Addendum to the Explanatory Memorandum(Circulated by authority of the Minister for Employment, Skills, Small and Family Business, Senator the Hon Michaelia Cash)
Schedule 2 - Information sharing
Statement of Compatibility with Human Rights
After the sixth dot point on page 8 (beginning with the words: 'The Minister's power to make 'information safeguard rules' ...) insert:
The necessity to disclose identifiable student data
Identified data is required by the listed bodies in subsection 210A(1) in item 2 of Schedule 2 of the Bill in order to perform their core functions. Specifically, there are community expectations that the broad gamut of functions that a department undertakes will be cognisant of individual circumstances and that portfolio departments will not work in silos.
De-identified data is currently available to the listed bodies in subsection 210A(1) in item 2 of Schedule 2 of the Bill, however they are unable to understand how a person moves across the tertiary system and into work, how outcomes can be improved for people with different needs and in different regions, and how to target funding and programs to match individual aspirations with the needs of the Australian labour market. By overcoming these evidence barriers, the Commonwealth will be able to enhance the rights of individuals to work and pursue education.
To develop policies based on evidence and target services to assist those with different needs and circumstances, VET data will need to be linked with other data sets to enhance evidence about the employment, social and personal factors that affect a person's engagement with the VET system. The only way to form these datasets is to start with identified sensitive personal information in order to understand the pathways and outcomes for different people, including those with disability, Indigenous Australians and people for whom English is not their first language.
Excluding this information may exacerbate disadvantage as policies and funding cannot be calibrated to meet the needs of all segments of Australian society. Any limitation of the right to privacy resulting from these provisions is offset by the legitimate objective of promoting and enhancing other human rights, including the right to education, the right to work, the right to social security, and the rights of people with disability.
Stringent requirements are followed when data is linked, with oversight from the Australian Bureau of Statistics and a cross portfolio committee. To link separate data sets, it is essential to begin with identified data, however to ensure privacy is protected, once linked, the merged data set can be de-identified for analysis and research. The identifiers used to create the linkage (whether they are unique student identifiers, names or something else) are stripped from the integrated analytical data set once the data has been successfully merged. This is referred to as the separation principle and Commonwealth data integration projects adhere to this process for statistical and research purposes.
In relation to the disclosure of VET data:
- Students will be made fully aware of the use of their data. At the point that personal information is collected from VET students, they are made aware that their information will be shared with the NCVER and authorised government agencies. All RTOs are required to issue a privacy notice to students that outlines how VET data may be used or disclosed. The Department will review the minimum mandatory content of the privacy notice for VET on passage of the Bill.
- Bodies accessing data will almost certainly be APP entities under the Privacy Act or subject to similar requirements under state and territory legislation and as such will only be expected to request identified information where it is strictly necessary.
- NCVER is purposely given discretion to exercise judgement over the release of identified data, providing an opportunity to assess whether identified data is indeed required for the purposes of the request. However, there are critical public policy cases that require identified data, and more details on these are below. The Bill gives the NCVER the discretion (rather than a compulsion) to disclose data. It is expected that the entities listed in subsection 210A(1) in item 2 of Schedule 2 of the Bill will request particular data from NCVER, and list the specific data required and the purpose for the request. In line with arrangements already in place to ensure individuals' privacy is protected, NCVER will assess all data requests, giving consideration to a range of factors, and will not disclose identified data if de-identified or confidentialised data will achieve the relevant purpose.
Disclosure to bodies for the purposes of that body
To enable the disclosure of personal information to each of the listed bodies, the purpose of disclosure referred to in subsection 210A(1) is 'for the purposes of that body' rather than limiting the disclosure for the purposes of 'administering the VET sector'.
Generally, with around 4 million students per year participating in VET, the training sector touches all industries and aspects of the Australian economy. A narrow purpose such as 'administering the VET sector' would preclude the value that all portfolios derive from the VET sector, whether they are directly administering the system, reliant on it for a skilled workforce or engaging with these same 4 million people in designing services around their lifelong learning journey. In this way, Commonwealth, state and territory authorities are able to work together to develop policy and programs that enhance the right to work and the right to education.
