 So welcome to this meeting of the Australian Sensitive Data Interest Group. So this is an interest group that's co-facilitated by the Australian Data Archive and ARDC, where we come together every month or so and hear about interesting and exciting things that are happening in the space of sensitive data. I'd like to start by acknowledging and celebrating the first Australians on whose traditional lands we're meeting today. So for me here in Perth, that's the Wajah Nungar people, but there's many different peoples across Australia, and pay our respects to elders past, present and emerging. So, yep, as I just said, we are recording because I think this is a very interesting topic and there will be a lot of people who will want to catch up after the fact. That does mean that if you have your camera or mic on, then you might be in the recording. So if you don't want to be recorded, I would recommend that you turn those things off. I'd also request you turn your microphone off anyway. You should be muted just because there are quite a lot of us in here today. So we will take questions via the chat and then throw them to Georgie towards the end. So, today we're really excited to hear from the Office of the National Data Commissioner about how they are helping to streamline researchers' access to Australian government data. And for Georgie, this is a group of a very diverse range of people who work with and are interested in sensitive data. We hear from many different disciplines, many different practices, so technical level things, governance level things. It's really a space where we can come together and try and find the places where there are intersections in our work and hopefully find common solutions. But we're yet very interested to hear today about what the ONDC has been doing. And I will, in a moment, share a link. Once I stop sharing my screen, I'll share a link for everyone to our communal notes document where we can all take notes together as we listen to Georgie present. So I think that's everything. Yeah, so today, just to give you some context, that's why I'm here, what the ONDC is doing, and I'll just chat you through what a bit more on data place as a platform. Feel free to click to the next slide. Obviously, the large cherry is not here, so unfortunately, it's just me talking the whole time. But basically, I'll just run through a quick overview and then how someone actually gets on to data place. And then some of those just key services that are available. And then I might just stop the questions. I think that would be better. I won't dwell too much on the functionality. Next slide. Please just keep going. Yeah, so I suppose just reiterating what I mentioned before, data place is a whole of government platform. That's digital services platform that's designed to coordinate access to Australian government data, both for the data scheme, but also it's not limited to the data scheme. And so what we mean by that is data place will be a single place to facilitate connections between organizations seeking Australian government data and Australian government agencies. So the Department of Health, the Department of Industry, for instance, who actually hold data and are able to share it for certain purposes. Basically, the idea is the platform will enable and encourage safe data sharing and put some really good best practice guides into the processes so that both the organizations requesting data and entering into data sharing agreements and the custodians who hold data are working in a consistent and streamlined way and making sure that they're applying the right controls and frameworks over that data sharing to make sure that it's safe to do so. I'll touch on the key services and kind of what their key functions are and how they work together to achieve that outcome. It's just worth calling out because we have it as a question all the time. Data place doesn't transmit or store the data that is actually being requested or shared. It is very much a governance and monitoring tool for data sharing. So the actual transmission of data and the sharing of data occurs per project within the relevant secure location. For instance, it might use the ABS data lab or if it's really high level aggregate data, there might be no need to share within such secure locations and it's really a fit for purpose sharing mechanism there. But yeah, data place really is a governance tool for the sake of those on the line that love governance and it's very much to help manage and coordinate the sharing of data as opposed to actually the sharing. Next slide, please. So who's it for? So there's a few concepts that we talk about here is data users and these could be organizations, researchers, Commonwealth and Staten Territory Governments or private sector businesses seeking access to data in the public benefit. So they have to actually be that it's not just a request service for requesting any type of data. They do have to articulate how it would benefit the public. The concept of data custodians, which for data place is Australian Government Agency so that's not Staten Territory Agencies but just Australian Government Agencies at this point in time because it's a federal level digital services platform and we have the concept of data service providers which are basically specialty providers that help with data integration or complex data services and things like that. So they participate on data place as kind of to help data custodians put controls in place for their data sharing agreement and actually facilitate this exchange of data. A great example of a potential data service provider is some of the Australian, the AIAs that currently exist. So the ABS and there's a few Staten Territory service providers that would make that definition. And then also the general public, we have a commitment as part of the DAT scheme but just more broadly on data place to be really transparent about the data sharing that's