Public data legislation could see white hats face jail

Information security researchers who inadvertently re-identify publicly available de-identified government data could face up to two years of jail time, under new proposed measures introduced into Parliament on 12 October.

The Privacy Amendment (Re-identification Offence) Bill 2016, which amends the Privacy Act 1988, was introduced in the Senate by Attorney-General, George Brandis.

The proposed legislation would make it a criminal offense to re-identify data sets that have been stripped of identifying markers for open publication by government agencies – even if re-identification occurs by accident.

If the legislation passes both houses of parliament without amendments, the offences it outlines would apply from 29 September this year, and could result in a jail term of up to two years for those found guilty of breaking the proposed laws.

“This commencement date is intended to be a strong deterrent against attempts to re-identify de-identified personal information in government datasets while the Bill is considered in parliament,” the Bill’s explanatory memorandum stated.

The legislation does not apply to government agencies themselves, or individuals and organisations that have been contracted by government agencies to provide services or to specifically test their information security processes. However, agencies will need to inform the Information Commissioner of the re-identification of public data, according to the legislation.

Likewise, the laws would not apply if the re-identification of anonymised data was done in connection with the performance of the agency’s functions or activities, or to test an agency’s compliance in relation to its information handling processes.

“These exclusions will ensure these entities are not captured by the Bill’s offences when engaging in ordinary functions and activities such as decryption activities to test information security,” the explanatory memorandum said.

The proposed laws, however, do apply to other businesses or individuals who re-identify de-identified public datasets while not under contract by the government agency in question, and disclose the information to any entity other than that agency – regardless of whether re-identification is intended or not.

The Bill states that those who re-identify a public dataset need to notify the responsible agency in writing, “as soon as practicable after becoming aware that the information is no longer de-identified”.

The legislation also contains a provision for the Minister to exempt individuals or organisations from the penalties outlined in the Bill for certain purposes or “if there is a public interest” to do so. The Attorney-General would need to consult with the Information Commissioner to determine exemptions.

Exemptions may be made if the person or organisation that re-identifies a dataset is involved in research involving cryptology, information security, data analysis, or any other purpose that the Minister “considers appropriate”.

The legislation comes after Brandis released a statement in late September suggesting that those who re-identify anonymised datasets for research purposes would be exempt from the proposed laws.

While the proposed laws would be unlikely to be a major problem for security-focused channel partners actively conducting work for government agencies, it could act as a barrier for non-contracted white hat hackers or university-based security research teams like the one from the University of Melbourne that revealed vulnerabilities last month in datasets published by the Department of Health.

The legislation has been put forward, in part, as a result of the government’s push to make agencies’ data public for research and development purposes.

The move comes as the federal government talks up its cyber security prowess, with Minister for Industry, Innovation, and Science, Greg Hunt, backing the country’s developments in its cyber-defence capabilities.

“What we’ve done is create a whole Australian cyber-security strategy. There’s a lot of money; $230 million over four years for the strategy and then another $400 million over the next decade under the Defence White Paper,” Hunt told ABC Radio on 12 October.

“But we’re getting the best people in. I met today with the head of an organisation called Data61, and we were looking at how we will be building the capacity of Australian firms to be engaged in cyber defence. So, we have a whole national strategy,” he said.

The proposed legislation is yet to go to a vote in Parliament.