15 February 2018

Our reference: D2018/001206

HEIMS Data Collections
Economic and Market Analysis Branch
Department of Education and Training
GPO Box 9880
Canberra ACT 2601

Dear HEIMS Data Collections team

Submission on Discussion Paper — Redevelopment and Audit of the Higher Education Data Collection

I welcome the opportunity to comment on the Department of Education and Training’s Discussion Paper on the Redevelopment and Audit of the Higher Education Data Collection (the HEDC).

The Discussion Paper sets out a number of proposed initiatives, which aim to streamline data collection and handling processes related to the HEDC, and introduce simpler and more flexible practices that support data exchange.

I am supportive of initiatives that seek to maximise the use and value of data, and I recognise that such initiatives have the potential to improve outcomes for education policy and programs. To ensure the success and sustainability of the enhanced HEDC, strong personal information handling practices and community support will be essential. In this regard, I welcome the acknowledgment given by the Discussion Paper to privacy issues raised by the redevelopment and the commitment to seek advice from my Office.

My comments highlight some of the potential privacy risks associated with the project that should be considered, together with some of the ways that privacy can facilitate and support the long term success of this project. Privacy is sometimes seen as a barrier to data innovation — this is not the case. In fact, when privacy considerations are embedded in policies and frameworks from the outset, it is more likely that public expectations will be met, allowing for greater public support.

I would welcome the opportunity to provide additional input and assistance to the Department, as the project moves into the co-design stage.

Role of the Office of the Australian Information Commissioner

The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency established by the Australian Parliament. The role of the OAIC is to bring together three functions:

  • privacy functions through regulating the handling of personal information under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation
  • freedom of information functions, including access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth), and
  • information management functions, as set out in the Information Commissioner Act 2010 (Cth).

The integration of these three interrelated functions into one agency provides my Office with a unique perspective, as it seeks to balance the right to privacy with broader information policy goals, such as ensuring that data is recognised as a national resource, and that it can be made available for uses in the public interest.

In the exercise of these functions, my Office has established itself as a key advisory body, shaping how agencies and organisations harness data to positively impact the lives of every Australian. As discussed further below, this has included advice in relation to use of the Unique Student Identifier, as per my regulatory responsibilities under the Student Identifiers Act 2014 (Cth).

Good privacy practice enables data innovation

The initiatives outlined in the Discussion Paper aim to increase administrative efficiency, enhance data accuracy and support usability of data. A number of proposed objectives for the redevelopment and audit are set out, including:

  • using the new Department of Human Services built government interface to make the reporting and accessing of data more efficient
  • reducing the number of elements involved in information collection that have built up over time, and subsequently reduce the burden of reporting for providers whilst preserving the value of the collection, and
  • improving data quality through a simpler, more focused HEDC.

There is great value to the education sector and the community in seeking to better use data in innovative ways, and to deliver services that are more efficient. I also acknowledge the utility in seeking to reduce duplication and create a more targeted approach to the information elements required for the HEDC, by consolidating personal information into a restructured database. I welcome these particular initiatives because reducing duplication, and/or the unnecessary collection of personal information, both have the potential to be privacy-enhancing. In this way, improving data quality not only facilitates data innovation, but is also good privacy practice.[1]

Nevertheless, I am mindful that when considering how to enhance the use and value of higher education information, it is crucial that privacy remains a central consideration from the earliest stages of a project.

Unique Student Identifier scheme

I note the Discussion Paper proposes a single unique student identifier (USI) that will be used to identify all higher education students attending an Australian higher education provider. I recognise that there are a number of advantages associated with using a USI, as outlined in the Discussion Paper.

However, while the proposed benefits of the USI scheme may be significant, as I have previously noted the introduction of any unique identifier poses privacy risks.[2] For example, such identifiers raise the risk of inappropriate data linking, or use of the identifier beyond the circumstances originally intended. Such linkages may combine personal information that has been collected for different purposes and create datasets which paint a rich picture of individuals’ interactions in society.

