Data

Overview

The Data Availability and Transparency Act 2022 (Cth) (or DAT Act) establishes the Data Availability and Transparency Scheme (or DATA Scheme) to authorise controlled sharing, collection and use of Commonwealth public-sector data, with objects directed to availability, privacy-consistent sharing, integrity and transparency, public confidence and institutional arrangements. The Scheme operates alongside existing regimes (e.g., the Privacy Act 1988 (Cth)) and includes an "override" mechanism that gives DAT authorisations, subject to some limitations, effect despite other Commonwealth, State or Territory laws.

The Act is under statutory review (s 142) with a five-year sunset (s 143). The review asks whether the Act advances its objects, how it interacts with other sharing pathways, and whether it should continue beyond 1 April 2027. Draft findings (July 2025) conclude the Act has not yet achieved its objectives and recommend substantial reform.

Legislative Scheme

The Data Availability and Transparency Act 2022 (Cth) is structured into six Chapters. It provides the legislative basis for the DATA Scheme—a framework enabling the collection and controlled sharing and use of Commonwealth public sector data for defined public-interest purposes. The DAT Act’s architecture is both authorising and regulatory. It establishes authorisations (Chapter 2) that are constrained by definitions and scope limitations (Chapter 1), entity responsibilities (Chapter 3), and layered oversight from an independent regulator (Chapter 4).

