FAQ

 

FREQUENTLY ASKED QUESTIONS

What is the purpose of the Public Sector (Data Sharing) Act 2016?

The Act facilitates the sharing of public sector data between public sector agencies and provides for the sharing of data between public sector agencies and other entities.

 

What are the objectives of the Public Sector (Data Sharing) Act 2016?

The objectives of the Act are:

  • to promote, in line with the five safes and the data sharing safeguards, the management and use of public sector data as a public resource that supports good Government policy making, program management and service planning and delivery;
  • to remove barriers to the sharing of public sector data between public sector agencies;
  • to facilitate faster sharing of public sector data between public sector agencies;
  • to provide protections in connection with public sector data sharing under the Act; and
  • to enable the Minister for the Public Sector to enter into data sharing agreements with other non-public sector entities.

 

What are purposes for which data can be shared under the Public Sector (Data Sharing) Act 2016?

Under the Act a public sector agency can only provide public sector data (excluding exempt data) that it controls to another public sector agency if the sharing of the data is for at least one of these purposes:

  • to enable data analytics work to be carried out on the data to identify issues and solutions regarding Government policy making, program management and service planning and delivery by public sector agencies;
  • to enable public sector agencies to facilitate, develop, improve and undertake Government policy making, program management and service planning and delivery by the agencies;
  • to assist in law enforcement; or
  • to assist in emergency planning and response.

‘Emergency planning and response’ includes:

  • prevention or reduction of a threat to the life, health or safety of a person;
  • investigation of a missing person;
  • identification of a disaster victim or deceased person;
  • prevention or reduction of a disruption to essential services or to services usually enjoyed by the community; and
  • prevention or reduction of the destruction of, or damage to, any property.

‘Law enforcement’ includes:

  • preservation of the peace;
  • prevention and detection of crime; and
  • criminal investigations, criminal proceedings or proceedings for the imposition of a penalty.

Exempt public sector data should not be confused with public sector agencies which are exempt from the operation of the Act.

 

What is public sector data?

Public sector data is broadly defined as any data controlled by public sector agencies.

 

What is exempt public sector data?

Given the safeguards in the Act, in particular the five safes, only certain public sector data has been made exempt being:

  • data held by the Auditor-General, the Crown Solicitor, the Director of Public Prosecutions and the Ombudsman;
  • data that would be privileged from production in legal proceedings on the ground of legal professional privilege;
  • data obtained in confidential circumstances for the purposes of mediation, conciliation or other dispute resolution process undertaken under an Act or law;
  • data created by South Australia Police containing information classified by the Commissioner of Police, in accordance with the provisions of any other Act, as criminal intelligence;
  • in relation to proceedings that are being heard, or are to be heard, before a court or tribunal, data –
    • prepared for the purposes of the proceedings;
    • obtained in confidential circumstances for the purposes of mediation, conciliation or some other form of dispute resolution;
    • the disclosure of which would be inconsistent with the Crown acting as a model litigant in the proceedings; or
    • prepared by or on behalf of the court or tribunal;
  • data the public disclosure of which would, but for any immunity of the Crown –
    • constitute contempt of court;
    • contravene any order or direction of a person or body having power to receive evidence on oath; or
    • infringe the privilege of Parliament; and
  • data the disclosure of which could reasonably be expected to prejudice national security.

Although ‘exempt’, this data can still be shared in some limited circumstances.

 

What is a public sector agency and which public sector agencies are exempt?

‘Public sector agency’ has the same meaning as in the Public Sector Act 2009 but excludes certain exempt public sector agencies.  South Australian Ministers, Chief Executives and Departments all fall within the definition of a public sector agency.

