This article applies to organisations that interact with public sector data and/or are involved in the collection, use and sharing of public sector data.
Data Availability and Transparency Bill 2022 (Cth)
Please be advised that the Data Availability and Transparency Bill 2022 (Cth) (the Bill) passed parliament on 30 March 2022 and received Royal Assent on 31 March 2022. The Bill commenced on 1 April 2022.
The Bill creates a new data sharing scheme for public sector data, which involves providing controlled access to data (scheme data) to enable its secure and regulated use in projects. Data sharing will be underpinned by an accreditation scheme that requires users and data-sharers to apply for accreditation. Additionally, the Bill establishes an independent regulator, the National Data Commissioner (the Commissioner), who is to oversee and support the scheme.
For the purposes of the Bill, a project involves at least both an entity that shares data with another entity, either directly or through an intermediary, and a user that collects the data for use in producing an output of the project – being a copy of the data collected and any data that is the result or product of the user’s use of the shared data. Where an intermediary is used, the project will also include the use of enhanced data.
Participants in the Scheme – data scheme entities
Data scheme entities have responsibilities under the scheme and may be subject to enforcement proceedings by the Commissioner. Data scheme entities include:
- data custodians of public sector data; and
- accredited entities.
Data custodians are responsible for assessing each sharing request and deciding whether to share data if they are satisfied the risks can be managed. Data custodians are defined under section 11 of the Bill as Commonwealth bodies that are not excluded entities (as listed in section 11(3)) and that control public data (whether alone or jointly with another entity), including by having the right to deal with that data, or that have otherwise become custodians of project output in accordance with section 20F of the Bill. The Commonwealth body must be the data custodian of the public sector data it shares, meaning it must be in control of the data.
Accredited entities are those entities that are accredited under section 74 of the Bill as an accredited user or accredited data service provider (an ADSP). Commonwealth bodies are authorised to share data with these accredited users. Accredited users are authorised to collect and use data that is shared with them in an authorised and controlled way. ADSPs are authorised intermediaries that facilitate the sharing of data and provide data integration services.
Under section 13A, an accredited user may collect and use data as part of a project if all of the conditions of that section are met, including that the project is covered by a registered data sharing agreement that is in effect and that meets the requirements of the Bill and the collection or use is in accordance with the data sharing agreement. An ADSP may act as an intermediary under similar conditions, outlined in section 13B. The penalty for unauthorised use of data, or for an entity providing unauthorised access to data, is a maximum of 300 penalty units (currently $66,600), 5 years imprisonment or both. Unauthorised collection of data can result in a maximum penalty of 600 penalty units (currently $133,200), depending on the sensitivity of the data collected.
As outlined in section 11, data scheme entities may act in different capacities at different times, depending on their dealings with the public sector data. Thus, a data scheme entity will have responsibilities at different times related to that capacity. Provided as an example in the Bill, the same entity may be party to the agreement in its capacity as data custodian of data to be shared and in its capacity as the accredited entity with which the data is shared.
In accordance with the Bill, data may be shared, collected and/or used where:
- the sharing is for one or more defined data sharing purposes; and
- the sharing is consistent with:
  - the data sharing principles; and
  - a registered data sharing agreement that meets the requirements of the Bill.
Subscribers should note that some sharing of data is barred, such as where the sharing would be inconsistent with a prescribed law or agreement. Additionally, privacy protections apply to the sharing of any personal information.
All users and data service providers must be accredited by the relevant accreditation authority before they can access shared scheme data. For these purposes, the accreditation authority is:
- for an entity applying for accreditation, or accredited, as an ADSP—the Commissioner; or
- for a Commonwealth body, State body or Territory body, or the Commonwealth or a State or Territory, applying for accreditation, or accredited, as an accredited user—the Minister; or
- for another entity applying for accreditation, or accredited, as an accredited user—the Commissioner.
An application must be made in accordance with section 76 of the Bill and must:
- be made by an authorised officer on behalf of the entity; and
- be in the form approved by the Commissioner (if any); and
- include the evidence prescribed by the rules to support the criteria for accreditation and the entity’s ability to meet the 9 criteria to the appropriate standard; and
- include consent for the Commissioner to:
  - obtain information relevant to the entity’s application for accreditation from third parties; and
  - verify information provided by the entity with third parties.
An application involves assessment against criteria, set out in section 77, to ensure that the entity:
- has appropriate data management and an appropriately qualified individual in a position that has responsibility for data management and data governance for the entity;
- can appropriately minimise risk of unauthorised access, sharing or loss of the data; and
- has the necessary skills and capability to ensure the privacy, protection and appropriate use of data, including the ability to manage risks in relation to those matters.
Accreditation may also be given with certain conditions.
Obligations of data scheme entities
The Bill lists ongoing responsibilities of data scheme entities to comply with privacy rules and data codes, as well as necessary steps to mitigate data breaches. Data scheme entities have a responsibility to report data breaches to the National Data Commissioner.
