Submissions – Data Sharing Submission on Data Sharing and Release Legislation Response to Issues Paper by Department of the Prime Minister and Cabinet

Introduction

The Reserve Bank of Australia (the Bank) has prepared this Submission in response to the Issues Paper for Consultation ‘New Australian Government Data Sharing and Release Legislation’, issued by the Department of Prime Minister and Cabinet.

The Bank supports this initiative to facilitate data sharing. Robust analysis using relevant data underpins good policy decisions. The availability of a wider range of data facilitates new policy-relevant analysis and research. This work can then inform better policy decisions. The Bank has already used various data provided under existing sharing initiatives of Government departments and entities. These data have enabled analysis not previously possible, so deepening the Bank's understanding of the operation of the Australian economy and financial system.

To serve the best interests of the community a data sharing initiative needs to ensure the benefits of data sharing are not out-weighed by any costs, financial or otherwise. The proposal to require a purpose test and safeguards through the Five-Safes framework will help to contain many actual or potential costs. This is an important element of the policy design. Other aspects of the policy design will also need to be carefully considered to ensure a net public benefit from the data sharing initiative. This submission focuses on some aspects of data sharing and release that are relevant for the types of data that the Bank produces and holds and some broader possible implications for the Bank. It outlines: the Bank's existing statutory obligations, which underpin existing international data sharing arrangements; some examples of data that will require some flexibility under the framework; the need to appropriately balance the costs of the framework – particularly those imposed on data holders – against the benefits; and several specific issues that it would be desirable to consider in drafting an effective framework.

The Reserve Bank's current statutory secrecy provision

The Bank is currently subject to the secrecy provision in section 79A of the Reserve Bank Act 1959. That provision protects the confidentiality of information that has not been made publicly available that has been disclosed to the Bank or obtained by the Bank:

• under or for the purposes of the Reserve Bank Act, the Banking Act 1959, the Payment Systems (Regulation) Act 1998, the Payment Systems and Netting Act 1998 or the repealed Banks (Shareholdings) Act 1972 and that relates to the affairs of a financial institution, a related body corporate of a financial institution or a customer or proposed customer of a financial institution;
• under or for the purposes of the performance or exercise of the Bank's functions or powers under Part 7.3 of the Corporations Act 2001 dealing with licensing and regulation of clearing and settlement facilities; or
• under or for the purposes of the performance or exercise of the Bank's functions or powers under Part 7.5A of the Corporations Act dealing with licensing and regulation of derivative trade repositories.

Section 79A is key to the confidence and trust that regulated institutions have in providing sensitive data to the Bank. It has periodically been reviewed and amended, most recently in 2014. The section and a Regulation made under it together facilitate sharing with a number of other government bodies.

The existence of section 79A is also key to the Bank's ability to exchange information with central banks and regulatory authorities in other jurisdictions. For example, the Key Attributes of Effective Resolution Regimes for Financial Institutions set by the Financial Stability Board specify that jurisdictions should ensure that their legal framework establishes a regime for the protection of confidential information that imposes adequate confidentiality requirements on authorities and their current and former employees and agents that receive or have received confidential information, and provides for effective sanctions and penalties for breach of confidentiality requirements. They specify a range of factors that an authority should take into account when assessing whether a proposed recipient of confidential information in another jurisdiction is subject to adequate confidentiality requirements. The Reserve Bank went through a process to have its confidentiality regime assessed as equivalent by the European Banking Authority and the existence and terms of section 79A were a key part of that assessment. Without section 79A, or something substantially similar, the Bank may lose the ability to exchange information with overseas entities in situations where it is highly desirable that it does so.

While the Bank would not oppose a further review of section 79A and the Regulation made under it, it believes that together they currently achieve a balance between permitting appropriate sharing and continuing to preserve confidentiality of the information in the hands of the RBA and of permitted recipients. They are critical to the Bank's ability to collect the data it needs effectively to perform its various mandates and to share data with international bodies and meet international obligations.

Issues for consideration

Examples of data that may require flexibility

The Bank makes publicly available a wide range of data that it produces or compiles, including financial market prices, credit data and commodity prices. However, the Bank also holds and uses many data that are not currently publicly available, including data protected by the secrecy provision described above. These data would seem to be affected by the proposed legislation. Some of these data are sourced from other organisations while other data are produced, or heavily transformed, by the Bank.

The discussion paper indicates that ‘the DS&R bill will not by default compel all data to be shared but rather will support data custodians to make informed decisions’. This suggests that the data custodian will be able to choose not to release data if they feel it is not justified. However, it would be desirable to provide greater guidance and clarity about the circumstances in which data would not be expected to be released. This has been done for just two categories with ‘appropriate exemptions for national security and law enforcement data’. For some data, there could be significant adverse consequences from their release. Consequently, it is important that either the legislation provide appropriate exemptions or the broader data sharing framework provides each entity's data custodian with sufficient backing to decline to share specific data. If there is specific guidance on the circumstances under which an entity would not be expected to share data, then there would be greater certainty for those requesting data and data custodians.

Below are some types of data where their release by the Bank may have detrimental effects.

