Guide to Registering Data Sharing Agreements

Main mobile navigation open

Guide to Registering Data Sharing Agreements

Guidance note 2023:11

This guidance note provides information on signing and lodging data sharing agreements under the DATA Scheme.

 

The purpose of this guidance is to support DATA Scheme participants to sign and lodge data sharing agreements for registration made pursuant to the Data Availability and Transparency Act 2022 (the DAT Act).

Sharing of data in reliance on the agreement must not commence until after confirmation that the agreement has been registered by the National Data Commissioner (see subsection 18(4) and paragraph 13(1)(c) of the DAT Act).

For further assistance lodging data sharing agreements, please contact the Office of the National Data Commissioner (ONDC) at: information@datacommissioner.gov.au.

Authorised Officer signs a data sharing agreement

A data sharing agreement made under the DAT Act must be signed by the parties’ authorised officers before it is lodged with the National Data Commissioner for registration (see subsection 18(2) of the DAT Act).

An authorised officer is a person specified under subsection 137(1) of the DAT Act, or someone authorised by that person, by written instrument, under subsections 137(2) or (4) of the DAT Act.  

Authorised officers can sign the agreement in hard copy or using an official digital signature.

Liaising with the Australian Security Intelligence Organisation

Where a data sharing agreement permits a foreign individual access to shared data, the parties to the agreement must satisfy themselves of the people principle (see section 6 of the Data Availability and Transparency (National Security Measures) Code 2022):

  • The responsible entity (i.e. the entity reporting to ASIO about a foreign individual) cannot be satisfied of the people principle until they have provided the required materials to ASIO and at least 14 days have passed since the material was provided (this includes no response) (see subsection 6(2) of the Code).
  • Entities other than the responsible entity cannot be satisfied of the people principle until they have been informed by the responsible entity in writing that notification to ASIO has occurred and at least 14 days have passed since it was so informed (see subsection 6(3) of the Code).

For example, if the data custodian is informed in writing on the same day that the data user (in their capacity as a responsible entity) notifies ASIO of the relevant materials, both clocks will start ticking and the 14-day timeframe will expire at the same time. However, if the data user in this example provides the information to ASIO and does not notify the data custodian until 14 days later, the data custodian must still wait a further 14 days until they can be satisfied that the people principle has been met.

If ASIO has concerns about the individual, they will contact the data custodian directly (and not the responsible entity). Once the parties are satisfied that the above requirements have been met, the data custodian must lodge the data sharing agreement for registration with the ONDC.

Further information on these requirements are set out in the ONDC Guidance on foreign individuals (see also the Data Availability and Transparency (National Security Measures) Code 2022).

Lodging a data sharing agreement for registration

The lead data custodian must lodge the data sharing agreement for registration with the ONDC within 30 days of the data sharing agreement having been signed (see section 33 of the Act).

To lodge a signed data sharing agreement for registration the data custodian must submit the following in Dataplace or send the following to information@datacommissioner.gov.au:

  • a PDF version of the agreement, signed by all parties’ authorised officers; and
  • a statement indicating whether the agreement permits a foreign individual access to shared data; and
  • where applicable, confirmation that at least 14 days have passed since the material was provided to ASIO and no concerns have been raised by ASIO.

Parties that submit their documentation via email will later need to work with ONDC staff to ensure that a copy of their signed data sharing agreement is uploaded to Dataplace for record keeping purposes.

Parties seeking urgent registration should contact ONDC to provide advanced notice, where possible.

The submitter will receive an automated confirmation that their email has been received.

Checking of a data sharing agreement ahead of registration

The ONDC will undertake a check of the data sharing agreement to ensure that it contains all the information required by the DATA Scheme legislation for the purposes of registration (see subsections 18(1) and 18(4) of the DAT Act).

Registration will occur within 1-3 business days, and all parties to the agreement will be notified upon registration. Parties seeking urgent registration should contact ONDC to provide advanced notice, where possible.

Inclusion of information on the public register of data sharing agreements  

The National Data Commissioner must maintain a register of data sharing agreements. The register must include a publicly accessible part and a part that is not publicly accessible (see section 130 of the DAT Act).

The Commissioner will draw on information contained in the signed data sharing agreements to ensure that information required to be made public is contained on the register available at www.datacommissioner.gov.au.

This information includes the following (see subsection 130(2) of the DAT Act):

  1. the entities that are parties and the capacity in which each entity is a party;
  2. the date the parties entered into the agreement;
  3. the date the Commissioner registered the agreement;
  4. a description of the project the agreement covers;
  5. the data sharing purpose of the project;
  6. a description of the data to be shared;
  7. whether personal information is to be shared;
  8. if personal information is to be shared—a statement in the approved form (if any) relating to the privacy obligations applicable to the accredited user in relation to its use of output of the project and the person or body to whom individuals may complain about use inconsistent with those obligations;
  9. If personal information is being shared without consent, the ‘permitted circumstance’ for sharing without consent under s 16B(3)(b)(iv) is that it is unreasonable or impracticable to seek consent, and the sharing is for the purpose of informing government policy and programs, or research and development – a copy of the statement included in the data sharing agreement that personal information is being shared without consent of individuals because it is unreasonable or impracticable to seek consent, and an explanation of the data custodian’s reasons for coming to this conclusion;
  10. If personal information is being shared without consent, the ‘permitted circumstance’ for sharing without consent under s 16B(3)(b)(iv) is that it is unreasonable or impracticable to seek consent, and the sharing is for the purpose of informing government policy and programs, or research and development – a copy of the statement included in the data sharing agreement setting out why sharing personal information about an individual without consent is consistent with section 16B of the DAT Act (i.e. how the requirements of section 16B are met);
  11. if, but for section 23, sharing, collecting or using data under the agreement would contravene another law—the title of the other law;
  12. a statement of how the project will serve the public interest;
  13. a description of the final output of the project;
  14. if output of the project may exit the data sharing scheme under section 20E—the circumstances in which the exit may occur;
  15. if the agreement has an expiry date—the expiry date;
  16. whether the agreement is in effect or has expired or been terminated;
  17. if any details are affected by a variation of the agreement—the details as varied and the date the variation was registered;
  18. any other details prescribed by the rules to be included in the publicly accessible part of the register.

The rules do not currently prescribe any additional details that must be included on the public register.

The Commissioner will rely on the information contained in the data sharing agreements to be accurate and will not seek consent ahead of publishing the information on the register. For further guidance on collection of consent under the DATA Scheme when sharing personal information visit Collection of consent under the DATA Scheme | Office of the National Data Commissioner

Should a party to the agreement feel the information on the public register is incorrect, they should contact the ONDC at the earliest opportunity at information@datacommissioner.gov.au.

Where variations, expiry or termination of an agreement occurs, the register will be updated to reflect the current situation once notification to the Commissioner has occurred.

 

Guidance note 2023:11

Last updated: 18 December 2023