Overview of the bills
The Data Availability and Transparency Bill 2020 (the bill or principal bill) and the Data Availability and Transparency (Consequential Amendments) Bill 2020 (the consequential amendments bill) were introduced to the House of Representatives on 9 December 2020.
The bills are central to the Commonwealth Government’s commitment to data sharing reform which was informed by a 2017 Productivity Commission inquiry report. As the explanatory memorandum (EM) to the bill set out:
In 2018, the Australian Government committed to reform the way it shares public sector data. Reforms are necessary to realise the benefits of greater data availability and use identified by a Productivity Commission inquiry, supporting economic and research opportunities and the Government’s vision for streamlined and efficient service delivery.
The principal bill establishes a new data sharing scheme which will serve as a ‘pathway and regulatory framework’ for sharing public sector data for three permitted purposes, subject to new safeguards and enforcement mechanisms.
Subject to the exclusion provisions under clause 17 and regulations, the public sector data which can be shared under the scheme encompasses ‘all data collected, created, or held by the Commonwealth, or on its behalf’. The concept of data includes facts, statistics, and other information capable of being communicated, analysed or processed via physical or electronic means.
As the submission from the Office of the National Data Commissioner (ONDC) stated:
The bill establishes a scheme for controlled access to public sector data, which leverages existing frameworks for specific aspects of data management, rather than repeating or replacing them. This approach allows the data sharing scheme to fit neatly into the existing architecture of the national data system, minimising duplication and ensuring tailored protections are preserved.
Design of the bills
The ONDC emphasised that the bill and its underlying policy positions were developed in response to the recommendations in the Productivity Commission’s 2017 Data Availability and Use inquiry report and involved extensive co-design and engagement with the public service and stakeholders across academia, the private sector and civil society.
It advised the committee that this collaborative approach enabled the ONDC to understand the concerns and expectations of the community and key stakeholder groups around data sharing and ‘refine policy positions accordingly’.
The ONDC also informed the committee that privacy was integral to the development of the data sharing scheme and was carefully considered at each stage of the legislative process. It explained:
When developing the Bill, the ONDC adopted a ‘privacy by design’ approach to identify, minimise and mitigate privacy impacts wherever possible. Three independent Privacy Impact Assessments (PIAs) have been undertaken to identify strengths and weaknesses in the early policy positions and planned legislative framework, and the draft Bill itself. This approach reflects the ONDC’s commitment to ongoing, proactive management of privacy. Privacy safeguards were also strengthened in response to guidance and advice from NDAC [National Data Advisory Council] and privacy experts, including the Office of the Australian Information Commissioner.
The legislative makeup of the data sharing scheme comprises:
the consequential amendments bill; and
three kinds of disallowable legislative instruments:
The three kinds of legislative instruments may be used to address how using certain technology or methodologies affects entities’ obligations under the bill. The EM noted that this approach allows the bill to remain ‘technology neutral’.
Regulations and ministerial rules will set the parameters of the scheme and establish key criteria and thresholds for engaging with the scheme. Data codes will be issued by the National Data Commissioner (the commissioner) and are primarily intended to clarify how the scheme will operate and how legislative requirements should be complied with, and may implement administrative improvements.
The commissioner, which the bill will establish as an independent regulator for the scheme, may also issue ‘non-legislative guidelines’ that participating entities must have regard to and may release ‘other guidance’ as necessary.
The bill is drafted as ‘principle-based legislation’ in order to ‘ensure it remains relevant and adaptable to evolving technology and public expectations’.
Operation of the data sharing scheme
The data sharing scheme enabled by the bills will allow accredited users to request controlled access to government data for three permitted purposes (as set out in Clause 15 of the bill). The three purposes are set out below.
Improving government service delivery
Data sharing for this purpose could enable improved designs of systems, engagement and processes involved in government service delivery. For example, improving user experiences through simplified or automated systems like pre-filled forms and reminders to submit or verify details.