Given the safeguards in the Act, in particular the five safes, only a few bodies have been made exempt from the definition of ‘public sector agency’.  The Act does not apply to exempt agencies, being:

  • the Independent Commissioner Against Corruption;
  • the Judicial Conduct Commissioner;
  • the Office for Public Integrity;
  • all Royal Commissions;
  • a judicial conduct panel under the Judicial Conduct Commissioner Act 2015;
  • a person appointed to conduct a review of the Independent Commissioner Against Corruption or the Office for Public Integrity under section 46 of the Independent Commissioner Against Corruption Act 2012 (as in force immediately before the commencement of section 20 of the Independent Commissioner Against Corruption (Miscellaneous) Amendment Act 2016); and
  • the reviewer within the meaning of Schedule 4 of the Independent Commissioner Against Corruption Act 2012.

 

When can data be shared by a public sector agency?

A public sector agency is only authorised to share data that it controls, excluding exempt public sector data, if:

  • the sharing of the data is for a legislated purpose;
  • the public sector agency providing the data has made a written record of the purpose or purposes for which the public sector data is proposed to be provided and used, as agreed with the public sector agency who is to receive the data; and
  • the public sector agency that is to provide the data has applied the five safes and is satisfied that the provision and use of the data is appropriate in all the circumstances.

Exempt public sector data is not to be confused with public sector agencies which are exempt from the operation of the Act.

 

Who in my agency has authority to approve release of data to another agency?

Your agency will need to develop a policy regarding how data requests are actioned, considered and approved.  Most agencies have appointed a chief data officer who can provide you with guidance.

The only legislative requirements relating to approvals for release relate to prescribed health data.

 

What if my agency disagrees or has concerns with a request from another agency?

Requests for data should not be approved unless your agency is satisfied that the use of the data by the public sector agency seeking to access the data is appropriate in all the circumstances, having regard to the five safes.

For more information see: five safes.

 

What if there is a disagreement on releasing data?

Requests should not be refused if there is a good reason and purpose for use of the information.  If there is a dispute regarding information release, please consult the Office for Data Analytics.  In the parliamentary debate on 20 September 2016, the Deputy Premier indicated how he saw the provisions operating:

'Listen, all you lot, you should be sharing stuff with each other. Now, go away and play nicely.' That is the starting point. If that does not happen, it gets escalated to the point where we have a collection—a conclave, if that is the right word—of chief executives who meet and try to sort things out. If that still fails to sort things out, it escalates to the minister who says, 'Either do it or don't do it.'

 

Is there a protocol and/or template for agency requests for data access?

Yes.  Forms are available to help guide agencies on assessing whether it is appropriate to share data.  The forms are available from the person appointed as your agency’s data officer or from the Office of Data Analytics.  The forms will also be made available on the Office for Data Analytics website at www.oda.sa.gov.au during July/August 2017.

 

What are the five safes?

The five safes, or trusted access principles, are a set of principles that must be applied in respect of the sharing and use of public sector data under the Act.  The five safes are:

  • safe projects;
  • safe people;
  • safe data;
  • safe settings; and
  • safe outputs.

Forms have been developed to help guide public sector agencies on assessing whether it is appropriate to share data, based on the five safes.  Public sector agencies must not share data they control unless they are satisfied that the use of the data by the public sector agency seeking to access the data is appropriate having regard to the five safes.

Safe Projects

The purpose for which data is to be shared and used must be appropriate having regard to:

  • whether the data is necessary for the purpose;
  • the proposed use of the data;
  • whether the purpose for which data is proposed to be shared and used will be of value to the public;
  • whether the public interest in the proposed sharing and use of data outweighs any contrary public interest; and
  • whether there is a risk of loss, harm or other detriment to the community if the sharing and use of the data does not occur.

Safe People

The public sector agency who is to receive the data must be an appropriate public sector agency with whom data may be shared having regard to:

  • whether the agency receiving the data is appropriately equipped and in possession of the relevant skills and experience to effectively use the data for the proposed purpose;
  • whether the agency receiving the data will restrict access to the data to specified persons with appropriate security clearance;
  • whether the agency providing the data will be able to engage with the agency receiving the information to support the use of the data for the purpose; and
  • whether other persons or bodies in addition to the agency receiving the data are invested in the outputs of the project and the motivations of those persons or bodies.

