
Data Sharing Agreements

Guidance note 2025:2

This guidance note provides information to Scheme entities on the requirements for data sharing agreements made under the DATA Scheme.

Overview

Under the DATA Scheme, which is established under the Data Availability and Transparency Act 2022 (the Act), Scheme entities (data custodians, accredited users and, if relevant, accredited data service providers (ADSPs)) must enter a valid data sharing agreement for a data sharing project (project). The agreement must be registered before any public sector data is shared, collected or used. 

There are three steps to ensuring that a data sharing agreement meets the requirements of the Act. 

Step 1 – The form requirements

The first step is to ensure that an agreement made between the parties to share, collect and use public sector data is a DATA Scheme data sharing agreement by meeting the requirements of section 18 of the Act. If an agreement to share, collect and use public sector data does not meet those requirements, the agreement cannot be a data sharing agreement that is in effect. This is because it will not be registrable under sections 33 and 130 of the Act. This is dealt with under Part A of this guidance.

Step 2 – The substantive requirements

The second step is to ensure the data sharing agreement meets the requirements of section 19 of the Act. 

  • Under paragraphs 13(1)(c), 13A(a) and 13B(a) of the Act, parties to a data sharing agreement must ensure the project is covered by a registered data sharing agreement that is in effect and that meets the requirements of the Act. This is one of several steps necessary to ensure parties to a data sharing agreement are authorised to share, collect and use data. 

  • The requirements to be met by all data sharing agreements are set out in section 19 of the Act. If a data sharing agreement for the project does not meet the requirements of section 19, parties to the data sharing agreement will not be authorised to share, collect and use data. This is dealt with under Part B of this guidance. 

  • There are additional requirements that must be met in certain circumstances outlined in other parts of the Act, for example, where the data being shared contains personal information, or where the accredited user will be permitted to provide access to the output of the project to a third party. These ‘conditional requirements’ are dealt with in Part C and Part D of this guidance. 

Step 3 – Registration

The third and final step is to ensure the data sharing agreement is registered, giving it effect. A data sharing agreement (or variation of a data sharing agreement) has no effect until the data sharing agreement is registered on the register of data sharing agreements, which is kept and maintained by the National Data Commissioner (Commissioner).

Data must not be shared until the data sharing agreement has been registered. 

For more information about how to register a data sharing agreement, see the Guide to Registering Data Sharing Agreements.

General note about specifying matters in a data sharing agreement

In general, the Act does not prescribe the level of specificity required to comply with particular matters in a data sharing agreement. Parties should consider whether their requirements for a project should be specified or described either: 

  • narrowly, to strictly control what parties may do as part of a project, or

  • broadly, to allow for more flexibility and reduce the need to vary an agreement to adapt to new requirements as the project develops.

How to make a data sharing agreement under the DATA Scheme

The Office of the National Data Commissioner (ONDC) recommends you use Dataplace to manage your DATA Scheme data sharing agreements. Dataplace provides a number of pathways for negotiating your agreement, all of which can be adapted based on your data sharing project and the preferences of the parties involved. Options in Dataplace include:

  • Use Dataplace to generate a data sharing agreement based on responses to key questions about the data sharing principles. You can either enable your entity’s Authorised Officers to electronically sign the agreement, or download, adapt and sign the agreement as needed, or
  • Use the Office of the National Data Commissioner’s short-form data sharing agreement template, aligned to Scheme requirements. This is a new template released in February 2025 which streamlines existing data sharing agreement templates, making it easier to establish your Scheme data sharing project.
    • You can download this template at the collaboration phase of a project in Dataplace. In the Project tab, select ‘DATA Scheme data sharing agreement’ and the ‘Upload adapted “Dataplace generated agreement”’ option, then ‘Next’ (to save) at the bottom of the page. This will allow you to download a copy of the short-form data sharing agreement template by selecting the action button in the top right of the screen, titled ‘DATA Scheme DSA Short’.

The generated data sharing agreement and the short-form template can also be accessed at the collaboration stage in the Dataplace training environment.

Read more about how to collaborate to an agreement on Dataplace.

Requirements for all data sharing agreements

Part A—Form requirements

Data sharing agreement requirement | Explanation

The data sharing agreement relates to the sharing of public sector data (s 18(1)(a) of the Act)

The data to be shared by the data custodian in the project must be ‘public sector data’, which is data that is lawfully collected, created, or held by or on behalf of a Commonwealth body.

The parties to the data sharing agreement include a data custodian of public sector data and an accredited user (s 18(1)(b) of the Act)

A data sharing agreement must include at least one data custodian of public sector data and at least one accredited user as parties.
A data sharing agreement may have multiples of each type of Scheme entity and may include non-Scheme entities under an approved contract.

The data sharing agreement is in the approved form or in writing if there is no approved form (s 18(1)(c) of the Act)

A data sharing agreement must be in writing. There is currently no approved form. Dataplace is the recommended platform for developing and managing a best practice DATA Scheme data sharing agreement that is compliant with the Act.

