Data Availability and Transparency Act 2022 (Cth)

Data Availability and Transparency Act 2022

No. 11, 2022

Compilation No. 4

Compilation date: 11 December 2024

Includes amendments: Act No. 128, 2024

About this compilation

This compilation

This is a compilation of the Data Availability and Transparency Act 2022 that shows the text of the law as amended and in force on 11 December 2024 (the compilation date).

The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.

Uncommenced amendments

The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register. The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law.

Application, saving and transitional provisions for provisions and amendments

If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Editorial changes

For more information about any editorial changes made in this compilation, see the endnotes.

Modifications

If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law.

Self‑repealing provisions

If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.

An Act to authorise the sharing of public sector data, and for related purposes

Chapter 1 Preliminary

Part 1.1 Introduction

1 Short title

This Act is the Data Availability and Transparency Act 2022.

2 Commencement

  1. (1)

    Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

| Column 1: Provisions | Column 2: Commencement | Column 3: Date/Details |
|---|---|---|
| 1. The whole of this Act | The day after this Act receives the Royal Assent. | 1 April 2022 |

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

  1. (2)

    Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Objects

The objects of this Act are to:

  1. (a)

    serve the public interest by promoting better availability of public sector data; and

  2. (b)

    enable the sharing of public sector data consistently with the Privacy Act 1988 and appropriate security safeguards; and

  3. (c)

    enhance integrity and transparency in sharing public sector data; and

  4. (d)

    build confidence in the use of public sector data; and

  5. (e)

    establish institutional arrangements for sharing public sector data.

4 Simplified outline of this Act

This Act establishes a data sharing scheme under which Commonwealth bodies are authorised to share their public sector data with accredited users, and accredited users are authorised to collect and use the data, in a controlled way.

The sharing, collection and use of data must be part of a project that is for one or more of the defined data sharing purposes, and must be done consistently with the data sharing principles and under a registered data sharing agreement that meets the requirements of this Act. Privacy protections apply to the sharing of personal information.

Data may be shared directly with an accredited user, or through an intermediary accredited for the purpose (called an ADSP, short for accredited data service provider).

The National Data Commissioner is the regulator of the data sharing scheme and also has the function of providing education and support in relation to handling public sector data.

The Commissioner’s regulatory functions include accrediting ADSPs and users other than Commonwealth, State and Territory bodies. The Minister has the function of accrediting such bodies as users.

The Commissioner also has functions relating to handling complaints and powers to require information and to assess, monitor and investigate data scheme entities.

Data scheme entities have responsibilities under the Act. A range of enforcement options are available to the Commissioner.

This Act mainly relies for its constitutional basis on the matters set out in subsection 13(4) (constitutional requirements for authorisation for data custodian to share public sector data) (but see also subsections 42(2) and 61(2)).

5 Act binds the Crown

  1. (1)

    This Act binds the Crown in each of its capacities.

  2. (2)

    However, this Act does not make the Crown liable to be prosecuted for an offence.

  3. (3)

    To avoid doubt, subsection (2) does not prevent the Crown from being liable to pay a pecuniary penalty under a civil penalty order under Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act.

6 Extension to external Territories

This Act and the Regulatory Powers Act as it applies in relation to this Act extend to every external Territory.

7 Extraterritorial operation

  1. (1)

    This Act, and the Regulatory Powers Act as it applies in relation to this Act, extend to acts, omissions, matters and things outside Australia.

    Note: Geographical jurisdiction for civil penalty provisions and offences is dealt with in section 136.

  2. (2)

    This Act, and the Regulatory Powers Act as it applies in relation to this Act, have effect in relation to acts, omissions, matters and things outside Australia subject to:

    1. (a)

      the obligations of Australia under international law, including obligations under any international agreement binding on Australia; and

    2. (b)

      any law of the Commonwealth giving effect to such an agreement.

Part 1.2 Definitions

9 Definitions

In this Act:

access has a meaning affected by section 10.

accreditation authority means:

  1. (a)

    for an entity applying for accreditation, or accredited, as an ADSP—the Commissioner; or

  2. (b)

    for a Commonwealth body, State body or Territory body, or the Commonwealth or a State or Territory, applying for accreditation, or accredited, as an accredited user—the Minister; or

  3. (c)

    for another entity applying for accreditation, or accredited, as an accredited user—the Commissioner.

accredited entity: see subsection 11(4).

accredited user: see subsection 11(4).

ADSP: see subsection 11(4).

ADSP‑controlled access: see subsection 16B(6).

ADSP‑enhanced data: see subsection 11A(3).

adverse or qualified security assessment means an adverse security assessment, or a qualified security assessment, within the meaning of Part IV of the Australian Security Intelligence Organisation Act 1979.

ancillary contravention of a civil penalty provision means a contravention that arises out of the operation of section 92 of the Regulatory Powers Act.

ancillary offence has the same meaning as in the Criminal Code.

APP entity has the same meaning as in the Privacy Act 1988.

APP‑equivalence term: see subsection 16E(2).

appointed member: see paragraph 62(1)(e).

approved contract: see subsection 123(3).

approved form for a provision of this Act, the rules or a data code means a form approved by the Commissioner for the purposes of the provision under section 132.

Australia, when used in a geographical sense, includes the external Territories.

Australian aircraft has the same meaning as in the Criminal Code.

Australian entity means an entity that is any of the following:

  1. (a)

    a Commonwealth body, a State body or a Territory body;

  2. (b)

    the Commonwealth, a State or a Territory;

  3. (c)

    an Australian university.

Australian ship has the same meaning as in the Criminal Code.

Australian university means a registered higher education provider:

  1. (a)

    that, for the purposes of the Tertiary Education Quality and Standards Agency Act 2011, is registered in the “Australian University” provider category; and

  2. (b)

    that is established by or under a law of the Commonwealth, a State or a Territory.

authorised officer: see section 137.

biometric data:

  1. (a)

    means personal information about any measurable biological or behavioural characteristic relating to an individual that could be used to identify the individual or verify the individual’s identity; and

  2. (b)

    includes a biometric template containing representations of information mentioned in paragraph (a).

Note: Data that is not personal information cannot be biometric data. For example, an eye colour, by itself, is not biometric data.

breach: a data scheme entity breaches this Act if the data scheme entity engages in conduct that contravenes, or is inconsistent with, this Act.

Circuit Court means the Federal Circuit and Family Court of Australia (Division 2).

civil penalty provision has the same meaning as in the Regulatory Powers Act.

Commissioner means the National Data Commissioner referred to in section 41.

Commonwealth body:

  1. (a)

    means:

    1. (i)

      a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013; or

    2. (ii)

      any other person or body that is an agency within the meaning of the Freedom of Information Act 1982; but

  2. (b)

    does not include an Australian university.

complex data integration service: see subsection 16D(3).

condition of accreditation means a condition:

  1. (a)

    prescribed by the rules for the purposes of subsection 77B(1); or

  2. (b)

    imposed under section 74, 78 or 84.

constitutional corporation means a corporation to which paragraph 51(xx) of the Constitution applies.

Council means the National Data Advisory Council established by section 61.

court/tribunal order means an order, direction or other instrument made by:

  1. (a)

    a court; or

  2. (b)

    a judge (including a judge acting in a personal capacity) or a person acting as a judge; or

  3. (c)

    a magistrate (including a magistrate acting in a personal capacity) or a person acting as a magistrate; or

  4. (d)

    any other person or body that has the power to act judicially under a law of the Commonwealth or a State or Territory; or

  5. (e)

    a tribunal; or

  6. (f)

    a member or an officer of a tribunal;

and includes an order, direction or other instrument that is of an interim or interlocutory nature.

data means any information in a form capable of being communicated, analysed or processed (whether by an individual or by computer or other automated means).

data breach: see section 35.

data code: see subsection 126(1).

data custodian: see subsection 11(2).

data scheme entity: see subsection 11(1).

data service means any operation performed on or in relation to data, at any stage from collection or creation to destruction.

data sharing agreement: see section 18.

data sharing purpose: see subsection 15(1).

data sharing scheme means this Act and the regulations, rules, data codes and guidelines made under it.

Defence Department means the Department administered by the Minister administering the Defence Act 1903.

de‑identification data service: see subsection 16C(3).

de‑identified has the same meaning as in the Privacy Act 1988.

delivery of government services: see subsection 15(1A).

designated individual: see section 123.

designation: see section 123.

electronic communication means a communication of information in any form by means of guided electromagnetic energy, unguided electromagnetic energy or both.

enforcement related purpose: see subsection 15(3).

engage in conduct means:

  1. (a)

    do an act; or

  2. (b)

    omit to do an act.

entity means any of the following:

  1. (a)

    a Commonwealth body, a State body or a Territory body;

  2. (b)

    a body politic;

  3. (c)

    an Australian university;

  4. (d)

    a body corporate;

  5. (e)

    an individual.

excluded entity: see subsection 11(3).

exit: see section 20E.

Federal Court means the Federal Court of Australia.

final output of a project means the output specified as the agreed final output in the data sharing agreement for the project (see paragraph 19(3)(b)).

government entity: see subsection 125A(4).

guidelines means guidelines made under section 127.

offence against this Act includes an offence against section 6 of the Crimes Act 1914, or Chapter 7 of the Criminal Code, that relates to this Act.

Note: Ancillary offences that relate to this Act are also offences against this Act (see section 11.6 of the Criminal Code).

operational data means:

  1. (a)

    data about information sources or operational activities or methods available to an agency mentioned in paragraph 17(2)(b); or

  2. (b)

    data about particular operations that have been, are being or are proposed to be undertaken by such an agency, or about proceedings relating to those operations.

output: see subsection 11A(1).

paid work means work for financial gain or reward (whether as an employee, a self‑employed person or otherwise).

personal information has the same meaning as in the Privacy Act 1988.

Note: Information that has been de‑identified is no longer personal information.

point: see subsection 136(9).

precluded purpose: see subsections 15(2) and (4).

primary contravention of a civil penalty provision means a contravention that does not arise out of the operation of section 92 of the Regulatory Powers Act.

primary offence has the same meaning as in the Criminal Code.

project: see section 11A.

public sector data means data lawfully collected, created or held by or on behalf of a Commonwealth body, and includes ADSP‑enhanced data.

registered: a data sharing agreement is registered if the agreement is included in the register of data sharing agreements under subsection 130(4).

regulatory function means a function set out in subsection 45(1).

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

release: see subsection 10(1).

reviewable decision: see section 118.

reviewer: see section 118.

rules means rules made under subsection 133(1).

scheme data means:

  1. (a)

    any copy of data created for the purpose of being shared under section 13 as part of a project and held by the entity that is the sharer mentioned in that section, whether or not the data has yet been shared; or

  2. (b)

    output of a project, other than a copy that has exited the data sharing scheme (see section 20E); or

  3. (c)

    ADSP‑enhanced data of a project, other than a copy that has exited the data sharing scheme (see section 20E).

secure access data service: see subsection 16C(4).

security has the same meaning as in the Australian Security Intelligence Organisation Act 1979.

share: see subsection 10(2).

source data: see paragraph 19(3)(a).

State body means any of the following, but does not include an Australian university:

  1. (a)

    a department of a State;

  2. (b)

    a body established for a public purpose by or under a law of a State, other than a body prescribed by the rules;

  3. (c)

    the holder of a statutory office appointed under a law of a State, other than an office prescribed by the rules.

submit: see subsection 20A(3).

Territory body means any of the following, but does not include an Australian university:

  1. (a)

    a department of a Territory;

  2. (b)

    a body established for a public purpose by or under a law of a Territory, other than a body prescribed by the rules;

  3. (c)

    the holder of a statutory office appointed under a law of a Territory, other than an office prescribed by the rules.

use includes handle, store and provide access.

Note: Examples of use of data by an accredited user include developing and modifying output.

10 References to access to data

  1. (1)

    For the purposes of this Act, a reference to an entity providing access to data includes a reference to the entity:

    1. (a)

      providing another entity with access to the data; and

    2. (b)

      providing open access to the data (releasing the data).

  2. (2)

    This Act uses the expression share to refer to data custodians of public sector data providing accredited entities with access to data under this Act.

  3. (3)

    For the purposes of this Act, if an entity provides another entity with access to data:

    1. (a)

      the entity that provides access is taken to retain a copy of the data; and

    2. (b)

      the entity to which access is provided is taken to collect a copy of the data.

11 Entity definitions

  1. (1)

    The following are data scheme entities:

    1. (a)

      data custodians of public sector data;

    2. (b)

      accredited entities.

  2. (2)

    An entity is a data custodian if the entity:

    1. (a)

      is a Commonwealth body; and

    2. (b)

      is not an excluded entity; and

    3. (c)

      either:

      1. (i)

        controls public sector data (whether alone or jointly with another entity), including by having the right to deal with that data; or

      2. (ii)

        has become the data custodian of output of a project in accordance with section 20F.

  3. (2A)

    If a data custodian of public sector data shares the data with an intermediary under section 13 as part of a project, the data custodian is taken also to be the data custodian of any ADSP‑enhanced data of the project.

  4. (3)

    Each of the following is an excluded entity:

    1. (aa)

      the National Data Commissioner and any APS employee made available to the National Data Commissioner under section 47;

    2. (a)

      the National Anti‑Corruption Commission;

    3. (ab)

      the Inspector of the National Anti‑Corruption Commission;

    4. (b)

      the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002;

    5. (ba)

      the Australian Federal Police;

    6. (c)

      that part of the Defence Department known as the Australian Geospatial‑Intelligence Organisation;

    7. (d)

      the Australian National Audit Office;

    8. (e)

      the Australian Secret Intelligence Service;

    9. (f)

      the Australian Security Intelligence Organisation;

    10. (g)

      the Australian Signals Directorate;

    11. (h)

      that part of the Defence Department known as the Defence Intelligence Organisation;

    12. (i)

      the Inspector‑General of Intelligence and Security;

    13. (j)

      the Office of the Commonwealth Ombudsman;

    14. (k)

      the Office of National Intelligence.

  5. (4)

    An entity accredited under section 74 as an:

    1. (a)

      accredited user (an accredited user); or

    2. (b)

      ADSP (short for accredited data service provider) (an ADSP);

is an accredited entity.

Note 1: Accredited users are able to collect and use shared data (including by creating output they can provide other entities with access to, or release) in accordance with an applicable data sharing agreement. ADSPs are expert intermediaries who can assist data custodians to prepare and share data appropriately.

Note 2: Excluded entities cannot be accredited (see subsection 74(1)).

  1. (5)

    A data scheme entity may do things under this Act in different capacities. In each of those capacities, the entity is taken to be a different data scheme entity. Among other things, this means that a data scheme entity may enter into a data sharing agreement to which it is party in more than one capacity.

    Note: For example, the same entity may be party to the agreement in its capacity as data custodian of data to be shared and in its capacity as the accredited entity with which the data is shared.

11A The data sharing project

Project, and output and ADSP‑enhanced data of project

  1. (1)

    A project involves at least both of the following elements:

    1. (a)

      an entity (the sharer) shares data with another entity (the user), either directly or through another entity (the intermediary);

    2. (b)

      the user collects the data and uses the output of the project, which is:

      1. (i)

        the copy of the data collected by the user; and

      2. (ii)

        any data that is the result or product of the user’s use of the shared data.

    Note 1: The sharer’s authorisation to share data is in section 13. The user’s authorisation to collect and use data is in section 13A.

    Note 2: A project may involve sharing of data by multiple sharers, if multiple entities are data custodians of the data.

  2. (2)

    If, for the purposes of sharing data under section 13, data services are performed in relation to data, or data is created, by or on behalf of the sharer, the project also involves performing the services or creating the data.

  3. (3)

    If the sharer shares data with the user through an intermediary, the project also involves both of the following elements:

    1. (a)

      the sharer shares the data with the intermediary;

    2. (b)

      the intermediary collects the data and uses the ADSP‑enhanced data of the project, which is:

      1. (i)

        the copy of the data collected by the intermediary; and

      2. (ii)

        any data that is the result or product of the intermediary’s use of the shared data.

    Note: The sharer’s authorisation to share data with the intermediary, and the intermediary’s authorisation to share data with the user on behalf of the sharer, are in section 13. The intermediary’s authorisation to collect data from the sharer and use it is in section 13B.

  1. (4)

    If the sharer is provided with access to output or ADSP‑enhanced data of the project, the project also involves the sharer’s collection and use of the output or ADSP‑enhanced data.

    Note: The sharer’s authorisation to collect and use the output or ADSP‑enhanced data of the project is in section 13C.

Combining projects

  1. (5)

    A data sharing agreement may treat multiple projects as a single project, as long as they all have the same data sharing purpose or purposes and the same sharer and user and (if applicable) intermediary.

Successive projects

  1. (6)

    If the user in a project shares data that is output of the project as part of a later project:

    1. (a)

      the copy retained by the user continues to be output of the earlier project; and

    2. (b)

      the copy collected by the user in the later project is output of the later project in accordance with paragraph (1)(b); and

    3. (c)

      if the sharing in the later project is done through an intermediary—the copy collected by the intermediary in the later project is ADSP‑enhanced data of the later project in accordance with paragraph (3)(b).

    Note: A data sharing agreement may allow the user to share output under section 13 as part of a later project (see section 20D).

Chapter 2 Authorisations

Part 2.1 Introduction

12 Simplified outline of this Chapter

Under the data sharing scheme, Commonwealth bodies are authorised to share their public sector data with accredited users, and accredited users are authorised to collect and use the data, in a controlled way. Data may be shared with an accredited user directly, or through an intermediary accredited for the purpose (called an ADSP, short for accredited data service provider).

The sharing, collection and use of data must be part of a project that is for one or more of the defined data sharing purposes, and must be done consistently with the data sharing principles and a registered data sharing agreement that meets the requirements of this Act. Privacy protections apply to the sharing of personal information.

Commonwealth bodies must be the data custodian of public sector data they share (i.e. they must control the data, including by having the right to deal with it). Some Commonwealth bodies are excluded from the scheme.

Some sharing of data is barred (e.g. if the sharing would contravene a prescribed law or an agreement).

An accredited user’s authorisation to use data may in some circumstances extend to providing access to output of the project to other entities, which may or may not be accredited. There are limits on the circumstances in which data sharing agreements may allow this.

If sharing, collection or use is authorised by this Chapter, the authorisation has effect despite any other law of the Commonwealth or a State or Territory.

Data custodians and accredited entities must comply with the rules made by the Minister and data codes made by the National Data Commissioner and meet other responsibilities under this Chapter.

This Act mainly relies for its constitutional basis on the matters set out in subsection 13(4) (constitutional requirements for authorisation for data custodian to share public sector data) (but see also subsections 42(2) and 61(2)).

Part 2.2 Authorisations

13 Authorisation for data custodian to share public sector data

  1. (1)

    An entity (the sharer) is authorised to share data with another entity (the user), either directly or through another entity (the intermediary), if all of the following apply:

    1. (a)

      the constitutional requirements in subsection (4) are met;

    2. (b)

      the data custodian requirements in subsection (2) are met;

    3. (c)

      the project the sharing is part of is covered by a registered data sharing agreement that is in effect and that meets the requirements of this Act;

    4. (d)

      the sharing is in accordance with the data sharing agreement;

    5. (e)

      the sharer is satisfied that the project is consistent with the data sharing principles;

    6. (f)

      the user is an accredited user and its accreditation is not suspended;

    7. (g)

      if the data shared with the user includes personal information—the privacy coverage condition in section 16E is met in relation to the user;

    8. (h)

      if the sharer shares through an intermediary—the intermediary is an ADSP and its accreditation is not suspended;

    9. (i)

      if the data shared with the intermediary includes personal information—the privacy coverage condition in section 16E is met in relation to the intermediary.

    Note: This section authorises the sharer to share its public sector data with the user and with the intermediary (if any). It also authorises the intermediary (if any) to share with the user, on behalf of the sharer, ADSP‑enhanced data of which the sharer is the data custodian.

  2. (2)

    The data custodian requirements are the following:

    1. (a)

      the data is public sector data and the sharer is the data custodian of the data;

    2. (b)

      if the sharer is not the only data custodian of the data—authority to share the data has been given by each other data custodian;

    3. (c)

      the sharing is not barred by section 17;

    4. (d)

      the sharing is consistent with the general privacy protections in section 16A and the purpose‑specific privacy protections in section 16B;

    5. (e)

      if the data shared does not include personal information—only the minimum amount of data necessary for the project to proceed is shared;

    6. (f)

      if the requirement in subsection 16C(2) or 16D(2) applies—the requirement is met.

    Note: If sharing is done through an intermediary, it is possible that authority to share as mentioned in paragraph (2)(b) will be needed from additional data custodians of ADSP‑enhanced data of the project, before the ADSP‑enhanced data can be shared with the user.

  3. (3)

    Authority given by a data custodian for the purposes of paragraph (2)(b) must be given by one of the following:

    1. (a)

      an authorised officer of that data custodian;

    2. (b)

      if another data custodian is authorised to act as the agent of that data custodian—an authorised officer of the agent data custodian.

  4. (4)

    The constitutional requirements are that any of the following apply:

    1. (a)

      the data is shared with a Commonwealth body or Territory body, or the Commonwealth or a Territory;

    2. (b)

      the data is shared with a State body or a State, as part of a project that:

      1. (i)

        relates to a matter of national interest that requires national cooperation to achieve an identified national objective; or

      2. (ii)

        addresses an immediate need to take coordinated action in an area that will have significant national and cross‑jurisdictional effect; or

      3. (iii)

        occurs in the context of the Commonwealth otherwise facilitating cooperation with or between the States;

    3. (c)

      the data is shared as part of a project that is for a data sharing purpose set out in paragraph 15(1)(a) (delivery of government services) or (b) (informing government policy and programs), if the government concerned is or includes the Commonwealth;

    4. (d)

      the data is shared with a constitutional corporation as part of a project that is for the data sharing purpose set out in paragraph 15(1)(c) (research and development);

    5. (e)

      the data is shared by means of electronic communication;

    6. (f)

      the data is shared to enable analysis for statistical purposes;

    7. (g)

      the data is statistical information.

13A Authorisation for accredited user to collect and use data

An entity (the user) is authorised to collect data shared with the user under, or purportedly under, section 13 as part of a project, or to use output of the project, if all of the following apply:

  1. (a)

    the project is covered by a registered data sharing agreement that is in effect and that meets the requirements of this Act;

  2. (b)

    the collection or use is in accordance with the data sharing agreement;

  3. (c)

    the user is satisfied that the project is consistent with the data sharing principles;

  4. (d)

    the user is an accredited user and its accreditation is not suspended;

  5. (e)

    if the data shared with the user includes personal information—the privacy coverage condition in section 16E is met in relation to the user;

  6. (f)

    if the sharing by the sharer is not authorised by section 13—the user does not know and could not reasonably be expected to know that.

13B Authorisation for ADSP to act as intermediary

If an entity (the sharer) is sharing data with another entity (the user) under, or purportedly under, section 13 through another entity (the intermediary) as part of a project, the intermediary is authorised to collect data shared with it by the sharer, or to use ADSP‑enhanced data of the project, if all of the following apply:

  1. (a)

    the project is covered by a registered data sharing agreement that is in effect and that meets the requirements of this Act;

  2. (b)

    the collection or use is in accordance with the data sharing agreement;

  3. (c)

    the intermediary is satisfied that the project is consistent with the data sharing principles;

  4. (d)

    the intermediary is an ADSP and its accreditation is not suspended;

  5. (e)

    if the data shared with the intermediary includes personal information—the privacy coverage condition in section 16E is met in relation to the intermediary;

  6. (f)

    if the sharing by the sharer is not authorised by section 13—the intermediary does not know and could not reasonably be expected to know that.

13C Authorisation for data custodian to collect and use submitted data

If an entity (the sharer) has shared data with the user under section 13 as part of a project, either directly or through an intermediary, the sharer is authorised to collect output or ADSP‑enhanced data of the project from the user or intermediary, or to use output or ADSP‑enhanced data of the project collected from the user or intermediary, if both of the following apply:

  1. (a)

    the project is covered by a registered data sharing agreement that is in effect and that meets the requirements of this Act;

  2. (b)

    the collection or use by the sharer is in accordance with the data sharing agreement.

14 Penalties for unauthorised sharing

Civil penalty provisions

  1. (1)

    An entity contravenes this subsection if:

    1. (a)

      the entity provides access to data; and

    2. (b)

      the provision of access is purportedly under section 13; and

    3. (c)

      the provision of access is not authorised by section 13.

    Civil penalty: 300 penalty units.

  2. (2)

    An individual or a body corporate contravenes this subsection if:

    1. (a)

      the individual or body corporate uses data; and

    2. (b)

      the use is a provision of access to the data by an entity under, or purportedly under, section 13; and

    3. (c)

      the individual has a designated relationship with the entity, or the body corporate is party to an approved contract with the entity; and

    4. (d)

      the individual or body corporate’s use is not authorised by this Act.

    Civil penalty: 300 penalty units.

Offences

  1. (3)

    An entity commits an offence if:

    1. (a)

      the entity provides access to data; and

    2. (b)

      the provision of access is purportedly under section 13; and

    3. (c)

      the provision of access is not authorised by section 13 and the entity is reckless with respect to that circumstance.

    Penalty: Imprisonment for 5 years or 300 penalty units, or both.

  2. (4)

    An individual or a body corporate commits an offence if:

    1. (a)

      the individual or body corporate uses data; and

    2. (b)

      the use is a provision of access to the data by an entity under, or purportedly under, section 13; and

    3. (c)

      the individual has a designated relationship with the entity, or the body corporate is party to an approved contract with the entity; and

    4. (d)

      the individual or body corporate’s use is not authorised by this Act and the individual or body corporate is reckless with respect to that circumstance.

    Penalty: Imprisonment for 5 years or 300 penalty units, or both.

14A Penalties for unauthorised collection or use

Civil penalty provisions for user or intermediary

  1. (1)

    An entity contravenes this subsection if:

    1. (a)

      the entity collects or uses data; and

    2. (b)

      the data is ADSP‑enhanced data, or output, of a project involving sharing data with the entity under, or purportedly under, section 13; and

    3. (c)

      the collection or use is not authorised by this Act.

    Civil penalty:

    1. (a)

      300 penalty units; or

    2. (b)

      if subsection (2) applies—600 penalty units.

  2. (2)

    This subsection applies if the entity concerned is or has been an accredited entity and the contravention is serious, having regard to any of the following matters:

    1. (a)

      the sensitivity of the data;

    2. (b)

      the consequences of the contravention for entities, groups of entities or things to which the data involved in the contravention relates;

    3. (c)

      the level of care taken by the contravening entity in relation to the entity’s responsibilities under the data sharing scheme in relation to the collection or use.

  3. (3)

    An individual or a body corporate contravenes this subsection if:

    1. (a)

      the individual or body corporate uses data; and

    2. (b)

      the data is ADSP‑enhanced data, or output, of a project involving sharing data with an entity under, or purportedly under, section 13; and

    3. (c)

      the individual has a designated relationship with the entity, or the body corporate is party to an approved contract with the entity; and

    4. (d)

      the individual or body corporate’s use of the data is not authorised by this Act.

    Civil penalty: 300 penalty units.

Offences for user or intermediary

  1. (4)

    An entity commits an offence if:

    1. (a)

      the entity collects or uses data; and

    2. (b)

      the data is ADSP‑enhanced data, or output, of a project involving sharing data with the entity under, or purportedly under, section 13; and

    3. (c)

      the collection or use is not authorised by this Act and the entity is reckless with respect to that circumstance.

    Penalty: Imprisonment for 5 years or 300 penalty units, or both.

  2. (5)

    An individual or a body corporate commits an offence if:

    1. (a)

      the individual or body corporate uses data; and

    2. (b)

      the data is ADSP‑enhanced data, or output, of a project involving sharing data with an entity under, or purportedly under, section 13; and

    3. (c)

      the individual has a designated relationship with the entity, or the body corporate is party to an approved contract with the entity; and

    4. (d)

      the individual or body corporate’s use of the data is not authorised by this Act and the individual or body corporate is reckless with respect to that circumstance.

    Penalty: Imprisonment for 5 years or 300 penalty units, or both.

Defence

  1. (6)

    Subsections (1), (3), (4) and (5) do not apply if the data collected or used is a copy of output, or ADSP‑enhanced data, that has exited the data sharing scheme, or is derived from such a copy.

    Note: A defendant bears an evidential burden in relation to the matter in subsection (6) (see subsection 13.3(3) of the Criminal Code).

Civil penalty provisions for sharer

  1. (7)

    An entity contravenes this subsection if:

    1. (a)

      the entity collects or uses data submitted to the entity under, or purportedly under, section 13A or 13B; and

    2. (b)

      the collection or use is not authorised by this Act.

    Civil penalty: 300 penalty units.

  2. (8)

    An individual or a body corporate contravenes this subsection if:

    1. (a)

      the individual or body corporate uses data; and

    2. (b)

      the data was submitted to an entity under, or purportedly under, section 13A or 13B; and

    3. (c)

      the individual has a designated relationship with the entity, or the body corporate is party to an approved contract with the entity; and

    4. (d)

      the individual or body corporate’s use is not authorised by this Act.

    Civil penalty: 300 penalty units.

Offences for sharer

  1. (9)

    An entity commits an offence if:

    1. (a)

      the entity collects or uses data submitted to the entity under, or purportedly under, section 13A or 13B; and

    2. (b)

      the collection or use is not authorised by this Act and the entity is reckless with respect to that circumstance.

    Penalty: Imprisonment for 5 years or 300 penalty units, or both.

  2. (10)

    An individual or a body corporate commits an offence if:

    1. (a)

      the individual or body corporate uses data; and

    2. (b)

      the data was submitted to an entity under, or purportedly under, section 13A or 13B; and

    3. (c)

      the individual has a designated relationship with the entity, or the body corporate is party to an approved contract with the entity; and

    4. (d)

      the individual or body corporate’s use is not authorised by this Act and the individual or body corporate is reckless with respect to that circumstance.

    Penalty: Imprisonment for 5 years or 300 penalty units, or both.

Relationship of collection and use civil penalty provisions and offences with other laws

  1. (11)

    Subsections (1) to (10) have effect despite any other law of the Commonwealth or a State or Territory, whether enacted before or after the commencement of this Act.

  2. (12)

    To avoid doubt, subsections (1) to (10) have effect regardless of whether a permitted general situation, or a permitted health situation, exists within the meaning of the Privacy Act 1988.

Part 2.3 Data sharing purposes and principles

15 Data sharing purposes

Data sharing purposes

  1. (1)

    The following are data sharing purposes:

    1. (a)

      delivery of government services;

    2. (b)

      informing government policy and programs;

    3. (c)

      research and development.

    Note: Data sharing agreements must specify the agreed data sharing purpose or purposes and agreed incidental purposes (if any), and prohibit collection or use of data for any other purpose, including any precluded purpose.

Delivery of government services

  1. (1A)

    For the purposes of paragraph (1)(a), delivery of government services means the delivery of any of the following services by the Commonwealth or a State or Territory:

    1. (a)

      providing information;

    2. (b)

      providing services, other than services relating to a payment, entitlement or benefit;

    3. (c)

      determining eligibility for a payment, entitlement or benefit;

    4. (d)

      paying a payment, entitlement or benefit.

    Note: Making a decision under legislation about whether an individual is eligible to receive a payment, before any payment is made, is an example of delivery of government services. The purpose of making such a decision is not a precluded purpose.

Precluded purposes

  1. (2)

    The following are precluded purposes:

    1. (a)

      an enforcement related purpose;

    2. (b)

      a purpose that relates to, or prejudices, national security within the meaning of the National Security Information (Criminal and Civil Proceedings) Act 2004;

    3. (c)

      a purpose prescribed by the rules for the purposes of this paragraph.

  2. (3)

    An enforcement related purpose means any of the following purposes:

    1. (a)

      detecting, investigating, prosecuting or punishing:

      1. (i)

        an offence; or

      2. (ii)

        a contravention of a law punishable by a pecuniary penalty;

    2. (b)

      detecting, investigating or addressing acts or practices detrimental to public revenue;

    3. (c)

      detecting, investigating or remedying serious misconduct;

    4. (d)

      conducting surveillance or monitoring, or intelligence‑gathering activities;

    5. (e)

      conducting protective or custodial activities;

    6. (f)

      enforcing a law relating to the confiscation of proceeds of crime;

    7. (g)

      preparing for, or conducting, proceedings before a court or tribunal or implementing a court/tribunal order.

    Note: The purpose of verifying that a government payment previously made to a person was correctly made is an example of an enforcement related purpose. Other examples include the purpose of recovering overpayments, identifying individuals for compliance activity and identifying individuals for the purposes of exercising statutory investigation powers.

  3. (4)

    A purpose is not a precluded purpose within the meaning of paragraph (2)(a) or (b) if the purpose is both:

    1. (a)

      a data sharing purpose; and

    2. (b)

      a purpose that:

      1. (i)

        is with respect to matters that relate only in a general way to a purpose mentioned in paragraph (2)(a) or (b); and

      2. (ii)

        does not involve any person undertaking an activity mentioned in a paragraph of subsection (3).

Preparing data for a later project

  1. (5)

    A project that involves sharing, collecting and using data in order to prepare (including to create) data for sharing under section 13 as part of a later project that will be for one or more of the data sharing purposes is itself taken to be a project for that or those data sharing purposes.

  2. (6)

    Subsection (5) applies regardless of whether the entities sharing, collecting and using the data have a particular later project in mind and whether the data is actually shared under section 13 as part of any later project.

16 Data sharing principles

Project principle

  1. (1)

    The project principle is that the project is an appropriate project or program of work.

  2. (2)

    The project principle includes (but is not limited to) the following elements:

    1. (a)

      the project can reasonably be expected to serve the public interest;

    2. (b)

      the parties observe processes relating to ethics, as appropriate in the circumstances.

People principle

  1. (3)

    The people principle is that data is made available only to appropriate persons.

  2. (4)

    The people principle includes (but is not limited to) the following elements:

    1. (a)

      access to data is only provided to individuals who have attributes, qualifications, affiliations or expertise appropriate for the access;

    2. (b)

      the entity sharing the data considers the following matters in relation to the entity collecting the data (the collector):

      1. (i)

        the collector’s experience with projects involving the sharing of public sector data, under this Act or otherwise;

      2. (ii)

        the collector’s capacity to handle public sector data securely;

      3. (iii)

        any data breaches, or breaches of the law relating to data, by the collector;

      4. (iv)

        any other matters specified in a data code.

Setting principle

  1. (5)

    The setting principle is that data is shared, collected and used in an appropriately controlled environment.

  2. (6)

    The setting principle includes (but is not limited to) the following elements:

    1. (a)

      the means by which the data is shared, collected and used are appropriate, having regard to the type and sensitivity of the data, to control the risks of unauthorised use;

    2. (b)

      reasonable security standards are applied when sharing, collecting and using data.

Data principle

  1. (7)

    The data principle is that appropriate protections are applied to the data.

  2. (8)

    The data principle includes (but is not limited to) the element that only the data reasonably necessary to achieve the applicable data sharing purpose or purposes is shared, collected and used.

Output principle

  1. (9)

    The output principle is that the only output of the project is:

    1. (a)

      the final output; and

    2. (b)

      output the creation of which is reasonably necessary or incidental to creation of the final output.

  2. (10)

    The output principle includes (but is not limited to) the following elements:

    1. (a)

      the data custodian of the data and the accredited user consider:

      1. (i)

        the nature and intended use of the output of the project; and

      2. (ii)

        requirements and procedures for use of the output of the project;

    2. (b)

      the final output contains only the data reasonably necessary to achieve the applicable data sharing purpose or data sharing purposes.

Application of data sharing principles

  1. (11)

    For a data scheme entity to be satisfied that the project is consistent with the data sharing principles, the entity must be satisfied that it has applied each principle to the sharing, collection or use of data in such a way that, when viewed as a whole, the risks associated with the sharing, collection or use are appropriately mitigated.

    Note: Entities must also comply with the rules and any data codes (see section 26) and have regard to the guidelines (see section 27).

Part 2.4 Privacy protections

16A General privacy protections

(1) Data that includes biometric data must not be shared unless the individual to whom the biometric data relates expressly consents to the sharing of the biometric data.

  1. (2)

    If data that includes personal information is shared, the data sharing agreement that covers the sharing must prohibit any accredited entity with or through which it is shared from storing or accessing, or providing access to, the ADSP‑enhanced data, or the output, of the project outside Australia.

  2. (3)

    If data that has been de‑identified is shared, the data sharing agreement that covers the sharing must prohibit the accredited user from taking any action that may have the result that the data ceases to be de‑identified.

16B Purpose‑specific privacy protections

If data sharing purpose is delivery of government services

  1. (1)

    If the data sharing purpose of the project is delivery of government services, the data must not include personal information about an individual unless:

    1. (a)

      one or more of the following apply:

      1. (i)

        the service being delivered is a service mentioned in paragraph 15(1A)(a) or (b) and is delivered to the individual;

      2. (ii)

        the individual consents to the sharing of their personal information;

      3. (iii)

        the sharing would be a disclosure authorised under Part VIA of the Privacy Act 1988 (dealing with personal information in emergencies and disasters); and

    2. (b)

      the service being delivered is identified in the data sharing agreement for the project; and

    3. (c)

      only the minimum amount of personal information necessary to properly deliver the service is shared.

  2. (2)

    If data that includes personal information is to be shared with an accredited user in circumstances in which the shared data exits the data sharing scheme under subsection 20E(4), the data sharing agreement must specify this.

If data sharing purpose is informing government policy and programs or research and development

  1. (3)

    If the data sharing purpose of the project is informing government policy and programs, or research and development, the data must not include personal information about an individual unless:

    1. (a)

      both of the following apply:

      1. (i)

        the individual consents to the sharing of their personal information;

      2. (ii)

        only the minimum amount of personal information necessary for the project to proceed is shared; or

    2. (b)

      all of the following apply:

      1. (i)

        the project cannot proceed without the personal information;

      2. (ii)

        the public interest served by the project justifies the sharing of personal information about individuals without their consent;

      3. (iii)

        only the minimum amount of personal information necessary for the project to proceed is shared;

      4. (iv)

        a permitted circumstance for the project’s data sharing purpose exists (see subsections (4) and (5)).

  2. (4)

    The permitted circumstances for the data sharing purpose of informing government policy and programs are the following:

    1. (a)

      it is unreasonable or impracticable to seek the individual’s consent;

    2. (b)

      the data is to be collected and used in the course of medical research and in accordance with guidelines under subsection 95(1) of the Privacy Act 1988;

    3. (c)

      the sharing is with an ADSP as an intermediary, to enable the ADSP to prepare ADSP‑enhanced data that does not involve personal information about the individual;

    4. (d)

      the sharing is ADSP‑controlled access (see subsection (6));

    5. (e)

      the accredited user is a Commonwealth body (other than a Commonwealth body excluded from this paragraph by the rules) and the final output of the project includes only de‑identified information;

    6. (f)

      the sharing is a disclosure authorised under Part VIA of the Privacy Act 1988 (dealing with personal information in emergencies and disasters).

    Note: It is not unreasonable or impracticable to seek an individual’s consent merely because the consent of a very large number of individuals needs to be sought. The Commissioner is also required to make a data code dealing with this matter.

  3. (5)

    The permitted circumstances for the data sharing purpose of research and development are the circumstances mentioned in paragraphs (4)(a) to (d).

  4. (6)

    Sharing is ADSP‑controlled access if:

    1. (a)

      an ADSP is sharing the data on behalf of the data custodian with an accredited user; and

    2. (b)

      the data is shared by means of the ADSP providing access to the data:

      1. (i)

        by use of systems controlled by the ADSP; and

      2. (ii)

        to particular identified designated individuals for the entity, each of whom has appropriate experience, qualifications or training; and

    3. (c)

      the ADSP has implemented controls to prevent or minimise the risk of the data being used to identify individuals.

  5. (7)

    If the data custodian of the data being shared concludes that, in relation to the sharing of personal information under the agreement for the purpose of informing government policy and programs, or research and development, the circumstance mentioned in paragraph (4)(a) exists (unreasonable or impracticable to seek individual’s consent), the agreement must include:

    1. (a)

      a statement that personal information is being shared without consent of individuals because it is unreasonable or impracticable to seek their consent; and

    2. (b)

      an explanation of the data custodian’s reasons for so concluding.

  6. (8)

    If personal information about an individual is to be shared without the consent of the individual for the data sharing purpose of informing government policy and programs, or research and development, the data sharing agreement must include a statement setting out why sharing the personal information is consistent with this section.

16C Project involving use of de‑identification or secure access data services

  1. (1)

    The requirement in subsection (2) applies if:

    1. (a)

      the data sharing purpose of the project is informing government policy and programs or research and development; and

    2. (b)

      the project involves performing a de‑identification data service (see subsection (3)) or a secure access data service (see subsection (4)).

  2. (2)

    The data sharing agreement that covers the project must require the service to be performed by one of the following:

    1. (a)

      the data custodian of the data, if the data custodian is not an ADSP but is satisfied that it has the appropriate skills and experience to perform the service;

    2. (b)

      the data custodian of the data, if the data custodian is an ADSP able to perform such a service consistently with its conditions of accreditation;

    3. (c)

      an ADSP able to perform such a service consistently with its conditions of accreditation.

  3. (3)

    A de‑identification data service is a service to treat data that includes personal information so that the data is de‑identified, using techniques that restrict the data being used in a way that would have the result that the data ceases to be de‑identified.

  4. (4)

    A secure access data service is:

    1. (a)

      the service of providing ADSP‑controlled access; or

    2. (b)

      any other service that enables an entity to access data under the control of another entity and that includes controls to prevent or minimise the risk of the data being misused.

16D Project involving complex data integration services

  1. (1)

    The requirement in subsection (2) applies if:

    1. (a)

      the data sharing purpose of the project is informing government policy and programs or research and development; and

    2. (b)

      the project involves performing a complex data integration service (see subsection (3)); and

    3. (c)

      a decision that subsection (4) applies to the service has not been made.

  2. (2)

    The data sharing agreement that covers the project must require the service to be performed by one of the following:

    1. (a)

      the data custodian of the data, if the data custodian is an ADSP able to perform such a service consistently with its conditions of accreditation;

    2. (b)

      an ADSP able to perform such a service consistently with its conditions of accreditation.

  3. (3)

    A service to integrate data is a complex data integration service if:

    1. (a)

      2 or more entities control the data being integrated; and

    2. (b)

      the data is at the unit or micro level; and

    3. (c)

      any of the following subparagraphs applies to any of the data to be integrated, or to the integrated data:

      1. (i)

        the data includes personal information;

      2. (ii)

        the data includes commercially sensitive information (including trade secrets) about the business, commercial, or financial affairs of an organisation;

      3. (iii)

        the data includes information that is not publicly available about an industry or sector that forms part of the Australian economy;

      4. (iv)

        the data includes information about one or more persons or things the data custodian of the data considers to be vulnerable or sensitive;

      5. (v)

        the data is to be used for more than one project;

      6. (vi)

        the data meets conditions prescribed by the rules; and

    4. (d)

      the data to be integrated, or the integrated data, has any of the characteristics prescribed by the rules (if any).

  4. (4)

    An individual covered by subsection (5) may decide that this subsection applies to the integration, if the individual is satisfied that, having regard to the following matters in relation to the data custodian’s data and the other data proposed to be integrated, the risk that the integration could cause substantial harm is low:

    1. (a)

      the size of the data sets;

    2. (b)

      whether the data relates to a significant proportion of the population of people or things to which the data relates;

    3. (c)

      the detail of the individual records included in the data;

    4. (d)

      how current the data is and whether it will be updated;

    5. (e)

      the quality of the metadata and documentation for the data sets;

    6. (f)

      whether entities that collected data to be integrated, or on whose behalf data to be integrated was collected, are aware of the proposed use of the data;

    7. (g)

      if the data includes personal information—whether a person qualified to assess the ethics of the proposed use of the data has conducted such an assessment;

    8. (h)

      whether the data custodian of the integrated data will control the technical environment in which the integrated data will be accessed;

    9. (i)

      any other matters prescribed by the rules.

  5. (5)

    An individual is covered by this subsection if the individual is:

    1. (a)

      an authorised officer of a data custodian of data that is to be integrated; or

    2. (b)

      an individual authorised under subsection 137(4) for the data custodian of data that is to be integrated.

  6. (6)

    An individual who makes a decision that subsection (4) applies must make a written record of the decision and the reasons for the decision.

16E Privacy coverage condition

  1. (1)

    For the purposes of sections 13, 13A and 13B, the privacy coverage condition is met, in relation to an entity, if:

    1. (a)

      the entity is an APP entity; or

    2. (b)

      the Privacy Act 1988 applies to the entity, in relation to its collection and use of data as part of the project, as if the entity were an organisation within the meaning of that Act; or

    3. (c)

      the entity is subject to an APP‑equivalence term of the data sharing agreement in relation to its collection and use of data as part of the project; or

    4. (d)

      a law of a State or Territory that provides for all of the following applies in relation to the entity’s collection and use of data as part of the project:

      1. (i)

        protection of personal information comparable to that provided by the Australian Privacy Principles;

      2. (ii)

        monitoring of compliance with the law;

      3. (iii)

        a means for an individual to seek recourse if the individual’s personal information is dealt with in a way contrary to the law.

  2. (2)

    An APP‑equivalence term is a term of a data sharing agreement prohibiting an entity from collecting or using personal information under the agreement in any way that would, if the entity were an organisation within the meaning of the Privacy Act 1988, breach an Australian Privacy Principle.

  3. (3)

    An act or practice engaged in by an entity that is an organisation referred to in paragraphs 7B(2)(a) and (b) of the Privacy Act 1988 is not, despite subsection 7B(2) of that Act, exempt for the purposes of paragraph 7(1)(ee) of that Act if the act or practice is collecting or using personal information as part of a project.

    Note: Paragraphs 7B(2)(a) and (b) of the Privacy Act 1988 refer to an organisation that would be a small business operator if it were not a contracted service provider for a Commonwealth contract (within the meaning of the Privacy Act 1988).

  4. (4)

    Except as provided by subsection (3) and Part 3.3, nothing in this Act affects the operation of the Privacy Act 1988 in relation to a data scheme entity that is an APP entity.

    Note: Part 3.3 (data breach responsibilities) deals with the relationship between this Act and the requirements of Part IIIC of the Privacy Act 1988 (notification of eligible data breaches).

16F Compliance with APP‑equivalence term

  1. (1)

    If an entity is subject to an APP‑equivalence term of a data sharing agreement, an act or practice of the entity that contravenes the term in relation to an individual is taken to be:

    1. (a)

      an interference with the privacy of the individual for the purposes of the Privacy Act 1988; and

    2. (b)

      covered by sections 13, 13G and 13H of that Act.

    Note: An act or practice that is an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

  2. (2)

    The entity is taken, for the purposes of Part V of the Privacy Act 1988 and any other provision of that Act that relates to that Part, to be an organisation (within the meaning of that Act) if:

    1. (a)

      an act or practice of the entity has contravened, or may have contravened, the APP‑equivalence term in relation to an individual; and

    2. (b)

      the act or practice is the subject of a complaint to, or an investigation by, the Information Commissioner under Part V of the Privacy Act 1988.

  3. (3)

    For the purposes of subsection (1), the reference in sections 13G and 13H of the Privacy Act 1988 to an entity includes a reference to any entity that is subject to an APP‑equivalence term.

  4. (4)

    Paragraph 33C(1)(a) of the Privacy Act 1988 applies in relation to an entity that is subject to an APP‑equivalence term of a data sharing agreement as if the entity were an APP entity.

  5. (5)

    Sections 80V and 80W of the Privacy Act 1988 apply in relation to an APP‑equivalence term as if the term were a provision of that Act.

Part 2.5 When sharing is barred

17 When sharing is barred

When sharing is barred

  1. (1)

    For the purposes of paragraph 13(2)(c), sharing data is barred if the sharing is barred by any of the following subsections.

    Note: If a sharing of data is barred, it is not authorised by section 13.

National security and law enforcement etc.

  1. (2)

    Sharing data is barred if:

    1. (a)

      the data is held by, or originated with or was received from, an excluded entity; or

    2. (b)

      the data is operational data that is held by, or originated with or was received from, any of the following:

      1. (i)

        AUSTRAC (within the meaning of the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006);

      2. (ii)

        the Australian Federal Police;

      3. (iii)

        the Department administered by the Minister administering the Australian Border Force Act 2015; or

    3. (c)

      an excluded entity would be a data custodian of the data, if paragraph 11(2)(b) were disregarded.

