Commonwealth of Australia Explanatory Memoranda



DATA AVAILABILITY AND TRANSPARENCY BILL 2022

                                2019 - 2020 - 2021 - 2022




          THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA




                            HOUSE OF REPRESENTATIVES




             DATA AVAILABILITY AND TRANSPARENCY BILL 2020




                SUPPLEMENTARY EXPLANATORY MEMORANDUM



                Amendments to be Moved on Behalf of the Government




(Circulated by authority of the Minister for Employment, Workforce, Skills, Small and
        Family Business, the Hon Stuart Robert MP)


AMENDMENTS TO THE DATA AVAILABILITY AND TRANSPARENCY BILL 2020

OUTLINE

1. The Data Availability and Transparency Bill 2020 (the Bill) establishes a new data sharing scheme for Australian Government data (the Scheme), underpinned by safeguards to manage risks and transparent processes to foster trust and confidence. The Bill establishes the National Data Commissioner (the Commissioner) as an independent regulator to oversee the Scheme. The proposed Government amendments to the Bill will clarify key aspects to support the operation of the Scheme and ensure its safeguards.

2. The Government amendments in part respond to concerns raised about the Bill and the Data Availability and Transparency (Consequential Amendments) Bill 2020 by the Senate Scrutiny of Bills Committee, the Parliamentary Joint Committee on Human Rights and the Senate Finance and Public Administration Legislation Committee. The amendments also respond to issues raised in the dissenting report tabled by Australian Labor Party Senators on the Senate Finance and Public Administration Legislation Committee.

3. In particular, the amendments will clarify and strengthen privacy protections. Privacy provisions in the Bill will be consolidated. There will be general privacy requirements applicable to all data sharing, as well as privacy requirements for specific data sharing purposes. Key privacy protections and privacy enhancing measures include:

• a starting position that data shared under the Scheme must not include personal information unless an exception applies;
• data minimisation requirements, that is, personal information can only be shared where necessary;
• a requirement for express consent for the sharing of biometric data;
• a prohibition on the re-identification of de-identified data;
• a prohibition on the storing or accessing of personal information outside of Australia;
• a requirement that the Commissioner must make a data code about how Scheme entities obtain consent from individuals and principles data custodians must apply in determining if it is necessary, or in the public interest, to share personal information in certain circumstances; and
• a requirement to review the Scheme if changes are implemented following the current review of the Privacy Act 1988 (the Privacy Act).

4. The amendments will also clarify authorisations for data sharing. Specifically, the amendments make clear what the requirements are for a data custodian to be authorised to share data, for an accredited user to be authorised to collect and use data and for an Accredited Data Service Provider (ADSP) to be authorised to act as an intermediary and handle data. This provides certainty for Scheme entities and requires a data sharing agreement to comprehensively meet statutory requirements set out in the Bill. There will be limited avenues through which shared data can exit the Scheme and no longer be subject to regulation under the Scheme.

5. In clarifying authorisations for data sharing under the Scheme, the amendments also set out requirements for a data sharing project and introduce new terminology to describe the different roles Scheme entities may have. A data custodian is also referred to as the 'sharer' of data, an accredited user is also referred to as the 'user' and an ADSP, being an entity through which data is shared with a user, is also referred to as the 'intermediary'. This terminology reflects and adds to data management nomenclature.

6. The accreditation framework, as amended, will allow only Australian entities to apply for accreditation. Individuals, bodies corporate, partnerships, trusts and unincorporated entities will not be able to apply for accreditation under the Scheme. This also means private entities will not be able to participate in the Scheme.

7. Under the amended accreditation framework, the Minister will be responsible for accrediting Commonwealth, State and Territory bodies, and the Commissioner will be responsible for accrediting ADSPs and Australian universities. ADSPs will be required to renew their accreditation every five years.

8. The Government amendments will also:

• increase civil and criminal penalties for entities and individuals for serious contraventions;
• clarify the requirements on data sharing agreements, including that data sharing agreements only take effect once registered and that certain information in the data sharing agreements are to be publicly available on a register;
• provide greater clarity on services provided by ADSPs, including definitions for three services - 'secure access data service', 'de-identification data service' and 'complex data integration service';
• clarify that the Commissioner will have an education function, rather than an advocacy function, and provide greater clarity on the Commissioner's power to delegate regulatory functions;
• ensure that Scheme entities take steps to prevent or reduce any harm from a data breach and notify the Commissioner and the Information Commissioner if the data breach includes personal information;
• clarify how a Scheme entity's authorisation to collect and use data may extend to individuals within the entity and the circumstances where a Scheme entity may be liable for an individual's contravention under the Scheme;
• allow non-Scheme entities and the general public to make complaints;
• streamline requirements for the Commissioner to maintain registers of accredited users, ADSPs and data sharing agreements;
• clarify the interaction of legal professional privilege and the Scheme; and
• include a sunset provision, meaning the Scheme must demonstrate its value to the Australian public to continue into the future. This decision will be informed by a review of the legislation after three years of operation.

FINANCIAL IMPACT STATEMENT

9. The Government amendments will have minor financial impact. Excluding the private sector has a minor impact on overall costings, and any savings will be reprioritised to further the Commissioner's education function. The sunset clause, if utilised, creates potential savings for Government, and funding arrangements are proposed to be reviewed as part of the three year scheme review.

HUMAN RIGHTS IMPLICATIONS:

10. This Bill is compatible with human rights, and to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate. Refer to the Statement of Compatibility with Human Rights at the end of this supplementary explanatory memorandum.


ABBREVIATIONS

The following abbreviations will be incorporated throughout this supplementary explanatory memorandum:

ADSP                         Accredited data service provider
APP                          Australian Privacy Principles, as set out under the Privacy Act 1988
APP entity                   An agency or organisation, as defined under the Privacy Act 1988
APS                          Australian Public Service
Archives Act                 Archives Act 1983 (Cth)
ASIO Act                     Australian Security Intelligence Organisation Act 1979 (Cth)
Bill                         Data Availability and Transparency Bill 2020
Commissioner                 National Data Commissioner
FOI Act                      Freedom of Information Act 1982 (Cth)
Guide to Framing             Attorney-General's Department, 'Guide to Framing Commonwealth
Commonwealth Offences        Offences, Infringement Notices and Enforcement Powers' (Sept, 2011)
Information Commissioner     Australian Information Commissioner
Council                      National Data Advisory Council
PGPA Act                     Public Governance, Performance and Accountability Act 2013 (Cth)
Privacy Act                  Privacy Act 1988 (Cth)
Regulatory Powers Act        Regulatory Powers (Standard Provisions) Act 2014 (Cth)
Scheme                       Data sharing scheme, that is the Bill and its framework of instruments and operational process
Scheme entity                Data scheme entity as defined under this Bill
User                         Accredited user


NOTES ON AMENDMENTS

Amendment Item 1

11. Amendment Item 1 amends the objects of the Bill in paragraph 3(b) to omit "consistent safeguards for sharing public sector data" and substitutes "the Privacy Act and appropriate security safeguards". The intent of making this amendment is to emphasise the importance of appropriate privacy protections when sharing data under the Scheme. This is intended to encourage sharing of data in a manner that is consistent with the Privacy Act and the use of appropriate security safeguards and practices.

Amendment Item 2

12. Amendment Item 2 replaces the simplified outline of the Bill to reflect the amendments and updated policy of the Scheme.

Amendment Item 3

13. Amendment Item 3 amends subclause 7(2) to make clear that the operation of provisions in the Bill and the Regulatory Powers Act extend to matters outside of Australia.

Amendment Item 4

14. Amendment Item 4 omits clause 8, as the constitutional application provisions have been relocated to subclause 13(4).

Amendment Item 5

15. Amendment Item 5 inserts new definitions of 'access' and 'accreditation authority'.

16. The term 'access' is not specifically defined, but has a meaning that is affected by clause 10. Access is intended to be interpreted broadly, and clause 10 clarifies what references in the Bill to providing access to data includes. The Bill uses the language of providing 'access' as a broad term to replace 'disclose', including providing access in a controlled manner or open access.

17. An 'accreditation authority' is a person who has the power to accredit Australian entities under the Bill. The accreditation authority may be the Minister or the Commissioner depending on the type of entity seeking accreditation and the type of accreditation sought under the Scheme. The Minister is responsible for the accreditation of entities who are Commonwealth, State or Territory bodies politic or Commonwealth, State or Territory bodies (within the meaning of this Bill). The Commissioner is responsible for accrediting all other types of entities, and all ADSP accreditation (including Commonwealth, State or Territory bodies) under the Bill.

Amendment Item 6

18. Amendment Item 6 inserts a new signpost definition of 'ADSP-controlled access', which is provided in new subclause 16B(6) (see Amendment Item 66).


Amendment Item 7

19. Amendment Item 7 amends the signpost reference of the definition of 'ADSP-enhanced data', which is provided in new subclause 11A(3). The definition now includes the result, or the product, of the data services performed by an ADSP, and the copy of public sector data shared with an ADSP under the authorisation of the Bill.

Amendment Item 8

20. Amendment Item 8 inserts a reference to the definition of the 'APP-equivalence term', which is defined in new subclause 16E(2).

Amendment Item 9

21. Amendment Item 9 inserts a new signpost definition of 'approved contract', which refers to new subclause 123(3) (see Amendment Item 236).

Amendment Item 10

22. Amendment Item 10 omits the definition of an 'Australian entity' and substitutes a new definition that removes the reference to partnerships, unincorporated associations, trusts, and bodies corporate from the list of what constitutes an Australian entity, and includes a reference to Australian university (see Amendment Item 11). This new definition means that entities that are not the Commonwealth, a State, a Territory body politic, a Commonwealth, State, or Territory body, or an Australian university cannot apply for accreditation as an ADSP or as an accredited user under the Scheme.

Amendment Item 11

23. Amendment Item 11 adds a definition of what constitutes an 'Australian university', which is a type of Australian entity that can apply for accreditation under the Scheme. An Australian university must be registered in the Australian University provider category under the Tertiary Education Quality and Standards Agency Act 2011 (Cth) and be established by or under a law of the Commonwealth, a State or a Territory.

Amendment Item 12

24. Amendment Item 12 inserts a new definition of 'biometric data', which is defined to mean any data that is personal information that is about any measurable biological or behavioural characteristic of an individual that could be used to identify, or verify the identity of the individual. Biometric data includes facial features, fingerprints or a person's gait and voice, as well as biometric templates. This new definition is introduced to support the new privacy protection clauses (see Amendment Item 66), under which sharing of biometric data is only permitted with the express consent of the individual to whom the biometric data relates.

Amendment Item 13

25. Amendment Item 13 amends the definition of 'Circuit Court' to reflect the renaming of the Federal Circuit and Family Court of Australia.


Amendment Item 14

26. Amendment Item 14 omits the definition of 'class member', as it is no longer required as a result of amendments to the complaint provisions (see Amendment Items 181 - 192).

Amendment Item 15

27. Amendment Item 15 amends the definition of 'Commonwealth body' to exclude Australian universities from the definition. This is because an Australian university now forms a separate category of entities that may be accredited under the Scheme.

Amendment Item 16

28. Amendment Item 16 adds new definitions of 'complex data integration service' and 'condition of accreditation'.

29. The definition of 'complex data integration service' refers to subclause 16D(3). This definition has been introduced to support the additional obligations under new clause 16D (see Amendment Item 66).

30. The definition of 'condition of accreditation' clarifies what accreditation conditions are within the Scheme, which are those prescribed by the rules for the purposes of subclause 77B(1) or imposed under clauses 74, 78, or 84 (see Amendment Items 147, 154 and 178).

Amendment Item 17

31. Amendment Item 17 moves the definition of 'data' into clause 9, instead of the former separate 'Data Definitions' list contained in existing clause 10. This is a consequential amendment resulting from restructuring of clauses and the changes to the data definitions used by the Bill.

Amendment Item 18

32. Amendment Item 18, like the previous item, moves the definitions for: 'de-identification data service', 'de-identified', 'delivery of government services', 'designated individual', and 'designation' from existing clause 10 into clause 9. These are consequential amendments to support new concepts introduced into the Bill.

33. 'De-identification data service' is defined in clause 16C(3), which relates to services provided by ADSPs in the context of the Bill's privacy protections (see Amendment Item 66).

34. 'De-identified' is defined as having the same meaning as in the Privacy Act. This definition ensures consistency with existing legislation.

35. 'Delivery of government services' is a signpost definition to clause 15(1A), which describes data sharing purposes under the Bill (see Amendment Item 56).

36. 'Designated individual' and 'designation' are defined in clause 123, which is a provision to support the extension of authorisations for individuals to do things on behalf of an entity (see Amendment Item 230).


Amendment Item 19

37. Amendment Item 19 replaces the definition of 'entity'. The amended definition introduces 'Australian university' (see Amendment Item 11) and excludes "a partnership", "an unincorporated association" and "a trust".

38. The concept of 'entity' ensures that bodies politic, bodies corporate, and individuals who are not otherwise entitled to apply for accreditation (as they do not fall within the definition of 'Australian entity') are covered by the authorisation and penalty provisions in Chapter 2 of the Bill (see Amendment Items 52 and 53).

Amendment Item 20

39. Amendment Item 20 adds a new definition of 'exit', which is defined in clause 20E to provide for circumstances where an output of the project is considered to exit the Scheme.

Amendment Item 21

40. Amendment Item 21 removes the definition of 'foreign entity'. This reflects amendments under Amendment Item 147 that removes foreign entities from the scope of the Scheme. These amendments mean that foreign entities are not able to apply for accreditation under the Bill.

Amendment Item 22

41. Amendment Item 22 adds a new definition to explain the 'final output' of a project, which means the output specified in the data sharing agreement as the project's agreed final output or product. The agreed final output (other than a copy of the source data) must be specified in a data sharing agreement under paragraph 19(3)(b).

Amendment Item 23

42. Amendment Item 23 adds a new definition of 'government entity', which is defined in subclause 125A(4). Clause 125 specifies how certain conduct may be attributed to a government entity in the context of contravening civil penalty provisions (Amendment Item 230).

Amendment Item 24

43. Amendment Item 24 removes the term 'mandatory terms'. This term is replaced in new clause 19 (see Amendment Items 85 - 89).

Amendment Item 25

44. Amendment Item 25 amends the definition of 'output' by referring to new subclause 11A(1). The term describes a copy of the data collected by the user and any data that is the result or product of the user's use of the shared data or any such copy.

Amendment Item 26

45. Amendment Item 26 adds a note to the definition of 'personal information' to clarify that de-identified information is not considered to be personal information under the Bill. This note aligns with the position under the Privacy Act, where information is de-identified if it is no longer about an identifiable individual or an individual who is reasonably identifiable.

Amendment Item 27

46. Amendment Item 27 adds a new definition of 'project', which is explained in clause 11A in the context of a data sharing project.

Amendment Item 28

47. Amendment Item 28 replaces the definition of 'public sector data' to mean data lawfully collected, created or held by or on behalf of a Commonwealth body, and includes ADSP-enhanced data. This term has been moved from the separate 'Data Definitions' list, previously in clause 10, into clause 9.

Amendment Item 29

48. Amendment Item 29 introduces a new definition of 'registered', explaining that a data sharing agreement is registered if the agreement is included in the register of data sharing agreements under subclause 130(4).

Amendment Item 30

49. Amendment Item 30 amends the definition of 'regulatory function' so that it specifically refers to subclause 45(1) instead of clause 45.

Amendment Item 31

50. Amendment Item 31 replaces the definition of 'release' by referring to subclause 10(1), which provides context for this definition.

Amendment Item 32

51. Amendment Item 32 removes the definition of 'representative complaint'. This term is no longer required under the new complaint provisions.

Amendment Item 33

52. Amendment Item 33 removes the definition of 'responsible individual'. This term is no longer needed, as it referred to an individual responsible for a partnership or an unincorporated association, which are no longer a type of Australian entity that can be accredited under the Scheme.

Amendment Item 34

53. Amendment Item 34 adds a new definition of 'reviewer', referring to clause 118 (Amendment Item 224) which deals with reviewable decisions.

Amendment Item 35

54. Amendment Item 35 replaces the definition of 'scheme data', which was originally contained in the previous clause 10 'Data Definitions'. The amended definition reflects the change in terminology of the Bill and expands the definition so that scheme data includes any copies of data created for the purposes of being shared under the Scheme, whether or not it was shared.


Amendment Item 36

55. Amendment Item 36 adds the definitions of 'secure access data service' and 'security'. The definition of 'secure access data service' refers to the explanation in subclause 16C(4). This definition is introduced to support the amendments under the new privacy protection clauses (see Amendment Item 66), which place additional requirements on the data custodian to consider the use of an ADSP service where the project involves performing a de-identification data service or a secure access data service.

56. The term 'security' has the same meaning as in the Australian Security Intelligence Organisation Act 1979 (Cth), which is relevant to where reasons of security are taken into account when considering the accreditation of an entity in Chapter 5 of the Bill.

Amendment Item 37

57. Amendment Item 37 replaces the definition of 'share', which refers to subclause 10(2). The term share refers to data custodians providing accredited entities (either the ADSP or an accredited user) with access to the data under the Scheme.

Amendment Item 38

58. Amendment Item 38 adds the definition of 'source data', which refers to paragraph 19(3)(a). The term is used to describe the public sector data that the data custodian is to share (including any ADSP-enhanced data an ADSP is to share on behalf of the data custodian) under a data sharing agreement.

Amendment Item 39

59. Amendment Item 39 substitutes the definition of 'State body' to be more prescriptive and expressly excludes an Australian university. The new definition provides that a State body may be a department of a State, a body established for a public purpose by or under a law of a State (other than as prescribed by the rules), or the holder of statutory office appointed under a law of a State (other than as prescribed by the rules). This definition allows the rules to prescribe bodies that will not be considered to be a State body for the purposes of accreditation. An Australian university is excluded as it forms a separate category of entities that may be accredited.

Amendment Item 40

60. Amendment Item 40 adds the definition of 'submit', which refers to subclause 20A(3). The term is used to describe when the ADSP or accredited user provides access to ADSP-enhanced data or output in accordance with subclause 20A(1) or (2). This term helps to clarify when data is considered submitted, which impacts on the authorisation to collect and use submitted data under Part 2.2.

Amendment Item 41

61. Amendment Item 41 amends the definition of 'Territory body' to clarify what constitutes a Territory body under the Scheme. The new definition also excludes an Australian university. The new definition provides that a Territory body may be a department of a Territory, a body established for a public purpose by or under a law of a Territory (other than as prescribed by the rules), or the holder of statutory office appointed under a law of a Territory (other than as prescribed by the rules). This definition allows the rules to prescribe bodies that will not be considered to be a Territory body for the purposes of accreditation. An Australian university is excluded as it forms a separate category of entities that may be accredited.

Amendment Item 42

62. Amendment Item 42 adds the definition of 'use', which is defined non-exhaustively to include handle, store and provide access to data. The note to this definition clarifies that an example of use of data includes developing and modifying output of data. This definition also intends to encompass the concept of 'use' under the Privacy Act.

Amendment Item 43

63. Amendment Item 43 omits existing clause 10, which defines the data related terminology used in the Bill, and substitutes a new clause 10 regarding references to access to data. Subclause 10(1) outlines that a reference to an entity providing access to data includes where an entity provides another entity with data access and where the entity releases the data by providing open access, for example where the entity publishes the data on a website. The concept of providing access to data is intended to be interpreted broadly.

64. Subclause 10(2) introduces the expression of 'share' which is a subset of providing access to data, and refers to circumstances where data custodians share the data with accredited entities under the Scheme.

65. Subclause 10(3) clarifies that the entity which provides access to data is taken to retain a copy of the data, and the entity to which access is provided is taken to collect a copy of the data. This means that for the purposes of the Scheme, having access to data is the equivalent of collecting data notwithstanding that the data may not be physically received or stored by an entity (for example, in circumstances where a user accesses data through an ADSP intermediary providing a secure access service).

Amendment Item 44

66. Amendment Item 44 amends clause 11 by omitting subclause 11(2) and substituting new subclauses 11(2) and 11(2A).

67. Subclause 11(2) defines 'data custodian', which is a Commonwealth body that is not an excluded entity and either controls public sector data or has become the data custodian of an output of a project in accordance with new clause 20F. This item simplifies the existing definition of 'data custodian' and expressly captures the concept of "control" and "right to deal".

68. For the purposes of subparagraph 11(2)(c)(i), control by way of physical possession (for instance, paper-based data stored on site) is sufficient but is not required. This reflects the reality of data management, as data may be collected and stored remotely or in electronic form, including cloud storage, in accordance with the conditions set by its custodian.

69. A right to deal with data described in subparagraph 11(2)(c)(i) is a broad concept, encompassing the power to collect and handle that particular data for the entity's functions or activities. Such rights typically derive from legislation or contract, but may also be reflected in other arrangements like Memoranda of Understanding or letters of exchange.

70. Subparagraph 11(2)(c)(ii) works with subclause 19(4) and clause 20F to allow a data sharing agreement to designate one of the (Commonwealth) parties as data custodian of each type of scheme data (such as any outputs, shared data, or ADSP-enhanced data) generated under the agreement. This approach is consistent with how custodian rights may arise outside of the Scheme, and provides flexibility so parties can set and streamline their sharing arrangements in a manner that does not compromise the original data custodian's control of the data. In most cases, the entity that collects output of a project to fulfil its legislative functions or purposes (typically a Commonwealth department or agency) will be the custodian of that data.

71. Subclause 11(2A) provides that if a data custodian shares the data with an intermediary under clause 13 as part of a project, the data custodian is taken also to be the data custodian of any ADSP-enhanced data of the project. This subclause ensures that the sharing of any ADSP-enhanced data must be done in accordance with clause 13 in order to be authorised.

Amendment Item 45

72. Amendment Item 45 adds a new paragraph (aa) into subclause 11(3), which lists entities that are an excluded entity. This item expressly excludes the Commissioner and any APS employee made available to the Commissioner under clause 47 of the Bill from participating in the Scheme. This amendment addresses concerns about transparency and conflicts of interest in relation to accreditation and regulation by excluding the Commissioner, and their supporting staff, from participating in the Scheme as accredited entities.

Amendment Item 46

73. Amendment Item 46 adds a new paragraph (ba) in subclause 11(3) regarding the definition of an 'excluded entity'. This item excludes the Australian Federal Police from participating in the Scheme to address concerns raised by the Parliamentary Joint Committee on Human Rights in Human Rights Scrutiny Report 4 of 2021, as other law enforcement bodies have been listed as an excluded entity. Being an excluded entity does not prevent that entity from entering into other existing data sharing arrangements and frameworks outside of the Scheme that authorise and regulate their activities.

Amendment Item 47

74. Amendment Item 47 amends Note 1 of subclause 11(4) to substitute "share with third parties" with "provide other entities with access to, or release" to reflect changes in updated terminology of 'access' and 'release'. The existing term of 'share' is omitted, as the new term of 'access' defined in clause 10 includes the concept of sharing.

Amendment Item 48

75. Amendment Item 48 adds a new subclause 11(5) into clause 11 to expressly clarify that a Scheme entity may do things under this Bill in different capacities. This item recognises that a Scheme entity (a data custodian, an ADSP, or an accredited user) may have different roles in a data sharing arrangement between different entities, or in a data sharing agreement with itself. In each of those capacities, the entity is taken to be a different Scheme entity and must comply with the requirements under the Bill relevant to each capacity in which they are participating for their actions to be authorised. This also means that a Scheme entity may enter into a data sharing agreement to which it is a party in more than one capacity in different transactions pursuant to the data sharing agreement. This subclause ensures the Scheme can accommodate different types of data flows including various exchanges of data that may be required for complex projects. In such cases, it must be clear in which capacity the entity is acting, both in practical terms and on the face of the data sharing agreement (refer clauses 18 and 19).

76. The note to this subclause provides an example. The same entity may be party to the agreement in its capacity as data custodian of data to be shared and in its capacity as the accredited entity with which the data is shared.

Amendment Item 49

77. Amendment Item 49 adds a new clause 11A under Chapter 1, Part 1.2. Clause 11A relates to concepts and terms used in a data sharing project.

78. Subclause 11A(1) describes the mandatory elements of a 'project', which involves a 'sharer' (a data custodian) sharing data with a 'user' (an accredited user), either directly or through an 'intermediary' (an ADSP). The user then collects and uses the 'output' of the project. This subclause also defines the output of a project, which is the copy of the data collected by the user or any resulting product of the user's use of the data.

79. Note 1 to subclause 11A(1) provides guidance that the sharer's authorisation to share is under clause 13, and the user's authorisation to collect and use the data is under clause 13A. Note 2 to this subclause explains that a project may involve multiple sharers if multiple entities are data custodians.

80. Subclause 11A(2) expands the concept of a 'project' to include circumstances where data is being created or data services are performed in relation to the data on behalf of the sharer.

81. Subclause 11A(3) extends the definition of a 'project' to include circumstances where the sharer shares data through an intermediary and the intermediary collects and uses the data, which results in 'ADSP-enhanced data'. The note to this subclause provides guidance that the relevant authorisations for the sharer and intermediary to share data are under clauses 13 and 13B.


82. Subclause 11A(4) expands the concept of a 'project' to include the sharer's collection and use of the output or ADSP-enhanced data, which is authorised under clause 13C. 83. Subclause 11A(5) provides that multiple projects may be combined and treated as a single project in a data sharing agreement, as long as they have the same purpose(s), and the same sharer(s) and user(s). 84. Subclause 11A(6) provides for when a user subsequently shares the output of the project, as part of a later project. In such a situation, the copy retained by the user is considered to be output of the earlier project, and the copy subsequently made or collected in the later project is considered output of the later project. Similarly, if an intermediary is used, the copy collected by the intermediary in the later project is considered ADSP-enhanced data of the later project. In effect, each successive project is treated separately for the purposes of the Scheme. The note to this subclause clarifies that a data sharing agreement may allow the user to share output under clause 13 as part of a later project in accordance with clause 20D. Amendment Item 50 85. Amendment Item 50 amends the heading of Chapter 2 to "Authorisations". Amendment Item 51 86. Amendment Item 51 adds a new heading of Part 2.1 under Chapter 2 and replaces the simplified outline of the Chapter. This item reflects the changes in the terminology of 'share' and 'release', and from data being "excluded" from sharing to where sharing is 'barred'. Amendment Item 52 87. Amendment Item 52 adds a new heading of Part 2.2 under Chapter 2, and replaces clause 13 with new clauses 13 to 13C. This item provides detailed authorisations in a data sharing project. New clause 13 - Authorisation for data custodian to share public sector data 88. Clause 13 outlines the authorisation for a sharer to share public sector data. 
Public sector data may be shared directly with an accredited user, or through another entity, which would be an ADSP.

89. Subclause 13(1) specifies the requirements that must be met before a sharer is authorised to share data. Paragraph 13(1)(a) refers to the constitutional requirements in subclause 13(4), and paragraph 13(1)(b) refers to the data custodian requirements in subclause 13(2). Thus, a Commonwealth body has no authorisation to share data under the Scheme unless all of the requirements in subclauses 13(1) and 13(2) are satisfied, and the constitutional requirements in subclause 13(4) are met. Subclause 13(1) requires all sharing to be covered by a registered data sharing agreement that complies with all of the requirements for data sharing agreements in the Bill, and is registered by the Commissioner in accordance with the Bill. The sharing must be in accordance with that agreement. The sharing can only occur if the sharer is satisfied that the sharing will be consistent with the data sharing principles (what is required in order to be satisfied about this matter is explained in subclause 16(11)). Data may only be shared with an accredited user whose accreditation is not suspended. If personal information is shared, the accredited user must have privacy coverage in relation to the personal information (refer clause 16E). Where data is shared through an intermediary, the intermediary must be an ADSP whose accreditation is not suspended, and if personal information is being shared, the ADSP must meet the privacy coverage condition in clause 16E.

90. Subclause 13(2) sets out further requirements that must be satisfied in relation to the sharing of data. The sharer has to be the data custodian of the data to be shared and the data must be public sector data. Data custodian is defined in clause 11. Paragraph 13(2)(b) requires authority to be given by all data custodians if the sharer is not the only data custodian of the data to be shared. Where an ADSP develops an integrated dataset as part of a project and two or more Commonwealth bodies are the data custodians of the integrated dataset, all of these data custodians need to provide authority to share the integrated dataset with an accredited user (this is explained in the note below subclause 13(2)). Data cannot be shared if the sharing of that data is barred by clause 17. The privacy requirements in clauses 16A and 16B must be met, and the requirements in clauses 16C and 16D about data services also need to be met. Where personal information is to be shared, clause 16B requires that only the minimum amount of personal information necessary for the project is shared. Paragraph 13(2)(e) imposes a similar requirement to minimise the sharing of data in relation to data that is not personal information.

91. Subclause 13(3) supplements paragraph 13(2)(b) by clarifying the manner in which authority must be given where there are multiple data custodians of shared data.
Only an authorised officer of a data custodian may provide authority on behalf of the data custodian, unless one data custodian of a dataset has authorised another data custodian of that dataset to provide authority on its behalf as its agent - in which case an authorised officer of the agent data custodian may provide authority to share on behalf of the principal data custodian.

92. Data may only be shared under the Scheme if one or more of the paragraphs in subclause 13(4) apply to the sharing. Where one or more paragraphs apply, the sharing will be supported by the Commonwealth's powers to make laws under the Constitution. Normally, where data is to be shared under the Scheme, the data will be shared by electronic means (for example, secure system to system communications) and so paragraph 13(4)(e) will apply.

New clause 13A - Authorisation for accredited user to collect and use data

93. Clause 13A provides the authorisation for an accredited user to collect and use data shared with it by a data custodian under clause 13 (including in some cases where data was purportedly shared with it under clause 13, but one or more of the requirements in clause 13 were not met). The accredited user is authorised to collect and use output in accordance with a registered data sharing agreement that is in effect and that meets all of the requirements of the Bill if:
a. the user is satisfied that the project is consistent with the data sharing principles (what is required in order to be satisfied about this matter is explained in subclause 16(11));
b. the user is an accredited user, and the user's accreditation is not suspended; and
c. if the shared data includes personal information, the accredited user has privacy coverage in relation to the personal information (as required by clause 16E).

94. In some cases, if a data custodian shares data purportedly under clause 13, but all the requirements of clause 13 are not fully met and so the sharing is not authorised, the accredited user could not be expected to know that. For example, an accredited user would not normally be expected to know that sharing is barred under subclause 17(3) because the sharing contravenes an agreement to which the data custodian is a party. Where an accredited user does not actually know, and could not be reasonably expected to know, that a purported sharing under clause 13 was invalid, the accredited user is still authorised to collect and use data under clause 13A if the requirements in clause 13A are otherwise met. However, if the accredited user becomes aware that not all of the requirements in clause 13 relating to the sharing were met, or becomes aware of circumstances that mean it would be reasonable for the accredited user to know that, the accredited user has no further authorisation under clause 13A to use output. The term 'output' is defined in clause 11A. The data collected by the accredited user, and any data that is the result or product of the accredited user's use of the data, is output.

New clause 13B - Authorisation for ADSP to act as intermediary

95. Clause 13B provides the authorisation for an ADSP to collect and use data shared with it by a data custodian under clause 13 (including in some cases where data was purportedly shared with it under clause 13, but one or more of the requirements in clause 13 were not met).
The ADSP is authorised to collect and use ADSP-enhanced data in accordance with a registered data sharing agreement that is in effect and that meets all of the requirements of the Bill if:
a. the ADSP is satisfied that the project is consistent with the data sharing principles (what is required in order to be satisfied about this matter is explained in subclause 16(11));
b. the ADSP's accreditation is not suspended; and
c. if the shared data includes personal information, the ADSP has privacy coverage in relation to the personal information (as required by clause 16E).

96. In some cases, if a data custodian shares data purportedly under clause 13, but all the requirements of clause 13 are not fully met and so the sharing is not authorised, the ADSP could not be expected to know that. For example, an ADSP would not normally be expected to know that sharing is barred under subclause 17(3) because the sharing contravenes an agreement to which the data custodian is a party. Where an ADSP does not actually know, and could not be reasonably expected to know, that a purported sharing under clause 13 was invalid, the ADSP is still authorised to collect and use data under clause 13B if the requirements in clause 13B are met. However, if the ADSP becomes aware that not all of the requirements in clause 13 relating to the sharing were met, or becomes aware of circumstances that mean it would be reasonable for the ADSP to know that, the ADSP has no further authorisation under clause 13B to use ADSP-enhanced data. The term 'ADSP-enhanced data' is defined in clause 11A. The data collected by the ADSP, and any data that is the result or product of the ADSP's use of the data, is ADSP-enhanced data.

New clause 13C - Authorisation for data custodian to collect and use submitted data

97. Clause 20A permits a data sharing agreement for a project to allow (or require) an ADSP to provide ADSP-enhanced data, or for an accredited user to provide output, to the data custodian to enable the data custodian to confirm that requirements in the data sharing agreement have been met. The provision of ADSP-enhanced data or output to the data custodian as permitted by clause 20A is referred to as the 'submission' of data (refer subclause 20A(3)).

98. Where ADSP-enhanced data, or output, is submitted to the data custodian, the ADSP-enhanced data or output remains scheme data and may only be collected or used by the data custodian as authorised by clause 13C. Clause 13C provides the data custodian with an authorisation to collect and use submitted data if the collection and use is in accordance with a registered data sharing agreement that is current and that meets the requirements of the Bill.

99. Clause 20A only permits a data sharing agreement to allow ADSP-enhanced data to be submitted to the data custodian for the purpose of ensuring the ADSP-enhanced data is as agreed in the data sharing agreement, and for output to be submitted to the data custodian for the purpose of ensuring the output is as agreed in the data sharing agreement.
This limitation on the purpose for which data custodians may use submitted data must be reflected in the data sharing agreement, and this limitation will therefore affect the breadth of the authorisation provided to data custodians by clause 13C in relation to submitted data.

Amendment Item 53

100. Amendment Item 53 replaces clause 14 with new clause 14 in relation to penalties for unauthorised sharing and new clause 14A in relation to penalties for unauthorised collection or use.

New clause 14 - Penalties for unauthorised sharing

101. Subclause 14(1) provides for a civil penalty to apply if an entity provides access to data to another entity, the provision of access was purportedly sharing under clause 13, but the sharing is not authorised under clause 13 (for example, because one of the requirements in subclause 13(1) was not satisfied). Subclause 14(3) creates an offence for this conduct if it can be proved that the entity was reckless whether the provision of access to the data was authorised by clause 13. In some cases, where the data purportedly shared under clause 13 is protected by secrecy provisions in other Commonwealth legislation, the purported sharing may contravene the other legislation because clause 23 will not apply.


102. The circumstances where the conduct of an individual or a body corporate may be attributed to an entity for the purposes of clause 14 are set out in clause 125A (in relation to a civil penalty) and clause 125B (in relation to an offence). Subclause 125A(2) establishes a due diligence defence for government entities (as defined in subclause 125A(4)) in relation to civil penalty provisions under the Bill, including the civil penalty in subclause 14(1).

103. Individuals and bodies corporate involved in the provision of access to data under, or purportedly under, clause 13 may also contravene a civil penalty provision or commit an offence.

104. Subclause 14(2) provides for a civil penalty to apply if:
a. an individual in a designated relationship with entity A (see clause 123), or a body corporate with an approved contract with entity A (see clause 123) uses data by providing access to the data to entity B;
b. the provision of access is purportedly sharing by entity A to entity B under clause 13; and
c. the use of the data by the individual was not authorised (either because clause 124 does not extend entity A's authorisation to the individual or the body corporate, or because the purported sharing by entity A is not authorised under clause 13).

105. Subclause 14(4) creates an offence for this conduct if it can be proved that the individual or the body corporate (as the case requires) was reckless whether the use of the data was authorised by the Bill.

106. An individual may contravene the civil penalty provision in subclause 14(2), or commit the offence in subclause 14(4), irrespective of whether they were acting within the scope of their designation (actual or apparent).

107. A body corporate may contravene the civil penalty provision in subclause 14(2), or commit the offence in subclause 14(4), irrespective of whether it was acting within the scope of their contract (actual or apparent).

108. Where a designated individual of a 'government entity' (as defined in subclause 125A(4)) is acting within the scope of their designation and their conduct is attributed to the government entity, subclause 125A(3) provides that the individual is not personally liable for a contravention of a civil penalty provision.

109. Subclauses 14(1) and 14(2) provide for civil penalties of 300 penalty units. The offences in subclauses 14(3) and 14(4) provide for a penalty of imprisonment for 5 years, 300 penalty units, or both.

New clause 14A - Penalties for unauthorised collection and use

110. Subclause 14A(1) provides for a civil penalty to apply if an entity collects and uses data, the data is ADSP-enhanced data or output of a project involving the sharing of the data with the entity under (or purportedly under) clause 13, and the collection and use is not authorised by the Bill.


111. Subclause 14A(4) creates an offence for this conduct if it can be proved that the entity was reckless whether the collection or use of the ADSP-enhanced data or output (as the case requires) was authorised by the Bill. In some cases, where the data collected and used by the entity is protected by secrecy provisions in other Commonwealth legislation, the collection and use may contravene the other legislation, because clause 23 will not apply.

112. Individuals and bodies corporate who use ADSP-enhanced data, or output, may also contravene a civil penalty provision or commit an offence.

113. Subclause 14A(3) provides for a civil penalty to apply if:
a. an individual in a designated relationship with an entity (see clause 123), or body corporate with an approved contract with the entity (see clause 123) uses data that is ADSP-enhanced data or output of a project that involves the sharing of data with the entity under (or purportedly under) clause 13; and
b. the use of the ADSP-enhanced data or output by the individual was not authorised by the Bill (either because clause 124 does not extend the entity's authorisation to the individual or the body corporate, or because the use did not fall within the authorisation to the entity provided by the Bill).

114. Subclause 14A(5) creates an offence for this conduct if it can be proved that the individual or the body corporate (as the case requires) was reckless whether the use of the data was authorised by the Bill.

115. Subclause 14A(6) creates a defence for entities, individuals and bodies corporate if it can be established that the data collected and used was a copy of ADSP-enhanced data or output that has exited the Scheme (refer clause 20E), or data derived from such a copy. The defendant bears an evidential burden of proof to establish that subclause 14A(6) applies. An example of how subclause 14A(6) may apply is as follows.
A data sharing agreement may permit an accredited user to release specified output in certain circumstances (refer clause 20C). If an accredited user releases a copy of specified output by putting a copy on the internet, that copy would 'exit' the Scheme, but the copy of the specified output retained by the accredited user would remain scheme data. In proceedings against the accredited user seeking an order for a civil penalty for unauthorised use of a copy of the specified output, subclause 14A(6) would apply if the accredited user could bring forward evidence that the relevant conduct was use of a copy of the specified output that had exited the Scheme (for example, that it used a copy of the specified output downloaded from the internet).

116. Where a copy of ADSP-enhanced data, or output, is submitted to the data custodian under a data sharing agreement for a project (refer clause 20A), the data custodian is only authorised to collect and use the submitted data as permitted by clause 13C.

117. Subclause 14A(7) provides for a civil penalty to apply if a data custodian collects and uses submitted data and the collection and use is not authorised by the Bill.

118. Subclause 14A(9) creates an offence for this conduct if it can be proved that the data custodian was reckless whether the collection or use of the submitted data was authorised by the Bill.


119. Individuals and bodies corporate who use submitted data may also contravene a civil penalty provision or commit an offence.

120. Subclause 14A(8) provides for a civil penalty to apply if:
a. an individual in a designated relationship with an entity (see clause 123), or body corporate with an approved contract with the entity (see clause 123) uses submitted data; and
b. the use of the submitted data by the individual was not authorised by the Bill (either because clause 124 does not extend the entity's authorisation to the individual or the body corporate, or because the use did not fall within the authorisation to the entity provided by the Bill).

121. Subclause 14A(10) creates an offence for this conduct if it can be proved that the individual or the body corporate (as the case requires) was reckless whether the use of the submitted data was authorised by the Bill.

122. The circumstances where the conduct of an individual or a body corporate may be attributed to an entity for the purposes of clause 14A are set out in clause 125A (in relation to a civil penalty) and clause 125B (in relation to an offence). Subclause 125A(2) establishes a due diligence defence for government entities (as defined in subclause 125A(4)) in relation to civil penalty provisions under the Bill, including the civil penalties in clause 14A.

123. Where a designated individual of a 'government entity' (as defined in subclause 125A(4)) is acting within the scope of their designation and their conduct is attributed to the government entity, subclause 125A(3) provides that the individual is not personally liable for a contravention of a civil penalty provision.

124. An individual may contravene a civil penalty provision in clause 14A, or commit an offence in clause 14A, irrespective of whether they were acting within the scope of their designation (actual or apparent).

125. A body corporate may contravene a civil penalty provision in clause 14A, or commit an offence in clause 14A, irrespective of whether it was acting within the scope of their contract (actual or apparent).

126. The civil penalty provisions in clause 14A generally provide for civil penalties of 300 penalty units. However, a penalty of 600 penalty units applies to a contravention of subclause 14A(1) if subclause 14A(2) applies. Subclause 14A(2) will apply if a court considers that a contravention of subclause 14A(1) is serious, taking account of the sensitivity of the data collected or used (for example, if the data is personal information), the consequences of the contravention (for example, whether the security of the personal information of individuals has been compromised) and the level of care taken by the entity (for example, whether it provided training to its employees about its obligations under the Scheme).

127. The offences in clause 14A provide for a penalty of imprisonment for 5 years, 300 penalty units, or both.

128. Subclause 14A(11) confirms that the civil penalties and offences in clause 14A apply notwithstanding any other legislation, including legislation relating to certain data that may be passed under this Bill. The civil penalties and offences in clause 14 also apply notwithstanding any other legislation, including legislation relating to certain data that may be passed under this Bill.

129. Subclause 14A(12) confirms that the civil penalties and offences in clause 14A apply notwithstanding that a permitted situation or a permitted health situation exists for the purposes of the Privacy Act. That is, the fact that a particular use of data may be authorised in some circumstances under the Privacy Act does not affect whether use of the data is authorised, or not authorised, under this Bill. The same position applies in relation to civil penalties and offences in clause 14.

Amendment Item 54

130. Amendment Item 54 adds a new heading of Part 2.3 under Chapter 2 in relation to data sharing purposes and principles.

Amendment Item 55

131. A data sharing agreement must specify the data sharing purpose or data sharing purposes of a project and (except as allowed in accordance with clause 20D) prohibit the accredited user from using output for any other purpose or a precluded purpose (subclause 19(6)). The authorisations in clauses 13, 13A, 13B and 13C only have effect in relation to the sharing, collection and use of data that is in accordance with a registered data sharing agreement that is in effect and that meets the requirements in the Bill. Amendment Item 55 replaces the note in subclause 15(1) to provide that data sharing agreements must specify the agreed data sharing purpose or data sharing purposes and the incidental purposes (if any) and prohibit the collection or use of data for any other purpose.

Amendment Item 56

132. Amendment Item 56 adds a new subclause 15(1A) to define the term 'delivery of government services' to mean the provision of the following services by the Australian Government, or by a government of a State or a Territory:
a. the provision of information (such as advice that an individual may be eligible to receive a benefit, or a reminder that action on the part of an individual is required);
b. the provision of a service that is not a service relating to a payment, entitlement or benefit (for example, a service to provide assistance to a person to help restore their property after a flood, or to provide counselling);
c. determining eligibility for a payment, entitlement or benefit (this includes a benefit payable under legislation, and a grant payment); and
d. paying a payment, entitlement or benefit.

133. The note under subclause 15(1A) makes it clear that using data to make a decision whether a person is eligible for a government benefit and, if so, paying that benefit, are examples of the delivery of government services. Determining eligibility for a payment before the payment is made is not a precluded purpose.


Amendment Item 57

134. Amendment Item 57 adds a note to the definition of the term 'enforcement related purpose', to further clarify the distinction of enforcement related purposes in clause 15(3). Enforcement related purposes are defined in subclause 15(3) to include the detection, investigation and response to offences, contravention of laws punishable by pecuniary penalties and acts or practices detrimental to the public revenue (such as claiming benefits for which there is no entitlement). The note under subclause 15(3) confirms that the use of data to verify a payment made previously was correctly made is an enforcement related purpose. Using data to identify individuals for compliance review or compliance activity is also an enforcement related purpose.

Amendment Item 58

135. In some cases an accredited user that is also a Commonwealth body may wish to develop a data asset that can subsequently be shared under the Scheme. At the time the accredited user is developing the data asset, the accredited user may not have specific future projects in mind that may utilise the data asset. Amendment Item 58 includes new subclauses 15(5) and 15(6) to provide that a project to prepare data for a later project that will be for one or more of the data sharing purposes is taken to be for that or those data sharing purposes.

Amendment Items 59 to 65

136. Clause 16 defines five risk management principles as the 'data sharing principles'. These are otherwise known as the 'Five safes'. Amendment Items 59 to 65 make minor drafting amendments to clause 16 to improve clarity and as a consequence of other amendments, such as the insertion of Part 2.4 (see Amendment Item 66 below).

137. Subclauses 16(1) and 16(2) define the 'project principle'. This principle is that the project is an appropriate project or program.
This principle includes that the project can reasonably be expected to serve the public interest, and the entities involved in the project observe appropriate ethics processes.

138. Subclauses 16(3) and 16(4) define the 'people principle'. This principle is that data is only made available to appropriate persons. This is considered at the accredited entity level (that is, for the accredited user and the ADSP, if any) and at the level of designated individuals of (see clause 123), and bodies corporate who may be contracted to, the accredited entity or entities.

139. Subclauses 16(5) and 16(6) define the 'setting principle'. This principle is that data is only shared, collected and used in an appropriately controlled environment. This principle considers the means by which data is to be shared and the security standards to apply in relation to the collection and use of data.

140. Subclauses 16(7) and 16(8) define the 'data principle'. This principle is that appropriate protections are applied to shared data. The principle includes a requirement that only data reasonably necessary to achieve the data sharing purpose or purposes is shared. Subclause 13(2) and clause 16B also limit the amount of data that may be shared as part of a project.


141. Subclauses 16(9) and 16(10) define the 'output principle'. This principle is that the only output of a project is the final output (as agreed by the parties involved in the project) and output reasonably necessary or incidental to the creation of this output. The final output must only contain the data reasonably necessary to achieve the applicable data sharing purpose or data sharing purposes.

142. Subclause 126(2A) requires the Commissioner to make a data sharing code about the data sharing principles. The data code is a disallowable legislative instrument binding on Scheme entities.

143. The authorisations in clauses 13, 13A and 13B require the authorised entity to be satisfied that the project is consistent with the data sharing principles. What is required to meet this requirement is explained in subclause 16(11). To be so satisfied, the entity must be satisfied that it has applied each of the five data sharing principles to the project in such a way that, viewed as a whole, the risks associated with the sharing, collection and use of data under the Scheme as part of the project are appropriately mitigated. This means that if some of the data sharing principles are applied in a way that adequately manages the risks of the project, the remaining data sharing principles may require fewer controls to be put in place.

144. Subclause 19(7) requires a data sharing agreement for a project to specify how the project will be consistent with the data sharing principles and the actions that will be taken by the parties to the agreement to give effect to the principles.

Amendment Item 66

145. Amendment Item 66 inserts a new Part 2.4 into the Bill, providing additional protections in relation to the sharing of personal information under the Scheme, and imposing requirements on data custodians where data services are performed as part of projects.
The new Part 2.4 consolidates a number of privacy protections in the Bill into a single location, and more clearly expresses the intention that personal information should not be shared for projects with the data sharing purpose of informing government policy and programs, or research and development, unless the project cannot proceed without personal information. The privacy protections in Part 2.4 are informed by submissions to, and the report of, the Senate Finance and Public Administration Legislation Committee on provisions of the Bill, including the dissenting report. The Office of the Australian Information Commissioner was consulted on the privacy protections in Part 2.4.

New clause 16A - General privacy protections

146. New clause 16A provides for three privacy protections that apply to all projects, irrespective of the data sharing purpose.

147. Subclause 16A(1) prohibits the sharing of biometric data under the Scheme unless the individual about whom the biometric data relates expressly consents to sharing. The term 'biometric data' is defined in clause 9. Because information cannot be biometric data unless it is also personal information, all biometric data is information about an identified individual. Consent cannot be inferred for the purpose of subclause 16A(1).


148. Where data shared as part of a project includes personal information, subclause 16A(2) requires the data sharing agreement covering the project to prohibit the accredited user from storing or accessing, or providing access to output outside of Australia, and to prohibit the ADSP (if there is an ADSP involved as part of the project) from storing or accessing, or providing access to ADSP-enhanced data outside of Australia. Any use of output (including the handling or storage of output) by the accredited user contrary to this prohibition would not be authorised by clause 13A and could lead to penalties under clause 14A. Any use of ADSP-enhanced data (including the handling or storage of ADSP-enhanced data) by the ADSP contrary to this prohibition would not be authorised by clause 13B and could lead to penalties under clause 14A. Permitting an individual in a foreign country to log into a system operating on a server in Australia, to access personal information stored in Australia, would be prohibited by the data sharing agreement provision required by subclause 16A(2).

149. For projects where the data sharing purpose is informing government policy and programs, or research and development, de-identified data rather than personal information will be shared whenever possible. Where de-identified data is shared as part of a project, subclause 16A(3) requires the data sharing agreement covering the project to prohibit the accredited user from taking any action that may have the result that the data ceases to be de-identified. Any use of output by the accredited user contrary to this prohibition would not be authorised by clause 13A and could lead to penalties under clause 14A.
An action by the accredited user that may have the result that the data ceases to be de-identified would be prohibited by the data sharing agreement provision required by subclause 16A(3), even if the action was not done with the intention of producing data that is no longer de-identified, and even if the action did not in fact produce data that was no longer de-identified. New clause 16B - Purpose specific privacy protections 150. New clause 16B imposes different restrictions on the sharing of personal information as part of a project, depending on the data sharing purpose of the project. Delivery of government services 151. Subclauses 16B(1) and 16B(2) relate to projects for the data sharing purpose of the delivery of government services. 152. Generally personal information may only be shared under such projects with the consent of the individuals to whom the personal information relates (subparagraph 16B(1)(a)(ii)). However, personal information may be shared without the consent of the individual to whom the information relates in two circumstances: a. in order to deliver a service to the individual that is the provision of information, or a service other than determining eligibility for a payment, entitlement or benefit, or the making of a payment (subparagraph 16B(1)(a)(i)); and 24


