The Data Availability and Transparency Act 2022  (DAT Act) establishes a legislative scheme for sharing Australian Government data. A new mechanism for sharing public sector data was recommended by the Productivity Commissioner in 2017, and the Government has been consulting on such a scheme since mid-2018.

The scheme set out in the DAT Act was introduced to the Australian Parliament on 9 December 2020 to allow greater flexibility in sharing public sector data.

Relevantly, the Bill's Explanatory Memorandum (Explanatory Memorandum) provides that:

"Reforms are necessary to realise the benefits of greater data availability and use identified by a Productivity Commission inquiry, supporting economic and research opportunities and the Government's vision for streamlined and efficient service delivery."1

On 30 March 2022, the Bill passed both houses of Parliament and received Royal Assent on 31 March 2022. Under amendments passed by Parliament, the scheme allows the sharing of public sector data with Australian entities, specifically Commonwealth, State and Territory bodies and Australian universities. The DAT Act commenced on 1 April 2022.

Controls established by the scheme

The DAT Act provides a new method by which public sector data is shared. Under the DAT Act, the three purposes for sharing public sector data are:

  • the delivery of government services
  • to inform government policies and programs
  • for research and development.

Data custodians are Commonwealth bodies that control public sector data or the output of certain data projects which are not excluded entities. Once a data custodian is satisfied that a proposed project is for a permitted purpose, the data sharing principles must be applied to assess and control risks of sharing.

The five data sharing principles act as one of the key layers of safeguards. The principles include:

  • project principle:  Considering the intended use of the shared data, including public interest, consent and ethics requirements
  • people principle:  Considering users accessing the data to ensure they can be trusted and have the right skills for the project
  • setting principle:  Assessing if data is shared in a controlled environment tailored to the data type and sensitivity, subject to security standards
  • data principle:  Requiring data to be protected, including taking a 'data minimisation' approach, so only data that is reasonably necessary to achieve the project is shared
  • output principle:  Ensuring the results and outcomes of the projects are agreed upon, including whether they are appropriate for publishing.

These principles guide how risks should be assessed and managed.   

Risk management for data custodians

The principles are a framework for best practice risk management, enabling parties to adapt controls to suit the needs and context of each sharing arrangement.

Relevantly, the Explanatory Memorandum reminds data custodians:

"The Bill does not compel sharing. Data custodians are responsible for assessing each sharing request, and deciding whether to share their data if satisfied the risks can be managed."2

On this basis, it will be key for data custodians to assess each project on a case-by-case basis, paying attention to each project's circumstances.

If a data custodian decides that a permitted purpose is not met or the project does not meet the requirements of the data principles, section 25 of the DAT Act requires the entity to provide reasons as to why the data request is rejected. Indeed, the DAT Act contains penalty provisions to deter non-compliance with its requirements and to protect data shared or created through the scheme.

Applying the principles and considering whether a project meets a permitted purpose on a case-by-case basis will not only ensure compliance with the DAT Act, but also assist in establishing good administrative practice. This will aid in increasing public confidence in the way the Government handles public sector data.

Interaction with other legislation

The DAT Act presents an interesting dynamic regarding its interaction with existing legislation regulating public sector information, such as the Freedom of Information Act 1982  (Cth), Privacy Act 1998 (Cth) (Privacy Act) and secrecy provisions. The DAT Act includes specific privacy protections at Part 2.4, regulating the sharing of personal information. Notably, the DAT Act provides an authorisation under section 23 that overrides any law of the Commonwealth, a State or Territory, including those contained within a secrecy provision.

Next steps

The DAT Act provides for the publication of data codes, rules and regulations which will provide further guidance on the operation of the legislation. A review of the scheme is scheduled to take place in three years and a sunset clause has been included, which operates after five years.

Key takeaways

The DAT Act presents a significant milestone in the legislation applicable to sharing public sector data. The recent pandemic and recurring emergency situations have demonstrated the value of data to inform public policy that best meets the needs of the Australian community. At the same time, there is increased awareness regarding the protection of personal information. Accordingly, it is essential that all entities involved in the scheme pay close attention to the requirements of the legislation.

Footnotes

1 Explanatory Memorandum, Data Availability and Transparency Bill 2020, 5.

2 Explanatory Memorandum, Data Availability and Transparency Bill 2020, 5.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.