Tuesday, October 18, 2016

Surely This Is A Case Of Cutting Off One’s Nose To Spite One’s Face! Just Silly.

This appeared a few days ago:

Brandis wants two-year jail sentence for re-identifying govt data

By Allie Coyne on Oct 12, 2016 5:07PM

Researchers not automatically exempt.

Individuals and businesses who re-identify government data that has been stripped of identifying details face up to two years jail under new laws proposed today by Attorney-General George Brandis.
Under the bill, security researchers will not automatically be exempt from new laws, in spite of a pledge from Brandis last week that they would be protected.
Under the Privacy Amendment (Re-identification Offence) Bill 2016, reversing the de-identification of published government data after September 29 this year will be a criminal offence that can incur up to two years in prison and 120 penalty units ($21,600), or a civil penalty of up to 600 penalty units ($108,000).
The laws will not apply to government agencies, government service providers, or anyone who has been contracted to provide services on an agency's behalf, if within the course of their work. 
It will also be a criminal offence to publicly disclose revelations that supposedly de-identified data is not really anonymous, with the same maximum penalties in effect.
Anyone who becomes aware that published de-identified government data can be reversed is required under the legislation to notify the relevant agency in writing "as soon as practicable".
Much more here:
There is also detailed coverage here:

Senate introduces legislation criminalising re-identification of anonymised data

The amendment makes the re-identification and disclosure of de-identified data offences punishable by up to two years' imprisonment, while also forcing entities to notify agencies as soon as practicable.
By Corinne Reichert | October 12, 2016 -- 06:12 GMT (17:12 AEDT) | Topic: Telcos
Australian Attorney-General George Brandis has introduced into the Senate the legislation criminalising the re-identification of de-identified datasets that are collected and published by the Commonwealth.
"The publication of government datasets, including de-identified data, enables the government, policymakers, researchers, and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes," the explanatory memorandum [PDF] to the Privacy Act amendment says.
"However, with advances in technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future. The Bill is intended to act as a deterrent against attempts to re-identify de-identified personal information in government datasets and introduces criminal and civil penalties for the prohibited conduct."
The Privacy Amendment (Re-identification Offence) Bill 2016 [PDF] will be retrospectively applied from September 29, criminalising the re-identification of de-identified personal information under s16D and the disclosure of re-identified personal information under s16E, punishable by up to two years' imprisonment or 120 penalty units, or a civil penalty of up to 600 penalty units.
Lots more here:
To use another saying, this really is using a “sledgehammer to crack a nut”!
Draconian penalties are only going to make sure that useful research from legitimate researchers will be suppressed while criminals will be working hard to exploit information the Government puts online. My view is that if this is passed then anyone who can re-identify will if they see it as useful for any reason and stay very quiet about it – which is just the opposite of what we really want.
What is needed in my view is a very ‘light touch’ approach so the Government can be confident data they release can’t be exploited for fun, profit or crime beyond what is intended!
What do others think?


Anonymous said...

This is the modus operandi of the current clueless public service. It's not up to us to ensure it's done correctly, we will throw you in jail if you prove we stuffed up. This is security via gestapo tactics. Really it's time to say enough's enough and admit that our public service is failing us. The advantage of a smaller public service is less danger to the country. I guess these people must interview well, but they are psychopaths with an EQ/IQ ratio of infinity.

Anonymous said...

David, I would add to your sentiments that if there needs to be a "sledgehammer" it should be on those that release "de-identified" / pseudonymised data into the public domain that is in fact identifiable without independent certification that the data has been de-identified to an acceptably (high / highest) possible standard to remove any risk of breaching the privacy (or any other legal rights) of individuals or other entities under existing legislation. Clearly this is where duty of care and competence applies - the value of making de-identified data available for research or other innovation-based purposes has to be balanced with a meaningful and comprehensive risk assessment to the cohort of individuals from which the data was originally drawn or derived. It is a reasonable expectation from a public perspective that the government should assume the responsibility and risk (rather than the individuals from which the data was drawn) for releasing the data in the first instance and should be liable for any damages applicable to the individuals concerned (if the data is re-identified and used for any unintended purposes).
My 2 cents worth ....