Data sharing framework

In an era where data is a pivotal asset for governance, innovation and service delivery, the Queensland Government recognises the importance of data sharing as a catalyst for improving public services, policy making and facilitating transparent governance.

By embracing this framework, Queensland Government agencies will be equipped with a tool to unlock the significant potential that resides within government-held data to drive progress and deliver tangible benefits to all Queenslanders.

This framework is designed to guide Queensland Government agencies through the process of data sharing. It is not just a set of guidelines providing advice but serves as a foundational structure that outlines the overarching approach, principles and considerations necessary to share data effectively, ethically and legally.

Importantly, this framework encourages agencies to engage and build conversations with each other as they progress through the stages of data sharing. It is not intended to replace established and legally authorised data sharing processes. Instead, it aims to simplify the data sharing process for agencies by removing barriers and reducing associated risks. Pivotal to this framework is its intent to shift the culture of ‘hesitancy to share’ to a responsibility to share data for the benefit of all.

This framework can be applied to support any data sharing activity; however, for the purpose of providing relevancy to readers, it considers data sharing across these 3 scenarios:

• Service delivery
• Statistical analysis and research
• Situational insights.

This framework aligns with the principles and purposes of the Commonwealth's Data Availability and Transparency Act 2022, ensuring consistency in data sharing practices across jurisdictions. By reflecting similar underlying principles and approaches, it facilitates seamless collaboration between Queensland Government agencies and Commonwealth frameworks

Sharing data starts with a conversation

Data sharing is more than just moving data from one place to another under legal rules and using technology to assist the process. It is really about agencies and organisations working together, talking things through and finding ways to make the most of the information they share.

While beneficial for the parties involved, it can also lead to great things for the community, the environment, the economy—and the whole of Queensland. When we focus on cooperation and clear communication, data sharing becomes a powerful tool for progress.

The role of trust when sharing data

Trust is paramount across all parties involved in data sharing as it ensures that:

• the agency can safely, legally and ethically share the data
• the data custodian understands what their data can be used for and who it can be shared with
• data recipients will use the data as per the requirements set out and agreed upon by the data custodians.

The culture of trust between agencies is integral to establishing shared goals and driving for positive outcomes. This then enables a baseline willingness to cooperate for every interaction, and an assumption to share where feasible and appropriate. However, this does not assume data is 100% transferrable and shareable, and it is expected that stipulations for conditions, rules and usage form part of the negotiations.

Queensland Government agencies should begin data sharing conversations from a position of trust. Data custodians must consider data sharing requests with openness to saying ‘yes’. This does not mean agencies must share data or must share data in the way requested. Through conversations regarding data sharing, conditions and rules for sharing and data usage can be negotiated, thereby building trust in the data sharing system and each other.

Data sharing will provide many benefits to Queensland. The data sharing framework is the beginning of a data journey for Queensland Government. As agencies grow in their data maturity, more will be possible with data and digital technologies.

The data sharing framework provides a foundation to build confidence and success in data sharing activities. Thinking about data sharing as a conversation rather than a transaction will help to build trust amongst data custodians and data requestors, which is critical for data sharing to occur. The data sharing framework may not suit all data sharing scenarios and agencies should follow their successfully established processes where needed.

Enable the benefits of data sharing by using a standard and consistent approach to shift the culture towards a responsibility to share. Agencies are encouraged to reach out to their peers to learn and understand how they successfully share data.

Scenario: Queensland disaster management arrangements

Under the Queensland disaster management arrangements, emergency services agencies are empowered to share data and information relevant to disaster management activities to ensure Queensland is able to prevent, prepare, coordinate, respond and recover from disasters.

Scenario: Sharing education data for research

The Department of Education is permitted to share data with research organisations to undertake research on behalf of the department in areas of critical relevance. This includes areas such as curriculum assessment and improvement, health and wellbeing of staff and students, supporting diverse learners and creating successful transitions between home, education, university, employment and lifelong learning.

There are two levels of data that can be shared and used as part of a data sharing arrangement.

