The DATA Act establishes a new regulatory framework for the controlled sharing of Commonwealth 'public sector data'. The Act authorises (but does not require) Commonwealth bodies to share their public sector data with accredited users, and authorises accredited users to collect and use shared data. The sharing may occur directly or through an intermediary. The reform forms part of the Australian Government's wider vision for streamlined and efficient service delivery, and is expected to support economic and research opportunities.
Key concepts and roles
Some of the key concepts defined under the DATA Act are as follows:
1. Public sector data: encompasses all data lawfully collected, created or held by or on behalf of a Commonwealth body. This includes facts, statistics and other information that is capable of being communicated, analysed or processed, whether by an individual or by computer or other automated means.
2. Data custodians: are Commonwealth bodies that are not 'excluded entities', and either control public sector data (whether alone or jointly with another entity),including by having the right to deal with that data or have become the data custodian of output of a project under the DATA Scheme.
3. Accredited users: currently, Commonwealth, State and Territory bodies and Governments, as well as Australian universities may apply to be accredited users. Private entities (bodies corporate), individuals and unincorporated bodies (such as partnerships and trusts) are precluded from participating in the DATA Scheme. The Revised Explanatory Memorandum explains that '[t]hese preclusions are intended to provide an opportunity for the Scheme to establish and mature'.
Some entities, including the Australian Security Intelligence Organisation and the Australian Federal Police are 'excluded entities' and are excluded from the scheme.
Overview of the framework for sharing public sector data
Accreditation serves as a gateway into the scheme. Entities applying for accreditation will be assessed under the accreditation framework by the relevant accreditation authority (the Minister or the Commissioner). This process involves assessment of prospective recipients of data to ensure they are capable of managing scheme data accountably, minimising the risks of unauthorised access, and complying with broader legislative obligations. Conditions may be placed on accreditation and entities are required to comply with these conditions. Accredited entities may have their accreditation cancelled or suspended in certain circumstances.
Accredited users may make a data sharing request to data custodians. Data custodians are not required to share data under the DATA Scheme, but they must respond to all such requests within a reasonable time and provide reasons for any refusal within 28 days of making a refusal decision.
According to the Act, public sector data may only be shared to accredited users for one of the following purposes:
Authorised purposes for data sharing
- Delivery of government services
Delivery of government services broadly includes providing information and services, and determining the eligibility for, and making a payment of, a payment, entitlement or benefit. These government activities provide coordinated and structured advice, support, and services to individuals. Sharing data for this purpose is expected to enable improved designs of systems, engagement, and processes involved in delivery of services, such as improved user experiences through simplified or automated systems like pre-filled forms and reminders to submit or verify details. It may also fast-track service delivery, such as emergency payments to flood or bushfire victims who are not Centrelink clients, direct to their Medicare-linked bank account.
- Informing government policy and programs
Sharing data to inform government policy and programs will enable the discovery of trends and risks through data analytics to inform public policy making, enable modelling of policy and program interventions and provide a holistic understanding of cross-portfolio impacts.
Research and development includes activities to advance knowledge and contribute to society. It will enable accredited academics, scientists and innovators in both the public and private sectors to collect and use public sector data to gain insights that could enhance Australia's socio-economic wellbeing.
Data sharing for enforcement related purposes (e.g. law enforcement investigations and operations) and purposes that relate to, or prejudice, national security (e.g. the prevention or commission of terrorism and espionage) are expressly excluded from the Act.
In addition, each instance of data sharing must be consistent with the following data sharing principles. These principles are based on the Five Safes, an international standard for managing the risks of data sharing.
- Project principle: The project must be an appropriate project or program of work. This requires the project to be reasonably expected to serve the public interest and for the parties to observe processes relating to ethics, as appropriate in the circumstances.
- People principle: Data must only be made available only to appropriate persons. This requires access to only be provided to individuals who have attributes, qualifications, affiliations or expertise appropriate for the access. It also requires the entity sharing the data to consider the collector's experience with projects involving the sharing of public sector data, capacity to handle data securely, any breaches of laws relating to data by the collector, and any other matters specified in the data code.
- Setting principle: Data must be shared, collected and used in an appropriately controlled environment. This requires consideration of the means by which the data is shared, collected and used are appropriate, having regard to the type and sensitivity of the data, to control the risks of unauthorised use. It also requires the application of reasonable security standards.
- Data principle: Appropriate protections must be applied to data. Only the data that is reasonably necessary to achieve the applicable data sharing purpose(s) may be shared, collected and used.
- Output principle: The only output of the project must be the final output, and output the creation of which is reasonably necessary or incidental to the creation of the final output. The data custodian and accredited user must consider the nature and intended use of the output of the project, and requirements and procedures for use of the output of the project. The final output must only contain the data reasonably necessary to achieve the applicable data sharing purpose(s).
Legislative safeguards
The data sharing scheme contains a number of safeguards including frameworks for risk management, transparency. In addition to the accreditation processes discussed above, these include:
- Data custodians and accredited entities must comply with the rules made by the Minister and data codes made by the National Data Commissioner.
- Data custodians and accredited entities must have regard to the guidelines when engaging in conduct for the purposes of the DATA Scheme.
- Specific requirements for the making of a valid data sharing agreement – a draft data sharing agreement is available on the Office of the National Data Commissioner's website (here).
- Data custodians must notify the Commissioner of certain matters listed in the legislation each year.
- Data that includes biometric data must not be shared unless the individual to whom the biometric data relates expressly consents to the sharing of the biometric data.
- A prohibition on storing, accessing or providing access to data or the project outputs outside Australia, where the data or outputs include personal information.
- Where public sector data has been de-identified (e.g. all public sector data shared for the purposes of informing government policy and programs) in the final output, a prohibition on the re-identification of that data.
- Data breach responsibilities.
- Civil penalties and offences for unauthorised sharing of data.
- A range of enforcement options available to the Commissioner, including making recommendations or giving directions, issuing infringement notices or applying to Court for a pecuniary penalty order, accepting enforceable undertakings, and applying to Court for an injunction.
Existing legal obligations and policies for handling Australian Government data continue to apply, including the Australian Privacy Principles in the Privacy Act. Secrecy provisions will continue to apply because a data sharing agreement must only allow the provision of access, or release, in specified circumstances that do not contravene any other law of the Commonwealth or a law of a State or Territory.
What does this mean for you?
Commonwealth data custodians should consider how they will manage requests for access to public sector data.
Government bodies and Universities should consider whether they will become an accredited user under the DATA Scheme and the benefits that this may bring to their activities. Australian, State and Territory government agencies can apply for accreditation from June 2022. Australian universities can apply for accreditation from August 2022.