(Un)Harnessing AI

The interim report by the Productivity Commission on Harnessing Data and Digital Technology - consistent with the national government's enthusiasm for AI - can be read as proposing a looser regulatory framework. 

The report states 

Data and digital technologies are the modern engines of economic growth. Emerging technologies like artificial intelligence (AI), which can extract useful insights from massive datasets in a fraction of a second, could transform the global economy and speed up productivity growth. 

 

Australia needs to harness the consumer and productivity benefits of data and digital technology while managing and mitigating the downside risks. There is a role for government in setting the rules of the game to foster innovation and ensure that Australians reap the benefits of the data and digital opportunity. 

 

The economic potential of AI is clear, and we are still in the early stages of its development and adoption. Early studies provide a broad range of estimates for the impact of AI on productivity. The Productivity Commission considers that multifactor productivity gains above 2.3% are likely over the next decade, though there is considerable uncertainty. This would translate into about 4.3% labour productivity growth over the same period. But poorly designed regulation could stifle the adoption and development of AI and limit its benefits. Australian governments should take an outcomes based approach to AI regulation – one that uses our existing laws and regulatory structures to minimise harms and introduces technology specific regulations as a last resort. 

 

Data access and use can fuel productivity growth: insights from data can help reduce costs, increase the quality of products and services and lead to the creation of entirely new products. But some requirements in the Privacy Act, the main piece of legislation for protecting privacy, are constraining innovation without providing meaningful protection to individuals. For example, complying with the controls and processes baked into the Act can make consent and notification a ‘tick box’ exercise – where businesses comply with the letter of the law but not the spirit of it. The Australian Government should amend the Privacy Act to introduce an alternative compliance pathway that enables firms to fulfil their privacy obligations by meeting outcomes based criteria. 

 

Data about individuals and businesses underpins growth and value in the digital economy. But often those same individuals and businesses cannot easily access and use this data themselves. Under the right conditions, giving people and businesses better access to data that relates to them can stimulate competition and allow businesses to develop innovative products and services. A mature data sharing regime could add up to $10 billion to Australia’s annual economic output. 

 

Experience shows that we need a flexible approach to facilitating data access across the economy, where obligations placed on data holders and the level of government involvement can match the needs and digital maturity of different sectors. New lower cost and flexible regulatory pathways would help to guide expanded data access throughout the digital economy, focusing first on sectors where the gains can be significant and relatively easy to achieve. 

 

Financial reports provide essential information about a company’s financial performance, ensuring transparency and accountability while informing the decisions of investors, businesses and regulators. Government can further spark productivity by making digital financial reporting the default – that is, mandatory lodgement of financial reports in machine readable form. At the same time, the Australian Government should remove the outdated requirement that financial reports be submitted in hard copy or PDF format. This change would increase the efficiency and accuracy with which information is extracted and analysed.

The  draft recommendations are

 Artificial intelligence 

Draft recommendation 1.1 Productivity growth from AI will be built on existing legal foundations. 

Gap analyses of current rules need to be expanded and completed. Australian governments play a key role in promoting investment in digital technology, including AI, by providing a stable regulatory environment. Any regulatory responses to potential harms from using AI must be proportionate, risk based, outcomes based and technology neutral where possible. 

The Australian Government should continue, complete, publish and act on ongoing reviews into the potential gaps in the regulatory framework posed by AI as soon as possible. 

Where relevant gap analyses have not begun, they should begin immediately. 

All reviews of the regulatory gaps posed by AI should consider: • the uses of AI • the additional risk of harm posed by AI (compared to the status quo) in a specific use case • whether existing regulatory frameworks cover these risks potentially with improved guidance and enforcement; and if not how to modify existing regulatory frameworks to mitigate the additional risks. 

Draft recommendation 1.2 AI specific regulation should be a last resort 

AI specific regulations should only be considered as a last resort for the use cases of AI that meet two criteria. These are: • where existing regulatory frameworks cannot be sufficiently adapted to handle the issue • where technology neutral regulations are not feasible.   

Draft recommendation 1.3 Pause steps to implement mandatory guardrails for high risk AI 

The Australian Government should only apply the proposed ‘mandatory guardrails for high risk AI’ in circumstances that lead to harms that cannot be mitigated by existing regulatory frameworks and where new technology neutral regulation is not possible. Until the reviews of the gaps posed by AI to existing regulatory structures are completed, steps to mandate the guardrails should be paused. 

Data access 

Draft recommendation 2.1 Establish lower cost and more flexible regulatory pathways to expand basic data access for individuals and businesses 

The Australian Government should support new pathways to allow individuals and businesses to access and share data that relates to them. These regulatory pathways will differ by sector recognising that the benefits (and the implementation costs) from data access and sharing are different by sector. This could include approaches such as: • industry led data access codes that support basic use cases by enabling consumers to export relatively non sensitive data on a periodic (snapshot) basis • standardised data transfers with government helping to formalise minimum technical standards to support use cases requiring high frequency data transfers and interoperability. 

These pathways should be developed alongside efforts that are already underway to improve the Consumer Data Right (which will continue to provide for use cases that warrant its additional safeguards and technical infrastructure) and the My Health Record system. 

The new pathways should begin in sectors where better data access could generate large benefits for relatively low cost; and there is clear value to consumers. Potential examples include: • enabling farmers to combine real time data feeds from their machinery and equipment to optimise their operations and easily switch between different manufacturers • giving tenants on demand access to their rental ledgers which they can share to prove on‑time payments to new landlords or lenders • allowing retail loyalty card holders to export an itemised copy of their purchase history to budgeting and price comparison tools that can analyse spending and suggest cheaper alternatives. The scope of the data access pathways should expand over time based on industry and consumer consultation, where new technology, overseas experience or domestic developments show that there are clear net benefits to Australia.   

Privacy regulation 

Draft recommendation 3.1 An alternative compliance pathway for privacy 

The Australian Government should amend the Privacy Act 1988 (Cth) to provide an alternative compliance pathway that enables regulated entities to fulfil their privacy obligations by meeting criteria that are targeted at outcomes, rather than controls based rules. 

Draft recommendation 3.2 Do not implement a right to erasure 

The Australian Government should not amend the Privacy Act 1988 (Cth) to introduce a ‘right to erasure’, as this would impose a high compliance burden on regulated entities, with uncertain privacy benefits for individuals. 

Digital financial reporting 

Draft recommendation 4.1 Make digital financial reporting the default 

The Australian Government should make the necessary amendments to the Corporations Act 2001 (Cth) and the Corporations Regulations 2001 (Cth) to make digital financial reporting mandatory for disclosing entities. The requirement for financial reports to be submitted in hard copy or PDF format should also be removed for those entities.

It goes on

AI specific regulation should be a last resort 

AI specific regulations should only be considered as a last resort for the use cases of AI that meet two criteria. These are: • where existing regulatory frameworks cannot be sufficiently adapted to handle the issue • where technology neutral regulations are not feasible. 

