EnergyAustralia has blasted the prioritisation of “data-driven innovation” over privacy when bringing new industries into the consumer data right (CDR).
The utility, which must comply with the CDR rules in November, made the comments in a submission [pdf] to the CDR statutory review in May - the same month the government changed.
It criticised the weighting that privacy was given over other factors when determining whether to force new sectors to join the government-led data sharing scheme.
EnergyAustralia said that “comprehensive” privacy impact assessments (PIAs) were being prepared for each new sector and were “integral to understanding the potential privacy risks for consumers, where they may not be obvious due to the complexity of how the CDR rules cross-interact.”
“The [CDR] Act mandates consideration of the privacy or confidentiality of consumer’s information before sector designation and making rules, which Treasury does by considering and responding to the PIA,” EnergyAustralia said.
“Our concern is that the PIA’s recommendations are often not accepted and, at times, the reasoning seems weak.
“We acknowledge there are several matters that must be balanced in sectoral designation and rulemaking.
“However it seems other matters like “data-driven innovation” (and lowering barriers to becoming an accredited person) are taking precedence over privacy impacts in decision making.”
EnergyAustralia noted that, as the CDR “is a new digital data sharing regime”, and there are also “existing issues with digital consent, privacy impacts should be heavily weighted in decision making.”
“We recommend that the Act be changed to place heavier emphasis on privacy impacts when making a sector designation and the CDR rules,” the utility said.
The findings of the statutory review [pdf], which were released late Thursday, do not go that far, however.
It notes that before a new sector is added to the scheme, a privacy impact assessment for the sector is prepared, and the information commissioner’s views are also separately sought.
However, the statutory review “identified an apparent lack of clarity in the legislation” on the timing of the information commissioner’s input.
For that input to be available to influence decisions on adding sectors, “it must come earlier in the process,” the review found.
The review indicates the information commissioner may not have had much bearing on the addition of new sectors to the CDR scheme to date.
“To ensure that privacy is properly factored into the designation design, it is recommended that the information commissioner’s assessment on privacy and confidentiality is considered as part of the sectoral assessment report,” the review states.
.png&h=140&w=231&c=1&s=0)
