Responding to data access requests

Responding to data access requests

Data requests can be received from members of the

  • government agencies. 
  • public

Responding to agency requests

There are three key steps to follow when responding to agency requests to access your organisation’s data.

1. Assess whether the data can be shared safely

Share data when answering “yes” to the following questions:

  • Is the purpose of the data sharing consistent with s6 of the Data Sharing Act?
    • The Data Sharing Act says that data sharing requests need to support: policy development, program management and service planning and delivery.
  • Is the data requested excluded from categories listed in Schedule 1 or Schedule 2 of the Government Information (Public Access) Act 2009 (GIPA Act)?
    • The Data Sharing Act prohibits the sharing of data if it falls into one of the types referred to in these schedules.
  • The request doesn’t require any personally identifiable information (PII) of individuals?
    • The Data Sharing Act (by reference to privacy legislation) does not allow personal or health information to be disclosed (or collected and used for a secondary purpose).
    • If you think you any of the data being requested may be personally identifiable information (PII), discuss the request further with the Requesting Agency and if necessary seek further advice from the Privacy Officer for your agency or the Information and Privacy Commission.
    • You can negotiate with the Requesting Agency to de-identify or otherwise make safe any data containing potential PII.
    • Further information on making data safe for public release is available.
    • Privacy legislation provides exemptions relating to the disclosure of personal and health information, however the application of these is strictly limited. NSW Government is committed to the protection of personal and health information and by extension, the privacy of NSW citizens.
  • The request doesn't require any sensitive data?
    • Sensitive data could include:
      • information about secret or sacred practices
      • ecological data that may place vulnerable species at risk
      • commercially sensitive information
      • If you decide that particular data is “sensitive” and cannot be disclosed, you need to document this decision with the legislative or policy reference that informed your decision.

Remember, you can discuss any concerns you have with the data requester and negotiate arrangements that meet both agencies’ needs.

A decision to not share data should only be made after consultation with the Requesting Agency and all attempts made to remedy the factors preventing the safe sharing of data.

The reasoning for a final decision not to share data needs to be established in writing. Note that if a Requesting Agency disputes your reasons for not approving a request they are able to make a formal access application under GIPA Act.

2. Negotiate how to provide the data

Agree on the terms and conditions for sharing data with the Requesting Agency.

It is appropriate for the Custodian Agency to set terms and conditions for the release of data to a Requesting Agency. Your agency can decide on the form that your agreement will take.

Determine whether controls are required to ensure that:

  • the requesters use the data in an appropriate manner
  • the environment the data will be stored in will not pose risks
  • the publication of outputs from the data does not pose risks

3. Determine whether the data or aspects of it can also be made publicly available

If a Data Sharing Request is approved, it is likely that some or all of the data could also be made open (s7 of the GIPA Act).

By proactively releasing data, your agency is meeting the requirements of the GIPA Act and streamlining and simplifying future data sharing processes.


Last updated: 19 June 2019