When sharing is barred under the DATA Scheme


Guidance note 2023:6

This guidance provides information about when sharing of data is barred under the DATA Scheme. 

This guidance note is not legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in this guidance. 

 

The Data Availability and Transparency Act 2022 (the Act) and the Data Availability and Transparency Regulations 2022 (Regulations) bar certain entities from participating in the DATA Scheme and certain data from being shared.  

When sharing is barred 

Data custodians are authorised to share their data with entities that are accredited under the DATA Scheme. However, the Act does not authorise sharing of data in circumstances relating to (see section 17): 

  • national security and law enforcement

  • contravention or infringement of legal rights

  • matters prescribed by the Regulations

  • inconsistency with international law obligations

  • data that is evidence in courts and tribunals

Each of these situations is discussed in more detail below. In addition, a checklist is provided at the end of this guidance. 

National security and law enforcement  

The Act does not authorise the sharing of data held by, originated with, or received from, an excluded entity (section 17(2)). Excluded entities include intelligence agencies and certain other entities that have oversight of the government and the Commissioner’s activities under the Act.  

The sharing of operational data from AUSTRAC, the Australian Federal Police and the Department of Home Affairs is also excluded (section 17(2)(b)). Operational data is information that relates to the operations or informs the operational processes or methodologies of these agencies. The exclusion extends to information relating to current operations, as well as data relating to both past and future potential operations, where it is sufficiently clear that the data relates to or forms part of operational activities relating to the agencies’ functions and powers. 

The table below provides a list of excluded entities and agencies whose operational data cannot be shared under the DATA Scheme. 

Categories of excluded entities

Category: Commonwealth intelligence and law enforcement entities
Reason for exclusion: To preserve existing arrangements and frameworks that authorise and regulate their activities.
Excluded entities include:

  • Australian Criminal Intelligence Commission
  • Australian Federal Police
  • Australian Geospatial-Intelligence Organisation
  • Australian Secret Intelligence Service
  • Australian Security Intelligence Organisation
  • Australian Signals Directorate
  • Defence Intelligence Organisation
  • Inspector-General of Intelligence and Security
  • Office of National Intelligence

Category: Commonwealth oversight agencies
Reason for exclusion: To preserve the integrity of their oversight over the government and the Commissioner’s activities under the DAT Act.
Excluded entities include:

  • Australian Commission for Law Enforcement Integrity
  • Australian National Audit Office
  • Office of the Commonwealth Ombudsman

Category: Scheme oversight figures
Reason for exclusion: To preserve the integrity of their oversight over the DATA Scheme.
Excluded entities include:

  • The National Data Commissioner
  • Any APS employee made available to the Commissioner under section 47 of the DAT Act.

Barred under specific circumstances*

Circumstance: Barred if dataset contains operational data.
Further details: Operational data includes information about information sources, operational activities or methods and particular past, current and future operations.
Applicable entities include:

  • AUSTRAC
  • Australian Federal Police
  • Department of Home Affairs

Circumstance: Barred if excluded entity would be a data custodian if not for the operation of section 11(2)(b), which provides that an excluded entity is not a data custodian.
Further details: For example, a Scheme entity holds a public sector dataset comprising (in part or in whole) data originating from an excluded entity. In this example, the dataset is barred from sharing because (some of) the data in the dataset originated from an excluded entity even though it is held by a Scheme entity that is not barred from sharing data.

*The Regulations may prescribe other entities as excluded entities. 

Contravention or infringement of rights 

The Act does not authorise sharing data if the sharing would contravene or infringe (section 17(3)): 

  • copyright or other intellectual property rights 

  • a contract or agreement to which the data custodian is a party (this includes a memorandum of understanding that is not legally enforceable) 

  • a common law duty or privilege, or 

  • a Parliamentary privilege or immunity. 

The sharing of data is also excluded if that data is commercial information that is subject to a legally enforceable duty of confidence.  

Prescribed by regulations 

The Regulations do not authorise the sharing of certain data. This includes, for example, data collected under the Commonwealth Electoral Act 1918 and data of the Australian Institute of Health and Welfare while it is acting as data custodian within the meaning of the My Health Records Act 2012. 

The Regulations also allow an order, direction, certificate or other instrument to be made by an officer of the Commonwealth (including a Minister) which excludes particular data from being shared or a data custodian from sharing (section 17(4) of the Act). 

International matters 

The Act does not authorise the sharing of data that is inconsistent with Australia’s obligations under international law (including international agreements), or with Commonwealth legislation that gives effect to such international agreements (section 17(5)).  

Sharing data collected from a foreign government is excluded unless the relevant government agrees.  

