Data Availability and Transparency Act 2022 passes and receives Royal Assent on 1 April 2022
April 10, 2022 |
On 31 March 2022 the Federal Parliament passed the Data Availability and Transparency Bill 2022. It became law on 1 April 2022. It’s genesis is traced back to reforms proposed by the Productivity Commission’s Inquiry Report into Data Availability and Use (2017).
The Minister’s Second Reading Speech provides:
I am pleased to introduce this bill which will create the Data Availability and Transparency Act, appropriately abbreviated to DATA.
This bill establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests.
2020 has shown us how critical this piece of legislation is.
We started the year in the middle of one of the most disastrous bushfire seasons in recent memory, with thousands of Australians needing access to government services to support them through this difficult time.
Australians continue to face the onslaught of the COVID-19 pandemic, which has cost them their jobs and their livelihoods, and they are turning to their government for help.
Government data and digital services have been fundamental to the government’s response to these events.
Data allowed Australians to receive timely and reliable services in a time of need.
Data allowed Australians to access government services online instead of queuing at Centrelink shopfronts.
It was data that informed the development of essential programs like the JobKeeper payment, so that we could provide relief to Australians who have lost their jobs during this pandemic.
The government’s vision is that Australians experience the same seamless approach to government services every day, not just in times of crisis.
Federal government data sharing has the potential to make this vision a reality, but, unfortunately, layers of old, contradictory rules and slow, inconsistent ways of sharing data is stifling this potential.
We’re working in a tangled data sharing system, and this bill is, frankly, designed to straighten it out.
Legislative outcomes
Let me be clear, the bill is not about publishing data on a website or releasing data without control.
This bill is about creating a scheme that will provide controlled access to data to trusted people and organisations.
This is why the bill establishes an independent regulator, the National Data Commissioner, who will oversee the scheme and hold all participants accountable to a robust standard of security and transparency.
The scheme will authorise sharing of government data for three permitted purposes, all in line with community expectations:
-
- delivery of government services,
- informing government policy and programs, and
- research and development.
Decisions to share will be made by the ‘data custodian’, the federal government agency responsible for the data.
Only users accredited by the National Data Commissioner will be able to request and access data through the scheme. The National Data Commissioner must accredit all non-corporate Commonwealth agencies as users, as they are subject to the Privacy Act and the Public Governance, Performance and Accountability Act. The minister may also direct the commissioner to accredit other Commonwealth bodies, like the National Disability Insurance Agency, if they meet the accreditation criteria. The minister may direct the commissioner to suspend or cancel the accreditation of public service users.
The commissioner may also accredit data service providers, who may be other government agencies or commercial providers, to support data custodians and users to share data.
The accreditation process will ensure that users and service providers have the right skills and resources to handle data safely and securely before they enter the scheme.
The bill includes a risk management framework, the data sharing principles, based on the internationally recognised Five Safes framework.
The principles provide a tool to assess the benefits and manage the strategic, privacy, security, ethical and operational risks of sharing.
If a data custodian accepts a data sharing request, the sharing arrangement must be formalised in a data sharing agreement with the accredited user.
This agreement will set the terms and conditions of a data sharing project, laying out how benefits will be realised and how risks will be mitigated.
The National Data Commissioner must publish data sharing agreements on a public register to ensure transparency and accountability and promote trust in government data handling.
A National Data Advisory Council, made up of some of the best minds in data, privacy and regulatory practice, will advise the National Data Commissioner on ethical data use and technical issues.
All of these components come together to form a principles-based data sharing scheme, which will ensure the bill remains relevant and adaptable to evolving technology and changing community expectations.
Specific powers will be given to the minister to make rules, while the National Data Commissioner will issue data codes, binding codes of practice that detail how to apply the legal provisions.
By introducing this bill and the Data Availability and Transparency (Consequential Amendments) Bill today, we are acting on commitments made by the government in its response to the 2017 Productivity Commission inquiry into data availability and use.
This inquiry highlighted the value of data-driven government services for Australians, and this bill lays the groundwork for us to realise these benefits and establish world-class connected, government services.
