Federal Register of Legislation - Australian Government

Primary content

A Bill for an Act to authorise the sharing of public sector data, and for related purposes
Administered by: Prime Minister and Cabinet
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Registered 11 Dec 2020
Introduced HR 09 Dec 2020

2019‑2020

 

The Parliament of the

Commonwealth of Australia

 

HOUSE OF REPRESENTATIVES

 

 

 

 

Presented and read a first time

 

 

 

 

Data Availability and Transparency Bill 2020

 

No.      , 2020

 

(Prime Minister)

 

 

 

A Bill for an Act to authorise the sharing of public sector data, and for related purposes

  

  

  


Contents

Chapter 1—Preliminary                                                                                         1

Part 1.1—Introduction                                                                                                        1

1............ Short title............................................................................................. 1

2............ Commencement................................................................................... 2

3............ Objects................................................................................................ 2

4............ Simplified outline of this Act.............................................................. 2

5............ Act binds the Crown........................................................................... 3

6............ Extension to external Territories.......................................................... 4

7............ Extraterritorial operation...................................................................... 4

8............ Application of this Act........................................................................ 4

Part 1.2—Definitions                                                                                                            6

9............ Definitions.......................................................................................... 6

10.......... Data definitions................................................................................. 11

11.......... Entity definitions............................................................................... 11

Chapter 2—Authorisations to share data                                          14

12.......... Simplified outline of this Chapter...................................................... 14

13.......... Authorisations to share data.............................................................. 15

14.......... Sharing must be authorised............................................................... 16

15.......... Data sharing purposes....................................................................... 18

16.......... Data sharing principles...................................................................... 19

17.......... When sharing is excluded from the data sharing scheme.................. 21

18.......... Data sharing agreement..................................................................... 24

19.......... Mandatory terms of data sharing agreement...................................... 24

20.......... Compliance with mandatory terms of data sharing agreement........... 27

21.......... Exit from data sharing scheme of shared or released output.............. 27

22.......... Other authorisations for data custodians not limited.......................... 29

23.......... Authorisation to share overrides other prohibitions.......................... 29

24.......... No duty to share but reasons required for not sharing...................... 29

Chapter 3—Responsibilities of data scheme entities               30

Part 3.1—Introduction                                                                                                      30

25.......... Simplified outline of this Chapter...................................................... 30

Part 3.2—General responsibilities                                                                              31

26.......... Comply with rules and data codes..................................................... 31

27.......... Have regard to guidelines.................................................................. 31

28.......... Privacy coverage............................................................................... 31

29.......... Engage ADSP for prescribed data services....................................... 32

30.......... Comply with conditions of accreditation........................................... 32

31.......... Report events and changes in circumstances affecting accreditation to Commissioner             32

32.......... Not provide false or misleading information..................................... 33

33.......... Notify Commissioner in relation to data sharing agreements............ 33

34.......... Assist Commissioner as required in preparation of annual report..... 34

Part 3.3—Data breach responsibilities                                                                    35

35.......... Definition of data breach.................................................................. 35

36.......... Take steps to mitigate data breach..................................................... 35

37.......... Interaction with Part IIIC of the Privacy Act 1988 (notification of eligible data breaches)        36

38.......... Notify Commissioner of non‑personal data breach........................... 37

Chapter 4—National Data Commissioner and National Data Advisory Council         39

Part 4.1—Introduction                                                                                                      39

39.......... Simplified outline of this Chapter...................................................... 39

40.......... Commissioner to have regard to objects of Act................................. 39

Part 4.2—National Data Commissioner                                                                 40

Division 1—Establishment, functions and powers                                       40

41.......... National Data Commissioner............................................................ 40

42.......... Functions.......................................................................................... 40

43.......... Advice related functions.................................................................... 40

44.......... Guidance related functions................................................................ 41

45.......... Regulatory functions......................................................................... 41

46.......... Application of finance law................................................................ 41

47.......... Staff.................................................................................................. 41

48.......... Contractors........................................................................................ 42

49.......... Consultants....................................................................................... 42

50.......... Delegation by Commissioner............................................................ 42

51.......... Independence of Commissioner........................................................ 43

52.......... Commissioner not to be sued............................................................ 43

Division 2—Terms and conditions etc.                                                              44

53.......... Appointment..................................................................................... 44

54.......... General terms and conditions of appointment................................... 44

55.......... Other paid work................................................................................ 44

56.......... Remuneration.................................................................................... 44

57.......... Leave of absence............................................................................... 45

58.......... Resignation....................................................................................... 45

59.......... Termination of appointment.............................................................. 45

60.......... Acting appointments......................................................................... 46

Part 4.3—National Data Advisory Council                                                          47

61.......... Establishment and function of Council.............................................. 47

62.......... Membership of Council.................................................................... 47

63.......... Appointment of members.................................................................. 48

64.......... Term of appointment......................................................................... 48

65.......... Remuneration and allowances........................................................... 48

66.......... Leave of absence............................................................................... 48

67.......... Disclosure of interests to Minister or Commissioner........................ 49

68.......... Disclosure of interests to Council..................................................... 49

69.......... Resignation of members.................................................................... 49

70.......... Termination of appointment of members........................................... 49

71.......... Other terms and conditions of members............................................ 50

72.......... Procedures........................................................................................ 50

Chapter 5—Regulation and enforcement                                          51

Part 5.1—Introduction                                                                                                      51

73.......... Simplified outline of this Chapter...................................................... 51

Part 5.2—Accreditation framework                                                                         53

Division 1—Accreditation                                                                                        53

74.......... Accreditation..................................................................................... 53

75.......... Notice of accreditation decision......................................................... 54

76.......... Application for accreditation............................................................. 55

77.......... Criteria for accreditation.................................................................... 56

Division 2—Conditions of accreditation                                                           57

78.......... Conditions of accreditation................................................................ 57

79.......... Notice before decision about conditions............................................ 58

80.......... Notice of conditions.......................................................................... 58

Division 3—Suspension and cancellation of accreditation                      60

81.......... Suspension or cancellation of accreditation....................................... 60

82.......... Notice before decision about suspension or cancellation................... 61

83.......... Notice of suspension or cancellation................................................. 63

Division 4—Transfer of accreditation                                                               64

84.......... Transfer of accreditation.................................................................... 64

85.......... Notice of transfer decision................................................................ 64

Division 5—Rules and further information                                                    66

86.......... Rules relating to the accreditation framework.................................... 66

87.......... Further information or evidence........................................................ 66

Part 5.3—Complaints                                                                                                        67

Division 1—Complaints                                                                                             67

88.......... Making complaints............................................................................ 67

89.......... Respondents...................................................................................... 67

90.......... Communicating with complainant..................................................... 68

91.......... Dealing with complaints.................................................................... 68

92.......... Grounds for not dealing with complaints.......................................... 69

93.......... Admissibility of things said or done in conciliation.......................... 70

Division 2—Representative complaints                                                            71

94.......... Conditions for making a representative complaint............................. 71

95.......... Commissioner may determine that a complaint is not to continue as a representative complaint               71

96.......... Additional rules applying to the determination of representative complaints            72

97.......... Amendment of representative complaints.......................................... 72

98.......... Class member for representative complaint not entitled to lodge individual complaint             73

Part 5.4—Assessments and investigations                                                             74

99.......... Assessments..................................................................................... 74

100........ Notices of assessment....................................................................... 74

101........ Investigations.................................................................................... 74

102........ Determination on completion of investigation................................... 75

103........ Notices relating to investigation........................................................ 76

Part 5.5—Regulatory powers and enforcement                                                77

104........ Power to require information and documents.................................... 77

105........ Legal professional privilege.............................................................. 78

106........ Limits on power to require information and documents.................... 78

107........ Transfer of matters to appropriate authority...................................... 79

108........ Authorisation for Commissioner to disclose and receive information 80

109........ Monitoring powers........................................................................... 81

110........ Investigation powers......................................................................... 82

111........ Recommendations............................................................................. 83

112........ Directions.......................................................................................... 84

113........ Civil penalty provisions.................................................................... 84

114........ Infringement notices.......................................................................... 85

115........ Enforceable undertakings.................................................................. 86

116........ Injunctions........................................................................................ 87

Chapter 6—Other matters                                                                                  88

Part 6.1—Introduction                                                                                                      88

117........ Simplified outline of this Chapter...................................................... 88

Part 6.2—Review of decisions                                                                                      89

118........ Reviewable decisions........................................................................ 89

119........ Applications for reconsideration of decisions made by delegates of the Commissioner           89

120........ Reconsideration by the Commissioner.............................................. 90

121........ Deadline for reconsideration............................................................. 90

122........ Review by the Administrative Appeals Tribunal............................... 91

Part 6.3—Treatment of certain entities                                                                  92

123........ Treatment of Commonwealth bodies, State bodies and Territory bodies  92

124........ Treatment of partnerships and unincorporated associations.............. 93

125........ Treatment of trusts............................................................................ 94

Part 6.4—Data sharing scheme instruments                                                       96

126........ Data codes......................................................................................... 96

127........ Guidelines......................................................................................... 96

128........ Register of ADSPs........................................................................... 97

129........ Register of accredited users............................................................... 97

130........ Register of data sharing agreements.................................................. 98

131........ Recognition of external dispute resolution schemes.......................... 99

132........ Approved forms................................................................................ 99

133........ Rules............................................................................................... 100

134........ Regulations..................................................................................... 100

Part 6.5—Other matters                                                                                                 101

135........ Disclosure of scheme data in relation to information‑gathering powers 101

136........ Geographical jurisdiction of civil penalty provisions and offences. 101

137........ Authorised officers......................................................................... 104

138........ Annual report.................................................................................. 106

139........ Charging of fees by Commissioner................................................. 107

140........ Charging of fees by data scheme entities......................................... 108

141........ Commonwealth not liable to pay a fee............................................. 108

142........ Periodic reviews of operation of Act............................................... 108

 


A Bill for an Act to authorise the sharing of public sector data, and for related purposes

The Parliament of Australia enacts:

Chapter 1Preliminary

Part 1.1Introduction

  

1  Short title

                   This Act is the Data Availability and Transparency Act 2020.

2  Commencement

             (1)  Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

Column 1

Column 2

Column 3

Provisions

Commencement

Date/Details

1.  The whole of this Act

The day after this Act receives the Royal Assent.

 

Note:          This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

             (2)  Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3  Objects

                   The objects of this Act are to:

                     (a)  serve the public interest by promoting better availability of public sector data; and

                     (b)  enable consistent safeguards for sharing public sector data; and

                     (c)  enhance integrity and transparency in sharing public sector data; and

                     (d)  build confidence in the use of public sector data; and

                     (e)  establish institutional arrangements for sharing public sector data.

4  Simplified outline of this Act

Data custodians of public sector data may share their data with accredited users in accordance with the controls established by this Act. Data custodians may share data with accredited users directly, or indirectly through an ADSP (short for accredited data service provider).

Public sector data is defined as data lawfully created, collected or held by or on behalf of Commonwealth bodies. A Commonwealth body that controls such data and has the right to deal with it is the data custodian of the data and, so, authorised to share it in a controlled way.

There are corresponding authorisations for accredited entities to collect and use shared data.

The National Data Commissioner is the regulator for the data sharing scheme and also has the function of advocating for the sharing and release of public sector data more generally. The Commissioner is assisted by APS employees in the Department and by the advice of the National Data Advisory Council.

Entities must be accredited by the Commissioner in order to have public sector data shared with or through them.

Data scheme entities (i.e. data custodians and accredited entities) have responsibilities under the Act. Data scheme entities may complain to the Commissioner about breaches of the Act by other data scheme entities. The Commissioner also has powers to require information and to assess, monitor and investigate data scheme entities. A range of enforcement options are available to the Commissioner.

5  Act binds the Crown

             (1)  This Act binds the Crown in each of its capacities.

             (2)  However, this Act does not make the Crown liable to be prosecuted for an offence.

             (3)  To avoid doubt, subsection (2) does not prevent the Crown from being liable to pay a pecuniary penalty under a civil penalty order under Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act.

6  Extension to external Territories

                   This Act and the Regulatory Powers Act as it applies in relation to this Act extend to every external Territory.

7  Extraterritorial operation

             (1)  This Act, and the Regulatory Powers Act as it applies in relation to this Act, extend to acts, omissions, matters and things outside Australia.

Note:          Geographical jurisdiction for civil penalty provisions and offences is dealt with in section 136.

             (2)  This Act, and the Regulatory Powers Act as it applies in relation to this Act, have effect subject to:

                     (a)  the obligations of Australia under international law, including obligations under any international agreement binding on Australia; and

                     (b)  any law of the Commonwealth giving effect to such an agreement.

8  Application of this Act

                   This Act applies in relation to sharing of data in any of the following circumstances:

                     (a)  accredited entities with or through which the data is shared are Commonwealth bodies or Territory bodies;

                     (b)  the data is shared for a data sharing purpose set out in paragraph 15(1)(a) or (b) and the government concerned is or includes the Commonwealth;

                     (c)  the accredited user with which the data is shared is a constitutional corporation and the sharing is for the data sharing purpose set out in paragraph 15(1)(c) (research and development);

                     (d)  the accredited user with which the data is shared is a foreign person and the sharing is done in accordance with an international agreement binding on Australia;

                     (e)  the data is shared with or through accredited entities by means of electronic communication;

                      (f)  the sharing is done to enable analysis for statistical purposes;

                     (g)  the data shared is statistical information.

Part 1.2Definitions

  

9  Definitions

                   In this Act:

accredited entity: see subsection 11(4).

accredited user: see subsection 11(4).

ADSP: see subsection 11(4).

ADSP‑enhanced data: see subsection 10(3).

adverse or qualified security assessment means an adverse security assessment, or a qualified security assessment, within the meaning of Part IV of the Australian Security Intelligence Organisation Act 1979.

ancillary contravention of a civil penalty provision means a contravention that arises out of the operation of section 92 of the Regulatory Powers Act.

ancillary offence has the same meaning as in the Criminal Code.

APP entity has the same meaning as in the Privacy Act 1988.

appointed member: see paragraph 62(1)(e).

approved form for a provision of this Act, the rules or a data code means a form approved by the Commissioner for the purposes of the provision under section 132.

Australia, when used in a geographical sense, includes the external Territories.

Australian aircraft has the same meaning as in the Criminal Code.

Australian entity means any of the following:

                     (a)  a Commonwealth body, State body or Territory body;

                     (b)  an Australian citizen or a permanent resident of Australia;

                     (c)  a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;

                     (d)  a partnership formed in Australia;

                     (e)  a trust created in Australia;

                      (f)  an unincorporated association that has its central management or control in Australia.

Australian ship has the same meaning as in the Criminal Code.

authorised officer: see section 137.

breach: a data scheme entity breaches this Act if the data scheme entity engages in conduct that contravenes, or is inconsistent with, this Act.

Circuit Court means the Federal Circuit Court of Australia or, if the court previously known by that name has been continued in existence as the Federal Circuit and Family Court of Australia (Division 2)—that court as continued in existence.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

class member, in relation to a representative complaint, means any of the data scheme entities on whose behalf the complaint was made, but does not include a data scheme entity that has withdrawn under subsection 96(2).

Commissioner means the National Data Commissioner referred to in section 41.

Commonwealth body means:

                     (a)  a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013; or

                     (b)  any other person or body that is an agency within the meaning of the Freedom of Information Act 1982.

constitutional corporation means a corporation to which paragraph 51(xx) of the Constitution applies.

Council means the National Data Advisory Council established by section 61.

court/tribunal order means an order, direction or other instrument made by:

                     (a)  a court; or

                     (b)  a judge (including a judge acting in a personal capacity) or a person acting as a judge; or

                     (c)  a magistrate (including a magistrate acting in a personal capacity) or a person acting as a magistrate; or

                     (d)  any other person or body that has the power to act judicially under a law of the Commonwealth or a State or Territory; or

                     (e)  a tribunal; or

                      (f)  a member or an officer of a tribunal;

and includes an order, direction or other instrument that is of an interim or interlocutory nature.

data: see subsection 10(5).

data breach: see section 35.

data code: see subsection 126(1).

data custodian: see subsection 11(2).

data scheme entity: see subsection 11(1).

data service means any operation performed on or in relation to data, at any stage from collection or creation to destruction.

data sharing agreement: see section 18.

data sharing purpose: see subsection 15(1).

data sharing scheme means this Act and the regulations, rules, data codes and guidelines made under it.

