The Government’s plan to upgrade its data package
The Data Availability and Transparency Bill 2020 (Bill) is set to overturn the stringent restrictions on data collection by Government bodies. Following the release of an exposure draft on 14 September 2020, the Bill was recently introduced and read for the first time in the House of Representatives on 9 December 2020. The Bill aims to modernise the use of public sector data and encourage its sharing between Government departments and agencies.
A propelling force behind the proposed Bill was the recommendations of the Royal Commission into Natural Disaster Arrangements. The Commission’s Report was published on 31 August 2020 commenting on how improvements to the availability and quality of natural disaster information could enhance policy and decision making during times of disaster.
The proposed framework will enable data custodians of public sector data, such as Centrelink or the Australian Tax Office, to share information with accredited users. Though primarily intended to encourage data sharing between Government agencies, other bodies such as universities, think-tanks, not-for-profits and businesses may also become an accredited user.
The apparent breadth of the Data Sharing Scheme (Scheme) is however tempered by clear safeguards. An essential precondition to participating in the data sharing scheme is meeting the requirements of the accreditation framework contained in Part 5.2 of the Bill. In accordance with clause 77 of the Bill, the entity must satisfy the National Data Commissioner of the following:
· the entity can appropriately protect, manage and use data;
· there is a person within the organisation who is responsible for overseeing of scheme data by the entity;
· the entity can effectively apply the data sharing principles outlined in clause 16 to manage risks of sharing;
· the entity is able to minimise unauthorised access, sharing or loss of scheme data;
· the entity has processes and policies in place that reflect a commitment to continuous improvement of data practices in relation to scheme data, in line with privacy and security obligations;
· the entity has the ability to comply with its responsibilities under the scheme; and
· the entity can demonstrate its participation in the scheme would not be inconsistent with Australia’s national interest or requirements of security;
The Minister may also prescribe other criteria in the rules, consistent with the objects and parameters of the Bill.
The significant scope of the Bill brings a wide range of entities and data within its purview. Notably the Bill defines public sector data as “all data collected, created, or held by the Commonwealth, or on its behalf.” However the sharing of data is limited to one of three permitted purposes – government service delivery, informing government policy and programs, or research and development. The Scheme is further regulated by data sharing principles which the custodian must apply to assess the risk of sharing data. The principles reflect five key areas of risk and are stated as follows:
· the project principle considers the intended use of the shared data, including public interest, consent and ethics requirements;
· the people principle considers users accessing the data to ensure they can be trusted and have the right skills for the project;
· the settings principle assesses if data is shared in a controlled environment tailored to the data type and sensitivity, subject to security standards;
· the data principle requires data to be protected, including taking a ‘data minimisation’ approach so only data that is reasonably necessary to achieve the project is shared; and
· the outputs principle ensures the results and outcomes of the projects are agreed, including whether they are appropriate for publishing.
Importantly, data sharing is not mandatory but rather assessed by the data custodian on a case-by-case basis. Custodians and accredited users will also be guided by a layer of secondary legislative instruments containing more detailed guidance. Adjacent to the legal framework will be an operational and administrative system designed to facilitate the transfer and streamlining of data.
Advocacy groups such as Electronic Frontiers Australia have expressed concerns over the sharing of personal information and the Bill’s approach to consent. Originally the Federal Government’s position was that consent is implied when an individual uses a government service. Since entering the House of Representative, their position has shifted such that any sharing of personal information is to be done with consent unless it is unreasonable or impracticable.
Charged with overseeing the scheme is the newly established independent regulator, the National Data Commissioner. The Bill does not displace existing legislation such as the Privacy Act 1988, which will continue to operate and provide an avenue for complaints where a suspected mishandling of personal information has occurred.
 Melissa Clarke, ‘Draft legislation proposed by Federal Government would allow your personal data to be shared between Government agencies’, 16 September 2020, ABC News < https://www.abc.net.au/news/2020-09-16/government-draft-law-share-personal-data-between-agencies/12666792>.  Data Availability and Transparency Bill 2020 (Cth), cl 16(2)(c).