Policy Significance Statement
Australian governments are keen to make wider use of public sector data, and to share this data between government agencies. To this end, both the Commonwealth government and several state governments have passed legislation to encourage or mandate that public sector agencies share the public sector data they hold. However, these datasets may also contain personal and sensitive information. Releasing this data without considering the privacy and security of this information may severely impact the social licence to use the data. Accordingly, this paper offers some recommendations on reducing inconsistencies between data sharing laws in Australia to help support the social licence for data sharing.
1. Introduction and literature review
There have been two significant trends over the past two decades in Australia with respect to the law on how governments and public sector agencies manage data. The first is a push by Australian government agencies to make greater use of public sector data, which is part of a broader trend encouraged by the Office of Economic Cooperation and Development (OECD, 2011). “Public sector data,” which is sometimes referred to as public sector information, includes administrative data collected by government agencies and other public sector entities such as universities and research institutions (OECD, 2010; Productivity Commission, 2017). The primary goal of making data more available is improved service delivery and coordination between agencies (Kitchin, 2014; Productivity Commission, 2017). However, both Australian government agencies and statutory entities such as the Productivity Commission have also sought to encourage both the public release of open data as well as sharing of data for research purposes (Burton et al., 2012; Productivity Commission, 2017).
The second is an increased public appetite for control over how governments use personal and sensitive information (Riley et al., 2024). In part, this increased awareness has been driven by the failure of existing data privacy laws to deter high-profile data breaches (Biddle et al., 2022). These data breaches most notably include failures by private sector organisations to maintain data security, such as the Optus and Medibank data breaches in 2022 which undermined public trust. These data breaches also include the public disclosure of personal information from supposedly de-identified health and public transport data that were released as open data (Culnane et al., 2017; Culnane et al., 2019; Canaway et al., 2019). There have also been several scandals where government data has been used to enact harsh, ineffective, and illegal decision-making, such as the Robodebt programme (Allars, 2023; Moses and Weatherall, 2023). These controversies have damaged public trust in how both public and private organisations handle personal information and have culminated in proposals to strengthen the protections guaranteed by Australian federal and state privacy legislation (Attorney-General’s Department, 2023).
Care must be taken to strike an appropriate balance between making greater use of government data (and thus serving a broader public good) and respect for the preservation of the privacy and security of individuals if the social licence for public sector data sharing is to be maintained. “Social licence” broadly refers to whether public or private sector practices are considered socially legitimate outside existing legal norms (Carter et al., 2015; Edwards et al., 2021; Brand and Langford, 2022). This term is most used in the context of the benefits and risks of extractive industries. However, it is becoming more frequently used with respect to data-intensive applications in the private and public sectors. Adams, Allen, and Flack highlight the contractual aspects of the term social licence and therefore note that it may require the exchange of benefits between a community and an enterprise (Adams et al., 2022). On the one hand, whilst administrative datasets have the potential to help with policy or research, they are often incomplete. This incompleteness can either be due to data entry errors, data siloing by a service, duplication of data between services, or a person not interacting with a service (Scheibner et al., 2023). Alternatively, it can be due to a lack of clarity about appropriate data storage and use which, in turn, leads to poor collection and storage practices (Harron et al., 2017). One way of overcoming these gaps is to enable the sharing or linking of datasets which would serve to provide a more comprehensive dataset for research or policymaking (Boyd et al., 2012).
On the other hand, the public might not have a choice but to engage with a government service to receive support or might not be able to opt out of other administrative services. Relevant examples of such services in Australia include the Medicare Benefits Scheme, the Pharmaceutical Benefits Scheme, or state-run electronic medical record systems. If there is a collapse or failure to build social licence to use public sector data, it may undermine trust in these key services (Stephenson et al., 2022).
With a view to resolving this conflict, several jurisdictions in Australia have enacted or are seeking to enact legislation that enables public sector data sharing (Richards and Scheibner, 2022). However, these laws are only part of the regulatory landscape that governs public sector data sharing in Australia. They must be considered alongside relevant guidelines and policies that determine when government information or data can be shared in certain contexts in order to create a complete picture of the regulation governing data sharing. Regulation can be broadly defined as rules that are designed to impact the behaviour of different types of actors (Black, 2001, 2002; Moses, 2013). In the context of data sharing, these actors include government agencies, researchers, and even private sector organisations (Ng et al., 2020; de Oliveira et al., 2021; Lopez et al., 2023; Chen et al., 2024). This principles-based approach to regulation has also been applied to the design of privacy regulations at the federal, state, and territory levels in Australia (Burdon and Mackie, 2020). However, these privacy regulations are drafted in a similar but not entirely identical way between jurisdictions, causing confusion for researchers and data custodians that want to share data (Adams et al., 2025). Likewise, a lack of consistency between data sharing regulations could create a regulatory disconnect (Moses, 2013). This regulatory disconnect would both confuse researchers and other data users whilst undermining the social licence for data sharing.