Economy wide efforts to regulate AI should be paused until all gap analyses are complete and implemented 

In August 2024 Australian Government Department of Industry, Science and Resources released a set of 10 voluntary AI safety standards, or guardrails, based on risk management standards such as ISO/IEC 42001:2023 (Information technology – Artificial intelligence – Management system) and the National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework (AI RMF 1.0) (DISR 2024b, p. 5). The guardrails cover aspects of AI development and application. They require several risk-management processes. These include testing of models, developing a risk plan and providing transparency to users of AI tools and owners of copyrighted materials used in the training of models. The guardrails outline reasonable risk-management practices for many organisations. In this way they have served a very important and useful step in AI governance in Australia by equipping businesses with voluntary, structured and internationally recognised standards to support and guide their adoption of AI. 

The guidelines are very useful for smaller businesses without comprehensive risk-management procedures in place. Indeed, submissions from participants to this inquiry (and submissions to the mandatory guardrails – discussed below – consultation process ) showed that many larger organisations have implemented risk management protocols that are similar in spirit to these guardrails. 

Mandating the guardrails is not necessary 

In September 2024 (DISR 2024a) a proposals paper for a set of mandatory guardrails for AI in high risk settings was released by the Australian Government. The proposal is to turn the voluntary guidelines into mandatory regulations for AI development and application. 

The PC is concerned with two aspects of the guardrails being made mandatory. First, the proposals paper argued that the mandatory guardrails would apply to all high risk uses of AI – regardless of whether risks can be better mitigated through outcomes based regulations. Second, the proposals paper argued that General Purpose AIs – which would include many generative AI tools – above a certain threshold of capability be classified as high risk by default. The proposals paper did not argue for any particular measure or threshold for technical capability, though it could include aspects like FLOPS (DISR 2024a, p. 18). It was argued that these models can perform so many functions that their risks cannot be adequately foreseen. This could result in the guardrails being applied to common generative AI tools such as ChatGPT, Claude and Grok, depending on what is chosen as the threshold and measure of technical capability. 

In general, high risk uses of AI can be split into three broad types. 

1. High risk uses that can be adequately controlled by existing regulatory frameworks (potentially with some modification) – this could include issues with privacy law (which the PC thinks can be resolved within existing frameworks with modification to make the regulations more outcomes focused, chapter 2). 

2. High risk uses that can be adequately controlled with new technology neutral regulations – this could include (non consensual) sexually explicit deepfake images which the Australian Government has recently banned (through the Criminal Code Amendment (Deepfake Sexual Material) Act 2024). 

3. High risk use cases that require technology specific regulations – these would be use cases identified in the various gap analyses as having no technology neutral solution. 

The PC’s concern with the guardrails is that they would not distinguish between these categories. This in our view raises significant issues, as the first two cases can already, by definition, be dealt with adequately by other regulatory mechanisms. It might also result in most commercial chatbots being classified as high risk regardless of the efficacy of existing regulations. The result of this approach is that many AI models would be complying with two different sets of regulation to achieve the same outcome. 

For example, the TGA’s review noted that with respect to medical devices, all ten proposed guardrails had close parallels in existing regulations (2025, pp. 27–30). That is, it is likely that firms providing AI based medical devices in Australia would already be fulfilling the objectives of the guardrails if they are operating legally under the TGA’s existing regulations. But if the guardrails are mandated, then the provider of the medical device would need to demonstrate compliance with the TGA regulations and the guardrails, raising the regulatory burden with no change in outcomes. 

The mandating of the guardrails is only appropriate in circumstances where existing regulatory frameworks or new technology-neutral regulations are not able to adequately mitigate the risk of harm. Once the Australian Government has completed and acted on all gap analyses of its existing policy framework, it will know what regulatory holes cannot be plugged by existing frameworks or new technology neutral legislation. Consideration of economy wide efforts to mandate the guardrails should be paused until these gap analyses are complete. 

Pause steps to implement mandatory guardrails for high risk AI The Australian Government should only apply the proposed ‘mandatory guardrails for high risk AI’ in circumstances that lead to harms that cannot be mitigated by existing regulatory frameworks and where new technology neutral regulation is not possible. Until the reviews of the gaps posed by AI to existing regulatory structures are completed, steps to mandate the guardrails should be paused.

In dealing with copyright the PC states 

 Copyright violation is an example of a harm that AI could exacerbate by changing economic incentives. Previous waves of innovation in information and communication technology have made the sharing of copyrighted materials much cheaper and easier, creating challenges for copyright. In most instances, copyright law was able to be adapted (or better enforced) to mitigate the harm. This made it unnecessary to directly regulate technology by, for example, regulating computer software or hardware to prevent copyright breach. It is the PC’s view that the copyright issues posed by AI can also similarly be resolved through adapting existing copyright law frameworks rather than introducing AI specific regulation. 

What is copyright? 

Copyright law prohibits a person from using original works without the permission of the copyright holder – usually the author (AGD 2022a). The types of works that are protected include text, artistic works, music, computer code, sound recordings and films (ACC 2024a). It does not protect the underlying ideas or information (AGD 2022a). In some cases, data and datasets may be protected, ‘largely depend[ing] on how the data has been arranged, structured or presented’ (Allens 2020, p. 3).  

The rise of AI technology has led to new challenges for copyright law. 

The emergence of AI also raises some additional, principle based questions about how the copyright framework (as part of Australia’s broader intellectual property regime) works to benefit society by encouraging creation and innovation, rewarding intellectual effort and achievement, and supporting the dissemination of knowledge and ideas. (AGD 2023c, p. 12) 

In 2023, the Attorney General established the Copyright and Artificial Intelligence Reference Group, which acts as ‘a standing mechanism to engage with stakeholders across a wide range of sectors on issues at the intersection of AI and copyright’ (AGD 2023a). Since then, the group has met on several occasions to discuss issues relating to AI technology and copyright law (AGD 2023a). 

This section explores one issue particularly relevant to productivity: whether current Australian copyright law is a barrier to building and training AI models. There are other legal issues relating to the outputs of AI models that are less relevant to productivity – such as whether those outputs attract copyright protection and what happens when AI outputs infringe a third party’s copyright (Evans et al. 2024). 

Training AI models 

Building and refining AI models requires the use of large amounts of data. 

The term ‘AI model training’ refers to this process: feeding the algorithm data, examining the results, and tweaking the model output to increase accuracy and efficacy. To do this, algorithms need massive amounts of data that capture the full range of incoming data. (Chen 2023) The datasets used to train AI models often contain digital copies of media such as web pages, books, videos, images and music. These media are often the subject of copyright protection, which means that their use to train AI models requires permission from the copyright holder. 

Permission is required because AI models must ‘copy’ the protected material at least temporarily to undertake the training process. The use of copyrighted materials to train an AI model is a separate issue to the copyright status of anything the model produces. As discussed above, AI outputs may have their own copyright challenges. 

A survey of the Copyright and Artificial Intelligence Reference Group indicated that, in practice, a range of copyrighted materials are used to train AI models – including literary and artistic works, sound recordings, films and musical works (AGD 2024, p. 12). 