Chapter 1: Preliminary (ss 1–11A)
  • Part 1.1 — Introduction (ss 1–7):
    • Objects (s 3): The objects of the Act are to: serve the public interest by promoting better availability of public sector data; enable the sharing of public sector data consistently with the Privacy Act 1988 and appropriate security safeguards; enhance integrity and transparency; build confidence in the use of public sector data; and establish institutional arrangements for sharing public sector data.
    • Crown and Territory (ss 5–7) — The Act extends to acts, omissions, matters and things outside Australia.
  • Part 1.2 — Definitions (ss 9–11A):
    • Key Definitions (s 9):
      • "accreditation authority": The Minister is the accreditation authority for a Commonwealth body, State body or Territory body applying for accreditation as a user. The Commissioner is the accreditation authority for entities applying as an ADSP and for any other entity (such as a university) applying as a user.
      • "public sector data": Data lawfully collected, created or held by or on behalf of a Commonwealth body.
      • "scheme data": Data subject to the Act. It includes any copy of data created for the purpose of being shared under s 13; output of a project; and ADSP-enhanced data of a project.
    • Entity Definitions (s 11):
      • "data scheme entities" (s 11(1)): Data custodians of public sector data; and accredited entities.
      • "data custodian" (s 11(2)): An entity is a data custodian if it is a Commonwealth body; is not an excluded entity; and controls public sector data.
      • "excluded entity" (s 11(3)): Agencies that cannot be data custodians include the Australian Criminal Intelligence Commission; the Australian Federal Police; the Australian Security Intelligence Organisation; the Australian Signals Directorate; and the Office of National Intelligence.
      • "accredited entity" (s 11(4)): An entity accredited under s 74 as an accredited user; or an ADSP (short for accredited data service provider).
    • Data Sharing Project (s 11A):
      • "output" (s 11A(1)): The copy of the data collected by the user; and any data that is the result or product of the user's use of the shared data.
      • "ADSP-enhanced data" (s 11A(3)): The copy of the data collected by the intermediary; and any data that is the result or product of the intermediary's use of the shared data.
Chapter 2: Authorisations (ss 12–23)
  • Part 2.2 — Authorisations (ss 13–14A):
    • Authorisation for data custodian to share (s 13) — An entity (the sharer) is authorised to share data with another entity (the user), either directly or through an intermediary (the intermediary). This authorisation is conditional on:
      • The project being covered by a registered data sharing agreement;
      • The constitutional requirements in subsection (4) being met;
      • The data custodian requirements in subsection (2) being met;
      • The sharer being satisfied that the project is consistent with the data sharing principles; and
      • The user being an accredited user and (if applicable) the intermediary being an ADSP.
    • Authorisation for accredited user (s 13A) — An entity (the user) is authorised to collect data shared with the user under section 13 or to use output of the project, if the collection or use is in accordance with the data sharing agreement.
    • Authorisation for ADSP (s 13B) — An intermediary is authorised to collect data shared with it by the sharer, or to use ADSP-enhanced data of the project, if the collection or use is in accordance with the data sharing agreement.
    • Penalties for unauthorised sharing (s 14) — Establishes civil penalty provisions and criminal offences if an entity provides access to data purportedly under section 13, but the provision of access is not authorised.
    • Penalties for unauthorised collection or use (s 14A) — Establishes civil penalty provisions and criminal offences if an entity collects or uses data... and the collection or use is not authorised by the Act.
  • Part 2.3 — Data Sharing Purposes and Principles (ss 15–16):
    • Data Sharing Purposes (s 15) — Sharing is only authorised for (a) delivery of government services; (b) informing government policy and programs; and (c) research and development.
      • Precluded Purposes (s 15(2)) — The Act prohibits sharing for precluded purposes, which include: an enforcement related purpose; or a purpose that relates to, or prejudices, national security.
    • Data Sharing Principles (s 16) — The project must be consistent with five principles:
      • Project principle (s 16(1)): The project is an appropriate project or program of work.
      • People principle (s 16(3)): Data is made available only to appropriate persons.
      • Setting principle (s 16(5)): Data is shared, collected and used in an appropriately controlled environment.
      • Data principle (s 16(7)): Appropriate protections are applied to the data.
      • Output principle (s 16(9)): The only output of the project is the final output; and output reasonably necessary to creation of the final output.
  • Part 2.4 — Privacy Protections (ss 16A–16F):
    • General Protections (s 16A) — Data that includes biometric data must not be shared unless the individual expressly consents. The data sharing agreement must prohibit an accredited entity from storing or accessing outside Australia.
    • Purpose-specific Protections (s 16B) — For informing government policy and programs or research and development, data must not include personal information unless the individual consents; or all of the following apply:
      • the project cannot proceed without the personal information;
      • the public interest justifies the sharing without consent; and
      • it is unreasonable or impracticable to seek consent.
    • Specialist Services (ss 16C–16D) — A project involving a de-identification data service (s 16C) or a complex data integration service (s 16D) must require the service to be performed by an appropriately skilled data custodian or an ADSP.
    • Privacy Coverage Condition (s 16E) — The privacy coverage condition is met if the entity is an APP entity; or the Privacy Act 1988 applies to the entity as if the entity were an organisation (an APP-equivalence term); or a law of a State or Territory that provides for protection of personal information comparable to that provided by the Australian Privacy Principles applies.
  • Part 2.5 — Instances Where Sharing Barred (s 17):
    • The data is held by, or originated with... an excluded entity (e.g., AFP, ASIO).
    • Sharing the data contravenes or infringes:
      • copyright; or
      • a contract or agreement; or
      • a common law duty or privilege.
    • The data is commercial information and sharing it founds an action for breach of confidence.
    • A provision of a law prescribed by the regulations prohibits the disclosure.
    • Sharing the data is inconsistent with the obligations of Australia under international law.
  • Part 2.6 — Data Sharing Agreements (ss 18–19):
    • Data Sharing Agreement (s 18) — Defines the agreement between a data custodian and an accredited user. A data sharing agreement has no effect until the agreement is registered.
    • Requirements (s 19) — The agreement must specify:
      • the source data;
      • the final output;
      • the data sharing purpose; and
      • how the project will be consistent with the data sharing principles.
  • Part 2.7 — Allowed Access to Output of Project (ss 20A–20F):
    • Allowed Access (ss 20A–20D) — The data sharing agreement may allow the accredited user to provide access to output to:
      • the data custodian (s 20A); or
      • another entity for the purpose of validating or correcting the output (s 20B); or
      • in other circumstances if the individual consents (s 20C).
    • Exit of Output (s 20E) — Defines when a copy of output exits the data sharing scheme. This is a defence to penalties under s 14A(6).
  • Part 2.8 — Relationship with Other Laws (ss 22–23).
    • Override (s 23) — The authorisations in sections 13, 13A, 13B and 13C have effect despite anything in another law of the Commonwealth, or a law of a State or Territory.
Chapter 3: Responsibilities of Data Scheme Entities (ss 24–38)
  • Part 3.2 — General Responsibilities (ss 25–34):
    • No Duty to Share (s 25) — The Act does not require a data custodian to share public sector data. However, a data custodian must, within a reasonable period, consider a request made by an accredited user. The data custodian may refuse the request for any reason, but must give the accredited user written notice of the reasons.
    • Compliance Obligations (ss 26, 27, 30) — A data scheme entity must comply with the rules and data codes. Entities must also have regard to the guidelines when engaging in conduct for the purposes of the Act. An accredited entity must comply with the conditions of the entity’s accreditation (civil penalty: 300 penalty units).
    • Reporting Obligations (ss 31, 33, 34) — An accredited entity must give the Commissioner written notice of any event or change in circumstance relevant to the entity’s accreditation (civil penalty: 300 penalty units).
    • Registration (s 33) — An entity that is party to a data sharing agreement in the capacity of a data custodian must give the Commissioner an electronic copy of the agreement.
    • Assisting Commissioner (s 34) — A data custodian must notify the Commissioner of the number of requests received and the reasons it agreed to or refused them.
  • Part 3.3 — Data Breach Responsibilities (ss 35–38):
    • Definition of Data Breach (s 35) — A data breach occurs if a data scheme entity holds scheme data and there is unauthorised access to or disclosure of the data, or the data is lost in circumstances where unauthorised access or disclosure is likely.
    • Mitigation (s 36) — If a data scheme entity reasonably suspects a data breach has occurred, the entity must take reasonable steps to prevent or reduce any harm resulting from the breach (civil penalty: 300 penalty units).
    • Interaction with Privacy Act (s 37) — This section creates a “deemed holding” provision. If a data custodian has shared personal information with an accredited entity, Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) has effect as if the personal information were held by the data custodian. Consequently, the accredited entity must give the data custodian written notice of the data breach to enable the data custodian to comply with its obligations.
    • Non-Personal Data Breach (s 38) — A data scheme entity must notify the Commissioner if a data breach has occurred and the data involved in the breach is not personal information.
Chapter 4: National Data Commissioner and National Data Advisory Council (ss 39–72)