It is against this background that we examine laws, regulations, guidelines, and policies governing the sharing of government-held health and social welfare data in Australia. We focus on the five jurisdictions in Australia that have enacted legislation permitting the sharing of public sector data, including health and social welfare data. We also identify the associated guidelines or policies used to help interpret these laws, along with other related laws such as privacy and health information laws. We note that there are significant differences between the laws passed or being contemplated in the jurisdictions under consideration. These differences include the entities these laws apply to, what types of data can be shared, and the entities that can receive data. There are also differences in how other legislation, such as privacy and freedom of information laws, impacts these data sharing laws. The data sharing legislation in each jurisdiction conceptualises public sector data as a public resource which can be used to better public policy and outcomes. However, this goal may conflict with the objectives of privacy laws. In addition, the inconsistencies identified between Australian jurisdictions may undermine cross-jurisdictional data sharing projects. We therefore conclude this paper by making recommendations on organisational and technical strategies to overcome these regulatory inconsistencies. Accordingly, this interdisciplinary paper’s findings are of relevance to data scientists and other researchers seeking to understand the scope of data sharing regulation in Australia. In addition, this paper’s observations are relevant to regulatory reform in other jurisdictions to help promote data sharing in a manner consistent with social licence.
2. Methods
In this paper, we used a mixed methods approach relying on a comparative legal and policy review combined with identifying grey and peer-reviewed literature (Scheibner et al., 2023). We started with the data sharing laws in the five Australian jurisdictions under consideration. These jurisdictions included the Commonwealth, New South Wales, South Australia, Victoria, and Western Australia. All these laws are currently in force except in Western Australia, where the Parliament of Western Australia has only recently introduced a bill which will provide both public sector privacy protection and information sharing guidelines. However, this Act will not come into force until 2026 (“Privacy and Responsible Information Sharing Act 2024 and Record Keeping Obligations”, 2025). Due to three of the authors of this paper being in South Australia, we sought to compare the South Australian legislative framework with other jurisdictions. Further, the published literature has focused on the Commonwealth Data Availability and Transparency Act or legislation in individual states. However, there is less focus on comparing how data sharing laws in different Australian jurisdictions operate (Marshall, 2021; Krebs and Moses, 2024). Therefore, our findings may be helpful in identifying strategies for other states and territories of Australia to implement data sharing laws. Our findings and observations can also be translated to other jurisdictions outside Australia. For example, both the European Union and the United Kingdom have supplemented their data protection legislation with data sharing legislation that is designed to encourage greater use of public sector data (Data Act, 2023; Data (Use and Access) Act, 2025). As both jurisdictions are federated, they may encounter similar problems with regulatory inconsistency to Australia.
We then gathered any regulation, policies, or guidelines that referenced these laws using grey literature search methods in the context of health and social welfare data sharing. Once we had identified all relevant regulation, policies, or guidelines, we then developed criteria to compare these regimes. These criteria were developed using a comparison with existing statutory reviews of data sharing legislation (Marshall, 2021). First, we considered how public sector data was defined under each regime. Second, we considered which entities had an obligation to share public sector data. Third, we considered the entities which could receive public sector data. Fourth, we compared on what grounds public sector data can (and cannot) be shared, as well as the types of public sector data that can be shared. This approach to comparative reviews of the literature has also been used to compare privacy laws between different jurisdictions (Koops et al., 2016; Scheibner et al., 2021). We also conducted an extensive but non-exhaustive literature review of any published articles that referenced any of these laws using Google Scholar.
3. Results
Table 1 contains a breakdown of the legislation, regulation, policies, and guidelines referencing or impacting data sharing laws in each jurisdiction.
Table 1. A breakdown of the relevant legislation and regulatory documents across the four jurisdictions under consideration

3.1. What are the existing rules governing public sector health and social welfare data sharing?
Outside of data sharing legislation, several different laws apply to data held by government sector agencies depending on how that data is stored and what it relates to (Moses, 2020). Freedom of information and state records legislation applies to information in records, public records, or documents held by state and federal government agencies (Archives Act, 1983, section 3(1); Freedom of Information Act 1982a, section 4; Freedom of Information Act 1982b, section 5; Freedom of Information Act, 1991, section 4; Freedom of Information Act, 1992, section 9; Government Information (Public Access) Act, 2009, section 4(1); Public Records Act, 1973, section 2(1); State Records Act, 1997, section 3(1); State Records Act, 1998, section 3(1); State Records Act, 2000, section 3). There are differences in how each freedom of information framework defines applicable documents or records. In South Australia, an agency will be taken to hold a document when it has a right of access to the document, including documents stored on a computer (Freedom of Information Act, 1991, section 4(4)-(5)).
Likewise, state and federal privacy laws (except in South Australia, which relies on administrative privacy guidelines) apply to personal information held by government agencies (Privacy Act, 1988, section 6(1); Privacy and Data Protection Act, 2014, section 3(1), 4; Privacy and Personal Information Protection Act, 1998, section 3(1), 4; Privacy and Responsible Information Sharing Bill, 2024, section 4). There are also provisions in specific health information and healthcare laws which govern how health information is used by both public sector and private agencies (Health Care Act, 2008, section 93; Health Records Act, 2001, sections 3, 5, 10–11; Health Records and Information Privacy Act, 2002, sections 4–6, 9, 11). These privacy laws are based on the notice and consent model, which prioritises an individual’s choice on consenting to the collection, use, and disclosure of their personal information. However, Adams, Allen, and Flack argue that this focus on individual consent simplifies other factors, including the need for healthcare and the requirement to engage with government services (Adams and Flack, 2022).
Further, Australian privacy laws and guidelines provide several exceptions for government agencies to collect, use, or disclose personal information without seeking consent from individuals. For example, under the South Australian administrative privacy guidelines, personal information can be used and disclosed (that is, shared) without consent if necessary to protect public revenue (Government of South Australia, 2020). An equivalent exception can also be found in the Privacy and Data Protection Act in Victoria (Privacy and Data Protection Act, 2014, schedule 1, clause 2.1(g)(iii)). Although the Victorian Information Commissioner’s guidelines note that agencies do not need to comply with these requests, the guidelines do not define “public revenue” (Wright et al., 2019). This conceptual uncertainty arguably provides government agencies with significant scope to share personal information.
