Victoria has legislation that allows data to be shared across government according to strict rules:
- Data can only be shared when it helps to address key community priorities in a better way.
- Data sharing involves following strict privacy, information sharing and de-identification rules.
This work is administered by the Victorian Centre for Data following strict data security, privacy and integrity rules.
Data sharing in Victorian Government
The Victorian Data Sharing Act (VDS Act) enables data to be shared across government while providing strong safeguards and oversight.
The VDS Act works alongside existing privacy which still apply.
The Act sets up the Chief Data Officer as the head of the Victorian Centre for Data. The Act will make it easier for the VCDI to conduct data analytics projects in response to government initiatives, particularly those with a whole-of-government strategic focus, and where cross-government data sharing is required and expected by the community.
How the Act protects your information
- All data handled under the VDS Act must be for the approved purpose of informing policy making, service planning and design
- Before any data is used for analytics, steps must be taken to ensure no individual can be identified from that data
- New offences have been introduced for unauthorised data access, use or disclosure
- The Victorian Centre for Data Insights reports annually to Victorian privacy regulators on its operations, functions and potential privacy law breaches
- The VDS Act ensures accountability and oversight by independent authorities (the Office of the Victorian Information and Health Complaints)
Guidance on data sharing in government
Information sharing schemes
The Child Information Sharing Schemeallows authorised organisations and professionals who work with children, young people and their families to share information with each other to promote children's wellbeing and safety.
The Family Violence Information Sharing allows authorised organisations that work with victims and perpetrators of family violence to share information with each other to in order to keep victims safe and hold perpetrators to account.
Legislation that applies to data sharing and use
- Privacy and Data Protection Act
- Health Records Act
- Victorian Data Sharing Act
- Family Violence Protection Amendment (Information Sharing) Act
Frameworks and standards for data sharing and use
- Victorian Protective Data Security
- Victorian Protective Data Security
- Public Records Office Victoria
- Information Management Framework for the Victorian Public
- Information Security Management Framework
Reporting on data security
All public sector organisations must undertake a range of activities to meet their reporting obligations under the Privacy and Data Protection Act, including:
- submitting their Protective Data Security Plan
- cooperating with the Office of the Victorian Information when they undertake monitoring and assurance such as audits or reviews
Ensuring secure and ethical data use
Standard operating protocols
Our standard operating protocols outline the process and framework for conducting data analytics projects - including the protection and control measures we must take for safe and ethical data use.
This ensures we are taking the required steps to protect the data we hold from misuse, loss and unauthorised access, modification and disclosure.
Assessing and mitigating risk
We use a trusted data access and sharing model
We use the Five Safes to assess and mitigate risk when we access, share and disclose data. This framework is also used by the
The framework has five elements. We evaluate these independently and then analyse them together to measure the overall risk level for each project:
- Safe Projects: is data to be used for an appropriate, authorised purpose?
- Safe Data: is there a disclosure risk in the data itself (sensitivity and re-identification)?
- Safe People: can those using the data (e.g. researchers and analysts) be trusted to use it in an appropriate manner?
- Safe Settings: does the access environment (physical, technical, and procedural) prevent unauthorised data use?
- Safe Outputs: are the analytical results non-disclosive (e.g. can individuals or groups be re-identified from a broader audience)?
This approach shifts the focus away from the data itself to how the data will be accessed, used and released.
We're guided by key data security and privacy principles
Our operating model, project model and technology platforms are based on the following principles:
- Privacy by Design: this ensures that appropriate privacy protections are embedded into the overall design from the very start and built into all planning and design decisions. This model gives us a clear, layered, scalable privacy risk assessment framework that aligns with the Five Safes Framework. Privacy risks require a flexible, case-by-case risk management approach.
- Defence in Depth: this ensures we have a series of layered defensive mechanisms to protect our data and information, including physical, technical, and people security. This approach aligns with the requirements of the Victorian Protective Data Security and Five Safes Framework.
Reviewed 05 March 2019