Aggregate data

Data that combines individual records of data into higher level summary data

Unit (or transaction) record level data

Data that is presented as a set of records. Each record reflects information about an individual, organisation, other individual entity or a transaction

Where can I find shared data?

Current options available to data users to discover Queensland Government data holdings are:

Queensland Government Open Data Portal

The Queensland Government Open Data Portal is a catalogue of published open data that can be used freely. The use of open data is outside of the scope of the data sharing framework. However, the Open Data Portal is a good starting place for searching for government data that may be relevant to your needs.

Queensland Government Internal Data Catalogue

The Queensland Government Internal Data Catalogue is a platform for agencies to catalogue their data as well as search, discover and request data from other agencies. The catalogue publishes high-level information about data to help others from within government to discover data and information that may be of use to them. Access to the Internal Data Catalogue is restricted to Queensland Government employees. For further information please contact datadiscovery@chde.qld.gov.au.

If the data you require is not listed within the Internal Data Catalogue, you may need to contact an agency directly to begin a conversation about your data needs and purpose for the data request.

The Data Discovery and Open Data team is a great resource and can be contacted for help with finding data, starting the conversation with a data custodian and facilitating a data sharing request. To get in touch with the team, contact datadiscovery@chde.qld.gov.au.

The level of data shared will depend on the purpose of data sharing arrangement and legislative restrictions in place. Whatever the level of data to be shared, it is important to only share the data elements or data items required for the data sharing outcome to be achieved. This is known as data minimisation and is an important part of sharing data safely and appropriately.

Purpose 1: Service delivery

Data sharing for service delivery purposes will generally require sharing identifiable unit record (transaction) level data.

Example scenario: Collaborative data sharing for enhanced service outcomes

Following a comprehensive review, an evidence-based and cost-effective best practice approach has been identified to tackle a community issue. As a result of these findings, a group of agencies responsible for delivering a focused collaborative service to the community started sharing data related to individuals with severe drug and/or alcohol use. This initiative aims to enhance the outcomes of individuals who have engaged with the agencies. The service is designed to involve a multi-disciplinary team comprising various agencies and service providers.

Central to this endeavour is the sharing of information, which facilitates a synchronised response. This approach is aimed at improving individual outcomes, curbing criminal activities and fostering positive societal results at large.

Purpose 2: Statistical analysis and research

Data sharing for statistical analysis and research purposes can involve either deidentified/desensitised microdata or aggregate data, depending on what the sharing activity aims to achieve. There may also be options to use synthetic data as a technique to minimise risks with sharing identifiable/sensitive data.

Example scenario: Empower businesses in Queensland to provide better and competitive services through data sharing

The Queensland Government has identified a challenge: the suboptimal provision of vital services by businesses to the community, arising from uncertainty. This forces businesses to adopt a cautious approach, resulting in price hikes to accommodate perceived risk factors. This approach, not only strains finances but also restricts the quality and accessibility of services for the people of Queensland.

An agency identifies data that can be instrumental to remove uncertainty, thereby presenting businesses with an opportunity to recalibrate their pricing strategies. With this comprehensive dataset at their disposal, businesses can revise their pricing models, leading to reduced costs and greater accessibility of services to the community.

Sharing only the data that is required will continue to build trust in government’s ability to use data and minimise risks of data misuse.

By sharing this asset with industry, the government is enabling businesses to optimise the quality and reduce the prices of services they offer to the people of Queensland.

Purpose 3: Situational insights

Data sharing for situational insights can involve identifiable or de-identified microdata.

Example scenario: Fire rescue services

A Fire communications officer may provide a team of firefighters responding to a fire at a townhouse with details of how many residents live in the surrounding houses that could also be at risk of fire or smoke inhalation. This will enable firefighters to be prepared to support other victims or call for more support.

The When data can be shared section of this framework provides more detail on the legal authorisations for sharing different levels of data. Generally, there are more restrictions on identifiable/sensitive unit record (transaction) level data. De-identified, de-sensitised or aggregate data can more readily be shared as there are fewer legal restrictions.

For further information about handling different levels of data, see Further information.

Consider whether you need a dataset, data items or analytics and insights

When considering what data can be shared and what data may be needed for a data sharing activity, remember to carefully consider the level of data required and how much data you need. Perhaps you only require a few data items from a particular dataset. Perhaps you don’t require data at all, and the data custodian has the analytics or insight you require already prepared or could do some analysis for you?

An open discussion between data users and data custodians will help to shape the data sharing activity and may negate the need for formal data sharing arrangement altogether if microdata or aggregate data is not required.

Questions to ask before sharing

• What level of data is required as part of the proposed data sharing activity?
• Does the level of data required align to the purpose for the data sharing activity?
• Is dataset required for data sharing activity? Could something else be used to meet the same purpose and achieve the same outcomes?
• Have the risks of sharing this data been considered? Have those risks been managed or mitigated?

• What data is needed and what is the purpose for the data?
• Have the internal data holdings, the Queensland Government Internal Data Catalogue or the Open Data Portal, been explored for relevant data?
• Is there an established relationship with the agency that holds data relevant to the need?
• Is data sharing being approached as a conversation or a transaction?
• Are the right people at the right level being engaged?
• Is the request for data detailed enough for the data custodian to assist?
• Have all the required impact assessments and inputs been completed?
• If sharing data with or about Aboriginal and Torres Strait Islander communities, have the Indigenous data sovereignty and Indigenous data governance principles been adopted?
• Is this data sharing simple or complex?
• Have business as usual pressures been factored into timeframes?
• Have the delegates been sufficiently engaged with and informed?
• Are the details about how the data can be exchanged and used clear?
• Has metadata to support use and interpretation of data been discussed?
• Have retention and disposal rules for the data been discussed and agreed upon?

Explore data options

The data sharing process starts with an agency identifying a requirement to obtain specific data. This need may come from:

• Cabinet or government priorities articulated to agencies
• new policy, project, or program to be implemented
• procurement processes
• an information or data gap identified by your agency that is preventing the agency from achieving its outcomes effectively.

Once the requirement is identified, the agency will need to determine if:

• it can use existing data from within the agency
• another agency may hold data that can be used
• new data needs to be collected by the agency.

You may still need to follow the steps in the data sharing framework to request data held by your own agency if:

• the data was collected under a different legislative authority
• there are privacy or sensitivity issues that need to be addressed
• the data was provided by another agency or external party for a different purpose
• there are specific risks that need to be managed if data is shared internally.

Even if data sharing can occur informally within your agency, it may be useful to use the data sharing framework as a guide to help you shape your request and work through any access and usage conditions.

If data is not available within your agency, another agency may have the data you need. Before initiating a formal data request, explore the Queensland Government Internal Data Catalogue and Open Data Portal and other publicly accessible government data and information holdings. The data you need may already be available for you to use.

If attempts to find openly available data have been exhausted, it is at this point you may consider whether a formal data sharing arrangement with another agency is required. This path is preferrable to establishing a new agency data collection or extensively updating an existing data collection.

Updating or creating a new data collection can be resource and time intensive. It is far better to try to use existing government data and only create a new data collection as a last resort.

Identify the data custodian

Before you can establish a formal data sharing arrangement, you will need to identify which agency holds, or is likely to hold, the data relevant to your need. The Internal Data Catalogue will provide information on Queensland Government data holdings and the data custodian of data assets.

If the Internal Data Catalogue does not have a record for data relevant to your needs, you can contact the Data Competency Centre for help with finding and facilitating a data sharing request.

Creating the case for data sharing

Before initiating the request, you will need support from the senior leaders within your agency. Ensure you have endorsement before initiating a data sharing request. You will need this to document this in your agencies record management system.

In addition, agencies are encouraged to document data sharing arrangements in their information asset register, linking them to relevant information assets to ensure oversight of the data sharing arrangements in place.

Tip for data requestors: You should also consider the resourcing and funding requirements for the data custodian too. Preparing data for sharing has an impact on their resourcing and finances.

The exact details of this will be further negotiated as part of a data sharing arrangement but thinking about it now may help discussions later.

Once you have endorsement, you will be able to engage with a data custodian regarding your data needs and the potential for establishing a data sharing arrangement.

