Streamlining the responsible sharing of public sector data

In response to the Productivity Commission’s 2017 report on Data Availability and Use (the PC’s Data Report), the Australian Government accepted the need to reform the way public sector data is shared, and on 9 December 2020, introduced the Data Availability and Transparency Bill 2020 (DAT Bill). 

Below, we examine the DAT Bill, the submissions recently made on it by a number of interested parties and the research and commercial opportunities it is intended to facilitate.

What is the DAT Bill? 

The DAT Bill seeks to facilitate the sharing of ‘public sector data’ (meaning data that is lawfully created, collected or held by or on behalf of a Commonwealth body) between government departments and private sector organisations to encourage the delivery of more effective government services, result in better‑informed policy, and stimulate research and development projects. 

The new framework is intended to provide an alternative pathway for data sharing, where sharing would otherwise be prevented by secrecy provisions, or slowed by other burdensome and complex arrangements.

The sharing, collection and use of the public sector data will be safeguarded by a number of principles and procedures, summarised below. The DAT Bill also establishes the National Data Commissioner (NDC) to oversee the data sharing scheme and advocate for better practices in sharing and releasing data. The NDC will be entrusted with a range of enforcement powers, including issuing written directions and infringement notices, and otherwise pursuing civil and criminal penalties for non-compliance with the scheme.

Overall, the DAT Bill raises interesting prospects for public and private sector organisations with research and development focused initiatives, who stand to benefit from utilising significant sets of public sector data that may become available for use.

The DAT Bill is currently before the Senate Finance and Public Administration Legislation Committee. Submissions to the Committee closed on 12 March 2021, and the Committee is expected to release its report on 29 April 2021. 

Privacy impacts for individuals and research and commercial opportunities

Although the majority of the stakeholders that made submissions to the Senate Committee appear generally supportive of the proposed data sharing framework, Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), and civil rights groups have highlighted the significant consequences the DAT Bill as currently drafted may have on individual privacy.

The DAT Bill will invoke the ‘required or authorised by law’ exception to Australian Privacy Principles 3 and 6 to permit the collection, use and disclosure of personal information. Nonetheless, the DAT Bill will continue to work in conjunction with the Privacy Act 1988 (Cth) (Privacy Act) to protect individuals’ personal information.[1]  

The privacy risks introduced by the DAT Bill may be heightened by the fact that the data-sharing scheme relates exclusively to government‑held personal information, which is often collected on a compulsory basis to enable individuals to receive a public service or benefit. This data is often, or becomes, sensitive when it is linked with other government data sets.[2]

However, stakeholders who stand to benefit from the proposed data sharing laws, including those in the health and medical research sector, consider that the DAT Bill strikes an appropriate balance between providing an effective mechanism for utilising data for research purposes and mitigating privacy risks.[3] 

It is expected that the following concepts will be refined and further qualified under future iterations of the DAT Bill, and will attempt to balance the interests of wide-spread data sharing practices with the interests of privacy and responsible data use.

Requirement to share de‑identified data

To minimise the privacy impacts of the DAT scheme for individuals, some stakeholders and the Senate Standing Committee for the Scrutiny of Bills have recommended that data custodians be prohibited from sharing personal information if the data sharing purpose can reasonably be met by sharing de‑identified information.[4] In particular, the OAIC agreed with the Senate Standing Committee for the Scrutiny of Bills that the DAT Bill does not include any requirements for sharing only de-identified data. Rather, the existing ‘data principle’ under the DAT Bill merely emphasises the minimisation of data sharing to the extent that the data sharing purpose is not compromised. 

The OAIC also recommended that any definition of ‘de‑identified’ should align with the definition in the Privacy Act (i.e. that personal information is ‘de‑identified’ if the information is no longer about an identifiable individual or an individual who is reasonably identifiable). Importantly, this definition is technology neutral so as to enable the data custodian to apply the most appropriate de‑identification techniques to the data while retaining the utility of the information for its intended purpose after the de‑identification process.

Commercial use of public sector data

The DAT Bill would appear to provide an opportunity for organisations to collect and use public sector data for commercial purposes. The permitted purpose of ‘research and development’ is undefined in the DAT Bill, although the Explanatory Memorandum suggests that the term is intended to at least encompass ‘activities to advance knowledge and contribute to society’ and activities that ‘gain insights that could enhance Australians’ socio-economic wellbeing’.[5] This raises prospects for entities that are looking to aggregate public sector data for research and development purposes, such as developing new methods, or improving existing ones, for the treatment and prevention of illness and disease. However, it seems likely that there will need to be an element of public benefit attached to the purpose for the proposed data sharing to be acceptable.

Although the Senate Standing Committee for the Scrutiny of Bills raised concerns that a broad construction of the permitted purposes (further described below) may unduly trespass on privacy, Research Australia highlighted that ‘data sharing applications for the purpose of research and development can only come from accredited users’ thereby providing an additional level of oversight and control from the NDC.[6] Research Australia further noted that the DAT Bill does not oblige data custodians to share data. Rather, it provides a framework within which data custodians can consider data sharing requests by having regard to, amongst other things, the potential benefits of sharing data, the risks associated with data sharing and how such risks may be mitigated.[7] 

Given the scope of discretion that may be applied by applicable data custodians when assessing whether to disclose public sector data, private sector organisations will likely need to develop compelling and responsible use briefs when applying for access to public sector data. Organisations may also need to accept positions beyond those they would typically expect to see in private data sharing arrangements.

The proposed data sharing framework

The proposed scheme will regulate the sharing of public sector data between the following ‘data scheme entities’:

  • Data custodians – Commonwealth bodies that control public sector data, and which are responsible for sharing the data (either directly, or indirectly through an Accredited Data Service Provider);

  • Accredited users – Entities accredited by the NDC to collect and use public sector data; and

  • Accredited data service providers (ADSPs) – Intermediaries accredited by the NDC as having appropriate technical expertise to perform data services such as data integration and data sharing under the scheme.

