Public Sector (Data Sharing) Bill

Second Reading

The Hon. K.J. MAHER (Minister for Employment, Minister for Aboriginal Affairs and Reconciliation, Minister for Manufacturing and Innovation, Minister for Automotive Transformation, Minister for Science and Information Economy) (16:19): I move:

That this bill be now read a second time.

Currently, we have government agencies that are collecting and generating significant amounts of valuable data, but it is largely being used only to inform their own operations. Some of the most difficult social and economic challenges facing this state require a more holistic understanding of the environment. If we are going to be truly innovative with the way government services care for the citizens of this state, then agencies must be able to readily share the data that they hold with each other.

It is well established that data analytics can be used to provide insights and a stronger evidence base for developing policy in services. For example, addressing some of the significant health challenges cannot be resolved by simply approaching them with a health lens. The way we use our public spaces, transport, education and welfare, all play a part and the data that is collected in all these agencies can bring new insights for designing health policy and services. This legislation provides the authority that is needed for agencies to share their data and includes a framework for ensuring that this only occurs in safe circumstances and only for purposes supporting government policy making, program management, service planning and delivery.

The main authority and safeguards of the bill are modelled to some extent on the Data Sharing (Government Sector) Act 2015 that the New South Wales parliament passed late last year. Already, New South Wales is progressing policy in service delivery changes inspired by some of the insightful analysis enabled by this legislation. The artificial boundaries of government departments create barriers to agencies that are seeking to innovate and provide the type of collaborative, joined-up service delivery that people expect.

While we are establishing a distinct child protection department to focus on the important task of protecting our state's vulnerable children, the department cannot be expected to operate in isolation. This bill is critical for supporting this new department and others to work collaboratively for better outcomes. This legislation will effectively override the legislative policy barriers that operate to prevent data-sharing within government, yet will ensure data sharing is always safe and appropriate.

The two key objectives for this legislation are to promote the management and use of public data sharing as a public resource to support good government policy making, program management and service planning delivery, and to remove the barriers that impede the sharing of data between agencies. The data that government holds is a considerable asset, and we want our citizens and the public sector to be confident that it is being used to provide public value.

To provide the most public value that can possibly come from it, the major features of the bill include: the ability to establish an office of data analytics (the ODA); a framework of trusted access principles to encourage voluntary data sharing between public sector agencies; and the ability for the minister to enter into data sharing agreements with agencies of the commonwealth in other states and territories, local councils and non-government agencies prescribed by regulation.

The bill enables the minister to designate a public sector agency, or part of a public sector agency, as the ODA. Its functions would be to undertake data analytics work on data made available from across government and to make the results of the data analytics work available to government agencies to provide to the private sector and the general public. Data analytics work is defined in the bill to mean:

…the examination and analysis of data for the purpose of drawing conclusions about that data (including, for example, conclusions about the efficacy of Government policies, program management or service planning and delivery by public sector agencies);

The ODA's data analytics work would not necessarily be confined to big data and de-identified results, but could be extended to personalised results at the service delivery level. To support its functions, the ODA will be given the power, with the minister's approval, to direct a government agency to provide data to the ODA. However, the minister must have regard to the trusted access principles before giving his or her approval.

The portion of the bill allowing for the establishment of the ODA responds to research-focused recommendations of the Child Protection Systems Royal Commission. There are two mechanisms for authorising the sharing of data between public sector agencies, including with the ODA, under this legislation. The first enables voluntary data sharing between public sector agencies. In this instance, an agency may simply approach another agency with their data request or an agency may proactively identify the value in sharing data that it controls with another agency.

The second mechanism is that the Minister for the Public Sector may direct the public sector agency to provide data that it controls to another public sector agency. This may be on the minister's own initiative or, perhaps, where an agency is unsuccessful in pursuing a voluntary arrangement directly with another agency and seeks the minister's backing.

Under both mechanisms, the legislation provides authority for data to be shared for the purposes of enabling agencies to develop, improve and undertake policy-making, program management, service planning and delivery, and for enabling data analytics work to be carried out on the data to identify issues and solutions regarding these same objectives. In considering whether the data should be shared, the agency seeking to receive the data must provide satisfactory assurance against a set of trusted access principles.

These principles provide a framework for considering that the quality of the data, the people using it, the storage environment, the purpose for which the data is to be used and any outputs are all considered safe and appropriate before the data is shared and that there are adequate controls in place to support this assessment. The trusted access principles that are embedded in the bill reflect international best practice and are employed by the Australian Bureau of Statistics for assessing the safe and appropriate sharing of data.

An important principle of the trusted access principles, in a world in which data security is a common concern, is a requirement for the data provider to have regard to the environment in which the data will be stored, accessed and used by the proposed data recipient, including whether the data recipient has appropriate security and technical safeguards in place to ensure data remains secure and not subject to unauthorised access and use, such as secure login, user authentication, encryption and supervision or surveillance.