Likewise, under privacy, health information and healthcare laws, personal and health information can be used or shared without consent for research in the public interest. Before any sharing can occur, a human research ethics review body must decide whether the waiver of consent should be granted in the circumstances. Specifically, an ethics review body must be satisfied that there is a low risk to participants, and the benefit of the research outweighs any risk of harm (National Health and Medical Research Council, 2023, paragraph 2.3.10(a)–(b)). In addition, it must be impracticable to obtain consent, and there must be no reason to think that the individuals whose data is being used or disclosed would not have consented (National Health and Medical Research Council, 2023, paragraph 2.3.10(c)–(d)). The National Statement notes that it may be impracticable to obtain consent due to quantity, age, or accessibility of records (National Health and Medical Research Council, 2023, paragraph 2.3.10(c)). Further, there must be a plan to protect the privacy and confidentiality of participants, and the transfer cannot be prohibited by state or federal law (National Health and Medical Research Council, 2023, paragraph 2.3.10(e)–(f)).
The National Statement provides that these requirements must be satisfied by an ethics review body (National Health and Medical Research Council, 2023, paragraph 2.3.10). Further, although the assessment of these requirements is usually conducted by a human research ethics committee, this requirement is not mandatory under all privacy guidelines for all types of research. The National Statement provides that only a human research ethics committee can approve a waiver for medical research or for research using personal health information (National Health and Medical Research Council, 2023, paragraph 2.3.9). By contrast, the Victorian Information Commissioner’s guidelines note that an ethics committee may help assess whether research is in the public interest (Wright et al., 2019). Outside of these requirements, there is relatively limited oversight with respect to how ethics committees operate (Eckstein et al., 2023). Nevertheless, in Australia ethics review bodies play an important regulatory role in determining when personal information can be used and disclosed for research purposes.
Finally, privacy and health information laws permit disclosure where mandated by another law (Privacy Act, 1988, schedule 1, clause 6.2(b); Privacy and Data Protection Act, 2014, schedule 1, clause 2.1(f); Privacy and Personal Information Protection Act, 1998, section 19(2)(h); Privacy and Responsible Information Sharing Bill, 2024, schedule 1, clause 2.1(f)). Therefore, when examining how federal and state data sharing laws operate, it is important to note that other legislation provides a broad scope for sharing data (Jowett et al., 2020; Scheibner et al., 2023).
3.2. What is public sector data?
Each act defines “government sector data,” “public sector data,” or “government information” as data either “held by” or under the “control” of a public sector agency (Data Availability and Transparency Act, 2022, section 9; Data Sharing (Government Sector) Act, 2015, section 4(1); Public Sector (Data Sharing) Act 2016, section 3(1); Victorian Data Sharing Act, 2017, section 3(1); Privacy and Responsible Information Sharing Bill, 2024, section 157). The Data Sharing (Government Sector) Act and the Victorian Data Sharing Act define “control” as when an agency possesses or has custody of the data (Data Sharing (Government Sector) Act, 2015, section 4(2); Victorian Data Sharing Act, 2017, section 3(2)). Despite this relative consistency in terminology, new technologies such as cloud computing can represent a challenge, particularly when considering the scope of public sector and administrative data (Moses, 2020). Data includes any facts, statistics, instructions, concepts, or other information that is capable of being processed, and can include personal, sensitive, or health information. Whether public sector data includes personal information is a key factor affecting which entities are permitted to share or access that data, as well as how it may be used.
3.3. What entities can share and receive public sector data?
3.3.1. Commonwealth
Currently, the Data Availability and Transparency Act only allows Commonwealth, state, or territory government agencies and Australian universities to become “accredited users” (Data Availability and Transparency Act, 2022, section 74(1)). This status allows these organisations to share and receive public sector data. Private sector and foreign organisations are excluded from the scope of this scheme (Witzleb, 2023). The Data Availability and Transparency Act does not mandate that Commonwealth agencies (or “data custodians”) share data with requesting “accredited users”. However, data custodians need to provide reasons for refusing to share data within a reasonable time frame (Data Availability and Transparency Act, 2022, section 25).
3.3.2. New South Wales
The Data Sharing (Government Sector) Act authorises government sector agencies to share government sector data with one another (Data Sharing (Government Sector) Act, 2015, section 6(1)). These agencies are defined in the act as including New South Wales government departments, local councils, and state-owned corporations (Data Sharing (Government Sector) Act, 2015, section 4(1)). Agencies can also share data with the Data Analytics Centre (DAC), which is a government agency responsible for data analytics (Data Sharing (Government Sector) Act, 2015, section 6(1)). In the alternative, the Minister responsible for the Data Sharing (Government Sector) Act may direct an agency, other than a university, to share data it holds with the DAC. This request can only be made once the Premier has advised the Minister that the request for data is necessary (Data Sharing (Government Sector) Act, 2015, section 7).
