Responding to data requests

1. Is the data request from:
   • NSW government sector agency
   • Outside of NSW Government
      

If request is from a NSW government sector agency, note that the requested data is shared under the Data Sharing Act.  

If the request is from outside NSW government, assess the request against relevant compliance requirements of any relevant legislation such as: 

• Privacy and Personal Information Act 1998 (PPIP Act)
• Health Records and Information Privacy Act 2002 (HRIP Act)
• Government Information (Public Access) Act  2009 (GIPA Act)
• State Records Act 1998.

Apply the Five Safes Framework to guide your assessment.  

2. Do we have the requested data?
   • Yes
   • No

If yes, check availability of the requested data. 

If not, inform the requestor that your agency does not have the requested data.

3. Is the requested data:
   • Publicly available
   • Can be made publicly available
   • Restricted 
      

If the data is publicly available, confirm that the requestor may use the data for their purpose.

If the data can be made publicly available, inform the requestor of where to access the data.

If the data is restricted, identify and document your agency’s requirements to fulfill the data request.  

4. Does that data contain:
   • confidential or commercial-sensitive information
   • personal information
   • health information

If yes to confidential or commercial-sensitive information, check and comply with the terms of the agreement or contract.

If yes to personal and/or or health information:

• check with the requestor if a privacy impact assessment (PIA) has been undertaken.
• seek advice from your legal or information or privacy team or experts to:
  • confirm compliance requirements to enable data sharing
  • determine if a risk assessment or a privacy impact assessment should be undertaken.
• negotiate with the requestor to provide de-identified data to lessen privacy risks.

5. Is the data ready to be shared?
   • Yes
   • No

If yes, follow your agency's approval process.

If not, inform the requestor regarding: 

• gaps or issues with your agency's data
• your agency's capability and capacity to carry out activities that may be required such as:
  • data cleansing or modelling
  • de-identification
  • data extraction
• any costs associated with preparing the data for sharing
• your agency's capacity to undertake the sharing within the timeframe and on an 
  ongoing basis, if the data provision is recurring. 

7. Does your agency own the data?
   • Yes
   • No
   • Unsure

If yes, identify and check with the data owner if they know of any restrictions or barriers in sharing the requested data.  

If not, check if your agency is permitted to share data under: 

• a commercial agreement
• personal individual consent
• consent from the copyright owner of the requested data. 

If unsure, check your agency's information asset register or data catalogue to locate the data owner within your agency.  Talk to your agency's information and subject matter experts to find and verify ownership of the requested data.  

8. Is the purpose of the data request clear?
   • Yes
   • No

If yes, determine which legislation permits data sharing. 

If not, contact the requesting agency (Requestor) for additional information. 

9.  Can you share the requested data under:
   • Data Sharing Act 2015
   • Government Information (Public Access) Act 2009 (GIPA Act)
   • Privacy and Personal Information Act 1998 (PPIP Act)
   • Health Records and Information Privacy Act 2002 (HRIP Act)
   • Any applicable Public Interest Direction or Privacy Code of Practice
   • State Records Act 1998
      

a. Data Sharing Act:

• Assess the purpose of the request against one of the permitted data sharing purposes:
  • government policy making
  • program management
  • service planning and delivery.
• Identify if the requested data will contain: (see Question 4)
  • confidential or commercial sensitive information – check and comply with the terms of the agreement or contract.
  • private or health information – seek advice from your legal or information or privacy team or experts to confirm compliance requirements to enable data sharing.
• Check and document compliance requirements against the data sharing safeguards.
• Note that the Data Sharing Act only enables data sharing between NSW government sector agencies. 

b. GIPA Act

• Engage and seek advice from your legal, information or privacy team to help you:
  • determine if you can share data via any of the four access pathways:
    • Mandatory proactive release
    • Authorised release
    • Informal release
    • Formal application.
  • Comply with the GIPA Act requirements and your agency’s policy, procedures and processes.
• Communicate to the requestor if you can share data via any of the four access pathways. Provide them with additional information on the benefits and drawbacks of each pathway.
• Note that decisions made in relation to share data via GIPA Act should be authorised and documented.

