Data Availability and Transparency Bill 2020

2019 - 2020

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

DATA AVAILABILITY AND TRANSPARENCY BILL 2020

EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Government Services, the Hon Stuart Robert MP)

Contents

Data Availability and Transparency Bill 2020
Outline and financial impact
Glossary and abbreviations
1 - Overview
The legislative scheme
Scope
Interaction with other schemes
Enabling safe data sharing
Sharing data for certain reasons - the permitted purposes
Sharing data safely - the data sharing principles
Sharing data with the right people - accreditation
Better management and transparency
Integrity of the scheme
Oversight by the National Data Commissioner
Avenues for redress - complaints and review of decisions
Dealing with breaches - penalties and consequences
Periodic reviews of the operation of the Bill
2 - Notes on Clauses
Chapter 1 - Preliminary
Part 1.1 - Introduction
Part 1.2 - Definitions
Chapter 2 - Authorisations to share data
Chapter 3 - Responsibilities of data scheme entities
Part 3.1 - Introduction
Part 3.2 - Responsibilities of data scheme entities
Part 3.3 - Data breach responsibilities
Chapter 4 - National Data Commissioner and National Data Advisory Council
Part 4.1 - Introduction
Part 4.2 - National Data Commissioner
Part 4.3 - National Data Advisory Council
Chapter 5 - Regulation and enforcement
Part 5.1 - Introduction
Part 5.2 - Accreditation framework
Part 5.3 - Complaints
Part 5.4 - Assessments and investigations
Part 5.5 - Regulatory powers and enforcement
Chapter 6 - Other matters
Part 6.1 - Introduction
Part 6.2 - Review of decisions
Part 6.3 - Treatment of certain entities
Part 6.4 - Data sharing scheme instruments
Part 6.5 - Other matters
3 - Statement of Compatibility with Human Rights
Overview
Human Rights Implications
Protection from arbitrary or unlawful interference with privacy
Freedom to seek, receive, and impart information
Right to a fair trial and fair hearing
Conclusion

Data Availability and Transparency Bill 2020

Outline and financial impact

The Data Availability and Transparency Bill 2020 (the Bill) authorises and regulates controlled access to Australian Government data. Safeguards are embedded in the Bill to ensure data is managed securely, including frameworks for risk management, transparency, and accreditation of prospective users and data service providers. The Bill establishes the National Data Commissioner to oversee the scheme and support best practice. These new legislative and governance arrangements will promote better availability and use of government data, empower the government to deliver effective policies and services, and support research and development.

Proposal announced: This Bill implements the 2018-19 Budget measure ‘Delivering Australia’s Digital Future - data sharing and release arrangements’; and the 2020-21 Budget measure ‘Department of the Prime Minister and Cabinet - additional resourcing’.

Financial impact: $20.5 million from 2018-19 to 2021-22; and $11.1 million from 2020-21 over 4 years and $0.7 million ongoing from 2024-25.

Compliance cost impact: The measure will increase average regulatory costs by $0.11 million over two years, comprising a cost to business of $0.2 million per year, to community organisations of $0.06 million, and to individuals of $0.02 million per year.

The Productivity Commission Inquiry Report into Data Availability and Use has been certified as being informed by a process and analysis equivalent to a Regulation Impact Statement (RIS) for the purposes of the Government decision to implement this legislation. The Data Availability and Use report can be found at this link: www.pc.gov.au/inquiries/completed/data-access/report.

Human rights implications: This Bill is compatible with human rights, and to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate. Refer to the Statement of Compatibility with Human Rights, in Part 3 below.

Glossary and abbreviations

The following abbreviations are used throughout this explanatory memorandum:

ADSP - Accredited data service provider

Commissioner - National Data Commissioner

Council - National Data Advisory Council

Criminal Code - Schedule to the Criminal Code Act 1995 (Cth)

Data sharing scheme - The Bill and its framework of instruments and operational processes

FOI Act - Freedom of Information Act 1982 (Cth)

Guide to Framing Commonwealth Offences - Attorney-General’s Department, ‘Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers’ (September 2011)

Privacy Act - Privacy Act 1988 (Cth)

PGPA Act - Public Governance, Performance and Accountability Act 2013 (Cth)

Regulatory Powers Act - Regulatory Powers (Standard Provisions) Act 2014 (Cth)

1 - Overview

1. In 2018, the Australian Government committed to reform the way it shares public sector data. Reforms are necessary to realise the benefits of greater data availability and use identified by a Productivity Commission inquiry, supporting economic and research opportunities and the Government’s vision for streamlined and efficient service delivery.

2. The Data Availability and Transparency Bill is central to these reforms. The Bill authorises and regulates controlled access to (‘sharing’ of) Commonwealth data, with safeguards in place to manage risk and streamline processes. This pathway for sharing is optional. Existing mechanisms and arrangements for sharing continue to be available.

3. The Bill takes a principles-based approach to data sharing, providing parties with flexibility to tailor sharing arrangements, and ensuring the scheme can respond to evolving technologies and community expectations. Modernising the approach to sharing public sector data will empower government to deliver effective services and better-informed policy, and support research and development.

4. The Department of the Prime Minister and Cabinet (PM&C) developed the Bill and its underlying policy positions through extensive co-design and engagement with experts, stakeholders, and the community. Discussion papers were released in 2018 and 2019 to test policies with the public and seek input to refine positions. These papers were supported by 76 public roundtables across Australia to consider policy evolutions and strengthen safeguards. Further consultation was undertaken on an exposure draft of the Bill over eight weeks in 2020, which involved bilateral and multilateral virtual engagements with stakeholders.

5. In developing the Bill, PM&C has taken a privacy by design approach to identify, minimise and mitigate privacy impacts wherever possible. Two independent Privacy Impact Assessments were undertaken to identify strengths and weaknesses in the early policy positions and planned legislative framework, and in the draft Bill itself. Privacy safeguards were also strengthened in response to guidance and advice from the National Data Advisory Council and privacy experts, including the Office of the Australian Information Commissioner.

The legislative scheme

6. The Bill establishes a new data sharing scheme which will serve as a pathway and regulatory framework for sharing public sector data. ‘Sharing’ involves providing controlled access to data, as distinct from open release to the public.

7. To oversee the scheme and support best practice, the Bill creates a new independent regulator, the National Data Commissioner (the Commissioner). The Commissioner’s role is modelled on other regulators such as the Australian Information Commissioner, with whom the Commissioner will cooperate.

8. The data sharing scheme comprises the Bill and disallowable legislative instruments (regulations, Minister-made rules, and any data codes issued by the Commissioner). The Commissioner may also issue non-legislative guidelines that participating entities must have regard to, and may release other guidance as necessary.

9. Participants in the scheme are known as data scheme entities:

· Data custodians are Commonwealth bodies that control public sector data, and have the right to deal with that data.

· Accredited users are entities accredited by the Commissioner to access public sector data. To become accredited, entities must satisfy the security, privacy, infrastructure and governance requirements set out in the accreditation framework.

· Accredited data service providers (ADSPs) are entities accredited by the Commissioner to perform data services such as data integration. Government agencies and users will be able to draw upon ADSPs’ expertise to help them share and use data safely.

10. The Bill does not compel sharing. Data custodians are responsible for assessing each sharing request, and for deciding whether to share their data if satisfied the risks can be managed.

11. The data sharing scheme contains robust safeguards to ensure sharing occurs in a consistent and transparent manner, in accordance with community expectations. The Bill authorises data custodians to share public sector data with accredited users, directly or through an ADSP, where:

· Sharing is for a permitted purpose - government service delivery, informing government policy and programs, or research and development;

· The data sharing principles have been applied to manage the risks of sharing; and

· The terms of the arrangement are recorded in a data sharing agreement.

12. Where the above requirements are met, the Bill provides limited statutory authority to share public sector data, despite other Commonwealth, State and Territory laws that prevent sharing. This override of non-disclosure laws is ‘limited’ because it occurs only when the Bill’s requirements are met, and only to the extent necessary to facilitate sharing.

13. If the Bill’s requirements are not satisfied, it does not give legal authority to share the data. In this instance, the situation ‘rebounds’ so that the protections and penalty frameworks of the original non-disclosure law apply. Where there are no applicable non-disclosure provisions to rebound to, the Bill includes penalties and offences that provide an avenue of redress for unauthorised sharing. This approach ensures there are always protections for data shared or created under this scheme.

14. The override is also limited by the Regulations, which list certain secrecy and non-disclosure provisions that will not be overridden by the Bill. If a provision is not listed, it remains at the discretion of the data custodian whether to share data. Provisions that do not impose duties of non-disclosure, such as those relating to data handling or security like the Australian Privacy Principles, are not overridden and continue to apply to data shared under this scheme.

15. Robust transparency and accountability mechanisms are embedded in the Bill to promote integrity and trust in the scheme. For example, details of accredited entities and sharing projects will be made publicly available, allowing Australians to better understand how government data is being used. The Commissioner also reports annually to Parliament on the operation of the scheme, and the Bill prescribes periodic reviews of the scheme to ensure it continues to operate in accordance with needs and expectations.

Scope

16. To maximise benefits, a wide range of data and entities are within scope of the data sharing scheme.

17. The Bill authorises data custodians to share public sector data with accredited entities from all levels of government as well as industry, research, and others in the private sector.

18. ‘Public sector data’ encompasses all data collected, created, or held by the Commonwealth, or on its behalf. The concept of data includes facts, statistics, and other information that are capable of being communicated, analysed or processed via physical or electronic means.

19. The Australian Government has separately established a Consumer Data Right to boost competition and to enhance consumers’ access to and control of their data in the private sector.

20. The Bill’s in-built safeguards encourage agencies to manage the risks of sharing, rather than avoid sharing altogether. Exclusions from the scheme have been granted, however, where strictly necessary to balance the impetus for greater access to public sector data with other legitimate interests.

21. For instance, the Bill does not authorise sharing that would infringe intellectual property rights or international agreements, or where intelligence entities or their data are involved. The Bill also excludes sharing of operational data and evidence before courts, tribunals, and certain agencies with oversight or integrity functions, to protect the independence and confidentiality of their core functions. Specific provisions will also be exempted to ensure especially sensitive data handled under other legislation is not shared through this scheme.

Interaction with other schemes

22. The Bill establishes an alternate pathway for the sharing of government data. All existing pathways and mechanisms for data sharing continue to operate unaffected, as the Bill does not replace or change these arrangements.

23. Existing legal obligations and policies for handling government data continue to apply, including the Australian Privacy Principles in the Privacy Act, records management requirements under the Archives Act 1983, and the Protective Security Policy Framework.

24. While the Bill focuses on data sharing, it also preserves established legal pathways for open data release. The Bill supports but does not provide authority to release data, as there are already a range of legal mechanisms for this. Outputs created through the sharing process may be released, where the data custodian agrees and the release has the support of an existing legal authority.

25. Frameworks established by the Bill for sharing data can be adapted to facilitate release. For example, the data sharing principles can be used to mitigate the risks of releasing data under other laws. The Commissioner’s advocacy function also allows them to work with agencies to address cultural barriers to improve data availability and use more broadly.

Enabling safe data sharing

26. The Bill enables controlled sharing of data for the prescribed purposes, with accredited entities and with safeguards in place. The Bill allows for building valuable data assets, such as integrated data assets, that can be re-used to deliver benefits effectively. Sharing is underpinned by strong transparency and accountability measures, while the National Data Commissioner provides oversight to build trust in the data sharing scheme.

Sharing data for certain reasons - the permitted purposes

27. The Australian Government collects and uses data for a wide range of purposes, to support government agencies to fulfil their functions. The Bill focuses on three specific purposes in line with community needs and expectations, allowing other government functions to continue under other laws.

28. The Bill authorises data sharing for the purposes of:

· Delivery of government services;

· Informing government policy and programs; and

· Research and development.

29. Government services are government activities that provide coordinated and structured advice, support, and services to individuals. Sharing data for this purpose could enable improved designs of systems, engagement, and processes involved in delivery of services, including improving user experiences through simplified or automated systems like pre-filled forms and reminders to submit or verify details.

30. Sharing data to inform government policy and programs is a permitted purpose and is interpreted broadly. Data shared under this purpose could help enable the discovery of trends and risks to inform public policy making, enable modelling of policy and program interventions, and provide a holistic understanding of cross-portfolio impacts and ‘wicked problems’.

31. The third permitted purpose enables sharing for research and development. This term includes activities to advance knowledge and contribute to society. Sharing for these purposes will enable accredited academics, scientists, and innovators in the public and private sectors to access public sector data to gain insights that could enhance Australians’ socio-economic wellbeing.

32. The Bill precludes sharing public sector data for certain enforcement related purposes, such as law enforcement investigations and operations. The Bill also does not authorise data sharing for purposes that relate to or could jeopardise national security, including the prevention or commission of terrorism and espionage. While these activities are legitimate functions of government, they require specific oversight and redress mechanisms that are better dealt with through dedicated legislation. Existing legislation governing these activities, including offences and penalties, will continue to operate alongside the Bill.

33. The Minister may preclude additional purposes through a rule making power to address any future risks that may emerge.

Sharing data safely - the data sharing principles

34. Once a data custodian is satisfied a proposed project is for a permitted purpose, the data sharing principles must be applied to assess and control the risks of sharing in a holistic manner. The principles are a framework for best practice risk management, enabling parties to adapt controls to suit the needs and context of each sharing arrangement.

35. The principles are structured to manage risks arising across five key elements of the sharing process - project, people, settings, data, and outputs:

· The project principle considers the intended use of the shared data, including public interest, consent and ethics requirements.

· The people principle considers the users accessing the data, to ensure they can be trusted and have the right skills for the project.

· The settings principle assesses whether data is shared in a controlled environment tailored to the data type and sensitivity, subject to security standards.

· The data principle requires data to be protected, including taking a ‘data minimisation’ approach so that only data reasonably necessary to achieve the project is shared.

· The outputs principle ensures the results and outcomes of the project are agreed, including whether they are appropriate for publishing.

36. The principles work together: overarching conceptual issues are considered under the project principle, while the other principles address technical and operational matters. Controls can be dialled up and down among the principles to suit the overall needs of each project; for instance, a tightly controlled access environment such as a secure lab may support analysis of detailed (rather than aggregate) data.

37. Controls under the principles, and the party responsible for implementing them, are detailed in a publicly available data sharing agreement. The Commissioner has oversight of agreements, and powers to monitor and enforce data scheme entities’ compliance with their responsibilities under this Bill. The application of the principles is not ‘set and forget’: risks must be actively managed throughout the duration of a sharing project.

Sharing data with the right people - accreditation

38. Accreditation serves as a gateway into the data scheme, as users and data service providers must be accredited by the Commissioner before they can access shared data.

39. The accreditation process involves assessment of prospective recipients of data against criteria set in the Bill, to ensure they are capable of managing scheme data accountably, minimising risks of unauthorised access, and complying with obligations under the Bill. To support the Commissioner to make an informed accreditation decision, the Commissioner may also receive security advice about applicants seeking accreditation.

40. Non-corporate Australian Public Service (APS) agencies must be accredited as users by the Commissioner, recognising they are subject to Australian Government policies and frameworks, such as the Protective Security Policy Framework, and to ongoing oversight by Ministers. The Minister may also prescribe other Commonwealth bodies that must be accredited by the Commissioner, if the Minister is satisfied they meet the accreditation criteria.

41. The Commissioner will be able to control systemic and entity-specific risks by placing conditions on, suspending, or cancelling accreditation for reasons of security or otherwise as provided by the accreditation framework (for instance, where an APS agency’s accreditation is suspended pursuant to a Ministerial decision).

42. Accreditation does not guarantee data will be shared, as data custodians have discretion whether or not to share data with accredited entities.

Better management and transparency

43. The Government currently shares data for a range of valuable projects, but recognises the need for a more consistent and streamlined approach to sharing. To achieve this outcome, the Bill contains a range of measures to support good data governance and encourage public trust through transparency.

44. Data sharing agreements are a key governance and transparency measure. All sharing arrangements under the Bill must be recorded in a data sharing agreement that includes a set of minimum mandatory terms. These standardised terms will support greater consistency and clarity of obligations, and reduce the need for complex negotiations.

45. To promote transparency of sharing arrangements, the Commissioner must publish public registers of data sharing agreements and accredited entities. These registers will provide insight into what data is being shared and why, who is accessing data, and how it is being safely shared.

46. The Commissioner must also report annually on how the data scheme is operating, to highlight system-wide opportunities and areas for improvement.

Integrity of the scheme

Oversight by the National Data Commissioner

47. The Bill establishes the National Data Commissioner as an independent statutory office holder charged with overseeing the data sharing scheme as its regulator and champion. Australian Public Service staff and contractors may assist the Commissioner to perform their functions. Staff must be made available from the Department responsible for administering the Bill; however, contractors may be used where this affiliation may give rise to conflicts of interest.

48. As champion of the data sharing scheme, the Commissioner will provide advice, advocacy and guidance to ensure the scheme operates as intended. The Commissioner will also work with data scheme entities to build data capability, promote best practice data sharing and use, and address cultural barriers to sharing.

49. The Bill establishes a National Data Advisory Council as a source of expertise to support the Commissioner in their guidance, advice and advocacy functions. Members of the Council will be appointed by virtue of their depth of experience and expertise relevant to the data sharing scheme. The Council may advise the Commissioner on issues such as ethical data use, privacy, community expectations, technical best practice, and industry and international developments. The Commissioner may also seek advice from the Council on issues relating to the broader data environment.

50. As regulator, the Commissioner has oversight of the scheme and is empowered to monitor, investigate, and enforce compliance with the Bill by data scheme entities. A range of mechanisms are embedded in the Bill to deter and address non-compliance, while allowing the Commissioner to act proportionately according to the circumstances of each case. Options range from working with the entity to address the situation, such as by entering enforceable undertakings, to issuing a direction for the entity to comply, or seeking judicial penalties. These powers have been modelled on other regulators with similar mandates, and apply the learnings from recent inquiries into effective regulatory action.

Avenues for redress - complaints and review of decisions

51. The Bill provides means for data scheme entities to raise issues about breaches or decisions under the scheme, and existing avenues for redress continue to be available.

52. A complaints mechanism enables data scheme entities to complain to the National Data Commissioner, separately or as a class action, about potential breaches of the legislation. This triggers the Commissioner’s regulatory powers to investigate and address the situation.

53. Regulatory decisions by the Commissioner may be reviewed for their merits or legality through standard administrative review processes.

54. Data sharing decisions by data custodians will not be reviewable on their merits under this scheme. Such decisions are best made by data custodians, as they have a full understanding of the risks of and public interest in sharing their data.

55. It is important to distinguish administrative review from the regulatory oversight and powers exercised by the National Data Commissioner with respect to data sharing activities and entities.

56. Existing avenues for redress in other schemes continue to be available, including where the situation involves sharing or shared data. For example, a person affected by a decision based on shared data may seek review of that decision, where the legislation governing that decision sets out review rights. A person may also complain about government activities to the Commonwealth Ombudsman, to other Ombudsmen and regulators, or to the Australian Information Commissioner about suspected mishandling of their personal information.

57. The Bill also supports a ‘no wrong door’ approach by empowering the Commissioner to transfer matters and information to other regulatory bodies, such as the Australian Information Commissioner. Other regulators will have reciprocal powers to transfer matters to the National Data Commissioner. This approach means anyone who makes a complaint or raises an issue can be connected with the appropriate service or regulator.

Dealing with breaches - penalties and consequences

58. The Bill contains penalty frameworks to deter non-compliance with its requirements and to protect data shared or created through the scheme.

59. If sharing or use of public sector data occurs in a manner not authorised by this Bill, other non-disclosure laws are not overridden and their penalties apply.

60. This Bill enables sharing by overriding non-disclosure provisions in other laws, where sharing is for a permitted purpose and safeguards are in place. If these requirements are not met, the situation ‘rebounds’ so that the original non-disclosure provisions and penalties apply. Where there are no applicable non-disclosure provisions to rebound to, the Bill contains ‘gap coverage’ penalties to ensure redress is always available for unauthorised sharing.

61. The Bill also includes civil penalties and criminal offences to cover situations which are unique to the data sharing scheme, such as where a data scheme entity has not complied with the conditions of its accreditation. The maximum penalties were set in the Bill after considering those in established frameworks, such as the Privacy Act, and more contemporary offences for mishandling government and consumer data.

62. The Bill also provides a framework for mitigation and reporting of unauthorised access to data that has been shared or created under this scheme (a data breach). Data scheme entities have responsibility to mitigate harm arising from data breaches and to report data breaches to the National Data Commissioner.

63. If a serious data breach involves personal information, it must also be reported to the Australian Information Commissioner. The Bill preserves the Australian Information Commissioner’s oversight of data breaches involving personal information by engaging the notifiable data breach scheme under Part IIIC of the Privacy Act. Responsibility for notification rests with the data custodian, or with an accredited entity covered by the Privacy Act that is involved in the sharing. A copy of the statement provided to the Information Commissioner must be given to the National Data Commissioner, to ensure their continuing oversight of the data sharing scheme.

Periodic reviews of the operation of the Bill

64. The Bill is drafted as principles-based legislation to ensure it remains relevant and adaptable to evolving technology and public expectations. The Bill will also be reviewed periodically to ensure the data sharing scheme operates as intended, and to provide opportunity for improvement.

65. The first review will occur three years after commencement of the Bill, to allow initial issues to be identified and addressed. Periodic reviews will also occur every ten years from commencement to address any emerging issues in the longer term. Review reports will be tabled in each House of the Parliament by the responsible Minister.

2 - Notes on Clauses

Chapter 1 - Preliminary

Part 1.1 - Introduction

1.              This Part sets out the preliminary matters for the operation of this Bill, including its short title, commencement, objects, and geographical jurisdiction.

Clause 1 - Short title

2.              Once enacted, the short title of the Act will be the Data Availability and Transparency Act .

Clause 2 - Commencement

3.              The entire Bill will commence the day after Royal Assent is received, as set out in the table.

4.              This approach establishes the National Data Commissioner (the Commissioner) and empowers them to implement the data sharing scheme created by the Bill.

5.              In practice, the data sharing scheme will be operational once the Commissioner is appointed, and the instruments and systems underpinning the data sharing scheme have been implemented, in particular the accreditation framework (refer clause part 5.2).

Clause 3 - Objects

6.              The ultimate intent in enacting this legislation is to improve how Australia shares public sector data to drive service delivery, evidence-based policy, research and innovation.

7.              This clause sets out specific objectives of the legislation to achieve the Government’s intent, addressing priorities identified in the Productivity Commission inquiry report Data Availability and Use for establishing a scheme to enable and regulate sharing of public sector data.

8.              Together, these objectives encourage greater sharing of public sector data with robust safeguards to protect privacy and data security, while enhancing integrity and transparency to build community confidence. Establishment of the National Data Commissioner to administer and regulate the data sharing scheme is crucial to achieving these objectives.

9.              Substantive provisions elsewhere in the Bill should be read in light of these objectives.

Clause 4 - Simplified outline of this Act

10.          This clause provides a succinct overview of the crucial concepts and content of the Bill, which establishes the National Data Commissioner as regulator of a new data sharing scheme for sharing public sector data.

11.          Simplified outlines are included to assist readers to understand the substantive provisions of this Bill. However, readers should rely on the substantive provisions of this Bill as these outlines are not intended to be comprehensive.

Clause 5 - Act binds the Crown

12.          This clause provides that the Bill binds the Crown in each of its capacities. Consistent with standard practice, this does not render the Crown liable to criminal prosecution, though it may be subject to civil penalty.

13.          The shield of the Crown does not extend to government business enterprises, or to Commonwealth employees acting outside their lawful authority.

Clause 6 - Extension to external Territories

14.          This clause operates with clause 7 to ensure the authorisations, safeguards, and regulatory aspects of the data sharing scheme apply consistently throughout Australia’s mainland and external territories, as well as extraterritorially.

15.          The geographic scope of the Bill - where it applies - as established by clauses 6 and 7 is consistent with similar legislative frameworks such as the Privacy Act.

Clause 7 - Extraterritorial operation

16.          This clause extends the application of this Bill and relevant parts of the Regulatory Powers Act to conduct, matters, and things outside of Australia. The clause applies to both civil contraventions and criminal offences.

17.          Establishing extraterritorial application of this Bill is necessary given foreign entities may be accredited, and technological advances mean that data is increasingly stored offshore and may be accessed remotely. Extending the application of the Bill in this way ensures the data sharing scheme’s safeguards apply consistently to all participants and situations, and are capable of adapting to emerging and future needs.

18.          Consistent with relevant schemes such as the Privacy Act and the Criminal Code, subclause (1) and clause 136 provide that the Bill and applicable sections of the Regulatory Powers Act have extraterritorial effect.

19.          Subclause (2) makes clear that any extraterritorial exercise of regulatory power by the Commissioner must be in accordance with international law and agreements, including Commonwealth laws giving effect to such agreements. The Commissioner may act in cooperation with relevant regulators in foreign jurisdictions.

Clause 8 - Application of this Act

20.          This clause sets out the circumstances in which the Commonwealth has authority to share and regulate sharing of public sector data under this Bill. Each subclause invokes relevant powers of the Commonwealth under the Australian Constitution.

21.          For sharing to be authorised under the Bill, it must be supported by one or more of these subclauses, and meet the other requirements in Chapter 2 (especially clauses 13 and 15).

22.          Data may be shared to inform Commonwealth policy, programs, or service delivery. This includes sharing for the recipient’s own purposes (within the limits of clause 15).

23.          Subclauses (a), (c), and (d) describe circumstances where sharing occurs with or through particular types of accredited entities. Subclauses (b), (e), (f), and (g) support sharing by a data custodian with any kind of accredited entity, both government (Commonwealth, State, or Territory) and non-government.

24.          Subclause (a) supports sharing where the intermediary or the recipient (or both) accessing the shared data is a Commonwealth or Territory body. This clause may apply where sharing involves an ADSP that is such a body (regardless of the nature of the end user), or where a custodian shares directly to an accredited user that is a Commonwealth or Territory body. This subclause could cover situations where data is shared with a Commonwealth or Territory government agency to inform design of policies, programs, or services within its legislative power, or to conduct research or development activities.

25.          Subclause (b) covers sharing for the purpose of service delivery, or informing policy or programs, where those activities are conducted by, or include, the Commonwealth government. This could support sharing among Commonwealth entities. It could also support sharing where the Commonwealth government is ‘included’, such as where the accredited user is a non-government organisation like a charity that is delivering a government program or service on behalf of the Commonwealth - for instance disaster relief or directly implementing support services. Similarly, a Commonwealth data custodian sharing with an accredited State government authority to inform the design of a joint Commonwealth-State infrastructure program could be in scope of this subclause. In this latter example, however, sharing could not be taken to ‘include’ the Commonwealth government if the sharing were to inform the State authority’s own policies, programs or services. Alternate bases of support for this type of sharing are addressed below.

26.          Subclause (c) is relevant where data is shared for research and development purposes with an accredited user that is a trading or financial corporation formed within the Commonwealth, or a foreign corporation. This subclause could support sharing with a research institute to inform Commonwealth research and development, or its own independent research and development.

27.          Subclause (d) covers sharing with an accredited user where that user is a foreign person and the sharing is done in accordance with an international agreement binding on Australia. This provision could operate where there is a bilateral treaty for information sharing between Australia and a foreign government, or an inter-governmental agreement for research cooperation.

28.          Subclause (e) covers data sharing by means of electronic communication - that is, transfer of information via the internet or a telecommunications network. This subclause covers electronic transmission of data to accredited users (from all levels of government, as well as non-government entities) to inform any of the purposes in clause 15. For example, a data custodian could rely on this subclause to transfer data from its computer or server to that of a State government authority for the recipient’s own policies, programs and services, or for research and development, as the application is not restricted to Commonwealth government purposes. Transfer of information through non-electronic means, such as printed paper, could be supported by other subclauses in clause 8.

29.          Subclause (f) may apply where data is shared for statistical purposes such as the compilation or analysis of statistics, or to enable research that is statistical in nature. Subclause (g) is relevant where census or statistical information such as from a survey or administrative source is shared. Both subclauses could support sharing with or through accredited entities, whether government (any level) or non-government.

Part 1.2 - Definitions

30.          This Part contains key definitions used throughout the Bill.

Clause 9 - Definitions

31.          This clause sets out definitions and terms used throughout the Bill. Some defined terms are signposts that refer readers to the clauses in which those terms are substantively defined.

32.          Where possible, existing definitions have been used or adapted to ensure this Bill operates smoothly alongside other legislative schemes. Where a word is not defined, readers should rely on its ordinary meaning, when read in context of the provision in which it appears, as well as the Bill more broadly.

33.          Key definitions from this clause are explained below in alphabetical order.

34.          Breach - conduct which contravenes or is inconsistent with requirements of this Bill. These requirements include those imposed by subordinate legislative instruments (regulations, rules, codes). A legislative breach is distinct from a data breach, which is defined in clause 35.

35.          Commonwealth body - this definition captures all bodies under the standard PGPA Act definitions of Commonwealth entities and companies, as well as other bodies under the FOI Act, such as statutory office holders and judicial bodies.

