Reporting requirements under the DATA Scheme
Guidance note 2026:1
This guidance outlines reporting obligations for DATA Scheme entities including what, when and how to report.
All Scheme entities have reporting obligations under the Data Availability and Transparency Act 2022 (the Act). Reporting is a key oversight and transparency measure that builds public trust and confidence in the management of public sector data. It supports the National Data Commissioner (the Commissioner) to regulate the Scheme by providing the Commissioner with information about accredited entities, data sharing and data breaches.
Reporting obligations include ongoing reporting by all Scheme entities, as well as annual reporting by Data Custodians (see Table). Scheme entities are required to report timely and accurate information to the Commissioner. Failure to comply with reporting obligations may constitute a breach of the Act and result in penalties.
The Office of the National Data Commissioner (ONDC) has published separate guidance on reporting Scheme data breaches.
Table: Summary of reporting obligations
| Reporting type | Who reports | What to report | When to report | How to report |
|---|---|---|---|---|
| Event or change in circumstance (section 31) | Accredited entity | Event or change relevant to accreditation or conditions of accreditation, or exercise of Commissioner’s regulatory functions (including those delegated by the Minister) | As soon as practicable | Change in circumstance form via Dataplace |
| Commissioner’s Annual Report (section 34) | Data Custodian | Data requests, refusals, complaints and data sharing agreements | By 31 July every year (for previous financial year) | Email information@datacommissioner.gov.au |
| Scheme data breach – personal data (section 37) | Scheme entity | Notify parties and report incident and actions to the appropriate regulator (Commissioner/Office of the Australian Information Commissioner (OAIC)) | As soon as practicable | Data breach reporting form via Dataplace. Further information here |
| Scheme data breach – non-personal data (section 38) | Scheme entity | Report incident and actions taken to the Commissioner | As soon as practicable after end of financial year in which the breach occurs | Data breach reporting form via Dataplace. Further information here |
Event or change in circumstances
Accredited users and accredited data service providers (ADSPs) must report any event or change in circumstances relevant to:
- the entity’s accreditation or conditions of accreditation, or
- the exercise of the Commissioner’s regulatory functions or the Minister’s functions as the accreditation authority for the entity.
Ongoing reporting of events and changes in circumstances ensures the Commissioner holds up-to-date information about accredited entities, as such changes may affect accreditation decisions. Accredited entities must monitor for changes and notify the Commissioner as soon as practicable.
What to report
Accredited entities must report events or changes in circumstances affecting:
- eligibility for accreditation
- criteria for accreditation
- conditions of accreditation, or
- other factors relating to the entity’s accreditation.
In considering criteria for accreditation, the National Data Commissioner assesses Scheme entities against expected characteristics for user accreditation or expected characteristics for data service provider accreditation. The Commissioner must be notified about any changes relating to these characteristics through an event or change in circumstances report. In deciding what to report, the entity should refer to information provided in its accreditation application and the Commissioner’s accreditation decision, including the statement of reasons.
For minor or routine changes, please discuss your reporting obligations with the ONDC before submitting a report.
Examples of reportable changes
Changes to an entity’s structure, responsibilities, eligibility or operational functions.
- Major organisational changes: Significant restructures, changes to the entity’s name or functions, mergers or machinery‑of‑government changes.
Updates to governance frameworks, policies and practices, including changes to accountable roles, committees or oversight structures.
- Authorisation instruments: Enactment, revocation or amendment, including changes to appointed authorised officers.
- Policies and practices: Data strategy, governance framework, risk management, incident response, privacy policy, metadata standards.
- Qualified roles: Chief Data Officer, Chief Information Officer, Privacy Officer or other designated positions.
- Governance bodies: Oversight committees for data management and risk monitoring.
- DATA Scheme responsibilities: Approach for managing DATA Scheme obligations.
Changes to controls for minimising risks of unauthorised access, sharing, or loss of data.
- Significant non-Scheme data breach: Ransomware, phishing, insider threats. Investigate, remediate and report resulting actions, such as process, policy or system updates.
- Roles and governance: Security leadership roles or governance bodies for ICT/data security.
- Security policies and practices: Security plans, incident response, compliance with standards, physical and ICT security controls.
- Scheme data controls: Identification, classification, hosting in Australia, encryption and backups.
- Workforce governance: Staff vetting, identification of overseas personnel, offboarding measures.
Updates to organisational capability for data privacy, protection, and risk management.
- Specialist roles: Data analyst, governance specialist.
- Practices and tools: Formal data management practices, analytics tools, capability uplift programs.
- Mandatory training: Data responsibility, security awareness, privacy and DATA Scheme requirements.
Updates to policies, practices, and capabilities for managing disclosure risk and de-identifying data.
- Policies and practices: Data dissemination policy, confidentiality processes, output checking guides, disclosure risk management (for example, suppression, aggregation, perturbation), incident management plans, governance bodies.
- Skills and capability: Role-specific training, documented expertise, proven track record.
Updates to controls and processes for secure data access and output vetting.
- Policies and practices: Secure access arrangements (for example, secure file transfer, virtual/remote labs), output vetting, monitoring and auditing sessions, dissemination controls, analytics tools, Information Security Registered Assessors Program assessments.