Contravention or infringement of rights etc.

  1. (3)

    Sharing data is barred if:

    1. (a)

      sharing the data contravenes or infringes:

      1. (i)

        copyright or other intellectual property rights to which the data is subject; or

      2. (ii)

        a contract or agreement to which a data custodian of the data is party; or

      3. (iii)

        a common law duty or privilege; or

      4. (iv)

        a privilege or immunity of a House of the Parliament, a member of a House of the Parliament, or a committee within the meaning of the Parliamentary Privileges Act 1987; or

    2. (b)

      the data is commercial information and sharing it founds an action by a person (other than the Commonwealth or a Commonwealth body) for breach of confidence.

Prescribed by the regulations

  1. (4)

    Sharing data is barred if:

    1. (a)

      any of the following prohibits the data custodian, or any of the individuals to whom the data custodian’s authorisation would extend under section 124, from disclosing the data in the circumstances in which the sharing is done:

      1. (i)

        a provision of a law prescribed by the regulations for the purposes of this subparagraph;

      2. (ii)

        an order, direction, certificate or other instrument made by an officer of the Commonwealth (including a Minister) under a provision of a law prescribed by the regulations for the purposes of this subparagraph; or

    2. (b)

      the data custodian of the data is prescribed by the regulations as an entity that must not share data in the capacity of data custodian; or

    3. (c)

      any other circumstances prescribed by the regulations for the purposes of this paragraph exist.

International matters

  1. (5)

    Sharing data is barred if:

    1. (a)

      sharing the data is inconsistent with:

      1. (i)

        the obligations of Australia under international law, including obligations under any international agreement binding on Australia; or

      2. (ii)

        any law of the Commonwealth giving effect to such an agreement; or

    2. (b)

      unless the foreign government, or agency of the foreign government, has agreed to the sharing—the data was collected from a foreign government, or an agency of a foreign government.

    Note: The Privacy Act 1988 and legislative instruments made under that Act are examples of laws of the Commonwealth giving effect to an international agreement binding on Australia (the International Covenant on Civil and Political Rights done at New York on 16 December 1966 ([1980] ATS 23)).

Evidence and court/tribunal orders

  1. (6)

    Sharing data is barred if:

    1. (a)

      the copy of the data to be shared is being held as evidence before a court; or

    2. (b)

      the copy was obtained by a tribunal, authority or other person using a power to require the answering of questions or the production of documents and is being held as evidence before the tribunal, authority or other person; or

    3. (c)

      the data:

      1. (i)

        is subject to a court/tribunal order that manages, prohibits or restricts publication or other disclosure of the data; or

      2. (ii)

        relates to the existence or content of such a court/tribunal order and a law of the Commonwealth prohibits or restricts disclosure of that existence or content.

Part 2.6 Data sharing agreements

18 Data sharing agreement
  1. (1)

    An agreement is a data sharing agreement if:

    1. (a)

      the agreement relates to the sharing of public sector data; and

    2. (b)

      the parties to the agreement include a data custodian of public sector data and an accredited user; and

    3. (c)

      the agreement is in the approved form (if any) or in writing (if there is no approved form); and

    4. (d)

      any requirements specified in a data code are met in relation to the agreement.

    Note 1: All data sharing agreements must also meet the requirements in section 19. Other provisions also impose requirements in certain circumstances (see for example sections 16B and 16C).

    Note 2: Data scheme entities must also have regard to the guidelines (see section 27) in entering a data sharing agreement.

    Note 3: Copies of data sharing agreements, including variations, must be given to the Commissioner (see section 33) for inclusion on the register of data sharing agreements under section 130. Certain details of the agreements must be made publicly available.

  2. (2)

    A data sharing agreement must not be entered into by an individual on behalf of a data scheme entity unless the individual is an authorised officer of the entity or authorised under subsection 137(4) for the entity.

  3. (3)

    A variation of a data sharing agreement must not be entered into by an individual on behalf of a data scheme entity unless the individual is an authorised officer of the entity or authorised under subsection 137(3) or (4) for the entity.

  4. (4)

    A data sharing agreement has no effect until the agreement is registered.

  5. (5)

    A variation of a data sharing agreement has no effect (and the agreement as in effect before the variation continues in effect) until the variation, or the agreement as varied, is registered.

  6. (6)

    A data sharing agreement may deal with matters not required to be dealt with by this Act, but must not do so in a way that is inconsistent with the data sharing scheme.

19 Requirements to be met by all data sharing agreements

  1. (1A)

    The requirements in this section must be met by all data sharing agreements.

    Note: There are other requirements that, depending on the nature of the project, must be met by some data sharing agreements. See sections 16A and 16B.

  2. (1)

    The parties to the agreement must be identified in the agreement.

  3. (2)

    The agreement must describe the project and specify that this Act applies to the project.

  4. (3)

    The agreement must specify:

    1. (a)

      the public sector data that the data custodian is to share (including any ADSP‑enhanced data an ADSP is to share on behalf of the data custodian) (the source data); and

    2. (b)

      the output of the project that the data custodian and accredited user agree is to be the final output.

  5. (4)

    The agreement must:

    1. (a)

      specify the data custodian of the source data; and

    2. (b)

      if the agreement appoints a Commonwealth body as data custodian of output of the project in accordance with section 20F—specify the output and explain why the appointment has been made.

    Note: If the accredited user is a Commonwealth body, the agreement may appoint the accredited user as the Commonwealth body that is to be data custodian of the output.

  6. (5)

    The agreement must specify the title of any law that the sharing would contravene but for section 23 (authorisation to share overrides other laws).

  7. (6)

    The agreement must:

    1. (a)

      specify:

      1. (i)

        the data sharing purpose, or data sharing purposes, of the project; and

      2. (ii)

        if, under the agreement, the accredited user is to be allowed to use output of the project for any purpose incidental to that purpose or those purposes—any such incidental purpose; and

    2. (b)

      except in relation to any use of the output allowed in accordance with section 20D—prohibit the accredited user from collecting and using output of the project for any of the following:

      1. (i)

        any purpose not specified;

      2. (ii)

        any precluded purpose.

  8. (6A)

    The agreement must prohibit the accredited user from creating output of the project, other than:

    1. (a)

      the final output; and

    2. (b)

      output the creation of which is reasonably necessary or incidental to creation of the final output.

  9. (7)

    The agreement must specify how the project will be consistent with the data sharing principles, including by:

    1. (a)

      describing how the public interest is served by the project; and

    2. (b)

      specifying the actions the party will take to give effect to the principles.

  10. (8)

    If the sharing is being done through an ADSP, the agreement must:

    1. (a)

      specify any data services the ADSP is to perform in relation to public sector data shared with the ADSP by the data custodian; and

    2. (b)

      specify the circumstances in which the ADSP is to share, with the accredited user on behalf of the data custodian, ADSP‑enhanced data of the project; and

    3. (c)

      prohibit the ADSP from providing access to, or releasing, the ADSP‑enhanced data in any other circumstances other than circumstances (if any) specified in the agreement.

  11. (8A)

    For the purposes of paragraph (8)(c), the only other circumstances that may be specified in the agreement are those allowed by section 20A.

  12. (9)

    The agreement must:

    1. (a)

      describe in general terms the use to be made by the accredited user of the output of the project; and

    2. (b)

      prohibit the accredited user from using the output in a way that is inconsistent with the description; and

    3. (c)

      prohibit the accredited user from providing access to, or releasing, the output in any circumstances other than circumstances (if any) specified in the agreement.

  13. (10)

    For the purposes of paragraph (9)(c), the only circumstances that may be specified in the agreement are those allowed by section 20A, 20B, 20C or 20D.

  14. (11)

    The agreement must prohibit the accredited entities that are party to the agreement from doing anything inconsistent with the conditions of accreditation imposed on or applicable to the entity from time to time.

  15. (12)

    If section 37 applies in relation to sharing under the agreement and the agreement does not provide that subsections 37(2) and (3) are not to apply, the agreement must specify that those subsections apply.

  16. (12A)

    If the parties agree to responsibilities in relation to data breaches additional to those under Part 3.3, the agreement must set out those responsibilities.

  17. (13)

    The agreement must specify the circumstances in which it may be varied or terminated and how a variation or termination is to be done.

  18. (14)

    The agreement must specify either or both of the following:

    1. (a)

      its duration;

    2. (b)

      the intervals at which the parties must review it.

  19. (15)

    The agreement must provide for how scheme data covered by the agreement is to be dealt with when the agreement ends.

  20. (16)

    The agreement must meet any other requirements prescribed by a data code for the purposes of this subsection.

  21. (17)

    The agreement must require the data custodian of the source data to give the Commissioner written notice of the cessation of the agreement, as soon as practicable after the agreement ceases to be in effect.

Part 2.7 Allowed access to output of project

20A Allowed access: providing data custodian of source data with access to ADSP‑enhanced data or output

  1. (1)

    The data sharing agreement may allow the ADSP to provide access to specified ADSP‑enhanced data of the project under the agreement to the data custodian of the source data, for the purpose of the data custodian ensuring that the ADSP‑enhanced data is as agreed.

  2. (2)

    The data sharing agreement may allow the accredited user to provide access to specified output of the project under the agreement to the data custodian of the source data, for the purpose of the data custodian ensuring that the output is as agreed.

  3. (3)

    If the ADSP or accredited user provides access to data that is ADSP‑enhanced data or output in accordance with subsection (1) or (2), the ADSP or accredited user submits the data.

  4. (4)

    Providing access to output or ADSP‑enhanced data as allowed by this section is taken to be for the data sharing purpose, or data sharing purposes, of the project.

20B Allowed access: providing access to output for validation or correction

  1. (1)

    The data sharing agreement may allow the accredited user to provide another entity with access to specified output of the project, if the agreement:

    1. (a)

      allows the access to be provided to:

      1. (i)

        an entity that carries on a business, or is a not‑for‑profit entity, to which the output relates, for the purpose of validating or correcting the output; or

      2. (ii)

        an individual to whom the output relates, or a responsible person (within the meaning of the Privacy Act 1988) for such an individual, for the purpose of validating or correcting the output; or

      3. (iii)

        another person in circumstances prescribed by the rules that relate to validating or correcting the output; and

    2. (b)

      requires the data custodian of the source data to be satisfied, before access is provided, that the access will be an authorised use of the output under section 13A.

  2. (2)

    If data exits the data sharing scheme under subsection 20E(2) as a result of the accredited user providing an entity, individual or other person with access to the data as allowed by subsection (1), the accredited user is taken to have collected a copy of the data from the entity, individual or person concerned, at the time the entity, individual or person validates or corrects the data.

  3. (3)

    Providing access to output in accordance with a term of a data sharing agreement allowed by this section is taken to be for the data sharing purpose, or data sharing purposes, of the project.

20C Allowed access: providing access to or releasing output in other circumstances

  1. (1)

    The data sharing agreement may allow the accredited user to provide another entity with access to, or to release, specified output of the project, if the agreement:

    1. (a)

      allows the provision of access, or release, in specified circumstances that do not contravene any other law of the Commonwealth or a law of a State or Territory (disregarding section 23 of this Act); and

    2. (b)

      if the output includes personal information about an individual—prohibits provision of access or release unless the individual consents; and

    3. (c)

      requires the data custodian of the source data to be satisfied, before the access is provided or the release occurs, that the access or release will be an authorised use of the output under section 13A.

  2. (2)

    Providing access to output in accordance with a term of a data sharing agreement allowed by this section is taken to be for the data sharing purpose, or data sharing purposes, of the project.

20D Allowed access: sharing under section 13

The data sharing agreement may allow the accredited user to share output of the project under section 13, if:

  1. (a)

    the accredited user is appointed as the data custodian of the output in accordance with subsection 20F(2); and

  2. (b)

    the agreement requires the data custodian of the source data to be satisfied, before the sharing occurs, that the sharing will be an authorised use of the output under section 13A.

20E Exit of ADSP‑enhanced data or output of project

Overview of this section

  1. (1)

    If the user or intermediary in a project uses output, or ADSP‑enhanced data, of the project in ways other than those authorised by this Act, it is a defence to an offence under section 14A if the copy being used has exited the data sharing scheme under this section (see subsection 14A(6)).