The legislation predominantly applies to public sector agencies, as defined in the Public Sector Act 2009. It does allow for additional entities to be added or removed from this definition by way of regulation, and the intention is to consult further about which agencies may be appropriate to exclude. Regarding the definition of public sector data, this also allows for the regulations to prescribe exempt data, either being all data held by a prescribed agency or data of a prescribed kind.

In New South Wales, information that is exempt from disclosure under the equivalent of the Freedom of Information Act 1991 in South Australia is also exempt from the data sharing authority. In drafting the regulations for this legislation, we will consider what might be appropriate to exempt and take outside the scope of what may be authorised for sharing under this act.

The bill includes a number of safeguards to provide protections around the appropriate sharing of data. These include, limitations on the further use or disclosure of data for purposes other than those authorised under this legislation. The limited instances include, for example, whether disclosure is reasonably required to lessen or prevent a serious threat to life, health or safety of a person.

The safeguards also include a requirement that any confidential or commercially sensitive information is dealt with in a way that complies with any contractual or equitable obligations of the data provider concerning how it is to be dealt with. Regarding the custody control of data, the safeguards require any legal requirements concerning the data, such as requirements under the Freedom of Information Act 1991, or the State Records Act 1997, to continue to be applied to any data security policies that are applicable to that data recipient.

In addition to the explicit safeguards in the bill, the principles of ethical behaviour and professional integrity found in the Public Sector Act 2009 and the Professional Conduct Standards in the Code of Ethics for the South Australian public sector will apply and require public sector employees to maintain the integrity and security of official information and only access, use and disclose information where authorised. Any employee who contravenes or fails to comply with these professional conduct standards may be liable to disciplinary action.

The trusted access principles and the information privacy principles established under a Cabinet Instruction provide adequate safeguards against privacy concerns. The data sharing safeguards in the bill will also protect confidential information by requiring the data recipient to deal with the data in a way that complies with any contractual or equitable obligation of the data provider concerning how the data is to be dealt with.

The bill also establishes a regime for sharing of government data by voluntary agreement with agencies of the commonwealth and other states and territories, with local councils and with NGOs prescribed by regulation. The sharing agreements may be subject to conditions, including the application of one or more of the trusted access principles. While the terms of the agreements will differ depending on the type of data and the level of personal information involved, core conditions on each agreement can be expected to include appropriate provisions safeguarding the privacy and confidentiality of the data and ensuring that the data remains secure and not subject to unauthorised access and use.

If the data is provided in accordance with a sharing agreement, the agreements would have effect notwithstanding a law of this state that would otherwise operate to prohibit the provision of the relevant data. This portion of the bill responds to the Child Protection Systems Royal Commission recommendation on improved data and information sharing between government and non-government agencies.

With one exception relating to NGOs, the intent of this bill is that the Freedom of Information Act 1991 does not apply to a document that has been privileged by a data provider to a data recipient, or to a document provided under a data sharing agreement between the minister and another body. This is intended to ensure that the body that is in the best position to consider the FOI request does so. That would be the body that has provided the data as the originator of the document rather than the body that receives the data.

This legislation is about overcoming the artificial walls that exist around government departments. It is about creating the authorising environment for agencies to make the best use of their data and a collaborative approach to improve the evidence base supporting policy development and the services we deliver. I commend this bill to members. I seek leave to have the explanation of clauses inserted without my reading it.

Leave granted.

Explanation of Clauses

Part 1—Preliminary

1—Short title

This clause provides the short title.

2—Commencement

This clause provides for commencement to be fixed by proclamation.

3—Interpretation

This clause provides definitions for the purposes of the measure. Public sector agency has the same meaning as in the Public Sector Act 2009, however this may be modified by the regulations to include or exclude specified persons or bodies. Public sector data means any data that a public sector agency controls and there is provision for exempt public sector data being public sector data, or public sector data of a kind, prescribed by the regulations and public sector data held by a prescribed public sector agency.

Part 2—Objects and interaction with other Acts

4—Objects

This clause sets out the object of the measure, being to promote the management and use of public sector data as a public resource that supports good Government policy making, program management and service planning and delivery, to remove barriers that impede the sharing of public sector data between public sector agencies, to facilitate the expeditious sharing of public sector data between public sector agencies and to provide for the Minister to enter into data sharing agreements with certain other entities. The objects further specify protections provided in relation to public sector data sharing under the measure.

5—Interaction with other Acts

This clause provides that the provision of public sector data by a public sector agency to another public sector agency as authorised under the measure for a specified purpose is lawful for the purposes of any other Act or law that would otherwise operate to prohibit that provision. The clause states that the measure does not permit or require a data recipient to use or disclose public sector data received under the measure for another purpose outside the authorisation or to deal with any public sector data otherwise than in compliance with the State Records Act 1997 where that Act applies to the public sector data.

This clause provides that a person does not have a right to access a document under the Freedom of Information Act 1991 from a data recipient and a data recipient must not give access to a document under that Act if the document was provided under the measure. A data recipient must refer an application under the Freedom of Information Act 1991 for such a document to the data provider who will deal with the application in accordance with that Act.

