The Public Sector (Data Sharing) Act 2016 provides a safe, legal framework to share public sector data between government departments and other trusted entities.
This short video explains the benefits of data sharing and the Act.
Before sharing data, all providers and recipients must apply the trusted access principles (also known as the Five Safes) to any proposed data initiative via a data sharing agreement.
Trusted Access Principles
The Trusted Access Principles are:
Public sector agencies must only share their data if they are satisfied that the data recipient meets all the criteria of the trusted access principles.
The purpose for which data is to be shared and used must be appropriate.
- Is the data necessary for the purpose?
- What is the proposed use of the data?
- Will the purpose of the data sharing or use provide public value?
- Does positive public interest outweigh negative public interest?
- Is there a risk of loss, harm or other detriment to the community if the sharing and/or use of the data does not occur?
The public sector agency that receives the data must be an appropriate recipient.
- Are they appropriately equipped and possess the relevant skills and experience to effectively use the data for the proposed purpose?
- Will they restrict data access to only specified persons with the appropriate security clearance(s)?
- Can or will they work with the provider agency to support the project/initiative?
- Are any additional persons/bodies invested in the project outputs and what are their motivations for being invested?
The Office for Data Analytics (ODA) demonstrates best practice through assessing, vetting and screening staff to demonstrate best practice. Agencies should consider vetting and screening their own staff through the Australian Government Security Vetting Agency, Department of Human Services child-related employment and/or South Australia Police criminal association checks.
Data to be shared and used for a purpose must be appropriate for that purpose.
- Is the data of the necessary quality for the proposed use (e.g. sufficiently accurate, relevant and/or timely)?
- Does the data relate to people?
- If required, how will de-identification and re-identification occur?
In most circumstances, data will need to be de-identified before being shared. See frequently asked questions for exceptions.
The environment in which the data will be stored, accessed and used by the agency receiving the data must be appropriate.
- Is the physical location where the data will be stored and used appropriate?
- Is the location of any linked data sets appropriate?
- Does the agency receiving the data have appropriate security and technical safeguards to ensure data remains secure and not subject to unauthorised access and use?
- What is the likelihood of deliberate or accidental disclosure or use occurring?
- How will data be handled after it has been used/shared for the specified purpose?
The classification of information being shared should also be considered - aggregated datasets will most likely increase the classification level. Please refer to the Federal Government's protective marking information for further information.
ODA is also obtaining IRAP (Information Security Registered Assessors Program) certification to handle data up to and including PROTECTED, and limited amounts of CONFIDENTIAL information.
The publication or other disclosure of the results of data analytical work conducted on data shared under the Act must be appropriate.
- What is the nature of the proposed publication or disclosure?
- Who is the likely audience of the publication or disclosure?
- What is the likelihood or extent to which publishing or disclosing may contribute to identifying a person in the data?
- Will the results of the data analytics work or other data for publication or disclosure be audited and/or will that process involve the provider agency?
We can advise on methods such as perturbation and aggregation to minimise the risk of re-identification in published results or datasets, and avoid micro-datasets.
Additional safe for prescribed health information
In some cases, data sharing may be prohibited by one of the following health provisions:
- section 18 of the Assisted Reproductive Treatment Act 1988
- sections 66 and 73 of the Health Care Act 2008
- regulation 27 of the Health Care Regulations 2008
- section 216 of the Health Practitioner Regulation National Law
- sections 99 and 100 of the South Australian Public Health Act 2011
- section 39 of the Transplantation and Anatomy Act 1983
- under the National Health Funding Pool Administration (South Australia) Act 2012.
If data sharing or disclosing relates to one of these provisions, the Minister for Health must sign the data sharing agreement.
Additional safe for SA NT DataLink
If data has been disclosed to the provider agency by a person or body that is not a public sector agency for the purposes of SA NT DataLink, the provider agency cannot share the data without the approval of the person or body that originally disclosed the data to the agency.