Resources, guidance and tools for sharing information

The series of questions below have been compiled to support regulators' plan and prepare to share information.

Working through these questions will help you understand and prepare for all the aspects of data sharing, from culture to access to distribution.

Foundational guidance

The following guidance and information have been prepared to help regulators build their understanding of core frameworks, standards and concepts of sharing information.

VPS Data Sharing Framework

A policy and agreement to promote and enable the sharing of data.

The Victorian Public Sector Data Sharing Framework includes:

• The Victorian Public Sector Data Sharing Policy:
  • sets a clear expectation on all Victorian government agencies to share data with each other to inform policy making, service planning and delivery, where there is a clear public benefit.
  • Aligns with the National Data Sharing Principles to help the Victorian government agencies fulfil that responsibility in a considered, safe and secure way, (based around the Five Safes Framework – safe projects, people, settings, data and outputs).
• The Victorian Public Sector Data Sharing Heads of Agreement (DSHA):
  • Operationalises the VPS Data Sharing Policy and provides a common framework for Victorian government agencies with general data sharing terms and conditions.
  • Provides an overarching framework to streamline and accelerate data sharing, while ensuring the right safeguards and controls are in place.
  • Is signed by all departments, Victoria Police and some agencies and welcomes more signatories:
    • The process of signing up to the DSHA is straightforward if an agency is not already a signatory. Simply contact the Data Insights team at the Department of Government Services (DGS) (data.insights@dpc.vic.gov.au).
  • Once a signatory, individual data sharing agreements (through the template Schedule) can be signed by delegation (do not require the agency head to sign)
• DGS is available to help agencies use this framework - contact them at data.insights@dpc.vic.gov.au.

Where can this help?

• Creating a data sharing agreement for sharing data.
• Making the argument for data sharing, clear responsibility on Victorian government agencies to share data with each other.

Additional resources

• The VPS Data Sharing Framework
• The VPS Data Sharing Heads Agreement

Bespoke data sharing agreements

The DSHA provides an overarching framework for data sharing across the Victorian public sector. However, it may not be suitable in all circumstances. Regulators can use it as a foundation for developing bespoke agreements tailored to specific legal and/or operational requirements. Use the below questions to support variations in the DHSA to suit your specific circumstances.

Privacy management

Managing and sharing personal and health information imposes additional privacy obligations on regulators.

Personal information is defined as “information about an individual who is identified or whose identity is reasonably ascertainable,’ whereas health information is defined as “information about an individual’s physical or mental health, or disability, including information collected while providing a health, disability or aged care service to an individual”.

Personal and health information should only be collected where it is necessary for a function and/or activity. Any personal and/or health information that is collected must be managed in accordance with the Information Privacy Principles (IPP) and Health Privacy Principles (HPP)*.

Personal information

The IPP are guidelines issued by the Office of the Victorian Information Commissioner (OVIC) under the Privacy and Data Protection Act 2014. The IPPs outline the minimum standard for the collection, storage, handling, use, disclosure and destruction of personal information by VPS organisations.

Chapter 2 of the IIPs covers the use and disclosure of personal information. This states that ‘Personal information can only be used and disclosed for the primary purpose for which it was collected, or for a secondary purpose that would be reasonably expected. It can also be used and disclosed in other limited circumstances, such as with the individual’s consent, for a law enforcement purpose, or to protect the safety of an individual or the public.’

Under the IPPs, the collection of ‘sensitive information’ is prohibited, subject to a number of exceptions. ‘Sensitive information’ is a sub-category of personal information, the collection and handling of which includes inherent risks to a person's rights. One of the most obvious risks associated with the collection and handling of sensitive information is discrimination, for example, discrimination on the basis of racial or ethnic origin, sexual practices, or political opinions. Unnecessary or unlawful collection or use of these types of sensitive information may give rise to parallel rights under both privacy and anti-discrimination laws.

Health information

Sharing health information is guided by the Health Privacy Principles (HPP) under the Health Records Act 2001. The HPPS are broadly similar to the IPPs, with important differences to ensure the protection of health information. OVIC has developed guidance on these similarities.

* The IPPs/HPPs guide use of personal/health data in the Victorian context. If Australian government data is used, consideration may be required of the Australian Privacy Principles under the Privacy Act 1988 (Cth).

Where can this help?

• Managing personal and sensitive information safely.
• Making sure you’re using data in compliance with your obligations under the Privacy and Data Protection Act 2014 and the Health Records Act 2014.

Additional resources

• Guidance on the Office of the Victorian Information Commissioner (OVIC)
• OVIC guidance on IPP2 - use and disclosure
• OVIC guidance on IPP2 - sensitive information
• Health Records Act 2001 
  • Schedule 1 (p.104 onwards) contains the Health Privacy Principles (HPPs)
• Health Complaints Commissioner 

Data retention and disposal

Once data has been collected, it needs to be managed appropriately. The IPPs and HPPs outline a regulator's obligation when managing private and health-related information, including data security and disposal.

The Public Records Office of Victoria (PROV) provides guidance on how information should be managed once collected – including disposal/destruction of this data through their Retention and Disposal Authorities (RDAs).

RDAs are the standards for:

• the minimum amount of time certain information is to be kept
• how information should be disposed.

Where can this help?

Additional resources

• PROV's retention and disposal authorities 
• Industrial RDAs (and standard durations for disposals) 

The tools and resources below will assist regulators in overcoming common barriers to information sharing, including measuring impact (privacy and business), obtaining informed consent when collecting data, discovering VPS datasets, and building data maturity.

Victorian Common Data Taxonomy

The Victorian Common Data Taxonomy is a structured way for regulators to organise information into categories and subcategories based on shared characteristics. It serves as a foundational tool to help regulators manage and structure their data in ways that promote improved information sharing and foster greater collaboration.

The taxonomy has been developed by the Department of Treasury and Finance and the Department of Government Services in collaboration with Victorian regulators. The focus of the taxonomy is on permissioning, describing business and individual data commonly collected and used by regulators, including business identifier data (e.g ABN, address) and data related to compliance history.

Adopting this taxonomy will enable regulators to create a shared business profile, facilitating more effective information exchange across agencies. It helps regulators identify which businesses are subject to oversight by which regulators and interpret data provided by other regulators with greater ease and consistency. This shared framework strengthens collaboration, reduces duplication, and supports a more coordinated regulatory environment.

The model below enables regulators to better structure their data for interoperability with common Customer Relationship Management (CRM) applications used across the Victorian Public Sector, supporting improved information sharing. This model aligns with those used by Service Victoria – making it easier to integrate with effective and efficient centrally developed solutions.

Where can this help?

Regulators should use this model as:

• a set of data field requirements for future systems​
• a method of defining data fields when sharing/requesting data from fellow regulators​
• a way of validating gaps within your current data collections​
• a framework for designing interoperable systems.

Additional resources

• Victorian Common Data Model

Privacy impact assessments

• A privacy impact assessment (PIA) is a process for analysing a program’s impact on individuals’ information privacy. Undertaking a PIA can help identify the personal information involved, identify potential privacy risks, develop risk mitigation strategies, and enhance privacy practices. If the program involves the handling of personal information, it is best practice to conduct a PIA.
• Used when a program collects, uses or shares information that may impact the privacy of an individual, e.g., personal or health information. A PIA is used to identify and appropriately manage this impact on an individual’s privacy.
• The Office of the Victorian Information Commissioner (OVIC) provides practical guidance, templates and tools to help Victorian Public Sector agencies assess and manage risks through PIAs. This includes a PIA guide and template. Key information from the guide includes:
  • A PIA should be completed where personal information is collected, used or disclosed.
  • A PIA helps to assess a program against the IPPs (Part 2 – privacy analysis) and identifies any risks to manage (Part 3 – privacy risk assessment).
  • The PIA should be reviewed/updated if new information is to be collected, used or disclosed.
  • Included in the PIA section of the VPS Data Sharing Heads of Agreement template (Annexure 2).

