Using an Accredited Data Service Provider (ADSP)
Guidance Note 2023:5
This guidance note provides information for data custodians when using an ADSP.
This guidance note is not intended to be legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in the guidance.
Under the DATA Scheme, a data custodian may share their public sector data with an accredited user directly, or through an Accredited Data Service Provider (ADSP).
ADSP’s are expert intermediaries in the data sharing process that provide services (such as complex integration, secure access, and de-identification) which support sharing by data custodians with accredited users. They can help the data custodian meet its obligations under the Data Availability and Transparency Act 2022 (the Act) by reducing risks identified with the data sharing project.
Data sharing project
The sharing, collection and use of public sector data must be part of a project that is for one or more of the defined data sharing purposes and undertaken consistently with the data sharing principles and under a registered data sharing agreement. The mandatory elements of a ‘project’ involves a ‘sharer’ (a data custodian) sharing data with a ‘user’ (an accredited user), either directly or through an ‘intermediary’ (an ADSP) (see section 11A of the Act).
If the sharer shares data with the user through an ADSP, subsection 11A(3) of the Act extends the definition of a project to include ‘ADSP-enhanced data’. The concept of ADSP-enhanced data captures, for example, data that has been de-identified.
Authorisation for an ADSP to act as intermediary
The Act provides the authorisation for an ADSP to collect and use data shared with it by a data custodian. The ADSP is authorised to collect and use ADSP-enhanced data in accordance with a registered data sharing agreement that is in effect and that meets the following requirements (see section 13B of the Act):
the ADSP is satisfied that the project is consistent with the data sharing principles
the ADSP’s accreditation is not suspended
if the shared data includes personal information, the ADSP has privacy coverage in relation to the personal information
Data sharing purpose
A data sharing agreement will specify the data sharing purpose or purposes of a project and prohibit the accredited user from using output for any other purpose or a precluded purpose. The tables below set out the prescribed data services for which data custodians must use (or consider in certain circumstances) ADSPs in a data sharing purpose or purposes of a project.
Data sharing for the purposes of delivery of government services
|Is the data sharing for the purpose of delivery of government services (section 15(1)(a) of the Act)?||
There are no prescribed circumstances under the Act where an ADSP must be used where data sharing is for the purpose of delivery of government services.
However, if there is an ADSP involved as part of the project where data shared includes personal information, the ADSP will be prohibited from storing or assessing, or providing access to data outside of Australia.
Data sharing for the purposes of informing government policy and programs, or for research and development
|Is the data sharing for the purposes of informing government policy and programs, or for research and development (sections 15(a)(1)(b), and (c)) of the Act and the data includes personal information?||
Where data sharing purpose of a project is informing government policy and programs, or research and development, the shared data cannot include an individual’s personal information unless consent to the sharing is obtained. However, there are circumstances under the Act, including ‘permitted circumstances’, where consent is not required for personal information to be included in data to be shared.
|Is the data sharing for the purposes of informing government policy and programs, or for research and development, and involves performing a de-identification data service?||
A ‘de-identification data service’ is a service to treat data that includes personal information so the data is de-identified using techniques that restrict the data and prevents re-identification of the data (see section 16C(3)).
The data sharing agreement must require the ADSP to provide the de-identification service if the data custodian is not an ADSP, or does not have the appropriate skills and experience to perform the de-identification data service (see section 16C(2)).
|Is the data sharing for the purposes of informing government policy and programs, or for research and development, and involves performing a secure access data service?||
A ‘secure access data service’ provides ADSP-controlled access, or any other service that enables an entity to access data under the control of another entity and includes controls to prevent or minimise the risk of the data being misused (see section 16C(4)).
The data sharing agreement must require the ADSP to perform the secure access data service, if the data custodian is not an ADSP or does not have the appropriate skills and experience to perform the secure access data service (see section 16C(2)).
|Is the data sharing for the purposes of informing government policy and programs, or for research and development, and involves complex data integration services?||
Where sensitive datasets are to be integrated, the Act requires an ADSP to perform the complex data integration service. This requirement is a safeguard designed to ensure data integration work involving sensitive data sets is only undertaken by an ADSP. Section 16D(3) of the Act specifies a complex data integration service; where the data to be integrated, or the integrated data is:
• controlled by 2 or more entities
• at the unit or micro level
• any one of the following situations applies to any of the data to be integrated, or to the integrated data includes:
An authorised officer or authorised individual may decide that the risk of substantial harm (caused by the integration) is low, and a complex data integration service is not required (see section 16D(4)).
If a decision under section 16D(4) of the Act has not been made, the data sharing agreement that covers the project must require the service to be performed as above.
Can a data custodian act as an ADSP?
A data custodian of the data to be shared, can perform its own ADSP service if the data custodian also has accreditation as an ADSP and is able to perform such a service consistently with its conditions of accreditation.
Contracting with an ADSP
Contracting an ADSP to perform prescribed data services can be achieved through an ‘approved contract’ under section 123(3) of the Act. An approved contract must be:
be between an individual or body corporate and an entity that is a party to a data sharing agreement
be authorised or approved under the data sharing agreement
comply with any requirements in a data code - see Data Availability and Transparency Code 2022 and the Data Availability and Transparency (National Security Measures) Code 2022)
Where an individual or a body corporate is engaged by an entity to perform services under an approved contract, that individual, or the employees, officers and members of that body corporate, are designated individuals of the entity, and the approved contract determines the designation of those designated individuals.
Extension of use and collection
An entity’s authority to collect and use shared data extends to the designated individuals of that entity. For example, an accredited user enters into a data sharing agreement with a data custodian, and the data sharing agreement authorises a data analytics contract. In the context of activities covered by the data sharing agreement, employees of the data analytics service provider are designated individuals of the accredited user, and their designation is determined by the scope of services in the analytics contract (section 124(1) of the Act).
For more information about designated individuals, see Guidance Note – ‘Designated Individuals – Individuals within a Scheme entity authorised to deal with scheme data’.
An entity is taken to have engaged in conduct by a designated individual for the entity (if the conduct is within the actual or apparent scope of the individual’s designation, which is determined under section 123 of the Act). Therefore, if the conduct is within the actual or apparent scope of the approved contract, the conduct of an individual or body corporate in an approved contract with an entity will be viewed as an action by that entity. Any unauthorised collection, use or sharing of data by an individual or body corporate under an approved contract could result in a civil penalty or a criminal offence against that Data Scheme entity.
Seeking your own legal advice on matters covered by this guidance
This guidance note is not legal advice. You may need to seek your own legal advice if you would like further clarification on Accredited Data Service Providers.
Guidance note 2023:5
Last updated 28 March 2023