Victorian Public Sector Data Sharing Policy

This Policy supports the Victorian Government’s response to the current and emerging impacts of COVID-19 and broader cross-portfolio data needs by facilitating data sharing across government.

Overview

The Victorian Public Sector Data Sharing Policy responds to the critical need for data sharing between Victorian government departments and agencies to inform policy and service decisions for the benefit of Victorians. It establishes that Victorian government agencies have a ‘responsibility to share’ with each other where there is a demonstrated need for the data to improve policy making, service planning and delivery with a clear public benefit, unless there is good reason not to. It adopts the National Data Sharing Principles to help the Victorian government agencies fulfil that responsibility in a considered, safe and secure way.

Policy context and purpose

Better use of data1, through sharing, linkage and analytics, is transforming the way government works. Data insights can enhance government’s understanding about what works and why, leading to better decisions, more streamlined processes and more effective and efficient services and investment. For example, data sharing between government agencies is vital to get a more holistic picture for policy making (such as building a linked social services data asset that combines health, human services, education, justice and police data2), or for providing Victorian citizens with an integrated government service (such as through Service Victoria, which allows citizens a simpler, faster way to access a range of government services). Where data sharing is vital for protecting vulnerable people, there are also specific information sharing schemes that recognise the importance of sharing (such as the family violence information sharing scheme and the child information sharing scheme).

This policy is an important contribution to assist Victorian government agencies to access the data they need to meet the policy and service needs of the Victorian community. It facilitates the expeditious sharing of data between VPS agencies within a controlled-access environment, while ensuring the right safeguards are in place. It extends the previous COVID-19 VPS Data Sharing Policy, beyond the COVID-19 context. It is modelled on the data sharing framework established under the Victorian Data Sharing Act 2017 (VDS Act), which sets up the statutory office of the Victorian Chief Data Officer (CDO) with powers and functions, including to support data-led policy and service decisions across government and to lead and coordinate data sharing and data integration work.

Establishing the ‘responsibility to share’

This policy establishes a clear responsibility on Victorian government agencies to share data3 with each other. The responsibility applies where the requesting agency has demonstrated a need for data to inform policy making, service planning and delivery with a clear public benefit, and there is no legitimate basis to refuse the request. Demonstrating the need for data should include a clear articulation of how the data will be used to benefit the Victorian community or sections of the community. For instance, this may include a statement on how data access would unlock insights to advance a stated Victorian Government policy, improve an operational program, or provide better services to vulnerable groups or individuals.

The responsibility to share sets the expectation that an agency in receipt of a request will cooperate to provide the data or give reasons for refusal within a reasonable time. Where this does not occur, a requesting agency may choose to issue a formal request for data under this policy. While there is no prescribed format for the formal request, it should at a minimum: identify that it is being made pursuant to this policy; set out the purpose and public benefit; and describe how the data will be held and used safely and securely. The agency in receipt of the formal request must respond within 14 days by providing the data or setting out reasons for refusal in writing. A copy of the refusal should be sent to the Secretary, Department of Premier and Cabinet. These arrangements are based on the process for the CDO to make a formal request under the VDS Act, giving all Victorian government agencies a similar mechanism to issue a formal data request.

A legitimate reason for refusal includes where the sharing would contravene a law or legal obligation (such as a privacy or data protection obligation or a secrecy provision), would prejudice an investigation, inquiry or legal proceeding, or be likely to endanger an individual’s health safety or wellbeing. A request may also be refused if the requested data is readily available through other sources, for example if publicly available, other rights (such as intellectual property rights) prohibit disclosure, the proposed sharing arrangement does not satisfy the National Data Sharing Principles, or sharing is otherwise considered too risky or sharing is inappropriate from a data ethics/social licence perspective, despite the proposed controls and in light of the expected public benefit.

The ‘responsibility to share’ requires agencies to use best endeavours to share, in light of existing resourcing. Where resourcing is a genuine constraint, agencies agree to use best endeavours to agree on how resourcing should be dealt with in light of the proposed public benefit.