The Office for Data Analytics conducts detailed assessment, vetting and screening of staff to act as a best practice reference for agencies for Safe People.  Agencies should consider whether vetting through AGSVA, screening such as DCSI child-related employment or SAPOL criminal association checks are required for staff.

Safe Data

Data to be shared and used for a purpose must be appropriate for that purpose having regard to:

  • whether the data is of the necessary quality for the proposed use (such as being accurate, relevant and timely);
  • whether the data relates to people; and
  • if data containing personal information is to be de-identified, how that de-identification will be undertaken and whether the data may be re-identified, and if so, how it may be re-identified.

In most circumstances, data will need to be de-identified before being shared.  Exceptions to this rule can be found by following the link below.

Safe Settings

The environment in which the data will be stored, accessed and used by the agency receiving the data must be appropriate having regard to –

  • the physical location where the data will be stored and used;
  • the location of any linked data sets;
  • whether the agency receiving the data has appropriate security and technical safeguards in place to ensure data remains secure and not subject to unauthorised access and use;
  • the likelihood of deliberate or accidental disclosure or use occurring; and
  • how the data will be dealt with after it has been used for the purpose for which it is shared.

The Office for Data Analytics is obtaining certification to handle data up to and including PROTECTED from an Australian Signals Directorate (Department of Defence) approved IRAP assessor.  This certification also covers physical security against the Protective Security Policy Framework to hold PROTECTED and limited amounts of CONFIDENTIAL information.  It is also important to consider the classification of information being shared noting that aggregated datasets will likely increase the classification level.  Please refer to the protective marking information supplied by the Australian Government for more information and guidance.

Safe Outputs

The publication or other disclosure of the results of data analytics work conducted on data shared under the Act must be appropriate having regard to –

  • the nature of the proposed publication or disclosure;
  • who is the likely audience of the publication or disclosure;
  • the likelihood and extent to which the publication or disclosure may contribute to the identification of a person to whom the data relates; and
  • whether the results of the data analytics work or other data for publication or disclosure will be audited and whether that process involves the agency providing the data.

The Office for Data Analytics can provide advice on minimising risk of re-identification in published results or datasets.  If published, consideration should be given to methods such as perturbation, aggregation and publishing of multiple data slices to avoid the need for micro datasets.

Prescribed Health Information

If the sharing of the data is prohibited under one of the following health provisions, an additional ‘safe’ has been prescribed which requires that the data not be shared or disclosed without the prior approval of the Minister for Health:

  • section 18 of the Assisted Reproductive Treatment Act 1988;
  • sections 66 and 73 of the Health Care Act 2008;
  • regulation 27 of the Health Care Regulations 2008;
  • section 216 of the Health Practitioner Regulation National Law;
  • sections 99 and 100 of the South Australian Public Health Act 2011;
  • section 39 of the Transplantation and Anatomy Act 1983; and
  • under the National Health Funding Pool Administration (South Australia) Act 2012.

SA NT DataLink

A further ‘safe’ has also been prescribed in relation to data sourced for the purposes of SA NT DataLink.  If the data proposed to be shared has been disclosed to the agency providing the data for the purposes of SA NT DataLink by a person or body that is not a public sector agency, the data cannot be shared by the agency without the prior approval of the person or body who disclosed that data to the agency in the first instance.

For more information see: exceptions to the de-identification rulepublic sector data sharingpurposes for which data can be shared under the Actpublic sector data and public sector agency.

 

Can ‘identified data’ be shared under the Public Sector (Data Sharing) Act 2016?

