The shifting data landscape and the Australian government’s whole-of-economy vision for data is set to propel Australia to be a data-driven society by 2030. In light of this, data has never been more valuable. But a survey conducted by McKinsey in 2021 showed that only 7% of Australian organisations rated themselves as ‘very effective’ at meeting their data and analytics objectives.
The Data Availability and Transparency Act 2022 (DAT Act) came into force on 1 April 2022. This Act is particularly relevant to Commonwealth research bodies and Australian universities which are eligible to participate in the data sharing scheme. Our previous article provides a snapshot of the framework of the DAT Act and the relevant parties eligible for the scheme. Currently, only government bodies and Australian universities are eligible to participate as accredited users.
This article discusses how the DAT Act applies to a project or research output of entities who could be captured as a data custodian or eligible credited user under the scheme.
When is data intellectual property?
The DAT Act defines ‘data’ as any information in a form capable of being communicated, analysed or processed by an individual, computer or other automation. This could include, for example, personal information (which is captured by the Privacy Act 1988 (Cth) (Privacy Act) or equivalent State information privacy laws or directives), information collected or produced in a research project, figures, numbers and records.
As a general proposition, raw information or data that exists in its own right and without any human input is not capable of attracting intellectual property rights. Intellectual property protects the intangible creations of the mind such as inventions, discoveries, or physical embodiments to these creations such as machines or computer programs. For a work to be protected by copyright it has to be an expression of an idea or information that is the original literary, dramatic, musical or artistic work of an author, as opposed to a mere fact or the product of an automated machine.
The Copyright Act 1968 (Cth) provides that copyright subsists in original ‘literary works’ of the author, which includes a table or compilation expressed in words, figures or symbol. Compilation or analysis of data in research would fall within this definition.
In addition to copyright, there are also other avenues to protect data. For example, data that has commercial value can be protected as confidential information, usually by entering into a confidentiality or non-disclosure agreement. Such agreements aim to restrict access, use and disclosure of information communicated in confidence, and can be enforced as a contract in addition to common law confidentiality rights.
How does the DAT Act compare to the EU’s Open Data Directive?
Open data
Unlike the 2019 EU Open Data Directive1, the DAT Act does not impose an obligation on the data custodian to make publicly funded research data ‘open by default’.
Article 10(1) of the EU Open Data Directive mandates EU Member States to support the availability of research data by aiming to make research data openly available, consistent with the FAIR principles (findable, accessible, interoperable and re-usable). The EU Open Data Directive envisages that research data should be ‘as open as possible, as closed as necessary’, taking into account intellectual property rights, personal data protection, confidentiality, security and legitimate commercial interests.
In Australia, there is no obligation for data custodians to share any of their data, let alone to make such data publicly available. The DAT Act merely authorises and streamlines the process of sharing ‘public sector data’. ‘Public sector data’ is defined as data that is lawfully collected, created or held by or on behalf of a Commonwealth body, and includes ADSP-enhanced data (data produced as a result of an accredited data service provider’s use of the shared data).
Where an accredited user requests particular data, the data custodian can choose whether to share the data, but it must provide its reasons for any refusal. Additionally, section 17 of DAT Act sets out the circumstances in which data sharing may be barred. For example, this includes data that relates to national security or law enforcement, or data sharing that contravenes copyright or other intellectual property rights. In other words, any data sharing activity must be consistent with intellectual property rights.
‘Research data’?
Further, the EU Open Data Directive draws a distinction between ‘public data’ and ‘research data’. The difference is that ‘research data’ is expressly subject to the FAIR principles. There are also different re-use obligations in respect of public data and research data. While the DAT Act does not discriminate the type of data as such, section 16B provides different privacy requirements depending on the purpose of data sharing, including if the data sharing is to ‘inform government policy programs or research and development’ or ‘delivery of government services’.
Privacy requirements
The EU’s Open Data Directive expressly provides that it does not affect the EU’s General Data Protection Regulation, the main piece of regulation governing personal information of EU citizens. The DAT Act adopts similar approach, by requiring APP entities to continue complying with the Australian Privacy Act under section 16E of the DAT Act.
Part 2.4 of the DAT Act sets out a series of additional general privacy protections which are complementary to the Privacy Act. When data to be shared contains personal information, section 16B provides that (subject to certain exceptions) consent from the individual to whom the personal information relates must be obtained, and only the ‘minimum amount’ of personal information necessary is shared.
What does this mean?
The DAT Act sets out the requirements and parameters for data sharing. Among other things, the Act aims to facilitate institutional arrangements for sharing public sector data while ensuring integrity and transparency in the process. Before a data custodian shares its data, it is important that it enters into – and registers with the National Data Commissioner – a data sharing agreement that meets the requirements of the DAT Act.
Civil penalties apply for unauthorised sharing of data in contravention of the Act, that is, when entities purport to share data under the Act without satisfying requirements under section 13 of the DAT Act.
Data sharing agreement requirements
There are various requirements that must be satisfied when drafting a data sharing agreement. Among other things, a data sharing agreement must:
- describe the project and specify that the DAT Act applies to the project;
- specify the public sector data that the data custodian intends to share, including if any accredited data service provider-enhanced data is to be shared on behalf of the data custodian;
- agree the intended final output of the project;
- specify the title of any law that the sharing would contravene but for the DAT Act (including any State or Territory laws that would have otherwise prohibited the data sharing);
- prohibit the accredited user from creating any output other than the agreed final output or any other incidental or necessary outputs;
- specify how the project is consistent with the data sharing principles, which relate to appropriate project scope, recipients, security requirements and inclusion of only necessary source data in project outputs;
- responsibilities in relation to data breaches; and
- confirm handling of source data following completion of the project and require the data custodian of the source data to give the National Data Commissioner written notice of the cessation of the agreement as soon as practicable after the agreement ceases be in effect.
Draft data code
The Act contemplates the adoption of a data code to further clarify data sharing principles, privacy protections, data sharing agreements and other miscellaneous matters relating to data sharing.
The exposure draft of the Data Availability and Transparency Code 2022 (draft data code) was recently circulated for public consultation. The draft data code includes:
- further clarification in respect of the data sharing principles;
- further safeguards in respect of data containing personal information, including what amounts to consent, when it is ‘necessary’ to share personal information, and circumstances in which personal information can be shared without consent;
- imposing an obligation on Australian universities to have regard to threats of foreign interference, carry out due diligence with respect to non-Australian individuals who are designated to access data under the scheme, and ensure that designated non-Australian individuals undertake national security training; and
- further outline of other miscellaneous matters such as the type of information required to be supplied to the National Data Commissioner and the applicable timeframes.
It is anticipated that a data code will be implemented by the end of 2022.
If you have any queries or concerns regarding your research data management plan or how the DAT Act may affect your research or data sharing activities, please contact a member of our IP, Technology & Media team for advice and assistance.
This article was written by Luke Dale, Partner, Nikki Macor-Heath, Special Counsel and Paul Sigar, Solicitor.
1 Directive EU 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information.