36.          Data service - this definition describes what services an accredited data service provider may provide as an intermediary in sharing arrangements made under this Bill. The scope of services is broad in recognition of the diverse range of activities involved in sharing and managing data, where data custodians may seek support. The range of services, or conditions on their provision, may be addressed through a data code or Ministerial rules (refer clauses 126 and 133). Data services performed by an ADSP must involve the public sector data shared by the relevant data custodian, but are not limited to services involving only public sector data where supported by other legal authority (refer clause 10 definition of ‘ADSP-enhanced data’ and clause 13(3)).

37.          Data sharing scheme - this term encompasses the legislative framework established by the Bill and subordinate legislative instruments (regulations, rules, and data codes), as well as guidelines made under clause 127.

38.          Engage in conduct - this definition clarifies that the term ‘conduct’ extends to positive actions as well as failing or omitting to do something. This clarity is important for determining breach, for instance it means failure to do something in order to comply with a requirement of the data sharing scheme may be considered a breach.

39.          Entity - this term is broadly defined to reflect the scope and objectives of the Bill. It covers all types of Australian and foreign entities capable of participating in the data sharing scheme. This includes individuals, government bodies, bodies corporate and bodies politic, and non-legal entities. Part 6.3 deals with how certain entities are treated under this scheme. Limits on participation are achieved through the definition of ‘data custodian’ in clause 11(2), restrictions on sharing in clause 17, and the accreditation framework set out in part 5.2, which provides a gateway to participation in the data sharing scheme.

40.          Operational data - this definition is relevant to clause 17(2), which excludes sharing of information about the operational activities and processes of certain entities specified in the clause. The term is based on the concept of ‘operationally sensitive material’ in the Independent National Security Legislation Monitor Act 1982, adapted to the needs of this scheme.

41.          Release - in the context of this Bill, release means the data is made openly (i.e. publicly) available, so the entity that released the data retains no control over it. The aspect of control is critical to distinguish data release from data sharing.

42.          Share - this definition captures all aspects of the process authorised by clause 13. The concept includes both providing and receiving controlled access to public sector data. The term ‘share’ is used throughout this Bill to refer to the process of providing controlled access under clause 13(1); however, it is sometimes used to describe individual activities, such as the process in clause 13(1), or specific activities authorised by clause 13(3).

Clause 10 - Data definitions

43.          This clause contains definitions for key data-related terms used throughout the Bill, grouped together to assist readers to find and understand these concepts.

44.          Subclause (1) defines ‘scheme data’ to mean public sector data and outputs that have been shared and created through the data sharing scheme, and which are protected by its safeguards and controls. Outputs which have exited the scheme under clause 21 are no longer scheme data. Only data scheme entities may hold or have access to scheme data.

45.          Subclause (2) defines ‘public sector data.’ This definition establishes the scope of government data that can be shared under the data sharing scheme. The term includes data that is collected, created, or held by a Commonwealth body, or on its behalf. Public sector data includes ‘personal information’ and ‘sensitive information’, as defined by the Privacy Act, as well as other types of data. Data created or enhanced by an accredited data service provider (ADSP, refer clause 11(4)) on behalf of a data custodian also falls within this definition, as do outputs created by an accredited user and declared by a data sharing agreement to be of a data custodian (refer clauses 11(2) and 19(9)).

46.          Subclause (3) defines ‘ADSP-enhanced data’ to mean results or products generated by an ADSP in the course of providing data services on behalf of a data custodian in relation to public sector data. For instance, where an ADSP integrates several datasets on behalf of a custodian to provide to an accredited user, the integrated dataset is ‘ADSP-enhanced data’. This includes where the ADSP integrates public and non-public sector data on behalf of a data custodian, relying on the data custodian’s legal authority to collect and use both datasets. In this circumstance, the integrated dataset is also ‘public sector data’ as it is data created on behalf of the Commonwealth (the data custodian).

47.          Subclause (4) defines ‘output.’ This definition establishes what is considered under the outputs principle (refer clause 16(9)). The term ‘output’ means data that is the result or product of sharing authorised under Chapter 2 that is generated by an accredited user. This is an inclusive term to cover a range of results and products that incorporate or are founded upon the shared data, such as an integrated dataset, tables or graphs of statistical information, an algorithm, a pre-filled form compiled using shared data, a research paper, or a policy proposal. Outputs are subject to ongoing controls under the data sharing scheme, unless they exit the data sharing scheme under clause 21.

48.          Subclause (5) sets out the definition of ‘data.’ This broad definition is intended to capture all forms of data and information, including copies of original data. This definition aligns with State data sharing legislation to promote consistency between related schemes. Data shared or created under this Bill may be a record for the purposes of the Archives Act 1983, and if so must be handled in accordance with that Act.

Clause 11 - Entity definitions

49.          This clause identifies and defines the key roles entities have in the data sharing scheme. This clause is necessary to identify participants in the data sharing scheme and, accordingly, the extent of the Commissioner’s regulatory powers.

50.          Subclause (1) defines the term ‘data scheme entities’ to mean data custodians of public sector data and accredited entities, defined respectively in subclauses (2) and (3).

51.          Subclause (2) defines which entities are considered data custodians for the purpose of the data sharing scheme. Data custodians are Commonwealth bodies (refer clause 9 definition) that control and have the right to deal with particular public sector data, and are not excluded entities under subclause (3).

52.          In accordance with subclause (2)(a), the custodian must control the data itself, or through another body acting on its behalf. Physical possession (for instance, paper-based data stored on site) is sufficient but is not required. This reflects the reality of data management, as data may be collected and stored remotely or in electronic form, including cloud storage, in accordance with the conditions set by its custodian.

53.          A right to deal with data in subclause (2)(b) is a broad concept, encompassing the power to collect and handle that particular data for the entity’s functions or activities. Such rights typically derive from legislation or contract, but may also be reflected in other arrangements like Memoranda of Understanding.

54.          Subclause (2)(b)(i) recognises rights arising outside of this scheme, for instance under portfolio legislation, while subclause (2)(b)(ii) allows custodial rights to arise with respect to scheme data created by accredited entities that are Commonwealth bodies.

55.          Subclause (2)(b)(ii) works with clause 19(4) to allow a data sharing agreement to designate one of the (Commonwealth) parties as data custodian of each type of scheme data (such as any outputs, shared data, or ADSP-enhanced data) generated under the agreement. This approach is consistent with how custodians’ rights may arise outside of the data sharing scheme, and provides flexibility so parties can set and streamline their sharing arrangements in a manner that does not compromise the original custodian’s control.

56.          In most cases, the entity that collects data to fulfil its legislative functions or purposes (typically a Commonwealth department or agency) will be the custodian of that data.

57.          The definition of data custodian must be read with clause 13(1) and clause 17, which qualify custodians’ capacity to share data under this scheme. In particular, sharing must be in accordance with existing arrangements relating to the data, and have the agreement of all relevant custodians. Where multiple entities are authorised to collect and handle the data, such as where different departments use the same data for different functions, they should resolve custodianship prior to entering a data sharing agreement.

58.          Certain Commonwealth bodies are excluded from being data custodians for the purposes of this scheme, as provided by subclause (2)(c) and listed in subclause (3).

59.          Subclause (3) lists entities that are excluded from the scheme. Excluded entities cannot be data custodians, and are unable to seek accreditation under part 5.2. As excluded entities are not data scheme entities, they are not able to use the authorisations and are not subject to the responsibilities and regulatory provisions of this Bill. Intelligence entities are excluded to preserve existing arrangements and frameworks that authorise and regulate their activities. Oversight agencies such as the Commonwealth Ombudsman and the Australian National Audit Office are excluded as they have oversight of the government and the Commissioner’s activities under this Bill. Data originating with, held by or received from excluded entities may not be shared under this Bill (refer clause 17(2)(a)).

60.          Subclause (4) defines accredited entities. The term ‘accredited entity’ refers to two kinds of data scheme entities: users and data service providers that are accredited under the accreditation framework (refer part 5.2).

61.          Accredited entities are authorised to collect and use data shared with them under clause 13, within the parameters set by their data sharing agreement (refer clause 18) and this Chapter.

62.          Accredited users are entities that are capable of securely handling data shared with them under this scheme. Accreditation of users typically occurs at an agency or organisation level, and may involve identifying individuals within such bodies who are involved in sharing (refer part 5.2).

63.          Accredited data service providers (ADSPs) are intermediaries in the sharing process that provide data services which support sharing by data custodians with accredited users. ADSPs act on behalf of data custodians, as their agent. ADSPs play a crucial role in the scheme to fill gaps in resourcing and capability that would otherwise inhibit data availability and use.

64.          A broad range of entities may apply for accreditation, consistent with the clause 9 definition of ‘entity’ - other than excluded entities (refer clause 11(3)).

65.          To become accredited, applicants are assessed by the National Data Commissioner to ensure they have appropriate capabilities to participate in the data sharing scheme. A single entity can have multiple roles: an entity may be accredited as both user and data service provider - and may also be a data custodian. A data custodian must be accredited as an accredited user to collect and use data under this scheme, including its own data. In such cases, it must be clear in which capacity the entity is acting, both in practical terms and on the face of the data sharing agreement (refer clauses 18 and 19). This is important where a data custodian is also acting as an accredited entity within the same sharing project.

Chapter 2 - Authorisations to share data

66.          Chapter 2 of the Bill authorises data custodians to share public sector data with accredited users in permitted circumstances. Authorisation to share is subject to the controls set in this Chapter.

67.          Within the circumstances of clause 8, data custodians may share public sector data with accredited users in accordance with the controls established by this Chapter. Key requirements to share (including to collect and use) data are specified in clause 13, and expanded upon in subsequent clauses. Where these requirements are met, and sharing is not excluded under clause 17, this Bill overrides other laws to the extent that they restrict sharing.

68.          Data custodians have discretion whether to use this authorisation to share public sector data; there is no duty to share, and other pathways for sharing data continue to operate.

69.          Data scheme entities must comply with legislative instruments (refer clause 26), and have regard to the Commissioner’s guidelines (refer clause 27) when engaging with the data sharing scheme.

Clause 12 - Simplified outline of this Chapter

70.          This clause provides a simplified outline of the authorisation provisions of Chapter 2 of the Bill. This simplified outline is intended to assist readers to understand the substantive provisions of the Chapter, but is not comprehensive. Readers should rely on the substantive provisions.

Clause 13 - Authorisations to share data

71.          This clause enables data scheme entities to share public sector data by providing authorisations and requirements for each component of the sharing process.

72.          Specifically, this clause authorises data custodians to provide, and accredited entities to obtain access to, public sector data in a controlled manner that meets the requirements of the subclauses. These requirements apply in all sharing situations, including where sharing involves one or more datasets, data custodians, and/or accredited entities.

73.          In short, sharing is authorised where it is for a permitted purpose, safeguards to manage risk and ensure custodian oversight are in place, the terms of sharing are set out in a data sharing agreement, and no exclusion applies. These requirements are provided at a high level in subclauses 13(1) and (3), and detailed in later clauses in Chapter 2.

74.          Subclause (1) authorises data custodians to provide controlled access to public sector data to accredited users, directly or through an ADSP. Paragraphs (a) to (d) set out high-level requirements that must be satisfied in order for sharing to be authorised. In particular, sharing must be consistent with the data sharing purposes and principles, and a valid data sharing agreement (refer clauses 15, 16, and 18). Sharing must not be for a precluded purpose (refer clause 15), or excluded under clause 17 or the regulations.

75.          Subclause (1)(e) applies to sharing a dataset that has multiple data custodians. Each custodian must authorise the sharing, either individually in the data sharing agreement, or by authorising one to act on the others’ behalf for the purposes of this Bill (whether on a one-off or an enduring basis). In the latter case, evidence of their authority to act must be attached to a data sharing agreement made by the authorised custodian. This approach enables a streamlined approach to reduce red tape, at custodians’ discretion, while ensuring custodians retain oversight of their data.

76.          Subclause (2) clarifies that the requirements of subclause (1) apply to both stages of sharing where an ADSP is involved.

77.          In practice, this means sharing must be consistent with the data sharing purposes and principles, articulated in a data sharing agreement, and no exclusion applies, for both the first stage of sharing (where the data custodian shares to the ADSP) and the second stage (where the ADSP makes data available to the accredited user on behalf of the data custodian).

78.          While both stages of sharing will be for the same overall purpose, different controls may be placed under the data sharing principles to reflect differences in context and risks in each stage. For instance, a data custodian may engage an ADSP to provide an accredited user with secure access to data for research purposes. Controls for the transfer of data to the ADSP would differ from the controls to manage the risks and conditions of the ADSP providing access to users. This is also the case where the ADSP transforms the data it receives from a custodian prior to providing access to an accredited user, such as by integrating multiple datasets from a custodian together into a single asset, or creating an extract so the user only accesses a subset of the larger dataset provided to the ADSP. The data sharing agreement must set out parties’ responsibilities and safeguards for each stage of the sharing (refer clauses 18 and 19).

79.          Importantly, the drafting of this clause means only data custodians are authorised to share, and data must be made available to at least one accredited user. If an entity that is a data custodian intends to access data covered by a sharing project it must do so in the role of an accredited entity, or under clause 19(9), as specified in the data sharing agreement.

80.          Subclause (3) authorises accredited entities to collect and use public sector data that is shared with or through them under subclause (1) - where consistent with the purpose test, data sharing principles, and the terms agreed by the data custodian. Collection and use of scheme data must also be in accordance with any conditions of an entity’s accreditation, and is not authorised if the entity’s accreditation is suspended (refer to part 5.2 for clauses on accreditation).

81.          ‘Use’ has its ordinary meaning, which in the context of this scheme could cover all forms of handling data such as analysing data, as well as sharing or release within the limited circumstances of clause 21. Data integration may also be an authorised use of public sector data under subclause (3). As the Bill provides authority for the integration of public sector data, separate legal authority is also needed to support integration with any non-public sector data under a data sharing agreement. Refer also: clause 10(3) definition of ‘ADSP enhanced data’.

82.          For clarity: sharing activities which are consistent with this clause activate the ‘authorised by law’ provisions for collection, use, and disclosure of personal information and sensitive information in Australian Privacy Principles (APP) 3 and 6 of the Privacy Act. To the extent sharing is authorised by clause 13 but does not fall within those APP provisions, the override in clause 23 will operate to support sharing, collection, and use of public sector data under this Bill.

Clause 14 - Sharing must be authorised

83.          Under this clause, a person may be liable for a civil penalty or a criminal offence for sharing data in an unauthorised manner. This clause aims to deter non-compliance and build confidence in the scheme, without discouraging participation. It does not impose retrospective liability.

84.          This Bill provides limited statutory authority to override provisions in other laws that prevent sharing, where the requirements of Chapter 2 are met (refer clauses 13 and 23). If these requirements are not met, sharing is not authorised by this Bill and the situation ‘rebounds’ so the protections and penalties of the non-disclosure laws apply.

85.          The penalties and offences in this clause are designed to capture instances of unauthorised sharing where there are no applicable penalties to which the conduct can rebound. This approach ensures there are always protections for data shared or created under this scheme. For example, the Bill may be used to share and integrate data to create an enriched dataset that is more sensitive than the individual source datasets. The penalties in this clause provide gap coverage where there are no existing penalties for unauthorised sharing, collection, or use of the individual source datasets.

86.          Where appropriate, penalties may be sought under this clause rather than under other laws through operation of the rebound approach. In this case, standard processes such as those in section 4C(1) of the Crimes Act 1914 will apply to manage situations where the same conduct could be prosecuted under multiple Commonwealth laws. Where conduct may attract a civil penalty or criminal offence (under clause 14 or a rebound provision), sections 88-90 of the Regulatory Powers Act will apply to any proceedings, penalty orders, and convictions.

87.          Subclauses (1) and (2) apply to unauthorised sharing. While these provisions are expressed to apply to persons, they must be read in conjunction with part 6.3 (treatment of certain entities) as individuals’ conduct may be attributed to the data scheme entity for which they act.

88.          Subclause (1) provides for a civil penalty where a person relies, or purports to rely, on the authorisation to share in clause 13(1) but the sharing is not authorised. This could occur in a range of circumstances, such as if a person shares public sector data with non-accredited recipients, or for a precluded purpose (refer clause 15). It could also occur where a person’s right to share particular data is qualified by a pre-existing agreement between their employer and another entity, and the sharing contravenes that earlier agreement (refer clause 17). The phrase ‘purportedly relies on’ relates to use of a data sharing agreement to facilitate the sharing transaction, as data sharing agreements must specify that sharing occurs under this Bill and in accordance with its requirements (refer clause 19).

89.          Subclause (2) creates a criminal offence for the same circumstances as (1): the person shared public sector data under or purportedly under this Bill, in a manner that resulted in the sharing being unauthorised.

90.          Each element of the offence is set out in paragraphs (2)(a) to (c), relying on default fault elements from the Criminal Code. This is consistent with the Guide to Framing Commonwealth Offences (para 2.2.4). Paragraphs (a) and (b) establish conduct elements of the offence, the relevant fault element being intention. Paragraph (c) specifies recklessness as the fault element as this paragraph relates to the circumstances or results of the conduct.

91.          Subclauses (3) and (4) are directed towards persons who collect and use data in an unauthorised way but must be read in conjunction with part 6.3 (treatment of certain entities). As with subclauses (1) and (2), the rebound approach applies in practice here.

92.          Paragraph (d) of subclauses (3) and (4) clarifies how this clause interacts with clause 135 and the FOI Act.

93.          The effect of paragraph (d)(i) is that a person will not contravene clause 14 where their disclosure of scheme data was to an integrity body pursuant to clause 135, for judicial proceedings and regulatory processes that arise under, or with respect to, this Bill.

94.          Similarly, paragraph (d)(ii) means that granting access to an output in accordance with the FOI Act does not contravene clause 14. However, this does not apply to release of other forms of scheme data under the FOI Act, such as data shared by a data custodian or enhanced by an ADSP (refer clause 10), which continue to be regulated by this Bill. Access to copies of data held outside of the data sharing scheme may continue to be sought under the FOI Act.

95.          Subclauses (5) and (6) clarify that the civil penalty and criminal offence for unauthorised collection and use apply irrespective of other laws.

96.          The effect of subclause (5) is that contravention of the Bill may be established even if other legislation authorises that conduct. This clause prevents current and future laws from affecting the operation and scope of the Bill. In particular, it prevents another law from expanding the permitted purposes for sharing in clause 15. Subclause (5) works in conjunction with clause 23, which provides for a limited override of other non-disclosure laws to enable sharing. Together, these provisions establish and protect the operation and scope of the DAT Bill despite any contrary laws, existing or future.

97.          Subclause (6) prevents a person from using (which includes sharing) the data in any of the permitted general or health situations set out in sections 16A and 16B of the Privacy Act. The intent is to prevent use of sections 16A and 16B to circumvent this Bill’s preclusion of sharing data for enforcement related and national security purposes (refer clause 15(2)). Pathways for sharing data in exceptional circumstances, such as sections 16A and 16B of the Privacy Act, continue to operate outside of the data sharing scheme.

98.          The consequences for breach of a civil penalty or criminal offence provision in this Bill - up to 300 penalty units or up to two years imprisonment, respectively - align with similar laws and the Guide to Framing Commonwealth Offences. Consistent with the Guide, the Bill sets maximum penalties; a court will determine what is appropriate on a case-by-case basis. The maximums set by this clause balance the penalties in more established frameworks, such as the Privacy Act, with more contemporary offences for mishandling government and consumer data. This approach is in keeping with the intent for this scheme to align with other applicable frameworks, without duplicating them, as well as with community expectations.

99.          Multiple persons may be responsible for a single breach of clause 14. For example, if a data custodian shares data through an ADSP to an accredited user, but the sharing occurs in an unauthorised way, persons who shared the data on behalf of the data custodian and the ADSP may be liable for their actions. A court would determine whether responsibility rests with the individual or the data scheme entity in accordance with part 6.3, and would also determine the extent of each party’s liability.

100.      Where an individual employed or otherwise associated with an ADSP (refer part 6.3) is involved in unauthorised sharing, the stage of the sharing (refer clause 13(2)) will determine the applicable subclause in clause 14. Where the individual provides unauthorised access to public sector data, subclauses (1) and (2) are relevant; subclauses (3) and (4) may apply where the individual collects or uses data from a data custodian in an unauthorised manner.

Clause 15 - Data sharing purposes

101.      Building on clause 13, this clause establishes three purposes for sharing public sector data under this Bill, and related requirements. For clarity, it also specifies precluded purposes for which sharing is not authorised by this Bill.

102.      Subclause (1) provides that public sector data may be shared for delivery of government services, to inform government policy and programs, and for research and development purposes. Sharing may occur for one or more of these purposes.

103.      Subclause (1)(a) enables sharing for delivery of government services, meaning government activities that provide coordinated and structured advice, support, and services to those engaging with the government. Data sharing under this purpose could improve design of systems, engagement, and processes involved in delivery of government services, including improving user experiences through simplified or automated systems like pre-filled forms and reminders to submit or verify information like a tax return. This purpose supports sharing to undertake services delivered by or on behalf of government, including through contractors; it does not extend to services undertaken by non-government enterprises for their own purposes, even if these are in the public interest. Similarly, enforcement activities related to service delivery are not permitted purposes for data sharing under this Bill, despite being valid activities of government (refer subclause (3) for ‘enforcement related purposes’).

104.      Sharing to inform design and implementation of government policy and programs is permitted under subclause (1)(b). Both terms should be construed broadly, using their ordinary meaning. For instance, a ‘government policy’ is a rule or principle that guides government decisions, usually related to a specific topic such as education. Similarly, a ‘government program’ refers to an organised system of services, activities, or opportunities to achieve a goal or outcome. Data sharing under this purpose could help enable the discovery of trends and risks to inform policymaking, and provide a holistic understanding of ‘wicked problems.’ Additionally, it could enable modelling of policy and program interventions, program risk analysis and impact measurement, and evaluation of the effectiveness of policies and programs. Outcomes from such sharing could help ensure the government is spending money effectively, and identify program gaps, challenges and successes to inform new or improved initiatives.

105.      Data sharing for the purpose of informing government policy and programs will not directly impact individuals as policies and programs are directed to the community (or communities) at large, rather than individuals. Further, this purpose involves sharing to inform policy and programs in the sense of their development and design (including design of how they are implemented, such as underlying systems and processes), rather than sharing that is part of carrying them out, which could involve interacting with individuals.

106.      Subclause (1)(c) supports sharing for research and development, a term encompassing activities to advance knowledge and contribute to society. Sharing for these purposes will enable accredited academics, scientists, and innovators in the public and private sectors to access public sector data to conduct research.

107.      Sharing for purposes that are consistent with clause 15(1) but have other applications may be permissible. For instance, a research project to improve pharmaceutical treatments for heart disease may deliver both profit for the researcher as well as serving the public interest. The mere fact of private sector involvement or profit does not infringe clause 15, provided sharing is for a permitted purpose, is not for a precluded purpose, and is otherwise consistent with this Chapter. In addition, other frameworks controlling anti-commercial or anti-competitive outcomes continue to apply, such as the Competition and Consumer Act 2010 and the APS Code of Conduct. Refer also to clause 15(4), below.

108.      Subclause (2) sets out precluded purposes for sharing under this Bill. If an entity needs to acquire data for such activities, that entity must do so outside of this scheme.

109.      Subclauses (2)(a) and (b) preclude sharing for enforcement related purposes defined in subclause (3) and for purposes that relate to or prejudice national security, as defined. These activities are best performed and managed under dedicated legislation that provides tailored protections and redress mechanisms to ensure procedural fairness.

110.      Subclause (2)(c) precludes sharing for purposes prescribed in rules made by the Minister. This provision enables the Minister to prescribe additional precluded purposes but not permitted purposes. This approach is intended to manage unintended expansions or interpretations of clause 15, and to ensure the scheme continues to operate as intended and in line with community expectations.

111.      Subclause (3) defines enforcement related purposes, a term that includes a range of detection, investigation, and law enforcement activities. The listed purposes include operational activities and investigations that detect and determine an individual’s liability for misconduct, as well as subsequent proceedings. For instance, subclause (3)(b) precludes sharing for the purpose of detecting, investigating, or addressing (a compendious phrase) deliberate actions that are detrimental to public revenue, like fraud. While enforcement related activities are legitimate functions of government, they are best carried out under dedicated laws. The definition of ‘enforcement related purposes’ is adapted from the same concept in the Privacy Act, and should be interpreted similarly. Subclause (3) should be read with subclause (4).

112.      Subclause (4) clarifies that public sector data may be shared under subclause (1) for a permitted purpose that relates generally to enforcement related activities and national security. For instance, policy and program development in the areas of crime prevention, public safety, and emergency management or planning would be permitted under subclause (1). Using tax data to develop a policy or program to protect the public revenue would likewise be permissible. Similarly, design of systems or other aspects of government service delivery that may also be applied outside of this scheme for other purposes would be permitted. Sharing data for national security research may also be consistent with this clause. These examples can be distinguished from data sharing to support police, enforcement, and security operations, or to identify and punish fraudulent individuals - which constitute precluded purposes for sharing under subclause (2).

Clause 16 - Data sharing principles

113.      This clause operates in conjunction with other limitations on sharing to ensure data is only shared where it is appropriate to do so. For clarity, ‘sharing’ includes providing controlled access to data as well as collecting and using data, consistent with clause 16(12) and the definition in clause 9.

114.      This clause establishes the data sharing principles, a key safeguard to manage risks of sharing public sector data based on the internationally recognised five safes framework.

115.      Applying the data sharing principles involves considering each principle in context of the other principles, to manage risk holistically. Each sharing arrangement will require different controls or safeguards to be set under each of the principles to manage overall risk.

116.      The principles are structured to support custodians to consider risks arising across five key elements of the sharing process: the proposed project, the setting in which data is shared and accessed, and the persons, data and outputs involved. Within each element, controls can be set to manage impacts of strategic, operational, privacy, ethical, and security risks. The principles work together as well as separately: while every principle must be considered, controls may be set under one or all of them as appropriate to mitigate risks overall. This approach ensures the risks of data sharing are managed effectively and holistically, and provides the foundation of data management throughout the sharing process.

117.      The Bill takes a principles-based approach in establishing a risk management framework. This approach ensures the data sharing principles remain applicable as technology, data management practices, and community expectations evolve over time. The Commissioner may make data codes and guidelines to provide further detail on how to apply the data sharing principles.

118.      Subclause (1) establishes the project principle, which addresses the intended purpose or use of sharing the data. This principle covers individual projects, as well as programs of work that comprise multiple projects or initiatives. The project principle requires consideration of a number of factors to ensure data is only shared for appropriate projects or programs of work, described in subclause (2). The factors include but are not limited to public interest, ethics, and use of consent and ADSPs. These requirements align with data and ethical principles used by the research sector to improve data management and guide responsible data use.

119.      Subclause (2)(a) requires that data sharing agreements include a description of how the public interest is expected to be served by the instance of sharing. This requirement works with the data sharing purposes (clause 15) to ensure that the public interest served by sharing is clearly considered and articulated before entering into data sharing agreements. This information will then be made publicly available via the data sharing agreement register (refer clause 130) to provide additional accountability and oversight.

120.      Subclause (2)(b) requires observance of applicable ethics processes. This includes, for example, observance of established ethics approval or review processes, and seeking independent advice on the ethical implications of sharing as appropriate. Existing resources and processes which may apply to sharing projects include the National Health and Medical Research Council’s National Statement on Ethical Conduct in Human Research, and the Australian Institute of Aboriginal and Torres Strait Islander Studies’ Code of Ethics for Aboriginal and Torres Strait Islander Research. Use of ethics processes helps ensure research and other sharing projects have beneficial results while minimising risk of harm to relevant people, including data subjects.

121.      Where the data being shared includes personal information, subclause (2)(c) requires consent for sharing to be sought from the individuals concerned unless it is unreasonable or impracticable for the data scheme entities to do so. The standard of consent required is that set by the Privacy Act. The ‘unreasonable or impracticable’ language is drawn from section 16A of that Act, and should be interpreted using relevant guidance on consent made by the Australian Information Commissioner.

122.      The question of whether seeking consent is unreasonable or impracticable may depend on the amount, nature and sensitivity of the data involved, and whether individuals gave informed consent for uses including the proposed sharing at the point the data was originally collected. Where it is unreasonable or impracticable to seek consent, parties must still consider implementing other controls to protect privacy, under this and other data sharing principles.

123.      Subclause (2)(d) requires that data custodians consider using ADSPs for data services. This requirement is intended to ensure data custodians consider and manage developing data management capabilities and infrastructure, particularly when sharing requires complex protections. More detailed requirements for use of ADSPs may be set in legislative instruments, including prescribing certain data services for which data custodians must use ADSPs (refer clause 29).

124.      Subclause (3) establishes the people principle, to ensure data is only shared with appropriate recipients. This requirement operates in conjunction with the accreditation framework (refer part 5.2), and builds on it to ensure that people accessing scheme data are suitable for the particular project. The principle includes but is not limited to the elements expressed in subclause (4).