Yes, under specific circumstances.  If data to be shared and used contains personal information, the personal information must be de-identified unless:

  • the person to whom the personal information relates has consented to the sharing and use;
  • the sharing and use of the personal information is reasonably related to the original purpose for which it was collected and there is no reason to think that the person to whom the information relates would object to the sharing and use;
  • the sharing and use of the personal information is in connection with a criminal investigation or criminal proceedings or proceedings for the imposition of a penalty;
  • the sharing and use of the personal information is in connection with the wellbeing, welfare or protection of a child or children or other vulnerable person;
  • the sharing and use of the personal information is reasonably necessary to prevent or lessen a threat to the life, health or safety of a person; or
  • the purpose of the sharing and use of the personal information cannot be achieved through the use of de-identified data and it would be impracticable in the circumstances to seek the consent of the person to whom the information relates.

 

Are there any criteria to assess whether identified data is ‘reasonably related to the original purpose for which it was collected and there is no reason to think that the person to whom the information relates would object to the sharing or use’?

If data to be shared contains personal information, it must be de-identified before it is shared except in certain circumstances.  If your agency is seeking to access identified data, on the reasoning that:

“the sharing and use of the personal information is reasonably related to the original purpose for which it was collected and there is no reason to think that the person to whom the information relates would object to the sharing and use”,

it may be necessary for your agency to provide reasoning setting out exactly how your agency’s purpose for seeking access to the data relates to the original purpose for which the data was collected and make a case as to why there is no reason to think that the person to whom the information relates would object to the sharing or use of the data.  However, there is no set criteria for making such an assessment.

It is important to keep in mind that an assessment whether, in all the circumstances, it is appropriate to share the identified data, will need to be made by the agency providing the data before the data is shared.  If the data provider is not satisfied that it is appropriate to share the identified data, they are not be obliged to share it, except if directed to by the Minister for the Public Sector.

 

Does the criteria: ‘the sharing and use of the personal information is in connection with the wellbeing, welfare or protection of a child or children or other vulnerable person’ apply to a single child/person or a particular group of children?

The establishment of the Act came about, in part, to support a number of the recommendations of the Child Protection Systems Royal Commission.  The protection of children and vulnerable persons, as such, is at the forefront of the Act.  The Act strikes a balance between protecting the privacy of individuals and using data available to the Government to support the wellbeing, welfare and protection of South Australia’s children and vulnerable people. 

If the sharing of data will be used in connection with the wellbeing, welfare or protection of even a single child or vulnerable person, the Act supports the sharing of the data in its identified form. The agency providing the data is still required to consider all of the five safes before making a final assessment.

 

Does the criteria: ‘the sharing and use of the personal information is reasonably necessary to prevent or lessen a threat to the life, health or safety of a person’ apply to a single person or a group of people?

The Act strikes a balance between protecting the privacy of individuals and using data available to the Government to support a myriad of objectives, including for the purposes of assisting in law enforcement and to assist in emergency planning and response. 

Law enforcement purposes includes the preservation of peace, the prevention and detention of crime and criminal investigations, criminal proceedings and proceedings for the imposition of a penalty.

Emergency planning and response includes the prevention or reduction of a threat to the life, health or safety of a person, the investigation of a missing person, the identification of a disaster victim or deceased person, the prevention or reduction of a disruption to essential services or to services usually enjoyed by the community and the prevention or reduction of the destruction of, or damage to, any property.

If data to be shared contains personal information, it must be de-identified before it is shared except in certain circumstances.  One such circumstance is where the sharing of identified data is reasonably necessary to prevent or lessen a threat to the life, health or safety of a person. 

If the sharing of data is reasonably necessary to prevent or lessen a threat to the life, health or safety of a person, the Act supports the sharing of the data in its identified form.  The agency providing the data is still required to consider all of the five safes before making a final assessment.

 

Can the Minister for the Public Sector direct a public sector agency to share data, including exempt public sector data?

The Minister for the Public Sector may direct a public sector agency to provide public sector data that it holds, including exempt public sector data, to another public sector agency for any purpose under the Act. 

Public sector agencies are not authorised to share exempt public sector data that they hold under the Act.  However, the Minister for the Public Sector does have the power to direct a public sector agency to provide exempt public sector data that it holds to another public sector agency.