Benefits
This bill will streamline and modernise data sharing across the Australian government to support better service delivery, policies and programs and research.
Data sharing will support us to develop simpler government services akin to myTax and Single Touch Payroll, saving Australians time by pre-filling forms with information already provided to government.
Data sharing will support us to take a ‘tell us once’ approach to service delivery, so that Australian people and businesses would be able to receive tailored information, advice and services without having to waste time giving the same data to different agencies again and again.
Data sharing will break down silos between agencies and, combined with myGov enhancements, simplify existing services to give Australians faster, easier access to government support.
Data sharing will also support us to develop more tailored and targeted government policies.
For example, controlled data sharing between government agencies led to the development of methods that resulted in fairer allocation of government funding to non-government schools.
Data sharing will also support the Commonwealth and state and territory governments to work together on nationally significant policies and programs, such as the National Disability Data Asset, which aims to improve outcomes for people with disability, their families and carers.
Data sharing will give researchers the opportunity to collaborate with federal government agencies to solve problems and save lives, like when prescription data was shared safely with health researchers who identified five medications as potential contributors to heart failure and stroke.
These insights enabled the government to work with doctors to change prescription guidelines, minimise adverse effects, enhance patient safety and avoid the costs of hospitalisation and treatment.
This bill will help us realise these benefits through safe and secure data sharing in line with community expectations.
Safeguards
The bill is the product of extensive collaboration and consultation with federal government agencies, state and territory governments, researchers and academics, data and privacy advocates, and members of the community.
Over two years of consultation we:
-
- received a total of 275 submissions across the bill’s issues paper, discussion paper and exposure draft
- ran 76 roundtables and two public webinars, and
- participated in numerous one-on-one conversations with interested stakeholders across a variety of sectors.
The feedback from our consultation has been essential to building this bill on strong foundations.
This bill has been developed using a ‘privacy-by-design’ approach, which means that privacy and transparency have been considered at every stage of the legislative development process.
This is why we commissioned two independent privacy impact assessments of this bill that have told us that our safeguards are robust and our layers of defence are strong.
The bill’s approach to consent mirrors the approach in the Privacy Act, requiring consent be sought for the sharing of personal information, unless unreasonable or impracticable.
The bill also includes other privacy-enhancing measures, such as data minimisation.
Importantly, the bill will work with new regulations to exclude sharing of particularly sensitive data, such as the electoral roll, My Health Record and COVIDSafe app data.
The National Data Commissioner will champion these safeguards and cooperate with other regulators, such as the Australian Information Commissioner, to ensure personal information is handled appropriately under the scheme.
Conclusion
I would like to give my sincere thanks for the active and ongoing engagement from stakeholders and the community who have played an essential role in the development of this bill over a number of years.
As we proceed to debate this bill, we are taking a significant step towards a different future. A future where policy decisions are enriched by strong data and government services are simple, helpful, respectful and transparent for the benefit of all Australians.
More Australians than ever require government support to get back on their feet as they recover from COVID-19 and other recent national emergencies.
This bill will support the government to respond to this need, and deliver tailored, targeted, and timely government services to people and businesses every day, not just in times of crisis. I commend the bill to the House.
The Act creates a scheme whereby public sector data can be shared between Commonwealth and State governments and Australian public universities .
The purpose for sharing the data is limited to:
- the delivery of government services,
- informing government policies and programs, and
- research and development.
The Act establishes data sharing principles and creates a registered data sharing agreement.
There will be a the office of the National Data Commissioner which will oversee the operation of the Act. The Act is designed to promote greater use of public sector data, encourage innovation, and build trust within society regarding the government’s use of data. Whether it achieves that will depend on the workability of the Act and the Commissioner’s template data sharing agreement.
Under the Act:
- Commonwealth entities may share public sector data with what has been described and defined as“accredited users,”
- “accredited user” is an ADSP or someone accredited under the Act’s accreditation framework.
- bodies corporate, individuals and unincorporated bodies are excluded from data sharing under the Act.
