For any data integration project where the data custodian differs from the integrating authority, the data custodian must be authorised to release identifiable data to the integrating authority, either by the data custodian’s legislation or by consent from the data provider (that is, the person, household, business or other organisation who originally supplied the data for statistical or administrative purposes), where this is not precluded by legislation.
Commonwealth administrative data cannot be used for statistical or research purposes if this contravenes legislation or any commitment made to data providers regarding the purpose for which their data may be used.
Before giving in principle approval for a statistical data integration project and appointing an integrating authority for the project, each Commonwealth data custodian must ensure that the project complies with requirements set out in its legislation.
Legislative obligations governing the access and use of identifiable data will differ between agencies. For example, child support data can only be used for data integration with the consent of the customer (according to the provisions of the Child Support (Registration and Collection) Act 1988 and Child support (Assessment) Act 1989). Other pieces of legislation do not require that consent is obtained but do require that a public interest test is applied, for example, through an ethics committee.
Although legal requirements will differ between agencies, a legislated authority exists for a data custodian to release identifiable data to an integrating authority when one of the following applies:
1. The integrating authority is explicitly named in the legislation under which the data was collected as an agency which can access and use the identifiable data for statistical and research purposes.
2. The legislation under which the data was collected provides for this type of agency or body to access and use the identifiable data for statistical and research purposes.
3. The integrating authority is covered by legislation that authorises it to access and use the data custodian’s data for statistical and research purposes.
Note: If at any time a data custodian is unsure if their legislation allows for the release of data for an integration project, independent legal advice should be sought (for example, from the agency’s legal department in the first instance).
For some examples of legislated authorisation for Commonwealth data custodians to release identifiable information see Examples of Legislated Authorisation.
Other authorisation processes
There are a few other authorisation processes that may need to be considered, depending on the data custodian’s legislation. In some legislation, consent or Human Research Ethics Committee approval are needed. Where the use of personal information for a research project may be in breach of an Australian Privacy Principle (APP) then it may be necessary to obtain a Public Interest Determination from the Australian Information Commissioner to seek an exemption from the APP for the project to proceed.
The following links provide more information about these processes.
Data custodians should also always collect and provide data in line with the Privacy Act 1988.
For more information on authorisation to release identifiable data see the papers:
- Legal framework for Integrating Authorities undertaking high risk projects – project level requirements and
- Legal framework for Integrating Authorities undertaking low and medium risk projects – project level requirements.
For more information on legal and policy considerations see:
- Authorisation to release identifiable data
- Protections prohibiting disclosure of identifiable data
- Privacy Act 1988