Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Data Availability and Transparency (Consequential Amendments) Bill 2020

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

2019 - 2020

 

 

 

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

 

 

 

HOUSE OF REPRESENTATIVES

 

 

 

 

 

 

DATA AVAILABILITY AND TRANSPARENCY (CONSEQUENTIAL AMENDMENTS) BILL 2020

 

 

 

                                                                                                                             

 

 

EXPLANATORY MEMORANDUM

 

 

 

 

 

 

(Circulated by authority of the Minister for Government Services, the Hon Stuart Robert MP)



 

Contents

Outline and financial impact 3

Glossary and abbreviations . 4

Data Availability and Transparency Bill 2020 . 5

1 - Overview .. 5

2 - Notes on Clauses . 6

3 - Statement of Compatibility with Human Rights . 10

Overview of the Bill 10

Human Rights Implications . 10

Right to protection from unlawful or arbitrary interference with privacy . 11

Right to freedom of expression . 11

Right to a fair and public hearing . 12

Conclusion . 13

 

 



 

Outline and financial impact

The Data Availability and Transparency (Consequential Amendments) Bill 2020 amends the Australian Security Intelligence Organisation Act 1979 , the Administrative Decisions (Judicial Review) Act 1977 , the Freedom of Information Act 1982 , and the Privacy Act 1988 to support the operation of the Data Availability and Transparency Bill 2020.

Proposal announced : the Data Availability and Transparency Bill 2020 and this Bill form part of the 2018-19 Budget measure; “Delivering Australia’s Digital Future - data sharing and release arrangements”, and the 2020-21 Budget measure “Department of the Prime Minister and Cabinet — additional resourcing ”.

Financial impact : $20.5 million from 2018-19 to 2021-22, and $11.1 million from 2020-21 over 4 years and $0.7 million ongoing from 2024-25.

Compliance cost impact : The measure will increase average regulatory costs by $0.11 million over two years, comprising a cost to business of $0.2 million per year, to community organisations of $0.06 million, and to individuals of $0.02 million per year.

The Productivity Commission Inquiry Report into Data Availability and Use has been certified as being informed by a process and analysis equivalent to a Regulation Impact Statement (RIS) for the purposes of the Government decision to implement this legislation. The Data Availability and Use report can be found at this link: www.pc.gov.au/inquiries/completed/data-access/report .

Human rights implications : This Bill is compatible with human rights, and to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate. Refer to the Statement of Compatibility with Human Rights in Part 3 below.



 

Glossary and abbreviations

The following abbreviations are used throughout this explanatory memorandum:

AAT

Administrative Appeals Tribunal

Accredited entity

An entity accredited under Part 5.2 of the Data Availability and Transparency Bill 2020 as an accredited user and/or an Accredited Data Service Provider.

Accredited user

An entity accredited by the Commissioner as an accredited user (within the meaning of the Data Availability and Transparency Bill 2020).

ADSP

An entity accredited by the Commissioner as an accredited data service provider (within the meaning of the Data Availability and Transparency Bill 2020).

ASIO

Australian Security Intelligence Organisation

ADJR Act

Administrative Decisions (Judicial Review) Act 1977

ASIO Act

Australian Security Intelligence Organisation Act 1979

Commissioner

National Data Commissioner

FOI Act

Freedom of Information Act 1982

Information Commissioner

Australian Information Commissioner

Privacy Act

Privacy Act 1988

Scheme

The data sharing scheme established by the Data Availability and Transparency Bill 2020.

 

 



 

Data Availability and Transparency Bill 2020

1 - Overview

1.                   The Data Availability and Transparency (Consequential Amendments) Bill (the Bill) 2020 amends the ASIO Act , the ADJR Act , the Privacy Act , and the FOI Act to support the operation of the Data Availability and Transparency Bill 2020 (the principal Bill).

2.                   The principal Bill establishes a data sharing scheme to facilitate and regulate the sharing of Commonwealth government data (‘the scheme’). The principal Bill authorises Commonwealth bodies to share (provide controlled access to) government data with accredited users for specific purposes in the public interest, with safeguards in place to mitigate risk.

3.                   The principal Bill also creates a National Data Commissioner (the Commissioner) to regulate the scheme and support best practice. To facilitate regulatory cooperation, the Commissioner may transfer matters or complaints to other entities including the Information Commissioner (refer Part 5.5 of the principal Bill).

4.                   Part 5.2 of the principal Bill empowers the Commissioner to accredit users and data service providers, [1] and to suspend, cancel or impose conditions on their accreditation. The Commissioner has discretion to refuse to accredit, to suspend or to cancel an entity’s accreditation for reasons of security (as defined in the ASIO Act ).

5.                   Accreditation is not limited to Australian entities to encourage international cooperation on projects in the public interest, particularly in the research sector. However, decisions made by Commissioner for reasons of security about the accreditation of a foreign entity are excluded from merits review (refer Part 6.2 of the principal Bill).

6.                   This Bill makes consequential amendments to the following Acts to support the operation of the scheme and to control for security risks:

·               Part IV of the ASIO Act to allow ASIO to provide advicein relation to the exercise of a power under Part 5.2 of the principal Bill, and to limit the notice and review processes for foreign entities in relation to security assessments.

·               Schedule 1 of ADJR Act to exclude the Commissioner’s accreditation decisions made on the basis of an ASIO security assessment assessments for foreign entities from judicial review under the ADJR Act .

·               Section 7 of the FOI Act to clarify the interaction between the FOI Act and the principal Bill and preserve, to the extent possible, the intended operation of both schemes.

·               Section 50 of the Privacy Act to enable the Information Commissioner to transfer complaints to the Commissioner where appropriate.

 

 

 

2 - Notes on Clauses

Clause 1 - Short title

1.              This clause provides for the short title of this Bill once enacted to be the Data Availability and Transparency (Consequential Amendments) Act 2020.

Clause 2 - Commencement

2.              This clause provides that Schedule 1 of this Bill will come into effect at the same time as the commencement of the principal Act, the Data Availability and Transparency Act 2020 (‘the principal Act’). However, the provisions in Schedule 1 do not commence if that Act does not commence.

Clause 3 - Schedules

3.              This clause provides that, upon enactment of this Bill, an Act that is specified in the Schedule is amended or repealed as set out in the Schedule.

Schedule 1 - Amendments

4.              This Schedule details the amendments that will need to be made to the ADJR Act, the ASIO Act , the FOI Act and the Privacy Act upon enactment of the principal Bill.

Administrative Decisions (Judicial Review) Act 1977

Item 1 - After paragraph (yc) of Schedule 1

5.              This item inserts a new paragraph (yd) into Sch 1 of the ADJR Act , which sets out classes of decisions to which that Act does not apply. Paragraph (yd) excludes from ADJR review certain decisions made by the Commissioner about the accreditation of a foreign entity under Part 5.2 of the principal Bill, if made for reasons of security. Specifically, it excludes decisions by the Commissioner to:

a.        refuse to accredit the entity;

b.       suspend or cancel accreditation;

c.        impose, vary or remove a condition of accreditation.

6.              In this context, ‘security’ has the same meaning as section 4 of the ASIO Act . The term ‘foreign entity’ is defined in the principal Bill as an entity that is not an Australian entity within the meaning of that Bill. Australian entities include Australian citizens and permanent residents, as well Commonwealth, State, or Territory bodies.

7.              This amendment works with item 4 of this Bill and Part 6.2 of the principal Bill to limit review rights for prospective or existing accredited entities that are foreign entities. The amendment is designed to mitigate the risk of exposing classified or otherwise sensitive details about Australia’s national security, or jeopardise ongoing security operations, through the review process. Paragraph (d) in Sch 1 of the ADJR Act already excludes ASIO security assessments from judicial review under that Act, so foreign entity security assessments conducted in the context of the principal Bill are already excluded. This amendment extends this existing exclusion to cover decisions made by the Commissioner under Part 5.2 of the principal Bill on the basis of an ASIO security assessment (‘for reasons of security’).

8.              Foreign entities maintain judicial review rights with respect to accreditation decisions under s 75(v) of the Constitution and s 39B of the Judiciary Act 1903 . Judicial review rights of Australian entities are unaffected by this Bill.

