More than a year after it was first introduced (and 251 amendments later), the Data Availability and Transparency Act 2022 (Cth) (DAT Act) came into force on 1 April 2022. The DAT Act allows data created, collected or held by a Commonwealth government body (known as ‘public sector data’) to be shared with other Australian government departments and Australian universities.
Last year, we wrote on the first version of the DAT Bill. Since then, the scope of the DAT Act has been reduced in that it no longer allows Commonwealth bodies to share data with private sector organisations.
While the private sector cannot currently receive data through this Scheme, the Act’s Revised Explanatory Memorandum states that the reason for their exclusion is to allow the DAT Scheme to ‘establish and mature’. The Act provides that the DAT laws will be reviewed in three years. It also has a five-year sunset clause.
It may be that following further review, the DAT Act will eventually be expanded to allow private sector organisations to receive public sector data. The requirements and obligations placed on public sector recipients under the DAT Scheme are helpful indicators as to what responsible data sharing in Australia will look like going forward. Already, data ethics are becoming a fundamental business consideration when organisations decide how to collect, use and disclose information. Customer and individuals’ expectations about how businesses use and protect personal information are also increasing.
We anticipate that businesses’ responsibility to deal with data ethically and transparently will become even more important and that lessons can be learnt from the DAT Act. In this article, we outline how the Act currently operates for public sector bodies and we also highlight certain data governance practices for the private sector to consider in the event that the data sharing scheme in the DAT Act is extended to the private sector.
How does the DAT Act operate?
The DAT Act allows data created, collected or held by a Commonwealth entity, company or agency to be shared with Australian State and Territory bodies. These bodies are defined to mean departments, bodies established under State or Territory law for a public purpose or statutory office holders. Data can also be shared with Australian universities. The types of data accessible under the DAT Act are not exhaustively described but include personal information (including sensitive information), biometric data and de-identified data created by a data service provider.
Where the Act’s conditions are met, data can be shared directly with recipient entities or via an ‘accredited data service provider’ (ADSP). These intermediaries are recognised as having appropriate technical expertise to perform data services such as de-identification, secure access and complex data integration services.
Data sharing under the DAT Act is overseen and regulated by the National Data Commissioner (NDC). Private sector entities, foreign entities and law enforcement and intelligence agencies cannot receive data under the DAT Act.
Eligibility to receive data
To receive data, a public sector recipient entity must become accredited by the NDC or the Minister. To qualify for accreditation, the entity must be considered to have appropriate data management and governance policies and practices in place, be able to minimise the risk of unauthorised access and be able to ensure the privacy, protection and appropriate use of data.
Purpose of data transfers
Data transfers can only be carried out for three purposes under the DAT Act. These are to allow Australian governments to deliver effective services, to facilitate better informed policy and programs, and to support research and development.
Data cannot be shared for a ‘precluded purpose’, which is one which relates to an enforcement related purpose or which relates to or threatens national security within the meaning of the National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth). The DAT Act provides a list of ‘enforcement related purposes’ which includes detecting, investigating, prosecuting or punishing an offence and conducting surveillance, monitoring or intelligence-gathering activities.
Consistency with data sharing principles
Data sharing must also be consistent with the five specified data sharing principles. These principles are based on the ‘five safes’, an international set of standards already used by many organisations to manage the risks of data sharing. They require consideration of whether data is being transferred for an ethical, appropriate purpose which serves the public interest. The principles are also concerned with how the data will be shared, accessed and protected, both following the transfer and during any future use. We explain the five principles, and provide examples of how entities may comply with them, below.
Data sharing agreements
Data sharing must occur in accordance with a ‘data sharing agreement’ registered with the NDC. A data sharing agreement must include the parties’ data sharing purpose and a description of the parties’ compliance with the five data sharing principles. It must also explain the output of the project for which the data is being shared and how data covered by the agreement will be dealt with when the agreement ends. The NDC has produced a template data sharing agreement and a best practice guide.
The DAT Act also places privacy protection and data breach response obligations on public sector entities sharing and receiving data, which reflect obligations in the Privacy Act 1988 (Cth). For example, before an entity shares data containing personal information (i.e. information about an identified individual or an individual who is reasonably identifiable), it must seek the individual’s consent unless it is unreasonable or impracticable to do so.
The recipient entity can only collect and use data containing personal information if they comply with requirements under the Privacy Act, referred to throughout the DAT Act as the ‘privacy coverage condition’. If the Privacy Act would not ordinarily apply to the recipient entity, then the entity must comply with:
- a term in the data sharing agreement which prohibits the recipient entity from collecting or using information in a way which would breach the Australian Privacy Principles (APPs) contained within the Privacy Act; or
- a State or Territory law which requires the recipient entity to protect the personal information in a way similar to that provided by the APPs.
If the recipient entity is fulfilling the privacy coverage condition via a term in the data sharing agreement (which requires it to act in accordance with the APPs), then a breach of this term will be treated the same as a breach of the APPs under the Privacy Act.
The DAT Act imposes significant civil and criminal penalties for the unauthorised sharing, collection or use of public sector data, and for failure to comply with any accreditation conditions or data sharing agreement obligations. Specifically, entities (which refers to individuals, Commonwealth, State or Territory bodies, and Australian universities) may be fined $66,600 and corporations may be fined $333,000. If the entity is reckless as to whether its data sharing is authorised, the criminal penalty is five years’ imprisonment and/or the fine described above.
