Overview
Data custodians are not required to share public sector data (see section 25(1) of the Act), however they must consider and respond to DATA Scheme requests received from accredited users. If the data custodian refuses the request, it must provide the accredited user with written reasons for the refusal no later than 28 days after the refusal decision is made (see section 25(3) of the Act).
Making a Data Sharing Request under the Act
What information should you include in a data sharing request?
Ensuring your requests includes as much relevant information as possible will assist the data custodian to promptly consider the request and is more likely to result in a positive outcome.
If you submit your request through Dataplace you will be prompted to fill out a range of fields the data custodian will need to assess when considering your request. If you submit your request outside of Dataplace you should seek to include the following information.
Purpose of the request
- Outline how the request relates to one of the permitted data sharing purposes: delivery of government services, informing government policy or programs, or research and development.
- Identify the data you are seeking access to and whether the project will involve integration of data from more than one data custodian and identify each data custodian.
- Explain whether you intend to use an accredited data service provider (ADSP). If so, indicate the service you require (i.e. complex data integration, deidentification, or secure access). If you are unsure whether you will require the services of an ADSP this can be determined in collaboration with the data custodian after there is in-principle agreement to share data.
- Outline the proposed project timeframe and whether there is any urgency or priority attached to the request. Provide any additional documentation demonstrating funding for the project and/or whether it will support a government policy priority.
- Identify whether the project will include personal information and the proposed privacy safeguards for the project. Consider including your entity’s existing privacy obligations under legislation and any privacy policies and practices your entity holds.
How your project and data governance meet the data sharing principles:
- The project principle: Provide a description of your project and outline how your project will serve the public interest, including identifying who it will benefit and how. Explain how the public interest benefits of the project will outweigh the arguments against sharing. Identify any applicable ethics processes and oversight that will apply to the project.
- The people principle: Identify who will have access to the data (i.e., the project team) and demonstrate they have a sufficient level of expertise and experience handling data. State whether the entity and/or personnel have any actual or perceived conflicts of interest and where applicable detail any mitigation strategies. Indicate whether any foreign individuals (individuals who are neither Australian citizens or permanent residents) will have access to the data.
- The setting principle: Detail how your security standards and systems will be able to appropriately manage any risk associated with collecting, using or sharing sensitive project data. If you are not a Commonwealth body, outline whether and how you would be able to comply with Commonwealth security standards, if asked to do so.
- The data principle: Identify what dataset you propose to be shared (if known) and a description of what you are seeking. Indicate whether you expect the data will contain personal information and whether it could be considered sensitive. Also describe how the data you seek is necessary to achieve the purpose of your project and how often you expect to have the data shared (for example when updates occur).
You may not have settled all the details of your proposed project at the point in time in which you make a formal request. Many details can be updated or rescoped as part of the collaboration process for developing a data sharing agreement.
It is recommended you invite the data custodian to discuss the scope of your data request and whether you are open to refining the scope and provide the contact details for key personnel.
How to make a data sharing request under the Act?
To make a data sharing request under the Act, your organisation must:
- be an accredited user under the DATA Scheme; and
- make the request in writing (see section 25(2)(b) of the Act); and
- expressly state that the request is being made under the Act.
Failure to include the above information may result in delays to your request being considered by the data custodian.
The Office of the National Data Commissioner (ONDC) recommends you make your request through Dataplace – the digital platform that supports DATA Scheme entities to manage data requests. Dataplace supports requestors to provide all the relevant information that a data custodian will need to make a decision. Dataplace will continue to support entities to collaborate to an agreement, as well serving as a repository for all data sharing activities, making it easier for entities to track their requests and agreements and meet their reporting obligations. While not recommended, DATA Scheme requests can also be made outside of Dataplace in writing (e.g. via email). If you do not intend to use Dataplace, you should contact the relevant data custodian for information on how to request data from them under the DATA Scheme.
When should you expect to hear back?
