Data Availability and Transparency Code 2022

I, Gayle Milnes, National Data Commissioner, make the following code.

Dated 16 December 2022

Gayle Milnes

National Data Commissioner

Contents

Part 1—Preliminary

1 Name

2 Commencement

3 Authority

4 Definitions

Part 2—Data sharing principles

5 Purpose of Part

6 Project principle—project reasonably expected to serve the public interest

7 Project principle—applicable processes relating to ethics

8 People principle—existence of conflicts of interest

9 People principle—projects for the data sharing purpose of delivery of government service

10 People principle—projects for the data sharing purpose of informing government policy and programs and research and development

11 People principle—attributes, qualifications, affiliations, expertise

12 People principle—experience

13 Setting principle—reasonable security standards

14 Data principle—appropriate protection

15 Output principle

Part 3—Dealings with personal information

16 Purpose of Part

17 Consent to sharing personal information—sections 16A and 16B of the Act

18 Consent to provision of access to or release of personal information—paragraph 20C(1)(b) of the Act

19 Consent to exit of personal information—paragraph 20E(4)(c) of the Act

20 Consent to use of personal information by new data custodian—paragraph 20F(3)(b) of the Act

21 Unreasonable or impracticable to seek consent

22 Personal information—determining necessity of sharing and minimum amount necessary

23 Whether public interest justifies sharing personal information without consent

Part 4—Miscellaneous

24 Information and documents required at time of giving documents under subsection 33(1) of the Act

25 Applicable period for notifying Commissioner of certain information

Part 1—Preliminary

1  Name

  This instrument is the Data Availability and Transparency Code 2022.

2  Commencement

 (1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

| Column 1 | Column 2 | Column 3 |
| --- | --- | --- |
| Provisions | Commencement | Date/Details |
| 1.  The whole of this instrument | The day after this instrument is registered. | 22 December 2022 |

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

 (2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3  Authority

  This instrument is made under section 126 of the Data Availability and Transparency Act 2022.

4  Definitions

Note: A number of expressions used in this instrument are defined in the Act, including the following:

(a) accredited entity;

(b) accredited user;

(c) ADSP;

(d) ADSP-enhanced data;

(e) approved contract;

(f) data custodian;

(g) data scheme entity;

(h) data sharing agreement;

(i) data sharing purpose;

(j) delivery of government services;

(k) designated individual;

(l) entity;

(m) output;

(n) personal information;

(o) project;

(p) use.

  In this instrument:

Act means the Data Availability and Transparency Act 2022.

data accessor, for an entity in relation to a project, means:

 (a) a designated individual for the entity who is permitted, under the data sharing agreement for the project, to access data; or

 (b) a body corporate that is party to an approved contract with the entity, if:

 (i) the contract is authorised by, or approved under, the data sharing agreement for the project; and

 (ii) the body corporate is permitted to access data as part of the project.

permanent resident has the same meaning as in the AusCheck Act 2007.

Part 2—Data sharing principles

5  Purpose of Part

  For the sharing, collection or use of data to be authorised by the Act, the entity sharing, collecting or using the data must be satisfied (among other things) that the project is consistent with the data sharing principles. This Part sets out matters to be taken into account, and requirements to be complied with, by an entity in satisfying itself that a project is consistent with the data sharing principles.

Note 1: This Part is to be read together with the Act.

Note 2: See also the Data Availability and Transparency (National Security Measures) Code 2022.

6  Project principle—project reasonably expected to serve the public interest

Scope of this section

 (1) As part of satisfying itself that a project is consistent with the project principle set out in subsection 16(1) of the Act, including the element set out in paragraph 16(2)(a) of the Act, an entity must take into account the matters, and comply with the requirements, set out in this section.

Note: See also subsection 16(11) of the Act (which provides that a data scheme entity must be satisfied that it has applied each of the data sharing principles to the sharing, collection or use of data in such a way that, when viewed as a whole, the associated risks are appropriately mitigated).

Delivery of government services

 (2) If the only data sharing purpose of the project is delivery of government services (see subsection 15(1A) of the Act), the project can reasonably be expected to serve the public interest.

Medical research or statistics analysis etc. relevant to public health or safety

 (3) If the data sharing purpose of the project is or includes informing government policy and programs, or research and development, the project can reasonably be expected to serve the public interest if:

 (a) the data custodian is sharing the data in the course of medical research within the meaning of the Privacy Act 1988 and in accordance with guidelines made under section 95 of that Act; or

 (b) all of the following apply:

 (i) the user is an organisation within the meaning of the Privacy Act 1988;

 (ii) the data to be shared is health information within the meaning of that Act;

 (iii) a permitted health situation, within the meaning of that Act, exists or will exist in relation to the user’s use of the data.

Other projects for the purpose of informing government policy and programs or research and development

 (4) If:

 (a) the data sharing purpose of the project is or includes informing government policy and programs, or research and development; and

 (b) subsection (3) does not apply;

the project can reasonably be expected to serve the public interest only if the entity concludes that the arguments for the project serving the public interest outweigh the arguments against the project doing so.

 (5) In reaching the conclusion mentioned in subsection (4), the entity:

 (a) must consider all of the following matters:

 (i) the public interest in promoting better availability of public sector data (see paragraph 3(a) of the Act);

 (ii) any benefits to individuals or groups of people, including commercial benefits, that can reasonably be expected to result from the project;

 (iii) any benefits to Australian citizens, permanent residents and other people in Australia that can reasonably be expected to result from the project;

 (iv) if the data sharing purpose of the project is or includes informing government policy and programs—the desirability of government policy and programs being informed by evidence that can reasonably be expected to result from the project;

 (v) any adverse impacts on individuals or groups of people, including impacts related to privacy, that can reasonably be expected to result from the project;

 (vi) if the data sharing purpose of the project is or includes research and development—whether, and when, output of the project will be released; and

 (b) may consider any other matters the entity thinks relevant, including any of the following:

 (i) any issues relevant to Australia’s national interests, as set out in policies of the Australian government;

 (ii) the social, economic, environmental, cultural and other benefits that can reasonably be expected to result from the project;

 (iii) the social, economic, environmental, cultural and other costs that can reasonably be expected to result from the project, or to result from the project not being undertaken.

Note 1: For example, a research project conducted by an Australian university may be in the public interest if a sector of Australian industry benefits from the research, even if the university also benefits commercially as a result of undertaking the research.

Note 2: A project can reasonably be expected to serve the public interest even if adverse impacts on some people, or on groups of people, can reasonably be expected. This is possible as long as other matters that must or may be considered under this subsection mean that, overall, the benefits that can reasonably be expected outweigh the adverse impacts.

Projects that do not serve the public interest

 (6) If the data sharing purpose of the project is or includes informing government policy and programs, or research and development, the project cannot reasonably be expected to serve the public interest if the only benefits that can reasonably be expected to result from the project are either or both of the following:

 (a) benefits that will serve the interests of another nation, or the people of another nation;

 (b) a commercial benefit to an entity other than an Australian entity.

Note: The Act defines Australian entity as:

(a) a Commonwealth body, State body or Territory body (each of these expressions is also defined in the Act); or

(b) the Commonwealth, a State or a Territory; or

(c) an Australian university (also defined in the Act).

7  Project principle—applicable processes relating to ethics

 (1) As part of satisfying itself that a project is consistent with the project principle set out in subsection 16(1) of the Act, including the element set out in paragraph 16(2)(b) of the Act, an entity must:

 (a) consider what processes of ethics (if any) are applicable to all or part of the project, whether as a matter of law or policy; and

 (b) if observance of an applicable process is mandatory, whether as a matter of law or policy—observe that process.

Note 1: Ethics processes involve the review of the ethical risks of sharing, collecting and using data, using an established method that is appropriate in view of the individuals, entities or subject matter to which the data relates. Ethics processes may be applicable to a project even if the data to be shared, collected and used does not directly relate to individuals (it may, for example, relate to the environment). Ethics processes may include an assessment of the potential harm of the outcomes of the project to individuals, society or the economy. They may be mandated by policy frameworks within an entity that is a data custodian or accredited entity, or by an independent body such as the National Health and Medical Research Council or the Australian Institute of Aboriginal and Torres Strait Islander Studies.

Note 2: If paragraph (b) applies, the data sharing agreement should specify the actions the entity will take to observe the process (see subsection 19(7) of the Act).

