This is a Bill, not an Act. For current law, see the Acts databases.
South Australia
Public Sector (Data Sharing) Bill 2016
A BILL FOR
An Act to facilitate the sharing of data between public sector agencies;
and for other purposes.
Contents
Part 2—Objects and interaction with other Acts
Part 3—Facilitating public sector data sharing
7 Public sector data sharing authorisation
8 Data sharing on direction by Minister
Part 4—Data sharing safeguards
9 Confidentiality and commercial-in-confidence
10 Data custody and control safeguards
11 Other data sharing safeguards
12 Restriction on further use and disclosure of public sector data
The Parliament of South Australia enacts as follows:
This Act may be cited as the Public Sector (Data Sharing)
Act 2016.
This Act will come into operation on a day to be fixed by
proclamation.
data means any facts, statistics, instructions, concepts or
other information in a form that is capable of being communicated, analysed or
processed (whether by an individual or by a computer or other automated
means);
data analytics work means the examination and analysis of
data for the purpose of drawing conclusions about that data (including, for
example, conclusions about the efficacy of Government policies, program
management or service planning and delivery by public sector
agencies);
data provider means the public sector agency that controls
public sector data that is provided to a data recipient under this
Act;
data recipient means the public sector agency to which public
sector data is provided under this Act;
data sharing safeguards—Part 4 sets out the data sharing safeguards for
the purposes of this Act that are applicable to the provision of public sector
data by a public sector agency to another public sector agency;
de-identified—personal information is de-identified if
the information is no longer about an identifiable individual or an individual
who is reasonably identifiable;
exempt public sector data means—
(a) public sector data held by a prescribed public sector agency; and
(b) any other public sector data, or public sector data of a kind,
prescribed by the regulations;
individual means a natural person, but does not include a
deceased person;
personal information means information or an opinion,
including information or an opinion forming part of a database, whether true or
not, and whether recorded in a material form or not, about an individual whose
identity is apparent, or can reasonably be ascertained, from the information or
opinion;
public sector agency has the same meaning as in the Public Sector
Act 2009 but—
(a) excludes a person or body prescribed by the regulations for the
purposes of this definition; and
(b) includes any other person or body prescribed by the regulations for the
purposes of this definition;
public sector data means any data that a public sector agency
controls;
trusted access principles—see section 6.
(2) The regulations may provide that section 14(1) does not apply in relation
to a person or body prescribed for the purposes of paragraph (b) of the
definition of public sector agency in subsection (1).
Part 2—Objects and interaction with other Acts
The objects of this Act are—
(a) to promote, in accordance with the trusted access principles and the
data sharing safeguards, the management and use of public sector data as a
public resource that supports good Government policy making, program management
and service planning and delivery; and
(b) to remove barriers that impede the sharing of public sector data
between public sector agencies; and
(c) to facilitate the expeditious sharing of public sector data between
public sector agencies; and
(d) to provide protections in connection with public sector data sharing
under this Act by—
(i) specifying the purposes for, and the circumstances in which, public
sector data sharing is permitted or required; and
(ii) ensuring that public sector data held by public sector agencies
shared under this Act continues to be protected from unauthorised use or
disclosure; and
(iii) ensuring that data providers retain responsibility for the release
of public sector data outside the public sector under the Freedom of
Information Act 1991; and
(iv) requiring compliance with data sharing safeguards in connection with
public sector data sharing.
(1) Subject to subsection (2), the provision of public sector data by a public
sector agency to another public sector agency is lawful for the purposes of any
other Act or law that would otherwise operate to prohibit that provision
(whether or not the prohibition is subject to specified qualifications or
exceptions) if—
(a) this Act provides that the agency is authorised to provide the other
public sector agency with the public sector data; and
(b) the agency provides the public sector data to the data recipient only
for the purpose to which the authorisation relates.
(2) Nothing in this Act authorises, permits or requires a data recipient—
(a) to use or disclose public sector data received under this Act for a
purpose other than the purpose to which the authorisation to provide the data
relates; or
(b) to deal with any public sector data to which the State Records Act 1997
applies after it is provided under this Act otherwise than in compliance
with the State Records Act 1997.
(3) If a document (within the meaning of the Freedom of Information Act 1991)
is provided by a data provider to a data recipient under this Act, despite the
Freedom of Information Act 1991 the following provisions apply:
(a) a person does not have a right to access the document under that Act
from the data recipient and must not be given access to the document by the data
recipient;
(b) insofar as an application to the data recipient seeks access to the
document under that Act—
(i) the data recipient must refer the application to the data provider; and
(ii) the application is taken to be transferred to the data provider under
section 16(1)(b) of that Act but the data recipient is not required to
forward a copy of the document to the data provider under section 16(2) of
that Act.
