On 14 September 2020, the Office of the National Data Commissioner (ONDC) released the exposure draft of the Data Availability and Transparency Bill (the Bill) for public comment. The Bill follows extensive consultation by the ONDC with key stakeholders. It proposes a national framework for the controlled sharing of public sector data.
A framework for the sharing of public sector data
The Bill offers an alternative path for the Commonwealth government to share data. It does not require the sharing of data and does not propose open data release. Rather, it sets out a framework for the controlled sharing of data subject to a number of safeguards.
The Bill provides that a data custodian of public sector data is authorised to share data with an accredited user, either directly or through an accredited data service provider. There are corresponding authorisations for accredited entities to collect and use shared data.
'Public sector data' is defined broadly under the Bill as 'data lawfully collected, created or held by or on behalf of a Commonwealth body'. A Commonwealth body is a 'data custodian' of public sector data if the body controls the data, has a right to deal with the data, and is not an excluded entity. Some entities are excluded from the operation of the Bill, such as the Australian Security Intelligence Organisation and the Australian National Audit Office.
The ONDC may accredit an entity, or suspend or cancel an entity's accreditation, in accordance with the accreditation framework.
The sharing of such data is subject to the following controls:
- the sharing is for a data sharing purpose and not a precluded purpose;
- the sharing is consistent with the data sharing principles;
- the sharing is not excluded;
- the sharing is in accordance with a data sharing agreement, the requirements of which are set out in the Bill.
It is proposed that there would be penalties for the unauthorised sharing of information.
A sharing of data that is authorised by the proposed legislation would not contravene any law of the Commonwealth or of a State or Territory. This override of non-disclosure laws is limited because it only applies when the Bill's strict requirements are met, and only to the extent necessary to facilitate sharing.
Existing laws, such as the Australian Privacy Principles, will continue to apply to the handling and security of shared data.
Data sharing purposes and principles
Pursuant to the Bill, data transfers must meet one of the following data sharing purposes:
- the delivery of government services – government activities that provide coordinated and structured advice, support, and services to individuals;
- informing government policy and programs – enabling the discovery of trends and risks to inform public policymaking, enabling modelling of policy and program interventions, and providing a holistic understanding of cross-portfolio impacts and complex intersectional problems;
- research and development – includes activities to advance knowledge and contribute to society.
The Bill excludes sharing information for a number of purposes, including enforcement-related purposes and purposes that relate to, or prejudice, national security.
The sharing must also be consistent with the data sharing principles, being:
- project principle – that data is shared for an appropriate project or program of work;
- people principle – that data is made available only to appropriate persons;
- setting principle – that data is shared in an appropriately controlled environment;
- data principle – that appropriate protections are applied to the data; and
- output principle – that outputs are as agreed.
These principles are viewed as a whole and any risks associated with the sharing of public sector data must be appropriately mitigated.
Pursuant to the scheme, the following types of accreditation are available:
- Accredited Data Service Providers: These are entities accredited by the ONDC to perform data services such as data integration. They will be intermediaries in the sharing process that provide services which support sharing by data custodians with accredited users.
- Accredited Users: These are entities accredited by the ONDC to access public sector data.
Accreditation criteria will be established in Ministerial Rules and will cover three areas:
- governance and administrative arrangements to protect, manage and use data;
- security and data privacy arrangements; and
- technical skills and capabilities to protect, manage and use data.
The Rules will also cover the circumstances in which the ONDC may suspend or cancel an entity's accreditation.
The ONDC will also maintain public registers containing details such as the names of accredited organisations.
Maintenance of accreditation and ongoing responsibilities under the scheme
The accreditation framework will set conditions that accredited entities must comply with to maintain their accreditation.
The Bill also creates a range of offences for failure to comply with its provisions (e.g. misuse of data), including civil penalties and periods of imprisonment for individuals.
Next steps for the Bill
The consultation period runs for 8 weeks, with submissions on the Bill closing on 6 November 2020. Please contact us if you'd like to discuss how the proposed Bill may impact you.