
Data

Overview

  • At present, the regulation of public sector data in Australia (i.e. access to and usage of Australian Government data) is subject to significant reform, as set out in the proposed Data Availability and Transparency Act scheme.
  • For the regulation of data in the private sector, see Consumer Data Right under Consumer Rights.

Background

Data Availability and Transparency Bill 2020 (Cth)

  • The Data Availability and Transparency Bill 2020 authorises and regulates controlled access to and sharing of Australian Government data through a principles-based scheme accompanied by regulations, rules and data codes. Here, 'sharing' means providing controlled access to data, as opposed to open release to the public.
  • Key personnel in the scheme:
    • 'National Data Commissioner' is an independent regulator responsible for overseeing the scheme and issuing non-legislative guidelines and data codes.
    • 'Data custodians' are Commonwealth bodies that control public sector data.
    • 'Accredited users' are entities accredited by the Commissioner to access public sector data once certain security, privacy, infrastructure and governance requirements are satisfied.
    • 'Accredited data service providers' (ADSPs) are entities accredited by the Commissioner to perform data services such as data integration.
  • ‘Public sector data’ is defined as data lawfully created, collected or held by or on behalf of Commonwealth bodies or data custodians. These data custodians may share such data with ‘accredited users’ either directly or indirectly through an ADSP. Accredited users do not necessarily need to be Commonwealth bodies. An accredited user can be any entity that satisfies the accreditation criteria and that has applied and has been approved by the National Data Commissioner.
  • There are several criteria for accreditation of both accredited users and ADSPs, such as the ability to: manage data accountably and responsibly; apply the data sharing principles; minimise risk of unauthorised access, sharing or loss of data; commit to continuous improvement to ensure privacy and security of the data and comply with obligations under the scheme.
  • The scheme will control the sharing of data in three ways: sharing only for a 'permitted data sharing purpose'; sharing only in accordance with the 5 prescribed data sharing principles; and sharing via formalised data sharing agreements.
  • Section 23 of the Bill provides data custodians with limited statutory authority to override other laws which would otherwise prevent sharing, collection, and use of public sector data that are authorised by the scheme. The relationship between the Bill and the Privacy Act 1988 (Cth) - especially Australian Privacy Principle 6: Use or disclosure of personal information - is the subject of ongoing debate.

Security of Critical Infrastructure Act 2018 (SOCI)(Cth)

  • Data processing and storage industry functions and assets have been recently defined in the SOCI legislation. Under SOCI, ‘data storage’ implies the use of information technology and includes data back-up. A ‘data storage or processing provider’ means an entity that provides a ‘data storage or processing service’: that is, a service that enables end-users to store or back-up data; or a data processing service.
  • Data storage or processing (DSoP) has been designated a critical infrastructure sector under SOCI. One consequence of this designation is that positive security obligations under SOCI, such as implementing a risk management plan, attach to the assets of some of these providers. The DSoP sector is unique among critical infrastructure sectors as it is the only sector that is a critical sector because it is a part of other sectors’ supply chains. The obligations will not apply to every critical infrastructure sector; rather, defined asset classes will attract the obligations.

SOCI and Cloud Computing

  • Of relevance is whether DSoP and its customers have obligations under SOCI if they own or operate assets in the sectors and asset classes identified in the legislation and rules. For example, which cloud infrastructure providers does a Software as a Service (SaaS) provider engage with for hosting services? These kinds of questions lead to other sources of law, policy, and regulation, such as those set out in the assessment and authorisation frameworks providing a SaaS provider’s authority to operate.
  • It is possible that SaaS providers could in the future be declared a System of National Significance (SoNS), if the service had a large share of government and critical infrastructure provider customers and met the threshold in SOCI. Additionally, SaaS providers may be part of the critical infrastructure supply chain – that is, providing services to owners and operators of other critical infrastructure assets. In this scenario, application of SOCI to cloud providers is uncertain. SaaS providers will interact with critical infrastructure providers at the level of sectoral regulation, such as energy (electricity), financial markets and services, water, and transport (freight). Each of these sectors is subject to its own regulations, which may impact SaaS providers.

Regulatory & Policy Framework

Relevant Organisations

Inquiries & Consultations

Industry Materials