Under section 31, data scheme entities must give the Commissioner written notice of any event or change in circumstances that may be relevant to the entity’s accreditation or conditions of accreditation. Failure to notify the Commissioner can result in a civil penalty of 300 units (currently $66,600).
An entity that was an accredited entity at any time during a financial year must also, under section 34, give the Commissioner any information and assistance that the Commissioner reasonably requires in relation to the preparation of the Commissioner’s annual report for that financial year.
Under Part 3.3, data scheme entities are required to report data breaches. A data breach, in relation to scheme data, is considered to occur where there has been unauthorised access to or disclosure of data, data has been lost in a way that will likely cause unauthorised access or disclosure, or an event prescribed under a data code occurs. Data scheme entities must, where they know or suspect a breach has occurred and within the time outlined in a relevant data code or as soon as practicable, take reasonable steps to prevent or mitigate any harm that may result to entities, groups of entities and things to which the data involved relates. They must also notify the Commissioner of the breach or suspected breach. Failure to do so will result in a penalty of 300 units (currently $66,600).
Where the breach concerns personal data, an accredited entity that knows or reasonably suspects a breach has occurred must also notify the data custodian, in sufficient time and with sufficient detail to enable the custodian to comply with its obligations under the Privacy Act 1988 (Cth), unless the accredited entity is itself an APP entity for the purposes of the Privacy Act.
Additionally, a data scheme entity must also give the National Data Commissioner a copy of any statement the entity is required to give the Information Commissioner under section 26WK of the Privacy Act if a breach relates to scheme data.
Under sections 16A to 16F, entities have obligations relating to dealing with personal data and other privacy requirements. Specific requirements relate to projects that involve the de-identification of data or secure access of data services and projects involving complex data integration services. Generally, under section 16A, data that includes biometric data must not be shared without consent of the individual to whom the data relates. Further, any personal information shared must be shared under an agreement that prohibits any accredited entity with or through which it is shared, from storing or accessing, or providing access to, the ADSP-enhanced data, or the output, of the project outside Australia. De-identified data must also be shared with the condition that an accredited user is prohibited from taking any action that may result in the data ceasing to be de-identified.
Under sections 16E and 16F, an entity will be taken to be compliant with the privacy requirements if the entity is an APP entity and meets its requirements under the Privacy Act. If an entity is subject to a term in a data sharing agreement that is equivalent to an APP, the entity is taken to be in contravention of that term by any act or practice of the entity that interferes with the privacy of an individual to whom the term relates and that is covered by sections 13 and 13G of the Privacy Act.
Data sharing purposes and principles
Data custodians may share data with accredited users directly or indirectly through an ADSP in accordance with the data sharing purposes. The purposes permit sharing of data subject to the following:
- That the sharing is for a data sharing purpose including the delivery of government services, informing government policy and programs, and research and development.
- That the sharing is consistent with the data sharing principles.
- That the sharing is not excluded.
- That the sharing is done under a data sharing agreement and with the agreement of any other data custodians of that data.
The Bill excludes sharing data for an enforcement related purpose, or a purpose that relates to or prejudices national security.
The sharing of data must also be consistent with the data sharing principles, being:
- The project principle: data is shared for an appropriate project or program of work, including but not limited to programs that serve the public interest.
- The people principle: data is only made available to appropriate persons, considering the accreditation status and people who have qualifications and expertise appropriate to the sharing.
- The setting principle: Data is shared in an appropriately controlled environment, including by ensuring that reasonable security standards are applied when sharing data.
- The data principle: Appropriate protections are applied to the data, including limiting the data shared to data reasonably necessary to achieve the purpose.
- The outputs principle: The outputs are as agreed.
For a data scheme entity to be satisfied that the project is consistent with the principles, the entity must be satisfied that it has applied each principle to the sharing, collection or use of the data such that, when viewed as a whole, the risks associated with the sharing, collection or use are appropriately mitigated.
Data sharing agreements
Part 2.6 of the Bill establishes the conditions under which an agreement is a data sharing agreement: the agreement relates to the sharing of public data, the parties include a data custodian and an accredited user, and the agreement is in the approved form (if any) or in writing (if there is no approved form). Any requirements specified in a data code must also be met in relation to the agreement.
Only authorised officers of data scheme entities may enter into an agreement, or agree to vary an agreement, on behalf of an entity. The agreement, or variation, will have no effect until the agreement is registered. Registration occurs by the data custodian giving the Commissioner an electronic copy of the agreement, variation or agreement as varied within 30 days after the day the agreement or variation is made. Any other information or documents required by a data code must also be given to the Commissioner at the same time.
Data sharing agreements must meet all the requirements of section 19 of the Bill, including, but not limited to, the agreement containing a description of the project, and the agreement specifying the public sector data that is to be shared by the custodian and the output of the project that the custodian and accredited user agree is to be the final output.