Defence Department means the Department administered by the Minister administering the Defence Act 1903.

electronic communication means a communication of information in any form by means of guided electromagnetic energy, unguided electromagnetic energy or both.

enforcement related purpose: see subsection 15(3).

engage in conduct means:

                     (a)  do an act; or

                     (b)  omit to do an act.

entity includes the following:

                     (a)  an individual;

                     (b)  a body corporate;

                     (c)  a Commonwealth body;

                     (d)  a State body or a Territory body;

                     (e)  a body politic;

                      (f)  a partnership;

                     (g)  an unincorporated association;

                     (h)  a trust.

excluded entity: see subsection 11(3).

Federal Court means the Federal Court of Australia.

foreign entity means an entity that is not an Australian entity.

guidelines means guidelines made under section 127.

mandatory term of a data sharing agreement means a term required by section 19.

offence against this Act includes an offence against section 6 of the Crimes Act 1914, or Chapter 7 of the Criminal Code, that relates to this Act.

Note:          Ancillary offences that relate to this Act are also offences against this Act (see section 11.6 of the Criminal Code).

operational data means:

                     (a)  data about information sources or operational activities or methods available to an agency mentioned in paragraph 17(2)(b); or

                     (b)  data about particular operations that have been, are being or are proposed to be undertaken by such an agency, or about proceedings relating to those operations.

output: see subsection 10(4).

paid work means work for financial gain or reward (whether as an employee, a self‑employed person or otherwise).

personal information has the same meaning as in the Privacy Act 1988.

point: see subsection 136(9).

precluded purpose: see subsections 15(2) and (4).

primary contravention of a civil penalty provision means a contravention that does not arise out of the operation of section 92 of the Regulatory Powers Act.

primary offence has the same meaning as in the Criminal Code.

public sector data: see subsection 10(2).

regulatory function means a function set out in section 45.

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

release means provide open access (and does not include share).

representative complaint means a complaint where the persons on whose behalf the complaint was made include persons other than the complainant, but does not include a complaint that the Commissioner has determined should no longer be continued as a representative complaint.

responsible individual: see subsection 124(6).

reviewable decision: see section 118.

rules means rules made under subsection 133(1).

scheme data: see subsection 10(1).

share means provide controlled access (and does not include release).

State body means a department or authority of a State.

Territory body means a department or authority of a Territory.

10  Data definitions

             (1)  Scheme data is:

                     (a)  public sector data shared under subsection 13(1); or

                     (b)  output of such data, other than output that has exited the data sharing scheme under section 21.

             (2)  Public sector data is data lawfully collected, created or held by or on behalf of a Commonwealth body, and includes:

                     (a)  ADSP‑enhanced data; and

                     (b)  output of which a Commonwealth body is declared by a data sharing agreement to be the data custodian.

             (3)  ADSP‑enhanced data is data that is the result or product of data services performed by an ADSP in relation to public sector data shared with the ADSP by the data custodian of the data under subsection 13(1).

             (4)  Output is data that is the result or product of the use, by an accredited user, of public sector data shared with the accredited user under subsection 13(1).

             (5)  Data is any information in a form capable of being communicated, analysed or processed (whether by an individual or by computer or other automated means).

11  Entity definitions

             (1)  The following are data scheme entities:

                     (a)  data custodians of public sector data;

                     (b)  accredited entities.

             (2)  A Commonwealth body is the data custodian of public sector data if:

                     (a)  the body controls the data; and

                     (b)  the body has the right to deal with the data:

                              (i)  apart from this Act; or

                             (ii)  in accordance with a data sharing agreement that declares or declared the body to be the data custodian of the data; and

                     (c)  the body is not an excluded entity.

Note:          Data custodians are not authorised by this Act to share data in all circumstances (see subsection 13(1), and in particular paragraph 13(1)(c)).

             (3)  Each of the following is an excluded entity:

                     (a)  the Australian Commission for Law Enforcement Integrity;

                     (b)  the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002;

                     (c)  that part of the Defence Department known as the Australian Geospatial‑Intelligence Organisation;

                     (d)  the Australian National Audit Office;

                     (e)  the Australian Secret Intelligence Service;

                      (f)  the Australian Security Intelligence Organisation;

                     (g)  the Australian Signals Directorate;

                     (h)  that part of the Defence Department known as the Defence Intelligence Organisation;

                      (i)  the Inspector‑General of Intelligence and Security;

                      (j)  the Office of the Commonwealth Ombudsman;

                     (k)  the Office of National Intelligence.

             (4)  An entity accredited under section 74 as an:

                     (a)  accredited user (an accredited user); or

                     (b)  ADSP (short for accredited data service provider) (an ADSP);

is an accredited entity.

Note 1:       Accredited users are able to collect and use shared data (including by creating output they can share with third parties) in accordance with an applicable data sharing agreement. ADSPs are expert intermediaries who can assist data custodians to prepare and share data appropriately.

Note 2:       Excluded entities cannot be accredited (see subsection 74(1)).

Chapter 2Authorisations to share data

  

  

12  Simplified outline of this Chapter

Data custodians of public sector data may share their data with accredited users in accordance with the controls established by this Chapter. Data custodians may share data with accredited users directly, or indirectly through an ADSP.

Broadly, the controls relate to ensuring that sharing is done only for appropriate purposes and consistently with data sharing principles, and that it is done under a data sharing agreement and with the agreement of any other data custodians of that data. Sharing is excluded in certain circumstances (for example, if the sharing would contravene a prescribed law or an agreement).

There are corresponding authorisations for accredited entities to collect and use the shared data.

For accredited users, the authorisation to use data extends to sharing output with third parties in limited circumstances and if allowed by a data sharing agreement. Output may also be released if allowed by a data sharing agreement and not prevented by any other law. Output shared or released in such circumstances exits (i.e. is no longer covered by) the data sharing scheme.

Data scheme entities must comply with the rules and data codes and have regard to the guidelines when sharing data.

The authorisation for data custodians to share data overrides other laws that would otherwise be contravened by the sharing, with some exceptions.

Data custodians cannot be required to share data under the data sharing scheme.

13  Authorisations to share data

Sharing by or on behalf of data custodian

             (1)  A data custodian of public sector data is authorised to share the data with an accredited user, either directly or through an ADSP, if:

                     (a)  the sharing is for a data sharing purpose and not a precluded purpose (see section 15); and

                     (b)  the sharing is consistent with the data sharing principles (see section 16); and

                     (c)  the sharing is not excluded (see section 17); and

                     (d)  the sharing is in accordance with a data sharing agreement (see section 18); and

                     (e)  if the data custodian is not the only data custodian of the data—the sharing is authorised in writing by each other data custodian, or by a data custodian authorised in writing by each other data custodian to act on their behalf for the purposes of this section.

Note:          The application of this section, along with the other provisions of this Act, is limited by section 8 (application of this Act).

             (2)  Sharing data through an ADSP is authorised only if the requirements of subsection (1) are met in relation to both stages in which sharing through an ADSP occurs. The stages are:

                     (a)  the data custodian of public sector data shares the data with the ADSP; and

                     (b)  the ADSP shares the data, or ADSP‑enhanced data that is public sector data of the data custodian, with the accredited user on behalf of the data custodian.

Collection and use by accredited entity

             (3)  An accredited entity is authorised to collect public sector data shared with or through the entity under subsection 13(1), and to use the data and output of the data, if:

                     (a)  the collection and use is:

                              (i)  for the data sharing purpose for which the data was shared with or through the entity and not a precluded purpose (see section 15); and

                             (ii)  consistent with the data sharing principles (see section 16); and

                            (iii)  in accordance with a data sharing agreement (see section 18); and

                            (iv)  not inconsistent with a condition of the entity’s accreditation; and

                     (b)  the entity’s accreditation is not suspended.

Note 1:       Sharing and releasing are examples of using data (see also section 21).

Note 2:       The application of this section, along with the other provisions of this Act, is limited by section 8 (application of this Act).

14  Sharing must be authorised

Penalties for unauthorised sharing

             (1)  A person contravenes this subsection if:

                     (a)  the person shares data; and

                     (b)  the sharing purportedly relies on the authorisation in subsection 13(1); and

                     (c)  the sharing is not authorised by that subsection.

Note:          See also Part 6.3 (treatment of certain entities).

Civil penalty:          300 penalty units.

             (2)  A person commits an offence if:

                     (a)  the person shares data; and

                     (b)  the sharing purportedly relies on the authorisation in subsection 13(1); and

                     (c)  the sharing is not authorised by that subsection and the person is reckless with respect to that circumstance.

Note 1:       See also Part 6.3 (treatment of certain entities).

Note 2:       Unauthorised access to or modification of data held in a computer may be an offence regardless of whether subsection 13(1) is relied on (see Part 10.7 of the Criminal Code (computer offences)).

Penalty:  Imprisonment for 2 years.

Penalties for unauthorised collection or use

             (3)  A person contravenes this subsection if:

                     (a)  the person:

                              (i)  collects data that was shared with or through the person under subsection 13(1); or

                             (ii)  uses such data or the output of such data; and

                     (b)  the data or output is scheme data; and

                     (c)  the collection or use is not authorised by subsection 13(3); and

                     (d)  for use—the use is:

                              (i)  not a disclosure authorised by subsection 135(1) (disclosure of scheme data in relation to information‑gathering powers); and

                             (ii)  not a release of output by an accredited user in accordance with the Freedom of Information Act 1982.

Note:          See also Part 6.3 (treatment of certain entities).

Civil penalty:          300 penalty units.

             (4)  A person commits an offence if:

                     (a)  the person:

                              (i)  collects data that was shared with or through the person under subsection 13(1); or

                             (ii)  uses such data or the output of such data; and

                     (b)  the data or output is scheme data; and

                     (c)  the collection or use is not authorised by subsection 13(3) and the person is reckless with respect to that circumstance; and

                     (d)  for use—the use is:

                              (i)  not a disclosure authorised by subsection 135(1) (disclosure of scheme data in relation to information‑gathering powers); and

                             (ii)  not a release of output by an accredited user in accordance with the Freedom of Information Act 1982.

Note:          See also Part 6.3 (treatment of certain entities).

Penalty:  Imprisonment for 2 years.

             (5)  Subsections (3) and (4) have effect despite any other law of the Commonwealth or a State or Territory, whether enacted before or after the commencement of this Act.

             (6)  To avoid doubt, subsections (3) and (4) have effect regardless of whether a permitted general situation, or a permitted health situation, exists within the meaning of the Privacy Act 1988.

15  Data sharing purposes

Data sharing purposes

             (1)  The following are data sharing purposes:

                     (a)  delivery of government services;

                     (b)  informing government policy and programs;

                     (c)  research and development.

Note:          In considering whether sharing is for a data sharing purpose, the data scheme entity must comply with the rules and any data codes (see section 26) and have regard to the guidelines (see section 27).

Precluded purposes

             (2)  The following are precluded purposes:

                     (a)  an enforcement related purpose;

                     (b)  a purpose that relates to, or prejudices, national security within the meaning of the National Security Information (Criminal and Civil Proceedings) Act 2004;

                     (c)  a purpose prescribed by the rules for the purposes of this paragraph.

             (3)  An enforcement related purpose means any of the following purposes:

                     (a)  detecting, investigating, prosecuting or punishing:

                              (i)  an offence; or

                             (ii)  a contravention of a law punishable by a pecuniary penalty;

                     (b)  detecting, investigating or addressing acts or practices detrimental to public revenue;

                     (c)  detecting, investigating or remedying serious misconduct;

                     (d)  conducting surveillance or monitoring, or intelligence‑gathering activities;

                     (e)  conducting protective or custodial activities;

                      (f)  enforcing a law relating to the confiscation of proceeds of crime;

                     (g)  preparing for, or conducting, proceedings before a court or tribunal or implementing a court/tribunal order.

             (4)  A purpose is not a precluded purpose within the meaning of paragraph (2)(a) or (b) if the purpose is both:

                     (a)  a data sharing purpose; and

                     (b)  a purpose that:

                              (i)  is with respect to matters that relate only in a general way to a purpose mentioned in paragraph (2)(a) or (b); and

                             (ii)  does not involve any person undertaking an activity mentioned in a paragraph of subsection (3).

16  Data sharing principles

Project principle

             (1)  The project principle is that data is shared for an appropriate project or program of work.

             (2)  The project principle includes (but is not limited to) the following elements:

                     (a)  the sharing can reasonably be expected to serve the public interest;

                     (b)  any applicable processes relating to ethics are observed;

                     (c)  any sharing of the personal information of individuals is done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent;

                     (d)  the data custodian considers using an ADSP to perform data services in relation to the sharing.

People principle

             (3)  The people principle is that data is made available only to appropriate persons.

             (4)  The people principle includes (but is not limited to) the following elements:

                     (a)  the entity sharing data considers the accreditation status and history of the entity collecting and using the shared data;

                     (b)  data is only shared with people who have attributes, qualifications, affiliations and expertise appropriate to the sharing.

Setting principle

             (5)  The setting principle is that data is shared in an appropriately controlled environment.

             (6)  The setting principle includes (but is not limited to) the following elements:

                     (a)  the means by which the data is shared are appropriate, having regard to the type and sensitivity of the data, to control the risks of unauthorised use, sharing or release;

                     (b)  reasonable security standards are applied when sharing data.

Data principle

             (7)  The data principle is that appropriate protections are applied to the data.

             (8)  The data principle includes (but is not limited to) the following elements:

                     (a)  only the data reasonably necessary to achieve the applicable data sharing purpose is shared;

                     (b)  the sharing of personal information is minimised as far as possible without compromising the data sharing purpose.

Outputs principle

             (9)  The outputs principle is that outputs are as agreed.

           (10)  The outputs principle includes (but is not limited to) the following elements:

                     (a)  the data custodian of the data and the accredited user consider:

                              (i)  the nature and intended uses of the outputs of the sharing; and

                             (ii)  requirements and procedures for use of the outputs;

                     (b)  the outputs contain only the data reasonably necessary to achieve the applicable data sharing purpose.

Application of data sharing principles

           (11)  A data scheme entity’s sharing of data is not consistent with the data sharing principles set out in this section unless the entity is satisfied that each principle is applied to the sharing in such a way that, when viewed as a whole, the risks associated with the sharing are appropriately mitigated.

Note:          The data scheme entities sharing, collecting and using the data must also comply with the rules and any data codes (see section 26) and have regard to the guidelines (see section 27).

           (12)  A reference to sharing in this section includes a reference to collection and use.

17  When sharing is excluded from the data sharing scheme

When sharing is excluded

             (1)  For the purposes of paragraph 13(1)(c), sharing is excluded if the sharing is excluded under any of the following subsections.

Note:          If a sharing of data is excluded under this section, it is not authorised by subsection 13(1).

National security and law enforcement etc.

             (2)  The sharing is excluded if:

                     (a)  the data shared is held by, or originated with or was received from, an excluded entity; or

                     (b)  the data shared is operational data that is held by, or originated with or was received from, any of the following:

                              (i)  AUSTRAC (within the meaning of the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006);

                             (ii)  the Australian Federal Police;

                            (iii)  the Department administered by the Minister administering the Australian Border Force Act 2015.

Contravention or infringement of rights etc.

             (3)  The sharing is excluded if:

                     (a)  sharing the data contravenes or infringes:

                              (i)  copyright or other intellectual property rights to which the data is subject; or

                             (ii)  a contract or agreement to which a data custodian of the data is party; or

                            (iii)  a common law duty or privilege; or

                            (iv)  a privilege or immunity of a House of the Parliament, a member of a House of the Parliament, or a committee within the meaning of the Parliamentary Privileges Act 1987; or

                     (b)  the data is commercial information and sharing it founds an action by a person (other than the Commonwealth or a Commonwealth body) for breach of confidence.