Australian Security Intelligence Organisation Act 1979

Item 2 - Section 35(1) (at the end of paragraph (a) of the definition of ‘prescribed administrative action’)

9.              This item inserts an ‘or’ at the end of paragraph (a) of the definition of ‘prescribed administrative action’ in section 35(1) of the ASIO Act . This is to ensure that every paragraph ends with an ‘or’ following the insertion of the text in item 3.

Item 3 - Section 35(1) (after paragraph (e) of the definition of prescribed administrative action )

10.          This item inserts a new paragraph into the definition of ‘prescribed administrative action’ in section 35(1) of the ASIO Act . This means an exercise of power by the Commissioner under the accreditation framework in the principal Bill is a ‘prescribed administrative action’ for the purposes of Part IV of the ASIO Act .

11.          As the gateway into the data sharing scheme, accreditation plays a crucial role in safeguarding government data shared under the principal Bill. Security advice from ASIO will assist the Commissioner to determine where an entity’s participation in the scheme poses a security concern.

12.          This amendment works with the principal Bill to ensure ASIO can provide advice (including security assessments) to inform an exercise of power under the accreditation framework, such as a decision to accredit an entity, or to suspend or cancel an entity’s accreditation.

13.          The accreditation framework in Part 5.2 of the principal Bill includes criteria relating to ‘security’ as defined in section 4 of the ASIO Act to ensure the provision of security advice (including assessments) to support the Commissioner’s accreditation decisions comes within the scope of ASIO’s functions.

Item 4 - At the end of subsection 36(1)

14.          This item inserts a new paragraph (d) into section 36(1) of the ASIO Act . This new paragraph provides that Part IV of the ASIO Act (other than subsections 37(1), (3) and (4)) does not apply to a security assessment in respect of a foreign entity in relation to the exercise of a power under Part 5.2 of the principal Bill.

15.          The term ‘foreign entity’ is defined in the principal Bill as an entity that is not an Australian entity within the meaning of that Bill. Australian entities include Australian citizens and permanent residents, as well Commonwealth, State, or Territory bodies.

16.          This amendment excludes any foreign entity security assessment that was relied upon by the Commissioner to make a decision in relation to a foreign entity from the notice requirements and AAT review mechanism in Part IV of the ASIO Act . The scope of this exclusion aligns with similar exclusions from review in this part of the ASIO Act .

17.          This amendment works with item 1 of this Bill and Part 6.2 of the principal Bill to limit review rights for prospective or existing accredited entities that are also foreign entities. The underlying intent is to control for the security risks associated with foreign national individuals who may be affiliated with foreign powers. Disclosing knowledge of this affiliation through the review process in Part IV of the ASIO Act risks jeopardising ongoing security operations and poses a threat to Australia’s national security. This is consistent with the Administrative Review Council publication, What decisions should be subject to merits review ? (1999) , which states that

decisions concerning national security may justify exclusion from merits review (para 4.23).

 

Freedom of Information Act 1982

Item 5 - After subsection 7(2E)

18.          This item inserts subsection (2F) into section 7 of the FOI Act. Subsection (2F) provides that an agency is exempt from the operation of the FOI Act in relation to a document (or extract) that:

a)       comprises ADSP-enhanced data within the meaning of principal Bill; or

b)       was shared with or through the agency under subsection 13(1) of the principal Bill.

This exemption from FOI Act coverage does not extend to documents that are outputs within the meaning of the principal Bill (refer subparagraph (2F)(c)(ii))

19.          Paragraph (2F)(a) excludes all ADSP-enhanced data from the operation of the FOI Act , even in the hands of the data custodian on whose behalf it was created.

20.          This amendment is intended to preserve protections for data under the principal Bill. The principal Bill creates a controlled environment for sharing, where data unsuitable for release (including data ordinarily subject to secrecy and non-disclosure provisions) may be safely accessed by appropriate persons for purposes in the public interest. For example, data shared under the scheme may include personal, commercial, and highly sensitive Commonwealth data (all of which are subject to various exemptions under existing FOI Act provisions). Allowing open access to this data under the FOI Act could undermine the scheme’s protections and uptake. In particular, data shared under the scheme for a permitted purpose such as policy or research could be accessed by any person for any purpose (including precluded purposes under the principal Bill).

