Reporting requirements under the DATA Scheme

Reporting requirements help to maintain the integrity of the DATA Scheme and builds community trust and confidence in the way Australian Government agencies manage public sector data. The Data Availability and Transparency Act 2022 (the Act) sets out a number of reporting requirements for DATA Scheme entities (see Parts 3.2 and 3.3 of the Act).

This guidance note provides information about these reporting obligations:

• Ongoing obligations, which should be reported as soon as practical
  • events and changes in circumstances which impact accreditation of accredited Scheme entities
  • data breaches
• Yearly obligations for reporting requirements for data custodians.

Where DATA Scheme entities fail to report, penalties may apply.

Events and changes in circumstances relevant to accreditation

DATA Scheme entities this applies to

Accredited users and accredited data service providers are required to report any event or change in circumstance that is relevant to either:

• their accreditation, or conditions of accreditation, or
• the exercise of the Commissioner’s regulatory functions or the Minister’s functions as the accreditation authority for the entity.

What to report

Accredited entities are required to report any changes that are relevant to their accreditation. Changes that are relevant to accreditation status relate to the expected characteristics for user accreditation or the expected characteristics for data service provider accreditation:

• organisational changes and events impacting your organisation’s structure, administration and key personnel
• data management, data governance and data sharing changes and events impacting your organisation’s data management and governance policies and practices, and agreements
• security setting changes and events impacting information technology, or information security
• skills and capability changes and events impacting staff training, staff support and learning and development policies and practices.

We understand that accredited entities will likely experience many changes that are minor in nature (e.g. short-term acting arrangements of the Chief Data Officer). These do not need to be reported.

Changes in circumstances that must be reported

Events or changes that must be reported typically relate to an entity’s ability to meet ongoing conditions of accreditation, governance or structural changes to the entity itself, and its ability to perform activities it has been accredited to do. To comply with their obligations under section 31 of the Act, the types of events and changes that must be reported include:

Organisational changes

• A significant organisational restructure, merger, or major machinery of government change.
• A change to the name of the accredited entity.
• Changes to the authorised officer(s), this would include changes to: 
  • the position designated as the ‘authorised officer’ (e.g. the role of Chief Data Officer previously also held the role of authorised officer but now the position of Head of Data Analytics holds the role)
  • the individual performing the role of authorised officer (e.g. Bob Brown has retired from the organisation and Penny Puddle is the new authorised officer)
  • any individuals or roles which have been added or removed from a written authorisation that enables a person to undertake the activities of the authorised officer on their behalf.

Data management, data governance and data sharing

• The appropriately qualified individual or roles with responsibility for data management and data governance for the accredited entity changes.
• The data governance committee(s) responsible for the Scheme data is disbanded or otherwise ceases.
• Key data management and governance policies are removed, substantially changed, or new policies are introduced.
• Non-compliance with DATA Scheme requirements or breach of a data sharing agreement occurs.
• Major data breach involving non-Scheme data occurs.

Security setting

• The IT governance committee(s) responsible for physical, ICT and data security governance is disbanded or otherwise changes. 
• Major change in IT or cyber security posture, which impact the security of data, for example, a hosting service supplied to the agency is no longer a Certified Service Provider under the Australian Government Hosting Certification Framework. 
• Results of IT security or cyber security reviews or audits (internal and external) with adverse findings that identify significant impacts for the security of data held by the entity.
• New locations where Scheme data is stored and accessed, for example moving data to a new on-premises environment or to a data centre or cloud service provider.

Skills and capabilities

• Major changes in the entity’s data capability including significantly reduced resourcing or deskilling or outsourcing.
• Major changes to training offered to staff by the entity on the DATA Scheme or data management and/or governance.

When to report

Accredited entities must report any of the above events or changes in circumstance, as well as any other relevant events or changes, as soon as practicable. The National Data Commissioner recommends that this information is reported no later than 3 months after the event or change. Accredited entities may want to establish quarterly reviews to determine whether any material events or changes in circumstances affecting their accreditation have occurred and must be reported.

An exception to this is where a Scheme data breach occurs, where specific reporting requirements and timeframes apply. Read more about data breach responsibilities under the DATA Scheme. Once an entity has reported a Scheme data breach, the entity will not need to separately report that incident for the purposes of meeting section 31 of the Act.

How to report

Any event, or change in circumstance should be reported through Dataplace - the digital platform that supports DATA Scheme entities to manage their accreditation. Dataplace supports Scheme entities to provide all relevant information that the National Data Commissioner needs to consider to determine if your entity is complying with any conditions of accreditation and remains eligible for accreditation. 

Alternatively, you can advise us of an event or change in circumstance by emailing us at information@datacommissioner.gov.au, or by completing the contact us form on our website.

Who can report

Reporting an event or change in circumstance does not need to be completed by an Authorised Officer or Authorised Individual. Rather, an event or change in circumstance can be reported by a designated individual on behalf of their entity, where doing so would fall within their usual range of duties. The Scheme entity is best placed to decide on the appropriate level of seniority for reporting an event or change in circumstance. 

For more information about designated individuals, see Guidance Note – Designated Individuals.

How the information reported will be used

The National Data Commissioner may use the information reported to ensure that the entity is complying with any conditions of accreditation and to determine whether the entity remains eligible for accreditation. For example, significant changes to entity structures may indicate that the accredited entity no longer exists as accredited and a new application(s) may be required. Major machinery of government changes for government entities may render an accreditation invalid. Mergers of universities would also require reconsideration of accreditation status. 

Data breaches

DATA Scheme entities have obligations to report data breaches under the DATA Scheme (see Part 3.3 of the Act). These obligations apply to both accredited entities and data custodians. Once an entity has reported a data breach in line with Part 3.3 of the Act, the entity does not need to submit a separate report. Additional information on data breaches is available in Data breach responsibilities under the DATA Scheme guidance note. 

Annual reporting

The Scheme entities this applies to

Data custodians are required to report information to support the National Data Commissioner in preparing an annual report on the DATA Scheme (see section 34 of the Act).

Data custodians may also be requested to provide the Commissioner any information reasonably necessary to prepare the report.

What to report

Data custodians are required to report to the Commissioner annually on all data sharing requests, data sharing agreements and complaints under the DATA Scheme. 

For annual reporting purposes, data custodians are required to report whether they:

• received requests from accredited users to share data under the DATA Scheme, including:
  • the number of requests and the reasons they were agreed or refused
  • the number of requests refused where refusal reasons were not given within 28 days of the decision being made.
• received complaints relating to the data sharing scheme or conduct in relation to it, including the number of complaints and information about the subject matter of the complaints.
• entered into any data sharing agreements and if so, the number entered into.

Reporting obligations include notifying the Commissioner when data custodians have not received any of the above. If the Commissioner does not receive any information from a data custodian in relation to their annual reporting requirements, the Commissioner may assume the data custodian has not received any data sharing requests or Scheme complaints, or entered into any data sharing agreements.

It is important that data custodians maintain records to ensure they have information available if requested by the Commissioner, if it is reasonably required for the preparation of annual reporting and is not already available via Dataplace. 

When to report

Data custodians must report the above information to the Commissioner before the period ending on 31 July each year (see section 25 of the Data Availability and Transparency Code 2022). This reporting supports the National Data Commissioner in preparing an Annual Report on the Commissioner’s activities during the financial year. The annual report will be given to the Minister before 15 October each year, and then presented to the Parliament.

It is important that data custodians maintain records to ensure they are prepared to provide this information. Dataplace can assist DATA Scheme entities in meeting this requirement. For more information on Dataplace, see Use Dataplace.

How to report

To assist data custodians to comply with their reporting obligations under section 34 of the Act, the ONDC will use the information on data sharing in Dataplace. For more information on Dataplace, see Use Dataplace.  

We will contact data custodians with information recorded on Dataplace to verify that it is correct. Agencies will need to report separately to the Commissioner any activities that have taken place external to Dataplace.

It is important to note the responsibility to report remains with the data custodian. To meet your obligations, you can send your entity’s annual reporting details to information@datacommissioner.gov.au. 

Who can report

Annual reporting does not need to be completed by an Authorised Officer or Authorised Individual. Rather, annual reporting can be completed by a designated individual on behalf of their entity, where doing so would fall within their usual range of duties. The Scheme entity is best placed to decide on the appropriate level of seniority for annual reporting. 

For more information about designated individuals, see Guidance Note – Designated Individuals.

Guidance note 2024:1

Last updated: 5 August 2024