Applying the National Data Sharing Principles

In addition to legal and other requirements relevant to data sharing4, Victorian government agencies should be guided by the National Data Sharing Principles in deciding whether or not to share, which are set out in the Office of the National Data Commissioner’s Best Practice Guide to Applying Data Sharing Principles. The National Data Sharing Principles are based on the Five Safes Framework, which is the internationally recognised risk management framework that is the standard for, and used widely across, the Victorian Government. It promotes a principles-based approach to enable sharing of data held by the public sector in a way that delivers public benefit, while ensuring the privacy and security of Victorians’ data remains paramount.

Adopting the National Data Sharing Principles not only reflects that many of the core considerations are the same in the Victorian context,5 it also ensures a nationally consistent approach wherever possible. This aligns with national reforms aimed at streamlining the sharing of Commonwealth government data. A consistent approach facilitates uniformity in data sharing conditions and streamlines governance.

Scope of this policy

As a starting point, the policy applies to all Victorian departments and administrative offices (which are considered as part of departments) and Victoria Police. Departments and Victoria Police commit to implement this policy within their agency by signing the VPS Data Sharing Heads of Agreement (Agreement). The Heads of Agreement also provides a common framework that parties can use to document their particular data sharing arrangements. Over time, any Victorian public sector bodies (including statutory bodies or independent and oversight bodies) can elect to come within the remit of this policy by signing the Heads of Agreement.

While use of this Heads of Agreement to document particular arrangements helps foster consistency and expedite sharing, it is not mandatory. Signatories are free to document such arrangements using alternative instruments or agreements. In addition, this Heads of Agreement does not affect any existing data sharing arrangements that signatories have in place.

This policy also does not apply to ‘restricted data’ as defined under the VDS Act. Restricted data refers to data relating to the identity of confidential sources or those included in a witness protection program, national security or the disclosure of investigative measures or procedures.

Where to go for help

The Victorian Centre for Data Insights (VCDI) is available to assist agencies to navigate this policy, the National Data Sharing Principles and the Heads of Agreement. It also provides other resources and templates where they are required, including a common register of agreements made under the Heads of Agreement. Queries can made directly to VCDI at data.insights@dpc.vic.gov.au.

The Office of the Victorian Information Commission (OVIC) and Health Complaints Commissioner (HCC) can assist agencies with issues concerning personal information, information security and health information respectively. OVIC and HCC have a wide range of guidance to help VPS agencies understand their privacy obligations on their websites: ovic.vic.gov.au and hcc.vic.gov.au. OVIC has also put out guidance on information sharing and privacy.

Governance and review

This policy was approved by the Victorian Secretaries Board (VSB) on 28 April 2021 and will continue for an initial period of 3 years. At the end of this period, a review of this policy will be conducted and any extension to the policy will be approved by VSB.

Minor updates to the policy can be made by VCDI to ensure it continues to reflect contemporary practice and government policy. Any major changes in policy direction must be approved by the VSB to ensure the policy continues to meet the data sharing and use expectations of the Victorian Government, and to fully realise the value of data-led decision making for the benefit of all Victorians.

Footnotes

[1] This policy adopts the same use of the term ‘data’ as defined under the Victorian Data Sharing Act 2017, namely “any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analysed or processed (whether by an individual or by a computer or other automated means).

[2] Called the Victorian Social Investment Integrated Data Resource, developed in partnership between the Victorian Centre for Data Insights and the Centre for Victorian Data Linkage.

[3] The ‘responsibility to share’ is also found in the National Best Practice Guide to Applying Data Sharing Principles, which defines data sharing as making data available to another agency, organisation or person under agreed conditions.

[4] Including any obligations relating to privacy or data protection.

[5] Noting that where there are definitional differences between the Commonwealth Data Sharing Principles and Victorian law and policy (e.g. the definition of ‘personal information’), Victorian definitions shall apply.

Updated