3.3.3. Victoria
The Victorian Data Sharing Act similarly creates the statutory office of the Chief Data Officer (CDO), which can perform data analytics work (Victorian Data Sharing Act, 2017, section 7(1)). The CDO can request data from a data sharing body. These data sharing bodies include public service bodies, public entities, and any other bodies specified within the regulations (Victorian Data Sharing Act, 2017, section 3(1)). When it receives a request from the CDO, a data sharing body must either provide the data or give written notice that it will not share the data (Victorian Data Sharing Act, 2017, section 9). However, the Victorian Public Sector Data Sharing Policy imposes a “responsibility to share” on government agencies to share data where there is a clear public benefit (“Victorian Public Sector Data Sharing Policy”, 2024).
3.3.4. South Australia
The Public Sector (Data Sharing) Act and its associated regulations authorise data sharing between public sector agencies as both “data recipients” and “data providers” (Public Sector (Data Sharing) Act 2016, section 8(1)). The Minister responsible can also direct one agency to share data with another agency, although this direction must be published in the South Australian Government Gazette (Public Sector (Data Sharing) Act 2016, section 9). Further, the Public Sector (Data Sharing) Regulations in South Australia permit data sharing with non-government entities that have been contracted to provide government services (Public Sector (Data Sharing) Regulations, 2017, regulation 8A). The Minister can also enter into data sharing agreements with relevant entities. These relevant entities include Commonwealth agencies, state and territory government agencies, and any other persons or bodies prescribed by regulation (Public Sector (Data Sharing) Act 2016, section 13). These provisions allow for public sector data to be shared with a significantly broader class of recipients than under Commonwealth, New South Wales, and Victorian data sharing legislation. However, under the Act, the Minister must record the relevant entities which have received public sector data (Public Sector (Data Sharing) Act 2016, section 17(2)(e)). The public reports from 2021 to 2022 indicate that only one organisation outside the South Australian government currently has been authorised to receive public sector data (“Data Sharing Agreement Register”, 2024).
3.3.5. Western Australia
The Privacy and Responsible Information Sharing Bill permits both public entities and external entities to make data sharing requests (Privacy and Responsible Information Sharing Bill, 2024, section 160). A “public entity” is defined as any Western Australian government agency, body, or holder of an office (Privacy and Responsible Information Sharing Bill, 2024, section 6). Similar to the South Australian Public Sector (Data Sharing) Act, the definition of “external entity” is broader than just other public sector entities. Specifically, this definition includes service providers, Aboriginal community-controlled organisations, social service providers, universities, and health research organisations (Privacy and Responsible Information Sharing Bill, 2024, section 156(2)).
Both public and external entities can make information sharing requests as requesting entities from other public entities, which are deemed holding entities (Privacy and Responsible Information Sharing Bill, 2024, section 160(1)–(3)). This information sharing request must be made as a written request to the principal officer of the holding entity. It must also specify the information that is being requested, what purpose it is being requested for, and how it will be used (Privacy and Responsible Information Sharing Bill, 2024, section 160(4)). A holding entity must respond to an information sharing request within 45 days but can refuse an information sharing request (Privacy and Responsible Information Sharing Bill, 2024, sections 161–162). However, if a holding entity refuses an information sharing request, the Minister responsible for that holding entity can direct it to enter an information sharing request for a permitted purpose (Privacy and Responsible Information Sharing Bill, 2024, section 163).
3.4. When can public sector data be shared?
All five jurisdictions permit government or public sector data to be shared for either policymaking or informing government policy, as well as the delivery of government services (Data Availability and Transparency Act, 2022, section 15(1)(a)–(b); Data Sharing (Government Sector) Act, 2015, section 3(a); Public Sector (Data Sharing) Act 2016, section 4(a); Victorian Data Sharing Act, 2017, section 5). Aside from these purposes, the Data Availability and Transparency Act is the only act which explicitly permits data sharing for research purposes (Data Availability and Transparency Act, 2022, section 15(1)(c)). In addition, the Privacy and Responsible Information Sharing Act permits data to be shared for research purposes with public benefit (Privacy and Responsible Information Sharing Bill, 2024, section 160(2)). Under the Data Availability and Transparency Act, data cannot be shared for law enforcement-related or national security purposes (Data Availability and Transparency Act, 2022, section 15(2)).
If data is held by multiple custodians, each custodian must approve sharing. Each data custodian and the accredited user must have a data sharing agreement which covers the purposes for which this data may be used. This agreement must align with the Data Sharing Principles, which are a statutory expression of the Five Safes framework. This framework assesses the risk of data sharing according to five measures: safe projects, people, settings, data, and outputs (Desai et al., 2016; Green and Ritchie, 2023). When these principles are applied to a particular project, some might receive more relative importance than others. For example, if a government agency wishes to make a dataset open data, the safe people and settings principles are deprioritised, given the deliberate absence of control over the data. However, this lack of control then brings the safe data principle to the fore, placing a positive obligation on the agency to ensure that the dataset contains only aggregate-level data.
3.4.1. Commonwealth
Data custodians and accredited users also need to comply with the Data Availability and Transparency Code. The Code, along with the Act, makes some explicit recommendations on how to comply with the Five Safes framework. In assessing the safe project principle, an entity must determine whether an ethics approval process is mandatory, and if it is, seek that approval (Data Availability and Transparency Code, 2022, section 7(1)). In assessing the safe people principle, entities must consider whether individuals who can access the data have any conflicts of interest (Data Availability and Transparency Code, 2022, section 10). People who can access data according to a data sharing agreement should also have appropriate qualifications and expertise (Data Availability and Transparency Code, 2022, sections 11–12). With respect to the safe settings principle, entities should impose reasonable security standards, including limiting data access to an appropriately controlled environment (Data Availability and Transparency Act, 2022, section 16(6); Data Availability and Transparency Code, 2022, section 13). In assessing the safe data principle, entities may consider whether to treat the data so as to contribute to the proportionate management of the risks associated with sharing the data. This treatment could include deleting, modifying, or combining variables, categories, or unit records (Data Availability and Transparency Code, 2022, section 14). Finally, in assessing the safe outputs principle, the data custodian or accredited user should consider how outputs are to be used and whether access could be controlled (Data Availability and Transparency Code, 2022, section 15(2)–(3)).
3.4.2. New South Wales
Under the Data Sharing (Government Sector) Act, if data is shared for policymaking, the data provider and the DAC must comply with appropriate data sharing safeguards (Data Sharing (Government Sector) Act, 2015, section 6(2)). These data sharing safeguards include a requirement for the data provider and data recipient to ensure that the data is managed in accordance with any applicable laws, regulations, or guidelines. For example, information held under Schedule 1 or 2 of the Government Information (Public Access) Act cannot be shared (Data Sharing (Government Sector) Act, 2015, section 5(2)(b)). The Data Sharing (Government Sector) Act also provides that personal or health information should only be shared in compliance with New South Wales privacy legislation, and that privacy safeguards should be maintained for sharing (Data Sharing (Government Sector) Act, 2015, section 12).
The Data Analytics Centre has published advice to the effect that the Data Sharing (Government Sector) Act does not allow personal or health information to be disclosed for a secondary purpose unless consent is sought for that purpose (“Responding to Data Access Requests”, 2024). Further, the Information Privacy Commissioner’s guidelines state that personal and health information should only be disclosed in accordance with New South Wales privacy and health information law. This disclosure could occur with the consent of the individuals to whom the information relates or if there is an exception, such as approval from an ethics committee (Gavel, 2020). However, as of the time of writing no safeguards have been issued by the New South Wales government via regulations. The need for data sharing regulations was listed as one of the key recommendations from the statutory review of the Data Sharing (Government Sector) Act in 2021 (Marshall, 2021).
3.4.3. Victoria
The scope of the Victorian Data Sharing Act is constrained even more narrowly and permits data to be shared only for policymaking, service planning, or design (Victorian Data Sharing Act, 2017, section 5). Like the Data Sharing (Government Sector) Act, the Victorian Data Sharing Act does not change the obligations of an agency under Victorian privacy or health information laws (Victorian Data Sharing Act, 2017, section 26). Therefore, if a Victorian government agency discloses public sector data containing personal or health information for research, it must comply with the Personal Data Protection Act or Health Records Act. Further, the Victorian Data Sharing Act limits when public sector datasets that contain personal or health information may be used or disclosed. Specifically, data sharing bodies or the CDO can disclose personal or health information (defined as “identifiable data”) for “data integration” or combining datasets (Victorian Data Sharing Act, 2017, section 17). Then, either the CDO or a “data analytics body” (a secretary of a government department) may use this data for data integration once the data has been de-identified (Victorian Data Sharing Act, 2017, section 18(1)). Any data released in the results of data analytics work must also be de-identified (Victorian Data Sharing Act, 2017, section 19). The CDO or the data analytics body must consider what de-identification techniques were applied to the data and the environment in which the data is analysed (Victorian Data Sharing Act, 2017, section 18(2)).
The CDO has also published guidelines on the use of de-identification techniques that must be employed by the CDO or data analytics bodies. Rather than referring to the Five Safes framework, these guidelines focus on de-identification in the context of data collection, data integration and analytics, and data release (Hebden, 2018, 6–7). The CDO’s guidelines state that separate teams should be responsible for data integration and data analytics (Hebden, 2018, 7). These guidelines also provide a list of technologies which can be used to alter data so that individuals are no longer reasonably identifiable. These include both conventional de-identification techniques, such as masking, perturbation, and aggregation, and advanced privacy-enhancing technologies, such as synthetic data, differential privacy, and encrypted computation (Hebden, 2018, 9).
3.4.4. South Australia
The Public Sector (Data Sharing) Act does not explicitly prohibit data sharing for research purposes. However, the SA Government Data Sharing Agreement templates contain space for agencies to record whether other approvals are required, including ethics approval (“Data sharing agreement forms”, 2024). In addition to policymaking, programme management, and data analytics, public sector data can be shared for purposes prescribed in the Public Sector (Data Sharing) Regulations (Public Sector (Data Sharing) Act 2016, section 8(1)). The Public Sector (Data Sharing) Regulations state that these purposes can include emergency management or law enforcement (Public Sector (Data Sharing) Regulations, 2017, regulation 7(1)(a)–(b)). However, South Australian Health guidelines note that prescribed health information can only be shared for any purpose with approval from the South Australian Health Minister (SA Health, 2023). The term “prescribed health information” refers to several categories of information under different health statutes in South Australia (Public Sector (Data Sharing) Regulations, 2017, regulation 6(1)–(2)). Specifically, it includes information collected for quality improvement and root cause analysis, as well as information collected during the provision of healthcare (Health Care Act, 2008, sections 63, 73; Health Practitioner Regulation National Law (South Australia) Act, 2010, section 216). It also includes information about assisted reproductive treatment and organ donors, information collected on South Australian public health matters, and pregnancy outcome data (Assisted Reproductive Treatment Act, 1988, section 18; Health Care Regulations, 2008, regulation 26; Public Health Act, 2011, sections 99, 100; Transplantation and Anatomy Act, 1983, section 39). However, other forms of non-personal information collected during the provision of health services may fall outside of the scope of this definition. This conceptual uncertainty reflects the broader uncertainty regarding the absence of a state privacy act in South Australia.