125.      Subclause (4)(a) requires that data custodians consider the accreditation status and history of the proposed recipient(s) of public sector data. This requirement builds on the accreditation framework (refer part 5.2), which assesses an entity’s capability to handle public sector data securely and may include conditions that reflect its capacity to handle particular data under this scheme. Applying this factor is intended to ensure data custodians take account of the recipient’s past performance (including length of accreditation and any known data breaches) and any conditions on its accreditation that are relevant to suitability for the proposed project, and do not share with entities whose accreditation is suspended. Parties may agree on particular controls within this principle to ensure only appropriate people access data covered by the data sharing agreement, for instance by requiring they undertake particular training in addition to their accreditation.

126.      Subclause (4)(b) requires that data custodians consider the attributes, qualifications, affiliations and expertise of the people who will handle the data being shared. Applying this element of the principle ensures data is only shared with those with the requisite character and skills for what is involved in the project. This element also interacts with clause 21, under which an accredited user may give access to an output to an individual or business for certain purposes such as validation. In relation to that aspect of a project (if intended), considerations under this element will relate to the identity and other attributes of the individual or business, to ensure an output is given to the correct recipient.

127.      Subclause (5) establishes the setting principle, which focuses on the setting(s) and manner in which sharing occurs. Applying this principle ensures public sector data is transmitted through, and accessed and stored in, environments that have sufficient security controls to prevent unauthorised sharing, use, or release of the data. Applying the setting principle involves applying the elements listed in subclause (6), in addition to other relevant considerations.

128.      Subclause (6)(a) articulates that the data custodian must consider how the data is being shared, and whether it is appropriate given the type and sensitivity of the data. This is to control the risks of unauthorised use, sharing or release. The strength of controls applied under this principle will depend on those under other principles, particularly the people and data principles, as requirements for cyber, electronic, and physical infrastructure will reflect the complexity or sensitivity of the data involved. For instance, stricter access and security controls may be needed where detailed or identifiable data is shared, compared to aggregate data.

129.      Subclause (6)(b) is closely related to (a), and requires that data custodians apply reasonable security standards when sharing data. This could include setting controls such as authentication and access protocols, as well as logging or other monitoring of activity within the physical and cyber environments. It may also extend to data localisation requirements, where storage and access must occur within a particular place. What is a reasonable security standard will depend on what is involved in each project, and the strength of controls applied under the other data sharing principles.

130.      Subclause (7) establishes the data principle, which focusses on the nature of the data and whether any technical or statistical treatments are necessary to control risks of sharing it while delivering the data needed to achieve the purpose of sharing.

131.      The ‘data minimisation’ requirement in subclauses (8)(a) and (b) applies to the total amount of data shared as well as the type of data involved. If a small amount of data would meet the user’s needs, no more than that should be shared. However, a large amount may be justifiably required, such as to identify national trends that inform policy or to input into service delivery systems. Similarly, sharing a certain amount of identifiable data, like street addresses, may be reasonably necessary to pre-fill government forms or to create an integrated dataset for use by researchers.

132.      Relevant considerations under the data principle include whether to provide an entire dataset or a customised extract of particular variables, and the level of detail of (and any treatments applied to) that data. Particular treatments of data needed to make it suitable for the user are best determined by the data custodian. Treatments may involve statistical methods such as aggregation, removal of records that could directly identify a person (for example, through de-identification), encryption, as well as transformative methods such as cleaning data to improve quality, or integrating multiple datasets to create a new comprehensive dataset for analysis. Decisions made under this principle will have regard to controls set under the other principles and the need for data provided to be useful, to achieve the purpose of sharing.

133.      Subclause (9) establishes the outputs principle, which ensures the outputs of sharing projects are as agreed by parties in their data sharing agreement (refer clause 18). ‘Outputs’ is a broad term encompassing any product created from the shared data by the user (refer clause 10). The reference to outputs being ‘as agreed’ reflects the parties’ joint understanding of the scope and purpose of their sharing project, as articulated in the data sharing agreement. Identifying what the outputs are and how they are to be treated is crucial to ensure data custodians retain control of their data, particularly where the shared data and outputs involve detailed records.

134.      Applying this principle involves the elements in subclause (10)(a) and (b). Under subclause (10)(a), parties must consider the nature and intended uses of outputs, in order to determine what sort of outputs are needed to achieve the project, and to control risks associated with their creation and use. This element includes considering requirements and processes for further sharing or release of outputs under clause 21, if this is intended, and articulating these in the data sharing agreement as required by clauses 18 and 19.

135.      Subclause (10)(b) requires each output to contain only the data (including information about persons or businesses) that is reasonably necessary to achieve the purpose of sharing. This element builds on the same requirement in subclause (8) for the data that is shared to create the output. It is important to consider data minimisation in both the data and output principles, as the principles focus on different aspects of a project. For instance, it may be reasonably necessary to share detailed or voluminous data in order to create more tailored outputs from it. The information in each output will depend on the purpose and circumstances of each project, and the nature and uses of the output itself, such as a report, statistical publication, or pre-filled service application form for a person.

136.      The data custodian of an output may have access to it for the purpose of checking the output is as agreed, refer clause 19(9).

137.      Parties may have further considerations and controls within each principle, in addition to the elements prescribed by the Bill. Parties may also amend their data sharing agreement consistent with clauses 18 and 19 to reflect changes to their intentions or controls, for instance to add new agreed outputs or manage emerging risks during the course of the project.

138.      Under subclause (11), sharing, collection, and use of data will be consistent with the principles where the data scheme entities are satisfied that the controls set across the principles work together to effectively manage risk. While both parties determine and agree to the controls in the data sharing agreement, the data custodian’s satisfaction would be particularly influential given their knowledge of and custodian responsibilities over the data. Once controls are set, both sharer and recipient(s) may be responsible for implementing these controls, as identified in their data sharing agreement under clauses 18 and 19.

139.      Subclause (12) clarifies that a reference to ‘sharing’ in this clause covers all aspects of that process authorised by clause 13, including provision of controlled access to data under clause 13(1) as well as collection and use of data under clause 13(3).

140.      The terms governing the controls set in a data sharing agreement will be published (refer clause 130) to ensure there is transparency of entities’ data management and adherence to agreed safeguards.

Clause 17 - When sharing is excluded from the data sharing scheme

141.      This clause works in conjunction with other limitations on sharing to ensure data is not authorised to be shared under clause 13(1) where it would be inappropriate to do so.

142.      Subclause (2) excludes sharing in circumstances relating to national security and law enforcement.

143.      Subclause (2)(a) works in conjunction with clause 11(3) to exclude intelligence agencies and certain other entities, and their data, from the scheme. It provides that data held by, originating with, or otherwise received from an excluded entity (refer clause 11(3)) cannot be shared under this Bill. This exclusion includes summaries and extracts of such data, consistent with section 7(2A) of the FOI Act on which this clause is modelled. Data ‘held’ by an excluded entity means data within its control, custody, or possession; this clause does not exclude sharing of copies of that data held by other entities unless those copies originated or were received from an excluded entity, or are otherwise excluded.

144.      Subclause (2)(b) lists agencies whose operational data (refer clause 9) cannot be shared under the scheme to protect the integrity and security of these operations. Operational data is information that relates to the operations, or informs the operational processes or methodologies, of the three specified agencies. This exclusion extends to information relating to current operations, as well as data relating to both past and future potential operations, where it is sufficiently clear that the data relates to or forms part of operational activities relating to the agencies’ functions and powers. Consistent with the clause 9 definition, information about proceedings relating to the agencies’ operations is also operational data.

145.      For example, the Department of Home Affairs is currently covered by subclause (2)(b)(iii). This agency has a range of functions that include immigration, intelligence, and enforcement. For the purposes of subclause (2)(b)(iii), data relating to its intelligence and enforcement functions (such as those performed by the Australian Border Force) is taken to be ‘operational data’ and is excluded from sharing under this scheme. By comparison, immigration data, such as visa data, remains within scope of the scheme, unless there is overlap with operational data. The three listed agencies may otherwise share, collect, and use non-operational data under this scheme.

146.      Subclause (3) protects existing arrangements relating to data that is within the control of a data custodian and could otherwise be shared under this scheme.

147.      Subclause (3)(a)(i) excludes the sharing of data that is subject to copyright or intellectual property rights, unless the rights holder agrees to the sharing. If the rights holder has agreed, those rights would not be infringed and the proposed sharing can proceed under clause 13(1).

148.      Subclause (3)(a)(ii) excludes sharing where the data custodian is party to a contract or other agreement outside the scheme, such as a Memorandum of Understanding or Inter-Governmental Agreement, which would be infringed by the proposed sharing. This means a data custodian cannot use clause 13 to share data it has received under another arrangement unless the sharing is consistent with the scope and terms of that other arrangement.

149.      Subclauses (3)(a)(iii) and (iv) exclude sharing that is contrary to a common law duty, such as where the data is subject to a duty of confidence, or a privilege such as legal professional privilege (which applies to communications made in the provision of legal advice and legal services) or Parliamentary privilege.

150.      Subclause (3)(b) excludes sharing where the data concerned is commercial information and sharing that data would found an action for breach of a contractual or equitable obligation of confidence. This provision relies on existing legal tests for establishing a breach of confidence, and aligns with language used in section 45 of the FOI Act.

151.      The threshold in subclause (3)(b) is where the sharing would found an action for breach of confidence brought by a person other than the Commonwealth. This is the relevant threshold for action brought by the Commonwealth (see Commonwealth v Fairfax (1980) 147 CLR 39 at 51). This approach is intended to protect commercial-in-confidence information broadly, rather than only such information that would be likely to injure the public interest if shared.

152.      Note that subclause (3)(b) does not exclude sharing of commercially sensitive information where there is no duty of confidence attached, provided risks of sharing such data can be managed through application of the data sharing principles (refer clause 16).

153.      Subclause (4) excludes sharing that contravenes the regulations made under this Bill (refer clause 134).

154.      Subclause (4)(a)(i) means sharing is not authorised where it would breach a specific legislative provision that prohibits the data custodian, or persons it acts through (refer clauses 123 and 137), from disclosing the data, and is listed in the regulations. This approach recognises there are circumstances where certain secrecy or non-disclosure provisions should not be overridden by clause 23, for instance where they protect highly sensitive data collected by the Commonwealth. Some of the listed provisions complement the exclusion in subclause (2)(a) to make it abundantly clear that protections around national security and law enforcement data remain in place. Listing these provisions in regulations gives flexibility to add or remove provisions in response to need, while still being a disallowable instrument that is subject to Parliamentary scrutiny.

155.      Subclause (4)(a)(ii) excludes sharing where it would be contrary to certain orders, directions, certificates or other instruments made by an officer of the Commonwealth (including a Minister) that prohibit the data custodian, or persons it acts through (refer clauses 123 and 137), from disclosing the data. This exclusion only applies to an order, direction, certificate, or other instrument if the law under which it was made is listed in the regulations for the purposes of this subparagraph. This subclause can be distinguished from subclause (4)(a)(i), which applies to laws that prohibit disclosure, and subclause (6), which applies to orders made by courts, tribunals and bodies with coercive powers.

156.      Subclause (4)(b) excludes entities listed in the regulations from participating in data sharing under the scheme as data custodians. Such restrictions may be necessary to respond to risks presented by their participation, or to exclude an entity from the scheme as a data custodian without affecting its participation as an accredited entity.

157.      Subclause (4)(c) provides scope for the regulations to prevent sharing in other circumstances, to cater for future needs.

158.      Subclause (5) ensures Australia’s international commitments are upheld, including those arising under bilateral or multilateral agreements. It also ensures that where the Australian Government has collected data from a foreign government, that data cannot be shared through this scheme unless the foreign government has agreed to the sharing.

159.      Subclause (6) excludes sharing of data that could prejudice judicial proceedings and other inquiries, or compromise the efficacy of orders. Under subclause (6)(a) custodians are not authorised to share data that is being held as evidence before a court, or data that is evidence acquired by a body described in subclause (6)(b) in exercising its powers of inquiry. Data ‘held’ as evidence means only the copy of the data that has been tendered in court proceedings and marked as evidence is excluded from sharing. Similarly, only a copy of the data specifically obtained by a court or other body through an exercise of powers described in subclause (6)(b) cannot be shared; the exclusion is not intended to prevent sharing and use of other copies of the same data.

160.      Subclause (6)(c)(i) excludes sharing of any data that is subject to certain orders made by a court or tribunal (defined in clause 9), such as a warrant containing a non-disclosure requirement. Similarly, subclause (6)(c)(ii) excludes sharing of data about the existence or content of orders referred to in subclause (6)(c)(i) where there is a Commonwealth law that limits or prevents a person from disclosing such information.

161.      Subclause (7) excludes sharing where the Commissioner has suspended the accreditation of an accredited user or ADSP under part 5.2. In this case, the entity retains its status as a data scheme entity, meaning it continues to be subject to the requirements and regulatory provisions of this scheme. Sharing activities with or by an entity with suspended accreditation could attract a penalty for unauthorised sharing under clause 14.

162.      Subclause (8) excludes the Commissioner or a member of the Commissioner’s staff (refer clause 47) from engaging in this scheme as data scheme entities. This measure is intended to preserve the independence of the Commissioner and to avoid actual and perceived conflicts of interest.

Clause 18 - Data sharing agreement

163.      Data sharing agreements set out the terms and conditions for projects under the data sharing scheme. Subclause (1) establishes the requirements for data sharing agreements, to ensure consistent practice across the data sharing scheme.

164.      In particular, under paragraphs (a) and (b) a data sharing agreement must relate to sharing of public sector data, between a data custodian and an accredited user. The singular includes the plural, so there may be multiple custodians and accredited entities.

165.      Subclause (1)(c) requires data sharing agreements to be made by authorised officers of the data scheme entities involved (refer clause 137). This approach ensures only persons with sufficient authority to act on an entity’s behalf can commit it to sharing arrangements, while preserving entities’ autonomy to arrange delegations and terms of sharing.

166.      To ensure consistent practice and transparent sharing activities, paragraphs (d) and (f) require all data sharing agreements to be in a written form approved by the Commissioner, and contain clauses giving effect to the mandatory terms prescribed in clause 19. In relation to paragraph (d), the Commissioner may approve a form under clause 132 that sets the template for agreements, or may allow use of other forms that meet the requirements of clause 18 in order to support the transition of existing sharing arrangements to the data sharing scheme.

167.      Subclause (1)(e) requires data sharing agreements to be consistent with any requirements set in a data code (refer clause 126). The Commissioner may set requirements or additional terms (refer clause 19(16)) in a data code to allow the scheme to evolve, for instance to cater for changes in technology or data management that should be reflected in terms of data sharing agreements.

168.      Subclause (2) provides that data sharing agreements may cover matters in addition to the mandatory terms in clause 19. This approach enables parties to tailor agreements to their specific circumstances and to cover other matters which may be relevant, such as handling of freedom of information requests relating to the shared data. Note the requirements of the data sharing scheme and the Commissioner’s regulatory oversight apply only to the content of mandatory terms, and those prescribed in rules.

Clause 19 - Mandatory terms of data sharing agreement

169.      This clause sets out terms that data sharing agreements must contain to ensure necessary information is agreed and recorded prior to sharing data (the mandatory terms). These terms are standard inclusions in other existing data sharing arrangements and contracts, and support robust and accountable sharing practices. To support accountability and transparency, mandatory terms of data sharing agreements made under the data sharing scheme will be included in a publicly available register (refer clause 130).

170.      Each agreement must include basic information such as identifying each party to the agreement and the role they will undertake in the sharing (subclause (1)). At minimum, the data custodian and accredited user must be identified, as well as any ADSPs involved. There is also scope for funding partners to be recognised in an agreement to reflect their interest in the arrangement, in accordance with clause 18(2) which allows for the addition of bespoke terms.

171.      Similarly, the agreement must identify the data that is covered by the agreement (subclause (3)), meaning the public sector data to be shared by the data custodian and any ADSPs, as well as outputs that are expected to be created or derived from it by accredited users.

172.      Subclause (2) requires agreements to specify that sharing is to be done under this Bill. This makes intent to use the data sharing scheme clear on the face of the agreement, as necessary for the operation of the Bill’s penalty provisions (refer clause 14).

173.      Subclause (2) interacts with subclause (5), which requires parties to identify other applicable laws, such as those authorising the initial collection of the public sector data to be shared, and any secrecy or non-disclosure provisions to be overridden by the operation of this Bill. These mandatory terms ensure parties are aware of their legal responsibilities and liabilities in relation to sharing the data.

174.      Under subclause (4), the agreement must identify which entity is the custodian for each type of scheme data covered by the agreement: data shared by a data custodian, data enhanced by an ADSP, and outputs created by an accredited user. An agreement may identify multiple custodians over the same data, as well as for different types of scheme data. For instance, there may be multiple custodians of a single dataset that is shared, as well as where multiple datasets are shared. An agreement may also involve designation of custodianship, such as where parties agree that the accredited user becomes data custodian of the output it creates under the agreement (refer clause 11(2)). Each agreement must also identify the basis on which each data custodian is custodian of particular scheme data. Identifying the data custodian is important to establish their right to share data under clause 13(1), and to access an output under mandatory term (9).

175.      Subclauses (6) and (7) require parties to explain how sharing complies with key requirements of the authorisation to share in clause 13. In particular, the agreement must identify which of the permitted purposes for sharing apply, and detail how the data scheme entities will apply controls to manage risks under the data sharing principles. Particular weight is given in subclause (7)(a) to the importance of explaining how the public interest is served by the sharing, which is critical to building and maintaining public trust in the scheme.

176.      Where an ADSP is involved in the sharing, the agreement must specify the services the ADSP has been engaged to provide, and any limitations on its activities, per subclause (8). For instance, if an ADSP is engaged to provide secure access to data for accredited users, this should be reflected in the data sharing agreement. The agreement should also identify specific users (or classes of users), and any conditions placed by the data custodian on the data that can be made available to them. The ADSP must adhere to these conditions: it only acts on behalf of the data custodian, and is unable to use or share data other than in accordance with the terms of the data sharing agreement, and may not release data. This limitation preserves the role of ADSPs as an intermediary in the sharing process.

177.      Subclause (9) requires a data sharing agreement to specify whether or not an accredited user is allowed to give access to an output to a data custodian that is party to the agreement, in one or both of the prescribed circumstances. For instance, an agreement may enable the data custodian that shared data under clause 13(1) to ensure the output is as agreed under the outputs principle (refer clause 16), or the custodian of the output to take control of the output and share it under new sharing arrangements authorised by clause 13(1). Such arrangements are consistent with clause 13 and do not attract a penalty under clause 14. Output shared with a custodian in accordance with this term of a data sharing agreement remains scheme data, subject to the protections for sharing, management and use in this Bill.

178.      Subclause (10) requires each data sharing agreement to specify whether an accredited user is allowed to share outputs with third parties under clause 21(1). The agreement must set out in which circumstances of clause 21(1) such sharing is allowed, or state this is not allowed.

179.      Subclause (11) is drafted similarly to subclause (10) with respect to release. An agreement must specify if an accredited user is allowed to release outputs in circumstances agreed to by the custodian that meet the requirements in clause 21(3), or state such release is not allowed.

180.      To satisfy subclause (12) an agreement must set out what actions will be taken to respond to and mitigate data breaches, in accordance with the parties’ responsibilities in part 3.3.

181.      Data sharing agreements may be varied, for instance to include additional accredited users, outputs, or dimensions to a sharing project within the parameters of Chapter 2. Subclauses (13) and (14) require that agreements specify their duration or review arrangements, and how variation and termination are to be managed. Copies of data sharing agreements, including variations, must be given to the Commissioner (refer clause 33).

182.      Subclause (15) requires the parties to detail how scheme data covered by the agreement will be dealt with when the agreement ends. Parties may also include information to comply with their record management obligations under other regimes such as the Archives Act 1983 and Australian Privacy Principle 11.2.

183.      In addition to mandatory terms (1) to (15), subclause (16) requires each data sharing agreement to contain any other terms prescribed by the Commissioner in a data code (refer clause 126). Issuing such a data code will allow the scheme to evolve, for instance to cater for changes in technology or data management that should be reflected in the terms of data sharing agreements.

Clause 20 - Compliance with mandatory terms of data sharing agreement

184.      This clause establishes a civil penalty for a data scheme entity that fails to comply with the mandatory terms of a data sharing agreement to which it is a party. Compliance with matters set out in mandatory terms of data sharing agreements (refer clause 19) is essential to ensure public sector data shared is appropriately protected and in alignment with requirements of the data sharing scheme.

185.      While data sharing agreements bear a resemblance to contracts, their legal nature will depend on the type of entities party to the arrangement (i.e. government or non-government), among other factors. This clause is designed to ensure all data scheme entities have a statutory obligation to comply with the mandatory terms of data sharing agreements, while creating consequences for parties that fail to do so.

186.      This penalty is unique to the data sharing scheme so does not rebound back to other legislation (refer clause 14).

187.      The consequences for breach of this clause (up to 300 penalty units) align with analogous laws and the Guide to Framing Commonwealth Offences. Consistent with the Guide, the Bill sets maximum penalties; a court will determine what is appropriate on a case-by-case basis. The maximums set balance the penalties of older frameworks, such as the Privacy Act, with more contemporary penalties for mishandling government and consumer data. This approach is in keeping with the intent for this scheme to align with other applicable frameworks, without duplicating them, as well as with community expectations.

Clause 21 - Exit from data sharing scheme of shared or released output

188.      This clause establishes the limited circumstances in which an output may be provided to third parties as an authorised use of data under clause 13(3). Following the process established in this clause, the output ‘exits’ the scheme and is no longer ‘scheme data’ (refer clause 10) regulated by this Bill.

189.      Subclause (1) enables an accredited user to provide an output to the individual or business it relates to, to check the data is accurate by validating or correcting it (or in other circumstances prescribed in the rules and within the scope of this Bill).

190.      Before the accredited user provides access, the data custodian must have first determined that doing so is consistent with the purpose test and data sharing principles, and articulated this in the data sharing agreement (refer clauses 13(3) and 19(10)). For clarity, the relevant data custodian is the custodian of the shared data from which the output was created, irrespective of other arrangements for custody of the output itself (refer clause 11(2)(b)(ii) and clause 19(4)).

191.      The exit mechanism in subclause (1) is intended to support the use of outputs created for permitted purposes in clause 15 - particularly government service delivery for which accurate, up-to-date information is essential. This clause supports pre-filling forms (to be validated by the individual or business) and a single point-of-contact to engage with multiple government agencies. The focus of subclause (1)(b) on individuals’ and businesses’ control and active validation of their data is consistent with the privacy-positive approach of this Bill, and supports a user-centric model of service delivery.

192.      Where the output relates to an individual, the accredited user may alternatively provide access to the individual’s responsible person (e.g. parent or guardian), within the meaning of the Privacy Act, for validation or correction (refer subclause (1)(b)(ii)). This approach maintains processes and safeguards in existing frameworks to facilitate efficient government service delivery, while ensuring personal information is not provided in a manner that jeopardises the safety or welfare of the individual.

193.      Other circumstances or requirements for exit may be prescribed in rules, per subclause (1)(b)(iii), to ensure the Bill can respond to future needs while maintaining data custodian oversight of the process through subclause (1)(a). Any rules created under this subclause must be consistent with the Bill, including the permitted and precluded purposes (refer clause 15).

194.      Subclause (2) clarifies the point at which an output exits the data sharing scheme, and ceases to be scheme data regulated by the Bill. To ensure consistency, the conditions under which exit can occur are set in the Bill or rules, rather than data sharing agreements.

195.      Under subclause (2)(a) outputs that exit under subclause (1)(b)(i) or (ii) cease to be regulated by this scheme at the point the individual or business corrects or validates their data. Data cannot exit the scheme under subclause (1)(b)(i) or (ii) in the absence of a positive act of validation or correction.

196.      Once the output has exited the Bill’s protections, the individual or business may use their validated information as they see fit. The individual or business may choose to provide their data to an entity to collect and use in accordance with other laws. The protections and obligations of those other laws, which may include the Privacy Act or social security laws, would then apply.

197.      Under subclause (2)(b) outputs that exit under subclause (1)(b)(iii) will exit at the point in time specified in the rules.

198.      Subclauses (3) and (4) facilitate release of outputs from the scheme, such as highly aggregated research outputs. While exit is an authorised use of scheme data under clause 13, these subclauses do not create a new authorisation to release data. Instead, as provided by subclause (3), entities must rely on release mechanisms in other legislative and policy frameworks, which are not affected by the operation of this Bill (refer clause 22).

199.      Entities’ intent to either prohibit release or allow it in circumstances within the scope of clause 21 must be articulated in their data sharing agreement, refer clause 19(11). This means an accredited user cannot unilaterally decide to release outputs under this Bill, as custodian agreement is required.

200.      In accordance with subclause (4), an output exits the scheme and is no longer scheme data at the time it is released. The released output may be collected and used in accordance with other laws.

201.      Where access to an output is granted under the FOI Act, subclause (5) clarifies that the output exits the scheme at the point access is granted. This clause interacts with clause 14, under which granting access to an output under the FOI Act does not contravene this Bill.

202.      Providing access to or releasing outputs in a way that is not consistent with clause 21 or any applicable rules may attract penalties for unauthorised sharing or use of data under clause 14.

Clause 22 - Other authorisations for data custodians not limited

203.      This clause clarifies that the data sharing scheme does not limit other legislative authorities empowering data custodians to share or release public sector data.

204.      The authorisation in clause 13 operates as an alternative pathway to share data, for custodians to use at their discretion. Custodians may continue to share and use data, including releasing it, outside of this scheme relying on other legal authorities.

205.      Importantly, this scheme does not impact existing authorities to release data in other legislation. If data is shared under clause 13, it may be released by the accredited user if the data custodian indicates agreement in the data sharing agreement and there is legal authority to do so (refer clause 19(11), and clause 21).

Clause 23 - Authorisation to share overrides other prohibitions

206.      This clause provides limited statutory authority to override other laws which would otherwise prevent sharing, collection, and use of public sector data that are authorised by this Bill.

207.      This override is only effective where the requirements of clause 13 have been met: the sharing activity must be consistent with the data sharing purposes and principles, pursuant to a valid data sharing agreement, and not excluded by clause 17. In particular, provisions of laws prescribed in the regulations under clause 17 are not overridden by clause 23; their restrictions on disclosure, collection, and use of data apply to sharing under this Bill.

208.      The override is also limited in that clause 23 overcomes restrictions and prohibitions in other laws only to the extent necessary to enable sharing, collection, or use of public sector data. Other laws which do not present a barrier to these activities, such as data handling and notification requirements in the Australian Privacy Principles, continue to apply. Similarly, while a secrecy provision with an embedded offence may be overridden, separate offence provisions which do not themselves impose secrecy obligations continue to apply; this is important for the operation of the Bill’s rebound approach (refer clause 14).

209.      This clause only applies to sharing activities within the data sharing scheme; laws that restrict or prohibit sharing, collection, or use of public sector data continue to apply to activities that occur through other pathways outside of this scheme.

210.      This clause is effective against laws enacted by the Commonwealth, as well as by the States and Territories. The extension to jurisdictional laws is necessary to ensure State and Territory accredited entities can participate in this scheme. If a State or Territory law prevents sharing, collection and/or use of public sector data, the override will remove this barrier to allow sharing activities that are authorised by clause 13. As State and Territory participation in the scheme is voluntary, the override will only operate on laws in jurisdictions that have chosen to be involved and only to the extent necessary to facilitate sharing, collection and use of public sector data.

211.      As this clause is an express statutory override, it overcomes secrecy and non-disclosure duties enacted in other legislation, as well as implied statutory duties to keep information confidential, such as in the duty referred to in Johns v Australian Securities Commission (1993) 178 CLR 408. While this clause overrides other legislation, clause 17(3)(a)(iii) preserves separate common law duties and obligations relevant to sharing to protect other legitimate interests in the data.

212.      Subclauses (1) and (2) give effect to the override for each aspect of the sharing process in clause 13: sharing by data custodians under clause 13(1), and collection and use of shared data by accredited entities under clause 13(3).

213.      Subclause (3) clarifies the override applies to current as well as future legislation to support longevity of the data sharing scheme, and to prevent inadvertent changes to its scope or operation.

Clause 24 - No duty to share but reasons required for not sharing

214.      Subclause (1) emphasises that this Chapter does not require data custodians to share public sector data, or authorise a person to require a custodian to share data. Data custodians are best placed to assess the risks and public interest of sharing data they are responsible for, and so maintain discretion to decide when to share or not share public sector data.

215.      Data custodians should, however, consider reasonable requests for access to their data through this scheme and must provide reasons for declining data sharing requests to the rejected applicant. This approach ensures that data custodians follow due process to consider requests that appear appropriate and made in good faith, before accepting or rejecting those requests, without committing custodians to waste resources on frivolous or vexatious requests.

216.      This clause interacts with clauses 34 and 138, which require data custodians to report their sharing activities, including reasons for refusals to share, to the National Data Commissioner for its annual report.