This Chapter establishes the independent statutory office of the National Data Commissioner and defines the Commissioner's functions and powers. In performing those functions, the Commissioner must have regard to the objects of the Act (s 40, see also s 3). The Chapter also establishes the National Data Advisory Council.
  • Part 4.2 — National Data Commissioner (ss 41–60):
    • Establishment (s 41) — There is to be a National Data Commissioner.
    • Functions (s 42) — The Commissioner has the functions set out in sections 43 to 45A. A key limitation is s 42(2), which states the Commissioner may perform the Commissioner’s functions only with respect to:
      • sharing of data under s 13; and
      • matters incidental to the execution of the legislative powers of the Parliament or the executive power of the Commonwealth.
    • Detailed Functions (ss 43–45A) — The Commissioner’s functions are to:
      • Advise (s 43): Advise on matters relating to the operation of the Act and advise a data scheme entity about how the data sharing scheme applies.
      • Guide (s 44): Make data codes under section 126 and guidelines under section 127.
      • Regulate (s 45): Regulate and enforce the data sharing scheme by performing the functions and exercising the powers conferred by Chapter 5.
      • Educate (s 45A): Foster best practice, foster safe data-handling practices, and make available information, educational material and support.
    • Independence (s 51) — The Commissioner has discretion in the performance of the Commissioner’s functions and is not subject to direction by any person in relation to the performance or exercise of those functions or powers.
  • Part 4.3 — National Data Advisory Council (ss 61–72):
    • Establishment and Function (s 61) — The National Data Advisory Council is established by this section, and has the function of advising the Commissioner on matters relating to use of public sector data, including:
      • ethics;
      • balancing data availability with privacy protection;
      • trust and transparency; and
      • technical best practice.
    • Membership (s 62) — The Council consists of the following members:
      • the Commissioner;
      • the Australian Statistician;
      • the Information Commissioner;
      • the Chief Scientist; and
      • at least 5, and no more than 8, other members appointed by the Commissioner.
Chapter 5: Regulation and Enforcement (ss 73–116)