Further, before a data provider shares data, or the Minister authorises the sharing of data, they must consider the trusted access principles (Public Sector (Data Sharing) Act 2016, section 6(5), 8(2)(b)). Like the Data Availability and Transparency Act, these principles are a legislative encoding of the Five Safes framework. However, there are some notable differences in how these principles are described under the Public Sector (Data Sharing) Act compared to the Data Availability and Transparency Act. For example, the safe projects principle in the Public Sector (Data Sharing) Act requires the data provider or Minister to consider whether there is any countervailing public interest against sharing the data (Public Sector (Data Sharing) Act 2016, section 7(2)(d)). The data provider or Minister should also consider whether there is any potential risk of harm, loss, or detriment to the community if the sharing does not occur (Public Sector (Data Sharing) Act 2016, section 7(2)(e)). Likewise, the safe projects principle in the Public Sector (Data Sharing) Act provides that, by default, any personal information contained in the data shared must be de-identified (Public Sector (Data Sharing) Act 2016, section 7(4)). However, a person to whom the information relates can consent to the sharing of their personal information (Public Sector (Data Sharing) Act 2016, section 7(4)(i)). The data provider can also share the data for a purpose reasonably related to the original purpose for which it was collected if there is no reason to think that the person would object to sharing it. In addition, the data provider can share the data if it would be impossible to achieve the purpose of sharing with de-identified information and it would be impractical to seek consent from the affected person. This test is almost identical to the statutory tests under New South Wales and Victorian privacy and health information legislation. Therefore, the similarity in language shows that there is some congruence between legislation in different states. However, as the discussion shows, there are also some key points of difference which may undermine data sharing.
3.4.5. Western Australia
Under the Privacy and Responsible Information Sharing Bill, government information can be shared subject to an information sharing agreement for research and development that has a clear public benefit (Privacy and Responsible Information Sharing Bill, 2024, section 159(2)(c)). Government information can also be shared for making or implementing government policy, informing the design or delivery of government programmes and services, or informing emergency management (Privacy and Responsible Information Sharing Bill, 2024, section 159(2)). However, information cannot be shared for law enforcement or legal compliance purposes, for national security reasons, or for commercial gain (Privacy and Responsible Information Sharing Bill, 2024, section 159(3)). Similar to South Australian legislation, this Act includes provisions that exempt certain types of information from being shared. These categories of information regard abortion procedures, artificial fertilisation, adoption, or sensitive Aboriginal family history (Privacy and Responsible Information Sharing Bill, 2024, section 158(1)(a)(xii), 158(1)(b)(j), 158(1)(b)(o)).
Any sharing of government information must be performed subject to an information sharing agreement. This information sharing agreement must identify the public entity providing government information (the provider) and the public or external entity receiving that information (the recipient). The agreement should also specify the information being handled, the purposes for which it may be used, the activity to be carried out, and any derived information generated (Privacy and Responsible Information Sharing Bill, 2024, section 170). Derived information is defined as any new information generated from the use or interpretation of existing government information (Privacy and Responsible Information Sharing Bill, 2024, section 170(d)(iv)). This provision would extend data sharing obligations on a recipient to any datasets generated through data linkage. To this end, the bill explicitly permits the sharing of data for data analytics, data integration, and data linkage (Privacy and Responsible Information Sharing Bill, 2024, section 174).
Any sharing of government information must comply with the Responsible Information Sharing principles. Like the Public Sector (Data Sharing) Act, these principles are a statutory enactment of the Five Safes framework (Privacy and Responsible Information Sharing Bill, 2024, section 175(1), Schedule 2). However, Principle 1, Activities, which is equivalent to the Safe Projects Principle, requires the provider and recipient of information to also consider any risks to individuals from the disclosure. Principle 1 also requires the provider and recipient to explicitly consider whether the activity will impact Aboriginal people. Likewise, Principle 3, Information, requires the recipient and provider to consider whether the circumstances affecting the appropriateness of using the information could change during use and disclosure. This Principle appears to reflect concerns regarding how government information has been used ostensibly with consent but in ways where there is no social licence. Any information sharing agreement must explain how the handling of information will be consistent with responsible information sharing principles (Privacy and Responsible Information Sharing Bill, 2024, section 175(3)–(4)). The recipient and provider must also conduct a privacy impact assessment if the activity will have a significant impact on privacy or involves integrating two datasets together.
4. Discussion
Table 2 provides a breakdown of the differences between each of the five data sharing frameworks.
Table 2. A comparison of when public sector data can be shared under each regime

As the preceding analysis shows, there are four key points of difference between these frameworks. The first is the set of purposes for which government sector or public sector data can be shared. In particular, the South Australian Public Sector (Data Sharing) Act, the Commonwealth Data Availability and Transparency Act, and the Western Australian Privacy and Responsible Information Sharing Act permit data sharing for a wide range of purposes. By contrast, data sharing is only permissible under the Data Sharing (Government Sector) Act and the Victorian Data Sharing Act for policy design and delivery of government services. Although research is not mentioned in the Public Sector (Data Sharing) Act, associated templates indicate that approval by a research ethics committee could be grounds for sharing data. By contrast, the Data Sharing (Government Sector) Act, the Public Sector (Data Sharing) Act, the Victorian Data Sharing Act, and the Agreement do not explicitly mention sharing for research. The Public Sector (Data Sharing) Regulations also permit the sharing of government data for emergency management and law enforcement purposes. By contrast, sharing for law enforcement purposes is explicitly excluded under the Data Availability and Transparency Act and the Privacy and Responsible Information Sharing Act.