Chapter 3 - Responsibilities of data scheme entities

Part 3.1 - Introduction

217.      This part sets out key responsibilities of data custodians and accredited entities under this scheme, including in relation to data breaches.

218.      Data scheme entities continue to have responsibilities under other applicable frameworks, in particular the Privacy Act, the Archives Act 1983, the Foreign Influence Transparency Scheme Act 2018, as well as the Protective Security Policy Framework. This Bill operates alongside these schemes.

Clause 25 - Simplified outline of this Chapter

219.      This clause provides a simplified outline of Chapter 3 of the Bill, which establishes key data scheme entity responsibilities and instruments, and merits review processes. This simplified outline is included to assist readers to understand the substantive provisions of Chapter 3. As this outline is not intended to be comprehensive, readers should rely on the substantive provisions of Chapter 3.

Part 3.2 - Responsibilities of data scheme entities

220.      This part sets out some key responsibilities for data scheme entities. Civil penalties apply in some cases if these responsibilities are not met. Certain other important responsibilities are set out elsewhere in the Bill, see especially clauses 14 and 20 in Chapter 2 (Authorisations to share data).

Clause 26 - Comply with rules and data codes

221.      This clause requires all data scheme entities to comply with the rules and data codes that are made under this Bill (refer part 6.4). Data codes and the rules are binding legislative instruments.

222.      The Bill and the rules set the parameters and core requirements of the data sharing scheme; data codes shape how entities implement and comply with those requirements. For instance, the rules may flesh out particular elements of the Bill, such as additional criteria for accreditation under clause 77(2), and a data code could set particular considerations to be made when applying particular data sharing principles in clause 16.

223.      The Commissioner’s power to make data codes is found in clause 126; the Minister’s power to make the rules is in clause 133.

Clause 27 - Have regard to guidelines

224.      Under this clause, data scheme entities must have regard to guidelines issued by the Commissioner under clause 127 when engaging with the data sharing scheme.

225.      The Commissioner’s guidelines will explain expectations and best practice for how the data sharing scheme should operate. Requiring entities to have regard to these guidelines is important to build data management capacity and enhance voluntary compliance with this scheme.

Clause 28 - Privacy coverage

226.      Clause 28 ensures personal information shared under this scheme is handled in accordance with privacy obligations to the standard set in the Commonwealth Privacy Act. This privacy coverage ensures personal information shared under this Bill is handled properly, and works with part 3.3 to ensure accountability through oversight and redress.

227.      All data scheme entities must be subject to the Privacy Act or comparable privacy protections. Commonwealth bodies and non-government entities that are APP entities under the Privacy Act must comply with their obligations under the Privacy Act for their acts and practices relating to personal information under the Bill. Non-government entities and State and Territory government authorities that are not covered by the Privacy Act must either become covered by the Privacy Act or be covered by their own jurisdiction’s privacy laws (where these exist and are comparable to the Privacy Act).

228.      Subclause (1) applies to entities that are not already covered by the Privacy Act as agencies or organisations (as defined by that Act). It provides two mechanisms for these entities to achieve privacy coverage for acts and practices involving personal information under the data sharing scheme.

229.      For the purposes of subclause (1)(a), these entities could use the relevant mechanism of the Privacy Act (sections 6E(2), 6EA, and 6F) to become subject to the Privacy Act. This clause may apply to non-government entities that are not already organisations under the Privacy Act (e.g. many small business operators), and to government authorities based in States and Territories without their own privacy laws (South Australia and Western Australia at the time of drafting).

230.      Alternatively, subclause (1)(b) allows State or Territory authorities in jurisdictions with privacy laws to be covered by those laws, where that coverage is equivalent to the Privacy Act. To be deemed equivalent, a jurisdictional law must provide for protection of personal information comparable to the Australian Privacy Principles, monitoring of compliance with the law, and a means of recourse for individuals if their information is handled contrary to the law. This approach is intended to preserve the remit and autonomy of the States and Territories, and their privacy regulators, without diminishing the privacy standards set for personal information by the Privacy Act.

231.      At the time of drafting, New South Wales, Victoria, Queensland, Tasmania, the Australian Capital Territory, and the Northern Territory have privacy laws that may satisfy subclause (1)(b). A State or Territory authority in these jurisdictions may choose to achieve its coverage obligations under subclause (1)(a) or (1)(b).

232.      Subclause (2) is relevant for accredited entities that are small business operators with obligations as contracted service providers under the Privacy Act, by virtue of having a Commonwealth contract outside of this scheme. Without subclause (2), section 7B(2) of the Privacy Act would mean the entity is only covered by that Act for its conduct under the Commonwealth contract, but not for other conduct such as participating in the data sharing scheme. Subclause (2) allows those entities to be subject to the Privacy Act for their contractual acts and practices as well as for their conduct under this scheme. They may need to achieve privacy coverage under subclause (1).

233.      Subclause (3) clarifies this Bill does not affect the operation of the Privacy Act with respect to data scheme entities that are APP entities (as defined by that Act), except as provided for in subclause (2) and part 3.3. Where such an entity shares personal information covered by the Privacy Act through the data sharing scheme, it must continue to comply with its obligations under that Act. This subclause is most relevant to Commonwealth bodies and businesses that are defined by the Privacy Act as APP entities, as well as entities that have opted into the operation of that Act.

234.      Breach notification and mitigation responsibilities are an important element of privacy coverage. These responsibilities are set out in a dedicated part (refer part 3.3).

Clause 29 - Engage ADSP for prescribed data services

235.      Clause 29 provides scope for the making of rules that require data custodians to engage an ADSP to perform data services in certain circumstances. For example, such rules may be appropriate where sharing involves complex processes or data, to ensure best practice is followed and robust safeguards are in place.

236.      This clause builds on the requirement in clause 16(2) for data custodians to consider using ADSPs when assessing the appropriateness of a proposed data sharing project.

237.      These requirements reinforce the role of ADSPs in filling gaps in resourcing and capability, and the objectives of this Bill to promote better data availability and use.

Clause 30 - Comply with conditions of accreditation

238.      The accreditation framework established by part 5.2 will set conditions that accredited entities must comply with to maintain their accreditation. Under this clause, an accredited entity may be liable for a civil penalty if it fails to comply with these conditions.

239.      This is necessary to ensure the data sharing scheme operates as intended, as accreditation is the threshold requirement to ensure an entity is suitable to handle public sector data shared through this scheme.

240.      The maximum penalty for breach of this clause (300 penalty units) aligns with other civil penalties in this Bill, and is comparable to those in other laws such as the Privacy Act . Consistent with the Guide to Framing Commonwealth Offences , the Bill sets maximum penalties and a court will determine what is appropriate in each particular case.

Clause 31 - Report events and changes in circumstances affecting accreditation to Commissioner

241.      This clause requires accredited entities to report events or changes in their circumstances which affect their accreditation, other than circumstances prescribed by the rules for the purpose of this clause. Reports must be made to the National Data Commissioner.

242.      As accreditation governs entry into the scheme, and the information the Commissioner holds can be made available to data custodians to support consideration of the data sharing principles in clause 16, it is essential that this information is up-to-date.

243.      Events or changes that trigger this responsibility would typically relate to an entity’s ability to meet the ongoing conditions of its accreditation, or to perform the activities it has been accredited to do under this scheme. For instance, if an accredited entity’s IT environment is compromised, this could affect its capacity to securely receive, store and access data through this scheme, and it must notify the Commissioner under this clause.

244.      Core accreditation requirements will be established in the accreditation framework in part 5.2. The Commissioner may issue guidelines under clause 127 to provide clarity about accredited entities’ responsibilities.

Clause 32 - Not provide false or misleading information

245.      This clause provides that data scheme entities must not provide false or misleading information to the Commissioner or another data scheme entity when operating in the data sharing scheme.

246.      Subclause (1) provides that data scheme entities must not provide false or misleading information to the Commissioner, including where the document or information is false or misleading because of an omission. This is crucial as the Commissioner must have correct information in order to effectively regulate the data sharing scheme, and ensure its safe and effective operation. For example, the Commissioner will need accurate information to assess whether or not an entity is eligible for re-accreditation.

247.      Subclause (2) similarly requires that data scheme entities not provide false or misleading information to other data scheme entities for the purposes of entering into or executing data sharing agreements. Accurate information is necessary for data custodians to assess whether data should be shared under the data sharing scheme. Inaccurate information may, for example, lead to inappropriate application of the data sharing principles, leading to data breaches of shared data, or use of data or outputs for precluded purposes.

248.      A civil penalty of up to 300 penalty units may apply for breach of this clause. This penalty is specific to this Bill, and does not involve a rebound element like clause 14. Penalties and offences under other legislation may also apply, however, for instance under division 136 or 137 of the Criminal Code .

249.      The maximum penalty for breach of this clause aligns with other civil penalties in this Bill, and is comparable to those in other laws such as the Privacy Act . Consistent with the Guide to Framing Commonwealth Offences, the Bill sets maximum penalties and a court will determine what is appropriate in each case.

Clause 33 - Notify Commissioner in relation to data sharing agreements

250.      Subclause (1) requires a data custodian to provide the National Data Commissioner with a copy of any data sharing agreement (including varied agreements) it enters into. The copy must be provided in an electronic form approved by the Commissioner (to ensure machine readability) within 30 days of making the agreement or variation.

251.      This clause provides the Commissioner with oversight of sharing activities necessary for its regulatory function, and promotes transparency as data sharing agreements will be published on a publicly available register (refer clause 130). The 30 day timeframe provides reasonable time for the custodian to process its agreement while ensuring public accountability.

252.      Under subclause (2), a data custodian has 30 days to provide the Commissioner with written notice of the termination of any data sharing agreements to which it was party. This responsibility also supports transparency by allowing the Commissioner to maintain an accurate register of active data sharing agreements.

Clause 34 - Assist Commissioner as required in preparation of annual report

253.      This clause requires data scheme entities to support the Commissioner to prepare an annual report on the operation of the data sharing scheme.

254.      Entities must provide the information and assistance requested by the Commissioner to compile an accurate and comprehensive report, which will address the matters described in clause 138. For example, entities must provide information to the Commissioner regarding the number of data sharing requests they received, and reasons for declining any requests, to be included in the report.

Part 3.3 - Data breach responsibilities

255.      This part sets out data scheme entities’ responsibilities with respect to data breaches, building on the requirement for privacy coverage in clause 28.

256.      The clauses preserve the Australian Information Commissioner’s oversight of breaches involving personal information through a mechanism that engages the notifiable data breach scheme under Part IIIC of the Privacy Act .

257.      A separate mechanism for reporting serious breaches of non-personal information to the National Data Commissioner is also established, recognising the variety of public sector data that may be shared under the scheme.

258.      These responsibilities operate while a data scheme entity holds scheme data.

Clause 35 - Definition of data breach

259.      This clause defines ‘data breach’ for the purposes of this Bill. This definition adapts the concept of an ‘eligible data breach’ in section 26WE of the Privacy Act for the purposes and terminology of this scheme, to promote consistency between the frameworks.

260.      For the purposes of this Bill, a data breach will have occurred where there is unauthorised sharing, access, or release of scheme data held by a data scheme entity. This definition extends to a loss of data that is likely to result in unauthorised sharing, access, or release; as well as to events prescribed by any applicable data codes.

261.      As provided by subclause (a), this clause applies to all data scheme entities that hold scheme data, although it is more likely to apply to accredited entities that have received and created scheme data (i.e. the shared data and outputs derived from it). Data custodians collect and hold most of their data outside of this scheme; a breach involving such data is not covered by this clause. This clause may, however, apply where a data custodian has an output pursuant to a data sharing agreement (refer clause 19(9)) or holds scheme data that was returned to it by an accredited entity pursuant to a direction from the Commissioner (refer clause 112(1)(a)).

262.      The intent is that scheme data can only be used as agreed and authorised under Chapter 2, irrespective of permissions in other legislation. To give effect to this intent, subclause (b) provides that a data breach of the entity will have occurred if there is access to, or sharing or release of, the data that is not authorised by this Bill.

263.      Unauthorised access means access to scheme data by a person who does not have express or delegated authority to do so. This includes access by an employee or contractor of the accredited entity who is not an accredited individual, as well as unauthorised access by a third party such as a hacker.

264.      Unauthorised sharing describes any sharing that is inconsistent with the authorisation in Chapter 2. For example, deliberate or accidental sharing by an ADSP with an unaccredited user, or an accredited user not specified in the data sharing agreement. This concept would also capture an accredited entity using shared data (scheme data) for a precluded purpose.

265.      Unauthorised release of scheme data could occur where a user releases an output without agreement from the data custodian in the data sharing agreement (refer clause 19(11), and clause 21) and there is no legal basis for the user to release that data.

266.      Loss of scheme data by a current or former accredited entity will also qualify as a data breach for the purposes of this clause if the loss is likely to result in any unauthorised access to, or sharing or release of, the data. For example, ‘loss’ would cover circumstances in which an employee of an entity accidentally leaves scheme data (including hard copy documents, unsecured computer equipment, or portable storage devices containing the data) on public transport.

267.      The concepts of ‘unauthorised access’ and ‘loss’ are consistent with guidance on data breaches from the Australian Information Commissioner (July 2019).

268.      Subclause (b) also provides scope for a data code to prescribe a specific event that occurs in relation to the data as an event that qualifies as a data breach of the entity. The Commissioner’s ability to issue data codes on this matter will provide flexibility and help to future-proof the data sharing scheme.

269.      Once a data scheme entity reasonably suspects or becomes aware a breach has occurred, the entities involved have mitigation and notification obligations under other clauses in this part.

270.      An output that has exited the scheme in accordance with clause 21 is no longer regulated by this Bill; redress for a data breach involving such an output may be sought through the Privacy Act or other applicable legal avenues, such as the Criminal Code .

Clause 36 - Take steps to mitigate data breach

271.      This clause requires data scheme entities to take reasonable steps to mitigate harm arising from an actual or suspected data breach (refer clause 35).

272.      Subclause (1) makes data scheme entities accountable for their actions when a data breach occurs. The responsibility to mitigate harm arises when the entity is aware of an actual breach or reasonably suspects a breach may have occurred. This responsibility arises in circumstances where the breach relates to scheme data held by the entity, or where the entity is otherwise responsible for the breach. For example, a data scheme entity may reasonably suspect a breach if it detects unauthorised access to computer servers upon which scheme data is stored.

273.      Data custodians have responsibilities under subclause (1) in addition to the obligations under subclause (2).

274.      Subclause (2) requires a data custodian to take reasonable action to mitigate harm where the breach involves data of which it is the custodian. This approach reflects data custodians’ ongoing obligations for data they share under this scheme, the outputs created from such data, as well as for data breaches for which they are directly responsible.

275.      Steps taken under subclauses (1) and (2) should be reasonable in the circumstances to mitigate harm to entities, groups of entities, or things arising from the breach. ‘Entity’ is defined in clause 9, and may include an individual, business, or governmental body. A group of entities could therefore include a community, or bodies corporate. The word ‘thing’ should be interpreted broadly, but only to cover ‘things’ that are capable of experiencing harm, such as a species, an ecosystem, or a building.

276.      What steps are ‘reasonable’ will depend on surrounding circumstances, including the severity of the breach, and the resources of the data scheme entity. Notifying affected entities (including other parties to the data sharing agreement) and relevant regulators is a reasonable mitigation step but this alone is not sufficient to mitigate a breach. Entities should take rapid action to regain control of the data to prevent further harm as soon as they become aware of, or reasonably suspect, a breach.

277.      This responsibility also extends to taking a considered approach to prevent such occurrences in future, such as reviewing and improving data handling processes or security systems, and staff training.

278.      Where a data breach involves personal information, an entity’s remedial action under this clause may affect its notification obligations under clause 37 and the Privacy Act .

Clause 37 - Interaction with Part IIIC of the Privacy Act 1988 (notification of eligible data breaches)

279.      Where there is a data breach involving personal information shared under this scheme, notification will occur under the Notifiable Data Breach Scheme in Part IIIC of the Privacy Act . Subclause (1) gives effect to this intent, ensuring a consistent, national approach to regulatory oversight.

280.      Under subclause (2), default responsibility for notification rests with the data custodian. This is effective as all Commonwealth data custodians are covered by the Privacy Act as APP entities (refer clause 28). By bringing all notifications under the federal privacy scheme, this clause caters for different approaches to breach reporting within State and Territory privacy legislation and ensures a redress mechanism is always available.

281.      Subclause (3) requires an accredited entity to notify the data custodian as soon as practicable if it reasonably suspects or becomes aware that a data breach of that entity has occurred. This requirement supports the data custodian to meet its obligations under Part IIIC of the Privacy Act , which applies due to this clause, and is consistent with the notification requirements of that Act.

282.      Where both the custodian and the accredited entity are APP entities, subclause (4) enables the accredited entity to have responsibility for notification under Part IIIC if this is expressed in the data sharing agreement. This arrangement allows parties to an agreement to decide who has responsibility for notifications: it may remain with the custodian under (2) or may shift to the accredited entity under (4). In both cases, notification is made through the federal privacy scheme, ensuring consistent regulatory oversight.

283.      Subclause (5) requires the entity with notification responsibilities under subclauses (2) or (4) to give the Commissioner a copy of the statement it provided to the Information Commissioner under section 26WK of the Privacy Act . This clause works with clause 38 to ensure the Commissioner has a holistic picture of all data breaches involving scheme data (personal information or otherwise).

284.      Subclause (6) leverages the Privacy Act definition of ‘hold’ to ensure alignment and consistency between the two schemes. This means, for the purposes of this clause, an entity will be taken to hold personal information if it has possession or control of a record that contains the personal information.

285.      In practice, this clause also interacts with clause 35, which defines ‘data breach’ for the purposes of this scheme, and clause 36, which requires entities to mitigate harm caused by a data breach. Where a data breach within the meaning of clause 35 has occurred and personal information is involved, entities must then determine whether it constitutes an ‘eligible data breach’ (as defined in the Privacy Act ) as this enlivens notification obligations under the Privacy Act . Remedial action taken under clause 36 may affect whether the data breach constitutes an ‘eligible data breach’ for the purposes of the Privacy Act .

Clause 38 - Notify Commissioner of non-personal data breach

286.      This clause provides a notification mechanism for data breaches that do not involve personal information within the meaning of the Privacy Act . The intent is to support the Commissioner to monitor the operation and integrity of the data sharing scheme and the effectiveness of its safeguards.

287.      Subclause (1) sets out the criteria that must be satisfied before the obligation to notify the Commissioner is triggered. The timing of notice will depend on the severity of the data breach, as established by subclause (2).

288.      Serious data breaches must be notified to the Commissioner as soon as practicable, per subclause (2)(a). This obligation is triggered where an entity is aware of, or suspects, that a breach of scheme data has occurred, the data involved is not personal information (as those breaches are handled under clause 37), and the breach is likely to result in serious harm to entities or things to which the data relates.

289.      To determine the likelihood of serious harm, subclause (3) requires the data scheme entity to apply a reasonable person test. The paragraphs within subclause (3) are a non-exhaustive list of factors to assist entities to determine what constitutes ‘serious harm’. These factors draw upon section 26WG of the Privacy Act (with some modifications to meet the needs of this scheme) to promote alignment of reporting thresholds for breaches involving personal and non-personal data. Factors include the kind and sensitivity of data involved in the breach, the nature of safeguards protecting the data which were overcome, who has accessed or could access the data, the nature of harm resulting from the breach (such as but not limited to reputational damage, financial loss, or identity theft), as well as other relevant matters in the circumstances.

290.      Subclause (2)(b) sets the notification period for data breaches that are not covered by subclause (2)(a). Data scheme entities must notify the Commissioner of such breaches in accordance with the timeframe set in a data code, which would reflect the frequency needed to maintain scheme integrity. If no data code applies, notice must be given as soon as practicable after the end of the financial year in which the breach occurred, to align with annual reporting requirements under the PGPA Act .

291.      Breaches involving personal information are addressed separately (refer clause 37) to preserve the operation of the notifiable data breaches scheme in Part IIIC of the Privacy Act .

Chapter 4 - National Data Commissioner and National Data Advisory Council

Part 4.1 - Introduction

292.      This part introduces Chapter 4, summarising its contents and noting that the Commissioner must have regard to the objects of this Bill (refer clause 3).

Clause 39 - Simplified outline of this Chapter

293.      This clause provides a simplified outline of Chapter 4 of the Bill, which establishes the Commissioner and the National Data Advisory Council.

294.      This simplified outline is included to assist readers. As the outline is not intended to be comprehensive, readers should rely on the substantive provisions of Chapter 4.

Clause 40 - Commissioner to have regard to objects of Act

295.      This clause ensures that the National Data Commissioner upholds the objects of this Bill (refer clause 3) in carrying out their functions under clause 42.

Part 4.2 - National Data Commissioner

296.      This part establishes the statutory role and functions of the National Data Commissioner, and sets out related administrative arrangements to support this role.

Division 1 - Establishment, functions and powers

Clause 41 - National Data Commissioner

297.      This clause provides for the role of a National Data Commissioner. The Commissioner is a statutory office holder, as recommended by the Productivity Commission Inquiry into Data Availability and Use. As a statutory office holder, the Commissioner is bound by the Australian Public Service Code of Conduct, subject to regulations made under section 14(2A) of the Public Service Act 1999 .

298.      This clause works in conjunction with clause 46, which establishes the Commissioner as an official of the Department for the purposes of finance law, as defined by the PGPA Act . The Commissioner has obligations under that Act as such an official of the Department.

Clause 42 - Functions

299.      This clause sets out the functions of the National Data Commissioner.

300.      The National Data Commissioner is the regulator and champion of the data sharing scheme established by this Bill. The Commissioner will provide oversight and guidance to ensure the scheme operates as intended, driving cultural change and supporting capability building among data scheme entities to promote better sharing and release of public sector data.

301.      The Commissioner’s primary functions relate to advice, advocacy, guidance and regulation (including accreditation) (refer subclause (1)). Subclause (1)(f) clarifies that the Commissioner has the ability to do anything incidental or necessary to support these primary functions. The Commissioner may also have other functions arising under this Bill, the rules or another Commonwealth law.

302.      Subclause (2) provides that the Commissioner may perform their advocacy function by undertaking, developing, or supporting educational programs. Such programs enable the Commissioner to support best practice and promote new or emerging ways of managing and sharing data. These programs could be undertaken by the Commissioner, or the Commissioner may expend money to engage contractors to design or run the programs on the Commissioner’s behalf. It is not intended for the Commissioner to grant funding to other bodies or organisations to run educational programs.

Clause 43 - Advice related functions

303.      This clause outlines the Commissioner’s advice functions. The Commissioner will advise the Minister and relevant entities on the operation of the data sharing scheme. The Commissioner may also be required to provide advice to government agencies and Ministers under other pieces of legislation.

304.      The Commissioner will be able to provide advice on their own initiative, or at the request of the Minister. For instance, the Commissioner could provide advice to inform legislative proposals and frameworks that interact with, or improve, the data sharing scheme. This may include providing comments on draft legislation, appearing before Senate Committee Inquiries, and engaging in consultations with government agencies.

Clause 44 - Guidance related functions

305.      This clause outlines the Commissioner’s guidance functions, which are to make data codes and guidelines. These functions enable the Commissioner to support best practice data sharing, release and use, and facilitate compliance with the data sharing scheme.

306.      As data codes are legislative instruments, all data scheme entities must comply with their requirements (refer clause 26). For example, data codes may set out how to comply with requirements for sharing public sector data under this scheme, and other relevant matters, such as data management and curation (refer clause 126).

307.      Guidelines are non-legislative instruments that data scheme entities must have regard to when operating under this scheme (refer clause 27). Guidelines may set out principles and processes related to any aspect of the data sharing scheme, and any matters incidental to the scheme (refer clause 127).

Clause 45 - Regulatory functions

308.      This clause sets out the Commissioner’s regulatory functions. The Commissioner’s regulatory functions are an important element of their role, enabling effective oversight and ensuring integrity of the data sharing scheme.

309.      The Commissioner’s regulatory functions include handling complaints, conducting assessments and investigations, issuing directions, and performing functions and exercising powers with respect to the accreditation framework. Powers associated with these functions are set out in Chapter 5.

310.      The Commissioner’s regulatory functions and powers are designed to enable a graduated and proportional enforcement approach that deters, identifies, and proportionally penalises non-compliance (refer part 5.5).

Clause 46 - Application of finance law

311.      This clause establishes the Commissioner as an official of the Department for the purposes of the PGPA Act . Officials are generally people who are employed by, or otherwise form part of, a Commonwealth entity. The Commissioner will form part of the Department that has responsibility for this Bill under an Administrative Arrangements Order.

312.      As an official, the Commissioner will have duties, and be subject to rules and requirements under the PGPA Act and finance law as defined by that Act.

Clause 47 - Staff

313.      This clause provides that the Secretary of the Department responsible for this Bill must make Australian Public Service staff of the Department available to the Commissioner.

314.      Staff will assist the Commissioner in the performance of the Commissioner’s functions under this Bill and other relevant legislation such as the PGPA Act (refer clause 42), and may be delegated functions or powers in order to do so (refer clause 50).

315.      The Secretary must make adequate staff available to meet the Commissioner’s needs, in terms of both numbers and abilities. The Commissioner will determine the necessary skills, experience and/or qualifications that staff must have.

316.      Subclause (2) ensures the Commissioner directs the staff in relation to the Commissioner’s functions. The Secretary may continue to direct staff in the performance of other functions outside of the data sharing scheme, so there is no overlap.

Clause 48 - Contractors

317.      This clause allows the Commissioner to engage contractors on behalf of the Commonwealth to assist the Commissioner in the performance of their functions and powers.

318.      Contractors may assist the Commissioner, but will not be delegated the Commissioner’s functions or powers, or exercise those powers themselves. For instance, contractors may assist the Commissioner to accredit entities by assessing applications, but the decision to accredit an entity ultimately rests with the Commissioner. Similarly, contractors may assist by drafting a data code, which is officially made by the Commissioner.

319.      Contractors will be engaged subject to the requirements of the PGPA Act .

Clause 49 - Consultants

320.      This clause allows the Commissioner to engage consultants to advise the Commissioner. For example, consultants may provide expert or technical advice as relevant to support the Commissioner in the performance of their functions or powers.

321.      Consultants will be engaged subject to the requirements of the PGPA Act . They may assist the Commissioner, but will not be delegated functions or powers under clause 50.

Clause 50 - Delegation by Commissioner

322.      This clause enables the Commissioner to delegate functions and powers conferred by this Bill - with some exceptions - to Departmental staff made available to them (refer clause 47). Delegation is at the discretion of the Commissioner; the Commissioner may continue to personally perform their functions and exercise their powers.

323.      Delegation is a standard regulatory practice that promotes efficient administration. Delegating powers and functions will allow the Commissioner to focus on high priority matters, supporting timely and effective management of workflows for routine functions and processes as the data sharing scheme matures.

324.      This Bill restricts the functions and powers that can be delegated, rather than people or roles within the Department who can become delegates. This approach gives the Commissioner discretion to ensure staff with appropriate skills have access to powers appropriate for their role. This aligns with the approach taken by contemporary regulators, including the Australian Information Commissioner, Australian Competition and Consumer Commission, and Australian Prudential Regulation Authority.

325.      Subclause (2)(a) provides that the Commissioner’s powers to make data codes, guidelines, and directions (refer clauses 126, 127, and 112 respectively) cannot be delegated. These powers are unsuitable for delegation, due to the importance of these instruments to the operation of the scheme, and the consequences for entities who do not comply. While these powers can only be exercised by the Commissioner, staff and contractors may assist in the preparation of instruments and documents - for instance staff may draft a data code which is formally made by the Commissioner.

326.      Subclause (2)(b) provides the Commissioner cannot delegate their functions and powers with respect to regulating the Department or its portfolio agencies. It would be a conflict of interest for Departmental staff to regulate their employer, for instance by making accreditation decisions that affect the Department. Such decisions and powers rest with the Commissioner, as an independent statutory office-holder who is not employed by the Department. The Commissioner’s independence is further supported by clause 51, and by clause 48 which allows the Commissioner to engage contractors (instead of Departmental staff) to assist with regulating the Department and its portfolio agencies.

327.      Subclause (3) requires delegates to comply with any written directions or conditions the Commissioner places on the exercise of delegated functions and powers. This provision ensures that the Commissioner can establish appropriate bounds on the exercise of delegated powers and functions.

328.      Where the Commissioner has delegated functions or powers, subclause (4) requires them to make information publicly available about the (classes of) delegates to ensure transparency in the operation and administration of the data sharing scheme.

Clause 51 - Independence of Commissioner

329.      This clause establishes the Commissioner’s independence.

330.      The Commissioner is established as an independent statutory office holder, responsible for integrity of the data sharing scheme. It would not be appropriate for officials or other entities that are involved or interested in the scheme to influence how the Commissioner performs and exercises their powers under this scheme.

331.      This clause does not limit the capacity of the Minister or data scheme entities to seek advice on the operation of the data sharing scheme (refer clause 43), or the capacity of the Minister to direct the Commissioner to alter the accreditation status of certain Commonwealth bodies under clause 81(2).