If a new or expanded unique identifier for the education sector is proposed, it is therefore important that the intrusion on individuals’ privacy is appropriately balanced with the overall public policy objectives of the identifier. That is, whether the introduction of a unique identifier is reasonable, proportionate and necessary and the least privacy invasive option to achieve the policy objective. A failure to adequately identify and mitigate the relevant privacy risks associated with this project may jeopardise the project’s ability to maintain the confidence of the public, potentially circumscribing the utility of the identifier.

I therefore recommend that a privacy impact assessment (PIA) be undertaken to identify and mitigate the relevant privacy risks (see my further comments on conducting PIAs below). I also note that as of 1 July 2018, the Australian Government Agencies Privacy Code will enter into force, making it mandatory for agencies to conduct PIAs for certain (high privacy risk) projects.[3]

In addition, for the full value of a new identifier to be realised, the scheme should be introduced in a transparent manner and with a robust legislative framework. Strong legislative safeguards can protect the identifiers from being used for purposes beyond those originally intended, preventing the possibility of ‘function creep’. In this regard, I note that my Office currently has regulatory oversight in relation to the use of the USI for some students — as established by the Student Identifiers Act 2014 (Cth). I would recommend that a similar robust oversight regime be put in place in relation to any extension of (or changes to) the USI scheme.

A ‘privacy by design’ approach to data sharing

More broadly, to optimise the value of a data sharing project such as the redevelopment and audit of the HEDC, it is important to ensure any other potential privacy risks (in addition to those associated with the USI outlined above) are appropriately drawn out so that precautions can be put in place to mitigate those risks at the earliest stages. In this regard, I note that taking a ‘privacy by design’ approach can help enable the optimisation of data projects, whilst minimising privacy risks.

‘Privacy by design’ is a holistic approach where privacy is embedded into an entity’s initiatives from the design stage onwards. This includes taking a risk management approach to identifying privacy risks, enabling entities to take steps at the outset of a project to mitigate those risks. Embedding ‘privacy by design’ will lead to a trickle-down effect where privacy is considered automatically throughout the project, resulting in better overall privacy practice and compliance.

Conducting a PIA is the key component of a privacy by design approach. A PIA is a systematic assessment of a project that can identify the impacts a project may have on the privacy of individuals, and subsequently sets out recommendations for managing, minimising or eliminating those impacts. For example, undertaking a PIA can assist agencies to:

  • describe the personal information flows in a project
  • analyse any possible impacts on individual privacy
  • identify and recommend options for avoiding, minimising or mitigating negative privacy impacts
  • build privacy considerations into the design of a project
  • achieve the project’s goals, while minimising the negative and enhancing the positive privacy impacts.

As noted above, I recommend that a PIA be undertaken for this project. I also encourage agencies to publish their PIA reports where appropriate.

My Office has produced guidance on undertaking PIAs which may be useful, including:

  • the OAIC’s Guide to undertaking privacy impact assessments,[4] and
  • the OAIC’s Undertaking a Privacy Impact Assessment e-learning course.[5]

Conclusion

‘Getting privacy right’ is crucial to projects that rely on the use of personal information, and which may involve the creation and sharing of rich datasets.

My Office would be pleased to offer further advice or assistance moving forward into the co-design phase. If you would like to discuss these comments or have any questions, please contact Sarah Ghali, Director, Regulation & Strategy, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

15 February 2018

Footnotes

[1] This is because the Privacy Act, and Australian Privacy Principle 3 in particular, provides that information should generally be collected only where it is reasonably necessary for, or directly related to, an entity’s functions or activities.

[2] For more information, see the OAIC’s submission to the Productivity Commission’s Issues Paper for the Inquiry into the National Evidence Base for School and Early Childhood Education at: <https://www.oaic.gov.au/engage-with-us/submissions/national-education-evidence-base-submission-to-productivity-commission#a-unique-identifier-for-the-education-sector>.

[3] See the OAIC’s website for more information on the Code: <https://www.oaic.gov.au/privacy-law/australian-government-agencies-privacy-code/>.

[4] For more information, see the OAIC’s website at: <https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments#undertaking-a-pia>.

[5] For more information, see the OAIC’s website at: <https://www.oaic.gov.au/elearning/pia/>.