← Back to all briefings
Data Strategy 6 min read Published Updated Credibility 40/100

Data Strategy Briefing — March 31, 2022

Australia’s Data Availability and Transparency Act 2022, which received Royal Assent on March 31, 2022, requires agencies and their partners to formalize governance, security, and accreditation controls before sharing public-sector data under the new scheme.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: Australia’s Data Availability and Transparency Act 2022 (DATA Act) received Royal Assent on March 31, 2022, establishing a legislative framework for sharing Australian government data with accredited users under strict safeguards. The Act creates a purpose-based sharing model focused on government service delivery, informing policy and programs, and research and development. It introduces new roles such as accredited users and accredited data service providers (ADSPs), mandates data sharing agreements with prescribed terms, and empowers the National Data Commissioner (NDC) to oversee compliance, accreditation, and enforcement. Agencies and partners must prepare governance structures, security controls, and cultural change programs to use the scheme responsibly.

Context and scope of the DATA Act

The Act responds to the Productivity Commission’s recommendations and the Australian Government’s Data Availability and Use reforms. It applies to Commonwealth bodies and allows limited participation from state and territory entities. Data can only be shared for permitted purposes, subject to prohibitions on sharing operationally sensitive information such as national security, law enforcement, or Cabinet documents. Sharing must comply with the DATA Act, existing secrecy provisions, the Privacy Act 1988, and other applicable laws. The scheme complements, not replaces, the existing open data program and continues to respect Indigenous data sovereignty principles outlined in the Indigenous Data Governance Framework.

Key features include a data sharing principles approach (project, people, setting, data, output), accreditation criteria focusing on governance, capability, and security, and a requirement for formal data sharing agreements that describe purposes, consent mechanisms, controls, and review arrangements. The NDC will maintain a public register of accredited entities and agreements, drive guidance, and exercise enforcement powers such as directions, suspension, revocation, and civil penalties. The Act also creates the National Data Advisory Council (NDAC) to advise on ethical use, technical best practice, and community expectations.

Operational priorities for Commonwealth entities

Agencies should begin with a readiness assessment. Catalog existing data assets, classify sensitivity levels, and map legal constraints. Identify datasets that could support service delivery, policy evaluation, or research under the permitted purposes. Develop an inventory of potential data sharing partners—other agencies, universities, think tanks—and evaluate whether they will seek accreditation. Establish internal processes for triaging data sharing requests, including eligibility checks, risk assessments, and approvals.

Governance teams must align internal policies with the data sharing principles. Update data governance frameworks to include criteria for project justification, ethical considerations, and benefit-risk analysis. Ensure privacy impact assessments (PIAs) and security risk assessments (SRAs) are mandatory inputs before approving agreements. Develop templates that incorporate mandatory clauses: scope, data minimization, security requirements, output controls, de-identification standards, consent records, review schedules, and termination procedures. Maintain version-controlled repositories for agreements and associated evidence.

Security and IT divisions need to verify controls meet Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) requirements. Implement segregation of duties for data provisioning, access approvals, and monitoring. Deploy technical safeguards such as encryption at rest and in transit, privileged access management, logging, and anomaly detection. For data shared via ADSPs, ensure secure data enclave capabilities support differential privacy, federated analysis, and controlled output checking to prevent re-identification.

Operational teams should design onboarding and offboarding workflows for accredited partners. Verify accreditation status through the NDC register before sharing data. Establish identity verification processes, audit logging, and periodic reviews of user access. Plan for capacity building to help analysts and researchers interpret data responsibly, including guidance on Indigenous data protocols, cultural considerations, and community engagement.

Governance and oversight requirements

Senior executives must designate accountable officers for DATA Act compliance—often chief data officers or deputy secretaries. Boards and secretaries should receive regular reports summarizing data sharing projects, risk ratings, incident trends, and compliance activities. Incorporate DATA Act objectives into agency corporate plans and annual reports to demonstrate transparency.

Internal audit and assurance teams should extend audit programs to cover data sharing agreements, accreditation maintenance, and control effectiveness. Develop audit criteria aligned with the data sharing principles, privacy safeguards, and PSPF controls. Schedule readiness reviews before major sharing initiatives and follow-up audits after project completion to ensure obligations, including deletion or return of data, have been met.

Risk management frameworks should integrate DATA Act considerations into enterprise risk registers. Identify risks such as unauthorized disclosure, re-identification, ethical misuse, or loss of public trust. Define mitigation strategies, residual risk owners, and reporting thresholds. Ensure incident response plans address scenarios like data breaches during sharing projects, breaches of consent conditions, or partner non-compliance, with clear escalation paths to the NDC and Office of the Australian Information Commissioner (OAIC).

Engagement with communities—particularly Aboriginal and Torres Strait Islander peoples—is essential. Agencies should apply the Maiam nayri Wingara Indigenous Data Sovereignty principles, co-design sharing arrangements where Indigenous data is involved, and ensure benefit-sharing mechanisms are documented. Governance bodies must monitor ethical review outcomes and incorporate community feedback into policy updates.

Sourcing, accreditation, and partnership strategy

Agencies may rely on accredited data service providers to facilitate secure linkage, integration, and analysis. Procurement teams should evaluate potential ADSPs based on security certifications, capability in privacy-preserving techniques, data governance maturity, and track record with public sector projects. Contracts must align with Commonwealth Procurement Rules, specify responsibilities under the DATA Act, and include service-level agreements for incident response, output checking, and audit support.

Organizations seeking accreditation themselves must prepare documentation demonstrating governance frameworks, risk management, personnel vetting, and technical safeguards. Develop training programs covering privacy law, ethical use, and secure handling. Implement continuous improvement processes to respond to NDC feedback and maintain accreditation status.

Collaborate with universities and research institutions through Memoranda of Understanding (MOUs) that set expectations for accreditation, ethical approvals, and publication controls. Ensure funding agreements include obligations to comply with the DATA Act, the Australian Code for the Responsible Conduct of Research, and relevant intellectual property requirements.

Implementation roadmap and monitoring

Develop a multi-year implementation plan with milestones: readiness assessment, policy updates, staff training, accreditation applications, pilot projects, and full-scale operations. Align budgets to cover technology upgrades, legal support, and community engagement initiatives. Track key performance indicators such as number of accredited partners onboarded, time to approve data sharing agreements, incident response times, and stakeholder satisfaction.

Maintain situational awareness by following guidance from the National Data Commissioner, OAIC, and Digital Transformation Agency. Participate in the Australian Government Data Community to share lessons learned and harmonize approaches. Monitor legislative reviews—the DATA Act mandates a review within three years of commencement—and be prepared to adapt governance frameworks as recommendations emerge.

By approaching the DATA Act as a strategic program—not just a compliance obligation—agencies can unlock data-driven innovation while maintaining public trust. The combination of robust governance, strong security controls, culturally aware engagement, and disciplined sourcing will position organizations to use Australia’s new data sharing framework responsibly and effectively.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Australia regulation
  • Data sharing
  • Public sector data
Back to curated briefings