Engage first

Establishing a data sharing arrangement is easier if you have already established a relationship and rapport with the data custodian. If you do not have an existing relationship, reach out and engage with the data custodian before sending through the formal or informal request. This could be an introductory email about your data need and what you hope to achieve, that you hope they may be able to help you, and what the potential benefit may be to them.

Building trust is an important component of data sharing and forming a relationship helps to build that trust. The Data Competency Centre is a great resource to help you connect and build relationships with custodians.

Tip for data requestors: Everyone has business as usual pressures, and staff within a data custodial agency are no different. Your data need may be high priority to you, but not to the data custodian. Don’t be offended if they are unable to support your data needs immediately.

Engaging before you request data formally also gives the data custodian awareness that you have a desire to be put on their work program, and it’s polite to give them that notice in advance.

Tip for data requestors: The data custodian may ask you some detailed questions about why you need the data they hold. When addressing these questions, understand that the data custodian is fulfilling their responsibility to ensure data is shared appropriately. Providing clear and thoughtful responses helps to build trust in the process and strengthen collaboration

Initiate request

If the data custodian has provided an indication that they may be able to help with your data need, you will be able to initiate a formal request for data. To enable to data custodian to assist for effectively and efficiently, it is important to provide clear details of what data you need, why you need it and what you intended to do with the data. Clear requests are more likely to receive a timely response than vague requests that require the data custodian to interpret for you.

Tip for data requestors: If you aren’t sure if the data custodian has the data you require, engaging first, rather than sending a data request, will save effort if the data you need does not sit with the data custodian. Initial engagement allows you to have the conversation before requesting data. The data custodian may be able to direct you elsewhere for your data.

Tip for data custodian: If your agency has a high volume of data requests, consider establishing a triage system for initial engagement requests and formal data requests, and a mechanism for providing a brief triage response to the requestor. This information is useful to the requestor as it lets them know you have received their request and that you will get back to them in a certain timeframe. The requestor can then manage their timeframes and expectations accordingly

Drafting a data request: the Five Safes framework

The Five Safes framework is a holistic approach for assessing and managing risks associated with sharing data. The framework helps users to consider the strategic, privacy, security, ethical and operational risks associated with sharing data. It has been widely adopted by governments and the research sector in Australia. Applying the key principles of this framework can help you to shape your initial data request.

1. Safe project
   • For what purpose will you be using this data: service delivery, statistical analysis/research or situational insights?
   • What are the exact details of the purpose?
   • What outcomes do you hope to achieve through using this data?
   • Will the project have a public benefit?
   • Will the project inadvertently cause harm to anyone or anything?
2. Safe people
   • Who will have access to the data in your agency?
   • What skills do they have to use data effectively?
   • Do users have the necessary knowledge and/or training in security, data management, records managements etc. to handle and use the data appropriately?
3. Safe setting
   • Where will you be storing the data once received?
   • How can you provide assurance that there will be no data breaches or incidents?
4. Safe data
   • What data do you need?
   • What level or granularity of data is needed?
   • How will you analyse the data?
   • Are their specific variables required for disaggregation/filtering e.g. locations?
5. Safe outputs
   • Will the outputs from the data analysis be used internally or published and made publicly available?
   • What quality assurance processes are in place to ensure analysis and interpretation are fit-for-purpose?
   • What will you do with the data and outputs once you have completed the work?
   • What will be arrangements for storage, retention and disposal of the data long-term?
   • Who will be responsible for this?
   • Do you wish to on-share data or outputs in the future?

If the data custodian feels they can help you with your request, you will need to progress through a phase of negotiating the details of the data sharing arrangement before it receives formal approval.

Be flexible with your negotiation . The data custodian knows their data holdings and may not have the exact data you need but may have other data that could be useful. Some data may be better than no data.

Working through the Five Safes framework will help you to think through your request and whether you need unit record (transaction) level data, aggregate data or the outputs from existing analysis.

Assessments and inputs into the request

As part of negotiating the data sharing arrangement, other processes (impact assessment) may need to be undertaken to build confidence and trust in the data sharing activities. It is important to review these assessments and determine if they are needed for the data request.