There is a higher civil penalty of $133,200 for entities whose contravention is considered ‘serious’ under the DAT Act. Seriousness can be determined based on any of the following matters: the sensitivity of the data, the consequences of the contravention for those to whom the data relates, and the entity’s level of care towards its responsibilities under the data sharing scheme.
Key considerations for the private sector
We expect that the commencement of the DAT Act will heighten the focus on the responsible sharing of data, which is likely to extend beyond the public sector. The DAT Act contains some best practice requirements that we think are useful for the private sector to check against its own data sharing practices.
Organisations must have appropriate data management and governance practices
As described above, the DAT Act requires that an organisation receiving data under the Scheme has appropriate data management and governance systems in place, to ensure shared data is protected and to mitigate risks. The Revised Explanatory Memorandum suggests that to meet this criterion, organisations may need to:
- have policies in place which deal with handling data, managing risk and responding to incidents;
- appoint a Chief Data Officer (or another appropriately qualified person) to provide leadership and accountability for the organisation’s data use;
- have physical and cyber control security settings in place to prevent unauthorised access to data, such as implementing the ISO/IEC 27001 framework; and
- emphasise the importance of dealing with data appropriately when hiring new staff (for example, by vetting personnel, integrating data training into onboarding and offboarding processes, and through role descriptions for new starters who will be dealing with data). There should also be ongoing education on the importance of data protection.
Given the Commonwealth Government expects that data recipients under the DAT Scheme will have these kinds of systems in place, it may be useful for private sector organisations to take them into account when designing systems to use, manage and share data in the coming years. They should also consider these in relation to contractual arrangements that are put in place with third party suppliers and associates.
Organisations should familiarise themselves with the five principles
Requests for public sector data under the DAT Scheme are assessed against the five principles and data sharing agreements made under the Act must outline a data recipient’s compliance with these principles. Given the centrality of these principles to the DAT scheme, and their likely ongoing importance in data sharing, we recommend that organisations review their data governance practices for consistency with them.
Below, we set out some key considerations relating to each principle based on the Australian Government ‘Best Practice Guide to Applying Data Sharing Principles’ (the Guide) with some suggestions of what they may look like in practice for your organisation.
- Project Principle. The Project Principle requires organisations to consider whether sharing data will lead to a public benefit. It requires consideration of whether there are legal or ethical restrictions on sharing or using certain kinds of data and whether an organisation needs to have specific systems and processes in place to best manage data of this sort.
This principle focuses on ensuring the data share is in the public interest. Organisations should therefore discuss, and document, legal, ethical and moral considerations which relate to the transfer and use of the data. An effective governance framework in this context may be one which allows an organisation to assess, monitor and oversee the use of shared data, to ensure its use remains consistent with the public interest.
The question of how this ‘public interest’ factor can be met in the private sector is worth considering. Increasingly, organisations and their boards are receiving regulatory, legislative, investor and shareholder pressure to step up and address environmental, social and governance (ESG) issues. Whether or not a business makes use of data in a responsible and ethical manner, and for a public benefit, could soon become part of the assessment of the business’ management of ESG risk and opportunity.
- People Principle. The People Principle requires entities to consider whether those receiving and using shared data understand their responsibilities. Organisations should train their staff in data storage, safe use and technical skills. It may also be necessary to implement authorisation processes so that data can only be accessed by staff with relevant, up-to-date training.
- Settings Principle. The Settings Principle focuses on the physical and IT security controls which ensure that shared data is transferred and accessed safely. Organisations should consider how they can minimise the risk of unauthorised access, use or disclosure of shared data. This may involve granting restricted access to rooms where data is made available, supervising staff access to data and auditing physical and IT environments regularly to ensure they are providing sufficient security.
- Data Principle. The Data Principle aims to ensure that protections which limit the use of shared data are appropriate and proportionate based on the sensitivity of that data. Organisations should ensure their staff understand that all data sharing contains some risk, and the five principles are not intended to eliminate risk in its entirety. Instead, the principles aim to see those risks reduced to an acceptable level. For example, the Guide states that it may be necessary to ‘treat’ sensitive data prior to transferring it, to decrease or change the level of detail available to the recipient. However, the Guide suggests that as treating data may decrease its utility, this should only be done if it is not possible to manage the relevant risk using the Project, People and Settings principles.
- Output Principle. Under the Output Principle, organisations should consider how data or information created as a result of a data sharing arrangement will be dealt with. It requires organisations to think about whether this output will be publicly released or transferred under a new data sharing agreement to third parties. Organisations should also think about how privacy and confidentiality will be protected in the output. These items should be dealt with in the relevant data sharing agreement. Organisations may also wish to implement formal processes where any output data is checked and approved before it is released publicly.
Lawmakers believe that by facilitating the sharing of public sector data, the DAT Scheme will ‘support a modern data-based society, driving innovation and stimulating economic growth’.
The commencement of the DAT Act makes it timely for private sector organisations to review and update their processes, so they are better prepared to engage with a data-based society.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.