The requirements in any data codes are met (s 18(1)(d) of the Act)

Section 6 of the Data Availability and Transparency (National Security Measures) Code 2022 (the National Security Code) requires Scheme entities to notify the Australian Security Intelligence Organisation (ASIO) of certain information and provide ASIO with an electronic copy of the data sharing agreement if individuals who are not Australian citizens or permanent residents are participating in the project.
Fourteen days must have passed since this notification for a data sharing agreement to be compliant with this requirement.
For further information about requirements related to foreign individuals, please see guidance here.
Section 24 of the Data Availability and Transparency Code 2022 (the Code) requires certain information and documents to be given at the time that data sharing agreements are provided to the Commissioner for registration under section 33(1) of the Act.

A data sharing agreement must be entered into by an authorised officer or an individual authorised under s 137(4) of the Act (s 18(2) of the Act)

A data sharing agreement must be entered into by an individual on behalf of a DATA Scheme entity who is an authorised officer for the entity, or an individual authorised by the authorised officer under section 137(4).
For further information about authorised officers and individuals, please see guidance here.

Part B—Substantive requirements

Data sharing agreement requirement | Explanation

Identify the parties to the data sharing agreement that will be participating in the project (s 19(1) of the Act)

The data sharing agreement must identify all parties participating in the project to which the data sharing agreement relates. This includes all Scheme entities and any non-Scheme entities party to the agreement.
A single entity may be party to an agreement in multiple capacities (e.g. a Commonwealth body may be party to an agreement as data custodian, ADSP and accredited user or a combination of these). In each capacity, the entity is taken to be a different DATA Scheme entity. 

Describe the data sharing project (s 19(2) of the Act)

The data sharing agreement must include a description of the data sharing project. This description will also be included in the public register. This description should explain, in simple terms, what the project is and will involve.
The description should state why the data is needed and what the accredited user intends to do with it. For example, the subject of a data sharing project may be ‘to undertake research on the needs of older Indigenous populations in regional and remote Australia that will inform policy needed to develop new programs or enhance existing programs’.
Further information about DATA Scheme data sharing projects will be provided in forthcoming guidance.

Specify that the Act applies to the project (s 19(2) of the Act)

The data sharing agreement must include a term stating that the Act applies to the project.

Specify the public sector data the data custodian is to share (s 19(3)(a) of the Act)

The data sharing agreement must specify the data to be shared by the data custodian, as well as any ADSP-enhanced data. Together, this is the ‘source data’ for the project.

Specify the agreed output of the project (s 19(3)(b) of the Act)

The data sharing agreement must specify the output of the project as agreed between the data custodian and the accredited user. This is the ‘final output’ of the project, and can be described broadly or narrowly, depending on the project and the parties’ requirements and preferences.

Specify the data custodian of the source data (s 19(4)(a) of the Act)

The data sharing agreement must specify the data custodian of the source data.
There may be more than one data custodian sharing data for the project. In some cases, there may be more than one data custodian of the data, but only one custodian sharing the data. In the latter case, all data custodians must provide authorisation for the data sharing (s 13(2)(b) of the Act refers).  
Further information about data custodianship under the DATA Scheme will be provided in forthcoming guidance.

If a Commonwealth body is appointed as the data custodian of the output in accordance with section 20F of the Act, specify the output and explain why the appointment has been made (s 19(4)(b) of the Act)

The data sharing agreement must identify any Commonwealth body that is appointed as the data custodian of the output of the project and specify the relevant output. The appointment may concern the final output as a whole, or a sub-component of the output.
Further information about appointing a data custodian of the output of a project will be provided in forthcoming guidance. 
Note: there are additional requirements for a data sharing agreement if a Commonwealth body is to be appointed data custodian of the output in accordance with 20F (see Part D of this guidance).

Specify the title of any law that the sharing would contravene but for section 23 of the Act (s 19(5) of the Act)

The data sharing agreement must specify any laws that would be contravened by sharing the data, if not for section 23 of the Act.
Only the title of the relevant law needs to be specified. Parties can specify provisions of relevant laws if they consider it appropriate as a matter of transparency.  
The authorisations in the Act override other laws of the Commonwealth, a state or a territory (s 23 of the Act refers). That means that if sharing, collecting or using the data would be prohibited under another Act then, if all the requirements of the authorisation provisions in Chapter 2 of the Act are met, section 23 of the Act will override the prohibition. 

Specify the data sharing purpose or data sharing purposes of the project (s 19(6)(a)(i) of the Act)

The data sharing agreement must specify the data sharing purpose, or data sharing purposes, of the project. A project may be for one or more data sharing purposes.
Further information about data sharing purposes will be provided in forthcoming guidance. 
Note: there are additional requirements for a data sharing agreement depending on the data sharing purpose of the project (see Part B.1 and Part C of this guidance).

If relevant, specify any incidental purpose (s 19(6)(a)(ii) of the Act)

The data sharing agreement must specify whether the accredited user will be allowed to use output for any purpose that is incidental to the specified data sharing purpose(s) and specify what those incidental purposes are.

Prohibit the accredited user from collecting and using output of the project for any unspecified or precluded purpose (s 19(6)(b) of the Act)

The data sharing agreement must include a term that the accredited user must not collect and use output of the project for any purpose not specified in the agreement, or any precluded purpose.
Precluded purposes are generally enforcement- or national security-related (see section 15).  
Note: this limitation does not apply to the extent that an accredited user is permitted to share the output as the appointed data custodian in subsequent data sharing projects.