Iterative negotiation

Negotiating the details of the agreement will be iterative and may involve multiple stakeholders across all agencies involved. Being open, flexible and coming from a position of trust and willingness to share will make these negotiations easier.

The negotiations may be undertaken at a practitioner level, but ensure you are keeping your senior leaders and delegates informed of the process. As signatories to a future agreement, the delegate needs to be fully informed of what they agreeing to and have confidence in the negotiation process.

The length of negotiation will depend on the complexities of the data sharing request and other business as usual pressures. Data sharing efforts are usually in addition to a normal work program. Factor this in early to avoid friction.

Selecting the most efficient, safe, and secure method for data transfer is essential to ensure the protection of all parties involved and the integrity of the data. Depending on the specific requirements of the data sharing arrangement, the following mechanisms may be considered:

• email: for non-sensitive or low-risk data, with appropriate encryption if required
• secure SharePoint links: for controlled access to shared files
• APIs: for automated and scalable data exchange.

The data exchange mechanism used will depend on:

• the purpose of data sharing
• the type and level of data shared
• the security classification of the data
• whether sharing is a once-off or ongoing.

The Queensland Government Enterprise Architecture (QGEA) provides policies and standards to support safe and secure data exchange, including the Information and cyber security policy (IS18) and the Information security classification framework.

Building trust is an important component of data sharing and forming a relationship helps to build that trust. The Data Competency Centre is a great resource to help you connect and build relationships with custodians.

Pro tip: Discuss your data exchange requirements with your agency’s information security team to ensure you use the right exchange method for the data.

Exchanging data between government agencies can be complex as data and systems are not always interoperable. Agencies that are more mature in their data sharing may save secure exchange infrastructure established to enable data sharing. Conversations surrounding data exchange will have been part of the information exchange schedule negotiations and a secure method will have been agreed.

The data can only be handled, managed, used, interpreted and reported as agreed as part of the information exchange schedule.

The data can only be used by the people specified in the information exchange schedule.

If, for some reason, the agreed data usage conditions need to be changed, this must be re-negotiated with the data custodian. The data activities must stop until new conditions have been negotiated and approved.

If, at any point there is a security breach with the data, or personal, confidential or sensitive data is accidentally disclosed, the delegates who signed the data sharing agreement and information exchange schedule must be informed immediately. The data activities must stop until the breach or disclosure has been appropriately resolved and the delegates are confident the data activities can continue. Incidents may result in termination of the data sharing agreement. Refer to the QGEA policies and standards that detail information and cyber security reporting requirements.

Share your results and outputs with the data custodian provides them with confidence that you are using the data appropriately and provide them an opportunity to review outputs to avoid accidental misuse or misinterpretation.

If a data custodian has concerns about the outputs, these should be discussed and documented, without pressuring the data requestor to hide or change results. If concerns cannot be resolved, the escalation pathways can be followed (see Resolve disputes).

Pro tip: A review of results and outputs by the data custodian should not be seen as an opportunity to criticise, stifle innovation or hide unexpected results from analysis. It should be considered part of the ongoing data sharing conversation and trust building.

Using and interpreting data appropriately

Metadata plays a critical role in ensuring that data can be understood, interpreted and used effectively. It provides essential context about the data, such as how it was collected, its structure, limitations and potential applications. Data custodians, as the experts in their datasets, possess in-depth knowledge of these aspects. They understand the nuances of the data, including its origins, intended purpose and any constraints on its use. However, data requestors may lack this detailed insight and require guidance to interpret and apply the data correctly. To bridge this gap, it is strongly recommended that comprehensive metadata is included as part of any data exchange. Metadata serves as a vital tool to communicate the necessary context, enabling data requestors to use the data responsibly and effectively while minimising the risk of misinterpretation.

Metadata should include:

• data dictionaries
• business glossaries
• standard vocabularies
• data model
• data collection methodology
• access and usage constraints
• data standards used
• data quality statement or similar.

The metadata that is provided will depend on the type of data being exchanged.

