Foreign individuals – DATA Scheme requirements
Guidance note 2023:8
This guidance provides information about foreign individuals who access DATA Scheme data under a data sharing project, if that foreign individual is a designated individual for the accredited entity named in the data sharing agreement.
Under the DATA Scheme, data custodians may share data with accredited entities only. Currently, only Commonwealth, state and territory governments and bodies, and Australian universities may be accredited under the DATA Scheme.
Foreign entities cannot be accredited under the DATA Scheme. However, a foreign individual (someone who is neither an Australian citizen nor a permanent resident) may access DATA Scheme data under a data sharing project (‘project’) if that foreign individual is a designated individual for the accredited entity named in the data sharing agreement (see section 123 of the Data Availability and Transparency Act 2022 (the Act)).
Designated individuals – requirements for a data sharing agreement
The National Security Code requires each accredited entity party to a data sharing agreement to restrict the entity’s collection and use of data of the project to designated individuals for the entity who are Australian citizens or permanent residents. This requirement must be set out in the data sharing agreement for the project (see paragraph 5(1)(a) of the National Security Code).
For data sharing projects where one or more individuals for the accredited entity are foreign individuals, the accredited entity must specify certain information about the foreign individual in the data sharing agreement. That information is:
- full name, any previous names, and preferred name
- nationality or (if more than one) each nationality
- the applicable designation for the individual under section 123 of the Act, and
- a description of the individual’s proposed role in the project (see paragraph 5(1)(b) of the National Security Code).
If one or more individuals for the accredited entity are foreign individuals, the data sharing agreement must also require the accredited entity to ensure that the foreign individual’s involvement in the entity’s collection or use of data of the project is restricted to the role described in the data sharing agreement.
Projects involving foreign individuals – requirements to provide ASIO with certain information
If a data sharing agreement for a project permits a foreign individual access to shared data (as a designated individual of an accredited entity (‘responsible entity’)), the National Security Code imposes further requirements.
The People Principle
The People principle requires that parties to a data sharing agreement must be satisfied the project’s data is made available only to appropriate persons (see section 16(3) of the Act).
The National Security Code provides that the responsible entity cannot be satisfied that a project under a data sharing agreement satisfies the people principle unless:
- the responsible entity has provided to the Australian Security Intelligence Organisation (‘ASIO’) the relevant material including an electronic copy of the signed data sharing agreement and the details about the foreign individual that are specified in Table 1 below; and
- at least 14 days have passed since the material was provided to ASIO.
Table 1: Details of the foreign individual to be notified to ASIO
| Item | Details |
| --- | --- |
| 1 | Full name, any previous names, and preferred name of the individual. |
| 2 | Date and place of birth of the individual. |
| 3 | Nationality or (if more than one) each nationality of the individual. |
| 4 | Current work and personal email addresses of the individual. |
| 5 | Current work telephone number and personal mobile telephone number of the individual. |
| 6 | Any current employment (including the individual’s place of employment and the geographical location of any employers) of the individual. |
| 7 | Any current contractual arrangements for the provision of services by the individual (including the geographical location of any entity to which services are provided). |
| 8 | Any current or previous arrangement under which the individual is authorised to act as the agent of a foreign government or an authority of a foreign government, or of any other foreign entity. |
| 9 | The applicable designation for the individual under section 123 of the Act. |
| 10 | A description of the individual’s proposed role in the data sharing project. |
Requirement 2
An entity involved in the project other than the responsible entity (e.g., a data custodian) cannot be satisfied that a project under a data sharing agreement satisfies the people principle unless:
- it has been informed, in writing, by the responsible entity that the responsible entity has provided the relevant material to ASIO; and
- at least 14 days have passed since it was so informed.
Additional requirements for Australian universities
Australian universities that are an accredited entity have additional obligations under the National Security Code in circumstances where they permit foreign individuals (as the university’s designated individual) to access data under a project. The additional requirements are to ensure:
- due diligence has been undertaken in relation to foreign individuals;
- the foreign individual has undertaken training in national security issues. The training for a foreign individual may be delivered to the foreign individual by the Australian university or another provider; and
- it has (or will have) regard to Australian Government guidance and reports regarding foreign interference in the higher education and research sectors.
The Australian Government has developed Guidelines collaboratively with the university sector to build awareness and resilience to foreign interference. The Guidelines support universities to develop new or examine existing tools, frameworks and resources to use for assessing and mitigating risks. The Guidelines should be applied by each Australian university proportionate to its organisational risk from foreign interference. The Guidelines are available on the Department of Education’s web site (see Guidelines to Counter Foreign Interference in the Australian University Sector - Department of Education, Australian Government).
The Department of Education’s web site also includes a range of other tools and resources for Australian universities that will assist them to comply with a requirement in a data sharing agreement (see Guidelines to counter foreign interference in the Australian university sector - Department of Education, Australian Government).
Last updated: 25 October 2023