A direction by the Minister is binding and authorises the public sector agency specified in the direction to provide public sector data in accordance with the Minister’s direction.  Prior to the Minister making such a direction, the Minister must consider the five safes and be satisfied that the sharing and use of the data is appropriate in all the circumstances.

Exempt public sector data is not to be confused with public sector agencies which are exempt from the operation of the Act.

 

What are the obligations of public sector agencies once data has been shared?

Once public sector data has been shared, the public sector agency who provided the data and the public sector agency who received the data must comply with all relevant data sharing safeguards.  This applies both where data is shared between agencies and where data is shared on the direction of the Minister for the Public Sector.

The public sector agency who received the data is also obliged to ensure that the data received is tagged as data that has been shared under the Act.

Further the public sector agency who received the data is prohibited from using or disclosing the data received except for the purpose for which it was provided.  This includes a restriction on re-sharing the data.  Information on exceptions to this rule can be found via the link below.

 

What are the ‘data sharing safeguards’?

Once public sector data has been shared, the public sector agency who provided the data (‘data provider’) and the public sector agency who received the data (‘data recipient’) must comply with all relevant data sharing safeguards.  This applies both where data is shared between agencies and where data is shared on the direction of the Minister for the Public Sector.

Confidentiality and commercial-in-confidence

A data recipient that receives public sector data containing confidential or commercially sensitive information must ensure that the confidentiality or commercially sensitive information is dealt with in a way that complies with any contractual or equitable obligations of the data provider concerning how it is to be dealt with.

Data custody and control safeguards

A data provider and data recipient must ensure that public sector data is maintained and managed in compliance with any legal requirements concerning the data’s custody and control.

If a data recipient arranges for a person or body (other than another public sector agency) to conduct data analytics work using shared data, the data recipient must ensure that appropriate contractual arrangements are in place before the shared data is provided to ensure that the person or body deals with the data in compliance with any requirements of the Act, the State Records Act 1997 and any data security policies that are applicable to the data recipient.

Other data sharing safeguards

If data is provided to a data recipient under the Act, the data recipient must ensure that the data is clearly marked as data which has been provided under the Act.

 

In what circumstances can shared data be used or disclosed for a purpose other than the purpose for which it was originally shared?

Data that has been shared can only be used for the purpose for which it was shared for.  There are limited exceptions to this rule which are as follows:

  • the Minister for the Public Sector, after consultation with the public sector agency who provided the data, approves the further use or disclosure of the shared data;
  • the further use or disclosure of the data is required or authorised by or under law or an order of a court or tribunal;
  • the further use or disclosure of the data is reasonably required to lessen or prevent a serious threat to the life, health or safety of a person, or a serious threat to public health or safety; or
  • the further use or disclosure is by the Office of Data Analytics (‘ODA’) and:
    • the proposed further use is consistent with the objects of the Public Sector (Data Sharing) Act 2016; and
    • ODA is satisfied that the circumstances in which the proposed use will occur is consistent with the circumstances that the public sector agency who provided the data was (at the time of providing the data) informed would be the circumstances in which any proposed use of the data would occur.

 

Can shared data be re-shared by the public sector agency who received the data?

Generally, no.  Data that has been shared can only be used for the purpose for which it was shared.  There are limited exceptions to this rule which are as follows:

  • the Minister for the Public Sector, after consultation with the public sector agency who provided the data, approves the further use or disclosure of the shared data;
  • the further use or disclosure of the data is required or authorised by or under law or an order of a court or tribunal;
  • the further use or disclosure of the data is reasonably required to lessen or prevent a serious threat to the life, health or safety of a person, or a serious threat to public health or safety; or
  • the further use or disclosure is by the Office of Data Analytics (‘ODA’) and:
    • the proposed further use is consistent with the objects of the Public Sector (Data Sharing) Act 2016; and
    • ODA is satisfied that the circumstances in which the proposed use will occur is consistent with the circumstances that the public sector agency who provided the data was (at the time of providing the data) informed would be the circumstances in which any proposed use of the data would occur.

