Victorian Bills Explanatory Memoranda



Victorian Data Sharing Bill 2017


                        Introduction Print


              EXPLANATORY MEMORANDUM


                                 General
The main purpose of the Victorian Data Sharing Bill 2017 is to establish the
office of the Chief Data Officer, to promote the sharing and use of public
sector data as a public resource that supports government policy making,
service planning and design, and to amend the Privacy and Data Protection
Act 2014.

                              Clause Notes

                          Part 1--Preliminary
Clause 1   provides that the main purposes of the Bill are--
             •       to establish the office of Chief Data Officer; and
             •       to promote the sharing and use of public sector data
                    as a public resource that supports government policy
                    making, service planning and design;
             •       to remove barriers that impede the sharing of
                    identifiable data with the Chief Data Officer or
                    with data analytics bodies, and to facilitate the
                    sharing of data across the public sector; and
             •       to provide protections in connection with data sharing
                    under this Bill, by--
                    •       specifying the purposes of data sharing, and the
                           circumstances in which sharing of identifiable
                           data is permitted; and




581326                               1     BILL LA INTRODUCTION 18/10/2017

 


 

                    •       ensuring that data that is handled under this
                           Bill is protected from unauthorised access, use
                           or disclosure; and
             •       to make consequential and other amendments to other
                    Acts.

Clause 2   sets out the commencement of the Bill. It will come into
           operation on the day after the day on which it receives the
           Royal Assent.

Clause 3   provides definitions for the key terms used in the Bill.
           Subclause (2) provides that, for the purposes of the Bill, a
           body holds data if the data is contained in a document in the
           possession or under the control of the body.

Clause 4   provides that the Bill binds the Crown.

Clause 5   provides that data must only be handled under the Bill for the
           purpose of informing government policy making, service planning
           and design.

                       Part 2--Chief Data Officer
Clause 6   provides that the Secretary to the Department responsible for
           administering this Bill may employ a person under Part 3 of the
           Public Administration Act 2004 to be the Chief Data Officer.

Clause 7   sets out the functions of the Chief Data Officer which include
           to conduct data integration and data analytics work to inform
           government policy making, service planning and design, to build
           capability in data analytics across the public sector, to
           coordinate data sharing and integration on behalf of the state
           of Victoria, to make integrated data sets and the results of
           data analytics work available to data sharing bodies and
           designated bodies and to collaborate with these bodies, and any
           other functions incidental to these functions or conferred
           under this Bill or any other Act.

                         Part 3--Data requests
Clause 8   sets out the mechanism by which the Chief Data Officer can make
           a formal request to a data sharing body or a designated body
           for data held by the body. The Chief Data Officer can only make
           a request for the purpose of informing government
           policy making, service planning and design and must not request
           restricted data. The Chief Data Officer must make the request
           in the form of a written notice which specifies the data being
           requested, the reasons for the request and how the data will be
           handled.

Clause 9   provides that a data sharing body that receives a request under
           clause 8 must respond to the request within 10 business days
           (or a longer period as agreed by the Chief Data Officer).
           The data sharing body's response must either be to provide the
           data, or to provide reasons (in accordance with clause 14) for
           why the data sharing body will not be providing some or all of
           the data. If the data sharing body does not intend to provide
           some or all of the data, the response must be given to the
           Secretary to the Department as well as the Chief Data Officer.

Clause 10  provides that if a designated body receives a request under
           clause 8, the designated body may respond by providing some or
           all of the data but is not obligated to do so.

Clause 11  sets out the mechanism by which the Chief Data Officer can make
           a formal request to a data sharing body or a designated body
           for information about their data holdings. The information that
           may be requested includes, but is not limited to--
             •       the kind of data sets held by the data sharing body
                    or designated body; and
             •       the number of data sets held by the data sharing body
                    or designated body; and
             •       the kind of information contained in the data sets
                    held by the data sharing body or designated body; and
             •       the accuracy, currency and completeness of the data
                    sets held by the data sharing body or designated body.

           The Chief Data Officer can only make a request for the purpose
           of informing government policy making, service planning and
           design. The Chief Data Officer must make the request in the
           form of a written notice which specifies the information being
           requested, the reasons for the request and how the information
           will be handled.

Clause 12  provides that a data sharing body that receives a request under
           clause 11 must respond to the request within 10 business days
           (or a longer period as agreed by the Chief Data Officer).
           The data sharing body's response must either be to provide the
           information, or to provide reasons (in accordance with
           clause 14) for why the data sharing body will not be providing
           some or all of the information. If the data sharing body does
           not intend to provide some or all of the information, the
           response must be given to the Secretary to the Department as
           well as the Chief Data Officer.

Clause 13  provides that if a designated body receives a request under
           clause 11, the designated body may respond by providing some or
           all of the information but is not obligated to do so.

