The Victorian Government, following the various whole of government digital strategy initiatives announced over the past decade (and accompanied by fundamental weakening of the state privacy commissioner), has announced that it is "improving data-sharing across government to deliver better services for Victorians".
The Government collects vast quantities of data – about education and health, our communities, business, employment, infrastructure and the environment. However for too long government data has been held in agency silos and not available across government to tackle many of the pressing community concerns.
The Victorian Data Sharing Bill 2017 – which was second read in Parliament today – will break down these silos and ensure agencies can share data and information across the whole of Government.
Enabling data to be shared and used across government will provide insights about what works and why, and ensure informed policy decisions that deliver for hard working families – from tackling family violence to improving health outcomes.
This Bill provides a clear legal framework that allows for government data to be shared for policy making, service planning and design, enabling government agencies to work together to tackle key priorities.
The Bill also includes strong safeguards and oversight to protect personal data and information, including independent oversight by Victoria’s privacy regulators, mandatory reporting of any potential breaches, and new offences for unauthorised access, use or disclosure.
This Bill follows other work that the Labor Government is doing to modernise Victoria’s data and information sharing regime that includes:
- Legislation to protect women affected by family violence by better sharing information and prioritising victim survivors over their perpetrators
- The development of a Central Information Point to facilitate information sharing across agencies involved in protecting women from family violence
- The creation of Office of Victorian Information Commissioner, bringing together freedom of information with data protection and privacy, to provide independent oversight across those closely-related fields.
The Labor Government has also appointed Victoria’s first Chief Data Officer within the Victorian Centre for Data Insights to transform how the Victorian Government uses data to strengthen policy making. This Bill supports the new Officer by establishing into law the statutory position, and its powers and functions.
The Centre website states -
The Victorian Centre for Data Insights (the Centre) provides a whole-of-government focus to help transform the way government uses data.
The Centre will tell a bigger story than analysing data from just one source. It will bring data together from across government to generate new insights to design better and more data driven policy and services.
The Centre will:
- partner with departments and agencies on data analytics projects that inform policy making and service design
- build data analytics skills and capability of the Victorian Public Service (VPS)
- contribute to improving how data is collected and managed across the VPS
- work with other governments across Australia on better data use, on behalf of the Victorian Government.
The Centre operates as a business unit within the Department of Premier and Cabinet. The Centre is part of the Special Minister of State’s focus on public sector reform, working to strengthen evidence-based policy and practice.
The Centre is led by Victoria’s first Chief Data Officer (CDO). The CDO will lead the Centre, and advocate for the better use of data across government. The CDO is supported by a team of data analysts, information management and policy specialists.
The Explanatory Memo for the Bill states
The main purpose of the Victorian Data Sharing Bill 2017 is to establish the
office of the Chief Data Officer, to promote the sharing and use of public
sector data as a public resource that supports government policy making,
service planning and design, and to amend the Privacy and Data Protection
Act 2014.
Clause Notes
Part 1--Preliminary
Clause 1 provides that the main purposes of the Bill are--
- to establish the office of Chief Data Officer; and
- to promote the sharing and use of public sector data
as a public resource that supports government policy
making, service planning and design;
- to remove barriers that impede the sharing of
identifiable data with the Chief Data Officer or
with data analytics bodies, and to facilitate the
sharing of data across the public sector; and
- to provide protections in connection with data sharing
under this Bill, by--
  - specifying the purposes of data sharing, and the
    circumstances in which sharing of identifiable
    data is permitted; and
  - ensuring that data that is handled under this Bill
    is protected from unauthorised access, use or
    disclosure; and
- to make consequential and other amendments to other
Acts.
Clause 2 sets out the commencement of the Bill. It will come into
operation on the day after the day on which it receives the
Royal Assent.
Clause 3 provides definitions for the key terms used in the Bill.
Subclause (2) provides that, for the purposes of the Bill, a body
holds data if the data is contained in a document in the possession
or under the control of the body.
Clause 4 provides that the Bill binds the Crown.
Clause 5 provides that data must only be handled under the Bill for
the purpose of informing government policy making, service
planning and design.