332.      This clause does not limit the Commissioner’s accountability under this Bill or other laws.

Clause 52 - Commissioner not to be sued

333.      This clause provides that the Commissioner and people acting under their direction or authority are not liable for any actions or omissions done in good faith under the data sharing scheme. This aligns with standard protections for regulators and their staff acting within the limits of their legal authority.

334.      Subclause (2) clarifies that this clause does not limit contractual liability. This means that the Commissioner and staff made available to them may be liable for failures to comply with the terms of contractual agreements.

Division 2 - Terms and conditions etc.

Clause 53 - Appointment

335.      This clause enables the Governor-General to appoint a person to be the Commissioner where they have the appropriate qualifications, skills or experience to perform the functions of the Commissioner. The Governor-General would form a view about what qualifications, skills or experience are appropriate considering the functions of the Commissioner under this legislation and the needs of the times.

336.      Appointment by the Governor-General supports the independence of the Commissioner.

337.      This clause does not prevent a person from being reappointed as the Commissioner, consistent with section 33AA of the Acts Interpretation Act 1901.

Clause 54 - General terms and conditions of appointment

338.      This clause sets out the general terms and conditions of the Commissioner’s appointment. In particular, the Commissioner holds office on a full-time basis, for a period that does not exceed five years. Other terms and conditions of appointment may be determined by the Governor-General.

Clause 55 - Other paid work

339.      The Commissioner is a full-time office holder (refer clause 54(2)). As such, this clause provides that the Commissioner may only engage in paid work outside the duties of the office with the Minister’s approval.

Clause 56 - Remuneration

340.      This clause provides that the Commissioner is to be paid at a rate determined by the Remuneration Tribunal. The Remuneration Tribunal is an independent tribunal established under the Remuneration Tribunal Act 1973 to determine and advise on entitlements of Commonwealth and other public offices.

341.      In line with convention for the remuneration of statutory office holders, subclause (2) enables the Minister to set allowances for the Commissioner in rules. If no determination is made by the Remuneration Tribunal, the Commissioner is to be paid the amount prescribed by the rules.

Clause 57 - Leave of absence

342.      Aligning with convention, this clause provides that the Commissioner’s recreational leave entitlements are determined by the Remuneration Tribunal.

343.      Other non-recreational forms of leave, such as personal or carer’s leave, may be granted by the Minister, on conditions determined by the Minister.

Clause 58 - Resignation

344.      This clause provides that the Commissioner may resign their office by providing a written resignation to the Governor-General. The Commissioner is not required to provide a period of notice; their resignation takes effect on the day the Governor-General receives it, or on a later date specified in the resignation.

Clause 59 - Termination of appointment

345.      The Governor-General may terminate the appointment of the Commissioner on the grounds listed in this clause.

346.      Consistent with existing legislation establishing statutory office holders, the listed grounds include misbehaviour, bankruptcy, extended unapproved absences, and physical or mental incapacity.

347.      The Commissioner’s appointment may also be terminated for contraventions of the general duties of an accountable authority under section 29 of the PGPA Act.

Clause 60 - Acting appointments

348.      This clause allows the Minister to appoint someone to act as the Commissioner for a specified period, or periods, when the office of the Commissioner is vacant, or the Commissioner is absent or otherwise unable to perform their duties.

349.      A person appointed to act as the Commissioner must have appropriate qualifications, skills or experience to fulfil the role (refer clause 53). The Minister may consult with the Governor-General to confirm appropriate qualifications, skills or experience.

350.      Providing for acting appointments is a standard feature of legislation establishing statutory roles, to ensure continuity of office in the absence, expected or otherwise, of the office-holder. Appointment by the Minister, rather than the Governor-General, is appropriate as the appointment is on a temporary basis and may need to be made expeditiously to cater for unexpected leave.

351.      Terms and powers of acting appointments are subject to the rules within sections 33AB and 33A of the Acts Interpretation Act 1901.

Part 4.3 - National Data Advisory Council

352.      This part establishes the National Data Advisory Council (the Council) and sets out its functions, membership, and various other administrative matters.

Clause 61 - Establishment and function of Council

353.      This clause establishes the Council, and its function to provide advice to the Commissioner on matters relating to the operation of the data sharing scheme. The Council’s terms of reference may provide further detail on its remit or areas of focus, within the parameters established by this clause. The Council may, for example, advise on operation of the scheme in relation to best practice data management, ethical processes, privacy, or how emerging technologies and related standards might affect the data sharing scheme.

Clause 62 - Membership of Council

354.      This clause establishes the membership of the Council.

355.      Consistent with subclause (1), the Council will include four ex-officio members (the Commissioner, Australian Statistician, Information Commissioner, and Chief Scientist), as well as between five and eight members appointed by the Commissioner.

356.      The Council’s ex-officio members have been chosen by virtue of their position and depth of experience in matters relevant to the data sharing scheme. In particular, the Australian Information Commissioner was selected as an ex-officio member due to their role and functions under the Commonwealth’s privacy, information, and freedom of information regimes. Other public office-holders with relevant expertise may be engaged as appointed members.

357.      Appointment of the Australian Statistician and the Information Commissioner is subject to the requirements of the Australian Bureau of Statistics Act 1975 and Australian Information Commissioner Act 2010 respectively. The Chief Scientist is appointed by the Prime Minister.

358.      Subclauses (2) and (3) relate to designating the Chair of the Council. The Commissioner may designate themselves as the Chair of the Council, or may alternatively designate another Council member to serve in this role. If the Commissioner does not designate a Chair, the Council may designate one of the appointed members as Chair. These options for allocating a Chair provide the Commissioner with flexibility to run the Council as they see fit.

359.      Subclause (4) provides that a Chair may be designated for a period of up to three years. A Chair may be re-appointed at the end of their term, by one of the methods in subclauses (2) and (3).

Clause 63 - Appointment of members

360.      This clause provides that the Commissioner must appoint persons with qualifications, skills or experience that will support the Council’s function, on a part-time basis, by written instrument.

Clause 64 - Term of appointment

361.      This clause provides that appointed members may be appointed for a period up to but not exceeding three years. This arrangement allows the Commissioner to review the make-up of the Council to ensure the qualifications, skills and experience of appointed members remain relevant over time.

362.      This provision does not prevent a person from being re-appointed (refer section 33AA of the Acts Interpretation Act 1901).

363.      Ex-officio members will remain on the Council for as long as they hold their respective offices.

Clause 65 - Remuneration and allowances

364.      This clause sets out the remuneration arrangements for appointed members, subject to the requirements of the Remuneration Tribunal Act 1973.

365.      Subclause (1) provides that appointed members are to be paid at a rate determined by the Remuneration Tribunal. The Remuneration Tribunal is an independent tribunal established under the Remuneration Tribunal Act 1973 to determine and advise on entitlements of Commonwealth and other public offices. If no determination is made by the Remuneration Tribunal, appointed members are to be paid the amount prescribed in the rules.

366.      In line with convention for the remuneration of statutory office holders, appointed members will be paid the allowances prescribed by rules.

367.      This clause does not impact remuneration of ex-officio members. Entitlements of ex-officio members are established elsewhere - the Australian Statistician, for example, is appointed and remunerated under the Australian Bureau of Statistics Act 1975.

Clause 66 - Leave of absence

368.      This clause enables the Commissioner to grant leave of absence to an appointed member, subject to any terms and conditions determined by the Commissioner. Repeated absence from Council meetings without leave of absence may be grounds for termination (refer clause 69).

Clause 67 - Disclosure of interests to Minister or Commissioner

369.      This clause requires the Commissioner and other members of the Council to provide written notice of pecuniary and other interests that conflict or may conflict with the proper performance of their role on the Council.

370.      The Commissioner must report their conflicts of interest to the Minister, while other members must report conflicts of interest to the Commissioner.

371.      The requirement to disclose conflicts of interest aligns with this Bill’s underlying philosophy of accountability and transparency. It will also help to ensure that the Council provides objective advice on the operation and administration of this scheme.

Clause 68 - Disclosure of interests to Council

372.      Under this clause, a member with pecuniary or other interests in a matter before the Council must disclose that interest to a meeting of the Council. The disclosure must be minuted. This approach will help to manage and reduce bias in the Council’s advice to the Commissioner.

Clause 69 - Resignation of members

373.      This clause provides that appointed members may resign their office by submitting a written resignation to the Commissioner. A resignation will take effect on the day the Commissioner receives it, or on a later day specified in the resignation.

374.      Ex-officio members cannot resign from their duties on the Council; they remain members for as long as they hold their offices.

Clause 70 - Termination of appointment of members

375.      This clause provides a list of circumstances in which the Commissioner may terminate the appointment of appointed members of the Council. The grounds for termination reflect existing laws that establish similar councils, and include misbehaviour, extended unapproved absences, and physical or mental incapacity.

376.      Membership may also be terminated if the member’s expertise is no longer relevant or they cease to hold a professional role that was relevant to their membership of the Council. This enables the Council to remove members who have changed profession, and ensures membership can evolve with any changes in focus of the Council.

Clause 71 - Other terms and conditions of members

377.      This clause allows the Commissioner to determine other terms and conditions on which appointed members hold office, with respect to matters not covered by this Bill.

Clause 72 - Procedures

378.      This clause sets out core administrative procedures for the Council. In particular, Council meetings must occur at least twice per calendar year and may be convened by the Commissioner or the Chair. Otherwise, this clause empowers the Council to determine its own procedures, allowing them to be adapted as necessary over time.

Chapter 5 - Regulation and enforcement

Part 5.1 - Introduction

Clause 73 - Simplified outline of this Chapter

379.      This clause provides a simplified outline of Chapter 5 to assist readers to understand the substantive provisions on the regulation and enforcement of the data sharing scheme. The outline is not intended to be comprehensive; readers should rely on substantive provisions of the Chapter.

Part 5.2 - Accreditation framework

380.      This part establishes the accreditation framework for the data sharing scheme, administered by the Commissioner under their regulatory functions. Accreditation decisions may be reviewable under clause 118.

Division 1 - Accreditation

Clause 74 - Accreditation

381.      This clause sets out the Commissioner’s powers in relation to accreditation of entities, which form part of the Commissioner’s regulatory functions (refer clauses 42 and 45). Accreditation is an essential precondition to entities’ participation in the data sharing scheme, and provides assurance that participants are capable of handling public sector data safely. It works with the purpose test (clause 15), data sharing principles (clause 16) and data sharing agreements (clause 18) to provide a robust approach to sharing public sector data.

382.      Subclauses (1) and (2) empower the Commissioner to accredit an entity as an ADSP or accredited user if the Commissioner is satisfied its application made under clause 76 meets the criteria for accreditation established in clause 77. Entities can apply to be both an ADSP and an accredited user. Entities will be notified of accreditation decisions in accordance with clause 75.

383.      The Commissioner is required to accredit certain Commonwealth bodies as accredited users in accordance with subclause (3). This requirement applies to non-corporate Commonwealth bodies, and other Commonwealth bodies prescribed in the rules, that apply for accreditation as users under clause 76 and are not subject to a direction by the Minister under clause 81(2). Entities will be notified of accreditation decisions in accordance with clause 75.

384.      This approach recognises that non-corporate Commonwealth bodies meet the accreditation criteria as they are subject to relevant Australian Government policies and frameworks, and to ongoing oversight by Ministers. Relevant measures at the time of introduction include, but are not limited to, the Australian Government’s Protective Security Policy Framework (PSPF), the Privacy Act, and the Australian Public Service (APS) Code of Conduct. These measures ensure non-corporate Commonwealth bodies protect, manage, and use public sector data appropriately. Such entities will have responsibilities under this Bill and under data sharing agreements when participating in this scheme.

385.      Subclause (4) requires the Minister be satisfied that a Commonwealth body meets the accreditation criteria under clause 77, before it can be prescribed in the rules.

386.      Subclause (5) clarifies that an excluded entity (refer clause 11(3)) or an entity that is the subject of a direction of the Minister under clause 81(2) (relating to suspension or cancellation of certain Commonwealth bodies’ accreditation) cannot be accredited.

387.      Subclause (6) clarifies that an accredited entity has the status of an accredited entity at all times until the time its accreditation is cancelled under clause 81. This means the entity continues to be subject to the responsibilities and requirements of the scheme while its accreditation is suspended, but is not authorised to collect and use data (refer clause 13(3)(b)). This approach ensures accredited entities remain within the regulatory remit of the Commissioner and can be held accountable for their conduct with respect to scheme data, whether actively sharing or not. For example, sharing by or with an entity with suspended accreditation may attract penalties for unauthorised sharing, collection, and/or use (refer clauses 13(3)(b) and 14).

388.      Subclause (7)(a) to (c) clarifies that accreditation is granted subject to the Commissioner’s powers to place conditions on, suspend, and cancel an entity’s accreditation (refer clauses 78 and 81). Accreditation may also be affected by future versions of this legislation.

389.      Subclause (7)(d) reflects that accreditation is granted on the basis that no compensation is payable if conditions of accreditation are imposed or varied, or the accreditation is suspended or cancelled. Accreditation and related interests are not property for the purposes of section 51(xxxi) of the Constitution, which allows Parliament to make laws for the acquisition of property on just terms. Accredited entities are therefore not entitled to just terms compensation if the Commissioner alters their accreditation status. For example, no compensation would be payable if the Commissioner were to accredit an ADSP but later impose conditions limiting the types of data services it may perform.

390.      Subclause (7)(d) is modelled on section 56CA(3) of the Competition and Consumer Act 2010 which relates to accreditation of data recipients for the Consumer Data Right, an analogous scheme for private sector data.

391.      Once an entity has successfully applied and been granted accreditation, it has responsibilities under the Bill, in particular under Chapters 2, 3, and 5. These responsibilities include complying with conditions of accreditation and providing updated evidence to maintain its accreditation (refer clauses 30, 31, and 78), as well as reporting sharing activities and relevant changes in circumstances to the Commissioner (refer clauses 31 and 34).

Clause 75 - Notice of accreditation decision

392.      This clause ensures due process by the Commissioner in deciding to grant or refuse accreditation.

393.      Subclause (1) requires the Commissioner to give written notice to the applicant of the accreditation decision. Subclause (1)(b) states that entities covered under clause 74(3) will only receive notices affirming their accreditation status.

394.      Subclause (2) requires that such notice must be provided to the entity as soon as practicable.

395.      Subclauses (3) and (4) set out essential matters a notice must contain where it relates to a grant or refusal of accreditation, respectively. These matters include the entity’s rights to review of the accreditation decision under part 6.2.

Clause 76 - Application for accreditation

396.      This clause governs who can apply for accreditation and what is required for each application.

397.      Subclause (1) provides that an entity may apply for accreditation, other than an entity described in clause 74(5). ‘Entity’ is defined in clause 9 to enable a broad range of entities with relevant expertise to apply to participate in this scheme.

398.      Subclause (2) lists requirements for a valid accreditation application. In particular, the application must be made by an authorised officer on behalf of the entity (refer clause 137), and be in the form approved by the Commissioner, if one is approved under clause 132. Each application must also include evidence prescribed by the rules to support the applicant’s claims against the criteria for the type of accreditation sought (ADSP and/or accredited user).

399.      Subclause (2)(d) requires each applicant to consent to the Commissioner obtaining relevant information from third parties, or verifying information provided by the entity with third parties, to support an accreditation application. This approach ensures the Commissioner makes an informed accreditation decision, and streamlines the process by allowing the Commissioner to leverage platforms such as MyGovID to verify an individual’s identity rather than collecting personal identification documents.

400.      Subclause (3) provides that Commonwealth entities which must be accredited as users under clause 74(3) do not need to comply with subclause (2)(c) or (d) by attaching evidence supporting their application for accreditation or giving consent. This is because clause 74(3) recognises their ongoing capability and responsibilities to manage public sector data for the purposes of this scheme.

Clause 77 - Criteria for accreditation

401.      Subclause (1) specifies the criteria an entity must meet to become an accredited user or an ADSP. The Commissioner will assess each application against subclause (1) to determine if the applicant has met the criteria, and may request further information under clause 87.

402.      Subclause (1)(a) requires that the entity can appropriately protect, manage and use data. Evidence to demonstrate this could include information about delegations, policies and processes, governance arrangements, audit and review, and transparency and feedback mechanisms which ensure appropriate decision-making and accountability in relation to data.

403.      Subclause (1)(b) requires the entity to have a person within the organisation who is responsible for overseeing management of scheme data by the entity. For example, it could be a senior executive, such as a Chief Data Officer, who oversees an organisation’s data functions, sets the standards for data management, and ensures the right protections and processes are in place to safely manage and use data.

404.      Subclause (1)(c) requires that the entity can effectively apply the data sharing principles outlined in clause 16 to manage risks of sharing.

405.      Subclause (1)(d) requires the entity to be able to minimise unauthorised access, sharing or loss of scheme data. Arrangements could include security protocols to control access to IT systems and physical location(s), as well as established processes for securely storing and processing data. The entity must either have effective processes and systems to meet this criterion itself, or be capable of leveraging others’, such as by using infrastructure to access data that is provided by a data custodian or an ADSP.

406.      Subclause (1)(e) requires the entity to have processes and policies in place that reflect a commitment to continuous improvement of data practices in relation to scheme data, in line with privacy and security obligations. This criterion ensures entities are adaptable and can meet evolving technology, privacy and security requirements as well as community expectations into the future. For example, the entity will need to demonstrate that it regularly reviews and updates its policies, training programs, and data management protocols (which may also be evidence under subclause (1)(a)) to support data maturity and cater for changing technology.

407.      Subclause (1)(f) requires that the entity has the ability to comply with its responsibilities under the scheme. Key responsibilities are found in Chapters 2, 3, and 5 of the Bill, and include complying with conditions of accreditation and reporting obligations.

408.      Subclause (1)(g) requires that the entity can demonstrate its participation in the scheme would not be inconsistent with Australia’s national interest or requirements of security. Evidence of the entity’s security audits and foreign connections may be relevant here. This criterion also relates to the clause 76 requirement to consent to the Commissioner obtaining or verifying information with third parties, which may include security agencies.

409.      Subclause (2) ensures the Minister may also prescribe other criteria in the rules, consistent with the objects and parameters of this Bill. This approach enables the criteria to be adjusted to meet future needs of this scheme.

Division 2 - Conditions of accreditation

Clause 78 - Conditions of accreditation

410.      This clause gives the Commissioner discretion to impose and vary conditions of accreditation. Conditions are a means for the Commissioner to control how accredited entities participate in the data sharing scheme, to manage systemic and entity-specific risks. Failure to comply with accreditation conditions may attract a civil penalty under clause 30 (comply with conditions of accreditation).

411.      Subclause (1) states the Commissioner can impose conditions based on security grounds, including on the basis of an adverse or qualified security assessment, or other circumstances as reasonable and appropriate, such as those outlined in subclause (2).

412.      Subclause (2) outlines what sort of accreditation conditions may be imposed. Conditions placed under subclause (2)(a) and (b) control who can collect and use scheme data on behalf of an accredited entity. These conditions may specify individuals of the entity, or individuals of or associated with a specified part of the entity. A range of individuals may be specified in a condition, as set out in subclauses (2)(a) and (b), and consistent with clause 123 (attribution of individuals’ conduct to certain government bodies). For example, the Commissioner may impose a condition on a university’s accreditation to restrict participation in the data sharing scheme to a specific faculty, school, or individual(s).

413.      Conditions may also set a time period for when an accredited entity must provide updated evidence to maintain their accreditation, or specify the types of data services an ADSP is accredited to provide, including prescribed services under clause 29.

414.      Subclause (3) gives the Commissioner discretion to vary or remove a condition of accreditation. Varying could involve modifying the terms of a condition, such as by updating the range of individuals specified in a condition under subclause (2)(a). The Commissioner may do so based on security grounds, including on the basis of an adverse or qualified security assessment, or other circumstances as appropriate.

415.      The Commissioner may publish information about the imposition, variation or removal of a condition on the accredited user register or ADSP register (refer to clauses 128 and 129).

Clause 79 - Notice before decision about conditions

416.      This clause ensures due process by the Commissioner in deciding to impose, vary, or remove conditions of accreditation, which they have discretion to do under clause 78.

417.      Subclause (1) requires the Commissioner to give written notice to an accredited entity of their proposal to impose, vary, or remove a condition of the entity’s accreditation - where this proposal is made for reasons other than security (refer clause 78(3)(a)).

418.      Subclause (2) requires the written notice to articulate the proposed condition, or variation or removal of a condition. The notice must also request the accredited entity to give the Commissioner a written statement in response to the proposal within a time period specified in the notice. If the entity responds in accordance with the notice, the Commissioner must consider its response before making a decision under clause 78 (refer subclause (3)).

419.      If the Commissioner reasonably believes there are serious and urgent reasons to make the proposed condition, variation or removal, subclause (4) provides the notice need not include the request for response referred to in subclause (2). This qualification ensures the Commissioner is able to act quickly in serious or emergency situations to control how accredited entities participate in the scheme, while still ensuring the relevant entity has notice of how they have been affected in the interests of procedural fairness and to ensure it can comply with its obligations under this Bill. An example of such a situation is if the Commissioner receives information from a credible source that an accredited entity has provided false or misleading information about its capacity to protect data from unauthorised access or loss in order to gain accreditation, and it has access to scheme data.

420.      This clause does not prevent the Commissioner from considering submissions by the affected entity that are made after the time specified in the notice, or which were not solicited.

Clause 80 - Notice of conditions

421.      This clause requires the Commissioner to provide written notice to an accredited entity of a decision under clause 78 to impose or change (vary or remove) a condition of its accreditation, as soon as practicable.

422.      This requirement does not apply to a decision to impose conditions when accreditation is first granted, as notice of such decisions is governed by clause 75(3).

423.      The notice must contain the matters prescribed in subclause (4). In particular, the notice must set out what condition is being imposed, varied or removed; when this will take effect; and the entity’s review rights under part 6.2, noting accreditation decisions for reasons of security may not be reviewable (refer clause 118).

Division 3 - Suspension and cancellation of accreditation

Clause 81 - Suspension or cancellation of accreditation

424.      This clause empowers the Commissioner to suspend or cancel an entity’s accreditation in prescribed circumstances. The effect of suspension is that the accredited entity remains a data scheme entity but cannot participate in sharing activities (refer clauses 13(3)(b) and 14); cancellation involves removing accreditation so the entity ceases to be a data scheme entity.

425.      Subclause (1) sets circumstances in which the Commissioner may suspend or cancel accreditation of entities that are accredited as ADSPs and users under clause 74(1) and (2). These circumstances include where the Commissioner has a reasonable belief or has determined (refer clause 102) the entity has not complied with the Bill, does not or has ceased to meet the accreditation criteria, or the change to accreditation status is in the national interest or for reasons of security.

426.      Subclause (2) empowers the Minister to direct the Commissioner to suspend or cancel accreditation of a Commonwealth entity that was accredited as a user under clause 74(3), if the Minister considers it appropriate. The direction may specify the duration of suspension or the date of cancellation. The Commissioner must give effect to such a direction under subclause (3).

427.      Subclause (4) ensures the direction remains in force until the Minister decides to revoke it. The Minister must notify the Commissioner and the relevant entity of a decision to revoke a direction.

428.      Subclause (5) clarifies that a direction made by the Minister under subclause (2) is not a legislative instrument within the meaning of section 8(1) of the Legislation Act 2003.

429.      Subclause (6) empowers the Commissioner to cancel any entity’s accreditation at its request. If a Commonwealth body accredited under clause 74(3) makes such an application, the Commissioner may cancel its accreditation without being so directed by the Minister under subclause (2).

430.      Subclause (7) provides that a decision to cancel an entity’s accreditation will not be effective if the entity has failed to comply with a direction from the Commissioner under clause 112(1)(a), unless the Commissioner determines otherwise. This means if an accredited entity fails to comply with directions to return or dispose of scheme data, their status as an accredited entity will continue. This approach ensures the entity remains subject to relevant responsibilities and liabilities, as a data scheme entity. In practice, this may involve the Commissioner issuing a direction and taking steps to verify or enforce compliance (which could include suspension of accreditation if the direction is not complied with) before making a decision to cancel accreditation.

Clause 82 - Notice before decision about suspension or cancellation

431.      Subclause (1) requires the Commissioner to give written notice to an accredited entity prior to suspending or cancelling its accreditation under clause 81(1), unless the change to accreditation is done for reasons of security.

432.      Subclause (2) prescribes information the Commissioner’s notice must contain. All notices must state the grounds for the proposed suspension or cancellation, and identify the dates of suspension or cancellation. Notices must also request the accredited entity respond with a written statement showing cause why their accreditation status should not change, within a time period specified by the Commissioner.

433.      Under subclause (3) the Commissioner must consider an accredited entity’s statement, if provided within the specified time in the notice, before making a decision under clause 81(1).

434.      If the Commissioner reasonably believes there are serious and urgent reasons for the change to accreditation status, subclause (4) provides the notice need not include the request for a written response referred to in subclause (2). An example of such a situation is if the Commissioner receives information from a credible source that an accredited entity has an ongoing data breach that severely compromises its capacity to prevent unauthorised access to scheme data. This qualification ensures the Commissioner is able to act quickly in serious or emergency situations to limit how accredited entities participate in the scheme, while still ensuring the relevant entity has notice of how they have been affected in the interests of procedural fairness and to ensure it can comply with its obligations under this Bill.

435.      This clause does not prevent the Commissioner from considering submissions by the affected entity that are made after the time specified in the notice, or which were not solicited.

436.      Subclauses (5) to (8) relate to notice given to certain Commonwealth bodies accredited under clause 74(3), in relation to suspension or cancellation of their accreditation pursuant to Ministerial direction.

437.      Subclause (5) provides the Minister must notify such an entity in writing of intent to suspend or cancel its accreditation, unless the change to accreditation is for reasons of security. The written notice must contain the matters prescribed by subclause (6), including why the Minister is considering altering the entity’s accreditation status and the nature of the change.

438.      The written notice must also request the entity respond within a specified period to show cause why its accreditation status should not change; if the entity complies, the Minister must consider the response. However, under subclause (8) a notice need not request a response by the entity if the Minister believes there are serious and urgent reasons to alter the entity’s accreditation status.

439.      These provisions ensure the Minister is able to act quickly in serious or emergency situations to limit how certain Commonwealth accredited entities participate in the scheme, while still ensuring the relevant entity has notice of how it has been affected in the interests of procedural fairness and to ensure it can comply with its obligations under this Bill.

440.      This clause does not prevent the Minister from considering submissions by the affected entity that are made after the time specified in the notice, or which were not solicited.

Clause 83 - Notice of suspension or cancellation

441.      This clause ensures an accredited entity receives written notice of a decision to suspend or cancel its accreditation. In accordance with subclauses (1) and (2), such notice must be provided to the entity by the Commissioner as soon as it is practicable.

442.      Each notice must contain the information prescribed by subclause (3). In particular, a notice must set out the grounds for the suspension or cancellation of accreditation, and the time period for the suspension or the date the cancellation takes effect, and how it applies in accordance with subclause 81(7). The notice must also set out what rights the entity has to seek review of the Commissioner’s decision under part 6.2, noting accreditation decisions for reasons of security may not be reviewable (refer clause 118).

Division 4 - Transfer of accreditation

Clause 84 - Transfer of accreditation

443.      This clause enables an accredited entity to apply to the Commissioner for a transfer of accreditation, if its governance structure changes such that it becomes a new or different entity. For example, this may occur as a result of Machinery of Government changes as well as corporate mergers, acquisitions, or restructures.

444.      In this case, the accredited entity (whether the old or new entity) may apply to the Commissioner seeking for its original accreditation to be transferred to the new entity, consistent with subclauses (2) and (3). The Commissioner may request the entity provide information to support its transfer application, per subclause (3).

445.      Subclause (4) gives the Commissioner discretion to grant or refuse an application to transfer accreditation. The decision will be based on the entity’s ability to continue to meet the accreditation criteria set out in clause 77 and any conditions that were imposed on the old entity.

Clause 85 - Notice of transfer decision

446.      This clause states the Commissioner must provide a written notice to the entity that applied for a transfer of accreditation. The notice must state whether the transfer has been approved and the date it commences or, if the transfer has been refused, the reason it was refused and the applicant’s review rights under part 6.2. This notice must be provided to the entity as soon as it is practicable.

Division 5 - Rules and further information

Clause 86 - Rules relating to the accreditation framework

447.      This clause enables rules to be prescribed for the accreditation framework, pursuant to the Minister’s rule-making power in clause 133.

448.      The rules may provide for processes and requirements to support the operation of the accreditation framework, as well as other matters relating to accreditation of entities under this scheme. For example, the rules may establish what evidence is required to satisfy the accreditation criteria as well as timeframes for when this evidence must be submitted or updated to maintain accreditation. The rules may also address other matters relating to accreditation under this Bill, such as roles of particular personnel who may act on behalf of an accredited entity such as authorised officers (refer clause 137), and the range of data services that ADSPs may be accredited to undertake including prescribed data services under clause 29.