 

Which other entities can data be shared with under the Public Sector (Data Sharing) Act 2016?

In addition to the sharing of data between public sector agencies, public sector data may also be shared with:

  • an agency or instrumentality of the Commonwealth, another State or a Territory of the Commonwealth; and
  • a council within the meaning of the Local Government Act 1999.

Under the Act, public sector data can only be shared with these other entities if the Minister for the Public Sector enters into an agreement with the other entity regarding the sharing of public sector data.

An agreement between the Minister and the other entity may be subject any conditions agreed between the Minister and the other entity. 

Where the Minister enters into an agreement that involves the provision of public sector data by a public sector agency to another entity, the Minister may direct the public sector agency to provide the public sector data subject to the agreement to the other entity in accordance with the agreement.

 

How does the Public Sector (Data Sharing) Act 2016 interact with other legislation? 

The Act overrides all other South Australian legislation.  As such, the sharing of public sector data by a public sector agency to another public sector agency in accordance with the Act is lawful regardless of whether any other South Australian Act or law prohibits it.

 

What is the process for actioning a freedom of information request that has been received for data that has been shared under the Public Sector (Data Sharing) Act 2016?

If a freedom of information request is received by a public sector agency for data that is only in that agency’s possession because it was received from another public sector agency who shared the data under the Act, that agency:

  • must not give the requester access to the data; and
  • must refer the freedom of information request to the agency who provided them with the data. 

The request is then taken to be transferred to the agency who provided the data under the provisions of the FOI Act.

 

How does the Public Sector (Data Sharing) Act 2016 interact with the Information Privacy Principles and the Information Sharing Guidelines?

The Information Privacy Principles (‘the IPPs’) apply to the collection, storage, access to records, correction, use and disclosure of data by public sector agencies in respect of personal information.  The IPP’s remain relevant in many respects, however, where they conflict with the Act, it is the Act that is to be applied and followed.

In relation to the Information Sharing Guidelines, the Act creates a new framework for the sharing of data.  From 30 May 2017, all data sharing considerations should be based on the new framework.

 

What is the Office of Data Analytics and what does it do?

The Office of Data Analytics (‘ODA’) is a new office that sits in the Department of the Premier and Cabinet.  The functions of the ODA are:

  • to undertake data analytics work on public sector data received from across the whole of Government; and
  • to make the results of that data analytics work available to public sector agencies, to the private sector and to the general public as ODA sees fit.

The ODA can provide advice about data requests and can be contacted to assist with any questions you have on any aspect of the new data sharing framework.  Please email OfficeForDataAnalytics@sa.gov.au with any requests.  Further contact details are available at www.oda.sa.gov.au.

 

Where can I go for help?

Your agencies Chief Data Officer should be able to assist you with any queries.  The Office for Data Analytics is also available provide advice about data requests and can be contacted to assist with any questions you have on any aspect of the new data sharing framework. Please email OfficeForDataAnalytics@sa.gov.au with any requests.  Further contact details, forms and guidelines are available at www.oda.sa.gov.au.

 

Sending data to ODA

ODA can accept data classified under the Information Security Management Framework (ISMF) up to and including Protected for analysis. Other than public data (i.e. available on the public internet), ODA will not accept unencrypted data under any circumstances.

Encryption should be sufficiently certified by the Australian Signals Directorate or other equivalent body equal to or exceeding the highest classification of data. It is strongly recommended to use hardware encrypted devices such as SDV-HA.

 

Requesting data from ODA

Other than information published as open data or on the Department of the Premier and Cabinet website, ODA does not generally provide data in response to specific requests from the public. Requests for information should be directed to the relevant agency, which will handle your request and engage with ODA if required.

If you are undertaking research, please discuss with SA-NT Datalink, the Australian Bureau of Statistics or bodies such as the Public Health Research Network.