Authorised Officers and Individuals
Guidance note 2023:1
This guidance provides information about authorised officers and individuals.
This guidance note is not intended to be legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in this guidance.
The Data Availability and Transparency Act 2022 (the Act) establishes a DATA Scheme for sharing Australian Government data. Under the DATA Scheme, Commonwealth bodies are data custodians of public sector data and they are authorised to share their data with entities that are accredited under the DATA Scheme. The Act also authorises accredited users to collect and use the data.1
The sharing of public sector data by a data custodian or receiving data as a data user must be authorised by an authorised officer of the entity. The Act recognises the heads of all entities that participate in the DATA Scheme as authorised officers. These include:
Secretaries of Commonwealth departments and heads of other agencies under the Public Service Act 1999
CEOs of corporate Commonwealth entities and Commonwealth companies,
Principal officers of prescribed entities under the Freedom of Information Act 1982
Heads of State and Territory government bodies
The Act also recognises heads of other bodies corporate covered by the Act to be authorised officers. For example, the Chief Executive Officer or any director of the entity. In relation to Australian universities, these would be at the Vice Chancellor level.
An authorised officer can also authorise certain other persons in the entity to do things in relation to the DATA Scheme. This includes the head of the entity authorising another individual to be the authorised officer for the entity for the purposes of the DATA Scheme.
Only authorised officers can do certain things under the DATA Scheme
Various actions that may be taken by entities under the Act must be taken on behalf of the entity by an authorised officer of the entity or, in some cases, by another person authorised by the authoring officer. For example, an application for accreditation must be made by an authorised officer on behalf of the entity (see section 76). Other important actions include:
• entering into data sharing agreements and ensuring all the requirements of a data sharing agreement are met (see section 18(2))
• entering into variations to data sharing agreements (see section 18(3))
• providing authority to share data in a data sharing project where there is more than one data custodian (see section 13(3))
• deciding (and being responsible for making a record of that decision) that the risk of substantial harm caused by a proposed data integration project is low (see section 16D(4), (5), and (6)).
Only individuals can be authorised officers and only individuals can be authorised to do particular things under the Act. A committee or governance body cannot be an authorised officer or authorised individual.
Authorising others to do certain things under the DATA Scheme
In some cases, the Secretary, Agency Head, Chief Executive Officer or other entity head may find it administratively efficient to authorise another person to undertake activities under the Act on their behalf. Table 1 below sets out who can become authorised officers or authorised individuals and what they can be authorised to do under section 137(2), (3) and (4).
Table 1: Authorised Officers & Individuals
Activities that can be authorised
To be an authorised officer for the purpose of the data sharing scheme.
To enter into variations to data sharing agreements for the entity.
Do all of the following for the entity:
|Type of Australian Government department, agency or body||Authorised officer||By written instrument, the Authorised Officer can authorise these individuals to do certain activities:||Activities that the Authorised Officer can authorise the individuals to do:|
|An SES employee or an acting SES employee in the Department authorised by the Secretary or Agency Head||Activity 1 Activity 2 Activity 3|
|An SES employee, or an acting SES employee, in another Department, Executive Agency or Statutory Agency authorised by the Agency Head||Activity 3|
|Corporate Commonwealth Entity||Chief Executive Officer||An individual authorised by the Chief Executive Officer||Activity 1 Activity 2|
|Commonwealth Company||Chief Executive Officer||An individual authorised by the Chief Executive Officer||Activity 1 Activity 2|
|A person who is a prescribed authority within the meaning of section 4(1) of the Freedom of Information Act 1982 (FOI Act) not covered above||Principal Officer||A person authorised by the principal officer||Activity 1 Activity 2|
|A State body of Territory body that is the holder of a statutory office||The holder of the statutory office of a State or Territory body||An individual authorised by the holder of the statutory office||Activity 1 Activity 2|
|A State body or Territory body other than the holder of a statutory office||Chief Executive Officer||An individual authorised by the Chief Executive Officer||Activity 1 Activity 2|
|A body corporate not covered above||Chief Executive Officer||An individual authorised by the Chief Executive Officer||Activity 1 Activity 2|
|A body politic not covered above||Chief Minister||An individual authorised by the Chief Minister||Activity 1 Activity 2|
Authorisations cannot be limited
An authorised officer or authorised individual is responsible for either activity 1, activity 2, or activity 3 as set out in Table 1.
Where an individual is authorised to undertake activity 3 in Table 1, the individual must be authorised to do all of the activities in activity 3. The individual cannot be limited in the activities they can do.
Authorisations need to be made by written instrument
Authorisations must be made by the authoriser by a written instrument. Depending on the instrument, there could be limitations imposed on powers or functions of authorised individuals. For example, an individual only authorised to do activity 2 is not authorised to do the activities in activity 1 or 3. A sample instrument is provided at the end of this guidance.
Note - Authorisations do not need to be in the form of this sample instrument and the sample instrument may not be suitable in all cases.
Entities should retain the original of all authorisation instruments. There is no requirement to send a copy of the written instrument to the National Data Commissioner. However, the Commissioner has the power to request and inspect copies of authorisation instruments from time to time.
Revoking or varying authorisations
The authoriser may revoke an authorisation by written instrument.
Authorised Individuals cannot delegate their responsibilities
Individuals authorised to be an authorised officer, or to do activities 2 or 3 in Table 1, cannot delegate their responsibilities or authorise another person to undertake responsibilities on their behalf. They must personally exercise them.
The Act authorises a designated individual for the entity to engage in conduct that is, or part of, the sharing, collection or use, if the conduct is within the actual scope of the individual’s designation under the Act. However, where a person is a designated individual for the entity, but not an authorised officer or an authorised individual, that person’s actions will not be taken to have been done for the entity, if the action to be done must be done by an authorised officer or an authorised individual.
For more information about designated individuals, see Guidance Note - ‘Designated Individuals - Individuals within a Scheme entity authorised to deal with scheme data’ (forthcoming).
Decisions by a Commonwealth body (as data custodian) not to share data
Decisions by a Commonwealth body, in its capacity as a data custodian, not to share data do not need to be made by an authorised officer. This decision can be made by a designated individual (which includes authorised officers and authorised individuals) if it is within the scope of their designation.
Similarly, an authorised officer is not required to assist the Commissioner in relation to the annual report (for example, reporting requirements on refusals to share data) if another designated individual of the Commonwealth body may fulfil this responsibility.
The data custodian is best placed to decide on the appropriate level of seniority for making such decisions. For example, an appropriate level of seniority in a Department could be an SES employee.
Seeking your own legal advice on matters covered by this guide
This guidance note is not intended to be legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in the guidance.
Guidance note 2023:1
Last updated 1 May 2023
1. Commonwealth bodies under the DATA Scheme include non-corporate Commonwealth entities, corporate Commonwealth entities and Commonwealth companies, as defined in the Public Governance, Performance and Accountability Act 2013. See Flipchart of PGPA Act Commonwealth entities and companies for further guidance. Bodies that meet the definition of ‘prescribed authorities’ under section 4(1) of the Freedom of Information Act 1982.
Page version history
|Date of Update||Change made|
|3 March 2023||Page created|
|21 April 2023||Authorisation template format amended|
|1 May 2023||Authorisation template replaced with a downloadable sample template|