The Australian government has decided not to treat the re-identification of anonymised data by researchers who inform the government of vulnerabilities in its datasets as a criminal offence.
The move will effectively protect cyber security researchers from prosecution under the proposed changes to the Privacy Act legislation.
The Attorney-General, George Brandis, released a statement on September 28, which said: "the publication of major datasets is an important part of 21st century government providing a great benefit to the community.
"It enables the government, policymakers, researchers, and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes."
As part of this open data policy, Brandis said the government intended to make it a criminal offence to re-identify open government data which had been de-identified.
“The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset,” the statement said.
This could have had negative consequences for cyber security industry professionals working proactively to identify vulnerabilities in government datasets.
Researchers could have been charged with a criminal offence for performing tasks which are not only routine in IT security, but also in the public interest to ensure open government data remains secure.
However, just a day later, the Office of the Attorney-General said the government would provide an exemption to the amendment for those who alert the government to potential vulnerabilities in datasets.
“The amendment to the Privacy Act will ensure that valuable research based on analysis of de-identified datasets published by government can continue, while also ensuring appropriate protections for the privacy of citizens,” a spokesperson from the Office of the Attorney-General said in a statement.
“The need for researchers to test the effectiveness of de-identification techniques or conduct other research into encryption or information security has been considered and will be addressed in the legislation.
"There will be provision made for legitimate research to continue."
The backflip from Brandis’ office is believed to be a direct result of the actions of researchers from the University of Melbourne who identified vulnerabilities in datasets from the Department of Health.
The researchers notified the department of the vulnerabilities and the offending datasets were removed from the data.gov.au website.