When to use an ADSP in the DATA Scheme

Main mobile navigation open

When to use an Accredited Data Service Provider in the DATA Scheme

Guidance note 2024:4

This guidance note provides information on the role of Accredited Data Service Providers (ADSPs) in the DATA Scheme and sets out considerations for determining whether a separate ADSP is required in a data sharing project.

Related Guidance

For further guidance on the data services ADSPs provide see data services provided by ADSPs under the DATA Scheme. For guidance to assist in the preparation of ADSP accreditation applications and to assist other Scheme entities on how to choose ADSPs see expected characteristics for accreditation as an ADSP. ONDC has also published guidance on charging of fees by accredited data service providers.

The role of ADSPs in the DATA Scheme

Intermediaries can be fundamentally important in facilitating successful data sharing and appropriate use of public sector data. Intermediaries can provide technical skills and capabilities that a data custodian or accredited user may not have such as the ability to apply advanced methods to integrate data and ensure its confidentiality and security. The need for their services tends to increase as the complexity of the data and data treatments increase.

Under the Data Availability and Transparency Act 2022 (the Act), certain intermediary services must be performed by ADSPs, assisting data custodians and accredited users to meet their obligations under the Act by reducing risks identified with data sharing projects. To become an ADSP, an entity must be accredited by the National Data Commissioner (Commissioner) and meet the requirements for accreditation under the Act, including establishing their credentials (such as policies, practices, skills and capabilities) for undertaking the ADSP services (de-identification data services, secure access data services and complex data integration services). Where necessary, conditions may be imposed on accreditation to limit the services that an ADSP may perform.

Generally, only ADSPs may provide the three ADSP services to data custodians and accredited users to support sharing of data under the DATA Scheme. Data custodians and accredited users may also use ADSPs to provide services other than these three as part of a data sharing project.

One or more data custodians involved in a data sharing project may perform ADSP services in that project if those data custodians are also accredited as ADSPs and are able to perform ADSP services consistent with their conditions of accreditation.

Multiple ADSPs may work jointly in providing one or more ADSP services in relation to a project. However, the joint service arrangement must be stipulated in the data sharing agreement between the parties.

Additional considerations

In certain circumstances, whether a separate ADSP is required in a particular data sharing project can depend on which data sharing purposes (delivery of government services, informing government policy and programs, and research and development) apply1 and the risk of causing harm, particularly where personal information is involved. These are set out in the following table.

Table 1: Specific circumstances and whether a separate ADSP is required

Data is shared for the purposes of informing government policy and programs, or for research and development, and it involves performing a de-identification data service

A separate ADSP is not required to perform a de‑identification service if: 

  • the data custodian of the data is not an ADSP but is satisfied that it has the appropriate skills and experience to perform the de-identification data service; or
  • the data custodian of the data is an ADSP able to perform the service consistent with its conditions of accreditation.2
Data is shared for the purposes of informing government policy and programs, or for research and development, and it involves performing a secure access data service

A separate ADSP is not required to perform a secure access data service if:

  • the data custodian of the data is not an ADSP but is satisfied that it has the appropriate skills and experience to perform the secure access data service; or
  • the data custodian of the data is an ADSP able to perform the service consistent with its conditions of accreditation.3
Data is shared for the purposes of informing government policy and programs, or for research and development, and it involves complex data integration services

The data custodian of the data (provided it is an ADSP), or a separate ADSP, is not required to perform complex data integration services if an Authorised Officer of a data custodian or an Authorised Individual4 determines that a complex data integration service has a low risk of causing substantial harm.5 In making such a determination, the following matters must be considered:

  • the size of the data sets
  • whether the data relates to a significant proportion of the population of people or things to which the data relates
  • the detail of the individual records included in the data
  • how current the data is and whether it will be updated
  • the quality of the metadata and documentation for the data sets
  • whether entities that collected data to be integrated, or on whose behalf data to be integrated was collected, are aware of the proposed use of the data
  • if the data includes personal information—whether a person qualified to assess the ethics of the proposed use of the data has conducted such an assessment
  • whether the data custodian of the integrated data will control the technical environment in which the integrated data will be accessed
  • any other matters prescribed by the rules.6
Data is shared for the purposes of informing government policy and programs, or for research and development, and the data includes personal information

Where the data sharing purpose of a project is informing government policy and programs, or research and development, the data being shared cannot generally include an individual’s personal information unless consent to the sharing is obtained.7 However, there are permitted circumstances under the Act, where consent is not required for personal information to be included in data to be shared, including the following circumstances relating to the use of an ADSP.

  • A data custodian uses an ADSP to prepare the data so that personal information is removed, making the data ‘ADSP-enhanced data’ that does not include personal information (the concept of ADSP-enhanced data captures, for example, data that has been de-identified by an ADSP).8
  • A data custodian uses an ADSP to share the data under ‘ADSP-controlled access’.9

 

1See section 15 of the Act and separate guidance on Data Sharing Purposes under the DATA Scheme (forthcoming)

2See subsection 16C(2)

3See subsection 16C(2)

4See section 137 of the Act for information on Authorised Officers and Authorised Individuals. An Authorised Individual refers to an individual authorised under subsection 137(4) of the Act for the data custodian.

5See subsection 16D(1) and (4)

6No such matters are currently prescribed

7See subsection 16(3) 

8See subsection 16B(4)(c)

9See subsection 16B(6). For further information on 'ADSP-controlled access' see guidance

 

Guidance note: 2024:4

Last updated: 30 September 2024