Purpose 1: Service delivery

Data sharing for service delivery purposes will generally require sharing identifiable data. There is specific legislation in place to allow this to occur—for example, the Child Protection Act 1999 and the Domestic and Family Violence Protection Act 2012. A privacy impact assessment (PIA) must be conducted to understand the impacts on an individual’s privacy and to ensure there are appropriate mitigation strategies in place.

Example scenario: Coordinated disaster response

In the case of natural disasters, such as flooding or bushfires, relevant data about affected individuals and properties might be shared amongst other emergency service agencies and local government bodies.

For instance, the State Emergency Service (SES) could share data with other emergency service agencies to identify residents who require urgent assistance or evacuation. This informed data exchange ensures a swift and targeted service delivery that prioritises the safety and immediate needs of the community in crisis situations.

Purpose 2: Statistical analysis and research

Data sharing for statistical analysis and research purposes generally requires sharing aggregate, deidentified or desensitised data. There are fewer legislative barriers to sharing this type of data but there will be other usage restrictions that need to be discussed and managed as part of the data sharing arrangement. If the data requested is deidentified or aggregated data that originally contained personally identifiable information, conducting a threshold assessment for a PIA is recommended. This will help to ensure the sharing data will not impact on individual’s privacy and appropriate data handling and management processes are in place.

Example scenario: Biodiversity data repository

The Department of Environment, Tourism, Science and Innovation shares data with the Australian Government Department of Climate Change, Energy, the Environment and Water to contribute to the Biodiversity Data Repository. The Biodiversity Data Repository aims to improve the management and conversation of Australia’s biodiversity through bringing together data about plants, animals, fungi and other organisms for planning, decision-making and reporting within and across jurisdictions.

Purpose 3: Situational insights

There are established legal provisions to share personally identifiable data in frontline service delivery situations if doing so will reduce threat to life, health, or welfare of a person. The aim of this is to reduce harm to the public and employees providing this service. Conducting a threshold assessment for personal identifiable information is required for sharing situational insights.

There may be scenarios where identifiable data does not need to be shared, but there could be a risk of re-identification based on the insight provided. Legal advice will be required for sharing identifiable data for situational insights.

Example scenario: COVID contact tracing

During the COVID pandemic, contact tracing was established to understand who may have been exposed to COVID with the aim of slowing the rates of infection within the community. Contact tracers were able to share de-identified information with identified contacts alerting them to their potential exposure and the need to quarantine

It is essential to consult with your agency's legal area to confirm legislative authority for data sharing.

There are other processes and assessments that can help to determine when data can be shared. The following outlines some impact assessments that will help determine risks and conditions for data sharing and how these may be managed.

Impact assessment

Threshold assessment for privacy impact assessment (PIA)

Required if there may be a need to access personally identifiable information. A threshold assessment will help determine if a full PIA is required.

Privacy impact assessment

Required if personally identifiable information is to be included as part of the data sharing arrangement, impacts on privacy need to be managed through a PIA.

Ethics assessment

Ethics approvals are a standard process in the research sector.

Required if data sharing is potentially contentious or harmful. Even if the sharing is legal, the agency must consider ‘should we’ not just ‘can we’.

Required if data is to be used as part of automated decision-making where outcomes of decisions could have negative consequences.

Consent

If you wish to use identifiable personal information, you may need to obtain current, informed and specific consent to do so. You should also keep a record demonstrating that consent has been obtained. Obtaining and recording current, informed and specific consent is not always possible or practical.

Discuss requirements around consent with your legal team, privacy officer or the privacy commissioner for more information.

Security assessment

Required to ensure data is held in systems appropriate to its classification and to protect against cyber-attack or security breach.

Ecological risk assessment

Required if data sharing may have consequences for protected or threatened species or potentially have negative consequences for the environment.

Human rights assessment

Required to determine if sharing will impact on human rights.

Legal assessment

Required to determine if the data sharing is authorised through existing legislation. This will require assessment from both the data requestor and data custodians’ legal teams.