occurring so that the public can see at an aggregate level. So it's obviously not just open to the general public at an aggregate level what kind of data has been shared and for what reasons just to kind of keep building that trust and understanding as to why the government shares data to improve its policy development for instance. Next slide please. When we talk about what success looks like from data place I kind of touched on this a little bit earlier as well is we really want to enable great use of data by more users in a safe way to make sure we're realising the value of Australian government data. Our key strategic objectives then are increasing access to that data to a broader user group whilst also increasing the maturity Australian government data sharing practices and also increasing public trust to maintain a social licence for sharing data. And there's some kind of key sorry I've got a dog joining me besides this presentation. Sit down Boogie. She really wants to be involved. So there are kind of key strategic outcomes that you know that's what we're looking to see over the next three years whilst we continue to ramp up in this program. Next please. So I mentioned how we connect organisations to be able to actually coordinate data sharing. So these are the key services the data place offers to actually be able to enable that to occur. So it's just worth calling out anything in a light blue is technically not delivered by the data place platform. However, it's just recognising that it's kind of part of the value chain and it's important to acknowledge that there is some key things that happen outside of the platform to enable data sharing with the Australian government data. So when we talk about Discover on the data place platform we have a very interim solution shall we say on how we make sure a request goes to the right custodian because no one is very clear about which custodians hold which data and who the request should go to. So in absence of the Australian data catalogue for all Australian government data we have a search functionality on data place that you can kind of enhance with keywords. It's a great first step. However, the ONDC is actually running a separate programme of work called the Australian government data catalogue and inventories programme and it's really looking at how to make data more discoverable and some of our colleagues from the ADRC are obviously online and they're very much helping us with that project as well. The idea is that data place would actually use that catalogue once it's completed to actually better direct request to the right organisation. So that's a real enhancement. But in terms of the services data place office there's an onboarding and registration process and that's really just about getting your organisation set up on the platform so that you know with some key information so that we can basically help facilitate all of the other services. We ask data custodians to onboard onto data place in order to make sure that they are receiving notifications through the applications. The right areas within their organisation are being informed of requests coming into them and they're able to respond through the platform. Accreditation is very aligned to the requirements of the data scheme. So it's an accreditation process for data users. They basically can put in an application and through that process they can actually start requesting data of the data scheme and therefore be regulated by the ONDC. That's available on data place as well and actually as of yesterday it's available to government users to actually start applying for accreditation. They wanted to. But the really exciting stuff I think personally is how you get to data sharing and we have an inquiry and request process. So basically as an organisation you can draft up a data request and send it to the Australian Government agencies. The same request in order to get a response as to whether or not there is an intent to share data. How this works is you fill out the form. It follows a similar process to the data sharing principles. So the project people at a very high level and really ask data users to articulate what they're trying to achieve by accessing that data so that the data custodian can look at that request and consider it in line and assess it in line with whether or not they can actively share that data or if there's any barriers or concerns that need to be addressed. So as part of that request process at the end of your request process you'll get an in principle agreement to share from the data custodian or you will receive a reason for refusal. So they have to basically articulate by closing out a request why they weren't able to progress that request and requesters can actually see the progress of where their request is at at all times which is really something we heard in our discoveries being very valuable because at the moment it's quite opaque and no one really knows where a request might go. It also has a really great ability to be transferred between custodians so if for some reason and we do expect this that the custodian selected isn't the holder of that data rather than asking the request to go fill out a different process at a different agency they can just transfer the request to the correct custodian all in system and they're not required to fill out any more information. So that's really beneficial and then at the end of that in principle agreement you would actually then start to discuss how you would enter in and to a data sharing agreement with those custodians and that's really a lot more of a detailed understanding and effort around how you might control put the controls in place around that data so it's shared safely. This service is still in design still underway in data place but we do have a bit of a conceptual understanding of what are the key sections that would be included in a data sharing agreement and what are some common terms