Collection of consent under the DATA Scheme


Guidance note 2023:7

This guidance provides information about the collection of consent under the DATA Scheme.

 

Under the DATA Scheme, the sharing of personal information under a data sharing agreement must be done with consent from the relevant individual, unless certain limited circumstances apply. The Data Availability and Transparency Code 2022 (the DATA Code) sets out further details relating to these requirements. 

This guidance provides information on when obtaining consent to the sharing of personal information is required under the DATA Scheme, established by the Data Availability and Transparency Act 2022 (the Act). 

Personal information in the Act has the same meaning as in the Privacy Act 1988 (Cth) (Privacy Act). For more information on what is considered to be personal information, refer to guidance provided by the Office of the Australian Information Commissioner (OAIC).

Consent 

The DATA Scheme works alongside the Privacy Act to protect personal information. The Act provides for general privacy requirements applicable to all data sharing under the Scheme (section 16A), as well as privacy requirements for specific data sharing purposes (section 16B).  

The DATA Code covers privacy related matters relating to the requirements for obtaining consent from an individual. Consent is required in the following circumstances: 

Circumstance number | Circumstance description
Circumstance 1 | The data includes biometric data (section 16A(1))
Circumstance 2 | If the data sharing purpose of the project is the delivery of government services and the data contains personal information (section 16B(1)(a)(ii))
Circumstance 3 | If the data sharing purpose of the project is informing government policy and programs or research and development, and the data contains personal information (section 16B(3)(a)(i))
Circumstance 4 | A data sharing agreement permits an accredited user to provide another entity with access to the output of the project (section 20C(1)(b))
Circumstance 5 | Data shared for the purpose of delivery of government services is exiting the DATA Scheme and it contains personal information (section 20E(4)(c))
Circumstance 6 | A data sharing agreement appoints the accredited user of a project as the new data custodian, which involves the use of personal information (section 20F(3)(b))

More information about each circumstance is provided below.  

Circumstance 1 – Biometrics 

If data includes biometric data, express consent to the sharing must be obtained from the individual to whom the biometric data relates (section 16A(1)). Biometric data is defined as personal information about any measurable biological or behavioural characteristic about an individual that could be used to identify the individual or verify the individual’s identity (see section 9).  

Circumstance 2 – Delivery of government services 

If the data sharing purpose of the project in a data sharing agreement is the delivery of government services, the data must not include personal information about an individual unless the individual consents to the sharing of their personal information. Consent can be express or implied. 

There are limited circumstances where consent to sharing personal information is not required from the individual for the delivery of government services. These circumstances include the provision of information and providing services other than paying an entitlement or benefit (see sections 15(1A)(a) and (b) and 16B(1)). For more information about the delivery of government services see Guidance Note – Delivery of government services (forthcoming).

Circumstance 3 – Informing government policy and programs, or research and development 

If the data sharing purpose of a project in a data sharing agreement is informing government policy and programs, or research and development, the data must not include personal information about an individual unless: 

  • the individual consents to the sharing of their personal information, and 

  • only the minimum amount of personal information necessary for the project to proceed is shared (see section 16B(3)) 

or 

  • ALL of the circumstances set out below apply:

      • the project cannot proceed without the personal information

      • the public interest served by the project justifies the sharing of personal information about individuals without their consent

      • only the minimum amount of personal information necessary for the project to proceed is shared, and

      • a permitted circumstance for the project’s data sharing purposes exists (see sections 16B(4) and (5)). More information about permitted circumstances is provided below.

Permitted circumstances 

The table below sets out when a permitted circumstance exists that allows sharing of data that includes personal information without the consent of the individual to whom the information relates.

Permitted circumstance: It is unreasonable or impracticable to seek the individual’s consent.
  * It is not unreasonable or impracticable to seek an individual’s consent merely because the consent of a very large number of individuals needs to be sought.
  * See section 21 of the DATA Code for more information about when it may be unreasonable or impracticable to seek an individual’s consent.
Is consent required? Consent to sharing the data is not required from the individual. In this circumstance, there must be a data sharing agreement that includes:

  • a statement that the personal information is being shared without consent because it is unreasonable or impracticable to seek consent, and
  • an explanation of the data custodian’s reasons for so concluding.

Permitted circumstance: The data is to be shared during medical research and in accordance with guidelines issued by the National Health and Medical Research Council under subsection 95(1) of the Privacy Act.
Is consent required? Consent to sharing the data is not required from the individual.

Permitted circumstance: The sharing is a disclosure authorised under Part VIA of the Privacy Act (dealing with personal information in emergencies and disasters).
Is consent required? Consent to sharing the data is not required from the individual.

Permitted circumstance: The sharing is with an ADSP as an intermediary (for example, when performing the de-identification service).
Is consent required? Provided the Accredited Data Service Provider (ADSP) is preparing the data so that it does not involve personal information about the individual, consent to sharing the data is not required from the individual.

Permitted circumstance: The sharing is ADSP-controlled access (for example, when providing complex data integration and de-identification services).
Is consent required? Sharing is ADSP-controlled access if an ADSP is sharing the data on behalf of a data custodian with an accredited user, the data is shared by the ADSP using systems controlled by the ADSP, to designated individuals, and the ADSP has implemented controls to prevent or minimise the risk of the data being used to identify individuals. In this circumstance, consent to sharing the data is not required from the individual.

Circumstance 4 – Provision of access, or release, of personal information in specified circumstances

Section 20C allows for the provision of access, or release, of personal information in a data sharing agreement outside the protections of the Scheme in agreed circumstances. These agreed circumstances are:  

  • when access to, or release of, specified output that contains personal information would not contravene any other law of the Commonwealth or a law of a State or Territory (see section 20C(1)(a)).

  • when the individual consents to access to, or release of, specified output that contains personal information (see section 20C(1)(b)). Consent must be informed, voluntary, relate specifically to the access or release, must be current at the time of the access or release, and the individual must have capacity to give consent (see section 18 of the DATA Code for more information about consent requirements).  

  • when the data custodian is satisfied, before access to, or release of, specified output, that the accredited user is authorised to use the output in accordance with a registered data sharing agreement that meets all the requirements of section 13A.  

For more information regarding the above, see Guidance Note – ‘Providing access to, or releasing, specified output in agreed circumstances (section 20C)’ (forthcoming).

Circumstance 5 – Provision of access, or release, of personal information for the purpose of delivery of government services 

Section 20E(4) allows for the provision of access, or release, of personal information outside the protections of the Scheme, where the data sharing purpose of the project is delivery of government services. Section 20E(4)(c) provides that, before the data is shared, the individual must expressly consent to both the sharing of their personal information with an accredited user, and the accredited user’s use of that personal information without the protections of the Scheme. Consent must be informed, voluntary, relate specifically to the access or release, must be current at the time of the access or release, and the individual must have capacity to give consent (see section 19 of the DATA Code for more information about consent requirements).

For more information regarding the above, see Guidance Note – ‘Providing access to, or releasing, specified output for the purpose of delivery of government services (sections 20B and 20E(4))’ (forthcoming).

Circumstance 6 – Use of personal information by a new data custodian

In some data sharing agreements, the accredited user may be appointed as the new data custodian of output of the project (see section 20F). This is subject to a condition (amongst others) that any individual whose personal information is included in the output must have expressly consented to their personal information being used without the requirements of the Act applying to its use. Consent must be informed, voluntary, relate specifically to the access or release, must be current at the time of the access or release, and the individual must have capacity to give consent (see section 20 of the DATA Code for more information about consent requirements).

Whether the public interest justifies sharing personal information without consent 

The DATA Code sets out the principles to be applied by data custodians when determining circumstances, or categories of circumstances, where the public interest to be served by a project justifies the sharing of personal information without consent (see section 23 of the DATA Code).  

Obtaining valid consent

The DATA Code (Part 3—Dealings with personal information) sets out when data custodians, accredited users and ADSPs must obtain consent for the purpose of the Act.  It provides that consent must be: 

  • informed  

  • voluntary 

  • specifically related to the sharing of the information for the project  

  • current at the time of the sharing, and 

  • given by an individual who has capacity to consent; if the individual lacks capacity, a responsible person within the meaning of the Privacy Act may give consent (see section 18(8) of the DATA Code).

Withdrawal of consent 

An individual may withdraw their consent for their personal information to be shared. A withdrawal of consent only takes effect if the individual expressly withdraws their consent (whether orally or in writing) before the time the data is shared or released (see section 17(7) of the DATA Code). 

Once an individual has withdrawn their consent, their personal information must not be shared from that point onwards. A withdrawal of consent does not affect the sharing of personal information that occurred before the withdrawal.  

Prior consent 

Data custodians should note that individuals may have consented to the collection and use of their personal information at the time it was originally collected by the data custodian. Data custodians should consider whether prior consent exists, is current and covers the proposed data sharing project or the proposed data sharing purpose.  

 


Last updated: 22 August 2023