b. where the sharing would be a disclosure authorised under Part VIA of the Privacy Act (dealing with personal information in emergencies and disasters, subparagraph 16B(1)(a)(iii)). 153. Thus, subject to other restrictions in subclauses 16B(1) and 16B(2) (see below), the personal information of an individual could be shared with an accredited user to enable the accredited user to provide the individual with information about a benefit they may be entitled to, or to provide a counselling service. It would not be possible for the accredited user to use the shared personal information to determine that the individual was entitled to a statutory benefit unless the individual had consented to the sharing of their personal information. 154. Declarations under section 80J of the Privacy Act may be made if an emergency or disaster of national significance has occurred. 155. Paragraph 16B(1)(b) prevents the sharing of personal information for a project for the government service delivery data sharing purpose unless the data sharing agreement for the project identifies the service or services to be delivered by the accredited user. This identification would need to cover both the program to which the delivery of services relates, and the nature of the services to be provided (by reference to the definition of 'delivery of government services' in subclause 15(1A)). 156. Paragraph 16B(1)(c) prevents the sharing of personal information for a project for the government service delivery data sharing purpose unless only the minimum amount of personal information necessary to properly deliver the service is shared. Paragraph 126(2C)(b) requires the Commissioner to make a data code on the principles to be applied by data custodians when determining whether it is necessary to share personal information to properly deliver a government service. Data codes are disallowable legislative instruments that are binding on data custodians. 157. 
Clause 20E, dealing with the exit of personal information from the Scheme, permits an individual to expressly consent to both the sharing of their personal information with an accredited user, and the accredited user's use of that personal information without the use constraints imposed by the Scheme. Where a project permits personal information to exit the Scheme under subclause 20E(4), subclause 16B(2) requires that the data sharing agreement for the project specify this. Informing government policy and programs and research and development 158. Subclause 16B(3) provides that, where the data sharing purpose of a project is informing government policy and programs, or research and development, generally the shared data cannot include an individual's personal information unless the individual consents to the sharing and only the minimum amount of information necessary for the project to proceed is shared. 159. However, subclause 16B(3) also permits the sharing of personal information about an individual without the individual's consent if: a. the project cannot proceed without the personal information;
b. the public interest to be served by the project justifies the sharing of the personal information without consent; c. only the minimum amount of personal information necessary for the project to proceed is shared; and d. at least one of the 'permitted circumstances' in subclause 16B(4) (where the project is for the purpose of informing government policy and programs) or subclause 16B(5) (where the project is for the purpose of research and development) applies. 160. While it is a matter for the judgment of the data custodian whether the public interest to be served by the project justifies the sharing of the personal information without consent, paragraph 126(2C)(b) requires the Commissioner to make a data code on the principles to be applied by data custodians when determining the circumstances, or categories of circumstances, where the public interest to be served by a project justifies the sharing of personal information without consent. Data codes are disallowable legislative instruments that are binding on data custodians. 161. Subclauses 16B(4) and 16B(5) provide that the following are 'permitted circumstances' for projects for the purpose of informing government policy and programs, and projects for the purpose of research and development: a. it is unreasonable or impractical to seek the individual's consent; b. the data is to be collected and used in the course of medical research and in accordance with guidelines made under section 95(1) of the Privacy Act; c. the sharing is with an ADSP to enable the ADSP to prepare data for sharing with the accredited user that does not include personal information (for example, the ADSP is performing the de-identification data service in relation to the data shared by the data custodian); d. the sharing is authorised under Part VIA of the Privacy Act (dealing with personal information in emergencies and disasters); e. the sharing is 'ADSP-controlled access'. 162. 
A note below subclause 16B(4) confirms that it is not unreasonable or impractical to seek the consent of individuals to the sharing of their personal information merely because a very large number of individuals would need to be contacted. Paragraph 126(2C)(a) requires the Commissioner to make a data code on the circumstances in which it is unreasonable or impracticable to seek the consent of individuals. Data codes are disallowable legislative instruments that are binding on data custodians. Where, as part of a project the personal information of individuals is shared without their consent, on the basis that it is unreasonable or impractical to seek the consent of the individuals, subclause 16B(7) requires the data sharing agreement for the project to include a statement about this circumstance that includes an explanation as to why the data custodian thinks it would be unreasonable or impractical to seek consent. Subclause 130(2) requires this statement to be included on the publicly accessible part of the register of data sharing agreements.
163. Subclause 16B(6) defines the term 'ADSP-controlled access', which is a service within the secure access data service. ADSP-controlled access occurs where, rather than sharing data with an accredited user so that the accredited user stores the shared data in its systems, the data is stored on the ADSP's systems and particular designated individuals with appropriate training are provided with access to the ADSP's systems to use the shared data (which is output). The ADSP is able to put a number of controls in place in this environment to significantly reduce the risk that the accredited user is able to identify any individual. 164. Where a project is for the purpose of informing government policies and programs, paragraphs 16B(4)(e) and 16B(4)(f) provide for additional 'permitted circumstances' that permit the sharing of personal information without consent, if the other requirements in subclause 16B(3) are satisfied. Paragraph 16B(4)(e) permits the sharing of personal information without consent with another Commonwealth body (other than a Commonwealth body excluded from this paragraph by the rules) but only if the final output of the project only includes de-identified data. For example, Commonwealth department A could share personal information without consent to enable Commonwealth department B to match the shared data with its own data, so long as the final output was a report that did not include any personal information about individuals. The report could be used to inform government policy. In this example, department B would not be able to use the shared data for any other purpose, other than the creation of the report. 165. Paragraph 16B(4)(f) permits the sharing of personal information without consent if the disclosure of the personal information would be authorised under Part VIA of the Privacy Act. Declarations under section 80J of the Privacy Act may be made if an emergency or disaster of national significance has occurred. 166. 
Subclause 16B(8) applies if, as part of a project where the data sharing purpose is informing government policy and programs, or research and development, personal information is shared without consent. In these circumstances, the data sharing agreement for the project must include a statement setting out why the sharing of the personal information is consistent with clause 16B. Subclause 130(2) requires this statement to be included on the publicly accessible part of the register of data sharing agreements. New clause 16C - Project involving use of de-identification or secure access data services 167. New clause 16C sets out requirements for projects that involve the use of a 'de-identification data service' or a 'secure access data service'. The clause also includes definitions for these two data services (subclauses 16C(3) and 16C(4)). These data services are two of the three types of services that an ADSP can provide under the Scheme. The third data service an ADSP can provide is the 'complex data integration service' (see Amendment Item 66, new clause 16D). 168. Under subclauses 16C(1) and 16C(2), if the data sharing purpose of the project is informing government policy and programs, or research and development, and the project involves performing a de-identification data service or a secure access data service, there is a requirement that either a data custodian for the data to be shared
under the project, or an ADSP must perform these services. These requirements are set out in subclause 16C(2). 169. Subclause 16C(2) requires, if the facts in subclause 16C(1) are met, that the data sharing agreement covering the project must require the de-identification data service or the secure access data service to be performed by the data custodian of the data to be shared under the project, or an ADSP that is able to perform the data service. If the data custodian of the data is not an ADSP, under paragraph 16C(2)(a), the data custodian may only perform the relevant data service if the data custodian is satisfied that it has the appropriate skills and experience to perform the service. If the data custodian of the data is an ADSP, under paragraph 16C(2)(b) the data custodian may only perform the service consistently with its conditions of accreditation as an ADSP. This means that, if a data custodian who is accredited as an ADSP has a condition imposed that would prevent it from performing the data service, as an ADSP, the data custodian cannot perform the service in its capacity as a data custodian (even if it believes it has the appropriate skills and experience to perform the service). If the data services are not performed by the data custodian of the data, in accordance with paragraph 16C(2)(c), the data sharing agreement must require that an ADSP that is able to perform the service consistently with its conditions of accreditation, performs the data service for the project. These requirements are safeguards that protect data shared under the Scheme. 170. Subclause 16C(3) defines 'de-identification data service' as a service to treat data that includes personal information so that the data is de-identified, using techniques that restrict the data being used in a way that would have the result that the data ceases to be de-identified. This definition frames the service as a data treatment. 
The service can only be performed on data that includes personal information. Once performed, the service has the effect of removing personal information from the data and includes techniques that would prevent re-identification of the data. 171. Subclause 16C(4) defines 'secure access data service' as the service of providing ADSP-controlled access, or any other service that enables an entity to access data under the control of another entity, including controls to prevent or minimise the risk of the data being misused. ADSP-controlled access is defined in subclause 16B(6) (see Amendment Items 6 and 66). This service is about the system on which data is stored and how entities access that system. Under this service, ADSPs provide a secure system to host data and provide certain designated individuals of accredited users with controlled access to that system. This service protects data by controlling the storage of it in a secure system managed by an ADSP. New clause 16D - Project involving complex data integration services 172. New clause 16D sets out requirements for projects that involve the use of a 'complex data integration service' and includes a definition for this service. Where sensitive datasets are to be integrated, this new clause requires an ADSP to perform the complex data integration service, unless an individual (an authorised officer of the data custodian, or an individual authorised under subclause 137(4), see Amendment Item 243) determines otherwise. This requirement is a safeguard designed to ensure data integration work involving sensitive data is undertaken by an ADSP (including
an ADSP that is also a data custodian of the data to be integrated as part of the project). 173. Under subclause 16D(1), if the data sharing purpose of the project is informing government policy and programs, or research and development, and the project involves performing a complex data integration service, and a decision under subclause 16D(4) has not been made, the data sharing agreement that covers the project must require the service to be performed by the data custodian of the data (if the data custodian is an ADSP) or an ADSP. This requirement is set out in subclause 16D(2). 174. Subclause 16D(2) requires, if the facts in subclause 16D(1) are met, that the data sharing agreement covering the project must require the service to be performed by either a data custodian of the data to be shared, if the data custodian is an ADSP able to perform such a service consistently with its conditions of accreditation, or an ADSP able to perform the service consistently with its conditions of accreditation. Where there is more than one data custodian of the data to be shared, the requirement in paragraph 16D(2)(a) is satisfied if any of those data custodians who is an ADSP able to perform the service undertakes the complex data integration. 175. Subclause 16D(3) defines 'complex data integration service'. A service to integrate data is a complex data integration service if two or more entities control the data being integrated, the data is at the unit or micro level, any paragraph in subclause 16D(3) applies to any of the data to be integrated or to the integrated data and, if applicable, the data to be integrated or the integrated data has any of the characteristics prescribed by rules. Paragraphs 16D(3)(c)(i) to (v) set out data characteristics for consideration in relation to the data to be integrated, or to the integrated data. For example, if the data includes personal information or commercially sensitive information. 
The definition of 'complex data integration service' is functional and requires entities to methodically assess the data proposed to be integrated, or the hypothetical integrated data. 176. Subclause 16D(4) allows an individual prescribed by subclause 16D(5) to make a decision, so that subclause 16D(2) will not apply to the project. Under subclause 16D(4) if the individual is satisfied, having regard to the matters listed in paragraphs 16D(4)(a) to (i), that the risk the integration could cause substantial harm is low, subclause 16D(2) will not apply to the project. A decision made under subclause 16D(4) exempts a data custodian from having to use an ADSP, or to be an ADSP that is able to perform the complex data integration service. 177. Subclause 16D(5) provides that an authorised officer of a data custodian of the data being integrated, or an individual authorised under subclause 137(4) for the data custodian, may make a decision under subclause 16D(4). 178. Subclause 16D(6) requires the individual making a decision under subclause 16D(4) to make a written record of the decision and the reasons for the decision. This is a transparency and accountability mechanism for data custodians.
New clause 16E - Privacy coverage condition 179. Clause 13 provides that a data custodian may only share personal information with an accredited user, or through an ADSP, if the privacy coverage condition in clause 16E is met in relation to the accredited user and, if an ADSP is part of the project, the ADSP. Similarly, where a project involves the sharing of personal information, clause 13A provides that the accredited user is only authorised to collect and use output if the privacy coverage condition in clause 16E is met in relation to the accredited user, and if the project involves an ADSP, clause 13B provides that the ADSP is only authorised to collect and use output if the privacy coverage condition in clause 16E is met in relation to the ADSP. 180. The privacy coverage condition in subclause 16E(1) may be satisfied in a number of different ways. Many Scheme entities will be agencies or organisations for the purposes of the Privacy Act and, if they are, this satisfies the privacy coverage condition. The privacy coverage condition is also met if the Privacy Act applies to the entity as if it were an organisation in relation to the collection and use of information as part of the project (because it is prescribed in a regulation made under the Privacy Act) or if the entity is covered by a privacy law of a State or a Territory that has the three characteristics mentioned in paragraph 16E(1)(d), one of which is that the law must provide a means for an individual to seek recourse if their personal information is handled in a way that is inconsistent with the law. 181. The privacy coverage condition is also met in relation to an entity if the data sharing agreement includes an 'APP-equivalence term' that covers the entity. 
This is defined in subclause 16E(2) to mean a provision in a data sharing agreement that prohibits the entity from collecting or using personal information in any way that would be a breach of the APPs, if the entity was an organisation for the purposes of the Privacy Act. The enforcement of APP-equivalence terms is covered by clause 16F. 182. Generally, an act or practice of a small business that is an organisation for the purpose of the Privacy Act because they are a contracted service provider for a Commonwealth contract is exempt for the purposes of the Privacy Act if the act or practice is not for the purpose of meeting an obligation under a Commonwealth contract. Subclause 16F(3) provides that an act or practice of a small business that involves the collection or use of personal information that is ADSP-enhanced data or output is not exempt for the purposes of the Privacy Act, despite section 7B of that Act. 183. The Bill is intended to work with, rather than override or modify the operation of the Privacy Act. Subclause 16E(4) confirms that, except as provided in subclause 16E(3) and Part 3.3 (relating to data breach responsibilities), nothing in the Bill affects the operation of the Privacy Act. New clause 16F - Compliance with APP-equivalence term 184. Where a data sharing agreement includes an APP-equivalence term, a use of ADSP-enhanced data or output that is not consistent with the APP-equivalent term would not be authorised by clause 13A or 13B (as applicable) and penalties in clause 14A may apply. However, the Information Commissioner also has power to investigate a
possible breach of an APP-equivalent term and to deal with complaints about interferences with privacy that relate to a breach of an APP-equivalence term. Clause 16F provides that a contravention of an APP-equivalence term is taken to be an interference with the privacy of the individual for the purposes of the Privacy Act. Section 13G of the Privacy Act, relating to serious and repeated interferences with privacy, applies to acts or practices covered by an APP-equivalence term. The Information Commissioner may conduct assessments and investigations, deal with complaints, accept enforceable undertakings and seek injunctions in relation to conduct that contravenes an APP-equivalence term. Amendment Item 67 185. Amendment Item 67 amends the heading of Part 2.5 and clause 17 to reflect changes in terminology and structure of the Bill. Amendment Item 68 186. Amendment Item 68 amends subclause 17(1) to reflect changes in terminology used and the amendments to Part 2.2. Amendment Item 69 187. Amendment Item 69 amends subclause 17(2) to reflect changes in the terminology used. Amendment Item 70 188. Amendment Item 70 removes the word "shared" to reflect changes in the terminology used. Amendment Item 71 189. Amendment Item 71 removes the word "shared" to reflect changes in the terminology used. Amendment Item 72 190. Amendment Item 72 inserts the word "or" to the end of paragraph 17(2)(b) as a result of a new paragraph being inserted, which provides a further ground for when sharing is barred (see Amendment Item 73). Amendment Item 73 191. Amendment Item 73 adds a new paragraph 17(2)(c) to insert a further ground for when sharing is barred, by capturing an excluded entity who controls data and would be the data custodian of that data but for paragraph 11(2)(b). This is to make sure that sharing of data controlled by an excluded entity is barred, whether or not the data is held by the excluded entity. 
For example, Agency X, an excluded entity, asks Department Y, a non-excluded entity, to create a public sector dataset for policy development purposes. The agreement gives Agency X and Department Y joint rights to deal with the dataset. The dataset is stored only on Department Y's systems. In this example, because Department Y is not an excluded entity, sharing of the dataset under the scheme will not be barred under paragraph 17(2)(a). However, it is
barred under paragraph 17(2)(c), because Agency X would also be a data custodian of this dataset, if paragraph 11(2)(b) were to be disregarded. Amendment Item 74 192. Amendment Item 74 amends subclause 17(3) to reflect changes in the terminology used. Amendment Item 75 193. Amendment Item 75 amends subclause 17(4) to reflect changes in the terminology used. Amendment Item 76 194. Amendment Item 76 amends paragraph 17(4)(a) to clarify that if a law prescribed in the Regulations prohibits individuals of the data custodian who would be covered by the data custodian's authorisation (refer clause 124) from disclosing data, the sharing of the data by the data custodian is barred. Amendment Item 77 195. Amendment Item 77 amends subclause 17(5) to reflect changes in the terminology used. Amendment Item 78 196. Amendment Item 78 inserts an explanatory note of what is a law of the Commonwealth giving effect to an international agreement binding Australia. Paragraph 17(5)(a) provides that sharing is barred if the sharing would be inconsistent with Australia's obligations under international law (including under international agreements), or with Commonwealth legislation enacted to give domestic effect to such international agreements. The Privacy Act, and instruments made under the Privacy Act such as the Privacy (Tax File Number) Rule 2015, are Commonwealth legislation giving effect to international agreements. Thus, paragraph 17(5)(a) bars the sharing of any data if the sharing would be inconsistent with the Privacy Act. Amendment Items 79, 80 and 81 197. Amendment Items 79 and 80 make minor amendments to subclause 17(6) to align terminology with other amendments. 198. Paragraphs 17(6)(a) and 17(6)(b) bar the sharing of the particular copy of data that is being held as evidence before a court, or obtained by a tribunal, authority or other person with the power to compel documents. 
These paragraphs do not bar the sharing of other copies of the same data held by the data custodian. 199. Paragraph 17(6)(c) bars the sharing of data where a court or tribunal has made an order that restricts or prohibits disclosure of the data. This paragraph applies to bar the sharing of any copies of the relevant data held by the data custodian.
Amendment Item 82 200. Amendment Item 82 removes subclauses 17(7) and (8), which excluded sharing with entities whose accreditation is suspended. The content of these subclauses is now covered by clause 13. Amendment Item 83 201. Amendment Item 83 creates a new Part 2.6 where provisions regarding data sharing agreements are set out. Part 2.6 contains clauses 18 and 19. Amendment Item 84 202. Amendment Item 84 substitutes clause 18 to update the definition of 'data sharing agreement' and clarify requirements for agreements and variations to agreements. 203. New subclause 18(1) sets out four requirements that must be met for an agreement to be a data sharing agreement and includes three explanatory notes. To be a data sharing agreement, the agreement must relate to the sharing of public sector data, parties to the agreement must include at a minimum one data custodian and one accredited user, if there is an approved form for an agreement, the agreement must be in that form (or in writing if there is no approved form), and any requirements set out in a data code must be met. New Note 1 signposts that all data sharing agreements must also meet the requirements in clause 19 and, if applicable, other provisions that impose requirements. These other provisions include, for example, provisions requiring the inclusion of privacy protection details. Clause 19 sets out requirements to be met by all data sharing agreements (see Amendment Item 87). Clause 19 sets out details of what a data sharing agreement must include in substance. The updated definition of 'data sharing agreement' in subclause 18(1) simplifies the overarching data sharing agreement requirements and, with Note 1, clarifies the inter-relationship between clauses 18 and 19. New Note 2 was former Note 1. Updated Note 3, which was former Note 2, amends cross-referencing. 204. 
New subclause 18(2) states a data sharing agreement must not be entered into by an individual on behalf of a Scheme entity unless the individual is an authorised officer of the entity, or is authorised under clause 137(4) for the entity. Unless authorised in this way, an individual may not enter into a data sharing agreement on behalf of an entity, even if they are otherwise authorised to enter contracts or agreements on behalf of the entity. For example, an individual who is authorised by power of attorney to enter into all agreements on behalf of an entity would not be able to enter into a data sharing agreement, unless they were an authorised officer of the entity, or authorised under clause 137(4) for the entity. Clause 18(2) is intended to apply notwithstanding any other general provision in Commonwealth, State or Territory legislation authorising individuals, or classes of individuals, to execute agreements on behalf of the entity. Clause 18(2) does not prevent an entity executing an agreement itself. For example, an Australian university may enter into a data sharing agreement by sealing the agreement with its seal, if this is consistent with its enabling legislation. 205. New subclause 18(3) states a variation to a data sharing agreement must not be entered into by an individual on behalf of a Scheme entity unless the individual is an
authorised officer of the entity, or is authorised under clause 137(4), for the entity. If an individual that is not authorised in this way purports to enter into a variation of a data sharing agreement on behalf of an entity, that variation would not be a valid variation to a registered data sharing agreement. 206. Under new subclause 18(4) a data sharing agreement has no effect until the agreement is registered. Data sharing agreements must be given to the Commissioner for registration under clause 33. The Commissioner must maintain a register of data sharing agreements under clause 130. This requirement relates to Amendment Item 102 and new clause 33 on the registration of data sharing agreements. Once a data sharing agreement is registered, it may take effect in accordance with its terms. 207. New subclause 18(5) clarifies that a variation of a data sharing agreement has no effect until the variation, or the agreement as varied, is registered. Until the variation or agreement as varied is registered by the Commissioner, the original registered agreement continues to be in effect and determines what parties to the data sharing agreement are authorised to do under Part 2.2. 208. New subclause 18(6) clarifies that a data sharing agreement may also deal with matters not required under the Bill, but must not do so in a way that is inconsistent with the Scheme. For example, under clause 20F, an agreement could appoint a Commonwealth body that is not the data custodian or accredited user (that is, a third party) to be the data custodian of output of the project. A data sharing agreement may provide for matters such as funding and intellectual property rights under subclause 18(6), because dealing with these matters is not inconsistent with the requirements for data sharing agreements in the Bill. 
If provisions of a data sharing agreement alter the operation of other provisions of the agreement required by the Bill, the data sharing agreement would not meet the requirements of subclause 19(6). This would mean that the agreement would not meet the requirements of the Bill for the purposes of clauses such as clause 13A. Amendment Item 85 209. Amendment Item 85 amends the heading of clause 19 to reflect changes in terminology used. Amendment Item 86 210. Amendment Item 86 adds a new subclause 19(1A), accompanied by an explanatory note. This is to make clear that the provisions under clause 19 must be complied with in all data sharing agreements. If a data sharing agreement for the project does not meet the requirements of clause 19, a data custodian will not be authorised to share data as part of the project under clause 13, and accredited users, ADSPs and data custodians will not be authorised to collect and use data under clauses 13A, 13B and 13C. Amendment Items 87 to 89 211. Amendment Items 87 to 89 make changes to the requirements for data sharing agreements in clause 19.
212. A data sharing agreement for a project must: a. identify the parties to the agreement (refer subclause 19(1)) - entities may be party to a data sharing agreement even if they are not the data custodian of the data to be shared with the accredited user under clause 13 and are not the ADSP for the project or the accredited user; b. describe the project and specify that this Bill applies to the project (refer subclause 19(2)); c. specify the data to be shared with the accredited user (including any ADSP-enhanced data) and the agreed final output of the project (refer subclause 19(3)); d. specify the data custodian or data custodians of the data to be shared under clause 13 (refer paragraph 19(4)(b)); e. where a Commonwealth body that is party to the agreement is appointed as the data custodian of specific output (this Commonwealth body may be the accredited user, or another entity), specify the output and explain the appointment (refer paragraph 19(4)(b)); f. specify the title of any law that the sharing of the data under clause 13 would contravene, but for the operation of clause 23 - it is not necessary to specify the particular provision or provisions of that law or those laws (refer subclause 19(5)); g. specify the data sharing purpose or data sharing purposes of the project and any incidental purposes (refer paragraph 19(6)(a)); h. prohibit the accredited user from using output for any purpose not specified, including any precluded purpose (refer clause 15(2)), other than in relation to sharing permitted under clause 20D (refer paragraph 19(6)(b)); i. prohibit the accredited user from creating output other than the agreed final output of the project, and output that is reasonably necessary or incidental to the creation of that final output (refer subclause 19(6A)); j. 
specify how the project will be consistent with the 5 data sharing principles (see clause 16), including how the parties to the agreement will give effect to the principles (for example, imposing controls on what designated individuals of the accredited user may use output) and describe how the project will serve the public interest (refer subclause 19(7)); k. if an ADSP is involved in the project, specify the services to be performed by the ADSP, the circumstances where the ADSP is to share ADSP-enhanced data with the accredited user and prohibit the ADSP from providing access to, or releasing ADSP-enhanced data in any other circumstances (except for a submission to the data custodian as permitted by clause 20A) (refer subclauses 19(8) and 19(8A)); l. describe (in general terms) the use the accredited user may make of output, and prohibit the accredited user from using the output in any other way (refer paragraphs 19(9)(a) and 19(9)(b));
m. prohibit the accredited user from providing access to output, or releasing output of the project except under a term of the data sharing agreement (if it includes such a term) permitted by clause 20A, 20B, 20C or 20D (refer paragraph 19(9)(c) and subclause 19(10)); n. prevent the accredited entities that are parties to the agreement from doing anything inconsistent with their conditions of accreditation applying to their accreditation as an ADSP or accredited user (as applicable to their role in the project) (refer subclause 19(11)); o. where the project involves the sharing of personal information, specify that clauses 37(2) and 37(3) apply (these clauses relate to responsibility for eligible data breach notifications under the Privacy Act; the data sharing agreement can specify that these clauses do not apply - refer subclause 37(4)) (refer subclause 19(12)); p. if the parties agree that one or more of them have responsibilities in relation to data breaches that are in addition to their obligations under Part 3.3, specify those additional responsibilities (refer subclause 19(12A)); q. specify when and how the agreement may be varied or terminated (refer subclause 19(13)); r. specify the termination date for the agreement (which may be a calendar date, the end of a specified period or the date an event occurs), the date for regular reviews of the agreement or both (refer subclause 19(14)); s. specify how scheme data (refer clause 9) covered by the agreement must be handled when the agreement ends (either by termination or expiry of the term) (refer subclause 19(15)); t. meet any other requirements for agreements set out in a data code (a data code is a disallowable legislative instrument made by the Commissioner under clause 126) (subclause 19(16)); and u. 
require the data custodian (or a data custodian of there is more than one data custodian of the data shared under the project) to advise the Commissioner as soon as practical after the agreement ceases to be in effect (for example, as a result of the termination of the agreement) (subclause 19(17)). 213. Clause 130 requires the Commissioner to maintain a register of data sharing agreements. Subclause 130(2) sets out a number of details about data sharing agreements that must be in the publicly accessible part of the register. Amendment Item 90 214. Amendment Item 90 omits clause 20 and does not substitute it. Clause 20 required that a Scheme entity must comply with the mandatory terms of a data sharing agreement and included a civil penalty of 300 penalty units. Clause 20 has been omitted because Amendment Items 52 and 53 substitute and streamline the authorisations and penalty provisions. 36


Amendment Item 91

215. Amendment Item 91 omits clause 21 and substitutes a new Part 2.7. The new Part sets out the circumstances where a data sharing agreement may permit the accredited user to provide access to output to another entity, when a copy of output 'exits' the Scheme (which means the copy is no longer subject to the controls on use imposed by the Scheme) and other matters. Clause 13A only authorises an accredited user to collect and use data shared with it under the Scheme if, amongst other matters, the collection and use is in accordance with the applicable data sharing agreement and the data sharing agreement is registered, in effect and meets the requirements of the Bill. Civil penalties and offences may apply if an accredited user uses data shared with it under the Scheme and that use is not authorised by clause 13A. Clause 9 defines 'use' to include handle, store and provide access.

New clause 20A - Allowed access: providing data custodian of source data with access to ADSP-enhanced data or output

216. In some circumstances where data is shared under the Scheme through an ADSP as intermediary, or an ADSP is engaged as part of a project to perform a data service, such as the de-identification data service, it is appropriate for the data custodian to confirm that the ADSP has complied with its obligations in relation to the data, prior to the ADSP-enhanced data being shared with the accredited user. This type of confirmation enables the data custodian to properly manage the data sharing agreement and ensure that the controls and risk mitigations in the agreement are fully implemented.

217. Subclause 20A(1) permits a data sharing agreement covering a project to allow, or require, an ADSP that is party to the agreement to provide the data custodian with particular ADSP-enhanced data. Providing access to the ADSP-enhanced data to the data custodian is referred to as 'submitting' the data to the data custodian (refer subclause 20A(3)). Where ADSP-enhanced data is submitted to the data custodian, the submission is taken to be for the data sharing purpose, or data sharing purposes, of the project (refer subclause 20A(4)), because the submission process is intended to help ensure that the controls in the data sharing agreement are fully implemented.

218. In some circumstances it is appropriate for the data custodian for a project to confirm that output is as agreed in the data sharing agreement covering the project, before the accredited user in the project makes the output available to another entity, or releases the output, in accordance with the data sharing agreement.

219. Subclause 20A(2) permits a data sharing agreement covering a project to allow, or require, the accredited user to provide the data custodian with particular output. Providing access to the output to the data custodian is referred to as 'submitting' the data to the data custodian (refer subclause 20A(3)). Where output is submitted to the data custodian, the submission is taken to be for the data sharing purpose, or data sharing purposes, of the project (refer subclause 20A(4)), because the submission process is intended to help ensure that the controls in the data sharing agreement are fully implemented.


220. Both subclauses 20A(1) and 20A(2) provide that where data (ADSP-enhanced data or output) is submitted to the data custodian, the submission is for the purpose of the data custodian ensuring that the data is as agreed in the data sharing agreement. A data sharing agreement that includes a provision permitted by subclause 20A(1) or 20A(2) must limit the purpose for which the data custodian may use submitted data to the purpose mentioned in subclauses 20A(1) and 20A(2). Where data is submitted to the data custodian, it remains scheme data and the collection and use of the data by the data custodian is controlled by the Scheme. Clause 13C provides the data custodian with a limited authorisation to collect and use the submitted data. If the data custodian uses submitted data otherwise than as permitted by clause 13C, it may contravene the civil penalty in subclause 14A(7) or commit the offence in subclause 14A(9).

New clause 20B - Allowed access: providing access to output for validation or correction

221. Subclause 20B(1) permits the data sharing agreement for a project to allow the accredited user to provide output (which may be the shared data collected from the data custodian, or a processed form of that data) to the individual or organisation to whom it relates for validation or correction. For example, in relation to a project for the data sharing purpose of the delivery of government services, the accredited user may use output to pre-fill application forms for individuals to whom the output relates and provide those forms to the individuals for review. The individuals may then either confirm the pre-filled information or correct the pre-filled information.

222. Subparagraph 20B(1)(a)(iii), read with clause 133, allows the Minister to make rules to expand the operation of subclause 20B(1) so that a data sharing agreement may permit access to persons other than entities that carry on a business, or not-for-profit entities (refer paragraph 20B(1)(a)) and individuals (refer paragraph 20B(1)(b)). However, the scope of such rules is intended to be narrow. A rule may only allow a data sharing agreement to permit access to be provided to output to enable the output to be validated or corrected.

223. The term 'not-for-profit entity' in subparagraph 20B(1)(a)(i) is intended to be read broadly and includes entities registered under the Australian Charities and Not-for-profits Commission Act 2012.

224. Where a data sharing agreement permits the accredited user to provide a person with access to output as permitted by paragraph 20B(1)(a), the agreement must also require the data custodian to be satisfied that the type of access the accredited user proposes to provide is in accordance with the data sharing agreement. This is an important control to ensure that the access provided by the accredited user does not exceed what is permitted by the data sharing agreement.

225. Subclause 20B(3) confirms, for avoidance of doubt, that where a data sharing agreement provides for access to be given in accordance with subclause 20B(1), the access is taken to be for the data sharing purpose, or data sharing purposes, of the project.

226. Subclause 20E(2) deals with the 'exit' of data from the Scheme. Where data has exited the Scheme, the Scheme no longer controls how the data is collected or used. Subclause 20E(2) provides that, if a person is provided with access to a copy of data pursuant to a clause of a data sharing agreement permitted by subclause 20B(1), the person's copy is taken to have exited the Scheme (so long as the accredited user complies with other requirements in relation to the provision of access in clause 13A). Subclause 20E(2) does not have the effect that the copy of the data held by the accredited user also exits, and the accredited user must continue to use the data only as permitted by clause 13A.

227. Where a person who has been provided with data for validation or correction under a provision of a data sharing agreement permitted by subclause 20B(1) provides the accredited user with confirmation that the data is correct, or with corrected data, the accredited user is taken to have collected a copy of the data, or the corrected data, from the person (refer subclause 20B(2)). This data that is taken to be collected from the person is not scheme data and the Scheme does not impose restrictions on how such data is used. If the person does not respond to the accredited user when asked to validate or correct data, the accredited user cannot take the absence of a response as constituting the validation of the data.

New clause 20C - Allowed access: providing access to or releasing output in other circumstances

228. Subclause 20C(1) permits a data sharing agreement to include a provision to allow an accredited user to provide access to specified output to another entity, or to release specified output, if three conditions set out in subclause 20C(1) are satisfied. A data custodian is not required to include a provision in a data sharing agreement permitted by clause 20C, and will only do so if the project, including the provision of access to, or release of, data, is consistent with the data sharing principles. The term 'release' is defined in subclause 10(1) to mean the provision of open access to specific data.

229. Paragraph 20C(1)(a) only allows a data sharing agreement to permit the provision of access, or release, of specified output in particular circumstances if the provision of the access, or the release, would not contravene any other law of the Commonwealth or a law of a State or Territory. When considering this, the operation of clause 23 (which provides that the authorisations in clauses 13, 13A, 13B and 13C have effect despite anything in another law of the Commonwealth, or a law of a State or Territory) is disregarded. Thus, for example, if secrecy provisions in another Commonwealth law would prevent output being released (disregarding the operation of clause 23), subclause 20C(1) would not permit a data sharing agreement to provide for release of the output.

230. Paragraph 20C(1)(b) only allows a data sharing agreement to permit the provision of access, or release, of specified output if the agreement prohibits the provision of access or release of output that contains the personal information of an individual without the individual's consent. For example, a data sharing agreement may permit the release of a research report, but if the research report includes any personal information of individuals, the agreement must prohibit the release of the research report unless all of those individuals consent.


231. Paragraph 20C(1)(c) provides that, where a data sharing agreement allows for an accredited user to provide access to output to another entity, or to release output, it must also require the data custodian to be satisfied, before the provision of access or the release, that what the accredited user proposes to do is in accordance with the data sharing agreement. This is an important control to ensure that an accredited user does not provide access to, or release, output inappropriately.

232. Where an accredited user provides access to, or releases, a copy of specified output under a provision of a data sharing agreement permitted by subclause 20C(1), that copy of the output exits the Scheme under subclause 20E(2).

233. The provision of access to, or release of, specified output under a provision of a data sharing agreement permitted by subclause 20C(1) as part of a project is taken to be for the data sharing purpose, or data sharing purposes, of the project (subclause 20C(2)).

