17 July 2025

ANAO data governance

The ANAO Governance of Data report states:

Data is any information in a form capable of being communicated, analysed or processed (whether by an individual, a computer or other automated means). Data becomes valuable when it is processed and analysed to extract meaning, leading to insights, decisions or predictions. Governance of Data considers structured data that is measurable, such as a set of observations organised into a table, spreadsheet or database — in contrast to unstructured data that cannot be easily measured, such as records of meeting minutes. 

Data is a valuable asset of every Commonwealth entity, as it underpins informed decision making, efficient and effective business operations and public accountability. This means entities should invest in its governance, quality, security and ethical use to ensure data is trusted, protected and used to drive measurable results and outcomes for citizens. 

Effective governance of data is critical to realising and maximising the economic, social and environmental benefits of data. This includes securely, safely, lawfully and ethically sharing data with other public sector jurisdictions, in accordance with the Intergovernmental Agreement on data sharing between Commonwealth and State and Territory governments. Good data governance is also necessary to meet legislative obligations and policy. 

Through its audit work, the ANAO has observed good practices and fundamental deficiencies in the governance of data across multiple entities. Governance deficiencies have resulted in weaknesses to data integrity (reliability and verifiability), which impacts business processes and can result in reduced capability to make informed decisions, meet reporting requirements and achieve business objectives. Good data governance is essential in analytics, artificial intelligence (AI) and machine learning, to ensure ethical use of data, including avoiding bias in AI models.

Benefits of good data governance

  • Improved capability to achieve business outcomes. 

  • More robust evidence base for improved decision making and increased public trust. 

  • More consistent, coordinated, accessible and timely services. 

  • More informed policy development and decision-making. 

  • Better reporting and assurance to the Parliament. 

  • Improved information exchange and transparency. 

  • Greater operational efficiency and cost-effectiveness. 

  • Reduced impact of machinery of government and other business continuity changes. 

  • Better understanding and management of regulatory and other risks. 

  • Compliance with legislative requirements, including privacy. 

  • Increased physical, information and personnel security.

Commonwealth legislation and policy on data governance 

  • Privacy Act 1988 - Outlines obligations to protect the identity of individuals an entity holds data about, and the ethical handling of this data. 

  • Data Availability and Transparency Act 2022 - Authorises Australian Government entities to make data assets discoverable and to share data with accredited individuals and organisations, provided certain conditions are met. 

  • Freedom of Information Act 1982 - With some exceptions, provides the public the right to access government held information, including government policies and decisions. 

  • Protective Security Policy Framework - Sets out what Australian Government entities must do to protect people and information assets.

Also relevant are the:

  • Archives Act 1983, which makes National Archives of Australia responsible for identifying the archival resources of the Commonwealth (that is, Commonwealth information of enduring value), and preserving and making publicly available the archival resources of the Commonwealth; 

  • National Archives of Australia’s Building trust in the public record policy, which identifies key requirements for managing Australian Government information assets, including records, information and data; and supports improvement in performance management of public sector data and the use and reuse of data; 

  • the Department of Finance’s Data Ethics Framework, which provides Australian Public Service (APS) guidance on ethical use of public data and analytics; 

  • the Australian Public Service Commission’s APS Data Capability Framework, which outlines 26 data-specific capability areas associated with working with data in the APS; and 

  • the Digital Transformation Agency’s Framework for the Governance of Indigenous Data, which aims to provide Aboriginal and Torres Strait Islander people greater agency over how their data is governed within the APS so government-held data better reflects their priorities and aspirations. 

Whole-of-government data strategy 

Launched in December 2023, the Australian Government’s Data and Digital Government Strategy (the Strategy) aims to provide a blueprint for the use and management of data and digital technologies by the APS through to 2030. The Strategy recognises data as a valuable national asset in realising Australia’s economic and social objectives, and in improving the evidence-base for government policy decisions, with a goal of better outcomes for all people and business. 

To support implementation of the Strategy, and to help entities self-assess their data maturity over time, the Department of Finance developed the Data Maturity Assessment Tool (DMAT). The self-assessment enables entities to: track their data maturity progress over time; identify data management strengths and weaknesses; and improve their ability to meet reporting obligations for promoting accountability and public trust.

The report features 'Questions for reflection':

Lesson 1: Value data as an asset

  • Does our entity have a culture that values curiosity, evidence and learning from data? 