Prescribed by the regulations

             (4)  The sharing is excluded if:

                     (a)  any of the following prohibits the data custodian, or any of the persons whose conduct is taken under section 123 to be conduct of the data custodian, from disclosing the data in the circumstances in which the sharing is done:

                              (i)  a provision of a law prescribed by the regulations for the purposes of this subparagraph;

                             (ii)  an order, direction, certificate or other instrument made by an officer of the Commonwealth (including a Minister) under a provision of a law prescribed by the regulations for the purposes of this subparagraph; or

                     (b)  the data custodian of the data is prescribed by the regulations as an entity that must not share data in the capacity of data custodian; or

                     (c)  any other circumstances prescribed by the regulations for the purposes of this paragraph exist.

International matters

             (5)  The sharing is excluded if:

                     (a)  sharing the data is inconsistent with:

                              (i)  the obligations of Australia under international law, including obligations under any international agreement binding on Australia; or

                             (ii)  any law of the Commonwealth giving effect to such an agreement; or

                     (b)  unless the foreign government, or agency of the foreign government, has agreed to the sharing—the data was collected from a foreign government, or an agency of a foreign government.

Evidence and court/tribunal orders

             (6)  The sharing is excluded if:

                     (a)  the data is being held as evidence before a court; or

                     (b)  the data was obtained by a tribunal, authority or other person using a power to require the answering of questions or the production of documents and is being held as evidence before the tribunal, authority or other person; or

                     (c)  the data:

                              (i)  is subject to a court/tribunal order that manages, prohibits or restricts publication or other disclosure of the data; or

                             (ii)  relates to the existence or content of such a court/tribunal order and a law of the Commonwealth prohibits or restricts disclosure of that existence or content.

Accreditation suspended

             (7)  The sharing is excluded if the data is shared with or through an entity whose accreditation is suspended.

Commissioner or member of the staff participating

             (8)  The sharing is excluded if the data custodian of the data, or an accredited entity with or through which the data is shared, is the Commissioner or a member of the staff mentioned in section 47.

18  Data sharing agreement

             (1)  An agreement is a data sharing agreement if:

                     (a)  the agreement relates to the sharing of public sector data; and

                     (b)  the parties to the agreement include a data custodian of public sector data and an accredited user; and

                     (c)  the agreement is entered into, on behalf of each data scheme entity that is party to the agreement, by an authorised officer of the data scheme entity (see section 137); and

                     (d)  the agreement is:

                              (i)  in an approved form (if any); or

                             (ii)  if there is no approved form—in writing; and

                     (e)  any requirements specified in a data code are met in relation to the agreement; and

                      (f)  the agreement contains the mandatory terms (see section 19).

Note 1:       Data scheme entities must also have regard to the guidelines (see section 27) in entering a data sharing agreement.

Note 2:       Copies of data sharing agreements, including variations, must be given to the Commissioner (see subsection 33(1)). The mandatory terms of the agreement are included in a publicly available register (see section 130).

             (2)  A data sharing agreement may deal with matters not mentioned in this section.

19  Mandatory terms of data sharing agreement

             (1)  The parties to the agreement must be identified in the agreement.

             (2)  The agreement must specify that the sharing is to be done under this Act.

             (3)  The agreement must identify the following (the data covered by the agreement):

                     (a)  the public sector data that the data custodian is to share (including any ADSP‑enhanced data an ADSP is to share on behalf of the data custodian);

                     (b)  any agreed outputs of the shared data.

             (4)  The agreement must identify:

                     (a)  the party that is the data custodian of the data covered by the agreement as mentioned in paragraph (3)(a); and

                     (b)  the party that is the data custodian of the data covered by the agreement as mentioned in paragraph (3)(b); and

                     (c)  the basis on which the party is the data custodian of the data.

Note:          For the purposes of this Act, only Commonwealth bodies are capable of being data custodians of public sector data (see subsection 11(2)).

             (5)  The agreement must identify any law that the sharing would contravene but for section 23 (authorisation to share overrides other prohibitions).

             (6)  The agreement must:

                     (a)  identify for which of the data sharing purposes set out in subsection 15(1) the data is to be shared; and

                     (b)  prohibit the accredited user from using scheme data covered by the agreement for any purpose other than the data sharing purpose for which it was shared.

             (7)  The agreement must specify how the data sharing principles set out in section 16 are to be applied, including by:

                     (a)  describing how the public interest is served by the sharing; and

                     (b)  specifying which party is required to take which actions.

             (8)  If the sharing is being done through an ADSP, the agreement must:

                     (a)  specify any data services the ADSP is to perform in relation to public sector data shared with the ADSP by the data custodian; and

                     (b)  do all of the following:

                              (i)  specify the circumstances in which the ADSP is to share data covered by the agreement with the accredited user on behalf of the data custodian;

                             (ii)  prohibit the ADSP from sharing the data in any other circumstances;

                            (iii)  prohibit the ADSP from releasing the data.

             (9)  The agreement:

                     (a)  may allow the accredited user to share output that is scheme data covered by the agreement with either or both of the following:

                              (i)  the data custodian of the public sector data used to create the output, for the purpose of that data custodian ensuring that the output is as agreed;

                             (ii)  a Commonwealth body that is the data custodian of the output; and

                     (b)  if it does not—must specify that sharing is not allowed for the purposes of this subsection.

           (10)  The agreement:

                     (a)  may allow the accredited user to share output that is scheme data covered by the agreement in specified circumstances that meet the requirements in subsection 21(1); or

                     (b)  if it does not—must specify that no circumstances are specified for the purposes of this subsection.

Note:          Subsections 14(3) and (4) prohibit accredited users from sharing output in circumstances other than those specified for the purposes of this subsection. However, they do not prohibit a disclosure authorised by subsection 135(1) (disclosure of scheme data in relation to information‑gathering powers) (see subsection 14(7)).

           (11)  The agreement:

                     (a)  may allow the accredited user to release the output in specified circumstances that meet the requirement set out in subsection 21(3); or

                     (b)  if it does not—must specify that no circumstances are specified for the purposes of this subsection.

Note:          Subsections 14(3) and (4) prohibit accredited users from releasing output in circumstances other than those specified for the purposes of this subsection. However, they do not prohibit the release of output by an accredited user in accordance with the Freedom of Information Act 1982 (see subsection 14(8)).

           (12)  The agreement must set out the actions the parties will take for the purposes of Part 3.3 (data breach responsibilities).

           (13)  The agreement must specify the circumstances in which it may be varied or terminated and how a variation or termination is to be done.

           (14)  The agreement must specify either or both of the following:

                     (a)  its duration;

                     (b)  the intervals at which the parties must review it.

           (15)  The agreement must provide for how scheme data covered by the agreement is to be dealt with when the agreement ends.

           (16)  The agreement must contain any other terms prescribed by a data code for the purposes of this subsection.

20  Compliance with mandatory terms of data sharing agreement

                   A data scheme entity must comply with the mandatory terms of a data sharing agreement to which it is party.

Civil penalty:          300 penalty units.

21  Exit from data sharing scheme of shared or released output

Sharing output for validation etc.

             (1)  For the purposes of subsection 19(9), a data sharing agreement may allow the accredited user to share output in circumstances specified in the agreement, if the circumstances meet the following requirements:

                     (a)  before the output is shared, the data custodian of the data used to create the output is satisfied that the sharing will be done in accordance with subsection 13(3);

                     (b)  the output is shared:

                              (i)  with an entity that carries on a business to which the output relates, for the purpose of validating or correcting the output; or

                             (ii)  with an individual to whom the output relates, or a responsible person (within the meaning of the Privacy Act 1988) for such an individual, for the purpose of validating or correcting the output; or

                            (iii)  in circumstances prescribed by the rules.

Exit of shared output

             (2)  Output shared by an accredited user in accordance with subsection 13(3) exits the data sharing scheme:

                     (a)  if shared for the purpose of validating or correcting the output—at the time the output is validated or corrected by the entity with which it is shared; or

                     (b)  if shared in circumstances prescribed by the rules—at the time specified by the rules.

Note 1:       If a data sharing agreement specifies circumstances that meet the requirements in subsection (1), sharing of output by the accredited user is an authorised use of the output as long as the sharing is done in the specified circumstances and in accordance with subsection 13(3).

Note 2:       Once data exits the data sharing scheme, it ceases to be scheme data (see paragraph 10(1)(b)).

Releasing output

             (3)  For the purposes of subsection 19(10), a data sharing agreement may allow the accredited user to release output in circumstances specified in the agreement, if releasing the output in those circumstances does not contravene a law of the Commonwealth or a State or Territory.

Exit of released output

             (4)  Output released by an accredited user in accordance with subsection 13(3) exits the data sharing scheme at the time it is released.

Note 1:       If a data sharing agreement specifies circumstances that meet the requirement in subsection (3), release of output by the accredited user is an authorised use of the output as long as the release is done in the specified circumstances and in accordance with subsection 13(3).

Note 2:       Once data exits the data sharing scheme, it ceases to be scheme data (see paragraph 10(1)(b)).

             (5)  Output released by an accredited user under the Freedom of Information Act 1982 exits the data sharing scheme at the time access to the output is granted under that Act.

22  Other authorisations for data custodians not limited

                   The authorisation in subsection 13(1) for a data custodian to share particular data does not limit any other law of the Commonwealth or a State or Territory that authorises the data custodian to share the data.

23  Authorisation to share overrides other prohibitions

             (1)  The authorisation in subsection 13(1) has effect despite anything in another law of the Commonwealth, or a law of a State or Territory, that restricts or prohibits disclosure of information.

Note:          Subsection 13(1) does not authorise a sharing of data excluded by section 17 (including a sharing prohibited by a provision of a law prescribed by the regulations).

             (2)  The authorisation in subsection 13(3) has effect despite anything in another law of the Commonwealth, or a law of a State or Territory, that restricts or prohibits collection or use of information.

             (3)  Subsections (1) and (2) apply in relation to a law enacted before or after the commencement of this Act.

24  No duty to share but reasons required for not sharing

             (1)  This Chapter does not require, or authorise any person to require, a data custodian to share public sector data. However, data custodians should consider reasonable requests for sharing.

             (2)  A data custodian of public sector data must give an accredited user reasons if the data custodian refuses a request by the accredited user to share data.

Chapter 3Responsibilities of data scheme entities

Part 3.1Introduction

  

25  Simplified outline of this Chapter

The responsibilities imposed on data scheme entities are mainly set out in this Chapter, although some important responsibilities are set out elsewhere (see especially sections 14 and 20 in Chapter 2).

Civil penalties apply in some cases if responsibilities in this Chapter are not met. In any case, the responsibilities may be enforced by use of the Commissioner’s other regulatory powers under Part 5.5.

Part 3.2General responsibilities

  

26  Comply with rules and data codes

                   A data scheme entity must comply with:

                     (a)  the rules; and

                     (b)  data codes.

27  Have regard to guidelines

                   Data scheme entities must have regard to the guidelines when engaging in conduct for the purposes of this Act.

28  Privacy coverage

             (1)  A data scheme entity that is not an APP entity must not engage in an act or practice with respect to personal information for the purposes of this Act unless:

                     (a)  the Privacy Act 1988 applies in relation to the act or practice as if the entity were an organisation within the meaning of that Act; or

                     (b)  a law of a State or Territory that provides for all of the following applies in relation to the act or practice:

                              (i)  protection of personal information comparable to that provided by the Australian Privacy Principles;

                             (ii)  monitoring of compliance with the law;

                            (iii)  a means for an individual to seek recourse if the individual’s personal information is dealt with in a way contrary to the law.

             (2)  An act or practice engaged in by an accredited entity that is an organisation referred to in paragraphs 7B(2)(a) and (b) of the Privacy Act 1988 is not, despite subsection 7B(2) of that Act, exempt for the purposes of paragraph 7(1)(ee) of that Act if the act or practice is engaged in with respect to personal information for the purposes of this Act.

Note:          Paragraphs 7B(2)(a) and (b) of the Privacy Act 1988 refer to an organisation that would be a small business operator if it were not a contracted service provider for a Commonwealth contract (within the meaning of the Privacy Act 1988).

             (3)  Except as provided by subsection (2) and Part 3.3, nothing in this Act affects the operation of the Privacy Act 1988 in relation to a data scheme entity that is an APP entity.

Note:          Part 3.3 (data breach responsibilities) deals with the relationship between this Act and the requirements of Part IIIC of the Privacy Act 1988 (notification of eligible data breaches).

29  Engage ADSP for prescribed data services

                   The data custodian of public sector data that is to be shared under subsection 13(1) must ensure that, if data services prescribed by the rules for the purposes of this section are performed on or in relation to the data, they are performed on behalf of the data custodian by an ADSP.

30  Comply with conditions of accreditation

                   An accredited entity must comply with the conditions of the entity’s accreditation.

Civil penalty:          300 penalty units.

31  Report events and changes in circumstances affecting accreditation to Commissioner

             (1)  An accredited entity must notify the Commissioner of any event, or change in circumstance, that affects the entity’s accreditation.

             (2)  Subsection (1) does not apply in relation to an event or change in circumstances prescribed by the rules for the purposes of this subsection.

32  Not provide false or misleading information

             (1)  A data scheme entity must not, in giving information or a document in compliance or purported compliance with this Act, the rules or a data code, give the Commissioner:

                     (a)  information or a document that is false or misleading; or

                     (b)  information that omits any matter or thing without which the information is false or misleading.

Note:          A data scheme entity that contravenes this subsection might also commit an offence under Division 136 or 137 of the Criminal Code.

Civil penalty:          300 penalty units.

             (2)  A data scheme entity must not, in giving information or a document for the purposes of entering into or giving effect to a data sharing agreement, give another data scheme entity:

                     (a)  information or a document that is false or misleading; or

                     (b)  information that omits any matter or thing without which the information is false or misleading.

Civil penalty:          300 penalty units.

33  Notify Commissioner in relation to data sharing agreements

             (1)  A data custodian that is party to a data sharing agreement must give the Commissioner, in an approved form (if any):

                     (a)  an electronic copy of the agreement; and

                     (b)  if the agreement is varied—an electronic copy of the variation, or the agreement as varied;

no later than 30 days after the day the agreement or variation is made.

Note:          The Commissioner must maintain a publicly available register containing the names of parties to each data sharing agreement and the mandatory terms included in the agreement (see section 130).

             (2)  A data custodian that was party to a terminated data sharing agreement must give the Commissioner written notice of the termination of the agreement, no later than 30 days after the termination takes effect.

34  Assist Commissioner as required in preparation of annual report

             (1)  A data scheme entity must give the Commissioner any information and assistance the Commissioner reasonably requires in relation to the preparation of the annual report mentioned in section 138.

             (2)  Without limiting subsection (1), a data scheme entity must give the Commissioner information about the matters mentioned in subparagraphs 138(2)(d)(i) and (ii).

Note:          Subparagraphs 138(2)(d)(i) and (ii) relate to numbers of requests for data sharing, reasons for agreeing to or refusing requests and numbers of data sharing agreements made.

Part 3.3Data breach responsibilities

  

35  Definition of data breach

                   If:

                     (a)  a data scheme entity holds scheme data; and

                     (b)  any of the following apply:

                              (i)  there is unauthorised access to, or unauthorised sharing or unauthorised release of, the data;

                             (ii)  the data is lost in circumstances where there is likely to be unauthorised access to, or unauthorised sharing or unauthorised release of, the data;

                            (iii)  an event prescribed by a data code occurs in relation to the data;

the access, sharing, release, loss or event is a data breach of the data scheme entity.

36  Take steps to mitigate data breach

             (1)  If a data scheme entity reasonably suspects or becomes aware that a data breach of the entity has occurred, the entity must take reasonable steps to prevent or reduce any harm resulting from the breach to entities, groups of entities and things to which the data involved in the breach relates.

             (2)  If:

                     (a)  a data custodian reasonably suspects or becomes aware that a data breach of an accredited entity has occurred; and

                     (b)  the data breach involves scheme data that the data custodian shared with or through the entity, or that is the output of such data;

the data custodian must take reasonable steps to prevent or reduce any harm resulting from the breach to entities, groups of entities and things to which the data involved in the breach relates.

37  Interaction with Part IIIC of the Privacy Act 1988 (notification of eligible data breaches)

Scope

             (1)  This section applies if:

                     (a)  a data custodian of public sector data that is personal information about one or more individuals has shared the personal information with or through an accredited entity under subsection 13(1); and

                     (b)  the accredited entity holds the personal information.

Deemed holding of personal information by data custodian

             (2)  Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) has effect as if:

                     (a)  the personal information were held by the data custodian; and

                     (b)  the data custodian were required under section 15 of that Act not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.