• Supervisory data. The Bank has regulatory power for Financial Market Infrastructures and the Payments System. The Bank also receives from APRA prudential regulatory data in the context of the Bank's financial stability mandate. Most regulatory data are commercially sensitive. Releasing or sharing these data would damage the commercial interests of the regulated entity and so undermine confidence in the regulatory system. There may be some types of institution-level data which, if released during an episode of financial stress, could be misinterpreted and so undermine confidence in the financial system or individual institutions, adding to the financial stress. Note that because of the nature of the Australian financial system, with a small number of large entities, it is generally not possible to definitively anonymise institution-level data. In the Bank's view it would be desirable for the data sharing framework to have an exemption for supervisory data, or to recognise and not override the existing protection of these data under section 79A (and the equivalent provision in the Australian Prudential Regulation Authority Act 1998).
• Operations data. Some data held by the Bank are the outcome of policy operations. Where the success of those operations depends on voluntary participation a belief that individual data could be released may discourage participation and so diminish the effectiveness of those policy operations. This could apply to the Bank's dealing with individual counterparties in financial markets, including the Open Market Operations used to keep the Bank's policy interest rate at the target set by the Bank's Board. Similar concerns would relate to data resulting from the Bank's operation of the interbank payments settlement system (the Reserve Bank Information and Transfer System, known as RITS) and specialised banking services provided to Australian government agencies and overseas official institutions.
• Other commercially confidential data. The Bank possesses various other commercially and personally confidential data often provided voluntarily to the Bank. This includes data provided directly by companies to the Bank's liaison program, various payments system data and responses to the consumer payments survey. If there was a perception that these data could potentially be shared or released it is likely that many firms or individuals would not share these data with the Bank. This would hamper the Bank's ability to meet its objectives. For example the effectiveness of the liaison program, and so the Bank's assessment of economic conditions, would likely be greatly diminished.
• Contractual restrictions. Some data have contractual restrictions covering their ability to be provided to others. For example the Bank receives data at an individual loan level for loans included in asset backed securitisations. There are strict contractual provisions surrounding these data to ensure borrowers in the database cannot be identified. The Issues Paper suggests that existing contractual obligations will continue to apply and the Bank agrees that it will be important that the legislation clarify that it does not conflict with entities' contractual restrictions on sharing or releasing data. In other situations the Bank sets the terms of contracts governing the collection and use of specific data, for example data collected from RITS Members. It would not be desirable for the legislation to interfere with the drafting of these contractual arrangements in a way that discourages member participation.
• Incentive to compile or enhance data. Individual researchers or entities can exert considerable effort to compile or enhance specific data and their incentives to do so could be diminished by the potential that other parties may be able to access those data. For example researchers often invest months or years to compile or enhance data because they subsequently benefit from their customised research. If their data could be accessed by others before they have completed their research their incentive to produce the data could be greatly diminished. In this light the legislation may want to differentiate between raw and enhanced data.

The costs imposed by the framework need to be balanced against the benefits

There are considerable benefits in a framework that allows agencies ‘to make informed decisions on whether or not data should be released, and the appropriate conditions and risk management for their particular circumstances’. The objective should be to facilitate data sharing in a simple manner that balances the benefits against the various costs, including those discussed above and the expenses incurred by the holder of the data. It is important for the framework to consider these costs given the need for data holders to: assess purpose, assess the ability of the data user to meet the Five Safes Framework, potentially undertake data cleaning, publicly report on data sharing and potentially be subject to key performance indicators and audits. To the extent that the initiation of these processes is outside the data holder's control, the cumulative cost of these processes could be substantial.

Other issues for consideration

The following issues should also be considered in the design of an effective framework:

• What is meant by data? The discussion paper does not include a definition of ‘data’. It will be important to clarify what is covered by the data sharing framework. For example, entities produce a wide range of information through their operations, including financial statements, various operational reports, as well as information on their staff and technology.
• Consistency across entities. Currently where identical or equivalent data are held by different entities the provisions for data sharing or penalties for misuse of the data can differ. It would be beneficial for the new data sharing framework to address existing inconsistency across entities and any inconsistencies that may arise between the new Act and existing legislation.
• Who is the correct recipient of a data request? Many government agencies, including the Bank, hold data that they have obtained from another government agency (for example, in the Bank's case, APRA or the Australian Bureau of Statistics) or from the private sector. Consideration should be given to whether those seeking access to a particular data set should be required to approach the ‘originating entity’ (the one that originally collected or complied the data) on the basis that the originating entity is best able to assess the risks associated with loss or misuse of the data and the terms appropriate for any data sharing agreement relating to the data.
• Reliance and liability for loss arising from use. Data sets held by agencies will be subject to varying degrees of verification and to processes for updating and correction that will vary depending on the nature of the data set and the way the agency uses it. For the originating agency some margin of error may be acceptable. Even if it is not, and the agency believes its data set to be accurate and complete, it may not be in the public interest for the agency to be exposed to a claim by a third party (whether another agency or a trusted user) who accesses and relies on the data and subsequently discovers that it was not entirely accurate or complete. Consideration should be given to the extent, if any, to which agencies will be liable for any loss or damage arising from errors in data shared under the framework. Liability issues could be addressed in template data sharing agreements, but there would need to be a range of possible clauses dealing with representations about data accuracy and reliance on data, which the data custodian could select from as it determined appropriate in the circumstances.
• Defining acceptable purposes. It will be important to ensure that acceptable purposes for data use are very clearly defined, particularly given the suggestion that penalties may apply for an incorrect assessment. The category ‘research and development with clear and direct public benefits’ should be a focus in further consultation.

The new Data Sharing and Release Act has the potential to provide many benefits for policy design, analysis and delivery. This is important legislation and so it is crucial that it is well designed and crafted. The Bank appreciates the opportunity to contribute through this consultation process.