Prohibit the accredited user from creating output other than the final output and output incidental to creation of the final output (s 19(6A))

The data sharing agreement must include a term that the accredited user must not create any output apart from the ‘final output’, and output that is reasonably necessary for, or incidental to, creation of the final output (‘intermediate output’).
Final output is the term given to the output that the parties agree will be the final output of the project.   
It is not necessary to specify intermediate output, though parties may specify details about intermediate output should they choose to or deem it appropriate (for example to support data governance and transparency). 

Specify how the project will be consistent with the data sharing principles, including (s 19(7) of the Act):

  1. describe how the public interest is served by the project, and
  2. specify the actions the parties will take to give effect to the principles. 
Parties must specify how the project will be consistent with the data sharing principles in section 16 of the Act. The data sharing agreement must include a description of how the public interest is served by the project. Parties must specify in the data sharing agreement the actions they will take to give effect to the data sharing principles.  
In specifying how the public interest is expected to be served by the project, parties must have regard to the matters set out in section 6 of the Code. These considerations may differ depending on the data sharing purpose of the project.  
Parties must also set out any other actions they will take to give effect to the data sharing principles. Parties must consider the requirements specified in the Code in relation to all of the data sharing principles. 
In considering the actions that will be specified, parties should consider the requirements in the Act that they are satisfied that the sharing, collection and use of data is consistent with the data sharing principles. To be so satisfied, each party must be satisfied that it has applied each principle to the sharing, collection and use of data in such a way that, when viewed as a whole in the context of the project, the risks associated with the sharing, collection or use are appropriately mitigated. 

Specify any data services any ADSP is to perform in relation to public sector data shared with the ADSP by the data custodian (s 19(8)(a) of the Act)

If an ADSP is to perform data services on data shared by the data custodian, the ADSP and the services must be specified in the data sharing agreement.
For further information on when a project should involve an ADSP, please see guidance here.
For further information on ADSP services, please see guidance here.
Note: there are circumstances in which the data sharing agreement must require certain services to be performed by an ADSP (see Part C of this guidance). 

Specify the circumstances in which the ADSP is to share, with the accredited user on behalf of the data custodian, ADSP‑enhanced data of the project (s 19(8)(b) of the Act)

The data sharing agreement must set out how, and in what circumstances, the ADSP will share ADSP-enhanced data with the accredited user.
For example, this could be via secure access, or by transferring the data to the accredited user. 

Prohibit the ADSP from providing access to, or releasing, the ADSP‑enhanced data in any circumstances other than circumstances (if any) specified in the data sharing agreement (s 19(8)(c) of the Act)

The data sharing agreement must include a term that the ADSP must not provide access to ADSP-enhanced data except in the circumstances specified in the data sharing agreement.
Note: the only circumstances that may be specified in the data sharing agreement are where the ADSP ‘submits’ ADSP-enhanced data to the data custodian so that the custodian can confirm that the data is as agreed. If this applies, there are additional requirements that the data sharing agreement must satisfy (see Part D of this guidance). 

Provide a general description of the use that will be made by the accredited user of the output of the project (s 19(9)(a) of the Act)

The data sharing agreement must describe at a general level how the accredited user will use the output of the project. This requires more detail than would be covered by specifying the data sharing purpose of the project but may otherwise be as broad or narrow as the parties consider appropriate.
This requirement is also different from the project description and should focus on the accredited user’s use of the output (whereas the project description would cover, at a general level, how the output will be created).  
Note: there are additional requirements relating to any access to output that the accredited user will be permitted to provide (see Part D of this guidance). 

Prohibit the accredited user from using the output in a way that is inconsistent with the description (s 19(9)(b) of the Act)

The data sharing agreement must include a term that the accredited user must not use output of the project in any way that is inconsistent with the description above.
Parties should consider this requirement when drafting the description. Specifically, parties should consider whether a broad or narrow description is more appropriate in the context of the project, such that this term will cover all aspects of the accredited user’s use of output.

Prohibit the accredited user from releasing or providing access to output in circumstances other than those specified in the data sharing agreement (s 19(9)(c) of the Act)

The data sharing agreement must include a term that the accredited user must not provide access to any output, or publicly release any output, except in the circumstances specified in the data sharing agreement.
Note: the only circumstances that may be specified in the data sharing agreement are those allowed by sections 20A, 20B, 20C or 20D of the Act. There are additional requirements for a data sharing agreement if access or release of the output will be allowed under any of these provisions (see Part D of this guidance).
Prohibit accredited entities from doing anything inconsistent with any conditions of accreditation (s 19(11) of the Act) 
 
The data sharing agreement must include a term that the accredited entities that are party to the agreement (accredited users and/or ADSPs) must not do anything inconsistent with any conditions of accreditation imposed on or applicable to the entity from time to time.  
Conditions of accreditation may be imposed on a specific entity or could be prescribed by rules made under the Act.  
No rules have been made prescribing conditions of accreditation. For information about conditions imposed on the accreditation of specific entities, parties should refer to the register of accredited entities.