New Clause 20D - Allowed access: sharing under clause 13

234. In circumstances where an accredited entity is a Commonwealth body and the data sharing agreement provides that the accredited user is the data custodian of specified output (as permitted by clause 20F), clause 20D permits the data sharing agreement to also permit the accredited user to share the specified output under clause 13. However, where the sharing of output under clause 13 is permitted, paragraph 20D(b) requires the data sharing agreement to provide for the data custodian of the source data to be satisfied that any sharing of specified output will be authorised.

235. Thus, if entity A and entity B are both Commonwealth bodies, entity A could enter into a data sharing agreement with entity B covering the sharing of certain public sector data.
The agreement could provide that entity B is the data custodian of a particular product that is the output of entity B's use of the shared public sector data (the 'specified output'). The data sharing agreement between entity A and entity B could permit entity B to share the specified output under clause 13, if it wishes to do so and the conditions in clause 13 are satisfied. However, the data sharing agreement must require that entity A is satisfied that the sharing of specified output under clause 13 will be authorised under the Scheme, before entity B shares the data. Where entity B then shares the specified output under a data sharing agreement with entity C, the authorisation of entity C to collect and use the data is governed by the data sharing agreement between entity B and entity C (the data sharing agreement between entity A and entity B has no relevance to entity C's authorisation to collect and use data).

New clause 20E - Exit of output of project

236. Generally, the Scheme controls how ADSP-enhanced data and output is collected and used. Clauses 13A and 13C provide authorisations to collect and use output. Clause 13B provides an authorisation to collect and use ADSP-enhanced data. Penalties apply under clause 14A if ADSP-enhanced data or output is used in an unauthorised way.

237. The Scheme provides for a limited number of circumstances where a copy of ADSP-enhanced data, or output, may 'exit' the Scheme, in which case the Scheme controls on collection and use no longer apply to that copy. If a data sharing agreement permits an accredited user to release a copy of specified output in particular circumstances and the accredited user then releases the output in accordance with the agreement (for example, by placing the copy on the internet), the copy of the specified output retained by the accredited user remains scheme data and it may still only be used as authorised by clause 13A. However, if the accredited user obtains a copy of the exited copy of the specified data (for example, by downloading a copy from the internet), it may use the exited copy in a manner not authorised by clause 13A. Clause 14A(6) provides a defence from the civil penalties and offences in subclauses 14A(1), 14A(2), 14A(4) and 14A(5) if the data collected or used by the defendant is a copy that has exited the Scheme.

238. A direction given by the Commissioner under clause 112 may require a scheme entity to provide access to output or ADSP-enhanced data to another person. Where a person obtains a copy of output or ADSP-enhanced data pursuant to a direction given by the Commissioner, the copy of the output or the ADSP-enhanced data collected by the person is taken to exit the Scheme.

239. Clause 135 authorises a scheme entity to provide scheme data to the Auditor-General, the Commonwealth Ombudsman, the Information Commissioner, a Royal Commission or a court or tribunal in certain circumstances. Where a copy of output or ADSP-enhanced data is provided in a manner authorised by clause 135, that copy exits the Scheme.

240. Subclause 20E(1) provides a general overview of the exit of data from the Scheme.

241. Subclause 20E(2) provides for the circumstances where output exits the Scheme. A data sharing agreement can provide for another person to be provided with access to output in the circumstances set out in clauses 20A, 20B, 20C and 20D.
Where a data sharing agreement provides for the provision of access to output to another person, generally the copy of the output collected by the other person exits the Scheme. This is not the case, however, if the provision of access is a submission of the output to the data custodian. Where output is submitted to the data custodian, it remains scheme data and may only be collected and used by the data custodian in accordance with clause 13C. Further, where a data sharing agreement for a project (the first project) includes the clause permitted by clause 20D and specified output of the first project is shared under clause 13 as part of a second project, the data shared under section 13 as part of the second project is scheme data and the accredited user may only use output in the second project (including output that was the specified output of the first project) as authorised by clause 13A.

242. Subclause 20E(3) provides for the circumstances where ADSP-enhanced data exits the Scheme. ADSP-enhanced data may only exit the Scheme if the Commissioner gives a direction to provide access to another person under clause 112, or access is provided as authorised by clause 135.

243. In some projects where the data sharing purpose is the delivery of government services, it is important that the accredited user has a copy of shared data that is an individual's personal information that has exited the Scheme. While data is scheme data, it cannot be used for an enforcement related purpose. This includes ensuring that a payment made previously was correctly made, recovering overpayments and identifying people for compliance review (see subclause 15(3)). In some circumstances, service delivery agencies may not consider it is appropriate to rely upon shared data to deliver a program unless they can also rely upon the same data for later compliance action. Further, service delivery agencies may not have systems in place to be able to use shared data for some aspects of a program but not other aspects.

244. Where an individual's personal information is to be shared as part of a service delivery project, subclause 20E(4) allows for the individual to expressly consent to both the sharing, and the accredited user using the individual's personal information without the limitations on use imposed by the Scheme applying. If the individual does provide this express consent, and their data is shared with the accredited user, subclause 20E(5) provides that the user is taken to hold an exited copy of the personal information at the time it collects it from the data custodian (unless the individual's consent specifies a later time, in which case the accredited user does not hold an exited copy of the personal information until the later time).

245. An example of a situation where the exit mechanism in subclause 20E(4) may be used is as follows. An individual claims a statutory benefit from an Australian Government agency, agency A. Agency A requires personal information to assess the individual's claim. The relevant personal information about the individual is already held by another Australian Government agency, agency B. Agency A (as accredited user) and agency B (as data custodian) are parties to a data sharing agreement for the purpose of the delivery of government services.
Agency A may offer the individual the choice of either supplying the required personal information to the agency directly, or expressly consenting to agency B sharing the relevant personal information with agency A under the data sharing agreement and to agency A being able to use the shared information without the requirements of the Scheme applying.

246. If the individual expressly consents, agency A will be taken to have collected the shared personal information from the individual (refer subclause 20E(6)). Any secrecy provisions applying to the personal information held by agency B will not apply to the exited data held by agency A.

247. Where a project permits shared personal information to exit the Scheme under subclause 20E(4), this must be specified in the data sharing agreement covering the project (refer subclause 16B(2)).

New clause 20F - Data custodian of output of project

248. A data sharing agreement for a project may provide that the accredited user is the data custodian of specific output if the accredited user is a Commonwealth body and other requirements are satisfied (refer clause 20F). In these circumstances, the accredited user is taken to have a copy of the specified output at the time specified for exit to occur in the data sharing agreement, provided that the data sharing agreement does not allow the accredited user to provide access to the specific output to another person under a provision of a data sharing agreement permitted by clause 20C or 20D, and the conditions for exit in subclause 20F(3) are met (see below).


249. Generally, the accredited user under a data sharing agreement for a project does not become the data custodian of output, even if the accredited user is a Commonwealth body (refer subclause 20F(4)).

250. A data sharing agreement may appoint an entity that is not the accredited user as the data custodian of specified output, if the conditions set out in subclause 20F(5) are met. The entity appointed as data custodian must be a Commonwealth body and not an excluded entity. The specified output might not be simply the output that was collected by the accredited user under the data sharing agreement. The data sharing agreement must allow the accredited user to provide the entity appointed as the data custodian of the specified output with a copy of that output under clause 20C. The entity appointed as data custodian does not actually become the data custodian of the output until it is provided with access to a copy of the output (refer subclause 20F(1)).

251. Subclause 20F(2) provides that the accredited user under a data sharing agreement for a project may be appointed as the data custodian of specified output if it is a Commonwealth body, the specified output is not simply the output that was collected by the accredited user, and either:
a. the data sharing agreement permits the accredited user to provide access to the specified data to another person pursuant to a clause of the data sharing agreement permitted by clause 20C or 20D (in which case the specified output is taken to exit the Scheme at the time it is created - refer paragraph 20F(1)(a)); or
b. the conditions for exit in subclause 20F(3) are met and the data sharing agreement does not permit the accredited user to provide access to the specified data to another person pursuant to a clause of the data sharing agreement permitted by clause 20C or 20D (in which case the specified output is taken to exit the Scheme at the time specified in the data sharing agreement - refer subclause 20E(7)).

252. The conditions of exit specified in subclause 20F(3) are similar to the conditions set out in subclause 20C(1).

253. The condition in paragraph 20F(3)(a) provides that the provision of access, or the release, of the specified output by the accredited user would not contravene any other law of the Commonwealth or a law of a State or Territory. When considering this, the operation of clause 23 (which provides that the authorisations in clauses 13, 13A, 13B and 13C have effect despite anything in another law of the Commonwealth, or a law of a State or Territory) is disregarded. Thus, for example, if secrecy provisions in another Commonwealth law would prevent the specified output being released (disregarding the operation of clause 23), the condition is not satisfied.

254. Paragraph 20F(3)(b) applies if the specified output includes personal information about an individual. In this case, the condition is only satisfied if the individual has expressly consented to their personal information being used by the accredited user without the requirements of the Scheme applying to that use.


255. The condition in paragraph 20F(3)(c) is only met if the data sharing agreement requires the data custodian to be satisfied that all requirements in the data sharing agreement relating to the exit of the specified data are met, before the time that the agreement provides for exit to occur.

Amendment Item 92

256. Amendment Item 92 is a consequential amendment omitting a reference to subclause 13(1) and replacing it with a reference to clause 13 to reflect amendments to clause 13 regarding a data custodian's authorisation to share data.

Amendment Item 93

257. Amendment Item 93 amends clause 22 to reflect the changes to the terminology used by the Bill. To avoid any doubt, clause 22 clarifies that the Scheme does not limit other legislative authority empowering data custodians to share or release public sector data. For example, some Commonwealth legislation permits data custodians to disclose data in the public interest. This Bill does not affect such powers to disclose.

Amendment Item 94

258. Amendment Item 94 amends subclauses 23(1) and 23(2) to simplify the language and reflect the amendments to Part 2.2 in relation to authorisations under the Scheme.

259. Subclause 23(1) provides that the authorisations in Chapter 2 (including as extended by clause 124 to individuals and bodies corporate) apply despite anything in another Commonwealth law or in a law of a State or of a Territory. This is the case however the other law is drafted. For example, the authorisation in clause 13 to share particular data has effect despite a provision in another Commonwealth law that would otherwise prevent the access to, the recording or use of, or the disclosure of, that data for the purpose of sharing.

260. Subclause 23(2) confirms that subclause 23(1) is intended to have effect in relation to laws enacted after this Bill that limit the access, recording, use or disclosure of particular data.

Amendment Item 95

261. Amendment Item 95 removes clause 24, as it has been relocated to Part 3.2 of Chapter 3.

Amendment Item 96

262. Amendment Item 96 amends clause 25 to renumber it to clause 24 as a consequence of amendments to other parts of the Bill.

Amendment Item 97

263. Amendment Item 97 amends clause 25 to replace the reference to clause 20 with clause 14A, as a consequence of Amendment Item 90 discussed above.


Amendment Item 98

264. Amendment Item 98 inserts a new clause 25, which replaces the existing clause 24 regarding there being no duty for data custodians to share data, but reasons are required for a decision refusing to share data. The new clause imposes additional requirements on a data custodian when considering a data request from an accredited user. This includes giving the accredited user a written notice of the reasons for a decision to refuse within 28 days after the decision refusing to share data is made. The additional requirements will provide more transparency and accountability to the decision making process of data custodians in relation to a data request under the Scheme, so that a data request under the Scheme will not be unreasonably refused or delayed. New clause 25 also clarifies that a request to a data custodian to share data can only be made by an accredited user, and must be made in the approved form, or in writing where there is no approved form. While any entity (including entities that are not accredited as users) may request a data custodian to share data, data custodians only have obligations to consider requests made by, and to provide reasons for a refusal to, accredited users.

Amendment Item 99

265. Amendment Item 99 removes clauses 28 and 29. The content in clause 28 regarding privacy coverage has been relocated to new clause 16E. The content in clause 29 has been included in the authorisations under new clause 13.

Amendment Item 100

266. Amendment Item 100 expands the requirement under clause 31 for an accredited entity to notify the Commissioner of any event or change of circumstance affecting the entity's accreditation so that an accredited entity must then notify the Commissioner of any event or change of circumstance relevant to the exercise of the Commissioner's regulatory functions or the entity's accreditation or conditions of accreditation.
The intention of this amendment is to capture events and change of circumstances that may reasonably affect the Commissioner making a decision in relation to an entity's accreditation under Part 5 of the Bill. Amendment Item 100 also creates a civil penalty of 300 penalty units for a contravention of subclause 31(1).

Amendment Item 101

267. Amendment Item 101 amends clause 32 to include a reference to 'Minister', to ensure that any provision of false or misleading information to the Minister or the Commissioner will attract 300 penalty units. This amendment reflects the introduction of the concept of an 'accreditation authority' (see Amendment Item 5), where the Minister will receive information in their capacity as the accreditation authority.

Amendment Item 102

268. Amendment Item 102 replaces clause 33 to provide the process for registering data sharing agreements. An entity that is party to a data sharing agreement as a data custodian is required to give a copy of the agreement to the Commissioner within 30 days after the agreement or a variation is made. The entity must also give the Commissioner any other information or document required by a data code. The new clause 33 does not include a note that the Commissioner must maintain a publicly available register as the existing clause 130 is being amended so that the register includes a publicly accessible and non-publicly accessible part (see Amendment Item 236).

Amendment Item 103

269. Amendment Item 103 replaces clause 34 in providing for more detailed requirements to assist the Commissioner in relation to the annual report. Subclause 34(1) outlines the specific information that a data custodian must notify the Commissioner in relation to the financial year, such as the number of data sharing requests from accredited users and the reasons for agreement or refusal to share, the number of complaints received (if any), and the number of data sharing agreements it entered into. Subclauses 34(2) and 34(3) provide that a data custodian and an accredited entity must give the Commissioner any information and assistance in relation to the preparation of the annual report. Subclause 34(4) provides for the period of notification, which is prescribed under a data code or otherwise as soon as practicable.

Amendment Item 104

270. Amendment Item 104 amends subparagraph 35(b)(i) to reflect changes in terminology used. The terms 'share' and 'release' of data have specific meanings when authorised to be disclosed under the Scheme. The term 'disclosure' takes its ordinary meaning.

Amendment Item 105

271. Amendment Item 105 amends subparagraph 35(b)(ii) to reflect changes in the terminology used by the Bill.

Amendment Item 106

272. Amendment Item 106 amends clause 35 to reflect changes in the terminology used by the Bill.

Amendment Item 107

273. Amendment Item 107 amends the circumstances for when a data custodian must take reasonable steps to mitigate a data breach under clause 36 to reflect the introduction of the concept of ADSP-enhanced data (see Amendment Item 49).

Amendment Item 108

274. Amendment Item 108 amends subclause 36(1) to insert a time limit within which a Scheme entity that reasonably suspects or has become aware that a data breach has occurred must take reasonable steps to prevent or reduce the consequent harm of a data breach. The time limit is provided under the new subclause 36(3) (see Amendment Item 112).


Amendment Item 109 275. Amendment Item 109 introduces a civil penalty of 300 penalty units to a contravention of subclause 36(1). Amendment Item 110 276. Amendment Item 110 inserts a time limit within which a data custodian, who reasonably suspects or becomes aware of a data breach that involves scheme data or output of data that it shared with or through an accredited entity, must take steps to prevent or reduce the consequent harm of a data breach. The time limit is provided under the new subclause 36(3) (see Amendment Item 112). Amendment Item 111 277. Amendment Item 111 introduces a civil penalty of 300 penalty units to a contravention of subclause 36(2) where a data custodian fails to take reasonable steps to prevent or reduce any harm resulting from the suspected or actual data breach that involves scheme data or output of data shared by the data custodian with or through an accredited entity. Amendment Item 112 278. Amendment Item 112 inserts new subclause 36(3) to specify the period in which Scheme entities must take steps to address actual or suspected data breaches. Entities must take reasonable steps to address breaches in accordance with timeframes specified in a data code, or, if there is no such period, as soon as practicable after the breach occurs. Amendment Item 113 279. Amendment Item 113 is a consequential amendment to clause 37 to insert a reference to clause 13 to reflect that clause's content regarding a data custodian's authorisation to share data. Amendment Item 114 280. Amendment Item 114 replaces subclause 37(3) to provide for more detailed requirements for an accredited entity to notify the data custodian of a suspected or actual data breach. In particular, the accredited entity must give written notice to the data custodian in sufficient time and containing sufficient detail to enable the data custodian to comply with its obligations under Part IIIC of the Privacy Act to notify eligible data breaches. Amendment Item 115 281. 
Amendment Item 115 replaces subclause 37(5) with new subclauses 37(5) and 37(5A) to clarify the requirements for notifying the Commissioner of data breach statements given to the Information Commissioner under section 26WK of the Privacy Act. This clause works with clause 38 to ensure the Commissioner has a holistic view of data breaches involving scheme data (personal information or otherwise).


282. Subclause 37(5) requires entities with notification requirements under subclauses 37(2) or 37(4) to give the Commissioner a copy of the statement about the data breach it provided to the Information Commissioner under section 26WK of the Privacy Act. Amendments clarify that statements must be provided if they relate to circumstances where the data breach involves scheme data. 283. Subclause 37(5A) allows the Information Commissioner to give the Commissioner a copy of statements received under section 26WK of the Privacy Act. The Information Commissioner may provide the statement if they are satisfied that it is relevant to the Commissioner's functions, for example, because the statement relates to data shared under this Bill, or if the statement evidences insufficient privacy practices by an entity accredited under the Scheme. Amendment Item 116 284. Amendment Item 116 inserts a reference to the period applicable under new subclause 38(1A) as part of a Scheme entity's requirement to notify the Commissioner of a suspected or actual data breach. This reflects amendments under Amendment Item 118 which specifies the period in which a Scheme entity must notify the Commissioner of a data breach under this clause. Amendment Item 117 285. Amendment Item 117 introduces a new civil penalty provision for Scheme entities that fail to notify the Commissioner of a data breach within periods specified under subclause 38(1A) and in accordance with any requirements prescribed by a data code. This penalty is intended to deter non-compliance and build confidence in the Scheme by incentivising proactive data breach management. 286. Timely notification of breaches will allow the Commissioner to monitor the operation and integrity of the Scheme and the effectiveness of its safeguards. It will also support the Commissioner's ability to exercise their regulatory powers to minimise potential harms when data breaches occur. 287. 
The maximum penalty for breach of this clause (300 penalty units) aligns with other civil penalties in this Bill, and is comparable to those in other laws such as the Privacy Act. Consistent with the Guide to Framing Commonwealth Offences, the Bill sets maximum penalties and a court will determine what is appropriate in each particular case. Amendment Item 118 288. Amendment Item 118 replaces subclause 38(2) with new subclauses 38(1A) and 38(2) to clarify the requirements for when a Scheme entity must notify the Commissioner of a suspected or actual data breach under clause 38. 289. Subclause 38(1A) requires that the Commissioner be notified in accordance with the timeframes specified in a data code, or, if there is no such period, as soon as practicable after the end of the financial year in which the breach occurred. This aligns with annual reporting requirements under the PGPA Act. This obligation is triggered under subclause (1) when an entity becomes aware of or suspects a breach
has occurred, and the data involved is not personal information (breaches of personal information are handled under clause 37). 290. Subclause 38(2) allows a data code to prescribe different periods in which Scheme entities must notify the Commissioner of data breaches under this clause. Periods can be differentiated according to whether the breach is such that a reasonable person would conclude that it would be likely to result in serious harm. The existing subclause 38(3) provides a non-exhaustive list of factors to assist entities to determine what constitutes 'serious harm'. Amendment Item 119 291. Amendment Item 119 removes a reference that is no longer needed as a result of Amendment Item 118, which clarifies when entities must notify the Commissioner of a suspected or actual data breach under this clause. Amendment Item 120 292. Amendment Item 120 makes consequential amendments to the simplified outline for Chapter 4 in clause 39, to reflect amendments to Chapter 4 made by Amendment Items 122, 123, 124 and 129, detailed below. Amendment Item 120 also inserts additional details about the Commissioner's regulatory functions, which include dealing with complaints that Scheme entities make about each other ('scheme complaints'), and other complaints relating to the scheme's administration or operation ('general complaints') reflecting Amendment Items 181, 182, 183 and 192. Amendment Item 121 293. Amendment Item 121 makes consequential amendments to the simplified outline for Chapter 4 in clause 39, reflecting amendments to Chapter 4 made by Amendment Items 124 and 138, which set out the constitutional basis for the roles of the Commissioner and the Council. Amendment Item 122 294. Amendment Item 122 omits the reference in clause 42 to an advocacy function for the Commissioner and substitutes a reference to a new education related function, to reflect amendments made by Amendment Item 129, which creates new clause 45A. 
Removal of the advocacy function is intended to address any apparent or perceived conflicts with the Commissioner's regulatory responsibilities. The new education related function allows the Commissioner to work with Scheme entities to support best practice sharing data, including when responding to requests to share public sector data. Amendment Item 123 295. Amendment Item 123 omits "the rules", and substitutes "an instrument under this Act" in clause 42 to broaden the potential methods by which other functions could be conferred on the Commission, noting that the rules are legislative instruments under subclause 133(1).


Amendment Item 124 296. Amendment Item 124 omits subclause 42(2) and substitutes a new subclause, reflecting the substitution of the Commissioner's advocacy function with education related functions under Amendment Item 129. The new subclause also identifies the constitutional basis for the role of the Commissioner. The Commissioner may perform functions with respect to the sharing of data under clause 13 and the collection and use of data in relation to such sharing. Subclause 13(4) identifies applicable constitutional requirements for relevant data sharing. Further, the constitutional basis for the role of the Commissioner extends to matters relating to the execution of any of the legislative powers of the Parliament or the executive power of the Parliament. Amendment Item 125 297. Amendment Item 125 amends clause 43 to introduce a new advisory function for the Commissioner. The new function is to advise Scheme entities on how, in their opinion, the Scheme applies or would apply in various circumstances. This could include, for example, how data sharing could comply with the Bill for a particular project. Performance of this function is intended to drive best practice by supporting safe sharing of data. 298. The advice function also relates to advising the Minister in relation to the exercise of the Minister's powers under Part 5.2 (Accreditation Framework). This will allow the Commissioner to support the Minister in the exercise of powers in relation to the accreditation framework (that is, the accreditation of the Commonwealth, States and Territories, and Commonwealth, State and Territory bodies as accredited users). Amendment Item 126 299. Amendment Item 126 omits "administration" and substitutes "administrative" in paragraph 43(c) to correct a typographical error in the Bill. Amendment Item 127 300. 
Amendment Item 127 inserts subclause numbering into clause 45 to reflect new subclause 45(2) inserted by Amendment Item 128. Amendment Item 128 301. Amendment Item 128 inserts a new subclause 45(2) to require the Commissioner be satisfied that a person assisting the Commissioner in performance of the Commissioner's regulatory functions (such as an APS employee made available to the Commissioner under clause 47) must have the skills, qualifications or experience necessary to provide assistance. 302. When considering whether a person's skills, qualifications or experience meet the required standard, the Commissioner should consider the relevance of the skills, qualifications or experience to the regulatory functions that the person will be assisting with. It is not necessary that such a person must have the required skills, qualifications or experience across all areas relevant to the Commissioner's regulatory functions, provided that they relate to the aspect of assistance which the
person would provide. The Commissioner should also consider the extent of the person's skills, qualifications or experience, including the length of experience. For example, the person may have extensive practical experience in regulatory work, but no relevant formal training or tertiary qualifications in the area. Amendment Item 129 303. Amendment Item 129 introduces a new clause, clause 45A, that establishes the Commissioner's education and support related functions. The Commissioner's education related functions give the Commissioner a role in assisting data custodians and Commonwealth bodies to support the overall functioning and operation of the Scheme. 304. The Commissioner's education and support related functions are also intended to foster best practice and safe data handling by Commonwealth bodies, allowing the Commissioner to make information and educational material available on using public sector data. Such information and educational materials will allow the Commissioner to support best practice and promote new or emerging ways of managing and sharing data. Amendment Item 130 305. Amendment Item 130 omits paragraph 50(2)(b) and inserts new paragraphs 50(2)(b) and 50(2)(c) to restrict delegation of certain powers. 306. New paragraph 50(2)(b) prevents the Commissioner delegating a regulatory function or a power in relation to a regulatory function to the extent that the function would be performed, or the power exercised, by a delegate in relation to the Department in which the delegate is an APS employee. This paragraph intends to avoid actual or perceived conflicts of interest which might arise if a delegate were to exercise regulatory powers in relation to the Department in which the delegate is an employee. 307. New paragraph 50(2)(c) prevents the Commissioner delegating functions or powers under Part 4.3 (National Data Advisory Council). 
The restriction on delegation of powers relating to the Council reflects the important role of the Commissioner in the Council. The intention of this paragraph is that the Commissioner's powers with regards to the Council, such as appointing members, are carried out by the Commissioner, rather than a delegate. Amendment Item 131 Amendment Item 131 omits the note at the end of clause 51, to reflect amendments to Part 5.2 (Accreditation framework) made by Amendment Item 161, detailed below. Amendment Item 132 308. Amendment Item 132 inserts a new clause 58A into the Bill. The effect of the new clause is to require the Commissioner to give the Minister notice of any interests, pecuniary or otherwise, that might conflict with the proper performance of their functions, as set out in Chapter 4 of the Bill. Amendment Item 132 also inserts a note following the new clause referring to the Commissioner's obligation to report
any conflicts of interest with regards to the Commissioner's role on the Council under clause 67. 309. The requirement to disclose conflicts of interest aligns with the Bill's underlying philosophy of accountability and transparency. It will also help to ensure that the Commissioner uses their powers under the Scheme objectively and fairly. Amendment Item 133 310. Amendment Item 133 inserts the words "if the Commissioner" at the start of paragraph 59(d) to correct a typographical error in the Bill. Amendment Item 134 311. Amendment Item 134 amends clause 59 to reflect the introduction of the new clause 58A on disclosure of interest to the Minister by Amendment Item 132. This amendment to clause 59 allows the Governor-General to terminate the appointment of the Commissioner if the Commissioner fails, without reasonable excuse, to give the Minister notice of any conflicts of interest with regards to the proper performance of their functions as required by the new clause 58A, clause 67 of the Bill or section 29 of the PGPA Act. 312. 'Reasonable excuse' is not defined, but is an excuse that an ordinary person would accept as reasonable in the circumstances. For example, if unforeseeable circumstances outside of the Commissioner's control prevented the Commissioner from meeting their disclosure obligations, this may provide a reasonable excuse. Amendment Item 135 313. Amendment Item 135 inserts the words "if the Commissioner" at the start of paragraph 59(f) to correct a typographical error in the Bill. Amendment Item 136 314. Amendment Item 136 inserts subclause numbering into clause 61 to reflect new subclause 61(2) inserted by Amendment Item 138. Amendment Item 137 315. Amendment Item 137 amends clause 61 to reflect changes in the terminology used. Amendment Item 138 316. Amendment Item 138 creates a new subclause 61(2) which identifies the constitutional basis for the role of the Council. 
The Council may perform functions with respect to the sharing of data under clause 13 and the collection and use of data in relation to such sharing. Subclause 13(4) identifies applicable constitutional requirements for relevant data sharing. Further, the constitutional basis for the role of the Council extends to matters relating to the execution of any of the legislative powers of the Parliament or the executive power of the Parliament. Amendment Item 139 317. Amendment Item 139 inserts the word "if" at the beginning of paragraph 70(d) to correct a typographical error in the Bill.


Amendment Item 140 318. Amendment Item 140 inserts new paragraph (da) into clause 70, which provides an additional ground for the Commissioner to terminate the appointment of a member of the Council. The ground allows the Commissioner to terminate the appointment if that Council member fails to meet their disclosure obligations under clause 67 and the member does not have a reasonable excuse for the failure to disclose. Clause 67 requires an appointed member to disclose to the Commissioner all of the member's interests, pecuniary or otherwise, that the member has, or acquires, that conflict or could conflict with the proper performance of the member's office as a member of the Council. The additional ground will assist in ensuring the Council provides objective advice on the operation and administration of the Scheme and is consistent with other Commonwealth laws. 319. 'Reasonable excuse' is not defined, but is an excuse that an ordinary person would accept as reasonable in the circumstances. For example, if unforeseeable circumstances outside of the member's control prevented the member from meeting their disclosure obligations, this may provide a reasonable excuse. Amendment Item 141 320. Amendment Item 141 amends the simplified outline in clause 73 of Chapter 5 (Regulation and Enforcement) of the Bill, reflecting the introduction of the term 'accreditation authority'. Amendment Item 142 321. Amendment Item 142 amends the simplified outline in clause 73 to reflect changes made by Amendment Item 183, which allows a Scheme entity to complain to the Commissioner about another Scheme entity that has breached a data sharing agreement to which they are a party. Amendment Item 143 322. 
Amendment Item 143 amends the simplified outline in clause 73 to reflect changes made to clause 101 by Amendment Item 194, which allow the Commissioner to also investigate an entity on their own initiative, if the Commissioner suspects the entity has breached the data sharing agreement to which the entity is a party. Amendment Item 144 323. Amendment Item 144 amends the simplified outline in clause 73 to reflect changes made by Amendment Item 194, which allow the Minister to direct the Commissioner to investigate a Scheme entity. Amendment Item 145 324. Amendment Item 145 amends the simplified outline in clause 73 to reflect changes made by Amendment Item 223, which empower the Commissioner to give directions in specified circumstances as an enforcement measure.


