The Data Sharing and Release Legislative Reforms Discussion Paper,1 announced by the Minister for Government Services, the Honourable Stuart Robert MP on Tuesday2, sets out the Department of Prime Minister and Cabinet’s vision for data sharing and release by Australian Government agencies. It incorporates the insights that the Department – through the Office of the National Data Commissioner – has obtained from submissions and stakeholder engagement activities in the wake of the Department’s earlier Issues Paper for Consultation.3
The Department’s vision, as set out in the Discussion Paper4, has sharpened as a result of those insights. So too has the Department’s language: while the Issues Paper did not clearly distinguish between the concepts of data “sharing” and “release”, the Discussion Paper defines the terms up front.5 While data “sharing” refers to “the provision of controlled access [of public sector data] to the right people for the right reasons with safeguards in place”, data “release” refers to open data made available to the world at large.
Like the Issues Paper,6 the Discussion Paper emphasises the link between data sharing and efficient government services, recognising that interactions with government should be “as seamless, easy and fast” as banking or shopping.7 It notes that many in the community “already expect” government to be able to offer the modern courtesies offered by the private sector. These include “tell us once”8, and pre-filling of forms.
Given that both major political parties’ policy platforms in recent years have explicitly supported improved service delivery, data sharing is likely to make its way to the top of Commonwealth agencies’ agendas, despite government’s historically “default closed” approach to sharing.9 Indeed, there is likely to be ministerial encouragement to do so.
It’s a Brave New World for government. In the spirit of efficiency, we set out below some key takeaways from the Discussion Paper, along with our thoughts as to what they might mean for agencies.
- Agencies will not be able to share data under the proposed data sharing and release legislation for compliance, assurance or national security purposes:10 the legislation will, however, authorise sharing or release to inform government policy or programs.11
- Agencies will need to accept risk under the proposed legislation: the Discussion Paper provides broad endorsement for the “modern risk sharing” regulatory model which was proposed for inclusion in the legislation in the Issues Paper.12 The centrepiece of that regulatory model is five “Data Sharing Principles”, which are based on the internationally accepted “Five-Safes Framework” for data sharing and release (safe projects, safe people, safe settings, safe data and safe outputs).13 The Discussion Paper confirms that the Data Sharing Principles against which any request for sharing or release will be assessed by an agency will be supplemented by:
– mandatory additional requirements (Data Codes) imposed by the Minister by legislative instrument for sharing or release of certain types of data (sensitive data);14
– non-binding guidance issued by the National Data Commissioner (eg on how and when to seek consent to sharing)15
– Data Sharing Agreements (DSAs) between agencies and data users16
– accreditation of data users and data service providers (organisations which would play a similar role to existing accredited data integrators)17, and
– an enforcement strategy with a graduated range of sanctions.18
- Although the sharing authorisation available under the proposed legislation will “override” existing statutory secrecy and non-disclosure provisions, the authorisation comes with a twist:19 if data is shared for an unauthorised purpose or the required safeguards are not applied, the authorisation will fall away. The penalties that would normally apply to disclosure in contravention of the secrecy/non-disclosure provisions will apply.
- Agencies will not receive the benefit of any new “good faith” defence from criminal liability if they genuinely (but mistakenly) believe that sharing of data is authorised:20 the Discussion Paper takes the view that the good faith defences available at sections 90 and 92 of the Freedom of Information Act 1982 (Cth) will likely be available in those circumstances. (Those defences apply to information the publication of which is authorised or required under the Information Publication Scheme.)
- Agencies will likely need to review their data breach notification processes: the Discussion Paper indicates that the legislation will prescribe processes for identification and mitigation of risks associated with the sharing, release or use of public sector data (which may be legally privileged, commercial-in-confidence, security classified or of environmental significance) contrary to the legislation.21 These processes, which will be developed over the coming months, will sit alongside the Notifiable Data Breach Scheme under the Privacy Act 1988 (Cth), which applies to the release of personal information. Data Sharing Agreements (discussed below) will likely include details of data users’ obligations in the event of a breach.22
- Agencies will need to carefully consider the information they disclose in Data Sharing Agreements (DSAs): the Discussion Paper indicates that there is strong stakeholder support for DSAs to be made public by default.23 In addition, the National Data Commissioner will maintain a register of DSAs.24 The Discussion Paper indicates it is likely that some DSA content will be mandated. Agencies will, at a minimum, need to address:25
– who is sharing and receiving data under the agreement
– why data is being shared
– what data is being shared
– how data will be protected and risks managed, and
– when the data sharing will occur.
- Agencies may need to consider which of their staff members require accreditation in order to make use of (other agencies’) shared data: as presently proposed, a data custodian within an agency will only be able to enter into a DSA with an “accredited organisation” and share data with “accredited individuals” within that organisation.26 While the accreditation-related examples in the Discussion Paper refer to use of data by research organisations, agencies are also likely – in an era of joined-up government – to be frequent users of agency data.
- Agencies will be exposed to the risk of complaints under a new mechanism: the National Data Commissioner will be responsible for “system-specific complaints”27, with this new mechanism to sit alongside existing complaints mechanisms such as those available under the Privacy Act in the case of personal information. The decisions of the National Data Commissioner will be amenable to both merits and judicial review.28
The Department anticipates the release of an exposure draft of data sharing and release legislation in early 2020.29