The appointment of an integrating authority for each statistical data integration project (or family of projects) is “an essential pillar of establishing a safe and effective environment for data integration involving Commonwealth data” (see Governance and Institutional Arrangements). For projects assessed as posing a high risk, the integrating authority must be accredited, that is, they must be approved by the Cross Portfolio Data Integration Oversight Board (the Oversight Board) as having the capacity to deal with high risk data integration projects.
An interim accreditation scheme for integrating authorities has been established to develop and test the system. During this testing phase, only Commonwealth government agencies will be accredited. Once these interim arrangements have been reviewed, the Oversight Board will be in a position to consider finalising the arrangements and extending the scheme beyond the Commonwealth government.
The accreditation scheme is an administrative arrangement which does not override legislation. All legal obligations (for example, with regard to the Privacy Act 1988 or privacy and secrecy provisions in agency-specific legislation) must still be met. Regardless of whether or not the integrating authority is accredited, the data custodian must be authorised to release identifiable data to that integrating authority, either by their legislation or by consent from the data provider, where this is not precluded by legislation (see Legal and policy considerations).
Who can apply for accreditation?
The interim accreditation scheme is designed to recognise a relatively small number of agencies that have the requisite expertise, skills and knowledge, infrastructure and secure environment to undertake high risk data integration projects involving Commonwealth data for statistical and research purposes. It is a requirement of the Oversight Board that all applicants for accreditation be subject to privacy legislation (either the Privacy Act 1988 or a state/territory equivalent).
During the early implementation phase, only Commonwealth agencies will be approved for accreditation so that the system can be fully tested and evaluated before it is extended beyond the Commonwealth. This does not preclude State government agencies or other data users from applying for access to Commonwealth data for research purposes.
The accreditation process
There are four key steps to become accredited:
- self-assessment: an agency applies for accreditation by completing a self-assessment against eight criteria.
- an audit by an independent third party to substantiate the claims made against the eight accreditation criteria in the self-assessment are factual (largely through documentary evidence).
- a decision by the Oversight Board on whether to grant the agency accreditation to undertake high risk data integration projects, based on their self-assessment and the audit report.
- inclusion on a published list of accredited Integrating Authorities, together with a summarised version of the integrating authority’s application (with commercial-in-confidence information removed by the successful applicant) and a summary of the audit report (see the accredited Integrating Authorities page on the NSS website). Applications by agencies that have been accredited are a useful resource for applicants when preparing their self-assessment.
Commonwealth data integration accreditation has recently undergone a period of review. The interim Data Integration Accreditation Subcommittee Secretariat can provide information on the governance and application process.
Please email dsdg-coord [at] pmc.gov.au
For further guidance for completing the self-assessment report, including advice on documentation to support the claims made in the accreditation application see Applying for accreditation.
Detailed information about the interim accreditation process, including a full description of the eight criteria for accreditation and a proforma for the self-assessment report, is available in the ‘Interim accreditation process for integrating authorities’ document.
Accreditation criteria
The eight criteria integrating authorities must meet to gain accreditation are:
- ability to ensure secure data management;
- demonstrated ability to ensure that information that is likely to enable identification of individuals or organisations is not disclosed to external users;
- availability of appropriate skills;
- appropriate technical capability;
- lack of conflict of interest;
- culture and values that ensure protection of confidential information and support the use of data as a strategic resource;
- transparency of operation; and
- appropriate governance and administrative framework.
These eight criteria are described in full in the ‘Interim accreditation process for integrating authorities’ document. Advice on documentation to support the claims made against the criteria is provided in the next section, Applying for accreditation.
Accreditation audit
Under the interim accreditation arrangements, the integrating authority seeking accreditation is responsible for obtaining an independent audit of their self-assessment against the accreditation criteria. They are also responsible for the associated costs of the audit which are expected to be in the order of $15,000 to $20,000. Internal procurement procedures should be followed when engaging an audit provider. [1. The Secretariat can provide a list of auditors who have audited previous applications for accreditation if required.]
The auditor is expected to conduct audit procedures in accordance with applicable Standards on Assurance Engagements (ASAE 3100 Compliance Engagements) to verify the statements of claim made in the self-assessment as measured by the documentary evidence provided. The auditor is not expected to test the design of processes and controls in relation to compliance with the subject matter or the operating effectiveness of such processes and controls.
To make the audit as efficient and cost-effective as possible, every statement made in the self-assessment should be succinct, avoid qualitative statements, supported with documented evidence and clearly reference the specific sections of the documents that support each claim made in the application.
Submitting an application for accreditation to the Oversight Board
A copy of the auditor’s report, together with the applicant’s self-assessment against the accreditation criteria, should be forwarded to the Secretariat for submission to the Oversight Board when they next meet. The Oversight Board aims to consider each application as soon as reasonably practical after lodgement, but it only meets a limited number of times during the year.
The Secretariat will prepare a brief covering note with the application, summarising any key information contained in the application or the audit report to facilitate the Board’s decision.
The Oversight Board will make the decision whether to approve or reject the application for accreditation and advise the applicant of their decision in writing. If the Oversight Board decides to reject an application they will provide reasons why they are not currently satisfied that the accreditation criteria have been met.
Applications for accreditation may be re-submitted to the Oversight Board once the concerns of the Board have been addressed. Any criteria that did not satisfy the Oversight Board with the first application should be re-audited before the application is re-submitted.
Information about the audit process, including the Terms of Reference for Audits of Integrating Authorities, is outlined in the document ‘Interim accreditation audit’, available from the National Statistical Service website.
Other topics in this section relating to the Commonwealth arrangements for statistical data integration are:
- Scope of the Commonwealth arrangements
- Risk framework
- Legal and policy considerations
- Accreditation
- The separation principle
- Data security
- Data management
- Data breaches
1. The Secretariat can provide a list of auditors who have audited previous applications for accreditation if required.