Data Availability and Transparency Act 2022 (Cth)

Data Availability and Transparency Act 2022 No. 11, 2022 Compilation No. 4 Compilation date: 11 December 2024 Includes amendments: Act No. 128, 2024 About this compilation This compilation This is a compilation of the Data Availability and Transparency Act 2022 that shows the text of the law as amended and in force on 11 December 2024 (the compilation date). The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law. Uncommenced amendments The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register (www.legislation.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law. Application, saving and transitional provisions for provisions and amendments If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes. Editorial changes For more information about any editorial changes made in this compilation, see the endnotes. Modifications If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law. Self‑repealing provisions If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes. Contents Chapter 1—Preliminary Part 1.1—Introduction 1 Short title 2 Commencement 3 Objects 4 Simplified outline of this Act 5 Act binds the Crown 6 Extension to external Territories 7 Extraterritorial operation Part 1.2—Definitions 9 Definitions 10 References to access to data 11 Entity definitions 11A The data sharing project Chapter 2—Authorisations Part 2.1—Introduction 12 Simplified outline of this Chapter Part 2.2—Authorisations 13 Authorisation for data custodian to share public sector data 13A Authorisation for accredited user to collect and use data 13B Authorisation for ADSP to act as intermediary 13C Authorisation for data custodian to collect and use submitted data 14 Penalties for unauthorised sharing 14A Penalties for unauthorised collection or use Part 2.3—Data sharing purposes and principles 15 Data sharing purposes 16 Data sharing principles Part 2.4—Privacy protections 16A General privacy protections 16B Purpose‑specific privacy protections 16C Project involving use of de‑identification or secure access data services 16D Project involving complex data integration services 16E Privacy coverage condition 16F Compliance with APP‑equivalence term Part 2.5—When sharing is barred 17 When sharing is barred Part 2.6—Data sharing agreements 18 Data sharing agreement 19 Requirements to be met by all data sharing agreements Part 2.7—Allowed access to output of project 20A Allowed access: providing data custodian of source data with access to ADSP‑enhanced data or output 20B Allowed access: providing access to output for validation or correction 20C Allowed access: providing access to or releasing output in other circumstances 20D Allowed access: sharing under section 13 20E Exit of ADSP‑enhanced data or output of project 20F Data custodian of output of project Part 2.8—Relationship with other laws 22 Other authorisations for data custodians not limited 23 Authorisations override other laws Chapter 3—Responsibilities of data scheme entities Part 3.1—Introduction 24 Simplified outline of this Chapter Part 3.2—General responsibilities 25 No duty to share but reasons required for not sharing 26 Comply with rules and data codes 27 Have regard to guidelines 30 Comply with conditions of accreditation 31 Report events and changes in circumstances affecting accreditation to Commissioner 32 Not provide false or misleading information 33 Registration of data sharing agreements 34 Assist Commissioner in relation to annual report Part 3.3—Data breach responsibilities 35 Definition of data breach 36 Take steps to mitigate data breach 37 Interaction with Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) 38 Notify Commissioner of non‑personal data breach Chapter 4—National Data Commissioner and National Data Advisory Council Part 4.1—Introduction 39 Simplified outline of this Chapter 40 Commissioner to have regard to objects of Act Part 4.2—National Data Commissioner Division 1—Establishment, functions and powers 41 National Data Commissioner 42 Functions 43 Advice related functions 44 Guidance related functions 45 Regulatory functions 45A Education and support related functions 46 Application of finance law 47 Staff 48 Contractors 49 Consultants 50 Delegation by Commissioner 51 Independence of Commissioner 52 Commissioner not to be sued Division 2—Terms and conditions etc. 53 Appointment 54 General terms and conditions of appointment 55 Other paid work 56 Remuneration 57 Leave of absence 58 Resignation 58A Disclosure of interests to Minister 59 Termination of appointment 60 Acting appointments Part 4.3—National Data Advisory Council 61 Establishment and function of Council 62 Membership of Council 63 Appointment of members 64 Term of appointment 65 Remuneration and allowances 66 Leave of absence 67 Disclosure of interests to Minister or Commissioner 68 Disclosure of interests to Council 69 Resignation of members 70 Termination of appointment of members 71 Other terms and conditions of members 72 Procedures Chapter 5—Regulation and enforcement Part 5.1—Introduction 73 Simplified outline of this Chapter Part 5.2—Accreditation framework Division 1—Accreditation 74 Accreditation 75 Notice of accreditation decision 76 Application for accreditation 77 Criteria for accreditation 77A General provisions relating to accreditation Division 2—Conditions of accreditation 77B Conditions of accreditation 78 Imposition, variation or removal of conditions of accreditation by accreditation authority 79 Notice before decision relating to conditions of accreditation 80 Notice of conditions Division 3—Suspension and cancellation of accreditation 81 Suspension or cancellation of accreditation 82 Notice before decision about suspension or cancellation 83 Notice of suspension or cancellation 83A Lifting of suspension Division 4—Renewal of accreditation of ADSPs 84 Renewal 85 Notice of renewal decision 85A Application for renewal Division 5—Rules and further information 86 Rules relating to the accreditation framework 87 Further information or evidence Part 5.3—Complaints Division 1—Scheme Complaints 88 Making scheme complaints 89 Respondents 90 Communicating with complainant 91 Dealing with complaints 92 Grounds for not dealing with complaints 93 Admissibility of things said or done in conciliation Division 2—General complaints 94 Making general complaints 95 Dealing with complaints 96 Admissibility of things said or done in conciliation Part 5.4—Assessments and investigations 99 Assessments 100 Notices of assessment 101 Investigations 102 Determination on completion of investigation 103 Notices relating to investigation 103A Recommendations Part 5.5—Regulatory powers and enforcement 104 Power to require information and documents 105 Legal professional privilege 106 Limits on power to require information and documents 107 Transfer of matters to appropriate authority 108 Authorisation for Commissioner to disclose and receive information 109 Monitoring powers 110 Investigation powers 112 Directions 113 Civil penalty provisions 114 Infringement notices 115 Enforceable undertakings 116 Injunctions Chapter 6—Other matters Part 6.1—Introduction 117 Simplified outline of this Chapter Part 6.2—Review of decisions 118 Reviewable decisions 119 Applications for reconsideration of decisions made by delegates of the reviewer 120 Reconsideration by reviewer 121 Deadline for reconsideration 122 Review by the Administrative Review Tribunal Part 6.3—Extension of authorisations and attribution of conduct 123 Designated individuals and designation 124 Extension of authorisations to share, collect or use data 125 Other things an entity may or must do under the data sharing scheme 125A Contraventions by entities of civil penalty provisions and other non‑criminal breaches of this Act 125B Offences by entities against this Act Part 6.4—Data sharing scheme instruments 126 Data codes 127 Guidelines 128 Register of ADSPs 129 Register of accredited users 130 Register of data sharing agreements 131 Recognition of external dispute resolution schemes 132 Approved forms 133 Rules 134 Regulations Part 6.5—Other matters 135 Disclosure of scheme data in relation to information‑gathering powers 135A Data held by National Archives of Australia 136 Geographical jurisdiction of civil penalty provisions and offences 137 Authorised officers and individuals authorised to do particular things 137A Delegation by Minister 138 Annual report 139 Charging of fees by Commissioner 140 Charging of fees by data scheme entities 141 Commonwealth not liable to pay a fee 142 Periodic reviews of operation of Act 143 Sunset of the data sharing scheme Endnotes Endnote 1—About the endnotes Endnote 2—Abbreviation key Endnote 3—Legislation history Endnote 4—Amendment history An Act to authorise the sharing of public sector data, and for related purposes Chapter 1—Preliminary Part 1.1—Introduction 1 Short title This Act is the Data Availability and Transparency Act 2022. 2 Commencement (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. Commencement information Column 1 Column 2 Column 3 Provisions Commencement Date/Details 1. The whole of this Act The day after this Act receives the Royal Assent. 1 April 2022 Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act. (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act. 3 Objects The objects of this Act are to: (a) serve the public interest by promoting better availability of public sector data; and (b) enable the sharing of public sector data consistently with the Privacy Act 1988 and appropriate security safeguards; and (c) enhance integrity and transparency in sharing public sector data; and (d) build confidence in the use of public sector data; and (e) establish institutional arrangements for sharing public sector data. 4 Simplified outline of this Act This Act establishes a data sharing scheme under which Commonwealth bodies are authorised to share their public sector data with accredited users, and accredited users are authorised to collect and use the data, in a controlled way. The sharing, collection and use of data must be part of a project that is for one or more of the defined data sharing purposes, and must be done consistently with the data sharing principles and under a registered data sharing agreement