In a separate submission to the Senate Legal and Constitutional Affairs Committee, the Australian Privacy and Information Commissioner, Timothy Pilgrim, said that while he recognised the Bill’s potential to be a privacy-enhancing tool by providing a deterrent against the intentional re-identification of certain datasets, the introduction of new criminal offences and civil penalties alone would be unlikely to eliminate the associated privacy risks.
“Rather, additional measures will be required for the policy objective to be supported,” he said.
Pilgrim added that agencies would need to implement practices, procedures, and systems to ensure they comply with the Privacy Act 1998.
“That includes taking reasonable steps to ensure personal information is not disclosed through open publication.”
“The open publication of de-identified datasets may always present some level of risk. Effective de-identification requires a careful consideration of all relevant contextual factors, to help ensure that the risk of re-identification, as well as other threats to privacy are minimised.
“I believe that the existing privacy capability of APS [Australian Public Service] agencies to manage privacy risks may need to be strengthened. Agencies must have the capability to manage the personal information that they hold in accordance with the Privacy Act, and in accordance with the broader community’s contemporary expectations,” he said.
Sign up for Computerworld eNewsletters.