449.      Consistent with this part, the Minister may set additional items in rules to allow the scheme to evolve, for instance to cater for changes in technology or data management that should be reflected in the accreditation criteria (refer clause 77) or to cancel certain entities’ accreditation (refer clause 81).

Clause 87 - Further information or evidence

450.      To inform a decision under this part, the Commissioner may issue a written request under subclause (1) for an entity to provide further information or evidence prescribed by the rules. For instance, this power could be used where an entity has not provided sufficient evidence to allow the Commissioner to make a fully informed decision on its accreditation application.

451.      Subclause (2) clarifies if the Commissioner makes a request under subclause (1), the Commissioner does not need to make a decision about accreditation until the information or evidence has been provided and reviewed.

452.      This power to request further information is different to the Commissioner’s power in clause 104 to require production of information, though both serve regulatory purposes.

Part 5.3 - Complaints

453.      This part establishes a complaints mechanism to manage disputes between data scheme entities. The complaints mechanism is one of several redress mechanisms in the scheme, and a means for the Commissioner to identify potential cases of non-compliance and areas to improve or support implementation of the scheme.

Division 1 - Complaints

Clause 88 - Making complaints

454.      This clause establishes a complaints mechanism for the data sharing scheme. Complaints provide a means for data scheme entities to resolve disputes with each other and to notify the Commissioner about suspected non-compliance. This mechanism supports the Commissioner to monitor and enforce the data sharing scheme, as well as identify areas where additional guidance may be needed to support voluntary compliance.

455.      Subclause (1) enables data scheme entities (complainants) that reasonably believe another data scheme entity (respondent) has breached this Bill to make a complaint to the Commissioner.

456.      A breach of this Bill includes an act, practice, or omission, whether present or past, that contravenes or is inconsistent with this Bill (refer clause 9). A reasonable belief is taken to mean actual knowledge or a subjective belief that a prudent person would hold when given the same information.

457.      Complaints may be made about former data scheme entities, where the suspected breach occurred while the entity was a data scheme entity. This aligns with the Commissioner’s ability to exercise regulatory powers in relation to the activities of former data scheme entities that occurred when the entity had data scheme entity status. This regulatory scope is necessary as breaches may not come to light immediately when they occur.

458.      Data scheme entities cannot complain about a data custodian’s decision to not share data, as this does not constitute a breach of the legislation (refer clause 24: no duty to share).

459.      Complaints may be made about other sharing decisions that may breach the Bill, for example if a custodian has not given reasons for its refusal to share (refer clause 24), or if data has been shared for a precluded purpose or agreed safeguards under the data sharing principles were improperly applied. Such complaints relate directly to the Commissioner’s regulatory functions and powers (refer clause 45) to oversee operation of the data sharing scheme.

460.      Subclause (2) clarifies that former data scheme entities may make complaints within 12 months of losing their data scheme entity status. This period provides an appropriate window for former data scheme entities to seek to resolve any latent or ongoing issues with their participation in the data sharing scheme. The 12 month window mirrors the Commissioner’s ability to dismiss complaints if they are made more than 12 months after the complainant first reasonably believed the respondent breached or was breaching the Act (refer clause 92(1)(d)).

461.      Subclause (3) requires complaints to specify the respondent, be made in the approved form (if any), and meet any requirements prescribed by an applicable data code. These requirements will standardise processes and ensure the Commissioner has crucial information to progress complaints.

462.      While this mechanism is for data scheme entities, it does not prevent other entities contacting the Commissioner through administrative channels or complaining about data scheme entities’ activities through existing legal mechanisms. For instance, a person may complain to the Australian Information Commissioner about mishandling of their personal information, under the Privacy Act.

463.      This mechanism focusses on situations unique to the data sharing scheme to avoid duplicating existing, understood redress mechanisms under the remit of other regulators, and is supported by the Commissioner’s ability to collaborate with other regulators (refer clauses 107 and 108).

Clause 89 - Respondents

464.      This clause clarifies who the respondent to a complaint is, depending on the nature of the entity.

465.      Not all data scheme entities will be legal persons. Part 6.3 outlines how such entities are treated, including attribution of conduct to them.

Clause 90 - Communicating with complainant

466.      This clause ensures the complainant receives notice of how the Commissioner is responding to their complaint within 30 calendar days of receiving it. This provision is intended to provide transparency and assurance to complainants that due process is observed. The 30 day period provides a reasonable timeframe for the Commissioner to begin any preliminary enquiries of the complaint, and set out steps to resolve it.

467.      The Commissioner may, but is not required to, notify respondents about complaints. In most cases complainants should have first raised their complaint with the respondent directly. This minimises the burden on the Commissioner and respondents when dealing with vexatious or unsubstantiated complaints. If the Commissioner decides to proceed with an investigation of the complaint they must notify the respondent of this fact (refer clauses 100 and 103).

468.      Subclause (2) provides that the Commissioner may, by written notice, request that complainants provide further information in connection with the complaint, within the period specified in the notice. Such requests will allow the Commissioner to collect information needed for preliminary inquiries of complaints when initial requests are incomplete or insubstantial.

469.      If the Commissioner makes a request under subclause (2), they need not take further action in relation to the complaint until the complainant complies with that request. The Commissioner has 30 days from the day requested information is provided to notify the complainant how they are responding to their complaint.

470.      Subclause (4) states that the Commissioner need not provide notice under subclause (1) if the Commissioner has given the complainant notice that they will not deal with the complaint (refer clause 92) on or before the day the written notice under subclause (1) was due.

Clause 91 - Dealing with complaints

471.      This clause provides the essential steps, at a high level, the Commissioner must follow in order to determine how best to deal with a complaint. In particular, the Commissioner must make preliminary inquiries as needed, and consider and arrange for conciliation if appropriate.

472.      Conciliation is encouraged as it maximises the autonomy of parties to the complaint. If the Commissioner is satisfied that conciliation is not appropriate to deal with the complaint or if the complaint is not resolved through conciliation, the Commissioner must start an investigation under clause 101.

473.      The Commissioner need not proceed with handling a complaint if the Commissioner is satisfied that there are grounds to do so under clause 92.

Clause 92 - Grounds for not dealing with complaints

474.      This clause lists circumstances in which the Commissioner may decide to cease dealing with a complaint or not deal with a complaint. The Commissioner may rely on one or more of these circumstances. The listed circumstances are intended to prevent regulatory duplication and limit unnecessary use of time and resources.

475.      To ensure transparency, if the Commissioner decides to cease dealing with a complaint, they must notify the complainant of their decision and the reasons for it. If the Commissioner has notified the respondent of the complaint, the respondent must also be notified.

Clause 93 - Admissibility of things said or done in conciliation

476.      This clause provides that anything said or done in the course of conciliation is not admissible in relevant legal proceedings, unless otherwise agreed to by the parties or when the thing itself constitutes an offence or civil contravention.

477.      This clause allows data scheme entities to fully commit to conciliation and aligns with standard protections for matters and parties involved in conciliation.

Division 2 - Representative complaints

478.      This division establishes a scheme for representative complaints. All provisions are modelled on equivalent provisions in the Privacy Act.

Clause 94 - Conditions for making a representative complaint

479.      This clause sets out when representative complaints can be made. A representative complaint will allow the Commissioner to deal with multiple related complaints in a single, unified process, with all the relevant information. Representative complaints may be particularly useful to resolve matters related to multi-party Data Sharing Agreements.

480.      Under subclause (1), a complainant may submit a representative complaint when: there is a group of data scheme entities (class members) who all have complaints against the same data scheme entity, and those complaints all come from similar or related circumstances giving rise to a substantial and shared issue of law or fact.

481.      Subclause (2) requires a representative complaint to describe or identify class members, and specify the nature of the complaint, relief sought, and common questions of law or fact to be addressed. Complainants need not specify the number of class members, or name them. Similarly, under subclause (3), complainants need not seek the consent of class members before submitting a representative complaint. This is because complainants may not know or be able to find out the details of all data scheme entities affected by the subject of the complaint.

Clause 95 - Commissioner may determine that a complaint is not to continue as a representative complaint

482.      This clause sets out when the Commissioner may determine that a representative complaint will not continue. The parameters for such determinations align with precedent for management of representative complaints, such as those in the Privacy Act.

483.      Subclause (1) provides the Commissioner may determine a complaint should not continue as a representative complaint on their initiative or upon application by the relevant respondent.

484.      The Commissioner may make such a determination if they are satisfied it is in the interests of justice to do so for any of the listed reasons in subclause (2). These reasons include where the representative complaint is likely to be more costly than the costs of class members making separate complaints, or will not be an efficient means of dealing with members’ complaints. Other reasons include where the complainant did not submit the complaint in good faith, or it is otherwise inappropriate to pursue the matter as a representative complaint.

485.      If such a determination is made, subclause (3) provides that the complaint may be continued as a separate complaint by the complainant or another class member, on their own behalf. Allowing representative complaints to continue as separate complaints ensures that the complainant and class members do not lose access to appropriate recourse avenues.

Clause 96 - Additional rules applying to the determination of representative complaints

486.      Subclause (1) allows the Commissioner to replace the complainant with another class member to improve the efficient and effective management and outcomes of representative complaints.

487.      Subclause (2) allows a class member to withdraw from a representative complaint if it was made without their consent, or otherwise before the Commissioner begins preliminary investigations (refer clause 91(1)) into the matter.

488.      Where a person withdraws from a representative complaint under subclause (2), they may lodge a complaint about the same matter under clause 88. This is different from persons who continue as class members of a representative complaint, who may not lodge a separate complaint (refer clause 98).

489.      Subclause (3) enables the Commissioner to direct that notice of any matter be given to a class member or class members by the representative complainant or another person. This power could be used to manage situations where information needs to be provided to particular (but not all) class members, and the representative complainant has not identified which to the Commissioner. It could also be used to notify class members of matters relating to the representative complaint, especially where it is uncertain whether all have consented to participating in the matter, to ensure they are made aware of their involvement.

Clause 97 - Amendment of representative complaints

490.      This clause allows the Commissioner to alter the class membership of a representative complaint (so it continues as a representative complaint), or to unify related individual complaints into a representative complaint.

491.      ‘Altered’ includes addition and removal of members, and other changes to composition of the class of members - for instance in response to the scope of the matter being refined or clarified. Where this involves removal of class members whose complaints are not shared with the rest of the class, and so are not part of the class action, such complaints may be brought separately.

Clause 98 - Class member for representative complaint not entitled to lodge individual complaint

492.      This clause provides that a class member of a representative complaint cannot lodge a separate complaint about the same matter. This reduces unnecessary administrative burden and duplication.

Part 5.4 - Assessments and investigations

493.      This part establishes mechanisms for the Commissioner to monitor and gather information about the operation of the data sharing scheme and data scheme entities within it.

Clause 99 - Assessments

494.      Subclause (1) empowers the Commissioner to assess whether data scheme entities’ activities are consistent with the requirements of the Bill. Assessments are intended to be constructive, regular processes that support voluntary compliance and provide assurance to the Commissioner that the scheme is operating as intended.

495.      Subclauses (2) to (4) relate to conduct of assessments by the Commissioner.

496.      The Commissioner may undertake an assessment in any manner they consider appropriate. This may include inviting submissions, and exercising their information-gathering and monitoring powers (refer clauses 104 and 109). This non-prescriptive approach will allow the Commissioner to adapt assessments to different circumstances and data scheme entities, and update and improve how they are undertaken over time. For instance, assessments may focus on compliance with specific aspects of this Bill, such as application of a particular data sharing principle (refer clause 16), or in line with the Commissioner’s annual regulatory priorities.

497.      The Commissioner may assess the conduct of former data scheme entities, provided that the conduct being assessed occurred while the entity was a data scheme entity. This supports scheme integrity and ensures former data scheme entities are accountable for any conduct engaged in while participating in the data sharing scheme.

Clause 100 - Notices of assessment

498.      To ensure procedural fairness, this clause requires the Commissioner to give a data scheme entity notice before starting, and on the completion of, an assessment of the operations of that entity.

499.      Assessments are intended to be collaborative processes between the entity and Commissioner, so notices given before starting assessments must specify their intended scope. This will allow data scheme entities to make any preparations necessary to facilitate the assessment and request that the assessment cover other matters, if desired.

Clause 101 - Investigations

500.      Investigations provide a means for the Commissioner to determine whether an entity is breaching or has breached requirements of the data sharing scheme. Under this clause, investigations occur in response to a complaint (refer clause 88), or on the Commissioner’s own initiative.

501.      Subclause (1) requires that the Commissioner investigate the subject of a complaint when satisfied that it is not appropriate to deal with the complaint by conciliation, or that conciliation failed to resolve the complaint (refer clause 91).

502.      Subclause (2) allows the Commissioner to investigate an entity when they reasonably suspect that entity has breached or is breaching the requirements of the data sharing scheme. Reasonable grounds may derive from advice from other regulators, information gathered during an assessment, or a pattern of breaches across the scheme that provides a realistic likelihood of non-compliance.

503.      Subclause (3) provides that the Commissioner may investigate former data scheme entities if the conduct being investigated occurred at a time when the entity was still a data scheme entity. This supports scheme integrity as breaches may not come to light immediately after they occur.

504.      Subclauses (4) to (7) contain procedural matters for how the Commissioner undertakes investigations, including when investigations may cease. Further details on when investigations may cease are established in clause 92.

505.      Note that this clause applies to entities, rather than data scheme entities, so the Commissioner may investigate non-compliance with their power to compel production of information in clause 104, which applies to data scheme entities as well as other persons. Clauses 102 and 103 take the same approach as they flow from investigations under clause 101, as do certain consequences of a determination of breach set out in later clauses.

Clause 102 - Determination on completion of investigation

506.      This clause requires the Commissioner to make a written determination setting out findings of an investigation completed under clause 101.

507.      Subclause (1) prescribes the content of a determination. To ensure due process, each determination must be in writing, and set out the Commissioner’s opinion and reasoning of whether the investigated entity breached the requirements of this legislation. If the Commissioner finds a breach has occurred or is occurring, the determination will also describe what regulatory or enforcement action the Commissioner intends to take to address the situation.

508.      Determinations will be provided to relevant entities under clause 103, providing a clear outcome from investigations. Subclause (2) provides that the Commissioner may also publish determinations, for example when they relate to a breach which may impact other data scheme entities.

509.      Subclause (3) provides that if at any time the Commissioner has reason to vary or revoke a breach determination, they may do so. This could include when a data scheme entity provides evidence that changes the Commissioner’s opinion as to whether the breach has occurred.

510.      Subclause (4) is included to assist readers, as determinations are not legislative instruments within the meaning of subclause 8(1) of the Legislation Act 2003.

511.      Certain enforcement actions in this Bill, such as issuing infringement notices and seeking injunctions or judicial penalties, rely on a determination of breach first being made by the Commissioner.

Clause 103 - Notices relating to investigation

512.      To ensure procedural fairness, the Commissioner must give entities notice providing the intended scope of an investigation before commencing it. The Commissioner must also give determinations made under clause 102 to the entity that was investigated upon completion of that investigation. This will provide a clear outcome from each investigation, and clarify next steps, if any.

513.      The Commissioner may, but is not required to, notify complainants about determinations related to their complaint. It may not always be appropriate for complainants to be given full details of the outcomes of investigations, particularly if they would tend to disclose sensitive details about the data or processes under investigation.

514.      If the Commissioner varies or revokes a determination, the Commissioner must give the variation or revocation to the persons who were given the original determination. This will ensure relevant people are kept up-to-date on any changes to the outcomes of the investigation.

Part 5.5 - Regulatory powers and enforcement

515.      This part provides the Commissioner’s regulatory powers to monitor and enforce the requirements of the data sharing scheme. These powers are designed to enable a graduated enforcement approach that identifies and responds proportionally to address non-compliance. Voluntary compliance will be supported through capacity building measures, such as regular assessments (refer clause 99), recommendations (refer clause 111), and activities under the Commissioner’s other functions.

Clause 104 - Power to require information and documents

516.      This clause empowers the Commissioner to compel the production of information and documents relevant to the exercise of their regulatory functions (refer clause 45) from any person. This is known as a ‘notice to produce’ power, or an information gathering power.

517.      The Commissioner’s information gathering power supplements their monitoring and investigation powers derived from the Regulatory Powers Act, which only allow for the collection of information and documents when physically inspecting a premises (refer clauses 109 and 110). Being able to collect information and documents remotely is less invasive and often more practical than gathering information on-site. This supports a graduated and proportional approach to managing non-compliance and enforcing the data sharing scheme.

518.      Subclause (1) enables the Commissioner to make requests to any person, so long as they reasonably believe the person has relevant information. This coverage mirrors that of the Regulatory Powers Act monitoring and investigation powers. Inclusion of non-data scheme entities is necessary given the scope of civil penalty provisions and criminal offences in the Bill which cover, for example, sharing data with entities that are not accredited.

519.      The information requested must be relevant to the exercise of the Commissioner’s regulatory functions. These functions include monitoring and investigating compliance with the scheme, accrediting entities, and handling complaints. Information requested may also inform the Commissioner’s enforcement approach. Note that the Commissioner may not require the provision of information from the Inspector General of Intelligence and Security or intelligence agencies, or documents specified in a certificate under clause 106.

520.      Information and document requests made under this clause must be reasonable. Information requested must be relevant to the exercise of a regulatory function, and the Commissioner must have reasonable grounds to believe the person holds it. People should also be given a reasonable amount of time to comply with requests made under this clause. For example, if a request relates to a high-risk situation, a short response period may be permissible. If the request relates to a low-risk process, however, longer periods may be appropriate.

521.      Subclauses (2) and (3) introduce penalties for failure to comply with subclause (1). Having penalties available for failure to comply with requests relating to investigations is appropriate given delays in identifying and rectifying non-compliance may have serious implications for people or things to which shared data relates.

522.      The consequences for breach of the penalty or offence provisions established by this clause - up to 300 penalty units or up to two years imprisonment, respectively - align with analogous laws and the Guide to Framing Commonwealth Offences. Consistent with the Guide, the Bill sets maximum penalties; a court will determine what is appropriate on a case-by-case basis. The maximums set balance the penalties of older frameworks, such as the Privacy Act, with more contemporary offences for mishandling government and consumer data. This approach is in keeping with the intent for this scheme to align with other applicable frameworks, without duplicating them, as well as with community expectations.

523.      Subclause (4) explains the scope of the Commissioner’s power to deal with documents obtained under this clause.

Clause 105 - Legal professional privilege

524.      This clause provides that legal professional privilege is not a basis for refusing to provide information or documents sought by the Commissioner under clause 104. However, such evidence is not admissible in civil or criminal proceedings against a person. Legal professional privilege is not otherwise affected by this clause, and other privileges continue to apply.

525.      Subclause (1) promotes effective oversight and regulation of the scheme by preventing legal professional privilege being used to deny the Commissioner access to materials relevant to an investigation.

526.      Legal professional privilege is an important right that ought to be abrogated only where there is strong justification. Abrogation is justified here in order to serve higher public policy interests in the effective regulation and enforcement of the Bill, to ensure integrity of the data sharing scheme and protection of public sector data.

527.      In particular, the abrogation of legal professional privilege is necessary as data scheme entities are likely to obtain legal advice before entering into data sharing agreements that may be material to investigations under this clause. This information is likely to be central to the issues being considered by the Commissioner’s investigations, but unlikely to be available from an alternative source. Abrogation of this privilege will allow the Commissioner to effectively hold data scheme entities to account for their handling of government information, an outcome in which there is a strong public interest.

528.      This approach is also informed by other regulators’ experience, whose investigatory activities have been delayed or hampered by an inability to access relevant information, and the difficulty establishing the bounds of the privilege (see Australian Law Reform Commission, Client Legal Privilege and Federal Investigatory Bodies, Discussion Paper 73 (September 2007) chapter 6).

529.      The application of subclause (1) is constrained by clause 104(1) and clause 106, which place limits on the Commissioner’s power to require information and documents. The Commissioner may only seek information and documents under clause 104 where they hold a reasonable belief that the materials are relevant to one of their regulatory functions, and not in the circumstances set out in clause 106.

530.      Subclause (2) ensures legal professional privilege is not completely abrogated by subclause (1), by providing a ‘use immunity’. The effect of this subclause is that information and documents given to the Commissioner pursuant to clauses 104 and 105(1), and the act of giving them, are not admissible in evidence to be used against a person in proceedings involving imposition of a penalty. This is a broad use immunity: it protects all persons, not only the person who produced the materials or is entitled to claim the privilege, and applies in both civil and criminal proceedings. The immunity does not extend to derivative use, as that would exclude all evidence discovered in reliance on leads from the disclosure (in contrast to the use immunity that renders inadmissible only the evidence that was disclosed).

531.      As with other Australian regulators, this approach has been taken to constrain the abrogation of the privilege without frustrating the point of empowering the Commissioner to compel production of information: effective regulation and enforcement of the data sharing scheme. Courts retain their usual powers to exclude evidence that would render proceedings unfair. Further information on use immunities in Commonwealth laws is found in the Australian Law Reform Commission’s Report 129: Traditional Rights and Freedoms: Encroachment by Commonwealth Laws (2016) chapters 11 and 12.

532.      Subclause (3) clarifies that subclause (1) does not affect other claims to legal professional privilege which may be made over the relevant information or document.

533.      This clause also does not abrogate legal professional privilege outside of the context of the request for materials under clause 104, for example legal advice obtained for the purpose of proceedings that follow an investigation.

534.      This clause does not displace the common law privilege against self-incrimination or affect Parliamentary privilege (refer clause 106(4)).

535.      This clause is modelled on similar provisions for other government regulators, including the Ombudsman Act 1976, Crimes Act 1914, Law Enforcement Integrity Commissioner Act 2006 and the Inspector-General of Intelligence and Security Act 1986.

Clause 106 - Limits on power to require information and documents

536.      This clause limits the Commissioner’s information gathering power in clause 104. A notice to produce information cannot be given to excluded entities or their employees, or in relation to information that is subject to a public interest certificate issued by the Attorney-General.

537.      Subclause (1) prevents the Commissioner requesting information from excluded entities (refer clause 9). The information that these entities hold may have particular national security sensitivities so should not be provided except when the relevant entity agrees. Subclause (1) does not prevent these entities providing information to the Commissioner if they choose to.

538.      Subclause (2) prevents the Commissioner requesting information that is subject to a certificate issued by the Attorney-General under subclause (3), stating that provision of that information would be contrary to the public interest. It would not be appropriate for the Commissioner to receive information that could prejudice any of the listed circumstances: Australia’s security or international relations; the deliberations of Government; the conduct of an enquiry or trial; effectiveness of an investigation and enforcement of criminal law; or a person’s safety. This approach aligns with that of certain other regulators with information gathering powers such as the Australian Privacy Commissioner, the Commonwealth Ombudsman, and the Law Enforcement Integrity Commissioner.

539.      If the Commissioner receives a certificate under subclause (3), any existing requests under clause 104 relating to the relevant information or documents are void.

540.      As the Cabinet minister responsible for these matters, the Attorney-General issues certificates under this clause.

541.      Subclause (4) clarifies that the information gathering power in clause 104 does not affect Parliamentary immunities or privileges, within the meaning of the Parliamentary Privileges Act 1987.

Clause 107 - Transfer of matters to appropriate authority

542.      This clause allows the Commissioner to request an integrity body prescribed in clause 108(2) to take carriage of a matter when the body is better placed to manage and/or resolve it.

543.      Enabling transfer of matters to appropriate regulators will reduce inefficiency and duplication of work or matters. For example, if the Commissioner formed the view that the primary subject of a complaint was potential non-compliance with the Privacy Act, the Commissioner could request the Australian Privacy Commissioner deal with the matter instead under this clause.

Clause 108 - Authorisation for Commissioner to disclose and receive information

544.      As part of performing their functions under this Bill, subclause (1) authorises the Commissioner and their staff to exchange information with a prescribed body, for the purpose of assisting that body to perform its functions or exercise its powers.

545.      Prescribed bodies are listed in subclause (2), which covers a range of regulatory and integrity bodies. The Minister may prescribe additional bodies with which the Commissioner may exchange information in rules under subclause (2)(o). Such rules will enable the Commissioner to continue effectively overseeing and regulating the data sharing scheme in the event of machinery of government changes, and introduction of other relevant bodies.

546.      Like clause 107, this clause facilitates ongoing cooperation among regulators to resolve issues, and may support collaborative activities such as the development of joint guidelines (refer clause 127). Such powers are crucial to allow the Commissioner and other regulators to perform their roles effectively. For instance, in order to assess whether an applicant for accreditation has capability to handle Commonwealth data securely, the Commissioner may need information from other bodies (refer clause 76). Similarly, the Commissioner may identify and need to share information that gives rise to a matter within the remit of another regulatory body (like fraud, or the mishandling of personal, protected, or consumer information) while monitoring and enforcing compliance with the data sharing scheme.

547.      This clause is a regulatory mechanism, distinct from the authorisation in clause 13 which enables data custodians to share public sector data under the data sharing scheme. It aligns with powers of other regulators such as the e-Safety Commissioner. Note also that the Commissioner has the power to do anything necessary or incidental to their legislated functions (refer clause 42), so may communicate with data scheme entities in the course of administering the data sharing scheme without needing to rely on this clause.

548.      This clause operates as an ‘authorisation by law’ for the purposes of the Privacy Act, where the information exchanged involves personal information.

549.      The power of the Commissioner (and their staff) to disclose and receive information under this clause does not impact or override secrecy provisions which may prevent listed entities disclosing their information.

Clause 109 - Monitoring powers

550.      This clause grants the Commissioner standard monitoring powers under Part 2 of the Regulatory Powers Act in relation to certain provisions of this Bill.

551.      Part 2 of the Regulatory Powers Act establishes a framework for monitoring compliance with legislative requirements. Under this framework, authorised people may enter premises for the purposes of monitoring, either with the voluntary consent of the occupier or under a monitoring warrant. The authorised person may be assisted by other persons if reasonable and necessary.

552.      Subclause (1) grants the Commissioner standard regulatory monitoring powers in relation to all civil penalty and criminal offence provisions in this Bill, as well as the responsibilities of data scheme entities under Chapter 3 of this Bill.

553.      Subclause (2) clarifies the Commissioner’s monitoring powers extend to verifying the accuracy and completeness of any information given in compliance or purported compliance with the requirements of the data sharing scheme. This includes information provided in relation to accreditation (refer clause 31 and part 5.2), and information provided for the purpose of preparing the Commissioner’s annual report.

554.      Subclause (3) identifies particular roles and bodies for the purpose of the Regulatory Powers Act, for instance specifying the Commissioner is an authorised applicant and person, and relevant courts.

555.      Subclause (4) provides that as an authorised person for the purpose of the Regulatory Powers Act, the Commissioner may be assisted by other persons in carrying out their monitoring powers and functions. This is a standard approach to ensure regulatory efficiency, supported by provisions relating to staff, contractors and consultants in Chapter 3.

Clause 110 - Investigation powers

556.      This clause grants the Commissioner standard regulatory powers under Part 3 of the Regulatory Powers Act to investigate potential contraventions of the civil and criminal penalty provisions in this Bill, as well as possible failures to comply with the responsibilities of data scheme entities in Chapter 3. Investigation powers may only be exercised in relation to an investigation under clause 101, by people identified in this clause (or their delegates).

557.      The Regulatory Powers Act creates a framework for investigating suspected breaches of penalty and offence provisions. Part 3 of that Act allows authorised people to enter premises for the purposes of investigation, either pursuant to the voluntary consent of the occupier or under an investigation warrant. The authorised person may be assisted by other persons if reasonable and necessary.

558.      Subclause (1) specifies the matters in relation to which the Commissioner may exercise investigatory powers. Consistent with subclause (1)(b), these powers extend to investigating third parties who assist a data scheme entity to contravene the legislation, or who are accessories to an offence after the fact (refer clause 9, definition of ‘offence against this Act’).

559.      Subclause (2) identifies particular roles and bodies for the purpose of the Regulatory Powers Act, for instance specifying the Commissioner is an authorised applicant and person, and relevant courts.

560.      Subclause (3) provides that as an authorised person for the purpose of the Regulatory Powers Act, the Commissioner may be assisted by other persons in carrying out their investigatory powers and functions. This is a standard approach to ensure regulatory efficiency, supported by provisions relating to staff, contractors and consultants in Chapter 3.

Clause 111 - Recommendations

561.      This clause enables the Commissioner to give data scheme entities recommendations reflecting outcomes from assessments or investigations (refer part 5.4).

562.      Recommendations may be used to suggest how data scheme entities could improve compliance with the data sharing scheme and achieve best practice. The Commissioner may also use recommendations to encourage data scheme entities to reconsider certain decisions, for example decisions to use a particular methodology for data management.

Clause 112 - Directions

563.      This clause empowers the Commissioner to issue a written direction to a data scheme entity that requires it to act, or to cease acting, in a particular manner. Directions can be used to minimise risk and non-compliance in situations of emergency or breach of this Bill. Directions are binding on recipients and are enforced through the courts.

564.      Subclause (1) specifies circumstances in which the Commissioner may issue directions.

565.      The first circumstance enables the Commissioner to issue directions to accredited entities to deal with scheme data in a certain way to mitigate risks associated with the pending cancellation of their accreditation. A direction could be to destroy, return, or otherwise handle the scheme data as instructed. For example, the Commissioner may direct the entity to return any scheme data in their possession to the data custodian. A return of data is distinct from sharing authorised by Chapter 2 as the direction to return is a regulatory measure.

566.      The second circumstance is when the Commissioner is satisfied a data scheme entity has breached or is breaching the requirements of the data sharing scheme. The Commissioner may detect a breach in the course of an assessment or investigation, or be otherwise satisfied of the entity’s breach. An example of the latter is where a data scheme entity is clearly acting inconsistently with its data sharing agreement, like an ADSP sharing to the wrong accredited user or in a manner that is different to safeguards agreed under the data sharing principles. In these circumstances, a direction could be issued to correct non-compliant or contributory behaviours, and mitigate associated risks or harm.

567.      The third circumstance is an emergency or high-risk situation. Such a situation exists when the Commissioner reasonably believes a threat has arisen that poses serious risks to activities or participants in the data sharing scheme if not promptly addressed. An example of a high-risk situation is where the Commissioner becomes aware of a systemic weakness in IT systems used to share data that could result in unauthorised sharing or release of sensitive data, that is likely to compromise the integrity or wellbeing of entities to which the data relates.

568.      Directions will allow the Commissioner to act quickly to protect the integrity of the data sharing scheme, and to limit and manage the impact of legislative and data breaches. This approach allows the Commissioner to flexibly manage non-compliance, mitigating serious consequences that are less able to be addressed through slower court processes. The directions power also allows for a graduated enforcement approach and aligns with existing regulatory norms.

569.      The Commissioner’s directions power is not intended to impinge upon, or overlap with, judicial injunction powers. Instead, the Commissioner’s directions power is itself subject to judicial oversight. Directions must be enforced through the courts, and the courts may review the legality of an exercise of the directions power through established channels for judicial review. Directions may also be reviewed on their merits, and the Administrative Appeals Tribunal may make an order to stay directions while under review.

570.      The consequences for breach of a direction - up to 300 penalty units - align with analogous laws and the Guide to Framing Commonwealth Offences. Consistent with the Guide, the Bill sets maximum penalties; a court will determine what is appropriate on a case-by-case basis. The maximums balance the penalties of older frameworks, such as the Privacy Act, with more contemporary offences for mishandling government and consumer data. This approach is in keeping with the intent for this scheme to align with other applicable frameworks, without duplicating them, as well as with community expectations.

571.      Subclause (4) is included to assist readers, by confirming that a direction is not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003.

Clause 113 - Civil penalty provisions

572.      This clause allows the Commissioner to seek civil penalties from a court under Part 4 of the Regulatory Powers Act, which provides a framework for use of civil penalties. This framework covers how civil penalties may be sought, state of mind factors that must be proved, and applicable defences.

573.      Penalties may be sought once the Commissioner has investigated and determined that a civil penalty provision has been breached (refer clauses 101 and 102).

574.      This clause also clarifies procedural matters, including the federal, State and Territory courts that may hear matters arising under this Bill.

Clause 114 - Infringement notices

575.      This clause allows the Commissioner to issue infringement notices to current and former data scheme entities under Part 5 of the Regulatory Powers Act.

576.      The Commissioner may issue an infringement notice if they have determined that a breach has occurred or is occurring (refer clauses 101 and 102). Infringement notices will contain fees to be paid in relation to alleged breaches. If the fee is paid, the matter is resolved, and there will be no need for court enforcement. If the fee is not paid, the Commissioner may bring court proceedings against the entity in relation to the alleged breach.

577.      Infringement notices are intended to address minor instances of non-compliance, as an alternative to court proceedings which may be long and expensive. For efficiency purposes, infringement notices may deal with multiple contraventions, but may not charge multiple fees in relation to the same conduct.

Clause 115 - Enforceable undertakings

578.      This clause empowers the Commissioner to accept and enter into enforceable undertakings with data scheme entities under Part 6 of the Regulatory Powers Act.

579.      Enforceable undertakings are tools to support and enforce compliance with legislative obligations. They will set out actions an entity must take to comply with their requirements under the data sharing scheme. The Commissioner may enter into undertakings in various situations, including when they have assessed a data scheme entity (refer clause 99) and identified ways in which the entity could better comply with requirements.

580.      Enforceable undertakings are voluntarily entered into, but once accepted by the Commissioner are enforceable through the judicial system. Parties may withdraw or vary an enforceable undertaking with the Commissioner’s agreement.

581.      In the interests of transparency, the Commissioner may publish enforceable undertakings made under this clause.

Clause 116 - Injunctions

582.      This clause enables the Commissioner to seek injunctions from specified federal and jurisdictional courts to enforce obligations arising under civil penalty provisions of this legislation. Such injunctions are made under Part 7 of the Regulatory Powers Act.

583.      Part 7 of the Regulatory Powers Act establishes a framework for using injunctions, including interim injunctions, to enforce legislative obligations. Injunctions are court orders directing a person or entity to do or not do a certain thing. They are often sought to resolve legal issues and disputes, but can also be used as a temporary remedy while courts hear related matters.

584.      The Commissioner must have determined under clause 102 that a breach has occurred or is occurring before seeking an injunction.

Chapter 6 - Other matters

Part 6.1 - Introduction

585.      This part introduces Chapter 6, providing a simplified outline of its contents.

Clause 117 - Simplified outline of this Chapter

586.      This clause provides a simplified outline of Chapter 6 of the Bill, which provides for various matters relevant to the operation of the data sharing scheme. This simplified outline is intended to assist readers to understand the substantive provisions of Chapter 6, without being comprehensive. Readers should rely on the substantive provisions of Chapter 6.

Part 6.2 - Review of decisions

587.      This Bill provides tailored redress mechanisms for the data sharing scheme, including an avenue for complaints (refer clause 88) and provision for administrative and judicial review. Avenues for redress under other frameworks and bodies continue to be available, such as the Privacy Act and the Commonwealth Ombudsman, including where data sharing is involved.

588.      This part sets out internal and external merits review available under the data sharing scheme.

589.      Operation of this part does not affect the availability of judicial review, which may be available for decisions made under the data sharing scheme by the National Data Commissioner or by data scheme entities. Judicial review may be available under the Administrative Decisions (Judicial Review) Act 1977, section 39B of the Judiciary Act 1903, or section 75(v) of the Constitution.

Clause 118 - Reviewable decisions

590.      This clause provides that regulatory decisions (refer clause 45) made by the Commissioner may be reviewed on their merits, aside from the types of decisions listed in subclause (2). The intent is to ensure the Commissioner’s regulatory decisions are correct (i.e. made according to law) or preferable (the best on the facts before the decision-maker, when exercising discretion), to promote best practice and fair treatment of entities affected by a decision.

591.      Decisions made under the Commissioner’s regulatory functions are generally appropriate for merits review as they may directly impact the rights and interests of individuals. This would include decisions made under the accreditation framework (refer part 5.2) and decisions under Chapter 5 to conduct assessments and investigations, make determinations, and issue directions (refer clauses 99, 101, 102, and 112 respectively).

592.      This approach is consistent with government policy on administrative decision-making, as merits review is available for administrative decisions that will, or are likely to, adversely affect the interests of a person - unless there are factors justifying exclusion of review (see Attorney-General’s Department, Australian Administrative Law Policy Guide (2011), page 14).

593.      Subclause (2) lists four types of decisions which are not reviewable, relating to accreditation and exchange of information with other regulators.

594.      Subclause (2)(a) specifies accreditation decisions relating to foreign entities made by the Commissioner on security grounds are not subject to merits review. The exclusion from merits review only covers a decision made under part 5.2 if that decision directly affects the accreditation of a foreign entity. A ‘foreign entity’ is defined as an entity that is not an ‘Australian entity’, refer clause 9. Foreign entities include foreign government bodies and individuals who are not Australian citizens or permanent residents.

595.      These decisions are not appropriate for merits review as the review process could expose classified or otherwise sensitive details about Australia’s national security, and jeopardise ongoing security operations. The exclusion is narrow; it focusses on adverse accreditation decisions relating to foreign entities which are made on security grounds.

596.      Under subclause (2)(b), a decision by the Commissioner to suspend or cancel accreditation of an entity as required by clause 81(3) is not subject to merits review as it relates to a Commonwealth entity, rather than to the rights or interests of a particular individual.

597.      Other accreditation decisions will be reviewable on their merits, for instance decisions involving Australian entities (whether or not connected to foreign entities), and decisions involving foreign entities that are not made on security grounds. The scope of the exclusion mirrors similar exclusions in Part IV of the Australian Security Intelligence Organisation Act 1979.

598.      Subclause (2)(c) and (d) provide that decisions by the Commissioner to transfer a matter (refer clause 107), or to disclose or receive information (refer clause 108), are not subject to merits review. These decisions are preliminary or procedural in nature as they facilitate or lead to the making of a substantive or determinative decision by the body that receives the matter or information. The procedural or preliminary quality of these decisions makes them unsuitable for merits review, and the availability of review could frustrate or delay administrative decision-making.

599.      Certain other decisions under this Bill are not reviewable due to the nature of the decision, rather than through an express exclusion in clause 118. Decisions made under the Commissioner’s advice, guidance, advocacy, and incidental functions (refer clause 42) are not appropriate for merits review. For instance, decisions made under the advocacy and guidance functions do not relate to the rights or interests of a particular individual, and are legislation-like in character. Delegation decisions are also unsuitable for merits review, as they are preliminary or procedural decisions that precede the making of a substantive decision. Decisions to appoint persons to undertake specified functions, such as to appoint members of the National Data Advisory Council, are also generally not appropriate for review. This approach is consistent with the Administrative Review Council publication, What decisions should be subject to merits review? (1999) paras 3.3-4.48.

600.      Certain decisions under the Commissioner’s incidental function may be challenged through other channels, such as the independent review mechanism for government procurement under the PGPA Act. The Commissioner’s decisions will also be subject to public and Parliamentary scrutiny through their annual report and various other government accountability processes.

Clause 119 - Applications for reconsideration of decisions made by delegates of the Commissioner

601.      This clause establishes a formal process for internal merits review. A decision that is a reviewable decision under clause 118 may be internally reviewed if the decision was made by a delegate of the Commissioner (refer clause 50).

602.      A formal internal review process is consistent with good administrative decision-making practices. Internal review is generally easier for applicants to access, and provides a quicker and less expensive means of re-examining decisions than external review. Formal (statute-based) internal review also provides applicants with greater certainty and clarity as to their review rights, compared with informal review processes. This is consistent with the Attorney-General’s Department’s Australian Administrative Law Policy Guide (2011).

603.      If a delegate has made a reviewable decision, subclause (2) allows an affected person to apply to the Commissioner for review. This internal review will be undertaken by the Commissioner personally, or a delegate, in accordance with the process set out in clause 120.

604.      Decisions made personally by the Commissioner (i.e. not a delegate) cannot be reviewed internally, and affected persons must seek external review by the Administrative Appeals Tribunal (refer clause 122).

605.      Under subclause (3), applications for internal review must provide reasons for the application and be in an approved form (if any) to ensure consistency.

606.      In circumstances where the Minister has made rules prescribing fees for the purpose of this clause, subclause (4) provides that an application will only be considered to have been made if the relevant fee has been paid. If such a rule is made, merits review applications made under this clause are deemed not to have been made unless the prescribed fee is paid. This subclause and any rule issued under it do not preclude application fees from being paid otherwise than together with an application.

Clause 120 - Reconsideration by the Commissioner

607.      This clause sets out how the Commissioner or their delegate must deal with applications under clause 119 for internal review of a decision. The processes established by this provision reflect and formalise standard practice for internal merits review.

608.      Subclause (1) provides that reviewable decisions must be reviewed, then either affirmed, varied, or revoked by the Commissioner or their delegate.

609.      Subclause (2) clarifies that the affirmed, varied, or revoked decision operates as if it were the original decision. This means, for example, if a decision to issue a direction is revoked, relevant data scheme entities are not liable for failing to comply with the direction prior to its revocation.

610.      Subclauses (3) and (4) promote procedural fairness by requiring written notice be provided to applicants, advising them of the outcome of the review and the reasons for the decision. The requirement to provide reasons in subclause (4) is separate from the ability to request reasons for a decision under section 28(1) of the Administrative Appeals Tribunal Act 1975. Reasons must be provided within 28 days after the Commissioner or their delegate decides to affirm, vary, or revoke the relevant decision.

611.      Subclause (5) sets out requirements for delegates when reviewing decisions. Delegates must not have been involved in making the original decision, and must at least hold a position or perform duties at the same level as the original decision maker. This ensures appropriate separation from the original decision-making process, while maintaining the seniority of delegates involved.

Clause 121 - Deadline for reconsideration

612.      This clause establishes a period within which the Commissioner or their delegates must reconsider decisions under clause 120.

613.      Subclause (1) provides that the Commissioner or their delegate must reconsider decisions within 90 calendar days of receiving an application under clause 119. This deadline provides assurance to applicants that their case will be considered in a timely manner that does not unduly impede their ability to seek external merits review.

614.      Subclause (2) clarifies the original decision is taken to be affirmed if the Commissioner does not notify applicants of the outcome of a review within 90 days.

Clause 122 - Review by the Administrative Appeals Tribunal

615.      This clause enables the Administrative Appeals Tribunal to review the merits of regulatory decisions that are reviewable under clause 118.

616.      A person may seek review of a reviewable decision by the Administrative Appeals Tribunal where the decision has been made by the Commissioner personally (that is, not by a delegate), or where the decision has been affirmed or varied by the Commissioner or a delegate. In the latter situation, the Tribunal will review the decision as affirmed or varied by the Commissioner or the delegate (not the original decision).

617.      In accordance with section 28 of the Administrative Appeals Tribunal Act 1975, a person who is entitled to apply to the Tribunal for review of a decision is able to request a statement of the reasons for the reviewable decision from the relevant decision-maker.

Part 6.3 - Treatment of certain entities

618.      This part describes the treatment of various entities participating in the data sharing scheme.

619.      Clause 123 outlines when and how the conduct of employees and other personnel may be attributed to a Commonwealth, State or Territory body. Clauses 124 and 125 take a similar approach with respect to non-legal entities, such as partnerships and trusts.

620.      Responsibility of legal entities such as bodies corporate will be determined in accordance with other applicable laws, such as Part 2.5 of the Criminal Code and section 97 of the Regulatory Powers Act.

621.      These clauses and legislation work together to hold all data scheme entities accountable for actions within the scheme, to a consistent standard.

Clause 123 - Treatment of Commonwealth bodies, State bodies and Territory bodies

622.      This clause is important from an accountability perspective, as it clarifies when an individual’s conduct will be attributed to a Commonwealth, State or Territory body for the purposes of triggering the entity-level authorisations, responsibilities, and penalties under this Bill.

623.      Subclause (1) explains this Bill applies to a data scheme entity that is a Commonwealth, State or Territory body (refer clause 9) that is not a legal person (such as a body corporate) as if the body were a person, but with certain modifications set out in subclauses (2) to (4).

624.      Subclause (2) recognises that Commonwealth, State and Territory bodies act through persons covered by subsection (5). Where these individuals engage in conduct within the scope of their employment or authority, their act or omission is attributed to the relevant data scheme entity under subclause (3), subject to subclause (4).

625.      Subclause (3) sets out when and how breaches of this Bill will be attributed to the entity, instead of a person who acts (or omits to act) on its behalf. Clause 9 defines ‘breach’ to include civil contraventions, criminal offences, and other conduct which is not consistent with the Bill.

626.      Subclause (3)(a) attributes the conduct of a person covered by subsection (5) to the relevant entity, if they engaged in the conduct on that body’s behalf and within the actual or apparent scope of their employment or authority. For example, if an authorised officer of a data custodian (see clause 137) shares data for an enforcement related purpose such as conducting surveillance, their conduct would be attributed to the data custodian. The data custodian may then be liable for unauthorised sharing (refer clause 14), unless subclause (4) applies.

627.      For the purpose of establishing whether an entity has breached this Bill, subclause (3)(b) provides it is sufficient to establish the person in subclause (3)(a) engaged in conduct with the requisite state of mind. The reference to ‘state of mind’ covers intention, knowledge, and recklessness, as well as beliefs, such as a belief about the purposes of sharing, or reasonable suspicion of a data breach.

628.      A person will be liable for their own actions where they act outside the scope of their employment or authority, or not on behalf of an entity. This could mean that the person breaches this Bill, or another law under the rebound approach (refer clause 14).

629.      Where subclause (3)(a) attributes a person’s conduct to an entity, subclause (4) provides that the entity will not have contravened this Bill if it took reasonable precautions and exercised due diligence to avoid the conduct. This subclause encourages entities to have sound internal governance processes and procedures to support and monitor compliance with this Bill. Examples of due diligence and reasonable precautions include protective security policies, employee codes of conduct, clear delegation instruments, as well as training and review of sharing, privacy and data management practices.

630.      Subclause (4) places a legal burden on an entity in proceedings for a breach of this Bill, requiring them to establish it took reasonable precautions and exercised due diligence to avoid the conduct (see Criminal Code section 13.4(b)). This burden is justifiable as the evidence required to prove reasonable precautions and due diligence would be peculiarly within the entity’s knowledge and means to provide (see the Guide to Framing Commonwealth Offences at 4.3.1). Consistent with section 13.5 of the Criminal Code, a defendant need only discharge this burden on the balance of probabilities, a lower standard of proof than beyond reasonable doubt.

631.      Subclause (5) sets out the range of persons whose conduct may be attributed to the government body they work for. It covers employees, officers, and members of an entity, which may include personnel such as members of the Australian Federal Police or Australian Defence Force. The subclause covers people who have a particular role within an entity, such as an authorised officer (refer clause 137) or statutory office holder. Natural and legal persons who are engaged or appointed to act for an entity, such as an agent or contractor, are also covered by this subclause. The scope of authority for persons holding roles covered by this subclause can be determined using resources such as their terms of employment, delegation, or contract.

632.      Subclause (6) clarifies a reference in this clause to ‘this Act’ includes a reference to subordinate legislative instruments, which may affect how data scheme entities and their personnel engage with the data sharing scheme.

633.      As clarified in the Note under subclause (3), this clause interacts with clause 5(2), as government bodies that do not form part of the Crown may be liable for criminal offences. Note also that Commonwealth bodies are notionally liable to pay a fee under clause 141.

634.      This clause does not apply to government entities that are legal persons, such as agencies that are bodies corporate. For such entities, existing laws such as section 97 of the Regulatory Powers Act and Part 2.5 of the Criminal Code continue to apply. Those laws operate similarly to subclause (3)(a), attributing the conduct of individuals to bodies corporate for the purposes of civil penalties and criminal offences.

635.      This clause is based on section 8 of the Privacy Act, section 245 of the Work Health and Safety Act 2011, and section 250 of the Life Insurance Act 1995, adapted for the needs of this Bill.

Clause 124 - Treatment of partnerships and unincorporated associations

636.      This clause establishes how the data sharing scheme applies to partnerships and unincorporated associations, both of which may be accredited entities (refer clause 11). In short, partnerships and unincorporated associations have responsibilities under this scheme themselves, as if they were persons, although these obligations may be imposed upon and discharged by a responsible individual for the entity. Subclause (6) clarifies that a responsible individual is either a partner or a member of the association’s committee of management, as relevant.

637.      Consistent with legal norms, a responsible individual may be personally liable where their actions or omissions contribute to a civil contravention or criminal offence of the partnership or unincorporated association. Subclauses (3) and (4) provide three situations where such liability arises, namely where the partner or member:

a.        Committed the relevant act or omission; or

b.       Supported the commission of the act or omission by aiding, abetting, counselling, or affirming it;

c.        Was otherwise involved in or party to the act or omission, either directly or indirectly.

638.      Subclause (5) provides that a change in composition of the partnership or unincorporated association, such as the addition or removal of partners or members of the committee of management, does not impact the continuity of its obligations as a data scheme entity. This maintains consistent standards for and regulation of all entities participating in this scheme, while allowing for changes in particular entities’ circumstances.

639.      Subclause (7) clarifies that this clause does not apply to a Commonwealth, State or Territory body that is not a legal person, as clause 123 covers treatment of these entities.

640.      Subclause (8) clarifies a reference in this clause to ‘this Act’ includes a reference to subordinate legislative instruments, which may affect how data scheme entities and their personnel engage with the data sharing scheme.

641.      This clause is modelled on sections 98A and 98B of the Privacy Act.

Clause 125 - Treatment of trusts

642.      This clause establishes how the data sharing scheme applies to trusts, which may be accredited entities (refer clause 11). In short, a trust has responsibilities under this scheme itself, as if it were a person, although these obligations may be imposed upon and discharged by individual trustees.

643.      If a trust has a single trustee, subclause (2) provides that trustee will be personally liable for contraventions or offences of the trust. If a trust has multiple trustees, subclause (3)(a) provides that an obligation imposed on a trust by this Bill is imposed on each trustee, however, any trustee may discharge the obligation.

644.      Consistent with legal norms, an individual trustee may be personally liable where their actions or omissions contribute to a civil contravention or criminal offence of the trust. Subclause (3)(b) provides three situations where such liability arises, namely where the trustee:

a.        Committed the relevant act or omission; or

b.       Supported the commission of the act or omission by aiding, abetting, counselling, or affirming it;

c.        Was otherwise involved in or party to the act or omission, either directly or indirectly.

645.      A change in the composition of a trust may affect its continuity as a data scheme entity. This reflects the legal nature of trusts, as distinct from other non-legal entities in the data sharing scheme (refer clause 124).

646.      Subclause (5) clarifies that this clause does not apply to a Commonwealth, State or Territory body that is not a legal person, as clause 123 covers treatment of these entities.

647.      Subclause (6) clarifies a reference in this clause to ‘this Act’ includes a reference to subordinate legislative instruments, which may affect how data scheme entities and their personnel engage with the data sharing scheme.

648.      This clause is modelled on section 98C of the Privacy Act.

Part 6.4 - Data sharing scheme instruments

649.      This part covers the instruments that the Commissioner will be responsible for under the data sharing scheme.

650.      There are three kinds of legislative instruments under the data sharing scheme. Regulations and Ministerial rules set parameters of the scheme and establish key criteria and thresholds for engaging with the scheme. Data codes are primarily intended to clarify how the data sharing scheme operates and how the legislative requirements should be complied with, and may implement administrative improvements. These instruments could also address how using certain technology or methodologies affects entities’ obligations under the Bill. This approach allows the Bill itself to remain technology neutral, while enabling the data sharing scheme to adapt to emerging technologies and future needs over time.

651.      Non-legislative instruments in the scheme include guidelines and registers made by the Commissioner to support best practice and transparency in the scheme.

Clause 126 - Data codes

652.      This clause empowers the Commissioner to make data codes, legislative instruments that serve as binding codes of practice for the data sharing scheme. The purpose and legal nature of data codes are similar to registered privacy codes under the Privacy Act. The Commissioner will consult with experts and other bodies on the development of data codes.

653.      Subclause (2) provides a non-exhaustive list of what data codes may address.

654.      Consistent with subclause (2)(a) and (b), a data code may set out how data scheme entities are to apply data definitions in clause 10, or comply with requirements for sharing in Chapters 2 and 3. This could include prescribing how to apply the data sharing principles in different situations, such as when sharing via an ADSP, or assess requests against the data sharing purposes. Use of data codes in this manner will clarify core requirements for sharing, and standardise their application by data scheme entities.

655.      Data codes may also deal with the management of complaints, including by imposing additional requirements on their submission and management, under subclause (2)(c) and (d). These requirements may be used, for example, to minimise the submission of vexatious or frivolous complaints. This provides a means for the Commissioner to effectively and appropriately administer the complaints mechanism to maximise satisfactory outcomes.

656.      Subclause (2)(e) enables data codes to deal with any other matters the Commissioner considers relevant, where these matters are not contrary to, or inconsistent with, the requirements of the data sharing scheme.

657.      Any additional requirements imposed by data codes must be consistent with the Bill.

658.      Use of data codes for these matters, rather than regulations, is consistent with the Office of Parliamentary Counsel’s Drafting Direction No. 3.8 - Subordinate Legislation. This Drafting Direction states that the contemporary approach is to use legislative instruments other than regulations. This approach has a number of advantages, including rationalising the types, number, and content of legislative instruments, as well as simplifying the structure and language of this Bill.

659.      Data codes made under this clause are legislative instruments for the purposes of the Legislation Act 2003. Under sections 15G, 38, and 39 of that Act, legislative instruments and their explanatory statements must be registered on the Federal Register of Legislation and tabled in both Houses of the Parliament within six sitting days of registration. Once tabled, instruments are subject to Parliamentary scrutiny and may be disallowed by a notice of motion in either House within 15 sitting days.

660.      As legislative instruments, data codes may not create an offence or civil penalty, provide the Commissioner with additional powers, impose a tax, set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Bill, or directly amend the text of this Bill. Matters set out in data codes apply where they do not contradict, or are not inconsistent with, the requirements of this Bill.

661.      Subclause (3) clarifies that rules and regulations prevail over data codes in the event of any inconsistency.

Clause 127 - Guidelines

662.      This clause empowers the Commissioner to make guidelines with respect to matters relating to their functions and powers under the data sharing scheme. The Commissioner may use guidelines to support best practice and to provide information about how the data sharing scheme operates.

663.      Data scheme entities are required to have regard to guidelines when engaging in conduct under this Bill (refer clause 27).

664.      Consistent with subclause (2), guidelines may outline principles and processes related to any aspect of the data sharing scheme and matters incidental to it such as data release, management, and curation, technical matters and standards, and emerging technologies. Guidelines will help to build capacity in the data sharing scheme and data system more broadly, contributing to the Commissioner’s functions and objects of the Bill.

665.      Guidelines will be developed in consultation with specialists and other bodies and agencies, such as the Office of the Australian Information Commissioner and the National Archives of Australia. The National Data Advisory Council may also advise the Commissioner on the development of guidelines, particularly those that relate to the council’s functions (refer clause 61).

666.      Subclause (3) provides that the Commissioner may publish the guidelines in any manner they consider appropriate. In order to maximise the availability and subsequent impact of guidelines, it is likely the Commissioner will publish them on their website.

667.      Subclause (4) is included to assist readers, as a guideline is not a legislative instrument within the meaning of section 8(1) of the Legislation Act 2003.

Clause 128 - Register of ADSPs

668.      This clause requires the Commissioner to maintain a public register of ADSPs. The register will support the Commissioner’s administration of the accreditation framework (refer part 5.2), and provide a transparency mechanism to report and provide information on ADSPs to data scheme entities and the public more broadly.

669.      Subclause (2) requires the register to contain the name and contact details of each ADSP, at the organisational level, as well as the data services the ADSP is accredited to perform. Subclause (3) provides that this information may be supplemented by other relevant information, including conditions or suspension of an ADSP’s accreditation, and any other information the Commissioner considers appropriate.

670.      Subclauses (4) and (5) work together to allow the Commissioner to maintain the register in any form they consider appropriate, so long as it is publicly available. The Commissioner may omit details from the register if they are satisfied it would be appropriate to do so. The Commissioner may, for example, remove the details of an ADSP from the register when their accreditation is suspended because of an investigation into a serious potential breach.

671.      Subclause (6) is included to assist readers, as a register is not a legislative instrument within the meaning of section 8(1) of the Legislation Act 2003.

Clause 129 - Register of accredited users

672.      This clause requires the Commissioner to maintain a public register of accredited users. The register will support the Commissioner’s administration of the accreditation framework (refer part 5.2), and provide a transparency mechanism to report and provide information on accredited users to data scheme entities and the public more broadly.

673.      Subclause (2) requires the register to contain the name and contact details of each accredited user, at an organisational level. Subclause (3) provides that this information may be supplemented by information about conditions of a user’s accreditation and any other information the Commissioner considers appropriate. Other relevant information could include details of whether the entity’s accreditation has been suspended or cancelled, or whether the accreditation applies to a specific sub-unit of the entity, like a particular college of a university.

674.      Subclauses (4) and (5) work together to allow the Commissioner to maintain the register in any form they consider appropriate, so long as it is publicly available. The Commissioner may omit details from the register if they are satisfied it would be appropriate to do so.

675.      Subclause (6) is included to assist readers, as a register is not a legislative instrument within the meaning of section 8(1) of the Legislation Act 2003.

Clause 130 - Register of data sharing agreements

676.      The register of data sharing agreements is a key transparency and accountability mechanism, providing useful insights on the operation of the scheme, and information necessary for the effective use of redress mechanisms.

677.      This clause requires the Commissioner to maintain a public register of data sharing agreements. The register will support the Commissioner in administering and reporting on the data sharing scheme, and provides transparency about data sharing activities for data scheme entities and the public more broadly.