Amendment Item 146 325. Amendment Item 146 amends the simplified outline in clause 73 to reflect changes made by Amendment Items 109, 111 and 117, which introduce civil penalties to the data breach provisions in Chapter 3 of the Bill. Amendment Item 147 326. Amendment Item 147 amends clause 74 and clause 75 to clarify when an accreditation authority may accredit an entity as an ADSP or an accredited user and the requirements for the accreditation authority to give written notice of its decision to accredit under clause 74. The amended clauses 74 and 75 reflect the amendments made by Amendment Item 5, which introduces a new definition for 'accreditation authority' (detailed above) and Amendment Item 10 which changes the definition of an 'Australian entity' (detailed above). These changes address security concerns and improve consistency of accreditation assessments across different entity types. The amendments also reflect that the Minister is the accreditation authority for Commonwealth, State and Territory bodies politic and Commonwealth, State and Territory bodies (within the meaning of the Bill) seeking accreditation as accredited users. General provisions relating to accreditation are moved to new clause 77A. Amended clause 74 - Accreditation 327. Subclause 74(1), as amended, allows an accreditation authority to accredit an entity if the entity applies for accreditation under clause 76. The amended subclause contains a new requirement that the entity seeking accreditation needs to be an 'Australian entity' and that it must not be an excluded entity under subclause 11(3). 328. The accreditation authority must be satisfied that the entity meets the criteria under clause 77 to a standard appropriate for the accreditation for which it is applying, either as a user or an ADSP. The accreditation authority must also be satisfied that it is appropriate to accredit the entity in all the circumstances. 
This operates as a separate criterion, in addition to the criteria under clause 77, that the accreditation authority must consider before granting accreditation. This requires the accreditation authority to consider the application for accreditation holistically, including the broader scheme operation, when making a decision to grant accreditation. 329. The requirement of being an 'Australian entity' means only an entity that falls within the definition and is not an excluded entity may participate in the Scheme. Individuals, partnerships, trusts, unincorporated entities and bodies corporate (other than those that are Australian universities) are no longer eligible to apply for accreditation under the Scheme. This does not preclude individuals who are not Australian citizens or permanent residents from accessing shared data. Individuals who have an appropriate relationship with an accredited entity, such as an employee or researcher of an Australian university, may be able to access shared data under the Scheme. The Commissioner may make codes in relation to individuals who have a relationship with an accredited entity, who are not Australian citizens or permanent residents, who will have access to shared data. For example, the code may require the entity to record details relating to the individuals in the data sharing agreement.


330. Subclause 74(2) allows the accreditation authority to accredit an entity under subclause 74(1) with or without imposing conditions of accreditation. The accreditation authority may impose conditions of accreditation on the grounds that it is appropriate for reasons of security (defined to have the same meaning as in the ASIO Act, see Amendment Item 36), or where the conditions are reasonable and appropriate to ensure scheme data is collected and used in accordance with the Bill. Reasons of security can relate to acts of foreign interference, and is applied as a separate consideration from what is appropriate and reasonable in the circumstances. For example, a condition that requires the entity to access scheme data through a secure access data service provided by an ADSP may be a reasonable and appropriate condition to impose in order to ensure scheme data is used in accordance with the Bill. 331. When considering the imposition of conditions on an entity's accreditation, clause 79 requires the accreditation authority to give notice before making a decision to accredit an entity with conditions. Note that the rules may prescribe conditions of accreditation (refer clause 77B). 332. Subclause 74(3) provides that the accreditation authority may be satisfied that an entity meets the criteria of accreditation under clause 77, on the basis that the entity will comply with any conditions imposed on them. Alternatively, the entity may not be required to meet one or more criteria of accreditation, on the basis that the entity will comply with conditions of accreditation imposed on them. 
For example, an entity may not be required to have its own secure IT environment for the purpose of satisfying the accreditation authority that the entity can minimise the risk of unauthorised access, sharing and loss of data, if the accreditation authority imposes a condition requiring the entity to engage an ADSP to provide secure access data services (see subclause 16C(4)) to access scheme data. This is intended to provide greater efficiency in how accreditation operates including broadening the scope of entities who are able to participate in the Scheme where otherwise they would not have been able to, while maintaining the integrity of the Scheme. 333. Subclause 74(4) gives an example to illustrate how subclause 74(3) operates. This is designed to assist with interpretation of paragraph 74(1)(c) of when an accreditation authority might not consider it appropriate to grant an entity accreditation in all the circumstances. The example provided is where the entity's participation in the Scheme poses concerns for reasons of security. This may be on the basis of an adverse or qualified security assessment or advice from a national security agency. This example is not intended to limit the consideration under paragraph 74(1)(c) to matters only relating to security. 334. This amendment item also removes subclauses 74(6) and 74(7), as this content has been moved under the new clause 77A (see Amendment Item 153). Amended clause 75 - Notice of accreditation decision 335. The amended clause 75 sets out notice requirements in relation to an accreditation decision made under clause 74. Subclause 75(1) requires the accreditation authority to give the entity written notice of its accreditation decision as soon as practicable
after making the decision. This incorporates the requirements under the existing subclauses 75(1) and 75(2). 336. Subclause 75(2) sets out the content requirements for the notice under subclause 75(1). The accreditation must be renewed every five years in the case of an ADSP (see Amendment Item 178) and the notice must state reasons for a decision to accredit with conditions. This supports procedural fairness by detailing the entity's rights of review and the reasons for decision. 337. The existing subclause 75(3), which relates to the provision of reasons for refusing to accredit and information about review rights, has been moved to subclause 75(3), with the words 'if any' removed for avoidance of doubt. Amendment Item 148 338. Amendment Item 148 is a consequential amendment to clause 76 as a result of Amendment Item 5, which introduces a new definition for 'access' and 'accreditation authority' (detailed above). Amendment Item 149 339. Amendment Item 149 is a consequential amendment to clause 76 as a result of Amendment Item 10, which changes the definition of an 'Australian entity' (detailed above), reflecting that individuals cannot apply for accreditation under the Scheme. Amendment Item 150 340. Amendment Item 150 adds a further requirement in subclause 76(2) for applications for accreditation. The new requirement states where an entity applies for accreditation, it must supply evidence prescribed by the rules of its ability to meet the accreditation criteria to the appropriate standard. This is to make clear that the entity must supply the evidence prescribed by the rules to satisfy the accreditation authority that it meets the accreditation criteria relevant to the type of accreditation for which it is applying. Amendment Item 151 341. Amendment Item 151 removes subclause 76(3), including the note, to reflect the introduction of 'accreditation authority' by Amendment Item 5. Amendment Item 152 342. 
Amendment Item 152 simplifies the accreditation criteria under subclause 77(1) and inserts a new subclause 77(1A). The amendment consolidates the existing criteria and imposes additional criteria for ADSPs. This is intended to simplify and clarify the accreditation criteria for both accredited users and ADSPs. 343. Subclause 77(1) consolidates the accreditation criteria previously listed in clause 76 into the following requirements: - Appropriate data management and governance policies and practices, and an appropriately qualified individual with responsibility for data management and governance within the organisation; and
- Ability to minimise the risk of unauthorised access, sharing and loss of data; and - Necessary skills and capability to ensure privacy, protection and appropriate use of data, including the ability to manage any risks in relation to those matters. 344. The requirements under paragraph 77(1)(a) focus on the policies, guidelines and practices the entity has in place to appropriately handle data, including managing risks and responding to incidents. This criterion also includes that the entity has an appropriately qualified person in a role, for example a Chief Data Officer. This role can have different responsibilities in different types of entities, but must provide the leadership and accountability for the entity's data agenda. 345. Paragraph 77(1)(b) requires the organisation to have security settings in place, both physical and cyber controls, to protect against the unauthorised use of the data. No specific controls are prescribed in this paragraph, but the accreditation authority could have regard to the entity's application of relevant security standards, such as the Australian Government's Protective Security Policy Framework, applicable State or Territory government security policies, or the ISO/IEC 27001 framework. 346. Paragraph 77(1)(c) requires the organisation to have the necessary data skills and capability to handle data, including a consideration of hiring practices, such as personnel vetting and on boarding and off boarding processes, as well as role descriptions to support the appropriate use and protection of data. 347. The entity will also need to meet criteria prescribed by the rules (if any) under subclause 77(2). 348. Subclause 77(1A) sets out additional criteria for ADSP accreditation. An entity applying for accreditation as an ADSP needs to have the necessary policies, practices, skills and capability to perform de-identification data services, secure access data services, and complex data integration services. 
In accordance with paragraph 76(2)(c), standards required to meet the criteria will be set in the rules. This approach allows the Bill to remain technology neutral, while enabling the Scheme to adapt to emerging technologies and future needs over time. 349. In accordance with clause 74, the accreditation authority must be satisfied that the entity meets the criteria to a standard appropriate for the accreditation. The accreditation authority must also be satisfied that it is appropriate to accredit the entity in all the circumstances. While appropriate is not defined, it is intended to mean that the accreditation authority will consider responses to the criteria as a whole and in the context of the entity's business operations, such as its organisational structure, size and business purpose. For example, where an entity is large, more sophisticated documentation of data practices may be appropriate, as a mechanism to assist with defining the organisation's expectations across a large volume of staff. However, it may also be appropriate that the entity have a greater level of education, training, and monitoring to ensure this policy is reflected in their practices.


Amendment Item 153 350. Amendment Item 153 introduces a new clause 77A, that outlines matters which apply generally to accreditation. This new clause replaces the existing subclauses 74(6) and 74(7) removed by Amendment Item 147. New clause 77A - General provisions relating to accreditation 351. Subclause 77A(1) provides that an ADSP has the status of an ADSP at all times until the time its accreditation is cancelled under clause 81, which is the provision that empowers an accreditation authority to suspend or cancel accreditation. This means the entity continues to be subject to the responsibilities and requirements of the Scheme even when its accreditation is suspended. 352. Subclause 77A(2) provides the same clarification under subclause 77A(1) for accredited users. This approach ensures accredited entities remain regulated under the Bill and can be held accountable for their conduct with respect to scheme data, whether actively sharing or not. For example, sharing by or with an entity with suspended accreditation may attract penalties for unauthorised sharing, collection, and/or use (refer clause 14A). 353. Paragraphs 77A(3)(a) to 77A(3)(c) clarify that accreditation is granted subject to the accreditation authority's powers to place conditions on, suspend, and cancel an entity's accreditation (refer clauses 78 and 81). The Minister may prescribe conditions for accredited entities in the rules (refer clause 77B). Accreditation may also be affected by other legislation or future amendments to this legislation. 354. Paragraph 77A(3)(d) reflects that accreditation is granted on the basis that no compensation is payable if conditions of accreditation are imposed or varied, or the accreditation is suspended or cancelled. Accreditation and related interests are not property for the purposes of section 51(xxxi) of the Constitution, which allows Parliament to make laws for the acquisition of property on just terms. 
Accredited entities are therefore not entitled to just terms compensation where their accreditation status is altered. For example, no compensation would be payable if the Commissioner were to accredit an ADSP but later impose conditions limiting the types of data services it may perform. 355. Paragraph 77A(3)(d) is modelled on subsection 56CA(3) of the Competition and Consumer Act 2010 which relates to accreditation of data recipients for the Consumer Data Right, an analogous scheme for private sector data. Amendment Item 154 356. Amendment Item 154 introduces a new clause 77B. It also amends clauses 78 and 79 setting out separate notice requirements in relation to change in conditions of accreditation imposed on Scheme entities. The amendments support Amendment Item 147 which allows the accreditation authority to accredit an entity under subclause 74(2) with or without imposing conditions. New clause 77B - Conditions of accreditation 357. Clause 77B clarifies matters related to the imposition of conditions of accreditation and gives examples of conditions regarding how conditions may function.


358. Subclause 77B(1) provides that the Minister may prescribe conditions of accreditation using rules. The conditions so prescribed may apply to all entities, or a class of entities. For example, the prescribed conditions could require all accredited users that are Australian universities to use secure access data services where the data sharing project involves data which contains personal information. 359. Subclause 77B(2) clarifies that conditions of accreditation, whether prescribed by the rules or under the Bill, may require, permit or prevent entities from doing a thing. For example, a condition of accreditation may require an entity to only allow specified personnel within the entity to access scheme data. 360. Subclause 77B(3) provides a list of examples of the kinds of conditions that could be imposed. This list is not exhaustive and is not intended to limit the kind of conditions that may be imposed on an entity. 361. Clause 77B is designed to allow broad flexibility in imposition of conditions of accreditation, which will enable the conditions to address issues that the accreditation authority may encounter when assessing the application or in exercising their regulatory functions. This is intended to encourage more entities to participate in the Scheme, as it allows entities to participate in the Scheme where otherwise they may not have been able to. Amended clause 78 - Imposition, variation or removal of conditions of accreditation by accreditation authority 362. This item replaces clause 78 and reflects the amendments made by Amendment Item 5, which introduces a new definition for 'accreditation authority' (detailed above). Under this clause, the accreditation authority may impose, vary or remove conditions of accreditation imposed on entities while the entity is accredited. Conditions can be imposed for safeguarding scheme data and ensuring compliance with the Bill. 363. 
The new clause 78 explicitly recognises that an entity can be accredited in different capacities (that is, as an accredited user and as an ADSP), which is reflected under subclause 78(3). Note, failure to comply with a condition of accreditation is a contravention of a civil penalty provision and may mean a collection or use of scheme data by the accredited entity is not authorised and may be subject to other penalty provisions. 364. Subclause 78(1) provides that the accreditation authority for an entity may impose conditions of accreditation on the entity if it is appropriate for reasons of security or is otherwise reasonable or appropriate in the circumstances to ensure collection and use of scheme data in accordance with the Bill. Reasons of security includes an adverse or qualified security assessment of a person, for example in respect of an employee of the entity. As in the case of subclause 74(2), reasons of security can be potential foreign interference, and is applied as a separate consideration from consideration for what is appropriate and reasonable in the circumstances. For example, a condition that requires the entity to access scheme data through an ADSP may be an appropriate condition to impose to ensure the safe sharing of data.


365. Subclause 78(2) requires the accreditation authority to consider suspending or cancelling an entity's accreditation or to impose conditions if a court finds that the entity has committed an offence against the Bill or a civil penalty is made against the entity in relation to a serious contravention for the purposes of subclause 14(2) (see Amendment Item 53). Conditions, if imposed under this subclause, are to mitigate the risk of further contravention by the entity. For example, a condition could limit the individuals within the entity who are authorised to handle any scheme data collected or held by the entity. 366. Where an entity is accredited both as a user and an ADSP, subclause 78(3) requires the accreditation authority to apply their considerations under subclause (2) in relation to both of the entity's accredited capacities. 367. Subclause 78(4) allows the accreditation authority to vary or remove a condition of accreditation imposed under subclause (1) if it is appropriate for reasons of security or otherwise appropriate in circumstances. Reasons of security is a separate consideration from consideration for what is appropriate in the circumstances. 368. Subclause 78(5) requires the Minister to notify the Commissioner of the Minister's decision to impose, vary or remove a condition of accreditation. This supports the performance of the Commissioner's regulatory functions and to ensure information in the Register is current. Amended clause 79 - Notice before decision relating to conditions of accreditations 369. The amended clause 79 reflects the amendments made by Amendment Item 5, which introduces a new definition for 'accreditation authority' (detailed above), and clarifies requirements on the accreditation authority about notice given in relation to certain accreditation decisions. 370. 
Subclause 79(1) requires the accreditation authority to give an entity written notice of the proposed decision to accredit the entity with conditions, to impose, vary or remove conditions imposed on the entity, or to renew an ADSP accreditation with conditions. In the case of ADSP renewal, a notice is required even if the proposed conditions are the same conditions previously imposed. 371. Subclause 79(2) requires a notice under subclause (1) to state the proposed decision and request the entity respond to the notice in writing. The accreditation authority can specify a period within which the entity must respond. Subclause 79(3) places an additional obligation on the accreditation authority to consider any written statement given under subclause (2) before making their decision. 372. Subclauses 79(2) and 79(3) are designed to provide procedural fairness and allow the entity an opportunity to provide more information to the accreditation authority to ensure the authority has all the relevant information before the decision is made. This may occur if the information was initially omitted or the entity's circumstances have since changed or if the entity wishes to provide further information for the accreditation authority's consideration. 373. Subclause 79(4) provides that where changes to an entity's accreditation conditions are to address issues related to security, or urgent and serious issues, the accreditation authority may choose to not notify an accredited entity, before


applying a new condition, or varying or removing an existing condition. The accreditation authority may alternatively choose to issue a notice but not request a response, as is otherwise required under paragraph 79(2)(b). This subclause does not prevent the accreditation authority from considering submissions by the affected entity that were not solicited under this clause. 374. Subclause 79(4) ensures the accreditation authority is able to act quickly to mitigate serious and urgent risks. An example is if the accreditation authority reasonably believes a change in an entity's IT data storage arrangements has occurred that makes scheme data vulnerable. Entities will receive a notice under clause 80 of the condition imposed to ensure it can comply with its obligations under the Bill. Amendment Item 155 375. Amendment Item 155 omits subclauses 80(1) to 80(3) and inserts a new subclause 80(1) requiring the accreditation authority to give written notice of a decision to accredit as soon as practicable after making the decision under clause 78. The new subclause has incorporated the requirements under the existing subclauses 80(1) and 80(3). The requirements under the existing subclause 80(2) are removed because clause 80 is now only concerned with a notice of imposition, variation or removal of conditions after an entity has been accredited, which differs from a notice under clause 75, which relates to the decision to accredit an entity. Amendment Item 156 376. Amendment Item 156 renumbers existing subclause 80(4) to subclause 80(2) as a consequential amendment to Amendment Item 155. Amendment Item 157 377. Amendment Item 157 adds 'and' at the end of paragraph 80(2)(a) to clarify that, for an avoidance of doubt, all matters listed under subclause 80(2) must be included in a notice of conditions. Amendment Item 158 378. 
Amendment Item 158 adds 'and' at the end of paragraph 80(2)(b) to clarify that, for an avoidance of doubt, all matters listed under subclause 80(2) must be included in a notice of conditions. Amendment Item 159 379. Amendment Item 159 removes the text in brackets 'if any' to confirm that a decision to impose, vary or remove conditions by the accreditation authority is a reviewable decision. Amendment Item 160 380. Amendment Item 160 removes the note under clause 80, reflecting that foreign entities can no longer apply for accreditation under the Scheme.


Amendment Item 161 381. Amendment Item 161 amends clause 81 to reflect the amendments made by Amendment Item 5, which introduces a new definition for 'accreditation authority' (detailed above). It also imposes obligations on the accreditation authority to consider each type of accreditation the entity may hold when making a decision to suspend or cancel, for example in circumstances where an entity is accredited as a user and as an ADSP. 382. Subclause 81(1) provides grounds for when an accreditation authority may suspend or cancel the entity's accreditation. In particular, the grounds include entering into external administration for a non-Commonwealth body, where another accreditation authority refused to accredit, or suspended or cancelled the accreditation of the entity in its other capacity. 383. An entity's accreditation may need to be suspended or cancelled when it enters into external administration, because its management and governance, as well as its main objectives, effectively change as it enters into external administration, which means it likely no longer meets the accreditation criteria set out in clause 77. 384. A Commonwealth body's accreditation as an ADSP may need to be suspended and investigated if necessary, if the Minister refuses to accredit it as a user or its accreditation as a user is suspended or cancelled. This is to ensure the criteria of accreditation under clause 77 are enforced consistently across all the different capacities of an entity's participation in the Scheme. 385. Subclause 81(1) is accompanied by a note clarifying that an accredited entity remains accredited until its accreditation has been cancelled. 386. Subclause 81(2) allows the accreditation authority to suspend an entity's accreditation if the accreditation authority reasonably suspects that the entity has breached this Bill or a data sharing agreement. 387. 
Subclause 81(3) allows the accreditation authority to cancel an entity's accreditation if the Commissioner determines, following investigation under clause 102, that the entity has breached the Bill or a data sharing agreement. 388. Subclause 81(4) allows the Minister to cancel the accreditation of a Commonwealth body as a user if the Minister reasonably believes that the entity has breached this Bill or a data sharing agreement. The purpose of subclause 81(4) is to provide an alternative pathway for the Minister, as the accreditation authority for accrediting bodies politic and Commonwealth bodies, State bodies, and Territory bodies as users, to cancel accreditation. 389. Where an entity is accredited in more than one capacity, for example, where the entity is accredited as both an accredited user and an ADSP, subclause 81(5) allows the accreditation authority to take into account the entity's conduct in any one or all of those capacities when making a decision under subclauses 81(1), 81(2), 81(3) or 81(4). For example, where an entity is accredited as both a user and an ADSP, if the Commissioner determined following an investigation under clause 102 that the entity had breached a data sharing agreement to which they are a party as a user (such as by allowing unauthorised access to the shared data), this breach might be


relevant to assessing whether the entity continues to meet the criteria relevant to their accreditation as an ADSP and whether a suspension of their ADSP accreditation might be appropriate. 390. Similarly, where a Commonwealth body is accredited as an ADSP, subclause 81(6) requires the Commissioner (the accreditation authority for ADSPs) to consider cancelling or suspending its accreditation, or imposing or varying conditions of accreditation applicable to the entity's accreditation as ADSP, where the Minister has refused to accredit the Commonwealth body as a user or has suspended or cancelled its accreditation as a user. 391. Similar to subclauses 81(5) and 81(6), where an entity, who is an ADSP, as well as an accredited user, has its accreditation as an ADSP cancelled or suspended, subclause 81(7) requires the relevant accreditation authority to consider cancelling or suspending its accreditation, or imposing or varying conditions of accreditation applicable to the entity's accreditation as an accredited user. 392. Subclause 81(8) requires the Commissioner to suspend an entity's accreditation as an ADSP if the entity fails to apply for renewal of accreditation within five years of the last grant of accreditation. The Commissioner is also required to suspend or cancel an entity's accreditation as an ADSP if its application for renewal is refused, noting that the entity remains accredited until its accreditation is cancelled. 393. Subclause 81(9) allows the accreditation authority to cancel an entity's accreditation if an authorised officer of the entity requests cancellation and that request has been made in the approved form where there is one. 394. Subclause 81(10) provides that a decision to cancel an entity's accreditation will not be effective if the entity has failed to comply with a direction from the Commissioner under subclause 112(3), unless the accreditation authority for the entity determines otherwise. 
This means if an accredited entity fails to comply with directions to return or dispose of scheme data, their status as an accredited entity will continue. This approach ensures the entity remains subject to relevant responsibilities and liabilities, as a Scheme entity. In practice, this may involve the Commissioner issuing a direction and taking steps to verify or enforce compliance (which could include suspension of accreditation if the direction is not complied with) before making a decision to cancel accreditation. Amendment Item 162 395. Amendment Item 162 is a consequential amendment to clause 82 to reflect the amendments made by Amendment Item 5, which introduces a new definition for 'accreditation authority' (detailed above), and Amendment Item 168 which consolidates existing subclauses 82(4) to 82(8) into a new subclause 82(4), reflecting the amendments to remove separate accreditation criteria for Commonwealth bodies under clause 74. Amendment Item 163 396. Amendment Item 163 is a consequential amendment to clause 82 to reflect the amendments made by Amendment Item 161, which amends clause 81 to impose


obligations on the accreditation authority to consider each type of accreditation the entity may hold when making a decision to suspend or cancel their accreditation. Amendment Item 164 397. Amendment Item 164 is a consequential amendment to clause 82 to reflect the amendments made by Amendment Item 5 introducing a new definition for 'accreditation authority' and Amendment Item 161 which amends clause 81 to impose obligations on the accreditation authority to consider each type of accreditation the entity may hold when making a decision to suspend or cancel. Amendment Item 165 398. Amendment Item 165 is a consequential amendment to clause 82 to reflect the amendments made by Amendment Item 5, which introduces a new definition for 'accreditation authority'. Amendment Item 166 399. Amendment Item 166 is a consequential amendment to clause 82 to reflect the amendments made by Amendment Item 161, which details the circumstances in which a decision to suspend or cancel an entity's accreditation can occur. Amendment Item 167 400. Amendment Item 167 is a consequential amendment to clause 82 as a result of Amendment Item 5 introducing a new definition for 'accreditation authority', and amendments to clause 81, which details circumstances in which an entity's accreditation may be suspended or cancelled (Amendment Item 161). Amendment Item 168 401. Amendment Item 168 consolidates subclauses 82(4) to 82(8) into a new subclause 82(4), reflecting amendments to clause 74 under Amendment Item 147 to improve consistency of accreditation assessments across different entity types. This item clarifies that, for avoidance of doubt, if the decision to suspend or cancel an entity's accreditation is to address matters related to security, or urgent and serious issues, the accreditation authority may choose to not notify an accredited entity, before making a decision to suspend or cancel accreditation. 
The accreditation authority may alternatively choose to issue a notice but not request a response, as is otherwise required under paragraph 82(2)(c). This subclause does not prevent the accreditation authority from considering submissions by the affected entity that were not solicited. 402. Subclause 82(4) ensures the accreditation authority is able to act quickly to mitigate serious and urgent risks. An example of such a situation is if the accreditation authority reasonably believes there is a risk of serious non-compliance with a data sharing agreement that requires investigation. The Commissioner may immediately suspend the entity's accreditation without giving the entity any written notice. Amendment Item 169 403. Amendment Item 169 is a consequential amendment to clause 83 as a result of Amendment Item 5 introducing a new definition for 'accreditation authority', and


amendments to clause 81, which detail circumstances in which an entity's accreditation may be suspended or cancelled (see Amendment Item 161). Amendment Item 170 404. Amendment Item 170 is a consequential amendment to clause 83 as a result of Amendment Item 5, which introduces a new definition for 'accreditation authority'. Amendment Item 171 405. Amendment Item 171 is a consequential amendment to clause 83 as a result of Amendment Item 5, which introduces a new definition for 'accreditation authority'. Amendment Item 172 406. Amendment Item 172 is a consequential amendment to clause 83 as a result of Amendment Item 5, which introduces a new definition for 'accreditation authority'. Amendment Item 173 407. Amendment Item 173 removes paragraph 83(3)(b), reflecting the amendments to remove separate accreditation criteria for Commonwealth bodies under clause 74 (Amendment Item 147). Amendment Item 174 408. Amendment Item 174 is a consequential amendment to clause 83 as a result of Amendment Item 161, which amends clause 81. Amendment Item 175 409. Amendment Item 175 amends paragraph 83(3)(e) to remove the text in brackets 'if any' to confirm that a decision to cancel or suspend accreditation by the accreditation authority is a reviewable decision. Amendment Item 176 410. Amendment Item 176 removes both notes under clause 83, reflecting the changes to subclause 83(3) and that foreign entities can no longer apply for accreditation under the Scheme. Amendment Item 177 411. Amendment Item 177 adds a new clause 83A to allow accreditation authority to lift a suspension by written notice, where the accreditation authority is satisfied that circumstances have changed so that grounds no longer exist for the suspension, or it is otherwise no longer appropriate to continue the suspension on the entity's accreditation. 412. 
For example, the accreditation authority may suspend a user's accreditation because they reasonably suspect that unauthorised individuals within an accredited entity are accessing scheme data and have grounds for suspecting that this may be a systemic issue. The accreditation authority can lift the suspension if appropriate, after an investigation demonstrates that there are no grounds for continuing the suspension.


