Publication
Road to COP29: Our insights
The 28th Conference of the Parties on Climate Change (COP28) took place on November 30 - December 12 in Dubai.
Australie | Publication | février 2020
A level of resignation accompanies talk of the data sharing legislation to be introduced into the Commonwealth Parliament later this year. For some Commonwealth agency staff, it’s the result of exposure to the day-to-day reality of agency data management. While the days of manila files and giant compactuses have receded firmly from view, they have been replaced by electronic systems which, in some cases, are haphazardly organised and have limited complex search capabilities. The result is that it can be very time consuming (and sometimes impossible) to locate data. Where data is found, agency staff are sometimes unsure how it came to be where it is, where it came from, and to whom it really belongs.
While this picture is not reflective of data management across the Commonwealth as a whole, it is representative of many agencies. It has implications for the sharing of data, and for the success of the proposed legislation. If an agency does not know how it came to hold data, there is a risk that the agency will not be aware of whether the data is subject to any restrictions or sensitivities that may impact on the agency’s ability to share it as authorised under the legislation, subject to the application of Data Sharing Principles.
The Data Sharing Principles, which are set out in best practice guidance produced by the Department of the Prime Minister and Cabinet, are presently used by the Australian Bureau of Statistics and others. They are based on the internationally accepted “Five Safes Framework” and are designed to ensure that agencies appropriately safeguard data.
The guidance indicates that agency data custodians will, in contemplating a sharing request, need to:
Although conceptually reasonable, in many cases “sensitivity” may not be evident on the face of the data.
Data collected by agencies may, for example, be:
Such constraints are in many cases only likely to be identifiable from information about the circumstances of the creation of the data that has come to be in the agency’s possession – that is, the data’s “provenance”.
If an agency manages data in the way described above, information about provenance will not always be available. A decision to share in the absence of that information therefore has the potential to expose an agency to legal risk. That risk may be in the form of the inadvertent waiver of the agency’s legal professional privilege, in the form of an action for breach of confidence or intellectual property rights infringement, or something else. Thus, the most prudent approach for a data custodian will be to adopt a blanket approach, and reject all of the sharing requests received.
While it might work in the short term, a “default no” approach to sharing requests is unlikely to be sustainable. It’s the information age: both sides of politics support improved service delivery by government through “tell us once” and other customer-centric initiatives. Almost without exception, these rely on sharing of information.
As processing power increases, the value of the data held by agencies will rise proportionately, reflecting the additional uses to which it can be put. This rise in value will highlight a fact hitherto ignored by many agencies: that data is, in many cases, “intellectual property owned or held by the Commonwealth” and is, like real property or a financial appropriation, subject to agency heads’ legislative resource stewardship obligations. For perhaps the first time, agencies will be forced to examine whether their treatment of data - including their decisions in relation to the sharing of data – is efficient, effective, economical, and ethical.
The window prior to introduction of the data sharing legislation provides an opportunity for agencies to get serious about managing data. As a first step, agencies should consider developing and implementing formal data governance arrangements to complement their existing arrangements for specific types of data (eg personal information, Commonwealth records).
Those arrangements should include, at a minimum:
As the success of these arrangements will depend on the extent to which they can be implemented effectively, agencies should, in parallel, consider commissioning a data audit to:
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023