and clauses that should just kind of by default be data sharing agreements to try and take some of the complexity out of which agreement you use in what circumstances. And at the end of that kind of collaboration agreement process there's also a collection of key monitoring information to enable custodians and data users to actually keep track of their data sharing agreements and what they're actually meant to be doing for instance if there's controls around the destruction of data what date that's meant to occur on and we're able to actually notify the relevant parties that the date for data destruction is approaching and obviously the nuances of that is maybe the project is too much delayed and they can go in and update that agreement and just say that the data destruction would occur two months later but basically it's all tracked in system is the idea and obviously from an O&DC perspective it's really useful for us to be able to see and help report on those using the data scheme so we would use it to perform our regulatory functions but also more broadly to inform kind of the Australian government around the health of the data sharing ecosystem and what's going on and how many requests are actually getting you know refused and for what reasons and whether or not there's any interventions that might occur there. So that's a really really very detailed overview of kind of how the different services on data place work to help make it easier to request Australian government data. I'll just flick through to the next slide. I think I've covered off a lot of this stuff here anyway but just so everyone can see that was our engagement. We've done basically a lot of user research on this and over the course of 18 months and with heaps of input from different organisation types which has been really valuable in our designs. And then next slide. This is kind of our road map of when certain services will actually start appearing and coming online which is probably less relevant now we've actually gone live for June and the rest just keep coming basically it's going to be a busy year. Next slide please. Yeah so key some key things to be aware of is when you're actually accessing the platform there's a few key kind of administrative roles that are associated with per organisation. One's an org admin and they're really responsible for managing their own information their own staff and how they use the data place platform both on the custodian side but also on the data user side we had quite strongly that in some cases organisations also didn't know that certain areas of their business were requesting the same data from the same custodian so this is also just a really useful oversight mechanism so organisations are acting in a more coordinated way as well and there's efficiencies gained there. There's a concept of an authorized officer as well which is someone that effectively just needs to be in place with a level of authority to sign off on a data sharing agreement once the kind of negotiations for that have been included and then we have a concept of a data coordinated this is more more so used for data custodians as they might have different business divisions that they want to put in this role to be able to see at a higher level all the different types of requests coming into their organisation so that they can assign them to the appropriate people in their teams however this role could be used if you wanted to say on the data user side if you wanted different business areas to have a slightly more reporting level view of the types of requests going to the Australian Government we have heard though that from a university perspective they wouldn't want anyone in this role because they don't want the request to be seen by other say schools and for instance there is actually a mechanism where you can just add specific people to a request that you wanted to see and then no one else can see it so that's kind of the key roles and how data plays works and custodians have been designing some internal processes around these roles so that they can, I think someone mentioned they've already got existing existing agreements and processes in place and custodians are really just looking at how they can assign these roles to accommodate their existing processes and amend them where necessary but realistically they could still run their divisions the same way they wanted to this is a platform coordinating requests into them and there's the concept of a general user which is just anybody who wants to jump onto data place, they just have to go through an authentication service which will associate them with the right organization they have fairly base level permissions they can kind of get on there and they can raise a request but they can't see all that much more across the platform unless they're involved in the activity so that's just a great way to make sure the right people are associated with the right organizations coming onto the platform but you don't have to add them individually as a organization data.gov has used a request data page that's exactly the intent of data place is actually to align it to data.gov because we recognize that it's really great for open data and this is really that next level down of sensitive data that may be of value to share so we are working quite closely with it's now the ABS who operate data.gov.io to actually coordinate and make sure these two services are complementary of each other and next slide please this is just talking about those authentication services which I mentioned and I think there was a question on that there's three services technically you can log into Vanguard which is run by the department industry and free really easy to sign up if organizations don't want to sign up to that service and set that up there's the MyGov ID and RAM services there's a bit more of a user overhead for using that service though so we definitely would recommend Vanguard and for