413. This is to ensure that accredited entities can resume participating in the scheme once the accreditation authority is satisfied the reasons for suspension no longer exist. Amendment Item 178 414. Amendment Item 178 rewrites Division 4 of Part 5.2, to provide a framework through which entities can seek renewal of accreditation as an ADSP. The Scheme no longer allows transfer of accreditation in case of restructuring of an accredited entity. This is because the entity can undergo significant changes following restructure, including its management and governance policies, and hence is required to apply for accreditation under its new structure. 415. The new Division 4 strengthens the Commissioner's oversight of ADSPs. The requirement to renew accreditation is to ensure that the entities continue to meet the accreditation criteria. The Commissioner can impose conditions on the ADSP's accreditation in response to any changes to the entity's circumstances. An ADSP's accreditation must be renewed every five years. Where an ADSP fails to apply for renewal within five years, the entity will be suspended until its accreditation is renewed or cancelled. New Clause 84 - Renewal 416. This clause sets out requirements for renewal of ADSP accreditation. Subclause 84(1) outlines the criteria under which the Commissioner can renew the accreditation of an ADSP. The criteria to renew accreditation of an ADSP aligns with the criteria under clauses 74 and 77 for initial accreditation. This ensures consistency in the accreditation process. 417. Subclause 84(2) allows the Commissioner to renew the accreditation of an entity under subclause 84(1) with or without imposing conditions of accreditation. The conditions can be the same conditions that were imposed on the entity previously. 
The Commissioner may impose conditions of accreditation if the condition is appropriate for reasons of security, or is otherwise reasonable and appropriate in the circumstances to ensure that scheme data is collected and used in accordance with the Bill. 418. For example, if an entity was accredited as an ADSP with the condition not to provide secure access data services, the Commissioner may impose the same condition if the entity continues to not meet the criteria for providing the service at the time of renewal. 419. Note 1 under subclause 84(2) signposts the Commissioner's obligation to give an entity notice under clause 79 before making a decision to renew the entity's accreditation with conditions. Note 2 clarifies that the Minister can prescribe conditions of accreditation through rules and these rules would apply despite the Commissioner's decision not to impose any conditions. 420. Subclause 84(3) provides that the Commissioner may be satisfied that the criteria of accreditation under clause 77 may be met with conditions of accreditation imposed, on the basis that the entity will comply with the conditions. Alternatively, the entity may not be required to meet one or more criteria of accreditation, on the basis that the entity will comply with conditions of accreditation imposed. For example, an


entity may not have the capability to provide all of the ADSP services so a condition could be applied to limit the kinds of data services the entity may provide. 421. Subclause 84(4) gives an example to illustrate how paragraph 84(1)(c) operates. An accreditation authority might not consider it appropriate to renew an entity's accreditation where the entity's participation in the scheme may pose concerns for reasons of security. This may be on the basis of an adverse or qualified security assessment or advice from a national security agency. This example is not intended to limit the consideration under paragraph 84(1)(c) to matters only relating to security. New Clause 85 - Notice of renewal decision 422. This clause sets out notification requirements in relation the Commissioner's decision under clause 84. Subclause 85(1) requires the Commissioner to give an entity written notice of a decision to renew or refuse to renew the entity's accreditation as soon as practicable after the decision is made. The requirement to give notice supports procedural fairness. 423. Where the Commissioner decides to renew the accreditation, subclause 85(2) requires the notice to include certain information, including that the renewal is in effect for five years, any conditions of accreditation, and the entity's rights of review under Part 6.2. Where the Commissioner decides to renew with the same conditions of accreditation imposed before the renewal, the conditions must also be set out in the notice. 424. If the Commissioner refuses to renew the accreditation, subclause 85(3) requires the Commissioner to give the entity written notice setting out the reason for the refusal, that the entity's accreditation will be suspended or cancelled under clause 81, and the entity's rights of review under Part 6.2. New Clause 85A - Application for renewal 425. This clause sets out procedural requirements for how an entity can apply to renew its accreditation as an ADSP. 
Under subclause 85(1), an entity accredited as an ADSP may apply for renewal of its accreditation. The note under subclause 85A(1) clarifies that an ADSP, whose accreditation is suspended as a result of failure to apply for renewal, may still apply for renewal under this subclause. 426. Subclause 85A(2) requires the application to be made by an authorised officer of the entity and if there is an approved form, the application needs to be made in that form. The application must also include the evidence prescribed by the rules to support the criteria for accreditation. The rules may prescribe, for example, evidence to demonstrate the entity's ability to de-identify data. 427. The entity is also required to provide consent for the Commissioner to obtain information relevant to the entity's application from third parties and verify information provided by the entity with third parties. Amendment Item 179 428. Amendment Item 179 is a consequential amendment to clause 87 as a result of Amendment Item 5, which introduces a new definition for 'accreditation authority'.


Amendment Item 180 429. Amendment Item 180 is a consequential amendment to clause 87 as a result of Amendment Item 5, which introduces a new definition for 'accreditation authority'. Amendment Item 181 430. Amendment Item 181 amends the title of this Division to 'Scheme complaints'. This change reflects the introduction of a new class of complaints - 'general complaints' - by amendments under Amendment Item 192 introducing new clauses 94 to 96. Amendment Item 182 431. Amendment Item 182 amends the title of this clause to 'Making scheme complaints'. This change reflects the introduction of a new class of complaints - 'general complaints' - by new clauses 94 to 96 under Amendment Item 192. Amendment Item 183 432. Amendment Item 183 replaces subclause 88(1) to clarify, for the avoidance of doubt, that a Scheme entity may make a scheme complaint when it reasonably suspects another Scheme entity has breached this Bill or a data sharing agreement to which both entities were a party at the time of the alleged breach. The standard of reasonable suspicion indicates that it is less than a reasonable belief but more than a mere possibility. It reflects that entities may require action by the Commissioner in order to be able to gather evidence on alleged breaches. Amendment Item 184 433. Amendment Item 184 is a consequential amendment to subclause 88(2) to replace the term "belief" with the term "suspicion", in order to be consistent with the amendment to subclause 88(1) in Amendment Item 183. Amendment Item 185 434. Amendment Item 185 removes subclause 88(4), reflecting the removal of "representative complaints" from this Bill under Amendment Item 192. Amendment Item 186 435. Amendment Item 186 removes the note under subclause 89(2) regarding certain entities that are non-legal persons, as clauses 124 and 125 have been substantially amended and trusts and partnerships can no longer apply for accreditation under the Scheme. Amendment Item 187 436. 
Amendment Item 187 amends subclause 90(1) to clarify that requirements under this clause relate to only scheme complaints made under clause 88. This reflects the introduction of a new class of complaints - 'general complaints' - by new clauses 94 to 96 under Amendment Item 192.


Amendment Item 188 437. Amendment Item 188 amends paragraph 91(1)(b) to include the consideration of external dispute resolution schemes recognised under clause 131 as a means to resolve scheme complaints. This reflects amendments to clause 92 under Amendment Item 190, which provides authorisation to cease dealing with a complaint if the matter is being resolved through external dispute resolution or conciliation. 438. External dispute resolution is an independent service that generally provides a structured dispute resolution mechanism, such as mediation or arbitration. Use of such processes is encouraged as they maximise the autonomy of parties to resolve the complaint and can avoid the need for court proceedings. It also reflects similar approaches in the Privacy Act and the Corporations Act 2001. Amendment Item 189 439. Amendment Item 189 removes the note under clause 91, reflecting amendments to clause 92 that clarify the treatment of complaints when conciliation is not appropriate or has not been effective in resolving the complaint. Amendment Item 190 440. Amendment Item 190 amends subclause 92(1) to clarify circumstances in which the Commissioner is able to cease dealing with scheme complaints. The key amendments are: - updating references from "breaches" to "alleged breaches", particularly where listed circumstances are likely to precede any formal assessment or investigation; - allowing the Commissioner to not deal with a complaint if the alleged breach did not occur or is not material, for example this may be where the alleged breach is based on a misunderstanding and has no adverse consequence to the data sharing agreement or operation of the Scheme; and - allowing the Commissioner to cease dealing with a complaint if the matter is being resolved through external dispute resolution or conciliation recognised under clause 131 (whether or not the entity and the complainant agree to do so). 441. 
Amendment Item 190 amends paragraph 92(2)(b) to require the Commissioner to provide the complainant with a notice of review rights under Part 6.2 if the Commissioner decides to cease dealing with a complaint. Amendment Item 191 442. Amendment Item 191 amends clause 93 to reduce the scope of the admissibility of evidence of anything said or done in the course of conciliation. In particular, the evidence is not admissible in any legal proceedings under this Bill or any other law, as opposed to any legal proceedings relating to the complaint. The exception is where participants otherwise agree, or when conduct that occurred during the course of conciliation constitutes an offence or civil contravention. This aligns with the


standard protections for matters and parties involved in conciliation processes, which aims to encourage frank discussions in order to resolve disputes. Amendment Item 192 443. Amendment Item 192 replaces the existing Division 2 on representative complaints with a new Division that establishes a new class of complaints - 'general complaints', with new clauses 94 to 96. 444. The introduction of general complaints provides a means for members of the general public or Scheme entities to raise concerns with the Commissioner on the operation and administration of the Scheme. This mechanism will help the Commissioner to identify any systemic issues in the Scheme, as well as providing an avenue for complaints from individuals impacted by decisions to share data under the Scheme. 445. General complaints under this Division supplement existing avenues for redress under other schemes. For example, an affected person may also complain about government activities to the Commonwealth Ombudsman, to other Ombudsmen and regulators, or to the Information Commissioner about suspected mishandling of their personal information. 446. Inclusion of general complaints in this Bill supports a 'no wrong door' approach to engaging with the Government. The operation of clause 107 allows general complaints received under this Division to be transferred to other regulatory bodies, such as the Information Commissioner. New clause 94 - Making general complaints 447. Clause 94 establishes a separate complaints mechanism under the Scheme. General complaints provide a means for any person, whether or not they are a Scheme entity, to raise issues on the administration or operation of the Scheme with the Commissioner. 448. This clause intends to allow any person, such as a member of the general public, to raise concerns and issues, including where their personal information may have been shared under a data sharing agreement. 
For example, a complainant may raise concerns about the details of a particular data sharing agreement, or the accreditation of a particular Scheme entity due to their conduct in other schemes.

New clause 95 - Dealing with complaints

449. Clause 95 sets out the powers of the Commissioner when dealing with a general complaint. The Commissioner may make preliminary inquiries as needed, request additional information, and arrange conciliation if appropriate. Conciliation is encouraged where possible as it maximises the autonomy of the parties to resolve the complaint.

450. If the complaint gives the Commissioner reasonable cause to believe that an entity has breached the Bill or a data sharing agreement, the Commissioner may start an investigation under clause 101. The Commissioner may also exercise other powers under this Bill, including conducting an assessment under clause 99, or transferring the complaint to a body better placed to address it under clause 107.


451. The Commissioner may take no action with regard to a general complaint if satisfied that none is required - for example, because the complaint is vexatious or unsubstantiated. While there are no specific grounds prescribed for not dealing with a general complaint made under clause 94, the grounds for not dealing with a scheme complaint under clause 92 provide non-exhaustive guidance when considering whether action should be taken. There are also no prescribed requirements on the process for dealing with general complaints, such as timeframes and notifications. This is intended to give the Commissioner greater flexibility in handling general complaints, including the ability to tailor internal complaints handling policy and processes to the volume and types of general complaints.

New clause 96 - Admissibility of things said or done in conciliation

452. Clause 96 provides that anything said or done in the course of conciliation is not admissible in any legal proceedings, unless otherwise agreed to by the parties or where conduct that occurred during the course of conciliation constitutes an offence or civil contravention.

453. This clause has a similar scope of protection as the new clause 93 in relation to scheme complaints. It allows parties to the complaint to fully commit to conciliation and aligns with standard protections for matters and parties involved in conciliation.

Amendment Item 193

454. Amendment Item 193 amends subclause 101(1) to clarify that the Commissioner is not required to proceed with an investigation that relates to a scheme complaint made under clause 88 if satisfied that a ground exists to cease dealing with the complaint, as outlined under clause 92. This includes where the complaint has been resolved through conciliation, as permitted under paragraph 91(1)(b) and subclause 92(1).

Amendment Item 194

455. Amendment Item 194 inserts new subclauses 101(1A) and (1B), and amends subclause 101(2).
The new subclauses allow the Minister to direct the Commissioner to investigate an entity.

456. The new subclause 101(1A) requires the Commissioner to investigate conduct of an entity engaged in while the entity is or was a Scheme entity, if directed by the Minister. Subclause 101(1B) clarifies when the Minister has the power to direct such investigation. The power arises in relation to an entity that is a Commonwealth body, State body or Territory body of which the Minister is the accreditation authority, and the Minister has reasonable suspicion that the entity has or is proposing to breach requirements under the Bill or a data sharing agreement. The investigation can be carried out while the entity is still accredited under the Scheme or is no longer a Scheme entity.

457. Subclause 101(2) specifies that the Commissioner may investigate an entity on the Commissioner's own initiative where they hold a reasonable suspicion that the entity is breaching or is proposing to breach this Bill or a data sharing agreement. This means that the Commissioner does not need to wait for a scheme complaint before investigating an entity that was or is a Scheme entity. Such reasonable suspicion could be formed based on a tip-off by an employee of the entity, a general complaint, information received from other regulators, the entity's continued conduct that caused a previous breach, or discrepancies identified in the Commissioner's annual reporting. There is no requirement to form a view regarding the entity's intention of breaching the Bill or whether a data sharing agreement provided information regarding the entity's conduct could reasonably lead to a breach.

Amendment Item 195

458. Amendment Item 195 replaces subclause 101(4) to identify situations in which the Commissioner may choose to cease an investigation. For an investigation triggered by a scheme complaint, the Commissioner may stop the investigation if satisfied that one or more grounds for not dealing with the complaint apply under clause 92.

459. If an investigation has commenced under the Minister's direction, the Commissioner may stop investigating if the Minister no longer reasonably suspects that the entity has breached or is proposing to breach this Bill or a data sharing agreement, and the Minister informs the Commissioner. This situation could arise where the Commissioner reports to the Minister information obtained during an investigation which sufficiently satisfies the Minister of the entity's compliance under the Bill or a data sharing agreement, and the Minister informs the Commissioner of that fact. Otherwise, the Commissioner may cease the investigation if it considers it appropriate to do so.

460. Similarly, if an investigation has commenced under the Commissioner's own initiative, the Commissioner may stop investigating when the Commissioner no longer reasonably suspects the entity has breached the Bill or a data sharing agreement, or otherwise considers it appropriate to do so.
Circumstances where it would be appropriate to cease an investigation may include when additional information comes to light which demonstrates the entity is compliant with its obligations, or the complaint which triggered the investigation was not made in good faith.

Amendment Item 196

461. Amendment Item 196 amends subclause 102(1) to reflect the amendments to clause 101 made by Amendment Item 194 to expand the scope of the Commissioner's investigation to cover breaches of data sharing agreements in addition to breaches of this Bill. This amendment requires that if the Commissioner completes an investigation, the determination must outline the Commissioner's opinion on whether the entity has breached, or is proposing to breach the Bill or a data sharing agreement, and the reasons for that opinion.

Amendment Item 197

462. Amendment Item 197 is a consequential amendment to paragraph 102(1)(b) to reflect the introduction of 'accreditation authority' under clause 74, and the inclusion of potential breaches of a data sharing agreement as a cause for an investigation under clause 101.


Amendment Item 198

463. Amendment Item 198 adds a new subclause 102(2A) to ensure the Minister is informed of the outcome of an investigation that commenced under the Minister's direction. This subclause requires the Commissioner to give the Minister a copy of the determination of an investigation conducted under the Minister's direction under subclause 101(1B), after completion of the investigation.

Amendment Item 199

464. Amendment Item 199 amends paragraph 103(3)(a) in relation to a notice following the completion of an investigation of operations of an entity. In addition to the requirement that the Commissioner must give the entity the determination under clause 102 in relation to the investigation setting out the Commissioner's opinion and reasons, this item requires the Commissioner to also include information on the entity's review rights under Part 6.2 if the Commissioner decides to make the determination publicly available under subclause 102(2).

465. This item reflects the amendment to clause 118 in relation to reviewable decisions by Amendment Item 224. The new clause 118 specifies that a decision under subclause 102(2) to make a determination publicly available, for any period of time, is a reviewable decision. This amendment aligns with the Australian Review Council's Practical Guidelines on Preparing Statements of Reasons, where appeal rights should be included if available.

Amendment Item 200

466. Amendment Item 200 is a consequential amendment that reflects the introduction of a new class of complaints - 'general complaints' established under clauses 94 to 96 - in addition to 'scheme complaints' established by clause 88. This item inserts the reference to clause 88 or 94, for the avoidance of doubt, that the Commissioner may provide determinations that relate to both general and scheme complaints to the relevant complainant.

Amendment Item 201

467.
Amendment Item 201 introduces a new subclause 103(3A) requiring the Commissioner to give written notice to the relevant entity and complainant if it decides to cease an investigation triggered by a complaint. This mirrors subclause 92(2), which requires the Commissioner to give written notice to affected entities if it decides to cease dealing with a complaint.

Amendment Item 202

468. Amendment Item 202 introduces a new clause 103A, allowing the Commissioner to give recommendations to a Scheme entity upon completion of an assessment or investigation. These recommendations may relate to any action the Commissioner considers appropriate for the entity to take. This further supports the Commissioner's functions to provide guidance on the Scheme.


Amendment Item 203

469. Amendment Item 203 reduces the civil penalty units under subclause 104(2) in relation to failure to produce information or documents required by the Commissioner. The penalty is reduced from 300 penalty units to 30 penalty units to address matters raised by the Senate Standing Committee for the Scrutiny of Bills. This item intends to make the penalty proportionate to the contravention concerned and has been formulated consistent with the Guide to Framing Commonwealth Offences. The penalty is comparable to a similar offence for failure to provide information at section 60 in the Privacy Act where the penalty is imprisonment for 12 months or 20 penalty units for an individual, and 100 penalty units for a body corporate. The amount of a penalty unit is provided under section 4AA of the Crimes Act 1914, as updated from time to time.

Amendment Item 204

470. Amendment Item 204 reduces the criminal penalty under subclause 104(3) from 12 months to six months imprisonment. This item intends to make the penalty proportionate to the offence concerned and to address matters raised by the Senate Standing Committee for the Scrutiny of Bills. The penalty has been formulated consistently with the Guide to Framing Commonwealth Offences. The penalty is comparable to a similar offence for failure to provide information at section 60 in the Privacy Act where the penalty is imprisonment for 12 months or 20 penalty units for an individual and 100 penalty units for a body corporate.

Amendment Item 205

471. Amendment Item 205 replaces subclause 105(1) to confine the scope in which a person is not excused on grounds of legal professional privilege from giving information or producing a document if required to under clause 104.
This item provides that a person must still comply with a notice under clause 104 if the communication is legal advice given to a Minister or a Commonwealth body, or a communication between a designated individual for a Commonwealth body and another person or body. This means that Commonwealth entities are not able to rely on grounds of legal professional privilege to protect against disclosure of information that has been required by the Commissioner under clause 104.

Amendment Item 206

472. Amendment Item 206 inserts new subclauses 105(4) and 105(5) to expand on the process involved when a person claims on grounds of legal professional privilege to prevent the disclosure of information that has been required by the Commissioner under clause 104. A person seeking to protect privileged information from disclosure must give written notice to the Commissioner claiming legal professional privilege that would otherwise be available if subclause 105(1) did not operate.

473. Subclause 105(4) sets out the Commissioner's actions upon receiving such a claim. The Commissioner must withdraw the notice to produce unless satisfied that requiring the person to give the information is reasonably necessary and proportionate to the investigation. The Commissioner must also ensure that the information and documents are held securely and destroyed when the investigation ends.

474. The Commissioner may only disclose the information or documents to certain persons when satisfied that the disclosure is reasonably necessary for the purposes of the investigation. The persons whom the Commissioner may subsequently disclose privileged information to must be either a member of the staff under clause 47, or a contractor or consultant engaged under clauses 48 and 49, or otherwise providing services to the Commissioner.

475. Subclause 105(5) clarifies that subclause 105(4) does not apply if there are no reasonable grounds for the person's claim.

Amendment Item 207

476. Amendment Item 207 is a consequential amendment to clause 107 to clarify that the reference to a complaint under clause 107 includes both scheme complaints and general complaints under clauses 88 and 94. The effect is that the Commissioner may cease to deal with a matter (including any of the complaints received) and transfer it to an appropriate body prescribed by clause 108 where it could be more effectively and conveniently dealt with by that body.

Amendment Item 208

477. Amendment Item 208 amends subclause 108(1) to allow the Commissioner to disclose both information and document to a body prescribed in subclause (2) if certain criteria are met.

Amendment Item 209

478. Amendment Item 209 is a consequential amendment to subclause 108(1) to include a reference to a document following Amendment Item 208. This item clarifies that the disclosure of information or document is permitted where that information or document was collected by the Commissioner or staff member in the course of performing functions under this Bill.

Amendment Item 210

479. Amendment Item 210 is a consequential amendment to subclause 108(1) to include a reference to a document following Amendment Item 208.

Amendment Item 211

480.
Amendment Item 211 is a consequential amendment to add 'and' at the end of paragraph 108(1)(b) to reflect the inclusion of new paragraph 108(1)(c) under Amendment Item 212.

Amendment Item 212

481. Amendment Item 212 inserts a new paragraph 108(1)(c) to provide for another precondition to disclosure under clause 108, requiring that a claim in legal professional privilege under subclause 105(4) does not apply. This means that information or document protected by legal professional privilege under clause 105 is not authorised to be disclosed under subclause 108(1). This is consistent with other Commonwealth laws and the treatment of information with legal professional privilege.

Amendment Item 213

482. Amendment Item 213 amends subclause 108(3) to allow the Commissioner, or a member of staff under clause 47 assisting the Commissioner, to receive both information and document that may be disclosed by a body prescribed under subclause 108(2).

Amendment Item 214

483. Amendment Item 214 is a consequential amendment to clause 109 to reflect the amendments to clause 14, resulting in the change of references from clause 14 to new clauses 14 and 14A by Amendment Item 53 in relation to an offence or penalty prescribed under those clauses.

Amendment Item 215

484. Amendment Item 215 adds a note under subclause 109(4) in relation to the selection of persons providing assistance to an authorised person exercising monitoring powers under Part 2 of the Regulatory Powers Act. The note states that the person assisting must have the necessary skills, qualifications or experience, consistent with the requirements under subclause 45(2) in relation to persons assisting the Commissioner in the performance of their regulatory functions.

Amendment Item 216

485. Amendment Item 216 adds a note under subclause 110(3) in relation to the selection of persons providing assistance to an authorised person exercising investigative powers under Part 3 of the Regulatory Powers Act. The note states that the person assisting must have the necessary skills, qualifications or experience. This aligns with Amendment Item 215 and is consistent with the requirements under subclause 45(2) in relation to persons assisting the Commissioner in the performance of their regulatory functions.

Amendment Item 217

486. Amendment Item 217 removes clause 111, as the content of this clause is being incorporated under Part 5.4 - Assessments and Investigations.

Amendment Item 218

487.
Amendment Item 218 replaces clause 112 in relation to directions, and provides for three circumstances in which directions may be issued. This amendment separates the different circumstances so as to distinguish urgent directions to address situations of urgency from other directions issued for compliance or administrative purposes that do not need to be actioned immediately.

488. The first circumstance, outlined in subclause 112(1), is in situations of urgency to address non-compliance or an emergency or high risk situation. The Commissioner may issue directions either where the Scheme entity, or another entity, has acted or is likely to act inconsistently with this Bill or a data sharing agreement, or where an emergency or high risk situation has arisen or is likely to arise. There must be an element of immediate necessity for an entity to take or not take an action in order to address or prevent the situation.

489. What may constitute a situation of urgency or an emergency or high risk situation is assessed on a case-by-case basis. Such a situation exists when the Commissioner reasonably believes a threat has arisen that poses serious risks to activities or participants in or outside of the Scheme if not promptly addressed. Some factors that would give rise to such situations are where the negative consequences from not issuing a direction would likely have a significant impact on the privacy and security of individuals or entities, cause irreparable harm to individuals or entities, lead to the breach of other laws, or be likely to become a matter of national concern. An example of a high-risk situation is where the Commissioner becomes aware of a systemic weakness in IT systems used to share data that could result in unauthorised sharing or release of sensitive data, that is likely to compromise the integrity or wellbeing of entities to which the data relates.

490. The second circumstance, outlined in subclause 112(2), is when the Commissioner is satisfied a Scheme entity has acted or is likely to act inconsistently with this Bill or a data sharing agreement, and where there is a necessity for the entity to take or not take an action. The Commissioner may detect a breach in the course of an assessment or investigation, or be otherwise satisfied of the entity's breach. An example of the latter is where a Scheme entity is clearly acting inconsistently with its data sharing agreement, such as an ADSP sharing to the wrong accredited user or in a manner that is different to safeguards agreed under the data sharing principles. In these circumstances, a direction could be issued to correct non-compliant or contributory behaviours, and mitigate associated risks or harm.

491.
The third circumstance, outlined in subclause 112(3), enables the Commissioner to issue directions to accredited entities to deal with scheme data in a certain way to mitigate risks associated with the pending cancellation of their accreditation. A direction could be to destroy, return, or otherwise handle the scheme data as instructed. For example, the Commissioner may direct the entity to return any scheme data in their possession to the data custodian. A return of data is distinct from sharing authorised by Chapter 2 as the direction to return is a regulatory measure.

492. Subclause 112(4) provides that the specified actions in a direction may include providing another entity with access to scheme data. This is appropriate in the circumstance where a Scheme entity's relevant functions to which the project relates have been transferred to another Scheme entity due to a machinery of government change, and the continued operation of the existing data sharing arrangement without further action is likely to lead to non-compliance with this Bill or a data sharing agreement.

493. Subclause 112(5) states the consequences for the breach of a direction, which is up to 300 penalty units. This aligns with analogous laws and the Guide to Framing Commonwealth Offences. Consistent with the Guide to Framing Commonwealth Offences, the Bill sets maximum penalties; a court will determine what is appropriate on a case-by-case basis. The maximums balance the penalties of older frameworks, such as the Privacy Act, with more contemporary offences for mishandling government and consumer data. This intends for the Scheme to align with other applicable frameworks, without duplicating them, as well as with community expectations.

494. Subclause 112(6) clarifies that any direction made under this clause is not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003.

495. Directions will allow the Commissioner to act quickly to protect the integrity of the Scheme, and to limit and manage the impact of legislative and data breaches. This enables the Commissioner to flexibly manage non-compliance, mitigating serious consequences that are less able to be addressed through slower court processes. The directions power also allows for a graduated enforcement approach and aligns with existing regulatory norms, targeting both urgent and less urgent circumstances.

496. The Commissioner's directions power is not intended to impinge upon, or overlap with, judicial injunction powers. Instead, the Commissioner's directions power could be subject to judicial oversight. Directions must be enforced through the courts, and the courts may review the legality of an exercise of the directions power through established channels for judicial review. Other than urgent directions issued under subclause 112(1), other directions may also be reviewed on their merits, and the Administrative Appeals Tribunal may make an order to stay directions while under review (refer clause 118).

Amendment Items 219 - 223

497. Amendment Items 219 to 223 make consequential amendments to the simplified outline for Chapter 6 in clause 117, to reflect amendments to Chapter 6 made by Amendment Items 224 to 251, detailed below.

Amendment Item 224

498. Amendment Item 224 omits and substitutes a new clause 118, relating to reviewable decisions.
Reviewable decisions are subject to merits review by a reviewer (which may be the Minister or the Commissioner) or by the Administrative Appeals Tribunal. The new clause 118 identifies specific decisions of the Minister and Commissioner under the Scheme that are subject to merits review. Only decisions that are adverse to the interests of a person are subject to merits review. Decisions under the Bill that are not subject to merits review may be subject to judicial review. Judicial review may be available under the Administrative Decisions (Judicial Review) Act 1977, section 39B of the Judiciary Act 1903, or section 75(v) of the Constitution.

499. Subclause 118(1) specifies the four types of accreditation decisions made by the Commissioner that are reviewable decisions. The Commissioner is responsible for making decisions about the accreditation of entities as ADSPs, and decisions about the accreditation of entities that are not bodies politic, Commonwealth bodies, State bodies or Territory bodies as users. Decisions by the Commissioner not to accredit an entity as an ADSP or as a user, or to accredit but with conditions of accreditation, may or will be adverse to the entity, and are therefore subject to merits review. Likewise, a decision by the Commissioner to impose or vary a condition of accreditation after accreditation, will or may be adverse to the entity, and is therefore subject to merits review. A decision by the Commissioner to remove a condition of accreditation can never be adverse to the interests of the entity concerned, and is therefore not subject to merits review. A decision to suspend or cancel an entity's accreditation is subject to merits review.