 (2) However, if observance of more than one applicable process is mandatory in relation to the project, or the same part of the project, the requirement in paragraph (1)(b) that the entity observe any mandatory applicable process is satisfied as long as:

 (a) the entity observes at least one of those processes; and

 (b) the process to be observed is chosen by agreement between the data custodian, the accredited user and any ADSP.

Note: This subsection means that, for the purposes of the data sharing scheme, entities need not observe more than one applicable ethics process if more than one such process is mandatory. However, being relieved of this duty for the purposes of the data sharing scheme does not affect an entity’s duty to observe mandatory ethics processes for other purposes.

 (3) The project principle does not require entities to observe any ethics processes additional to those otherwise applicable. It also does not prevent entities from observing additional ethics processes if they wish.

8  People principle—existence of conflicts of interest

 (1) For the purposes of the people principle set out in subsection 16(3) of the Act, an entity is not an appropriate person to make data available to if:

 (a) the entity or any of its data accessors has an actual, potential or perceived conflict of interest in relation to the collection or use of the data; and

 (b) that conflict is not appropriately managed.

 (2) Subsection (1) does not limit the circumstances in which an entity may not be an appropriate person to make data available to.

9  People principle—projects for the data sharing purpose of delivery of government service

 (1) This section applies if the only data sharing purpose of a project is the delivery of government services.

 (2) The data custodian, or an ADSP, may assume that any conflicts of interest in relation to the collection or use of data by the accredited user or its data accessors are appropriately managed if the accredited user represents, in the data sharing agreement, that:

 (a) it has a system in place to identify and manage such conflicts; and

 (b) the system operates effectively.

 (3) The data custodian, or an accredited user, may assume that any conflicts of interest in relation to the collection or use of data by an ADSP or its data accessors are appropriately managed if the ADSP represents, in the data sharing agreement, that:

 (a) it has a system in place to identify and manage such conflicts; and

 (b) the system operates effectively.

 (4) An accredited entity is taken to appropriately manage any conflicts of interest in relation to the collection or use of data by the accredited entity or its data accessors if:

 (a) it has a system in place to identify and manage such conflicts; and

 (b) the system operates effectively.

10  People principle—projects for the data sharing purpose of informing government policy and programs and research and development

 (1) This section applies if the data sharing purpose of a project is or includes informing government policy and programs, or research and development.

 (2) A data custodian, or an ADSP, may assume that any conflicts of interest in relation to the collection or use of data by the accredited user or its data accessors are appropriately managed if:

 (a) having made reasonable inquiries, the data custodian or ADSP is not actually aware of any such conflicts that are not appropriately managed; and

 (b) under the data sharing agreement, the accredited user is required to:

 (i) identify such conflicts of interest; and

 (ii) manage them appropriately in accordance with the data sharing agreement and any directions of the data custodian.

 (3) A data custodian, or an accredited user, may assume that any conflicts of interest in relation to the collection or use of data by an ADSP or its data accessors are appropriately managed if:

 (a) having made reasonable inquiries, the data custodian or accredited user is not actually aware of any such conflicts that are not appropriately managed; and

 (b) under the data sharing agreement, the ADSP is required to:

 (i) identify such conflicts; and

 (ii) manage them appropriately in accordance with the data sharing agreement and any directions of the data custodian.

 (4) As part of satisfying itself that a project is consistent with the people principle set out in subsection 16(3) of the Act, including by satisfying itself that its data accessors are appropriate persons to collect and use data, an accredited entity must:

 (a) identify any actual, potential or perceived conflict of interest that the entity or any of its data accessors have in relation to the collection or use; and

 (b) if any such conflict is identified:

 (i) notify the conflict, and any steps taken to manage it, to the data custodian and any other accredited entities that are party to the data sharing agreement; and

 (ii) manage the conflict appropriately in accordance with the data sharing agreement and any directions of the data custodian.

Note: An accredited entity may manage a conflict relating to one of its data accessors by ensuring that the data accessor manages the conflict.

