Reporting requirements under the DATA Scheme

Skip to main content
Main mobile navigation open

Reporting requirements under the DATA Scheme

Guidance note 2024:1

This guidance provides information for DATA Scheme entities about their reporting obligations under the DATA Scheme, including what, when and how to report.

 

Reporting requirements help to maintain the integrity of the DATA Scheme and builds community trust and confidence in the way Australian Government agencies manage public sector data. The Data Availability and Transparency Act 2022 (the Act) sets out a number of reporting requirements for DATA Scheme entities (see Parts 3.2 and 3.3 of the Act).

This guidance note provides information about these reporting obligations, including:

Where DATA Scheme entities fail to report, penalties may apply.

Events and changes relevant to accreditation or regulation

DATA Scheme entities this applies to

Accredited users and accredited data service providers are required to report any event or change in circumstance that is relevant to either:

  • their accreditation, or conditions of accreditation
  • the exercise of the Commissioner’s regulatory functions or the Minister’s functions as the accreditation authority for the entity.

What to report

To accredit entities for participation in the DATA Scheme, applicants are assessed against the expected characteristics for user accreditation or the expected characteristics for data service provider accreditation. These assessments take place at a point in time.

As accredited entities frequently change their polices, processes and practices, changes may affect the status of their accreditation in the DATA Scheme. Most changes will reflect ongoing good practices around managing and protecting data. This is expected as part of the Office of the National Data Commissioner (ONDC) accreditation assessment, which considers whether the applicant has good structures and approaches for responding to environmental changes and continually making improvements.

Accredited entities are required to report any changes that are relevant to their accreditation. Changes that are relevant to accreditation status relate to the expected characteristics for user accreditation or the expected characteristics for data service provider accreditation:

  • organisational changes and events impacting your organisation’s structure, administration and key personnel
  • data management, data governance and data sharing changes and events impacting your organisation’s data management and governance policies and practices, and agreements
  • security setting changes and events impacting information technology, or information security
  • skills and capability changes and events impacting staff training, staff support and learning and development policies and practices.

We understand that accredited entities will likely experience many changes that are minor in nature. These do not need to be reported.

Changes in circumstances that must be reported

Events or changes that must be reported typically relate to an entity’s ability to meet ongoing conditions of accreditation, governance or structural changes to the entity itself, and its ability to perform activities it has been accredited to do. To comply with their obligations under section 31 of the Act, the types of events and changes that must be reported include:

Organisational changes

  • A significant organisational restructure, merger, or major machinery of government change.
  • A change to the name of the accredited entity.
  • Changes to the authorised officer(s), this would include changes to: 
    • the position designated as the ‘authorised officer’ (e.g. the role of Chief Data Officer previously also held the role of authorised officer but now the position of Head of Data Analytics holds the role)
    • the individual performing the role of authorised officer (e.g. Bob Brown has retired from the organisation and Penny Puddle is the new authorised officer)
    • any individuals or roles which have been added or removed from a written authorisation that enables a person to undertake the activities of the authorised officer on their behalf.

Data management, data governance and data sharing

  • The appropriately qualified individual or roles with responsibility for data management and data governance for the accredited entity changes.
  • The data governance committee(s) responsible for the Scheme data is disbanded or otherwise ceases.
  • Key data management and governance policies are removed, substantially changed, or new policies are introduced.
  • Non-compliance with DATA Scheme requirements or breach of a data sharing agreement occurs.
  • Major data breach involving non-Scheme data occurs.

Security setting

  • The IT governance committee(s) responsible for physical, ICT and data security governance is disbanded or otherwise changes. 
  • Major change in IT or cyber security posture, which impact the security of data, for example, a hosting service supplied to the agency is no longer a Certified Service Provider under the Australian Government Hosting Certification Framework. 
  • Results of IT security or cyber security reviews or audits (internal and external) with adverse findings that identify significant impacts for the security of data held by the entity.
  • New locations where Scheme data is stored and accessed, for example moving data to a new on-premises environment or to a data centre or cloud service provider.

Skills and capabilities

  • Major changes in the entity’s data capability including significantly reduced resourcing or deskilling or outsourcing.
  • Major changes to training offered to staff by the entity on the DATA Scheme or data management and/or governance.