Informing government policy and programs
Data sharing for this purpose (which is intended to be ‘interpreted broadly’) could help enable the discovery of trends and risks to inform public policy making, enable modelling of policy and program interventions, and provide a holistic understanding of cross-portfolio problems.
Research and development
Data sharing for this purpose will enable accredited academics, scientists and innovators in the public and private sectors to access public sector data to gain insights and undertake activities to ‘advance knowledge and contribute to society’.
In addition to outlining the three ‘permitted purposes’ for data sharing, the bill also precludes data sharing for certain enforcement related purposes, such as law enforcement investigations and operations. The bill also does not authorise data sharing for purposes that relate to or could jeopardise national security, including the prevention or commission of terrorism and espionage. The minister may also preclude additional purposes through a rule making power to address any future risks that may emerge.
Participants in the data sharing scheme are known as ‘data scheme entities’ (see clause 11 of the bill), of which there are three categories as detailed in Table 2.1
Table 2.1: Data scheme entities
Commonwealth bodies that control public sector data and have the right to deal with that data.
Entities accredited by the commissioner to access public sector data.
To become accredited, entities must satisfy the security, privacy, infrastructure and governance requirements set out in the accreditation framework.
Entities can be from all levels of government, as well as industry, research and others in the private sector.
Accreditation is not limited to Australian entities to encourage international cooperation on projects in the public interest (with appropriate controls in place).
Accredited data service providers (ADSPs)
Entities accredited by the commissioner to perform data services such as data integration.
Government agencies and users will be able to draw upon an ADSP’s expertise to help them share and use data safely.
Source: Data Availability and Transparency Bill 2020, Explanatory Memorandum, pp. 3-4; Data Availability and Transparency Bill (Consequential Amendments) Bill 2020, Explanatory Memorandum, p. 5.
Part 5.2 of the bill relates to the accreditation framework of the data sharing scheme. Users and data service providers must be accredited by the commissioner before they can access shared data. The process involves the assessment of prospective recipients of data against criteria set out in the bill. The accreditation seeks to:
ensure that data recipients are capable of managing the data accountably;
minimise the risks of unauthorised access; and
ensure that only users who comply with obligations under the bill can seek access to data.
The commissioner may also receive security advice, including security assessments from ASIO, about applicants seeking accreditation in order to assist them to make an informed accreditation decision. Additionally, the commissioner will be able to control systemic and entity-specific risks by putting conditions on, suspending, or cancelling accreditation for reasons of security or otherwise as provided by the accreditation framework.
As set out in the following graphic, the legal framework for accreditation will be drawn from the bill and the specific details will be contained in legislative instruments issued by the minister or commissioner.
Figure 2.1: Accreditation framework
Accreditation does not guarantee that data will be shared. This is because data custodians must be satisfied that any data sharing meets the requirements of the bills before making the final decision on whether or not to share data with accredited entities.
A graphical representation of the key controls included in the bill was tabled by the ONDC at the public hearing on 20 April, and can be found at Appendix 1.
Data sharing principles
Once a data custodian is satisfied a proposed project is for a permitted purpose, the data sharing principles must be applied to assess and control risks of sharing ‘in a holistic manner’. The principles are a framework for best practice risk management, enabling parties to adapt controls to suit the needs and context of each sharing arrangement.
The principles are set out in clause 16 of the bill and are structured to manage risks arising across five key elements of the sharing process – project, people, settings, data, and outputs:
The project principle considers the intended use of the shared data, including public interest, consent and ethics requirements.
The people principle considers users accessing the data to ensure they can be trusted and have the right skills for the project.
The settings principle assesses if data is shared in a controlled environment tailored to the data type and sensitivity, subject to security standards.
The data principle requires data to be protected, including taking a ‘data minimisation’ approach so only data that is reasonably necessary to achieve the project is shared.