The more thorough and specific the request, the easier it will be for data custodians to consider a request, which will likely lead to quicker decisions.
Data custodians are required to consider a request for it to share the data within a reasonable period. A reasonable period is determined on a case-by-case basis at the time the request is made, considering the amount of time necessary to make a decision, and the context of the request.
Data custodians may be considering multiple requests. If you do not receive an acknowledgment within the week confirming the request has been received and is being considered, we recommend you reach out to the data custodian directly to confirm the request has been received. If you have not received a decision about your request within four weeks, we recommend you reach out to the data custodian directly to confirm the status of your request. If a request is made through Dataplace, you can view the progress of your request in the system.
If you have not received a decision, or the decision was made, outside of what you would consider a reasonable period, you can make a complaint to the National Data Commissioner. For more information on making a complaint, please see guidance on Handling complaints under the DATA Scheme.
Responding to a Data Sharing Request under the Act
How does the data custodian know whether a request is made under the DATA Scheme?
If the data sharing request was made via Dataplace, the request will specify whether it is a request under the DATA Scheme or outside of the Scheme.
If the request was received outside of Dataplace, ideally the requester will have stated in their written correspondence whether the request is being made under the Act. If the request is silent or ambiguous as to which legal pathway they intend to use, we recommend you reach out to the requester to seek clarification.
Data custodians cannot assume that a request is made under the Act, or not, simply because there is ambiguity. Data custodians must take steps to resolve the ambiguity.
How long do you have to consider a data sharing request?
If a data custodian receives a request from an accredited user for data under the DATA Scheme, then the data custodian must consider the request within a reasonable period (see section 25 of the Act). A reasonable period should be determined on a case-by-case basis at the time the request is made, considering the amount of time necessary to make a decision, and the context of the request.
While there are no specific legislative timeframes for considering a request, data custodians should endeavour to acknowledge receipt of requests within one week, and consider the request, or issue a request for further information or re-scoping of the request, within two weeks.
Considering a data sharing request
Public sector data is an important national asset that drives innovation and evidence-based decision-making. The effective use of public data enables program evaluation, informed policy and research, risk-based regulatory processes and drives better services for all Australians. Data custodians are encouraged to view a data sharing request through this lens, particularly if the data sharing project would serve the public interest.
While the Act does not require data custodians to share public sector data, data custodians should take account of the objects of the Act when considering a data request. The first object of the Act is to serve the public interest by promoting better availability of public sector data (see section 3(1) of the Act).
Data sharing requests do not need to be perfect or complete for them to be approved ‘in principle’ by a data custodian. Data custodians should remember that the data will not be shared until after negotiations have taken place and a data sharing agreement has been signed and registered in accordance with the Act.
When an ‘in principle’ decision to share is made, the data custodian should notify the requester as soon as practicable so the parties can determine the details of the proposed project and commence collaboration. Where a data sharing request is incomplete or further information is required, the data custodian should contact the requester as soon as possible, and ideally within two weeks, to determine next steps.
Legal basis to refuse
Data custodians are not required to share public sector data. They have the power to refuse a request for any reason, but this does not mean there are no limits to exercising that power. The power must be exercised reasonably and for a proper purpose (i.e., not fraudulently or for improper purposes), having regard to the subject matter, scope, and purpose of the Act. Data custodians should follow due process and make decisions in good faith based on facts and evidence that rationally support the decision. Any decisions to refuse must be made observing administrative law principles for decision making.
There are certain matters data custodians must turn their minds to under the Act when considering a data sharing request. For example, data custodians must not share data under the Act where sharing is not authorised under section 13 of the Act, including where:
- the data is not public sector data (e.g., the data has not been lawfully collected, created or held by the Commonwealth)
- the data is held by, or originated with or was received from an excluded entity (e.g., Australian Security and Intelligence Organisation etc.)