Evidence and court/tribunal orders 

The Act does not authorise sharing data if the data is held as evidence before a court, or obtained by a tribunal, authority or other person with the power to compel documents. However, this does not exclude other copies of that data held by the data custodian. 

If a court or tribunal makes an order that restricts or prohibits disclosure of data, the Act excludes sharing of that data. In this instance, sharing of any copies of the relevant data held by the data custodian would also be excluded (section 17(6)). 

Seeking your own legal advice on matters covered by this guidance 

This guidance note is not legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in this guidance. 

Barred data sharing  

The following table provides a checklist to assist DATA Scheme entities to identify whether data is barred from sharing under the Data Availability and Transparency Act 2022 (the Act).  

Is the data held by, did it originate with or was it received from an ‘excluded entity’ under the Act?  

Section 17(2)(a) 

A number of entities are ‘excluded entities’. These include: 

- National Data Commissioner and any APS employee made available to the National Data Commissioner  

- Australian Commission for Law Enforcement Integrity 

- agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002  

- Australian Federal Police 

- that part of the Defence Department known as the Australian Geospatial-Intelligence Organisation  

- Australian National Audit Office  

- Australian Secret Intelligence Service  

- Australian Security Intelligence Organisation  

- Australian Signals Directorate  

- that part of the Defence Department known as the Defence Intelligence Organisation 

- Inspector-General of Intelligence and Security  

- Office of the Commonwealth Ombudsman, and 

- Office of National Intelligence. 

Is the data information that relates to the operations, or informs the operational processes or methodologies, of the three specified agencies? 

Section 17(2)(b) 

The Act bars sharing data if it is operational data that is held by, originated with or received from any of the following entities: 

- AUSTRAC 

- Australian Federal Police, and 

- the Department administered by the Minister administering the Australian Border Force Act 2015, which is currently the Department of Home Affairs. 

Would sharing the data contravene or infringe upon rights? 

Section 17(3) 

The Act bars sharing data if the sharing would contravene or infringe: 

- copyright or other intellectual property rights 

- contract or agreement to which the data custodian is a party (this includes a memorandum of understanding that is not legally enforceable) 

- common law duty or privilege, or 

- Parliamentary privilege or immunity. 

The Act bars sharing data that is commercial if it would support legal action for breach of confidence. 

Is the data to be shared precluded by the Regulations? 

Section 17(4)(a) 

The Data Availability and Transparency Regulations 2022 sets out further circumstances in which sharing is barred.  

These include data collected for the purposes of: 

- Commonwealth Electoral Act 1918, or the Referendum (Machinery Provisions) Act 1984 

- Director of Public Prosecutions Act 1983  

- data held by the Director of Professional Services Review for the purposes of Part VAA (the Professional Services Review Scheme) of the Health Insurance Act 1973 

- data that is health information (within the meaning of the Privacy Act 1988) about a person, including a deceased person, which is also data in relation to the Australian Border Force Act 2015, and created at a time when the person was a detainee under the Migration Act 1958 

- data that is COVID app data within the meaning of the Privacy Act 1988, and 

- data in relation to the Royal Commission Act 1902 which has not been made publicly available. 

The Act bars sharing data if any of the prescribed provisions of Acts and legislative instruments identified by the Regulations prohibit disclosing the data.  

The Act bars sharing data if an order, direction, certificate or other instrument made under a provision of a law prescribed by the Regulations prohibits disclosing the data as follows: 

  • subsections 7(1), 13(1), 14(2) and (3) of the Foreign Proceedings (Excess of Jurisdiction) Act 1984, and 

 

Is the data held by, did it originate with or was it received from an ‘excluded entity’ under the Regulations? 

Section 17(4)(b) 

The Regulations bar sharing data of entities acting in a capacity under the My Health Records Act 2012. These include: 

- System Operator 

- Data Custodian within the meaning of the My Health Records Act 2012 

- Chief Executive Medicare, and 

- any other entity that is a participant in the My Health Records system. 

Would sharing the data be inconsistent with Australia’s international obligations? 

Section 17(5) 

The Act bars sharing data that is inconsistent with Australia’s obligations under international law (including international agreements), or with Commonwealth legislation that gives domestic effect to such international agreements. 

Sharing data collected from a foreign government or agency is barred unless the relevant government or agency agrees. 

Is the data to be shared currently considered to be held as evidence before a court, or obtained by court/tribunal/authority powers or subject to court/tribunal orders? 

Section 17(6) 

The Act bars sharing data held as evidence before a court, or obtained by a tribunal, authority or other person with the power to require answering of questions or compel production of documents. If a court or tribunal orders restrictions or prohibits disclosure of data, the Act also bars sharing that data. 

Last updated 28 March 2023