Exit on provision of authorised or required access

  1. (2)

    If a person obtains a copy of output of the project as a result of the user providing the person with access to the output, the copy exits the data sharing scheme at the time it is collected by the person, as long as the user’s provision of access is:

    1. (a)

      a use of the output authorised by section 13A or 135 or required by a direction under section 112; and

    2. (b)

      not a submission of the output; and

    3. (c)

      not a sharing of data under section 13 allowed as mentioned in section 20D.

    Note: See the definition of submit in subsection 20A(3).

  2. (3)

    If a person obtains a copy of ADSP‑enhanced data of the project as a result of the intermediary providing the person with access to the ADSP‑enhanced data, the copy exits the data sharing scheme at the time it is collected by the person, as long as the intermediary’s provision of access is:

    1. (a)

      required by a direction under section 112; or

    2. (b)

      authorised by section 135.

Exit on collection etc. if sharing is for purpose of delivery of government services

  1. (4)

    A copy of output of the project held by the user exits the data sharing scheme at the time applicable under subsection (5) if:

    1. (a)

      the data is personal information about an individual; and

    2. (b)

      the data sharing purpose of the project is delivery of government services; and

    3. (c)

      before the data was shared with the accredited user, the individual expressly consented to their personal information:

      1. (i)

        being shared by the data custodian with the accredited user; and

      2. (ii)

        being used by the accredited user without the requirements of this Act applying to the use.

  2. (5)

    For the purposes of subsection (4), the applicable time is:

    1. (a)

      the time the user collected the copy of the shared data; or

    2. (b)

      if the individual’s consent as mentioned in paragraph (4)(c) specified a later time—that later time.

  3. (6)

    The user is taken to collect a copy of data that exits the data sharing scheme under subsection (4) from the individual concerned, at the time the data exits.

Exit for accredited user that is appointed data custodian of output

  1. (7)

    The user in a project is taken to hold a copy of output of the project that has exited the data sharing scheme, from the time specified for exit of the output in the data sharing agreement that covers the project, if:

    1. (a)

      the agreement appoints the user as data custodian of the output under subsection 20F(2); and

    2. (b)

      subparagraph 20F(2)(c)(i) does not apply; and

    3. (c)

      the conditions in subsection 20F(3) for exit of the output are met.

20F Data custodian of output of project
  1. (1)

    An entity appointed as the data custodian of output of a project in accordance with subsection (2) or (5) becomes the data custodian of the output:

    1. (a)

      if subparagraph (2)(c)(i) applies—at the time the output is created; or

    2. (b)

      if subparagraph (2)(c)(ii) applies—at the time the output exits the data sharing scheme under subsection 20E(7); or

    3. (c)

      if subsection (5) applies—at the time the entity is provided with access to the output in accordance with section 13A.

  2. (2)

    A data sharing agreement that covers a project may appoint the user in the project as the data custodian of specified output of the project, if:

    1. (a)

      the user is a Commonwealth body; and

    2. (b)

      the output is public sector data and not a copy of the shared data collected by the user; and

    3. (c)

      either:

      1. (i)

        the agreement allows the user to provide access to the data in circumstances allowed by section 20C or 20D; or

      2. (ii)

        if subparagraph (i) does not apply—the conditions in subsection (3) for exit of the output are met.

  3. (3)

    The conditions for exit of the output are that:

    1. (a)

      provision of access to, or release of, the output by the user would not contravene any other law of the Commonwealth or a law of a State or Territory (disregarding section 23 of this Act); and

    2. (b)

      if the output includes personal information about an individual—the individual has expressly consented to their personal information being used by the user without the requirements of this Act applying to the use; and

    3. (c)

      the agreement requires the data custodian of the source data to be satisfied that all requirements in the agreement relating to exit of the output are met before the time specified in the agreement for the exit.

  4. (4)

    Unless appointed as mentioned in subsection (2), the user in the project is not the data custodian of output of the project. This subsection has effect despite subparagraph 11(2)(c)(i).

  5. (5)

    A data sharing agreement that covers a project may appoint an entity that is party to the agreement, other than in the capacity of user, as the data custodian of specified output of the project, if:

    1. (a)

      the entity is a Commonwealth body; and

    2. (b)

      the entity is not an excluded entity; and

    3. (c)

      the output is public sector data and not a copy of the shared data collected by the user; and

    4. (d)

      the agreement allows the user to provide the entity with access to the output in circumstances allowed by section 20C.

Part 2.8 Relationship with other laws

22 Other authorisations for data custodians not limited

The authorisation in section 13 for a data custodian to share particular data does not limit any other law of the Commonwealth or a State or Territory that authorises the data custodian to share or disclose the data.

23 Authorisations override other laws

  1. (1)

    The authorisations in sections 13, 13A, 13B and 13C have effect despite anything in another law of the Commonwealth, or a law of a State or Territory.

    Note: These authorisations extend to individuals (see section 124).

  2. (2)

    Subsection (1) applies in relation to a law enacted before or after the commencement of this Act.

Chapter 3 Responsibilities of data scheme entities

Part 3.1 Introduction

24 Simplified outline of this Chapter

The responsibilities imposed on data scheme entities are mainly set out in this Chapter, although some important responsibilities are set out elsewhere (see especially sections 14 and 14A in Chapter 2).

Civil penalties apply in some cases if responsibilities in this Chapter are not met. In any case, the responsibilities may be enforced by use of the Commissioner’s other regulatory powers under Part 5.5.

Part 3.2 General responsibilities

25 No duty to share but reasons required for not sharing
  1. (1)

    This Act does not require, or authorise any person to require, a data custodian to share public sector data.

  2. (2)

    However, a data custodian of public sector data must, within a reasonable period, consider a request for it to share the data, if the request is made:

    1. (a)

      by an accredited user; and

    2. (b)

      in the approved form (if any) or in writing (if there is no approved form).

  3. (3)

    The data custodian may refuse the request for any reason (including that the request is unreasonable), but must give the accredited user written notice of the reasons no later than 28 days after the day the decision to refuse is made.

26 Comply with rules and data codes

A data scheme entity must comply with:

  1. (a)

    the rules; and

  2. (b)

    data codes.

27 Have regard to guidelines

Data scheme entities must have regard to the guidelines when engaging in conduct for the purposes of this Act.

30 Comply with conditions of accreditation

An accredited entity must comply with the conditions of the entity’s accreditation.

Civil penalty: 300 penalty units.

31 Report events and changes in circumstances affecting accreditation to Commissioner
  1. (1)

    An accredited entity must give the Commissioner written notice, in the approved form (if any) of any event, or change in circumstance, relevant to either of the following:

    1. (a)

      the exercise of the Commissioner’s regulatory functions or the Minister’s functions as the accreditation authority for the entity;

    2. (b)

      the entity’s accreditation or conditions of accreditation.

    Civil penalty: 300 penalty units.

  2. (2)

    Subsection (1) does not apply in relation to an event or change in circumstances prescribed by the rules for the purposes of this subsection.

32 Not provide false or misleading information
  1. (1)

    A data scheme entity must not, in giving information or a document in compliance or purported compliance with this Act, the rules or a data code, give the Minister or Commissioner:

    1. (a)

      information or a document that is false or misleading; or

    2. (b)

      information that omits any matter or thing without which the information is false or misleading.

    Note: A data scheme entity that contravenes this subsection might also commit an offence under Division 136 or 137 of the Criminal Code.

      1. (i)

        whether it is necessary to share personal information to properly deliver a government service; or

      2. (ii)

        the circumstances, or categories of circumstances, where the public interest to be served by a project justifies the sharing of personal information without consent.

  1. (3)

    A data code that is inconsistent with the regulations or rules has no effect to the extent of the inconsistency, but a data code is taken to be consistent with the regulations and rules to the extent that the data code is capable of operating concurrently with them.

127 Guidelines
  1. (1)

    The Commissioner may, by legislative instrument, make written guidelines in relation to matters for which the Commissioner has functions under this Act.

    Note: Data scheme entities must have regard to the guidelines when engaging in conduct for the purposes of this Act (see section 27).

  2. (2)

    The guidelines may include principles and processes relating to:

    1. (a)

      any aspect of the data sharing scheme; and

    2. (b)

      any matters incidental to the data sharing scheme, including:

      1. (i)

        data release; and

      2. (ii)

        data management and curation; and

      3. (iii)

        technical matters and standards; and

      4. (iv)

        emerging technologies.

  3. (3)

    Guidelines that are inconsistent with the regulations, rules or data codes have no effect to the extent of the inconsistency, but guidelines are taken to be consistent with those instruments to the extent that the guidelines are capable of operating concurrently with them.

128 Register of ADSPs

  1. (1)

    The Commissioner must maintain a register of ADSPs. The register must include a publicly accessible part and may include a part that is not publicly accessible.

  2. (2)

    Subject to subsection (4), the Commissioner must include in the part of the register that is publicly accessible the following details for each ADSP:

    1. (a)

      the name of the ADSP;

    2. (b)

      contact details for the ADSP;

    3. (c)

      conditions of the ADSP’s accreditation;

    4. (d)

      at any time while the ADSP’s accreditation is suspended—the duration of the suspension (which may be indefinite);

    5. (e)

      any other details prescribed by the rules to be included in the publicly accessible part of the register.

  3. (3)

    The rules may prescribe circumstances in which details mentioned in paragraph (2)(a), (b) or (c) must not be included in the publicly accessible part of the register.

  4. (4)

    The Commissioner must include in the part of the register that is not publicly accessible any details:

    1. (a)

      prescribed for the purposes of subsection (3); or

    2. (b)

      prescribed by the rules to be included in the part of the register that is not publicly accessible.

  5. (5)

    The register may be maintained in any form the Commissioner considers appropriate.

  6. (6)

    The register is not a legislative instrument.

129 Register of accredited users

  1. (1)

    The Commissioner must maintain a register of accredited users. The register must include a publicly accessible part and may include a part that is not publicly accessible.

  2. (2)

    Subject to subsection (4), the Commissioner must include in the part of the register that is publicly accessible the following details for each accredited user:

    1. (a)

      the name of the accredited user;

    2. (b)

      contact details for the accredited user;

    3. (c)

      conditions of the accredited user’s accreditation;

    4. (d)

      at any time while the accredited user’s accreditation is suspended—the duration of the suspension (which may be indefinite);

    5. (e)

      any other details prescribed by the rules to be included in the publicly accessible part of the register.

  3. (3)

    The rules may prescribe circumstances in which details mentioned in paragraph (2)(a), (b) or (c) must not be included in the publicly accessible part of the register.

  4. (4)

    The Commissioner must include in the part of the register that is not publicly accessible any details:

    1. (a)

      prescribed for the purposes of subsection (3); or

    2. (b)

      prescribed by the rules to be included in the part of the register that is not publicly accessible.

  5. (5)

    The register may be maintained in any form the Commissioner considers appropriate.

  6. (6)

    The register is not a legislative instrument.

130 Register of data sharing agreements

  1. (1)

    The Commissioner must maintain a register of data sharing agreements. The register must include a publicly accessible part and a part that is not publicly accessible.

(2) Subject to subsection (4), the Commissioner must include in the part of the register that is publicly accessible the following details in relation to each registered data sharing agreement:

  1. (a)

    the entities that are parties and the capacity in which each entity is a party;

  2. (b)

    the date the parties entered into the agreement;

  3. (c)

    the date the Commissioner registered the agreement;

  4. (d)

    a description of the project the agreement covers;

  5. (e)

    the data sharing purpose of the project;

  6. (f)

    a description of the data to be shared;

  7. (g)

    whether personal information is to be shared;

  8. (h)

    if personal information is to be shared—a statement in the approved form (if any) relating to the privacy obligations applicable to the accredited user in relation to its use of output of the project and the person or body to whom individuals may complain about use inconsistent with those obligations;

  9. (i)

    if subsection 16B(7) applies in relation to the agreement—a copy of the statement and explanation required by that subsection;

  10. (j)

    if subsection 16B(8) applies in relation to the agreement—a copy of the statement required by that subsection;

  11. (k)

    if, but for section 23, sharing, collecting or using data under the agreement would contravene another law—the title of the other law;

  12. (l)

    a statement of how the project will serve the public interest;

  13. (m)

    a description of the final output of the project;

  14. (n)

    if output of the project may exit the data sharing scheme under section 20E—the circumstances in which the exit may occur;

  15. (o)

    if the agreement has an expiry date—the expiry date;

  16. (p)

    whether the agreement is in effect or has expired or been terminated;

  17. (q)

    if any details are affected by a variation of the agreement—the details as varied and the date the variation was registered;

  18. (r)

    any other details prescribed by the rules to be included in the publicly accessible part of the register.