Note:          This has the effect that the data custodian has responsibilities under Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) in relation to the personal information held by the accredited entity.

             (3)  If the accredited entity reasonably suspects or becomes aware that a data breach of the entity has occurred (within the meaning of section 35), the entity must, as soon as practicable, notify the data custodian of the data breach.

Note:          This is intended to help the data custodian meet its responsibilities under Part IIIC of the Privacy Act 1988, as that Part applies because of subsection (2) of this section.

             (4)  Subsections (2) and (3) do not apply if:

                     (a)  the accredited entity is an APP entity that is required under section 15 of the Privacy Act 1988 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; and

                     (b)  the data sharing agreement under which the personal information was shared with the entity provides that subsections (2) and (3) are not to apply in relation to the personal information.

Note:          This has the effect that only the entity with which the personal information was shared, and not the data custodian, has responsibilities under Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) in relation to the personal information held by the entity.

Give Commissioner a copy of statement about eligible data breach

             (5)  If a data scheme entity is required under section 26WK of the Privacy Act 1988 to give the Information Commissioner a statement that complies with subsection 26WK(3) of that Act, the entity must give a copy of the statement to the National Data Commissioner as soon as practicable.

Meaning of hold

             (6)  A reference in this section to an entity holding personal information is a reference to the entity holding the information within the meaning of the Privacy Act 1988.

38  Notify Commissioner of non‑personal data breach

             (1)  A data scheme entity must notify the Commissioner, in an approved form (if any) and in accordance with any requirements prescribed by a data code, if:

                     (a)  the entity reasonably suspects or becomes aware that a data breach of the entity has occurred; and

                     (b)  data involved in the breach is not personal information about one or more individuals.

Note:          Breaches involving personal information are dealt with under Part IIIC of the Privacy Act 1988 (see section 37).

             (2)  The entity must notify the Commissioner of the breach:

                     (a)  as soon as practicable, if the breach is one that a reasonable person would conclude would be likely to result in serious harm to an entity, a group of entities or a thing to which the data relates (see subsection (3)); and

                     (b)  otherwise:

                              (i)  in accordance with any time frame applicable under a data code; or

                             (ii)  if subparagraph (i) does not apply—as soon as practicable after the end of the financial year in which the breach occurred.

             (3)  In determining for the purposes of paragraph (2)(a) whether a reasonable person would conclude that the breach would, or would not, be likely to result in serious harm to an entity, a group of entities or a thing to which the data involved in the breach relates, have regard to the following:

                     (a)  the kind or kinds of data;

                     (b)  the sensitivity of the data;

                     (c)  whether the data is protected by one or more security measures and, if so, the nature of those measures;

                     (d)  the persons, or the kinds of persons, who have obtained, or who could obtain, the data;

                     (e)  the nature of the harm;

                      (f)  any other relevant matters.

Chapter 4National Data Commissioner and National Data Advisory Council

Part 4.1Introduction

  

39  Simplified outline of this Chapter

There is to be a National Data Commissioner.

The Commissioner is the regulator for the data sharing scheme, and provides advice and guidance about it. The Commissioner also has the function of advocating for the sharing and release of public sector data more generally.

The Commissioner is assisted in the performance of these functions by APS employees in the Department who are made available by the Secretary. The Commissioner may also engage contractors and consultants.

The Commissioner is also assisted by the advice of the National Data Advisory Council.

40  Commissioner to have regard to objects of Act

                   In performing functions, the Commissioner must have regard to the objects of this Act (see section 3).

Part 4.2National Data Commissioner

Division 1Establishment, functions and powers

41  National Data Commissioner

                   There is to be a National Data Commissioner.

42  Functions

             (1)  The Commissioner has the following functions:

                     (a)  the advice related functions set out in section 43;

                     (b)  the guidance related functions set out in section 44;

                     (c)  the regulatory functions set out in section 45;

                     (d)  an advocacy function of promoting understanding and acceptance of:

                              (i)  the benefits of, and best practice in, sharing and releasing public sector data; and

                             (ii)  safe data handling practices;

                     (e)  any other functions conferred on the Commissioner by this Act or the rules or by any other law of the Commonwealth;

                      (f)  to do anything incidental or conducive to the performance of any of the above functions.

             (2)  Without limiting how the Commissioner may perform the advocacy function conferred by paragraph (1)(d), the Commissioner may do so by undertaking, developing or supporting educational programs.

43  Advice related functions

                   For the purposes of paragraph 42(1)(a), the Commissioner’s advice related functions are to do the following, on request by the Minister or on the Commissioner’s own initiative:

                     (a)  advise on matters relating to the operation of this Act, including Commonwealth laws and changes to Commonwealth laws relating to this Act;

                     (b)  inform the Minister about actions to be taken by data scheme entities in order to comply with this Act;

                     (c)  report and make recommendations to the Minister in relation to this Act, or the need for or desirability of legislative or administration action in relation to this Act.

44  Guidance related functions

                   For the purposes of paragraph 42(1)(b), the Commissioner’s guidance related functions are to make:

                     (a)  data codes under section 126; and

                     (b)  guidelines under section 127.

45  Regulatory functions

                   For the purposes of paragraph 42(1)(c), the Commissioner’s regulatory functions are to regulate and enforce the data sharing scheme by performing the functions and exercising the powers conferred by Chapter 5 (regulation and enforcement), and the Regulatory Powers Act as it applies in relation to this Act.

Note:          The Commissioner and members of staff mentioned in section 47 cannot participate in sharing under this Act (see subsection 17(8)).

46  Application of finance law

                   For the purposes of the finance law (within the meaning of the Public Governance, Performance and Accountability Act 2013), the Commissioner is an official of the Department.

47  Staff

             (1)  The Secretary of the Department must:

                     (a)  make available to the Commissioner APS employees in the Department who, in the Commissioner’s opinion, have the skills, qualifications or experience necessary to assist the Commissioner to perform the Commissioner’s functions and exercise the Commissioner’s powers; and

                     (b)  do so to the extent the Commissioner reasonably requires.

             (2)  An APS employee made available to assist the Commissioner is subject to the directions of the Commissioner in relation to that assistance. The APS employee remains subject to the directions of the Secretary in relation to other matters.

48  Contractors

                   The Commissioner may, on behalf of the Commonwealth, engage persons under a written agreement to assist the Commissioner to perform or exercise the functions or powers of the Commissioner.

49  Consultants

                   The Commissioner may, on behalf of the Commonwealth, engage consultants to advise in relation to the performance of the Commissioner’s functions.

50  Delegation by Commissioner

             (1)  The Commissioner may, in writing, delegate to a member of the staff mentioned in section 47 any or all of the Commissioner’s functions or powers under:

                     (a)  this Act; or

                     (b)  the rules; or

                     (c)  the Regulatory Powers Act as it applies in relation to this Act.

Note:          Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

             (2)  Despite subsection (1), the Commissioner must not delegate:

                     (a)  functions or powers under the following provisions:

                              (i)  section 112 (directions);

                             (ii)  section 126 (data codes);

                            (iii)  section 127 (guidelines); or

                     (b)  a regulatory function, or a power in relation to a regulatory function, to the extent that the function would be performed, or the power exercised, in relation to the Department or any other agency administered by the Minister.

             (3)  In performing functions or exercising powers under the delegation, the delegate must comply with any written directions of the Commissioner.

             (4)  If the Commissioner delegates functions or powers under this section, the Commissioner must make publicly available information about the persons or class of persons to whom the functions or powers are delegated.

51  Independence of Commissioner

                   Subject to this Act and other laws of the Commonwealth, the Commissioner has discretion in the performance or exercise of the Commissioner’s functions or powers and is not subject to direction by any person in relation to the performance or exercise of those functions or powers.

Note:          The Minister may direct the Commissioner to suspend or cancel the accreditation of certain entities (see subsection 81(2)).

52  Commissioner not to be sued

                   The Commissioner, and any person acting under the direction or authority of the Commissioner, is not liable to an action, suit or proceeding in relation to an act done or omitted to be done in good faith in the performance or purported performance, or exercise or purported exercise, of a function or power conferred by this Act, the rules or a data code.

Division 2Terms and conditions etc.

53  Appointment

             (1)  The Commissioner is to be appointed by the Governor‑General by written instrument.

Note:          The Commissioner may be reappointed: see section 33AA of the Acts Interpretation Act 1901.

             (2)  A person may be appointed as the Commissioner only if the person has appropriate qualifications, skills or experience to perform the functions of the position.

54  General terms and conditions of appointment

             (1)  The Commissioner holds office for the period specified in the instrument of appointment. The period must not exceed 5 years.

             (2)  The Commissioner holds office on a full‑time basis.

             (3)  The Commissioner holds office on the terms and conditions (if any), in relation to matters not covered by this Act, that are determined by the Governor‑General.

55  Other paid work

                   The Commissioner must not engage in paid work outside the duties of the office without the Minister’s approval.

56  Remuneration

             (1)  The Commissioner is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the Commissioner is to be paid the remuneration that is prescribed by the rules.

             (2)  The Commissioner is to be paid the allowances that are prescribed by the rules.

             (3)  This section has effect subject to the Remuneration Tribunal Act 1973.

57  Leave of absence

             (1)  The Commissioner has the recreation leave entitlements that are determined by the Remuneration Tribunal.

             (2)  The Minister may grant the Commissioner leave of absence, other than recreation leave, on the terms and conditions as to remuneration or otherwise that the Minister determines.

58  Resignation

             (1)  The Commissioner may resign the Commissioner’s appointment by giving the Governor‑General a written resignation.

             (2)  The resignation takes effect on the day it is received by the Governor‑General or, if a later day is specified in the resignation, on that later day.

59  Termination of appointment

                   The Governor‑General may terminate the appointment of the Commissioner:

                     (a)  for misbehaviour; or

                     (b)  if the Commissioner is unable to perform the duties of the office because of physical or mental incapacity; or

                     (c)  if the Commissioner:

                              (i)  becomes bankrupt; or

                             (ii)  applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

                            (iii)  compounds with the Commissioner’s creditors; or

                            (iv)  makes an assignment of the Commissioner’s remuneration for the benefit of the Commissioner’s creditors; or

                     (d)  is absent, except on leave of absence, for 14 consecutive days or for 28 days in any 12 months; or

                     (e)  fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section; or

                      (f)  engages, except with the Minister’s approval, in paid work outside the duties of the office (see section 55).

60  Acting appointments

             (1)  The Minister may, by written instrument, appoint a person to act as the Commissioner:

                     (a)  during a vacancy in the office of the Commissioner (whether or not an appointment has previously been made to the office); or

                     (b)  during any period, or during all periods, when the Commissioner:

                              (i)  is absent from duty or from Australia; or

                             (ii)  is, for any reason, unable to perform the duties of the office.

Note:          For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

             (2)  A person must not be appointed to act as the Commissioner unless the person has appropriate qualifications, skills or experience, as mentioned in subsection 53(2), to be appointed as the Commissioner.

Part 4.3National Data Advisory Council

  

61  Establishment and function of Council

                   The National Data Advisory Council is established by this section, and has the function of advising the Commissioner on the following matters relating to sharing and use of public sector data:

                     (a)  ethics;

                     (b)  balancing data availability with privacy protection;

                     (c)  trust and transparency;

                     (d)  technical best practice;

                     (e)  industry and international developments;

                      (f)  any other matters.

62  Membership of Council

Membership

             (1)  The Council consists of the following members:

                     (a)  the Commissioner;

                     (b)  the Australian Statistician;

                     (c)  the Information Commissioner;

                     (d)  the Chief Scientist;

                     (e)  at least 5, and no more than 8, other members appointed by the Commissioner (the appointed members).

Chair

             (2)  The Commissioner may:

                     (a)  designate himself or herself as the Chair of the Council; or

                     (b)  by written instrument, designate an appointed member to be the Chair for the period specified in the instrument.

             (3)  At any time when a Chair is not designated under subsection (2), the Council may, by written instrument, designate a Chair itself from among the appointed members for the period specified in the instrument.

             (4)  A Chair may be designated or appointed for a maximum period of 3 years, but may be designated again or appointed again.

63  Appointment of members

             (1)  The appointed members are to be appointed by the Commissioner by written instrument, on a part‑time basis.

             (2)  The Commissioner must ensure that appointed members are persons with qualifications, skills or experience that will help the Council perform its function.

64  Term of appointment

                   An appointed member holds office for the period specified in the instrument of appointment. The period must not exceed 3 years.

65  Remuneration and allowances

             (1)  An appointed member is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the member is to be paid the remuneration that is prescribed by the rules.

             (2)  An appointed member is to be paid the allowances as are prescribed by the rules.

             (3)  This section has effect subject to the Remuneration Tribunal Act 1973.

66  Leave of absence

                   The Commissioner may grant leave of absence to an appointed member on the terms and conditions that the Commissioner determines.

67  Disclosure of interests to Minister or Commissioner

             (1)  The Commissioner must give written notice to the Minister of all interests, pecuniary or otherwise, that the Commissioner has or acquires and that conflict or could conflict with the proper performance of the Commissioner’s role as a member of the Council.

             (2)  A member of the Council other than the Commissioner must give written notice to the Commissioner of all interests, pecuniary or otherwise, that the member has or acquires and that conflict or could conflict with the proper performance of the member’s office as a member of the Council.

68  Disclosure of interests to Council

             (1)  A member of the Council who has an interest, pecuniary or otherwise, in a matter being considered or about to be considered by the Council must disclose the nature of the interest to a meeting of the Council.

             (2)  The disclosure must be made as soon as possible after the relevant facts have come to the member’s knowledge.

             (3)  The disclosure must be recorded in the minutes of the meeting.

69  Resignation of members

             (1)  An appointed member may resign as a member by giving the Commissioner a written resignation.

             (2)  The resignation takes effect on the day it is received by the Commissioner or, if a later day is specified in the resignation, on that later day.

70  Termination of appointment of members

                   The Commissioner may terminate the appointment of an appointed member:

                     (a)  for misbehaviour; or

                     (b)  if the member is unable to perform the duties of office because of physical or mental incapacity; or

                     (c)  if the member:

                              (i)  becomes bankrupt; or

                             (ii)  applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

                            (iii)  compounds with the member’s creditors; or

                            (iv)  makes an assignment of the member’s remuneration for the benefit of the member’s creditors; or

                     (d)  the member is repeatedly absent, except on leave of absence; or

                     (e)  if the member’s qualifications, skills or experience are no longer relevant to the Council function or the member has ceased to hold a professional role that was relevant to the member’s appointment.

71  Other terms and conditions of members

                   An appointed member holds office on the terms and conditions (if any), in relation to matters not covered by this Act, that are determined by the Commissioner.

72  Procedures

             (1)  The Council is to hold any meetings necessary for the performance of its functions, and must meet at least twice every calendar year.

             (2)  Meetings of the Council may be convened by the Commissioner or by the Chair.

             (3)  Except as mentioned above, the Council is to determine its own procedures.

Chapter 5Regulation and enforcement

Part 5.1Introduction

  

73  Simplified outline of this Chapter

The Commissioner may accredit entities, impose and vary conditions of accreditation, and suspend or cancel accreditation, in accordance with the accreditation framework.

If a data scheme entity breaches this Act, another data scheme entity may complain to the Commissioner. A complaint will ordinarily result in an investigation by the Commissioner, which may in turn lead to enforcement action being taken by the Commissioner against the breaching data scheme entity.

The Commissioner may also conduct assessments from time to time to ensure data scheme entities are operating in accordance with the Act. If the Commissioner reasonably suspects a data scheme entity has breached the Act, the Commissioner may investigate the entity regardless of whether a complaint has been made.

The Commissioner has power to require persons to give information, and has monitoring and investigation powers in relation to certain provisions of this Act. The Commissioner may transfer matters to a more appropriate agency, which could include the police if an offence is involved.

There are a range of enforcement options available to the Commissioner, as follows:

       (a)     making recommendations to a data scheme entity;

      (b)     giving directions if satisfied a data scheme entity has breached the Act or in emergency situations;

       (c)     issuing an infringement notice, or applying to a court for a pecuniary penalty order, if a data scheme entity contravenes a civil penalty provision;

      (d)     accepting an enforceable undertaking in relation to any aspect of this Act;

       (e)     applying to a court for an injunction if a data scheme entity has contravened, or is contravening or proposing to contravene, a civil penalty provision.

