Home | Databases | WorldLII | Search | Feedback Australian Senate Standing Committee for the Scrutiny of Delegated Legislation - Monitor

Data Availability and Transparency Code 2022 [2023] AUSStaCSDLM 4 (25 January 2023)

• Data Availability and Transparency Code 2022
• Overview
• Scrutiny concerns
• Significant matters in delegated legislation8
• Conferral of discretionary power;10 clarity of drafting11

Data Availability and Transparency Code 2022

Overview

1.17 The Data Availability and Transparency Act 2022 (the Act) commenced on 1 April 2022 and established a new data sharing scheme (the scheme) for safely sharing Australian Government data with entities accredited under the scheme. The Act authorises the National Data Commissioner to make codes of practice about the scheme.

1.18 The Data Availability and Transparency Code 2022 (the Code) provides guidance for scheme participants on best practice data sharing, including the data sharing principles that scheme participants must apply when entering into a data sharing agreement, as well as privacy protections.

Scrutiny concerns

Significant matters in delegated legislation^[8]

1.19 Part 2 of the Code sets out the data sharing principles for the sharing, collection or use of data authorised by the Act. This includes principles related to public interest and conflicts of interest when sharing data, as well as protections required in relation to the management of data.

1.20 Senate standing order 23(3)(j) requires the committee to consider whether an instrument contains matters more appropriate for parliamentary enactment, which should be included in primary, rather than delegated, legislation. As a matter of technical scrutiny, the committee is required to scrutinise each legislative instrument as to whether it contains matters more appropriate for parliamentary enactment.

1.21 The data sharing principles included in the Code are significant, and the committee is concerned they have been included in delegated rather than primary legislation, and are therefore not subject to the same level of parliamentary oversight and scrutiny. In this regard, the explanatory statement does not indicate why it is considered necessary and appropriate to leave these matters to delegated legislation.

1.22 The committee notes that the Senate Standing Committee for the Scrutiny of Bills previously reported on the Data Availability and Transparency Bill 2020. It noted that significant matters such as privacy safeguards for data sharing should be included in primary legislation unless a sound justification is provided.^[9] The committee is concerned that these principles have subsequently been included in the Code rather than the Act.

1.23 The committee requests the minister's advice as to why it is considered necessary and appropriate to use delegated legislation, rather than primary legislation, to provide for the data sharing principles set out in Part 2 of the Code, noting the significance of these principles and the comments previously made by the Senate Standing Committee for the Scrutiny of Bills in relation to this matter.

Conferral of discretionary power;^[10] clarity of drafting^[11]

1.24 Senate standing order 23(3)(c) requires the committee to scrutinise each instrument as to whether it makes rights, liberties, obligations or interests unduly dependent on insufficiently defined administrative powers. This includes where instruments confer discretionary powers on an entity or person.

1.25 The Data Availability and Transparency Code 2022 (the Code) appears to provide for high levels of discretion to entities when making decisions under the data sharing scheme.

Consent to share personal information

1.26 Subsection 21(1) provides for the consideration that the data custodian must make when deciding whether it is 'unreasonable or impractical' to seek consent for the sharing of data, including personal information. Subsection 21(2) states that it may be unreasonable or impracticable to seek consent if doing so would be excessively burdensome in all the circumstances.

1.27 It is not clear from the Code or the explanatory statement what 'excessively burdensome' means in this context. It appears that this could be interpreted differently by data custodians when deciding whether consent is needed to share personal information.

1.28 Additionally, subsection 20(8) provides that consent to use personal information by a new data custodian under the Act must be 'current'. However, 'current consent' is not defined in the Code or the explanatory statement.

Dealing with conflicts of interest

1.29 Section 9 of the Code provides that data custodians may assume that any conflicts of interest in relation to the collection or use of data by the accredited user are appropriately managed if the accredited user represents that they have 'a system in place to identify and manage such conflicts' and 'the system operates effectively'. There are no further details or guidance in the Code or the explanatory statement about what an 'effective operating system' means in this context.

1.30 The committee considers that instruments that confer discretionary powers on a person should set out the factors which the person must consider in exercising the discretion. Additionally, the explanatory statement should also address the purpose and scope of the discretion and why it is necessary.

1.31 The committee requests the minister's advice as to:

• when seeking consent would be 'excessively burdensome' under section 21 of the Code;

• what constitutes 'current consent' under the Code;

• what constitutes an 'effective' system to identity and manage conflicts of interest in relation to accredited data users, and how this should be represented or demonstrated to the data custodian under section 9 of the Code.