DATA Scheme Safeguards

Australian Government data can only be shared if it is for one of the three permitted purposes:

• government service delivery
• informing government policies and programs, and
• research and development. 

Government service delivery includes the provision of information (such as advice that the individual is eligible to receive a benefit), the provision of a service (such as assistance to a person to help restore their property after a flood), determining an eligibility for payment, or paying a payment.

Data cannot be shared for national security or enforcement related purposes.

Accreditation serves as a gateway into the DATA Scheme and ensures users and data service providers are capable of handling public sector data and minimising risk of unauthorised access or use. The Minister and the Commissioner are the authorities for accrediting users and data service providers and can impose conditions on accreditation if needed.

Accreditation is one of the Commissioner’s regulatory functions. The Commissioner maintains oversight of all accredited users and data service providers, collectively known as accredited entities. The Commissioner can conduct assessments or initiate investigations about an accredited entity. The accrediting authority responsible also has the powers to suspend or cancel an entity’s accreditation, and to vary existing conditions of an entity’s accreditation.

Data custodians must consider and respond to all requests they receive from an accredited user within a reasonable period, but they have no duty to share data. If refusing a request, data custodians have statutory obligations to provide their reasons in writing for refusing a request to the accredited user within 28 days after the refusal decision has been made.

Data custodians must maintain a record of data sharing requests received and reasons for agreement or refusal to share, as these will need to be notified to the Commissioner to assist in preparing the annual report.

The data sharing principles are the risk management framework that sits at the core of the Scheme to support data custodians in deciding if it is safe to share data. The principles cover the data sharing project, people, setting, data and output. The principles must be applied in such a way that, when viewed as a whole, the risks in sharing, collecting and using data is appropriately mitigated.

The Data Availability and Transparency Code 2022 sets out further guidance about the application of the data sharing principles. The Data Availability and Transparency (National Security Measures) Code 2022 sets out additional requirements for accredited entities when individuals who are foreign nationals are able to access shared data.

The DATA Scheme works with the Privacy Act 1988 to protect personal information.

The Act contains general privacy protections that minimise the sharing of personal information, prohibit the re-identification of data that has been de-identified, and prohibit the storage or access of personal information outside Australia. Express consent is always required to share biometric data.

The Act also contains purpose-specific privacy protections, depending on the data sharing purpose of the project.

The Data Availability and Transparency Code 2022 sets out further guidance about the application of the data sharing principles.

Participants must enter into a data sharing agreement which sets out the details of the data sharing project. A data sharing agreement must describe how the participants will give effect to the data sharing principles and how the project serves the public interest.

Details from data sharing agreements will be recorded on a register, kept and maintained by the Commissioner. Data must not be shared until the data sharing agreement has been registered.

The Data Availability and Transparency (National Security Measures) Code 2022 sets out additional requirements for accredited entities when individuals who are foreign nationals are able to access shared data.

The Commissioner must keep public registers of accredited users, accredited data service providers, and data sharing agreements.

The Commissioner must also prepare and give to the Minister, for presentation to Parliament, an annual report on the operation of the DATA Scheme each financial year.

The annual report must include:

• details of any legislative instruments made that financial year
• the scope of data sharing activities and regulatory actions which have occurred, including reasons for agreeing to or refusing data sharing requests, and
• staffing and financial resources made available to the Commissioner and how they were used.

The Commissioner regulates and enforces the DATA Scheme through their regulatory functions. The Commissioner’s regulatory functions include:

• accrediting eligible entities
• handling complaints from Scheme entities and others
• assessing and investigating Scheme entities
• taking enforcement action such as issuing infringement notices and directions, and/or seeking injunctions as well as civil and criminal penalties,
• transferring matters to another appropriate authority

The Commissioner must include information on activities undertaken in relation to their regulatory functions in an Annual Report.

The Commissioner’s regulatory activities are informed by their Regulatory Approach and guided by the Annual Regulation and Compliance Annual Priorities.

To make it easier for users to find data, the Office of the National Data Commissioner is working with Australian Government agencies to develop their data inventories, and creating a searchable Australian Government Data Catalogue.

ONDC are also developing Dataplace – a whole-of-government digital platform for Scheme participants and others to manage data requests and support administration of the DATA Scheme. Learn more about Dataplace.