The provisions continue to apply in relation to former data scheme entities as set out in the Chapter.

Part 5.2Accreditation framework

Division 1Accreditation

74  Accreditation

Accreditation as an ADSP

             (1)  The Commissioner may accredit an entity as an ADSP if:

                     (a)  the entity applies for accreditation as an ADSP under section 76; and

                     (b)  the Commissioner is satisfied the entity meets the criteria for accreditation under section 77.

Note:          The Commissioner must give written notice of a decision under this subsection (see section 75).

Accreditation as an accredited user—most entities

             (2)  The Commissioner may accredit an entity as an accredited user if:

                     (a)  the entity applies for accreditation as an accredited user under section 76; and

                     (b)  the Commissioner is satisfied the entity meets the criteria for accreditation under section 77.

Note:          The Commissioner must give written notice of a decision under this subsection (see section 75).

Accreditation as an accredited user—certain Commonwealth bodies

             (3)  The Commissioner must accredit an entity as an accredited user if:

                     (a)  the entity is:

                              (i)  a non‑corporate Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); or

                             (ii)  a Commonwealth body prescribed by the rules for the purposes of this subparagraph; and

                     (b)  the entity applies for accreditation as an accredited user under section 76.

Note:          The Commissioner must give written notice of a decision under this subsection (see section 75).

             (4)  Before making rules to prescribe a Commonwealth body for the purposes of subparagraph (3)(a)(ii), the Minister must be satisfied that the entity meets the criteria for accreditation in section 77.

No accreditation of certain entities

             (5)  Despite subsections (1) to (3), the Commissioner must not accredit an excluded entity, or an entity for which a direction under subsection 81(2) is in force, as an ADSP or as an accredited user.

Note:          The Minister may direct the Commissioner to suspend or cancel the accreditation of certain entities (see subsection 81(2)).

General provisions relating to accreditation

             (6)  An accredited entity continues to be an accredited entity (including while its accreditation is suspended) until its accreditation is cancelled.

             (7)  Accreditation is granted on the basis that:

                     (a)  the accreditation may be suspended or cancelled under section 81; and

                     (b)  conditions of accreditation may be imposed, varied or removed under subsections 78(1) and (3); and

                     (c)  the accreditation may be cancelled, revoked, terminated or varied, and conditions of accreditation may be imposed, varied or removed, by or under later legislation; and

                     (d)  no compensation is payable in any of those events.

75  Notice of accreditation decision

             (1)  The Commissioner must give an entity written notice of a decision:

                     (a)  to accredit, or refuse to accredit, the entity under subsection 74(1) or (2); or

                     (b)  to accredit the entity under subsection 74(3).

             (2)  The Commissioner must give the notice as soon as practicable after making the decision.

             (3)  If the Commissioner accredits the entity, the notice must set out the following:

                     (a)  whether the entity is accredited as an accredited user or ADSP, or both;

                     (b)  the day the accreditation comes into force;

                     (c)  any conditions of accreditation imposed under section 78;

                     (d)  the entity’s review rights under Part 6.2 (if any).

Note:          A decision to impose conditions of accreditation for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979) is not always a reviewable decision (see paragraph 118(2)(a)).

             (4)  If the Commissioner refuses to accredit the entity, the notice must set out the following:

                     (a)  the reason for the refusal;

                     (b)  the entity’s review rights under Part 6.2 (if any).

Note:          A decision to refuse to accredit an entity for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979 is not always a reviewable decision (see paragraph 118(2)(a)).

76  Application for accreditation

             (1)  An entity may apply to the Commissioner for accreditation as an accredited user or an ADSP, or both.

Note:          Excluded entities and entities for which a direction under subsection 81(2) is in force cannot be accredited (see subsection 74(5)).

             (2)  The application must:

                     (a)  if the entity is not an individual—be made by an authorised officer on behalf of the entity; and

                     (b)  be in the form approved by the Commissioner (if any); and

                     (c)  include the evidence prescribed by the rules to support the criteria for accreditation; and

                     (d)  include consent for the Commissioner to:

                              (i)  obtain information relevant to the entity’s application for accreditation from third parties; and

                             (ii)  verify information provided by the entity with third parties.

             (3)  However, an entity to which subsection 74(3) applies need not provide the information set out in paragraph (2)(c) or (d).

Note:          Subsection 74(3) applies to certain Commonwealth bodies in certain circumstances.

77  Criteria for accreditation

             (1)  The criteria for accreditation are the following:

                     (a)  the entity is able to manage scheme data accountably and responsibly;

                     (b)  the entity has designated an appropriately qualified individual to be responsible for overseeing the management of scheme data;

                     (c)  the entity is able to apply the data sharing principles set out in section 16;

                     (d)  the entity is able to minimise the risk of unauthorised access, sharing or loss of scheme data;

                     (e)  the entity is committed to continuous improvement in ensuring the privacy and security of scheme data;

                      (f)  the entity is able to comply with an accredited entity’s obligations under the data sharing scheme;

                     (g)  the entity’s participation in the data sharing scheme would not pose concerns for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979);

                     (h)  any additional criteria prescribed under subsection (2).

             (2)  The rules may provide for additional criteria for accreditation covering any other matters the Minister considers appropriate.

Division 2Conditions of accreditation

78  Conditions of accreditation

             (1)  The Commissioner may impose conditions of accreditation that apply to an accredited entity if the Commissioner considers that doing so is:

                     (a)  appropriate for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979), including on the basis of an adverse or qualified security assessment in respect of a person; or

                     (b)  otherwise reasonable and appropriate in the circumstances.

Note 1:       Failure to comply with a condition of accreditation is a contravention of a civil penalty provision (see section 30). Such a failure may also mean an accredited entity is not authorised to collect and use scheme data (see subparagraph 13(3)(a)(iv)).

Note 2:       The Commissioner may publish the imposition of a condition of accreditation on the register of ADSPs or the register of accredited users (see sections 128 and 129).

             (2)  Conditions that may be imposed under subsection (1) include the following conditions:

                     (a)  a condition that limits the collection and use of scheme data to a specified individual or specified individuals who are authorised officers, statutory officeholders, employees, agents or members of, or contractors to, the entity;

                     (b)  a condition that limits the collection and use of scheme data to authorised officers, statutory officeholders, employees, agents or members of, or contractors to, the entity who work within, or are associated with, a specified part of the entity;

                     (c)  if the accredited entity is required to provide evidence to support the criteria for accreditation under subsection 76(2)—a condition that requires the entity to provide updated evidence to support the criteria for accreditation at specified intervals;

                     (d)  if the accredited entity is an ADSP—a condition that limits the kinds of data services the ADSP may provide, as prescribed by the rules (if any).

             (3)  The Commissioner may vary or remove a condition of accreditation at any time if the Commissioner considers that doing so is:

                     (a)  appropriate for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979), including on the basis of an adverse or qualified security assessment in respect of a person; or

                     (b)  otherwise appropriate in the circumstances.

Note           The Commissioner may publish the variation or removal of a condition of accreditation on the register of ADSPs or the register of accredited users (see sections 128 and 129).

79  Notice before decision about conditions

             (1)  The Commissioner must not impose, vary or remove a condition of accreditation under section 78, other than for reasons of security, unless the Commissioner has given the accredited entity a written notice in accordance with subsection (2).

             (2)  The notice must:

                     (a)  state the proposed condition, variation or removal; and

                     (b)  request the accredited entity to give the Commissioner, within the period specified in the notice, a written statement relating to the proposed condition, variation or removal.

             (3)  The Commissioner must consider any written statement given to the Commissioner within the period specified in the notice before making a decision to impose, vary or remove a condition of accreditation under section 78.

             (4)  A notice under subsection (2) is not required to include the request referred to in paragraph (2)(b) if the Commissioner reasonably believes that the reasons for imposing, varying or removing a condition of accreditation under section 78 are serious and urgent.

80  Notice of conditions

             (1)  Subject to subsection (2), the Commissioner must give an accredited entity written notice of a decision under section 78.

             (2)  The Commissioner is not required to give an accredited entity notice of a decision under subsection (1) if the Commissioner gave the entity notice of the condition in a notice under subsection 75(1).

             (3)  The Commissioner must give the notice as soon as practicable after making the decision.

             (4)  The notice must:

                     (a)  state the condition or the variation, or state that the condition is removed;

                     (b)  state the day on which the condition, variation or removal takes effect;

                     (c)  include a statement setting out the entity’s review rights under Part 6.2 (if any).

Note:          A decision to impose, vary or remove a condition of an accredited entity’s accreditation for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979 is not always a reviewable decision (see paragraph 118(2)(a)).

Division 3Suspension and cancellation of accreditation

81  Suspension or cancellation of accreditation

Suspension or cancellation—most entities

             (1)  The Commissioner may suspend or cancel the accreditation of an entity accredited under subsection 74(1) or (2) if any of the following circumstances exist:

                     (a)  the Commissioner reasonably believes that the entity has breached a condition of accreditation;

                     (b)  the Commissioner is reasonably satisfied that the entity does not meet the criteria for accreditation under section 77;

                     (c)  the Commissioner reasonably believes that the entity has provided false or misleading information to the Commissioner;

                     (d)  the Commissioner:

                              (i)  for suspension—reasonably believes that the accredited entity has breached the Act; or

                             (ii)  for cancellation—determines under subsection 102(1) that the accredited entity has breached the Act;

                     (e)  the Commissioner determines it is in the national interest;

                      (f)  for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979), including on the basis of an adverse or qualified security assessment in respect of a person.

Note:          An accredited entity continues to be an accredited entity (including while its accreditation is suspended) until its accreditation is cancelled (see subsection 74(6)).

Suspension or cancellation—certain Commonwealth bodies

             (2)  If the Minister considers it appropriate, the Minister may, in writing, direct the Commissioner to suspend or cancel the accreditation of an entity accredited under subsection 74(3). The direction may specify:

                     (a)  the period of suspension, or that suspension is indefinite; or

                     (b)  the date of cancellation.

             (3)  If the Minister directs the Commissioner under subsection (2), the Commissioner must suspend or cancel the accreditation of the entity in accordance with the direction.

             (4)  The direction remains in force until revoked by the Minister. The Minister must notify the Commissioner and the entity if the Minister revokes the direction.

Note:          The entity cannot be accredited again while the direction remains in force (see subsection 74(5)).

             (5)  A direction given under subsection (2) is not a legislative instrument.

Cancellation on request

             (6)  The Commissioner may cancel the accreditation of any accredited entity at the request of the entity.

Circumstances in which cancellation does not take effect

             (7)  Unless the Commissioner otherwise determines, a decision to cancel an entity’s accreditation does not take effect if the entity has not complied with a direction given by the Commissioner under paragraph 112(1)(a) (direction for the purposes of ensuring that the entity does not hold scheme data after the cancellation).

82  Notice before decision about suspension or cancellation

Notice—most entities

             (1)  The Commissioner must not suspend or cancel an accredited entity’s accreditation under subsection 81(1), other than for reasons of security, unless the Commissioner has given the accredited entity a written notice in accordance with subsection (2) of this section.

             (2)  The notice must:

                     (a)  state the circumstance that exists for the proposed suspension or cancellation under subsection 81(1); and

                     (b)  state:

                              (i)  if suspension is proposed—the period of suspension, or that the proposed suspension is indefinite; or

                             (ii)  if cancellation is proposed—the date proposed for the cancellation to take effect; and

                     (c)  request the accredited entity to give the Commissioner, within the period specified in the notice, a written statement showing cause why the accreditation should not be suspended or cancelled.

             (3)  The Commissioner must consider any written statement given to the Commissioner within the period specified in the notice before making a decision under subsection 81(1).

             (4)  A notice under subsection (2) is not required to include the request referred to in paragraph (2)(c) if the Commissioner reasonably believes that the reasons for making a decision under subsection 81(1) are serious and urgent.

Notice—certain Commonwealth bodies

             (5) The Minister must not give a direction to the Commissioner under subsection 81(2), other than for reasons of security, unless the Minister has given the accredited entity the subject of the direction a written notice in accordance with subsection (6).

             (6)  The notice must:

                     (a)  state why the Minister is considering giving a direction under subsection 81(2) in relation to the entity; and

                     (b)  state:

                              (i)  if suspension is proposed—the period of suspension, or that the proposed suspension is indefinite; or

                             (ii)  if cancellation is proposed—the date proposed for the cancellation to take effect; and

                     (c)  request the accredited entity to give the Minister, within the period specified in the notice, a written statement showing cause why the Minister should not give the Commissioner the direction.

             (7)  The Minister must consider any written statement given to the Minister within the period specified in the notice before giving the Commissioner a direction under subsection 81(2).

             (8)  A notice under subsection (6) is not required to include the request referred to in paragraph (6)(c) if the Minister reasonably believes that the reasons for giving the Commissioner the direction are serious and urgent.

83  Notice of suspension or cancellation

             (1)  The Commissioner must give an accredited entity written notice of a decision under subsection 81(1) or (3) to suspend or cancel the entity’s accreditation in accordance with subsection (3) of this section.

             (2)  The Commissioner must give the notice as soon as practicable after making the decision.

             (3)  The notice must state the following:

                     (a)  if accreditation is suspended or cancelled under subsection 81(1)—the circumstance that exists for the suspension or cancellation under subsection 81(1);

                     (b)  if accreditation is suspended or cancelled under subsection 81(3)—that the Minister has directed the Commissioner to suspend or cancel accreditation;

                     (c)  if accreditation is suspended—the period of suspension or that the suspension is indefinite;

                     (d)  if accreditation is cancelled—the date the cancellation takes effect, including the effect of subsection 81(7) if relevant;

                     (e)  the entity’s review rights (if any) under Part 6.2.

Note 1:       The effect of subsection 81(7) is that a cancellation decision does not usually take effect if an accredited entity has not complied with a direction given by the Commissioner under paragraph 112(1)(a) (direction for the purposes of ensuring that the entity does not hold scheme data after the cancellation).

Note 2:       A decision to suspend or cancel an accredited entity’s accreditation for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979 is not always a reviewable decision (see paragraph 118(2)(a)).

Division 4Transfer of accreditation

84  Transfer of accreditation

             (1)  This section applies if an accredited entity (the old entity) changes, or proposes to change, its governance structure to become a new or different entity (the new entity).

Example 1: This section would apply if an accredited entity which is a partnership becomes, or proposes to become, a company.

Example 2: This section would also apply if an accredited entity which is a company becomes, or proposes to become, a new company.

             (2)  The old entity or the new entity (the applicant) may apply to the Commissioner to transfer the old entity’s accreditation to the new entity.

             (3)  The application must be in the form approved by the Commissioner (if any), and must be accompanied by any information required by the Commissioner.

             (4)  The Commissioner may transfer accreditation if the Commissioner considers that the new entity will continue to meet:

                     (a)  the criteria for accreditation under section 77; and

                     (b)  any conditions of accreditation that apply to the old entity.

85  Notice of transfer decision

             (1)  The Commissioner must give the applicant referred to in subsection 84(2) written notice of a decision to transfer or refuse to transfer accreditation under subsection 84(4).

             (2)  The Commissioner must give the notice as soon as practicable after making the decision.

             (3)  The notice must state:

                     (a)  if the transfer is approved—the date the transfer takes effect; or

                     (b)  if the transfer is refused:

                              (i)  why the transfer is refused; and

                             (ii)  the applicant’s review rights under Part 6.2.

Division 5Rules and further information

86  Rules relating to the accreditation framework

                   The rules may provide for procedures, requirements and any other matters relating to the accreditation of entities for the purposes of the data sharing scheme.

Note:          The rules may prescribe fees in relation to services provided under the accreditation framework (see section 139).

87  Further information or evidence

             (1)  The Commissioner may, by notice in writing, request further information or evidence from an entity for the purpose of making a decision under this Part, including information or evidence prescribed by the rules.

             (2)  If the Commissioner requests information or evidence under subsection (1), the Commissioner need not make the decision under this Part until the entity provides the information or evidence.

Part 5.3Complaints

Division 1Complaints

88  Making complaints

             (1)  A data scheme entity may complain to the Commissioner if the complainant reasonably believes that another entity breached this Act while the other entity was a data scheme entity.