- Skills and capability: Training schedules, user management processes, confidentiality agreements, experience creating treated microdata, proven delivery record.
- User support: Data catalogues, metadata guidance, software information, training resources, query and complaints mechanisms, expert support services.
Updates to processes for secure integration and governance of complex data projects.
- Policies and practices: Onboarding (security clearances, legislative considerations), governance arrangements (integration plans, Privacy Impact Assessments, retention/deletion plans), incident response, secure transfer mechanisms, separation principle implementation, access controls, audit schedules, ISRA assessments, restricted connectivity.
- Skills and capability: Role-specific training, technical support, documented expertise, proven delivery record.
When to report
Accredited entities should report events or changes in circumstances as soon as practicable, which will depend on the risk, severity and complexity of the event or change. Timely and accurate reporting supports effective oversight and compliance with the Act. Delays in reporting increase regulatory risk and may result in non-compliance.
Significant events or changes in circumstances that present high risk should be reported immediately. For example:
- a non-Scheme data breach involving unauthorised access to personal information should be reported as soon as the incident is detected and initial containment actions are taken
- planned organisational changes should be reported in advance of implementation, with updated documentation to help assess any impact on accreditation status.
To support timely and accurate reporting, ONDC recommends that accredited entities conduct, at a minimum, quarterly reviews to identify any events or changes in circumstances that may impact accreditation and require reporting.
How to report
Event or change in circumstance reports are submitted through Dataplace.
Multiple changes may be included within a single report; however, multiple reports cannot be submitted at the same time. Once a report has been lodged, a new report cannot be created until the ONDC has completed its assessment and closed the case. This approach supports effective case management and enables a detailed assessment of each case.
To avoid limiting future reporting, change in circumstance (CiC) reports should be created only when they are ready for submission and should not be left in draft status for extended periods. If a CiC is created in error, it can be deleted in Dataplace by the creator or an Organisation Administrator.
For enquiries about reporting obligations, or if you would like to discuss an upcoming change, please contact us via email at information@datacommissioner.gov.au or complete the contact us form on our website.
Who can report
A designated individual can report an event or change in circumstance where this falls within the scope of their role. The accredited entity is responsible for determining the appropriate level of seniority for submitting reports.
For more information about designated individuals, see Guidance Note – Designated Individuals.
How the information reported will be used
The Commissioner uses reported information to determine if an accredited entity continues to meet accreditation requirements, including compliance with any conditions of accreditation. Depending on the nature of the reported event or change, the Commissioner may suspend or cancel accreditation, or vary, impose or remove conditions of accreditation.
Following the Commissioner’s review and decision, the ONDC will advise the accredited entity of the outcome, including whether subsequent regulatory or enforcement action may be taken.
Annual reporting
To support integrity and transparency of the DATA Scheme, the Commissioner prepares an Annual Report that is provided to the Minister by 15 October each year and tabled in Parliament.
Data Custodians assist the Commissioner to prepare the Annual Report by providing information on data sharing activities undertaken during the relevant financial year. The Commissioner may also request additional information from Data Custodians or accredited entities if reasonably necessary to complete the report.
What to report
For each financial year, a Data Custodian must report:
- data requests from accredited users, including the number received and reasons for agreeing or refusing them
- refusals where reasons were not provided within 28 days
- Scheme-related complaints, including the number and subject matter, and
- data sharing agreements, including the number entered into.
If the Data Custodian did not receive any requests or complaints, or did not enter into any agreements, the custodian must submit a nil response.
When to report
Data Custodians must provide the required information to the Commissioner by 31 July each year (see section 91 of the Data Availability and Transparency Code 2022).
How to report
Data Custodians must submit written confirmation of their Scheme activities to information@datacommissioner.gov.au. This should be based on a review of Dataplace to confirm Scheme activity for the financial year and ensure records are current. Where any Scheme activity is not recorded in Dataplace, details must be included in the email submission. The ONDC will cross‑check information provided against Dataplace and may contact custodians if there are any discrepancies.
Who can report
A designated individual may undertake annual reporting where this aligns with their role. The Data Custodian is responsible for determining the appropriate level of seniority for submitting information to the Commissioner.
For further detail, see Guidance Note – Designated Individuals.
Scheme data breaches
Under Part 3.3 of the Act, Scheme entities are required to report Scheme data breaches (personal or non-personal) to the Commissioner. This obligation applies to both accredited entities and Data Custodians.
A Scheme data breach is any breach involving scheme data. Incidents that do not involve scheme data fall outside the scope of Part 3.3 and must instead be reported in an event or change in circumstance report.
For further guidance on reporting Scheme data breaches, see Guidance Note – Data breach responsibilities under the DATA Scheme.
Reporting requirements
Scheme entities must report a Scheme data breach in accordance with:
- section 37 for a personal data breach, or
- section 38 for a non-personal data breach.
For detailed information on Scheme data breaches and reporting obligations under the Act, refer to the Guidance Note – Data breach responsibilities under the DATA Scheme.
Note: Accredited entities must promptly report a non-Scheme data breach via the change in circumstance form. The report should detail the breach, its cause, mitigation and prevention measures and any impacts on accreditation characteristics, such as minimising risks of unauthorised access, sharing or data loss.