Brett Mason (Queensland, Liberal Party, Shadow Minister for Universities and Research) Share this | Hansard source

I will leave the broader debate surrounding this bill to my colleagues, particularly the ever-eloquent Senator Fifield, and confine my remarks to just one issue: the protection of privacy of individuals under this act. I have spoken about this issue over the years in various different contexts and I do so because privacy reflects the great tension in our democratic life between the quest for individual autonomy on one hand and the impulse for community on the other—a great philosophical, moral, social and political battle. There is never any easy answer, but even here today on the National Disability Scheme Bill 2013 those issues are again alive. I will confine my remarks just to the issue.

I am concerned that in its current form the bill does not adequately protect the privacy concerns that scheme participants and service providers may have in relation to the handling of their data. First, section 60 of the bill allows any person to obtain, make a record of, disclose or otherwise use protected information held by the National Disability Insurance Scheme Launch Transition Agency if it relates to the purposes of the bill. This potentially represents a broad infringement of privacy rights because the objects of the bill, set out in section 3, are highly generic. They include, for example:

… support the independence and social and economic participation of people with disability; and

…   …   …

raise community awareness of the issues that affect the social and economic participation of people with disability, and facilitate greater community inclusion of people with disability.

These are broad, highly generic terms.

In promoting these wide-ranging objectives, it is the privacy rights of scheme participants that are expected to give way. Moreover, according to subsection 60(3) of the bill, obtaining, recording, disclosing or using information will be taken to be for the purposes of the bill if the CEO of the agency believes on reasonable grounds that it is reasonably necessary to facilitate research or actuarial analysis into matters relevant to the scheme or, even more broadly, to facilitate policy development.

This provides an executive official with considerable discretion over the privacy rights of scheme participants. It is concerning that these rights, under the express terms of the bill, are subject to such generic matters as policy development. Surely, some thought should be given to the development of much clearer guidelines with respect to the exercise of this discretion. I note that such guidelines are not included in any of the draft NDIS rules released on 5 March.

Section 66 of the bill enables the CEO of the agency to disclose NDIS information if the CEO certifies that it is necessary to do so in the public interest. The CEO may also disclose information to the secretary, chief executive or head of a Commonwealth, state or territory department or authority for the purposes of that department or authority.

These provisions significantly expand the disclosure powers of the CEO and might further undermine the privacy rights of scheme participants. The draft NDIS Rules for the Protection and Disclosure of Information do not impose defined guidelines to limit the exercise of the CEO's discretion. For example, in considering whether to issue a public interest certificate, the CEO is required under clause 4.3 of the rules to consider whether:

… the person to whom the information will be disclosed has sufficient interest in the information.

A person will have sufficient interest in NDIS information if the person has:

… a genuine and legitimate interest in the information …

These criteria hardly alleviate concerns about the abrogation of privacy rights under the bill. Indeed, the rules simply replace one set of broad criteria with another. The end result is that there is a threat to privacy rights under the NDIS bill and its accompanying rules as currently drafted.

At section 12.7 of its 2011 inquiry report entitled Disability Care and Support, the Productivity Commission argues that any national disability insurance scheme must preserve the confidentiality and privacy of data provided by scheme participants. The Productivity Commission recommends, among other things: de-identifying scheme data; imposing conditions on how data can be used by researchers, for example, through enforceable undertakings; and requiring researchers to comply with principles regarding responsible and ethical research conduct. These matters are not expressly dealt with in the bill or the draft NDIS rules.

Some protection is afforded under the newly-created Australian Privacy Principles set out in the Privacy Amendment (Enhancing Privacy Protection) Actthat was passed late last year and is due to commence in March 2014. For example, clause 6.4 of the sixth Australian Privacy Principle requires the de-identification of data collected by an agency prior to disclosure to another entity.

However, while the Australian Privacy Principles will apply to the National Disability Insurance Scheme Launch Transition Agency, as a Commonwealth public agency, it is unclear what privacy protections will apply to the handling of information by the wide range of other entities that are likely to be involved in the NDIS. In particular, I note that the 'small business exemption' applying to any business with an annual turnover of less than $3 million has been retained in the formulation of the new Australian Privacy Principles. Further, state public agencies are not covered by the Australian Privacy Principles and not all of the states—specifically Western Australia and South Australia—have in place similar privacy arrangements to the Commonwealth scheme.

In its submission to the Senate Standing Committee on Community Affairs inquiry into the bill, the Office of the Australian Information Commissioner said:

Given the amount of personal information that will be collected and used under the Scheme, it will be important to ensure appropriate and consistent coverage of all participating entities under privacy law.

It is crucial that a uniform approach to privacy protection is mandated under the bill.

I note that the Department of Families, Housing, Community Services and Indigenous Affairs will be conducting a privacy impact assessment in relation to the NDIS. While I welcome this development as a means of considering in further detail the privacy implications of the scheme, it is unfortunate that the Senate could not have had the benefit of this analysis before being called upon to pass the bill and to debate the issues.

It is also disappointing that the Senate standing committee's final report dealt with the privacy implications of the bill in less than two pages, and in those two pages did not really provide any substantive policy analysis. The standing committee's conclusion in relation to the privacy implications of the bill is simply that:

Department officials are scheduled to meet with the Australian Information Commissioner to discuss the concerns outlined in his submission. The Committee anticipates that if any amendment to the provisions that ensure consistency across jurisdictions was required, this would be considered by the Department.

Again, it would have been useful for privacy concerns in relation to the bill to have been properly assessed and brought to the attention of the Senate before the debate here this evening.

The protection of privacy rights is by no means a 'side-issue' that we can allow to slide under the radar. As we saw last week when the government announced its new media law package, Australians do not take the abrogation of privacy rights and freedom of speech lightly. Indeed, the protection of privacy and freedom of speech are foundations of the society that we live in today. It is important that any debate about privacy rights takes place in the public domain upon a consideration of all the relevant circumstances and implications. In the event that the privacy impact assessment finds that there are gaps with respect to privacy protection under the bill, the parliament must ensure that these gaps are remedied without delay by amending the NDIS legislation as passed.