Expected characteristics for data service provider accreditation
This information has been developed to assist organisations when preparing an application for data service provider accreditation. It provides information about the expected characteristics for accreditation of data service providers under the DATA Scheme.
Expected characteristics
A requirement under section 74 of the Act is that the applicant meets the criteria in section 77(1) of the Act, to a standard appropriate for accreditation. Accreditation as a data service provider includes an additional criterion under section 77(1A) that relates to the specific data services. The characteristics, as set out below, inform the expectation against which these criteria will be assessed. The accreditation authority will be guided by these characteristics but will exercise their discretion for each decision.
While the characteristics inform each of the criteria under section 77, some characteristics are present in more than one criterion and the criteria support each other. Under these characteristics, policies and practices should be current, regularly communicated to staff, regularly reviewed, updated, and actioned (for example through awareness, monitoring and reporting).
Further, if data service provision is to be limited to a sub-unit of the accredited entity, then expression of the expected characteristics under section 77(1) at the entity level will need to be distinguished from their expression at the relevant sub-unit level. So, for example, there may be an entity CDO and also a sub-unit CDO with specific responsibility for the sub-unit's data management and governance; or the sub-unit may require its staff to undertake specialist training or may have particular workforce governance practices or staff vetting requirements.
Please read this information in conjunction with the other guidance available at www.datacommissioner.gov.au. This information is not intended to be legal advice. You should seek your own legal advice if you would like further clarification on the matters raised.
You can contact us at information@datacommissioner.gov.au if you have any queries.
Data management and governance policies and practices, and a qualified individual
The entity has appropriate data management and governance policies and practices and an appropriately qualified individual in a position that has responsibility for data management and data governance for the entity (s 77(1)(a) of the Act), evidenced by:
- Identified role/s responsible for the organisation’s:
  - data management and data governance (Chief Data Officer or equivalent)
  - information and communications technology, including security (Chief Information Officer or equivalent); and
  - management and governance of personal information (Privacy Officer or equivalent).
- A governance body or bodies responsible for:
  - overseeing the organisation’s data management and governance
  - monitoring and reporting of data management and use
  - managing data risks; and
  - audit.
- Organisational policies and practices that document roles, responsibilities and processes for managing and governing data.
  These may be contained in one or more documents, but must include:
  - a high-level strategy (e.g., data strategy, data governance framework)
  - policies and procedures that address:
    - a defined way of knowing what data is held (e.g., data inventory)
    - identification of data assets containing business-critical, personal or sensitive information (data value)
    - established practices for managing data, including agreed metadata standards.
  - a risk management strategy (or equivalent) that considers data risks
  - a data incident management response plan (or equivalent)
  - a public-facing privacy policy
  - internal guidance material, checklists and templates that inform how to manage privacy and respond to incidents
  - practices to consider the privacy impacts of any new projects and systems that involve personal information, and to undertake Privacy Impact Assessments when needed.
- An indication of how the organisation will manage and govern the entity’s DATA Scheme responsibilities and obligations.
Minimise the risk of unauthorised access, sharing or loss of data
The entity is able to minimise the risk of unauthorised access, sharing or loss of data (s 77(1)(b) of the Act), evidenced by:
- Identified role/s responsible for the organisation’s security (Chief Security Officer or equivalent). This role may be one of, or in addition to, the roles identified elsewhere in the application.
- A governance body or bodies responsible for physical, ICT and data security governance.
- Organisational policies and practices that document roles, responsibilities and processes for managing and governing physical, ICT and data security.
  These should demonstrate a risk-based approach to data security, be comparable to the guidance provided in the Protective Security Policy Framework (PSPF), and must include:
  - a security policy or plan that covers data/ICT and identifies security risk owners, stewards or managers
  - a plan or process for security incident reporting, investigation, monitoring or response
  - currency with recognised security standards
  - policies and procedures that address:
    - physical security controls
    - application controls for workstations and servers
    - vulnerability controls for applications and operating systems
    - application hardening controls for web and software applications
    - configuration controls for macros
    - administrative controls for account access
    - user and authentication controls
    - data security incident management
    - ICT equipment management.
- Controls for scheme data:
  - there is an approach to identifying scheme data, which may be information classification markings
  - scheme data containing personal information must be held in Australia
  - scheme data must be hosted by providers certified under the Digital Transformation Agency Hosting Certification Framework (or equivalent)
  - data backups and archives are held in Australia and are protected
  - cryptography arrangements must be in place for scheme data in transit and at rest.
  This risk can also be addressed through the organisation nominating to:
  - only store and manage data accessed through the DATA Scheme on a network that is rated Protected according to the Protective Security Policy Framework.
- Workforce governance addresses personnel risks to data:
  - workforce vetting practices include identity and reference checks
  - staff in data roles who are based overseas can be identified
  - workforce offboarding measures include the revocation of access to data and systems where data is held.
Skills and capability
The entity has the necessary skills and capability to ensure the privacy, protection and appropriate use of data including the ability to manage risks in relation to those matters (s 77(1)(c) of the Act), evidenced by:
- Identified data specialist roles:
  - data analyst; and
  - data manager or data policy/governance.
  These may be one of, or in addition to, the roles identified elsewhere in the application.
- Organisational policies and practices supporting data skills and capability show formal practices around data and include:
  - identified data analytics expertise, with common use of data analysis software packages to produce meaningful information
  - an established way of communicating about and describing data
  - ongoing support for staff data capability uplift
  - for staff who regularly interact with data, regular mandatory training that covers:
    - data responsibility
    - security awareness
    - privacy.
- Training for staff about the DATA Scheme.
ADSP Services
The entity has the necessary policies, practices, skills and capability to perform de-identification data services (s 77(1A)(a) of the Act), evidenced by:
- Policies and practices for the provision of services:
  - data dissemination and release policy (or similar)
  - confidentiality policy, processes or equivalent documentation
  - confidentiality and output checking manual, guide, policies, processes or equivalent
  - details of arrangements for vetting, confidentialising and monitoring outputs, including clearance
  - policies, processes and methodology for managing disclosure risk and de-identifying data (e.g. suppression, aggregation, perturbation)
  - risk management processes and application of the DATA Scheme Data Sharing Principles
  - associated governance bodies (e.g. a disclosure review committee)
  - incident management procedures/plan and incident register, including for data confidentiality breaches.
- Skills and capabilities for the provision of services:
  - role-specific training and training schedule to build and maintain skills and capability
  - role descriptions demonstrating specific expertise
  - proven track record of successful delivery of projects.
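As an added illustration of the treatments this list names (aggregation, suppression and perturbation) and of the output check that precedes clearance, the following Python example runs all three over a small constructed microdata file. It is not the page's own material: the records are made up, and the minimum cell count of 5 and the random rounding base of 3 are assumed rules for the example, not DATA Scheme requirements.

```python
from collections import Counter
import random

# Constructed sample microdata (postcode, age, outcome); not real records.
MICRODATA = [
    ("2600", 34, "yes"), ("2600", 37, "yes"), ("2600", 31, "no"),
    ("2600", 39, "yes"), ("2600", 35, "yes"), ("2600", 62, "no"),
    ("2601", 45, "yes"), ("2601", 48, "no"), ("2601", 41, "yes"),
    ("2601", 44, "yes"), ("2601", 49, "yes"), ("2601", 43, "no"),
]
MIN_CELL = 5  # hypothetical clearance rule: no released cell may count fewer than 5 units


def age_band(age, width=10):
    """Aggregation: collapse an exact age into a 10-year band such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def tabulate(records):
    """Count records by (postcode, age band); exact ages never leave this step."""
    return Counter((pc, age_band(age)) for pc, age, _ in records)


def suppress(table, threshold=MIN_CELL):
    """Primary suppression: cells below the threshold are blanked (None)."""
    return {cell: (n if n >= threshold else None) for cell, n in table.items()}


def random_round(n, base=3, rng=random):
    """Perturbation: unbiased random rounding to a multiple of `base`, so a
    released count cannot be read back as the exact underlying count."""
    if n is None or n % base == 0:
        return n
    down = n - n % base
    return down if rng.random() < 1 - (n % base) / base else down + base


def treat(records, seed=0):
    """Treatment pipeline in the order the page lists it: aggregate, suppress, perturb."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    return {cell: random_round(n, rng=rng) for cell, n in suppress(tabulate(records)).items()}


def output_check(table, threshold=MIN_CELL):
    """Output check before clearance: cells that still show a positive count below threshold."""
    return sorted(cell for cell, n in table.items() if n is not None and 0 < n < threshold)
```

Running `output_check` on the raw tabulation flags the single-person cell for postcode 2600 aged 60-69; after treatment it is suppressed and the remaining counts are rounded.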
The entity has the necessary policies, practices, skills and capability to perform secure access data services (s 77(1A)(b) of the Act), evidenced by:
- Policies and practices for the provision of services:
  - processes relating to secure data access arrangements, including secure file transfer protocols and virtual, remote or on-site data laboratories
  - output vetting processes
  - arrangements for recording, monitoring and auditing access sessions
  - arrangements for releasing, vetting and managing dissemination and publication of results and outputs
  - provision of data analytics software and appropriately treated microdata files
  - Information Security Registered Assessors Program (IRAP) assessment(s) for in-scope environments (regular and ongoing).
- Skills and capabilities for the provision of services:
  - role-specific training and training schedule to build and maintain skills and capability
  - role descriptions demonstrating specific expertise
  - processes for managing authorised users, including induction, training and confidentiality agreements
  - experience creating appropriately treated microdata files to manage disclosure risk
  - proven track record of successful delivery of services.
- Documentation, processes and guidance to support service users:
  - use of data access arrangements
  - data and metadata catalogues, registries or inventories, and guidance on their use
  - information on available software
  - information on user training provided, and demonstration that staff have relevant skills and/or experience to deliver the training
  - query, complaint and request mechanisms
  - support services for users/researchers, such as clearing outputs or code, import functionality, linking, query management, expert advice and training.
The entity has the necessary policies, practices, skills and capability to perform complex data integration services (s 77(1A)(c) of the Act), evidenced by:
- Policies and practices for the provision of services:
  - onboarding processes such as:
    - security clearances
    - security briefings specific to the data integration environment
    - legislative considerations
    - conditions of use
    - roles and responsibilities
    - conflicts of interest
    - remote working arrangements.
  - management and governance arrangements, including but not limited to:
    - project-level data integration plans (or similar)
    - Privacy Impact Assessment threshold assessment, and a Privacy Impact Assessment where required
    - data retention and deletion plans
    - incident management and response plans
    - data minimisation and output vetting
    - secure transfer mechanisms and procedures (e.g. authority model, justifications and approvals)
    - approach to implementing the separation principle:
      - access control
      - external separation
      - storage separation
      - analysis separation
    - role-based access controls and user management processes
    - regular auditing schedule
    - internal/external audits, including secondary audits (at file and user level).
  - Information Security Registered Assessors Program (IRAP) assessment(s) for in-scope environments (regular and ongoing)
  - restricted or limited external connectivity
  - proven track record of successful delivery of services.
- Skills and capabilities for the provision of services:
  - role-specific training and training schedule to build and maintain skills and capability
  - role descriptions demonstrating specific expertise
  - dedicated technical support.
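As an added, simplified illustration of the separation principle listed under the data integration arrangements above (external, storage and analysis separation), the following Python sketch lets only the linkage step see identifying fields and hands analysts content keyed by a project-specific linkage key. This is not the page's own material nor any integrating authority's code; the two source files, the name standardisation and the HMAC-derived linkage key are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed records from two hypothetical custodians; not real data.
SOURCE_A = [{"name": "ann lee", "dob": "1980-01-02", "visits": 3},
            {"name": "bob roy", "dob": "1975-05-06", "visits": 1}]
SOURCE_B = [{"name": "Ann Lee", "dob": "1980-01-02", "benefit": "yes"},
            {"name": "cy dao", "dob": "1990-09-09", "benefit": "no"}]
IDENTIFYING = ("name", "dob")


def split(records, source):
    """External separation: the custodian sends identifiers and content as
    two separate files, joined only by a per-source record number."""
    ids = [(f"{source}-{i}", {k: r[k] for k in IDENTIFYING})
           for i, r in enumerate(records)]
    content = [(f"{source}-{i}", {k: v for k, v in r.items() if k not in IDENTIFYING})
               for i, r in enumerate(records)]
    return ids, content


def link(id_files, project_key):
    """Linkage unit: sees identifiers only and returns record number -> linkage
    key.  The key is an HMAC under a project-specific secret held by the linkage
    unit, so keys issued for different projects cannot be joined to each other."""
    keymap = {}
    for rec_no, ident in id_files:
        canon = f"{ident['name'].strip().lower()}|{ident['dob']}"  # simple standardisation
        keymap[rec_no] = hmac.new(project_key, canon.encode(), hashlib.sha256).hexdigest()[:16]
    return keymap


def analysis_file(content_files, keymap):
    """Analysis separation: analysts receive content merged on the linkage key
    and never the identifiers, which stay in the separately stored id files."""
    merged = {}
    for rec_no, content in content_files:
        merged.setdefault(keymap[rec_no], {}).update(content)
    return merged


def integrate(project_key):
    """Run the three stages; only link() ever touches identifying fields."""
    ids_a, content_a = split(SOURCE_A, "A")
    ids_b, content_b = split(SOURCE_B, "B")
    keymap = link(ids_a + ids_b, project_key)
    return analysis_file(content_a + content_b, keymap)
```

The same person appearing in both sources is merged into one analysis record, while a different project secret yields unrelated keys for the same people.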