(4) This Act is not intended to prevent or discourage the sharing of
public sector data by public sector agencies if it is proper and reasonable to
do so or if it is permitted or required by or under any other Act or
law.
Part 3—Facilitating public sector data sharing
(1) The trusted access principles to be applied in respect
of the sharing and use of public sector data under this Act are set out in this
section.
(2) Safe projects
The purpose for which data is proposed to be shared and used must be
assessed as appropriate having regard to—
(a) whether the data is necessary for the purpose; and
(b) the proposed use of the data; and
(c) whether the purpose for which data is proposed to be shared and used
will be of value to the public; and
(d) whether the public interest in the proposed sharing and use of data
outweighs any contrary public interest; and
(e) whether there is a risk of loss, harm or other detriment to the
community if the sharing and use of the data does not occur.
(3) Safe people
A proposed data recipient must be assessed as an appropriate public sector
agency with whom data may be shared for a particular purpose having regard
to—
(a) whether the proposed data recipient is appropriately equipped and in
possession of the relevant skills and experience to effectively use data for the
proposed purpose; and
(b) whether the proposed data recipient will restrict access to the data
to specified persons with appropriate security clearance; and
(c) whether the data provider will be able to engage with the data
recipient to support the use of the data for the purpose; and
(d) whether other persons or bodies in addition to the data recipient are
invested in the outputs of the project and the motivations of those persons or
bodies to be so invested.
(4) Safe data
Data to be shared and used for a purpose should be assessed as appropriate
for that purpose having regard to—
(a) whether the data is of the necessary quality for the proposed use
(such as being accurate, relevant and timely); and
(b) whether the data relates to people; and
(c) if the data contains personal information, whether the personal
information is necessary for the purpose for which the data is proposed to be
shared and used or whether the data should be de-identified; and
(d) if data containing personal information is to be de-identified, how
that de-identification will be undertaken and whether the data may be
re-identified, and if so, how it may be re-identified.
(5) Safe settings
The environments in which the data will be stored, accessed and used must
be assessed as appropriate having regard to—
(a) the physical location where the data will be stored and used; and
(b) the location of any linked data sets; and
(c) whether the proposed data recipient has appropriate security and
technical safeguards in place to ensure data remains secure and not subject to
unauthorised access and use (such as secure login, user authentication,
encryption and supervision or surveillance); and
(d) the likelihood of deliberate or accidental disclosure or use
occurring; and
(e) how the data will be dealt with after it has been used for the purpose
for which it is shared.
(6) Safe outputs
The publication or other disclosure of the results of data analytics work
conducted on data shared under this Act must be assessed as appropriate having
regard to—
(a) the nature of the proposed publication or disclosure; and
(b) who is the likely audience of the publication or disclosure; and
(c) the likelihood and extent to which the publication or disclosure may
contribute to the identification of a person to whom the data relates; and
(d) whether the results of the data analytics work or other data for
publication or disclosure will be audited and whether that process involves the
data provider.
(7) Prescribed trusted access principles
The regulations may prescribe any additional requirements or principles
relating to the safe and secure sharing and use of data for the purposes of the
definition of the trusted access principles (and any such
additional requirements or principles may relate to the same subject matters as
the trusted access principles already set out in this section).
7—Public sector data sharing authorisation
(1) Subject to this Act, a public sector agency is authorised to provide public
sector data, other than exempt public sector data, that it controls to other
public sector agencies for any of the following purposes:
(a) to enable data analytics work to be carried out on the data to
identify issues and solutions regarding Government policy making, program
management and service planning and delivery by public sector
agencies;
(b) to enable public sector agencies to facilitate, develop, improve and
undertake Government policy making, program management and service planning and
delivery by the agencies;
(c) such other purposes as may be prescribed by the regulations.
(2) A public sector agency must, before providing public sector data to another
public sector agency under subsection (1), apply the trusted access principles
and be satisfied that the sharing and use of the data is appropriate in all the
circumstances.
(3) A public sector agency must, on being satisfied that the sharing and
use of data is appropriate under subsection (2), provide the data to the data
recipient as soon as is reasonably practicable.
(4) If public sector data is provided under this section, the data
provider and the data recipient must comply with all relevant data sharing
safeguards.
8—Data sharing on direction by Minister
(1) The Minister may direct a public sector agency to provide public sector
data that it controls, including exempt public sector data, to another public
sector agency for any of the purposes referred to in section 7(1).