There is evidence to suggest that large AI models are already being trained on copyrighted materials without consent or compensation (APA and ASA, qr. 39, pp. 3–4; APDG, qr. 6, p. 4; APRA AMCOS, qr. 58, p. 4; ARIA and PPCA, qr. 65, p. 5, Creative Australia, qr. 62, p. 3). It should be noted that Australian copyright law only applies to copying that occurs within Australia’s boundaries – in other words, the training of AI models overseas is subject to the relevant laws of the jurisdiction in which it occurs. Lawsuits have been brought against technology companies – including Meta, Microsoft and OpenAI – in some overseas jurisdictions about the unlicensed use of copyrighted works to train AI models (Ryan 2023). 

There are concerns that the Australian copyright regime is not keeping pace with the rise of AI technology – whether because it does not adequately facilitate the use of copyrighted works or because AI developers can too easily sidestep existing licensing and enforcement mechanisms. There are several policy options, including: • no policy change – that is, copyright owners would continue to enforce their rights under the existing copyright framework, including through the court system • policy measures to better facilitate the licensing of copyrighted materials, such as through collecting societies • amending the Copyright Act to include a fair dealing exception that would cover text and data mining. 

The PC is seeking feedback on what reforms are needed to bring the copyright regime up to date. 

Is there a need to bolster the licensing or enforcement regime? 

Several participants expressed concern about the unauthorised use of copyrighted materials to train AI models. For example, Creative Australia said: Much of the data has been used reportedly without consent from the original creator, and without acknowledgement or remuneration. The global nature of the technology industry has made it difficult for the owners of creative work to enforce their intellectual property rights and be remunerated for the use of their work. (qr. 62, p. 3) 

There are two points at which concerns of this type could be addressed. First, they could be addressed before the fact, through copyright licensing. Licensing is the key mechanism through which a copyright holder grants permission for others to use their work and often involves some form of payment. In Australia, licensing is often done through collecting societies, which are organisations that represent copyright holders. This can streamline the licensing process, because the collecting society can negotiate licences on behalf of multiple copyright holders at once. As the Copyright Agency said: We can help these sectors use third party content for AI related activities. Our annual licence for businesses now allows staff to use news media content in prompts for AI tools (e.g. for summarisation or analysis). We are extending this to other third party content later in the year. We are also in discussions with our members and licensees about other collective licensing solutions, including the use of datasets for AI related activities. (qr. 7, pp. 2–3) 

The issue of unauthorised use of copyrighted materials could also be addressed after the fact, through enforcement. This encompasses a range of possible measures, including take down notices, alternative dispute resolution and court action. In 2022 23, the Attorney General’s Department undertook a Copyright Enforcement Review to assess ‘whether existing copyright enforcement mechanisms remain effective and proportionate’ (AGD 2022b). That review found that additional regulatory measures are needed to achieve an effective copyright enforcement regime, and work is currently underway to identify options for: • reducing barriers for Australians to use of the legal system to enforce copyright, including examining simple options to resolve ‘small value’ copyright infringements • improving understanding and awareness about copyright. (AGD 2023b) 

In light of this ongoing work, the issue of copyright enforcement is not in scope for this inquiry. 

Is there a case for a text and data mining exception? 

Another option is to expand the existing ‘fair dealing’ regime, which provides certain exceptions to the requirement to obtain permission from the copyright holder (box 1.6). Currently, there is no exception that covers AI model training per se (The University of Notre Dame Australia 2024). However, depending on the case, a different exception could apply. For example, AI models built as part of research could fall within the scope of the ‘research or study’ exception. 

Box 1.6 – What are fair dealing exceptions? 

Fair dealing exceptions allow for the use of copyright material without permission from the copyright owner, so long as it is used for one of several specified purposes and is considered fair. What are the specified purposes? The Copyright Act specifies several purposes where the exception may apply. These include: research or study, criticism or review, parody or satire, reporting news, and enabling a person with a disability to access the material (Copyright Act 1968 (Cth), Part III, Div 3; Part VIA, Div 2). 

What counts as ‘fair’? 

Fairness is determined with regard to all the relevant circumstances – that is, it depends on the facts. Some purposes have specified criteria that must be taken into account. For example, where the use is for research or study, the following considerations apply: • the purpose and character of the dealing • the nature of the work • whether the work can be obtained within a reasonable time at an ordinary commercial price • the effect of the dealing upon the potential market for, or value of, the work • how amount and substantiality of the work that was copied (Copyright Act 1968 (Cth), s 40(2)). 

The ‘fair use’ doctrine – an alternative approach 

Some overseas jurisdictions (notably the United States) take a ‘fair use’ approach to copyright exceptions. Under this doctrine, any types of use can be considered non infringing, provided that it is considered ‘fair’ – in other words, the use need not fall within one of several defined categories. Several reviews have recommended the adoption of the fair use doctrine in Australia (including by the Australian Law Reform Commission and the Productivity Commission), but this has not occurred. Source: ACC (2024b); ALRC (2013); Copyright Act 1968 (Cth); PC (2021, p. 187). 

In its report on Copyright and the Digital Economy, the Australian Law Reform Commission recommended amendments to enable text and data mining by adopting a fair use approach to copyright exceptions (box 1.6) – or, failing that, through a new fair dealing exception. It explained: There has been growing recognition that data and text mining should not be infringement because it is a ‘non expressive’ use. Non expressive use leans on the fundamental principle that copyright law protects the expression of ideas and information and not the information or data itself (2013, p. 261)  

The Australian Government has since indicated that it is not inclined to introduce a fair use regime (Australian Government 2017, p. 7). Therefore, the PC is considering whether there is a case for a new fair dealing exception that explicitly covers text and data mining (a ‘TDM exception’). TDM exceptions exist in several comparable overseas jurisdictions (box 1.7). 

Such an exception would cover not just AI model training, but all forms of analytical techniques that use machine read material to identify patterns, trends and other useful information. For example, the use of text and data mining techniques is common in research sectors to produce large datasets that can be interrogated through statistical analysis. 

Box 1.7 – Text and data mining around the world 

European Union: There are two text and data mining (TDM) exceptions embedded in the Digital Single Market Directive (EU 2019/790) – one for scientific research (article 3) and another for general use (article 4). The Artificial Intelligence Act (Regulation (EU) 2024/1689) specifically characterises the training of AI models as involving ‘text and data mining techniques’ (recital 105) and refers to the TDM exception (article 53). The recent case of Kneschke v. LAION [2024] endorsed the view that the TDM exception extends to cover AI training (Goldstein et al. 2024a, 2024b). 

United States: It has been argued that training AI models falls within the scope of the fair use doctrine (Khan 2024; Klosek and Blumenthal 2024). However, the case Thomson Reuters v. Ross [2023] 694 F.Supp.3d 467 highlights that whether AI training is covered by the doctrine depends on whether the fair use factors are met in the circumstances (ReedSmith 2025). 

United Kingdom: There is a TDM exception for that applies to non commercial research (UK Intellectual Property Office 2014). There have been proposals to expand the exception to cover all uses, though these are still under consideration (Pinsent Masons 2023; UK Government 2024). 

