Data is any information in a form capable of being communicated, analysed or processed (whether by an individual, a computer or other automated means). Data becomes valuable when it is processed and analysed to extract meaning, leading to insights, decisions or predictions. Governance of Data considers structured data that is measurable, such as a set of observations organised into a table, spreadsheet or database — in contrast to unstructured data that cannot be easily measured, such as records of meeting minutes.

Data is a valuable asset of every Commonwealth entity, as it underpins informed decision making, efficient and effective business operations and public accountability. This means entities should invest in its governance, quality, security and ethical use to ensure data is trusted, protected and used to drive measurable results and outcomes for citizens.

Effective governance of data is critical to realising and maximising the economic, social and environmental benefits of data. This includes securely, safely, lawfully and ethically sharing data with other public sector jurisdictions, in accordance with the Intergovernmental Agreement on data sharing between Commonwealth and State and Territory governments. Good data governance is also necessary to meet legislative obligations and policy.

Through its audit work, the ANAO has observed good practices and fundamental deficiencies in the governance of data across multiple entities. Governance deficiencies have resulted in weaknesses to data integrity (reliability and verifiability), which impacts business processes and can result in reduced capability to make informed decisions, meet reporting requirements and achieve business objectives. Good data governance is essential in analytics, artificial intelligence (AI) and machine learning , to ensure ethical use of data, including avoiding bias in AI models.

Commonwealth legislation and policy on data governance

Key legislation and policy relevant to data governance

Also relevant are the:

• Archives Act 1983, which makes National Archives of Australia responsible for identifying the archival resources of the Commonwealth (that is, Commonwealth information of enduring value), and preserving and making publicly available the archival resources of the Commonwealth;
• National Archives of Australia’s Building trust in the public record policy, which identifies key requirements for managing Australian Government information assets, including records, information and data; and supports improvement in performance management of public sector data and the use and reuse of data;
• the Department of Finance’s Data Ethics Framework, which provides Australian Public Service (APS) guidance on ethical use of public data and analytics;
• the Australian Public Service Commission’s APS Data Capability Framework, which outlines 26 data-specific capability areas associated with working with data in the APS; and
• the Digital Transformation Agency’s Framework for the Governance of Indigenous Data, which aims to provide Aboriginal and Torres Strait Islander people greater agency over how their data is governed within the APS so government-held data better reflects their priorities and aspirations.

Whole-of-government data strategy

Launched in December 2023, the Australian Government’s Data and Digital Government Strategy (the Strategy) aims to provide a blueprint for the use and management of data and digital technologies by the APS through to 2030. The Strategy recognises data as a valuable national asset in realising Australia’s economic and social objectives, and in improving the evidence-base for government policy decisions, with a goal of better outcomes for all people and business.

To support implementation of the Strategy, and to help entities self-assess their data maturity over time, the Department of Finance developed the Data Maturity Assessment Tool (DMAT). The self-assessment enables entities to:

• track their data maturity progress over time;
• identify data management strengths and weaknesses; and
• improve their ability to meet reporting obligations for promoting accountability and public trust.

ANAO findings and observations on the governance of data

Performance statements audit

The ANAO provides independent assurance to the Parliament that an entity’s annual performance statements meet the relevant requirements of the Public Governance, Performance and Accountability (PGPA) Act 2013 (PGPA Act) and PGPA Rule. An object of the PGPA Act is to require Commonwealth entities to provide meaningful performance information to the Parliament and the public. Performance statements audits contribute to this objective. Meaningful performance information is based on relevant, reliable, accurate and timely data. It supports evidence-based policy and an entity’s strategic planning, budgeting, monitoring and evaluation processes. Meaningful performance information demonstrates transparency and accountability in an entity’s effective stewardship of public resources, contributing to public trust and confidence in government.

Performance Statements Auditing in the Commonwealth — Outcomes from the 2023–24 Audit Program presented assessment of the performance reporting maturity of 14 Australian Government entities. Performance reporting maturity was assessed across five categories, including ‘data and systems’, on a scale from zero to five, with five indicating an advanced level of maturity. The average maturity rating for the 14 entities was 2.6 (Baseline) with only one entity assessed as ‘Advanced’ — the Treasury.

Data and systems maturity across 14 audited entities, 2023−24

Most of the 14 entities required significant progress on data governance and assurance in the context of performance reporting.

The report identified ‘data’ as one of five themes that emerged from examination of significant and moderate findings.

Findings of the 2023–24 performance statements audit report

Data deficiencies were due to:

• inadequate assurance over data extraction and reporting;
• a lack of controls over how data was managed across the data lifecycle, from data collection through to reporting;
• weak assurance over the accuracy and reliability of data generated and reported by third parties; and
• insufficient documentation, including on data ownership, and on the reliability and verifiability of data and methodologies supporting performance measures.

Entities with data deficiencies tended to exhibit more than one type of weakness in data governance practices.

Performance audit

Performance audits provide independent assurance to the Parliament of the operational performance of entities across the public sector. Between 2019–20 and 2023–24, the ANAO made 857 recommendations in performance audit reports. Of these, 57 (7 per cent) related to the governance of data, including to address weaknesses in data processes and frameworks.

Data governance recommendations in performance audits, 2019–20 to 2023–24

Financial statements audit

The ANAO audits annual financial statements to provide the Parliament with independent assurance of the financial performance and position of all Australian Government entities.

Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2024 noted:

• IT control weaknesses increased risks of unauthorised access to systems and data, or data leakage;
• challenges with assurance over third-party data, especially in relation to cloud computing arrangements (see Case study 7); and
• increased use of AI across the public sector, from 27 entities in 2022–23 to 56 in 2023–24.

Observations on AI use from the 2023–24 financial statements audits

Governance of Data sets out five lessons aimed at improving data governance practices as part of a broader information management framework in Australian Government entities. These lessons are based on insights drawn from recent ANAO audits and are intended to help entities to realise the benefits of good data governance.

• Lesson 1: Value data as an asset
• Lesson 2: Develop an information governance framework and data strategy
• Lesson 3: Establish data leadership and define roles and responsibilities
• Lesson 4: Document data methodology with data processes mapped end-to-end
• Lesson 5: Strengthen assurance over third-party data

The further reading section provides links to relevant ANAO, Department of Finance and other resources, and additional Insights products.

Lesson 1: Value data as an asset

In a culture where data is valued as an asset:

• there are clear data governance frameworks, policies and strategies, which are aligned with the whole-of-government Data and Digital Government Strategy;
• there is leadership commitment, including a sole authority (such as a Chief Data Officer or equivalent data leadership role) responsible for all entity data, whose role includes fostering a culture where data assets are valued — they may work with a team with defined data roles and responsibilities to oversee data governance and practice;
• there is an entity culture that values curiosity, evidence and continuous learning from data;
• the data that is required to achieve business objectives is considered from the outset;
• data is collected and used with a purpose, such as for evidence-based policy, and to evaluate and measure performance;
• instead of selecting and designing systems around existing data that is not actually fit for purpose, systems are selected and designed based on required data outputs;
• there is clear methodology documentation (such as standard operating procedures and workflows) that enables users to easily locate and understand required data at any point in a process;
• appropriate controls are in place to assure the integrity of data, such as regular data checks and sign off by senior staff certifying data quality and integrity;
• emerging technologies are used responsibly to improve service delivery and performance;
• staff data capability is uplifted through learning and development programs; and
• data maturity is assessed regularly.

Data maturity assessments support entities in treating their data as an asset. The Data Maturity Assessment Tool developed by the Department of Finance to helps entities periodically measure their data maturity and capability across seven focus areas:

• Strategy and Governance;
• Architecture;
• Operations;
• Risk;
• Quality;
• Reference and Metadata; and
• Integration and Analytics.

Lesson 2: Develop an information governance framework and data strategy

An information governance framework may set out:

• drivers for data requirements, such as legislation, risk and business needs;
• the environment within which data is created and/or captured, collected and managed;
• the principles that guide data design, capture, management and use in the entity;
• roles and responsibilities, including leadership, as they relate to data;
• consistent use of terminology and nomenclature across systems within the organisation and with other entities;
• controls to protect against risks to data and to preserve the integrity of data (this includes IT controls to, for example, restrict access to entity data );
• ethical considerations embedded into data and AI policies;
• senior management commitment to uphold data governance; and
• actions the organisation will take to embed information governance into its culture, such as training and guidance for staff.

With regard to implementing the information management framework, relevant procedures and policies, including an entity’s information management policy, should be developed or updated to align with the framework.

A data strategy is designed to provide a clear entity-wide approach to managing, governing and leveraging data as a strategic asset. It is typically more specific than an information governance framework, setting out a detailed plan for capturing, managing, using, storing and protecting data to achieve required objectives, improve decision-making and drive innovation. A data strategy should identify what data is required, what data will be collected, how the data will be used, risks to effective data management and measures of success.

For further guidance on establishing data governance and an enterprise-wide data strategy, entities can refer to the Office of the National Data Commissioner’s Foundational Four.

AI should be integrated into an entity’s information governance framework and data strategy to ensure that AI-driven decisions, models, and technologies are used responsibly, securely, and in alignment with business objectives. Entities that use or are planning to use AI in their business should:

• specifically address the management of data used for AI in their information governance framework, including monitoring and validation of data that will be input into and generated by an AI technology;
• regularly review their information governance framework and monitor risks on an ongoing basis because of the evolving nature of AI; and
• ensure that they meet the requirements of the Policy for the responsible use of AI in government (provided that they are not exempted from applying the policy).

Key resources on integrating AI use into data governance

Note a: Information Management Standard for Australian Government.

Lesson 3: Establish data leadership and define roles and responsibilities

Five of the six principles outlined in the Department of Finance’s SES Accountabilities for Data guidance refer to data roles and responsibilities.

Principles to strengthen SES accountabilities for data

By following the six principles, entities can increase and maintain consistency of data governance practices and quality within the organisation as well as across the APS. A Chief Data Officer or equivalent is typically accountable for enterprise-wide governance and use of data as a valuable and well-governed asset across the entity, and building entity data capabilities (see also the Chief Data Officer Information Pack). SES staff more generally should be accountable for proper use of government data within their areas of business responsibility, in accordance with the entity’s information governance framework, and for supporting efforts to build the entity’s data capabilities.

To further support accountability and transparency of decision-making, the Chief Data Officer or equivalent should consider establishing a data team with defined member roles and responsibilities, such as:

• a data champion — promotes best practice use, sharing and re-use of data throughout the organisation and across the APS;
• data custodians — responsible for the integrity, availability and use of specific data assets;
• senior data stewards — responsible for daily management of specific data assets, including quality and access; and
• data analysts — responsible for ensuring that they access and use data appropriately.

Lesson 4: Document data methodology with data processes mapped end-to-end

Entities can realise the benefits of good data governance by requiring clear documentation that specifies:

• data ownership and stewardship — information on individual and team roles and responsibilities for specific datasets and processes;
• data classification and categorisation — define the different types of data and how it is classified to make it discoverable and useful;
• data sources and systems — reliable and verifiable data sources and data systems;
• end-to-end processes — mapping the flow of data from start to finish ensures that data remains consistent and accurate across platforms and systems and enables data teams to promptly locate required data at any point in time and assist stakeholders in tracking progress toward achievement of business objectives;
• data lifecycle management — data processes and standards for data collection, retention and disposal. Entities may refer to the Data Maturity Assessment Tool or the Data Lifecycle View outlined in the APS Data Capability Framework to identify areas for improvement to their data lifecycle management practices;
• quality standards and assurance processes — confirm that underlying data is relevant, complete and accurate; and
• auditing and monitoring practices — data can be formatted and organised to enable audit and assurance of that data, and to support change management procedures (such as changes to data access and modifications to data).