- the Minister and the Commissioner may accredit Australian entities if they:
- have appropriate data management and governance policies, and
- can keep the data private and secure.
- data cannot be shared with foreign entities.
- public sector data is data lawfully collected, created or held by or on behalf of a Commonwealth body. It includes personal data, although that data is subject to additional privacy protections.
- data can be shared with an accredited user directly, or through an ADSP
- if data is shared through an ADSP, the Commonwealth body can collect output/ ADSP-enhanced data from the ADSP if that is covered by a data sharing agreement.
- data sharing purposes are defined as delivery of government services; informing government policy and programs; or research and development.
- data sharing is only permitted under a data sharing agreement that complies with the Act. The agreement must include reference to:
- the data being shared,
- the output of the project,
- the purpose for sharing, and
- details of how the project is consistent with the data sharing principles.
- where appropriate the data services that the ADSP will perform.
- prohibitions on data sharing, collection and use that is not within the scope of the agreement.
- prohibition on the recipient from re-identifying de identified data.
- data can only be shared:
- for a data sharing purpose,
- in a manner consistent with:
- the data sharing principles, and
- consistently with a registered data sharing agreement t
- pursuant to the privacy protections
- data sharing cannot occur where it:
- breaches the law
- is contrary to an agreement.
- is prescribed by the regulations
- data sharing authorisations override existing laws that would otherwise prevent the sharing of data.
- privacy protections are specified relating to the sharing of personal data including:
- the requirements for consent from the individual.
- consent for the sharing of biometric data
- the data custodian/ accredited entity is responsible for taking reasonable steps to mitigate the data breach & notify the Commissioner in the evennt of unauthorised access or disclosure or the loss of data.
- Government law enforcement and intelligence entities are exempt.
- there are civil penalty provisions for unauthorised data sharing. The monetary penalty is $66,600 and for recklessly providing access to unauthorised datat here is imprisonment for five years.
There are 5 data sharing principles set out in the legislation:
- Project Principle: The project must be an appropriate project, be reasonably expected to serve the public interest. Parties must observe appropriate ethics principles.
- People Principle. Data is only provided to appropriate individuals. The onus is on the entity sharing the data to determine whether the recipient has capacity to handle the data securely. A relevant factor is whether they have had experience with the projects involving the sharing of data.
- Setting principle: Appropriate protections are required to protect data. That involves security standards.
- Data principle: It is necessary to apply protections to the data.
- Output principle. Data can only be used for the purpose or incidental to the purpose of the data sharing project. That will be set out in the agreement.
The principles suffer from being overbroad and vague. They are unlikely to be a bright guiding light on the sharing of data. They are so amorphous that they may as easily provide assistance to entities that conduct themselves appropriately as those that don’t.
While the privacy protections in the final version of the Bill was better than in its earlier iteration they still remain quite weak by international standards. Under Part 5.3 of the Act complaints are made to the Commissioner and the Commissioner is the gatekeeper. That is a flawed and ineffective model as the Privacy Act has revealed on many occasions. The Information Commissioner has been a timid and ineffective regulator. Complaints to the Information Commissioner have been poorly handled, take too long and determinations in favour of complainants still result in risible awards. There are no rights to individuals involving breach of personal information. That is a major failure of policy.
Clearly data sharing agreements are important in the legislative scheme. How the agreement is structured will determine how effective the data sharing will be.
There is scope for the Minister to make rules and the Commissioner to issue data codes. Such rules and codes may provide for restrictions on custodians and accredited entities.
At 143 sections, it is an Act heavy on process, definitions and more process. It is quite a ponderous piece of legislation.
Given the importance of this legislation the coverage has been quite muted with the Australian FInancial Review covering it with End to multiple forms as ‘tell us once’ becomes possible. It provides:
Citizens will be saved from having to complete multiple forms to access government services, including emergency payments following fires and floods, after the Senate supported a new public data sharing law.
The Data Availability and Transparency Act (DATA) was passed in the last days of parliamentary sittings after five years of development and consultation.
