On 1 April 2022, the Data Availability and Transparency Act 2022 (Cth) commenced, creating a new scheme for sharing Commonwealth Government data. Under the Act, authorised Commonwealth bodies can provide controlled access to public sector data to accredited users, being accredited state and federal government entities and public Australian universities, for specific purposes in the public interest.
The scheme includes safeguards to ensure data security and privacy, and establishes the National Data Commissioner to regulate the scheme as well as the National Data Advisory Council to advise the Commissioner. The objects of the Act include:
- promoting better availability of public sector data;
- building confidence in the use of public sector data;
- enhancing integrity and transparency in sharing of public sector data; and
- establishing institutional arrangements for its sharing consistent with the Privacy Act.
These reforms follow the Productivity Commission’s Inquiry Report into Data Availability and Use (2017), which identified numerous benefits of increasing data availability and use.
Under the Act, ‘public sector data’ covers all data lawfully collected, created or held by a Commonwealth body or on its behalf. This data includes facts, statistics and other information capable of being communicated, analysed or processed physically or electronically.
‘Commonwealth bodies’ are widely defined under the Act and include non-corporate and corporate entities and Commonwealth-owned Corporations Act companies, but do not include Australian universities.1 To share data a Commonwealth body must be a ‘data custodian’.
There are four key safeguards to ensure safe sharing of this public sector data:
- Accreditation – only ‘data scheme entities’ (data custodians and accredited entities) can participate in the scheme;
- Authorisations – authorisation requirements for each stage of data sharing;
- Privacy – general and specific privacy requirements for sharing; and
- National Data Commissioner – independent statutory office responsible for regulating the scheme and holding participants accountable.
Accreditation: Who can share data?
Under the scheme there are two kinds of scheme entities:
- Data custodians – Commonwealth bodies (that are not an excluded entity, e.g. Australian Government law enforcement and intelligence agencies) that control public sector data; and
- Accredited entities – Australian entities (Commonwealth, State or Territory, or a body of such, or an Australian university) granted accreditation as either an ‘accredited user’, which can collect and use shared data, or an Accredited Data Service Provider (ADSP), an expert intermediary that can assist data custodians to prepare and share data appropriately.
Foreign entities, private entities (bodies corporate), individuals and unincorporated bodies (e.g. partnerships and trusts) are unable to participate in the scheme, effectively leaving only Commonwealth, state and territory government agencies and public Australian universities able to become accredited users. Commonwealth, state and territory government agencies can apply for accreditation from 1 June 2022, while Australian universities can apply from 1 August 2022.2
The Commissioner or Minister is responsible for assessing an entity’s capability to handle data safely and manage risks against the accreditation criteria before deciding whether to grant the accreditation. Administrative measures can also be taken to impose conditions on accreditation of an entity, and the Commissioner and Minister can suspend or cancel the accreditation of an entity if:3
- They are reasonably satisfied that the data scheme entity doesn’t meet the accreditation criteria;
- The data scheme entity becomes a body corporate;
- For accreditation of a government body as an ADSP – the Minister refuses to accredit or suspends or cancels the accreditation of the entity as an accredited user;
- For accreditation as an accredited user – the Commissioner suspends or cancels the entity’s accreditation as an ADSP;
- They determine it is in the national interest; or
- For security reasons, including on the basis of an adverse or qualified security assessment.
Data scheme entities are responsible for a number of general duties set out in Chapter 3 of the Act, including complying with any rules made by the Minister or data codes released by the Commissioner, complying with the conditions of their accreditation, registering data sharing agreements, and mitigating and notifying data breaches. Commonwealth entities should also note that as data custodians they are not required to share public sector data, but they must consider the request to provide the data within a reasonable period and must give written notice with the reasons for refusal within 28 days of deciding to refuse a request.4
Authorisations: What data can be shared?
Under the scheme, authorisations set out requirements for each stage of a data sharing project to ensure the sharing is fit for purpose.
Data sharing must be part of a project that:
- is for a data sharing purpose;
- follows the data sharing principles; and
- is under a registered data sharing agreement.5
The data sharing purposes include:
- Delivery of government services (excluding enforcement related purposes and purposes relating to national security);
- Informing government policy and programs; and
- Research and development.