Do no harm

Another consideration to help determine when data should be shared is the principle of ‘do no harm’. Data sharing should not result in any harm or adverse effects to the community or environment. This can be difficult to determine as ‘harm’ is subjective; what is considered harmful by some, may not be considered harmful by others. This becomes particularly difficult if the data sharing has benefits to some parts of the community but inadvertently causes harm to others.

Coordinating transportation services

Modernising and expanding transportation services is crucial for urban development and can significantly enhance public convenience.

Let's say the government shares commuter data with public transportation departments to optimise bus routes and schedules in the city. This sharing of data can improve efficiency and passenger satisfaction for the community overall.

However, without considering the data on specific areas with vulnerable populations, like elderly residents or schools, changes to transportation services could inadvertently reduce access for those who may be reliant on certain routes.

Therefore, the ‘do no harm’ principle requires an assessment of the broader impact and the implementation of measures ensuring that any shifts in service provision maintain or improve accessibility for all community members, including the most vulnerable.

Determining whether data sharing may result in harm can be a complex decision-making process. In some cases, you may not be able to clearly determine whether there will be harm caused from sharing data. This raises a challenge, particularly in cases when there are some obvious benefits that may come from the sharing activity. The relevant impact assessments listed in Table 1 can help determine the risk of causing harm.

When balancing benefits of sharing against perceived harm, it is important that agencies demonstrate evidence of due diligence and decision-making.

Establishing a data sharing agreement

Data must only be shared when a formal data sharing agreement is in place.

A formal data sharing agreement should be used to support data sharing arrangements. The data sharing agreement provides a high-level description of the data sharing arrangements and must cover:

• The purpose for data sharing and outcomes it will achieve
• Who is party to the data sharing agreement (data custodian/s and data requestor)
• Legal authority to share
• Length of the agreement
• How the data will be used and intended outputs

Establishing an information exchange schedule

To specify detail, each data sharing agreement must be accompanied by a detailed information exchange schedule, which must cover:

• Format of the exchange
• Details and outcomes of assessments, such as PIA, legal assessment, security assessment, etc.
• Who will have access to the data?
• Dispute resolution
• Access and usage conditions of the data, such as licencing, provision of third-party data, known data quality, required capabilities of users. (important if it is data that requires specialist knowledge of skill set)
• Specifics of how the data will be used, managed, analysed, stored and disposed of, and time limits for disposal.

Further details on the data sharing agreement and information exchange schedule are outlined in How data can be shared.

Questions to ask before sharing

• Is there legal authority to share data?
• Will certain impact assessments need to be undertaken to ensure data sharing is safe and all risks are known and managed?
• Has a data sharing agreement and information exchange schedule been developed?
• Has data sharing been discussed with the relevant agency's legal and privacy officer to get their advice and insights?

Who has delegation to make data sharing decisions?

To ensure the data sharing arrangement is agreed and endorsed by the agencies involved, it is important that the delegate for signing the agreement is at the appropriate level to understand what data is being shared, for what purpose, how the data will be used and what are the associated risks and benefits for the data sharing activity. Table 2 describes the delegation to agree to certain types of data sharing arrangements.

Agreement types and their delegation

Data sharing heads of agreement

Delegation: Director-General (or equivalent)

The data sharing heads of agreement acts as a clear signal of intent to promote data sharing across Queensland Government agencies. It demonstrates a commitment to fostering collaboration, building trust and enabling the safe and secure exchange of data to deliver better outcomes for Queenslanders. It also operationalises the Queensland data sharing framework by providing a common framework with general terms and conditions to guide data sharing practices.

Data sharing agreement

Delegation: Data custodian

An agreement between two or more organisations or agencies that are providing and receiving data. It will specify the conditions under which data will be shared, accessed and used.

Information exchange schedules

Delegation: Data stewards

Information exchange schedules are data sharing agreements between one or more agencies. It outlines comprehensive details of data sharing activities for the agreed data sharing purpose/s.

Who else needs to be involved in the activity?

The senior leaders within an agency may be the delegate for decision making but negotiating a data sharing arrangement is a collaborative process and will require input from others within the agency. Who you engage with will depend on the data sharing activity, but it will involve conversations with anyone involved in the creation, management, support and governance of the data asset, including CIOs, executive directors, directors, managers and/or data analysts. Further details on these roles can be found in the Information management roles and responsibilities guideline.