             (2)  An entity that ceased to be a data scheme entity no more than 12 months earlier may also complain to the Commissioner if the complainant has the reasonable belief mentioned in subsection (1).

             (3)  A complaint must:

                     (a)  specify the respondent (see section 89); and

                     (b)  be made in an approved form (if any); and

                     (c)  meet any requirements prescribed by a data code.

             (4)  This section has effect subject to section 94 in relation to a representative complaint (see Division 2 of this Part).

89  Respondents

             (1)  If the complaint is about an entity that is a Commonwealth body, the respondent is whichever of the following applies:

                     (a)  if the Commonwealth body is a body corporate or an individual—the Commonwealth body;

                     (b)  if the Commonwealth body is unincorporated—the principal executive of the Commonwealth body within the meaning of section 37 of the Privacy Act 1988.

             (2)  If the complaint is about an entity that is not a Commonwealth body, the respondent is the entity.

Note:          See sections 124 and 125 for the treatment of certain entities that are not legal persons.

90  Communicating with complainant

             (1)  The Commissioner must, no later than 30 days after receiving a complaint, give the complainant written notice setting out how the Commissioner is dealing with, or intends to deal with, the complaint.

             (2)  The Commissioner may, by written notice given to the complainant, request the complainant to give the Commissioner, within the period specified in the notice, further information in connection with the complaint.

             (3)  If the Commissioner makes a request under subsection (2):

                     (a)  the Commissioner need not take any further action in relation to the complaint until the complainant complies with the request; and

                     (b)  if the request is made before the end of the 30 day period mentioned in subsection (1)—the 30 day period mentioned in that subsection is taken to start on the day the complainant complies with the request.

             (4)  The Commissioner does not need to comply with subsection (1) of this section if the Commissioner gives the complainant a notice under subsection 92(2) (grounds for not dealing with complaints) on or before the last day for complying with subsection (1).

91  Dealing with complaints

             (1)  If the Commissioner receives a complaint under section 88, the Commissioner must:

                     (a)  make any preliminary inquiries, of the complainant, respondent or any other person, that the Commissioner considers necessary for the purposes of determining whether and how to deal with the complaint; and

                     (b)  consider whether it would be appropriate to deal with the complaint by conciliation and, if so, deal with it or arrange for it to be dealt with in that way.

Note:          If satisfied that it is not appropriate to deal with the complaint by conciliation, or if the complaint has been conciliated but not resolved, the Commissioner must start an investigation under section 101.

             (2)  Paragraph (1)(b) does not apply if the Commissioner is satisfied that a ground exists for not dealing with the complaint (see section 92).

92  Grounds for not dealing with complaints

             (1)  A ground exists for not dealing with a complaint if any of the following applies:

                     (a)  the Commissioner is satisfied that the respondent has not breached and is not breaching the Act;

                     (b)  the complainant fails to satisfy the Commissioner that:

                              (i)  the complainant has complained about the breach to the respondent; or

                             (ii)  it would not be appropriate for the complainant to do so;

                     (c)  the complainant has complained about the breach to the respondent before complaining to the Commissioner and the Commissioner is satisfied that:

                              (i)  the respondent has dealt, or is dealing, adequately with the complaint; or

                             (ii)  the respondent has not had an adequate opportunity to deal with the complaint;

                     (d)  the complaint was made more than 12 months after the complainant first reasonably believed the respondent breached this Act;

                     (e)  the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith;

                      (f)  an investigation, or further investigation, of the breach is not warranted having regard to all the circumstances;

                     (g)  the complainant has not responded, within the period specified by the Commissioner, to a request for information in relation to the complaint;

                     (h)  the breach is being dealt with, or would be more effectively or appropriately dealt with, by an external dispute resolution scheme recognised under section 131;

                      (i)  the breach is the subject of an application under another Commonwealth law, or a State or Territory law, and the subject matter of the complaint has been, or is being, dealt with adequately under that law;

                      (j)  another Commonwealth law, or a State or Territory law, provides a more appropriate remedy for the breach that is the subject of the complaint (including where the Commissioner has formed the opinion mentioned in section 107 (transfer of matters to appropriate authority));

                     (k)  the complainant has withdrawn the complaint.

             (2)  If the Commissioner decides at any time to cease dealing with a complaint because a ground exists for not dealing with the complaint, the Commissioner must give written notice of the Commissioner’s decision, and the reasons for it, to:

                     (a)  the complainant; and

                     (b)  if the Commissioner has notified the respondent of the complaint—the respondent.

93  Admissibility of things said or done in conciliation

                   If a complaint is dealt with by conciliation, evidence of anything said or done in the course of the conciliation is not admissible in any legal proceedings relating to the complaint or the matters that are the subject of the complaint, unless:

                     (a)  the complainant and respondent otherwise agree; or

                     (b)  the thing was said or done in the course of committing an offence or contravening a civil penalty provision.

Division 2Representative complaints

94  Conditions for making a representative complaint

             (1)  A representative complaint may be made under section 88 only if:

                     (a)  the class members have complaints against the same entity; and

                     (b)  all the complaints are in respect of, or arise out of, the same, similar or related circumstances; and

                     (c)  all the complaints give rise to a substantial common issue of law or fact.

             (2)  A representative complaint made under section 88 must:

                     (a)  describe or otherwise identify the class members (it is not necessary for this purpose to name them or specify how many there are); and

                     (b)  specify the nature of the complaints made on behalf of the class members; and

                     (c)  specify the nature of the relief sought; and

                     (d)  specify the questions of law or fact that are common to the complaints of the class members.

             (3)  A representative complaint may be made without the consent of class members.

95  Commissioner may determine that a complaint is not to continue as a representative complaint

             (1)  The Commissioner may, on application by the respondent or on the Commissioner’s own initiative, determine that a complaint should no longer continue as a representative complaint.

             (2)  The Commissioner may make the determination only if satisfied that it is in the interests of justice to do so for any of the following reasons:

                     (a)  the costs that would be incurred if the complaint were to continue as a representative complaint are likely to exceed the costs that would be incurred if each class member made a separate complaint;

                     (b)  the representative complaint will not provide an efficient and effective means of dealing with the complaints of the class members;

                     (c)  the complaint was not brought in good faith as a representative complaint;

                     (d)  it is otherwise inappropriate that the complaints be pursued by means of a representative complaint.

             (3)  If the Commissioner makes the determination, the complaint may be continued by the complainant, or by any other class member, as a complaint on the complainant’s or class member’s own behalf against the respondent.

96  Additional rules applying to the determination of representative complaints

             (1)  The Commissioner may, on application by a class member, replace the complainant with another class member, if it appears to the Commissioner that the complainant is not able adequately to represent the interests of the class members.

             (2)  A class member may, by notice in writing to the Commissioner, withdraw from a representative complaint:

                     (a)  if the complaint was made without the consent of the member—at any time; or

                     (b)  otherwise—at any time before the Commissioner begins to hold an inquiry into the complaint.

Note:          If a class member withdraws from a representative complaint that relates to a matter, the former class member may make a complaint under section 88 that relates to the matter.

             (3)  The Commissioner may at any stage direct that notice of any matter be given to a class member or class members.

97  Amendment of representative complaints

                   If the Commissioner is satisfied that a complaint could be dealt with as a representative complaint if the class of persons on whose behalf the complaint is made is increased, reduced or otherwise altered, the Commissioner may amend the complaint so that the complaint can be dealt with as a representative complaint.

98  Class member for representative complaint not entitled to lodge individual complaint

                   A person who is a class member for a representative complaint is not entitled to lodge a complaint in respect of the same subject matter.

Part 5.4Assessments and investigations

  

99  Assessments

             (1)  The Commissioner may, from time to time, assess whether conduct that an entity engages or engaged in while it is or was a data scheme entity is consistent with the requirements of this Act.

             (2)  The Commissioner may conduct an assessment in any manner the Commissioner considers appropriate.

             (3)  The Commissioner may, for the purposes of an assessment, obtain information from any person, and make any inquiries, the Commissioner considers appropriate.

Note:          The Commissioner may require a person to give information or documents for the purposes of the Commissioner’s functions under this Part (see section 104), and may exercise powers under the Regulatory Powers Act to monitor compliance with certain provisions of this Act (see section 109).

             (4)  If the Commissioner invites submissions in relation to an assessment, the Commissioner must have regard to any submissions made in response to the invitation.

100  Notices of assessment

             (1)  The Commissioner must give an entity written notice before starting, and on completion of, an assessment of the operations of the entity.

             (2)  The notice given before starting the assessment must specify the intended scope of the assessment.

101  Investigations

             (1)  The Commissioner must investigate conduct engaged in by an entity, so far as it relates to a complaint made about the entity under section 88, if:

                     (a)  the Commissioner has considered under paragraph 91(1)(b) whether it would be appropriate to deal with the complaint by conciliation; and

                     (b)  either of the following applies:

                              (i)  the Commissioner is satisfied that it is not appropriate to do so;

                             (ii)  the complaint has been dealt with but not resolved by conciliation.

             (2)  The Commissioner may investigate conduct engaged in by an entity while it is or was a data scheme entity if the Commissioner reasonably suspects that the entity has breached this Act.

             (3)  An investigation may be conducted while the entity is, or after it has ceased to be, a data scheme entity.

             (4)  The Commissioner may cease an investigation at any time if the Commissioner is satisfied that a ground exists for not dealing with the complaint (if any) to which the investigation relates (see section 92).

             (5)  The Commissioner may conduct an investigation in any manner the Commissioner considers appropriate.

             (6)  The Commissioner may, for the purposes of an investigation, obtain information from any person, and make any inquiries, the Commissioner considers appropriate.

Note:          The Commissioner may require a person to give information or documents for the purposes of an investigation (see section 104), and may exercise powers under the Regulatory Powers Act to investigate breaches of certain provisions of this Act (see section 110).

             (7)  If the Commissioner invites submissions in relation to an investigation, the Commissioner must have regard to any submissions made in response to the invitation.

102  Determination on completion of investigation

             (1)  If the Commissioner completes an investigation of the operations of an entity under this Part, the Commissioner must make a written determination setting out:

                     (a)  the Commissioner’s opinion as to whether the entity has breached this Act, or is breaching or proposing to breach this Act, and the reasons for that opinion; and

                     (b)  if the Commissioner is satisfied that the entity has breached this Act, or is breaching or proposing to breach this Act—an indication of any action the Commissioner has decided to take in relation to the entity’s accreditation, or under Part 5.5 (regulatory powers and enforcement) of this Act or the Regulatory Powers Act as it applies in relation to this Act.

Note:          The Commissioner must give the determination to the entity and may give it to the complainant (see subsection 103(3)).

             (2)  The Commissioner may make the determination publicly available, in any manner, and for any period (including indefinitely), the Commissioner considers appropriate.

             (3)  The Commissioner may, in writing, vary or revoke the determination.

             (4)  A determination made under subsection (1) is not a legislative instrument.

103  Notices relating to investigation

             (1)  The Commissioner must give an entity written notice before starting an investigation of the operations of the entity.

             (2)  The notice must specify the intended scope of the investigation.

             (3)  On completion of the investigation, the Commissioner:

                     (a)  must give the entity the determination made under section 102 in relation to the investigation; and

                     (b)  if the investigation relates to a complaint—may also give the complainant that determination.

             (4)  If the Commissioner varies or revokes the determination, the Commissioner must give the variation or revocation to the entities that were given the determination under subsection (3).

Part 5.5Regulatory powers and enforcement

  

104  Power to require information and documents

             (1)  If the Commissioner reasonably believes that a person has information or a document relevant to an investigation under section 101, or to any other of the Commissioner’s regulatory functions set out in section 45, the Commissioner may, by written notice given to the person, require the person to give the information, or produce the document, to the Commissioner within the period specified in the notice.

Note:          There are limits on the information and documents that may be required (see section 106).

             (2)  If:

                     (a)  a person is given a notice under subsection (1); and

                     (b)  the notice relates to an investigation under section 101;

the person must comply with the notice.

Civil penalty:          300 penalty units.

             (3)  A person commits an offence if:

                     (a)  the person is given a notice under subsection (1); and

                     (b)  the notice relates to an investigation under section 101; and

                     (c)  the person fails to comply with the notice.

Penalty:  Imprisonment for 12 months.

             (4)  If the person produces a document to the Commissioner in compliance with the notice, the Commissioner:

                     (a)  may take possession of, and may make copies of, or take extracts from, the document; and

                     (b)  may retain possession of the document for any period necessary for the purposes of the investigation; and

                     (c)  must, during that period, permit any person who would be entitled to inspect the document if it were not in the Commissioner’s possession to inspect the document at any reasonable time.

105  Legal professional privilege

             (1)  A person is not excused from complying with a notice under section 104 on the ground that giving the information or producing the document would disclose a communication protected against disclosure by legal professional privilege.

             (2)  However:

                     (a)  the information given or document produced; and

                     (b)  the giving of the information or production of the document;

are not admissible in evidence against a person in any civil or criminal proceedings.

             (3)  The fact that a person is not excused from complying with the notice on the ground mentioned in subsection (1) does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information or document.

106  Limits on power to require information and documents

Excluded entities

             (1)  A notice under subsection 104(1) must not require a person to give information or a document that is held by, or that originated with or was received from, an excluded entity.

Public interest certificate

             (2)  A notice under subsection 104(1) must not require a person to give information relating to a matter, or to give a document, specified in a certificate given to the Commissioner under subsection (3) of this section.

             (3)  The Attorney‑General may give the Commissioner a certificate stating that, in the opinion of the Attorney‑General, giving information in relation to a specified matter, or giving a specified document, would be contrary to the public interest because it would do any of the following:

                     (a)  prejudice the security, defence or international relations of Australia;

                     (b)  involve the disclosure of communications between a Minister of the Commonwealth and a Minister of a State or Territory, being a disclosure that would prejudice relations between the Commonwealth government and the government of a State or Territory;

                     (c)  involve the disclosure of deliberations or decisions of the Cabinet or of a Committee of the Cabinet;

                     (d)  involve the disclosure of deliberations or advice of the Executive Council;

                     (e)  prejudice the conduct of an investigation or inquiry into crime or criminal activity that is currently being pursued, or prejudice the fair trial of any person;

                      (f)  disclose, or enable a person to ascertain, the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;

                     (g)  prejudice the effectiveness of the operational methods or investigative practices or techniques of agencies responsible for the enforcement of the criminal law;

                     (h)  endanger the life or physical safety of any person.

Parliamentary privilege

             (4)  Nothing in section 104 affects the privileges and immunities of a House of the Parliament, a member of a House of the Parliament or a committee within the meaning of the Parliamentary Privileges Act 1987.

107  Transfer of matters to appropriate authority

                   If, at any time while dealing with a matter under this Act (including a complaint), the Commissioner forms the opinion that the matter:

                     (a)  is capable of being dealt with by an agency or body to which the Commissioner is authorised to disclose information under section 108; and

                     (b)  could be more effectively or conveniently dealt with by that agency or body;

the Commissioner may cease to deal with the matter and request the other agency or body to deal with the matter instead.

Note:          The Commissioner may give the agency or body any relevant information under section 108.

108  Authorisation for Commissioner to disclose and receive information

Disclose

             (1)  The Commissioner may disclose, or authorise a member of the staff mentioned in section 47 to disclose, information (including personal information) to an agency or body covered by subsection (2) if:

                     (a)  the information was collected by the Commissioner or staff member in the course of performing functions under this Act; and

                     (b)  the Commissioner is satisfied that the information will assist the agency or body to perform any of its functions or exercise any of its powers.

             (2)  This subsection covers the following agencies and bodies:

                     (a)  the Information Commissioner;

                     (b)  a State body, or a Territory body, whose functions include functions that correspond to those of the Information Commissioner;

                     (c)  the Commonwealth Ombudsman;

                     (d)  a State body, or a Territory body, whose functions include functions that correspond to those of the Commonwealth Ombudsman;

                     (e)  the Australian Securities and Investments Commission;

                      (f)  the Australian Competition and Consumer Commission;

                     (g)  a regulatory authority of a foreign country whose functions include functions that correspond to those of a person mentioned in paragraph (a), (c), (e) or (f);

                     (h)  the Australian National Audit Office;

                      (i)  the Australian Federal Police;

                      (j)  the police force, or police service, of a State or Territory;

                     (k)  the Australian Commission for Law Enforcement Integrity;

                      (l)  AUSTRAC (within the meaning of the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006);

                    (m)  the Australian Security Intelligence Organisation;

                     (n)  the Inspector‑General of Intelligence and Security;

                     (o)  an agency or body prescribed by the rules for the purposes of this paragraph.