c. PPIP Act and HRIP Act

• Contact your legal, information and privacy team to:
  • confirm compliance requirements to enable data sharing
  • determine if a risk assessment or a privacy impact assessment should be undertaken.
• Negotiate with the requestor to provide de-identified data and inform them how de-identification may impact timeframes or may incur costs
• Read Data Sharing and Privacy: a guide for public sector agencies for more information. 

d. Public Interest Direction or Privacy Codes of Practice

• Inform the requestor and determine the next steps if the requested data falls under any of the following:
  • Public Interest Directions made under the PPIP Act
  • Health Public Interest Directions
  • Privacy Codes of Practice.

e. State Records Act

• Determine if data is at least 20 years old and is in the open access period.
  • If so, data is open to public access and can be shared to the requestor. Inform requestor that data is open to public access and will be shared under this Act.
  • If not, document and inform the requestor that data is not in the open access period or that data is subject to closed public access direction.

10. Does your agency have a data sharing approval process in place?
    • Yes
    • No 

If yes, follow your agency's approval process. Communicate to the requestor information about the approval process and the status of the request. 

If not, check your agency's information asset register or data catalogue to identify the data owner, data custodian or the business system owner. 

If not and you are the data custodian or data owner or business system owner:

• determine if you can adopt your agency’s process on releasing information. If yes, follow the approval process.
• determine if you have the authority to approve data requests. Your agency’s relevant records, information and data policies provide information about roles and responsibilities.
• seek advice from your legal, governance, information and privacy experts on what process should be followed.
• Document your actions and decisions. 

11. Does the requestor have the appropriate technology, infrastructure, policies and processes to receive and securely manage the data?
    • Yes
    • No 

If yes, take note of details and confirm with the requestor.

If not, liaise with the requestor to address any gaps. 

12. Are all participants - from your agency and the requestor's agency - aware of their roles and responsibilities?
    • Yes
    • No

If yes, get confirmation and make a record of it. 

If not, document and confirm roles and responsibilities with the requestor and within your agency. 

13. Can you supply the required metadata or a data quality statement?
    • Yes
    • No
       

If yes, provide the required metadata or data quality statement to the requestor.

If not, document the metadata or write a data quality statement. You can use the Data Quality Reporting Tool to produce a data quality statement. 
 

14. Does your agency have the capacity to undertake the sharing within the timeframe and on an ongoing basis, if the data provision is recurring?
    • Yes
    • No

If yes, confirm with the requestor. Communicate if there are any costs associated with sharing the data.

If not, inform the requestor and identify the barriers and possible solutions.

establishing long-term data sharing relationships that may involve:

• ongoing transfers of data
• multiple transfers with different parameters
• including process for authorising further data requests

Parties to the agreement

Drafting notes: 

Specify agencies and names of authorised persons who are entering into the agreement, i.e. the data provider(s) and the data recipient. 

• Name of Organisation
• Role of organisation

  • ☐ Data Provider

  • ☐ Data Recipient / Requestor

  • ☐ Intermediary

• Australian Business Number

• Address

• Name of Authorised Representative

  • Position

  • Contact information
     

Purpose 

Drafting notes: 

Include information on:

• anticipated outcomes of the project/program/initiative and how will the data requested help achieve these outcomes
• individuals, groups, demographics or organisations that will be positively affected by this project
• any specific legislative basis for permitting access to the data.

Purpose

Data is provided for the purposes of [state the purpose of the data sharing]. 

Acknowledgement:
□ The parties confirm that the sharing purpose complies with [name of legislation] under which this agreement is made and the data shared is reasonably necessary to achieve the purpose(s) as specified.

Term and variation of agreement

Drafting notes: 

Specify:

• when the agreement begins and ends

• If applicable, review dates or intervals for review date

• Frequency of supply of data: one-off, ongoing, defined timeframes

• Circumstances that must be met and the processes that must be followed for the parties to vary this Agreement.

Term and variation of agreement

The agreement starts on [start date] and ends on [end date].

This agreement will be reviewed [expected interval date, e.g. every 6 months, annually, every 3 years, etc.]. 

The data will be provided on ongoing basis until [agreement end date]

Both parties must agree in writing to vary this agreement. 

Details of data to be shared

Drafting notes:

Provide a brief description of the data to be shared. Include as much information as possible about the data.  

Include data specifications or data quality statements or data dictionaries as part of the agreement. 

Details of data to be shared

The Data Provider will supply [name of the dataset], with the following parameters:

• Target population: [Program X] customers
• Data types: number of customers, by suburb, by type of service
• Level of granularity: unit record, aggregated
• Timeframe of data: data from 2020-2025, by month and year
• Location: postcode / suburb or statistical area level 4 (SA4)
   

Approvals required

Drafting notes: 

• Specify the approval processes required. Note that approvals process(es) required will be determined by the nature of the project. Not all options listed in the examples may be relevant.
• Attach additional evidence as required.
• Specify who is responsible for conducting or facilitating the approvals.

Approvals required

Data will be provided subject to: (select all options that apply):
☐ no approvals required
☐ ethics approvals 
☐ financial approval (e.g. Digital Restart Approval)
☐ others, please specify (e.g. AI Review Committee)
 

Use of data

Drafting notes:

Include clauses relating to:

• the purpose for which the data may be used by the requester
• specific restrictions on who may use, access or release any shared data 
   

Use of data

The Data Recipient agrees it will:

• use the Shared Data for the Approved Purpose(s) only
• where necessary, nominate certain authorised users to have access to the Shared Data (Authorised Users) and ensure that only authorised users have access to the Shared Data
• seek the authorisation and approval of the Data Provider before making public, or disclosing to any third party, the Shared Data or any document incorporating the Shared Data. 

The Data Recipient will not:

• permit access, or release any Shared Data, to a third party (except as set out in the Agreement or with the express consent of the Data Provider);
• produce any information based on, or incorporating, the Shared Data that generates personal Information or health information (that is, it re-identifies a person), unless permitted by law.

Access to Data

Drafting notes:

Specify 

• method of data access
• data access date
• approval process on requests to change access to the data. 

Access to Data

The Data Provider agrees to make the Shared Data available via [method of data access, e.g. API, secure File Transfer Protocol or online file sharing service] for the agreed term.

The parties may agree to make changes to the data scope as follows:

• Recipient may send request via email and the Data Provider to acknowledge request.
• Data Provider will confirm if requested changes are approved and from when changes will be applied.
• Data Provider will provide reasons for not approving requested changes and the Recipient may appeal the decision.

Licence, copyright and intellectual property

Drafting notes:

Include details of: 

• any licence or copyright conditions
• potential or restriction of commercial use of the data
• attribution 

Licence, copyright and intellectual property

The Data Provider grants to the Data Recipient a non-exclusive, non-transferable, royalty free licence to use, reproduce and adapt the Shared Data for the Approved Purposes (on the terms, and subject to the restrictions, set out in this Data Sharing Agreement).

Storage and security

Drafting notes

Specify your storage and security requirements. Include information on:

• where will the data be stored once it has been shared or transferred

• how will the data be stored

• how will the data be delivered into the storage system

• how long will the data be retained

• security measures in place such as agency control of user credentials for authentication, data encryption, information dispersal, data separation, governance policies etc. 

• specific qualifications/certifications/accreditations required for people accessing the data. 

Storage and security

The Data Recipient will store the Shared Data [name of the approved storage and provide further details relating to security measures in place]

Data provided by [Data Provider] to [Data Recipient] will be removed or destroyed by the [Data Provider] in compliance with the provisions of the State Records Act 1998 [or other relevant legislation.]

The [Data Recipient] will notify [Data Provider] when data is removed or destroyed. 

Data provided under this Agreement will be retained or destroyed based on the information provided in the below table.

Data Breach

Drafting notes:

Specify the data breach notification process. 

Data Breach

The [Data  Recipient] will immediately notify [Data Provider] if it becomes aware of any unauthorised access to, or use or disclosure of, any data, including the steps the [Data Recipient] is taking to remedy the data breach.

Termination

Drafting notes:

Include information on circumstances where the data sharing agreement may be terminated.

Termination

Either Party may terminate by giving [X] days written notice to the other Party for any reason or for a specified reason, or to terminate without notice if there has been a serious privacy or data breach.