In principle approval

The next step in the process is for the data user (researcher) to seek in principle approval from each data custodian for the project to proceed. Often, the researcher would already have communicated with the data custodians to clarify details for their project proposal.

To provide in principle approval for the project, each data custodian should:

  • Ensure that the project is in scope and in the public interest
  • Assess the legislative and policy framework the data will be released under – does the data custodian have authorisation to release the data for the purpose of the specified project (that is, does legislation allow the release, does the project meet privacy requirements, is approval from an ethics committee required, has consent been given by data providers, would release contravene any commitment made to data providers regarding the purpose for which their data may be used, or would there need to be a public interest determination?). This should also be assessed in the context of how the data is required to be released to users, for example, does the project require identified or de-identified data, will the data be confidentialised before it is provided to the data user, and will it be made available in a secure and controlled environment?
  • Conduct a risk assessment of the project using the Risk Framework. This risk assessment is needed to demonstrate public benefit, provide transparency of a project and determine whether or not the integrating authority needs to be accredited. High risk data integration projects involving Commonwealth data are required under the Commonwealth arrangements to use an accredited Integrating Authority. If there is more than one Commonwealth data custodian, they may choose to appoint a lead custodian for the project. [1. The lead data custodian may be the agency that will conduct the project as the integrating authority (they must be accredited if the project is rated as high risk), or is supplying funding to the project, or has the most/or the more sensitive datasets involved.] The role of the lead custodian is to prepare a project risk assessment on behalf of all data custodians and liaise with the appointed integrating authority in finalising the project details. However, the data custodians may choose to work jointly or independently to assess the proposal and undertake the risk assessment. In giving in principle approval for the project to proceed, each data custodian must agree to the final risk assessment, after any mitigation strategies are applied (if applicable).
  • Data custodians may want to consider at this stage whether further assessment of the public perception in relation to the project is required. Transparent processes and community engagement will help ensure the public is aware of how Commonwealth government data is being used for statistical and research purposes to provide overall benefit to the community.
  • The in principle approval, together with the risk assessment, should be signed off by each data custodian in accordance with departmental policies or delegations for the approval of projects or the release of data for research purposes. At this stage the in principle approval will provide authorisation for further work to proceed to finalise the project proposal. Final approval will be subject to an assessment of the technical feasibility of the project by the integrating authority and agreement on the conduct of the project. The data custodians retain the right to approve or disapprove the use of their data in any project, in whole or in part. They need to ensure that risk is being managed appropriately and in line with their requirements before releasing source data.


It is expected that at this stage the data custodians will have sufficient information to appoint an integrating authority. This will be the organisation that will be responsible for the ongoing management of the project in accordance with the requirements of each data custodian. During the initial implementation of the Commonwealth arrangements, the integrating authority should be a Commonwealth agency able to comply with the high level principles. The integrating authority must be accredited if the project is high risk).

For more information about the project application and approval process see: