Chief Data Officer Guideline: Responding to data sharing requests

Guidance
Read and download the Guideline below.
Last updated:

About information sharing requests under the PRIS Act

The Privacy and Responsible Information Sharing Act 2024 (PRIS Act) enables government agencies and specified external entities to responsibly share government information where they may otherwise not be able to do so. The Chief Data Officer issues guidelines under section 201 of the PRIS Act to support responsible information sharing. Parties to an information sharing agreement must have regard for these guidelines. As information sharing commonly involves the exchange of data, references to data in this document should be read as meaning government information.

An information sharing request is the first step for sharing data. The guideline explains how to determine the best pathway for sharing data and respond to a request. It is supplemented by an optional template.

If the request is supported and meets the requirements of the PRIS Act, the entities determine appropriate safeguards and then enter into an information sharing agreement, which sets out how data will be disclosed and handled for a permitted purpose. Once the parties have signed this agreement, data can be shared and used according to the terms of the agreement.  

Who can make or receive an information sharing request?

The PRIS Act enables public entities to share data with each other or with specified external entities. The entity making the request is known as the requesting entity, and the entity which holds the data that is being requested is the holding entity.

Public entitiesExternal entities
Can request or provide data under the PRIS Act and be a requesting or holding entity.Can request data from public entities under the PRIS Act and can only be a requesting entity.
  • WA Government departments
  • Statutory authorities
  • Local governments and regional local governments
  • Government trading enterprises
  • WA public universities
  • Commonwealth, State or Territory government agencies
  • Contracted service providers
  • Aboriginal Community Controlled Organisations
  • Australian universities (includes interstate and private universities) 
  • Health-related research bodies
  • Social service providers

What kind of information can be requested?

Only government information can be requested under the PRIS Act. This is defined as any information held by a public entity, but excluding any exempt information held by a public entity. Government information may include personal information, operational information, program data or other records used to deliver services. 

The PRIS Act includes a list of exempt information in section 158. Regulations made under the PRIS Act may include additional classes of exempt information so it is important to consider those as well. Examples of exempt information include certain child protection and public interest disclosure records, information that could identify complainants or protected sources, national security information and information linked to law enforcement investigations. 

What are the steps to respond to a data sharing request?

Step 1: Carefully consider the request

It is important to carefully evaluate the request to understand its public benefit, and the best enabling pathway. At times, agencies can default to not sharing data where there is legal uncertainty or other perceived risks. The PRIS Act removes barriers that impede data sharing by expressly authorising data sharing for permitted purposes. 

For these reasons, it is important for the principal officer to understand the reasons for their agency not wishing to share and to weigh these reasons against the public benefit of the proposed activity and the risks of not sharing. For more details about how requests are prepared, refer to the Chief Data Officer Guideline Requesting Data Under the PRIS Act.

Step 2: Draft a response

The response is not a lengthy or complex document. Its purpose is to signal the next steps for the data sharing process. An optional information sharing response template is available to help ensure you include all the necessary details.

Your response must indicate if you intend to share data according to the request, and whether you intend to do this under the PRIS Act, or whether another pathway is more suitable. There are several factors to help you identify the right pathway for data sharing.

  • Option A: Share data under the PRIS Act. This response provides in-principle agreement to share data under the PRIS Act. It indicates that your entity may be willing to share some or all of the requested information under the PRIS Act. Before any data is disclosed, the parties must complete the required assessments and enter into an information sharing agreement. Provide high level details about the next steps to begin this process.

    This response is appropriate if the requesting entity is a public entity or an external entity and has made a formal information sharing request under section 160 of the PRIS Act, their project aligns with a permitted purpose, and the requested data meets the definition of government information.

  • Option B: Share data another way. This response indicates that your entity considers that the data can be shared through a different pathway, such as other legislation, operational processes, or an established agreement or contract, instead of using the PRIS process. Provide details about the proposed pathway and next steps to begin sharing data. Where data is able to be shared through any of these pathways, it can be shared without the need to make an agreement under the PRIS Act. 

    This response is appropriate if it is permitted under your own legislation, if your entity already has an established arrangement for data sharing with the requesting entity (or similar types of entities), if the requesting entity does not meet the definition of a public entity or an external entity, if the project does not align with a permitted purpose under the PRIS Act, or the requested information consists solely of exempt information.

  • Option C: Refuse the request. This response indicates that your entity refuses to share the requested data. Explain your reasons for refusing the request. These reasons may provide the basis for further engagement, to identify an appropriate pathway for data sharing, so be as specific as possible.

    This response is appropriate if the proposed disclosure could pose a serious threat to the life, health, safety or welfare of any individual, or could breach a contract or court order, or could prejudice legal proceedings or law enforcement, or would contravene the law of another Australian jurisdiction – and data sharing is not required or authorised under another law.