21.          This amendment exempts only the copy of the data shared under the principal Bill from the FOI Act because that copy has entered the controlled environment of the scheme. It does not prevent an agency from granting access to other copies of the dataset, subject to the terms of the FOI Act , as these copies are held outside the scheme. Similarly, if ADSP-enhanced data has been created as a result of data integration or data cleaning services, the relevant data custodian(s) may grant access to the component datasets or the ‘unenhanced’ data under the terms of the FOI Act .

22.          Outputs created under the scheme by a Commonwealth government accredited user may be accessed under the FOI Act , in line with usual FOI processes . This works with clauses 14 and 20 of the principal Bill, which ensure agencies are not penalised for providing access to outputs under the FOI Act and that the outputs are no longer regulated by the scheme once access is provided.

23.          To balance data and privacy protections with transparency and accountability, the principal Bill requires the Commissioner to publish registers of data sharing agreements and entities accredited to access data under the scheme.

24.          This amendment is similar to the Victorian Data Sharing Act 2017 (Vic), which exempts documents containing data provided to, or created by, entities under that Act from the operation of the Freedom of Information Act 1982 (Vic).

Privacy Act 1988

Item 6 - Subsection 50(1) (after paragraph (a) of the definition of alternative complaint body)

25.          This item amends subsection 50(1) of the Privacy Act to list the National Data Commissioner as an alternative complaint body . This amendment facilitates the transfer of complaints and related information and documents from the Information Commissioner to the Commissioner.

26.          Listing the Commissioner as an ‘alternative complaint body’ will mean disclosures of relevant information and documents to the Commissioner will not contravene subsection 29(1) of the Australian Information Commissioner Act 2010 , which creates an offence for unauthorised dealing with information acquired by a person performing functions or exercising powers relating to a privacy function as defined in that Act.  

Item 7 -After subparagraph 50(2)(a)(i)

27.          This item amends paragraph 50(2)(a) of the Privacy Act by inserting the phrase ‘to the National Data Commissioner under Part 5.3 of the [principal] Bill’. This amendment supports the Information Commissioner to transfer complaints and related information and documents to the Commissioner where the Information Commissioner forms the view that a complaint relating to a matter has been, or could have been, made to the Commissioner under the principal Bill instead.

28.          This amendment provides that complaints made to the Information Commissioner under the Privacy Act may be transferred to the Commissioner if the complaint could be more appropriately handled under the complaints mechanism in the principal Bill. For example, this could include the partial transfer of a complaint to the Commissioner, where the Information Commissioner formed the view that a portion of the complaint related to the use of data under the scheme.  

Item 8 -After subparagraph 50(3)(a)(i)

29.          This item amends paragraph 50(3)(a) of the Privacy Act by inserting the phrase ‘to the National Data Commissioner under Part 5.3 of [the principal Act].’ The effect of this amendment is that a complaint transferred under subsection 50(2) of the Privacy Act shall be taken to be a complaint made to the Commissioner under the complaints mechanism in Part 5.3 of the principal Bill.

 



 

3 - Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

1.          This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 .

Overview of the Bill

2.                   The Data Availability and Transparency (Consequential Amendments) Bill 2020 (the Bill) amends the ASIO Act , the ADJR Act , the FOI Act , and the Privacy Act to ensure the Data Availability and Transparency Bill 2020 (the principal Bill) operates as intended.

3.                   The principal Bill establishes a data sharing scheme to facilitate and regulate the sharing of Commonwealth government data (‘the scheme’). The principal Bill authorises Commonwealth bodies to share (provide controlled access to) government data with accredited users, where it serves specific purposes in the public interest, and safeguards are in place to mitigate risk.

4.                   The principal Bill also establishes a National Data Commissioner (‘the Commissioner’) to support best practice and regulate the data sharing scheme. Part 5.2 of the principal Bill empowers the Commissioner to accredit users and data service providers, and to suspend, cancel or impose conditions on their accreditation, including for reasons of security. The Commissioner may also transfer matters to a more appropriate authority under Part 5.5 of the principal Bill, including the Information Commissioner.

5.                   This Bill makes consequential amendments to:

·               Part IV of the ASIO Act to allow ASIO to provide advicein relation to the exercise of a power under part 5.2 of the principal Bill, and to limit the notice and review rights for foreign entities in relation to security assessments.

·               Schedule 1 of ADJR Act to exclude the Commissioner’s accreditation decisions made on the basis of an ASIO security assessment assessments for foreign entities from judicial review under the ADJR Act .

·               Section 7 of the FOI Act to clarify the interaction between the FOI Act and the principal Bill and preserve, to the extent possible, the intended operation of both schemes.

·               Section 50 of the Privacy Act to enable the Information Commissioner to transfer complaints to the Commissioner where appropriate.

6.                   To balance public interest in greater access to government data with other legitimate interests, this Bill promotes rights under the International Covenant on Civil and Political Rights (ICCPR), with some reasonable, necessary and proportionate limitations to protect Australia’s national security interests and key safeguards established by the principal Bill.

Human Rights Implications

7.                   This Bill engages the following rights:

·          The right to protection from arbitrary or unlawful interference with privacy;

·          The right to freedom of expression; and

·          The right to a fair and public hearing.

Right to protection from unlawful or arbitrary interference with privacy

8.                   Article 17 of the ICCPR enshrines the right to protection from unlawful or arbitrary interference with privacy. This right can be permissibly limited in order to achieve a legitimate objective, where the interference to privacy is for a reason consistent with the ICCPR, proportional to the ends sought, and necessary in the circumstances of any given case. [2]

9.                   Item 3 of this Bill expands the definition of ‘prescribed administrative action’ to include an exercise of power by the Commissioner under part 5.2 of the principal Bill (‘the accreditation framework’). This amendment allows ASIO to provide advice (including security assessments) to inform such an exercise of power, including decisions to accredit an entity, or to suspend or cancel an entity’s accreditation. 

10.               The security assessment process under Part IV of the ASIO Act limits the right to privacy as it involves the sharing of personal (including sensitive) information between the Commissioner and ASIO about existing and prospective accredited entities. Subjecting entities to a security assessment process ensures only safe and appropriate entities can access government data, which may include personal information, under the scheme. The limitation on the right to privacy is therefore reasonable and necessary to achieve the legitimate objective of protecting Australia’s national security interests.

11.               The limitation on the right to privacy is lawful because the amendment relies on established legal processes for security assessments under the ASIO Act . The limitation is not arbitrary, as it applies to an ascertainable class of persons (existing and prospective accredited entities) and only relates to an exercise of power by the Commissioner in making an accreditation decision.

12.               As a privacy enhancing measure, accreditation applicants will be asked to consent to the Commissioner obtaining or verifying information, including personal information, from third parties such as ASIO for security reasons.  

13.               For the reasons above, this amendment places reasonable, necessary and proportionate limitations on the right to protection from unlawful or interferences with privacy.

Right to freedom of expression

14.               Article 19(2) of the ICCPR establishes the right to freedom of expression, including freedom to seek, receive and impart information and ideas in any form. Both the principal Bill and the FOI Act establish schemes that promote this right. The former facilitates controlled access to Commonwealth government data by overriding secrecy and non-disclosure provisions in other laws, where certain requirements are met. The latter creates a scheme of open access to government documents, subject to certain exemptions.

15.               Item 5 of this Bill places limits on the right to freedom of expression as it exempts Commonwealth government agencies from the operation of the FOI Act with respect to documents containing:

·          data shared with or through the agency under the principal Bill; and

·          data that is the result or product of data services performed by an Accredited Data Service Provider (‘ADSP-enhanced data’).

16.               Item 5 of the Bill is necessary to preserve protections for data under the principal Bill. The principal Bill creates a controlled environment for sharing where data unsuitable for release, including data ordinarily subject to secrecy and non-disclosure provisions, may be safely accessed by appropriate persons for purposes in the public interest.