that meets the requirements of this Act. Privacy protections apply to the sharing of personal information. Data may be shared directly with an accredited user, or through an intermediary accredited for the purpose (called an ADSP, short for accredited data service provider). The National Data Commissioner is the regulator of the data sharing scheme and also has the function of providing education and support in relation to handling public sector data. The Commissioner's regulatory functions include accrediting ADSPs and users other than Commonwealth, State and Territory bodies. The Minister has the function of accrediting such bodies as users. The Commissioner also has functions relating to handling complaints and powers to require information and to assess, monitor and investigate data scheme entities. Data scheme entities have responsibilities under the Act. A range of enforcement options are available to the Commissioner. This Act mainly relies for its constitutional basis on the matters set out in subsection 13(4) (constitutional requirements for authorisation for data custodian to share public sector data) (but see also subsections 42(2) and 61(2)). 5 Act binds the Crown (1) This Act binds the Crown in each of its capacities. (2) However, this Act does not make the Crown liable to be prosecuted for an offence. (3) To avoid doubt, subsection (2) does not prevent the Crown from being liable to pay a pecuniary penalty under a civil penalty order under Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act. 6 Extension to external Territories This Act and the Regulatory Powers Act as it applies in relation to this Act extend to every external Territory. 7 Extraterritorial operation (1) This Act, and the Regulatory Powers Act as it applies in relation to this Act, extend to acts, omissions, matters and things outside Australia. Note: Geographical jurisdiction for civil penalty provisions and offences is dealt with in section 136. (2) This Act, and the Regulatory Powers Act as it applies in relation to this Act, have effect in relation to acts, omissions, matters and things outside Australia subject to: (a) the obligations of Australia under international law, including obligations under any international agreement binding on Australia; and (b) any law of the Commonwealth giving effect to such an agreement. Part 1.2—Definitions 9 Definitions In this Act: access has a meaning affected by section 10. accreditation authority means: (a) for an entity applying for accreditation, or accredited, as an ADSP—the Commissioner; or (b) for a Commonwealth body, State body or Territory body, or the Commonwealth or a State or Territory, applying for accreditation, or accredited, as an accredited user—the Minister; or (c) for another entity applying for accreditation, or accredited, as an accredited user—the Commissioner. accredited entity: see subsection 11(4). accredited user: see subsection 11(4). ADSP: see subsection 11(4). ADSP‑controlled access: see subsection 16B(6). ADSP‑enhanced data: see subsection 11A(3). adverse or qualified security assessment means an adverse security assessment, or a qualified security assessment, within the meaning of Part IV of the Australian Security Intelligence Organisation Act 1979. ancillary contravention of a civil penalty provision means a contravention that arises out of the operation of section 92 of the Regulatory Powers Act. ancillary offence has the same meaning as in the Criminal Code. APP entity has the same meaning as in the Privacy Act 1988. APP‑equivalence term: see subsection 16E(2). appointed member: see paragraph 62(1)(e). approved contract: see subsection 123(3). approved form for a provision of this Act, the rules or a data code means a form approved by the Commissioner for the purposes of the provision under section 132. Australia, when used in a geographical sense, includes the external Territories. Australian aircraft has the same meaning as in the Criminal Code. Australian entity means an entity that is any of the following: (a) a Commonwealth body, a State body or a Territory body; (b) the Commonwealth, a State or a Territory; (c) an Australian university. Australian ship has the same meaning as in the Criminal Code. Australian university means a registered higher education provider: (a) that, for the purposes of the Tertiary Education Quality and Standards Agency Act 2011, is registered in the "Australian University" provider category; and (b) that is established by or under a law of the Commonwealth, a State or a Territory. authorised officer: see section 137. biometric data: (a) means personal information about any measurable biological or behavioural characteristic relating to an individual that could be used to identify the individual or verify the individual's identity; and (b) includes a biometric template containing representations of information mentioned in paragraph (a). Note: Data that is not personal information cannot be biometric data. For example, an eye colour, by itself, is not biometric data. breach: a data scheme entity breaches this Act if the data scheme entity engages in conduct that