Example: A researcher conducting environmental research at an Australian university, and using shared data, is also a member of an environmental group that interacts with the sharer. This is a conflict of interest for both the university and the researcher which may mean that neither the university nor the researcher are appropriate persons to collect and use data for the purposes of the people principle in subsection 16(3) of the Act. However, if the university identifies the situation, and notifies the sharer of it and of the steps being taken to manage the conflict (which may involve the researcher taking steps to manage the conflict), and the conflict is managed in accordance with the data sharing agreement and any directions of the data custodian, then the university and the researcher are able to conduct the research using the shared data.

11  People principle—attributes, qualifications, affiliations, expertise

Application of this provision

 (1) This section applies if the data sharing purpose of a project is or includes informing government policy and programs, or research and development.

 (2) As part of satisfying itself that the project is consistent with the people principle set out in subsection 16(3) of the Act, including the element set out in paragraph 16(4)(a) of the Act, an entity must take into account the matters set out in this section in relation to any individuals who are:

 (a) designated individuals for an accredited entity that is party to the data sharing agreement; and

 (b) permitted by the data sharing agreement to access data.

 (3) The entity may take the matters into account by considering them in relation to a class or classes of individuals rather than in relation to each individual.

Example: An entity may consider a class of individuals’ completion of appropriate training in handling sensitive data. In this situation, the entity is not required to assess the qualifications of each individual member of the class.

Attributes

 (4) Relevant attributes of the individuals include whether they have the security or other clearances that the data custodian considers appropriate to access the data.

Qualifications

 (5) Relevant qualifications of the individuals include any tertiary qualifications, or other formal qualifications, they hold.

Affiliations

 (6) Relevant affiliations of the individuals include the following:

 (a) employment or sponsorship by a party to the data sharing agreement or any other entity involved in the sharing, collection or use of the data;

 (b) contractual obligations, moral or commercial expectations or personal interests that are inconsistent with the data sharing scheme’s restrictions on sharing, collection or use of data;

 (c) sponsorships and scholarships provided by, or other ties to, third parties;

 (d) membership of relevant professional associations.

 (7) An individual’s affiliations may enhance, or detract from, their appropriateness to access data.

Note: Examples of affiliations that enhance the individual’s appropriateness to access data include some kinds of employment, and membership of relevant professional associations.

 (8) Affiliations will detract from the individual’s appropriateness to access data if the affiliations give rise to legal (including contractual) obligations, or moral or commercial expectations or incentives, that may conflict with the data sharing scheme’s restrictions on the collection and use of data.

Note: Examples of affiliations that detract from the individual’s appropriateness to access data include some kinds of employment, some scholarship or sponsorship arrangements, and membership of some organisations.

Example: An individual is undertaking research funded by a scholarship that requires the individual to provide regular research papers to the scholarship provider. If providing the research papers would conflict with the data sharing scheme’s restrictions on the use of data, the affiliation arising from the scholarship would detract from the individual’s suitability to access shared data, unless appropriate amendments are made to the terms of the scholarship.

Expertise

 (9) Relevant expertise of the individuals includes any education, training, or work history additional to their attributes, qualifications or affiliations. This includes on-the-job training or other types of courses that do not result in formal qualifications.

12  People principle—experience

 (1) This section applies if the data sharing purpose of a project is or includes informing government policy and programs, or research and development.

 (2) As part of satisfying itself that the project is consistent with the people principle set out in subsection 16(3) of the Act, an entity must take into account the experience of any individuals who are:

 (a) designated individuals for an accredited entity that is party to the data sharing agreement; and

 (b) permitted by the data sharing agreement to access data.

 (3) The entity may take experience into account by considering it in relation to a class or classes of individuals rather than in relation to each individual.

Example: An entity may consider a class of individuals as being appropriate to access data if all members of the class have appropriate experience handling sensitive data. In this situation, the entity is not required to assess the experience of each individual member of the class.

 (4) An individual’s experience may enhance, or detract from, the individual’s appropriateness to access data.

Note: For example, an individual’s previous experience in handling Commonwealth, State or Territory government data (whether or not under the data sharing scheme) might enhance the individual’s appropriateness to access data, if they handled that data appropriately. If the individual mishandled that data, this would detract from their appropriateness.

13  Setting principle—reasonable security standards

 (1) As part of satisfying itself that a project is consistent with the setting principle set out in subsection 16(5) of the Act, including the element set out in paragraph 16(6)(b) of the Act, an entity must take into account the matters set out in this section.