This Chapter establishes the regulatory and enforcement mechanisms of the DATA Scheme: the accreditation framework and the Commissioner's powers including in relation to complaints-handling and conducting investigations.
  • Part 5.2 — Accreditation Framework (ss 74–87). This Part creates the mechanism for accrediting entities as trusted participants in the scheme.
    • Accreditation (s 74) — The accreditation authority may grant the accreditation applied for if the entity is an Australian entity and not an excluded entity, and the authority is satisfied that the entity meets the criteria for accreditation under s 77.
    • Criteria for Accreditation (s 77) — The criteria for accreditation are:
      • the entity has appropriate data management and governance policies and practices;
      • the entity is able to minimise the risk of unauthorised access, sharing or loss of data; and
      • the entity has the necessary skills and capability to ensure the privacy, protection and appropriate use of data.
    • Conditions of Accreditation (s 78) — The accreditation authority may impose conditions of accreditation on the entity if the authority considers this appropriate for reasons of security, or otherwise reasonable and appropriate to ensure that scheme data is collected and used in accordance with the Act.
    • Suspension or Cancellation (s 81) — The accreditation authority may suspend or cancel the accreditation if the authority is reasonably satisfied that the entity does not meet the criteria for accreditation, reasonably suspects that the entity has breached the Act or a data sharing agreement, or does so for reasons of security.
  • Part 5.3 — Complaints (ss 88–96). This Part establishes two formal complaint pathways.
    • Division 1 — Scheme Complaints (s 88) — A data scheme entity may complain to the Commissioner if the complainant reasonably suspects that another entity, while a data scheme entity, breached the Act or a data sharing agreement.
      • Grounds for Not Dealing with Complaints (s 92) — A ground exists for not dealing with a complaint if the alleged breach is not material, the complaint was made more than 12 months after the complainant first reasonably suspected the breach, or the complaint is frivolous, vexatious, misconceived, lacking in substance, or not made in good faith.
    • Division 2 — General Complaints (s 94) — A person may complain to the Commissioner about any matter relating to the administration or operation of the data sharing scheme.
  • Part 5.4 — Assessments and Investigations (ss 99–103A). This Part provides the Commissioner with proactive and reactive powers to monitor compliance.
    • Assessments (s 99) — The Commissioner may, from time to time, assess whether conduct that an entity engages in is consistent with the requirements of the Act.
    • Investigations (s 101) — The Commissioner must investigate conduct so far as it relates to a complaint made under s 88, unless a ground exists for not dealing with the complaint. The Commissioner may, on the Commissioner’s own initiative, investigate conduct if the Commissioner reasonably suspects that the entity has breached the Act or a data sharing agreement.
    • Determination on Completion (s 102) — The Commissioner must make a written determination setting out the Commissioner’s opinion as to whether the entity has breached the Act or a data sharing agreement, the reasons for that opinion, and an indication of any action the Commissioner has decided to take.
  • Part 5.5 — Regulatory Powers and Enforcement (ss 104–116)
    • Power to Require Information (s 104) — If the Commissioner reasonably believes that a person has information or a document relevant to an investigation, the Commissioner may require the person to give the information or produce the document.
    • Monitoring and Investigation Powers (ss 109–110) — Specified provisions of the Act are subject to monitoring under Part 2 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers (Standard Provisions) Act) and subject to investigation under Part 3 of the Regulatory Powers (Standard Provisions) Act.
    • Directions (s 112) — The Commissioner may give a data scheme entity a written direction requiring the entity to take, or not take, specified actions if the Commissioner is satisfied that the entity has acted, or is likely to act, inconsistently with the Act or a data sharing agreement, or if an emergency or high-risk situation has arisen. An entity must comply with a direction (civil penalty: 300 penalty units).
Chapter 6: Other Matters (ss 117–143)
  • Part 6.2 — Review of Decisions (ss 118–122):
    • Reviewable Decisions (s 118) — Defines the decisions made by the Commissioner or the Minister that are reviewable decisions. The following decisions are reviewable:
      • a decision to accredit an entity with conditions or to refuse to accredit the entity;
      • a decision under s 78 to impose conditions of accreditation or vary them; and
      • a decision under sub-ss 81(1), (2), (3) or (4) to suspend or cancel an entity’s accreditation.
    • Review by the ART (s 122) — Applications may be made to the Administrative Review Tribunal to review a reviewable decision if the decision was made personally by the Commissioner, the decision was made personally by the Minister, or the decision has been affirmed or varied on reconsideration.
  • Part 6.3 — Extension of Authorisations and Attribution of Conduct (ss 123–125B):
    • Designated Individuals (s 123) — This section specifies the individuals who are designated individuals for entities, including an authorised officer, a statutory officeholder, an APS employee, and an individual who is party to an approved contract.
    • Extension of Authorisations (s 124) — An authorisation in Chapter 2 for an entity also authorises a designated individual for the entity to engage in conduct if the conduct is within the actual scope of the individual’s designation.
    • Attribution of Conduct (ss 125A–125B) — In determining whether an entity has contravened a civil penalty provision (s 125A) or committed an offence (s 125B), the entity is taken to have engaged in any conduct engaged in by a designated individual for the entity if the conduct is within the actual or apparent scope of the individual’s designation.
  • Part 6.4 — Data Sharing Scheme Instruments (ss 126–134):
    • Data Codes (s 126) — The Commissioner may, by legislative instrument, make codes of practice about the data sharing scheme. A data code may set out how provisions are to be applied or complied with, or impose additional requirements that are not contrary to Chapters 2 and 3.
    • Guidelines (s 127) — The Commissioner may, by legislative instrument, make written guidelines in relation to matters for which the Commissioner has functions. Data scheme entities must have regard to the guidelines (see s 27).
    • Registers (ss 128–130) — The Commissioner must maintain a register of ADSPs (s 128), accredited users (s 129), and data sharing agreements (s 130). Each register must include a publicly accessible part.
  • Part 6.5 — Other Matters (ss 135–143):
    • Sunset of the Data Sharing Scheme (s 143) — the Act ceases to have effect at the end of the day (the sunset day) that is the fifth anniversary of the commencement of this section.