It can be helpful to develop a brief stakeholder engagement plan or map to determine who you should engage with as part of establishing a data sharing arrangement. You must also engage with the delegate throughout the process to ensure their decision-making is informed by the relevant information. Data sharing is a conversation, and regular conversations will ensure all stakeholders are engaged and supportive of the data sharing activity.

Questions to ask before sharing

• Who has the delegation to agree to this data sharing arrangement?
• Who else in the relevant agency needs to be involved in the conversation?
• Have all stakeholders who may be impacted by the data sharing activity been engaged?
• Has the delegate been sufficiently informed throughout the process?

As part of building a trusting relationship, data requestors should, where appropriate, share the results, outputs and outcomes of the data sharing with the data custodian. The outputs may benefit the data custodian too.

Each data sharing arrangement can provide new insights and learnings that can improve the process for data custodian, data requestors and others into the future. Data custodians and data requestors should take time to reflect on the process, what worked well and what could be improved. This is another important component of the data sharing conversation.

Pro tip: Share your learnings widely. Use them as a basis for conference papers, agenda items at cross-agency data sharing forums or publish as a report on data sharing activities for your agency. Data sharing is a maturing practice across all levels of government. Everyone can learn from your experience.

Data is a public record, and all records associated with the data sharing arrangements (including decisions made and actions taken) must be kept in the appropriate records management system by all parties involved for as long as required under an approved retention and disposal schedule.

If a data requestor is to retain the data, the length of retention and storage platform must be agreed with the data custodian, in discussion with record management officers. Retention and disposal schedules must comply with the Public Records Act 2023.

If the custodianship of the data is to transfer to the data requestor, allowing the data requestor to make future decisions regarding the use of the data, this must be detailed and documented as part of the data sharing agreement and information exchange schedule. Data requestors generally do not become custodians of data shared with them and do not have rights to make decisions regarding on sharing that data with third parties.

Where a data sharing agreement stipulates ongoing sharing, data custodians and data requestors must agree to a timeframe for revisiting and reviewing the data sharing agreement to determine if:

• data is still required
• data is being used and managed as agreed.

Revisiting and reviewing agreement need not be an intensive process involving third-party auditors but viewed as a continuation of the data sharing conversation to maintain the trusted relationship into the future.

• Have the outputs and outcomes of the data sharing been shared back with the data custodian? Have they been provided an opportunity to comment?
• Have agencies involved taken the time to discuss and document lessons learnt to improve future data sharing processes?
• Have ways to share lessons learnt with others been considered?
• Has data been stored according to what was agreed in the information exchange schedule?
• Is the retention schedule for the data understood by all?
• Have all records relating to the data sharing arrangement stored appropriately?
• Are the ongoing custodianship arrangements of the data clear and understood?
• Has a plan for revisiting and auditing existing data sharing agreements been put in place?
• Is there a plan to maintain the relationships with the parties involved in the data sharing agreement, as part of continuing to build a culture of trust within the Queensland public service?

Escalation pathways

Data sharing agreement delegates

If officers involved in the data sharing activity cannot resolve the issue, the delegates who signed the data sharing agreement should collaborate to resolve the disagreement.

Data Leadership Committee

If the disagreement cannot be resolved amongst agencies involved in the data sharing arrangement, then the issue must be escalated to the Data Leadership Committee for external support and resolution.

Director-General (or equivalent) of data custodians and data requestors

If the disagreement still cannot be resolved after advice and support from the Data Leadership Committee, the issue must be escalated to the Director-General (or equivalent) of the data custodian/s and data requestor/s.

Advice and support

Data Competency Centre

This team is embedded within Data and Digital Government within the Department of Customer Services, Open Data and Small and Family Business and provides advice on issues relevant to data sharing including data sharing agreements, policies and standards, risk management and pathways to resolve disputes.

Office of the Information Commissioner

Provides agencies with privacy information and assistance to comply with their obligations.