The Commonwealth Government has committed to making it easier for third parties to access government data. Currently, government entities have different approaches as to whether or not they will permit access to data that they hold, which has led to confusion and inconsistency.

As part of its commitment to greater data sharing, the Government is planning to develop new data sharing and release legislation, which will establish a framework for how the Government will share data it holds with third parties in a risk appropriate way.

The Department of the Prime Minister and Cabinet has invited the public to provide feedback on the development of the new legislation and its Issues Paper released last week. Submissions are due by 1 August 2018.

Why is Australia introducing a Data Sharing and Release Bill?

The Data Sharing and Release Bill (DS&R Bill) is one of a number of data reforms (including the introduction of a consumer data right) which the Government has committed to enacting in response to the Productivity Commission’s Inquiry on Data Availability and Use. The reforms aim to release more data into the hands of individuals, researchers, and businesses to 'harness the power of data to drive innovation and opportunity for the Australian economy'.

The Issues Paper explains that greater value could be derived from data if there was a framework in place to facilitate data sharing:

Australian Government data includes information about the environment, about individuals and about businesses, and when this data is used appropriately, it can provide government with new insights into important and complex policy questions and to improve service delivery. Currently, data use is fragmented and sharing of data within government is often limited by lack of authority, cultural barriers and lack of clarity in the purposes of data use and reuse. The DS&R Bill will seek to provide an alternative authority to share, access and release data that is otherwise prohibited, when appropriate conditions and safeguards are met. 

Whose data will the DS&R Bill apply to?

The DS&R Bill is likely to apply to data held by Commonwealth entities and certain companies controlled by the Commonwealth regardless of the purpose for which the data was collected or generated (with some exceptions). This broad scope would mean that individuals may be able to access both the underlying data as well as data which has been ‘crunched’ by Commonwealth Government entities.

Despite its aim of facilitating greater release of data, the Issues Paper suggests that it would be appropriate to exclude certain categories of data, such as data used for national security or law enforcement purposes and data subject to contractual obligations (eg, purchased datasets).

Who may request access to data?

Although data held by Commonwealth Government entities is described as a ‘valuable national resource’, the Issues Paper does not propose that there be any limitation on which parties will be permitted to request access to data. Rather, the Issues Paper proposes the use of a ‘purpose test’ as well as the Five-Safes Framework to determine whether and how data may be shared.

Purpose test

A ‘purpose test’ could be adopted to determine whether data may be shared. For example, the Issues Paper canvasses that the following purposes would each constitute sufficient grounds for authorising data sharing under the legislation:

1. informing government policy making;
2. supporting the efficient delivery of government services or government operations;
3. assisting the implementation and assessment of government policy; or
4. research and development with clear and direct public benefits.

These proposed purposes suggest that the Government must be a beneficiary of the activities conducted pursuant to the release of data under the legislation. However, such a formulation of the purpose test could inadvertently limit the circumstances under which data may be released, and consequently, the extent to which the public could benefit under the legislation. Also, once data has been released, it is not clear from the Issues Paper how the Government entity may exercise any rights or control over the data, including the purposes for which the data may be used.

Five-Safes Framework

The Issues Paper raises the possibility of requiring decision makers to use the Five-Safes Framework when deciding whether data should be shared. The five

'Safes' to be considered are:

1. Safe data: can the data disclose identity?
2. Safe people: can the users be trusted?
3. Safe setting: does the access environment prevent unauthorised use?
4. Safe outputs: are the project results likely to disclose identity?
5. Safe project: is the purpose of use appropriate?

Depending on the risks associated with each 'Safe', varying degrees of control could be applied to other 'Safes'. For example, if the data can be used to identify individuals (Safe 1), then the other Safes would need to have more stringent controls applied, such as by limiting the number of people who can access the data (Safe 2) and the scope of their access (Safe 5).

Who are the decision makers?

The Issues Paper contemplates that the head of each Government entity will perform the role of a ‘data custodian’, and will be responsible for applying the requirements of the DS&R Bill. However, it would also be possible for data custodians to authorise ‘accredited data authorities’ (ADAs) to assist them with managing their responsibilities under the DS&R Bill and undertake activities such as data cleansing and de-identification. At this stage, it is not clear from the Issues Paper what the nature of the legal relationship between ADAs and Government entities or data recipients will be.

The DS&R Bill is also expected to establish a ‘National Data Commissioner’ to oversee the public data system. A National Data Advisory Council will assist the Commissioner in its role as well as the development of the DS&R Bill. Members of the Council will include the Australian Statistician and the Privacy Commissioner, other Government representatives, and representatives from academia, industry and privacy groups. The Council is currently being established and expressions of interest are due by 20 July 2018.

The Issues Paper also proposes a ‘trusted user’ concept, whereby recipients of data could become accredited to subsequently on-share data. These trusted users could comprise employees or contractors of Government entities and companies.

Making a submission

The public is being invited to provide feedback generally as well as in relation to the following five topics which are discussed in further detail in the Issues Paper:

• key principles of the DS&R Bill;
• scope of the DS&R Bill;
• streamlining data sharing and release;
• roles and responsibilities within the system; and
• the role of the National Data Commissioner.

Submissions to PM&C are due by 1 August 2018.