A NSW Government website

Data.NSW
Data.NSW

Responding to data requests

This guide outlines the key steps and considerations to take when responding to data requests. 

Please note:

  • Data requests need to be assessed against relevant NSW legislation and policies and your agency’s specific policies and guidelines
  • Engagement with legal, information and privacy experts may be needed to help decide on the data request
  • There are no specific timeframes for considering a request. Data providers should acknowledge data requests and engage with the requestor to manage expectations.
1. Review the request

We have compiled a list of questions you need to consider when reviewing data requests.   

Questions to considerRecommended actions to take 
Data request information
  1. Is the data request from:
    • NSW government sector agency
    • Outside of NSW Government
       

If request is from a NSW government sector agency, note that the requested data may be shared under the Data Sharing Act

If the request is from outside NSW government, assess the request against relevant compliance requirements of any relevant legislation such as the Privacy and Personal Information Act 1998 (PPIP Act) or Health Records and Information Privacy Act 2002 (HRIP Act).  Apply the Five Safes Framework to guide your assessment.  

  1. Is the purpose of the data request clear?
    • Yes
    • No

If yes, check if your agency has the requested data.

If not, contact the requesting agency (Requestor) for additional information

  1. Do we have the requested data?
    • Yes
    • No

If yes, check availability of the requested data. 

If not, inform the requestor that your agency does not have the requested data.

  1. Is the requested data:
    • Publicly available
    • Can be made publicly available
    • Restricted 
       

If the data is publicly available, confirm that the requestor may use the data for their purpose.

If the data can be made publicly available, inform the requestor of where to access the data.

If the data is restricted, identify and document your agency’s requirements to fulfill the data request.  

  1. Is the data ready to be shared?
    • Yes
    • No

If yes, follow your agency's approval process.

If not, inform the requestor regarding: 

  • gaps or issues with your agency's data
  • your agency's capability and capacity to carry out activities that may be required such as:
    • data cleansing or modelling
    • de-identification
    • data extraction
  • any costs associated with preparing the data for sharing
  • your agency's capacity to undertake the sharing within the timeframe and on an 
    ongoing basis, if the data provision is recurring. 
Authority to decide on the data request
  1. Does your agency own the data?
    • Yes
    • No
    • Unsure

If yes, identify and check with the data owner if they know of any restrictions or barriers in sharing the requested data.  

If not, check if your agency is permitted to share data under: 

  • a commercial agreement
  • personal individual consent
  • consent from the copyright owner of the requested data. 

If unsure, check your agency's information asset register or data catalogue to locate the data owner within your agency.  Talk to your agency's information and subject matter experts to find and verify ownership of the requested data.  

  1.  Can you share the requested data under:
    • Data Sharing Act 2015
    • Privacy and Personal Information Act 1998 (PPIP Act)
    • Health Records and Information Privacy Act 2002 (HRIP Act)
    • Any applicable Public Interest Direction or Privacy Code of Practice?
       

a. Data Sharing Act:

  • Check that the purpose of the request relates to one of the permitted data sharing purposes:  government policy making, program management and service planning and delivery.
  • Check and document compliance requirements against the data sharing safeguards.
  • Note that the Data Sharing Act only enables data sharing between NSW government sector agencies. 

b. PPIP Act 

  • contact your information and privacy officers for advice on how to share requested data that may contain personal information.
  • negotiate with the requestor to provide de-identified data and inform them how de-identification may impact timeframes or may incur costs
  • read Data Sharing and Privacy: a guide for public sector agencies for more information.

c. HRIP Act

  • contact your information and privacy officers for advice on how to share requested data that may contain health information.
  • negotiate with the requestor to provide de-identified data and inform them how de-identification may impact timeframes or may incur costs
  • read Data Sharing and Privacy: a guide for public sector agencies for more information.

d. Public Interest Direction or Privacy Codes of Practice

  1. Does your agency have a data sharing approval process in place?
    • Yes
    • No 

If yes, follow your agency's approval process. Communicate to the requestor information about the approval process and the status of the request. 

If not, check your agency's information asset register or data catalogue to identify the data owner, data custodian or the business system owner. 

Readiness to share data
  1. Does the requestor have the appropriate technology, infrastructure, policies and processes to receive and securely manage the data?
    • Yes
    • No 

If yes, take note of details and confirm with the requestor.

If not, liaise with the requestor to address any gaps. 

  1. Are all participants - from your agency and the requestor's agency - aware of their roles and responsibilities?
    • Yes
    • No

If yes, get confirmation and make a record of it. 

If not, document and confirm roles and responsibilities with the requestor and within your agency. 

 

  1. Can you supply the required metadata or a data quality statement?
    • Yes
    • No
       

If yes, provide the required metadata or data quality statement to the requestor.

If not, document the metadata or write a data quality statement. You can use the Data Quality Reporting Tool to produce a data quality statement. 
 

  1. Does your agency have the capacity to undertake the sharing within the timeframe and on an ongoing basis, if the data provision is recurring?
    • Yes
    • No

If yes, confirm with the requestor. Communicate if there are any costs associated with sharing the data.

