This instrument is the Data Availability and Transparency (National Security Measures) Code 2022.

(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1	Column 2	Column 3
Provisions	Commencement	Date/Details
1. The whole of this instrument	The day after this instrument is registered.	22 December 2022

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3 Authority

This instrument is made under section 126 of the Data Availability and Transparency Act 2022.

4 Definitions

Note: A number of expressions used in this instrument are defined in the Act, including the following:

(a) accredited entity;

(b) ADSP‑enhanced data;

(d) designated individual;

(e) output.

In this instrument:

Act means the Data Availability and Transparency Act 2022.

foreign entity means:

(a) a body corporate incorporated outside Australia;

(b) an unincorporated body formed outside Australia that does not have its head office or principal place of business in Australia.

permanent resident has the same meaning as in the AusCheck Act 2007.

5 Access to data by individuals

(1) For the purposes of subsection 19(16) of the Act, a data sharing agreement must require accredited entities to ensure that involvement in the entity’s collection or use of output, or ADSP‑enhanced data, of the project is restricted to designated individuals for the entity:

(a) who are Australian citizens or permanent residents; or

(b) for whom all of the following information is specified in the agreement:

(i) full name, any previous names, and preferred name;

(ii) nationality or (if more than one) each nationality;

(iii) the applicable designation for the individual under section 123 of the Act;

(iv) a description of the individual’s proposed role in the project.

(2) If paragraph (1)(b) applies in relation to a designated individual for an entity, the data sharing agreement must also require the entity to ensure that the individual’s involvement in the entity’s collection or use of output, or ADSP‑enhanced data, of the project is restricted to the role described in the agreement for the purposes of subparagraph (1)(b)(iv).

6 Access to data by foreign individuals—notice to Australian Security Intelligence Organisation

Application of this section

(1) This section applies if:

(a) a designated individual for an entity (the responsible entity) is neither an Australian citizen nor a permanent resident; and

(b) the individual is permitted by a data sharing agreement to access data.

Consistency with people principle—responsible entity

(2) The responsible entity cannot be satisfied that the project to which the data sharing agreement relates is consistent with the people principle set out in subsection 16(3) of the Act unless:

(a) the responsible entity has provided the following material to the Australian Security Intelligence Organisation:

(i) an electronic copy of the signed data sharing agreement;

(ii) the details about the individual that are specified in subsection (4); and

(b) at least 14 days have passed since the material was provided.

Note 1: Other requirements in relation to the people principle are set out in the Data Availability and Transparency Code 2022.

Note 2: An accredited entity may be required to provide other parties to the data sharing agreement with information about foreign individuals (such as their affiliations) as part of the application of the data sharing principles and, in particular, the people principle.

Note 3: A data custodian is not authorised by section 13 of the Act to share data, and an accredited entity is not authorised by section 13A or 13B of the Act to collect or use data, unless it is satisfied that the project is consistent with the data sharing principles.

Consistency with people principle—entities other than responsible entity

(3) An entity other than the responsible entity cannot be satisfied that the project to which the data sharing agreement relates is consistent with the people principle set out in subsection 16(3) of the Act unless:

(a) it has been informed, in writing, by the responsible entity that the responsible entity has provided the material mentioned in paragraph (2)(a) to the Australian Security Intelligence Organisation; and

(b) at least 14 days have passed since it was so informed.

Note 1: Other requirements in relation to the people principle are set out in the Data Availability and Transparency Code 2022.

Details to be notified to ASIO

(4) For the purposes of subparagraph (2)(a)(ii), the details about the individual are the following:

(i) full name, any previous names, and preferred name;

(ii) nationality or (if more than one) each nationality;

(iii) date and place of birth;

(iv) any current employment (including the individual’s place of employment and the geographical location of any employers);

(v) any current contractual arrangements for the provision of services by the individual (including the geographical location of any entity to which services are provided);

(vi) any current or previous arrangements under which the individual is authorised to act as the agent of a foreign government or an authority of a foreign government, or of any other foreign entity;

(vii) current work and personal email addresses;

(viii) current work telephone number and personal mobile telephone number;

(ix) the applicable designation for the individual under section 123 of the Act;

(x) a description of the individual’s proposed role in the project.

7 Access to data by foreign individuals—Australian universities

(1) For the purposes of subsection 19(16) of the Act, this section prescribes requirements to be met by a data sharing agreement if:

(a) an accredited entity that is party to the agreement is an Australian university; and

(b) a designated individual for the Australian university, who is permitted by the agreement to access data, is neither an Australian citizen nor a permanent resident.

(2) The agreement must require the Australian university to do the following:

(a) ensure that due diligence has been carried out with respect to the individual and that the individual has undertaken training in national security issues, including foreign interference;

(b) have regard to any guidance and reports, published by Australian government security or regulatory agencies responsible for regulating the higher education or research sectors, that deal with foreign interference threats in those sectors (including the Guidelines to counter foreign interference in the Australian university sector published by the Department of Education).