Home | Databases | WorldLII | Search | Feedback Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests

Data Availability and Transparency Bill 2020 - Commentary on Ministerial Responses [2021] AUSStaCSBSD 38 (18 February 2021)

Data Availability and Transparency Bill 2020

Privacy^[4]
Significant matters in delegated legislation^[5]

2.10 In Scrutiny Digest 1 of 2021 the committee requested the minister's advice, given the potential impact on an individual's right to privacy as a result of the use and disclosure of personal information under the proposed data sharing scheme, as to whether the bill can be amended to:

• include a public interest test which prioritises privacy interests in decision-making under the scheme;

• provide guidance on the face the bill about the circumstances in which it will be ‘unreasonable or impracticable’ to seek an individual’s consent for sharing their personal information;

• require that, where possible, data that includes personal information is shared in a de-identified way;

• clarify the scope of the permitted data sharing purposes, and include guidance on the face of the bill about precluded purposes; and

• provide minimum standards for ethics approvals for private entities seeking to use data that includes personal information.^[6]

Minister's response^[7]

2.11 The minister advised:

General comment
In 2018, the Australian Government committed to reform the way it shares public sector data. Reforms are necessary to realise the benefits of greater data availability and use identified by a Productivity Commission inquiry, supporting economic and research opportunities and the Government’s vision for streamlined and efficient service delivery.
The Data Availability and Transparency Bill (the Bill) is central to these reforms, establishing an alternate pathway for the sharing of Commonwealth government data. The Bill authorises Commonwealth data custodians to share data with accredited entities for specific purposes in the public interest, with safeguards in place to mitigate risk. Modernising the approach to sharing public sector data will empower government to deliver effective services and better-informed policy, and support research and development.
While the Bill supports sharing of a wide range of Government data, such as environmental or business data, particular attention was given to the potential for sharing personal information during its development. The Bill deliberately leverages and operates alongside existing legislation, such as the Privacy Act 1988 and the Regulatory Powers (Standard Provisions) Act 2014. To minimise duplication and overlap, the Bill also draws upon existing frameworks for matters such as ethics approvals and complaints.
The Bill takes a principles-based approach to data sharing, providing parties with the flexibility to tailor sharing arrangements to manage risks on a case-by-case basis, and ensuring the scheme can respond to evolving technologies and community expectations. To ensure efficient and adaptable administration of the scheme, key concepts are included in the Bill, with more detailed requirements and procedures addressed in delegated legislation or guidelines that entities must have regard to when operating under the scheme [see clause 27].
General comments – Interactions between the Bill and the Privacy Act 1988
The Bill has been developed using a privacy-by-design approach to identify, minimise and mitigate privacy impacts wherever possible. Two independent Privacy Impact Assessments (PIAs) were undertaken to identify strengths and weaknesses in the early policy positions and planned legislative framework, and the draft Bill itself.
The Bill works with the Privacy Act 1988 to protect the personal information of individuals shared under the scheme. The Bill relies on the ‘required or authorised by law’ exception to Australian Privacy Principles (APP) 3 and 6 to allow personal information to be collected, used and disclosed under the scheme. In leveraging these exceptions, the Bill strikes an important balance — acknowledging the legitimate interests of entities in carrying out their functions or activities and balancing these interests with the protection of individual privacy. In this instance the functions and activities support government to deliver effective policy, service delivery and support research and development.
Australian Government agencies responsible for decisions under the Bill are also subject to the Privacy Code (Australian Government Agencies – Governance) APP Code 2017 (‘Privacy Code’). This includes a requirement that data custodians (as APP agencies) must conduct PIAs for ‘high privacy risk projects’ [the bill does not prevent custodians from requiring privacy impact assessments for projects beneath this threshold].
The Bill includes a range of ‘privacy-positive’ measures to protect the personal information of individuals, informed by consultation with the community and advice from privacy experts such as the Office of the Australian Information Commissioner (OAIC). These measures include:

• a privacy coverage model that ensures all entities have privacy obligations equivalent to the Privacy Act 1988 (clause 28). APP entities continue to have obligations under the APPs, including governance, privacy policies, and data security, and the Notifiable Data Breaches scheme.

• permitting data sharing for three purposes in the public interest, while precluding sharing for purposes such as surveillance or monitoring of individuals (clause 15).

• a requirement to seek consent for the sharing of personal information, unless it is unreasonable or impracticable to do so (paragraph 16(2)(c)).