Part 2--Chief Data Officer
Clause 6 provides that the Secretary to the Department responsible for
administering this Bill may employ a person under Part 3 of the
Public Administration Act 2004 to be the Chief Data Officer.
Clause 7 sets out the functions of the Chief Data Officer which include
to conduct data integration and data analytics work to inform
government policy making, service planning and design, to
build capability in data analytics across the public sector, to
coordinate data sharing and integration on behalf of the state
of Victoria, to make integrated data sets and the results of data
analytics work available to data sharing bodies and designated
bodies and to collaborate with these bodies, and any other
functions incidental to these functions or conferred under this
Bill or any other Act.
Part 3--Data requests
Clause 8 sets out the mechanism by which the Chief Data Officer can
make a formal request to a data sharing body or a designated
body for data held by the body. The Chief Data Officer can
only make a request for the purpose of informing government
policy making, service planning and design and must not request
restricted data. The Chief Data Officer must make the request
in the form of a written notice which specifies the data being
requested, the reasons for the request and how the data will be
handled.
Clause 9 provides that a data sharing body that receives a request under
clause 8 must respond to the request within 10 business days
(or a longer period as agreed by the Chief Data Officer).
The data sharing body's response must either be to provide the
data, or to provide reasons (in accordance with clause 14) for
why the data sharing body will not be providing some or all of
the data. If the data sharing body does not intend to provide
some or all of the data, the response must be given to the
Secretary to the Department as well as the Chief Data Officer.
Clause 10 provides that if a designated body receives a request under
clause 8, the designated body may respond by providing some
or all of the data but is not obligated to do so.
Clause 11 sets out the mechanism by which the Chief Data Officer can
make a formal request to a data sharing body or a designated
body for information about their data holdings. The information
that may be requested includes, but is not limited to--
- the kind of data sets held by the data sharing body or
designated body; and
- the number of data sets held by the data sharing body
or designated body; and
- the kind of information contained in the data sets held
by the data sharing body or designated body; and
- the accuracy, currency and completeness of the data sets
held by the data sharing body or designated body.
The Chief Data Officer can only make a request for the purpose
of informing government policy making, service planning and
design. The Chief Data Officer must make the request in the
form of a written notice which specifies the information being
requested, the reasons for the request and how the information
will be handled.
Clause 12 provides that a data sharing body that receives a request under
clause 11 must respond to the request within 10 business
days (or a longer period as agreed by the Chief Data Officer).
The data sharing body's response must either be to provide
the information, or to provide reasons (in accordance with
clause 14) for why the data sharing body will not be providing
some or all of the information. If the data sharing body does not
intend to provide some or all of the information, the response
must be given to the Secretary to the Department as well as the
Chief Data Officer.
Clause 13 provides that if a designated body receives a request under
clause 11, the designated body may respond by providing
some or all of the information but is not obligated to do so.
Clause 14 sets out a non-exhaustive list of reasons for which a data
sharing body or designated body may choose to refuse to provide
data or information requested by the Chief Data Officer under
clause 8 or 11. The responsible officer of the data sharing body
or designated body may refuse if the responsible officer considers
that data or information should not be provided for any reason,
including but not limited to the following reasons--
- that the provision of the data or information would
constitute a breach of one or more of the following--
  - client legal privilege or legal professional
    privilege;
  - an equitable obligation of confidence;
  - an order of a court or tribunal;
  - subject to Part 4, a law of the Commonwealth,
    a State or a Territory; or
- that the provision of the data or information would be
likely to prejudice one or more of the following--
  - the investigation of a breach, or possible breach,
    of a law of the Commonwealth, a State or a
    Territory, or the administration or enforcement
    of such a law;
  - a coronial inquest or inquiry;
  - a proceeding before a court or tribunal; or
- that the responsible officer believes on reasonable
grounds that the provision of the data or information
would be likely to endanger the health, safety or
welfare of one or more individuals.
Part 4--Use and disclosure of data
Division 1--Authorised use and disclosure of identifiable data
This division sets out the circumstances in which the use or disclosure of
identifiable data is authorised by the Bill and the restrictions which apply to
use and disclosure of identifiable data.