- the data is operational data held by, originated with or was received from one of the entities listed in section 17(2) of the Act (e.g., AUSTRAC, the Australian Federal Police, the Department of Home Affairs)
- the data is precluded from being shared under the Data Availability and Transparency Regulations 2022 (e.g., COVID app data within the meaning of the Privacy Act 1988 etc.)
- sharing the data would be inconsistent with Australia’s international obligations (e.g., data collected from a foreign government is barred unless the relevant government agrees)
- the data is held as evidence before a court, or obtained by a tribunal, authority or other person with similar powers
- the constitutional requirements are not met
- the request is for a precluded purpose (e.g., compliance or enforcement activities)
- sharing the data would contravene or infringe upon certain rights, agreements, or common law duties or privileges (e.g., the data is protected by copyright or intellectual property rights, contracts or memorandums of understanding to which the data custodian is a party, common law duties, or parliamentary privilege or immunity)
- the privacy protections contained in the Act would not be upheld (e.g., biometric data would be obtained without consent, the project would allow for re-identification of de-identified data etc.)
- the request was received from an entity not accredited under the Act or whose accreditation is currently suspended
- data custodianship is shared, and consent has not been provided by each of the relevant data custodians’ authorised officers
- the request was verbal, and not made in writing.
For further information refer to the guidance on When sharing is barred under the DATA Scheme.
Other basis for refusal
There may also be practical reasons why a data sharing request may be refused. These include where:
- there are duplicate requests from the same requester
- requested data is already publicly available
- the scope of the request is unclear or too broad
- the data custodian does not hold the requested data
- there is an alternative avenue for sharing the data that would be simpler to execute.
If the time, effort, complexity, and staffing resources involved in processing a data sharing request would substantially and unreasonably divert the resources of the data custodian from its other operations, the request may be refused on the basis that it is unreasonable due to its size. In these cases, the data custodian should consider inviting the requester to re‑frame their request.
If the request is large, but the data custodian has the time and resources to fulfill the request, they should seek to do so, noting data custodians are permitted to recover costs of data sharing (see guidance on Charging of fees by data custodians).
Procedural fairness
Consistent with the obligation to afford procedural fairness, if a data custodian is proposing to refuse a request, the data custodian should notify the requesting entity of their intention to refuse the request before a decision to refuse is made.
Data custodians should contact the accredited user in writing to advise they are proposing to refuse the request, set out the grounds on which the decision to refuse will be made, and invite the accredited user to make submissions or provide further information in support of their request, or revise the terms of their request.
Data custodians should provide a reasonable timeframe for accredited users to respond to requests for further information, and if a response is not received within the proposed timeframe, data custodians can proceed to provide their written notice of refusal.
If appropriate, data custodians can also encourage accredited users to withdraw their request. For example, this may be appropriate where the accredited user has requested publicly available data. If the accredited user does not wish to withdraw their request, the data custodian will still need to provide a written notice of refusal in accordance with s 25(3) of the Act.
Providing written notice of refusal
Once a decision is made to refuse a request, the data custodian must prepare a written statement of reasons for the decision. A written notice of refusal should:
- be in writing
- set out the findings on material questions of fact
- refer to the evidence or other material on which those findings were based
- give the reasons for the decision that are capable of being understood.
The written notice of refusal must be provided to the requester no later than 28 days after the day the decision to refuse is made (see section 25(3) of the Act). Day one starts the day after the decision is made. For example, if the decision to refuse is made on 1 March, the 28 day clock commences on 2 March. This means the written notice of reasons must be provided to the requester on or before 29 March.
The notice of refusal can be issued through Dataplace which will help facilitate compliance with the Act, including timeframes, or in writing through other means (e.g., email).
Review of refusal
Complaints
A Scheme entity may lodge a complaint with the National Data Commissioner about the conduct of another Scheme entity. Complaints may be lodged using the Contact Us form or by emailing information@datacommissioner.gov.au.
For more information on how the Commissioner handles complaints refer to the guidance on Handling complaints under the DATA Scheme.
Guidance note 2023:12
Last updated: 21 December 2023