Where can this help?

• Used to help consider and document a program’s impact on individuals’ information privacy.

Additional resources:

• OVIC provide guidance on when and how to complete a PIA 

Business Impact Level assessments

• The Victorian Protective Data Security Framework (VPDSF) uses Business Impact Levels (BILs) to classify information by the severity of consequences if that information is compromised, lost or becomes unavailable. BILs guide protective markings, handling rules and the selection of proportionate security controls across Victorian public sector agencies.
• VPS agencies are required to comply with the VPDSF. OVIC has developed a BIL Table to assist agencies with assigning protective markers to ensure data is managed appropriately.
• The BIL table provides examples of impacts for each level across 5 categories:
  • economy and finance
  • legal and regulatory
  • personal
  • public services
  • public order, public safety and law enforcement.
• The BIL table also provides guidance on the use of protective markings:
  • OFFICIAL
  • OFFICIAL: Sensitive
  • Protected (may include Cabinet-in-Confidence)
  • Secret (may include Cabinet-in-Confidence)
  • Top Secret.
• The VPS Data Sharing Heads of Agreement template includes further guidance on undertaking a data security risk assessment section under Annexure 3.

Where can this help?

• When deciding what protective markings to apply.
• Making the argument for data sharing, where data may be reasonable to share rather than considered sensitive.

Additional resources

• OVIC assessment table for BIL and corresponding protective markers

Collection notices

• Collection notices are required when personal information is collected. Similar requirements exist for collecting health information also (refer to Health Privacy Principle 1.4). The following provides an overview of key terms, what a collection notice should contain, and tips for writing collection notices.

Key terms:​

• Privacy policy: covers broad information management practices for an organisation​.
• Collection notice: for a specific purpose; how the information will be handled and the rights and obligations of individuals (provision and later access)​.
• Consent: not provided through a collection notice; if required, ensure individuals express active agreement and have genuine control over provision or withholding consent.
• When collecting personal information, organisations should take reasonable steps to provide a collection notice.
• Can be provided at or before collection.
• Should contain:
  • name of collecting organisation and contact details
  • how the individual can access the information collected
  • purpose of collection – specific; list all purposes
  • disclosure of collected information – types of individuals or organisations
  • if the information is collected under any specific law e.g., authorising legislation
  • main consequences of not providing information
  • note where information is collected from another source (unless a serious safety risk).
• To be provided every time the collection occurs.
• A separate collection notice is required for different functions
  • e.g., permit application and complaint forms should have separate collection notices.
• May be layered where a full collection is not practicable e.g., a concise summary referring to the full notice.

Where can this help?

• When collecting data directly from individuals.

Tips:

• Use plain language.
• Be specific about the purpose (including if multiple).
• Separate collection notices for different functions.
• Can be different formats.
• A collection notice is not consent.
• A collection notice is different from a privacy policy.
• Changing a collection notice does not automatically allow data collected under the previous notice to be shared.

Additional resources

• General introduction to collection notices, including a brief comparison with privacy policies – OVIC collection notice resource.
• Practical advice on collection notices, including examples and template – OVIC privacy officer toolkit.
• Plain language collection notice case study – Innovation Network event recap.

Discovering and sharing VPS data

Use the VPS Data Directory to find and share data across the VPS.

The VPS Data Directory is the Victorian public sector’s open data catalogue: a central index of datasets, metadata and publishing organisations that makes government data discoverable, reusable and accessible to the public and other agencies. The directory is accessible to VPS staff only – access through single sign-on (SSO) or by registering your details.

The VPS Data Directory:

• Includes a searchable catalogue of VPS data – by organisation, category or format.
• Includes APIs (self-service).
• Includes contact mechanism for data custodians for each dataset.
• Enables visualisation previews for spatial datasets.
• Contains open data (also available through DataVic) and restricted data only available to those in the VPS.
• Can be used as a tool to:
  • search for data from agencies (as a user)
  • expose and share data with other agencies (as a provider) – including restricted data
  • discover other data tools, resources and news.
• Can facilitate open data being published to DataVic.
• Provides support documentation such as the DataVic Assess Policy, Guidelines, and Publishing Manual.

