance, Services and Innovation. 2016. NSW Government Open Data Policy. New South Wales Government. https://www.finance.nsw.gov.au/ict/resources/nsw-government-open-data-policy [21 August 2017].

Department of the Premier and Cabinet. 2015. Whole of Government Open Data Policy. Government of Western Australia. Perth, Australia.

Department of the Prime Minister and Cabinet. 2015. Australian Government Public Data Policy Statement. Australian Government. Canberra, Australia.

Department of the Prime Minister and Cabinet. 2016. Guidance on Data Sharing for Australian Government Entities. Australian Government. Canberra, Australia.

Department of Treasury and Finance. 2012. DataVic access policy – Intent and principles. Victorian Government. Melbourne, Australia.

Government of South Australia. 2013. Declaration of Open Data. Adelaide, Australia.

Government of South Australia. 2016. Cabinet Administrative Instruction 1/89. Adelaide, Australia.

Government of Western Australia. 2003. Policy Framework and Standards – Information Sharing Between Government Agencies. Clause 1.2. Perth, Australia.

Government of Western Australia. 2017. Service Priority Review Terms of Reference. Perth, Australia.

Merrett, R. 2014. Qld govt talks cementing open data through legislation at G20 ICT Forum. CIO. [https://www.cio.com.au/article/559247/qld-govt-talks-cementing-open-data-through-legislation-g20/]. 21 August 2017.

Office of eGovernment. 2016. Tasmanian Government Open Data Policy. Tasmanian Government. Hobart, Australia.

Office of the Chief Digital Officer. 2015. Proactive Release of Data (Open Data) Policy, Version 2.0. ACT Government. Canberra, Australia.

Office of the Information Commissioner. Year unknown. Practice Note – Privacy and sharing information between agencies. Queensland Government. Brisbane, Australia.

Office of the Information Commissioner. Open Data Strategy 2017 – 2021. Queensland Government. [https://www.oic.qld.gov.au/publications/policies/open-data-strategy]. 21 August 2017.

Productivity Commission. 2017. Inquiry Report No. 82, Data Availability and Use. Australian Government. Canberra, Australia.

14

Queensland Government Chief Information Officer. 2015. Information sharing – Lessons learnt report. Department of Science, Information Technology and Innovation, Queensland Government. Brisbane, Australia.

Tasmanian Government. Year unknown. Administrative Data Exchange Protocol for Tasmania. http://www.egovernment.tas.gov.au/stats_matter/adept [21 August 2017].

Victorian Government. 2017. Victorian Centre for Data Insights. http://www.vic.gov.au/datainsights?_ga=2.18686457.1748387944.1503224955-845564548.1503224955 [21 August 2017].

www.dpc.wa.gov.au