the university sector we have integrated the Australian Access Federation authentication method as well because we heard that across the university sector that was a preferred authentication method so that's kind of the login details I also did notice there was a data sharing agreement around Creative Commons it's worth noting there's some terms that must be in a data sharing agreement to satisfy for the DATS scheme however because we are looking at a whole of government approach we do recognize that in some circumstances a data sharing agreement would be really valuable but maybe doesn't need to have an extensive list of terms because the way that the data is the controls are placed on the data and curated that a lot of the risk is managed that way so the agreement can be quite straightforward and we are aware of the Creative Commons as a good base for what we would like to call as our kind of our base level data sharing agreement and then as the data sharing gets more and more complex and there might be more say legal authority issues and things like that we would add in more terms as relevant to the type of sharing that's occurring and I might just get you to flip to the next this is the organizational profile basically that's just how an organization manages their different users so you know just very similar to how you might see any kind of platform it's just that ability to kind of keep track of who's actually operating and really useful from a government's perspective within your own organization that's what we've heard. Next slide please and this is kind of what the request dashboard looks like so depending on which role you're in you see more or less in this view but you can basically see all of the requests here that have been sent and to who and by who and kind of when the last time they were response and that if you want more information you can click into the request depending on whether or not you're a data coordinator or a general user you'll only see requests that you've raised or if you're a data coordinator you can see more details about that request likewise there's also a dashboard for say custodians to see which requests have been sent to them from one place so they can see all of the requests currently open for their organization. Next this is really I think I mentioned discover interim solution this is really what we're saying here it's a bit of a keyword search and it brings up potential suggestions of which custodian to send send your request to the custodians can edit this search by putting in keywords in their organizational profile so it'll over time we're expecting it to get more accurate as they kind of get used to the types of words and search terms that organizations put in to understand which custodian it might go to. Next please that's basically what the request form looks like it's pretty simple, fairly open-minded question open questions and really just trying to get to the heart of the data sharing principles just to get the requester thinking about why they need that project data for their project and some of the considerations that the custodian might ask them so it's really just about helping uplift and if you go to the next question next slide this is kind of the data custodian view of when they get your request then there's an assessment process so they can actually see who sent it to them if they need any more information they can get in contact with you really easily and you can work through that data request together so it's really about bringing the two parties together and making sure that they're on the same page before proceeding to a formal assessment and then basically what happens is the data custodian sorry next slide we'll assess the request based off some key attributes is it available, did they have any legal authority to share can it be done safely have they thought about the data sharing principles and is it a viable option and just any administrative issues that might influence so maybe the request is to get the data in two days time and it's not possible to actually fulfil that request in that time or that there's a cost associated with extracting that data so the data request has to be aware of that and agree to pay that cost prior for them proceeding and so basically they would send you back a response and it's against this criteria you get a summary of their assessment which is really valuable and if you go to the next slide basically they can notify you of what's happening and you'll get as a data requester a notification back and I think that's the last slide just covers off what what the requester has to do once once you've actually got a response from a data custodian use the request you just need to accept that you're comfortable and to move into a data sharing agreement process or in some cases it might be that you're not going to proceed because the cost associated for instance aren't appropriate for you so that's I suppose the request service and how it's intending to work at the moment there's a lot of questions Georgie are you are you about to jump into the questions? yeah yeah I was just going to okay I was trying to track them and jot down one or two so I'm happy to try and mediate on the fly that would be wonderful thank you I think there was a question that a couple of people asked and actually it's the last one in there as well just a similar concept so a number of agencies government agencies already have procedures in place for requesting and providing access to data does data place replace those existing processes? so in the first instance all existing processes remain the same and then basically what we're asking is that organizations work to slowly move onto the data place platform however because the platform doesn't can actually you can actually assign different business areas into different roles they can still actually use it so if a request comes through data place that is technically may have gone