• a requirement to observe applicable ethics processes (subclause 16(2)(b))

• a data minimisation requirement, which includes minimising the sharing of personal information to the extent possible (paragraph 16(8)(b)).

Of the three permitted purposes, generally only government service delivery will require the sharing of personal information about individuals. By comparison, government policies and programs, and research and development will ordinarily involve the sharing of aggregate data to support decisions about cohorts of people or the Australian community as a whole [see subclause 16(8) of the Bill].
Whether the bill can be amended to clarify the scope of the permitted data sharing purposes, include a public interest test which prioritises privacy interests, and provide guidance on unreasonable or impracticable
The Bill’s permitted purposes [see subclause 15(1)] are informed by extensive consultation and were considered as part of the two PIAs. The permitted purposes are government service delivery, informing government policy and programs; and research and development. The permitted purposes are intentionally broad to facilitate a wide range of projects using government data, with some reasonable, necessary and proportionate limitations in the form of precluded purposes. While the Minister may prescribe additional precluded purposes in Rules to circumscribe the scheme, any expansions to the permitted purposes must be passed by Parliament.
The Bill precludes sharing for certain enforcement related purposes, such as law enforcement investigations and operations, and for national security purposes [see subclause 15(2)]. While these activities are legitimate functions of government, they require specific oversight and redress mechanisms that are better dealt with through dedicated legislation. Existing legislation governing these activities, including offences and penalties, will continue to operate alongside the Bill.
Once a project is determined to be for a permitted purpose, further consideration of the appropriateness of the project occurs through application of the Project Principle [see subclause 16(1)]. This principle requires consideration of the public interest, consent, applicable ethics processes, and use of an Accredited Data Service Provider (ADSP). The data sharing agreement for a project must set out how the data sharing principles are to be applied, and must specifically include a description of how the public interest is served by the sharing [see subclause 19(7)(a)]. These details will then be made available by the Commissioner on a public register of data sharing agreements [see subclause 130].
Consistent with other laws, the Bill and its Explanatory Memorandum do not define the public interest to ensure the Bill can adapt to changing community expectations [see the Freedom of Information Act 1982 (Cth) and the Privacy Act 1988]. The question of whether a project can reasonably be expected to serve the public interest must be made on a project-by-project basis, weighing the range of factors for and against sharing.
In a similar manner, entities must consider the Bill’s consent requirements on a project-by-project basis. The Bill’s approach to consent builds upon the Privacy Act 1988, requiring consent for any sharing of personal information, unless it is unreasonable or impracticable to seek consent. The Bill’s standard of consent is that set by the Privacy Act 1988 and the language of ‘unreasonable or impracticable’ is drawn from section 16A of that Act. As noted in the Explanatory Memorandum, these terms should be interpreted using relevant guidance on consent made by the Australian Information Commissioner (AIC).
The Bill’s holistic approach ensures privacy interests are appropriately balanced with the public interest in a project, and does not assume that one must prevail at the expense of the other. In this regard, the Bill is in step with the objects of the Privacy Act 1988, which specifically recognise the need to balance the protection of the privacy of individuals with entities’ interests in carrying out their functions and activities [Privacy Act 1988 s 2A(b)].
To support entities in their decision-making, the Bill empowers the Commissioner to issue codes of practice on how aspects of the scheme are to be applied and complied with. As legislative instruments, the purpose and legal status of data codes are similar to registered APP codes under sections 26B and 26C of the Privacy Act 1988.
The Commissioner may also release guidelines on any aspect of the data sharing scheme, such as the data sharing purposes and principles, to support data scheme entities in their application. Use of guidelines to provide clarity on the Bill’s requirements is consistent with OAIC’s model for ensuring compliance with the Privacy Act 1988 [see Privacy Act 1988 s 28]. Data scheme entities must have regard to such guidelines when operating under the scheme, and the Commissioner may issue directions to address non-compliance [see clause 27 of the Bill]. These guidelines will work with the Bill’s privacy coverage model and data sharing principles to minimise the risk of interpretations that may trespass on privacy.
While I consider the level of detail to be included in these codes and guidelines is inappropriate for primary legislation, I acknowledge the importance of striking the balance between flexibility and Parliamentary scrutiny.
I note the Commissioner’s power to issue guidelines is discretionary, though there is an implicit expectation that the Commissioner will do so to support entities to comply with the requirements of the scheme. Should the Committee consider this matter to be material, I am open to giving consideration to amendments to the Bill to require that the Commissioner must issue guidelines on certain matters, including application of the Data Sharing Principles, in consultation with relevant entities.
Whether the bill can be amended to provide that, where possible, personal information is shared in a de-identified way
Under the Data Principle, data custodians must only share data that is reasonably necessary for the relevant data sharing purpose [see paragraph 16(8)(a) of the Bill]. This data minimisation requirement is complemented by a further requirement to minimise the sharing of personal information as far as possible without compromising the data sharing purpose [see paragraph 16(8)(b)]. The Data Principle as worded avoids the term ‘de-identified’ to ensure the Bill remains technology-neutral.
Whether the bill can be amended to provide minimum standards for ethics approvals for private entities seeking to use data that includes personal information.
The Bill allows for private sector entities to participate in the scheme, subject to accreditation and privacy coverage. This acknowledges that sharing data with commercial entities can greatly benefit the public when it is done safely, for the right purposes and with effective oversight.
I note the Committee’s specific concerns about private sector participation in the scheme. Paragraph 16(2)(b) of the Bill requires data scheme entities to observe any applicable ethics processes. This includes observance of established ethics approval or review processes, and seeking independent advice on the ethical implications of sharing as appropriate. The Bill leverages existing frameworks to ensure projects and research in specific fields meet accepted ethical standards. This requirement imposes a minimum standard for ethics approvals for all data scheme entities, irrespective of sector.
As an added safeguard, data custodians will be able to require ethics processes under the Project Principle in circumstances where no ethics processes would ordinarily apply. Other elements of the Project Principle (such as consent) and the privacy impact assessment requirements under the Privacy Code provide further safeguards for projects involving personal information.
A final element of the Bill’s design is the requirement to make data sharing agreements public [see clause 130], a measure supported by the second independent PIA on the draft Bill [Information Integrity Solutions, Privacy Impact Assessment – Draft Data Availability and Transparency Bill 2020 [https://www.datacommissioner.gov.au/exposure-draft/dat] (6 September 2020) p. 66]. Making transparent the factors taken into account by data custodians when making sharing decisions is an important check and balance. Such transparency places an onus on data custodians to make sharing decisions on the basis of guidelines issued by the Commissioner.

Committee comment

2.12 The committee thanks the minister for this response. The committee notes the minister's advice that the bill works with the Privacy Act 1988 (Privacy Act) to protect the personal information of individuals shared under the scheme, and relies on the 'required or authorised by law' exception to Australian Privacy Principles 3 and 6 to allow personal information to be collected, used and disclosed. The minister also advised that the bill seeks to strike a balance between acknowledging the interests of entities in carrying out their functions or activities and balancing these interests with the protection of individual privacy.

Permitted data sharing purposes, public interest, and guidance on 'unreasonable or impracticable'

2.13 The committee notes the minister's advice that the permitted data sharing purposes are intentionally broad, and that, of the three permitted purposes, generally only government service delivery will require the sharing of personal information about individuals.

2.14 The minister also advised that questions of whether a project can reasonably be expected to serve the public interest and questions in relation to consent requirements must be resolved on a project-by-project basis. The minister advised that the bill's intended approach is to ensure privacy interests are appropriately balanced with the public interest in a project, rather than assuming that one must prevail at the expense of the other, and that this approach is consistent with the objects of the Privacy Act.

2.15 The committee also notes the minister's advice that the language of 'unreasonable or impracticable' in relation to the requirement to seek consent for the sharing of personal information is drawn from the Privacy Act, and that these terms should be interpreted using relevant guidance on consent made by the Australian Information Commissioner. While noting this advice, the committee considers that, to assist users and individuals seeking to understand the scheme, it would be useful for the explanatory material to provide specific current examples of this guidance and to describe where it may be located.

2.16 The committee further notes the minister's advice that, consistent with current measures for ensuring compliance with the Privacy Act, the National Data Commissioner may release guidelines on aspects of the data sharing scheme including the data sharing purposes and principles and that these guidelines will contribute to minimising the risk of interpretations that may trespass on privacy.

2.17 The committee welcomes the minister's advice that, noting that the Commissioner's power under the bill to issues guidelines is currently discretionary, the minister is open to considering amendments to require that the Commissioner must issue guidelines on certain matters, including application of the Data Sharing Principles.

2.18 The minister also advised that he did not consider the level of detail to be included in the guidelines to be appropriate for inclusion in primary legislation but acknowledged the importance of striking a balance between flexibility and parliamentary scrutiny. While noting this advice, the committee is concerned that the guidelines, which may play an important role in minimising the risk of interpretations of the operation of the scheme that trespass on personal privacy, will be established in non-legislative instruments that are not subject to tabling or scrutiny by the Parliament.

