South Australia: Public Sector (Data Sharing) Act 2016 (SA)

South Australia Public Sector (Data Sharing) Act 2016 An Act to facilitate the sharing of data between public sector agencies; to provide for the sharing of data between public sector agencies and other entities; to provide for an Office of Data Analytics; and for other purposes. Contents Part 1—Preliminary 1 Short title 2 Commencement 3 Interpretation Part 2—Objects and interaction with other Acts 4 Objects 5 Interaction with other Acts Part 3—Office for Data Analytics 6 Office for Data Analytics Part 4—Facilitating public sector data sharing 7 Trusted access principles 8 Public sector data sharing authorisation 9 Data sharing on direction by Minister Part 5—Data sharing safeguards 10 Confidentiality and commercial-in-confidence 11 Data custody and control safeguards 12 Other data sharing safeguards Part 6—Minister may enter data sharing agreements 13 Minister may enter data sharing agreements Part 7—Miscellaneous 14 Restriction on further use and disclosure of public sector data 15 Delegation by Minister 16 Personal liability 17 Annual report 18 Regulations 19 Review of Act Legislative history The Parliament of South Australia enacts as follows: Part 1—Preliminary 1—Short title This Act may be cited as the Public Sector (Data Sharing) Act 2016. 2—Commencement This Act will come into operation on a day to be fixed by proclamation. 3—Interpretation (1) In this Act— data means any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analysed or processed (whether by an individual or by a computer or other automated means); data analytics work means the examination and analysis of data for the purpose of drawing conclusions about that data (including, for example, conclusions about the efficacy of Government policies, program management or service planning and delivery by public sector agencies); data provider means the public sector agency that controls public sector data that is provided to a data recipient under Part 3 or Part 4; data recipient means the public sector agency to which public sector data is provided under Part 3 or Part 4; data sharing safeguards—Part 5 sets out the data sharing safeguards for the purposes of this Act that are applicable to the provision of public sector data by a public sector agency to another public sector agency; de-identified—personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable; exempt public sector data means— (a) public sector data held by a prescribed public sector agency; and (b) any other public sector data, or public sector data of a kind, prescribed by the regulations; individual means a natural person (including a deceased person); ODA—see section 6; personal information means information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion; public sector agency has the same meaning as in the Public Sector Act 2009 but— (a) excludes a person or body prescribed by the regulations for the purposes of this definition; and (b) includes any other person or body prescribed by the regulations for the purposes of this definition; public sector data means any data that a public sector agency controls; trusted access principles—see section 7. (2) The regulations may provide that section 16(1) does not apply in relation to a person or body prescribed for the purposes of paragraph (b) of the definition of public sector agency in subsection (1). (3) If part of an existing public sector agency is designated as ODA under section 6, ODA is taken to be a public sector agency in its own right for the purposes of this Act. Part 2—Objects and interaction with other Acts 4—Objects The objects of this Act are— (a) to promote, in accordance with the trusted access principles and the data sharing safeguards, the management and use of public sector data as a public resource that supports good Government policy making, program management and service planning and delivery; and (b) to remove barriers that impede the sharing of public sector data between public sector agencies; and (c) to facilitate the expeditious sharing of public sector data between public sector agencies; and (d) to provide protections in connection with public sector data sharing under this Act by— (i) specifying the purposes for, and the circumstances in which, public sector data sharing is permitted or required; and (ii) ensuring that public sector data held by public sector agencies shared under this Act continues to be protected from unauthorised use or disclosure; and (iii) ensuring that data providers retain responsibility for the release of public sector data outside the public sector under the Freedom of Information Act 1991; and (iv) requiring compliance with data sharing safeguards in connection with public sector data sharing; and (e) to provide for the Minister to enter into data sharing agreements with certain entities. 5—Interaction with other Acts (1) Subject to subsection (2), the provision of public sector data by a public sector agency to another public sector agency is lawful for the purposes of any other Act or law that would otherwise operate to prohibit that provision (whether or not the prohibition is subject to specified qualifications or exceptions) if— (a) this Act provides that the agency is authorised to provide the other public sector agency with the public sector data; and (b) the agency provides the public sector data to the data recipient only for the purpose to which the authorisation relates. (2) Nothing in this Act authorises, permits or requires a data recipient— (a) to use or disclose public sector data received under this Act for a purpose other than the purpose to which the authorisation to provide the data relates; or (b) to deal with any public sector data to which the State Records Act 1997 applies after it is provided under this Act otherwise than in compliance with the State Records Act 1997. (3) If a document (within the meaning of the Freedom of Information Act 1991) is provided by a data provider to a data recipient under this Act, despite the Freedom of Information Act 1991 the following provisions apply: (a) a person does not have a right to access the document under that Act from the data recipient and must not be given access to the document by the data recipient; (b) insofar as an application to the data recipient seeks access to the document under that Act— (i) the data recipient must refer the application to the data provider; and (ii) the application is taken to be transferred to the data provider under section 16(1)(b) of that Act but the data recipient is not required to forward a copy of the document to the data provider under section 16(2) of that Act. (4) This Act is not intended to prevent or discourage the sharing of public sector data by public sector agencies if it is proper and reasonable to do so or if it is permitted or required by or under any other Act or law. Part 3—Office for Data Analytics 6—Office for Data Analytics (1) The Minister may, by notice in the Gazette, designate a public sector agency, or part of a public sector agency, as the Office for Data Analytics (ODA). (2) The functions of ODA are— (a) to undertake data analytics work on public sector data received from across the whole of Government; and (b) to make the results of that data analytics work available to public sector agencies, to the private sector and to the general public as ODA sees fit; and (c) to perform any other functions conferred on ODA by the Minister. (3) ODA is to undertake its functions in a manner that prioritises the provision of relevant and up to date information to public sector agencies about their service delivery, operations and performance. (4) ODA may, with the written approval of the Minister, direct a public sector agency to provide public sector data to ODA for the purposes of carrying out its functions. (5) The Minister must have regard to the trusted access principles before granting an approval under subsection (4). (6) The Minister may impose specified requirements or limitations on the power of ODA to make a direction under subsection (4). (7) ODA must comply with all relevant data sharing safeguards in respect of public sector data provided to it under this section. Part 4—Facilitating public sector data sharing 7—Trusted access principles (1) The trusted access principles to be applied in respect of the sharing and use of public sector data under this Act are set out in this section. (2) Safe projects The purpose for which data is proposed to be shared and used must be assessed as appropriate having regard to— (a) whether the data is necessary for the purpose; and (b) the proposed use of the data; and (c) whether the purpose for which data is proposed to be shared and used will be of value to the public; and (d) whether the public interest in the proposed sharing and use of data outweighs any contrary public interest; and (e) whether there is a risk of loss, harm or other detriment to the community if the sharing and use of the data does not occur. (3) Safe people A proposed data recipient must be assessed as an appropriate public sector agency with whom data may be shared for a particular purpose having regard to— (a) whether the proposed data recipient is appropriately equipped and in possession of the relevant skills and experience to effectively use data for the proposed purpose; and (b) whether the proposed data recipient will restrict access to the data to specified persons with appropriate security clearance; and (c) whether the data provider will be able to engage with the data recipient to support the use of the data for the purpose; and (d) whether other persons or bodies in addition to the data recipient are invested in the outputs of the project and the motivations of those persons or bodies to be so invested. (4) Safe data (a) If data to be shared and used contains personal information, the personal information must be de‑identified unless— (i) the person to whom the personal information relates has consented to the sharing and use; or (ii) the sharing and use of the personal information is reasonably related to the original purpose for which it was collected and there is no reason to think that the person to whom the information relates would object to the sharing and use; or (iii) the sharing and use of the personal information is in connection with a criminal investigation or criminal proceedings or proceedings for the imposition of a penalty; or (iv) the sharing and use of the personal information is in connection with the wellbeing, welfare or protection of a child or children or other vulnerable person; or (v) the sharing and use of the personal information is reasonably necessary to prevent or lessen a threat to the life, health or safety of a person; or (vi) the purpose of the sharing and use of the personal information cannot be achieved through the use of de-identified data and it would be impracticable in the circumstances to seek the consent of the person to whom the information relates; or (vii) the sharing and use of the personal information is for a prescribed purpose or occurs in prescribed circumstances; (b) Data to be shared and used for a purpose must be assessed as appropriate for that purpose having regard to— (i) whether the data is of the necessary quality for the proposed use (such as being accurate, relevant and timely); and (ii) whether the data relates to people; and (iii) if data containing personal information is to be de‑identified, how that de‑identification will be undertaken and whether the data may be re‑identified, and if so, how it may be re‑identified. (5) Safe settings The environments in which the data will be stored, accessed and used must be assessed as appropriate having regard to— (a) the physical location where the data will be stored and used; and (b) the location of any linked data sets; and (c) whether the proposed data recipient has appropriate security and technical safeguards in place to ensure data remains secure and not subject to unauthorised access and use (such as secure login, user authentication, encryption and supervision or surveillance); and (d) the likelihood of deliberate or accidental disclosure or use occurring; and (e) how the data will be dealt with after it has been used for the purpose for which it is shared. (6) Safe outputs The publication or other disclosure of the results of data analytics work conducted on data shared under this Act must be assessed as appropriate having regard to— (a) the nature of the proposed publication or disclosure; and (b) who is the likely audience of the publication or disclosure; and (c) the likelihood and extent to which the publication or disclosure may contribute to the identification of a person to whom the data relates; and (d) whether the results of the data analytics work or other data for publication or disclosure will be audited and whether that process involves the data provider. (7) Prescribed trusted access principles The regulations may prescribe any additional requirements or principles relating to the safe and secure sharing and use of data for the purposes of the definition of the trusted access principles (and any such additional requirements or principles may relate to the same subject matters as the trusted access principles already set out in this section). 8—Public sector data sharing authorisation (1) Subject to this Act, a public sector agency is authorised to provide public sector data, other than exempt public sector data, that it controls to other public sector agencies for any of the following purposes: (a) to enable data analytics work to be carried out on the data to identify issues and solutions regarding Government policy making, program management and service planning and delivery by public sector agencies; (b) to enable public sector agencies to facilitate, develop, improve and undertake Government policy making, program management and service planning and delivery by the agencies; (c) such other purposes as may be prescribed by the regulations. (2) Before public sector data is provided to a public sector agency under subsection (1)— (a) the public sector agency must make a written record of the purpose or purposes for which the public sector data is proposed to be provided and used as agreed with the public sector agency that is to provide the data; and (b) the public sector agency that is to provide the data must apply the trusted access principles and be satisfied that the provision and use of the data is appropriate in all the circumstances. (3) A public sector agency must, on being satisfied that the sharing and use of data is appropriate under subsection (2), provide the data to the data recipient as soon as is reasonably practicable. (4) If public sector data is provided under this section, the data provider and the data recipient must comply with all relevant data sharing safeguards. 9—Data sharing on direction by Minister (1) The Minister may direct a public sector agency to provide public sector data that it controls, including exempt public sector data, to another public sector agency for any of the purposes referred to in section 8(1). (2) A direction of the Minister under subsection (1)— (a) authorises the public sector agency specified in the direction to provide public sector data in accordance with the direction; and (b) is binding according to its terms on each public sector agency referred to in the direction; and (c) must, in relation to the provision of public sector data, specify— (i) the nature and extent of the public sector data to be provided; and (ii) the purposes for which the public sector data is to be provided. (3) The Minister must, before making a direction under this section in relation to public sector data, have regard to the trusted access principles and be satisfied that the sharing and use of the data is appropriate in all the circumstances. (4) A public sector agency must, on being directed to provide data under subsection (1), provide the data to the data recipient as soon as is reasonably practicable. (5) If public sector data is provided under this section, the data provider and the data recipient must comply with all relevant data sharing safeguards. (6) The Minister must— (a) as soon as practicable after making a direction under subsection (1), cause notice of the direction to be published in the Gazette; and (b) within 6 sitting days of making a direction under subsection (1), cause notice of the direction to be laid before each House of Parliament. (7) A notice under subsection (6) must specify the data provider, the data recipient and the general nature of the public sector data to which the direction relates. Part 5—Data sharing safeguards 10—Confidentiality and commercial-in-confidence (1) A data recipient that receives public sector data containing confidential or commercially sensitive information under Part 3 or Part 4 must ensure that the confidential or commercially sensitive information is dealt with in a way that complies with any contractual or equitable obligations of the data provider concerning how it is to be dealt with. (2) In this section— confidential or commercially sensitive information means— (a) information a person or body controls that the person or body is required to keep confidential because of a contractual or equitable obligation; or (b) any other information the disclosure of which would prejudice any person's legitimate business, commercial, professional or financial interests. 11—Data custody and control safeguards (1) A data provider and data recipient must ensure that public sector data provided under Part 3 or Part 4 is maintained and managed in compliance with any legal requirements concerning its custody and control (including, for example, requirements under the State Records Act 1997) that are applicable to them. (2) If a data recipient arranges for a person or body (other than another public sector agency) to conduct data analytics work using public sector data with which it has been provided, the data recipient must ensure that appropriate contractual arrangements are in place before the public sector data is provided to ensure that the person or body deals with the data in compliance with any requirements of this Act, the State Records Act 1997 and any data security policies that are applicable to the data recipient. 12—Other data sharing safeguards A data provider and data recipient must comply with such other requirements as may be prescribed by the regulations in connection with the provision and receipt of public sector data under Part 3 or Part 4. Part 6—Minister may enter data sharing agreements 13—Minister may enter data sharing agreements (1) The Minister may enter into an agreement relating to the sharing of data with a relevant entity. (2) An agreement between the Minister and a relevant entity under this section may be subject to such conditions as are agreed between the Minister and the relevant entity, including conditions providing for— (a) the provision of public sector data by a public sector agency to the relevant entity; and (b) the provision of data by the relevant entity to the Minister or a public sector agency; and (c) the application of 1 or more of the trusted access principles to the sharing of data under the agreement. (3) If a relevant entity enters into an agreement under this section, the relevant entity must comply with the conditions of the agreement. (4) If the Minister enters into an agreement that involves the provision of public sector data by a public sector agency to a relevant entity, the Minister may direct the public sector agency to provide public sector data that it controls to the relevant entity in accordance with the agreement. (5) The provision of public sector data by a public sector agency to a relevant entity under an agreement under this section is lawful for the purposes of any other Act or law that would otherwise operate to prohibit that provision (whether or not the prohibition is subject to specified qualifications or exceptions) if the public sector data is provided in accordance with the agreement. (6) Section 16(1) does not apply to a relevant entity that enters into an agreement under this Part. (7) The Freedom of Information Act 1991 does not apply to or in relation to a document (within the meaning of that Act) that is provided by a relevant entity, other than a person or body (or a person or body of a class) prescribed for the purposes of paragraph (c) of the definition of relevant entity, under an agreement under this section. (8) In this section— relevant entity means— (a) an agency or instrumentality of the Commonwealth, another State or a Territory of the Commonwealth; or (b) a council (within the meaning of the Local Government Act 1999); or (c) a person or body, or a person or body of a class, prescribed by the regulations. Part 7—Miscellaneous 14—Restriction on further use and disclosure of public sector data (1) A data recipient must not use or disclose public sector data received pursuant to an authorisation under section 8 or section 9 other than for a purpose for which it was provided unless— (a) the Minister, after consultation with the data provider, approves the use or disclosure; or (b) the use or disclosure is required or authorised by or under law or an order of a court or tribunal; or (c) the use or disclosure is reasonably required to lessen or prevent a serious threat to the life, health or safety of a person, or a serious threat to public health or safety; or (d) the use or disclosure is in accordance with the regulations. (2) The Minister must— (a) as soon as practicable after giving an approval for the purposes of subsection (1)(a), cause notice of the approval to be published in the Gazette; and (b) within 6 sitting days of giving an approval for the purposes of subsection (1)(a), cause notice of the approval to be laid before each House of Parliament. (3) A notice under subsection (2) must specify— (a) the data provider and the data recipient; and (b) the general nature of the public sector data to which the approval relates; and (c) in the case of an approval for the use of public sector data—the purpose for which the data may be used under the approval; and (d) in the case of an approval for the disclosure of public sector data—to whom, and for what purpose, the data will be disclosed under the approval. 15—Delegation by Minister (1) The Minister may delegate any of the Minister's functions or powers under this Act. (2) A delegation— (a) may be made— (i) to a particular person or body; or (ii) to the person for the time being occupying a particular office or position; and (b) may be made subject to conditions or limitations specified in the instrument of delegation; and (c) if the instrument of delegation so provides, may be further delegated by the delegate; and (d) is revocable at will and does not derogate from the power of the Minister to act in any manner. (3) The Minister must— (a) as soon as practicable after delegating a function or power under subsection (1), cause notice of the delegation to be published in the Gazette; and (b) within 6 sitting days of delegating a function or power under subsection (1), cause notice of the delegation to be laid before each House of Parliament. (4) A notice under subsection (3) must specify— (a) the delegate and the delegated functions or powers; and (b) any conditions or limitations imposed on the delegation; and (c) whether the instrument of delegation provides for further delegation by the delegate. 16—Personal liability (1) A person acting honestly and in the exercise or purported exercise of functions in administration of this Act incurs no civil or criminal liability in consequence of doing so. (2) A civil action that would, but for subsection (1), lie against a person lies instead against the Crown, except in the case of a member of a body corporate or the governing body of a body corporate or a person employed or appointed by, or a delegate of, a body corporate, in which case it lies instead against the body corporate. 17—Annual report (1) The Minister must, as soon as practicable after each 30 June, cause a report to be prepared about the operation of this Act during the year ended on that 30 June. (2) Without limiting subsection (1), a report relating to a year must include the following matters: (a) in relation to the provision of public sector data pursuant to a direction of ODA under section 6(4), a list of such directions including, in respect of each direction— (i) the identity of the data provider and data recipient; and (ii) the nature of the data; and (iii) whether the public sector data contained personal information and whether the data was, at the time of the direction, exempt public sector data; (b) a summary of the results of data analytics work undertaken by ODA and made available to public sector agencies, the private sector and the general public; (c) in relation to the provision of public sector data containing personal information under section 8(1), a list of all instances of such provision including the identification of the data provider and data recipient, the general nature of the data and the purpose for which the data was shared; (d) a list of all directions made by the Minister under section 9(1), including, in respect of each direction— (i) the identification of the data provider and data recipient and the general nature of the public sector data; and (ii) the purpose for which the public sector data was to be provided; and (iii) whether the direction related to public sector data containing personal information and whether the data was, at the time of the direction, exempt public sector data; (e) a list of all agreements entered into pursuant to section 13(1) including, in respect of each agreement— (i) the identification of the parties to the agreement and the general nature of the data being shared; and (ii) whether the agreement related to the sharing of public sector data containing personal information and whether the public sector data was, at the time of sharing, exempt public sector data. (3) The Minister must, within 6 sitting days after receipt of a report under this section, cause copies of the report to be laid before each House of the Parliament. 18—Regulations (1) The Governor may make such regulations as are contemplated by, or necessary or expedient for the purposes of, this Act. (2) Regulations under this Act may— (a) be of general application or limited application; and (b) make different provision according to the persons, things or circumstances to which they are expressed to apply; and (c) provide that a matter or thing in respect of which regulations may be made is to be determined according to the discretion of the Minister or a prescribed person or body; and (d) refer to or incorporate, wholly or partially and with or without modification, a code, standard or other document prepared or published by a prescribed body, either as in force at the time the regulations are made or as in force from time to time. (3) If a code, standard or other document is referred to or incorporated in the regulations— (a) a copy of the code, standard or other document must be kept available for public inspection, without charge and during ordinary office hours, at an office or offices specified in the regulations; and (b) evidence of the contents of the code, standard or other document may be given in any legal proceedings by production of a document apparently certified by the Minister to be a true copy of the code, standard or other document. 19—Review of Act (1) The Minister must, as soon as practicable after the third anniversary of the commencement of this Act, appoint a retired judicial officer to conduct a review of the operation of this Act. (2) The Minister and any other person performing functions and powers under this Act must ensure that a person appointed to conduct a review is provided with such information as they may require for the purpose of conducting the review. (3) A report on a review under this section must be presented to the Minister within 6 months of the appointment under subsection (1). (4) The Minister must, within 6 sitting days after receipt of a report under this section, cause copies of the report to be laid before each House of Parliament. (5) In this section— judicial officer means a person appointed as a judge of the Supreme Court or the District Court or a person appointed as judge of another State or Territory or of the Commonwealth. Legislative history Notes • For further information relating to the Act and subordinate legislation made under the Act see the Index of South Australian Statutes or www.legislation.sa.gov.au. Principal Act Year|No|Title|Assent|Commencement| 2016|61|Public Sector (Data Sharing) Act 2016 |8.12.2016|30.5.2017 (Gazette 30.5.2017 p1982)|