The new law paves the way for the controlled sharing of Commonwealth government data between federal and state agencies, and Australian universities, to improve services, better inform policies and enable researchers to mix de-identified data sets.
The bill, which had been previously rejected by Labor, won support after Minister for Employment, Workforce, Skills and Family Business Stuart Robert and opposition government services spokesman Bill Shorten hammered out an agreement this week.
“Labor was presented with a Ford Edsel—with a lemon,” Mr Shorten told parliament.
“We’ve switched the engines, we’ve beaten the panels, and we’ve touched up the duco.
“With our improvements, well, if it’s not a Maserati then at least it’s a solid Toyota Corolla.”
Mr Shorten said the major improvements included strengthening of privacy protections and a bulking up of penalties.
Foreign access booted
The biggest change is a reduction in scope with foreign organisations such as Google and Facebook no longer able to access the new scheme.
Australian private sector players will also be unable to access the scheme, after it was agreed that it should be left to “mature” as a public sector tool. A review will be undertaken in three years to consider expansion of the scheme.
The review will inform a five-year sunset clause that was also included in the 251 amendments to secure passage of the bill.
The new “DATA scheme” requires agencies to follow the internationally recognised risk management “five safes” framework. This provides a tool to assess the benefits against the strategic, privacy, security, ethical and operational risks of sharing.
The new system will let citizens make a single application for similar services, such as for emergency support after floods or fires. Similarly, only one application will be needed for a Service Australia disability pension and support from the National Disability Insurance Agency (NDIA).
It also creates a legal regime for federal and state agencies to share data around life events, such as a simple way to register the birth of a child and have that information passed onto multiple health, education, welfare and community service agencies.
Federal and state government agencies will also be able aggregate data much more easily, enabling services such as a national bushfire warning app and a national drought map.
Controlled data sharing has also been used to better allocate funding to non-government schools based on socio-economic needs.
The new law will also help expand the Australian Bureau of Statistics data integration program with Australian researchers. This has helped health researchers find linkages that show how folate can reduce spina bifida birth defects.
Other researchers have also used prescription data to identify medications as potential contributors to heart failure and stroke.
Bipartisan support crucial
Mr Robert has strongly championed the bill for three years and said it was important it had received strong bipartisan support.
“For over 120 years, there’s been 500 different bits of legislation, secrecy provisions, all sorts of things,” Mr Robert told the Australian Financial Review.
“Most of it was pre-digital and most of it would have made sense in the paper days, but in the digital world make no sense at all. So if we were going to actually do this properly, I needed it to be bipartisan.”
“The key thing is service delivery. We can now actually share data with consent between someone on a disability support pension and someone who’s in the NDIS, or between Medicare and Centrelink. We can actually now do the ‘tell us once’,” Mr Robert said.
Mr Robert said the new regime would accelerate new services federal and state digital ministers had been developing.
“We’re working on a single digital birth certificate as a first credential. All of this is being worked on together and this is where being able to share data is just crucial.”
He said the data sharing scheme would play a key role in the roll out of the myGov app as a portal for all federal services.
“This will revolutionise how we drive out the [new] myGov app and how we have a single front door for the citizen into government. So myGov will become that single front door.“
The new law brings the federal government into line with the states, most of which have had data sharing regimes for several years.
The Act formally establishes a national data commissioner who will oversee the roll out of the data scheme, including to punish unlawful uses of federal government data.
Bringing systems together
Commissioner Gayle Milnes will formally accredit most organisations requesting access to de-identified government data, and will also accredit most data services seeking to share government data with.
Ms Milnes told The Australian Financial Review a number of measures were in place to accelerate uptake. These aim to overcome the cultural resistance other states had experienced and delayed broader data sharing.
“The first is Dataplace, which is a platform not for sharing the data itself, but for supporting and managing data sharing requests,” Ms Milne said.
“I think this is also really important enabling tool.”
The always excellent InnovationAus magazine provides a good coverage with Significant public sector data-sharing reforms pass Parliament. It provides:
The sharing of public sector data will significantly increase after legislation opening up a “new path” for this passed Parliament with bipartisan support on the last possible day before the upcoming election with the Opposition securing a number of amendments.