Where can this help?

• Locating data for use in analysis and research.
• Sharing data across the VPS or with the wider public.

Digital maturity to enable sharing

Improving digital maturity can enable safer and easier data sharing between regulators and key stakeholders.

The Digital Regulation Capability Model (DRCM) helps regulators to assess their digital capability and identify focal areas for improvement. Regulators may choose certain core regulatory functions and functional areas based on their regulatory focus, size, capacity, and the areas that may provide the greatest benefits – both to the regulator and their duty holders.

Improved digital maturity enables data sharing – within the organisation and with other regulators and agencies. Deciding on the desired digital maturity supports the design of systems and processes up front to realise the benefits of data sharing. Some areas where digital maturity may support more effecting and efficient operations are highlighted below.

Core function: licensing and permissions

• ID verification rather than storage of proof of ID data.
• Pre-fill applications based on existing applicant data.
• Integration of internal and external data sources to validate information.
• When applicants update their data, it is updated across records.
• Business accounts that allow multiple individuals to be registered to them.

Core function: manage compliance

• Compliance assessments and outcomes reported across an industry or location.
• Proactive monitoring of compliance from information sourced outside the duty holder – may include sourcing data from other regulators or third parties.
• Consolidated ‘case’ view of inspections, investigations, audits across agencies.

Core function: manage enforcement

• Integration of non-compliance data from other regulators or agencies.
• Agency collaboration on legal cases.

Core function: evaluate, assure and improve

• Integration of data from other agencies for a better picture of regulatory outcomes and impacts.

Additional resources, including the Better Practice Permissions Playbook provide additional support for regulators digitising processes, including:

• Preparing permissions to be ‘digitally ready’.
• A high-level data and information architecture toolkit.

The tools and resources below will assist regulators in overcoming legislative barriers to information sharing, including model legislative provisions that support the development of best practice legislation.

Legislative enablers for data sharing

Model Legislative Provisions

The Department of Treasury and Finance has developed best practice guidance on the topic of information sharing and confidentiality. The Guidance on Adopting Model Legislative Provisions are tools for policymakers working on new or amended legislative provisions. They include model legislative provisions drafted by the Office of the Chief Parliamentary Counsel.

The guidance expresses a preference for sharing where possible, recommends categorising information and confidentiality protections by risk level, and stresses that risk assessments should weigh both the harms of disclosure and the risks or lost opportunities from not sharing.

Regulatory Reform Omnibus Bill

The Department of Treasury and Finance runs an annual Regulatory Reform Omnibus Bill. This program was established to support policymakers in removing ineffective regulations embedded in legislation. The annual Regulatory Reform Omnibus Bill is a useful vehicle for policymakers seeking to make uncontroversial changes to legislation, and is a potential vehicle for the adoption of the confidentiality and information-sharing model legislative provisions.

For more information, or to test a potential reform, please contact reg.reform@dtf.vic.gov.au.

Legal Services

The Victorian Government Solicitor’s Office (VGSO) provide legal services to the VPS. This is an option where legal expertise may not be available within your organisation directly, i.e. where you do not have access to a legal team or General Counsel.

The VGSO can provide advice and support on information management, privacy and data protection, including:

• Advice on a suitable agreement for your purposes.
• Support in drafting an appropriate agreement.

Contact the VGSO to enquire about the legal services available to support safe and appropriate data sharing options for your specific circumstances.

Where can this help?

• Legislative barriers have been identified, and you want to enable data sharing.
• You're drafting or updating your authorising legislation.

Resources

• Model Legislative Provisions

General legislation considered

• Victorian Data Sharing Act 2017
• Privacy and Data Protection Act 2014
• Health Records Act 2001
• Charter of Human Rights and Responsibilities Act 2006
• Data Availability and Transparency Act 2022 (Cth)
• Privacy Act 1988 (Cth)
• Spent Convictions Act 2021