The second is whether public sector agencies are mandated to share data. Neither the Data Availability and Transparency Act nor the Victorian Data Sharing Act mandates that public sector entities share data, although the Victorian Data Sharing Policy sets data sharing as the norm. By contrast, the Data Sharing (Government Sector) Act and the Public Sector (Data Sharing) Act allow either the relevant Minister or the Premier to mandate a government agency to share public sector data. The Privacy and Responsible Information Sharing Act also permits a Minister responsible for a public entity to order that entity to share government information. However, this is limited to when a public entity has already refused an information sharing request.
The third is the set of entities that can receive public sector or government sector data. Here, there is a divergence between the Commonwealth, New South Wales, and Victorian legislation on the one hand and the South Australian legislation on the other. The former three legal frameworks only permit other public sector agencies to receive public sector data. By contrast, the Public Sector (Data Sharing) Regulations currently permit access by private sector organisations that have been contracted to provide government services. Nevertheless, it appears that access by private sector organisations to South Australian public sector data (beyond aggregate-level data) is currently limited. Likewise, the Privacy and Responsible Information Sharing Act permits external entities to access government information. However, access is only permissible for public good purposes, as opposed to for commercial purposes.
The fourth concerns the security requirements, including technical and organisational measures, which public sector agencies must employ when disclosing public sector data. The Commonwealth, South Australian, and West Australian data sharing regulations rely upon the Five Safes framework to help public sector agencies determine the risk of disclosing public sector data. However, the statutory enactment of these principles in the Data Availability and Transparency Act and the Public Sector (Data Sharing) Act does not prescribe the use of specific technical or organisational strategies. By contrast, the guidelines published by the CDO under the Victorian Data Sharing Act require separate data collection, integration, and analytics teams (an organisational measure). In addition, the CDO’s guidelines list several technical de-identification measures which can be used to reduce the risk that an individual may be re-identified. Likewise, the New South Wales data sharing guidelines provide technical guidance on measures that can be used to share public sector data. Because the Privacy and Responsible Information Sharing Act is yet to come into force, the Western Australian Chief Data Officer is yet to publish guidelines on the technical requirements for sharing. There is an ongoing debate in the academic literature regarding the utility of the Five Safes framework as a guide for data sharing (Culnane et al., 2020; Green and Ritchie, 2023). However, its explicit presence in regulation indicates at the very least a recognition of how the data breaches discussed in the introduction to this paper have occurred.
These grounds for sharing public sector data need to be considered alongside both existing laws governing data and public support for data sharing. On the one hand, Australian privacy laws and guidelines provide government agencies with broad grounds to share personal information. These grounds can include both notice and consent, as well as exemptions. For example, the SA Health Privacy Guidelines note that a request under the Public Sector (Data Sharing) Act would constitute disclosure authorised by law under the Health Care Act. Therefore, provided the data does not contain exempt information under the Public Sector (Data Sharing) Regulations, if the Minister authorised sharing, that agency would need to share data (SA Health, 2023). Likewise, the Office of the Victorian Information Commissioner’s guidelines note that personal or health information can be disclosed by government agencies without consent for a permitted secondary purpose (Bertram, 2021, 19–20). Nevertheless, the legal barriers that government agencies cite for not using or disclosing public sector data containing personal information may be self-imposed (Richards and Scheibner, 2022).
On the other hand, the social licence for Australian public sector agencies to share personal information is fragile. There is broad public support for the secondary use of government-held personal and health information for public benefit in Australia. However, this broad support does not extend to sharing with private sector organisations. In addition, there are increasing public concerns about the ability of government agencies to keep personal and health information safe (Street et al., 2020; Braunack-Mayer et al., 2021). Several high-profile data breaches, including data breaches involving health information, have brought these security issues into public consciousness (Prictor, 2023). Further, even where there is legal authority and consent to disclose public sector data, it may not prevent further unlawful uses of that data (Ng et al., 2020). Therefore, even if Australian government agencies have legal authority to share data, they should always consider whether they should (Andrews, 2019).
Considering the jurisdictional differences highlighted in this paper, one area where this social licence is at risk is when data is shared across jurisdictional boundaries. It was, in part, in response to this risk that the Commonwealth government signed the Intergovernmental Agreement on Data Sharing with states and territories in 2021. The purpose of this agreement is to encourage federal, state, and territory government agencies to share data with one another as a default position (Cabinet, 2021, paragraph 1(a)(i)). However, the agreement only permits sharing between government agencies for informing policy, designing programmes, tracking outcomes, and improving service delivery (Cabinet, 2021, paragraph 1(b)). The Agreement also notes that any identifiable data should be only disclosed in accordance with relevant federal, state, and territory privacy laws (Cabinet, 2021, paragraph 5(h)). Further, like the Data Availability and Transparency Act, under the Agreement a government agency does not need to accept a data sharing request. Valid reasons for refusing data sharing requests can include if the request would contravene law or would be inappropriate from a data sharing perspective (Cabinet, 2021, 12). However, there is currently no explicit authority for government agencies to share data for research (Pearson et al., 2021). This inconsistency could therefore represent a potential breach of social licence.
