A level of resignation accompanies talk of the data sharing legislation to be introduced into the Commonwealth Parliament later this year. For some Commonwealth agency staff, it’s the result of exposure to the day-to-day reality of agency data management. While the days of manila files and giant compactuses have receded firmly from view, they have been replaced by electronic systems which, in some cases, are haphazardly organised and have limited complex search capabilities. The result is that it can be very time consuming (and sometimes impossible) to locate data. Where data is found, agency staff are sometimes unsure how it came to be where it is, where it came from, and to whom it really belongs.
While this picture is not reflective of data management across the Commonwealth as a whole, it is representative of many agencies. It has implications for the sharing of data, and for the success of the proposed legislation. If an agency does not know how it came to hold data, there is a risk that the agency will not be aware of whether the data is subject to any restrictions or sensitivities that may impact on the agency’s ability to share it as authorised under the legislation, subject to the application of Data Sharing Principles.
The Data Sharing Principles, which are set out in best practice guidance produced by the Department of the Prime Minister and Cabinet, are presently used by the Australian Bureau of Statistics and others. They are based on the internationally accepted “Five Safes Framework” and are designed to ensure that agencies appropriately safeguard data.
The guidance indicates that agency data custodians will, in contemplating a sharing request, need to:
- determine whether, or to what degree, data is considered particularly sensitive; and
- consider how the sensitivity of data may change following the application of the Data Sharing Principles.
Although conceptually reasonable, in many cases “sensitivity” may not be evident on the face of the data.
Data collected by agencies may, for example, be:
- confidential to another person and provided on the basis that it would kept confidential;
- copyright, and subject to a licence which provides for use for a particular purpose only; and/or
- subject to legal professional privilege.
Such constraints are in many cases only likely to be identifiable from information about the circumstances of the creation of the data that has come to be in the agency’s possession – that is, the data’s “provenance”.
If an agency manages data in the way described above, information about provenance will not always be available. A decision to share in the absence of that information therefore has the potential to expose an agency to legal risk. That risk may be in the form of the inadvertent waiver of the agency’s legal professional privilege, in the form of an action for breach of confidence or intellectual property rights infringement, or something else. Thus, the most prudent approach for a data custodian will be to adopt a blanket approach, and reject all of the sharing requests received.
While it might work in the short term, a “default no” approach to sharing requests is unlikely to be sustainable. It’s the information age: both sides of politics support improved service delivery by government through “tell us once” and other customer-centric initiatives. Almost without exception, these rely on sharing of information.
As processing power increases, the value of the data held by agencies will rise proportionately, reflecting the additional uses to which it can be put. This rise in value will highlight a fact hitherto ignored by many agencies: that data is, in many cases, “intellectual property owned or held by the Commonwealth” and is, like real property or a financial appropriation, subject to agency heads’ legislative resource stewardship obligations. For perhaps the first time, agencies will be forced to examine whether their treatment of data - including their decisions in relation to the sharing of data – is efficient, effective, economical, and ethical.
The window prior to introduction of the data sharing legislation provides an opportunity for agencies to get serious about managing data. As a first step, agencies should consider developing and implementing formal data governance arrangements to complement their existing arrangements for specific types of data (eg personal information, Commonwealth records).
Those arrangements should include, at a minimum:
- the establishment of a Data Governance Steering Committee tasked with overseeing the agency’s Data Governance Framework;
- the development and implementation of an agency-wide Data Governance Framework which:
- defines key concepts (eg data, data governance, metadata, data custodian, Commonwealth record, personal information);
- provides an overview of the broader legal, regulatory and governance framework in which the agency operates;
- describes key bodies with responsibility for data within the agency and their respective roles and delegations;
- provides an overview of agency data-related policies, procedures, and guidelines;
- provides an overview of any systems or tools used by the agency to manage data and;
- describes processes for monitoring agency staff members’ compliance with the framework and related policies.
As the success of these arrangements will depend on the extent to which they can be implemented effectively, agencies should, in parallel, consider commissioning a data audit to:
- provide a baseline overview into the volume and type of data that they hold;
- identify the data that the agency proposes to make available to other agencies or researchers; and
- identify, to the extent possible having regard to contextual and other information, any constraints on the use of that data so that these can be addressed prior to the commencement of the data sharing legislation.