Express law No. 293

22 December 2020

Data Availability and Transparency Bill 2020

The Data Availability and Transparency Bill 2020 (the Bill) was introduced to Parliament on 9 December 2020. If enacted, the Bill will establish a data sharing scheme which will serve as an important new framework for the sharing of public sector data in a controlled and secure manner.

Background

Since the release of the Productivity Commission’s Data Availability and Use report in 2017, the Australian Government has undertaken to reform the way it shares public sector data to support ‘economic and research opportunities and the Government’s vision for streamlined and efficient services delivery’.

In 2018, the Office of the National Data Commissioner (ONDC) was established within the Department of the Prime Minister and Cabinet, and an interim National Data Commissioner was appointed.

ONDC has since been developing legislation to set up a new framework to authorise and regulate the controlled and secure sharing of ‘public sector data’. An exposure draft of the Bill was released in September 2020 for stakeholder consultation. Further changes to the draft Bill were made as a result of stakeholder feedback ahead of the recent introduction of the Bill to Parliament.

How will the Scheme work?

The Bill establishes a new data sharing scheme (the Scheme) under which Commonwealth agencies can share ‘public sector data’[1] within a controlled and secure framework.

The Scheme enables and regulates controlled access to (sharing of) Commonwealth data with safeguards in place to manage risk and streamline processes. Sharing of data under the Scheme is optional as existing mechanisms and arrangements for sharing of public sector data continue to be available.

The Bill also establishes the National Data Commissioner (the Commissioner) as a regulator to oversee the Scheme and support best practice.

Who can participate in the Scheme?

The Bill establishes 3 categories of participants:

  • data custodians: Commonwealth bodies that control public sector data and have the right to deal with that data (excluding certain entities)
  • accredited users: entities accredited by the Commissioner to access public sector data. Entities must satisfy security, privacy, infrastructure and governance requirements set out in the accreditation framework to achieve accreditation
  • accredited data service providers (ADSPs): entities accredited to perform data services. ADSPs act as intermediaries between data custodians and accredited users.

How will public sector data be shared?

The Scheme does not compel data custodians to share public sector data. Rather, it allows data custodians to assess each request for data, and to decide whether they will share it by reference to the relevant risks.

After receiving a request for data, the data custodian can only share public sector data with accredited users directly, or through an ADSP, in the following circumstances:

  • sharing is for a permitted data sharing purpose – namely, government service delivery, informing government policy and programs, and research and development
  • the data sharing principles have been applied to manage the risks of sharing the data
  • if a data custodian then decides to share data under the scheme, a data sharing agreement (which includes minimum mandatory terms) is made and recorded. The Commissioner will publish a register of data sharing agreements to promote transparency.

Where the above requirements are met, the data custodian will have a limited statutory authority (i.e. subject to relevant exclusions) to share public sector data even where this would be inconsistent with other Commonwealth, State and Territory non-disclosure laws – but this authority will only be to the extent necessary to facilitate sharing consistently with the Scheme.

The Bill also preserves established legal mechanisms for open data release.

Recent stakeholder feedback on the exposure draft of the Bill has led to changes which provide more detail on the data sharing principles, clarify the accreditation criteria and processes within the Bill itself, and require data custodians to provide reasons for declining a data request.

What data sharing is excluded from the Scheme?

Many intelligence agencies are excluded entities for the purposes of the Bill and therefore cannot be ‘data custodians’. Additionally, entities such as the Australian National Audit Office and the Commonwealth Ombudsman are excluded entities so as to preserve their oversight of the Commissioner’s activities.

The Bill also does not authorise sharing in certain circumstances. For example, sharing is excluded where it:

  • relates to national security and law enforcement
  • contravenes or is inconsistent with intellectual property rights, obligations of confidence, a contract or agreement to which a data custodian of the data is party, a common law duty or privilege, a privilege or immunity of a House of Parliament or its committees or Australia’s international obligations
  • relates to data that is held as evidence by a court or tribunal
  • is prohibited by the regulations
  • relates to data that is shared with or through an entity whose accreditation is suspended.

Breaches of the Scheme

Under the Bill, there is a penalty framework that aims to protect the integrity of the Scheme. If important safeguards are not met in the sharing of data, non-disclosure provisions and penalties in other laws will apply.

Entities involved in the Scheme can raise issues about breaches of the data sharing scheme, or decisions made under the Scheme. Some decisions made under the Scheme will be subject to merits and judicial review.

Other existing avenues and schemes for redress are also available. For example, complaints can be made by individuals to the Australian Information Commissioner about concerns that personal information has been mishandled. There are mechanisms which can be enforced by the Commissioner to address non-compliance.

Further, the Bill establishes the National Data Advisory Council which will advise the Commissioner on aspects such as privacy, ethical use of data, industry developments and technical best practice.

What’s next?

AGS and ONDC are currently developing template data sharing agreements. We are also planning to conduct an agency workshop on the Bill in the new year.  Please contact us if you would like further information on the proposed workshop when it becomes available.

 

[1] ‘Public sector data’ is data lawfully collected, created or held by or on behalf of a Commonwealth body.

Contacts

CBR
Chua, Rachel

Senior Executive Lawyer

SYD
Supit, Jane

Senior Executive Lawyer and Director Sydney office

CBR
MEL
Arduca, Elena

Senior Executive Lawyer

Information law

Important: The material in Express law is provided to clients as an early, interim view for general information only, and further analysis on the matter may be prepared by AGS. The material should not be relied upon for the purpose of a particular matter. Please contact AGS before any action or decision is taken on the basis of any of the material in this message.