through an existing service they can still get access to and still respond to this request using this platform and they still might assess it in a similar way but yeah there's a a long term I suppose adoption of the platform and we're seeing that whilst custodians are signing up they'll slowly roll it out and kind of update their internal processes to start using it however it is the preferred way to request Australian government data great another question around so you had in an earlier slide that workflow starting with discover and ending with I can't remember what last one was yeah monitoring close yeah so the middle step in there was inquire and request and so the request is I think you showed was the filling in the form information can you speak a little bit about the inquire stage and maybe also around so we've discussed this before and I know a bit of the background of it but does the platform actually allow there to be a chat backwards and forwards between the requester and the custodian yeah so that's a really good pickup so we what we've done is deployed the request service just the request service so far as our first relief but when we were doing quite a lot of our use of discovery we did hear that sometimes an organisation doesn't really know if they need data but they do need to understand if it's if it's possible and I suppose help help design what their request might even look like and so that's what the inquire process is really about it's actually about not asking a researcher for instance to go down a very long it's not long but a more considered request process because they might just not realise necessarily what data they want if they even want data they just really have a problem statement that they're trying to understand so the inquiry process is definitely it's using similar functionality to the request process but a lot shorter and sharper types of you know what is the purpose and what are you trying to look for and it just allows the custodian to actually propose what data might be useful for them ahead of even putting in a formal request so we are looking to bring that on that service on later but we heard that it was really valuable in terms of both really really new researchers that aren't really sure what type of data they might be able to get but also it satisfied a lot of other really complex data sharing requests that allowed kind of the organisations to actually work together to figure out what the request should even have in it so that they can actually just once actually get to the request so they're actually quite clear what data they're requesting and for what reasons well ahead of well ahead of actually putting it in so that's what the inquiry request is really looking for it's just that the request process we're released first obviously because gets to the heart of the issue faster but we are looking to bring the inquiry process on later in the development of the platform. Okay, brilliant. There was a question around how requests are assessed so once it gets to that stage is there a standard procedure that custodians will follow is there a standard set of criteria for process that will be used? So there's a standard set of questions that we are prompting them to consider definitely they can also add in anything additional that they feel is necessary just what we were hearing is some types of data might just require a little bit more consideration for instance but realistically we've got the core assessment is quite consistent and then just whilst we're learning and figuring out is there more assessment criteria that we need to be considered there's just some flexibility in that assessment process for them to add in and request any additional information that they might need. So I'm seeing on that screen there a lot of the kind of practical aspects of assessing your requirements. Is there a principle development? I mean we're all broadly aware that the data bill act sorry it's a five saves reference. Is that part of the assessment? Yeah so yeah sorry the data sharing principle is similar to the five saves very much following the same kind of risk framework and the assessment process looks at and prompts the data custodian to consider those elements it's worth mentioning though in the request process it's very early days so it's you might not even know specifically which data you're getting at that point in time it's just getting them to do kind of a high level assessment where the where the real kind of controls might come into play and the decisions around which data sharing principles and controls you need to put in place is very much later on in the agreement process however we just wanted to start bringing in the five saves really early so you know there was some consideration as to whether or not the request was even possible because it was you know actually able to be done under a safe sharing framework. Okay alright so there while we've been doing back and forth there's been a lot more questions come in that I I can't read and think at the same time unfortunately so the last question that I jotted down before the influx of questions was around how would a researcher and I'm seeming to using the example of say a university based researcher actually place a request are they going can they get onto the system directly do they have to go through someone in their institution what does that look like? Yeah so their organisation will have to actually on board onto the platform so what we mean by that is except the set up the digital identity services so that members of their organisation can access a place and then assign themselves an organisational admin role so that they have that oversight and they understand that they have to manage users from that point any kind of researcher could jump on the platform and put in a request it's just be aware that the organisations agreed to be on it and that there's an that someone in your organisation is