 (2) To be a reasonable security standard, a security standard must be proportionate to both of the following, as assessed by the entity:

 (a) the sensitivity of the data;

 (b) the risks posed by sharing, collecting or using the data.

 (3) The application of reasonable security standards may, in some cases, mean that accredited entities that are not Commonwealth bodies must comply with Commonwealth security standards, or parts of them.

14  Data principle—appropriate protection

 (1) As part of satisfying itself that a project is consistent with the data principle set out in subsection 16(7) of the Act, including the element set out in subsection 16(8) of the Act, an entity must take into account the matters, and comply with the requirements, set out in this section.

 (2) The entity must consider whether, before the data is shared, it should be treated in a way that contributes to the proportionate management of the risks of sharing, collecting and using the data.

Note 1: For the purposes of this section, treatment of data might include processes that reduce the detail in the data by deletion, modification, or combination of variables, categories or unit records.

Note 2: For the purposes of this section, see also the privacy protections in sections 16A and 16B of the Act, and the requirements relating to deidentification or secure access data services in section 16C of the Act.

 (3) If the data is to be shared through an ADSP, the data custodian must consider the appropriateness of treating the data before sharing with the ADSP.

 (4) The entity must consider whether a reasonable person, who is properly informed, would agree that the data to be shared, collected or used is reasonably necessary to achieve the data sharing purpose or purposes of the project.

Note: See also paragraph 13(2)(e) of the Act, and the privacy protections in sections 16A and 16B of the Act.

15  Output principle

 (1) As part of satisfying itself that a project is consistent with the output principle set out in subsection 16(9) of the Act, including the elements set out in subsection 16(10) of the Act, an entity must have regard to the matters set out in this section.

 (2) The entity must consider the nature and intended use of the output. This may include (but is not limited to) any of the following:

 (a) prefilled forms;

 (b) aggregated data sets (tables or unit records) for further analysis;

 (c) mathematical models for monitoring government programs;

 (d) publications such as academic journals or government reports.

 (3) If the data sharing agreement permits or will permit the accredited user to provide access to, or release, output, the entity must consider the appropriateness of this permission, and whether the data sharing agreement includes or should include procedures or processes to manage the provision of access or release.

Part 3—Dealings with personal information

16  Purpose of Part

 (1) For the purposes of paragraphs 126(2A)(b) and (c) and subsections 126(2B) and (2C) of the Act, this Part sets out:

 (a) requirements relating to consent by an individual to the sharing of personal information about the individual, for the purposes of sections 16A and 16B of the Act; and

 (b) other matters relating to how to apply those provisions so far as they relate to that consent; and

 (c) principles to be applied when determining the following:

 (i) for a project that has the data sharing purpose of delivery of government services—whether it is necessary to share personal information to properly deliver a government service;

 (ii) whether the public interest to be served by a project justifies the sharing of personal information without consent.

 (2) This Part also sets out:

 (a) requirements relating to consent by an individual to dealings with personal information about the individual, for the purposes of sections 20C, 20E and 20F of the Act; and

 (b) other matters relating to how to apply those provisions so far as they relate to that consent.

17  Consent to sharing personal information—sections 16A and 16B of the Act

 (1) This section is about an individual’s consent to the sharing of personal information about the individual for the purposes of subsection 16A(1) and subparagraphs 16B(1)(a)(ii) and (3)(a)(i) of the Act.

 (2) Before the consent is given, the individual must be adequately informed about the sharing, including the following:

 (a) the nature of the personal information to be shared;

 (b) whether the information is to be shared more than once;

 (c) the accredited entity or entities with which the information will be shared.

 (3) The consent must be voluntary.

 (4) The consent must relate specifically to the sharing of the information for the project.

 (5) The consent must be current at the time of the sharing.

 (6) Without limiting subsection (5), consent is not current at the time of the sharing if the consent was withdrawn before that time.

 (7) A withdrawal of consent has effect only if done expressly (whether orally or in writing) and only in relation to sharing after the time of the withdrawal. A withdrawal of consent has no effect in relation to sharing that occurred before the withdrawal.

