This chapter contains the following key action:
1. Datasets must be made available unless access is restricted for reasons of privacy, public safety, security, law enforcement, public health and compliance with the law.
The Policy stipulates that datasets will be made available unless access is restricted for reasons of privacy, public safety, security, law enforcement, public health and compliance with the law. These and additional restrictions are detailed below.
Datasets must not be made available if one of the following restrictions applies and a solution for removing the restriction cannot be found.
- Section 4.1 - the dataset contains personally identifiable information and therefore does not support the Policy intent
- Section 4.2 - making the dataset available may have an adverse impact upon public safety
- Section 4.3 - the dataset attracts security restrictions
- Section 4.4 - the dataset contains information, the release of which is prohibited by court orders, legal proceedings or legal privilege, including legal advice
- Section 4.5 - making the dataset available may have an adverse impact upon public health
- Section 4.6 - the dataset contains third party copyright and the State does not have permission from the copyright owner to make the data available12
- Section 4.7 - the dataset is subject to a contract/agreement that does not allow it to be made available
- Section 4.8 - making the dataset available is in breach of statutory or legislative requirements including the Privacy and Data Protection Act 2014 or Health Records Act 2001 13
- Section 4.9 - the dataset contains confidential information
Each of these restrictions are discussed below.
4.1 Personal information
The default obligation under the Policy is for agencies to make de-identified datasets available where possible. If a dataset contains personal information (refer to the definition of ‘personal information’ in the Privacy and Data Protection Act 2014) and cannot be de-identified, it is not suitable for release under the Policy. Further information on de-identification can be found in section 0 below.
An example of a dataset containing personal information is unit record information about births, deaths or marriages. While aggregate datasets on this information, for example a dataset to measure the number of births in the State over a 12 month period may be appropriate for release under the Policy, individual birth data records including personal information and are not appropriate for release.
4.2 Public safety
Datasets must not be made available under the Policy that contain information that adversely affects public safety unless it can be cleansed and the risks mitigated.
4.3 Security classification
If data has been classified with a security classification and cannot be cleansed to allow the removal of the classification then it is unsuitable for release under the Policy. Refer to the Victorian Protective Data Security Framework and Victorian Protective Data Security Standards for further guidance.
The Victorian Government Information Security Management Policy also requires agencies to assess the business impact of information release and classify information accordingly. For further information on dataset (information) classification, agencies should contact its Chief Information Officer or Information Security Adviser, and refer to:
- Agency Information Security policies and standards that are specific to the agency’s risk appetite and relevant legislation
- The 14
- State of Victoria, Information Security Management Policy15, Standards and Associated Guidelines, 2012
- Australian Government, Protective Security Policy Framework, 201216
- Australian Government, Information security management guidelines – Australian Government security classification system, Version 2.1 - Commonwealth of Australia, 201417
4.4 Legal documents
Datasets containing information subject to court orders, legal proceedings or legal privilege including legal advice, must not be made available under the Policy unless it can be de-identified or appropriate approvals obtained.
4.5 Public health
Datasets under the Policy that contain information that may adversely affect public health must not be made available unless it can be cleansed and the risks mitigated.
4.6 Third party copyright
Agencies must not make datasets available which contain third party copyright materials where the State does not have permission from the copyright owner. This includes circumstances where an agency co produces a dataset with another non Victorian state government agency at either the local, state or federal level.
Under the Copyright Act 1968, the owner of copyright has exclusive rights to reproduce, publish and communicate the work, and to license others to do so. The State generally holds copyright in works created by its employees, but not in any third party material that is incorporated into those works unless otherwise specified under contract.
Where a dataset has been developed by a third party under a contract or agreement, copyright ownership may be dealt with specifically and should be checked.
For further information on intellectual property and copyright, agencies may refer to the Whole of Victorian Government Intellectual Property Policy Intent and Principles and supporting Guidelines18 or seek professional legal advice.
Where appropriate an agency should secure appropriate permission to release third party copyright material particularly when negotiating a new contract.
4.7 Contracts and agreements
Agencies must consider the Policy when entering into contracts. Where possible agencies should secure appropriate permission to release data when new contracts are being developed by including a clause in contracts to facilitate making datasets available to the public. The Victorian Government Purchasing Board (VGPB) has developed standard contracts to support the release of open data.19
For more information on how to deal with copyright when establishing new contracts and agreements see Section (a)(i)8 Developing and procuring datasets and the Victorian Government Intellectual Property Policy Intent and Principles and supporting Guidelines.
Agencies may have already entered into contracts or agreements with third parties that specifically determine whether datasets can be made available and who owns copyright on material created under the arrangement. These contracts or agreements must be checked before releasing datasets and, where appropriate, agencies should negotiate with the contractor to have the data made available. This is best done when a contract is up for renegotiation.
Agencies operate under various legislative provisions that specify conditions for restricting access or release of datasets. The Policy does not override existing legislation.
Legislation includes the following but is not limited to:
- Public Records Act 1973 21
- Privacy and Data Protection Act 2014 22
- Health Records Act 2001 23
Agencies may be subject to other legislation particular to its business that specifies conditions for restricted access and/or release of its datasets.
4.9 Confidential information
Datasets containing confidential information must not be made available under the Policy. Confidential information may include, but is not limited to:
- Cabinet in confidence information
- commercial in confidence information
- information protected by the Protected Disclosure Act 2012 24
Reviewed 18 May 2020