In 2016, the Productivity Commission was asked to undertake an Inquiry into public and private sector data availability and use. The recently introduced Data Availability and Transparency Bill 2020 is an important outcome from that Inquiry process. The Bill will provide for a new data sharing scheme for federal government data. If that scheme is successfully implemented, it could be used as a model by state and territory governments, including by the NSW government, to allow for a greater level of public sector data sharing.
The development of DATA
In the final week of the 2020 Parliamentary sitting year, the Australian Government introduced the aptly named Data Availability and Transparency Bill 2020 (which will be shortened to DATA if the Bill becomes law). The Bill is the culmination of an extensive inquiry and consultation process that started with the Productivity Commission's (PC) Inquiry into Data Availability and Use, which commenced in 2016 and was completed in 2017.
In the view of the PC, at the time it completed its Inquiry, the then-current regulatory frameworks governing data availability and use, based as they were on risk aversion and avoidance, were not appropriate and inhibited Australian governments, businesses and not-for-profits from taking advantage of the benefits that would arise from the greater exploitation of data. Australia, in the PC's view, also needed to move to a more transparent system of data sharing, allowing users to have greater confidence in data processes.
In responding to the PC's report, the Government stated that it would create a National Data Commissioner to oversee a new data access framework and enact legislation to remove red tape limiting access to data for research and growth, while at the same time ensuring that privacy and data security were protected. The Bill is the new legislation that is intended to achieve this outcome. It has been the subject of extensive consultation – two discussion papers released in 2018 and 2019 on the appropriate form of the new legislation, followed by a consultation on an exposure draft of the Bill in 2020.
One of the immediate benefits that the Government envisages will arise from the enactment of the new law will be the ability for citizens to provide their information to the Australian Government on one occasion only, without the need to provide that information each time they interact with a different agency. In a broader policy sense, as mentioned by the Minister for the National Disability Insurance Scheme and Minister for Government Services in the second reading speech for the Bill, among other benefits, the newly authorised data sharing will allow governments across Australia to work together on nationally significant policies and programs, such as improving outcomes for people with a disability, improving health services and the like.
Key provisions of the Bill
Overall framework and different roles
The intention of the Bill is to provide a voluntary mechanism to increase the amount of data that is shared by the Commonwealth government while making sure that appropriate risk management is in place to provide data safeguards and also ensuring transparency. The Bill applies to "public sector data" collected by all Commonwealth entities and Commonwealth companies, whether it is facts, statistics or other information, with limited exceptions such as for national security or where intellectual property rights would be infringed by sharing. Existing mechanisms for data sharing (and data release) will continue to apply. It is important to note that the Bill provides for data sharing, that is, providing controlled access to data. It does not provide for public access to data. The Bill does not restrict, but does not positively authorise, the public release of data.
The Bill creates a National Data Commissioner and, in fact, an interim National Data Commissioner was appointed in 2018. The Commissioner will be a champion for data sharing, oversee DATA (including by taking enforcement action where necessary) and promote best practice. The Commissioner will be supported by a National Data Advisory Council to provide advice on matters relating to the operation of the data sharing scheme, such as ethical data use and technical issues.
The Bill provides for the following "data scheme entities":
- data custodians: These are the Commonwealth bodies that collect the data in the first place and who have the right to control and deal with it (subject to exclusions for national security agencies and other limited categories). Each data custodian will maintain responsibility for the data it collects, including the sharing of that data. It will be at the discretion of data custodians as to whether they share data
- accredited users: Accredited users are the "end-users" of the shared data. An entity will only be accredited by the Commissioner by demonstrating that it meets the security, privacy, infrastructure and governance requirements set out in the accreditation framework. The Commissioner will be required to accredit all non-corporate Commonwealth agencies as users. It is expected that accredited entities will include agencies from other levels of government as well as industry, research and other private sector entities
- Accredited Data Service Providers (ADSPs): These are entities that have relevant experience in dealing with data and, like users, will require accreditation to participate in the scheme. The role of the ADSPs will be to assist data custodians and accredited users. Data custodians may share data with accredited users through an ADSP. An ADSP could, for example, de-identify data that is to be released, as this is not a skill set that most data custodians would have.
Data sharing will only be authorised for specified purposes. These are:
- the delivery of government services
- informing government policy and programs
- research and development.
Certain purposes are prohibited by the Bill, being enforcement-related purposes, such as prosecuting an offence, and any purpose relating to or prejudicing national security. Other purposes may be prescribed by rules made under DATA.
Appropriate safeguards – the data sharing principles
If a proposed sharing is for a permitted purpose, then the data custodian must consider the data sharing principles to assess and control the risks of sharing. Risks will be assessed by applying the following data sharing principles:
- project principle: Will the data be shared for an appropriate project or program of work, including by reference to public interest, consent (where applicable for personal information) and ethics requirements?
- people principle: Can the users be trusted and do they have the right skills for the relevant project?
- setting principle: Is the sharing environment appropriately controlled, that is, is it tailored to the data type and sensitivity and subject to reasonable security standards?
- data principle: Will the data be protected, including by taking a data minimisation approach to ensure only data necessary to undertake the project is shared?
- outputs principle: Are the results and outcomes of the project agreed, including the intended uses of the outputs?
Governance and transparency
If the proposed sharing is for a permitted purpose and consistent with the data sharing principles, then the relevant data may be shared, notwithstanding the existence of any law that would otherwise prevent that sharing. Where this is to occur, a data sharing agreement must also be entered into between the relevant parties. Data sharing agreements are intended to be a key governance and transparency measure.
The mandatory minimum terms for a data sharing agreement are prescribed in the Bill and include, for example:
- identification of the data that is to be shared
- identification of the purpose for which the data is to be shared and prohibition of use for other purposes
- identification of the agreed outputs of the shared data
- specification of how the data sharing principles are to be applied
- if an ADSP is to be used for data sharing, specification of the services to be provided by that ADSP
- specification of how the outputs are to be shared or released
- specification of how responsibilities will be allocated in relation to data breaches.
Data sharing agreements will be required to be registered on a public register to further increase transparency.
NSW data sharing legislation and open data policy
NSW has in place data sharing legislation and has an open data policy. The Government Information (Public Access) Act 2009 (NSW) (GIPA Act) facilitates providing access to public sector data to the public, subject to appropriate guard rails. The GIPA Act is supported by the NSW Government Open Data Policy, and reflects the government's objective for "better, faster and more open data". The Open Data Policy provides for six open data principles that are to be applied by NSW government agencies in the management of data, requiring that data is managed so that it is:
- open by default, though protected where required
- prioritised, discoverable and useable
- primary and timely (i.e., so that it is released as collected, in the form collected unless there is a compelling reason for a different approach)
- well-managed, trusted and authoritative
- free where appropriate
- subject to public input.
The Data Sharing (Government Sector) Act 2015 (NSW) (Data Sharing Act), on the other hand, is intended to facilitate a greater degree of data sharing between government agencies, as well as with the Data Analytics Centre, while ensuring that data (particularly personal information) is appropriately protected.
The NSW data sharing regime was mentioned favourably in the report from the PC's Inquiry. Nonetheless, at the current time, the NSW regime does not extend as far as the Bill. This is the case as the NSW frameworks do not allow for public sector data to be shared on a restricted basis outside of government with appropriately accredited entities. As the PC noted in the report from its Inquiry, improved data access and use have the potential to assist in the development of innovative products and services that will have benefits for Australians and the Australian economy. There are some public sector data sets that are not appropriate for open access but that could be used beyond the public sector to achieve such benefits – provided of course appropriate safeguards are in place. Therefore the Bill may serve as a useful precedent for NSW for expanding the availability of its public sector data.