Clause 15 subclause (1) authorises the responsible officer of a data sharing
body or a designated body to disclose identifiable data to the
Chief Data Officer in response to a request under clause 8.
The disclosure is only authorised for the purpose of informing
government policy making, service planning and design.
Subclause (2) authorises the responsible officer of a data sharing
body or designated body to disclose identifiable data to a data
analytics body. The disclosure is only authorised for the data
analytics body to conduct data integration on the identifiable data
for the purpose of informing government policy making, service
planning and design.
Clause 16 authorises the Chief Data Officer to disclose identifiable data
that the Chief Data Officer has received from a data sharing
body or designated body under the Bill to a data analytics body.
The disclosure is only authorised for the data analytics body to
conduct data integration on the identifiable data for the purpose
of informing government policy making, service planning and
design.
Clause 17 authorises the Chief Data Officer to use (as well as collect, hold
and manage) identifiable data received from data sharing bodies
and designated bodies under this Bill. The Chief Data Officer is
only authorised to use the identifiable data for data integration
for the purpose of informing government policy making, service
planning and design.
Clause 18 provides that if the Chief Data Officer or a data analytics body
intend to use the data that they have received under this Bill
for the purpose of data analytics work, they must first take
reasonable steps to ensure that the data no longer relates to an
individual that can be reasonably identified. In doing so, the
Chief Data Officer or data analytics body must have regard to--
- the de-identification techniques applied to treat the data;
- the technical and administrative safeguards and
protections implemented in the data analytics
environment to protect the privacy of individuals;
and
- any other considerations specified in the guidelines
issued by the Chief Data Officer.
Clause 19 provides that before disclosing the results of data analytics work,
the Chief Data Officer or a data analytics body must ensure that
the results to be disclosed include only de-identified data.
Division 2--Authorised use and disclosure of data
to which a secrecy provision applies
Clause 20 provides that the responsible officer of a data sharing body or
designated body may disclose data to the Chief Data Officer
under this Bill, even where a secrecy provision under another
Act applies to that information, so long as the disclosure is in
accordance with, and for the purposes of, this Bill.
Clause 21 requires that if a responsible officer of a data sharing body or
designated body is aware that a secrecy provision applies to
data which they are disclosing to the Chief Data Officer, the
body must inform the Chief Data Officer of the existence of
the secrecy provision.
Clause 22 provides that if a secrecy provision applies to the data received
by the Chief Data Officer under this Bill, then the Chief Data
Officer is authorised to use the data for the purposes of this Bill.
Clause 23 provides that if the Chief Data Officer intends to disclose
information received under this Bill to which a secrecy provision
applies, the Chief Data Officer must first obtain the approval of
the Minister responsible for administering the secrecy provision
(and in the case of a secrecy provision in the Taxation
Administration Act 1997, the Commissioner of State Revenue).
Subclause (2) enables the Chief Data Officer to disclose
data to the Minister or to the Commissioner of State Revenue
(as applicable) for the purpose of obtaining the approval.
Division 3--Relationship with other Acts
Clause 24 subclause (1) provides that this Part does not affect the handling
of data that would otherwise be permitted by or under the
Privacy and Data Protection Act 2014, the Health Records
Act 2001 or any other Act.
Subclause (2) provides that except as expressly provided by this
Part, this Bill does not affect obligations under the Privacy and
Data Protection Act 2014 or the Health Records Act 2001 in
relation to the handling of identifiable data.
Subclause (3) provides that if the Chief Data Officer or a data
analytics body becomes aware that this Bill, the Privacy and
Data Protection Act 2014, or the Health Records Act 2001
has been or is likely to have been breached in relation to data
handled under the Bill while in the Chief Data Officer's or the
data analytics body's control, they must as soon as possible
inform the data provider and the Information Commissioner
or Health Complaints Commissioner (as relevant).
Clause 25 provides that the Freedom of Information Act 1982 does not
apply to data in the possession of the Chief Data Officer or a data
analytics body that was received or integrated under this Bill.