Inconsistencies and gaps in regulation such as those identified here heighten the risk of social harm through a breach of social licence. To prevent this, responsible agencies at both Commonwealth and state levels must take steps to resolve these inconsistencies and close regulatory gaps. These steps could operate on multiple regulatory levels. First, all Australian jurisdictions should pass privacy legislation that applies to personal information held by government agencies. Currently, South Australia is the only state of Australia that does not have formal privacy legislation which applies to public sector entities. This legislation would provide government agencies with greater certainty as to their obligations. Specifically, this legislation should define when personal information can be used, or disclosed to third parties, including for policymaking purposes or research purposes. Existing legislation such as the Public Sector (Data Sharing) Act should also be amended to reference the privacy principles contained within this legislation. These amendments would prevent breaches of social licence with respect to the use of personal or health information for policymaking purposes. Greater consistency between state and federal privacy legislation would also prevent regulatory disconnect leading to breaches of social licence as Australian governments increasingly share data with each other.
Second, we recommend that each of the data sharing regimes in Australia create agencies that are responsible for creating regulatory documents on each regime. So far, only the Victorian Chief Data Officer has provided public guidance on the use of technical measures for de-identifying public sector data. Other states and the Commonwealth have not yet published this public guidance. By contrast, the Five Safes framework embedded in the Data Availability and Transparency Act and the Public Sector (Data Sharing) Act is not a technical framework but a qualitative framework (Green and Ritchie, 2023). Oppermann has developed a modified Five Safes framework which attempts to set levels of “safety” associated with a particular project (Oppermann, 2018). Nevertheless, it is difficult to determine a quantitative framework for when the threshold for “safe people” or “safe projects” is met (Oppermann, 2017). It is important, therefore, to ensure that the data sharing frameworks embedded in legislation be combined with advice on technical measures that could help govern access to public sector data. As Andrews notes, public sector agencies often equate data sharing with data copying, which results in government departments duplicating data. Instead, Andrews argues that public sector agencies should consider the needs of their data users, and develop mechanisms to provide appropriate data. For example, non-sensitive information (such as aggregate data) may be most appropriate for policy design or service planning (Andrews, 2019). Alternatively, sensitive information (including personal and health information) may be required for more complicated uses, such as research purposes. These guidelines could also address when data is held by a government agency for the purposes of the legislation, such as when it is held by a cloud computing provider.
Third, for more complicated uses, advanced privacy-enhancing technologies could be used to provide researchers access to data containing personal or health information without exposing that information (McCarthy and Fourniol, 2020). Depending on what the data may be used for, there are several potential privacy-enhancing technologies. One strategy to control access to identifiable datasets, such as unit record data, is to limit such access to trusted research environments (TREs). This approach has been used extensively in the United Kingdom to govern researcher access to administrative data (Jones et al., 2019). TREs can be a useful solution to only permit trusted individuals to access public sector data that contains identifiable information (Macdonald et al., 2023). Likewise, synthetic data, or data that resembles the correlations of real data without necessarily disclosing personal information, can be used for training machine learning software. Wang and others demonstrate how to generate two completely synthetic datasets using large registry health datasets from the United Kingdom (Wang et al., 2021). Generating synthetic data can be useful to permit research between two jurisdictions with potentially incompatible data privacy laws (Tschider et al., 2024). Nevertheless, it cannot be assumed that each of these techniques, by themselves, can provide a perfect guarantee of data security. Therefore, the use of each technique should be coupled with other measures to reduce the risk of re-identification.
5. Conclusion
This paper has provided an overarching analysis and comparison of the permissible data flows under data sharing legislation implemented by the Commonwealth government, New South Wales, South Australia, Western Australia (when operational), and Victoria. Each data sharing regime permits government agencies to share public sector datasets with one another. Although these regimes operate in a similar manner, there are some significant variations in what data can be shared, with whom, and for what purpose. These laws do not significantly change the grounds that personal and sensitive information can be shared under privacy laws. Nevertheless, the increasing policy push for government agencies to share public sector datasets not only with one another but across different Australian jurisdictions could lead to breaches of social licence. This detailed overview of the interaction of Commonwealth and state legislation alongside regulatory documents has identified three main strategies that Australian governments should pursue to prevent breaches of social licence. First, all Australian states and territories should introduce comprehensive privacy legislation. Second, state government agencies should align their information management and data access policies to ensure consistent terminology when different actors can access public sector data. Third, Australian governments should implement infrastructure to improve yet control access to public sector data. Measures such as secure access environments and privacy-enhancing technologies can significantly reduce the risk of data re-identification. Without these safeguards, there is a real danger of causing irreversible harm to the social licence for sharing public sector data, thus undermining the potential benefits of using this data for the public good.
Data availability statement
The data that supports the findings of this study is publicly available data and is listed in Table 1 of the article. The authors are not the custodians of any data referred to in this article.
Acknowledgements
The authors would like to thank Donella Piper, Nicole Kroesche, and Jordan Tutton for their amendments to this paper. The paper only reflects the views of the authors.
Author contributions
Conceptualisation: J.S, T.H, W.K, and B.R. Methodology: J.S. Data curation: J.S. Writing original draft: J.S and B.R. Writing - review & editing: J.S, T.H, and W.K. All authors approved the final submitted draft.
Funding statement
Health Translation SA funded a previous research project by J.S and B.R. However, this particular publication received no specific grant from any funding agency.
Competing interests
The authors declare none.