Japan: The Japanese Copyright Act includes broad statutory exemptions for TDM (article 30 4(ii)), provided the work is used for ‘non enjoyment’ purposes (Senftleben 2022, p. 1494). In essence, the requirement for ‘non enjoyment’ distinguishes between whether the work is being consumed as a work or as data, and is broadly equivalent to the distinction between expressive and non expressive uses. 

Singapore: The Singaporean Copyright Act includes a specific TDM exception, as well as a broader fair use exception (Ng-Loy 2024). 

To assist its consideration of this option, the PC is seeking feedback about the likely effects of a TDM exception on the AI market, the creative sector and productivity in general – particularly in light of the following considerations. • At present, large AI models (including generative AI and large language models) are generally available to be used in Australia. The introduction (or not) of a TDM exception is unlikely to affect whether AI models continue to be available and used in Australia (PC 2024c, p. 13). • At present, large AI models are trained overseas, not in Australia. It is unclear whether the introduction of a TDM exception would change this trend. • As discussed above, large AI models are already being trained on unlicensed copyrighted materials. • A TDM exception could make a difference to whether smaller, low compute models (such as task specific models) can be built and trained in Australia, such as by Australian research institutions, medical technology firms, and research service providers. It should also be noted that a TDM exception would not be a ‘blank cheque’ for all copyrighted materials to be used as inputs into all AI models. As discussed in box 1.4, the use must also be considered ‘fair’ in the circumstances – this requirement would act as a check on copyrighted works being used unfairly, preserving the integrity of the copyright holder’s legal and commercial interests in the work. There may be a need for legislative criteria or regulatory guidance about what types of uses are likely to be considered fair. 

Information request 1.1 

The PC is seeking feedback on the issue of copyrighted materials being used to train AI models. • Are reforms to the copyright regime (including licensing arrangements) required? If so, what are they and why? The PC is also seeking feedback on the proposal to amend the Copyright Act 1968 (Cth) to include a fair dealing exception for text and data mining. • How would an exception covering text and data mining affect the development and use of AI in Australia? What are the costs, benefits and risks of a text and data mining exception likely to be? • How should the exception be implemented in the Copyright Act – for example, should it be through a broad text and data mining exception or one that covers non commercial uses only? • Is there a need for legislative criteria or regulatory guidance to help provide clarity about what types of uses are fair?

ANAO data governance

The ANAO Governance of Data report states 

Data is any information in a form capable of being communicated, analysed or processed (whether by an individual, a computer or other automated means). Data becomes valuable when it is processed and analysed to extract meaning, leading to insights, decisions or predictions. Governance of Data considers structured data that is measurable, such as a set of observations organised into a table, spreadsheet or database — in contrast to unstructured data that cannot be easily measured, such as records of meeting minutes. 

Data is a valuable asset of every Commonwealth entity, as it underpins informed decision making, efficient and effective business operations and public accountability. This means entities should invest in its governance, quality, security and ethical use to ensure data is trusted, protected and used to drive measurable results and outcomes for citizens. 

Effective governance of data is critical to realising and maximising the economic, social and environmental benefits of data. This includes securely, safely, lawfully and ethically sharing data with other public sector jurisdictions, in accordance with the Intergovernmental Agreement on data sharing between Commonwealth and State and Territory governments. Good data governance is also necessary to meet legislative obligations and policy. 

Through its audit work, the ANAO has observed good practices and fundamental deficiencies in the governance of data across multiple entities. Governance deficiencies have resulted in weaknesses to data integrity (reliability and verifiability), which impacts business processes and can result in reduced capability to make informed decisions, meet reporting requirements and achieve business objectives. Good data governance is essential in analytics, artificial intelligence (AI) and machine learning , to ensure ethical use of data, including avoiding bias in AI models. 

Benefits of good data governance

• Improved capability to achieve business outcomes. 

• More robust evidence base for improved decision making and increased public trust. 

• More consistent, coordinated, accessible and timely services. 

• More informed policy development and decision-making. 

• Better reporting and assurance to the Parliament. 

• Improved information exchange and transparency. 

• Greater operational efficiency and cost-effectiveness. 

• Reduced impact of machinery of government and other business continuity changes. 

• Better understanding and management of regulatory and other risks. 

• Compliance with legislative requirements, including privacy. 

• Increased physical, information and personnel security.

Commonwealth legislation and policy on data governance 

• Privacy Act 1988 - Outlines obligations to protect the identity of individuals an entity holds data about, and the ethical handling of this data. 

• Data Availability and Transparency Act 2022 - Authorises Australian Government entities to make data assets discoverable and to share data with accredited individuals and organisations, provided certain conditions are met. 

• Freedom of Information Act 1982 - With some exceptions, provides the public the right to access government held information, including government policies and decisions. 

• Protective Security Policy Framework - Sets out what Australian Government entities must do to protect people and information assets.

Also relevant are the:

• Archives Act 1983, which makes National Archives of Australia responsible for identifying the archival resources of the Commonwealth (that is, Commonwealth information of enduring value), and preserving and making publicly available the archival resources of the Commonwealth; 

• National Archives of Australia’s Building trust in the public record policy, which identifies key requirements for managing Australian Government information assets, including records, information and data; and supports improvement in performance management of public sector data and the use and reuse of data; 

• the Department of Finance’s Data Ethics Framework, which provides Australian Public Service (APS) guidance on ethical use of public data and analytics; 

• the Australian Public Service Commission’s APS Data Capability Framework, which outlines 26 data-specific capability areas associated with working with data in the APS; and 

• the Digital Transformation Agency’s Framework for the Governance of Indigenous Data, which aims to provide Aboriginal and Torres Strait Islander people greater agency over how their data is governed within the APS so government-held data better reflects their priorities and aspirations. 

Whole-of-government data strategy 

Launched in December 2023, the Australian Government’s Data and Digital Government Strategy (the Strategy) aims to provide a blueprint for the use and management of data and digital technologies by the APS through to 2030. The Strategy recognises data as a valuable national asset in realising Australia’s economic and social objectives, and in improving the evidence-base for government policy decisions, with a goal of better outcomes for all people and business. 

To support implementation of the Strategy, and to help entities self-assess their data maturity over time, the Department of Finance developed the Data Maturity Assessment Tool (DMAT). The self-assessment enables entities to: track their data maturity progress over time; identify data management strengths and weaknesses; and improve their ability to meet reporting obligations for promoting accountability and public trust.

The report features 'Questions for reflection'  

Lesson 1: Value data as an asset

• Does our entity have a culture that values curiosity, evidence and learning from data? 

• Does our entity have leadership commitment, including a sole authority (Chief Data Officer or equivalent data leadership role) responsible for all entity data and for fostering a culture that values data? 

• Does our entity consider from the outset what data is required to achieve business objectives? Does our entity collect and use data with a purpose, such as for evidence-based policy, and to evaluate and measure performance? 

• Does our entity select and design systems based on the required data outputs? 

• Does our entity have clear methodology documentation (such as standard operating procedures and workflows) that enables users to easily locate required data at any point in a process? 

