Data custodians

The key roles and responsibilities for data custodians under the Commonwealth arrangements concern the access and use of Commonwealth datasets in statistical data integration projects, as well as the design and management of administrative data holdings to support wider statistical and research use.

Data custodians are ultimately responsible for the approval of project proposals, in whole or in part. Commonwealth administrative data cannot be used for statistical or research purposes if this contravenes legislation or any commitment made to data providers regarding the purpose for which their data may be used.

The data custodian is the agency that is the responsible agency in terms of the relevant legislation and who will approve the project proposal. However, the data custodian may work with other agencies that may provide advice or take an active role in the data integration process on behalf of the data custodian (their authorised representatives). The ‘authorised representative’ will only undertake a role where mutually agreed between custodian and authorised representative and/or where the role is specified in a Bilateral Management Agreement. For example, a data custodian may have a formal agreement with another agency or organisation to hold and manage the data.

Data custodians (and/or their authorised representatives) collaborate with integrating authorities to achieve an appropriate balance between:

  • maximising the inherent value of Commonwealth data sources;
  • minimising privacy concerns associated with the use of data; and
  • facilitating the use of this data within privacy and legislative requirements.

For more information on what a data custodian should consider when undertaking a data integration project involving Commonwealth data, see A checklist for data custodians.

Data custodians have the following roles in managing their datasets for data integration:

Role 1 • Maximise the value of data holdings

Principle 1  of the High Level Principles for Data Integration Involving Commonwealth data for Statistical and Research Purposes (the High Level Principles) encourages agencies to treat data as a strategic resource and notes that agencies should consider the broader value of information contained in administrative data when designing and managing administrative datasets. This includes the public benefit which can be derived from integrating data from different sources to provide new, enhanced datasets for statistical and research purposes.

Data integration projects involving Commonwealth data can be particularly useful for informing whole of government policy perspectives and minimising respondent burden around new data collections by making the best possible use of existing data. Data custodians assist in this by:

  • providing metadata (information about the data) to assist the integrating authority and data users to understand the source data including concepts, classifications, scope and coverage, sources of error and areas where careful interpretations is required, and
  • assuring the data quality of the source data or otherwise providing advice to users on the quality of the data and any known deficiencies.
  • Assessing the public benefit likely to be derived from statistical and research proposals as a key consideration when evaluating these proposals. Principle 4  of the High Level Principles requires that statistical integration should only occur where it provides significant overall benefit to the public. The potential public benefit must outweigh the privacy imposition and risks to confidentiality involved in the integration project (see Role 2), taking into consideration the likely public perception of the risks and benefits.

Role 2 • Assess project risk

A key role of data custodians is to determine the level of risk for a data integration project and to specify strategies to mitigate that risk. Data custodians assess the risk of a project by using the risk framework. This may involve consultation with other custodians and an integrating authority, where appropriate. Data custodians responsible for source data used in statistical data integration remain individually accountable for the security and confidentiality of their data (Principle 2 of the High Level Principles).

Data custodians may want to consider whether further assessment of the public perception in relation to the project is required before approving a project. Transparent processes and community engagement will help ensure the public are aware of how Commonwealth government data is being used for statistical and research purposes to provide overall benefits to the community.

Risk is assessed by the data custodians prior to giving in principle approval for a project to proceed. Based on this assessment, together with consideration of the public benefit and legislative requirements (see below), data custodians will be in a position to appoint an integrating authority for the project. If the project is assessed as high risk, then an accredited Integrating Authority will need to be appointed to comply with the High Level Principles.

Data custodians are responsible for approving the use of their data in any integration project, in whole or in part. They must be satisfied that the integrating authority has the capacity to manage the associated risks appropriately and in line with their legislative and policy obligations before releasing source data.

Role 3 • Comply with policy and legislation

Data custodians should ensure data integration projects address all legislative and ethical obligations that are associated with their datasets before agreeing to release data. Obligations governing disclosure of information about individuals are set out in the Privacy Act 1988. In addition, most Commonwealth agencies that collect information from individuals or organisations have specific legislation which controls access to that data and prescribes penalties for unauthorised use or disclosure. While these obligations will vary, across both datasets and data custodians, there are two broad areas to consider in the context of a data integration project:

  • authorisation to release identifiable data - data custodians must determine whether they are authorised by their legislation, or by the informed consent of the data providers, to provide identifiable information to the integrating authority for the purpose of the specified project.
  • protections prohibiting the release of identifiable data - integrating authorities undertaking data integration projects involving Commonwealth data must have appropriate legal and/or policy protections in place to prohibit the disclosure of identifiable data, other than where allowed by law.

Role 4 • Ensure safe storage of unit record data

In the context of a data integration project, data custodians should ensure that the integrating authority is able to provide safe storage of unit record data in accordance with data custodians’ requirements and data storage policies. See Data Security for further information.

Role 5 • Safely transmit unit record data

Data custodians need to ensure the safe transmission of data to integrating authorities, consistent with Australian Privacy Principles and the Australian Government Protective Security Policy Framework.

See Data Security for further information.

Role 6 • Enter project agreements

Before providing their data for use in a data integration project, data custodians must give final approval for a project to proceed which is signified by entering into formal project agreements with the nominated integrating authority. This agreement may take the form of a contract, Memorandum of Understanding or other arrangement as appropriate for the parties concerned.

The agreement between the data custodian(s) and the integrating authority provides a mechanism for the data custodians to exercise their accountability for the security and confidentiality of the source data. Agreements should therefore include conditions relating to data security obligations, privacy and confidentiality requirements, data access provisions to be passed on to the data users and potential sanctions which may apply to misuse of the data.

For more information about entering into project agreements see:

The conditions specified in the project agreement will be determined in collaboration with the integrating authority in the course of finalising the project details, prior to giving final approval for the project to proceed.

For roles and responsibilities of key players in a data integration project see: