The Data Availability and Transparency Act 2022 (the Act) contains a condition to ensure all participants in data sharing are covered by privacy legislation or privacy protections contained in data sharing agreements. This condition applies to all parties to a data sharing agreement when dealing with personal information under the DATA Scheme (see section 16E). The privacy coverage condition ensures that personal information is protected and that DATA Scheme entities are accountable for the safe handling of personal information. It is one of several data protections under the Act.
Satisfying the privacy coverage condition
Under the DATA Scheme, an entity must be authorised in order to share, collect and use data, specifically:
- a data custodian to share public sector data
- an accredited user to collect and use data
- an Accredited Data Service Provider (ADSP) to act as an intermediary.
If the data shared includes personal information, the privacy coverage condition must be met to satisfy the authorisation for data custodians, accredited users and ADSPs (see sections 13, 13A and 13B of the Act). The privacy coverage condition can be met in any one of the four following ways:
- The Scheme entity is an APP entity
Where the Privacy Act 1988 (Privacy Act) applies to an entity, it is an Australian Privacy Principles (APP) entity and is required to comply with the APPs. Being an APP entity meets the privacy coverage condition. A Scheme entity that is an APP entity will not need to take any additional steps to meet the privacy coverage condition.
The APPs are the cornerstone of the privacy protection framework in the Privacy Act. They govern standards, rights, and obligations around personal information, including the collection, use, disclosure and governance of personal information. The APP guidelines outline the mandatory requirements of the APPs and apply to any organisation or agency the Privacy Act covers. See also the Guide to Data Analytics, which provides guidance about the APPs and how they apply to data analytics activities, including, in particular, data integration.
- Privacy Act is made to apply to the accredited user or an ADSP in a project
Where the entity is not an APP entity, the privacy coverage condition is met if the Privacy Act imposes privacy obligations on that entity when collecting and using information, for example, when deciding to ‘opt in’ to the Privacy Act requirements. Under this option, the data custodian could specify this requirement in the data sharing agreement.
- APP-equivalence term in data sharing agreement
Where the Privacy Act does not apply to an entity, but the data sharing agreement includes an APP-equivalence term that applies to that entity, it satisfies the privacy coverage condition.
An APP-equivalence term is a term of a data sharing agreement that prohibits an entity from collecting or using personal information in any way which would breach the APPs.
Where an APP-equivalence term applies to an entity, a breach of the APPs is taken to be an ‘interference with the privacy of an individual’ under the Privacy Act and can lead to regulatory action and penalties under the Privacy Act (see section 16F).
- State or Territory law
Where the Privacy Act does not apply to an entity, and a State or Territory law applies to the entity’s collection and use of personal information, the privacy coverage condition is met when the following are included:
- protection of personal information comparable to the APPs
- monitoring of compliance with the law
- a way for an individual to seek recourse if the individual’s personal information is dealt with in a way inconsistent with the law (for example, a complaint to the Information Commissioner).
Several States and Territories have their own privacy legislation which closely aligns to the Commonwealth Privacy Act. If a State or Territory privacy law meets the above requirements and applies to Scheme entities party to a data sharing agreement, the privacy coverage condition is met.
Guidance note 2023:2
Last updated: 22 August 2023