Third party participation in the DATA Scheme
Guidance note 2025:3
This guidance note provides information on how third parties can participate in a DATA Scheme project. It outlines the roles, responsibilities, and authorisation mechanisms for third parties, ensuring compliance with the Data Availability and Transparency Act 2022 (the Act).
Overview
The DATA Scheme (Scheme) allows Scheme entities to share, collect and use data for projects established through Scheme data sharing agreements. Scheme entities include data custodians, which are Commonwealth government bodies that control public sector data.1 They also include accredited entities, namely accredited users and accredited data service providers (ADSPs), which have undergone the accreditation process to meet the necessary standards for handling data.
Entities that are not party to a data sharing agreement (third parties) may also participate in a Scheme project. Third parties can include entities that are not accredited under the Scheme, or Scheme entities not part of a project’s data sharing agreement. Third parties include (but are not limited to):
- government agencies and universities (whether accredited or not)
- research organisations
- not-for-profit bodies and community organisations, such as Indigenous community-controlled organisations.
A third party can provide certain data services, such as data cleansing, analytics, and technical or methodological support to a Scheme entity. However, de‑identification, secure access and complex data integration services will generally need to be performed by an ADSP. For more information on the specific circumstances in which an ADSP is required, please see guidance on When to use an ADSP in the DATA Scheme.
A project’s data sharing agreement may allow an accredited user in a project to provide third parties with access to the project output. For further information about access to project output, please see guidance on Allowed Access to Project Output.
How the Scheme authorises third party participation
Third party participation in a Scheme project can be achieved in the following ways:
- Appointing an agent: appointing a third party to act as an agent for the Scheme entity that is a party to a data sharing agreement.
- Approved contracts: a third party entity performing certain services under an ‘approved contract’.
A third party that participates in a project is taken to share, collect and use the data covered by the project on behalf of the Scheme entity that is party to the data sharing agreement. The Scheme entity generally retains responsibility and liability for the actions of the third party under the Scheme as long as the third party acts within their authority. When engaging a third party, the Scheme entity should be aware of any restrictions that may be outlined in the data sharing agreement and in the Scheme entity’s accreditation conditions.
The Scheme entity’s authorisation extends to employees and officers of the third party, who are considered designated individuals as defined by subsection 123(1) of the Act for the Scheme entity. These designated individuals must act within the scope of their authority as an employee or officer and within the scope of the following:
- the third party’s contract with the Scheme entity,
- the project’s data sharing agreement, and
- any accreditation conditions set for the accredited entity.
A third party participant may be directly liable to civil penalties under section 14 of the Act for unauthorised sharing. They may also be liable under section 14A of the Act for unauthorised collection or use of data.
For further information about designated individuals for an entity, see our guidance on Designated Individuals.
Appointing an agent
Any Scheme entity that is party to a data sharing agreement can appoint a third party to act as an ‘agent’. As an agent, the third party has the power to act on behalf of the Scheme entity as though they were the Scheme entity themselves. Agents often have expertise in a specific matter and are engaged to provide trusted advice and expert services. The employees of the agent become designated individuals of the Scheme entity.
Responsibility for all Scheme activity remains with the relevant Scheme entity. It is therefore important for the Scheme entity to ensure the agent understands their requirements and obligations under the DATA Scheme and is able to perform in accordance with the data sharing agreement.
Example 1: An accredited user has a data sharing agreement with a data custodian to collect and use data which will be treated and used in a subsequent project. Before the accredited user uses the data in the subsequent project, as stipulated in the data sharing agreement, the data custodian wants to review the output to ensure the output meets the requirements of the data sharing agreement. The data custodian does not have the expertise to assess the output and has engaged an agent to vet the submitted output on its behalf. As such, the agent is a designated individual of the data custodian.
Approved contract
An accredited entity can engage a third party to perform certain services under an approved contract. Unlike the agent arrangement discussed above, approved contracts apply only to accredited users and ADSPs in performing their functions in a data sharing project. Approved contracts under the Act are not available for activities undertaken by data custodians.
An accredited entity that is party to a data sharing agreement may have an existing contract with a third party or may establish one solely to deliver services for a Scheme project. The contract can become an ‘approved contract’ under the Scheme if authorised through the data sharing agreement.
Approved contracts must be between an individual or body corporate and an accredited entity. When a contract becomes an approved contract, the individual, or employees of the body corporate, become designated individuals of the accredited entity. The contract determines the designation of the individuals, who are limited to acting within the scope of the approved contract.
Example 2: A not-for-profit entity (the third party) with specialised subject matter expertise has a contract with a state government body to deliver analysis and advisory services relating to homelessness and healthcare. The state government body, an accredited user, has successfully requested data from a data custodian under the Scheme for a project focused on research and policy development around homelessness. The contract between the third party and the state government body is recognised as an approved contract in the project’s data sharing agreement. As such, the third party is authorised to be involved in the project under the approved contract once the data sharing agreement is registered. Relevant individuals (e.g. employees) from the third party are considered to be designated individuals of the state government body for the purposes of that project.
Roles and responsibilities of agents and approved contracts
The differences between appointing an agent and using an approved contract are summarised below.
Participation mechanism | Who can use this? | Authorisation and role | Third party responsibility |
---|---|---|---|
Appoint an Agent | Data Custodians, Accredited Users and ADSPs | | Ensure compliance with: |
Approved Contract | Accredited Users and ADSPs | | Ensure compliance with: |
Contractors and secondments
In addition to third-party participation, Scheme entities may also engage contractors and secondees to support their data sharing projects. Contractors often bring specialised expertise and flexibility for project-based work, while secondees commonly facilitate knowledge transfer and capacity building through temporary assignments. Such roles may be important in enhancing the capabilities and effectiveness of Scheme entities, helping them to achieve the objectives of their data sharing projects.
Contractors and secondees providing services to a Scheme entity are generally considered to be part of that entity and therefore are covered by the entity’s accreditation. The Scheme entity’s authorisation covers individuals contracted to the entity; these individuals are considered designated individuals of the Scheme entity. Authorisation will generally also extend to secondees. However, as secondment arrangements can vary, the Scheme entity must ensure that the authorisation is appropriate for each specific arrangement.
1 This does not include some excluded entities. Data custodians include those appointed a data custodian of the output of a DATA Scheme project. More information on data custodians will be available in forthcoming guidance.
2 For example, an accredited user may have a condition on their accreditation that requires them to use an ADSP for all their DATA Scheme projects. Any third party providing services on behalf of the accredited user is also required to use an ADSP, even if they can provide those services themselves.
Last updated 4 March 2025