Data Availability and Transparency Act passes Parliament, paving the way for greater sharing and use of public sector data

TL;DR

The Data Availability and Transparency Bill 2022 and the Data Availability and Transparency (Consequential Amendments) Bill 2022 passed both Houses of Parliament with bipartisan support on 30 March 2022. First introduced in December 2020, these Acts will significantly change the way that public sector data can be collected, shared and used.

Overview

The Data Availability and Transparency Act 2022 (the Act) establishes a new data sharing scheme whereby Commonwealth bodies can share public sector data with state and federal governments and public Australian universities. Data can only be shared for the delivery of government services, informing government policies and programs, and research and development. Data sharing must be consistent with the Act’s data sharing principles and a registered data sharing agreement. The Act also establishes the National Data Commissioner to oversee the scheme.

The Act is designed to promote greater use of public sector data, encourage innovation, and build trust within society regarding the government’s use of data. Whether it achieves that will depend on the workability of the Act and the Commissioner’s template data sharing agreement.

The Act was one of the two key reforms proposed by the Productivity Commission’s influential Inquiry Report into Data Availability and Use (2017) – along with the Consumer Data Right. The report recognised that fundamental and systematic changes are needed to the way Australian governments, businesses and individuals handle data in order to deliver net benefits to the community, increase the availability and usefulness of data, and foster community trust in how data is managed and used. The report also said that enhanced data sharing could support economic and research opportunities, and the Government’s vision for streamlined and efficient service delivery. The report said that risks from better data use are real but manageable with the right policies and processes.

The detail

The Act sets up a data sharing scheme whereby Commonwealth bodies can share public sector data with “accredited users,” who can collect and use the data subject to certain conditions. The Act also establishes the National Data Commissioner. We break down these concepts further below:

What data are we talking about?

The Act relates to public sector data, which is defined as data lawfully collected, created or held by or on behalf of a Commonwealth body, and includes data enhanced by an accredited data service provider (ADSP). This includes personal data, although that data is subject to additional privacy protections.

Which Commonwealth bodies are captured?

The Act broadly captures any Commonwealth body that controls public sector data (alone or jointly with another entity). There are a number of excluded bodies, which are primarily Government law enforcement and intelligence entities (e.g. AFP, ASIO, ASIS, ASD).

Who is an accredited user?

“Accredited user” means an ADSP or someone accredited via the Act’s accreditation framework. Private entities (bodies corporate), individuals and unincorporated bodies (such as partnerships and trusts) are precluded from participating in the scheme. This means that data recipients will realistically – at this stage – be limited to Commonwealth, State and Territory bodies and bodies politic and public Australian universities. The accreditation framework provides that the Minister and the Commissioner may accredit Australian entities (with or without reasonable conditions) if entities have appropriate data management and governance policies, and can keep the data private and secure. The rules may provide for other accreditation criteria. Data cannot be shared with foreign entities under the scheme.

How can data be shared?

Data may be shared with an accredited user directly, or through an ADSP. ADSPs must be “Australian entities”, i.e. Commonwealth, State and Territory bodies and bodies politic and public Australian universities. ADSPs may provide de-identification or secure access data services. If data is shared through an ADSP, the Commonwealth body can collect output or ADSP-enhanced data of the project from the ADSP or the user, if that is covered by a data sharing agreement.

When can data be shared?

Data can only be shared for a data sharing purpose, consistently with the data sharing principles, and consistently with a registered data sharing agreement that meets the requirements of the Act. Sharing is subject to privacy protections and is not permitted in some circumstances. The Act’s data sharing authorisations override existing laws that would otherwise prevent the sharing of data.

Data sharing purposes: Data sharing purposes are defined as delivery of government services; informing government policy and programs; or research and development. Data sharing for enforcement or national security is not permitted.

Data sharing principles: There are five data sharing principles, as follows:

Project principle

The project must be an “appropriate” project or program of work. The project must reasonably be expected to serve the public interest and the parties must observe ethics processes as appropriate in the circumstances.

People principle

Data is only made available to appropriate persons. That includes people with appropriate qualifications or expertise. The entity sharing the data must consider factors including the collector’s capacity to handle the data securely and their experience with projects involving the sharing of public sector data. 

Setting principle

Data shared, collected and used must be in an appropriately controlled environment. Reasonable security standards must be applied, having regard to the type and sensitivity of the data.

Data principle

Appropriate protections must be applied to the data. Only data reasonably necessary to achieve the data sharing purpose(s) can be shared.

