Commissioner content transparency measures are enough to deter data-sharing Act breaches

Australia's pending data-sharing Act will require Commonwealth entities to be satisfied with a proposal before sharing data and the reason for obtaining that data will need to be made public.

The Office of the National Data Commissioner considers the measures presented in Australia's pending Data Availability and Transparency Bill 2020, such as the requirement for transparency, to be enough for deterring breaches of data.

The data-sharing Bill is touted by the government as being an opportunity to establish a new framework that is able to proactively assist in designing better services and policies.

"The Bill will create a data-sharing scheme overseen by a new and independent National Data Commissioner to allow sharing for the right reasons with the right people, with appropriate controls to manage risk," interim National Data commissioner Deborah Anton told the Senate Finance and Public Administration Legislation Committee on Tuesday.

"The Bill seeks to progress a necessary set of reforms to modernise APS data-sharing practices, to set higher and consistent standards, and to add additional transparency to ensure the public know what is being done with their data."

The purpose test embedded in the Bill states that data shared can only be shared for the delivery of government services, informing policy, and to progress research.

The Bill provides what the government is referring to as "layers of safeguards", including the data sharing principles. The principles guide how risks are assessed and managed and must be applied to each data sharing project across five dimensions: Projects, people, data, settings, and outputs.

"One of the challenges with principles-based legislation is the Bill provides signposts not a direct roadmap," Anton said.

"So I think what's always important in these circumstances is to understand, 'What's the scenario?', then going through the flow chart, 'Well, for what purpose?', you can only do one of those three purposes and you've still got to then explain why that's in the public interest to do that.

"You then have to go through who are we sharing with, why are we sharing them, are we sharing the minimum amount of data for the job that they're contemplating, at the end of the day, what's the output -- a lot of this is going to be about research."

In order to share data, the "data custodian" -- the Commonwealth body that holds the data -- must be satisfied the data will be used for an appropriate reason and that there are appropriate safeguards in place.

Anton said the onus is ultimately on data custodians.

"They don't have to share ... if they don't think this is a sensible thing to do, and they cannot manage the risks, then they can make a decision not to share and that cannot be overturned," she continued. "I think the research sector is a little unhappy with us on that design point."

The purpose for which the information can be used must be set out in a publicly available data-sharing agreement.

"The data-sharing agreement will provide that it cannot be used for any other purpose," Assistant Secretary Paul Menzies-McVey added. "So there's no real capacity for there to be a slippery slope that it was obtained for one purpose and then used for another because it will be clear to the public that the data can't be used for that purpose and that will be backed up by the penalties in the legislation."

Senators, however, are concerned that the safeguards and rules in place would only work right up until the moment when there's a breach.

Anton and Menzies-McVey pointed again to the penalties.

"In order to use the Act, you have to meet the requirements of the Act; if you're not meeting the requirements of the Act, then the penalties actually rebound to the original legislation under which the data was collected," Anton explained.

"The Bill itself then provides for additional penalties or gap coverage where people are simply not complying with, for example provision of information to the commissioner."

There are a series of enforcement actions which Anton said could ultimately lead to suspension or cancellation of accreditation, injunctions placed on the sharing of data, as well as seeking civil or criminal penalties.

"There is a stick to go with the permissive 'yes, we want to share', but there are controls at the other end," she said.

Menzies-McVey said that for breach of the mandatory terms of the data-sharing agreement, which includes the requirement to use it only for the agreed purpose, is a civil penalty of 300 penalty units -- currently AU$66,600.

There are also general penalties, including imprisonment for two years for "intentional reckless breaches".

The Bill, as well as the Data Availability and Transparency (Consequential Amendments) Bill, were both introduced to Parliament in December, after two years of consultation.

HERE'S MORE