Where section 37 of the Act applies, specify whether sections 37(2) and 37(3) either apply, or do not apply (s 19(12) and s 37(4)(b) of the Act)

The data sharing agreement must specify whether sections 37(2) and (3) of the Act apply in relation to each accredited entity party to the agreement.
Section 37 of the Act applies to a data sharing project if a data custodian has shared data that includes personal information either directly with an accredited user or through an ADSP, and an accredited entity (either the ADSP or the accredited user) holds the personal information.  
Section 37 sets out which entity has responsibilities in relation to notification of eligible data breaches under Part IIIC of the Privacy Act 1988 (Privacy Act). 
Subsection 37(4) of the Act allows parties to specify in a data sharing agreement that subsections 37(2) and 37(3) do not apply in relation to an accredited entity that would otherwise be required to comply with Australian Privacy Principle 11.1.  
If this is specified, this has the effect that only the entity with which the personal information was shared, and not the data custodian, has responsibilities for notification of eligible data breaches in relation to the personal information held by the entity.  
If subsections 37(2) and 37(3) do apply, then the data custodian has responsibilities for notification of eligible data breaches in relation to the personal information held by the entity with which the personal information was shared. 

Set out any additional data breach responsibilities (apart from those in Part 3.3 of the Act) (s 19(12A) of the Act)

If the parties agree to data breach responsibilities in addition to the responsibilities Scheme entities have under Part 3.3 of the Act, those additional responsibilities must be set out in the data sharing agreement.
For further information on data breach responsibilities, please see guidance here.  

Specify circumstances and methods in which the data sharing agreement may be varied or terminated (s 19(13) of the Act)

Parties can agree circumstances and methods for the variation or termination of a data sharing agreement and must specify these in the data sharing agreement.
Note: variations must be entered into by an individual on behalf of a DATA Scheme entity who is an authorised officer for the entity (s 137(1) and (2)) or authorised under s 137(3) or (4). For further information about authorised officers and individuals, please see guidance here. Further information about varying a data sharing agreement will be provided in forthcoming guidance. 
The Act does not provide any specific requirements in relation to the termination of a data sharing agreement.

Specify the data sharing agreement’s duration and/or the intervals at which it must be reviewed (s 19(14) of the Act)

The data sharing agreement must specify its duration and/or the intervals at which the parties must review the data sharing agreement.
A data sharing agreement does not need to have a specific end date, but, if this is the case, the parties must specify a review period in the agreement. 
Specify how Scheme data covered by the data sharing agreement is to be dealt with when the data sharing agreement ends (s 19(15) of the Act)

Parties must include details about how Scheme data will be dealt with when the data sharing agreement ends. Scheme data includes:

  • any copy of data created for the purpose of being shared by a data custodian under section 13
  • output of a project, other than a copy that has exited the DATA Scheme, and
  • ADSP-enhanced data for a project, other than a copy that has exited the DATA Scheme.

Parties should ensure they adhere to any legislative requirements that may apply to the data (e.g. the Archives Act 1983). The DATA Scheme does not impose specific requirements for how Scheme data should be dealt with at the end of a data sharing project.

Comply with any other requirements prescribed by a data code (s 19(16) of the Act) 

There are additional specification requirements for data sharing agreements set out in each of the following data codes: 

  • Data Availability and Transparency Code 2022
  • Data Availability and Transparency (National Security Measures) Code 2022

These requirements are detailed in Part B.1 below.

Require the data custodian of the source data to give the Commissioner written notice of the cessation of the data sharing agreement (s 19(17) of the Act)

The data sharing agreement must require the data custodian of the source data to give the Commissioner written notice of the cessation of the data sharing agreement as soon as practicable after the data sharing agreement ceases.
If there is more than one data custodian of source data party to the data sharing agreement, parties may specify that only one data custodian is subject to this obligation. 

Part B.1—Data Codes requirements

i. Data Availability and Transparency Code 2022 (the Code) Requirements

Data sharing agreement requirement | Explanation

Represent to the data custodian and other accredited entities that the accredited user and/or ADSP has a system in place to manage conflicts of interest, and that the system operates effectively (s 9(2) and (3) of the Code)

For a project that has a data sharing purpose that is only delivery of government services, the accredited user and/or ADSP must each represent in the data sharing agreement that they have a system in place to identify and manage conflicts of interest and that the system operates effectively.
This is required for each of the other parties to be able to assume that any conflicts of interest in relation to the collection and use of data by accredited users and ADSPs, or their ‘data accessors’ (defined in section 4 of the Code), are appropriately managed.
This is required for all parties to be satisfied that the project is consistent with the people principle. For the purposes of the people principle, an entity is not an appropriate person to make data available to if the entity or any of its data accessors has an actual, potential or perceived conflict of interest, and the conflict is not appropriately managed. 
For further information about designated individuals, please see guidance here.  