 (8) The consent must be given:

 (a) if the individual has the capacity to consent—by the individual; or

 (b) otherwise—by a responsible person for the individual (within the meaning of the Privacy Act 1988).

 (9) Consent for the purposes of subparagraph 16B(1)(a)(ii) or (3)(a)(i) of the Act may be express (either oral or in writing) or implied (in circumstances where it may be reasonably inferred from conduct).

Note: Consent for the purposes of subsection 16A(1) of the Act is required by that subsection to be express.

18  Consent to provision of access to or release of personal information—paragraph 20C(1)(b) of the Act

 (1) A data sharing agreement may allow the accredited user to provide another entity with access to output of a project, or to release it, if the agreement meets all of the conditions specified in subsection 20C(1) of the Act. One of the conditions is that the agreement must prohibit provision of access to or release of personal information about an individual unless the individual consents (paragraph 20C(1)(b) of the Act). This section is about the individual’s consent.

 (2) Before the consent is given, the individual must be adequately informed about the provision of access to or the release of the personal information, including the following:

 (a) the nature of the personal information;

 (b) for provision of access—the entity or entities to which access will be provided.

 (3) The consent must be voluntary.

 (4) The consent must relate specifically to the provision of access or the release.

 (5) The consent must be current at the time of the provision of access or the release.

 (6) Without limiting subsection (5), consent is not current at the time of the provision of access or the release if the consent was withdrawn before that time.

 (7) A withdrawal of consent has effect only if done expressly (whether orally or in writing), and before the time of the provision of access or the release. A withdrawal of consent has no effect in relation to a provision of access or release that occurred before the withdrawal.

 (8) The consent must be given:

 (a) if the individual has the capacity to consent—by the individual; or

 (b) otherwise—by a responsible person for the individual (within the meaning of the Privacy Act 1988).

 (9) Consent for the purposes of a provision of a data sharing agreement included for the purposes of paragraph 20C(1)(b) of the Act may be express (either oral or in writing) or implied (in circumstances where it may be reasonably inferred from conduct).

19  Consent to exit of personal information—paragraph 20E(4)(c) of the Act

 (1) Output of a project can exit the data sharing scheme in some circumstances (meaning that the requirements of the Act no longer apply to its use). Subsection 20E(4) sets out circumstances in which personal information about an individual that the accredited user holds can exit. In particular, paragraph 20E(4)(c) requires that the individual must have expressly consented to their personal information being both:

 (a) shared by the data custodian with the accredited user; and

 (b) used by the accredited user without the requirements of the Act applying to the use.

This section is about the individual’s consent.

 (2) Before the consent is given, the individual must be adequately informed about the sharing, including the following:

 (a) the nature of the personal information to be shared;

 (b) whether the personal information is to be shared more than once;

 (c) the accredited entity or entities with which the information will be shared.

 (3) Before the consent is given, the individual must be adequately informed that:

 (a) the personal information will be shared under the Act; and

 (b) generally, the use of personal information and other data shared under the Act is limited by the Act; and

 (c) if the individual gives the consent sought, the Act will not limit the use of the personal information by the accredited user.

 (4) The individual may be informed about other laws that will limit the use and disclosure of the personal information by the accredited user, if the individual gives the consent sought.

 (5) The consent may be sought by the data custodian or by the accredited user.

 (6) The consent must be voluntary.

 (7) The consent must relate specifically to the sharing of the personal information with the accredited user and the accredited user’s use of the personal information.

 (8) The consent must be current at the time of the sharing.

 (9) Without limiting subsection (8), consent is not current at the time of the sharing if the consent was withdrawn before that time.

 (10) A withdrawal of consent has effect only if done expressly (whether orally or in writing) and only in relation to sharing after the time of the withdrawal. A withdrawal of consent has no effect in relation to sharing that occurred before the withdrawal.

 (11) The consent must be given:

 (a) if the individual has the capacity to consent—by the individual; or

 (b) otherwise—by a responsible person for the individual (within the meaning of the Privacy Act 1988).

