Accredited Release Authorities


Hubs of data sharing and release expertise.

Key points

Sourced from chapter 6 of the Productivity Commission's Final Report

An integral part of the Commission’s recommended data reform framework is the introduction of a network of Accredited Release Authorities (ARAs).

Accredited Release Authorities would be hubs of sectoral expertise in data curation, de-identification and linkage, and would implement a risk-based approach to the broader sharing and release of data through formal, contemporary, National Data Custodian-reviewed risk management procedures.

They would also be accredited by the National Data Custodian in their processes, governance and objectives and have responsibility for releasing or sharing data, usually drawn from a particular sector of activity.

The Commission suggests that ARAs should themselves be responsible for managing the risks associated with the data they hold. Making ARAs accountable for sharing or release would have the benefit of providing them with strong incentives to maintain effective, sector-relevant risk management and mitigation practices and keep these updated in the context of technological, regulatory, and other environmental changes.

ARAs would generally be nationally focused and may be located within the Commonwealth, State or Territory public sectors or be other publicly funded entities that have the necessary expertise, focus, governance structures and social licence.

They would be funded to undertake data curation, management, linkage, storage and release, with the National Data Custodian to play a role in funding determinations. ARAs could also receive revenue from project work undertaken for clients.

Given that ARAs are envisaged as sectoral centres of excellence, with an established track record and leadership position within their sector, it is likely that a relatively limited number of such entities would exist or be established.

Please send comments or enquiries to the Taskforce via data.taskforce@pmc.gov.au.

Productivity Commission Recommendations

6.8, 6.9, 6.10, 6.12 and 7.3

Recommendation Description
6.8

Selected public sector and public interest entities should be accredited as release authorities. Accreditation should be determined based on sectoral expertise, capability, governance structures, and include consultation throughout the relevant sector.

Accredited Release Authorities (ARAs) would be responsible for:

  • deciding (in consultation with original data custodians) whether a dataset is available for public release or limited sharing with trusted users
  • collating, curating, linking and ensuring the timely updating of National Interest Datasets and other datasets
  • offering advice, services and assistance on matters such as dataset curation, de-identification and linking
  • providing risk-based access to trusted users.

ARAs should be fully operational from the beginning of 2019.

6.9

All Accredited Release Authorities must have and publish formal risk management processes to effectively assess and manage the risks associated with sharing and release of data under their control.

Standardised, access-friendly Data Sharing Agreements should be implemented with external data providers and users to formalise the activities that can take place with identifiable and de-identified data.

Risk management processes should be regularly reviewed and revised to account for new and emerging risks.

6.10

Funding of Accredited Release Authorities (ARAs), for the purposes of data management, curation, storage and access should be set via a funding agreement with the National Data Custodian.

ARAs should have the power to charge fees sufficient to recoup costs where ARAs undertake requested work beyond that envisaged in their funding arrangement with the National Data Custodian.

In assessing the scope to undertake such activities, ARAs must ensure they do not detract from their primary focus on the public benefits of enabling greater access to, and use of, data (which is the basis for their accreditation and funding).

6.12

Accredited Release Authorities (ARAs) should be given responsibility to grant, on a continuing program-wide basis, data access to trusted users from a range of potential entities that:

  • Have the necessary governance structures and processes in place to address the risks of inappropriate data use associated with particular datasets, including access to secure computing infrastructure.
  • Have a signed legal undertaking that sets out safeguards for data use and recognises relevant privacy requirements.

In assessing trusted user access, the ARAs should accept existing current approvals of the trusted user’s work environment.

Trusted user status for use of identifiable data would cease for that user when they leave the approved environment, when a program is completed, or if a data breach or mishandling occurs in that same environment and/or program.

7.3

Trusted users should be accredited by the relevant Accredited Release Authority (ARA) for access to those National Interest Datasets (NIDs) that are not publicly released, under processes accredited and updated as needed by the National Data Custodian.

Trusted users should be personnel from a range of potential entities that:

  • Have the necessary governance structures and processes in place to address the risks of inappropriate data use associated with particular datasets, including access to secure computing infrastructure.
  • Have a signed legal undertaking that sets out safeguards for data use and recognises relevant privacy requirements.

The default position should be that after applicants and their institution establish capability to respect the processes and obligations of the ARA’s accredited standard, an individual researcher from one of these organisations would be readily approved for access.

For trusted users of NIDs, this status should provide an ongoing access arrangement to specified unreleased datasets that would only cease on completion of a researcher’s engagement with their relevant institution, or a loss of trust in the user or their organisation (via processes also established in accreditation of the ARA by the National Data Custodian).