South Australian Numbered Acts South Australian Numbered Acts(1) The "trusted access principles" to be applied in respect of the sharing and use of public sector data under this Act are set out in this section.
(2) Safe projects
The purpose for which data is proposed to be shared and used must be assessed as appropriate having regard to—
(a) whether the data is necessary for the purpose; and
(b) the proposed use of the data; and
(c) whether the purpose for which data is proposed to be shared and used will be of value to the public; and
(d) whether the public interest in the proposed sharing and use of data outweighs any contrary public interest; and
(e) whether there is a risk of loss, harm or other detriment to the community if the sharing and use of the data does not occur.
(3) Safe people
A proposed data recipient must be assessed as an appropriate public sector agency with whom data may be shared for a particular purpose having regard to—
(a) whether the proposed data recipient is appropriately equipped and in possession of the relevant skills and experience to effectively use data for the proposed purpose; and
(b) whether the proposed data recipient will restrict access to the data to specified persons with appropriate security clearance; and
(c) whether the data provider will be able to engage with the data recipient to support the use of the data for the purpose; and
(d) whether other persons or bodies in addition to the data recipient are invested in the outputs of the project and the motivations of those persons or bodies to be so invested.
(4) Safe data
(a) If data to be shared and used contains personal information, the personal information must be de-identified unless—
(i) the person to whom the personal information relates has consented to the sharing and use; or
(ii) the sharing and use of the personal information is reasonably related to the original purpose for which it was collected and there is no reason to think that the person to whom the information relates would object to the sharing and use; or
(iii) the sharing and use of the personal information is in connection with a criminal investigation or criminal proceedings or proceedings for the imposition of a penalty; or
(iv) the sharing and use of the personal information is in connection with the wellbeing, welfare or protection of a child or children or other vulnerable person; or
(v) the sharing and use of the personal information is reasonably necessary to prevent or lessen a threat to the life, health or safety of a person; or
(vi) the purpose of the sharing and use of the personal information cannot be achieved through the use of de-identified data and it would be impracticable in the circumstances to seek the consent of the person to whom the information relates; or
(vii) the sharing and use of the personal information is for a prescribed purpose or occurs in prescribed circumstances;
(b) Data to be shared and used for a purpose must be assessed as appropriate for that purpose having regard to—
(i) whether the data is of the necessary quality for the proposed use (such as being accurate, relevant and timely); and
(ii) whether the data relates to people; and
(iii) if data containing personal information is to be de-identified, how that de-identification will be undertaken and whether the data may be re-identified, and if so, how it may be re-identified.
(5) Safe settings
The environments in which the data will be stored, accessed and used must be assessed as appropriate having regard to—
(a) the physical location where the data will be stored and used; and
(b) the location of any linked data sets; and
(c) whether the proposed data recipient has appropriate security and technical safeguards in place to ensure data remains secure and not subject to unauthorised access and use (such as secure login, user authentication, encryption and supervision or surveillance); and
(d) the likelihood of deliberate or accidental disclosure or use occurring; and
(e) how the data will be dealt with after it has been used for the purpose for which it is shared.
(6) Safe outputs
The publication or other disclosure of the results of data analytics work conducted on data shared under this Act must be assessed as appropriate having regard to—
(a) the nature of the proposed publication or disclosure; and
(b) who is the likely audience of the publication or disclosure; and
(c) the likelihood and extent to which the publication or disclosure may contribute to the identification of a person to whom the data relates; and
(d) whether the results of the data analytics work or other data for publication or disclosure will be audited and whether that process involves the data provider.
(7) Prescribed trusted access principles
The regulations may prescribe any additional requirements or principles relating to the safe and secure sharing and use of data for the purposes of the definition of the "trusted access principles" (and any such additional requirements or principles may relate to the same subject matters as the trusted access principles already set out in this section).