20  Consent to use of personal information by new data custodian—paragraph 20F(3)(b) of the Act

 (1) A data sharing agreement may appoint the accredited user in the project as the data custodian of output of the project, in the circumstances set out in subsection 20F(2) of the Act. Among other things, the circumstances include a condition that any individual whose personal information is included in the output must have expressly consented to their personal information being used by the accredited user without the requirements of the Act applying to its use (paragraph 20F(3)(b) of the Act). This section is about the individual’s consent.

 (2) Before the consent is given, the individual must be adequately informed about:

 (a) the nature of the personal information; and

 (b) the identity of the accredited user.

 (3) Before the consent is given, the individual must be adequately informed that:

 (a) generally, the use of personal information and other data shared under the Act is limited by the Act; and

 (b) if the individual gives the consent sought, the Act will not limit use of the personal information by the accredited user.

 (4) The individual may be informed about other laws that will limit the use and disclosure of the personal information by the accredited user, if the individual gives the consent sought.

 (5) The consent may be sought by the data custodian or by the accredited user.

 (6) The consent must be voluntary.

 (7) The consent must relate specifically to the accredited user being able to use the personal information without the requirements of the Act applying to the use.

 (8) The consent must be current at the time the personal information exits the data sharing scheme.

 (9) Without limiting subsection (8), consent is not current at the time the personal information exits the data sharing scheme if the consent was withdrawn before that time.

 (10) A withdrawal of consent has effect only if done expressly (whether orally or in writing) and only if done before the time of the exit. A withdrawal of consent has no effect in relation to an exit that occurred before the withdrawal.

 (11) The consent must be given:

 (a) if the individual has the capacity to consent—by the individual; or

 (b) otherwise—by a responsible person for the individual (within the meaning of the Privacy Act 1988).

21  Unreasonable or impracticable to seek consent

 (1) For the purposes of paragraph 16B(4)(a) of the Act, the data custodian’s conclusion that it is unreasonable or impracticable to seek an individual’s consent to the sharing of data that includes personal information about the individual must be based on considerations including the following:

 (a) whether the data custodian is able to contact the individual to seek consent, including whether the data custodian has resources, systems and practices to do so;

 (b) whether the proposed sharing is authorised by any other law;

 (c) the likely impact (whether positive or negative, or direct or indirect) of the project of which the sharing is a part on the individual about whom personal information will be shared, or a group of people that includes the individual;

 (d) the likely impact on the individual of seeking, or not seeking, the individual’s consent;

 (e) whether the sharing relates to a serious threat to, or urgent situation involving, the individual about whom personal information will be shared, or a group of people that includes the individual.

 (2) It may be unreasonable or impracticable to seek consent if seeking consent would be excessively burdensome in all the circumstances.

 (3) It is not unreasonable or impracticable to seek consent merely because it would be inconvenient, time-consuming or incur costs.

 (4) It is not unreasonable or impracticable to seek consent merely because the consent of a very large number of individuals needs to be sought.

22  Personal information—determining necessity of sharing and minimum amount necessary

Scope of section

 (1) This section sets out, in relation to projects that have the data sharing purpose of delivery of government services, the principles to be applied by data custodians when determining whether it is necessary to share personal information to properly deliver the service (see subparagraph 126(2C)(b)(i) of the Act).

General principle

 (2) Except as provided by this section, it is not necessary to share personal information to properly deliver a government service.

Providing information

 (3) To properly deliver a government service mentioned in paragraph 15(1A)(a) of the Act (providing information), it is necessary to share the following personal information:

 (a) contact information for the individual to whom the service is being delivered;

 (b) any information relevant to the timing of the provision of the information, or to the content of the information.

Providing services, other than services relating to payment, entitlement or benefit

 (4) To properly deliver a government service mentioned in paragraph 15(1A)(b) of the Act (providing services, other than services relating to a payment, entitlement or benefit), it is necessary to share the following personal information:

 (a) contact information for the individual to whom the service is being delivered;

 (b) any information relevant to the timing of the provision of the service, or to the scope or content of the service.

Determining eligibility for a payment, entitlement or benefit, or paying a payment, entitlement or benefit—under legislation

 (5) If the delivery of a government service mentioned in paragraph 15(1A)(c) or (d) of the Act (determining eligibility for a payment, entitlement or benefit, or paying a payment, entitlement or benefit) is being done under legislation, then, to properly deliver the service, it is necessary to share the following personal information:

 (a) contact information for the individual to whom the service is being delivered;

 (b) any information about the individual:

 (i) that, under the legislation, may be taken into account; and

 (ii) that is expected to be taken into account when delivering the service.

