Skip to main content

A NSW Government website

Responding to Data Access Requests

Data requests can be received from:

  • Government agencies
  • Members of the public

This page provides an overview of the three key steps to follow when responding to agency requests to access your organisation's data:

1. Assess

Assess whether the data can be shared safely

Share data when answering "yes" to all of the following questions:

  • Is the purpose of the data sharing consistent with s6 of the Data Sharing (Government Sector) Act 2015
    • The Data Sharing Act says that data sharing requests need to support policy development, program management and service planning and delivery
  • Is the requested data excluded from categories listed in Schedule 1 or Schedule 2 of the Government Information (Public Access) Act 2009?
  • The request doesn’t require any personally identifiable information (PII) of individuals? 
    • The Data Sharing Act (by reference to privacy legislation) does not allow personal or health information to be disclosed (or collected and used for a secondary purpose)

    • If you think any of the data being requested may contain personally identifiable information (PII), discuss the request further with the Requesting Agency and, if necessary, seek further advice from the Privacy Officer for your agency or the Information and Privacy Commission (IPC)

    • You can negotiate with the Requesting Agency to de-identify or otherwise make safe any data containing potential PII

    • Further information on making data safe for public release is available on the IPC’s website

    • Privacy legislation provides exemptions relating to the disclosure of personal and health information, however the application of these is strictly limited

  • The request doesn't require sensitive data? Sensitive data could include:
    • information about secret or sacred practices
    • ecological data that may place vulnerable species at risk
    • commercially sensitive information

If you decide that data is sensitive, you need to document this decision with the legislative or policy reference that informed your decision.

The reasoning for a final decision not to share data needs to be established in writing. Note that if a Requesting Agency disputes your reasons for not approving a request the Requesting Agency is able to make a formal access application under the GIPA Act.