APS Data Governance Practice in May 2026 — Where the Operational Maturity Sits


Data governance practice across the Australian Public Service has continued to mature through 2025 and into 2026. The Data Availability and Transparency Act framework has been operating for several years and the operational practices around accredited data sharing have settled into recognisable patterns. The cross-agency data integration projects have built capability that did not exist five years ago. The data quality discipline at most major agencies has improved.

The work is by no means complete and the operational picture is uneven across agencies, but the maturity in May 2026 is meaningfully better than it was three years ago.

What has matured:

Accredited data sharing arrangements. The framework for data sharing between Commonwealth agencies under the DAT Act is now operating with real volumes and the operational protocols are bedded in. The accredited user accreditation process, the accredited data service provider accreditation, and the data sharing project approval workflows have settled into reasonably predictable rhythms.

Privacy impact assessment practice. PIA practice across the APS has matured significantly. The integration of PIA into project initiation, the senior accountability for PIA outcomes, and the engagement with the Office of the Australian Information Commissioner where required has become much more routine than it was in 2020.

Data classification and handling. The data classification practice — the Protective Security Policy Framework alignment, the data labelling, the handling protocols — has bedded in across the APS. The day-to-day practice in agencies is meaningfully better than it was five years ago.

Data quality practice. Major agencies have invested in data quality tooling and processes through 2023–25. The data quality measurement, the source-of-truth identification for shared reference data, and the operational responsibility for data quality have all moved forward. Several agencies are now able to make credible statements about data quality that they could not have made in 2020.

What remains difficult:

Cross-agency identity. The longstanding challenge of cross-agency identity matching continues to be operationally difficult. The investments in match-rate improvement and in privacy-preserving matching techniques have helped but the underlying complexity of cross-agency identity has not been solved.

Legacy data on legacy systems. APS agencies running critical processes on legacy systems with limited data governance characteristics continue to face structural difficulties in extending modern data governance practices over the legacy data. The modernisation programs that would address this are large and slow.

Data retention and disposal. The data retention and disposal practice across the APS continues to be uneven. Agencies have improved the practice on new system implementations but the legacy holdings of data outside the modern systems remain a meaningful operational and risk concern.

AI training data governance. The governance of training data for AI systems used by APS agencies is a relatively new operational topic. The principles are clear — data provenance documentation, consent and use position, bias assessment — but the operational practice around AI training data is less mature than the operational practice around production database governance.

The cross-cutting themes:

Senior accountability. The agencies where data governance is meaningfully strong are mostly the agencies where a senior executive has explicit accountability for data governance outcomes. The agencies where data governance is a shared responsibility across several executives without a clear single point of accountability tend to have weaker outcomes.

Operating model versus framework. The agencies that have invested in a working operating model — clear roles, scheduled forums, documented escalation paths — are outperforming the agencies that have invested in framework documentation without the operating model. Documentation without operating practice does not deliver governance outcomes.

Tooling. The tooling for data governance has matured significantly through 2024–25. Data catalogue tools, data lineage tools, and data quality measurement tools are now widely deployed and the integration between these tools is meaningfully better than it was three years ago. The agencies that have invested in tooling are typically outperforming the agencies relying on manual processes.

Operational notes for APS data governance practitioners in mid-2026:

The Privacy Act reform pipeline continues to shape practice expectations. The reform direction is well-signalled even where specific provisions are still being finalised and agencies that are anticipating the reform direction are well-positioned.

The AI assurance framework alignment with data governance is an active operational topic. The agencies that have begun integrating AI assurance practice with their existing data governance frameworks are getting more efficient outcomes than agencies running AI assurance as a separate workstream.

Workforce capability is the rate-limiting factor in most agencies. The data governance practice depends on people who understand both the policy framework and the operational data environment, and that combination of skills is in short supply in 2026. Agencies that are investing in internal capability development are doing better than agencies relying on external contracting for the governance work.

For APS data governance practitioners in mid-2026, the working read is that the framework is solid, the tooling has matured, and the operational practice in well-resourced agencies has reached a credible standard. The challenge for the rest of 2026 and into 2027 is extending the practice consistently across agencies of different sizes and capability levels and continuing to evolve the practice as the AI and privacy regulatory frameworks continue to develop.