An Act with respect to the sharing of government sector data with a government data analytics centre and between other government sector agencies and to the privacy and other safeguards that apply to the sharing of that data.
Part 1 Preliminary
1 Name of Act
This Act is the Data Sharing (Government Sector) Act 2015.
This Act commences on the date of assent to this Act.
3 Objects of Act
The objects of this Act are:(a) to promote, in a manner that recognises the protection of privacy as an integral component, the management and use of government sector data as a public resource that supports good Government policy making, program management and service planning and delivery, and(b) to remove barriers that impede the sharing of government sector data with the DAC or between other government sector agencies, and(c) to facilitate the expeditious sharing of government sector data with the DAC or between other government sector agencies, and(d) to provide protections in connection with data sharing under this Act by:(i) specifying the purposes for, and the circumstances in, which data sharing is permitted or required, and(ii) ensuring that data sharing involving health information or personal information continues to be in compliance with the requirements of the privacy legislation concerning the collection, use, disclosure, protection, keeping, retention or disposal of such information, and(iii) requiring compliance with data sharing safeguards in connection with data sharing.
(1) In this Act:control in relation to data—see subsection (2).DAC means that part of the Department known as the Data Analytics Centre or such other government sector agency (or part of a government sector agency) as may be prescribed by the regulations.data means any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analysed or processed (whether by an individual or by a computer or other automated means).data analytics work means the examination and analysis of data for the purpose of drawing conclusions about that data (including, for example, conclusions about the efficacy of Government policies, program management or service planning and delivery by government sector agencies).data provider means the government sector agency that controls government sector data that is provided under this Act to a data recipient.data recipient means the government sector agency to which government sector data is provided under this Act.data sharing safeguards—see Part 3.Department means the Department of Finance, Services and Innovation.function includes a power, authority or duty, and exercise a function includes perform a duty.government sector agency means each of the following:(a) the DAC,(b) a government sector agency within the meaning of the Government Sector Employment Act 2013,(c) a statutory body representing the Crown,(d) a council, county council or joint organisation within the meaning of the Local Government Act 1993,(e) a State owned corporation,(f) a body (whether incorporated or unincorporated) established or continued for a public purpose by or under the provisions of an Act or statutory instrument,(g) a wholly-owned subsidiary of the Crown in right of the State or an agency, council, corporation or other body referred to in paragraph (a), (b), (c), (d), (e) or (f),(h) a person or body exercising public official functions declared by the regulations to be a government sector agency for the purposes of this Act.government sector data means any data that a government sector agency controls, but does not include data of a kind excluded by the regulations.head of a government sector agency means:(a) in the case of a government sector agency within the meaning of the Government Sector Employment Act 2013—the head of the agency within the meaning of that Act, and(b) in the case of any other government sector agency:(i) the chief executive officer or other principal officer of the agency, or(ii) any other person who is declared by the regulations to be the head of the agency for the purposes of this definition.health information has the same meaning as in the Health Records and Information Privacy Act 2002.personal information has the same meaning as in the Privacy and Personal Information Protection Act 1998.Note—Section 4A of the Privacy and Personal Information Protection Act 1998 excludes health information from the definition of personal information in section 4 of that Act.privacy legislation means:(a) the Privacy and Personal Information Protection Act 1998 or the Health Records and Information Privacy Act 2002, and(b) any regulation or code of practice made, and any public interest directions or guidelines issued, under either of those Acts., in relation to government sector data, means to provide (or be provided with) the data.(2) For the purposes of this Act, a person or body is taken to have control of data if:(a) the person or body has possession or custody of the data, or(b) the person or body has the data in the possession or custody of some other person or body.A person or body is, for example, taken to have control of data held by the person or body in storage with a commercial storage provider (including a storage provider who provides cloud storage facilities).Note—The Interpretation Act 1987 contains definitions and other provisions that affect the interpretation and application of this Act.(3) Notes included in this Act do not form part of this Act.s 4: Am 2017 No 65, Sch 2.6.