2.19 The committee requests that an addendum to the explanatory memorandum containing the key information provided by the minister be tabled in the Parliament as soon as practicable, noting the importance of these explanatory materials as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation (see section 15AB of the Acts Interpretation Act 1901).

2.20 The committee remains concerned about the breadth of the ‘unreasonable or impracticable’ exception to the requirement to secure consent from an individual prior to sharing their personal information, especially noting the minister’s advice that privacy interests will not be given priority in the public interest test. As such, the committee also requests the minister's further advice as to:

• whether the addendum to the explanatory memorandum can provide specific examples of current guidance on the meaning of 'unreasonable or impracticable' and provide information on where this current guidance can be accessed; and

• why it is considered necessary and appropriate for guidelines on aspects of the data sharing scheme, which may play an important role in minimising the risk of interpretations of the operation of the scheme that trespass on personal privacy, to be included in non-legislative instruments that are not subject to parliamentary scrutiny.

Where possible, personal information is shared in a de-identified way

2.21 The committee notes the minister's advice that, under the data principle, custodians must only share data that is reasonably necessary for the relevant data sharing purpose, and that this requirement is complemented by a requirement to minimise the sharing of personal information as far as possible without compromising the data sharing purpose. The minister also advised that the term 'de-identified' has been avoided to ensure the bill remains technology neutral.

2.22 While noting this advice, the committee remains concerned about the absence of an explicit requirement in the bill that, where possible, the sharing of data is done in a way that does not allow an individual to be identified.

2.23 The committee draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of the bill not including an explicit requirement that, where possible, the sharing of data is done in a way that does not allow an individual to be identified.

Minimum standards for ethics approvals for private entities

2.24 The committee notes the minister's advice that paragraph 16(2)(b) of the bill requires data scheme entities to observe any applicable ethics processes, and that the bill leverages existing frameworks to ensure projects and research in specific fields meet accepted ethical standards. The minister advised that this requirement imposes a minimum standard for ethics approvals for all data scheme entities, irrespective of sector.

2.25 The committee also notes the minister's advice that data custodians may require ethics processes in circumstances where no ethics processes would ordinarily apply, and that this is an added safeguard. While noting this advice, the committee remains concerned that the ability to require a private entity who is otherwise not subject to existing ethics process to undertake such processes is discretionary, with the decision to set this requirement being left to the various Commonwealth bodies empowered to share data under the bill.

2.26 The committee draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of not requiring minimum standards for ethics approvals for private entities seeking to use data that includes personal information where no ethics processes would ordinarily apply.

Privacy^[8]
Significant matters in delegated legislation^[9]

2.27 In Scrutiny Digest 1 of 2021 the committee further requested the minister’s advice as to why individuals whose privacy interests may be affected by the data sharing scheme should not have access to merits review and the dedicated complaints process established in Division 1 of Part 5.3.^[10]

Minister's response^[11]

2.28 The minister advised:

Privacy interests and merits review
The Bill’s review and complaints mechanisms are scheme-specific to supplement existing redress mechanisms and reduce duplication and overlap. Part 5.3 of the Bill provides detailed requirements for the making of complaints, which may be supplemented by data codes that deal with the management and internal handling of complaints, and set additional requirements not inconsistent with the Bill [see Part 5.3 and paragraphs 126(2)(c)-(d)].
Individuals with concerns about the data sharing scheme will have access to existing complaints and administrative review processes. For example, the existing complaints mechanism under the Privacy Act 1988 will be available for complaints relating to data scheme entities’ handling of personal information [Individuals will also be able to complain to their State or Territory privacy regulator, if the complaint relates to an accredited entity that is a State or Territory government authority]. The Bill includes provisions to allow for the transfer of matters and information between regulators, and I make some further comments on these regulatory cooperation mechanisms below.
In addition to investigating complaints from data scheme entities, the Commissioner may also conduct own-motion investigations into potential breaches in response to a ‘tip-off’ from the public or media.
As a final point, I note that the Bill includes several privacy-positive measures to minimise the sharing of personal information and promote individual control over its use. As described above, sharing of personal information will generally only be reasonably necessary for the purposes of government service delivery, as the other policies, programs and research ordinarily have a population or cohort-level focus.
Once personal information enters the scheme, it must be validated or corrected by the individual before it can ‘exit’ the scheme and be used for other lawful purposes, for example pre-filling a form [see subclauses 21(1)‑(2)]. Together, the consent requirement (which may be triggered by the project) and the exit mechanism ‘bookend’ the scheme.
Individuals will have access to a range of other redress options to address concerns unrelated to privacy. For example, individuals will be able to seek judicial review through the courts and make complaints to integrity agencies such as the Commonwealth Ombudsman. Merits review of substantive decisions based on shared data that has exited the scheme (though validating data in a pre- filled form) may also be available, if provided for by the legislation under which the decision was made. These frameworks will have their ordinary operation, without being replicated in the Bill itself.
Commissioner awareness of privacy complaints made directly to Australian Information Commissioner
I note the Committee’s concern that the Commissioner may not have adequate oversight of privacy complaints relating to the scheme, if those complaints are made directly to the Australian Information Commissioner (AIC) under the Privacy Act 1988 (para 1.21).
The Bill includes mechanisms to facilitate regulatory cooperation and to notify the Commissioner of data breaches involving personal information:

• Data scheme entities that report a personal information breach to the AIC must also provide a copy to the Commissioner to allow for monitoring of systemic privacy breaches [see subclause 37(5)].

• Further, where a privacy complaint is made directly to the Commissioner, the Commissioner may transfer the matter and related information to the AIC as the Commonwealth’s dedicated privacy regulator [see clauses 107-108]. The AIC will have reciprocal transfer powers under a proposed amendment to section 50 of the Privacy Act 1988 [see Data Availability and Transparency (Consequential Amendments) Bill 2020 items 6-8].

These aspects of the scheme have been designed in consultation with the Attorney-General’s Department and the OAIC to avoid duplication and regulatory overlap, consistent with other laws that provide for transfers between regulators. I expect that the ONDC and OAIC will address specific requirements through a Memorandum of Understanding.

Committee comment

2.29 The committee thanks the minister for this response. The committee notes the minister's advice that individuals with privacy concerns about the data sharing scheme will have access to existing complaints and administrative review processes, such as the existing complaints mechanism under the Privacy Act in relation to data scheme entities’ handling of personal information, and complaints mechanisms in relation to State or Territory privacy regulators, if the complaint relates to an accredited entity that is a State or Territory government authority.

2.30 The committee also notes the minister's advice that the National Data Commissioner may conduct own-motion investigations into potential breaches. The minister also advised that other redress options to address concerns unrelated to privacy will be available to individuals such as judicial review and making a complaint to the Commonwealth Ombudsman. The committee further notes the minister's advice that merits review of substantive decisions based on shared data that has exited the scheme may also be available, if this is provided for by the legislation under which the decision was made.

2.31 While also noting the minister's advice in relation to the requirements in subclauses 21(1) and (2) that personal information in the scheme must be validated or corrected by the individual before it can ‘exit’ the scheme, the committee notes that paragraph 21(1)(b)(iii) also permits data as 'output'^[12] to be shared in circumstances prescribed by the rules. While the explanatory memorandum states that any such rules created must be consistent with the bill,^[13] the committee is concerned that allowing delegated legislation to expand the circumstances in which output may be shared may undermine the value of this measure as a safeguard as described in the minister's response.

2.32 Further, while noting the minister's advice in relation to the mechanisms for regulatory cooperation and requirements to notify the Commissioner of data breaches, the committee remains concerned that the bill does not require any information to be given to the Commissioner with respect to complaints received by the Australian Information Commissioner, or other bodies who may receive complaints about the scheme, such as the Commonwealth Ombudsman, or Commonwealth entities acting as data custodians within the scheme. In raising this scrutiny concern, the committee notes that full visibility of complaints about the scheme may assist in reducing the possibility of tension between the dual roles of the National Data Commissioner as both regulator and champion of the data sharing scheme.

2.33 The committee draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of the complaint mechanisms available to individuals whose privacy interests may be affected by the scheme, including the lack of mechanisms on the face of the bill to ensure that the National Data Commissioner has full visibility of privacy complaints made in relation to the scheme.