Interaction Notes

  • Privacy Act 1988 (Cth) — The DAT Act is designed to operate harmoniously with the Privacy Act. The Explanatory Memorandum for the Data Availability and Transparency Bill 2022 (Cth) makes clear that the authorisations to share data under the DAT Act must always remain consistent with privacy obligations, and that the override clause in s 23 is not intended to displace fundamental privacy protections. Rather, it permits data sharing only to the extent necessary to achieve the Act’s purposes, while the Australian Privacy Principles continue to govern the handling of personal information.
  • The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) — The SOCI Act designates data storage or processing (DSoP) assets as a category of critical infrastructure, bringing them within the Act’s broader national-security and resilience framework. Entities responsible for such assets must comply with risk-management obligations that require the identification, assessment and mitigation of material risks to their operation. In practice, this framework has important implications for cloud and software-as-a-service (SaaS) environments, where control and ownership of infrastructure are often distributed across multiple providers. These arrangements raise complex questions of supply-chain accountability and, in some cases, the potential for Systems of National Significance (SoNS) declarations. The extent of these obligations depends on how particular data assets are defined and regulated within the SOCI Act and its accompanying rules.
  • Consumer Law (Competition and Consumer Act 2010 (Cth) (Competition and Consumer Act)): The Consumer Data Right, established under Part IVD of the Competition and Consumer Act, gives consumers and small businesses the right to access and share their data held by service providers in designated sectors. By authorising accredited third parties to receive this information, the CDR seeks to enhance competition, promote innovation and empower consumers with more control over their data. The CDR governs the portability of private-sector consumer data, whereas the DAT Act regulates the sharing of Commonwealth public-sector data for policy, research and service delivery purposes. For more on the CDR, see the Consumer Rights page.

Statutory Review of the Data Availability and Transparency Act (2025)

The review commenced 20 March 2025 (s 142), to be completed within 12 months; it specifically asks whether the Act should remain in force past the 1 April 2027 sunset (s 143) and how it compares with other mechanisms.

The draft findings of the 2025 statutory review describe the DAT Act as having fallen short of its intended objectives. Uptake of the Scheme has been minimal and largely confined to a small number of projects associated with the National Disability Data Asset (NDDA). The review observes that the legislation’s complexity and prescriptiveness, combined with uncertainty about whether it is intended as a “last-resort secrecy override” or a comprehensive data-sharing framework, have significantly constrained participation. In practice, the voluntary nature of the Scheme means that data custodians may decline requests without consequence, leaving accredited users with no practical remedy.

The draft report therefore proposes a substantial redesign. It recommends that the DAT Act be transformed into a more facilitative, outcomes-focused and principles-based framework—one that simplifies the authorising provisions while maintaining essential safeguards. Among the proposed reforms are recalibrating the accreditation system to reduce administrative burden, refining the scope of authorised purposes, clarifying the functions of the National Data Commissioner, and strengthening recognition of First Nations and state and territory participation in national data governance.

Regulatory and Policy Framework

Relevant Organisations

  • Office of the National Data Commissioner (ONDC) — established under Part 4.2 (ss 41–60) of the DAT Act, the ONDC administers and regulates the DATA Scheme, accredits users and data service providers, maintains the public register of data-sharing agreements, and oversees compliance and enforcement.
  • National Data Advisory Council — created by s 61 of the DAT Act, the Council advises the Commissioner on ethics, privacy, and technical standards relating to public-sector data sharing.
  • Cyber and Infrastructure Security Centre (Department of Home Affairs) — oversees critical-infrastructure risk management under the SOCI Act, which interacts with data storage and processing obligations introduced by the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (ERP Act).
  • Trusted Information Sharing Network (TISN) – Data Sector Group — coordinates engagement between government and industry on data resilience and risk management within Australia’s critical-infrastructure framework.

Implementation and Agency Guidance

  • Office of the National Data Commissioner, ‘About Dataplace’ (Web Page, 20 May 2025).
  • Australian Bureau of Statistics, ‘Requesting ABS Data under the Data Availability and Transparency Act (DATA) Scheme’ (Web Page, 2025).
  • Australian Taxation Office, ‘Requesting ATO Data under the DATA Scheme’ (Web Page, 6 February 2024).

Inquiries and Consultations

Industry Materials