If not, inform the requestor and identify the barriers and possible solutions.

Document any potential barriers and risks or issues that could arise from sharing data. Engage with the requestor to find solutions to mitigate risks. 

Use the Five Safes Framework to guide you with your assessment of the data request. 

2. Decide on the request

Decisions around whether data should be shared should involve an evaluation of the risks involved with sharing the data. Use the Five Safes Framework to guide you with your decision. 

Once a decision is made to approve or refuse the data request, your agency should provide a written statement of reasons for the decision. 

Approve the request

Below is a list of considerations or actions to take when you decide to approve the data request. 

  1. Identify the type of legal agreement you will need to share data. There are multiple types of agreements such as:
 DescriptionSuited for
Data Sharing Agreement (DSA)DSAs identify the parameters which govern the collection, transmission, storage, security, analysis, re-use, archiving and destruction of the data.

establishing long-term data sharing relationships that may involve:

  • ongoing transfers of data
  • multiple transfers with different parameters
  • including process for authorising further data requests
Memorandum of Understanding (MoU)An MoU is a written agreement outlining the framework or key terms and conditions. It is not legally binding.ongoing transfers that have consistent and formalised parameters.
Statement of Work (SoW)The SoW is a document that provides detailed overview of the project, specifically the roles and responsibilities of the people working on the project. Information about the use, access and storage are included.once-off data sharing with the requestor. 
  1. Communicate to the requestor that their data request is approved. Let them know if an in-principle approval is sufficient or if an agreement is needed.
  2. Negotiate with the requestor for the terms and conditions. When negotiating:
    1. Confirm project scope, objectives and outcomes.
    2. Confirm data format, data variables, frequency and timeframe, and the platform or mechanism for data transfer or access
    3. Agree an estimated timeframe for completion of the Data Sharing Agreement, building in time for internal reviews by legal officers, key stakeholders and decision-makers.
    4. Confirm whether any additional consultation is needed within or external to the agency before a Data Sharing Agreement can be finalised.
    5. Apply the Data Sharing Principles to ensure you have the appropriate controls in place to safely share data.

Refuse the request

  1. Make a record that documents the reasons why your agency is refusing to fulfill the data request.
  2. Inform the requestor of your agency's decision in writing.  

Note: The reasoning for a final decision not to share data needs to be established in writing. Note that if the requestor disputes your reasons for not approving a request the requestor is able to make a formal access application under the GIPA Act.

3. Determine and negotiate terms and conditions

Your agency can set terms and conditions for the release of data to the requestor to ensure that controls are in place on:

  • use of the data 

  • the environment the data will be stored 

  • the publication of outputs from the data. 

When sharing data, it is important that the parties involved enter into an arrangement which provides information on:

Terms and conditionsExample

Data Description

  1. Description of the data to be shared
  2. Frequency of the data provision requested (e.g. One-off, ongoing)
  3. Start date for access to the data
  4. End date for access to the data

Note: Include data quality statement as part of the agreement

Data Description:

  • Target population: [Program X] customers
  • Data types: number of customers, by suburb, by type of service
  • Level of granularity: unit record, aggregated
  • Timeframe of data: data from 2020-2025, by month and year
  • Location: postcode / suburb or statistical area level 4 (SA4)
     

Frequency 

☐ Once-off

☐ Real-time or near-real time

☐ Periodically (daily, weekly, monthly, quarterly, annually)

Start date for access to the data  

[dd/mm/yyyy]

End date for access to the data  

[dd/mm/yyyy]

Purpose and intended use

Include information on:

  • anticipated outcomes of the project/program/initiative and how will the data requested help achieve these outcomes
  • individuals, groups, demographics or organisations that will be positively affected by this project
  • any specific legislative basis for permitting access to the data.

Purpose and intended use

Data will be used for <name of project>

Insights from the data analyses will inform decisions or actions on <intended outcome>.

Storage and security

Include information on:

  • where will the data be stored once it has been shared or transferred

  • how will the data be stored

  • how will the data be delivered into the storage system

  • how long will the data be retained

  • security measures in place such as agency control of user credentials for authentication, data encryption, information dispersal, data separation, governance policies etc. 

  • specific qualifications/certifications/accreditations required for people accessing the data

 

Storage and security

  • Where will the data be stored:
    • In the requestor's agency storage
    • In the data provider's storage environment
    • In a third party’s storage environment (please name the organisation)

  • how will the data be stored

    • In a Government Data Centre
    • Via a Commercial Cloud Service
    • On-premises (e.g. Data Analytics Centre)
    • Other (please specify) 

  • how will the data be delivered into the storage system

    • Secure File Transfer Protocol
    • Online file sharing service
    • Other (please specify) 

  • how long will the data be retained

    • Permanently
    • For the duration of the project / agreement
    • Beyond the duration of the project / agreement (please specify how long the requester will need to retain the data and the justification for the retention period)

  • security measures in place

    • please specify required security measures in place.

Use and disclosure

Specify any special conditions on use and disclosure required.

 

 

Use and disclosure

  • Outputs of the data use should be 
    restricted with further anonymisation 
    techniques
  • Insights from the data will need to be approved before publication