The information on this page provides researchers with an awareness and understanding of the Department of Health’s Data Access and Release Policy. Implementation of the Data Access and Release Policy will support the research community by facilitating greater use of available Commonwealth health data to support research that delivers better health outcomes for all Australians.The policy and its supporting principles are described below.
For further information about the policy refer to the frequently asked questions (FAQ):
PDF version: Frequently asked questions (FAQ) about the Data Access and Release Policy (PDF 212 KB)
Word version: Frequently asked questions (FAQ) about the Data Access and Release Policy (Word 24 KB)
- The Australian Government Department of Health (Health) will ensure that the community is able to realise the greatest possible value from data held by Health through better use of existing datasets for research, community information, policy development and policy evaluation, consistent with meeting its legal and contractual obligations to respect privacy, recognise intellectual property and manage risks.1
- In accordance with the Principles on Open Public Sector Information and the Freedom of Information Act 1982, data held by Health will be made publicly available in an appropriately de-identified and confidentialised form unless there are compelling reasons to the contrary.
- Any proposal to release sensitive unit record data as open data will
- be treated as a ‘high privacy risk project’ under the Privacy (Australian Government Agencies — Governance) APP Code 2017, and
- must follow the relevant whole of government sensitive unit record open data process in existence.
- Health delegates must recognise their continued accountability for the data released and establish adequate controls over the use of personal or other sensitive data to permit the use of Health data in research projects.
ScopeThe scope of the policy is health programme and health performance data. This policy does not apply to data used for administering the operations of the department, such as human resources data or financial data.
RationaleApplying a common data access and release policy supported by streamlined processes across the entire Health portfolio will ensure the public has access to a range of useful Health data. The policy objectives are to:
- improve public benefit from increased data use
- timely information release
- relevant information release
- protect individual privacy
- efficient approval, extraction and release processes
Low Risk De-Identified, Confidentialised or Non Re-Identifiable Data
Principle 1Data that can be made public should be made public
- Health should be proactive and regularly build, review, update, and refine existing publicly available summary data and informative metadata.
- Public health data facilities should be designed and maintained so that other agencies, researchers and the public can refer to them to satisfy most data requests.
- The conditions of data access and licensing, a description of holdings, data quality and up to date and comprehensible metadata should also be published and maintained.
- The publication of data is to be resourced as a standard function of collecting and using Health data.
Principle 2Health should grant structured access 2 to data as well as the delivery of data as a package
- Health should allow applicants to access and use data in a controlled environment through secure infrastructure, such as the Enterprise Data Warehouse, as an alternative to ‘takeaway’ data releases such as confidentialised unit record files.
Principle 3Australian government data is a strategic national asset and agencies, such as Health, should permit researchers, other agencies and the public as much access as possible, while recognising and minimising any risks associated with data exposure.
- Low risk de-identified health data is presumed to be able to be released to the public unless restricted by statute or other regulation, or where an individual has advised that their personal information cannot be used for purposes other than for which it was supplied.
- Requests for data should be met with responses that define what data is available/accessible.
- Precedent decision - where a precedent decision, recognised process or procedure exists with an agency, this principle should simplify the provision of specific data for a specific purpose, particularly where the data request is likely to be repeated at regular intervals. There should not be a need for a full review or risk assessment each time an agency requests the same data on a regular basis – but there would need to be a test to ensure that the specific data and specific purpose are still accurate and relevant.
- Health should facilitate the public accessibility and release of data in a way that maintains the security of data holdings and individual and organisational privacy.
High Risk - Identifiable Data
Principle 4The Minister and relevant departmental delegates retain all relevant legal responsibility for their identified or identifiable unit record data at all times
- For identified or identifiable unit record data, this principle directs Health to develop and implement legally binding agreements to safeguard the provision of data to external agencies and persons.
- Access to identified and identifiable data is restricted by legislation and cannot be used for secondary purposes unless agreed by the individual or as specified under legislation.
- Delegates cannot be absolved from the legal responsibilities relating to data holdings for which they are responsible.
- Where a data request from an agency is to be repeated at regular intervals, the precedent decision should be applied (see Principle 3 Guidelines).
- Delegates must ensure that other agencies (those with whom no recognised process or procedure exists) receiving identified or identifiable data have a thorough and demonstrated understanding of the legal and governance frameworks relating to the use and storage of that data.
- Delegates must ensure, through contract or other means, that identified or identifiable data is used only for the purpose for which it was released, that it is stored appropriately and that it is destroyed once it is no longer being used for the approved purpose
Principle 5Where data by nature of its level of detail is considered to be a high risk to release publicly, only the elements of data relevant and essential to meet the purpose of a reasonable request shall be made accessible.
- Delegates should only release sensitive unit record data to trusted users and for use in a secure environment.
- Delegates or their representative should work with applicants to identify and allow access only to the data items essential to test the research question or meet the stated requirements of the applicant.
- When access is granted to high risk data, applicants will be made aware of the relevant metadata and other database
- If the Department proposes to release sensitive data as open data, it must follow the Whole of Government Sensitive Unit Record Open Data Process and treat the proposal as a ‘high privacy risk project’ under the Privacy (Australian Government Agencies — Governance) APP Code 2017. Testing of confidentialisation methods should be undertaken by qualified personnel with relevant skills including (as required) cryptography and data analysis.
Footnote 1 - Data access, release and use must comply with regulations and legislation including but not limited to privacy, secrecy, consent, commercial-in-confidence, contractual, and freedom of information covered in for example the: National Health Act, 1953; Health Insurance Act, 1973; Privacy Act, 1988; Freedom of Information Act, 1982; agency memoranda of understandings; and the National Statement on Ethical Conduct in Human Research 2007 (Updated May 2015). Data Stewards must maintain an awareness of the legislation and interagency agreements that apply to their data holdings