An amendment bill has been tabled in Australia to amend the Privacy Act 1988 to prohibit conduct related to the re-identification of de-identified personal information published or released by Government entities.
Under the provisions of the amendment, an agency entrusted with de-identified information shall not act in any manner that results in the de-identified information being re-identified.
The exceptions to the rule are when:
(i) the act was done in connection with the performance of the agency’s functions or activities; or
(ii) the agency was required or authorised to do the act by or under an Australian law or a court/tribunal order;
(iii) the entity is a contracted service provider for a Commonwealth contract to provide services to the responsible agency; and the act was done for the purposes of meeting (directly or indirectly) an obligation under the contract.
(iv) the entity has entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency; and the act was done in accordance with the agreement.
(v) the entity is an exempt entity for the purposes of this section in accordance with a determination in force and the act was done for a purpose specified in that determination in relation to the entity and in compliance with any conditions specified in the determination that apply in relation to the entity.
The penalty for the offence could be imprisonment of up to 2 years as well as civil fines.
There is also a provision for “Disclosure” if re-identification is done, failing which there could be civil and criminal penalties.
The amendment indicates a specific attempt to focus on the prevention of re-identification and enhances privacy protection.
In the Indian context, a protection of this nature is implicit in the contractual agreement of the sub-contractor, failing which the responsibility for disclosure lies with the agency (which is recognized as an “intermediary” in the ITA 2008).