Sharing data under the legislation
A three-step process to navigate the data sharing legislation of NSW.
Read the Data Sharing (Government Sector) Act
This Act is the primary basis for data sharing within NSW and establishes the Data Analytics Centre (DAC).
Key clauses include:
Investigate the Privacy and Personal Information Protection Act
This Act governs the protection of personal information. The Data Sharing (Government Sector) Act does not override these protections.
Key clauses include:
- Clause 4: Definition of “personal information”
- Clause 18: Limits on disclosure of personal information
- Clause 20: General application of information protection principles to public sector agencies
- Clause 27B: Exemptions relating to research
Investigate the Health Records and Information Privacy Act
This Act governs the protection of health information. The Data Sharing (Government Sector) Act does not override these protections.
Key clauses include:
- Clause 6: Definition of “health information”
- Clause 26: Making a request for access
- Schedule 1, Clause 11: Limits on disclosure of health information
Legislative environment
In NSW there are several pieces of legislation on data sharing and privacy that govern what data can be shared and what cannot.
NSW government sector agencies are enabled to share data under:
- Data Sharing (Government Sector) Act 2015
- Privacy and Personal Information Protection Act 1998
- Health Records and Information Privacy Act 2002
The Data Sharing (Government Sector) Act 2015 (NSW) authorises your agency to share data with other NSW Government sector agencies for specific purposes as set out in the legislation. It operates to authorise data sharing that might otherwise be prohibited under other legislation.
This act does not override the Privacy and Personal Information Protection Act 1998 or the Health Records and Information Privacy Act 2002.
What can you share:
- A government sector agency can share government sector data that it controls with government sector agencies for:
  - data analysis to identify issues and solutions regarding Government policy making, program management and service planning and delivery,
  - the development of better Government policy making, program management and service planning and delivery.
Data sharing between government sector agencies is usually formalised via data sharing agreements or a memorandum of understanding (MoU).
The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) is aimed at safeguarding the privacy of individuals by regulating how agencies collect and handle personal information. It establishes principles for the fair and lawful use of personal information and provides individuals with rights
Section 4 of the PPIP Act defines ‘personal information’ as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.
Within the PPIP Act there are 12 Information Protection Principles (IPPs). These are legal obligations which NSW public sector agencies, statutory bodies, universities and local councils must abide by when they collect, store, use or disclose personal information.
You may be exempt from the IPPs under an exemption such as the research exemption, or the IPPs can be modified under a Public Interest Direction or Code of Practice.
For information on the IPPs check here: Information Protection Principles (IPPs) for agencies
For information on exemptions to the PPIP Act check the guidelines issued by the Privacy Commissioner here: statutory guidelines on research
The Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) protects the privacy of an individual’s health information held by the public and private sectors, enables individuals to gain access to their information, and provides an accessible framework for the resolution of complaints regarding the handling of health information. It establishes principles that are legal obligations that agencies must abide by when collecting, holding, using and disclosing a person’s health information.
Within the HRIP Act there are 15 Health Privacy Principles (HPPs). These are legal obligations which NSW public sector agencies and private sector organisations must abide by when they collect, store, use or disclose health information.
You may be exempt from the HPPs under an exemption such as the research exemption, or the HPPs can be modified under a Public Interest Direction or Code of Practice.
For information on the HPPs check here: Health Privacy Principles (HPPs) explained for members of the public
For information on exemptions to the HRIP Act check the guidelines issued by the Privacy Commissioner here: statutory guidelines on research
Data Sharing Agreements
A data sharing agreement is defined as an agreement between two or more parties to share data according to certain terms and conditions. Data sharing agreements identify the parameters which govern the collection, transmission, storage, security, analysis, re-use, archiving and destruction of the data. While most cross-government data sharing agreements in NSW are not legally binding, they are a useful mechanism to help establish trust between parties and ensure the data is shared appropriately, in line with legal and ethical requirements.
More information on data sharing and privacy can be found on the Information and Privacy Commission’s website.
Public Interest Directions
Under the NSW privacy legislation, the NSW Privacy Commissioner may make, with the approval of the relevant Minister, a Public Interest Direction (PID or Direction) to waive or make changes to the requirements for a public sector agency to comply with an Information Protection Principle (IPP) or Health Privacy Principle (HPP).
A PID is a short-term mechanism that allows agencies to temporarily depart from the IPPs, HPPs or provisions of an existing Privacy Code of Practice for a specific period if it is in the public interest.
There are five key steps to creating a Public Interest Direction:
- The agency considers the need for a direction and whether a mechanism already exists.
- The agency contacts the Privacy Commissioner to advise and discuss its need for a direction.
- The agency submits the draft direction to the Privacy Commissioner for consideration with a covering letter making the case for the direction.
- The Privacy Commissioner will review the draft direction and if there is judged to be sufficient public interest, they will write to the relevant Minister/s, seeking approval.
- With relevant approval the Privacy Commissioner will make the direction by signing the final direction. The direction comes into effect once the Privacy Commissioner signs the document.
For more information on the process check the guidelines Seeking a Public Interest Direction under NSW privacy laws issued by the Privacy Commissioner.
For more information check the page on Public Interest Directions issued by the Privacy Commissioner.
Privacy Codes of Practice
A Privacy Code of Practice is a legal instrument which allows a public sector agency or organisation to make changes to:
- an Information Protection Principle (IPP)
- provisions that deal with public registers
Codes must not be stricter than the principles and they should not be seen as a tool for blanket exemptions to the principles.
There are five steps to creating a Privacy Code of Practice:
- The Privacy Commissioner or any public sector agency:
  - initiates the preparation of a draft privacy code of practice, and
  - develops the draft code in consultation as they think appropriate, and
  - submits the draft code to the Minister.
- If a draft code is initiated and prepared by a public sector agency, the agency must consult with the Privacy Commissioner on the draft code before it is submitted to the Minister.
- The Privacy Commissioner may make a submission to the Attorney General or Minister for Health on the draft as they find appropriate.
- Once a draft code is submitted to the Minister, the Minister may, after taking into consideration any submissions by the Privacy Commissioner, decide to make the code.
- Parliamentary counsel then completes a final drafting.
- The Code is published in the Gazette.
For more information check the page on Privacy Codes of Practice issued by the Privacy Commissioner.
For more information on Privacy Codes of Practice relating to linked data assets check the Seeking a Public Interest Direction or Code of Practice for a linked data asset guidance issued by the Privacy Commissioner.