500. The accreditation of an entity as an ADSP must be renewed every five years (the accreditation of an entity as a user does not need to be renewed). Subclause 81(8) requires the Commissioner to suspend the accreditation of an entity as an ADSP that fails to apply for renewal of its ADSP accreditation within five years of the initial accreditation (or subsequent renewal), and to suspend or cancel the accreditation of an entity as an ADSP if the Commissioner decides under clause 84 not to renew the accreditation of an entity as an ADSP. A decision by the Commissioner under subclause 81(8) is mandatory in nature and, in accordance with the Administrative Review Council's publication What decisions should be subject to merit review? (1999) (ARC guidance), is unsuitable for merits review. Subclause 118(2) therefore provides that decisions by the Commissioner under subclause 81(8) are not subject to merits review. Importantly, however, a decision by the Commissioner not to renew an entity's accreditation as an ADSP, or to renew the accreditation with conditions of accreditation (even if these conditions of accreditation were previously imposed on the entity's accreditation) are subject to merits review (refer paragraph 118(1)(d)).

501. Part 5.3 of the Bill provides for 2 types of complaints to be made to the Commissioner - scheme complaints under Division 1 and general complaints under Division 2.
Scheme complaints may be made by a Scheme entity in the circumstances specified in clause 88 of the Bill. The Commissioner must deal with a complaint unless the Commissioner is satisfied that a ground for not dealing with the complaint in clause 92 applies, either before the Commissioner commences an investigation relating to the complaint (under subclause 91(2)) or after the Commissioner has commenced an investigation (under paragraph 101(4)(a)). In either case, a decision by the Commissioner not to deal with a scheme complaint is subject to merits review (refer paragraph 118(1)(e)).

502. The Commissioner has a broad discretion under clause 95 of the Bill to deal with general complaints made to the Commissioner under clause 94, including by taking no action in relation to such complaints. Decisions taken by the Commissioner under clause 95 in relation to general complaints are not subject to merits review. This is consistent with ARC guidance, because such decisions are preliminary in nature. Under clause 107, in certain circumstances the Commissioner may transfer scheme complaints or general complaints to an agency or body mentioned in clause 108. A decision by the Commissioner to transfer a general complaint is not subject to merits review. This is consistent with ARC guidance, because such decisions are preliminary in nature.

503. The Commissioner has powers under Part 5.4 of the Bill to conduct assessments and investigations. A decision to conduct an assessment or an investigation is not subject to merits review. This is consistent with ARC guidance, because such decisions are preliminary in nature and are of a law enforcement nature. On completion of an investigation, under subclause 102(1) the Commissioner must make a written determination setting out matters specified in subclause 102(1). Under subclause 102(2), the Commissioner has a discretion to make such determinations public. A decision to make a determination public may be adverse to the interests of an entity. Therefore, a decision under subclause 102(2) to make a determination publicly available is subject to merits review (refer paragraph 118(1)(f)). However, a decision by the Commissioner not to make a determination publicly available is not subject to merits review, because such a decision will not be adverse to the interests of an entity.

504. The Commissioner has powers under Part 5.5 of the Bill to make decisions to: require the production of information and documents (refer clause 104); exercise monitoring powers (refer clause 109) and investigation powers (refer clause 110); give urgent written directions (refer subclause 112(1)); apply to a court for an order in relation to civil penalties (refer clause 113); accept and apply to a court to enforce enforceable undertakings (refer clause 115) and apply to a court for injunctions (refer clause 116); and issue infringement notices (refer clause 114). None of these decisions are subject to merits review. This is consistent with ARC guidance. Requiring the production of information or documents, and deciding to exercise monitoring or investigation powers, are decisions of a law enforcement nature. It is not appropriate for decisions to approach a court to be subject to merits review, nor is it appropriate for a decision to issue an infringement notice, which is in the nature of law enforcement, to be subject to merits review.

505.
A decision by the Commissioner under subclause 112(2) or 112(3) to issue a written direction to an entity is a reviewable decision (refer paragraph 118(1)(g)). However, a decision by the Commissioner to issue a written direction to an entity under subclause 112(1) is not a reviewable decision. A direction under subclause 112(1) may only be given if the Commissioner is satisfied that it is necessary for an entity to take actions immediately or as soon as practicable, or to stop taking actions the entity is currently taking or may take imminently. It is intended that such directions are complied with immediately, in order to ensure that shared data, or data to be shared, is properly protected. For example, if the Commissioner is satisfied that an accredited user is holding output in a manner that does not comply with the security requirements specified in the applicable data sharing agreement, the Commissioner may direct the accredited user under subclause 112(1) to improve security controls immediately. This direction would need to be complied with without delay, to avoid the risk that malicious third parties might access the output.

506. Decisions to give directions under subclause 112(1) are incompatible with external merits review for two reasons. First, if external review of such a decision was sought, in many cases the only practical way to preserve the practical value of the applicant's right of review would be to stay the operation of the direction, pending a substantive review of the decision. A stay of the decision would undermine the purpose of subclause 112(1), which is to ensure that the Commissioner has the power to direct Scheme entities to take prompt action to protect public sector data when necessary. Secondly, because the Scheme imposes very strict limitations on how accredited entities may use ADSP-enhanced data or output, a direction given under subclause 112(1) would often require accredited entities to handle data in a manner that would otherwise be unlawful. Accredited entities directed under subclause 112(1) to take immediate action that, but for the direction, would be unlawful, would be placed in a difficult position if the accredited entity seeks external merits review of the decision to give the direction.

507. It would not be possible to provide for internal merits review of decisions to give directions under subclause 112(1) because all such decisions must be made by the Commissioner personally (clause 50 provides that the Commissioner may not delegate their powers under clause 112).

508. Under Chapter 4 of the Bill, the Commissioner may decide to delegate powers and functions under clause 50 and to appoint members of the Council under clause 63. Consistent with ARC guidance, neither of these decisions is subject to merits review.

509. Where a reviewable decision mentioned in subclause 118(1) is made by a delegate of the Commissioner, the Commissioner is the 'reviewer' for the decision. If an application is made for reconsideration of such a decision, the decision may be reviewed by the Commissioner personally or by a delegate of the Commissioner. Where the original reviewable decision is made by the Commissioner personally, internal merits review of the decision is not available and an application for merits review must be made to the Administrative Appeals Tribunal under clause 122.

510. Subclause 118(2) specifies the 3 types of accreditation decisions made by the Minister that are reviewable decisions. The Minister is responsible for making decisions about the accreditation of bodies politic, Commonwealth bodies, State bodies and Territory bodies as users.
Decisions by the Minister not to accredit an entity as a user, or to accredit but with conditions of accreditation, may or will be adverse to the entity, and are therefore subject to merits review. Likewise, a decision by the Minister to impose or vary a condition of accreditation after accreditation will or may be adverse to the entity and is therefore subject to merits review. A decision by the Minister to remove a condition of accreditation can never be adverse to the interests of the entity concerned, and is therefore not subject to merits review. A decision to suspend or cancel an entity's accreditation is subject to merits review. 511. The Minister may decide under clause 137A to delegate any or all of the Minister's powers under Part 5.2 to the Commissioner. Consistent with ARC guidance, this decision is not subject to merits review. 512. Where a reviewable decision mentioned in subclause 118(2) is made by the Commissioner as delegate of the Minister, the Minister is the 'reviewer' for the decision. If an application is made for reconsideration of such a decision, the decision will be reviewed by the Minister personally. Where the original reviewable decision is made by the Minister personally, internal merits review of the decision is not available and an application for merits review must be made to the Administrative Appeals Tribunal under clause 122.


Amendment Items 225 and 226 513. Clause 119 provides for a person affected by a reviewable decision, made by a delegate of the 'reviewer' of the decision, to apply to the reviewer for reconsideration of the decision. Amendment Items 225 and 226 make consequential amendments to the heading and text of the clause to reflect that, with Government amendments to the accreditation framework in Part 5.2 of the Bill, some reviewable decisions are made by the Minister. Amendment Item 227 514. Amendment Item 227 omits clauses 120 and 121 and substitutes new clauses 120 and 121. 515. New clause 120 applies where a reviewable decision (refer clause 118) is made by a delegate, and a person affected by the decision applies under clause 119 to the reviewer of the decision (the Minister or the Commissioner) seeking reconsideration of the decision. Under clause 120, the reviewer (who may be the Commissioner or a delegate of the Commissioner for decisions covered by subclause 118(1), and will be the Minister for decisions covered by subclause 118(2)) must reconsider the initial decision on the merits and then affirm the decision, vary the decision or revoke the decision and substitute a new decision. The reviewer's decision has effect as if it had been made under the provision under which the original decision was made (refer subclause 120(2)). 516. Where a reviewer decides to vary the original decision, or to revoke the original decision and substitute a new decision, the reviewer may specify when the varied decision or new decision has effect (this could be at the time the original decision was made, or at the time of the reconsideration decision). Where the reviewer affirms the original decision, the original decision continues to have effect from the date it was made. 517. The reviewer must provide the applicant for reconsideration with written notice of the decision on reconsideration (refer subclause 120(3)). 
The reviewer must also provide the applicant with written reasons for the reconsideration decision within 28 days after making the decision (refer subclause 120(4)). The notice of the decision and the reasons for the decision do not need to be provided to the applicant at the same time. 518. Where the Minister is the reviewer for a reviewable decision made by the Commissioner as the Minister's delegate, the Minister must personally make the reconsideration decision. Where the Commissioner is the reviewer of a reviewable decision, the reconsideration decision may be made by the Commissioner personally or by another delegate of the Commissioner. However, where the reconsideration decision is made by a delegate, subclause 120(5) provides that the new delegate must not have been involved in the making of the original decision and must be at least the same level as the delegate who made the original decision. These requirements ensure that the decision on reconsideration involves a fresh consideration on the merits, and that the new delegate's decision is not influenced by the original decision.


519. New clause 121 imposes a timeframe for decisions on reconsideration. Reconsideration decisions must be made within 90 days of receiving an application for reconsideration under clause 119. If an application for reconsideration is purportedly made under clause 119 but the requirements of clause 119 are not met (for example, the application is not in the approved form made by the Commissioner for the purpose of clause 119), the 90 day timeframe under clause 121 does not commence. There is no provision for the applicant to agree a longer period for the making of a reconsideration decision. 520. If a reconsideration decision is not made within the 90 day period provided for by subclause 121(1), and the reviewer has not informed the applicant of that decision in writing before the end of that period, clause 121(2) operates to deem that the reviewer has affirmed the original decision. This permits the applicant to seek merits review by the Administrative Appeals Tribunal under clause 122. Clause 121 only requires the applicant to be informed of the decision on reconsideration before the end of the 90 day period. Written reasons for the decision may be provided to the applicant after the end of the 90 day period. However, subclause 120(4) requires reasons for a reconsideration decision to be provided within 28 days after the making of the decision. Amendment Items 228 and 229 521. Amendment Items 228 and 229 make consequential amendments to clause 122 to reflect that, with Government amendments to Part 5.2 of the Bill, some accreditation decisions are made by the Minister. 522. Clause 122 provides that a reviewable decision made personally by the Minister or a subclause 118(1) reviewable decision made personally by the Commissioner may be reviewed by the Administrative Appeals Tribunal without any need for internal reconsideration. 
A subclause 118(2) reviewable decision made by the Commissioner as delegate of the Minister must be subject to internal reconsideration by the reviewer of the decision (that is, the Minister) before being reviewed by the Administrative Appeals Tribunal. Subclause 118(1) reviewable decisions initially made by a delegate of the Commissioner must also be subject to internal review before being reviewed by the Administrative Appeals Tribunal. Amendment Item 230 523. Amendment Item 230 replaces the existing 'Part 6.3 - Treatment of certain entities' with a new Part 6.3, comprising clauses 123 to 125B. 524. Subclause 123(1) includes a table that identifies individuals who are 'designated individuals' for Scheme entities, and the 'designation' of each of those individuals. By way of example, an APS employee of a data custodian is a designated individual for the data custodian, and the designation of that APS employee is the employee's duties as an APS employee. Where an individual or a body corporate is engaged by an accredited entity to perform services under an 'approved contract' (refer subclause 123(3), discussed below), that individual, and employees, officers and members of that body corporate, are designated individuals of the accredited entity, and the approved contract determines the designation of those designated individuals. 525. Certain actions under the Scheme (such as entering into a data sharing agreement on behalf of a data sharing entity) may only be done by authorised officers of the relevant Scheme entity, or other authorised individuals. The appointment of authorised officers is covered by clause 137. Subclause 123(2) clarifies that, where an individual is an authorised officer of a Scheme entity, or an individual authorised for the entity under subclause 137(3) or 137(4), their designation as a designated individual includes both their designation under clause 137 and the designation they may have under another Item of the table in subclause 123(1) - for example, their designation as an employee of the Scheme entity. 526. Subclause 123(3) defines the term 'approved contract'. To be an approved contract, the contract must: (a) be between an individual and an accredited entity, or between a body corporate and accredited body; (b) be authorised in or approved under the relevant data sharing agreement; and (c) comply with any requirements in a data code, if a data code is made for the purposes of this clause. By way of example, an accredited user may have an ongoing contract with a body corporate to provide consulting services in relation to data analytics (the analytics contract). The accredited user enters into two data sharing agreements with different data custodians. The first data sharing agreement authorises the analytics contract. In the context of activities covered by the first data sharing agreement, employees of the data analytics provider are designated individuals of the accredited user, and their designation is determined by the scope of services in the analytics contract. However, the second data sharing agreement does not authorise the analytics contract and the analytics contract is not approved under that agreement.
In the context of activities covered by the second data sharing agreement, employees of the data analytics provider are not designated individuals of the accredited user. 527. Chapter 2 of the Bill provides authorisations for Scheme entities to share, collect and use data in certain circumstances. For example, clause 13 authorises a data custodian to share data with an accredited user if certain conditions are met. Subclause 124(1) provides that, generally, the authorisation provided in Chapter 2 to an entity extends to the designated individuals of that entity. For example, the authorisation provided to a data custodian to share data with an accredited user will also cover APS employees of the data custodian who perform activities as part of the process of making the data available to the accredited user, so long as the relevant activities are within the scope of the APS employees' duties. 528. Subclause 124(2) provides that the authorisation to designated individuals provided for in subclause 124(1) does not apply if that would be inconsistent with a condition of accreditation imposed on, or applicable to the entity, or the terms of the applicable data sharing agreement. For example, an employee of an accredited user who is not an Australian citizen or permanent resident may be a designated individual of the accredited user. However, a condition of accreditation applicable to the accredited user may prohibit any employees that are not Australian citizens or permanent residents from collecting or accessing output. In these circumstances, subclause
124(1) would not extend the accredited user's authorisation to collect and use output to the employee. 529. Subclause 124(3) provides that, generally, where an accredited entity has an approved contract with a body corporate in the context of a particular data sharing agreement, the accredited entity's authorisation under Chapter 2 of the Bill to collect and use data extends to conduct of the body corporate, if the conduct is within the scope of the approved contract. For example, if an accredited user has a contract with a body corporate to provide analytics services and that contract is authorised by the relevant data sharing agreement, the accredited user's authorisation under Chapter 2 in relation to the use of data covered by the data sharing agreement extends to the body corporate, if the production of output authorised under the data sharing agreement is to be in part undertaken by the body corporate and within the scope of the approved contract. 530. However, subclause 124(4) restricts the operation of subclause 124(3) in some circumstances. Subclause 124(4) provides that the authorisation to a body corporate provided for in subclause 124(3) does not apply if that would be inconsistent with a condition of accreditation imposed on, or applicable to the accredited entity, the terms of the approved contract or the data sharing agreement for the project. For example, if an accredited user has a contract with a body corporate to provide analytics services that is authorised by the relevant data sharing agreement, but the approved contract or the applicable data sharing agreement limits what the body corporate may do, if the body corporate acts contrary to this limitation, such actions are not covered by the authorisation extension in subclause 124(3). 531. 
Subclause 124(5) clarifies that when a designated individual for an entity (such as an employee) or a body corporate acting under an approved contract with an accredited entity is given access to data and subclause 124 provides that the entity's authorisation to use data extends to the designated individual or body corporate, the provision of the data to the designated individual or body corporate is taken to be a use of the data, rather than the provision of access to (that is, a disclosure of) the data to the designated individual or the body corporate. This is a similar position to that which applies under the Privacy Act - where an entity makes information available to an employee or a contractor but the information remains in the effective control of the entity, the provision of access to the information is taken to be a use rather than a disclosure. 532. Scheme entities have various powers and obligations under the Scheme. Subclause 125(1) provides that, generally, an entity's powers may be exercised by, and its obligations may be performed by, a designated individual for the entity, acting within the actual or apparent scope of their designation. Thus, an employee of a Commonwealth body in a position of Chief Data Officer would be able to act on behalf of the Commonwealth body and bind the Commonwealth body in relation to Scheme matters that would normally fall within the range of duties of a Chief Data Officer, despite any specific limitation on their role imposed by the Commonwealth body, unless such limitation was reasonably apparent to the person with whom the Chief Data Officer was dealing.


533. However, certain actions under the Scheme (such as entering into a data sharing agreement) may only be performed on behalf of a Scheme entity by an authorised officer or an officer authorised under subclauses 137(3) or 137(4). Subclause 125(2) clarifies that subclause 125(1) does not apply in these circumstances. Therefore, if a person is a designated individual for the entity, but not an authorised officer or an officer authorised under subclauses 137(3) or 137(4), that person's actions will not be taken to have been done for the entity, if the thing to be done must be done by an authorised officer or an officer authorised under subclauses 137(3) or 137(4). 534. Subclauses 124(1) and 124(2) set out the circumstances where an authorisation given to a Scheme entity under Chapter 2 covers a designated individual of the entity. Subclause 125(2) clarifies that subclause 125(1) does not apply in relation to authorisations under Chapter 2. Subclause 125(1) is not intended to extend the operation of subclauses 124(1) or 124(2). Therefore, because of the operation of subclause 124(2), the conduct of a designated individual of a Scheme entity would not be covered by the entity's authorisation under Chapter 2 if the designated individual's conduct is contrary to conditions of accreditation imposed on or applicable to the Scheme entity, or the applicable data sharing agreement. 535. Clause 125A sets out the principles to be applied to determine whether an entity, other than an individual, has contravened a civil penalty provision in the Bill, or has otherwise breached a provision in the Bill.
If an accredited entity breaches a provision of the Bill, the accreditation authority for the entity may consider the cancellation of the entity's accreditation (see clause 81). 536. Paragraph 125A(1)(a) provides that, generally, when determining whether an entity (other than an individual) has contravened a civil penalty provision in the Bill, or has otherwise breached a provision in the Bill, the entity is taken to have engaged in conduct engaged in by a designated individual for the entity (if the conduct is within the actual or apparent scope of the individual's designation, which is determined under clause 123), or by a body corporate that is party to an approved contract (if the conduct is within the actual or apparent scope of the approved contract). The term 'approved contract' is defined in subclause 123(3). The inclusion of 'apparent scope' means that conduct engaged in by a designated individual or a body corporate that is party to an approved contract, can in some circumstances be attributed to an entity even where the conduct is outside the scope of the designated individual's actual designation or the actual scope of the approved contract. 537. In any circumstance where it is necessary to establish an entity's state of mind to determine whether the entity (other than an individual) has contravened a civil penalty provision in the Bill, or has otherwise breached a provision in the Bill, paragraph 125A(1)(b) provides that it is sufficient to establish the state of mind of a designated individual whose conduct is attributed to an entity under paragraph 125A(1)(a).


538. The term 'government entity' is defined in subclause 125A(4) to mean all Commonwealth bodies (including bodies corporate that are Commonwealth bodies), State bodies and Territory bodies that are not bodies corporate, and the bodies politic that come within the definition of Australian entity (the Commonwealth, a State or a Territory). Subclause 125A(2) provides that, where a government body would otherwise be taken to contravene a civil penalty provision in the Bill because conduct of a designated individual or a body corporate is attributed to the government entity because of the operation of subclause 125A(1), the government entity does not contravene the civil penalty provision if it is established that the government entity took reasonable precautions and exercised due diligence to avoid the conduct occurring. The availability of this defence will provide data custodians with confidence to share data under the Scheme rather than using other mechanisms, and will also encourage all Commonwealth bodies, and State bodies and Territory bodies that are not bodies corporate, to seek accreditation under the Scheme. The precautions and due diligence required for subclause 125A(2) to apply could include the provision of appropriate training to designated individuals, ensuring policies are clear and available, ensuring designated individuals are clear about the scope of their duties, including appropriate provisions in contracts, having appropriate internal governance arrangements and fostering a culture of compliance in relation to the Scheme. The government entity bears an evidential burden to establish that subclause 125A(2) applies. 539. Where the conduct of a designated individual is attributed to a government entity because of the operation of subclause 125A(1), subclause 125A(3) provides that the designated individual is not personally liable for a contravention of a civil penalty provision in the Bill in relation to that particular conduct. 
This protection extends to ancillary contraventions of civil penalty provisions arising from the operation of section 92 of the Regulatory Powers Act, but subclause 125A(3) does not provide any protection in relation to offences under the Bill. Section 92 of the Regulatory Powers Act provides, amongst other matters, that a person must not aid, abet, counsel or procure a contravention of a civil penalty provision and, if they do, they are taken to have contravened the civil penalty provision. 540. Clauses 14 and 14A provide for civil penalties to apply to individuals who engage in conduct, where the conduct is, or is part of: - providing access to data, purportedly under clause 13, where the provision of access is not authorised by clause 13; or - collecting or using data that is output or ADSP-enhanced data by an entity where the collection or use is not authorised by the Bill. 541. Clause 5 clarifies, for the avoidance of doubt, that the Crown may be made liable to pay a pecuniary penalty for contravening a civil penalty provision in the Bill. 542. Section 97 of the Regulatory Powers Act provides that, if an element of a civil penalty provision is done by an employee of a body corporate within the actual or apparent scope of their employment, or by an agent or officer of the body corporate within the actual or apparent scope of their authority, the element of the civil penalty provision is attributed to the body corporate. Subclause 125A(5) clarifies that, when determining whether a body corporate that is a Commonwealth body has
contravened a civil penalty provision in the Bill, subclause 125A(1) applies, rather than section 97 of the Regulatory Powers Act. However, under subclause 125A(6), to determine whether any other body corporate (including a body corporate that is a State body or a Territory body) has contravened a civil penalty provision in the Bill, section 97 of the Regulatory Powers Act, rather than subclause 125A(1), must be applied. Subclause 125A(1) applies to all bodies corporate when determining whether the body corporate has breached a provision of the Bill that is not a civil penalty provision. 543. Clause 125B provides that, generally, when determining whether an entity has committed an offence created by the Bill, the entity is taken to have engaged in any conduct engaged in by a designated individual for the entity (if the conduct is within the actual or apparent scope of the individual's designation, which is determined under clause 123), or by a body corporate that is party to an approved contract (if the conduct is within the actual or apparent scope of the approved contract). The term 'approved contract' is defined in subclause 123(3). This means that conduct engaged in by a designated individual or a body corporate that is party to an approved contract can in some circumstances be attributed to an entity even where the conduct is outside the scope of the designated individual's actual designation or the actual scope of the approved contract. 544. Where it is necessary to establish an entity's state of mind to determine whether the entity (other than an individual or a body corporate) has committed an offence established by the Bill, paragraph 125B(b) provides that it is sufficient to establish the state of mind of a designated individual whose conduct is attributed to an entity under paragraph 125B(a). 545. 
Clause 125B does not have any operation in relation to determining whether a body corporate (including a body corporate that is a Commonwealth body, a State body or a Territory body) has committed an offence. Part 2.5 of the Criminal Code sets out the principles of how offences apply to bodies corporate. The Bill does not alter the operation of Part 2.5 of the Criminal Code, as it applies to offences established by the Bill. Clause 5 provides that nothing in the Bill makes the Crown liable to be prosecuted for an offence. Amendment Item 231 546. Amendment Item 231 is a consequential amendment to clause 126 required because of the insertion of new clauses 10 and 11A and new definitions in clause 9. Paragraph 126(2)(a) provides that a data code may set out how definitions in clauses 9, 10, 11 and 11A are to be applied or complied with. For example, a data code could be made about how the term 'project' (which is defined in clause 11A) is to be applied. A data code cannot be inconsistent with the Bill and, furthermore, a data code that is inconsistent with the Regulations or rules made under the Bill has no effect to the extent of the inconsistency (refer subclause 126(3)). Amendment Item 232 547. Amendment Item 232 replaces the term 'relevant' in paragraph 126(2)(e) with the term 'necessary or convenient to deal with for carrying out or giving effect'. This is
a drafting change to clarify that the Commissioner has a broad power to make data codes about the general operation of the Scheme. Data codes are legislative instruments that are subject to disallowance. A data code cannot be inconsistent with the Bill and, furthermore, a data code that is inconsistent with the Regulations or rules made under the Bill has no effect to the extent of the inconsistency (refer subclause 126(3)). Data codes are binding on data custodians, accredited users and ADSPs (refer clause 26). Amendment Item 233 548. Amendment Item 233 introduces new obligations on the Commissioner to make one or more data codes dealing with particular topics. New subclause 126(2A) requires the Commissioner to make one or more data codes about the data sharing principles described in clause 16, and about the privacy protections set out in clauses 16A and 16B. Data codes are legislative instruments that are subject to disallowance. Data codes are binding on data custodians, accredited users and ADSPs. Subclause 126(2A) is not intended to limit the topics that may be covered by data codes. 549. New subclause 126(2B) requires a data code relating to clause 16A to cover the consent of individuals to share their personal information. Subclause 16A(1) provides that biometric data may only be shared with the express consent of the individual to whom it applies. The data code will govern how data custodians, accredited users and ADSPs apply the concept of 'consent' for the purpose of subclause 16A(1). 550. 
New subclause 126(2C) requires a data code for clause 16B to cover the consent of individuals to share their personal information, the circumstances where it would be unreasonable or impractical to seek the consent of individuals to the sharing of their data, the principles to be applied by data custodians when determining whether it is necessary to share personal information to properly deliver a government service, and the circumstances (or range of circumstances) where the public interest to be served by a project justifies the sharing of personal information without consent. Clause 16B imposes significant limitations on when personal information may be shared under the Scheme. The limitations imposed by clause 16B vary depending on the data sharing purpose for the project. A note under subclause 16B(4) confirms that it is not unreasonable or impracticable to seek an individual's consent merely because the consent of a very large number of individuals would need to be sought. Amendment Item 234 551. Amendment Item 234 amends subclause 127(1) to provide that guidelines made by the Commissioner are legislative instruments that are subject to disallowance. While guidelines are not binding on data custodians, accredited users and ADSPs, clause 27 requires these entities to take guidelines into account when engaging in conduct for the purposes of the Bill. There is no obligation on the Commissioner to make guidelines. Amendment Item 235 552. Amendment Item 235 omits previous subclauses 127(3) and 127(4) because Amendment Item 234 amends subclause 127(1) to provide that guidelines are
legislative instruments. Amendment Item 235 also inserts a new subclause 127(3) to provide that guidelines sit below data codes in the hierarchy of legislative instruments made under the Bill. Thus, guidelines that are inconsistent with the Bill, or with Regulations, rules or data codes made under the Bill, are of no effect. However, if a guideline is inconsistent with another type of legislative instrument made under the Bill, the guideline will still operate to the extent that it is not inconsistent with, and can operate concurrently with, the other legislative instrument. Amendment Item 236 553. Amendment Item 236 omits clauses imposing requirements for the Commissioner to maintain registers for ADSPs, accredited users and data sharing agreements and substitutes new clauses covering these matters. Under new clauses 128, 129 and 130, each register has a section that must be publicly accessible and another section that is not publicly accessible. The publicly accessible section of each register will be available through the Commissioner's website. It is expected that Scheme entities will regularly access the registers when negotiating data sharing agreements and sharing data, but the registers will also make key information available to the general public. The Commissioner has a discretion to maintain the registers in any form they consider appropriate, provided that the parts of registers that are required to be publicly accessible may be readily accessed by the public free of charge. 554. Subclause 128(2) provides that, for each currently accredited ADSP, the following information must be made publicly available on the register of ADSPs - the name and current contact details for the ADSP, the conditions of accreditation applicable to the ADSP (including conditions of accreditation prescribed by rules under clause 77B) and, if the accreditation of the ADSP is currently suspended, that fact and the duration of the suspension. 555. 
The Minister may make rules that require the Commissioner to include additional details on the publicly accessible part of the register (refer paragraph 128(2)(e)), require the Commissioner not to include details in the publicly accessible part of the register that would otherwise be required in certain circumstances (refer subclause 128(3)), or require the Commissioner to include additional details on the part of the register that is not publicly accessible (refer paragraph 128(4)(b)). If the rules require the Commissioner not to include particular details in the publicly accessible part of the register, these details must be included in the part of the register that is not publicly accessible (refer paragraph 128(4)(a)). Rules made by the Minister for the purpose of clause 128 are legislative instruments that are subject to disallowance. 556. The Commissioner has no discretion about what details are, or are not, on the publicly accessible part of the register, or the part of the register that is not publicly accessible. What details must, or must not, be included on each part of the register is determined by clause 128 and any rules made for the purpose of that clause. Accordingly, decisions by the Commissioner to include particular details on a part of the register, or not to include particular details, are not subject to merits review under clause 118.


