Outsourcing or working in partnership

It is a requirement of the High Level Principles that a single integrating authority be identified for each statistical data integration project to manage the project from start to finish. The governance and institutional arrangements also require the integrating authority to be accredited if the project is assessed as high risk. However, it is possible for an integrating authority to outsource or involve consortium/partnership arrangements to complete a project. For example, it might use another agency to create linkage keys, or it may use infrastructure provided by another agency to support dissemination or access to the integrated dataset by data users.

To ensure that the lines of accountability are clear, it is recommended that the integrating authority responsible for the project perform the merging and confidentialising of the data to be used for the research project.The merging of linked datasets and confidentialising of the integrated dataset are key functions, and are where most of the risks of an unauthorised disclosure lie.

Where consortium/partnership/outsourcing arrangements are used, these should be consistent with:

  1. Commonwealth governance and institutional arrangements;
  2. legislative requirements; and
  3. other specific requirements of data custodians.

For example, if an integrating authority uses another agency to undertake linkage services (e.g. to produce project specific statistical linkage keys to be included on the source data files) then that agency should be authorised to access identifiable data and should have appropriate legal and policy protections in place (see the Legal and Policy Considerations topic for further details).

Using consortium arrangements for high risk projects

An accredited Integrating Authority wanting to conduct high risk projects using consortium/partnership/outsourcing arrangements will need to have those arrangements reviewed by the Oversight Board (unless they’re working with other accredited agencies, or are using infrastructure provided by another party, discussed below). It is the integrating authority’s responsibility to ensure that the accreditation application and associated audit covers the consortium arrangements if these will be standing arrangements for that integrating authority. The accreditation relates only to the applicant organisation and does not extend to other organisations providing infrastructure or services.  

Consortium arrangements between two accredited Integrating Authorities

Where consortium arrangements exist between two accredited Integrating Authorities, one of those accredited Integrating Authorities is to retain responsibility for the day to day management of a particular high risk project. If such consortium arrangements are in place, it is recommended for the integrating authority managing the project to notify the Oversight Board of these arrangements.

The notification to the Oversight Board can be done either in the application for accreditation (where the arrangements are likely to be ongoing and are known before the integrating authority applies for accreditation) or as a separate notification to the Board via the Secretariat (where the use of a consortium approach is either a ‘one-off’ arrangement or is an arrangement entered into after an integrating authority has been accredited).

For low or medium risk projects, details of any outsourcing or partnership arrangements should be detailed in the agreement between the integrating authority and the data custodians.

Using infrastructure provided by a third party

If an accredited Integrating Authority is using infrastructure provided by another party (e.g. remote data lab facilities to provide data users with secure access to data, such as the Secure Unified Research Environment (SURE)), then the use of this infrastructure does not need to be reviewed by the Oversight Board. The integrating authority will be held accountable for the safe conduct of data integration projects and will need to ensure that the use of such infrastructure complies with commitments made to data custodians and meets the requirements of the interim accreditation criteria. It is recommended to note the use of such infrastructure in the application for accreditation where the arrangements are likely to be ongoing and are known before the integrating authority applies for accreditation.

For more information about steps in finalising project details see: