Understanding data sharing frameworks 

• Data Sharing (Government Sector) Act 2015
  • Enables data sharing between NSW Government sector agencies and the NSW Data Analytics Centre (DAC).
  • Authorises data sharing for specific purposes, even where other legislation might otherwise prevent it.
  • Does not override the Privacy and Personal Information Protection Act 1998 (PPIP Act) or the Health Records and Information Privacy Act 2002 (HRIP Act).
• Government Information (Public Access) Act (GIPA Act)
  • Supports public access to datasets and reports unless an overriding public interest consideration applies.
• Health Records and Information Privacy Act 2002
  • Governs health information held by NSW public sector agencies and certain private sector organisations.
  • Sets rules for collecting, storing, using and disclosing health information.
  • Establishes individuals’ rights to access their own health information.
  • Contains 15 Health Privacy Principles (HPPs), with exemptions possible via a research exemption, Public Interest Direction (PID), or Code of Practice.
• Privacy and Personal Information Protection Act 1998
  • Regulates how agencies handle personal information.
  • Contains 12 Information Protection Principles (IPPs) covering the collection, storage, use and disclosure of personal information.
  • Exemptions may apply—for example, for research—or may be modified by a Public Interest Direction or Code of Practice.
• State Records Act 1998
  • Provides for public access to records at least 20 years old and considered open access.
  • Sets requirements for how NSW Government agencies must maintain data, including records of data sharing activities.
• Other Applicable Legislation
  • Some data activities may also fall under additional laws. For example, clause 254A of the Children and Young Persons (Care and Protection) Act 1998 allows disclosure of information for research purposes.
• Legal instruments
  • There may be circumstances where use of data is enabled under a legal instrument or ethics approval.  These instruments specify how data can be shared, used and for what purpose. 

Three step process to navigate the data sharing legislation of NSW.

The Data Sharing (Government Sector) Act 2015 (NSW) authorises your agency to share data with other NSW Government sector agencies for specific purposes as set out in the legislation. It operates to authorise data sharing that might otherwise be prohibited under other legislation.

This act does not override the Privacy and Personal Information Protection Act 1998 or the Health Records and Information Privacy Act 2002.

What can you share:

• Government sector data

  Agencies may share data that they control with other NSW government sector agencies to:

  • identify issues and solutions for policy making, program management and service planning and delivery,
  • develop and improve policies, programs and services. 

• Private sector data 

  Where private sector information is provided to NSW Government agencies, it may be shared within the NSW Government as required. This must be considered against:

  • contractual obligations
  • confidentiality requirements
  • commercial‑in‑confidence arrangements.  

Data sharing arrangements

Most data sharing between agencies is formalised through:

• Data Sharing Agreements
• Memoranda of Understanding (MoUs). 

The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) is aimed at safeguarding the privacy of individuals by regulating how agencies collect and handle personal information. It establishes principles for the fair and lawful use of personal information and provides individuals with rights

Section 4 of the PPIP Act defines ‘personal information' as: 
“Information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can be reasonably be ascertained from the information or opinion”.

Within the PPIP Act there are 12 Information Protection Principles (IPPs). These are legal obligations which NSW public sector agencies, statutory bodies, universities and local councils must abide by when they collect, store, use or disclose personal information.

You may get an exemption from the IPPs under exemptions such as a research exemption, or they can be modified under a Public Interest Direction or Code of Practice.

For information on the IPPs check here: Information Protection Principles (IPPs) for agencies

For information on exemptions to the PPIP Act check the guidelines issued by the Privacy Commissioner here: statutory guidelines on research 

The Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) protects the privacy of an individual’s health information held by the public and private sectors, enables individuals to gain access to their information, and provides an accessible framework for the resolution of complaints regarding the handling of health information. It establishes principles that are legal obligations that agencies must abide by when collecting, holding, using and disclosing a person’s health information.

Within the HRIP Act there are 15 Health Protection Principles (HPPs). These are legal obligations which NSW public sector agencies and private sector organisations must abide by when they collect, store, use or disclose health information.

You may get an exemption from the HPPs under exemptions such as a research exemption, or they can be modified under a Public Interest Direction or Code of Practice.

For information on the HPPs check here: Health Privacy Principles (HPPs) explained for members of the public

For information on exemptions to the HRIP Act check the guidelines issued by the Privacy Commissioner here: statutory guidelines on research

The Government Information (Public Access) Act facilitates public access to NSW government information. 

Data can be shared and release via four access pathways:

• Mandatory proactive release
• Authorised release
• Informal release
• Formal application.

The State Records Act sets requirements for how NSW Government agencies must maintain data, including records of data sharing activities.

This Act also provides public access to data that is at least 20 years old and is in the open access period.

A Privacy Code of Practice is a legal instrument which allows a NSW government sector agency or organisation to make changes to:

• an Information Protection Principle (IPP)
• provisions that deal with public registers.

Codes must not be stricter than the principles and they should not be seen as a tool for blanket exemptions to the principles.

Steps to creating a Privacy Code of Practice

1. The Privacy Commissioner or any public sector agency:
   1. initiates the preparation of a draft privacy code of practice, and
   2. develops the draft code in consultation as they think appropriate, and
   3. submits the draft code to the Minister.

2. If a draft code is initiated and prepared by a public sector agency, the agency must consult with the Privacy Commissioner on the draft code before it is submitted to the Minister.

   The Privacy Commissioner may make a submission to the Attorney General or Minister for Health on the draft as they find appropriate

3. Once a draft code is submitted to the Minister, the Minister may, after taking into consideration any submissions by the Privacy Commissioner, decide to make the code.
4. Parliamentary counsel then completes a final drafting
5. The Code is published in the Gazette.  

For more information read the Privacy Codes of Practice and Seeking a Public Interest Direction or Code of Practice for a linked data asset guidance.

Public Interest Directions

Under the NSW privacy legislation, the NSW Privacy Commissioner may make, with the approval of the relevant Minister, a PID (Direction) to waive or make changes to the requirements for a public sector Agency to comply with an Information Protection Principle (IPP) or Health Privacy Principle (HPP).

A PID is a short-term mechanism that allows agencies to temporarily depart from the IPPs, HPPs or provisions of an existing Privacy Code of Practice for a specific period if it in the public interest.

There are five key steps to creating a Public Interest Direction:

1. The agency considers the need for a direction and whether a mechanism already exists.
2. The agency contacts the Privacy Commissioner to advise and discuss its need for a direction.
3. The agency submits the draft direction to the Privacy Commissioner for consideration with a covering letter making the case for the direction.
4. The Privacy Commissioner will review the draft direction and if there is judged to be sufficient public interest, they will write to the relevant Minister/s, seeking approval.
5. With relevant approval the Privacy Commissioner will make the direction by signing the final direction. The direction comes into effect once the Privacy Commissioner signs the document.

For more information on the process check the guidelines Seeking a Public Interest Direction under NSW privacy laws issued by the Privacy Commissioner.

For more information check the page on Public Interest Directions issued by the Privacy Commissioner.