Receive

             (3)  The Commissioner, or a member of the staff mentioned in section 47, is authorised to receive information disclosed by an agency or body covered by subsection (2) for the purposes of assisting the Commissioner or staff member to perform any of their functions or exercise any of their powers.

109  Monitoring powers

Monitoring powers

             (1)  The following provisions of this Act are subject to monitoring under Part 2 of the Regulatory Powers Act:

                     (a)  a civil penalty provision;

                     (b)  subsections 14(2) and (4) (offences for unauthorised sharing, collection and use) and subsection 104(3) (failure to comply with notice given under subsection 104(1));

                     (c)  a provision of Chapter 3 (responsibilities of data scheme entities).

Note:          Part 2 of the Regulatory Powers Act creates a framework for monitoring whether a provision is being complied with. It includes powers of entry and inspection.

Information subject to monitoring

             (2)  Information given in compliance or purported compliance with a provision of this Act is subject to monitoring under Part 2 of the Regulatory Powers Act.

Note:          Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the information is correct. It includes powers of entry and inspection.

Related provisions, authorised applicant, authorised person, issuing officer, relevant chief executive and relevant court

             (3)  For the purposes of Part 2 of the Regulatory Powers Act, as that Part applies in relation to the provisions mentioned in subsection (1) and the information mentioned in subsection (2):

                     (a)  there are no related provisions; and

                     (b)  the Commissioner is an authorised applicant; and

                     (c)  the Commissioner is an authorised person; and

                     (d)  any judicial officer within the meaning of the Regulatory Powers Act is an issuing officer; and

                     (e)  the Commissioner is the relevant chief executive; and

                      (f)  each of the following is a relevant court:

                              (i)  the Federal Court;

                             (ii)  the Circuit Court;

                            (iii)  a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.

Person assisting

             (4)  An authorised person may be assisted by other persons in exercising powers or performing functions or duties under Part 2 of the Regulatory Powers Act in relation to the provisions mentioned in subsection (1) and the information mentioned in subsection (2).

110  Investigation powers

Provisions subject to investigation

             (1)  The following provisions of this Act are subject to investigation under Part 3 of the Regulatory Powers Act:

                     (a)  a civil penalty provision;

                     (b)  an offence against this Act;

                     (c)  a provision of Chapter 3 (responsibilities of data scheme entities).

Note 1:       Part 3 of the Regulatory Powers Act creates a framework for investigating whether a provision has been contravened. It includes powers of entry, search and seizure.

Note 2:       The meaning of offence against this Act is extended by the definition in section 9.

Related provisions, authorised applicant, authorised person, issuing officer, relevant chief executive and relevant court

             (2)  For the purposes of Part 3 of the Regulatory Powers Act, as that Part applies in relation to evidential material that relates to a provision mentioned in subsection (1):

                     (a)  there are no related provisions; and

                     (b)  the Commissioner is an authorised applicant; and

                     (c)  the Commissioner is an authorised person; and

                     (d)  any judicial officer within the meaning of the Regulatory Powers Act is an issuing officer; and

                     (e)  the Commissioner is the relevant chief executive; and

                      (f)  each of the following is a relevant court:

                              (i)  the Federal Court;

                             (ii)  the Circuit Court;

                            (iii)  a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.

Person assisting

             (3)  An authorised person may be assisted by other persons in exercising powers or performing functions or duties under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a provision mentioned in subsection (1).

111  Recommendations

                   If the Commissioner completes an assessment or investigation, under Part 5.4, of the operations of a data scheme entity, the Commissioner may give the entity written recommendations about any action the Commissioner considers the entity should take in relation to matters covered by the assessment or investigation.

112  Directions

             (1)  The Commissioner may give a data scheme entity a written direction:

                     (a)  if the Commissioner intends to cancel the entity’s accreditation—for the purposes of ensuring that the entity does not hold scheme data after the cancellation; or

                     (b)  in either of the following situations:

                              (i)  the Commissioner is satisfied that the entity has not acted consistently with this Act;

                             (ii)  the Commissioner is satisfied that giving the entity a direction under this section is necessary to properly address an emergency or a high risk situation.

             (2)  The direction may require the entity to do, or cease doing, specified actions for the purposes mentioned in paragraph (1)(a) or for the purpose of addressing the situation mentioned in paragraph (1)(b) or ensuring that it does not occur again.

             (3)  The entity must comply with the direction.

Civil penalty:          300 penalty units.

             (4)  A direction under subsection (1) is not a legislative instrument.

113  Civil penalty provisions

Enforceable civil penalty provisions

             (1)  Each civil penalty provision of this Act is enforceable under Part 4 of the Regulatory Powers Act.

Note:          Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

             (2)  However, an authorised applicant may not apply under section 82 of the Regulatory Powers Act for an order that a person pay a pecuniary penalty in relation to a contravention of a civil penalty provision of this Act unless the Commissioner has made a determination under section 102 of this Act setting out the Commissioner’s opinion that the person has contravened the provision.

Authorised applicant and relevant court

             (3)  For the purposes of Part 4 of the Regulatory Powers Act:

                     (a)  the Commissioner is an authorised applicant in relation to the civil penalty provisions in this Act; and

                     (b)  each of the following is a relevant court in relation to the civil penalty provisions of this Act:

                              (i)  the Federal Court;

                             (ii)  the Circuit Court;

                            (iii)  a court of a State or Territory that has jurisdiction in relation to the matter.

114  Infringement notices

Provisions subject to an infringement notice

             (1)  A civil penalty provision of this Act is subject to an infringement notice under Part 5 of the Regulatory Powers Act.

Note:          Part 5 of the Regulatory Powers Act creates a framework for using infringement notices in relation to provisions.

             (2)  However, an infringement officer may not give a person an infringement notice under section 103 of the Regulatory Powers Act in relation to a contravention of a civil penalty provision of this Act unless the Commissioner has made a determination under section 102 of this Act setting out the Commissioner’s opinion that the person has contravened the provision.

Infringement officer and relevant chief executive

             (3)  For the purposes of Part 5 of the Regulatory Powers Act:

                     (a)  the Commissioner is an infringement officer in relation to the provisions mentioned in subsection (1); and

                     (b)  the Commissioner is the relevant chief executive in relation to the provisions mentioned in subsection (1).

Single infringement notice may deal with more than one contravention

             (4)  Despite subsection 103(3) of the Regulatory Powers Act, a single infringement notice may be given to a person in respect of:

                     (a)  2 or more alleged contraventions of a provision mentioned in subsection (1); or

                     (b)  alleged contraventions of 2 or more provisions mentioned in subsection (1).

However, the notice must not require the person to pay more than one amount in respect of the same conduct.

115  Enforceable undertakings

Enforceable provisions

             (1)  The provisions of this Act are enforceable under Part 6 of the Regulatory Powers Act.

Note:          Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised person and relevant court

             (2)  For the purposes of Part 6 of the Regulatory Powers Act:

                     (a)  the Commissioner is an authorised person in relation to the provisions of this Act; and

                     (b)  each of the following is a relevant court in relation to the provisions of this Act:

                              (i)  the Federal Court;

                             (ii)  the Circuit Court;

                            (iii)  a court of a State or Territory that has jurisdiction in relation to the matter.

Enforceable undertaking may be published on the Commissioner’s website

             (3)  An authorised person in relation to a provision mentioned in subsection (1) may make an undertaking given in relation to the provision publicly available.

116  Injunctions

Enforceable provisions

             (1)  The following provisions of this Act are enforceable under Part 7 of the Regulatory Powers Act:

                     (a)  a civil penalty provision;

                     (b)  a provision of Chapter 3 (responsibilities of data scheme entities).

Note:          Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.

             (2)  However, an authorised person may not apply under section 121 of the Regulatory Powers Act for an injunction in relation to conduct in contravention of a civil penalty provision of this Act unless the Commissioner has made a determination under section 102 of this Act setting out the Commissioner’s opinion that the person has contravened, is contravening or is proposing to contravene the provision.

Authorised person and relevant court

             (3)  For the purposes of Part 7 of the Regulatory Powers Act:

                     (a)  the Commissioner is an authorised person in relation to the provisions mentioned in subsection (1); and

                     (b)  each of the following is a relevant court in relation to the provisions mentioned in subsection (1):

                              (i)  the Federal Court;

                             (ii)  the Circuit Court;

                            (iii)  a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.

Chapter 6Other matters

Part 6.1Introduction

  

117  Simplified outline of this Chapter

Some of the administrative aspects of the data sharing scheme are set out in this Chapter.

Administrative decisions made by the Commissioner are reviewable by the Administrative Appeals Tribunal.

The following kinds of legislative instruments may be made for the purposes of the data sharing scheme:

       (a)     data codes (made by the Commissioner);

      (b)     rules (made by the Minister);

       (c)     regulations (made by the Governor‑General).

The Commissioner may also make the following non‑legislative instruments:

       (a)     guidelines;

      (b)     registers making certain information about accredited entities and the mandatory terms in data sharing agreements publicly available;

       (c)     instruments recognising external dispute resolution providers and approving forms.

Some other matters of detail are also set out in this Chapter.

Part 6.2Review of decisions

  

118  Reviewable decisions

             (1)  A decision made by the Commissioner in the exercise of any of the Commissioner’s regulatory functions set out in section 45 is a reviewable decision.

             (2)  Despite subsection (1), the following are not reviewable decisions:

                     (a)  any of the following decisions about the accreditation of a foreign entity, if made for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979):

                              (i)  to refuse to accredit the entity;

                             (ii)  to suspend or cancel accreditation;

                            (iii)  to impose, vary or remove a condition of accreditation;

                     (b)  a decision to suspend or cancel the accreditation of an entity as required by subsection 81(3);

                     (c)  a decision under section 107 (transfer of matters to appropriate authority);

                     (d)  a decision under section 108 (authorisation for Commissioner to disclose and receive information).

119  Applications for reconsideration of decisions made by delegates of the Commissioner

             (1)  If a person is affected by a reviewable decision made by a delegate of the Commissioner, the person may apply to the Commissioner for reconsideration of the decision.

             (2)  The application must:

                     (a)  be in an approved form (if any); and

                     (b)  set out the reasons for the application.

             (3)  If the rules prescribe a fee for making an application under this section, the application is taken not to have been made unless the fee is paid.

120  Reconsideration by the Commissioner

             (1)  If an application is made under subsection 119(1) for reconsideration of a reviewable decision, the Commissioner must:

                     (a)  reconsider the decision; and

                     (b)  affirm, vary or revoke the decision.

             (2)  The Commissioner’s decision on reconsideration of a decision has effect as if it had been made under the provision under which the original decision was made.

             (3)  The Commissioner must give the applicant a written notice stating the Commissioner’s decision on the reconsideration.

             (4)  Within 28 days after making the decision on the reconsideration, the Commissioner must give the applicant a written statement of the Commissioner’s reasons for the decision.

             (5)  If the Commissioner’s functions under this section are performed by a delegate of the Commissioner, the delegate who reconsiders the reviewable decision:

                     (a)  must not have been involved in making the reviewable decision; and

                     (b)  must hold a position, or perform duties, of at least the same level as the delegate who made the reviewable decision.

Note:          The Commissioner may delegate functions and powers to certain APS employees in the Department (see sections 47 and 50).

121  Deadline for reconsideration

             (1)  The Commissioner must make a decision on reconsideration of a decision within 90 days after receiving an application for reconsideration.

             (2)  The Commissioner is taken, for the purposes of this Part, to have made a decision affirming the original decision if the Commissioner has not informed the applicant of the Commissioner’s decision on the reconsideration before the end of the period of 90 days.

122  Review by the Administrative Appeals Tribunal

                   Applications may be made to the Administrative Appeals Tribunal to review a reviewable decision if either of the following apply:

                     (a)  the decision was made personally by the Commissioner;

                     (b)  the decision has been affirmed or varied under paragraph 120(1)(b).

Part 6.3Treatment of certain entities

  

123  Treatment of Commonwealth bodies, State bodies and Territory bodies

             (1)  This Act applies to an entity that is a Commonwealth body, or a State body or Territory body, and not a person, as if it were a person, but with the changes set out in this section.

             (2)  If this Act authorises or requires the entity to engage in conduct, the conduct may be engaged in on behalf of the entity by a person covered by subsection (5), if engaging in the conduct is within the scope of the person’s employment or authority.

             (3)  In determining whether the entity has breached this Act:

                     (a)  conduct engaged in on behalf of the entity by a person covered by subsection (5) acting within the scope (actual or apparent) of the person’s employment or authority is taken to have been engaged in instead by the entity; and

                     (b)  if it is necessary to establish intention, knowledge or recklessness, or any other state of mind, of the entity, it is sufficient to establish the intention, knowledge or recklessness, or other state of mind, of the person mentioned in paragraph (a).

Note 1:       The Crown is not liable to be prosecuted for an offence (see subsection 5(2)).

Note 2:       Part 2.5 of the Criminal Code and section 97 of the Regulatory Powers Act deal with responsibility of bodies corporate for offences and civil penalties.

             (4)  Despite paragraph (3)(a), the entity does not contravene a civil penalty provision of this Act, or commit an offence against this Act, because of conduct of a person that the entity is taken to have engaged in, if it is established that the entity took reasonable precautions and exercised due diligence to avoid the conduct.

             (5)  This subsection covers the following persons:

                     (a)  an authorised officer of the entity;

                     (b)  a statutory officeholder of the entity;

                     (c)  an officer, employee or member of the entity;

                     (d)  a person that is party to a contract with the entity (other than a data sharing agreement);

                     (e)  an agent of the entity.

             (6)  A reference in this section to this Act includes a reference to a legislative instrument made under this Act.

124  Treatment of partnerships and unincorporated associations

             (1)  This Act applies to an entity that is a partnership or an unincorporated association as if it were a person, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the entity by this Act is imposed on each responsible individual for the entity instead, but may be discharged by any of the responsible individuals.

             (3)  An offence against this Act that would otherwise be committed by the entity is taken to have been committed by each responsible individual for the entity who, at the time the offence was committed:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the responsible individual).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

             (5)  A change in the composition of the entity does not affect the continuity of the entity for the purposes of this Act.

             (6)  An individual is a responsible individual for an entity if:

                     (a)  for a partnership—the individual is a partner in the partnership; or

                     (b)  for an unincorporated association—the individual is a member of the association’s committee of management.

             (7)  This section does not apply to an entity to which section 123 applies.

             (8)  A reference in this section to this Act includes a reference to a legislative instrument made under this Act.

125  Treatment of trusts

             (1)  This Act applies to a trust as if it were a person, but with the changes set out in this section.

             (2)  If the trust has a single trustee:

                     (a)  an obligation that would otherwise be imposed on the trust by this Act is imposed on the trustee instead; and

                     (b)  an offence against this Act that would otherwise be committed by the trust is taken to have been committed by the trustee.

             (3)  If the trust has 2 or more trustees:

                     (a)  an obligation that would otherwise be imposed on the trust by this Act is imposed on each trustee instead, but may be discharged by any of the trustees; and

                     (b)  an offence against this Act that would otherwise be committed by the trust is taken to have been committed by each trustee, at the time the offence was committed, who:

                              (i)  did the relevant act or made the relevant omission; or

                             (ii)  aided, abetted, counselled or procured the relevant act or omission; or

                            (iii)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the member).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

             (5)  This section does not apply to an entity to which section 123 applies.

             (6)  A reference in this section to this Act includes a reference to a legislative instrument made under this Act.

Part 6.4Data sharing scheme instruments

  

126  Data codes

             (1)  The Commissioner may, by legislative instrument, make codes of practice about the data sharing scheme (data codes).