• Does our entity have appropriate controls in place to assure the integrity of data, such as regular data checks and sign off by senior staff certifying data quality and integrity? 

• Does our entity uplift staff data capability through learning? 

• Does our entity regularly assess its data maturity, such as by using the Data Maturity Assessment Tool?

 

Lesson 2: Develop an information governance framework and data strategy  

• Does our entity have an information governance framework and a data strategy? 

• Does our entity’s information governance framework provide broad oversight of our organisation’s data assets and data management approach to achieve business goals? 

• Does our entity’s information governance framework set out drivers for data, such as

• legislation, risk and business needs? 

• the environment within which data is created and/or captured, collected and managed? 

• the principles that guide data design, capture, management and use? 

• roles and responsibilities, including leadership, as they relate to data? 

• consistent understanding and use of data across systems within the organisation and with other entities? 

• controls to protect against risks to data and to preserve the integrity of data? 

• how ethical considerations are embedded into data and AI policies? 

• senior management commitment to uphold data governance? 

• What actions does our entity take to embed information governance into its culture, such as training and guidance for staff? 

• Does our entity’s data strategy align with our organisation’s information governance framework, with greater detail on the approach to data creation, capture, collection, management and use of data? 

• Has our entity considered the Office of the National Data Commissioner’s Foundational Four in establishing data governance and an enterprise-wide data strategy? 

• Has our entity integrated AI into our information governance framework and data strategy to ensure responsible and secure AI use and alignment with business objectives? 

• Does our entity regularly review and evolve our information and data framework and strategy? If applicable, does our entity meet the requirements of the Policy for the responsible use of AI in government?

Lesson 3: Establish data leadership and define roles and responsibilities

• Does our entity have an established data leader and defined data team roles and responsibilities? 

• Does our entity refer to the SES Accountabilities for Data guidance to establish data roles and responsibilities? 

• Does our entity have a Chief Data Officer or equivalent who is accountable for enterprise-wide governance and use of data as an asset within the entity, and building entity data capabilities? 

• Does the role of our entity’s Chief Data Officer or equivalent align with the Chief Data Officer Information Pack? 

• Does our entity hold SES staff accountable for the proper use of government data within their areas of business responsibility? Does our entity clearly document data roles and responsibilities?

Lesson 4: Document data methodology with data processes mapped end-to-end

• Does our entity document data methodology with processes mapped end-to-end? 

• Does our entity classify and categorise data to make it more discoverable and useful? 

• Does our entity document data sources and systems? 

• Does our entity document end-to-end processes? 

• Does our entity manage entire data lifecycles (using the Data Maturity Assessment Tool or the Data Lifecycle View outlined in the APS Data Capability Framework)? 

• Does our entity implement quality standards and assurance processes? 

• Does our entity implement auditing and monitoring practices? 

• Is our entity’s documentation clear and sufficiently detailed to support business continuity and mitigate risks such as loss of knowledge through staffing changes?

Lesson 5: Strengthen assurance over third-party data

• Does our entity have strong assurance over any third-party data? 

• Does our entity clearly understand how third parties collect data? 

• Does our entity have assurance over the quality and integrity of third-party data? 

• Does our entity implement appropriate controls to identify, mitigate and address data risks? 

• Does our entity integrate data reporting obligations as part of formal arrangements, such as contracts or grants management agreements? 

• Does our entity conduct regular due diligence, such as provider risk assessments and audits? 

• Does our entity integrate third-party data into existing data governance frameworks (e.g. through validation checks, access controls and monitoring)? 

• Does our entity obtain control reports on the effectiveness of third-party systems, including their reliability and data security measures?

MyHR Expansion

The Bills Digest preliminary item on the Health Legislation Amendment (Modernising My Health Record—Sharing by Default) Bill 2024 notes that 

The Health Legislation Amendment (Modernising My Health Record—Sharing by Default) Bill 2024 establishes a legislative framework for requiring key health information to be shared with the My Health Record system, subject to exceptions. Certain healthcare providers within the pathology and diagnostic imaging sectors will be the first healthcare providers required to share test results to the My Health Record system. The Strengthening Medicare Taskforce and others have called for sharing by default arrangements to increase the amount of health information in My Health Record and allow it to deliver greater benefits to users and the health system. 

Currently it is voluntary for health providers to upload health information. While there have been various efforts to encourage greater uploading of documents (which have seen an increasing volume of clinical documents uploaded), some large private providers have indicated that they would not move to make share by default part of their standard practice until a legal requirement to do so is established. 

The Bill proposes that Medicare benefits for specific health services will be conditional upon upload of information about those health services. Rebates would continue to be paid to patients in the usual way, however if the providers do not upload results within the required timeframe the Medicare payment received would need to be repaid by the provider. At the time of writing, the Bill had not been referred to or reported on by any parliamentary committees. ... 

The Bill is expected to 

 amend the My Health Records Act 2012 (the MHR Act) and the Health Insurance Act 1973 (the HI Act) to establish a legislative framework for requiring key health information to be shared with the My Health Record system, subject to exceptions. As explained in the Minister’s second reading speech: We're starting with pathology and diagnostic imaging. However, this framework will position the My Health Record system to deliver access to key information, and become a routine, central part of our health system. ...  There are also related amendments to the A New Tax System (Goods and Services Tax) Act 1999, Fringe Benefits Tax Assessment Act 1986, National Health Act 1953, National Health Reform Act 2011 and Private Health Insurance Act 2007. ... 

 The Bill comprises 2 Schedules: Schedule 1 contains the main amendments. Part 1 amends the MHR Act to require prescribed constitutional corporations to become registered under the MHR Act and to upload prescribed information to the My Health Record system. Part 2 amends the HI Act to provide that Medicare benefits will no longer be payable for prescribed healthcare services, unless required information is shared to the My Health Record system. It also provides for exceptions in certain circumstances. Schedule 2 contains other amendments to: enable limited data matching between Medicare and My Health Record information to support compliance and enforcement with the new share by default requirements enable the Australian Commission on Safety and Quality in Health Care to disclose information about healthcare providers to the Secretary or MHR System Operator for compliance purposes make consequential amendments to the HI Act and other Acts to ensure that even if Medicare benefits are not payable because information hasn’t been uploaded, that this doesn’t affect how those services are treated by other Acts and programs.

The preliminary Digest item goes on to state 

My Health Record is a secure digital place to store health information and records. It commenced in July 2012 on a voluntary opt-in basis, then known as the Personally Controlled Electronic Health Record system (PCEHR). In March 2017, Australian governments agreed to move the My Health Record system to an opt-out model, with the Australian Government providing funding for implementation in the 2017–18 Budget (p. 116). Every Australian now has a My Health Record unless they ‘opted out’ before the end of January 2019. People who cancelled their My Health Record do not have one. A person can delete their My Health Record at any time.

