Protective security measures and safe data management practices are essential to ensure that information held in confidence by the Australian government (as data custodian) is safeguarded from unauthorised access, disclosure, loss or misuse. It is critical that adequate protections are in place for data integration projects because integrating datasets creates new combinations of data, which in turn increases the likelihood that an individual or organisation may be identified in the data.
Most Commonwealth agencies are subject to mandatory requirements detailed in the Australian Government Protective Security Policy Framework. Compliance will satisfy data security requirements for data integration projects.
There are three core protective security policies that together safeguard government information assets from unauthorised access or harm:
- Personnel security- ensuring that access to information is provided on a strict need to know basis only to people who have been assessed as suitable.
- Physical security- preventing unauthorised access or harm to government resources, including information assets, through physical control measures such as entry barriers and security systems.
- Information and communication technology security– having in place operational procedures and technical control measures to manage access, transmission, storage and disposal of information.
All data integration projects using Commonwealth data should comply with these core policies. In addition, data integration projects that are considered high risk will need to be undertaken in a very secure environment by an accredited Integrating Authority. The accreditation process for integrating authorities examines an agency’s ability to ensure secure data management, technical capability and how the disclosure of identifiable information will be prevented.
Other topics in this section relating to the Commonwealth arrangements for statistical data integration are:
- Scope of the Commonwealth arrangements
- Risk framework
- Legal and policy considerations
- Accreditation
- The separation principle
- Data security
- Data management
- Data breaches