17.               Allowing open access to this data under the FOI Act could undermine the scheme’s protections and uptake, reducing the public benefits to be realised from controlled access to government data. In particular,data shared under the scheme for a permitted purpose such as policy or research could be accessed by any person for any purpose (including precluded purposes under the principal Bill) in the absence of Item 5.

18.               The limitation on Article 19(2) of the ICCPR is reasonable and proportionate, as it minimises the amount of data exempted from the FOI Act . Only the copy of the data shared under the principal Bill is exempt from the FOI Act because that copy has entered the controlled environment of the scheme. Other copies of the dataset continue to be accessible under the FOI Act as these copies are held by agencies outside the scheme. Similarly, if an ADSP has integrated several government datasets, the component datasets remain within the scope of the FOI Act . To balance data protections and privacy with transparency and accountability, the Commissioner must also publish registers of data sharing agreements and entities accredited to access data under the scheme.

19.               Item 5 of this Bill is also clear that outputs created under the scheme by a Commonwealth government accredited user may be accessed under the FOI Act. This approach promotes the right to seek, receive and impart information and ideas, as it facilitates public access to data that is new and unique to the scheme.

20.               For these reasons, the amendment to the FOI Act is a reasonable, necessary and proportionate limitation on the right to freedom of expression.

Right to a fair and public hearing

21.               The ICCPR establishes rights to due judicial process and procedural fairness. Article 14 provides that all persons are equal before the law, and are entitled to a fair and public hearing before a competent, independent, and impartial tribunal established by law.

Items 1 and 4 -ADJR Act and ASIO Act amendments

22.               Items 1 and 4 of this Bill impose reasonable, necessary and proportionate limitations on the right to a fair and public hearing. In particular, these items limit procedural fairness for foreign entities by excluding them from notice and review rights in certain circumstances.

23.               Item 4 of this Bill excludes foreign entity security assessments from notice requirements and the AAT review mechanism in Part IV of the ASIO Act ,where related to the Commissioner’s accreditation decisions. These exclusions are reasonable and necessary to protect Australia’s national security interests, as disclosing knowledge of foreign affiliation through notice and review mechanisms could prejudice ongoing security-related investigations, sources and capabilities.

24.               The impact on procedural fairness is also proportionate to the goal of protecting national security, as notice and review rights for Australian entities (as defined in the principal Bill) continue under the ASIO Act , including where an accreditation decision was made for reasons of security related to a foreign entity.

25.               Item 1 of this Bill amends the ADJR Act to exclude certain accreditation decisions made with respect to foreign entities from judicial review under that Act. As above, the exclusion of judicial review in this context is reasonable and necessary to preserve Australia’s national security interests.

26.               The exclusion in item 1 is also proportionate as it is limited to specific accreditation decisions made for reasons of security (not any reason). Foreign entities maintain judicial review rights with respect to such decisions under s 75(v) of the Constitution and s 39B of the Judiciary Act 1903 , while judicial review rights of Australian entities are unaffected.

Items 6-8 - Privacy Act amendment

27.               Items 6-8 of this Bill amend the Privacy Act to allow the Information Commissioner to transfer complaints relating to the scheme to the Commissioner. These amendments work with a similar provision in the principal Bill to promote procedural fairness, ensuring all complainants have the opportunity to have their case heard by the appropriate regulator under a ‘no wrong door’ approach.

28.               For the reasons outlined above, this Bill is consistent with the right to a fair and public hearing as any limitations on this right are reasonable, necessary and proportionate.

Conclusion

29.               This Bill is compatible with human rights because any limitations are reasonable, necessary and proportionate to the ends sought.

 

 

 

 

 




[1] Accredited users are authorised to collect and use shared data under Chapter 2 of the principal Bill in accordance with an applicable data sharing agreement. ADSPs are expert intermediaries who can assist data custodians to prepare and share data appropriately.

[2] Office of the United Nations High Commissioner for Human Rights , Toonen v Australia, CommunicationNo. 488/1992, UN Doc CCPR/C/50/D/488/1992 (10 April 1992, adopted 31 March 1994) para 8.3 https://juris.ohchr.org/Search/Details/702