A substantial number of people - perhaps a third of the cohort - opted out 

The My Health Record system operates under the My Health Records Act 2012. The Act establishes: the role and functions of the System Operator (currently the Australian Digital Health Agency) a registration framework for individuals and healthcare provider organisations to participate in the My Health Record system a privacy framework specifying which entities can collect, use and disclose certain information in the system and penalties on improper collection, use and disclosure. A consumer’s My Health Record includes information such as vaccinations, prescriptions, test and scan reports, pathology reports, hospital discharge information and emergency contacts. Authorised healthcare providers can upload and view a patient’s health information, however it is currently voluntary for providers to upload information. 

Prior efforts to increase the volume of health information available in My Health Record have included: financial incentives, industry offers to subsidise the development and rollout of My Health Record functionality, education and engagement, and progress toward national harmonisation of legislation, regulation and policies across governments (see pages 29–31 of the Impact Analysis for the Bill (included as part of the Explanatory Memorandum) for further information). 

The move to sharing by default 

A 2020 Review of the My Health Records Legislation recommended that the Australian Government examine options for tying eligibility criteria for specific government health benefit payments to support increased core clinical content in My Health Record and extensive adoption by healthcare providers (p. 6). 

The Strengthening Medicare Taskforce (established in 2022 to recommend ways to improve primary health care for all Australians) recommended that the Government: Modernise My Health Record to significantly increase the health information available to individuals and their health care professionals, including by requiring ‘sharing by default’ for private and public practitioners and services, and make it easier for people and their health care teams to use at the point of care. (p. 9) 

The Productivity Commission’s 2023 Advancing Prosperity inquiry report recommended using My Health Record as the foundation for sharing and using health data, including by requiring healthcare providers to share relevant health records to My Health Record where a consumer has not opted out (p. 60). 

In the 2023-24 Budget, the Australian Government committed $429 million over 2 years to modernise My Health Record, including investment to improve the sharing of pathology and diagnostic imaging information (p. 149). On 17 September 2023, the Minister for Health and Aged Care announced that the Government would require pathology and diagnostic imaging reports to be uploaded to My Health Record by default.

Property

'Proprietary Data, Open Data, Data Commons: Who Owns the Data? How to Best Reconcile Conflicting Interests in Exploiting the Value of Data and Protecting Against its Risks' by Luisa Kruse and Maximilian Grafenstein comments

 The European data strategy aims to make the EU a leader in a data-driven world. To this aim, the EU is creating a single market for data where 1) data can flow across sectors for the benefit of all; 2) European laws like data protection and competition law are fully respected; and 3) the rules for access and use of data are fair, practical and clear. In order to structure the corresponding initiatives of legislators and public authorities, it is important to clarify the data ownership models on which the initiatives are based: Proprietary data models, Open Data models or so-called data commons models. Based on a literature analysis, this article first provides an overview of the discussed economic and social advantages and disadvantages of proprietary and Open Data models and, against this background, clarifies the concept of the data commons. In doing so, this article understands the data commons concept to mean that everyone has an equal right in principle to exploit the value of data and control its associated risks. Based on this understanding, purely technical power of the data holder to exclude others from “her” data does not mean that she has a superior or even exclusive right to generate value from the data. By means of legal mechanisms, the competent legislator or public authorities may therefore counteract such purely de facto powers of data holders by opening their technical access control over data for other parties and define the conditions of its use. In doing so, the interests of the data holder in keeping the data for themselves must be weighed up against the interests of data users in using the data as well as the interests in controlling the related risks of all parties affected by this use. While this balancing exercise may be established, in a more or less general manner, by the European or national legislator or even by municipalities, data intermediaries will have to play a central role in ensuring that this balancing of interest is resolved in specific cases. Data intermediaries may do this not only by specifying the general data usage rules provided by the legislators and municipalities in the form of context-specific access and use conditions but above all by monitoring compliance with these conditions.

University Management

'Strategic Bureaucracy: The Convergence of Bureaucratic and Strategic Management Logics in the Organizational Restructuring of Universities' by Peter Woelert and Bjørn Stensaker in (2024) Minerva comments 

Over recent decades, the organizational dimensions of universities have taken a center stage in analyses of higher education policy reform and governance change (e.g., Bleiklie, Enders, and Lepori 2015; Fumasoli and Stensaker 2013; Seeber et al. 2015). Research from different parts of the world has documented a changing university where key organizational trends include greater centralization and formalization, more external and internal reporting and accountability pressures, and the growth of an increasingly professionalized and managerial administrative apparatus within universities (e.g., Christensen 2011; Croucher and Woelert 2022; Ramirez and Christensen 2013). 

Across the literature examining the changing organizational governance of universities, one can identify two related but differently accentuated narratives concerning the observed changes. The first narrative is broadly associated with analyses of public sector reform along New Public Management (NPM) lines and the associated policy and governance changes (Ferlie et al. 1996). Key elements in this narrative are, first, the state’s off-loading of responsibilities for organizational governance to universities and increases in universities’ institutional autonomy in operational matters, and second, increases in universities’ accountability to government authorities and other key stakeholders setting the broader policy goals and objectives (e.g., Capano 2011; Christensen 2011; Enders, de Boer, and Weyer 2013). This shift towards increased institutional autonomy and accountability entails new and expanded administrative responsibilities and demands that, so the narrative goes, compel universities to increasingly acquire the characteristics of formalized, centralized, and hierarchical organizations (Bleiklie, Enders, and Lepori 2015; Musselin 2006). In view of these apparent changes, universities thus can be said to have undergone an organizational process of bureaucratization. 

The second narrative is related to the first in that it also sees the environment as the core driver of change within universities. However, in contrast to linking organizational change in the university directly to public sector reform and ‘steering at a distance’, this narrative foregrounds the emergence of dynamic forms of institutional competition including those associated with markets or quasi-markets (see Jungblut and Vukasovic 2018) as a key driver of change. Intensifying institutional competition for domestic and international students and university ranking positions (Brankovic 2018; Espeland and Sauder 2007), the narrative then goes, has made it imperative for universities to become comprehensively managed organizations capable of strategic decision-making and swift internal restructuring to effectively identify and realize opportunities offered by their environment (see, e.g., Krücken and Meier 2006; Thoenig and Paradeise 2016). In short, according to this narrative, an increasingly competitive and uncertain environment has driven universities to transform into strategically managed organizations. 

Despite the ongoing centrality of these two narratives to accounts of university reform and change, the question of how specifically the two associated organizational logics – bureaucratic and strategic – interrelate in the restructuring of universities has received little attention. This is in parts because the strategic organizational logic, on a more general level, has been frequently yet simplistically painted as implying a radical departure from bureaucratic forms and processes (see on this point, e.g., Hoggett 2007; Wright, Sturdy and Wylie 2012). Applied to the domain of universities, such ‘post-bureaucratic’ notion of strategic management thus provides little scope to account for any common ground or convergence between the two logics in processes of organizational restructuring and change. 