Require accredited entities to identify conflicts of interest and manage them appropriately in accordance with the data sharing agreement and any directions of the data custodian (s 10(2)(b) and (3)(b) of the Code)

For a project that has a data sharing purpose that is informing government policy and programs or research and development, the data sharing agreement must require the ADSP and accredited user to identify any conflicts of interest and manage them appropriately in accordance with the data sharing agreement and any directions of the data custodian.
This is required for each of the other parties to be able to assume that any conflicts of interest in relation to the collection and use of data by accredited users and ADSPs, or their data accessors, are appropriately managed.
This is required for all parties to be satisfied that the project is consistent with the people principle. For the purposes of the people principle, an entity is not an appropriate person to make data available to if the entity or any of its data accessors has an actual, potential or perceived conflict of interest, and the conflict is not appropriately managed.
For further information about designated individuals, please see guidance here.

ii. Data Availability and Transparency (National Security Measures) Code 2022 (the National Security Code) Requirements

Data sharing agreement requirement | Explanation
Require accredited entities to ensure that involvement in the entity’s collection or use of output or ADSP-enhanced data is restricted to designated individuals for the entity who are Australian citizens or permanent residents, or about whom prescribed information is specified in the data sharing agreement (s 5(1) of the National Security Code)

The data sharing agreement must require accredited entities to ensure that involvement in the entity's collection or use of ADSP-enhanced data and output is restricted to designated individuals for the entity who are Australian citizens or permanent residents, or individuals for whom all the following information is specified in the data sharing agreement (foreign individuals):

  1. full name, any previous names, and preferred name;
  2. nationality or (if more than one) each nationality;
  3. the applicable designation for the individual under section 123 of the Act;
  4. a description of the individual’s proposed role in the project.

For further information about National Security Measures Code requirements, please see guidance here.

Require accredited entities to ensure that any foreign individuals’ involvement in the entity’s collection or use of output or ADSP-enhanced data is restricted to the role described in the data sharing agreement (s 5(2) of the National Security Code)

If the circumstance above applies in relation to a designated individual for an entity because they are a foreign individual, the data sharing agreement must also require the entity to ensure that the individual’s involvement in the entity’s collection or use of output or ADSP‑enhanced data of the project is restricted to the role described in the data sharing agreement.
For further information about National Security Measures Code requirements, please see guidance here.
Require any accredited entities who are Australian universities to take additional steps in relation to foreign individuals (s 7(2) of the National Security Code)

If an accredited entity that is party to the data sharing agreement is an Australian university, and a designated individual for the Australian university (who is permitted by the data sharing agreement to access data) is a foreign individual, the data sharing agreement must also require the Australian university to do the following:

  1. ensure that due diligence has been carried out with respect to the individual and that the individual has undertaken training in national security issues, including foreign interference; and
  2. have regard to any guidance and reports, published by Australian government security or regulatory agencies responsible for regulating the higher education or research sectors, that deal with foreign interference threats in those sectors (including the Guidelines to counter foreign interference in the Australian university sector published by the Department of Education).

Conditional requirements

Part C—Privacy Protections

Data sharing agreement requirement | Explanation
When sharing data that includes personal information

Prevent accredited entities from storing or accessing personal information (shared for the project) outside of Australia (s 16A(2) of the Act)

If a data custodian shares data that includes personal information, the data sharing agreement for the project must include a term preventing any accredited entity party to the data sharing agreement from storing or accessing, or providing access to, the ADSP-enhanced data, or the output, of the project outside Australia.

Prevent re-identification of de-identified data by accredited user (s 16A(3) of the Act)

If a data custodian shares data that includes personal information that has been de-identified, the data sharing agreement must include a term preventing the accredited user from taking any action that may have the result that the data ceases to be de-identified.
Identify the service being delivered in the data sharing agreement when the purpose is delivery of government services (s 16B(1) of the Act)For projects where the data sharing purpose is delivery of government services and the data includes personal information, the service being delivered must be identified in the data sharing agreement for the project.
Specify whether shared data that includes personal information will exit the DATA Scheme under subsection 20E(4) of the Act (s 16B(2) of the Act)If data that includes personal information is to be shared with an accredited user in circumstances in which the shared data exits the DATA Scheme under subsection 20E(4) of the Act, the data sharing agreement must specify this. 
Further information about appointing a data custodian of the output of a project will be provided in forthcoming guidance.
Include a statement that personal information is being shared without consent (if relevant) because it is unreasonable or impracticable to seek consent, and an explanation for this conclusion (s 16B(3)(b), 16B(4)(a), 16B(7) of the Act)

If the data sharing purpose is informing government policy and programs or research and development, and personal information is being shared without the consent of relevant individuals, because a permitted circumstance exists that it is unreasonable or impracticable to seek consent of those individuals, the data sharing agreement must include:

  1. a statement that personal information is being shared without consent of individuals because it is unreasonable or impracticable to seek their consent; and
  2. an explanation of the data custodian’s reasons for that conclusion. 

See section 21 of the Code for considerations upon which the conclusion must be based.

For further information about consent requirements for sharing personal information, please see guidance here.

Include a statement setting out why sharing personal information without consent is consistent with section 16B (s 16B(3)(b), 16B(8) of the Act)

If the data sharing purpose is informing government policy and programs, or research and development, and personal information about an individual is to be shared without their consent, the data sharing agreement must include a statement setting out why sharing the personal information is consistent with section 16B.

This statement should consider and set out how the project satisfies each of the requirements for sharing personal information without consent set out in paragraph 16B(3)(b). Parties should refer to sections 22 and 23 of the Code. 

