Agencies responsible for source data (data custodians) as well as those accessing that data for integration and analysis (integrating authorities and data users) have an obligation to ensure they respect the privacy of those providing information and that individuals and organisations cannot be identified in the integrated dataset.
These obligations are set out in the Privacy Act 1988 as well as a range of other legislative requirements that offer protections for personal or protected information. These include secrecy provisions in agency-specific legislation, which carry penalties such as fines and jail terms if the provisions are breached, as well as sector-specific and other legislation that applies more broadly across government.
One example of disclosure protections in agency-specific legislation is the National Health Act 1953 (Cth). Under Section 135A of the National Health Act 1953, if a person directly or indirectly divulges or communicates information with respect to the affairs of a third person, and is not authorised to do so by law, the person is guilty of an offence punishable by a $5000 fine, imprisonment for 2 years or both. Any authority or person to whom the information is divulged is subject to the same and continuing obligations and liabilities as a Commonwealth officer except where the legislation provides otherwise (example correct at August 2011).
In addition to legal protections, the Governance and Institutional Arrangements for Statistical Data Integration Involving Commonwealth Data have been developed to provide a consistent and agreed framework to enable statistical data integration to take place in a safe environment. The guide provides comprehensive advice on procedures that put the governance and institutional arrangements into practice to help ensure that privacy and confidentiality are maintained.
It is important to note that the governance and institutional arrangements, including the interim accreditation scheme for integrating authorities wishing to undertake high-risk projects, are administrative arrangements which do not override legislation. All legal obligations (for example, obligations resulting from the Privacy Act or privacy and secrecy clauses in agency-specific legislation) must always be met.
For more information on protections prohibiting disclosure of identifiable data see the papers:
- Legal framework for Integrating Authorities undertaking high risk projects – project level requirements and
- Legal framework for Integrating Authorities undertaking low and medium risk projects – project level requirements.
For more information on legal and policy considerations see:
- Authorisation to release identifiable data
- Protections prohibiting disclosure of identifiable data
- Privacy Act 1988