Significant matters in delegated legislation^[14]

2.34 In Scrutiny Digest 1 of 2021 the committee requested the minister's advice as to:

• why it is considered necessary and appropriate to leave procedures, requirements and other matters relating to the accreditation of entities for the purposes of the data sharing scheme to delegated legislation;

• whether the bill can be amended to include at least high-level guidance regarding these matters on the face of the primary legislation.^[15]

Minister's response

2.35 The minister advised:

Part 6.4 of the Bill provides for three types of disallowable legislative instruments, which must be complied with by data scheme entities: Ministerial rules, regulations made by the Governor-General and data codes issued by the Commissioner [see clause 26 of the Bill]. This approach helps to ensure the scheme can adapt to emerging technologies and future needs over time, while allowing for oversight through the disallowance process.
Accreditation is an essential precondition for entities’ participation in the data sharing scheme. In recognition of this, Part 5.2 of the Bill includes detailed provisions on matters such as criteria, applications and conditions of accreditation [see also chapter 3, which sets out core obligations of data scheme entities, including accredited entities]. This Part also includes procedures for accreditation transfer, cancellation and suspension, and notice of accreditation decisions. Decisions of this nature are subject to merits review to promote procedural fairness, with some exceptions for foreign entities [see clause 118]. As these requirements and procedures go to the ‘essence’ of the legislative scheme, it is necessary and appropriate to include them in the primary legislation to allow for Parliamentary oversight [Department of the Prime Minister and Cabinet, Legislative Handbook, 2017 para 1.10(j)]. This distinguishes the Bill from the recent Consumer Data Right, which delegates most of its accreditation framework to the Competition and Consumer (Consumer Data Right) Rules 2020.
As the Committee notes, clause 86 allows Rules to provide for procedures, requirements and any other matters relating to accreditation. This approach aligns with the Department of the Prime Minister and Cabinet’s Legislative Handbook, which states that matters of detail and matters that may change frequently are best dealt with in delegated legislation to streamline the primary legislation [Department of the Prime Minister and Cabinet, Legislative Handbook, 2017 paras 5.65-5.66; see also para 1.10(d)]. At the time of writing, the Accreditation Rules will describe circumstances in which data custodians must use an accredited data service provider (ADSP), and specify documentation to support entities’ claims against the accreditation criteria in clause 77 [see clauses 29 and 87 of the Bill]. This content is appropriate for Rules, as documents and circumstances for use of an ADSP are detailed and may change over time. These Rules will be subject to oversight through the disallowance process for legislative instruments.
For these reasons, I do not consider it necessary to include further guidance on accreditation matters on the face of the Bill. As the weight of accreditation framework is already located in Part 5.2, significant accreditation matters will not be left to delegated legislation. Where the Bill does provide for delegated legislation, it is aligned with standard drafting practices to balance legal certainty and flexibility.

Committee comment

2.36 The committee thanks the minister for this response. The committee notes the minister's advice that the approach of providing for various types of legislative instruments in the bill helps to ensure the scheme can adapt to emerging technologies and future needs over time, while allowing for oversight through the disallowance process. The minister also advised that the approach taken in relation to allowing rules to provide for procedures, requirements and any other matters relating to accreditation aligns with the Legislative Handbook, issued by the Department of the Prime Minister and Cabinet.

2.37 The committee also notes the minister's advice that, at the time of writing, the Accreditation Rules will describe circumstances in which data custodians must use an accredited data service provider (ADSP) and specify documentation to support entities’ claims against accreditation criteria. The minister advised that, as documents and circumstances for use of an ADSP are detailed and may change over time, this content is appropriate for rules. The committee further notes the minister's advice that significant matters will not be left to delegated legislation, as the weight of the accreditation framework is already located on the face of the bill, in Part 5.2.

2.38 However, noting the importance of ensuring that the accreditation framework only permits accreditation of entities who can safely handle public sector data, from a scrutiny perspective, the committee remains concerned about the extent to which the bill relies on delegated legislation to determine matters related to the accreditation of entities under the scheme.

2.39 The committee draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of leaving procedures, requirements and other matters relating to the accreditation of entities for the purposes of the data sharing scheme to delegated legislation.

2.40 The committee also requests that an addendum to the explanatory memorandum containing the key information provided by the minister relating to the expected content of the Accreditation Rules be tabled in the Parliament as soon as practicable, noting the importance of these explanatory materials as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation (see section 15AB of the Acts Interpretation Act 1901).

2.41 The committee also draws this matter to the attention of the Senate Standing Committee for the Scrutiny of Delegated Legislation.