For further information about consent requirements for sharing personal information, please see guidance here.

Include an APP-equivalence term, where required, to satisfy the privacy coverage condition (s 16E(1)(c) and (2) of the Act)

For the privacy coverage condition to be met with respect to an accredited entity, an APP-equivalence term must be included in a data sharing agreement for any accredited entities which are not:

  1. APP entities; 
  2. subject to the Privacy Act in relation to the entity’s collection and use of data as if the entity were an organisation within the meaning of the Privacy Act; or
  3. subject to a law of a state or territory that provides for all of the following in relation to the entity’s collection and use of data as part of a project: 
    1.  protection of personal information comparable to that provided by the Australian Privacy Principles;
    2. monitoring of compliance with the law;
    3. a means for an individual to seek recourse if the individual’s personal information is dealt with in a way contrary to the law.

An APP-equivalence term is a term of a data sharing agreement prohibiting an entity from collecting or using personal information under the agreement in any way that would, if the entity were an organisation within the meaning of the Privacy Act, breach an Australian Privacy Principle.

The Australian Information Commissioner may investigate a possible breach of an APP-equivalence term and deal with complaints about interferences with privacy that relate to a breach of an APP-equivalence term.

For further information on satisfying the privacy coverage condition, please see guidance here.

When the project involves the performance of data services

Require an ADSP or the data custodian to perform de-identification or secure access data services (s 16C(2) of the Act)

If the data sharing purpose of a project is informing government policy and programs, or research and development, and the project involves performing a de-identification or secure access data service, the data sharing agreement must require the services to be performed by one of the following:

  1. the data custodian of the data, if the data custodian is not an ADSP but is satisfied that it has the appropriate skills and experience to perform the service; 
  2. the data custodian of the data, if the data custodian is an ADSP able to perform such a service consistently with its conditions of accreditation; 
  3. an ADSP able to perform such a service consistently with its conditions of accreditation.

For further information about ADSP services, please see guidance here. For further information about using an ADSP as part of a data sharing project, please see guidance here.

Require an ADSP to perform complex data integration services (s 16D(2) of the Act)

If the data sharing purpose of a project is informing government policy and programs, or research and development, and the project involves performing a complex data integration service, the data sharing agreement must require the service to be performed by one of the following:

  1. the data custodian of the data, if the data custodian is an ADSP able to perform such a service consistently with its conditions of accreditation;
  2. an ADSP able to perform such a service consistently with its conditions of accreditation. 

Note: the requirement in subsection 16D(2) does not apply if a decision is made that subsection 16D(4) applies, because the data custodian is satisfied, taking the specified circumstances into account, that the risk that the integration could cause substantial harm is low.

For further information about ADSP services, please see guidance here. For further information about using an ADSP as part of a data sharing project, please see guidance here.

 

Part D—Other requirements in particular circumstances

Data sharing agreement requirement | Explanation

If data will be submitted to the data custodian

Allow the accredited user or ADSP to provide access to the output or ADSP-enhanced data to the data custodian for the purpose of ensuring that the output is as agreed (s 20A(1) and (2) of the Act)

An accredited user or ADSP may provide access to output or ADSP-enhanced data to the data custodian so that the data custodian can ensure that the output or ADSP-enhanced data is as agreed between the parties. This is referred to as ‘submitting’ data.

The data sharing agreement should also set out any actions the data custodian will take for the purpose of ensuring that the data is as agreed.

This mechanism may be used, for example, where an accredited user will be allowed to provide access to output to a third party, or publicly release the output. There may be a requirement to ensure that the output is appropriately de-identified, or the data custodian may want to ‘vet’ the output.

As the data custodian will be required to be satisfied that the output meets the requirements of the data sharing agreement, the data custodian may choose to require the submission of output. This allows the data custodian to satisfy itself that the output meets the relevant requirements, such that the use will be authorised under section 13A of the Act (see further under ‘If the accredited user will provide access to output’ heading below).

Specify the output or ADSP-enhanced data to be submitted to the data custodian (s 20A(1) and (2) of the Act)

The data sharing agreement must specify the output or ADSP-enhanced data that will be submitted.

If the accredited user will be allowed to provide access to output for validation or correction

Allow the accredited user to provide access to output to an entity or individual for the purpose of validating or correcting the output (s 20B(1)(a) of the Act)

A data sharing agreement may allow the accredited user to provide another entity or individual with access to specified output of the project for the purposes of validation or correction, if the output relates to the entity or individual. This is provided the relevant requirements (detailed below) are met.

Specify to whom the accredited user will provide access to output (s 20B(1)(a) of the Act)

The data sharing agreement must specify which of the following the accredited user will provide access to:

  1. an entity that carries on a business, or is a not‑for‑profit entity, to which the output relates; 
  2. an individual to whom the output relates, or a responsible person (within the meaning of the Privacy Act) for such an individual; or 
  3. another person in circumstances prescribed by the rules that relate to validating or correcting the output. 

Note: no rules have been made for the purpose described at item 3 above.

Specify the output the accredited user will provide access to (s 20B(1) of the Act)

The data sharing agreement must specify the output that the entity or individual identified above will be provided access to.