Part 5--Offences
Clause 26 creates a summary offence for a person (without a reasonable
excuse) to access, use or disclose data obtained by the person
under this Bill, other than in accordance with this Bill or
in the performance of the person's functions under this Bill.
The penalty for the offence is 240 penalty units or 2 years'
imprisonment or both.
Clause 27 creates an indictable offence for a person to access, use or
disclose any data or information obtained by the person under
this Bill if the person knows or is reckless as to whether the
data or information may be used to--
- endanger the life or physical safety of any person; or
- commit, or assist in the commission of, an indictable
offence; or
- impede or interfere with the administration of justice.
The penalty for the offence is 600 penalty units or imprisonment
for 5 years or both.
Part 6--Reporting and review
Clause 28 requires that the Chief Data Officer provide a report to the
Health Complaints Commissioner at least every 12 months
on the operation of the Centre in relation to the Centre's use of
health information including the sharing of health information,
projects which have involved the use of health information and
the Centre's compliance with the Health Records Act 2001.
Clause 29 requires that the Chief Data Officer provide a report to the
Information Commissioner at least every 12 months on the
operation of the Centre in relation to the Centre's use of personal
information (other than health information) including the sharing
of personal information, projects which have involved the use
of personal information and the Centre's compliance with the
Privacy and Data Protection Act 2004.
Clause 30 provides that the Minister must cause a review to be made of the
first 5 years of operation of this Bill and within 12 months of the
review being completed, cause the report of the review to be laid
before each House of Parliament.
Part 7--Other matters
Clause 31 subclause (1) allows the Chief Data Officer to delegate any
of their powers, functions or duties (other than their power of
delegation) under the Bill to a person employed or engaged
by the Department responsible for administering this Bill.
Subclause (2) allows the Secretary to a Department to delegate
in their capacity as a data analytics body, any of their powers,
functions or duties (other than their power of delegation) under
the Bill to a person employed or engaged by the Department.
Subclause (3) allows the responsible officer of a data sharing
body, data analytics body or designated body to delegate any
of their powers, functions or duties (other than their power of
delegation) under the Bill to a person employed or engaged by
the relevant body.
Clause 32 provides that the Governor in Council may make regulations to
give effect to the Bill, including regulations to--
- prescribe a body as a data sharing body or a data
analytics body; and
- prescribe a class of data to be restricted data; and
- prescribe a provision to be a secrecy provision to
which Division 2 of Part 4 does not apply.
Clause 33 provides that the Chief Data Officer may issue and publish
policies and guidelines in relation to the administration of
this Bill and that a data analytics body, data sharing body or a
designated body must have regard to the policies or guidelines
issued by the Chief Data Officer. The policies and guidelines
may relate to--
- privacy and confidentiality preserving procedures for
treating data;
- data security safeguards in relation to data handling and
storage under this Bill;
- secure technology platforms for data handling and
storage under this Bill;
- risk mitigation frameworks for data handling and
storage, such as proportionate risk assessment tools and
techniques;
- protocols for data integration and data analytics
projects, such as project design, governance and data
handling arrangements;
- any other matters the Chief Data Officer considers
relevant.
Part 8--Other matters
Clause 34 subclause (1) amends Schedule 1 of the Privacy and Data
Protection Act 2014 to correct the definition of unique identifier
by replacing the second "but" in the following definition with an
"and" so that it now reads as follows--
"unique identifier means
an identifier (usually a number) assigned by an organisation to
an individual uniquely to identify that individual for the purposes
of the operations of the organisation but does not include an
identifier that consists only of the individual's name and does not
include an identifier within the meaning of the Health Records
Act 2001;".
Subclause (2) amends Schedule 1 of the Privacy and Data
Protection Act 2014, to insert "or authorised" in clause 10.1(b)
so that it permits the collection of sensitive information by an
organisation where it is required or authorised by law.
Clause 35 amends section 20 of the Family Violence Protection
Amendment (Information Sharing) Act 2017 to repeal
certain amendments to the Privacy and Data Protection
Act 2014 that are no longer required as a result of the
amendment made by clause 34(2) of the Bill.
Clause 36 provides that the repeal of this Part is repealed on the first
anniversary of the day on which this Bill comes into operation.