Data documentation should be clear and sufficiently detailed to support business continuity, mitigating risks such as loss of knowledge through staffing or machinery of government changes. Where entities need to work together with data to achieve a common purpose, data documentation helps entities collaborate effectively.

Lesson 5: Strengthen assurance over third-party data

The services of third-party data providers may be sought to address business needs, such as managing internal resource constraints and capability gaps. For example, an entity with limited resources may not be able to collect and analyse large amounts of data within a short timeframe. It may opt to use and analyse data collected by others, or outsource data collection and analysis to a third-party provider.

Outsourcing may introduce heightened risks, for example, to data integrity, security, privacy and regulatory non-compliance. Data risks may be identified, mitigated and addressed by implementing controls as part of a broader risk management strategy. Controls should be fit for purpose, with reporting obligations usually specified as part of a formal arrangement, such as the entity’s contract or grants management arrangements. Controls to ensure delivery of agreed programs and services include:

• conducting regular due diligence, such as provider risk assessments and audits to help ensure third parties adhere to required practices;
• integrating third-party data into existing data governance frameworks (e.g. validation checks, access controls and monitoring) to help reinforce trust and ensure that data remains fit for purpose throughout its lifecycle; and
• obtaining control reports on the effectiveness of third-party systems, including their reliability and data security measures.

IT security controls are a key issue, especially with regard to entities that outsource software, hardware or infrastructure services under a cloud computing arrangement (CCA). During 2023–24, 89 per cent of Australian Government entities that the ANAO audited used one or more CCAs. Under CCAs:

• third-party cloud providers may supply a Service Organisation Controls (SOC) certificate to confirm that IT security controls were designed, implemented and operating effectively; and
• entities retain accountability and responsibility for ensuring that contracted IT services meet legislative and policy requirements, including the Protective Security Policy Framework and the Australian Government Information Security Manual.

Accordingly, receipt and review of a SOC certificate provides assurance over the implementation, design and operating effectiveness of controls included in contracts, including data security, privacy, process integrity and availability. Contrary to this assurance process, the ANAO’s 2023–24 financial statements audit work found that:

• 75 per cent of Australian Government entities did not receive a SOC certificate for all CCA services provided; and
• 82 per cent did not have a policy or procedure requiring formal review and consideration of a SOC certificate.

ANAO links

• 2023–24 Major Projects Report | Australian National Audit Office (ANAO)
• Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2024 | Australian National Audit Office (ANAO)
• Governance of Artificial Intelligence at the Australian Taxation Office | Australian National Audit Office (ANAO)
• Performance Audit Process | Australian National Audit Office (ANAO)
• Performance Statements Auditing in the Commonwealth — Outcomes from the 2023–24 Audit Program | Australian National Audit Office (ANAO)
• Reporting Meaningful Performance Information | Australian National Audit Office (ANAO)

External links

Key legislation and policy

• Privacy Act 1988 - Federal Register of Legislation
• Data Availability and Transparency Act 2022 - Federal Register of Legislation
• Freedom of Information Act 1982
• Protective Security Policy Framework

Other

• AI in government policy | digital.gov.au
• APS Data Capability Framework | Australian Public Service Commission
• Building trust in the public record | naa.gov.au
• Chief Data Officer Information Pack | Department of Finance
• Data and Digital Government Strategy
• Data Ethics Framework | Department of Finance
• Data governance and management | naa.gov.au
• Data Maturity Assessment Tool | Department of Finance
• Framework for the Governance of Indigenous Data | aga
• Foundational Four | Office of the National Data Commissioner
• Information management | Department of Finance
• Information management for records created using Artificial Intelligence (AI) technologies | naa.gov.au
• Information management legislation | naa.gov.au
• Information Management Standard for Australian Government | naa.gov.au
• National framework for the assurance of artificial intelligence in government | Department of Finance
• SES Accountabilities for Data | Department of Finance
• Voluntary AI Safety Standard | Department of Industry Science and Resources