Attorney-General to exempt cyber security researchers from Privacy Act changes

Attorney-General to exempt cyber security researchers from Privacy Act changes

George Brandis says white hats will not be prosecuted if they re-identify datasets

The Australian government has decided not to treat the re-identification of anonymised data by researchers who inform the government of vulnerabilities in its datasets as a criminal offence.

The move will effectively protect cyber security researchers from prosecution under the proposed changes to the Privacy Act legislation.

The Attorney-General, George Brandis, released a statement on September 28, which said; "the publication of major datasets is an important part of 21st century government providing a great benefit to the community.

"It enables the government, policymakers, researchers, and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes."

As part of this open data policy, Brandis said the government intended to make it a criminal offence to re-identify open government data which had been de-identified.

“The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset,” the statement said.

This could have had potential negative consequences for cyber security industry professionals working proactively to identify vulnerabilities in government datasets.

Researchers could have been charged with a criminal offence for performing tasks which are not only routine in IT security, but in the public interest to ensure open government data remains secure.

However, just a day later, the Office of the Attorney-General said the government would provide an exemption to the amendment for those who alert the government of potential vulnerabilities in datasets.

Attorney General, George Brandis
Attorney General, George Brandis

“The amendment to the Privacy Act will ensure that valuable research based on analysis of de-identified datasets published by government can continue, while also ensuring appropriate protections for the privacy of citizens,” a spokesperson from the Office of the Attorney General said in a statement.

“The need for researchers to test the effectiveness of de-identification techniques or conduct other research into encryption or information security has been considered and will be addressed in the legislation.

"There will be provision made for legitimate research to continue."

The backflip from Brandis’ office is believed to be a direct result of the actions of researchers from the University of Melbourne who identified vulnerabilities in datasets from the Department of Health.

The researchers notified the department of the vulnerabilities and the offending datasets were removed from the website.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags data privacyGeorge Brandis

Brand Post

Show Comments