Determining eligibility for a payment, entitlement or benefit, or paying a payment, entitlement or benefit—other than under legislation

 (6) If the delivery of a government service mentioned in paragraph 15(1A)(c) or (d) of the Act (determining eligibility for a payment, entitlement or benefit, or paying a payment, entitlement or benefit) is being done other than under legislation, then, to properly deliver the service, it is necessary to share the following personal information:

 (a) contact information for the individual to whom the service is being delivered;

 (b) information about the individual that may be taken into account in accordance with any written policies, procedures, processes or guidance applicable to delivery of the service;

 (c) other information about the individual:

 (i) that may lawfully be taken into account in relation to delivery of the service; and

 (ii) that is expected to be taken into account when delivering the service.

23  Whether public interest justifies sharing personal information without consent

 (1) For the purposes of subparagraph 126(2C)(b)(ii) of the Act, this section sets out the principles to be applied by data custodians when determining circumstances, or categories of circumstances, where the public interest to be served by a project justifies the sharing of personal information without consent.

 (2) Any adverse impacts on individuals that are likely to be caused by the sharing of the personal information are to be identified. The public interest to be served by the project only justifies the sharing if the ways in which the public interest is served by the project outweigh all of the likely adverse impacts.

 (3) The data custodian must take into account the following considerations:

 (a) whether the project relates to preventing, or responding to, a serious threat to life, or to the health, safety or welfare of the public;

 (b) whether the project includes any safeguards to minimise any impact on an individual, such as security measures specified in the data sharing agreement;

 (c) whether personal information is to be shared with the accredited user, or whether it is only to be shared with an ADSP that will either de-identify the information, or provide the accredited user with ADSP-controlled access;

 (d) the benefits to individuals or groups of people, and the likelihood of the project achieving those benefits;

 (e) any adverse impacts to individuals or groups of people that can reasonably be expected to result from sharing the data.

 (4) The data custodian may consider any other matters it thinks relevant, including any of the following:

 (a) any issues relevant to Australia’s national interests, as set out in policies of the Australian government;

 (b) the social, economic, environmental, cultural and other benefits that can reasonably be expected to result from the project;

 (c) the social, economic, environmental, cultural and other costs that can reasonably be expected to result from the project, or to result from the project not being undertaken.

Part 4—Miscellaneous

 

24  Information and documents required at time of giving documents under subsection 33(1) of the Act

 (1) For the purposes of subsection 33(2) of the Act, the entity is required to give the Commissioner:

 (a) the information set out in subsection (2) of this section, in an approved form (if any); and

 (b) if the data sharing agreement, or variation, has an attachment—the attachment; and

 (c) any other information or documents the entity considers relevant in relation to registration of the data sharing agreement or variation.

 (2) For the purposes of paragraph (1)(a), the information is the following:

 (a) the entities that are parties to the data sharing agreement (whether in the capacity of data scheme entity or any other capacity) and the capacity in which each entity is a party;

 (b) the date the parties entered into the agreement;

 (c) a description of the project the agreement covers;

 (d) the data sharing purpose of the project;

 (e) a description of the data to be shared;

 (f) whether personal information is to be shared;

 (g) if subsection 16B(7) of the Act applies in relation to the agreement—the statement and explanation required by that subsection;

 (h) if subsection 16B(8) of the Act applies in relation to the agreement—the statement required by that subsection;

 (i) if, but for section 23 of the Act, sharing, collecting or using data under the agreement would contravene another law—the title of the other law;

 (j) a statement of how the project will serve the public interest;

 (k) a description of the final output of the project;

 (l) if output of the project may exit the data sharing scheme under section 20E of the Act—the circumstances in which the exit may occur;

 (m) if the agreement has an expiry date—the expiry date.

25  Applicable period for notifying Commissioner of certain information

  For the purposes of paragraph 34(4)(a) of the Act, the applicable period for notifying the Commissioner is the period ending on 31 July.

Note: The notification relates to information for inclusion in the annual report prepared under section 138 of the Act.