DATA Scheme Safeguards
Australian Government data can only be shared if it is for one of the three permitted purposes:
- delivery of government services
- informing government policies and programs, and
- research and development.
Government service delivery includes the provision of information (such as advice that the individual is eligible to receive a benefit), the provision of a service (such as assistance to a person to help restore their property after a flood), determining an eligibility for payment, or paying a payment.
Data cannot be shared for national security or enforcement related purposes.
Accreditation serves as a gateway into the DATA Scheme, and ensures users are capable of handling public sector data and minimising risk of unauthorised access or use.
To become an accredited user, Commonwealth, state and territory government bodies must be assessed against criteria by the Minister. Where necessary, the Minister can impose conditions on accreditation. The Commissioner is responsible for assessing accreditation of Australian universities.
The Commissioner is responsible for assessing accreditation of data service providers. Where necessary, the Commissioner can impose conditions on accreditation.
Data custodians have no duty to share data, but must respond to all data sharing requests they receive from accredited users within a reasonable timeframe. If refusing a request, data custodians must provide reasons to accredited users.
Data custodians must maintain a record of data sharing requests received and reasons for agreement or refusal to share, as these will need to be notified to the Commissioner to assist in preparing the annual report.
The data sharing principles are the risk management framework that sits at the core of the Scheme to support data custodians to decide if it is safe to share data. The principles cover the data sharing project, people, setting, data and output. The principles must be applied in such a way that, when viewed as a whole the risks of the sharing, collection and use of data are appropriately mitigated.
Further guidance about the application of the data sharing principles will be provided in a code of practice. The Code will be a legislative instrument.
The DATA Scheme works with the Privacy Act 1988 to protect personal information.
The Act contains general privacy protections that minimise the sharing of personal information, prohibit the re-identification of data that has been de-identified, and prohibit the storage or access of personal information outside Australia. Express consent is always required to share biometric data.
The Act also contains purpose specific privacy protections, depending on the data sharing purpose of the project.
Further guidance about privacy protections will be provided in a code of practice. The Code will be a legislative instrument.
Participants must enter into a data sharing agreement which sets out the details of the data sharing project. A data sharing agreement must describe how the participants will give effect to the data sharing principles and how the project serves the public interest.
Details from data sharing agreements will be recorded on a register, kept and maintained by the Commissioner.
Data must not be shared until the data sharing agreement has been registered.
The Commissioner must keep public registers of accredited users, accredited data service providers, and data sharing agreements.
The Commissioner must also prepare and give to the Minister, for presentation to Parliament, an annual report on the operation of the DATA Scheme each financial year.
The annual report must include:
- details of any legislative instruments made that financial year
- the scope of data sharing activities and regulatory actions which have occurred, including reasons for agreeing to or refusing data sharing requests, and
- staffing and financial resources made available to the Commissioner and how they were used.
The Commissioner regulates the DATA Scheme to ensure data sharing is safe, including by providing guidance and tools to make data sharing fit-for-purpose. In performing these duties, the Commissioner is able to:
- exercise monitoring and investigation powers;
- seek injunctions and issue infringement notices;
- issue binding directions to deal with emergencies or high risk situations;
- refer matters to the Commonwealth Director of Public Prosecutions where a criminal offence may have been committed; and
- seek a civil penalty order from a court.
The Commissioner will work with the Australian Information Commissioner to protect personal information under the DATA Scheme, with a ‘no wrong door’ approach taken to complaints. Where a complaint is about how personal information has been handled in the DATA Scheme it may be transferred to the Australian Information Commissioner.
To make it easier for users to find data, the Office of the National Data Commissioner is working with Australian Government agencies to develop their data inventories, and creating a searchable Australian Government Data Catalogue.
ONDC are also developing Dataplace – a whole-of-government digital platform for scheme participants and others to manage data requests and support administration of the DATA Scheme. Learn more about Dataplace.