The DATA Scheme safeguards
Strong safeguards and transparency are embedded into the DATA Scheme and the processes that support it, ensuring best practice data sharing.
Learn more about the specific safeguards of the DATA Scheme below.
Data sharing purposes
Australian Government data can only be shared if it is for one of the three permitted purposes:
- government service delivery such as providing information, providing a service or paying a payment or benefit
- informing government policies and programs, and
- research and development.
Government service delivery includes the provision of information (such as advice that the individual is eligible to receive a benefit), the provision of a service (such as assistance to a person to help restore their property after a flood), determining eligibility for a payment, or paying a payment.
Data cannot be shared for national security or enforcement related purposes.
Accreditation
Accreditation serves as a gateway into the DATA Scheme and ensures users and data service providers are capable of handling public sector data and minimising risk of unauthorised access or use. The Minister and the Commissioner are the authorities for accrediting users and data service providers and can impose conditions on accreditation if needed.
Accreditation is one of the Commissioner’s regulatory functions. The Commissioner maintains oversight of all Accredited Users and Accredited Data Service Providers, collectively known as accredited entities. The Commissioner can conduct assessments or initiate investigations about an accredited entity. The accrediting authority responsible also has the powers to suspend or cancel an entity’s accreditation, and to vary existing conditions of an entity’s accreditation.
Get accredited: Data service provider
Data requests
Data Custodians must consider and respond to all requests they receive from an Accredited User within a reasonable period. As best practice, we recommend that this occurs within 28 days. Data Custodians have no duty to share data, but we recommend custodians consider the objects of the Act when considering a data request. The first object of the Act is to serve the public interest by promoting better availability of public sector data.
If refusing a request, Data Custodians have statutory obligations to give the Accredited User their reasons for the refusal in writing within 28 days after the refusal decision has been made. This provides transparency and accountability for the decision-making process of Data Custodians, so that a request will not be unreasonably delayed or refused.
Data Custodians must maintain a record of data sharing requests received and reasons for agreement or refusal to share, as these will need to be notified to the Commissioner to assist in preparing the annual report.
Making and responding to data sharing requests
Data sharing principles
The data sharing principles are the risk management framework that sits at the core of the Scheme to support Data Custodians in deciding if it is safe to share data. The principles cover the data sharing project, people, setting, data and output. The principles must be applied in such a way that, when viewed as a whole, the risks in sharing, collecting and using data are appropriately mitigated.
The Data Availability and Transparency Code 2022 sets out further guidance about the application of the data sharing principles. The Data Availability and Transparency (National Security Measures) Code 2022 sets out additional requirements for accredited entities when individuals who are foreign nationals are able to access shared data.
What are the data sharing principles?
The data sharing principles are the risk management framework that sits at the core of the DATA Scheme to support Data Custodians to decide if it is safe to share data.
The principles are:
- The project principle is that the project is an appropriate project or program of work. This goes to why the data is being used.
- The people principle is that data is made available only to appropriate persons. This goes to who is using the data.
- The setting principle is that data is shared, collected and used in an appropriately controlled environment. This goes to where the data is being used.
- The data principle is that appropriate protections are applied to the data. This goes to what data is being shared.
- The output principle is that the only output of the project is the final output and any output whose creation is reasonably necessary or incidental to the creation of the final output. This goes to how the results of the project are used.
The data sharing principles are based on the Five Safes, an international standard for managing disclosure risks. The principles must be applied in such a way that, when viewed as a whole, the risks of the sharing, collection and use of data are appropriately mitigated.
Guidance about the application of the data sharing principles is provided in the Data Availability and Transparency Code 2022.
Privacy protections
The DATA Scheme works with the Privacy Act 1988 to protect personal information.
The Act contains general privacy protections that minimise the sharing of personal information, prohibit the re-identification of data that has been de-identified, and prohibit the storage or access of personal information outside Australia. Express consent is always required to share biometric data.
The Act also contains purpose-specific privacy protections, depending on the data sharing purpose of the project.
The Data Availability and Transparency Code 2022 sets out further guidance about the application of the data sharing principles.
Collection of consent under the DATA Scheme
Privacy requirements to participate in the Scheme
Data sharing agreements
Participants must enter into a data sharing agreement which sets out the details of the data sharing project. A data sharing agreement must describe how the participants will give effect to the data sharing principles and how the project serves the public interest.
Details from data sharing agreements will be recorded on a register, kept and maintained by the Commissioner. Data must not be shared until the data sharing agreement has been registered.
The Data Availability and Transparency (National Security Measures) Code 2022 sets out additional requirements for accredited entities when individuals who are foreign nationals are able to access shared data.
Transparency and reporting
The Commissioner must keep public registers of Accredited Users, Accredited Data Service Providers, and data sharing agreements.
The Commissioner must also prepare and give to the Minister, for presentation to Parliament, an annual report on the operation of the DATA Scheme each financial year.
The Annual Report must include:
- details of any legislative instruments made that financial year
- the scope of data sharing activities and regulatory actions which have occurred, including reasons for agreeing to or refusing data sharing requests, and
- staffing and financial resources made available to the Commissioner and how they were used.
Register of accredited entities
Register of data sharing agreements
Regulatory compliance
The Commissioner regulates and enforces the DATA Scheme through their regulatory functions. The Commissioner’s regulatory functions include:
- accrediting eligible entities
- handling complaints from Scheme entities and others
- assessing and investigating Scheme entities
- taking enforcement action such as issuing infringement notices and directions, and/or seeking injunctions as well as civil and criminal penalties, and
- transferring matters to another appropriate authority.
The Commissioner must include information on activities undertaken in relation to their regulatory functions in an Annual Report.
The Commissioner’s regulatory activities are informed by their regulatory approach and guided by our priorities.