The Law Commission, while making proposals for amendment of the law on “information matching” and “information sharing” among public-sector agencies, recommends no measures to regulate data mining.
One reason for not doing so, as suggested by public submitters on the Commission’s study of privacy, is that a requirement to report on data-mining might draw attention to the practice and cause an increase in its incidence. Alternatively, the study suggests, it might lead potential subjects of data mining to take measures against it.
“Not only would a requirement [to report each data mining activity] be a bureaucratic imposition,” the Lawcom report states, “but some submissions made the point it might also be harmful in that it would give publicity to techniques, which others might wish to emulate or might take steps to counteract.”
In any case, the Commission says, it is not clear how data mining might be specified in the law. “‘Data mining’ covers a multitude of activities and would be well-nigh impossible to define,” the report states. “We recommend that there be no change to the [Privacy] Act in this regard.”
A glossary on the Princeton University website defines data mining as: “data processing using sophisticated data search capabilities and statistical algorithms to discover patterns and correlations in large pre-existing databases; a way to discover new meaning in data.” This definition is substantially reflected by many other sources.
Information matching – typically the pulling together of information held by different agencies on the same people — is handled in the present form of the Privacy Act, which requires authorisation for specific matching programs and provides for them to be monitored and subjected to periodic reviews.
However, definitions are unclear, says the Law Commission. “The definitions of ‘information matching programme’ and ‘authorised information matching programme’ are poles apart and have been the source of much confusion.”
Even those who understand the matching provisions are sometimes uncertain whether a given activity falls under the regulations or can be embarked on without authorisation, the report states.
Information sharing – the passing of information held by one agency to another — is not specifically regulated, though there is a schedule to the Act governing “law enforcement information”.
The Commission suggests information matching be considered a subset of information sharing and the latter be regulated. “If government decides not to specifically regulate sharing, then the definition of matching may need to be amended,” the report states.
The Law Commission favours a regime requiring specific approval for all information sharing.
It also, however, notes the restructuring of agencies, pointing out if two separate agencies are combined, information dealt with in the merged entity will not be seen as being “shared”.
Privacy Act principle 5, dealing with security of information and principle 10, regulating new uses of already collected information, may provide enough protection in such cases, the report suggests, but more transparency of such activities may be needed.