Submission to National Data Sharing and Release Discussion Paper
National Data Sharing and Release Discussion Paper Submission: Privacy, Consent, and Trust
A Discussion Paper on Data Sharing and Release legislative reforms was released on the 3rd of September. On 15th October, lead author Claire Benn (post-doc, HMI) submitted the response on behalf of HMI, co-authored with Bob Williamson, Ben Rubinstein (Associate Prof, Computing and Information Systems, U. Melbourne) and Chris Culnane (Lecturer, Computing and Information Systems, U. Melbourne). Ben and Chris (along with Vanessa Teague) made headline news when they demonstrated the vulnerability of anonymised datasets openly released by the Australian government: they re-identified themselves, their co-travellers and complete strangers from the Myki public transport dataset, as well as patients’ data records from the de-identified health records. They were therefore important partners in this submission, demonstrating the importance of cross-disciplinary engagement that draws together expertise from philosophy and computer science to provide a deep understanding of data sharing, one that reflects both the technical reality and the important social values at stake.
The Data Sharing and Release Discussion Paper proposes a process to unify, simplify and expand the abilities and responsibilities of government departments to share data they hold to inform or enable government policy, programs and service delivery as well as research and development by non-governmental bodies, such as academic institutions.
Our response focused on three core values: privacy, consent and trust. With respect to privacy, we outlined the various alternative conceptions of privacy currently not safeguarded by the proposed legislation, such as privacy as autonomy. We also highlighted some vulnerabilities, such as not requiring the leading methods of anonymisation, the threat of data integration and blindness to differential impact, and suggested modifications to mitigate these risks.
The attitude towards consent that the DS&R takes represents a huge shift from current norms: it proposes that consent is never required to share citizens’ data. We point to the importance of context when it comes to data sharing and propose a model of differential requirements for consent depending on three different contexts: sharing within government for narrowly defined purposes (no consent required), sharing within government for other purposes (opt-out required), and sharing with third parties (opt-in required).
We pick up on a common theme in the discussion paper: the need for the public to trust the system. We point out that the trustworthiness of the system is a precondition for appropriate trust. We outline a model of appropriate trust and emphasise the importance of critical, ongoing oversight by both independent bodies and the public throughout the process of data sharing. We suggest more robust methods of establishing transparency, and the addition of mechanisms to guarantee accountability and auditability.
In all three areas, we propose actionable reforms and improvements to the current legislative proposal, ones that respect the best philosophical, social and technological understandings of the advantages and risks of data sharing in this context.