             (2)  Without limiting what a data code may do, it may do any of the following:

                     (a)  set out how the data definitions in section 10, and provisions of Chapters 2 (including section 13) and 3, are to be applied or complied with;

                     (b)  impose additional requirements to those imposed by Chapters 2 and 3, so long as the additional requirements are not contrary to, or inconsistent with, those Chapters;

                     (c)  deal with the internal handling of complaints;

                     (d)  deal with the management of complaints under Part 5.3 and impose additional requirements to those set out in that Part, so long as the additional requirements are not contrary to, or inconsistent with, that Part;

                     (e)  deal with any other matters the Commissioner considers relevant to the data sharing scheme.

             (3)  A data code that is inconsistent with the regulations or rules has no effect to the extent of the inconsistency, but a data code is taken to be consistent with the regulations and rules to the extent that the data code is capable of operating concurrently with them.

127  Guidelines

             (1)  The Commissioner may make written guidelines in relation to matters for which the Commissioner has functions under this Act.

Note:          Data scheme entities must have regard to the guidelines when engaging in conduct for the purposes of this Act (see section 27).

             (2)  The guidelines may include principles and processes relating to:

                     (a)  any aspect of the data sharing scheme; and

                     (b)  any matters incidental to the data sharing scheme, including:

                              (i)  data release; and

                             (ii)  data management and curation; and

                            (iii)  technical matters and standards; and

                            (iv)  emerging technologies.

             (3)  The Commissioner may publish the guidelines in any manner the Commissioner considers appropriate.

             (4)  Guidelines made under subsection (1) are not a legislative instrument.

128  Register of ADSPs

             (1)  The Commissioner must maintain a register of ADSPs.

             (2)  The register must contain the following details for each ADSP:

                     (a)  the name of the ADSP;

                     (b)  contact details for the ADSP;

                     (c)  the data services the ADSP is accredited to perform.

             (3)  The register may contain:

                     (a)  information about conditions of the ADSP’s accreditation; and

                     (b)  any other information in relation to ADSPs that the Commissioner considers appropriate.

             (4)  The register may be maintained in any form the Commissioner considers appropriate.

             (5)  The Commissioner must make the register publicly available, but may omit any details the Commissioner is satisfied are not appropriate to make publicly available.

             (6)  The register is not a legislative instrument.

129  Register of accredited users

             (1)  The Commissioner must maintain a register of accredited users.

             (2)  The register must contain the following details for each accredited user:

                     (a)  the name of the accredited user;

                     (b)  contact details for the accredited user.

             (3)  The register may contain:

                     (a)  information about conditions of the accredited user’s accreditation; and

                     (b)  any other information in relation to accredited users that the Commissioner considers appropriate.

             (4)  The register may be maintained in any form the Commissioner considers appropriate.

             (5)  The Commissioner must make the register publicly available, but may omit any details the Commissioner is satisfied are not appropriate to make publicly available.

             (6)  The register is not a legislative instrument.

130  Register of data sharing agreements

             (1)  The Commissioner must maintain a register of data sharing agreements.

             (2)  The register must contain the following details for each data sharing agreement:

                     (a)  the mandatory terms;

                     (b)  if a mandatory term is varied—the term as varied.

             (3)  The register may contain any other information in relation to data sharing agreements that the Commissioner considers appropriate.

             (4)  The register may be maintained in any form the Commissioner considers appropriate.

             (5)  The Commissioner must make the register publicly available, but may omit any details the Commissioner is satisfied are not appropriate to make publicly available.

             (6)  The register is not a legislative instrument.

131  Recognition of external dispute resolution schemes

             (1)  The Commissioner may, by written notice, recognise an external dispute resolution scheme for:

                     (a)  a data scheme entity or a class of data scheme entities; or

                     (b)  a specified purpose.

             (2)  In considering whether to recognise an external dispute resolution scheme, the Commissioner:

                     (a)  must take the following aspects of the scheme into account:

                              (i)  accessibility;

                             (ii)  independence;

                            (iii)  fairness;

                            (iv)  accountability;

                             (v)  efficiency;

                            (vi)  effectiveness; and

                     (b)  may take into account any other matter the Commissioner considers relevant.

             (3)  The Commissioner may:

                     (a)  specify a period for which the recognition of an external dispute resolution scheme is in force; and

                     (b)  make the recognition of an external dispute resolution scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the scheme; and

                     (c)  vary or revoke:

                              (i)  the recognition of an external dispute resolution scheme; or

                             (ii)  the period for which the recognition is in force; or

                            (iii)  a condition to which the recognition is subject.

             (4)  A notice under subsection (1) is not a legislative instrument.

132  Approved forms

                   The Commissioner may, by writing, approve a form for the purposes of a provision of this Act, the rules or a data code.

133  Rules

             (1)  The Minister may, by legislative instrument, make rules prescribing matters:

                     (a)  required or permitted by this Act to be prescribed by the rules; or

                     (b)  necessary or convenient to be prescribed for carrying out or giving effect to this Act.

             (2)  To avoid doubt, the rules may not do the following:

                     (a)  create an offence or civil penalty;

                     (b)  provide powers of:

                              (i)  arrest or detention; or

                             (ii)  entry, search or seizure;

                     (c)  impose a tax;

                     (d)  set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

                     (e)  directly amend the text of this Act.

             (3)  Rules that are inconsistent with the regulations have no effect to the extent of the inconsistency, but rules are taken to be consistent with the regulations to the extent that the rules are capable of operating concurrently with the regulations.

134  Regulations

                   The Governor‑General may make regulations prescribing matters:

                     (a)  required or permitted by this Act to be prescribed by the regulations; or

                     (b)  necessary or convenient to be prescribed for carrying out or giving effect to this Act.

Part 6.5Other matters

  

135  Disclosure of scheme data in relation to information‑gathering powers

             (1)  A data scheme entity is authorised to disclose scheme data held by the entity if the disclosure is:

                     (a)  to a person who has the power to require the disclosure of information under a law covered by subsection (2) for the purposes of exercising the person’s functions in relation to this Act or the data sharing scheme; or

                     (b)  to a person who requires the disclosure of the scheme data under a law of the Commonwealth or a State or Territory for the purposes of giving effect to this Act or the data sharing scheme; or

                     (c)  to a court or tribunal that orders or directs the disclosure of the scheme data in the course of proceedings relating to this Act or the data sharing scheme.

Note:          Except as authorised by this subsection or under the Freedom of Information Act 1982, an accredited entity must not share or release scheme data unless authorised to do so under subsection 13(3).

             (2)  The following laws are covered by this subsection:

                     (a)  the Auditor‑General Act 1997;

                     (b)  the Ombudsman Act 1976;

                     (c)  a law of the Commonwealth to the extent that the law requires or authorises the use or disclosure of information for the purposes of performing the Information Commissioner’s functions in relation to the data sharing scheme.

136  Geographical jurisdiction of civil penalty provisions and offences

Geographical jurisdiction of offences and civil penalty provisions

             (1)  A person does not contravene a civil penalty provision of this Act, or commit an offence against this Act, unless at least one of the following paragraphs applies in relation to the conduct constituting the alleged contravention or offence:

                     (a)  the conduct, or a result of the conduct, occurs wholly or partly in Australia, or on board an Australian aircraft or Australian ship;

                     (b)  for conduct alleged to constitute an ancillary contravention—the conduct, or a result of the conduct, that would constitute the primary contravention to which the ancillary contravention relates would have occurred wholly or partly in a place covered by paragraph (a);

                     (c)  for conduct alleged to constitute an ancillary offence—the conduct, or a result of the conduct, that would constitute the primary offence to which the ancillary offence relates was intended by the person to occur wholly or partly in a place covered by paragraph (a);

                     (d)  the conduct occurs wholly outside Australia and the person engaging in the conduct is an Australian entity.

Defence for primary contravention or primary offence

             (2)  Despite subsection (1), a person does not contravene a civil penalty provision of this Act, or commit an offence against this Act, if:

                     (a)  the alleged contravention or offence is a primary contravention or primary offence; and

                     (b)  the conduct constituting the alleged contravention or offence occurs wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

                     (c)  the person is not an Australian entity; and

                     (d)  there is not in force, in the foreign country or the part of the foreign country where the conduct constituting the alleged contravention or offence occurred, a law creating a pecuniary or criminal penalty for conduct corresponding to the conduct constituting the alleged contravention or offence.

Defence for ancillary contravention or ancillary offence

             (3)  Despite subsection (1), a person does not contravene a civil penalty provision of this Act, or commit an offence against this Act, if:

                     (a)  the alleged contravention or offence is an ancillary contravention or ancillary offence; and

                     (b)  for conduct constituting an alleged contravention—the conduct constituting the primary contravention to which the alleged contravention relates, or a result of that conduct, occurs, or would have occurred, wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

                     (c)  for conduct constituting an alleged offence—the conduct constituting the primary offence to which the alleged offence relates, or a result of that conduct, occurs, or was intended by the person to occur, wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

                     (d)  the person is not an Australian entity; and

                     (e)  there is not in force, in the foreign country or the part of the foreign country where the conduct constituting the alleged contravention or offence occurred, a law creating a pecuniary or criminal penalty for conduct corresponding to the conduct constituting the primary contravention or primary offence to which the alleged contravention or offence relates.

             (4)  A person who is alleged to have contravened a civil penalty provision of this Act and who wishes to rely on subsection (2) or (3) bears an evidential burden (within the meaning of the Criminal Code) in relation to the matters set out in the subsection.

             (5)  For the purposes of the application of subsection 13.3(3) of the Criminal Code to an offence against this Act, subsections (2) and (3) of this section are taken to be exceptions provided by the law creating the offence.

Note:          This means that a defendant bears an evidential burden in relation to the matters in subsections (2) and (3).

Other matters

             (6)  Division 14 of the Criminal Code (standard geographical jurisdiction) does not apply in relation to an offence against this Act (this section applies instead).

             (7)  A reference in this section to a result of conduct is a reference to a result that is an element of the civil penalty provision or offence.

             (8)  For the purposes of this section and without limitation, if a person sends, or causes to be sent, an electronic communication or other thing:

                     (a)  from a point outside Australia to a point in Australia; or

                     (b)  from a point in Australia to a point outside Australia;

that conduct is taken to have occurred partly in Australia.

             (9)  A point includes a mobile or potentially mobile point, whether on land, underground, in the atmosphere, underwater, at sea or anywhere else.

137  Authorised officers

             (1)  An individual specified in the following table for a kind of entity is an authorised officer of an entity of that kind.

 

Authorised officers

Item

Kind of entity

Individuals who are authorised officers

1

Any of the following:

(a) a Department;

(b) an Executive Agency within the meaning of the Public Service Act 1999;

(c) a Statutory Agency within the meaning of the Public Service Act 1999

The following:

(a) the Agency Head within the meaning of the Public Service Act 1999;

(b) an employee in the entity authorised in writing by the Agency Head for the purposes of this section

2

Any of the following:

(a) a corporate Commonwealth entity within the meaning of the Public Governance, Performance and Accountability Act 2013;

(b) a Commonwealth company within the meaning of the Public Governance, Performance and Accountability Act 2013

The following:

(a) the chief executive officer (however described) of the entity;

(b) an individual authorised in writing by the chief executive officer for the purposes of this section

3

A person who is a prescribed authority within the meaning of paragraph (c) or (d) of the definition of prescribed authority in subsection 4(1) of the Freedom of Information Act 1982 and not covered by item 1 or 2

The following:

(a) the person;

(b) a person authorised in writing by that person for the purposes of this section

4

A body corporate not covered by item 1 or 2

The following:

(a) the chief executive officer (however described) of the entity;

(b) a director of the entity;

(c) an employee of the entity authorised in writing by the chief executive officer for the purposes of this section

5

A partnership or unincorporated association not covered by item 1 or 2

The following:

(a) a responsible individual for the entity (see subsection 124(6));

(b) an individual determined in accordance with the rules

6

A trust not covered by item 1 or 2

The following:

(a) a trustee of the trust;

(b) an individual determined in accordance with the rules

7

An entity not covered by any other item

An individual determined in accordance with the rules

 

             (2)  Rules determining an individual for the purposes of an item of the table in subsection (1) may provide for individuals to be determined by reference to a decision of the Commissioner or another person.

             (3)  If the rules provide that a kind of individual who would be an authorised officer of a kind of entity under an item of the table in subsection (1) is not an authorised officer, the rules have effect despite the item.

             (4)  Rules made for the purposes of subsection (3) may prescribe another kind of individual as an authorised officer for the kind of entity instead.

138  Annual report

             (1)  After the end of each financial year, the Commissioner must prepare and give a report to the Minister, for presentation to the Parliament, on the Commissioner’s activities during the financial year.

             (2)  The report must include the following in relation to the financial year:

                     (a)  information about legislative instruments and guidelines made by the Commissioner under this Act;

                     (b)  information about activities undertaken for the purposes of the regulatory functions set out in section 45;

                     (c)  a description of any efforts made by the Commissioner to assist data scheme entities to comply with the requirements of the data sharing scheme;

                     (d)  a statement of the following:

                              (i)  the number of requests received by data custodians of public sector data for sharing of data under this Act and information about the reasons for requests being agreed to or refused;

                             (ii)  the number of data sharing agreements made;

                            (iii)  the number of entities accredited;

                            (iv)  the number of accredited entities as at the end of the financial year;

                     (e)  information about the activities of the National Data Advisory Council;

                      (f)  information about the number of APS employees made available to the Commissioner as mentioned in section 47;

                     (g)  a report on financial matters, including a discussion and analysis of the financial resources available to the Commissioner in the financial year and how they were used.

Note:          The Commissioner may require data scheme entities to give information and assistance for the purposes of preparing the report (see section 34).

             (3)  The report may include any other information relating to the operation of the data sharing scheme that the Commissioner considers appropriate.

             (4)  The report must be given to the Minister by the 15th day of the fourth month after the end of the financial year, or by the end of any further period granted under subsection 34C(5) of the Acts Interpretation Act 1901.

139  Charging of fees by Commissioner

             (1)  The rules may prescribe fees to be charged by the Commissioner for services provided by or on behalf of the Commissioner in performing or exercising functions or powers under this Act, the rules or the data codes.

             (2)  Without limiting subsection (1), the rules may provide for the amount of a fee to be the cost incurred by the Commonwealth in arranging and paying for another person to perform functions or exercise powers.

             (3)  A fee prescribed by the rules is payable to the Commonwealth.

             (4)  The rules may make provision for:

                     (a)  when and how fees are payable;

                     (b)  any other matters in relation to fees including exemptions, refunds and remissions.

             (5)  If a fee is payable for a service, the service need not be provided while the fee remains unpaid. The rules may provide for the extension of any times for providing services accordingly.

140  Charging of fees by data scheme entities

             (1)  A data custodian of public sector data may charge fees to an accredited entity for services performed by the data custodian in dealing with a request by the accredited entity for data to be shared under this Act.

             (2)  A data custodian that charges fees must do so in a way that is not inconsistent with the policies of the Australian Government.

             (3)  Nothing in this section has the effect of preventing an accredited entity (including a Commonwealth body) from charging fees in relation to services it performs in relation to the data sharing scheme.

141  Commonwealth not liable to pay a fee

             (1)  The Commonwealth is not liable to pay a fee that is payable under this Act. However, it is the Parliament’s intention that the Commonwealth should be notionally liable to pay such a fee.

             (2)  The Finance Minister may give such written directions as are necessary or convenient for carrying out or giving effect to subsection (1) and, in particular, may give directions in relation to the transfer of money within an account, or between accounts, operated by the Commonwealth.

             (3)  Directions under subsection (2) have effect, and must be complied with, despite any other Commonwealth law.

             (4)  In subsections (1) and (2), Commonwealth includes a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) that cannot be made liable to taxation by a Commonwealth law.

142  Periodic reviews of operation of Act

             (1)  The Minister must cause periodic reviews of the operation of this Act to be undertaken.

             (2)  The first review must:

                     (a)  start no later than 3 years after the commencement of this section; and

                     (b)  be completed within 12 months or a longer period agreed by the Minister.

             (3)  Subsequent reviews must:

                     (a)  start no later than every 10 years after the commencement of this section; and

                     (b)  be completed within 12 months or a longer period agreed by the Minister.

             (4)  The Minister must cause a written report about each review to be prepared. A review is taken to be completed when the Minister is given the report about the review.

             (5)  The Minister must cause a copy of the report about each review to be laid before each House of the Parliament within 15 sitting days of that House after the Minister receives the report.