The outputs principle ensures the results and outcomes of the projects are agreed, including whether they are appropriate for publishing.
Controls set to manage risk within each principle can be ‘dialled up or down’ to suit the overall needs of each project.
Data sharing agreements
Clauses 18, 19 and 20 of the bill go to details relating to data sharing agreements. Once a data sharing request is accepted, an accredited entity or ADSP needs to enter into a data sharing agreement with the data custodian that documents how the data will be used and shared. The bill sets out the mandatory terms that must be included in the agreement, which include how the project serves the public interest. These mandatory terms are designed to support robust and accountable sharing practices.
Mandatory terms of data sharing agreements made under the data sharing scheme will be included in a publicly available register. This will provide the public with information about what data is being shared and why, who is accessing data, and how it is being safely shared.
Oversight of the data sharing scheme and avenues for redress
As set out in Part 4.2, the bill will create a new independent regulator, the National Data Commissioner. The commissioner’s role is to regulate and oversee the data sharing scheme, with the position modelled on other regulators such as the Australian Information Commissioner.
As regulator, the commissioner will provide advice, advocacy and guidance to ensure the scheme operates as intended. The commissioner will also work with data scheme entities to build data capability, promote best practice data sharing and use, and address cultural barriers to sharing.
Part 5.3 of the bill relates to complaints under the scheme. The bill provides means for data scheme entities to raise issues about breaches or decisions under the data sharing scheme. For example, a complaints mechanism will enable data scheme entities to complain to the commissioner about potential breaches of the legislation, and this will trigger the commissioner’s regulatory powers to investigate and address the situation.
Existing avenues for redress in other schemes will continue to be available, including where the situation involves sharing or shared data. As the EM to the bill explained:
For example, a person affected by a decision based on shared data may seek review of that decision, where legislation governing that decision sets review rights. A person may also complain about government activities to the Commonwealth Ombudsman, to other Ombudsmen and regulators, or to the Australian Information Commissioner about suspected mishandling of their personal information.
Clause 28 of the bill ensures that when personal information is shared, affected individuals will have the means to seek recourse if their information is dealt with in a way contrary to the law. This may include through the Privacy Act 1988 or equivalent state or territory law.
Part 5.4 of the bill establishes mechanisms for the commissioner to monitor and gather information about the operation of the scheme and the entities participating in it. The commissioner can conduct assessments and investigations to determine whether an entity is breaching or has breached requirements under the scheme. This may occur in response to complaints or the commissioner’s own initiative.
Part 5.5 of the bill provides the regulatory powers to monitor and enforce the requirements of the data sharing scheme. A range of mechanisms are contained in the bill to deter and address non-compliance, which are modelled on the powers available to other regulators with similar mandates. Options available to the commissioner to deal with a non-compliant entity include:
entering into an enforceable undertaking with an entity;
issuing a direction for an entity to comply;
seeking a civil penalty; and
investigating possible criminal offences.
Consequential amendments bill
The consequential amendments bill operates in conjunction with the principal bill and amends relevant Commonwealth legislation to control for security risks and ensure that the principal bill operates as intended.
Specifically, the consequential amendments bill makes amendments to:
Part IV of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) to allow the Australian Security Intelligence Organisation (ASIO) to provide advice in relation to the exercise of a power under Part 5.2 of the principal bill, and to limit the notice and review processes for foreign entities in relation to security assessments.
Schedule 1 of Administrative Decisions (Judicial Review) Act 1977 (ADJR Act) to exclude the commissioner’s accreditation decisions made on the basis of an ASIO security assessment for foreign entities from judicial review under the ADJR Act.
Section 7 of the Freedom of Information Act 1982 (FOI Act) to clarify the interaction between the FOI Act and the principal bill and preserve, to the extent possible, the intended operation of both schemes.
Section 50 of the Privacy Act 1988 (Privacy Act) to enable the Australian Information Commissioner to transfer complaints to the commissioner where appropriate.