  1. (3)

    The rules may prescribe circumstances in which details mentioned in subsection (2) must not be included in the publicly accessible part of the register.

  2. (4)

    The Commissioner must include in the part of the register that is not publicly accessible:

    1. (a)

      copies of data sharing agreements and variations given to the Commissioner under section 33; and

    2. (b)

      any details prescribed for the purposes of subsection (3); and

    3. (c)

      any details prescribed by the rules to be included in the part of the register that is not publicly accessible.

  3. (5)

    The register may be maintained in any form the Commissioner considers appropriate.

  4. (6)

    The register is not a legislative instrument.

131 Recognition of external dispute resolution schemes
  1. (1)

    The Commissioner may, by written notice, recognise an external dispute resolution scheme for:

    1. (a)

      a data scheme entity or a class of data scheme entities; or

    2. (b)

      a specified purpose.

  2. (2)

    In considering whether to recognise an external dispute resolution scheme, the Commissioner:

    1. (a)

      must take the following aspects of the scheme into account:

      1. (i)

        accessibility;

      2. (ii)

        independence;

      3. (iii)

        fairness;

      4. (iv)

        accountability;

      5. (v)

        efficiency;

      6. (vi)

        effectiveness; and

    2. (b)

      may take into account any other matter the Commissioner considers relevant.

  3. (3)

    The Commissioner may:

    1. (a)

      specify a period for which the recognition of an external dispute resolution scheme is in force; and

    2. (b)

      make the recognition of an external dispute resolution scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the scheme; and

    3. (c)

      vary or revoke:

      1. (i)

        the recognition of an external dispute resolution scheme; or

      2. (ii)

        the period for which the recognition is in force; or

      3. (iii)

        a condition to which the recognition is subject.

  4. (4)

    A notice under subsection (1) is not a legislative instrument.

132 Approved forms

The Commissioner may, by writing, approve a form for the purposes of a provision of the data sharing scheme.

133 Rules
  1. (1)

    The Minister may, by legislative instrument, make rules prescribing matters:

    1. (a)

      required or permitted by this Act to be prescribed by the rules; or

    2. (b)

      necessary or convenient to be prescribed for carrying out or giving effect to this Act.

  2. (2)

    To avoid doubt, the rules may not do the following:

    1. (a)

      create an offence or civil penalty;

    2. (b)

      provide powers of:

      1. (i)

        arrest or detention; or

      2. (ii)

        entry, search or seizure;

    3. (c)

      impose a tax;

    4. (d)

      set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

    5. (e)

      directly amend the text of this Act.

  3. (3)

    Rules that are inconsistent with the regulations have no effect to the extent of the inconsistency, but rules are taken to be consistent with the regulations to the extent that the rules are capable of operating concurrently with the regulations.

134 Regulations

The Governor‑General may make regulations prescribing matters:

  1. (a)

    required or permitted by this Act to be prescribed by the regulations; or

  2. (b)

    necessary or convenient to be prescribed for carrying out or giving effect to this Act.

Part 6.5 Other matters

135 Disclosure of scheme data in relation to information‑gathering powers

A data scheme entity is authorised to disclose scheme data held by the entity:

  1. (a)

    to the Auditor‑General, if the disclosure is required under the Auditor‑General Act 1997; or

  2. (b)

    to the Commonwealth Ombudsman, if the disclosure is requested or required under the Ombudsman Act 1976; or

  3. (c)

    to the Information Commissioner, if the disclosure is required under the Freedom of Information Act 1982 or the Privacy Act 1988; or

  4. (d)

    to a court or tribunal of the Commonwealth or a State or Territory, or a Royal Commission (within the meaning of the Royal Commissions Act 1902), that orders or directs the disclosure.

Note 1: Except as authorised by this section, data scheme entities must not provide access to scheme data unless authorised to do so by Chapter 2 or by a direction under section 112.

Note 2: Section 23 (authorisations override other laws) applies only in relation to provision of access to data authorised by Chapter 2.

135A Data held by National Archives of Australia

Before the open access period

  1. (1)

    Where public sector data is transferred by its data custodian to the National Archives of Australia before the start of the open access period (within the meaning of the Archives Act 1983) in relation to the data, then, for the purposes of this Act and until the start of the open access period in relation to the data:

    1. (a)

      the data custodian continues to be the data custodian of the data; and

    2. (b)

      the National Archives of Australia is not a data custodian of the data.

  2. (2)

    Subsection (1) has effect despite anything in the definition of data custodian in subsection 11(2).

Records in the open access period

  1. (3)

    An authorisation in Chapter 2 does not apply in relation to sharing, collecting or using a record in the open access period, unless the sharing, collection or use is part of a project covered by a data sharing agreement registered before the start of the open access period.

    Note: Records that are in the open access period may be accessed under the Archives Act 1983.

136 Geographical jurisdiction of civil penalty provisions and offences

Geographical jurisdiction of offences and civil penalty provisions

  1. (1)

    A person does not contravene a civil penalty provision of this Act, or commit an offence against this Act, unless at least one of the following paragraphs applies in relation to the conduct constituting the alleged contravention or offence:

    1. (a)

      the conduct, or a result of the conduct, occurs wholly or partly in Australia, or on board an Australian aircraft or Australian ship;

    2. (b)

      for conduct alleged to constitute an ancillary contravention—the conduct, or a result of the conduct, that would constitute the primary contravention to which the ancillary contravention relates would have occurred wholly or partly in a place covered by paragraph (a);

    3. (c)

      for conduct alleged to constitute an ancillary offence—the conduct, or a result of the conduct, that would constitute the primary offence to which the ancillary offence relates was intended by the person to occur wholly or partly in a place covered by paragraph (a);

    4. (d)

      the conduct occurs wholly outside Australia and the person engaging in the conduct is an Australian entity, an Australian citizen or a permanent resident of Australia.

Defence for primary contravention or primary offence

  1. (2)

    Despite subsection (1), a person does not contravene a civil penalty provision of this Act, or commit an offence against this Act, if:

    1. (a)

      the alleged contravention or offence is a primary contravention or primary offence; and

    2. (b)

      the conduct constituting the alleged contravention or offence occurs wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

    3. (c)

      the person is not an Australian entity, an Australian citizen or a permanent resident of Australia; and

    4. (d)

      there is not in force, in the foreign country or the part of the foreign country where the conduct constituting the alleged contravention or offence occurred, a law creating a pecuniary or criminal penalty for conduct corresponding to the conduct constituting the alleged contravention or offence.

Defence for ancillary contravention or ancillary offence

  1. (3)

    Despite subsection (1), a person does not contravene a civil penalty provision of this Act, or commit an offence against this Act, if:

    1. (a)

      the alleged contravention or offence is an ancillary contravention or ancillary offence; and

    2. (b)

      for conduct constituting an alleged contravention—the conduct constituting the primary contravention to which the alleged contravention relates, or a result of that conduct, occurs, or would have occurred, wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

    3. (c)

      for conduct constituting an alleged offence—the conduct constituting the primary offence to which the alleged offence relates, or a result of that conduct, occurs, or was intended by the person to occur, wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

    4. (d)

      the person is not an Australian entity, an Australian citizen or a permanent resident of Australia; and

    5. (e)

      there is not in force, in the foreign country or the part of the foreign country where the conduct constituting the alleged contravention or offence occurred, a law creating a pecuniary or criminal penalty for conduct corresponding to the conduct constituting the primary contravention or primary offence to which the alleged contravention or offence relates.

  2. (4)

    A person who is alleged to have contravened a civil penalty provision of this Act and who wishes to rely on subsection (2) or (3) bears an evidential burden (within the meaning of the Criminal Code) in relation to the matters set out in the subsection.

  3. (5)

    For the purposes of the application of subsection 13.3(3) of the Criminal Code to an offence against this Act, subsections (2) and (3) of this section are taken to be exceptions provided by the law creating the offence.

    Note: This means that a defendant bears an evidential burden in relation to the matters in subsections (2) and (3).

Other matters

  1. (6)

    Division 14 of the Criminal Code (standard geographical jurisdiction) does not apply in relation to an offence against this Act (this section applies instead).

  2. (7)

    A reference in this section to a result of conduct is a reference to a result that is an element of the civil penalty provision or offence.

  3. (8)

    For the purposes of this section and without limitation, if a person sends, or causes to be sent, an electronic communication or other thing:

    1. (a)

      from a point outside Australia to a point in Australia; or

    2. (b)

      from a point in Australia to a point outside Australia;

that conduct is taken to have occurred partly in Australia.

  1. (9)

    A point includes a mobile or potentially mobile point, whether on land, underground, in the atmosphere, underwater, at sea or anywhere else.

137 Authorised officers and individuals authorised to do particular things
  1. (1)

    An individual is an authorised officer of an entity if the individual is specified in paragraph (a) of the column headed “Individuals” in an item in the following table, or authorised under subsection (2), in relation to the entity.

    Note: An individual may also be authorised under subsection (3) or (4) to do particular things. These individuals are authorised to do those things but are not authorised officers.

Authorised officers and individuals authorised to do particular things

| Item | Kind of entity | Individuals |
|---|---|---|
| 1 | Any of the following: (a) a Department; (b) an Executive Agency within the meaning of the Public Service Act 1999; (c) a Statutory Agency within the meaning of the Public Service Act 1999 | The following: (a) the Agency Head within the meaning of the Public Service Act 1999; (b) an SES employee, or an acting SES employee, in the entity authorised by the Agency Head under subsection (2), (3) or (4); (c) an SES employee, or an acting SES employee, in another Department, Executive Agency or Statutory Agency authorised by the Agency Head under subsection (4) |
| 2 | Any of the following: (a) a corporate Commonwealth entity within the meaning of the Public Governance, Performance and Accountability Act 2013; (b) a Commonwealth company within the meaning of the Public Governance, Performance and Accountability Act 2013 | The following: (a) the chief executive officer (however described) of the entity; (b) an individual authorised by the chief executive officer under subsection (2) or (3) |
| 3 | A person who is a prescribed authority within the meaning of paragraph (c) or (d) of the definition of prescribed authority in subsection 4(1) of the Freedom of Information Act 1982 and not covered by item 1 or 2 | The following: (a) the person; (b) a person authorised by that person under subsection (2) or (3) |
| 4 | A State body or a Territory body that is the holder of a statutory office | The following: (a) the holder of the statutory office; (b) a person authorised by the holder of the statutory office under subsection (2) or (3) |
| 5 | A State body or a Territory body other than the holder of a statutory office | The following: (a) the chief executive officer (however described) of the body; (b) a person authorised by the chief executive officer under subsection (2) or (3) |
| 6 | A body corporate not covered by any other item | The following: (a) the chief executive officer (however described) of the entity and any director of the entity; (b) an employee of the entity authorised by the chief executive officer under subsection (2) or (3) |
| 7 | A body politic not covered by any other item | The following: (a) the chief Minister (however described); (b) a person authorised by the chief Minister under subsection (2) or (3) |

Note: The expressions SES employee and acting SES employee are defined in the Acts Interpretation Act 1901.

  1. (2)

    If an item of the table in subsection (1) refers to an individual (the authoriser) authorising another individual under this subsection, the authoriser may, by written instrument, authorise the other individual to be an authorised officer for the purposes of the data sharing scheme.

    Note: An individual authorised under this subsection is an authorised officer (see subsection (1)).

  2. (3)

    If an item of the table in subsection (1) refers to an individual (the authoriser) authorising another individual under this subsection, the authoriser may, by written instrument, authorise the other individual to enter into variations to data sharing agreements for the entity.

  3. (4)

    If an item of the table in subsection (1) refers to an individual (the authoriser) authorising another individual under this subsection, the authoriser may, by written instrument, authorise the other individual to do all of the following for the entity:

    1. (a)

      enter into data sharing agreements;

    2. (b)

      enter into variations to data sharing agreements;

    3. (c)

      make decisions that subsection 16D(4) applies to a proposed integration of data and make the required records under subsection 16D(6).

