Tools

ADEPT Tools comprise a set of templates that constitute practical application of the ADEPT framework to facilitate data exchange within and between Tasmanian Government agencies. The templates will be modified, refined and improved over time, to meet organisational, legislative and regulatory changes.

Process Flowchart

The Process Flowchart provides a high-level overview of the data exchange approval process, from initial data request through to assessment and response by the source agency.

PDF(331KB)

Statement of Intent

The Statement of Intent has been designed for use as an electronic form or adapted as an online template for data requests, as a practical tool to facilitate agency compliance with ADEPT principles and obligations.

Word (75KB) PDF(265KB)

Conditions of Release

The Conditions of Release has been designed for use as an electronic form or adapted as an online template for data release, as a practical tool to facilitate agency compliance with ADEPT principles and obligations.

Word (65 KB) PDF (227 KB)

Procedures

Procedures have been developed to guide high-risk intra and inter-agency data matching, linkage and integration projects, as an extension of ADEPT principles and obligations.

The Administrative Data Exchange Protocol for Tasmania (ADEPT) provides overarching practical guidance to facilitate the safe and transparent exchange of data both within and between Tasmanian Government agencies, balancing the protection of privacy with other equally important public interests. It does not constitute legal advice about how agencies should comply with legislation in specific circumstances, nor provide for the exchange of data held by Tasmanian Government agencies with other tiers of government or academic, research and private sector organisations. Agencies should continue to seek independent legal advice where appropriate.

ADEPT Procedures are a step-by- step guide through the process of requesting, assessing, releasing and using or manipulating data provided by another business unit or agency. Adherence to these procedures is particularly significant for all projects involving data matching, data linkage and data integration activities carried out by and on behalf of the Tasmanian Government.

When unrelated datasets are matched, linked and/or integrated, that activity must be conducted transparently, be compliant with all relevant legislation and regulation, and be clearly justified in the public interest.

When requesting access to data collected and managed by another business unit or agency, an important distinction must be made between datasets that include personally identifying or sensitive information about individuals or individual organisations and those that do not.

For the purposes of this document, data exchange is classified as either:

  • Simple (low-risk): straightforward exchange of data that does not include personally identifying or sensitive information about individuals or individual organisations, and which are not bound by any other legislative or regulatory considerations.
  • Complex (high-risk): safeguarded exchange of data that involves personally identifying or sensitive information about individuals or individual organisations, multiple datasets, or data that is subject to specific legislative or regulatory considerations.

A. Data Exchange

The routine exchange of data between different business units within a Tasmanian Government agency would generally be classified as simple and low-risk. This includes data matching activities aimed at improving the delivery of services to individuals: that is, activities in which individuals would reasonable expect the data to be used in a way that relates to the purpose for which it was collected.

Data that is exchanged for use in internal-to- agency research or statistical analysis projects, potentially involving data linkage and data integration, would also normally be considered a form of data use, not disclosure.

The exchange of data between Tasmanian Government agencies would generally only be classified as simple and low-risk in cases where such exchange does not involve personal or sensitive information about individuals and individual entities, intellectual property or other legislative or regulatory considerations, including data matching activities aimed at improving the delivery of services to individuals: that is, activities in which individuals would reasonably expect the data to be used in a way that relates to the purpose for which it was collected.

Data that is disclosed by one agency for use in policy research or statistical analysis to be undertaken by another agency would generally be classified as complex and high-risk. The agency-to- agency exchange of data for use in specific projects and ongoing programs that involve data matching, linkage and integration processes between Tasmanian Government agencies would generally be considered to be either data collection or disclosure: that is, individuals are unlikely to expect that their data would be used for those secondary purposes, unless consent has been provided at the time the data was collected.

Before any exchange of data for all complex (high-risk) projects and programs, parties to the exchange should transparently evaluate, negotiate and record their agreement on the parameters and legitimacy of the project or program objective. All parties should review and be familiar with relevant provisions and Personal Information Protection Principles under the Personal Information Protection Act 2004.

Simple (Low-Risk) Exchange

Request

ADEPT Statement of Intent

Data requests to other agencies should be accompanied by an ADEPT Statement of Intent. All requests should clearly demonstrate benefits in the public interest and propose an appropriate mechanism for data exchange, as well as conditions of data retention and disposal, if required.

Evaluate

Privacy Impact and Risk Assessment

Managers of source data should objectively evaluate all requests for data in the context of any relevant legislative and regulatory considerations, privacy impact and level of risk. In situations where it is considered that data is not suitable for release, the request should be referred to the Head of Agency (or delegate) for final decision.