5 Relationship of Act with other laws
(1) Subject to subsection (2), a disclosure of government sector data by a government sector agency to the DAC or to another government sector agency is lawful for the purposes of any other Act or law that would otherwise operate to prohibit that disclosure (whether or not the prohibition is subject to specified qualifications or exceptions) if:(a) this Act provides that the agency is authorised to share the data with the DAC or other government sector agency, and(b) the agency provides the data to the data recipient only for the purpose to which the authorisation to share relates.(2) Nothing in this Act authorises, permits or requires the DAC or another government sector agency:(a) to collect, use, disclose, protect, keep, retain or dispose of any government sector data that is health information or personal information otherwise than in compliance with the privacy legislation, or(b) to disclose any government sector data that is:(i) excluded information of an agency specified in Schedule 2 to the Government Information (Public Access) Act 2009 (being any information that relates to any function specified in that Schedule in relation to the agency), or(ii) information of a kind described in Schedule 1 to that Act, or(c) to deal with any government sector data to which the State Records Act 1998 applies after it is shared under this Act otherwise than in compliance with the State Records Act 1998.(3) This Act is not intended to prevent or discourage the sharing of government sector data by government sector agencies as permitted or required by or under any Act or other law (apart from this Act).
Part 2 Facilitating government sector data sharing
6 Voluntary data sharing with DAC or between other government sector agencies
(1) A government sector agency (other than the DAC) is, subject to section 5 (2), authorised to share government sector data that it controls with the DAC or with another government sector agency for any of the following purposes:(a) to enable data analytics work to be carried out on the data to identify issues and solutions regarding Government policy making, program management and service planning and delivery by the government sector agencies,(b) to enable related government sector agencies (such as branches, offices and other agencies within or otherwise related to a Public Service agency) to develop better Government policy making, program management and service planning and delivery by the agencies,(c) such other purposes as may be prescribed by the regulations.(2) If government sector data is shared under this section, the data provider and the data recipient must comply with all data sharing safeguards that are applicable to them in connection with the sharing.
7 Minister may give directions for data sharing with DAC
(1) The Minister may direct a government sector agency in writing to provide specified government sector data that it controls to the DAC within 14 days or such longer period specified in the direction, but only if the Premier has advised the Minister that the data concerned is required to be shared for the purpose of advancing a Government policy.(2) A copy of a direction given under this section must be provided to the head of the government sector agency to which the direction is given.(3) If a direction is given under this section:(a) the specified data provider is, subject to section 5 (2), authorised and required to provide the specified government sector data in compliance with the direction, and(b) the specified data provider and the DAC must comply with all data sharing safeguards that are applicable to them in connection with the sharing of the data.(4) The Premier may certify, in writing, that the Premier has advised the Minister that a specified provision of government sector data by a government sector agency is required for the purpose of advancing a Government policy. The certificate is conclusive evidence of the matter stated in the certificate.(5) The head of a government sector agency to which a direction is given under this section must ensure that the direction is complied with in accordance with subsection (3).(6) A direction cannot be given under this section to a government sector agency that is a university.
8 Minister may obtain information for DAC concerning government sector data sets
(1) The Minister may direct a government sector agency in writing to provide the DAC with such information concerning the government sector data that it controls as the Minister may require so as to enable the DAC to determine the number and kinds of sets of data that the agency controls and the kind of information collected in those data sets.(2) A copy of a direction given under this section must be provided to the head of the government sector agency to which the direction is given.(3) The government sector agency is (subject to section 5 (2)) authorised and required to comply with a direction given to it under this section.(4) This section does not require a government sector agency to provide government sector data to the DAC.(5) Nothing in this section affects or limits the functions of the Privacy Commissioner under the privacy legislation.
9 Sharing of results of data analytics work carried out by the DAC
The DAC is, subject to section 5 (2), authorised to share with government sector agencies the results of data analytics work that it has carried out on data provided to it by a government sector agency under this Act, but is not authorised to share that data with any other agency, person or body.
10 Directions to State owned corporations
(1) A direction may be given under this Part to a State owned corporation only if:(a) the direction is given with the approval of the Premier, and(b) where the portfolio Minister of the State owned corporation is neither the Premier nor the Minister administering this Act—the Minister administering this Act has consulted the portfolio Minister about the direction before it is given.(2) If the direction to provide the government sector data is given in circumstances where the board of the State owned corporation considers that it is not in the commercial interests of the State owned corporation to provide the data, a State owned corporation is entitled to be reimbursed for the activity of providing the data in accordance with the provisions of section 20N (3)–(5) of the State Owned Corporations Act 1989.(3) In this section:portfolio Minister, in relation to a State owned corporation, has the same meaning as in the State Owned Corporations Act 1989.
Part 3 Data sharing safeguards
11 The data sharing safeguards
This Part sets out the data sharing safeguards for the purposes of this Act that are applicable to the sharing of government sector data under this Act with the DAC or between other government sector agencies.
12 Privacy safeguards
(1) Without limiting section 5 (2), a data provider and data recipient must ensure that health information or personal information contained in government sector data that is shared is not collected, used, disclosed, protected, kept, retained or disposed of otherwise than in compliance with the privacy legislation.(2) If a data recipient that is provided with government sector data that contains health information or personal information becomes aware that the privacy legislation has been (or is likely to have been) contravened in relation to that information while in the recipient’s control, the data recipient must, as soon as is practicable after becoming aware of it, inform the data provider and the Privacy Commissioner of the contravention or likely contravention.
13 Confidentiality and commercial-in-confidence
(1) A data recipient that is provided with government sector data that contains confidential or commercially sensitive information must ensure that the information is dealt with in a way that complies with any contractual or equitable obligations of the data provider concerning how it is to be dealt with.(2) In this section:confidential or commercially sensitive information means:(a) information a person or body controls that the person or body is required to keep confidential because of a contractual or equitable obligation, or(b) without limiting paragraph (a), information about commercial-in-confidence provisions of a contract (within the meaning of the Government Information (Public Access) Act 2009), or(c) any other information the disclosure of which would prejudice any person’s legitimate business, commercial, professional or financial interests.
14 Data custody and control safeguards
(1) A data provider and data recipient must ensure that the government sector data that is shared is maintained and managed in compliance with any legal requirements concerning its custody and control (including, for example, requirements under the Government Information (Public Access) Act 2009 or State Records Act 1998) that are applicable to them.(2) If a data recipient that arranges for a person or body (other than another government sector agency) to conduct data analytics work using government sector data with which it has been provided, the head of the data recipient is to ensure that appropriate contractual arrangements are in place before the data is provided to ensure that the person or body deals with the data in compliance with any requirements of the privacy legislation, the State Records Act 1998 and any Government data security policies that are applicable to the data recipient.Note—See, also, the offences in Part 6 of the Crimes Act 1900 in connection with unauthorised access to, or the modification or impairment of, data held in computers.
15 Other data sharing safeguards
(1) A data provider and data recipient must comply with such other requirements as may be prescribed by the regulations for the provider or recipient in connection with the sharing of government sector data.(2) Without limiting subsection (1), a requirement prescribed by the regulations for the purposes of that subsection may require a data provider or data recipient to comply with any of the following in connection with the sharing of government sector data:(a) specified instruments, or specified provisions of instruments, forming part of the privacy legislation (for example, codes of practice, guidelines or directions),(b) any other codes of practice, guidelines, directions or publications specified (or issued, made or published as provided) by the regulations.
Part 4 Miscellaneous
16 Act binds the Crown
This Act binds the State and, in so far as the legislative power of the Parliament of New South Wales permits, the other States, the Territories and the Commonwealth.
17 Reports by Secretary of Department about compliance
(1) The Secretary of the Department may report to the Minister responsible for a government sector agency or the Public Service Commissioner any failure by the agency to comply with the requirements of this Act or the regulations or any other matter of concern to the Secretary with regard to the agency’s obligations under this Act or the regulations.(2) The Secretary of the Department can include in the annual report of the Department under the Annual Reports (Departments) Act 1985 a report of any incidences of failure by government sector agencies to comply with the requirements of this Act or the regulations. A report of any such incident is to include any response provided to the Secretary by the agency concerned about the matter.
The Minister may delegate to the Secretary of the Department any function of the Minister under this Act, except this power of delegation.
(1) The Governor may make regulations, not inconsistent with this Act, for or with respect to any matter that by this Act is required or permitted to be prescribed or that is necessary or convenient to be prescribed for carrying out or giving effect to this Act.(2) The regulations may apply, adopt or incorporate (with or without changes) any publication (including any guidelines or standards) as in force at a particular time or from time to time.
20 Review of Act
(1) The Minister is to review this Act to determine whether the policy objectives of the Act remain valid and whether the terms of the Act remain appropriate for securing those objectives.(2) The review is to be undertaken as soon as possible after the period of 5 years from the date of assent to this Act.(3) A report on the outcome of the review is to be tabled in each House of Parliament within 12 months after the end of the period of 5 years.
Schedule 1 Savings, transitional and other provisions
Part 1 General
(1) The regulations may contain provisions of a savings or transitional nature consequent on the enactment of this Act or any Act that amends this Act.(2) Any such provision may, if the regulations so provide, take effect from the date of assent to the Act concerned or a later date.(3) To the extent to which any such provision takes effect from a date that is earlier than the date of its publication on the NSW legislation website, the provision does not operate so as:(a) to affect, in a manner prejudicial to any person (other than the State or an authority of the State), the rights of that person existing before the date of its publication, or(b) to impose liabilities on any person (other than the State or an authority of the State) in respect of anything done or omitted to be done before the date of its publication.