Project application and approval

The following steps are suggested for proposing and seeking approval for a statistical or research data integration project involving Commonwealth data. Most of the steps should align with existing project approval procedures, with some additional steps incorporated to reflect the requirements of the Commonwealth arrangements. The degree of formality used to address these steps is likely to vary depending on the nature of the project and the relationship between the parties involved.

1. Project proposal - the data user develops a project proposal 1 and contacts data custodians seeking approval.

2. In Principle approval - the data custodian(s) consider the proposal, ensuring the project is in scope of the Commonwealth arrangements, assessing the legislative or other authority to release the data for the project purpose, and conducting a risk assessment. 2

3. Appoint an integrating authority - the data custodians appoint an integrating authority who will be responsible for the ongoing management of the project. To conform with the high level principles, the integrating authority must be accredited if the project has been assessed as high risk.

4.Finalise project details - the integrating authority, in consultation with the data custodians and the data users, finalises the details of the project including the methodology, application of the separation principle where required, reviewing the identified risks and the mitigation strategies, and data security and data management arrangements. They also negotiate and draft agreements with data custodians and users as part of this process.

5. Final approval - by this stage all necessary approvals will have been obtained (for example, Ethics Committee approval). The final approval from the data custodians for the project to proceed will be confirmed as a result of signed project agreements between data custodian(s) and the integrating authority and between the integrating authority and data user. The integrating authority will register the project including the submission of the risk assessment.

Following submission of the risk assessment, the Oversight Board has ten working days to raise any concerns relating to unacceptably high systemic risk or inadequate risk mitigation. However, this review period does not delay the project which can proceed as soon as data custodians have given their final approval for the project and agreements have been signed.  At this point the project moves to the Project delivery phase.

  1. In some circumstances an integrating authority or an authorised representative of a data custodian may assist with the preparation of the project proposal. However, the final decision on which integrating authority to appoint for the project will remain subject to the outcome of the risk assessment and the agreement of all data custodians
  2. In some circumstance, an integrating authority or an authorised representative of a data custodian may assist data custodians with some aspects of this work, including the risk assessment. However, the final decision on which integrating authority to appoint for the project will remain subject to the outcome of the risk assessment and the agreement of all data custodians.