  • Does our entity have leadership commitment, including a sole authority (Chief Data Officer or equivalent data leadership role) responsible for all entity data and for fostering a culture that values data? 

  • Does our entity consider from the outset what data is required to achieve business objectives? Does our entity collect and use data with a purpose, such as for evidence-based policy, and to evaluate and measure performance? 

  • Does our entity select and design systems based on the required data outputs? 

  • Does our entity have clear methodology documentation (such as standard operating procedures and workflows) that enables users to easily locate required data at any point in a process? 

  • Does our entity have appropriate controls in place to assure the integrity of data, such as regular data checks and sign off by senior staff certifying data quality and integrity? 

  • Does our entity uplift staff data capability through learning? 

  • Does our entity regularly assess its data maturity, such as by using the Data Maturity Assessment Tool?

 

Lesson 2: Develop an information governance framework and data strategy  

  • Does our entity have an information governance framework and a data strategy? 

  • Does our entity’s information governance framework provide broad oversight of our organisation’s data assets and data management approach to achieve business goals? 

  • Does our entity’s information governance framework set out drivers for data, such as:

    • legislation, risk and business needs? 

    • the environment within which data is created and/or captured, collected and managed? 

    • the principles that guide data design, capture, management and use? 

    • roles and responsibilities, including leadership, as they relate to data? 

    • consistent understanding and use of data across systems within the organisation and with other entities? 

    • controls to protect against risks to data and to preserve the integrity of data? 

    • how ethical considerations are embedded into data and AI policies? 

    • senior management commitment to uphold data governance? 

  • What actions does our entity take to embed information governance into its culture, such as training and guidance for staff? 

  • Does our entity’s data strategy align with our organisation’s information governance framework, with greater detail on the approach to data creation, capture, collection, management and use of data? 

  • Has our entity considered the Office of the National Data Commissioner’s Foundational Four in establishing data governance and an enterprise-wide data strategy? 

  • Has our entity integrated AI into our information governance framework and data strategy to ensure responsible and secure AI use and alignment with business objectives? 

  • Does our entity regularly review and evolve our information and data framework and strategy? If applicable, does our entity meet the requirements of the Policy for the responsible use of AI in government?

Lesson 3: Establish data leadership and define roles and responsibilities

  • Does our entity have an established data leader and defined data team roles and responsibilities? 

  • Does our entity refer to the SES Accountabilities for Data guidance to establish data roles and responsibilities? 

  • Does our entity have a Chief Data Officer or equivalent who is accountable for enterprise-wide governance and use of data as an asset within the entity, and building entity data capabilities? 

  • Does the role of our entity’s Chief Data Officer or equivalent align with the Chief Data Officer Information Pack? 

  • Does our entity hold SES staff accountable for the proper use of government data within their areas of business responsibility? Does our entity clearly document data roles and responsibilities?

Lesson 4: Document data methodology with data processes mapped end-to-end

  • Does our entity document data methodology with processes mapped end-to-end? 

  • Does our entity classify and categorise data to make it more discoverable and useful? 

  • Does our entity document data sources and systems? 

  • Does our entity document end-to-end processes? 

  • Does our entity manage entire data lifecycles (using the Data Maturity Assessment Tool or the Data Lifecycle View outlined in the APS Data Capability Framework)? 

  • Does our entity implement quality standards and assurance processes? 

  • Does our entity implement auditing and monitoring practices? 

  • Is our entity’s documentation clear and sufficiently detailed to support business continuity and mitigate risks such as loss of knowledge through staffing changes?

Lesson 5: Strengthen assurance over third-party data

  • Does our entity have strong assurance over any third-party data? 

  • Does our entity clearly understand how third parties collect data? 

  • Does our entity have assurance over the quality and integrity of third-party data? 

  • Does our entity implement appropriate controls to identify, mitigate and address data risks? 

  • Does our entity integrate data reporting obligations as part of formal arrangements, such as contracts or grants management agreements? 

  • Does our entity conduct regular due diligence, such as provider risk assessments and audits? 

  • Does our entity integrate third-party data into existing data governance frameworks (e.g. through validation checks, access controls and monitoring)? 

  • Does our entity obtain control reports on the effectiveness of third-party systems, including their reliability and data security measures?