How the information reported will be used

The National Data Commissioner may use the information reported to ensure that the entity is complying with any conditions of accreditation and to determine whether the entity remains eligible for accreditation. For example, significant changes to entity structures may indicate that the accredited entity no longer exists as accredited and a new application(s) may be required. Major machinery of government changes for government entities may render an accreditation invalid. Mergers of universities would also require reconsideration of accreditation status.

When to report

Accredited entities must report any of the above events or changes in circumstance, as well as any other relevant events or changes, as soon as practicable. The National Data Commissioner recommends that this information is reported no later than 3 months after the event or change. Accredited entities may want to establish quarterly reviews to determine whether any material events or changes in circumstances affecting their accreditation have occurred and must be reported.

An exception to this is where a Scheme data breach occurs, where specific reporting requirements and timeframes apply. Read more about data breach responsibilities under the DATA Scheme. Once an entity has reported a Scheme data breach, the entity will not need to separately report that incident for the purposes of meeting section 31 of the Act.

How to report

We recommend you advice of any event or change in circumstance through Dataplace - the digital platform that supports DATA Scheme entities to manage their accreditation. Dataplace supports Scheme entities to provide all relevant information that the National Data Commissioner needs to consider to determine if your entity is complying with any conditions of accreditation and remains eligible for accreditation. 

Alternatively, you can advise us of an event or change in circumstance by emailing us at information@datacommissioner.gov.au, or by completing the contact us form on our website.

Who can report

Reporting an event or change in circumstance does not need to be completed by an Authorised Officer or Authorised Individual. Rather, an event or change in circumstance can be reported by a designated individual on behalf of their entity, where doing so would fall within their usual range of duties. The Scheme entity is best placed to decide on the appropriate level of seniority for reporting an event or change in circumstance. 

For more information about designated individuals, see Guidance Note – Designated Individuals.

Annual reporting

The Scheme entities this applies to

Data custodians are required to report information to support the National Data Commissioner in preparing an annual report on the DATA Scheme (see section 34 of the Act).

An accredited entity may also be requested to provide the Commissioner any information reasonably necessary to prepare the report.

What to report

Data custodians are required to report on all data sharing requests, including the number received, any refusals, and the reasons for refusal. It is important that data custodians maintain records to ensure they are prepared to provide this information when requested by the National Data Commissioner.

Information required for the annual report, includes:

  • Whether the data custodian received requests from accredited users to share data under the DATA Scheme, including:
    • the number of requests and the reasons they were agreed or refused
    • the number of requests refused where refusal reasons were not given within 28 days of the decision being made.
  • Complaints relating to the data sharing scheme or conduct in relation to it, including the number of complaints and information about the subject matter of the complaints.
  • Whether the entity entered into any data sharing agreements and if it did, the number entered into.

Note, further information may be requested by the Commissioner if it is reasonably required for the preparation of the Annual Report.

When to report

DATA Scheme entities must report the above information to the Commissioner before the period ending on 31 July annually (see section 25 of the Data Availability and Transparency Code 2022). This reporting supports the National Data Commissioner in preparing an Annual Report on the Commissioner’s activities during the financial year. The annual report will be given to the Minister before 15 October each year, and then presented to the Parliament.

It is important that data custodians maintain records to ensure they are prepared to provide this information. Dataplace can assist DATA Scheme entities in meeting this requirement. For more information on Dataplace, see Use Dataplace.

How to report

To assist data custodians to comply with their reporting obligations under section 34 of the Act, the ONDC will collect information through Dataplace. We will contact agencies with information recorded on Dataplace to verify that it is correct. Agencies will need to report separately to the Commissioner any activities that have taken place external to Dataplace.

It is important to note the responsibility to report remains with the data custodian. To meet your obligations, you can send your entity’s annual reporting details to information@datacommissioner.gov.au.

Who can report

Annual reporting does not need to be completed by an Authorised Officer or Authorised Individual. Rather, annual reporting can be completed by a designated individual on behalf of their entity, where doing so would fall within their usual range of duties. The Scheme entity is best placed to decide on the appropriate level of seniority for annual reporting. 

For more information about designated individuals, see Guidance Note – Designated Individuals.

Data breaches

DATA Scheme entities have obligations to report data breaches under the DATA Scheme (see Part 3.3 of the Act). These obligations apply to both accredited entities and data custodians and are set out in a separate guidance note – Data breach responsibilities under the DATA Scheme.

Once an entity has reported a data breach in line with Part 3.3 of the Act, the entity does not need to submit a separate report to comply with the section 31 reporting obligations.