Data-sharing details open
Authorities are working out the kinks in proposed public data-sharing laws.
A new exposure draft of the Data Availability and Transparency Bill has been published as part of efforts to allow a higher level of sharing between government agencies.
The latest draft includes an important change to the Office of National Data Commissioner (ONDC) policy position. The new position makes consent one of five vital data-sharing principles.
The ONDC, which is part of the Department of Prime Minister and Cabinet, previously held the position that consent only needs to be ‘encouraged’.
After backlash and consultation, the ONDC now says; “The consent requirement has been elevated into the bill”, rather than “only having the requirement in guidance on the application of the data sharing principles”.
“Under the project principle, any sharing of personal information is done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent,” it said.
In situation where consent cannot be sought (as defined by the Privacy Act) agencies may increase the other privacy-enhancing measures in the data-sharing principles, including “using de-identified data where possible and undertaking a privacy impact assessment” (PIA).
The bill (available here in PDF form) also describes a controlled access scheme for agencies to more freely share data with accredited entities in industry, research and other private sectors.
The scheme would run on data codes and regulations developed by the ONDC, and include safeguards based on the five data sharing principles to “manage risks and streamline processes”.
“The bill takes a principles-based approach to data sharing, providing parties with flexibility to tailor sharing arrangements, and ensuring the scheme can respond to evolving technologies and community expectations,” the bill states.
“Modernising the approach to sharing public sector data will empower government to deliver effective services and better-informed policy, and support research and development.”
The bill only allows data to be released for one of three purposes: service delivery, informing policy and programs and research and development.
The government says it will not use the new data-sharing regime for compliance and assurance purposes, largely to avoid another ‘Robodebt’ saga.
“The bill precludes sharing public sector data for certain purposes, such as compliance and assurance activities, and other enforcement-related purposes,” the bill states.
Also, national security data cannot be shared, nor can My Health Record data or any “especially sensitive data handled under other legislation or data that infringes intellectual property rights”.
The bill will override some 500 data secrecy and confidentiality provisions in 175 pieces of existing legislation, though some can continue unaffected.
Government agencies that are declared data custodians are only allowed to share public sector data with accredited users and accredited data service providers (ADSPs).
Accreditation will come from the national data commissioner.
Importantly, the bill does not “compel” agencies to share data.
“Data custodians are responsible for assessing each sharing request, and deciding whether to share their data if satisfied the risks can be managed,” its explanatory memorandum states.
Data sharing agreements with accredited users and ADSPs will be publicly available in an online register.
“These registers will provide insight into what data is being shared and why, who is accessing data, and how it is being safely shared,” the bill’s explanatory memorandum states.
Fines or jail time could result from failing to comply with the data sharing requirements.
Consultation on the latest draft runs until November 6.