The Data Availability and Transparency Act passed both houses of Parliament on Wednesday with a number of bipartisan amendments from the previous version of the bill, which was introduced to Parliament in late 2020.
The data-sharing reforms have been in the works for more than five years following a Productivity Commission report in 2016 which recommended a new scheme. The Coalition has been consulting on the bill since mid-2018 but the plan stalled when the Opposition signalled it would vote against the bill in a dissenting report as part of a Senate inquiry into it.
Shadow Government Services Minister Bill Shorten has been working with the government on the bill over the last year and has secured a series of amendments, securing its passage through the Senate on Wednesday night, one of the chamber’s last acts before the May election.
The Act is the bedrock of the government’s data strategy, and facilitates the establishment of a Data Commissioner as a statutory role.
It provides a “new path” for the sharing of data which is currently blocked by secrecy provisions, and will see more data on Australians shared by departments and agencies. There are three permitted uses for the sharing of data: the delivery of government services, to inform government policies and programs, and for research and development.
The bill allows for the sharing of public sector data with federal and state governments and Australian universities.
The amendments agreed to by the government and Opposition include a requirement that the data only be shared with Australian organisations and not with the private sector, for a review of the scheme within three years and a sunset clause in five years.
Speaking in Parliament on the bill, Mr Shorten said the new version of the bill now strikes the right balance between privacy and opening up data to deliver better government services.
“I believe that the most troubling aspects of the original bill have now been mitigated. In its new form, the bill now essentially removes some of the barriers to data sharing between state and federal governments and Australian universities for specified purposes and with the approval of the Data Commissioner,” Mr Shorten said.
Employment Minister Stuart Robert confirmed that amendments to the data-sharing bill will “clarify and enhance” privacy protections, introduce new national security safeguards and ensure the scheme won’t be extended to the private sector “during initial establishment”.
“Underpinned by strong safeguards and simplified efficient processes, the scheme lays the groundwork for world-class data-driven government services that will benefit all Australians. This is critical legislation to advance our collective vision for Australia to become a leading digital economy and data-driven society by 2030,” Mr Robert said.
“This legislation takes a significant step forward towards data-driven innovation across the economy, a step towards a future where policy decisions are enriched by strong data and government services are simple, helpful, respectful and transparent. Australians can have enormous confidence that the new scheme is world class and that data sharing is the safest and most effective it can be.”
Speaking in the lower house, shadow industry minister Ed Husic said the government has dragged its feet on the data-sharing reforms.
“It’s taken a hell of a long time to get to this bill to look at the frameworks around how that data is used and shared,” Mr Husic said.
“The first act that we got out of the Coalition was not to think about the open data requirements and the way in which government could use this much more beneficially; their first thought was to come up with a consumer data right, to make a buck out of it…I don’t have a problem with that, but it’s interesting that that was the priority of this government.
“As much as we need to ensure that the data’s available, that it is crunched through AI and that it is applied in beneficial ways, we do need to not think in a completely utopic way but just get the balance right. I think the best thing in this debate is not to be completely in a utopian frame of mind or a dystopian frame of mind but to just get the balance right.”
The bill passed the House of Representatives with only Greens MP Adam Bandt, George Christensen, Craig Kelly and Andrew Wilkie voting against it.
It soon also sailed through the Senate without debate, with the Greens and crossbench Senator Rex Patrick voting against it.
The previous version of the bill was slammed by human rights and civil liberties groups, which raised concerns about the privacy impacts and the sharing of public sector data with private sector organisations.
In the dissenting Senate report last year, Labor Senators labelled the bill “deeply flawed” and “weak, poorly designed and subject to abuse”.
Developing the scheme has already cost $20.5 million, with $11.1 million set aside from 2020 for its implementation.
Gayle Milnes was appointed as the new National Data Commissioner Designate earlier this year, and this will now be a statutory role overseeing the data-sharing scheme.