This is an issue also since more recent empirical studies from around the world appear to present a mixed picture as to how universities are changing as organizations (see, e.g., Bleiklie, Enders, and Lepori 2017; Ramirez and Christensen 2013; Seeber et al. 2015). There is, for example, a range of evidence suggesting that universities have become more tightly integrated and managed as organizations (Bleiklie, Enders, and Lepori 2015, Seeber et al. 2015). Yet there are also signs of ongoing fragmentation in university organization due to the successive addition of new administrative layers that ultimately appear to have expanded the bureaucratic dimensions of university life (Maassen and Stensaker 2019, Ramirez and Christensen 2013; Woelert 2023). 

In this conceptual paper, we argue that bureaucratic and strategic logics, despite their different emphases and points of departure, converge and combine with respect to key dimensions of universities’ internal governance and organizing, ultimately giving rise to a hybrid form of organizational governance we refer to as ‘strategic bureaucracy’. We suggest that the manifestation of strategic bureaucracy within universities is inter alia characterized by a strong focus on strategic leadership and the associated management techniques alongside intensification of organizational features and dimensions traditionally associated with bureaucratic governance such as formalization and hierarchical authority. 

The key research questions guiding our discussion are: 1. What are the key characteristics of bureaucratic and strategic logics in a university setting? 2. How are the bureaucratic and strategic organizational logics articulating within universities? 3. What are some of the key organizational implications arising from this articulation between both logics? 

Our use of the notion of organizational logic throughout this paper is motivated by the ambition to conceptualize (a) distinctive forms or types of collective rationality that frame, legitimize, and guide organizational activities; and (b) the relationships between these forms. There are affinities to the institutional logics conception that has become widely popular in the social sciences over recent decades, and which assumes that typically there are several such forms, or logics, to be found and interacting within organizations, and which further posits that understanding of the articulation of such different forms is key to understanding organizational change also (Thornton, Ocasio, and Lounsbury 2012). In contrast to the institutional logics perspective and its ambition to integrate macro-, meso-, and micro-levels of analysis (see Thornton, Ocasio, and Lounsbury 2012), our analyses remain, however, more modestly focused on the organizational level and, in particular, do not attempt to integrate individual or micro-level dimensions or foundations.

'Turning universities into data-driven organisations: seven dimensions of change' by Janja Komljenovic, Sam Sellar and Kean Birch in (2024) Higher Education comments 

Universities are striving to become data-driven organisations, benefitting from data collection, analysis, and various data products, such as business intelligence, learning analytics, personalised recommendations, behavioural nudging, and automation. However, datafication of universities is not an easy process. We empirically explore the struggles and challenges of UK universities in making digital and personal data useful and valuable. We structure our analysis along seven dimensions: the aspirational dimension explores university datafication aims and the challenges of achieving them; the technological dimension explores struggles with digital infrastructure supporting datafication and data quality; the legal dimension includes data privacy, security, vendor management, and new legal complexities that datafication brings; the commercial dimension tackles proprietary data products developed using university data and relations between universities and EdTech companies; the organisational dimension discusses data governance and institutional management relevant to datafication; the ideological dimension explores ideas about data value and the paradoxes that emerge between these ideas and university practices; and the existential dimension considers how datafication changes the core functioning of universities as social institutions. 

Universities recognise the potential value of their digital data and strive to become data-driven organisations that collect, analyse, structure, manage, and use data and data products in their strategic and operational activities. As one of the participants in the focus groups we held during our research on the digitalisation of higher education (HE) in the UK noted: I think every university knows that the data they hold is the wealth of the institution, whether that’s data about how people are behaving or what they’ve actually produced. But that is, at the end of the day, that is the most valuable thing you have. (G6P3). 

This imaginary of the value of digital data is supported and encouraged by policymakers and sectorial agencies (Gulson et al., 2022). Jisc, a digital technology and data agency supporting HE in the UK, has recently launched the Data Maturity Framework, which universities can use to assess their ‘data capability’ and guide strategic change. The Higher Education Statistics Agency (HESA) led the Data Futures Project, which aimed at sector-level data collection and analysis to modernise HE data collection and make it more efficient. These initiatives are further driving the marketisation of HE in the UK (Williamson, 2018) and supporting commercial actors to economically benefit from university data (Komljenovic, 2020), including the recent emergence of educational data brokers (Arantes, 2023). 

Datafication refers to the ‘quantification of human life through digital information, very often for economic value’ (Mejias & Couldry, 2019, p.1), which involves representing social and natural worlds in machine readable digital formats (Williamson et al., 2020) with significant social consequences. In education, datafication consists of collecting and processing data at all levels, from individual to institutional, national and beyond, impacting education stakeholders’ discursive and material practices (Jarke & Breiter, 2019). 

We specifically focus on digital data collected by or registered in digital platforms and digital infrastructure. In many industries, data are valuable when aggregated into big data, allowing more sophisticated analyses, such as group analysis and comparison of individuals for targeted advertising (Birch et al., 2021; Pistor, 2020). In HE, policymakers and educational leaders are attempting to improve quality, efficiency, and impact via datafication at the sectoral and institutional levels (Eynon, 2013). Imaginaries of precision education promise to deliver personalisation akin to other sectors, such as medicine and agriculture (Kuch et al., 2020). 

This omnipresent and techno-deterministic belief in the value of data acts as a mythical belief in magic in that it evokes the ideas of seamless functionality with impressive end experience without attention to how it works or the means with which this was achieved, including struggles, efforts, risks, and costs (Elish & boyd, 2018). However, a paradox emerges as this belief in the value of data is not realised in HE, at least not to the extent that stakeholders would wish; yet it continues to drive investment, business models, actions, and strategies (Komljenovic et al., 2024, 2024b). Currently, data are both valuable and not valuable. Various actors, including EdTech companies and universities, experiment and look for ways to realise economic and social value from data. 

Universities are diverse along many dimensions, including size and resources, which are particularly important for datafication. These differences mean they organise data processes differently. Having thousands of students and staff, universities have to manage petabytes of data, which is a complex task technologically, financially, and legally. The costs of data storage alone have substantially increased, on top of other new costs related to establishing and maintaining the digital ecosystems required for datafication. Universities also deal with legacy software, problems integrating various systems and data flows, ensuring data security, facing cyberattacks, and more. Moreover, diverse actors formally and informally scrutinise universities concerning their data and digital practices (Komljenovic et al., 2024, 2024b). 

In this article, we focus on the UK as an illustrative case due to the high level of digitalisation and datafication of HE (Williamson, 2019). We aim to recognise UK universities’ needs and aims to become data-driven organisations and analyse the challenges they face as they pursue the datafication journey. We first examine datafication in HE and then elaborate on our methodological approach. We then turn to our analysis, structured around seven interrelated dimensions of change, followed by a brief conclusion calling for democratic and relational datafication in HE.

edTech

'Edtech in Higher Education: Empirical Findings from the Project ‘Universities and Unicorns: Building Digital Assets in the Higher Education Industry’ by Janja Komljenovic, Morten Hansen, Sam Sellar and Kean Birch (published by the Centre for Global Higher Education, Department of Education, University of Oxford comments 

Higher education (HE) is by now thoroughly digitalised. Universities use a variety of digital products and services to support their operations. The educational technology (EdTech) industry has been expanding in the past decade, while investors have become important actors in the field. This report offers findings from the ESRC-funded research project ‘Universities and Unicorns: Building Digital Assets in the Higher Education Industry’ (UU), which investigated new forms of value in digitalised HE as the sector engages with EdTech providers. ... 