137A Delegation by Minister
  1. (1)

    The Minister may, in writing, delegate any or all of the Minister’s powers under Part 5.2 to the Commissioner.

    Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

  2. (2)

    In exercising a delegated power, the Commissioner must comply with any written directions of the Minister.

138 Annual report
  1. (1)

    After the end of each financial year, the Commissioner must prepare and give a report to the Minister, for presentation to the Parliament, on the Commissioner’s activities during the financial year.

  2. (2)

    The report must include the following in relation to the financial year:

    1. (a)

      information about legislative instruments and guidelines made by the Commissioner under this Act;

    2. (b)

      information about activities undertaken for the purposes of the regulatory functions set out in section 45;

    3. (c)

      a description of any efforts made by the Commissioner to assist data scheme entities to comply with the requirements of the data sharing scheme;

    4. (d)

      a statement of the following:

      1. (i)

        the number of requests received by data custodians of public sector data from accredited users for sharing of data under this Act and information about the reasons for requests being agreed to or refused;

      2. (ia)

        the number of such requests refused by data custodians where reasons for the refusal were not given within the time required by subsection 25(3);

      3. (ii)

        the number of data sharing agreements made;

      4. (iii)

        the number of entities accredited;

      5. (iv)

        the number of accredited entities as at the end of the financial year;

      6. (v)

        the number of complaints received by the Commissioner under Division 1 of Part 5.3 (scheme complaints);

      7. (vi)

        the number of complaints received by the Commissioner under Division 2 of Part 5.3 (general complaints);

      8. (vii)

        the number of complaints received by data custodians relating to the data sharing scheme or a data custodian’s conduct in relation to the data sharing scheme;

    5. (e)

      information about the activities of the National Data Advisory Council;

    6. (f)

      information about the number of APS employees made available to the Commissioner as mentioned in section 47;

    7. (g)

      a report on financial matters, including a discussion and analysis of the financial resources available to the Commissioner in the financial year and how they were used.

    Note: The Commissioner may require data scheme entities to give information and assistance for the purposes of preparing the report (see section 34).

  3. (3)

    The report may include any other information relating to the operation of the data sharing scheme that the Commissioner considers appropriate.

  4. (4)

    The report must be given to the Minister by the 15th day of the fourth month after the end of the financial year, or by the end of any further period granted under subsection 34C(5) of the Acts Interpretation Act 1901.

139 Charging of fees by Commissioner
  1. (1)

    The rules may prescribe fees to be charged by the Commissioner for services provided by or on behalf of the Commissioner, or for or on behalf of the Minister in the Minister’s capacity as an accreditation authority for an entity, in performing or exercising functions or powers under this Act, the rules or the data codes.

  2. (2)

    Without limiting subsection (1), the rules may provide for the amount of a fee to be the cost incurred by the Commonwealth in arranging and paying for another person to perform functions or exercise powers.

  3. (3)

    A fee prescribed by the rules is payable to the Commonwealth.

  4. (4)

    The rules may make provision for:

    1. (a)

      when and how fees are payable;

    2. (b)

      any other matters in relation to fees including exemptions, refunds and remissions.

  5. (5)

    If a fee is payable for a service, the service need not be provided while the fee remains unpaid. The rules may provide for the extension of any times for providing services accordingly.

140 Charging of fees by data scheme entities
  1. (1)

    A data custodian of public sector data may charge fees to an accredited entity for services performed by or on behalf of the data custodian in dealing with a request by the accredited entity for data to be shared under this Act.

  2. (2)

    A data custodian that charges fees must do so in a way that is not inconsistent with the policies of the Australian Government.

  3. (3)

    Nothing in this section has the effect of preventing an accredited entity (including a Commonwealth body) from charging fees in relation to services it performs in relation to the data sharing scheme.

141 Commonwealth not liable to pay a fee
  1. (1)

    The Commonwealth is not liable to pay a fee that is payable under this Act. However, it is the Parliament’s intention that the Commonwealth should be notionally liable to pay such a fee.

  2. (2)

    The Finance Minister may give such written directions as are necessary or convenient for carrying out or giving effect to subsection (1) and, in particular, may give directions in relation to the transfer of money within an account, or between accounts, operated by the Commonwealth.

  3. (3)

    Directions under subsection (2) have effect, and must be complied with, despite any other Commonwealth law.

  4. (4)

    In subsections (1) and (2), Commonwealth includes a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) that cannot be made liable to taxation by a Commonwealth law.

142 Periodic reviews of operation of Act
  1. (1)

    The Minister must cause periodic reviews of the operation of this Act to be undertaken.

  2. (2)

    A review must start by, and be completed within 12 months (or a longer period agreed by the Minister) of:

    1. (a)

      the third anniversary of the commencement of this section; and

    2. (b)

      the day that is 3 months after the commencement of any amendments of the Privacy Act 1988 that:

      1. (i)

        are made in response to the review of that Act announced by the Attorney‑General on 12 December 2019; and

      2. (ii)

        in the Minister’s opinion, are likely to have a material impact on the data sharing scheme.

  3. (3)

    If subsection (2) would have the effect that a review must start before another review is completed:

    1. (a)

      the reviews may be combined; and

    2. (b)

      the combined review must be completed within 12 months (or a longer period agreed by the Minister) of the day the latest of the reviews was required to start.

  4. (4)

    The Minister must cause a written report about each review to be prepared. A review is taken to be completed when the Minister is given the report about the review.

  5. (5)

    The Minister must cause a copy of the report about each review to be laid before each House of the Parliament within 15 sitting days of that House after the Minister receives the report.

143 Sunset of the data sharing scheme
  1. (1)

    Subject to this section, this Act ceases to have effect at the end of the day (the sunset day) that is the fifth anniversary of the commencement of this section.

    Note: Section 7 of the Acts Interpretation Act 1901 (effect of repeal or amendment of Act) applies in relation to this section.

  2. (2)

    Despite subsection (1), regulations may be made under section 134 for the purposes of subsection (3) of this section at any time during the period starting 12 months before the sunset day and ending immediately before the first anniversary of the sunset day.

  3. (3)

    The regulations may, for the purposes of ensuring that scheme data is appropriately dealt with, prescribe matters of a transitional nature relating to this Act ceasing to have effect under subsection (1), including:

    1. (a)

      prescribing any saving or application provisions; and

    2. (b)

      the matters set out in subsections (4) to (7).

  4. (4)

    The regulations may provide that certain provisions of this Act continue to apply, or to apply in a modified way, after the sunset day, for the purposes set out in the regulations. Those provisions continue to apply, or continue to apply in the modified way, as set out in the regulations.

    Note: For example, the regulations may continue in existence the Commissioner and the Council.

  5. (5)

    The regulations may empower the Commissioner to give a data scheme entity, or an entity that was a data scheme entity before the sunset day, a written direction requiring the entity to take, or not to take, specified actions in order to ensure that scheme data is appropriately dealt with in connection with this Act ceasing to have effect.

  6. (6)

    The regulations may create offences or civil penalties for failure to comply with a direction mentioned in subsection (5).

  7. (7)

    The regulations may prescribe:

    1. (a)

      penalties, not exceeding 50 penalty units for individuals and entities other than bodies corporate or 250 penalty units for bodies corporate, for offences against the regulations; and

    2. (b)

      civil penalties, not exceeding 300 penalty units for individuals and entities other than bodies corporate or 1,500 penalty units for bodies corporate, for contraventions of the regulations.

  8. (8)

    Regulations made for the purposes of subsection (3) of this section must not have the effect of allowing data to be shared under section 13 (authorisation for data custodian to share public sector data) after the sunset day.

  9. (9)

    All legislative instruments made under this Act (including regulations made for the purposes of subsection (3) of this section) are repealed on the first anniversary of the sunset day.

Endnotes

Endnote 1—About the endnotes

The endnotes provide information about this compilation and the compiled law.

The following endnotes are included in every compilation:

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history

Abbreviation key—Endnote 2

The abbreviation key sets out abbreviations that may be used in the endnotes.

Legislation history and amendment history—Endnotes 3 and 4

Amending laws are annotated in the legislation history and amendment history.

The legislation history in endnote 3 provides information about each law that has amended (or will amend) the compiled law. The information includes commencement details for amending laws and details of any application, saving or transitional provisions that are not included in this compilation.

The amendment history in endnote 4 provides information about amendments at the provision (generally section or equivalent) level. It also includes information about any provision of the compiled law that has been repealed in accordance with a provision of the law.

Editorial changes

The Legislation Act 2003 authorises First Parliamentary Counsel to make editorial and presentational changes to a compiled law in preparing a compilation of the law for registration. The changes must not change the effect of the law. Editorial changes take effect from the compilation registration date.

If the compilation includes editorial changes, the endnotes include a brief outline of the changes in general terms. Full details of any changes can be obtained from the Office of Parliamentary Counsel.

Misdescribed amendments

A misdescribed amendment is an amendment that does not accurately describe how an amendment is to be made. If, despite the misdescription, the amendment can be given effect as intended, then the misdescribed amendment can be incorporated through an editorial change made under section 15V of the Legislation Act 2003.

If a misdescribed amendment cannot be given effect as intended, the amendment is not incorporated and “(md not incorp)” is added to the amendment history.

Endnote 2—Abbreviation key

ad = added or inserted

am = amended

amdt = amendment

c = clause(s)

C[x] = Compilation No. x

Ch = Chapter(s)

def = definition(s)

Dict = Dictionary

disallowed = disallowed by Parliament

Div = Division(s)

ed = editorial change

exp = expires/expired or ceases/ceased to have effect

F = Federal Register of Legislation

gaz = gazette

LA = Legislation Act 2003

LIA = Legislative Instruments Act 2003

(md) = misdescribed amendment can be given effect

(md not incorp) = misdescribed amendment cannot be given effect

mod = modified/modification

No. = Number(s)

o = order(s)

Ord = Ordinance

orig = original

par = paragraph(s)/subparagraph(s)/sub‑subparagraph(s)

pres = present

prev = previous

(prev…) = previously

Pt = Part(s)

r = regulation(s)/rule(s)

reloc = relocated

renum = renumbered

rep = repealed

rs = repealed and substituted

s = section(s)/subsection(s)

Sch = Schedule(s)

Sdiv = Subdivision(s)

SLI = Select Legislative Instrument

SR = Statutory Rules

Sub‑Ch = Sub‑Chapter(s)

SubPt = Subpart(s)

underlining = whole or part not commenced or to be commenced

Endnote 3—Legislation history

| Act | Number and year | Assent | Commencement | Application, saving and transitional provisions |
|---|---|---|---|---|
| Data Availability and Transparency Act 2022 | 11, 2022 | 31 Mar 2022 | 1 Apr 2022 (s 2(1) item 1) | |
| National Anti‑Corruption Commission (Consequential and Transitional Provisions) Act 2022 | 89, 2022 | 12 Dec 2022 | Sch 1 (items 108–111): 1 July 2023 (s 2(1) item 2) | |
| Statute Law Amendment (Prescribed Forms and Other Updates) Act 2023 | 74, 2023 | 20 Sept 2023 | Sch 4 (items 25–28): 18 Oct 2023 (s 2(1) item 3) | Sch 4 (item 26) |
| Administrative Review Tribunal (Consequential and Transitional Provisions No. 1) Act 2024 | 38, 2024 | 31 May 2024 | Sch 10 (item 1): 14 Oct 2024 (s 2(1) item 2) | |
| Privacy and Other Legislation Amendment Act 2024 | 128, 2024 | 10 Dec 2024 | Sch 1 (items 45, 46): 11 Dec 2024 (s 2(1) item 3) | |

Endnote 4—Amendment history

| Provision affected | How affected |
|---|---|
| Chapter 1 | |
| Part 1.2 | |
| s 9 | ed C1 |
| s 11 | am No 89, 2022 |
| Chapter 2 | |
| Part 2.2 | |
| s 14 | am No 74, 2023 |
| Part 2.4 | |
| s 16F | am No 128, 2024 |
| Chapter 3 | |
| Part 3.2 | |
| s 34 | am No 74, 2023 |
| Chapter 5 | |
| Part 5.5 | |
| s 108 | am No 89, 2022 |
| Chapter 6 | |
| Part 6.1 | |
| s 117 | am No 38, 2024 |
| Part 6.2 | |
| s 118 | am No 38, 2024 |
| s 122 | am No 74, 2023; No 38, 2024 |