Output principle

Data can only be used for, or incidental or reasonably necessary to, the data sharing project identified in the data sharing agreement.

Data sharing agreement: Sharing is only permitted pursuant to a data sharing agreement that complies with the Act. The ONDC will release a generic template that can be used for the purposes of the Act. The agreement must specify things like the data being shared, the output of the project, the data sharing purpose(s), and an explanation of how the project is consistent with the data sharing principles. If data sharing is through an ADSP, the agreement must specify the data services that the ADSP will perform. The agreement must prohibit data sharing, collection and use that is not within the scope of the agreement.

Privacy protections: Additional privacy protections apply to the sharing of personal data, including the need to obtain consent from the individual. Biometric data can only be shared with consent of the individual. If data that has been de‑identified is shared, the data sharing agreement must prohibit the recipient from re-identifying the data.

Data breach responsibilities: The Act contains specific data breach responsibilities. If there is unauthorised access or disclosure, or data is lost, then the data custodian or accredited entity (as applicable) must take reasonable steps to mitigate the data breach. There are also obligations to notify the Commissioner.

No duty to share; some sharing barred: The Act does not require data sharing in any way, but if a data custodian refuses a request for data sharing then it must provide reasons. Some data sharing is also barred, such as if the data sharing would breach the law or an agreement. Data sharing may also be barred in circumstances prescribed by the regulations (which have not yet been published).

The National Data Commissioner

The Act establishes the Office of the National Data Commissioner (ONDC or Commissioner) and the National Data Advisory Council. The Commissioner regulates the data sharing scheme, including advising on and enforcing it. The Commissioner has the power to make data codes, which data custodians and accredited entities must comply with.

Penalties for non-compliance

Unauthorised data sharing comes with a civil penalty of up to $66,600. If an entity or individual recklessly provides access to data that is not authorised to be shared, there is an additional penalty of imprisonment for five years.

The Data Availability and Transparency (Consequential Amendments) Bill 2022 makes consequential amendments to the Administrative Decisions (Judicial Review) Act 1977, Australian Security Intelligence Organisation Act 1979, Freedom of Information Act 1982 and Privacy Act 1988 in relation to the operation of the data sharing scheme described above.

Key takeaways and reflections

1. Significance

The Act is key to the Government’s data strategy and is the culmination of the Government’s response to the influential Productivity Commission Report. It has the potential to facilitate significantly more streamlined Government services. For example, the Opposition said in Parliament that in the wake of a bushfire or a flood, where the government is trying to get emergency payments to people without documentation, the Act could enable Centrelink offices to make an emergency disaster payment to families in need that are not Centrelink clients, direct into their Medicare-linked bank accounts. That is not possible at present due to rule constraints.

The Act has the potential to radically change the way that public sector data is collected, shared and used. Whether it lives up to that potential will depend on whether data sharers and recipients believe the Act is workable and that the pay-offs are greater than any potential liability under the Act. Whether the Act is workable will depend in large part on the ease of use and adaptability of the template data sharing agreement.

2. Template data sharing agreement

Data sharing agreements will be critically important for accredited users that want to collect and use public sector data. We are expecting the ONDC to release a template agreement in an ‘approved form’ for the purposes of the Act. The ONDC has already released a template agreement that is “legislation agnostic” and not tied to the Act. Although the existing template is useful, we consider that a more detailed agreement – perhaps with more ‘tick box’ options for ease of contracting – would greatly help data custodians and accredited entities share data with confidence. The existing template is also not especially well suited to complex multi-agency data sharing arrangements. The agreement should also contain more thorough ‘mandatory terms’, which outline the parties’ obligations, data breach responsibilities, and termination.

3. Privacy protections

Part 2.4 of the Act contains privacy protections that are more robust than the version of the Bill that was introduced to Parliament in December 2020. The Act now contains three general privacy protections: a prohibition on sharing of biometric data without consent, a prohibition on providing access to ADSP-enhanced data or project output outside Australia, and a prohibition on re-identifying data that has been shared in de-identified form. It also contains purpose-specific privacy protections, which can restrict the government’s ability to share personal information.

4. Importance of the rules and codes

Data custodians and accredited entities must comply with the rules made by the Minister and data codes made by the Commissioner. It will be important that those rules and codes impose appropriate restrictions on custodians and accredited entities, proportionate to the value of the data being shared and used. If the restrictions are too high, we may see limited data sharing and reduced innovation.