557. Subclause 128(6) provides that the register of ADSPs is not a legislative instrument. This is not a substantive exemption from the Legislation Act 2003 because the register does not otherwise fall within the definition of legislative instrument in section 8 of that Act. Subclause 128(6) is included so that the position that the register is not a legislative instrument is clear on the face of the Bill. 558. Subclause 129(2) provides that, for each currently accredited user, the following information must be made publicly available on the register of accredited users - the name and current contact details for the user, the conditions of accreditation applicable to the user (including conditions of accreditation prescribed by rules under clause 77B) and, if the accreditation of the user is currently suspended, that fact and the duration of the suspension. 559. The Minister may make rules that require the Commissioner to include additional details on the publicly accessible part of the register (refer paragraph 129(2)(e)), require the Commissioner not to include details in the publicly accessible part of the register that would otherwise be required in certain circumstances (refer subclause 129(3)), or require the Commissioner to include additional details on the part of the register that is not publicly accessible (refer paragraph 129(4)(b)). If the rules require the Commissioner not to include particular details in the publicly accessible part of the register, these details must be included in the part of the register that is not publicly accessible (refer paragraph 129(4)(a)). Rules made by the Minister for the purpose of clause 129 are legislative instruments that are subject to disallowance. 560. The Commissioner has no discretion about what details are, or are not, on the publicly accessible part of the register, or the part of the register that is not publicly accessible. 
What details must, or must not, be included on each part of the register is determined by clause 129 and any rules made for the purpose of that clause. Accordingly, decisions by the Commissioner to include particular details on a part of the register, or not to include particular details, are not subject to merits review under clause 118. 561. Subclause 129(6) provides that the register of users is not a legislative instrument. This is not a substantive exemption from the Legislation Act 2003 because the register does not otherwise fall within the definition of legislative instrument in section 8 of that Act. Subclause 129(6) is included so that the position that the register is not a legislative instrument is clear on the face of the Bill. 562. Subclause 130(2) provides that, for each registered data sharing agreement, a number of details about the data sharing agreement and the project covered by the agreement must be made publicly available on the register of data sharing agreements. These matters are set out in paragraphs 130(2)(a) to (r). 563. The Minister may make rules that require the Commissioner to include additional details on the publicly accessible part of the register (refer paragraph 130(2)(r)), require the Commissioner not to include details in the publicly accessible part of the register that would otherwise be required in certain circumstances (refer subclause 130(3)) or require the Commissioner to include additional details on the part of the register that is not publicly accessible (refer paragraph 130(4)(c)). If the rules require the Commissioner not to include particular details in the publicly accessible part of


the register, these details must be included in the part of the register that is not publicly accessible (refer paragraph 130(4)(b)). Rules made by the Minister for the purpose of clause 130 are legislative instruments that are subject to disallowance. The part of the register that is not publicly accessible must include the full text of each registered data sharing agreement, and each variation to such agreement that has been registered (refer paragraph 130(4)(a)). 564. The Commissioner has no discretion about what details are, or are not, on the publicly accessible part of the register, or the part of the register that is not publicly accessible. What details must, or must not, be included on each part of the register is determined by clause 130 and any rules made for the purpose of that clause. Accordingly, decisions by the Commissioner to include particular details on a part of the register, or not to include particular details, are not subject to merits review under clause 118. 565. Subclause 130(6) provides that the register of data sharing agreements is not a legislative instrument. This is not a substantive exemption from the Legislation Act 2003 because the register does not otherwise fall within the definition of legislative instrument in section 8 of that Act. Subclause 130(6) is included so that the position that the register is not a legislative instrument is clear on the face of the Bill. Amendment Item 237 566. Amendment Item 237 substitutes the reference 'this Act, the rules or a data code' with 'the data sharing scheme'. The expression 'data sharing scheme' is defined in clause 9 to mean 'this Act and the regulations, rules data codes and guidelines made under it'. Item 3 of Schedule 3 to the Data Availability and Transparency (Consequential Amendments) Bill 2020, as amended by Government amendments, provides that the 'data sharing scheme' is taken to include that Schedule and rules made under it. 
Thus, clause 132 will empower the Commissioner to approve a form if rules made under Schedule 3 of the Data Availability and Transparency (Consequential Amendments) Bill 2020 provide for such a form to be an approved form. Amendment Item 238 567. Amendment Item 238 omits clause 135 and substitutes a new clause 135. 568. A Scheme entity may contravene a civil penalty provision or commit an offence under clauses 14 and 14A if they use scheme data in a manner that is not authorised under clauses 13A, 13B or 13C and is not otherwise authorised by the Bill. Clause 9 defines the term 'use' to include handle, store and provide access. If a Scheme entity provides another entity with scheme data and the provision of that access is not authorised by Chapter 2 or another provision of the Bill, the Scheme entity providing the access may contravene a civil penalty provision or commit an offence under clauses 14 and 14A, even if access was provided in response to a request, requirement or notice made or issued under other Commonwealth legislation. 569. Clause 135 authorises Scheme entities to provide access to scheme data to the Auditor-General, the Commonwealth Ombudsman, the Information Commissioner, a Commonwealth, State or Territory court or tribunal or a Commonwealth Royal


Commission in certain circumstances. Where a Scheme entity provides access to scheme data to a statutory officeholder (or their delegate), a court, a tribunal or a Royal Commission in accordance with clause 135, the Scheme entity will not contravene a civil penalty provision or commit an offence under clauses 14 and 14A solely due to the provision of access to the scheme data. 570. Scheme data may be subject to secrecy or confidentiality provisions in other legislation. Where clauses 13, 13A, 13B or 13C authorises the sharing, collection or use of data, clause 23 provides that the authorisation has effect despite anything in another law of the Commonwealth, or a law of a State or Territory. However, clause 23 has no operation in relation to the authorisation provided by clause 135. Therefore, a Scheme entity that proposes to provide scheme data to a statutory officeholder, a court, a tribunal or a Royal Commission as authorised by clause 135 must consider whether applicable secrecy or confidentiality provisions in other legislation permit the disclosure, or whether the power requiring the disclosure of the scheme data authorises the disclosure despite applicable secrecy or confidentiality provisions. Amendment Item 239 571. Amendment Item 239 introduces a new clause 135A that clarifies how the Scheme applies to data that has been transferred to the National Archives of Australia (the Archives). 572. The data custodians of public sector data will transfer the care of some of that data to the Archives prior to the commencement of the open access period for that data, as defined by the Archives Act. Where such transfer occurs, subclauses 135A(1) and 135A(2) clarify that the Archives is not the data custodian of the transferred data for the purpose of the Scheme. The data custodian that transferred the data to the Archives remains the data custodian for the purpose of the Scheme. 
If such a data custodian receives a request to share the data from an accredited user under clause 25, the data custodian will have an obligation to consider the request under that section. If necessary, the data custodian will be able to obtain the data from the Archives in order to share the data under the Scheme. 573. Subclause 135A(3) provides that the authorisations in Chapter 2 generally do not apply to any public sector data that is in the open access period for that data, as defined by the Archives Act. Access to data in the open access period must be sought under the Archives Act, rather than under the Scheme. However, where a data sharing agreement in relation to particular public sector data has been registered by the Commissioner before the open access period for that data, subclause 135A(3) provides that the sharing, collection and use of data as authorised under Part 2 as part of the project covered by the agreement, may occur after the commencement of the open access period for the data. This is the case even if the data sharing agreement is varied after the commencement of the open access period. Amendment Items 240 - 242 574. Clause 136 limits the geographical jurisdiction of civil penalty provisions and offences in the Bill to circumstances where there is some specified connection with


Australia. Because of Government amendments to the Bill, the definition of 'Australian entity' in clause 9 no longer includes a reference to Australian citizens and permanent residents of Australia. Amendment Items 240, 241 and 242 make consequential amendments to clause 136 to refer to Australian citizens and permanent residents of Australia in paragraphs 136(1)(d), 136(2)(d) and 136(3)(d) so that the amendment to the definition of 'Australian entity' does not alter the operation of clause 136 in relation to Australian citizens and permanent residents of Australia. Amendment Item 243 575. Amendment Item 243 omits clause 137 and substitutes a new clause 137. 576. Various important actions that may be taken by entities under the Bill must be taken on behalf of the entity by an authorised officer of the entity or, in some cases, by another person appointed under clause 137. For example, clause 76 provides that an application for accreditation must be made by an authorised officer on behalf of the entity. 577. Subclause 137(1) (including the table that forms part of that subclause) provides that the head of each type of Scheme entity (for example, the Secretary of an Australian Government department) is an authorised officer of that entity by force of the clause. Subclause 137(2) provides that the head of the entity may, by written instrument, appoint an individual falling within the description in the 'Individuals' column of the applicable item row of the table to be an 'authorised officer' for the entity. In the case of Scheme entities that are Australian Government departments, or Executive Agencies or Statutory Agencies (within the meaning of the Public Service Act 1999), only SES employees or acting SES employees in the entity may be appointed as authorised officers of the entity.
Where the head of an entity has appointed an individual as an authorised officer, section 33(3) of the Acts Interpretation Act 1901 provides the entity head with the power to revoke or amend the appointment. An instrument may identify a class of individuals that are appointed as authorised officers, including the class of individuals holding or acting in particular offices from time to time. 578. It is not possible for an individual to be appointed as an authorised officer of an entity for some purposes but not others. For example, the Secretary of an Australian Government department may not appoint an SES employee an authorised officer of the entity for the purpose of lodging an application for accreditation as a user, but not for other purposes. A person who is appointed as an authorised officer of an entity may not delegate any part of this role to another individual, or authorise another individual to perform the role on their behalf. Only individuals may be appointed as authorised officers. 579. Subclause 137(3) enables the head of a Scheme entity to appoint an individual by written instrument to enter into variations of data sharing agreements on behalf of the entity. Individuals appointed under subclause 137(3) are not 'authorised officers'. In the case of Scheme entities that are Australian Government departments, or Executive Agencies or Statutory Agencies (within the meaning of the Public Service Act 1999), only SES employees or acting SES employees in the


entity may be appointed under subclause 137(3). Where the head of an entity has appointed an individual under subclause 137(3), section 33(3) of the Acts Interpretation Act 1901 provides the entity head with the power to revoke or amend the appointment. An instrument may identify a class of individuals that are appointed under subclause 137(3), including the class of individuals holding or acting in particular offices from time to time. An instrument appointing an individual under subclause 137(3) must be a general appointment and may not provide that the individual is only authorised to enter into a particular variation of a data sharing agreement, or variations of agreements that have particular characteristics (for example, a variation that does not provide any additional data to be shared with the accredited user under clause 13). 580. The Agency Heads of Scheme entities that are Australian Government departments, or Executive Agencies or Statutory Agencies (within the meaning of the Public Service Act 1999), may appoint an individual in their agency or in another APS agency under subclause 137(4). Such individuals must be SES employees or acting SES employees. Individuals appointed under subclause 137(4) may enter into data sharing agreements and variations of such agreements, and make decisions under subclause 16D(4) (and the associated records of decisions), that the risk a particular proposed data integration could cause substantial harm is low. For example, if the Secretary of Australian Government department A appoints an SES employee in Australian Government department B under subclause 137(4), by virtue of the appointment, the SES employee may enter into a data sharing agreement with an accredited user on behalf of department A, as the data custodian of the public sector data to be shared. 581. 
Where the head of an entity has appointed an individual under subclause 137(4), section 33(3) of the Acts Interpretation Act 1901 provides the entity head with the power to revoke or amend the appointment. An instrument may identify a class of individuals that are appointed under subclause 137(4), including the class of individuals holding or acting in particular offices from time to time. An instrument appointing an individual under subclause 137(4) must be a general appointment and may not provide that the individual is only authorised to enter into a particular type of data sharing agreement, or variations of agreements that have particular characteristics, or only make particular data integration decisions. Amendment Item 244 582. Amendment Item 244 inserts a new clause 137A to allow the Minister to delegate, in writing, to the Commissioner any or all of the Minister's powers in relation to the accreditation framework in Part 5.2. The Minister is the 'accreditation authority' for the Commonwealth, a State, a Territory, a Commonwealth body, a State body or a Territory body applying for accreditation as, or accredited as, a user (refer clause 9). The Minister therefore makes decisions about: the accreditation of these entities as users; the imposition, variation or removal of conditions of accreditation (as users); and, if necessary, the suspension or cancellation of the accreditation of these bodies as users. The Minister may only delegate their powers under Part 5.2 to the Commissioner, and the Commissioner may not sub-delegate such powers.


583. Subclause 137A(2) provides that, when exercising delegated power, the Commissioner must comply with any written directions given to the Commissioner by the Minister. 584. The Minister's power of delegation only relates to the Minister's power to make administrative decisions under Part 5.2. The Minister may make rules under clause 133 relating to accreditation matters (for example, prescribing conditions of accreditation for the purposes of clause 77B) but the Minister may not delegate the power to make rules. 585. Sections 34AA, 34AB and 34A of the Acts Interpretation Act 1901 apply to the Minister's power of delegation in clause 137A. Amendment Item 245 586. Amendment Item 245 amends clause 138 to clarify that the Commissioner's annual report should include details of the number of requests received by data custodians during the relevant financial year from accredited users. While any entity (including entities that are not accredited as users) may request a data custodian to share data, data custodians only have obligations under clause 25 to consider requests made by, and to provide reasons for a refusal to, accredited users. It is appropriate that the Commissioner's reporting under clause 138 aligns with the obligations of data custodians under clause 25. Amendment Item 246 587. Amendment Item 246 amends clause 138 to require further information to be included in the Commissioner's annual report on the Scheme to provide additional transparency and accountability. Data custodians have no obligation under the Scheme to share data but, where an accredited user makes a written request to a data custodian to share data, clause 25 requires the data custodian to consider the request within a reasonable period and, if the request is refused, to provide the accredited user with written reasons within 28 days of the date of the refusal decision. 
The new subparagraph 138(2)(d)(ia) will provide a measure of public accountability if data custodians fail to comply with the time limits imposed by clause 25. Amendment Item 247 588. Amendment Item 247 amends clause 138 to require additional information to be included in the Commissioner's annual report on the Scheme to provide additional transparency and accountability. The amendment to paragraph 138(2)(d) ensures that the annual report includes details of the number of complaints received by the Commissioner during the financial year (both scheme complaints received under Division 1 of Part 5.3 and general complaints received under Division 2 of Part 5.3) and complaints received directly by data custodians relating to the Scheme generally or in relation to data custodians' conduct under the Scheme. The number of complaints in a financial year, and trends in the numbers of complaints over time, will provide the Minister, the Parliament and the public with additional information in relation to the operation of the Scheme.


Amendment Item 248 589. Amendment Item 248 is a consequential amendment to reflect that, because of other amendments, the Minister is the accreditation authority for user accreditation of entities other than Australian universities. The amendment ensures that the rules could prescribe a fee covering initial accreditation decisions made by the Minister (or by the Commissioner as the Minister's delegate) and for the internal review of such decisions. Amendment Item 249 590. Amendment Item 249 amends clause 140 to clarify that a data custodian may charge a fee to an accredited entity in relation to services performed on behalf of the data custodian by another entity. For example, in response to a request to share data under the Scheme made by an accredited user, the data custodian may decide to share de-identified data with the accredited user. If the data custodian engages an ADSP to perform the de-identification data service in relation to the data to be shared with the accredited user, the cost of the ADSP performing the service may be taken into account if the data custodian charges a fee to the accredited user. Amendment Item 250 591. Amendment Item 250 amends clause 142 to provide for two reviews of the operation of the Bill, if enacted, prior to the operation of the new sunset clause in Amendment Item 251. 592. Subclause 142(2) provides for an independent review three years after the Scheme's commencement, in addition to a review three months after the commencement of any amendments to the Privacy Act resulting from the review of that legislation, discussed below, which would have a material impact upon the Scheme. The review must be completed within 12 months, or a longer period agreed by the Minister. 593. The three year review is intended to allow an independent assessment of the operation of the Scheme. 
If the review were conducted earlier, the Scheme would not be sufficiently mature to properly assess its effectiveness, and whether the Scheme should continue, continue with amendments or be allowed to cease to have effect under the sunset clause. The timing should allow the review and consideration of any response to be completed in sufficient time to provide valuable input towards informing Parliament whether to extend the Scheme or to allow the sunset provision under new clause 143 to take effect. 594. On 12 December 2019, the Attorney-General announced that the Australian Government would conduct a review of the Privacy Act to ensure privacy settings empower consumers, protect their data and best serve the Australian economy. The review was announced as part of the Government's response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry. 595. The Bill is intended to work with, rather than override, the Privacy Act and several key terms in the Bill, such as 'personal information', take their meaning from the Privacy Act.


596. If the Privacy Act is amended in response to the review mentioned above, it is possible that consequential amendments to the Bill may be required. Thus, paragraph 142(2)(b) provides that the Minister must commission a review of the Bill if amendments to the Privacy Act made in response to the review initiated by the Attorney-General would, in the Minister's opinion, have a material impact on the Scheme. 597. Subclause 142(3) provides that if subclause 142(2) would require overlapping reviews of the Bill, the reviews may be combined. The combined review must be completed within 12 months of the day the latest of the reviews was required to commence. The Minister may agree a longer period in which the review must be completed. Amendment Item 251 598. Amendment Item 251 inserts new clause 143 to provide for the Bill to cease having effect. The Bill sunsets and ceases to have effect at the end of the day that is the fifth anniversary of the day the Scheme commences. This provides another accountability mechanism to ensure the operation of the Scheme is considered by Parliament following the review undertaken under subclause 142(2). 599. Subclause 143(2) allows regulations to be made for the purposes of prescribing transitional matters in relation to this sunset clause. The regulations for these purposes may be made during the period commencing 12 months before the sunset date, which is at the fourth anniversary of the Scheme's commencement, and ending immediately before a year from the sunset day. The one year period leading to the sunset day allows the Commissioner to commence activities transitioning out of the Scheme ahead of the sunset. 600. Subclauses 143(4) to 143(7) provide details on the matters that the regulations may prescribe to deal with transitional matters arising from this sunset clause. 
The regulations may: - provide for savings or application provisions so that certain provisions continue to apply, including in a modified way, such as the existence of the Commissioner as a statutory office holder; - empower the Commissioner to direct a Scheme entity to take or not take certain actions to ensure the scheme data is appropriately dealt with when the Scheme ends; or - create offences or civil penalties for failure to comply with directions made for the purposes of this sunset clause, as well as penalties for both individuals and entities for contravening the regulations or offences against the regulations. 601. Subclauses 143(4) to 143(7) will not allow modifications to provisions of the Act; they will only allow modification of application of those provisions, to ensure that the Scheme applies appropriately after sunset. 602. Subclause 143(7) permits the regulations made under this clause to prescribe penalties, as it would be inappropriate to create an offence or civil penalty in the Bill regarding transitional matters, as Parliament may, instead of choosing to let the


Scheme sunset, amend clause 143 in some way, thereby bypassing the need for sunset regulations and offences or civil penalties under regulations. Further, it is not possible to anticipate all transitional matters that may arise that may require civil penalty provisions or offences. 603. A legislative safeguard is in place for the regulations: an automatic repeal, which has the effect that the longest period of time such regulations may stay in force is one year from the sunset day (refer subclause 143(9)). Further, there is still Parliamentary oversight of such regulations as they are still required to be tabled in Parliament in accordance with the Legislation Act 2003, and subject to disallowance under that Act. 604. Subclause 143(8) clarifies that these regulations must not have the effect of allowing data to be shared under clause 13 after the sunset day. This means that the regulations could not allow data custodians to be able to continue providing access to data under the Scheme following the sunset day. This ensures that the regulations do not have the effect of overriding the operation of the sunset clause when prescribing transitional matters. 605. Subclause 143(9) provides a self-repealing provision for regulations made for the purposes of this sunset clause, which provides that they are repealed one year from the sunset day, consistent with the timeframe provided under subclause 143(2).


Statement of Compatibility with Human Rights Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 1. The amendments to the Bill are compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011. Overview 2. The amendments support the establishment of a new Scheme for Australian Government data. 3. The amendments strengthen privacy protections for the sharing of personal information under the Scheme that complement privacy requirements and obligations in the Privacy Act. Australian Government data that contains personal information about an individual can only be shared without an individual's consent in limited circumstances. Biometric data can only be shared with the express consent of the individual. 4. The amendments also: • further clarify requirements relating to accreditation and data sharing; • require the Commissioner to provide further guidance in a data code; • provide the Commissioner with an education and support function to establish and maintain best practice data sharing under the Scheme; • allow individuals to make complaints in relation to the Scheme; • clarify merits review requirements; and • introduce a civil penalty for serious contraventions. Human Rights Implications 5. The amendments engage the following rights: • protection from arbitrary or unlawful interference with privacy; • right to freedom of expression; and • right to a fair trial and fair hearing. Protection from arbitrary or unlawful interference with privacy 6. The right to protection from arbitrary or unlawful interference with privacy is recognised in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). The Bill engages with this right by authorising the Australian Government and other Scheme entities to share, collect and use public sector data, which may contain personal information. 7. 
The amendments uphold this right as they provide additional protections to minimise interference with the right to privacy, and to ensure any remaining impact is reasonable, necessary and proportionate. The privacy protections are consistent and harmonious with the protections in the Privacy Act.


8. Part 2.4 of the amended Bill strengthens and consolidates the privacy protections under the Scheme. These protections include: • a starting position that data shared under the Scheme must not include personal information unless an exception applies; • data minimisation requirements, that is, personal information can only be shared where necessary; • restricting the sharing of biometric data by requiring the express consent of the individual; • requiring all sharing of personal information under the Scheme be subject to the Privacy Act, a state or territory equivalent, or an equivalent requirement that the data sharing agreement must include terms that the entities must not do an act or engage in a practice that would breach the Australian Privacy Principles and for parties to agree to be subject to the jurisdiction of the Information Commissioner; • requiring data sharing agreements to prohibit re-identification of de-identified data; • requiring entities to comply with data codes that will set out requirements for how consent is to be collected from individuals, and how principles are to be applied in determining whether it is necessary, or in the public interest, to share personal information in certain circumstances; and • prohibiting the storage or access of data containing personal information outside Australia. 9. Further privacy protections also apply depending on the purpose of data sharing under the Scheme (purpose-specific privacy protections, clause 16B). The Scheme establishes three data sharing purposes - delivery of government services, informing government policy programs, and research or development. 
• If the sharing is for the purpose of delivering government services, the data must not include personal information about an individual, unless the government service (other than services relating to a payment, entitlement or benefit) is being delivered to the individual, or the individual consents to the sharing of their personal information, or the sharing would be a disclosure authorised under Part VIA of the Privacy Act (dealing with personal information in emergencies and disasters). The government service being delivered must be identified in the relevant data sharing agreement and only the minimum amount of personal information necessary to properly deliver the service can be shared. • If the sharing is for the purpose of informing government policy and programs, or research and development, personal information must not be shared unless either: the individual consents to the sharing of their personal information and only the minimum amount of personal information necessary for the project to proceed is shared; or, the project cannot proceed without the personal information, that the public interest in the project justifies sharing of personal information without consent, only the minimum of personal information necessary for the project to proceed is shared, and at least one permitted circumstance for the data sharing project exists.


The permitted circumstances for research and development include: where it is unreasonable or impracticable to seek the individual's consent; where the data to be collected and used is in the course of medical research and is in accordance with the guidelines under subsection 95(1) of the Privacy Act; where the sharing is to allow an accredited data services provider to create data that does not include any personal information; or, where access to the data is controlled by an accredited data services provider. The permitted circumstances for informing government policy and programs are the same as for research and development, but also include where the user receiving the data is a Commonwealth body and the agreed output of the project only includes de-identified information, and where sharing would be a disclosure authorised under Part VIA of the Privacy Act (dealing with personal information in emergencies and disasters).

10. The amendments also authorise the Information Commissioner to provide details of a privacy complaint related to the Scheme to the Commissioner. This allows the Information Commissioner to continue to handle the complaint, whilst enabling the Commissioner to be aware of matters related to the Scheme. The Bill, as amended, imposes a new civil penalty for a serious contravention of the Bill. A serious contravention, among other things, could include non-compliance with obligations relating to the sharing of data containing personal information (such as a failure to obtain consent to share biometric data). This is intended as a deterrent against serious misconduct under the Scheme and as an enforcement option allowing the Commissioner to apply to the court for a higher penalty. This amendment adds to protections under the Bill that protect individuals from arbitrary or unlawful interference with privacy.

Right to freedom of expression

11. Article 19 of the ICCPR establishes the right to freedom of expression, including freedom to seek, receive and impart information. The exercise of this right may be subject to restrictions only if provided by law and where it is necessary for the protection of national security, or to respect the rights of others.

12. The right to freedom of expression is upheld by the Scheme, as it establishes a framework for accredited entities to seek, receive, and impart information (in the form of data). The Scheme does this by establishing clear authorisations for when it is lawful to share, collect and use Australian government data. The amendments also clarify requirements for data sharing agreements. Through these clarifications, it is clear how information (that is, data) can be lawfully sought, received and handled under the Scheme. The Scheme and amendments do limit the circumstances in which data can be shared, and this is necessary to ensure Australian government data is handled in accordance with other laws (for example, secrecy provisions in program legislation).

13. The amendments also engage with this right by clarifying the requirements relating to accreditation. Only Australian entities are able to be accredited under the Scheme. Foreign entities are precluded from being able to be an accredited entity under the Scheme. An accreditation authority (the Minister or the Commissioner) has discretion to refuse accreditation or impose conditions of accreditation where appropriate for reasons of security. The amendments support the protection of national security and make clear the Scheme is intended to operate for the benefit of the Australian public.

14. The amendments further engage with this right by establishing a Scheme that supports accredited entities. The amendments require the Commissioner to make a data code on the data sharing principles and consent. These requirements support the Scheme to establish clear requirements for the sharing of data. Under the amendments, the Commissioner will also have an education and support function. These amendments are beneficial in supporting safe data sharing and improving the operation of the Scheme.

15. Furthermore, the amendments enhance the right to impart information by requiring certain information contained in a data sharing agreement be made publicly available on the register. The information that must be published on the register includes descriptions of the project, data sharing purpose and the data to be shared. With this information, the public will have visibility of what data is being shared and how the sharing is done and for what purpose, supporting transparent and accountable management of the Scheme.

16. While the Scheme and amendments impose some limitations on the right to seek, receive, and impart information, the limitations are consistent with Article 19(3) of the ICCPR as they are necessary to protect national security and to respect the rights of others.

Right to a fair trial and fair hearing

17. Articles 14 and 15 of the ICCPR establish rights to due judicial process and procedural fairness. These rights apply to both criminal and civil proceedings, and in cases before both courts and tribunals.

18. The amendments engage these rights by way of introducing or amending penalties for non-compliance, including civil and criminal penalties, as well as clarifying procedural fairness requirements in relation to accreditation decisions.

19. The amendments specify the particular decisions that are subject to merits review, with favourable decisions not subject to merits review. Further, decisions made by the Commissioner that are classed as 'urgent' directions are not reviewable decisions, as directions made in these circumstances are the result of a high risk or emergency situation which requires immediate action to address.

20. The amendments also provide that a serious contravention of certain civil penalty provisions can attract a higher civil penalty. A court may decide that the higher penalty is appropriate considering the sensitive data involved in the contravention, the consequences of the contravention and the degree of care exercised by the entity involved in the contravention.

21. Consistent with Article 14(1), an independent, impartial court will preside over all criminal and civil proceedings brought under the Bill or another Australian law (where the rebound approach applies). Such proceedings will be subject to established Australian court processes and procedures that protect the right to a fair trial, including requirements relating to procedural fairness, evidence and sentencing.


Conclusion

22. The amendments are compatible with human rights as they strengthen the protection of human rights. Where the amendments may limit particular rights, the limitations are reasonable, necessary, and proportionate with human rights.

The Hon. Stuart Robert MP, Minister for Employment, Workforce, Skills, Small and Family Business