contravenes, or is inconsistent with, this Act. Circuit Court means the Federal Circuit and Family Court of Australia (Division 2). civil penalty provision has the same meaning as in the Regulatory Powers Act. Commissioner means the National Data Commissioner referred to in section 41. Commonwealth body: (a) means: (i) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013; or (ii) any other person or body that is an agency within the meaning of the Freedom of Information Act 1982; but (b) does not include an Australian university. complex data integration service: see subsection 16D(3). condition of accreditation means a condition: (a) prescribed by the rules for the purposes of subsection 77B(1); or (b) imposed under section 74, 78 or 84. constitutional corporation means a corporation to which paragraph 51(xx) of the Constitution applies. Council means the National Data Advisory Council established by section 61. court/tribunal order means an order, direction or other instrument made by: (a) a court; or (b) a judge (including a judge acting in a personal capacity) or a person acting as a judge; or (c) a magistrate (including a magistrate acting in a personal capacity) or a person acting as a magistrate; or (d) any other person or body that has the power to act judicially under a law of the Commonwealth or a State or Territory; or (e) a tribunal; or (f) a member or an officer of a tribunal; and includes an order, direction or other instrument that is of an interim or interlocutory nature. data means any information in a form capable of being communicated, analysed or processed (whether by an individual or by computer or other automated means). data breach: see section 35. data code: see subsection 126(1). data custodian: see subsection 11(2). data scheme entity: see subsection 11(1). data service means any operation performed on or in relation to data, at any stage from collection or creation to destruction. data sharing agreement: see section 18. data sharing purpose: see subsection 15(1). data sharing scheme means this Act and the regulations, rules, data codes and guidelines made under it. Defence Department means the Department administered by the Minister administering the Defence Act 1903. de‑identification data service: see subsection 16C(3). de‑identified has the same meaning as in the Privacy Act 1988. delivery of government services: see subsection 15(1A). designated individual: see section 123. designation: see section 123. electronic communication means a communication of information in any form by means of guided electromagnetic energy, unguided electromagnetic energy or both. enforcement related purpose: see subsection 15(3). engage in conduct means: (a) do an act; or (b) omit to do an act. entity means any of the following: (a) a Commonwealth body, a State body or a Territory body; (b) a body politic; (c) an Australian university; (d) a body corporate; (e) an individual. excluded entity: see subsection 11(3). exit: see section 20E. Federal Court means the Federal Court of Australia. final output of a project means the output specified as the agreed final output in the data sharing agreement for the project (see paragraph 19(3)(b)). government entity: see subsection 125A(4). guidelines means guidelines made under section 127. offence against this Act includes an offence against section 6 of the Crimes Act 1914, or Chapter 7 of the Criminal Code, that relates to this Act. Note: Ancillary offences that relate to this Act are also offences against this Act (see section 11.6 of the Criminal Code). operational data means: (a) data about information sources or operational activities or methods available to an agency mentioned in paragraph 17(2)(b); or (b) data about particular operations that have been, are being or are proposed to be undertaken by such an agency, or about proceedings relating to those operations. output: see subsection 11A(1). paid work means work for financial gain or reward (whether as an employee, a self‑employed person or otherwise). personal information has the same meaning as in the Privacy Act 1988. Note: Information that has been de‑identified is no longer personal information. point: see subsection 136(9). precluded purpose: see subsections 15(2) and (4). primary contravention of a civil penalty provision means a contravention that does not arise out of the operation of section 92 of the Regulatory Powers Act. primary offence has the same meaning as in the Criminal Code. project: see section 11A. public sector data means data lawfully collected, created or held by or on behalf of a Commonwealth body, and includes ADSP‑enhanced data. registered: a data sharing agreement is registered if the agreement is included in the register of data sharing agreements under subsection 130(4). regulatory function means a function set out in subsection 45(1). Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014. release: see subsection 10(1). reviewable decision: see section 118. reviewer: see section 118. rules means rules made under subsection 133(1). scheme data means: (a) any copy of data created for the purpose of being shared under section 13 as part of a project and held by the entity that is the sharer mentioned in that section, whether or not the data has yet been shared; or (b) output of a project, other than a copy that has exited the data sharing scheme (see section 20E); or (c) ADSP‑enhanced data of a project, other than a copy that has exited the data sharing scheme (see section 20E). secure access data service: see subsection 16C(4). security has the same meaning as in the Australian Security Intelligence Organisation Act 1979. share: see subsection 10(2). source data: see paragraph 19(3)(a). State body means any of the following, but does not include an Australian university: (a) a department of a State; (b) a body established for a public purpose by or under a law of a State, other than a body prescribed by the rules; (c) the holder of a statutory office appointed under a law of a State, other than an office prescribed by the rules. submit: see subsection 20A(3). Territory body means any of the following, but does not include an Australian university: (a) a department of a Territory; (b) a body established for a public purpose by or under a law of a Territory, other than a body prescribed by the rules; (c) the holder of a statutory office appointed under a law of a Territory, other than an office prescribed by the rules. use includes handle, store and provide access. Note: Examples of use of data by an accredited user include developing and modifying output. 10 References to access to data (1) For the purposes of this Act, a reference to an entity providing access to data includes a reference to the entity: (a) providing another entity with access to the data; and (b) providing open access to the data (releasing the data). (2) This Act uses the expression share to refer to data custodians of public sector data providing accredited entities with access to data under this Act. (3) For the purposes of this Act, if an entity provides another entity with access to data: (a) the entity that provides access is taken to retain a copy of the data; and (b) the entity to which access is provided is taken to collect a copy of the data. 11 Entity definitions (1) The following are data scheme entities: (a) data custodians of public sector data; (b) accredited entities. (2) An entity is a data custodian if the entity: (a) is a Commonwealth body; and (b) is not an excluded entity; and (c) either: (i) controls public sector data (whether alone or jointly with another entity), including by having the right to deal with that data; or (ii) has become the data custodian of output of a project in accordance with section 20F. (2A) If a data custodian of public sector data shares the data with an intermediary under section 13 as part of a project, the data custodian is taken also to be the data custodian of any ADSP‑enhanced data of the project. (3) Each of the following is an excluded entity: (aa) the National Data Commissioner and any APS employee made available to the National Data Commissioner under section 47; (a) the National Anti‑Corruption Commission; (ab) the Inspector of the National Anti‑Corruption Commission; (b) the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002; (ba) the Australian Federal Police; (c) that part of the Defence Department known as the Australian Geospatial‑Intelligence Organisation; (d) the Australian National Audit Office; (e) the Australian Secret Intelligence Service; (f) the Australian Security Intelligence Organisation; (g) the Australian Signals Directorate; (h) that part of the Defence Department known as the Defence Intelligence Organisation; (i) the Inspector‑General of Intelligence and Security; (j) the Office of the Commonwealth Ombudsman; (k) the Office of National Intelligence. (4) An entity accredited under section 74 as an: (a) accredited user (an accredited user); or (b) ADSP (short for accredited data service provider) (an ADSP); is an accredited entity. Note 1: Accredited users are able to collect and use shared data (including by creating output they can provide other entities with access to, or release) in accordance with an applicable data sharing agreement. ADSPs are expert intermediaries who can assist data custodians to prepare and share data appropriately. Note 2: Excluded entities cannot be accredited (see subsection 74(1)). (5) A data scheme entity may do things under this Act in different capacities. In each of those capacities, the entity is taken to be a different data scheme entity. Among other things, this means that a data scheme entity may enter into a data sharing agreement to which it is party in more than one capacity. Note: For example, the same entity may be party to the agreement in its capacity as data custodian of data to be shared and in its capacity as the accredited entity with which the data is shared. 