Data Integration Projects
Commonwealth Arrangements Information Series
Sheet 4: Data Custodians and the Commonwealth Arrangements
A data custodian, in the context of the arrangements for data integration involving Commonwealth data for statistical and research purposes (Commonwealth arrangements), is the entity responsible for the source data and any activities relating to it, such as its collection, management, protection and access approval.
Often the responsibilities of a data custodian are set out in relevant legislation which may extend to the provision of data for statistical and/or research purposes.
This Information Sheet provides a summary of the considerations data custodians need to take into account at each stage of a data integration project, where it is in scope of the Commonwealth arrangements. A checklist for data custodians is also provided on the back of this sheet.
Deciding if data can be released
Each data custodian is responsible for deciding whether to approve the release of their data for a data integration project (a project). When a project is first proposed and access to data is requested, each data custodian must consider if they are authorised to provide the data under governing legislation or with the data provider’s consent.
If there is authorisation to release the data, the data custodian may then also consider if the release of their data for the project will provide a public benefit that outweighs the privacy imposition and risks to confidentiality involved.
Data custodian roles within the Commonwealth arrangements
Role 1 - Maximise the value of data holdings
Role 2 - Assess project risk
Role 3 - Comply with policy and legislation
Role 4 - Ensure safe storage of unit record data
Role 5 - Safely transmit unit record data
Role 6 - Enter project agreements
Assessing the risk of the project
It is the responsibility of data custodian(s) to assess the risk of a project. The risks to be considered are:
a breach resulting in an unauthorised disclosure of personal or business information; and
a reduction in public trust of the Australian government and its institutions.
While the final decision and agreement on the risk rating (high, medium or low) of the project remain with the data custodian(s), input may be sought from integrating authorities (the agency that manages, and is ultimately accountable for, the sound conduct of the project; see Information Sheet 5).
Appointing an integrating authority
Following the completion of the risk assessment, the data custodian(s) is then responsible for appointing an integrating authority. If the project risk is rated high, then the project must be managed by an accredited Integrating Authority (refer to Information Sheets 5 and 6).
The data custodian(s) should also ensure the integrating authority nominated to manage the project is authorised to receive the data, either through legislation or data providers’ consent.
Finalising project agreements
Once the details of the project have been decided, project agreements are signed between the data custodian(s) and the integrating authority. These agreements provide a mechanism for the data custodian(s) to exercise their accountability for the security and confidentiality of their data once it is provided to the integrating authority for the project.
Agreements should detail any conditions specified by the data custodian(s) relating to data security obligations, privacy and confidentiality requirements, data access provisions and potential sanctions which may apply to misuse of the data.
Extracting and providing data
Data custodian(s) are responsible for ensuring the safe extraction and transmission of their data (as specified in the project agreements) to the integrating authority. This transmission of data should be consistent with Australian Privacy Principles (APPs) and the Australian Government Protective Security Policy Framework.
A checklist for data custodians
This is a list of considerations for data custodians who have been approached for their data to be included in a data integration project for statistical or research purposes.
In Principle approval
✔ Is your project in scope of the Commonwealth arrangements?
✔ Does the public benefit outweigh the privacy imposition of the project?
✔ Do you have authorisation to release the data for the purpose of the project?
✔ Is the purpose consistent with departmental policies and purposes?
✔ Have you completed the risk assessment in conjunction with other data custodians?
✔ Are you satisfied that this project does not present an unacceptably high risk to public trust in the Australian Government and its institutions?
✔ Do you require an accredited Integrating Authority to manage the project?
✔ Do you require any further assessments to be undertaken prior to signing project agreements (e.g. ethics committee approval or privacy impact assessment)?
✔ Have you specified any special conditions to be met as part of your project approval?
✔ Do you give in principle approval for this project to proceed to the next stage?
Final approval
✔ Are you satisfied with the arrangements provided by the integrating authority for security of the data (e.g. data transfer, access, use, storage and destruction or retention)?
✔ Have you considered how confidentiality and privacy will be protected?
How will the separation principle be applied (if applicable)?
How will data be de-identified and/or confidentialised?
What conditions will data users be expected to comply with (e.g. signing confidentiality undertakings, review of research results before publication)?
What are the consequences if there is a misuse of data or breach of privacy?
✔ Have all necessary authorisations been received (e.g. Ethics committee approval, privacy impact assessment, departmental authorisation, consent of the data provider, Public Interest Determination)?
✔ Have you entered into a project agreement with the integrating authority (and all other data custodians)?
Project delivery
✔ Has data been extracted and delivered to the integrating authority according to project agreements?
✔ Have you provided metadata and information about the quality of the data to assist the integrating authority and data users to understand the source data?