The Commonwealth Government recently released for public comment its Discussion Paper and Privacy Impact Assessment on the proposed Data Sharing and Release Legislative Reforms (the Reforms). The Discussion Paper explains the Government’s plan to ‘modernise’ and ‘streamline’ the way that it shares data between agencies, while the Privacy Impact Assessment evaluates the alignment of the proposed Reforms with Australian privacy law.
The Reforms have come out of the Productivity Commission’s 2017 Report on Data Availability and Use which found that Australia’s use of public sector data was falling behind other countries’ policies and their recommended reforms. The establishment of the Office of the National Data Commissioner in 2018 was also a result of the Productivity Commission’s 2017 report.
What are the Reforms trying to achieve?
The Reforms attempt to create a more streamlined approach to data sharing. The Government currently shares its data under a number of different laws, resulting in sometimes divergent or ad hoc data sharing processes. The Reforms are intended to supplement these existing laws and will operate alongside other relevant legislation such as the Privacy Act 1988 (Cth), the Australian Government Agencies Privacy Code 2017 and the Freedom of Information Act 1982 (Cth).
The main objectives of the Reforms are to:
- Improve public administration – the Reforms aim to reduce the over-collection of data and the burden of storing multiple and often overlapping datasets, increase transparency of government operations and improve public trust, and minimise the risk of data breaches.
- Improve service delivery – the Reforms support the idea that Australians should only need to tell Government agencies once about a change in details. Pre-filling forms should also reduce time spent on often-complex administrative forms.
- Improve research outcomes – the Reforms encourage greater access to public sector data by researchers, which should allow for more advanced and accurate research, leading to, among other things, more informed public policy development.
What data will be affected?
In relation to public sector data, the Reforms will affect data ranging from immigration details, to weather patterns and to administrative data about access to Government services by businesses and individuals. The initial focus of the Reforms will be on Commonwealth Government data. State, Territory and Local Governments may request access to data under the new legislation but, initially, the sharing of their own data will be out of scope.
How will the data sharing work?
- Under the new legislation proposed as part of the Reforms, when a data sharing request is made, the Data Custodian (Commonwealth entities such as agencies and departments, including Commonwealth companies such as Australia Post and NBN) will consider whether or not the data can be shared under an existing authority, or the new legislation.
- If the data can be shared easily under an existing authority, then that existing process will be used.
- If this is not available, the Data Custodian will consider whether:
(a) the request meets the ‘purpose test’ (i.e. that the sharing must be reasonably necessary to inform government policy, programs, or service delivery, or be in support of research and development); and
(b) the risk of sharing data can be managed in accordance with the Data Sharing Principles (risk management safeguards which must be applied prior to the sharing of public sector data).
If the answer is yes to points (a) and (b) above, the data can be shared based on the authority of the new legislation. However, certain types of data will be exempted from being shared under all circumstances given sensitivity, for example, national intelligence information and health information provided under the My Health Records Scheme.
- The National Data Commissioner will oversee and enforce the new legislation, assuming functions such as accreditation of Accredited Users (organisations or individuals who can access public sector data) and Accredited Data Service Providers (organisations that meet technical capability requirements to provide data services to Data Custodians), monitoring compliance, handling complaints, and conducting assessments and investigations.
The path to Parliament
The period for submissions on the Reforms will run for a period of 6 weeks from the beginning of September. According to the Discussion Paper, the draft legislation is planned to be released early next year for a public consultation period of 8 weeks, and subsequently introduced into Parliament in mid-2020.
Submissions in response to the Discussion Paper and Privacy Impact Assessment can be made here, up until 15 October 2019.
Authors: Meaghan Powell, Catherine Gamble and Melissa Fai