Require the data custodian to be satisfied that providing access will be an authorised use of output (s 20B(1)(b) of the Act)

The data sharing agreement must require the data custodian to be satisfied, before the accredited user provides any access to output, that the access will be an authorised use of the output under section 13A of the Act.

To meet this requirement, the data custodian must be satisfied that the use of the output will be in accordance with the data sharing agreement. This may not require any additional action from the data custodian, provided the data custodian is satisfied that all the requirements of the data sharing agreement have been met prior to any access being provided to an entity or individual. Alternatively, the data custodian may wish to require the accredited user to submit the output prior to providing any access to an entity or individual.

If the accredited user will be allowed to provide access to output for a third party, or release the output publicly

Allow the accredited user to provide another entity with access to output, or release output publicly, in circumstances that do not contravene any law (s 20C(1) of the Act)

The data sharing agreement may allow the accredited user to provide a third party with access to the output, or to publicly release output, in circumstances that do not contravene any law of the Commonwealth, a state, or a territory. This is provided the relevant requirements (detailed below) are met.

Specify the output the accredited user will provide access to or release (s 20C(1) of the Act)

The data sharing agreement must specify the output that the accredited user will provide access to, or release.

This may be the final output as a whole, or a part of the final output.

Specify the circumstances for the accredited user to provide access to output, or release output (s 20C(1)(a) of the Act)

The statutory override in section 23 of the Act does not apply when the accredited user is providing access to output to a third party, or releasing output, under section 20C of the Act. This means that any restrictions in the primary legislation that governed the source data should be considered in relation to the relevant output.

If the accredited user is to be allowed to provide access to, or release, output, the data sharing agreement must specify the circumstances in which the accredited user may do so. The circumstances specified must not contravene any other law of the Commonwealth, a state, or a territory.

In general, if output is consistent with the ‘output principle’ and does not contravene any secrecy provisions that applied to the source data before it came into the Scheme, the access or release should not contravene other laws. Parties should ensure they have obtained independent advice about the appropriateness of providing access to, or releasing, output.

Further information about providing access to output and releasing output will be provided in forthcoming guidance.

Prevent the accredited user from providing access to, or releasing, output that contains personal information without individuals’ consent (s 20C(1)(b) of the Act)

If the specified output that will be accessed or released contains personal information about an individual, the data sharing agreement must include a term providing that the accredited user must not provide any access to, or release, the output, unless the individual consents.

Require the data custodian to be satisfied that providing access or releasing output will be an authorised use of output (s 20C(1)(c) of the Act)

The data sharing agreement must require the data custodian to be satisfied, before the accredited user provides any access to output, or releases output, that the access or release will be an authorised use of the output under section 13A of the Act.

To meet this requirement, the data custodian must be satisfied that the use of the output will be in accordance with the data sharing agreement. This may not require any additional action from the data custodian, provided the data custodian is satisfied that all the requirements of the data sharing agreement have been met prior to any access or release. Alternatively, the data custodian may wish to require the accredited user to submit the output prior to releasing or providing any access to output.

Further information about providing access to output and releasing output will be provided in forthcoming guidance.

If the accredited user will be allowed to share output in subsequent data sharing projects under the DATA Scheme

Allow the accredited user to share output of a project under subsequent DATA Scheme projects (s 20D of the Act)

The data sharing agreement may allow the accredited user to share the output of a project as a data custodian in subsequent DATA Scheme data sharing projects. This is provided the relevant requirements (detailed below) are met.

Appoint the accredited user as the data custodian of specified output under section 20F(2) of the Act (s 20D(a) of the Act)

See the next section of this guidance for the requirements for appointing the accredited user as the data custodian of the specified output.

Require the data custodian of the source data to be satisfied that sharing will be an authorised use of output (s 20D(b) of the Act)

The data sharing agreement must require the data custodian of the source data to be satisfied, before the accredited user shares output in a subsequent project, that the sharing will be an authorised use of the output under section 13A of the Act.

To meet this requirement, the data custodian of the source data must be satisfied that the use of the output will be in accordance with the data sharing agreement. This may not require any additional action from the data custodian, provided the data custodian is satisfied that all the requirements of the data sharing agreement have been met prior to any access. Alternatively, the data custodian may wish to require the accredited user to submit the output prior to releasing or providing any access to output.

See below for additional requirements to appoint a data custodian of the output of the project.

Appointing the accredited user as data custodian of project output where the accredited user may provide access to output
Further information about appointing a data custodian of the output of a project will be provided in forthcoming guidance.
Appoint the accredited user as data custodian of output (s 20F(2) of the Act)

A data sharing agreement may appoint the accredited user as the data custodian of a specified output if:

  1. the user is a Commonwealth body within the meaning of the Act; and, 
  2. the output is public sector data (which is data lawfully collected, created or held by or on behalf of a Commonwealth body); and,
  3. the output is not the copy of the shared data that was collected by the accredited user but is the product of the user’s use of the data (under the Act, ‘use’ is a term that includes, but is not limited to, handling, storing and providing access to data).

Specify the output that the accredited user will be appointed custodian of (s 20F(2) of the Act)

The data sharing agreement must specify the output of which the accredited user will become the data custodian. This could be the final output as a whole, or a part of the final output.

