Commonwealth Consolidated Acts Commonwealth Consolidated Acts(1) The requirement in subsection (2) applies if:
(a) the data sharing purpose of the project is informing government policy and programs or research and development; and
(b) the project involves performing a complex data integration service (see subsection (3)); and
(c) a decision that subsection (4) applies to the service has not been made.
(2) The data sharing agreement that covers the project must require the service to be performed by one of the following:
(a) the data custodian of the data, if the data custodian is an ADSP able to perform such a service consistently with its conditions of accreditation;
(b) an ADSP able to perform such a service consistently with its conditions of accreditation.
(3) A service to integrate data is a complex data integration service if:
(a) 2 or more entities control the data being integrated; and
(b) the data is at the unit or micro level; and
(c) any of the following subparagraphs applies to any of the data to be integrated, or to the integrated data:
(i) the data includes personal information;
(ii) the data includes commercially sensitive information (including trade secrets) about the business, commercial, or financial affairs of an organisation;
(iii) the data includes information that is not publicly available about an industry or sector that forms part of the Australian economy;
(iv) the data includes information about one or more persons or things the data custodian of the data considers to be vulnerable or sensitive;
(v) the data is to be used for more than one project;
(vi) the data meets conditions prescribed by the rules; and
(4) An individual covered by subsection (5) may decide that this subsection applies to the integration, if the individual is satisfied that, having regard to the following matters in relation to the data custodian's data and the other data proposed to be integrated, the risk that the integration could cause substantial harm is low:
(a) the size of the data sets;
(b) whether the data relates to a significant proportion of the population of people or things to which the data relates;
(c) the detail of the individual records included in the data;
(d) how current the data is and whether it will be updated;
(e) the quality of the metadata and documentation for the data sets;
(f) whether entities that collected data to be integrated, or on whose behalf data to be integrated was collected, are aware of the proposed use of the data;
(g) if the data includes personal information--whether a person qualified to assess the ethics of the proposed use of the data has conducted such an assessment;
(h) whether the data custodian of the integrated data will control the technical environment in which the integrated data will be accessed;
(i) any other matters prescribed by the rules.
(5) An individual is covered by this subsection if the individual is:
(a) an authorised officer of a data custodian of data that is to be integrated; or
(b) an individual authorised under subsection 137(4) for the data custodian of data that is to be integrated.
(6) An individual who makes a decision that subsection (4) applies must make a written record of the decision and the reasons for the decision.