Data access and transfer rights – a new regulatory framework proposed

The generation of data is increasing exponentially: it is estimated that 90% of the world’s information has been created in just the last two years.

The Productivity Commission believes Australia’s regulatory framework to deal with this tsunami of information is out of date and needs to be overhauled.

Its draft report, Data Availability and Use, released on 3 November, lays out a vision of a new regulatory regime for data access. If the recommendations are implemented, this could present great opportunities for fintech businesses – and real challenges for established financial institutions. The report is open for submissions until 12 December.

Data types

The Commission proposes to classify data into four broad data types, with access and use rights depending on the data type.

  • Non-personal/non-confidential: this information would be open access and could be used for such things as market analysis.
  • De-identified: this would only be available to “trusted users” for applications such as scenario development and testing, program or policy analysis and evaluation, and broad service delivery.
  • Identifiable: identifiable information would only be available to “trusted users” and the individual concerned.
  • Confidential/protected: the release of confidential and protected information would be determined by a “data custodian”.

A new Act, a new regulator

A Data Sharing and Release Act would regulate access to data and apply to all digital data held in both the public and private sector.

The National Data Custodian, a central government agency, would have overall responsibility for the framework. Accredited Release Authorities (ARAs) would assist data custodians to improve the curation and quality of datasets to be released, including de-identification of data, and to update and maintain datasets. An ARA would also decide whether a dataset was available for public release or limited to sharing with trusted users.

The Comprehensive Right

A new “Comprehensive Right” is proposed for individuals to access digitally held data about themselves. The Comprehensive Right would give the following rights to an individual in relation to their data:

  • Continuing shared access with the data holder.
  • Access to the data provided directly by the individual, collected in the course of other actions, or created by others.
  • Requesting edits or corrections for reasons of accuracy.
  • Being informed about the intention to disclose or sell data about them to third parties.
  • Appealing automated decisions.
  • Directing data holders to copy data in machine-readable form either to the individual or to a nominated third party. The Comprehensive Right would therefore let an individual direct a financial institution to transfer data about the individual to another financial institution or financial service provider.

Opting out

The Commission also proposes that individuals should have a right to opt out of data collection. This would be subject to exceptions, such as for data collected or used as a condition of continued delivery of a product or service to the individual. However, the right to demand a stop to the collection of data would not extend to stopping the use of data collected on the individual up to the point when the individual opts out.

National Interest Datasets

The draft report calls for all non-sensitive public sector data to be released in accordance with agreed standards. It also recommends a process by which public and private datasets could be nominated and designated as National Interest Datasets (NIDs). A dataset would need to satisfy an underlying public interest test to be classified as an NID. An NID that contained only non-sensitive data should be immediately released. NIDs that included data on individuals would be available initially only to trusted users and in a way that retains the privacy of individuals and the confidentiality of individual businesses, but the aim would be to de-identify these datasets so that they could be publicly released.

UK Open Banking

In related overseas developments, the UK Competition and Markets Authority announced in August an initiative to introduce “Open Banking” by early 2018, which will enable personal customers and small businesses to share their data with other banks and third parties.

Patrick Dwyer
Legal Director