looking at the different users that are getting in there and putting in requests so it's very easy for a researcher to put in a request once the organisations decided to use data place Okay now Nicola I don't know if you're monitoring the questions I have a question from Tim around how's this new process speed things up and rather than add a layer of complexity what we heard a lot of with all of our research was there is absolutely no way of knowing where your request is up to so you can't even speed it up because you have no idea where it is who's it sitting with, what's the hold up so if one aspect of that is because this is visible and basically we can send reminders and notifications based on the request submitted we can nudge behaviour to speed things up like obviously we can't force a decision but that's an important step that needs to be decided alongside the researcher and the custodian. What it does do is create a lot of transparency and what's going on and where the hold ups are and as a regulator the ONDC sees themselves as being able to learn from that and understand whether or not we can provide additional guidance or address capability and gaps and consistency more with our kind of educational role as well. I suppose the first thing is we can't really tell where the complexity and what's holding things up because it's so opaque so it really brings the request process into a much visible process and every custodian has to provide a reason for a refusal on data place regardless of whether it's a data scale we think it's just best practice that they close out a data request and from that we can also start to learn and look at interventions around what is a reasonable reason to say no and where could we maybe help educate and improve that process as well. Great. I'm seeing a few questions around the theme of cost so is there I guess broadly speaking of the cost to get onto the platform and the cost to request data or to access data, how does that work and how do people find out about those costs? There's no cost to get onto data place there is no cost I'm trying to think there's no cost to actually access the platform or put a request in however the custodians are able to charge cost recovery on a data sharing request if they wish to so some agencies already have some standard policies around how much they charge per request and what types of requests they tend to do they basically will provide that information to you as part of the request process if that's the case in some cases the agency may not charge because it is such a small administrative overhead for them and they just see it as being part of their roles in delivering public benefit as well so it really will depend on the complexity of the request as to how much money it will cost I had a great example from the Department of Education where someone asked for their entire data warehouse in two days and they said well we couldn't possibly do that because it would cost you way too much money and we couldn't meet the time frame so I think it's a little bit the benefit of this process is that it's starting to bring together and educate people on that as well so it varies depending on the request and the agency and so on and that information about the cost there isn't a place that people can go to like it's on the website that people can go to and find out that actually it comes out through during the request that can form there was a question just about is it similar to data lab absolutely not data lab is a secure data access location we see the two working quite complimentary together so data place helps kind of figure out do they need to actually use the data lab to get access to that data and if so that's just documented in the data sharing agreement but the actual access to data would still be facilitated by the ABS for instance if that was the decided control so we actually coming up to time I see that there are some interesting and some quite complex questions that we may not have time for so I wonder Georgie if we might be able to compile those questions and send them to you and we could put answers in our collaborative document so that way we can get to the few that we're not going to have time for now does that sound good no worries actually I think there's a bit of a thing there as well around we've got a number of researchers and research sector university staff and infrastructure operators asking alright how do we get involved in this you said that you've done consultation is there something where they can connect to O&C in data place directly to be part of that discussion and ask questions or can we facilitate that I would encourage so the O&C is actually running a whole heap of general information sessions over the next couple months ones summer scheme specific there is one specific to getting onto data place so just the information you might need as an organisation and from I've got to check these dates the 15th of August data place will be open to universities and the like to put in data request so it might be really useful to come to some of those sessions just to get ready and see what you might need to do if your organisation is interested in participating in that Georgie we're just about to send out that list of information sessions through our newsletter and also externally as well Yeah they're really great and they'll point you to just extra information and guides around how to get on board and things like that so you can do a little bit of have a bit of a read of those and figure out kind of your next steps as well Well that's that's us on the Alice so I think we just have time to thank Georgie so much for that presentation particularly in the face of extensive and multiple technical issues we really appreciate it now it's really interesting work Yes please if you ever want to know about a data request for us I feel like I've been living and breathing it for the last 18 months so very happy to chat