The Robodebt scheme was a controversial and unlawful attempt by the Australian government to recover debts from welfare recipients between 2015 and 2019 using an automated data-matching system. During this period, serious questions were raised about the processes behind automated data-matching and associated privacy practices of involved government agencies involved: the Australian Department of Human Services and the Australian Taxation Office.
What followed was infamously referred to as "a massive failure of public administration" in the class action lawsuit, which prompted the establishment of a Royal Commission inquiry into the scheme. The Royal Commission's final report, delivered in July 2023, provides a detailed account of the data processes behind the scheme and offers several important insights for privacy professionals.
To retain or destroy?
One key challenge of managing large quantities of information is determining when it is no longer needed and should be destroyed. Under the Australian Privacy Principles, entities and agencies are required to take reasonable steps to destroy or deidentify personal information that is no longer needed for the purpose for which it was used or disclosed. However, the rapid rise of cloud computing and decreasing digital storage costs have created, at best, a complacent culture of digital hoarding and, at worst, poor retention practices contrary to the APP.
The data-matching processes between the DHS and ATO were conducted in accordance with an internal protocol that required the destruction of all information not used, unsuitable for use or already used in the matching process. However, despite this requirement, the Royal Commission found information was retained indefinitely "while there was an intent to use it."
Confusing "we might use it" with "we will use it" is a common trap many organizations fall into when determining if personal information should be destroyed. The fact that this situation continued even when the protocol was amended in 2017 showed risk-culture failures, including poor risk management measures and misalignment between protocols and processes.
The retention of personal information for undefined periods is never a sensible risk approach, and is contrary to the APPs. However, it could be argued this practice does not solely stem from poor risk management but also from the complexity of multiple legal provisions outside the privacy regime that require the retention of personal information, resulting in a culture of retaining it "just in case" (a known trend recently highlighted by the large privacy breaches in Australia).
To address this situation, the Privacy Act Review Report 2022 recommended reviewing of all legal provisions requiring personal information retention and having entities establish maximum and minimum data-retention periods.
Open and transparent
APPs 3 and 6 outline the circumstances in which entities can collect, use or disclose personal information and the circumstances. APP 5 also requires entities to notify individuals of the circumstances of collection and its purpose, among other requirements. These fundamental aspects of the Australian privacy regime are predicated on the principle of openness and transparency in APP 1.
The Royal Commission noted the Robodebt scheme may have breached these APPs by not adequately informing or seeking consent from individuals before disclosing and collecting their personal information for the data-matching process. This view was based on doubts raised by the Royal Commission over the ATO's compliance with its own secrecy obligations when sharing information with the DHS.
Notwithstanding the merits of this view, the open and transparent principle must always be upheld for the benefit of the owner of the personal information — a central tenet and driving force of Australia's privacy regime. The community expects entities to be forthcoming with their personal information handling practices. The legal and regulatory ramifications that followed the scheme serve as a stark reminder for all privacy pros of what eventuates when this expectation is not met.
Right to an explanation
A heavily criticized aspect of the scheme was the lack of human intervention in the calculation and notification of debts and insufficient information about this process. The Royal Commission found human intervention was slowly removed to the point that debt notices were issued without review, leaving support recipients to navigate the complexities of DHS internal processes unaided.
This experience intensified conversations around the right to obtain explanations of the decisions reached through automated decision-making processes, particularly when personal information is used to produce decisions with significant legal consequences.
Under the existing Australian regime, individuals are entitled to know why their personal information is collected. However, as we have learned from the scheme, this is insufficient. The EU General Data Protection Regulation attempted to solve this issue by prohibiting decision-making "based solely on automated processing," but this ambiguous language has been criticized as multistage processes with minimal human intervention arguably fall outside this prohibition, making the provision almost inoperative.
The Privacy Act Review Report 2022 attempted to strike a balance, using less rigid language to recommend disclosing the types of personal information to be used in "substantially automated" decisions and meaningful information on how those decisions are made. To assist entities further, it also recommended including high-level indicators of the types of decisions with legal effect in the legislation.
The Robodebt scheme has become a textbook case of what can go wrong when inadequate frameworks, processes and controls are implemented, particularly when dealing with personal information. In this age of digital automation, it also demonstrates the clear need for a modern framework that aligns with community expectations.