Importantly, the DAT Bill does not compel data custodians to share data. If requested by an accredited user, it is at the discretion of data custodians to decide whether to share particular information (provided the data custodian is authorised to do so). In general terms, under the DAT Bill, data custodians are authorised to share public sector data with accredited users only if the sharing:

  • achieves one of the data sharing purposes (i.e. the delivery of government services, informing government policy and programs, and research and development);

  • is consistent with the five data sharing principles (based on the ‘five safes’, an international set of standards already used by many organisations to manage the risks of data sharing);

  • is not for a precluded purpose or otherwise prohibited – in general terms, the proposed laws do not authorise sharing public sector data:

    • for enforcement related purposes (e.g. detecting, investigating, prosecuting or punishing an offence) or that is held by a specified enforcement agency (e.g. the Australian Federal Police);

    • for a purpose that relates to, or prejudices, national security;

    • if the sharing contravenes or infringes, for example, intellectual property rights or Australia’s international agreements; or

    • for any other purpose prescribed by the rules; and

  • is in accordance with a data sharing agreement – the DAT Bill outlines an extensive list of provisions that must be included in the data sharing agreement, including the purposes for which the data is shared, and each party’s responsibilities in relation to the data sharing principles and data breaches. Data scheme entities’ compliance with a data sharing agreement may be enforced by the NDC. 

Data custodians must be satisfied that, when all five principles are applied to the sharing and considered jointly, the risks associated with the sharing are appropriately mitigated. The Office of the NDC has prepared a Best Practice Guide to Applying Data Sharing Principles to assist data custodians to determine the appropriate safeguards to apply before sharing public sector data.

Authorisation to share public sector data overrides any other Commonwealth, State or Territory law prohibiting or restricting the disclosure (i.e. the sharing, collection and use) of public sector data. This means that other laws that do not prohibit such activities, such as the data handling and notification requirements under the Australian Privacy Principles, will continue to apply.

Organisations must apply to the NDC for accreditation as an accredited user or ADSP (or both) to participate in the data sharing scheme. The DAT Bill prescribes high‑level accreditation criteria an organisation must satisfy, such as demonstrating its ability to responsibly manage scheme data, apply the data sharing principles and minimise the risk of unauthorised access to, or sharing or loss of, the public sector data. 

While it’s not clear what the precise accreditation criteria will be, the Office of the NDC’s Accreditation Framework Discussion Paper suggests that detailed eligibility criteria (including technical requirements) will be established in Ministerial Rules and based on three categories:

  1. Appropriate governance and administrative arrangements to protect, manage and use data. This may involve consideration of an organisation’s structure, conflicts of interest, and data management policies and procedures (e.g. its privacy policy, roles and training);

  2. Arrangements for security and privacy of data to ensure appropriate handling. Organisations may be required to provide information in relation to any recent assessments or audits against recognised Australian Government or international standards, software development control, data transfer protocols and the use of cryptography; and

  3. Technical skills and capabilities to protect, manage and use data. This may involve consideration of an organisation’s data roles and expertise, and recruitment processes. Organisations may also be required to demonstrate that they are subject to the Privacy Act or have otherwise opted to comply.

Penalties for unauthorised data sharing

The Explanatory Memorandum for the DAT Bill suggests a two‑tiered penalty framework will be imposed in respect of the unauthorised sharing, collection or use of public sector data:

  • where another Commonwealth, State or Territory law prohibits the disclosure, the DAT Bill ‘rebounds’ (i.e. does not override) to the original non‑disclosure law and its penalties will apply; and

  • where there are no applicable non‑disclosure laws to rebound to, the civil and criminal penalties set out in the DAT Bill apply.

The DAT Bill imposes significant civil and criminal penalties for the unauthorised sharing, collection or use of public sector data, and for failure to comply with any accreditation conditions or data sharing agreement obligations. Civil penalties for such breaches are $333,000. Where a person is reckless as to whether the sharing, collection or use is authorised by the data sharing scheme, the criminal penalty is two years imprisonment.

Where to from here?

The Senate Committee is expected to release its report on the DAT Bill on 29 April 2021, following which we expect to see a number of amendments proposed to the DAT Bill.

On 9 April 2021, National Cabinet reiterated the Government’s commitment to reforming the way public data is shared by agreeing to develop an intergovernmental data sharing agreement with the states and territories that will ‘capitalise on the value of public data to achieve better outcomes for Australians’.[8] Although details of the proposed intergovernmental agreement remain scarce, some commentators anticipate that the agreement will mirror, or work alongside, the DAT Bill.[9]


[1] OAIC Submission to the Senate Finance and Public Administration Legislation Committee – Inquiry into the Data Availability and Transparency Bill 2020, p 2, available: https://www.aph.gov.au/Parliam....
[2] Ibid.
[3] See e.g. Research Australia Submission, p 5.
[4] See e.g. OAIC Submission, p 5; New South Wales Council for Civil Liberties Submission, p 5; Senate Standing Committee for the Scrutiny of Bills, Scrutiny Digest 1/21, p 5.
[5] See DAT Bill s 15(1) and Explanatory Memorandum, p 8.
[6] Research Australia Submission, p 19.
[7] Ibid, pp 15-17.
[8] Prime Minister, Media Statement, 9 April 2021.
[9] See e.g. ‘National Data-Sharing Agreement to be Developed’, Australian Financial Review, 12 April 2021, available: https://www.afr.com/politics/f...; and ‘Govts to Develop National Data Sharing Agreement’, ITNews, 13 April 2021, available: https://www.itnews.com.au/news....

