Do you ever use public transport, GPS, water or electricity? The NSW government has your data in its sights.
The NSW Government is throwing serious money at data analytics. For example Data61, a business arm of the CSIRO, has been funded close to $4 million by the NSW Government to tackle Sydney's traffic congestion. The project includes using data collected real-time from Opal Cards, as well as 'anonymised' data from in-vehicle GPS devices. But did Opal Card users sign up for that? Did car owners agree to that? And can geolocation data ever be anonymous?
Yesterday's State budget revealed that a further $16.8M is being spent on the new Data Analytics Centre (DAC) over four years. Minister for Innovation and Better Regulation Victor Dominello says the DAC will be his lasting legacy.
Special legislation was passed last year to establish the regime for information-sharing between public sector agencies and the DAC, but crucially, that legislation makes very clear that it does not override the privacy principles governing agencies.
The limitations on using and disclosing personal information for purposes unrelated to the original purpose of collection still apply. Government entities can't just disclose personal information about their clients -- be they students, patients, prisoners, tenants, licence-holders, consumers, ratepayers or passengers -- willy-nilly.
Yet DAC CEO Dr Ian Oppermann has claimed that the DAC legislation has dealt with the "not allowed" argument that agencies previously gave for not sharing their data. Minister Dominello has also been quoted as saying that the "barrier" posed by privacy and confidentiality has been dramatically reduced because of the new DAC legislation.
But how can that be, when the DAC legislation explicitly states that it does not alter the legal privacy obligations on agencies? The DAC website even notes that privacy laws have not been changed, and says sharing of personal data is excluded from the DAC.
Public sector agencies have started receiving requests from the DAC to hand over their clients' data, without advice as to how the disclosure of the data requested will comply with their privacy legal obligations. These requests might ask for 'anonymous' data, but on the other hand expect to be given enough details that would easily enable identification of those clients.
Even if DAC does not know names yet, identifiability is surely within reach. Their stated goal, in a current project mapping data in South Sydney region, is to "get it down to 30-minute intervals of not only who lives where with whom, but who travels in, who travels out, who travels around, or who stays put".
They claim to be collating data not only from public sector agencies including Opal Card data, but from energy and water utilities, telcos, banks and car-share companies. Given the potency of geolocation data and metadata to enable individuation and identification of individuals, the privacy implications are enormous.
This is serious, Big Brother stuff.
How can agencies possibly hand over detailed data about individuals, in a state that would surely risk identification of the individual, without breaching their privacy obligations?
Rightly, agencies are concerned about the impact on public trust if they get it wrong, and about the "unexpected consequences of sharing". And yet Minister Dominello is also quoted as saying he is getting close to using his "sledgehammer" coercive powers to demand data be handed over to the DAC.
Is the problem that we are all talking at cross-purposes here? Perhaps there isn't a shared understanding about what 'anonymity' means. Just because you don't know someone's name, doesn't mean that you're not breaching their privacy. In the words of The Economist, the "stripping of a few details as the only means of assuring anonymity, in a world choked with data exhaust, cannot work".
Public trust in government agencies doing data analytics depends on getting privacy right. But do the researchers, statisticians and data scientists have enough guidance on their ethical and legal obligations? And will those considerations be different, if the purpose is not only research to guide a public policy response, but a project to actually track down individuals in order to penalise them? Minister Dominello is reportedly planning to use the DAC to identify and target slumlords.
At what point does data analytics become just a fancy name for social surveillance on a mass scale? Fishing expeditions masquerading as law enforcement or public safety initiatives are the very type of activity that privacy laws are intended to protect us from. Allowing our lives to be ruled by algorithms means surrendering not only our privacy, but our autonomy as individuals, and as citizens.
Where do we turn to help resolve these ethical questions? Privacy legislation can be horribly tangled, but it is the closest thing we have to help navigate a way forward. Privacy principles were developed deliberately, as a way of codifying our society's values and ethics. They represent a considered balancing act between the public interest served by protecting privacy, and other social objectives such as law enforcement, research in the public interest, and the proper administration of government.
I have faith that our privacy laws can guide the way, so long as in the rush to develop 'big data' analytics, the data scientists actually pause long enough to develop a nuanced understanding of what their privacy legal obligations entail, and consider whether their work is ethical and appropriate.
This is an edited version of a blog originally published at Salinger Privacy.Suggest a correction