This clause also provides that the measure is not intended to prevent or discourage the sharing of public sector data by public sector agencies if it is proper and reasonable to do so or if it is permitted or required by or under any other Act or law.

Part 3—Office for Data Analytics

6—Office for Data Analytics

This clause provides that the Minister may, by notice in the Gazette, designate a public sector agency, or part of a public sector agency, as the Office for Data Analytics (ODA). The proposed functions of ODA are to undertake data analytics work on public sector data received from across the whole of Government, to make the results of that data analytics work available to public sector agencies, to the private sector and to the general public as ODA sees fit and to perform any other functions conferred on ODA by the Minister. It is proposed that ODA will be able, with the approval of the Minister, to direct a public sector agency to provide public sector data to ODA for the purposes of carrying out its functions. ODA is to undertake its functions in a manner that prioritises the provision of relevant and up to date information to public sector agencies about their service delivery, operations and performance.

Part 4—Facilitating public sector data sharing

7—Trusted access principles

This clause sets out the trusted access principles to be applied in respect of the sharing and use of public sector data under the measure. The trusted access principles are divided into groups as follows:

(a) safe projects;

(b) safe people;

(c) safe data;

(d) safe settings;

(e) safe outputs;

(f) other trusted access principles as may be prescribed by the regulations.

8—Public sector data sharing authorisation

This clause provides that a public sector agency is authorised to provide public sector data, other than exempt public sector data, that it controls to other public sector agencies for any of the following purposes:

(a) to enable data analytics work to be carried out on the data to identify issues and solutions regarding Government policy making, program management and service planning and delivery by public sector agencies;

(b) to enable public sector agencies to facilitate, develop, improve and undertake Government policy making, program management and service planning and delivery by the agencies;

(c) such other purposes as may be prescribed by the regulations.

The clause requires that a public sector agency must, before providing public sector data to another public sector agency under this section, apply the trusted access principles and be satisfied that the sharing and use of the data is appropriate in all the circumstances. The clause also requires that a data provider and a data recipient must comply with all relevant data sharing safeguards.

9—Data sharing on direction by Minister

This clause provides that the Minister may direct a public sector agency to provide public sector data that it controls, including exempt public sector data, to another public sector agency for any of the purposes referred to in clause 7(1). The Minister must, before making a direction under this clause, have regard to the trusted access principles and be satisfied that the sharing and use of public sector data is appropriate in all the circumstances.

Part 5—Data sharing safeguards

10—Confidentiality and commercial-in-confidence

This clause requires a data recipient to ensure that confidential or commercially sensitive information provided to it under the measure is dealt with in a way that complies with any contractual or equitable obligations of the data provider concerning how it is to be dealt with.

11—Data custody and control safeguards

This clause provides that a data provider and data recipient must ensure that public sector data is maintained and managed in compliance with any legal requirements concerning its custody and control (including, for example, requirements under the State Records Act 1997) that are applicable to them.

12—Other data sharing safeguards

This clause provides for additional data sharing safeguards to be prescribed by the regulations.

Part 6—Minister may enter data sharing agreements

13—Minister may enter data sharing agreements

This clause provides that the Minister may enter into an agreement relating to the sharing of data with a relevant entity, being an agency or instrumentality of the Commonwealth, another State or a Territory of the Commonwealth, a council (within the meaning of the Local Government Act 1999) or a person or body, or a person or body of a class, prescribed by the regulations.

This clause provides that the provision of public sector data by a public sector agency to a relevant entity under an agreement under this section is lawful for the purposes of any other Act or law that would otherwise operate to prohibit that provision (whether or not the prohibition is subject to specified qualifications or exceptions) if the public sector data is provided in accordance with the agreement.

Part 7—Miscellaneous

14—Restriction on further use and disclosure of public sector data

This clause provides that a data recipient must not use or disclose public sector data received pursuant to an authorisation under section 7 or section 8 other than for a purpose for which it was provided unless—

(a) the Minister approves the use or disclosure after consultation with the data provider; or

(b) the use or disclosure is required or authorised by or under law or an order of a court or tribunal; or

(c) the use or disclosure is reasonably required to lessen or prevent a serious threat to the life, health or safety of a person, or a serious threat to public health or safety; or

(d) the use or disclosure is in accordance with the regulations.

15—Delegation by Minister

This clause provides that the Minister may delegate any of the Minister's functions or powers under the measure.

16—Personal liability

This clause provides that a person acting honestly and in the exercise or purported exercise of functions in administration of this Act incurs no civil or criminal liability in consequence of doing so. A civil action that would otherwise lie against a person lies instead against the Crown (except in the case of a member of a body corporate or the governing body of a body corporate or a person employed or appointed by, or a delegate of, a body corporate, in which case liability lies instead against the body corporate).

17—Regulations

This clause provides for regulations to be made by the Governor for the purposes of the measure.

Debate adjourned on motion of Hon. J.S.L. Dawkins.