Data Sharing and Release Act


A modernized regulatory framework.

Key points

Sourced from chapter 8 of the Productivity Commission's Final Report

Legislation, in the form of the Data Sharing and Release Act, should be introduced to create consistent rules for improved data sharing and release.

The legislation will serve two major purposes. First, it will provide a clear and unambiguous signal of the shift in approach of the Australian Government and parliament to the data issues uncovered in this report - a crucial step to achieving cultural change amongst a myriad of data custodians.

Secondly, it will offer a structural framework, principles-based and outcomes-focused, to give authority and guidance to effective and responsible use of information in a data-rich future.

The Data Sharing and Release Act would include:

  • A risk-based approach to improved data sharing and release.
  • New institutional arrangements to promote trust and confidence in the data sharing and release system, centred on improved capabilities, accreditation procedures for both users and custodians, and most particularly the National Data Custodian.
  • National Interest Datasets, to overcome impediments to the effective integration, sharing and use of data of national significance, currently hindered by multiple legislative barriers.
  • The Comprehensive Right for consumers to access their data from government and private data holders alike, for the purposes of improving the services that are offered to them by alternative providers.

The Data Sharing and Release Act would, for the purposes of other legislation that impedes consideration of improved sharing and release, authorise the sharing of data within the public sector and Accredited Release Authorities to trusted users.

Privacy is an important human right and existing protections are retained. The Data Sharing and Release Act should, where it deals with release of personal information (as defined in privacy legislation), operate subject to existing Commonwealth privacy legislation.

To ensure that individuals (including small businesses) can participate in data sharing opportunities, a new definition of data — consumer data — would be created to cover all digital information to give consumers the ability to utilise their data. The changes in consumer data rights should be supported proactively by existing consumer-oriented regulators.

The Data Sharing and Release Act should, to the maximum extent available under Commonwealth powers, establish a national framework, and offer cooperating jurisdictions (and occasionally private datasets) the ability to become integrated and accessible for research and other authorised purposes.

The benefits of a consistent framework, that is scalable and adaptive over time, have generally been widely recognised by stakeholders responding to the draft report.

Please send comments or enquiries to the Taskforce via data.taskforce@pmc.gov.au.

Productivity Commission Recommendations

6.16, 8.1, 8.2, 8.3, 8.5 and 8.6

Recommendation Description
6.16

The Privacy Act 1988 (Cth) exceptions that allow access to identifiable information for the purposes of health and medical research without seeking individuals’ agreement, should be expanded in the legislative package that implements these reforms to apply to all research that is determined by the National Data Custodian to be in the public interest.

8.1

New Commonwealth legislation — the Data Sharing and Release Act — should be passed drawing on the full range of Commonwealth powers to regulate digital data, in order to authorise the better sharing and release of data.

The new Act should also establish the Comprehensive Right of consumers to access their data from government and private data holders alike, for the purposes of improving the services that are offered to them by alternative providers.

8.2

The Data Sharing and Release Act should establish the risk-based approach to data sharing and release and accompanying institutional frameworks.

  • All non-sensitive data held by agencies and Accredited Release Authorities (ARAs) should be explicitly presumed to be made public, consistent with the Australian Government’s Public Data Policy Statement.
  • Data custodians and ARAs would be authorised to provide sensitive data to trusted users in a secure environment, with de-identification where necessary for risk management of the data.
  • The National Data Custodian should have the authority to issue guidance on how the risks of all sharing of identifiable data between entities should be managed. This guidance should be updated where it judges the risks have shifted.

8.3

The Data Sharing and Release Act (DSR Act) would, where possible, override secrecy provisions or restrictions on use that prevent original custodians actively providing access to data to other public sector data custodians and Accredited Release Authorities (ARAs).

Access should be governed by Data Sharing Agreements that embed the trusted user principles, actively assist data sharing and create clarity of understanding amongst the parties. The National Data Custodian (NDC) should issue a model Data Sharing Agreement early in its life, and update it from time to time.

The DSR Act should establish modern, clear and supportive standards — the new ‘rules of the game’ — for data sharing and release. The Commonwealth Privacy Act would continue to apply, as well as any residual obligations emanating from the original data custodian’s legislation.

Existing protections would remain on datasets that do not utilise the DSR Act, in order to ensure there is no gap between the accountability obligations on original public sector data custodians and the ARA.

In limited exceptional circumstances as the DSR Act transitions to becoming nationally effective, it may be necessary to provide access to data shared under the new Act to a party that has yet to adopt its provisions. The NDC should be provided with the power to use a disallowable instrument to allow access or sharing for such transitional purposes.

8.5

Legislative reform to implement the Commission’s recommendations would need to be undertaken in two parts, moving forward together:

  • The first part is the passage of the Data Sharing and Release Act (DSR Act) itself, that authorises to the greatest extent practical in a single statute, the sharing and release of data for the purposes of the Act and removes existing Commonwealth and State restrictions on integrating, linking and research uses of datasets by Accredited Release Authorities.
  • The second part is a further legislative amendment process that may be necessary, depending on the particular characteristics of, for example, National Interest Datasets, in order to address residual restrictions on the use of specific datasets that were not able to be effected by the DSR Act itself.

The National Data Custodian should be asked to identify residual legislative restrictions that need removal in its consideration of National Interest Datasets.

8.6

The Data Sharing and Release Act (DSR Act) should have national reach — to create a simplified and transparent one-stop location for a national framework for data volunteered, declared or acquired for inclusion under the DSR Act.

The Act should allow for the acquisition of private datasets via disallowable instruments as part of the process of creating National Interest Datasets (NIDs). Acquisition should only occur on just terms after parliamentary scrutiny determines the benefits are demonstrable.

An initial set of NIDs should be identified by the National Data Custodian to accompany the DSR Bill, following processes to establish additionality and public interest.

The DSR Act should apply Commonwealth privacy legislation to datasets managed by Accredited Release Authorities where feasible. It should be drafted with reference to (and with the intention of being consistent with) the Data Sharing (Government Sector) Act 2015 (NSW) and the Public Sector (Data Sharing) Act 2016 (SA) to the extent possible.