VET regulators require identified data to enable them to analyse student movements between RTOs and the actions of RTOs, in order to identify emerging risks and respond to issues such as placing students of RTOs that cease trading.
The purposes expressed in the Bill are broad, transparent and appropriate to the reach of the VET sector across public administration. The protections conferred by privacy legislation and discretion by NCVER ensure that this identified data will only be used where necessary.
Department or another Commonwealth authority
The Department and other Commonwealth authorities listed under paragraphs 210A(1)(a) and (b) in item 2 of Schedule 2 of the Bill are generally bound by the Privacy Act and the Australian Privacy Principles (APPs), ensuring a level of privacy protection for the information of individuals.
The purposes of these bodies are transparent, and are generally articulated in corporate plans and annual reports required under the Public Governance Performance and Accountability Act 2013 and subject to Parliamentary scrutiny as they change, through the consideration of Appropriation Bills from time to time.
As noted above, there are a range of policy issues that are best explored through cross portfolio data integration. As an example, data about the demographics of people undertaking aged care training in VET disclosed to a Commonwealth authority tasked with the future development of the aged care workforce, would be "for the purposes of that authority", "for the purposes of making VET policy" as well as "the administration of VET".
State or territory authority that deals with VET or VET regulator
Like Commonwealth authorities, state and territory authorities jointly responsible for VET are also interested in examining VET's role broadly in the economy and community, and over the life-course of individuals. State and territory departments dealing with VET are also bound by jurisdiction privacy legislation, rules and public scrutiny. As the states and territories directly administer VET and report to ministers who are joint members of the NCVER company with the Commonwealth Minister, it is appropriate that they have access to the VET data collected by NCVER. For the reasons outlined above, narrowing the purposes to "the administration of VET" would not be appropriate.
In the case of a VET regulator, limiting disclosure to the "purposes of that body" effectively limits disclosure to the purposes of administration and regulation of VET.
Information safeguard rules
The Minister 'may' make information safeguard rules, by legislative instrument, under new section 214A in item 2 of Schedule 2 of the Bill, which apply to disclosures to research bodies referred to in new subsection 210A(2) and not the broader range of disclosures under new subsection 210A(1) in item 1 of Schedule 2 of the Bill.
The reason the information safeguard rules would only apply to disclosure to research bodies and not the broader range of disclosures under subsection 210A(1) is that government bodies to which data may be released are already bound by various privacy legislation, rules and public scrutiny. Research bodies are not necessarily regulated in the same way and therefore it is appropriate that there be a capacity to specify rules with which they need to comply.
Appropriate levels of safeguards and guidance have been included on the face of primary legislation. For example, subsection 210A(2) in item 2 of Schedule 2 of the Bill ensures that NCVER only discloses to a person that is engaged by NCVER to support NCVER to carry out its research functions. This person would likely be someone that is contracted to NCVER to perform those functions, and would undergo various scrutiny measures to ensure the person engaged has the ability to fulfil the role and meets all requirements under that contract, such as suitability checks and privacy considerations. The provision also supports current use of information processes by NCVER, and similarly when a Commonwealth department engages a person by contract to carry out duties for that department. NCVER is an APP entity under the Privacy Act and must already meet those collection, use or disclosure requirements, in particular under APP 6 - use or disclosure of personal information.
The proposed arrangements under subsection 210A(2) in item 2 of Schedule 2 of the Bill do not increase the risk of inappropriate disclosure of personal information and support NCVER's use of personal information where additional persons are engaged to assist NCVER to perform its functions.
The information safeguard rules add an additional layer of protection to those already included on the face of primary legislation for the specified bodies to satisfy. As the protection of an individual's personal information is a serious matter and if unforeseen issues were to arise, over time and with changing technological capabilities, the information safeguard rules give the Minister the power to respond to emerging issues in a manner appropriate and proportionate to the new circumstances.
The Minister plans to draft information safeguards rules for consideration by the Ministerial Council. These rules will list the factors that should be considered before a decision is made by the NCVER or the Secretary to disclose identified personal information. These factors will include the purpose for the request, how the data will be used and how privacy will be protected. They will also state that identified data should not be disclosed if de-identified or confidentialised data will achieve the relevant purpose.