Speech: Sharing data safely - Cyber Collaborate Conference
On 11 October 2022, National Data Commissioner Gayle Milnes gave a keynote address at the Cyber Collaborate Conference in Canberra.
The DATA Scheme
Good morning and thank you to the Public Sector Network the invitation to speak with you today.
Let me begin by acknowledging the Traditional Custodians of the land on which we are meeting today. I would also like to pay my respect to their Elders, past, present and emerging, and extend that respect to First Nations people here today.
I’ll focus my comments today on a new scheme for sharing Australian Government data safely. We call it the DATA Scheme because it is established by the Data Availability and Transparency Act 2022 which commenced in April this year. The DATA Scheme is a best practice scheme for sharing Australian Government data, underpinned by strong safeguards and simplified, efficient processes.
A new, best practice scheme for sharing Australian Government data safely
So how does this new scheme operate?
There are three types of participants in the DATA Scheme – Australian Government agencies; state and territory government agencies; and Australian universities - and three roles. There’s the accredited data user who can make a request for data from an Australian Government agency – the data custodians. It could be a request from an NSW government agency to the Australian Government Department of Health, for example. Or from one Australian Government agency to another. The data may be shared directly or via an accredited data service provider, like the Australian Bureau of Statistics, who can provide data de-identification, integration and secure access services.
The strong safeguards require that:
- only Australian entities can participate - Australian Government agencies, state and territory government agencies and Australian universities.
- For national security and other reasons, some entities are excluded from the scheme and some types of data cannot be shared. For example, law enforcement and national security agencies such as the Australian Federal Police are excluded from the Scheme. Some data such as data relating to information sources or operational activities is barred from sharing.
- sharing be in the public interest and for one of three purposes – to deliver government services, to inform government policy and programs, or for research and development. Data cannot be shared for compliance purposes.
- participants in the scheme must be accredited. Accreditation serves as a gateway into the DATA Scheme, and ensures users are capable of handling public sector data and minimising risk of unauthorised access or use. It is the job of the Minister and the National Data Commissioner to accredit scheme participants.
- When accrediting entities, we are looking to see that they have appropriate data management and governance policies and practices; an appropriately qualified individual in a position that has responsibility for data management and data governance; the entity is able to minimise the risk of unauthorised access, sharing or loss of data; the entity has the necessary skills and capability to ensure the privacy, protection and appropriate use of data, including the ability to manage risks in relation to those matters.
- a data sharing agreement is in place that applies the data sharing principles.
- The data sharing principles are the risk management framework that sits at the core of the Scheme to support data custodians to decide if it is safe to share data. The principles cover the data sharing project, people, setting, data and output. The principles must be applied in such a way that, when viewed as a whole the risks of the sharing, collection and use of data are appropriately mitigated.
- all sharing is consistent with the Privacy Act 1988 and additional privacy protections apply depending on the purpose for which data is being shared. The DATA Scheme works with the Privacy Act to protect personal information. The Act contains general privacy protections that minimise the sharing of personal information, prohibit the re-identification of data that has been de-identified, and prohibit the storage or access of personal information outside Australia. Express consent is always required to share biometric data. The Act also contains purpose specific privacy protections, depending on the data sharing purpose of the project.
- Further guidance about application of the data sharing principles and the privacy protections will be provided in a code of practice which we released recently for public comment. The code will be a legislative instrument.
- Australian Government agencies as data custodians have no duty to share data but they must provide reasons to accredited users if they refuse a request.
There are two other important safeguards I’d like to call out.
- The enhanced transparency and accountability provisions of the DATA Scheme. For example, the National Data Commissioner is required to keep public registers of accredited participants and data sharing agreements and to report annually on the scheme.
- Last but certainly not least, the DATA Scheme is a regulated scheme. The National Data Commissioner is the regulator of the scheme and provides advice and guidance about its operation. The National Data Commissioner also delivers education and support for best practice data sharing and handling.