11A The data sharing project Project, and output and ADSP‑enhanced data of project (1) A project involves at least both of the following elements: (a) an entity (the sharer) shares data with another entity (the user), either directly or through another entity (the intermediary); (b) the user collects the data and uses the output of the project, which is: (i) the copy of the data collected by the user; and (ii) any data that is the result or product of the user's use of the shared data. Note 1: The sharer's authorisation to share data is in section 13. The user's authorisation to collect and use data is in section 13A. Note 2: A project may involve sharing of data by multiple sharers, if multiple entities are data custodians of the data. (2) If, for the purposes of sharing data under section 13, data services are performed in relation to data, or data is created, by or on behalf of the sharer, the project also involves performing the services or creating the data. (3) If the sharer shares data with the user through an intermediary, the project also involves both of the following elements: (a) the sharer shares the data with the intermediary; (b) the intermediary collects the data and uses the ADSP‑enhanced data of the project, which is: (i) the copy of the data collected by the intermediary; and (ii) any data that is the result or product of the intermediary's use of the shared data. Note: The sharer's authorisation to share data with the intermediary, and the intermediary's authorisation to share data with the user on behalf of the sharer, are in section 13. The intermediary's authorisation to collect data from the sharer and use it is in section 13B. (4) If the sharer is provided with access to output or ADSP‑enhanced data of the project, the project also involves the sharer's collection and use of the output or ADSP‑enhanced data. Note: The sharer's authorisation to collect and use the output or ADSP‑enhanced data of the project is in section 13C. Combining projects (5) A data sharing agreement may treat multiple projects as a single project, as long as they all have the same data sharing purpose or purposes and the same sharer and user and (if applicable) intermediary. Successive projects (6) If the user in a project shares data that is output of the project as part of a later project: (a) the copy retained by the user continues to be output of the earlier project; and (b) the copy collected by the user in the later project is output of the later project in accordance with paragraph (1)(b); and (c) if the sharing in the later project is done through an intermediary—the copy collected by the intermediary in the later project is ADSP‑enhanced data of the later project in accordance with paragraph (3)(b). Note: A data sharing agreement may allow the user to share output under section 13 as part of a later project (see section 20D). Chapter 2—Authorisations Part 2.1—Introduction 12 Simplified outline of this Chapter Under the data sharing scheme, Commonwealth bodies are authorised to share their public sector data with accredited users, and accredited users are authorised to collect and use the data, in a controlled way. Data may be shared with an accredited user directly, or through an intermediary accredited for the purpose (called an ADSP, short for accredited data service provider). The sharing, collection and use of data must be part of a project that is for one or more of the defined data sharing purposes, and must be done consistently with the data sharing principles and a registered data sharing agreement that meets the requirements of this Act. Privacy protections apply to the sharing of personal information. Commonwealth bodies must be the data custodian of public sector data they share (i.e. they must control the data, including by having the right to deal with it). Some Commonwealth bodies are excluded from the scheme. Some sharing of data is barred (e.g. if the sharing would contravene a prescribed law or an agreement). An accredited user's authorisation to use data may in some circumstances extend to providing access to output of the project to other entities, which may or may not be accredited. There are limits on the circumstances in which data sharing agreements may allow this. If sharing, collection or use is authorised by this Chapter, the authorisation has effect despite any other law of the Commonwealth or a State or Territory. Data custodians and accredited entities must comply with the rules made by the Minister and data codes made by the National Data Commissioner and meet other responsibilities under this Chapter. This Act mainly relies for its constitutional basis on the matters set out in subsection 13(4) (constitutional requirements for authorisation for data custodian to share public sector data) (but see also subsections 42(2) and 61(2)). Part 2.2—Authorisations 13 Authorisation for data custodian to share public sector data (1) An entity (the sharer) is authorised to share data with another entity (the user), either directly or through another entity (the intermediary), if all of the following apply: (a) the constitutional requirements in subsection (4) are met; (b) the data custodian requirements in subsection (2) are met; (c) the project the sharing is part of is covered by a registered data sharing agreement that is in effect and that meets the requirements of this Act; (d) the sharing is in accordance with the data sharing agreement; (e)