(2) A direction of the Minister under subsection (1)—
(a) authorises the public sector agency specified in the direction to
provide public sector data in accordance with the direction; and
(b) is binding according to its terms on each public sector agency
referred to in the direction; and
(c) must, in relation to the provision of public sector data,
specify—
(i) the nature and extent of the public sector data to be provided; and
(ii) the purposes for which the public sector data is to be provided.
(3) The Minister must, before making a direction under this section in relation
to public sector data, apply the trusted access principles and be satisfied
that the sharing and use of the data is appropriate in all the circumstances.
(4) A public sector agency must, on being directed to provide data under
subsection (1), provide the data to the data recipient as soon as is reasonably
practicable.
(5) If public sector data is provided under this section, the data
provider and the data recipient must comply with all relevant data sharing
safeguards.
Part 4—Data sharing safeguards
9—Confidentiality and commercial-in-confidence
(1) A data recipient that receives public sector data containing confidential
or commercially sensitive information pursuant to an authorisation under
section 7 or section 8 must ensure that the confidential or commercially
sensitive information is dealt with in a way that complies with any contractual
or equitable obligations of the data provider concerning how it is to be dealt
with.
(2) In this section—
confidential or commercially sensitive information means—
(a) information a person or body controls that the person or body is
required to keep confidential because of a contractual or equitable obligation;
or
(b) any other information the disclosure of which would prejudice any
person’s legitimate business, commercial, professional or financial
interests.
10—Data custody and control safeguards
(1) A data provider and data recipient must ensure that public sector data
provided pursuant to an authority under section 7 or section 8 is maintained
and managed in compliance with any legal requirements concerning its custody
and control (including, for example, requirements under the State Records
Act 1997) that are applicable to them.
(2) If a data recipient arranges for a person or body (other than another
public sector agency) to conduct data analytics work using public sector data
with which it has been provided, the data recipient must ensure that appropriate
contractual arrangements are in place before the public sector data is provided
to ensure that the person or body deals with the data in compliance with any
requirements of this Act, the State Records Act 1997 and any data security
policies that are applicable to the data recipient.
11—Other data sharing safeguards
A data provider and data recipient must comply with such other requirements
as may be prescribed by the regulations in connection with the provision and
receipt of public sector data pursuant to an authority under section 7 or
section 8.
12—Restriction on further use and disclosure of public sector data
A data recipient must not use or disclose public sector data received
pursuant to an authorisation under section 7 or section 8 other than for a
purpose for which it was provided unless—
(a) the Minister approves the use or disclosure; or
(b) the use or disclosure is required or authorised by or under law or an
order of a court or tribunal; or
(c) the use or disclosure is reasonably required to lessen or prevent a
serious threat to the life, health or safety of a person, or a serious threat to
public health or safety; or
(d) the use or disclosure is in accordance with the regulations.
(1) The Minister may delegate any of the Minister's functions or powers
under this Act.
(2) A delegation—
(a) may be made—
(i) to a particular person or body; or
(ii) to the person for the time being occupying a particular office or
position; and
(b) may be made subject to conditions or limitations specified in the
instrument of delegation; and
(c) if the instrument of delegation so provides, may be further delegated
by the delegate; and
(d) is revocable at will and does not derogate from the power of the
Minister to act in any manner.
(1) A person acting honestly and in the exercise or purported exercise of
functions in administration of this Act incurs no civil or criminal liability
in consequence of doing so.
(2) A civil action that would, but for subsection (1), lie against a person
lies instead against the Crown, except in the case of a member of a body
corporate or the governing body of a body corporate or a person employed or
appointed by, or a delegate of, a body corporate, in which case it lies instead
against the body corporate.
(1) The Governor may make such regulations as are contemplated by, or necessary
or expedient for the purposes of, this Act.
(2) Regulations under this Act may—
(a) be of general application or limited application; and
(b) make different provision according to the persons, things or
circumstances to which they are expressed to apply; and
(c) provide that a matter or thing in respect of which regulations may be
made is to be determined according to the discretion of the Minister or a
prescribed person or body; and
(d) refer to or incorporate, wholly or partially and with or without
modification, a code, standard or other document prepared or published by a
prescribed body, either as in force at the time the regulations are made or as
in force from time to time.
(3) If a code, standard or other document is referred to or incorporated
in the regulations—
(a) a copy of the code, standard or other document must be kept available
for public inspection, without charge and during ordinary office hours, at an
office or offices specified in the regulations; and
(b) evidence of the contents of the code, standard or other document may
be given in any legal proceedings by production of a document apparently
certified by the Minister to be a true copy of the code, standard or other
document.