This Bill proposed a national framework relating to controlled sharing of public sector data, notably changing the way the federal government manages data. The objectives of the Bill are to promote better availability of public sector data, mostly to improve delivery of public services. Other objectives are to implement consistent safeguards and arrangements, and ensure transparency in how this data is shared.
Background
The Bill was the result of an issues paper in 2018, and a discussion paper in 2019. The legislation reforms more than 500 secrecy provisions that public data held by the government was previously subjected to.
The Proposed Framework
‘Public sector data’ is defined in the Act as data lawfully created, collected or held by or on behalf of Commonwealth bodies. These government bodies are named the ‘data custodians’ and are authorised to share the data they control in the manner set out by the Act. Data can only be shared for three purposes: (1) for more convenient access for government services delivery; (2) for planning policy and programs; (3) to guide academic, scientific, and innovative research and development relating to improving economic, environmental and societal health. The Bill specifically bans sharing information for certain purposes, including for law enforcement, national security or compliance activities. If for a permitted purpose, data custodians are able to share their data to accredited users, which include other government agencies, state and territory authorities, and non-government entities (e.g. universities). Entities are accredited by the National Data Commissioner, and accreditation can be conditional or revoked. The Commissioner position, functions and duties are also established by the Act. Briefly, the Commissioner regulates data sharing, advocates generally for data sharing, and develops requirements and guidance to support organisations and individuals.
Protection of Data
Individuals cannot necessarily opt out of this legislation to protect their personal data. However, the Act does establish regulations, including enforcement and accountability mechanisms, to safeguard data sharing, collection and use.
When accredited users make requests for data, data custodians apply a risk management approach to consider this request. Requirements that must be satisfied include a public interest test and limits on what purposes the data can be used for. If risks cannot be appropriately managed, the data cannot be shared. The data custodian has the final verdict of whether sharing occurs. Sharing is done under a data sharing agreement. Accredited users are limitedly authorised to release or share outputs from the data with third parties, if allowed by the data sharing agreement and law. These outputs are then external to the Act’s regulation. The authorisation for data custodians to share data overrides other laws that would otherwise be contravene, such as parts of the Freedom of Information Act 1982 (Cth).
Responsibilities imposed on data custodians and accredited entities are mostly set out in chapter three. Either can complain to the Commissioner about breaches of the Act, which usually leads to an investigation. Responsibilities may be enforced by the Commissioner, civil penalties can apply and the issue can be transferred to a more appropriate agency (e.g. the courts or police). The Commissioner also has powers to require information and to assess, monitor and investigate data scheme entities.
Indigenous-sector concerns
Submissions from Aboriginal and Torres Strait Islander viewpoints raised concerns regarding ethics processes, Indigenous data sovereignty, who benefits from the value of data created from Aboriginal and Torres Strait Islander peoples and cultures, and obtaining consent that conforms with international human rights standards. The Bill attempts to mitigate this by supporting data policies developed by the National Indigenous Australians Agency and requiring users to adhere to applicable policies and processes when sharing and using data about Aboriginal and Torres Strait Islander peoples. Also, all relevant ethics processes under current arrangements continue to apply and must be considered to demonstrate the public interest in a request.