Australian Information Commissioner Professor John McMillan has warned the incoming Coalition Government faces a significant backlog of  issues in national privacy and information policy.

In an address to the Records and Information Management Professionals Australasia (RIMPA) Conference, held in  Canberra this week, Professor McMillan, said of information policy, "Little was said on this issue by either major party during the election campaign. There was no mention of this broad topic in the major policy documents of the parties. 

"At most, answers to some candidate questions gave a generalised reference to matters such as ongoing privacy reform. This contrasts with earlier elections in which, for example, there was a detailed policy commitment that resulted in the establishment of the Office of the Australian Information Commissioner and major reform projects on freedom of information and privacy."

Professor McMillan believes the new Australian Government will face many information policy challenges. In particular in the areas of open government, Freedom of Information policy and privacy.

Open Government

He cited the data.gov.au web site as a successful outcome of the previous government's Declaration of Open Government in 2010, which has  made 530 public sector datasets that available for public reuse on open licensing terms. A growing proportion of Australian Government agencies engage with the public through social media sites and downloadable apps

"The way that government agencies value, manage, use and share information has fundamentally changed. Through the web we are enjoying an unparalleled release on open access terms of information and raw data relating to economic performance, educational achievements, health outcomes, spatial patterns, weather forecasts, government contracting, government spending, crime patterns, political donations, agricultural activity, procurement and licensing and, at the more popular level, toilet and BBQ locations."

Professor McMillan believes the challenge for Australia's  new government is to  it is to take stock of the fact that many other governments have been moving in the same direction, but moving faster. 

"This is aptly captured in the recent Communique of the G8 nations in June – eight nations that produce two thirds of the world’s economic output. The 2013 Communique opened with the sentence: ‘As leaders of the G8, we are committed to open economies, open societies and open governments as the basis of lasting growth and stability.’ 

"Signifying that the commitment to open government goes beyond the rhetorical, the G8 nations adopted an Open Data Charter annexed to the Communique. The Charter opens with the sentence: ‘The world is witnessing the growth of a global movement facilitated by technology and social media and fuelled by information …. Open data sits at the heart of this global movement’.

"An open data culture must be led from the top. A fundamental change in thinking is required. At all levels in government there must be an understanding that information is both an internal and a national asset; that information sharing supports innovation, research, economic growth and better decision making; that government ownership of data must give way to open licensing, even if that means a commercial benefit for someone who did not create the data; that in a world overflowing with digital data it will only be useable by the community if government makes that data discoverable, accessible and useable; and that these initiatives must become a priority within agencies, supported by appropriate governance structures and information management practices. 

"Cultural change of that magnitude, occurring evenly across government, will not eventuate unless the message from the top is that it must occur. "

FOI

With regard to Freedom of Information, Professor McMillan is concerned about the balance between privacy and publication. 

"An underlying FOI reality is that the release of a document to an FOI applicant is ostensibly a release of that document to the world at large, as no limitation can be placed on further circulation of that document by the applicant. In the earlier years it seems that documents released under the FOI Act had limited circulation, except for occasional news stories. 

"But now of course it is easy for applicants to republish documents on the web, and indeed the FOI Act requires agencies to publish released documents in a disclosure log. This is prompting considerable unease as regards documents that contain personal information – names, signatures, phone numbers, and other personal facts, about public servants but others also. Interestingly, the National Archives office has just adopted a new policy that military service records and public service personnel records will not enter the open access period at the same time as other government records, but will do so many decades later.

"A second example of a growing tension is the application of the FOI Act to government data sets. The FOI Act, enacted in 1982, is expressed to apply to ‘documents’, though that word is defined to include articles that record sounds, images and electronic information. The 1982 FOI Act assumption is that a person requesting information stored on a computer will want that material transcribed into a hard copy document. But nowadays, of course, an applicant may instead prefer the entire data set, whether refined or unrefined. And it seems the FOI Act confers such a right. 

"That in my view is ultimately a good thing, but it would be better that we adopted the British approach of creating an access scheme that is properly tailored to a digital world rather than to squeeze digital access into a scheme designed for the release of paper-based records. 

"My third example concerns the impact of the FOI Act on high level policy briefing and discussion in agencies. It has been customary to frame that issue as a debate about candour and frankness. Is protection needed, or can we nowadays expect that professional public servants will be forthright, honest, consistent and prepared publicly to defend any view put to their colleagues? In two recent decisions I have accepted candour and confidentiality arguments, deciding in each case that the document author might otherwise tailor their comments to a different audience or with different interests in mind, and thus rob the documents of their value to government. Those findings will run against the grain of some open government commentary, including in the Hawke report. Clearly this is an important issue that requires more complex analysis."

Privacy

"Privacy issues are sure to confront new and established governments on a regular and controversial basis," said Professor McMillan. 

"Issues currently in the media concern access by national security agencies to encrypted data, email traffic and mobile phone calls; release of personal information by social media sites such as Yahoo, Facebook and Google to government agencies; cloud computing and the security of personal information stored on foreign servers; data farming by electronic communication channels; credit history information retained by financial bodies; and the exclusion of political parties from the coverage of the Privacy Act. 

"Two issues for the new government, carrying over from the former Parliament, are the reference to the Law Reform Commission on a statutory cause of action for serious invasions of privacy; and a lapsed Bill to require mandatory data breach notification.

"The other immediate privacy challenge, more for agencies and businesses than the government, is the commencement in March of the new Australian Privacy Principles (APPs). The 13 Privacy Principles will have a marked impact on government and business entities. For example – 

1. all entities will need to develop a new Privacy Policy that describes how personal information is collected, managed, used and disclosed, and the location of any overseas recipients to whom that personal information is sent (APP 1)
2. individuals must be given the option of dealing anonymously or by pseudonym with an entity, for example, when purchasing a service, lodging a complaint, making a request (APP 2)
3. different procedures must be implemented for handling solicited and unsolicited information (APPs 3, 4)
4. different procedures are also required according to whether the proposed use or disclosure of information accords with a primary or secondary purpose of collection (APP 6)
5. people must be notified when personal information is collected (APP 5)
6. entities must take responsibility for ensuring that an overseas recipient of personal information manages it consistently with Australian privacy standards (APP 8)
7. a higher level of protection is required for the security of personal information, extending now to reasonable protection against hacking (APP 11).