On 13 September 2020, the Australian Government commenced consultation on the exposure draft of the Data Availability and Transparency Bill (the Bill), which is intended to enable greater data-sharing within government and to facilitate ‘seamless’ service delivery to the public. The Bill aims to minimise constraints on the sharing of public sector data between government agencies, as well as permitting disclosures to private sector entities in specific circumstances.
What do I need to know?
The Bill forms part of the Australian Government’s broader goals of digitally transforming and modernising public services. This exposure draft reflects the culmination of two years of government consultation on improving the use of public sector data both within the sector and across the economy, following publication of a 2017 report on the issue by the Productivity Commission.1
By establishing a formal structure for public sector data sharing, the Australian Government aims to eliminate obstacles to sharing data between government departments, agencies and other public bodies, and to enhance public confidence by introducing consistent safeguards and increased transparency. In recognition of the fact that data use by private sector entities can also be in the public interest, the Bill also allows for sharing of government data in controlled circumstances with privately-owned organisations.
Many of the details, however, are yet to be confirmed. There are certain key aspects of the Bill that need to be formulated or expanded in the rules, standards and guidance materials that will be developed alongside the legislation.
Critical considerations will include:
- formulating accreditation criteria that impose high standards on users of public sector data, without excluding smaller players;
- expanding on the Bill’s data sharing principles and purposes with further guidance to limit subjective interpretations of the requirements and meaningfully restrain improper disclosure; and
- setting clear expectations about the privacy and data security measures to be implemented by data custodians and recipients.
It will only be possible to assess the full impact of the Bill once these key aspects are further developed.
What is the data sharing framework under the Bill?
The Bill creates a high-level framework for the sharing of public sector data by data custodians, which may be supplemented by regulations (prescribing further circumstances in which data sharing will be excluded from the scheme) and technical rules. There are four core elements that set out the boundaries of authorised data sharing under this scheme, which are to be monitored and enforced by the National Data Commissioner (NDC).
- Data custodians can only share public sector data with accredited users or data service providers
Interested users or data service providers must be accredited by the NDC before they can operate in this ecosystem and seek to obtain data from data custodians (i.e. Commonwealth bodies). The requirements for accreditation will be finalised in rules created by the relevant Minister, but will require the entity to show, at least, that it has in place the requisite administrative frameworks and technical capabilities to protect, manage and use the data, as well as robust privacy and data security protections.
- Data can only be shared for a permitted purpose
Data custodians can only share data:
- to deliver government services;
- to help develop government policies; or
- for research and development.
Data sharing for law enforcement and national security related reasons, which is authorised under separate laws, is expressly excluded from the scope of the Bill. Additional exclusions include data sharing in breach of contract or confidence, that infringes IP rights, or in connection with the operation of international law or evidence before courts or tribunals.
- Data can only be shared in accordance with the data sharing principles
The Bill purposefully adopts a principles-based approach to the framework, to allow for flexibility as technology and consumer expectations develop over time. This also allows for greater tailoring in data sharing arrangements, as long as the following five principles are followed:
- project principle – data is shared for an appropriate project or program of work (and must also consider the public interest and ethics);
- people principle – data is made available only to appropriate people with the right training and skills;
- setting principle – data is shared in a safe, secure and adequately controlled environment;
- data principle – appropriate protections are applied to the data (e.g. data minimisation principle); and
- outputs principle – outputs are as agreed and as appropriate for future use.
- The sharing must be governed by a data sharing agreement
Data custodians and accredited persons must enter into data sharing agreements that govern the data sharing between them, but only once the data custodian is satisfied that the data sharing purposes and principles are satisfied. These agreements must be lodged with the NDC, who will then publish them in an online register.
What issues have been raised by the Bill to date?
Since the release of the Bill, stakeholders have identified many benefits of the proposed data sharing regime relating to the assessment and improvement of core public services. In addition, the scheme will allow technology providers to play a key role in facilitating data sharing in accordance with the requirements of the Bill. However, several concerns have been raised in relation to the draft Bill as it stands.
Greater guidance required on privacy measures
Although the Bill requires participants to implement robust privacy safeguards and to report data breaches under existing mechanisms, it does not specifically address the actual measures which are to be implemented. Key stakeholders have raised concerns about the secure handling of personal information by government agencies, noting previous data breaches, and have questioned whether the measures implemented will be sufficiently robust. To address these concerns, the Government will need to develop rules, standards and accompanying guidance materials with clear and specific requirements relating to such measures.
In an attempt to align the Bill’s approach to consent with the Australian Privacy Principles, relevant individuals must consent to the data sharing unless it is ‘unreasonable or impracticable’ to do so. Whether consent is ‘unreasonable or impracticable’ in the circumstances will often depend on the ‘amount, nature and sensitivity of the data involved’ and whether consent was provided for the proposed sharing at the point of collection. If consent is not obtained, the Consultation Paper suggests that other safeguards ‘can be dialled up to protect privacy’, but the Government will need to provide guidance on what those additional safeguards may be.
Accreditation requirements need to be clear and well-balanced
The Accreditation Framework Consultation Paper (released alongside the Bill) notes that entities seeking accreditation will need to demonstrate an ‘appropriate level of Australian ownership to be eligible’, although it is not yet clear what threshold will apply. Additionally, in developing the rules surrounding accreditation, the requirements must not be so prohibitive as to exclude smaller technology companies, which has already been the experience for many attempting to participate in the Consumer Data Right regime.
Permitted data sharing purposes are potentially too broad
The Bill tries to strike a balance between more prescriptive requirements that clearly specify how best to protect data, and seeking greater future-proofing of the regime through specifying more outcomes-focused principles and purposes. When it comes to the manner in which limitations on data sharing are specified in the Bill, stakeholders are concerned that this balance may overly favour the latter approach. Apart from certain clearly excluded purposes, including law enforcement, the Bill appears to permit data custodians to share data widely with accredited entities, subject only to the broadly-worded principles and purposes in the Bill. Similarly, the on-sharing of data by accredited entities is restricted by the same (vague) limitations. These open-ended limitations may then allow for a considerable degree of subjective interpretation by data custodians and accredited users. To address these concerns, any on-sharing of data by accredited users should ideally be more clearly defined. For example, on-sharing could be restricted to specific circumstances (as is already the case for the sharing of outputs created as a result of the data sharing scheme).
Limited ability to review decisions
Under the current Bill, both merits and judicial review will be available for the NDC’s decisions regarding accreditation, enforcement and compliance. However, the decisions to disclose data, made by data custodians themselves, cannot be challenged by the individuals concerned. The Consultation Paper suggests that appropriate redress for data mishandling is already available under the Privacy Act 1988 (Cth), the Commonwealth Ombudsman, or the laws under which the data is ultimately used. Some stakeholders, however, are concerned with this model, noting the lack of express safeguards limiting entities’ use and handling of the data. Strengthening the applicable safeguards under the Bill may help to address these concerns.
What does this mean for the future of public sector data?
Establishing a clear and transparent framework for the secure sharing of public sector data is a key step in the modernisation of government services, programs and policies. The Bill has an important role to play here. Its effectiveness, however, will depend in large part on the development of further rules, regulations and guidelines that meaningfully address stakeholder concerns about the security of data sharing and the accountability of data custodians and recipients. This means that the current consultation period (which remains open until 6 November 2020) will be an important step in further developing and refining these aspects of the framework under the Bill.
By Julian Lincoln, Anna Jaffe, Siobhan Lane and Bryce Robinson.