Responding to Data Access Requests

1. Assess

Assess whether the data can be shared safely

Share data when answering "yes" to all of the following questions:

• Is the purpose of the data sharing consistent with s6 of the Data Sharing (Government Sector) Act 2015? 
  • The Data Sharing Act says that data sharing requests need to support policy development, program management and service planning and delivery
• Is the requested data excluded from categories listed in Schedule 1 or Schedule 2 of the Government Information (Public Access) Act 2009?
• The request doesn’t require any personally identifiable information (PII) of individuals? 

  • The Data Sharing Act (by reference to privacy legislation) does not allow personal or health information to be disclosed (or collected and used for a secondary purpose)

  • If you think any of the data being requested may contain personally identifiable information (PII), discuss the request further with the Requesting Agency and, if necessary, seek further advice from the Privacy Officer for your agency or the Information and Privacy Commission (IPC)

  • You can negotiate with the Requesting Agency to de-identify or otherwise make safe any data containing potential PII

  • Further information on making data safe for public release is available on the IPC’s website

  • Privacy legislation provides exemptions relating to the disclosure of personal and health information, however the application of these is strictly limited

• The request doesn't require sensitive data? Sensitive data could include:
  • information about secret or sacred practices
  • ecological data that may place vulnerable species at risk
  • commercially sensitive information

If you decide that data is sensitive, you need to document this decision with the legislative or policy reference that informed your decision.

The reasoning for a final decision not to share data needs to be established in writing. Note that if a Requesting Agency disputes your reasons for not approving a request the Requesting Agency is able to make a formal access application under the GIPA Act. 

2. Negotiate

Negotiate how to provide the data

Agree on the terms and conditions for sharing data with the Requesting Agency. 

It is appropriate for the Custodian Agency to set terms and conditions for the release of data to a Requesting Agency. Your agency can decide on the form that your agreement will take. 

Determine whether controls are required to ensure that: 

• The requesters use the data in an appropriate manner
• The environment the data will be stored in will not pose risks
• The publication of outputs from the data does not pose risks

3. Determine

Determine whether the data, or aspects of it, can also be made publicly available

If a Data Sharing Request is approved, it is likely that some or all of the data could also be made open (s7 of the GIPA Act). 

By proactively releasing data, your agency is meeting the requirements of the GIPA Act and streamlining and simplifying future data sharing processes.