Clause 14  sets out a non-exhaustive list of reasons for which a data
           sharing body or designated body may choose to refuse to provide
           data or information requested by the Chief Data Officer under
           clause 8 or 11. The responsible officer of the data sharing
           body or designated body may refuse if the responsible officer
           considers that data or information should not be provided for
           any reason, including but not limited to the following
           reasons--
             •       that the provision of the data or information would
                    constitute a breach of one or more of the following--
                    •       client legal privilege or legal professional
                           privilege;
                    •       contract;
                    •       an equitable obligation of confidence;
                    •       an order of a court or tribunal;
                    •       subject to Part 4, a law of the Commonwealth,
                           a State or a Territory; or
             •       that the provision of the data or information would
                    be likely to prejudice one or more of the following--
                    •       the investigation of a breach, or possible
                           breach, of a law of the Commonwealth, a State
                           or a Territory, or the administration or
                           enforcement of such a law;
                    •       a coronial inquest or inquiry;
                    •       a proceeding before a court or tribunal; or
             •       that the responsible officer believes on reasonable
                    grounds that the provision of the data or information
                    would be likely to endanger the health, safety or
                    welfare of one or more individuals.

                   Part 4--Use and disclosure of data

    Division 1--Authorised use and disclosure of identifiable data
This division sets out the circumstances in which the use or disclosure of
identifiable data is authorised by the Bill and the restrictions which apply
to use and disclosure of identifiable data.

Clause 15  subclause (1) authorises the responsible officer of a data
           sharing body or a designated body to disclose identifiable data
           to the Chief Data Officer in response to a request under
           clause 8. The disclosure is only authorised for the purpose of
           informing government policy making, service planning and
           design.

           Subclause (2) authorises the responsible officer of a data
           sharing body or designated body to disclose identifiable data
           to a data analytics body. The disclosure is only authorised for
           the data analytics body to conduct data integration on the
           identifiable data for the purpose of informing government
           policy making, service planning and design.

Clause 16  authorises the Chief Data Officer to disclose identifiable data
           that the Chief Data Officer has received from a data sharing
           body or designated body under the Bill to a data analytics
           body. The disclosure is only authorised for the data analytics
           body to conduct data integration on the identifiable data for
           the purpose of informing government policy making, service
           planning and design.

Clause 17  authorises the Chief Data Officer to use (as well as collect,
           hold and manage) identifiable data received from data sharing
           bodies and designated bodies under this Bill. The Chief Data
           Officer is only authorised to use the identifiable data for
           data integration for the purpose of informing government policy
           making, service planning and design.

Clause 18  provides that if the Chief Data Officer or a data analytics
           body intend to use the data that they have received under this
           Bill for the purpose of data analytics work, they must first
           take reasonable steps to ensure that the data no longer relates
           to an individual that can be reasonably identified. In doing
           so, the Chief Data Officer or data analytics body must have
           regard to--
             •       the de-identification techniques applied to treat the
                    data;
             •       the technical and administrative safeguards and
                    protections implemented in the data analytics
                    environment to protect the privacy of individuals; and
             •       any other considerations specified in the guidelines
                    issued by the Chief Data Officer.

Clause 19  provides that before disclosing the results of data analytics
           work, the Chief Data Officer or a data analytics body must
           ensure that the results to be disclosed include only
           de-identified data.

      Division 2--Authorised use and disclosure of data to which a
                       secrecy provision applies
Clause 20  provides that the responsible officer of a data sharing body or
           designated body may disclose data to the Chief Data Officer
           under this Bill, even where a secrecy provision under another
           Act applies to that information, so long as the disclosure is
           in accordance with, and for the purposes of, this Bill.

Clause 21  requires that if a responsible officer of a data sharing body
           or designated body is aware that a secrecy provision applies to
           data which they are disclosing to the Chief Data Officer, the
           body must inform the Chief Data Officer of the existence of the
           secrecy provision.

Clause 22  provides that if a secrecy provision applies to the data
           received by the Chief Data Officer under this Bill, then the
           Chief Data Officer is authorised to use the data for the
           purposes of this Bill.

Clause 23  provides that if the Chief Data Officer intends to disclose
           information received under this Bill to which a secrecy
           provision applies, the Chief Data Officer must first obtain the
           approval of the Minister responsible for administering the
           secrecy provision
           (and in the case of a secrecy provision in the Taxation
           Administration Act 1997, the Commissioner of State Revenue).
           Subclause (2) enables the Chief Data Officer to disclose data
           to the Minister or to the Commissioner of State Revenue (as
           applicable) for the purpose of obtaining the approval.

                Division 3--Relationship with other Acts
Clause 24  subclause (1) provides that this Part does not affect the
           handling of data that would otherwise be permitted by or under
           the Privacy and Data Protection Act 2014, the Health Records
           Act 2001 or any other Act.

           Subclause (2) provides that except as expressly provided by
           this Part, this Bill does not affect obligations under the
           Privacy and Data Protection Act 2014 or the Health Records
           Act 2001 in relation to the handling of identifiable data.