Broad delegation of investigatory powers^[16]

2.42 In Scrutiny Digest 1 of 2021 the committee requested the minister's advice as to:

• why it is considered necessary and appropriate to allow any 'other person' to assist an authorised person in exercising monitoring and investigatory powers; and

• whether the bill can be amended to require that any person assisting an authorised person have the knowledge and expertise appropriate to the function or power being carried out.^[17]

Minister's response

2.43 The minister advised:

The Bill establishes the National Data Commissioner as an independent statutory office holder to oversee the scheme as its regulator and champion. As regulator, the Commissioner has oversight of the scheme and is empowered to monitor, investigate, and enforce compliance with the Bill by data scheme entities. Part 5.5 of the Bill sets out the Commissioner’s regulatory and enforcement powers. This Part provides for a range of mechanisms to deter and address non-compliance, allowing the Commissioner to take a graduated approach to enforcement.
Subclauses 109(4) and 110(3) of the Bill allow the Commissioner (as an authorised person) to receive assistance from ‘other persons’ in the exercise of monitoring and investigation powers. This clause invokes s 23(1) of the Regulatory Powers (Standard Provisions) Act 2014 (‘RPA’) and aligns with the Office of Parliamentary Counsel’s Drafting Direction No. 3.5A. The standard suite of RPA provisions is an accepted baseline of powers required for an effective monitoring, investigation or enforcement regulatory regime, while providing adequate safeguards and protecting important common law privileges [Replacement Explanatory Memorandum, Regulatory Powers (Standard Provisions) Bill 2014, p. 2]. The Bill adopts this standard approach to the exercise of regulatory powers to promote an efficient, flexible and accountable approach to regulation.
The Explanatory Memorandum for clauses 109 and 110 refers to the staffing provisions in the Bill [Explanatory Memorandum, Data Availability and Transparency Bill 2020, paras 555 and 560] The Bill’s staffing provisions ensure that ‘other persons’ at the Commissioner’s disposal will have the appropriate knowledge, training and expertise in the exercise and performance of investigatory powers and functions [see clauses 47-49 of the Bill]. APS employees made available to the Commissioner must have the skills, qualifications or experience necessary to assist the Commissioner, while contractors and consultants may be specifically engaged in order to assist with the performance or exercise of the Commissioner’s functions or powers.
Subsections 23(2)-(4) of the RPA ensure monitoring and investigatory powers are exercised accountably. Persons assisting must act under the direction of the Commissioner as authorised person and any valid actions of the person assisting will be taken to be those of the Commissioner. As persons employed or engaged by an APS Department, assisting individuals will be further subject to standard accountability measures such as the APS Code of Conduct (for staff), Commonwealth Procurement Rules (for contractors), security clearances and other pre-employment screening procedures.
For these reasons, the Bill and RPA already give effect to the suggested drafting changes to clauses 109 and 110.

Committee comment

2.44 The committee thanks the minister for this response. The committee notes the minister's advice that the provisions adopt standard provisions under the Regulatory Powers (Standard Provisions) Act 2014, and that these are an accepted baseline of powers required for an effective monitoring, investigation or enforcement regulatory regime, while providing adequate safeguards and protecting important common law privileges.

2.45 The committee also notes the minister's advice that staffing provisions in the bill will ensure that ‘other persons’ at the Commissioner’s disposal will have the appropriate knowledge, training and expertise in the exercise and performance of investigatory powers and functions. The minister advised that APS employees made available to the Commissioner must have the skills, qualifications or experience necessary to assist the Commissioner, while contractors and consultants may be specifically engaged in order to assist with the performance or exercise of the Commissioner’s functions or powers. The minister further advised that:

• persons assisting must act under the direction of the Commissioner as authorised person;

• any valid actions of the person assisting will be taken to be those of the Commissioner; and

• as persons employed or engaged by an APS Department, assisting individuals will be further subject to standard accountability measures such as the APS Code of Conduct (for staff), Commonwealth Procurement Rules (for contractors), security clearances and other pre-employment screening procedures.

2.46 The minister advised that, for the above reasons, the bill and the Regulatory Powers (Standard Provisions) Act 2014 already give effect to the committee's suggested drafting changes.

2.47 While the committee acknowledges the minister's advice as to how it is intended this power will be exercised, and the ways in which an authorised person will be made accountable for the actions of persons assisting, there is nothing on the face of the bill to limit the use of 'other persons' to assist the Commissioner as set out in the response. In particular, it appears that there is no requirement on the face of the bill that 'other persons' assisting an authorised person must be the staff, consultants or contractors to which clauses 47 to 49 of the bill refer. The committee reiterates its consistent scrutiny view in relation to the exercise of coercive or investigatory powers that persons authorised to use such powers should have appropriate training and experience.

2.48 The committee draws its scrutiny concerns to the attention of senators and leaves to the Senate as a whole the appropriateness of allowing authorised persons who are exercising monitoring and investigation powers to be assisted by other persons with no requirement on the face of the bill that the other person has appropriate training or experience.