678.      Subclause (2) requires that the register must contain the mandatory terms and any variations to mandatory terms for each data sharing agreement. Mandatory terms set out key elements of data sharing agreements including the purpose of and parties to the agreement, public sector data involved, and an explanation of how the data sharing principles have been applied (refer clause 19). Subclause (3) provides that this information may be supplemented by any other information the Commissioner considers appropriate. This may, for example, include information on terminated or expired data sharing agreements.

679.      Subclauses (4) and (5) work together to allow the Commissioner to maintain the register in any form they consider appropriate, so long as it is publicly available. The Commissioner may omit details from the register if they are satisfied it would be appropriate to do so. For example, the Commissioner may not publish detailed information about data security or privacy controls used by data scheme entities, in order to prevent those controls being compromised.

680.      Subclause (6) is included to assist readers, as a register is not a legislative instrument within the meaning of section 8(1) of the Legislation Act 2003.

Clause 131 - Recognition of external dispute resolution schemes

681.      This clause empowers the Commissioner to recognise external dispute resolution schemes for the purposes of resolving complaints received under clause 88. The Commissioner may refer a complaint to external dispute resolution when they are satisfied it would effectively resolve the relevant matter (refer clause 92(1)(h)).

682.      External dispute resolution is an independent service that generally includes mediation and conciliation. Use of such processes is encouraged as they maximise the autonomy of parties to the complaint and can avoid the need for court proceedings. It also reflects precedent from the Privacy Act and the Corporations Act 2001.

683.      Subclause (1) allows the Commissioner to recognise an external dispute resolution scheme for an entity or a class of entities, or for a specified purpose.

684.      Subclause (2) sets out matters the Commissioner must take into account before recognising a scheme. The list is modelled on matters that must be considered by the Australian Information Commissioner and the Australian Securities and Investments Commission Chair under their respective schemes.

685.      Subclause (3) allows the Commissioner to recognise an external dispute resolution scheme for a set period of time, or subject to particular conditions (which may be varied or revoked).

686.      Subclause (4) is included to assist readers, as the instrument of recognition is not a legislative instrument within the meaning of section 8(1) of the Legislation Act 2003.

Clause 132 - Approved forms

687.      The Commissioner may approve a form for use in the data sharing scheme.

688.      Approved forms may be used to standardise the content, format, and means of distribution of information to the Commissioner and among data scheme entities. This approach supports consistent practice and streamlining of the administrative and operational systems underpinning the data sharing scheme. The Commissioner will also be able to update approved forms over time to cater for future needs, such as changes to machine readable technologies.

689.      Approved forms may be made to standardise the form of data sharing agreements (refer clause 18), non-personal data breach notifications (refer clause 38), complaints (refer clause 88), and applications for internal merits review (refer clause 119). Rules and data codes may prescribe other situations where an approved form may or must be used.

Clause 133 - Rules

690.      This clause empowers the Minister to issue rules for the data sharing scheme. The rules may prescribe matters required or permitted by the Bill, such as matters relating to the accreditation framework (refer part 5.2) or prescribing additional precluded purposes for sharing (refer clause 15). The Minister may also prescribe other matters necessary or convenient for giving effect to the data sharing scheme, to cater for future needs as the scheme evolves over time. The rules will reflect the scope of the data sharing scheme established by this Bill, and may not contradict or be inconsistent with its clauses.

691.      Dealing with the matters outlined above in rules rather than regulations accords with the Office of Parliamentary Counsel’s Drafting Direction 3.8 - Subordinate Legislation. Drafting Direction 3.8 outlines the contemporary approach to legislative instruments: namely, subordinate instruments should be made in the form of legislative instruments (as distinct from regulations) unless there is good reason not to do so. This approach has a number of advantages, including rationalising the types, number, and content of legislative instruments, as well as shortening the Bill and simplifying the structure and language of its provisions.

692.      Covering matters in the rules will also allow the Bill to be technology agnostic, and give flexibility for the data sharing scheme to adapt to changing technology and needs over time. The capacity for rules to prescribe additional requirements on precluded purposes (refer clause 15), data sharing agreements (refer clause 18), and use of ADSPs (refer clause 29) is particularly important to ensure that the data sharing scheme is appropriately safeguarded against new and emerging risks.

693.      Rules made under this clause are legislative instruments for the purposes of the Legislation Act 2003. Under sections 15G, 38, and 39 of that Act, legislative instruments and their explanatory statements must be registered on the Federal Register of Legislation and tabled in both Houses of the Parliament within six sitting days of registration. Once tabled, instruments are subject to Parliamentary scrutiny and may be disallowed by a notice of motion in either House within 15 sitting days.

694.      To avoid any doubt, subclause (2) clarifies that, as legislative instruments, rules may not create an offence or civil penalty, provide the Commissioner with additional powers, impose a tax, set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Bill, or directly amend the text of this Bill.

695.      There are three kinds of legislative instruments under the data sharing scheme. The rules and regulations set parameters for the scheme, including criteria and thresholds for engaging with the scheme. Data codes focus on how the scheme operates, and how entities should implement and comply with legislative requirements.

696.      Subclause (3) clarifies that the regulations prevail over rules, and rules prevail over data codes in the event of inconsistency.

Clause 134 - Regulations

697.      This clause empowers the Governor-General to issue regulations which may prescribe matters required or permitted by the Bill, or necessary or convenient for giving effect to the data sharing scheme.

698.      Primarily, the regulations will list bodies and legislation that are exempt from the scheme (refer clause 17). Establishing these matters in the regulations allows exemptions to be adapted over time, while maintaining Parliamentary oversight. As exemptions set thresholds for access to the sharing scheme, it is more appropriate to create them through the Bill itself or in the regulations made by the Governor-General, rather than in subordinate instruments made by the Minister or the National Data Commissioner.

699.      Regulations prevail over both the rules and data codes in the event of any inconsistency.

Part 6.5 - Other matters

700.      This part sets out administrative and other matters that are necessary to ensure the data sharing scheme operates in an effective and accountable manner. This includes provisions relating to fees, the treatment of non-legal persons participating in this scheme, the Commissioner’s annual report, and reviews of the operation of the data sharing scheme.

Clause 135 - Disclosure of scheme data in relation to information-gathering powers

701.      This clause controls the circumstances in which data shared and created under this scheme may be disclosed to a court or tribunal, or a person that could otherwise compel disclosure of information or documents. This provision is designed to preserve the scope of the Bill, while maintaining a limited, legitimate avenue for scheme data to be accessed for judicial proceedings and regulatory processes that arise under, or with respect to, this Bill.

702.      Subclause (1) authorises a data scheme entity to disclose scheme data to a court, tribunal, or certain other persons in limited circumstances relating to this Bill or the data sharing scheme. In this context, disclosure includes verbal communications in response to a question, voluntary statements, as well as the production of documents or other tangible information to the same effect.

703.      Subclause (1)(a) permits disclosure to persons who are empowered by the laws in subclause (2) to require disclosure of information, provided that person is exercising their powers in relation to a matter arising under, or with respect to, the data sharing scheme. Subclauses (1)(a) and (2) work together to ensure the Auditor-General, Commonwealth Ombudsman and Information Commissioner are able to perform their respective oversight functions in relation to the scheme. Examples include investigating potential privacy breaches by a data scheme entity, auditing the Commissioner, and responding to complaints about data scheme entities’ activities under the scheme.

704.      Subclause (1)(b) authorises a data scheme entity to disclose scheme data to persons, in circumstances where the disclosure is required under a Commonwealth, State or Territory law for the purposes of giving effect to this Bill. Similar to subclause (1)(a), the phrase ‘giving effect to this Act’ requires the disclosure of scheme data to be connected to administration of this legislation. For example, this subclause would authorise disclosure to a State privacy regulator for the purpose of it investigating a State government authority’s handling of personal information under the data sharing scheme (refer clause 28(1)(b)).

705.      Subclause (1)(c) authorises disclosure to a court or tribunal in response to an order made in the course of proceedings relating to breaches of this Bill, or breaches of other legislation, where an instance of unauthorised sharing has rebounded to the original penalty framework.

706.      This clause functions as a regulatory mechanism. Disclosure authorised by this clause is distinct from sharing data under Chapter 2, so would not qualify as sharing for a (precluded) enforcement related activity, or an instance of unauthorised sharing (refer clause 14(7)).

707.      This clause is necessary to provide limited access to data created under this scheme. As this data cannot be accessed via any other channel, preventing such access could frustrate proceedings under, and investigations with respect to, this Bill.

708.      Permitting disclosure to persons or authorities with certain powers of compulsion also facilitates regulatory cooperation between the Commissioner and other regulators who can receive matters and information from the Commissioner (refer clauses 107 and 108). For example, this would allow the Australian Information Commissioner to conduct an investigation into a potential interference with privacy involving personal information shared under this Bill.

709.      To ensure alignment and consistency, this clause is based on equivalent provisions in other schemes, including the My Health Records Act 2012, the Australian Information Commissioner Act 2010, the Child Support (Assessment) Act 1989, and the Child Support (Registration and Collection) Act 1988.

710.      This clause does not affect powers of regulatory and judicial bodies to conduct their activities or to access information and data outside of the data sharing scheme. Data collected and held outside of this scheme will be able to be accessed through existing avenues, such as usual warrants processes.

Clause 136 - Geographical jurisdiction of civil penalty provisions and offences

711.      This clause builds on clauses 6 and 7, providing the Bill may apply extraterritorially where there is a sufficient link between the matter and Australia to establish the Commissioner’s jurisdiction.

712.      Subclauses (1)(a), (b) and (c) cater for situations where there is a territorial link. These clauses affirm that conduct, or a result of conduct, that occurs in whole or in part in Australia, including its external territories, or on an Australian aircraft or ship, may constitute a contravention or offence (primary or ancillary) under this Bill.

713.      Subclause (1)(d) establishes jurisdiction where there is a link to Australia founded on nationality of the entities involved in the contravention or offence. This clause provides that even if conduct occurs wholly outside of Australia, the Bill applies to entities formed in Australia or individuals with citizenship or permanent residence which are participating in the data sharing scheme.

714.      Subclauses (2) and (3) limit the geographic scope of this Bill by providing defences for foreign entities, modelled on defences in section 15.2(2) and (4) of the Criminal Code. This ensures all participants in the data sharing scheme are treated equally and have appropriate access to justice.

715.      Under subclause (2), a foreign entity will not be liable under this Bill for contravening a civil penalty or criminal offence provision if there is no Australian connection (territorial or nationality) and the conduct is lawful in the foreign jurisdiction in which it occurred. Subclause (3) provides the same defence for an ancillary contravention or ancillary offence, where it relates to a primary contravention or offence which occurred outside of Australia.

716.      Subclauses (4) and (5) explain how the defences in subclauses (2) and (3) interact with the Criminal Code, in particular that the responsibility to establish a valid defence under subclause (2) or (3) rests on the entity alleged to have contravened this Bill (i.e. the defendant).

717.      Subclause (6) notes that this clause displaces the application of Division 14 of the Criminal Code in relation to an offence under this Bill. Division 14 of the Criminal Code provides for the geographical jurisdiction applicable to offences under Commonwealth laws. The geographical jurisdiction established in this clause is modelled on the extended geographical jurisdiction, category B, in section 15 of the Criminal Code.

718.      Subclauses (7) and (8) clarify concepts necessary to establish extraterritorial operation of the Bill. Subclause (7) explains that a ‘result of conduct’ refers to an element of the contravention or offence at issue. Subclause (8) explains that conduct involving electronic communications will be considered to have occurred partly within Australia if the communication was sent or received within Australia.

719.      Subclause (9) provides a definition of the word ‘point’ as that term is used in this clause.

Clause 137 - Authorised officers

720.      This clause identifies the authorised officers of data scheme entities for the purposes of clause 18, which requires data sharing agreements be entered into by an authorised officer of the relevant data scheme entity.

721.      The table specifies persons who may be authorised to enter data sharing agreements on behalf of a data scheme entity, and covers the range of possible types of entities that may participate in the scheme. Typically, an authorised officer will be the head of the entity, or their delegate who has been authorised in writing for the purposes of this Bill. Entities can nominate a position rather than an individual in the written instrument. The ability to specify authorised officers in writing provides data scheme entities with the autonomy to authorise appropriate persons to enter into data sharing agreements on their behalf, and, in the case of data custodians, retain oversight and control of their data.

722.      Subclause (2) allows for Ministerial rules to modify authorised officers listed in the table in subclause (1). If such rules are made, the prescribed individuals (or categories of individuals) are the authorised officers for the relevant kind of data scheme entity, not the individuals listed in the table. Any modification to subclause (1) through rules will not represent a significant change to the substance and operation of this Bill. Rather, this approach recognises the variety of potential participants in the scheme, and ensures the scheme is capable of adapting to future needs, subject to the usual requirements for disallowable instruments.

Clause 138 - Annual report

723.      This clause sets out matters for the Commissioner’s annual report. The annual report is a key accountability and transparency mechanism for the data sharing scheme and the Commissioner as its regulator.

724.      Subclause (1) requires the Commissioner to prepare and give the Minister, for presentation to Parliament, an annual report on the operation of the data sharing scheme each financial year, in accordance with the standard timing set in subclause (4). These requirements mirror those for accountable authorities in section 46 of the PGPA Act. The Commissioner’s annual report will not overlap with the report of the Department, as it only pertains to the data sharing scheme.

725.      Subclause (2) sets out key information that the annual report must include about the operation of the data sharing scheme, and the Commissioner and National Data Advisory Council’s activities. Such information includes details of any legislative instruments made that financial year, and the scope of data sharing activities and regulatory actions which have occurred. Information on reasons for entering or rejecting data sharing requests will be particularly important as an indicator of whether the data sharing scheme has or is achieving its objectives, and to identify areas for improvement. The report will also cover the staffing and financial resources made available to the Commissioner, and how they were used, for transparency.

726.      Other relevant information on operation or implementation of the scheme may be included under subclause (3).

727.      The Commissioner may require data scheme entities to give information and assistance for the preparation of the annual report (refer clause 34).

Clause 139 - Charging of fees by Commissioner

728.      The Commissioner may charge fees to recover costs of providing services related to their functions or powers that are not covered by appropriations funding. Subclause (1) provides that Ministerial rules may prescribe such fees.

729.      Fees may be charged where the services were provided by the Commissioner on their behalf. For example, the Commissioner could charge fees for coordinating conciliation in relation to a complaint, or processing an application for an entity to become accredited. The Commissioner may also charge fees for the cost of outsourcing certain elements of their functions, for example the cost of hiring a contractor to undertake an assessment of whether entities satisfy accreditation criteria.

730.      Subclause (3) provides that fees are payable to the Commonwealth, through the Consolidated Revenue Fund. Under subclause (4), Ministerial rules may specify when and how fees are payable, and any other matters in relation to fees including exemptions, refunds and remissions. Other fee frameworks may also apply, including the Australian Government Cost Recovery Guidelines.

731.      Subclause (5) provides that the Commissioner need not deliver a service when a fee is payable but remains unpaid in connection with that service. This means, for example, that if the rules specified a fee for an entity to be accredited, that entity may not be accredited until that fee is paid. The Minister may provide in the rules for an extension of time for providing services.

732.      Charging of fees by the Commissioner is established in the rules to enable appropriate and flexible adjustment of fees and related processes over time, whilst maintaining Parliamentary oversight.

733.      To avoid doubt, fees prescribed by rules may not impose a tax (refer clause 133). This means that fees must be charged on a cost-recovery basis, unless a relevant exception applies, such as applying a fee for a licence (refer section 53 of the Constitution for further information).

Clause 140 - Charging of fees by data scheme entities

734.      Subclause (1) authorises a data custodian to charge fees to an accredited entity to cover the costs of services it performs to deal with the request to share the data with the accredited entity. This allows the data custodian to recover costs of processing the request, and for other services such as preparing the data in order to share.

735.      Under subclause (2), a data custodian must charge fees in accordance with applicable policies of the Australian Government, to ensure a consistent approach. For instance, non-corporate bodies would have regard to guidelines issued by the Australian Government Department of Finance under section 21 of the PGPA Act.

736.      Nothing in this clause prevents an accredited entity charging fees for services it performs in relation to the data sharing scheme, as clarified by subclause (3). This means that an ADSP or accredited user may charge fees for services such as data integration or analysis, regardless of any fees that they may have to pay to a data custodian for access to public sector data.

737.      Clause 141 applies where the accredited entity being charged is a Commonwealth body.

Clause 141 - Commonwealth not liable to pay a fee

738.      While the Commonwealth is not liable to pay a fee imposed by its own legislation, this clause expresses Parliament’s intent for the Commonwealth to be notionally liable. This is consistent with the intent behind part 6.3, which ensures that all data scheme entities are held to account for their actions within the scheme, and to a consistent standard. Subclauses (2) and (3) enable the Finance Minister to give such written directions to give effect to this policy.

739.      In practice, this means that the Commissioner may charge other Commonwealth entities for services under clause 139, and that Commonwealth entities are notionally liable for civil penalties.

Clause 142 - Periodic reviews of operation of Act

740.      This clause ensures the operation of the Act is periodically reviewed. Reviews must be completed within 12 months or a longer period agreed to by the Minister, as is standard to enable more comprehensive reviews.

741.      Reviews will conclude with a written report submitted to the Minister, and subsequently tabled in each House of Parliament. Review reports must be tabled within 15 sitting days of the Minister receiving the report.

742.      Reviews will occur every ten years from commencement, except the first review which must start three years after commencement. The first review occurring three years after commencement will allow for swift identification and implementation of improvements to the operation of the data sharing scheme.

743.      Reviews will help ensure the data sharing scheme operates as intended, and provide an opportunity to consider expansion or refinements. The data sharing scheme could, for instance, be expanded in the future to enable greater State and Territory participation. Reviews also provide a key accountability and Parliamentary oversight mechanism, to ensure the data sharing scheme is operating in line with public expectations.


3 - Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

1.              This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview

2.              The Bill establishes a legislative scheme to facilitate and regulate controlled access to (sharing) public sector data.

3.              The Bill authorises Commonwealth bodies to share public sector data to accredited entities where consistent with its safeguards, overriding any laws which would otherwise prevent the sharing. If the Bill’s requirements are not met, however, the other laws still apply.

4.              The Bill establishes the Commissioner to support best practice and regulate the data sharing scheme, including accrediting users and data service providers to ascertain they are capable of handling public sector data appropriately, and enforcing compliance with the Bill.

5.              A person may commit an offence or contravene a civil penalty provision if they fail to comply with certain obligations under the data sharing scheme.

Human Rights Implications

6.              This Bill engages the following rights to:

·          Protection from arbitrary or unlawful interference with privacy;

·          Freedom of expression, including to seek, receive and impart information; and

·          A fair trial and fair hearing.

Protection from arbitrary or unlawful interference with privacy

7.              Article 17 of the International Covenant on Civil and Political Rights (ICCPR) enshrines the right to protection from arbitrary or unlawful interference with privacy. The Bill engages this right as it authorises the government and other entities to share public sector data, which may include personal information.

8.              In order to be permissible, an interference with the right to privacy must be reasonable in the circumstances and authorised by a law consistent with the ICCPR. The United Nations Human Rights Committee (UNHRC) has interpreted ‘reasonable’ to mean ‘any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.’ [1]

9.              The Bill includes layered safeguards to minimise interference with the right to privacy, and to ensure any remaining impact is reasonable, necessary and proportionate to its objectives.

10.          Measures which engage and support the right to privacy include:

·          Data sharing, collection and use are only authorised under chapter 2 for defined purposes that serve the public interest, in accordance with the data sharing principles, and consistent with terms and conditions for management of data set in a published agreement.

·          Accreditation of users and data service providers before they participate in sharing, to assess whether they are capable of handling public sector data in a way that minimises risk of unauthorised access or use, in accordance with best practice.

·          The privacy coverage model in clause 28 ensures personal information shared under the scheme is handled in accordance with the standard set in the Privacy Act, which gives effect to the right to privacy in Article 17 of the ICCPR.

11.          Protections that further support a conclusion that any interference with privacy would be reasonable, necessary, and proportionate include:

·          The data sharing principles manage risks of sharing across all aspects of a project. The principles work in tandem to ensure data is shared with appropriate persons and projects in the public interest, in secure environments, where treated and controlled to minimise the risk of disclosure or interference. Applying the principles requires parties to only share data, including personal information, that is reasonably necessary to give effect to a permitted project.

·          Transparency mechanisms, such as registers of data sharing agreements and accredited entities, and annual reporting, provide a public record of who is handling personal information under the scheme for what purposes.

·          Certain entities are excluded from sharing under the scheme, including intelligence agencies and integrity agencies with a role oversighting the scheme. Highly sensitive data, including intelligence data and certain health data, is excluded from being shared under the scheme.

·          Sharing of data is excluded if it would be inconsistent with Australia’s obligations under international law, including obligations under any international agreement binding on Australia.

·          Requirements in part 3.3 for mitigation and notification of any data breaches, which align with thresholds and provisions in the Privacy Act.

·          Civil and criminal sanctions may apply for unauthorised sharing of data, and other conduct that does not comply with the Bill.

12.          Development of these safeguards involved consultation with privacy experts and two independent Privacy Impact Assessments to identify and address privacy impacts.

Freedom to seek, receive, and impart information

13.          Article 19 of the ICCPR establishes the right to freedom of expression, including freedom to seek, receive and impart information and ideas. Facilitating access to data is consistent with the freedom to seek and impart information, demonstrated by the UNHRC’s recent calls for governments to make information available, either online or by request. [2]

14.          The Bill engages and supports this right by authorising controlled sharing and use of government data, and by establishing operational frameworks and tools such as standardised data sharing agreements that support access to such data.

15.          The right is also engaged by the role of the Commissioner, established by chapter 4 of the Bill as both champion and regulator of the data sharing scheme. In promoting the objects of this legislation and supporting best practice data sharing and use, the Commissioner will play an important role in improving access to government data.

16.          Clause 20 also supports access to government data more broadly by facilitating open release of outputs created under the scheme, where release is consistent with a data sharing agreement and relevant Australian laws such as the Privacy Act and the FOI Act.

17.          Building on this, an accredited user does not contravene the Bill if it grants access under the FOI Act to an output created from shared data, despite the recipient not being accredited (refer clause 14). While the Bill does not provide for FOI access to copies of data shared by data custodians and ADSPs, this approach is reasonable as (unlike newly created outputs) other copies of the data are held outside the scheme and continue to be available through the usual FOI processes.

18.          Consistent with Article 19(3) of the ICCPR, the Bill imposes some limitations on the right to seek, receive, and impart information which are necessary to protect national security and to respect others’ rights.

19.          The accreditation framework in part 5.2 works with the Chapter 2 authorisation to share data with accredited entities, rather than the public at large, to ensure government data is only shared with organisations and persons who are capable of handling it securely. The accreditation process may involve assessment of an applicant by Australia’s security agencies, and conditions of accreditation that affect how an entity participates in this scheme may be placed and adjusted by the Commissioner to manage systemic or entity-specific risks.

20.          The Bill upholds existing rights and privileges over public sector data, by precluding sharing that would contravene such interests or in other circumstances prescribed in clause 17 or the regulations. These exclusions are designed to ensure sharing of highly sensitive data, or involving national security purposes and entities, continues to be handled under dedicated frameworks. Likewise, the Bill provides an optional pathway for sharing and does not compel data custodians to share public sector data (refer clauses 16(11) and 24) to ensure there is no compulsion to share where risks cannot be adequately managed.

21.          The Bill preserves existing legal avenues for sharing and use of government data, so channels for data access within those dedicated frameworks are not affected.

22.          These restrictions on the scope of the data sharing scheme align with Article 19(3), which allows limits on the transmission of information to the extent necessary to protect national security or to respect others’ rights.

Right to a fair trial and fair hearing

23.          The ICCPR establishes rights to due judicial process and procedural fairness in Articles 14 and 15. Australia interprets the Article 14 right to a fair trial or fair hearing to apply in both criminal and civil proceedings, and in cases before both courts and tribunals. [3]

24.          The Bill engages these rights as it contains a range of penalties for non-compliance, including civil and criminal penalties, and injunctions, imposed by a court.

Civil penalties and criminal offences

25.          The Bill creates new civil penalties for conduct that is inconsistent with its requirements. Consistent with its proportionate approach to enforcement, the Bill distinguishes civil from criminal penalties. As the term ‘criminal’ has a specific meaning in international human rights law, civil penalty provisions in domestic law may engage criminal process rights under Articles 14 and 15 of the ICCPR. However, the Bill’s civil penalty provisions should not be considered ‘criminal’ for the purposes of international human rights law, as failure to pay a civil penalty will not result in a prison sentence.

26.          The Bill also creates three new criminal offences to capture instances of unauthorised sharing, collection and use of data not covered by other laws. The availability of criminal penalties in this context is appropriate as such conduct directly undermines the scheme’s protections and safeguards. These criminal offences are modelled on the standard for all Australian criminal laws, including default fault elements from the Criminal Code Act 1995 and maximum penalties available under laws such as the Privacy Act.

27.          When data is shared, collected or used in an unauthorised manner, the Bill does not override secrecy and non-disclosure provisions in other laws so sanctions under other laws may alternatively apply (‘the rebound approach’).

28.          Consistent with Article 14(1), an independent, impartial court will preside over all criminal and civil proceedings brought under the Bill or another Australian law (where the rebound approach applies). Such proceedings will be subject to established Australian court processes and procedures that protect the right to a fair trial, including requirements relating to procedural fairness, evidence and sentencing.

29.          The right to be considered equal before a court or tribunal is also upheld, as all parties to proceedings under the Bill (or another law under the rebound approach) will be given reasonable opportunity to present their case in conditions that do not disadvantage them as against other parties.

Presumption of innocence: legal burden

30.          Clause 123 of the Bill engages the right to the presumption of innocence in Article 14(2) of the ICCPR by placing a legal burden on a defendant. To the extent this might be considered to limit the presumption of innocence, the limitation is reasonable in all circumstances.

31.          Clause 123 sets out when an individual’s conduct will be attributed to the Commonwealth, State or Territory body that employs or engages them, and when the individual will be personally liable for their conduct. Clause 123(4) interacts with the right to the presumption of innocence, because it requires the defendant (whether individual or government body) to prove whether the government body took reasonable precautions and exercised due diligence to avoid the individual’s conduct which contravened the Bill.

32.          This legal burden is justifiable as the evidence required to prove reasonable precautions and due diligence would be peculiarly within the entity’s knowledge and means to provide (see the Guide to Framing Commonwealth Offences at 4.3.1). Consistent with section 13.5 of the Criminal Code, a defendant need only discharge this burden on the balance of probabilities, a lower standard of proof than beyond reasonable doubt.

33.          The right to presumption of innocence is not otherwise impacted, and would apply in criminal proceedings brought under this Bill or rebound legislation.

Administrative measures and review of decisions

34.          The Bill engages the right to a fair and public hearing through the Commissioner’s powers to investigate breaches, and to issue infringement notices, seek injunctions, and enter into enforceable undertakings having determined the entity has not complied with the Bill. These are administrative penalties, distinct from those imposed by a court. However, consistent with Article 14(1) and the doctrine of separation of powers in Australia, a court will be responsible for their enforcement.

35.          Clause 105 provides a person is not excused from complying with a notice to produce documents or information to the Commissioner for their regulatory functions on the grounds of legal professional privilege. This clause interacts with the right to a fair trial as it abrogates legal professional privilege, however the privilege is not wholly abrogated as a broad use immunity is provided that prevents the information being used as evidence against any persons in civil or criminal proceedings. To the extent this provision may limit the right to a fair trial or hearing, it is reasonable and proportionate to the objectives of this legislation in establishing an effective regulator that can investigate and address compliance with the Bill.

36.          The Bill upholds fair hearing rights by providing court and tribunal oversight of administrative decisions. For example, pathways for judicial review will continue to be available to ensure decisions by the Commissioner and government data scheme entities are lawful.

37.          The Commissioner’s decisions will also be subject to internal merits review and/or review by the Administrative Appeals Tribunal. Consistent with the Guide to Framing Commonwealth Offences, there are limited, reasonable exceptions for decisions involving national security or which are not appropriate for merits review.

38.          Avenues for individuals or other entities to seek redress, such as complaints and administrative review of government decisions, are also available under other frameworks. For instance, a person may complain to the Privacy Commissioner about mishandling of personal information under the scheme. As a result, the Bill upholds, and does not unreasonably limit, the right to a fair and public hearing with respect to administrative decisions.

Conclusion

39.          The Bill is compatible with human rights because it advances their protection and enjoyment, and, to the extent that it may also limit human rights, those limitations are reasonable, necessary and proportionate to the end.


[1] Office of the United Nations High Commissioner for Human Rights, Toonen v Australia, Communication No. 488/1992, UN Doc CCPR/C/50/D/488/1992 (10 April 1992, adopted 31 March 1994) [8.3]: https://juris.ohchr.org/Search/Details/702.

[2] Office of the High Commissioner for Human Rights, Freedom of opinion and expression, GA Res 44/12, UNHRC, 44th sess, 27th mtg, Agenda Item 3, UN Doc A/HRC/44/L.18/Rev.1 (14 July 2020, adopted 16 July 2020).