Sourced from chapter 5 of the Productivity Commission's Final Report
Maintaining a social licence for wider data use, both public and private, can be actively supported by offering individuals the opportunity to participate, as firms and governments do, in accessing and re-using their own data.
A new right for consumers (including small and medium-sized businesses) would provide greater insight and control for individuals over how data that is collected on them is used. Consumer data for this right should be defined broadly and with a focus on desired outcomes, but with industry agreement for inclusion of data that is merely assigned to the consumer.
The new right is significant in a policy sense beyond its ability to support a social licence for better data use economy-wide. It may offer the capacity to underpin a new wave of competition policy, similar in its catalytic effect to the Hilmer reforms of the 1990s.
Under the proposal, all consumers would have a right to obtain a machine-readable copy of their own digital data, provided to them and/or to a nominated third party, such as a potential new service provider.
Existing privacy provisions to view and request edits or corrections to personal information would remain, with the new right also applying these to consumer data.
Consumer data would be a joint asset between the individual consumer and the entity holding the data. Exercise of the right by a consumer would not alter the ability of the initial data holder to retain and keep using the data.
The coverage of the right and transfer method should be agreed within each industry through a standard-setting and data-specification process, the outcome of which would require the Australian Competition and Consumer Commission’s approval.
Data available for transfer must, at a minimum, be sufficient to enable consumers to meaningfully transfer their custom and obtain service from another supplier, while the absence of industry agreement would mean the consumer data defaults to a broad definition.
Participation in comprehensive credit reporting has been low to date and the associated benefits are far from fully realised. A target for participation of 40% of all active credit accounts provided by Australian Securities and Investments Commission-licensed credit providers should be set for 30 June 2017. Legislation to mandate participation should be circulated for consultation by the end of 2017, if the target is not met.
Productivity Commission Recommendations
5.1, 5.2, 5.3, 5.4, 5.5 and 8.7
The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner should enter into working arrangements with each other, industry ombudsmen and other relevant bodies at all levels of government to support a ‘no wrong door’ approach to how individuals (including small businesses) pursue complaints or queries regarding their rights as consumers to data held on them.
Where an industry data-specification agreement (recommendation 5.2) seeks to use a recognised industry ombudsman to address consumer complaints, this should be considered by the ACCC as part of its acceptance or rejection of a proposed industry agreement.
The Australian Government should adopt a minimum target for voluntary participation in Comprehensive Credit Reporting of 40% of all active credit accounts, provided by Australian Securities and Investments Commission (ASIC)-licensed credit providers, for which comprehensive data is supplied to the credit bureaux in public mode.
If this target is not achieved by 30 June 2017, the Government should circulate draft legislation by 31 December 2017, to impose mandatory participation in Comprehensive Credit Reporting (including the reporting of repayment history) by ASIC-licensed credit providers in 2018.
The Office of the Australian Information Commissioner and ASIC should consult with other regulators, industry groups and consumer advocates to collaboratively consider whether there is a need for a hardship flag in credit reporting.
The Department of the Treasury should be given responsibility for monitoring and publicly reporting on a regular basis on participation in Comprehensive Credit Reporting.
The Australian Government should provide for broad oversight and complaints handling functions relating to the use of the Comprehensive Right. Accordingly, the Australian Competition and Consumer Commission (ACCC) should be resourced to undertake the following additional responsibilities:
The Office of the Australian Information Commissioner and industry ombudsmen should, in order to ensure a ‘no wrong door’ approach to handling consumer engagement, coordinate with the ACCC on the receipt and handling of consumer complaints on data access and use.
All holders of consumer data should include in their privacy policies, terms and conditions, or on their websites a list of parties to whom consumer data has been traded or otherwise disclosed over the past 12 months.
On the windup of an entity that holds consumer data, consumers should be informed if data to which they hold a joint right has been traded or transferred to another entity. For businesses entering formal insolvency processes, insolvency practitioners should ensure consumers have been informed. For businesses closing but not in insolvency proceedings, the entity acquiring consumer data should inform consumers of this fact and give them the opportunity for data collection to cease.
The Australian Government should introduce an outcome-based definition of consumer data that is, as an overarching objective, data that is sufficient to enable the provision of a competing or complementary service or product for a consumer.
In the relevant service or product context, consumer data is digital data, provided in machine-readable format, that is:
Participants in an industry should determine the scope of consumer data relevant to their industry (where an industry in this context would be determined by a broad description of the service). This should be in the form of a data-specification agreement.
Data-specification agreements should also articulate: transfer mechanisms, and security of data, to ensure that data use is practical and robust to technology updates; and the requirements necessary to authenticate a consumer request prior to any transfer.
These agreements should be registered with the ACCC, which may offer interim approval where an agreement has been reached but other industry agreements have been prioritised for approval.
In the absence of such agreement, consumer data must be in machine-readable form and include all of:
Data that is solely imputed by a data holder to be about a consumer may only be included with industry-negotiated agreement. Data that is collected for security purposes or is subject to intellectual property rights would be excluded from consumer data.
A consumer for the purposes of consumer data should include a natural person and an ABN holder with a turnover of less than $3m pa in the most recent financial year.
Data that is not able to be re-identified to a consumer in the normal course of business within a data holder should not be considered consumer data.
The definition should be included in a new Act for data sharing and release (recommendation 8.1). Given the need for consumer data to have broad applicability, the outer boundary definition and reference to ACCC registered industry-specific definitions should also be included within the Acts Interpretation Act 1901 (Cth). Consequential amendments to other legislation in the future would ensure harmonisation across federal laws.
Consumer data must be provided on request to consumers or directly to a designated third party in order to exercise a number of rights, summarised as the Comprehensive Right to access and use digital data. This Comprehensive Right would enable consumers to:
Where a transfer is requested outside of an industry (such as from a medical service provider to an insurance provider) and the agreed scope of consumer data is different in the source industry and the destination industry, the scope that applies would be that of the data sender.