A NSW Government website

Data.NSW
Data.NSW

Responding to data requests

This guide outlines the key steps and considerations to take when responding to data requests. 

Please note:

  • Data requests need to be assessed against relevant NSW legislation and policies and your agency’s specific policies and guidelines
  • Data sharing may be enabled via an agreement or contract, public interest direction or privacy codes of practice.  
  • You may need to engage with your legal, information and privacy experts to help decide on the data request. 
1. Review the request

Below are the items your agency needs to assess when deciding to share data: 

  • the purpose and context for the data request
  • authority to share based on the scope of the data and applicable laws that prohibits or enables sharing
  • capacity and capability to share data
  • arrangements that need to be in place to share data.

We have compiled a list of questions you need to consider when reviewing data request.   

Questions to considerRecommended actions to take
Data request information
  1. Is the data request from:
    1. NSW government sector agency
    2. Outside of NSW Government
       

If request is from a NSW government sector agency, the requested data may be shared under the Data Sharing Act.

If the request is from outside NSW government, assess the request against relevant compliance requirements of any relevant legislation such as the Privacy and Personal Information Act 1998 (PPIP Act) or Health Records and Information Privacy Act 2002 (HRIP Act).  Apply the Five Safes Framework to guide your assessment.  

  1. Is the purpose of the data request clear?
    1. Yes
    2. No

If yes, check if your agency has the requested data.

If not, contact the requesting agency (Requestor) for additional information

  1. Do we have the requested data?
    1. Yes
    2. No

If yes, check availability of the requested data. 

If not, inform the requestor that your agency does not have the requested data.

  1. Is the requested data:
    1. Publicly available
    2. Can be made publicly available
    3. Restricted 
       

If the data is publicly available, confirm that the requestor may use the data for their purpose.

If the data can be made publicly available, inform the requestor of where to access the data.

If the data is restricted, identify and document your agency’s requirements to fulfill the data request.  

  1. Is the data ready to be shared?
    1. Yes
    2. No

If yes, follow your agency's approval process.

If not, inform the requestor regarding: 

  • gaps or issues with your agency's data
  • your agency's capability and capacity to carry out activities that may be required such as:
    • data cleansing or modelling
    • de-identification
    • data extraction
  • any costs associated with preparing the data for sharing
  • your agency's capacity to undertake the sharing within the timeframe and on an 
    ongoing basis, if the data provision is recurring. 
Authority to decide on the data request
  1. Does your agency own the data?
    1. Yes
    2. No
    3. Unsure

If yes, identify and check with the data owner if they know of any restrictions or barriers in sharing the requested data.  

If not, check if your agency is permitted to share data under: 

  • a commercial agreement
  • personal individual consent
  • consent from the copyright owner of the requested data. 

If unsure, check your agency's information asset register or data catalogue to locate the data owner within your agency.  Talk to your agency's information and subject matter experts to find and verify ownership of the requested data.  

  1.  Can you share the requested data under:
    1. Data Sharing Act 2015
    2. Privacy and Personal Information Act 1998 (PPIP Act)
    3. Health Records and Information Privacy Act 2002 (HRIP Act)
    4. Any applicable Public Interest Direction or Privacy Code of Practice?
       

a. Data Sharing Act:

  • Check that the purpose of the request relates to government policy making, program management and service planning and delivery.
  • Check and document compliance requirements against the data sharing safeguards.
  • Note that the Data Sharing Act only enables data sharing between NSW government sector agencies. 

b. PPIP Act 

c. HRIP Act

d. Public Interest Direction or Privacy Codes of Practice

Data quality
  
2. Decide on the request

Decisions around whether data should be shared should involve an evaluation of the risks involved with sharing the data.

 

 

 

The reasoning for a final decision not to share data needs to be established in writing. Note that if a Requesting Agency disputes your reasons for not approving a request the Requesting Agency is able to make a formal access application under the GIPA Act.

3. Determine terms and conditions

Your agency can set terms and conditions for the release of data to the requestor to ensure that controls are in place on:

  • use of the data 

  • the environment the data will be stored 

  • the publication of outputs from the data. 

When sharing data, it is important that the parties involved enter into an arrangement which provides information on:

Terms and conditionsExample 

Description of the data to be shared 

The description of the data being shared may include information such as: 

  • the source datasets(s) and the relevant time period(s) required (e.g. monthly, annually)
  • the type of variables requested (e.g. demographic, geographic, agency-specific) and specific variables of interest (e.g. name, age, sex, current residential address, etc.)
  • format and level of detail required (e.g. unit record data file, cross-tabulated data file) 

Please include details of any supporting information requested to accompany the shared data.

Description of the data to be shared

 

Authority to share

If the data contains personal or health information, or information by which a personal could reasonably be identified, specify the legal source of authority the sharing of the data is permitted under:

  • Legal sources of authority may include data subjects’ consent
  • Human Research Ethics (HREC) Approval
  • Public Interest Direction
  • Relevant legislation 

 

 

Roles and responsibilities by each party

 

Terms of use and disclosure

 

Intellectual property and licencing

 

Data transfer and management

 

Service level

 
Change management 
4. Preparing data for sharing

Technical specifications, including data quality statement