Reversal of evidential burden of proof ^[18]

2.49 In Scrutiny Digest 1 of 2021 the committee requested the minister's advice, given the explanatory materials do not address the issue, as to why it is proposed to use offence-specific defences (which reverse the evidential burden of proof) in this instance.^[19]

Minister's response

2.50 The minister advised:

For data sharing to be authorised under the Bill, data custodians must only share data with accredited users, either directly or through an ADSP. Accreditation is not limited to Australian entities to encourage international cooperation on projects in the public interest, with appropriate controls in place such as ASIO security assessments [see Data Availability and Transparency (Consequential Amendments) Bill 2020 items 3-4].
Section 136 of the Bill provides a set of provisions for extended geographical jurisdiction, drawn from section 15.2 of the Criminal Code Act 1995. Subclauses 136(2) and (3) provide offence-specific defences for foreign entities if they are not an Australian entity, the conduct occurred wholly in a foreign country and the conduct is lawful in the foreign jurisdiction in which it occurred.
As described in subclause 136(4), a person that seeks to rely on these defences bears an evidential burden. It is appropriate for the defendant to bear the evidential burden in these circumstances because evidence to establish whether:

• the relevant conduct occurred wholly in a foreign country (but not on board an Australian aircraft or ship); and

• the defendant is not an Australian entity (as defined in clause 9 of the Bill)

is best able to be adduced by, and within the knowledge of, the defendant. Evidence that suggests the reasonable possibility that the conduct in question was lawful in the foreign country is also best raised by the defendant, as the defendant would have knowledge of that foreign jurisdiction, and it would be significantly more difficult or costly for Australian-based prosecutors to bear this burden.
I am willing to consider an addendum to the Bill’s Explanatory Memorandum at an appropriate time that incorporates the explanation above.

Committee comment

2.51 The committee thanks the minister for this response. The committee notes the minister's advice that it is appropriate for the defendant to bear the evidential burden in the circumstances set out in subclauses 136(2) and (3) as evidence to establish whether the relevant conduct occurred wholly in a foreign country (but not on board an Australian aircraft or ship), and whether the defendant is not an Australian entity is best able to be adduced by, and within the knowledge of, the defendant. The minister also advised that evidence that suggests the reasonable possibility that the conduct in question was lawful in the foreign country is also best raised by the defendant, as the defendant would have knowledge of that foreign jurisdiction, and it would be significantly more difficult or costly for Australian-based prosecutors to bear this burden.

2.52 The committee welcomes the minister's advice that he is willing to consider an addendum to the bill’s explanatory memorandum at an appropriate time that incorporates the explanation above.

2.53 In light of the minister's advice, the committee makes no further comment on this matter.

2.54 The committee requests that an addendum to the explanatory memorandum containing the key information provided by the minister be tabled in the Parliament as soon as practicable, noting the importance of these explanatory materials as a point of access to understanding the law and, if needed, as extrinsic material to assist with interpretation (see section 15AB of the Acts Interpretation Act 1901).

[4] Clauses 15, 16 and 88. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[5] Clauses 15, 126 and 133. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(iv).

[6] Senate Scrutiny of Bills Committee, Scrutiny Digest 1 of 2021, pp. 4-8.

[7] The minister responded to the committee's comments in a letter dated 10 February 2021. A copy of the letter is available on the committee's website: see correspondence relating to Scrutiny Digest 3 of 2021 available at: www.aph.gov.au/senate_scrutiny_digest.

[8] Clauses 15, 16 and 88. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[9] Clauses 15, 126 and 133. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(iv).

[10] Senate Scrutiny of Bills Committee, Scrutiny Digest 1 of 2021, pp. 4-8.

[11] The minister responded to the committee's comments in a letter dated 10 February 2021. A copy of the letter is available on the committee's website: see correspondence relating to Scrutiny Digest 3 of 2021 available at: www.aph.gov.au/senate_scrutiny_digest.

[12] Subclause 10(4) provides that 'output' is data that is the result or product of the use, by an accredited user, of public sector data shared with the accredited used under subsection 13(1).

[13] Explanatory memorandum, p. 30.

[14] Clause 86. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(iv).

[15] Senate Scrutiny of Bills Committee, Scrutiny Digest 1 of 2021, p. 10.

[16] Clauses 109 and 110. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(ii).

[17] Senate Scrutiny of Bills Committee, Scrutiny Digest 1 of 2021, pp. 10-11.

[18] Clause 136. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).

[19] Senate Scrutiny of Bills Committee, Scrutiny Digest 1 of 2021, pp. 11-12.