The Victorian Data Sharing Bill 2017 (Vic) brings Victoria up to speed with other States to reduce information silos within the public sector. Victorian public sector agencies will soon need to start assisting their staff on how to respond appropriately to an information sharing request received from or on behalf of the Chief Data Officer.
On 28 November 2017, the Victorian Parliament passed the Bill, which according to the Victorian Government, will improve the sharing of data between Government departments. The aim is to improve Government policy-making by breaking down agency silos, while also outlining applicable privacy and security safeguards.
With royal assent a formality, Victorian public sector agencies bound to comply with the Bill will need to ensure that they have the necessary procedures and processes in place to respond appropriately and promptly to a data sharing request received under the Bill.
Earlier in 2017, the Government appointed its first Chief Data Officer (“CDO”), Mr Julian Hebden (formerly of Telstra), to guide the Government’s use of data to strengthen policy making. Once the Bill has received royal assent from Victoria’s Governor, the Bill will set the functions and powers of the CDO.
Under the Bill, the CDO has a number of statutory functions, including to:
- conduct “data integration and data analytics work to inform government policy making, service planning and design”;
- make available integrated data sets and the results of the data analytics work; and
- lead and coordinate cross-jurisdictional data sharing and data integration work on behalf of the State of Victoria.
The Bill defines “data integration” as the “combination or collation of data contained in two or more data sets” and “data analytics work” as the “examination and analysis of data for the purpose of drawing conclusions as the result of that examination and analysis” (excluding data integration).
The CDO would have the power to request data from within other areas of the Victorian Government (including the Victoria Police), subject to certain limitations. The recipient would need to comply with the request by either supplying a copy of the requested data or informing the CDO that the request would be refused on specific grounds (such as the sharing of data would breach legal professional privilege, breach contract, breach confidentiality, breach a court order, be likely to prejudice legal proceedings or the provision of the data would be likely to endanger the health, safety or welfare of one or more individuals). The CDO’s request would need to be in writing and specify the reason for the request, the data requested and how the data will be handled.
Although the Bill contains provisions that are intended to protect the privacy of information requested and handled under the Bill (such as ensuring that the results of the data analytics work must only be disclosed once the results to be disclosed include only de-identified data), the Bill does not require the CDO or the relevant body handling the data to obtain the consent of the relevant individual(s) to the use of their personal information for data analytics work or data integration.
The CDO could also request data from other statutory bodies, such as commissions, oversight bodies, local councils and courts, but they would not be compelled to respond to a request.
The Bill then provides that the CDO may disclose identifiable data received from within Victorian Government to a data analytics body for the purpose of data integration and that the CDO may collect, hold, manage and use identifiable data received from within Victorian Government for the purpose of data integration.
The CDO and any data analytics bodies engaged by the CDO must take reasonable steps to ensure that data received can no longer identify individuals before the data is used for the purpose of data analytics.
The Bill contains provisions which are designed to protect the privacy of personal information that may be contained or comprise the data sets. If the CDO becomes aware that the Privacy and Data Protection Act or the Health Records Act has been, or is likely to have been, breached in relation to data handled pursuant to the Bill while in the control of the CDO, then the CDO must inform the Victorian Information Commissioner or the Victorian Health Complaints Commissioner. Similar obligations apply to the data analytics body which received the data.
The CDO must report annually to the Health Complaints Commissioner and to the Information Commissioner regarding the steps the CDO took during the year to ensure compliance with the relevant legislation and the details of the data integration and analysis projects undertaken during the reporting period that used health information and other personal information.
The Bill brings Victoria up to speed with States such as New South Wales and South Australia to reduce information silos within the public sector. Victorian public sector agencies will soon need to start preparing guidelines to assist their staff respond appropriately to an information sharing request received from or on behalf of the CDO.