Ensure that the accredited user is allowed to provide access to output under section 20D or 20C (s 20F(2)(c)(ii) of the Act)

The data sharing agreement must allow the accredited user to do one of the following:

  1. provide access to output for a third party, or release the output publicly; or, 
  2. share output in subsequent data sharing projects under the DATA Scheme.

Both mechanisms are dealt with in previous sections of this guidance.

Appointing the accredited user as data custodian of project output where the conditions for exit of output are met
Further information about appointing a data custodian of the output of a project will be provided in forthcoming guidance.
Appoint the accredited user as data custodian of output (s 20F(2) of the Act)

A data sharing agreement may appoint the accredited user as the data custodian of specified output if:

  1. the user is a Commonwealth body within the meaning of the Act; and, 
  2. the output is public sector data (which is data lawfully collected, created or held by or on behalf of a Commonwealth body); and,
  3. the output is not the copy of the shared data that was collected by the accredited user but is the product of the user’s use of the data (under the Act, ‘use’ is a term that includes, but is not limited to, handling, storing and providing access to data).

Specify the output that the accredited user will be appointed custodian of (s 20F(2) of the Act)

The data sharing agreement must specify the output of which the accredited user will become the data custodian. This could be the final output as a whole, or a part of the final output.

Require the data custodian of the source data to be satisfied that all requirements relating to exit of the output are met before the time specified for exit (s 20F(3)(c) of the Act)

The data sharing agreement must require the data custodian of the source data to be satisfied, before the time specified in the agreement for the output to exit the DATA Scheme, that the conditions of exit of the output are met.

Including this term in the data sharing agreement is one of the requirements of exit. The other requirements are:

  1. provision of access to, or release of, the output by the accredited user would not contravene any other law of the Commonwealth or a law of a State or Territory (disregarding section 23 of the Act); and, 
  2. if the output contains personal information, the individual has expressly consented to their personal information being used by the accredited user without the requirements of the DATA Scheme applying to the use.

Specify a time for the exit of output (s 20F(3)(c) and 20E(7) of the Act)

For the exit to take effect, the data sharing agreement must specify a time for the exit of the output. This is the time at which the accredited user will become the data custodian of the output.

Appointing a party other than the accredited user as data custodian of project output

Further information about appointing a data custodian of the output of a project will be provided in forthcoming guidance.

Appoint a party as the data custodian of specified output (s 20F(5) of the Act)

A data sharing agreement may appoint an entity that is party to the data sharing agreement in a capacity other than as the accredited user as the data custodian of specified output of the project, if:

  1. the entity is a Commonwealth body within the meaning of the Act; and,
  2. the entity is not an excluded entity under s 11(3) of the Act; and, 
  3. the output is public sector data (which is data lawfully collected, created or held by or on behalf of a Commonwealth body); and,
  4. the output is not the copy of the shared data that was collected by the accredited user, but is the product of the user’s use of the data (under the Act, ‘use’ is a term that includes, but is not limited to, handling, storing and providing access to data); and, 
  5. the data sharing agreement allows the accredited user to provide the entity with access to the output in circumstances allowed by section 20C.

Ensure that the accredited user is allowed to provide access to output to the entity under section 20C (s 20F(5)(d) of the Act)

This mechanism is dealt with in the previous section of this guidance.

Approved contracts

Specify any contracts that will be authorised or approved under the data sharing agreement as approved contracts for accredited entities (s 123(3) of the Act)

The data sharing agreement must specify the approved contracts for the accredited entities party to the data sharing agreement.

At a minimum, parties should specify:

  1. the parties to the approved contract; 
  2. the date of the contract; and, 
  3. the role that the approved contractor will undertake as part of the project. 

The parties may also wish to include a representation from the accredited entity on behalf of any approved contractors that the approved contractors understand their responsibilities under the DATA Scheme.

An individual or body corporate's contract with an entity is an approved contract if:

  1. the entity is an accredited entity and party to a data sharing agreement; and
  2. the contract is authorised by, or approved under, the data sharing agreement in accordance with any requirements in a data code.

This has the effect of making the body corporate, or an employee, officer or member of a body corporate, that is party to an approved contract with the entity a 'designated individual' for the entity.

The authorisations of entities to share, collect and use data under the Act are extended to the entity's designated individuals. Similarly, the entity's responsibilities with respect to designated individuals, including the requirement to specify details of any foreign individuals, also apply to approved contractors.

For further information on designated individuals, please see guidance here.

Fees
Include any fees or costs associated with the data sharing project or the basis for determining fees (where they are yet to be settled or can only be indicative)

Fees and costs are not required to be specified in a data sharing agreement. However, parties may agree that fees or costs will be paid as part of the data sharing project. Any fees or costs, or methods of calculating fees or costs, that parties agree to may be set out in the data sharing agreement.

For further information on the charging of fees by data custodians, please see guidance here. For further information on the charging of fees by ADSPs, please see guidance here.

Other matters
Specify any other matters agreed to (s 18(6) of the Act)

A data sharing agreement for a project may include matters that are not required to be included under the Act. However, any additional matters included must not be inconsistent with the DATA Scheme.

 

Guidance note 2025:2

Last updated: 18 February 2025