The Productivity Commission (PC) released the report from its inquiry into public and private sector data in May 2017. As part of its response to that report, the Australian Government announced in May 2018 that it would create a National Data Commissioner to oversee a new data access framework and pass new legislation to remove red tape inhibiting access to data for research and growth (while at the same time ensuring that privacy and data security are protected). This article looks at the current status of those initiatives and the implications for governments generally from sharing a wide range of public data sets.
Productivity Commission recommendations
In its May 2017 report, the PC argued that fundamental change is needed, noting the current regulatory frameworks governing data availability and use, based as they are on risk aversion and avoidance, are not appropriate and inhibit Australian governments, businesses and not-for-profits from taking advantage of the benefits that would arise from greater exploitation of data.
Amongst other recommendations, the PC proposed a new Data Sharing and Release Act. Under the proposed legislative framework for data sharing and release, a National Data Custodian would have overall responsibility for the implementation of data management policy in consultation with all levels of government. The Custodian would accredit the processes and capabilities of Accredited Release Authorities. Those Authorities were intended to be sectoral hubs of expertise and would be tasked with taking steps to ensure that as many datasets as possible were made available either to trusted users or more widely, where appropriate risk mitigations were in place. Trusted users would be third parties (from both the public and private sectors) with appropriate governance structures and processes in place to address risks associated with data use or release.
Under this proposed framework, all Australian governments would release non-sensitive publicly funded datasets and, on completion of risk assessments, release other more sensitive datasets (either generally or to trusted users). The PC also recommended that “National Interest Datasets” of particularly important public sector data should be designated. For those National Interest Datasets, new access and use arrangements would apply to the exclusion of any existing regulatory regime (whether at a Commonwealth or State/Territory level).
On 1 May 2018, the Australian Government announced that it would partially implement the PC’s recommendations and would:
- create a new National Data Commissioner who would oversee the new data access framework, including managing risks, responding to complaints and monitoring the integrity of the framework. The Commissioner would be assisted by a Data Advisory Council, which would provide advice on ethical data use, technical best practice and industry and international developments. The Australian Bureau of Statistics would provide technical guidance and support to the Commissioner
- establish a new legislative regime to remove the roadblocks to the sharing of public data sets, whilst ensuring the retention of appropriate data safeguards. As recommended by the PC, the establishment of Accredited Data Authorities would be provided for in the legislation. The Government stated the legislation would also establish a trusted user framework.
National Data Commissioner
An interim National Data Commissioner has been appointed and has been consulting on the proposed draft data legislation, as discussed further below. Information has also been released on the National Data Advisory Council, with the publication of the draft terms of reference. The Council is intended to comprise up to 10 members, including the Commissioner. It is proposed that its first task would be to advise on the development of the draft legislation.
Consultation on draft legislation
The Australian Government released a consultation paper on the proposed Data Sharing and Release Bill in mid 2018. The Bill is proposed to apply to data collected by all Commonwealth entities and Commonwealth companies, with exceptions for national security/law enforcement and contractual arrangements for purchased data sets. At a very high level, the Bill is to deal with the following matters:
- the role of the Commissioner would be enshrined in the legislation
- data sharing and release would be authorised for specified purposes (such as informing and assessing government policy and research and development with public benefits), provided data safeguards are met.
The data safeguards should be able to be flexibly applied, depending on the relevant data, and would be based on the “Five-Safes” disclosure risk management framework, that is:
- safe data: can the data disclose identity?
- safe people: can the users be trusted?
- safe setting: does the access environment prevent unauthorised use?
- safe outputs: are the project results likely to disclose identity?
- safe project: is the purpose of use appropriate (with the permitted categories of purpose to be specified in the legislation)?
The following accredited bodies would be put in place:
- data custodians: These are the Commonwealth entities that collect the data in the first place. Each data custodian would maintain responsibility for the data it collects, including the sharing and release of that data
- accredited Data Authorities: These would be entities which have relevant experience in dealing with data, such as the Australian Bureau of Statistics, which meet the criteria set by the Commissioner. The role of the Authorities would be to assist data custodians
- trusted users: Trusted users are the “end-users” of the shared or released data. A user could only be accredited by demonstrating that it is able to safely use that data.
The draft legislation is not expected to be introduced to Parliament before the next Federal election and therefore there is some doubt as to the timing for its implementation and whether changes may be made based on feedback from the consultation process and also potentially a different approach adopted by a future Government.
Data is not only important for government policy and decision making but has the potential to unlock many productivity benefits across the Australian economy more broadly.
The fact that the Australian Government is now proposing a new comprehensive regime does not mean that Australian governments do not currently make public data available. For example, data.gov.au provides public access to many thousands of anonymised public data sets published by federal, State, Territory and local governments. There is also legislation at a State level that provides for data sharing, for example, in New South Wales, the Data Sharing (Government Sector) Act 2015 facilitates data sharing between the Data Analytics Centre and other government agencies. South Australia has in place the Public Sector (Data Sharing) Act 2016 and Victoria has the Victorian Data Sharing Act 2017. But these existing data sharing arrangements are not as extensive as they could be.
As noted in the PC’s report, and the consultation paper on the proposed new legislation, there have been many reasons why governments have not in the past provided greater access to the valuable data that they hold. Risk aversion (particularly in relation to data that relates to individuals) and significant amounts of regulation (not all of which is entirely consistent) are the main barriers. A lack of a consistent approach has also been cited as a factor.
The Australian Government’s new regime is intended to address these issues. As such, if the proposed framework is implemented, it could assist in ensuring that significantly more data sets are available both across the public sector and for private sector use. The regime could be extended in due course, with the co-operation of State and Territory governments, to assist in greater use of the valuable data sets that are held across all levels of government.
However, feedback on the proposed framework has not been uniformly positive. For example, there has been particular concern expressed as to how the framework will interact with other existing regulation, particularly the Privacy Act 1988 (Cth). There is also concern as to what remedies will be available where data is misused and how compliance will be able to be enforced. These, and other issues raised by stakeholders, are important issues for consideration and should be addressed in the draft legislation to ensure the new framework achieves its ambitious aims.