CONSENT AND SOCIAL LICENCE
By Ania Karzek, Manager Strategy & Governance, City of Holdfast Bay
How often have you read the terms and conditions before hitting “I accept” when signing up for a website or a digital service? Have you ever not used a service or not completed a transaction because you read something in clause 427 subsection (p) paragraph 29 that you didn’t want to consent to?
It is alarming how often we skip over the details of consent, both as users and suppliers of digital services.
What many don’t realise is that there are many different types of consent. In government contexts, we often rely on implied, presumed, or hypothetical consent. Much of what we do depends on social license, not active agreement. But we need to seriously question whether that’s appropriate, fair, or ethical, especially when the people affected have no real choice.
Too often, we assume that because someone wants a service, they’re happy to hand over their data. But what if we’re the only provider of that service? Or what if it’s not really a service at all, but a legal obligation? Is that still meaningful consent?
Arguably, we should be seeking expressed, informed consent far more often than we do. We need to be clearer about what people are agreeing to - and more honest about what we’re doing with their data.
This raises another key question: who owns the data? The person who gave it, or the entity that collects it? If it’s the collector, what limits should exist on its use? Current privacy laws are not strong enough to provide citizens with meaningful protection.
What if we use someone’s data internally without their explicit consent? What if we de-identify it and use it for something seemingly beneficial, like population-level planning?
Consider the 2016 example from the federal Department of Health. It released de-identified data on 2.9 million Australians’ Medicare and pharmaceutical claims spanning some 30 years. Despite the data being anonymised, researchers at the University of Melbourne were able to re-identify individuals using publicly available tools, within a short space of time, demonstrating the power of data and the limitations of anonymisation. The Department was found to have breached privacy laws, but the damage was done – to privacy, to trust in government, to the reputation of the Department and to the integrity of public governance.
We must do better: the pursuit of faster, cheaper, smarter digital government services must not come at the expense of people’s rights.
The European Union’s General Data Protection Regulation (GDPR) enshrines the ‘right to be forgotten’. Just because someone consented once doesn't mean that consent applies forever, or to everything. For instance, I might want a streamlined healthcare experience, so I opt in to My Health Record. But that doesn’t mean I want the government to collude with banks to block my credit card if I buy fast food. Sound far-fetched? Not to the communities who were put on the (abolished in 2022) Cashless Debit Card. Well-intentioned but harmful policy happens all the time, often because we don’t seek genuine consent from the people affected.
So, before you harvest data, ask yourself: Do I really need it?
Then ask again. And again.
If the answer is still yes, be ready to explain how you'll store it, how you’ll use it, and how someone can ask you to forget them.