The data sharing principles include:
- Project principle – the project is an appropriate project or program of work, including that the project can reasonably be expected to serve the public interest and the parties observe processes relating to ethics as appropriate;
- People principle – data is made available only to appropriate persons, including people with appropriate attributes, qualifications, affiliations and experience;
- Setting principle – data is shared, collected and used in an appropriately controlled environment, including reasonable security standards having regard to the sensitivity of the data;
- Data principle – appropriate protections are applied to the data and only data reasonably necessary for the data sharing purposes can be shared;
- Output principle – the only output of the project is the final output, or output the creation of which is reasonably necessary or incidental to the creation of the final output.
A data sharing agreement is required to include certain information such as the parties to the agreement (being a minimum of one data custodian and one accredited user), a description of the project and data to be shared, details of the output of the project, the applicable data sharing purposes and an explanation of the project’s consistency with the data sharing principles. If an ADSP will be involved in the data sharing, then the agreement must specify the services it will perform and the circumstances in which it can share the data. The Commissioner has released a draft data sharing agreement template for general use, but this is not tied to the Act and is not an approved form.
Liability and penalties in relation to authorisations
Under the Act, an entity or individual that shares, uses or collects data without authorisation contravenes a civil penalty provision, with a penalty of up to 300 penalty units ($66,600).6 Unauthorised sharing, use or collection of data that is reckless is an offence with a maximum penalty of 5 years imprisonment or 300 penalty units, or both.
Generally, entities are liable for the conduct of their employees, officers and agents (i.e. ‘designated individuals’) and bodies corporate party to an ‘approved contract’ with the entity (i.e. a contract authorised under the data sharing agreement).7 The Act clarifies that the Commonwealth cannot be prosecuted for criminal offences, but can be liable to pay pecuniary penalties under civil penalty orders.8
Government entities are protected from contravening a civil penalty provision if they took reasonable precautions and exercised due diligence to avoid the contravening conduct (e.g. training designated individuals, ensuring policies are clear and available, etc.). Further, individuals whose conduct is attributed to a government entity will not be personally liable for contravening a civil penalty provision, including an ancillary contravention.9 However, these protections do not extend to criminal offences under the Act.
Privacy protections
Generally, personal information should not be shared under the scheme unless an exception applies and it is necessary that the personal information be shared.
There are three general privacy protections:
- a prohibition on the sharing of biometric data without express consent;
- a prohibition on storing or accessing, or providing access to, output outside of Australia. If an ADSP is involved, it is prohibited from storing or accessing, or providing access to, ADSP-enhanced data outside of Australia; and
- where de-identified data is shared instead of personal information, a prohibition on re-identification of that de-identified data.10
There are also a number of specific privacy protections relating to the sharing of personal information for each data sharing purpose. The Commissioner is responsible for making a data code about how data scheme entities should obtain consent from individuals for sharing of personal information and the principles that data custodians must apply in considering if it is necessary to share personal information.
Enforcement framework
If a data scheme entity breaches the Act or a data sharing agreement, another entity can complain to the Commissioner, who will investigate the complaint, which may lead to enforcement action being taken. The Commissioner can also assess whether data scheme entities are operating in accordance with the Act, and if they reasonably suspect a breach of the Act or a data sharing agreement they may investigate the entity without a complaint being made. The Minister can also direct the Commissioner to investigate a data scheme entity.
The Commissioner has other enforcement powers, including requiring persons to provide information, certain monitoring and investigation powers, and transferring matters to a more appropriate agency (including the police).
The enforcement options available to the Commissioner under the Act include:
- making recommendations to a data scheme entity following an assessment or investigation of that entity;
- giving data scheme entities directions to take or not take specified actions in specific circumstances;
- issuing an infringement notice or applying to a court for a pecuniary penalty order if the Commissioner determines that a data scheme entity has contravened a civil penalty provision;
- accepting an enforceable undertaking in relation to the Act; and
- applying to a court for an injunction if a data scheme entity contravenes, or proposes to contravene, a civil penalty provision or provision of Chapter 3 (responsibilities of data scheme entities).
Next steps
As of 1 June 2022, government agencies can start applying to become accredited entities and the requests for data sharing projects will start kicking off. Commonwealth bodies should start thinking about how they will provide access to public sector data and whether they will require the assistance of ADSPs. This Act also creates opportunities for Commonwealth agencies to consider what data they would benefit from having access to and potential data sharing projects they may want to seek out.