The project was conducted between 1 January 2021 and 30 June 2023. It investigated new forms of value in digital and digitalised higher education (HE) as the sector engages with educational technology (EdTech) providers. The project was especially interested in digital user data and data operations. We followed three groups of actors: universities, EdTech start-up companies, and investors in EdTech. 

Our study of universities focused on understanding their: digitalisation strategies and practices; digital ecosystems and collaborations with EdTech companies; attitudes towards and experiences with EdTech companies; user data operations and data outputs; and key challenges with digitalisation. 

Our study of EdTech start-up companies focused on understanding: development of products and services; business models and strategies; how products are datafied and their data operations; how user data is made valuable; experiences and relations with universities; experiences and relations with investors; and challenges they are facing in their work and growth. 

Our study of investors focused on understanding: their views of HE and the future of the sector; the role that EdTech should play in this future; their beliefs about the value of user data; their investment theses, strategies and activities; and their experiences and relations with the EdTech and HE sectors. xx Understanding EdTech relationally, and bringing these groups together, allowed us to gain particular insights into the digitalisation of HE and its political economy. We aimed to trace the flow of ideas, strategies, and actions between these actors and to understand how and why the EdTech industry is developing as it is. 

Our conceptual approach centred on rentiership and assetisation. The global economy is increasingly characterized by rentiership: the move from creating value via producing and selling commodities in the market to extracting value via controlling access to assets. In the digital economy, rentiership is often exercised by controlling digital platforms and pursuing revenues associated with platforms, such as collecting and monetising digital data extracted via these platforms. Users became valuable through their engagement with the platform and are made visible through various user metrics. Emerging work on assetisation in education argues that this is a productive way to understand the impact of the privatisation, financialisation, and digitalisation of public education. However, the rise of assetisation does not mean that HE is no longer a public good or subject to commodification. Instead, it adds new complex forms of value creation and governance to the sector. We should note that this research project was conducted before the release of ChatGPT into public use. Therefore, this report does not make reference to the turbulent discussions about generative AI and its potential usage and impacts in HE. Finally, we note that this report offers an empirical description of key themes and dynamics identified in our study. More in-depth and theorised analyses of project findings are being published in journal articles and book chapters, all of which are openly accessible. The Appendix includes a list of publications.  ...

In this section, we briefly summarise key overall findings, which are analysed in more detail in academic publications, i.e. journal articles and book chapters (see Appendix). The following findings are relevant to our case studies and might be different in other contexts. 

Takeaway #1: Big Tech and legacy software are prominent in digitalising higher education 

Big Tech infrastructure and platforms, legacy software, and EdTech incumbents dominate university digital ecosystems. It is challenging for the EdTech start-up industry to enter HE markets. Digital products and services offered by new companies represent a small proportion of digitalisation work at universities. EdTech companies primarily target individuals as customers, enterprises for staff development and training, and lower levels of education (i.e. schooling rather than HE). 

Takeaway #2: EdTech in HE is less advanced than imagined 

There is a discrepancy between the promises of the EdTech industry regarding the quality and impact of digital products and services and the perception of university customers. Many university actors, as well as a few EdTech companies, argued that the current quality of EdTech products is generally low compared to other sectors. 

Takeaway #3: Making user data valuable is difficult 

Collecting, cleaning, sorting, processing, and analysing digital user data demands significant human, technological, and financial resources. It is difficult to make user data analysis useful and valuable, such that universities are willing to pay higher fees for data-driven products. Most EdTech companies that we analysed struggle with monetising user data. There is also less user data analysis currently in the sector than imagined by the EdTech industry in its public discourse. The omnipresent belief in the value of user data among all actors is disjunctive with the realities of data practices, which are mostly simple or non-existent. Most university users are sceptical about learning analytics. 

Takeaway #4: User data analytics in HE are not well-developed 

EdTech companies attempt to make their digital products valuable by incorporating user data analytics into their core products. However, currently, these analytics are simple and remain at the level of basic descriptive feedback loops for the user. Nevertheless, there is a clear trend in which EdTech companies are continuing their attempts to construct new metrics, scores, and analytics to monetise data, with efforts to convince customers of the value of these analytics.  

Takeaway #5: Datafication in HE happens at universities 

Universities are in the driving seat of their institutional datafication. Universities are establishing data warehouses, and many aim to collect all user data produced by external digital platforms in order to organise and analyse it for pedagogical and business purposes. However, universities currently lack the capacity to analyse, interpret and act on data. Universities need to establish frameworks for action based on data and acquire the requisite personnel and skills to do so. Universities should ensure that data outputs (e.g. analytics, metrics, scores) are truly representative of what is measured and build confidence in their communities regarding data-driven decision-making. 

Takeaway #6: Digitalisation and datafication create work and costs for universities 

Digitalisation and EdTech promise to bring efficiency and cost savings for universities, but in reality, university actors feel that digitalisation and data operations create more work and higher costs. In addition, new staff profiles and skills are needed, including data scientists, vendor managers, cloud engineers, as well as more learning technologists. 

Takeaway #7: Good EdTech does not challenge core university values and practices 

University actors find technology useful in general and are interested in technological innovation in relation to their work. However, there are two instances where university actors are sceptical towards EdTech. First, when companies' business models are exploitative and extractive. Second, when digital products interfere with the university's core values and practices, such as by challenging professional judgement or academic freedom. Intentions to automate the teaching process or provide behavioural nudges are often received with scepticism. Most university actors feel that user data collection should be limited, and data outputs, including analytics, should be restricted and carefully evaluated. 

Takeaway #8: The aims of EdTech require greater clarity 

The key aims of EdTech are understood to be personalisation, automation, enhanced student engagement, and greater institutional efficiency. However, there are discrepancies between university, EdTech, and investor actors in terms of how they understand these objectives and, consequently, how they will be achieved. Each of these aims needs clarification, including recognising the plurality of dimensions to each objective. 

Takeaway #9: Future imaginaries of tech companies and universities 

The future imaginaries of HE and EdTech are constructed by the EdTech industry and policy actors. There are discrepancies between investors, EdTech companies, and universities in relation to what EdTech should do and how it should shape the future of HE. Universities should drive these discussions and determine their futures and the role of technology in creating these futures. 

Takeaway #10: Democratic data governance 

Universities should do more to inform students and staff about the digital products and services they routinely use. Universities should also continuously provide transparent information to students and staff about user data collected from them and what is being done with this data within their universities and externally. Students and staff should have the choice to participate or not in user data collection and processing. Students and staff should be included in the governance of EdTech and user data at their institutions. 

Takeaway #11: There is a plurality of assetisation processes in EdTech 

EdTech companies establish a variety of processes to control and charge for access to their assets. These include mediating content, organising and mediating teaching interventions, and digitalising and mediating credentials. Typical moats that EdTech companies build are lock-in, network effects, and integration of products into everyday individual practices.