- The Commissioner’s regulatory powers include accrediting scheme participants; handling complaints; exercising monitoring and investigation powers; seeking injunctions and issue infringement notices; issuing binding directions to deal with emergencies or high risk situations; referring matters to the Commonwealth Director of Public Prosecutions where a criminal offence may have been committed; and, seeking a civil penalty order from a court.
- The Commissioner works with the Australian Information Commissioner to protect personal information under the DATA Scheme, with a ‘no wrong door’ approach taken to complaints. Where a complaint is about how personal information has been handled in the DATA Scheme it may be transferred to the Australian Information Commissioner.
The Office of the National Data Commissioner is rolling out two initiatives to further strengthen the data handling capability of Australian Government agencies and to support implementation of the DATA Scheme.
The first is the $16.5 million Data Discovery initiative. Here we are working with Australian Government agencies to support them to build and develop their data inventories. We are also creating a searchable Australian Government Data Catalogue. We are doing this work in collaboration with the Australian Bureau of Statistics, and Geoscience Australia to ensure that the catalogue, the upgrade of data.gov.au, the Australian Government’s platform for open data, and Digital Atlas, all work together.
The second initiative is Dataplace. This is an $11 million commitment from the Australian Government to deliver a digital platform for Australian Government agencies to manage all their data requests, in a more timely and efficient manner. Dataplace also supports administration of the DATA Scheme. Dataplace is a secure and scalable Cloud platform which provides services such as
- applying for accreditation to be a data user or data service provider under the scheme
- requesting Australian Government data, including under the DATA Scheme
- developing a data sharing agreement
- monitoring and managing your data sharing activities.
Standing up the DATA Scheme
The DATA Scheme opened for business on 1 June this year, with Commonwealth as well as state and territory government agencies able to apply for accreditation as data users. From 1 August, Australian universities have been able to apply for accreditation as data users and all scheme participants can apply for accreditation as data service providers.
Dataplace went live on 1 June. There are now 18 entities registered on Dataplace, and a pool of organisations active in developing their applications for accreditation as a data user. A major milestone last month is there are now six data service providers that have been accredited as participants in the DATA Scheme:
- Australian Bureau of Statistics
- Australian Institute of Family Studies
- Australian Institute of Health and Welfare
- Commonwealth Social Services Department
- Queensland Treasury
- Victorian Department of Health.
We are continuing to focus on educating Australian, state and territory government agencies as well as Australian universities about the Scheme and helping them get ready to participate. We have information sessions on the DATA Scheme coming up – introductory sessions as well as topic specific sessions such as how to make a data request and developing a data sharing agreement on 19 October.
We received more than 30 submissions on the Data Code. We are working through them with the aim of making the Code before the end of the year.
The Optus incident has underscored the need for all entities, Australian Government agencies and other DATA Scheme participants included, to ensure they have robust data management and governance arrangements in place and the skills and capability to ensure the privacy, protection and appropriate use of data. This is what the DATA Scheme is all about. Being a best in class manager and user of data includes but is not limited to:
- having a register of your data assets
- protecting the data you hold with the right privacy, cyber and other data security settings, utilising resources available such as:
- the Protective Security Policy Framework, the Information Security Manual, the essential 8, other widely recognised security standards such as ISO-27001
- the Australian Government Agencies Privacy Code, which requires agencies to adopt a best practice approach to privacy governments to help build a consistent, high standard of personal information management across the federal public sector
- being prepared to respond to incidents to minimise the impact – how fast you detect and respond to a breach matters.
These arrangements are not set and forget. Cyber threat is both constant and evolving. As data custodians and stewards of the DATA Scheme, Australian Government agencies and other DATA Scheme participants need to be that too. Adopting these best practices will reduce the number and cost of data breaches, build and protect community trust and confidence, as well as your reputation, and is key to realising the full value of the data you hold. It’s good for your entity. It’s good for the Australian citizen.