           Subclause (3) provides that if the Chief Data Officer or a data
           analytics body becomes aware that this Bill, the Privacy and
           Data Protection Act 2014, or the Health Records Act 2001 has
           been or is likely to have been breached in relation to data
           handled under the Bill while in the Chief Data Officer's or the
           data analytics body's control, they must as soon as possible
           inform the data provider and the Information Commissioner or
           Health Complaints Commissioner (as relevant).

Clause 25  provides that the Freedom of Information Act 1982 does not
           apply to data in the possession of the Chief Data Officer or a
           data analytics body that was received or integrated under this
           Bill.

                            Part 5--Offences
Clause 26  creates a summary offence for a person (without a reasonable
           excuse) to access, use or disclose data obtained by the person
           under this Bill, other than in accordance with this Bill or in
           the performance of the person's functions under this Bill.
           The penalty for the offence is 240 penalty units or 2 years'
           imprisonment or both.

Clause 27  creates an indictable offence for a person to access, use or
           disclose any data or information obtained by the person under
           this Bill if the person knows or is reckless as to whether the
           data or information may be used to--
             •       endanger the life or physical safety of any person;
                    or
             •       commit, or assist in the commission of, an indictable
                    offence; or
             •       impede or interfere with the administration of
                    justice.

           The penalty for the offence is 600 penalty units or
           imprisonment for 5 years or both.

                      Part 6--Reporting and review
Clause 28  requires that the Chief Data Officer provide a report to the
           Health Complaints Commissioner at least every 12 months on the
           operation of the Centre in relation to the Centre's use of
           health information including the sharing of health information,
           projects which have involved the use of health information and
           the Centre's compliance with the Health Records Act 2001.

Clause 29  requires that the Chief Data Officer provide a report to the
           Information Commissioner at least every 12 months on the
           operation of the Centre in relation to the Centre's use of
           personal information (other than health information) including
           the sharing of personal information, projects which have
           involved the use of personal information and the Centre's
           compliance with the Privacy and Data Protection Act 2004.

Clause 30  provides that the Minister must cause a review to be made of
           the first 5 years of operation of this Bill and within
           12 months of the review being completed, cause the report of
           the review to be laid before each House of Parliament.

                         Part 7--Other matters
Clause 31  subclause (1) allows the Chief Data Officer to delegate any of
           their powers, functions or duties (other than their power of
           delegation) under the Bill to a person employed or engaged by
           the Department responsible for administering this Bill.

           Subclause (2) allows the Secretary to a Department to delegate
           in their capacity as a data analytics body, any of their
           powers, functions or duties (other than their power of
           delegation) under the Bill to a person employed or engaged by
           the Department.

           Subclause (3) allows the responsible officer of a data sharing
           body, data analytics body or designated body to delegate any of
           their powers, functions or duties (other than their power of
           delegation) under the Bill to a person employed or engaged by
           the relevant body.

Clause 32  provides that the Governor in Council may make regulations to
           give effect to the Bill, including regulations to--
             •       prescribe a body as a data sharing body or a data
                    analytics body; and
             •       prescribe a class of data to be restricted data; and
             •       prescribe a provision to be a secrecy provision to
                    which Division 2 of Part 4 does not apply.

Clause 33  provides that the Chief Data Officer may issue and publish
           policies and guidelines in relation to the administration of
           this Bill and that a data analytics body, data sharing body or
           a designated body must have regard to the policies or
           guidelines issued by the Chief Data Officer. The policies and
           guidelines may relate to--
             •       privacy and confidentiality preserving procedures for
                    treating data;
             •       data security safeguards in relation to data handling
                    and storage under this Bill;
             •       secure technology platforms for data handling and
                    storage under this Bill;
             •       risk mitigation frameworks for data handling and
                    storage, such as proportionate risk assessment tools
                    and techniques;
             •       protocols for data integration and data analytics
                    projects, such as project design, governance and data
                    handling arrangements;
             •       any other matters the Chief Data Officer considers
                    relevant.

                         Part 8--Other matters
Clause 34  subclause (1) amends Schedule 1 of the Privacy and Data
           Protection Act 2014 to correct the definition of unique
           identifier by replacing the second "but" in the following
           definition with an "and" so that it now reads as follows--
           "unique identifier means an identifier (usually a number)
           assigned by an organisation to an individual uniquely to
           identify that individual for the purposes of the operations of
           the organisation but does not include an identifier that
           consists only of the individual's name and does not include an
           identifier within the meaning of the Health Records
           Act 2001;".

           Subclause (2) amends Schedule 1 of the Privacy and Data
           Protection Act 2014, to insert "or authorised" in
           clause 10.1(b) so that it permits the collection of sensitive
           information by an organisation where it is required or
           authorised by law.

Clause 35  amends section 20 of the Family Violence Protection Amendment
           (Information Sharing) Act 2017 to repeal certain amendments to
           the Privacy and Data Protection Act 2014 that are no longer
           required as a result of the amendment made by clause 34(2) of
           the Bill.

Clause 36  provides that the repeal of this Part is repealed on the first
           anniversary of the day on which this Bill comes into operation.