    Example - Who can make an information sharing request
    icon of a note on a clipboard with a pencil on the line. Behind it is a purple gradient

    An interstate university (external entity) requests data to analyse education outcomes in disadvantaged communities. 

    You note that the project involves the disclosure of personal information to enable data linkage. Your agency legislation does not support the sharing of identifiable information outside of WA government. 

    You consider that the proposed activity could deliver significant public benefits and this aligns with a permitted purpose under the PRIS Act. 

    In this scenario it is appropriate to select Option A, which allows the request to proceed to the next stage under the PRIS Act. In the next stage, a privacy impact assessment (PIA) can be conducted, risks can be examined and appropriate safeguards identified before a decision on data sharing is confirmed.

Step 3: Send your response to the right people

You must provide a written response to a data sharing request under the PRIS Act within 45 calendar days, unless a longer timeframe is agreed between the parties. The 45 day period starts on the day the request is made.

  • Your response must be sent to the head of the requesting entity: The PRIS Act refers to the head of an entity as the principal officer. This could be a CEO or Director General, Commissioner, or Vice Chancellor. The response must be in writing and can be sent by letter or email. You may choose to attach supporting documents where this will assist the parties to progress the data sharing arrangements.
  • Include data.sharing@dpc.wa.gov.au in the response email: This notifies the Chief Data Officer, who has oversight of information sharing activities under the PRIS Act. 
  • The head of your organisation must authorise the response: The head of your organisation can authorise a senior officer to prepare, sign and send the response on behalf of your organisation. A senior officer is a person in your organisation who has managerial responsibilities equivalent to a deputy or second tier to the principal officer.

What happens if someone changes their mind?

The request, or your entity’s response, can change.

  • A request can be withdrawn: To withdraw an information sharing request, the requesting entity must notify the principal officer of the holding entity in writing, providing details of the request and the date it was submitted to the holding entity.
  • You can change your response: A holding entity may change its position later in the process. For example, you may initially indicate willingness to share data but choose not to proceed after completing the assessments required under the PRIS Act. This allows your entity to respond to new information, risks or risk mitigations, and circumstances as the process unfolds.

Overcoming challenges to data sharing

The Objects of the PRIS Act include:

  • promoting responsible handling of government information as a public resource that supports government policy, programs and services; and
  • removing unnecessary barriers to responsible sharing of government information.

Contact the Office of Digital Government as soon as possible if:

  • You receive a data sharing request and are not sure how to proceed.
  • You have questions about established data sharing arrangements and whether they can be used to meet a new data sharing request.
  • You have questions about whether data can be shared under the PRIS Act.
  • You have questions about whether data can be shared under other legislation.
  • You need support to engage with stakeholders and determine the most suitable pathway for data sharing.
  • Your entity intends to refuse a data sharing request made under the PRIS Act.

Requesting entities are also advised to contact the Office of Digital Government, if their request has been refused or if they have not received a response within 45 days.

Escalation pathway

The authorising framework under the PRIS Act is intended to enable most data sharing challenges to be resolved between the parties at officer level, with appropriate support from the Data Governance team at the Office of Digital Government (DGov).

Where the parties fail to reach agreement within a reasonable timeframe, the Chief Data Officer (CDO) will engage with the parties and make a recommendation in writing to the principal officers.  This is in line with the functions of the CDO under section 200 of the PRIS Act to build capability and assist public entities to share data appropriately. 

In engaging with parties, the CDO will work to resolve uncertainty and remove barriers that unnecessarily limit the responsible sharing and use of government information as a public resource. The CDO will consider:

  • the objects and permitted purposes for data sharing under the PRIS Act;
  • types of exempt information excluded from data sharing under the PRIS Act;
  • the anticipated outcomes and public benefit of the data sharing project;
  • the risk assessment and risk management plan, including privacy and security safeguards; and
  • other available pathways for data sharing.

Once this recommendation has been made, the Government Chief Information Officer (GCIO) and the CDO will engage directly with the principal officer of the holding entity and the principal officer of the requesting entity, where necessary.

In circumstances where a request meets the requirements of the PRIS Act and data sharing is aligned with Government priorities or is anticipated to deliver significant public benefits, yet barriers persist, the CDO may advise the Information Sharing Minister to write to the responsible Minister. The Information Sharing Minister could issue an information sharing direction under section 163, requiring the holding entity to enter into an information sharing agreement under the PRIS Act.

If you need help…

For advice or assistance in responding to a data sharing request, please contact the Office of Digital Government by email at data.sharing@dpc.wa.gov.au.

Download a copy of the Guideline and optional template below.

Have a question or want to report a problem?

Fill in the form to get assistance or tell us about a problem with this information or service.

Send feedback