Respond

ADEPT Conditions of Release

Responses to simple data requests submitted by another agency should be accompanied by ADEPT Conditions of Release.

Exchange

Data exchange should be exchanged in an environment with levels of security commensurate with the type and format of data and perceived level of risk.

Record

Data Exchange Register

All requests and agreements should be entered into a register of data exchange projects and ongoing programs for whole-of- government probity and transparency.

Complex (High-Risk) Exchange

Request

ADEPT Statement of Intent

Complex data requests to another agency must be accompanied by an ADEPT Statement of Intent. All requests should clearly demonstrate either an operational imperative or benefits in the public interest and propose an appropriate mechanism for data exchange, as well as conditions of data retention and disposal, if required.

Data Matching or Integration Proposal

Agencies implementing high-risk projects involving personally identifying or sensitive information for use in data linkage and integration activities should complete and submit a Data Matching or Integration Proposal.

Evaluate

Privacy Impact and Risk Assessment

Managers of source data should objectively evaluate all requests for data in the context of any relevant legislative and regulatory considerations, privacy impact and level of risk. In situations where it is considered that data is not suitable for release, the request should be referred to the Head of Agency (or delegate) for final decision.

Processes proposed for data linkage and data integration should be carefully evaluated in the context of the secure management of data during and after integration, the handling of identifiers and the application of principles to separate demographic information from individual content or event information:

Respond

ADEPT Conditions of Release

Responses to complex data requests submitted by another agency should be accompanied by ADEPT Conditions of Release.

Exchange

All data exchange should be carried out securely, through a secure file transfer service, in accordance with whole-of- government information management guidelines and protocols.

Record

Data Exchange Register

All requests and agreements must be entered into a register of data exchange projects and ongoing programs for internal probity and transparency.

B. Data Exchange for Matching, Linkage and Integration Guidelines

These guidelines have been developed to support the protection of privacy and guide best practice data matching, linkage and integration activities within a Tasmanian Government context. If an agency intends to conduct similar projects, either concurrent or sequential, they should be combined and treated as a single program for assessment and approval purposes.

Data Request Checklist

Scenario

You want to develop a data request and enter into a formal agreement with another business unit or agency to establish a data matching/linkage/integration project or program

Checklist

  • Is the request justified?
  • What is the project or program objective?
  • Have you evaluated the public benefit and privacy impact?
  • Is the risk proportionate to the public benefit?
  • Could the objective be achieved in another way, for example, by using an alternative data source?
  • Do you have senior executive endorsement for the project or program?

Data Evaluation Checklist

Scenario

You have been asked to enter into a formal agreement to provide data to another business unit or agency for a data matching/linkage/integration project or program.

Checklist

Is the request justified?
  • Do you have any concerns about the project or program objective?
  • Does the proposal demonstrate public benefit?
  • Are there significant risks to privacy and confidentiality that outweigh public benefit?
  • Are you aware of an alternative source of suitable de-identified or anonymised data?
Are you authorised to supply the data?
  • Are there legislative or regulatory constraints that inhibit your ability to provide the data?
  • Is it necessary or appropriate to provide public notice or notification to affected individuals about the proposed project or program?
  • Do you have assurance that the data will not be published in a form that identifies any individuals?
  • Do you have senior executive approval to supply data for the project or program?
  • Do you need to seek further/independent legal advice?
Does the proposal demonstrate adequate safeguards and appropriate technical standards?
  • Does the proposed process include demonstrable safeguards for the protection of privacy?
  • Are the detailed technical standards and controls appropriate to the proposed use andlevel of risk?
  • Should time limits be applied to the project or program?
  • Are the proposed processes and timeframes for data retention and disposal adequate?

Data Matching, Linkage and/or Integration Proposal, Risk Assessment & Agreement Template

Applicants intending to undertake a data matching, linkage or integration project or program should complete this project proposal form prior to approaching data managers to request in-principle approval and agreement for data exchange, disclosure and use. The information compiled in this project proposal may be used to form the basis of project agreements.

On completion of the proposal, the applicant should submit the proposal to the data source manager for consideration and in-principle approval, including any conditions of release. Once in-principle approval is given, details of the project may be finalised, including technical feasibility, data security and data management arrangements, linking methodology, measures to protect privacy and confidentiality, data access arrangements and data retention and destruction plans. Final approval is confirmed through the signing of project agreements 1 between all parties.

Word (71 KB) PDF (297 KB)