Publication
Road to COP29: Our insights
The 28th Conference of the Parties on Climate Change (COP28) took place on November 30 - December 12 in Dubai.
Author:
Australie | Publication | mai 2022
On 1 April 2022, the Data Availability and Transparency Act 2022 (Cth) commenced, creating a new scheme for sharing Commonwealth Government data. Under the Act, authorised Commonwealth bodies can provide controlled access to public sector data to accredited users, being accredited state and federal government entities and public Australian universities, for specific purposes in the public interest.
The scheme includes safeguards to ensure data security and privacy, and establishes the National Data Commissioner to regulate the scheme as well as the National Data Advisory Council to advise the Commissioner. The objects of the Act include:
These reforms follow the Productivity Commission’s Inquiry Report into Data Availability and Use (2017) which identified numerous benefits of increasing data availability and use.
Under the Act, ‘public sector data’ covers all data lawfully collected, created or held by a Commonwealth body or on its behalf. This data includes facts, statistics and other information capable of being communicated, analysed or processed physically or electronically.
‘Commonwealth bodies’ are widely defined under the Act and include non-corporate and corporate entities and Commonwealth-owned Corporations Act companies, but do not include Australian universities.1 To share data a Commonwealth body must be a ‘data custodian’.
There are four key safeguards to ensure safe sharing of this public sector data:
Under the scheme there are two kinds of scheme entities:
Foreign entities, private entities (bodies corporate), individuals and unincorporated bodies (e.g. partnerships and trusts) are unable to participate in the scheme, effectively leaving only Commonwealth, state and territory government agencies and public Australian universities able to become accredited users. Commonwealth, state and territory government agencies can apply for accreditation from 1 June 2022, while Australian universities can apply from 1 August 2022.2
The Commissioner or Minister are responsible for assessing an entity’s capability to handle data safety and manage risks against the accreditation criteria before deciding whether to grant the accreditation. Administrative measures can also be taken to impose conditions on accreditation of an entity, and the Commissioner and Minister can suspend or cancel the accreditation of an entity if:3
Data scheme entities are responsible for a number of general duties set out in Chapter 3 of the Act, including the requirement to comply with any rules made by the Minister or data codes released by the Commissioner, complying with the conditions of their accreditation, registering data sharing agreements and mitigating and notifying data breaches. Commonwealth entities should also note that as data custodians they are not required to share public sector data, but they must consider the request to provide the data within a reasonable period and must give written notice with the reasons for refusal within 28 days of deciding to refuse a request.4
Under the scheme, authorisations set out requirements for each stage of a data sharing project to ensure the sharing is fit for purpose.
Data sharing must be part of a project that is:
The data sharing purposes include:
The data sharing principles include:
A data sharing agreement is required to include certain information such as the parties to the agreement (being a minimum of one data custodian and one accredited user), a description of the project and data to be shared, details of the output of the project, the applicable data sharing purposes and an explanation of the project’s consistency with the data sharing principles. If an ADSP will be involved in the data sharing, then the agreement must specify the services it will perform and the circumstances in which it can share the data. The Commissioner has released a draft data sharing agreement template for general use, but this is not tied to the Act and is not an approved form (available here).
Liability and penalties in relation to authorisations
Under the Act, it is a civil penalty provision for an entity or individual to share, use or collect data that is not authorised, with a penalty up to 300 penalty units ($66,600).6 Unauthorised sharing, use or collection of data that is reckless is an offence with a maximum penalty of 5 years imprisonment or 300 penalty units, or both.
Generally, entities are liable for the conduct of their employees, officers and agents (i.e. ‘designated individuals’) and bodies corporate party to an ‘approved contract’ with the entity (i.e. a contract authorised under the data sharing agreement).7 The Act clarifies that the Commonwealth cannot be prosecuted for criminal offences, but can be liable to pay pecuniary penalties under civil penalty orders.8
Government entities are protected from contravening a civil penalty provision if they took reasonable precautions and exercised due diligence to avoid the contravening conduct (e.g. training designated individuals, ensuring policies are clear and available, etc.). Further, individuals whose conduct is attributed to a government entity will not be personally liable for contravening a civil penalty provision, including an ancillary contravention.9 However, these protections do not extend to criminal offences under the Act.
Generally, personal information should not be shared under the scheme unless an exception applies and it is necessary that the personal information be shared.
There are three general privacy protections including:
If a data scheme entity breaches the Act or a data sharing agreement, another entity can complain to the Commissioner, who will investigate the complaint which may lead to enforcement action being taken. The Commissioner can also assess whether data scheme entities are operating in accordance with the Act, and if they reasonably suspect a breach of the Act or a data sharing agreement they may investigate the entity without a complaint being made. The Minister can also direct the Commissioner to investigate a data scheme entity.
The Commissioner has other enforcement powers including, requiring persons to provide information, certain monitoring and investigation powers, and transferring matters to a more appropriate agency (including the police).
The enforcement options available to the Commissioner under the Act, include:
As of 1 June 2022, government agencies can start applying to become accredited entities and the requests for data sharing projects will start kicking off. Commonwealth bodies should start thinking about how they will provide access to public sector data and whether they will require the assistance of ADSPs. This Act also creates opportunities for Commonwealth agencies to consider what data they would benefit from having access to and potential data sharing projects they may want to seek out.
Section 25 of the Data Availability and Transparency Act 2022 (Cth).
Sections 14-14A of the Data Availability and Transparency Act 2022 (Cth).
Section 5(3) of the Data Availability and Transparency Act 2022 (Cth).
Section 125A of the Data Availability and Transparency Act 2022 (Cth).
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023