The Department of Social Services (DSS) aims to deliver creative policy options and solutions for Government and improve the lifetime wellbeing of people and families in Australia. This is achieved through the development of evidence-based policies, managed programs, grant allocations, and research and regulation activities.
DSS complies with the High Level Principles for Data Integration Involving Commonwealth Data for Statistical and Research Purposes (‘High Level Principles’), endorsed by Portfolio Secretaries on 3 February 2010.
This means that all DSS data integration projects:
- only occur where they provide significant benefit to the public,
- are only conducted for statistical and research purposes (not for compliance or administrative purposes),
- must minimise any potential impact on privacy and confidentiality, and
- are conducted in an open and accountable way.
Alignment with the Australian Bureau of Statistics (ABS)
All DSS data integration projects and processes are aligned to the methodologies and protocols used by the Australian Bureau of Statistics (ABS). In April 2012 the ABS became the first agency to be accredited as an Accredited Integrating Authority under the Commonwealth data integration interim arrangements.
In its role as an accredited Integrating Authority, DSS will adopt the ABS’ operational procedures for protecting Australians’ personal information. These include:
- All DSS staff sign undertakings of secrecy and fidelity which are legally binding agreements.
- To protect the identities of individuals and organisations, DSS separates identifying variables from content variables and information is stored on separate secure servers.
- DSS staff can see only the information required for specific linking or analysis. No-one can see identifying information in conjunction with content data.
DSS will only undertake data integration for statistical and research purposes and where there is a strong public benefit in doing so. The Department has internal governance procedures to thoroughly vet applications for proposed data integration projects.
DSS is committed to upholding the privacy, confidentiality and security of the information it collects. Not only does DSS have strong legislative protections that safeguard an individual’s information, it has also modelled its approach to data integration on that of the ABS, which has a proven record of over 110 years in the way it collects, uses, discloses and stores personal information.
Risk Assessment Guidelines
DSS has also adopted a risk framework based upon the ABS’ Data Integration Involving Commonwealth Data for Statistical and Research Purposes: Risk Assessment Guidelines (December 2013). The Risk Assessment Guidelines are embedded in the governance and institutional framework that supports the High Level Principles for all data integration projects. These Guidelines help Commonwealth agencies assess the level of risk of data integration projects to determine if a project should proceed, and identify whether an Accredited Integrating Authority is required to manage the project. The risk assessment guidelines are intended to provide a set of ‘rules of thumb’ rather than definitive advice.
Under the High Level Principles, all data integration projects must undergo a structured risk assessment to ensure agencies focus on any risk of a breach to confidentiality and privacy.
The risk assessment guidelines take a number of dimensions into account including:
- nature of data collection
- technical complexity
- managerial complexity
- duration of project
- how the data is to be linked, and
- nature of access
The risk assessment guidelines also provide a framework made up of two parts:
- Likelihood, which measures the potential for a breach to occur
- Consequence, which measures the potential outcome of any breach, including harm to the data provider (including humiliation) and any negative consequences for agencies, including a reduction in public trust in the Commonwealth’s ability to store and protect sensitive data.
2. Data Integration Governance
Data Integration Policy
Consistent with the broad principles mentioned earlier, all data integration projects undertaken in DSS must include the following elements of data integration policy:
- To minimise any potential impact on privacy and confidentiality, the separation principle must be applied when the linkage involves personal information.
- Data integration projects must undergo a Privacy Impact Assessment (PIA), based on guidelines issued by the Office of the Australian Information Commissioner, if they:
  - are assessed as high risk, post-mitigation, or
  - use personal information (as defined by the Privacy Act 1988).
- A risk assessment must be undertaken for all data integration projects. The risk assessment must be guided by the Risk Assessment Guidelines agreed upon as part of the Commonwealth Arrangements for Data Integration Involving Commonwealth Data.
- Data integration projects require approval by the Data and Projects Sub-committee if they are assessed as ‘high risk’, post-mitigation.
- Data linkage must not commence until approval has been granted. However, preparations for linkage can be made so long as they are in keeping with the principles and arrangements of this policy.
- A data custodian must agree in writing that DSS can use their data in a data integration project before data can be linked.
- Data linkage where personal information is involved must only be conducted within DSS’ dedicated Data Access and Integration section.
- Data must not be linked if a specific commitment has been made to data providers that their information will not be used for data integration.
Approval of project proposals
All Data Integration Project Proposals completed within DSS will be submitted for approval through the Data Access and Integration section in the Data Strategy and Development Branch.
This project proposal must:
- Detail any legislative requirements of the datasets involved including documenting that there is appropriate legislation allowing release of the data to DSS, and that it can be used for statistical purposes;
- Ensure data custodian consent for the use of all source datasets is appropriately documented;
- Ensure the data has been brought into DSS under the Social Security Act 1991 or document what alternative arrangements may be in place;
- Explain the main method of linkage and what infrastructure will be used;
- Detail any plans for retention of the integrated dataset;
- Explain how the project will be communicated to the general community and whether there will be any community consultation regarding the project;
- Explain who the users of the integrated dataset will be and what outputs from the project will be produced;
- Illustrate how the project provides significant public benefit and safeguards privacy; and
- Attach a Privacy Impact Assessment where required.
Projects assessed as ‘low’ or ‘medium’ risk require approval from both the Branch Manager of the Data Strategy and Development Branch (the ‘delegate’) and the Director of the Data Access and Integration section (the ‘administrator’) before data linkage can take place.
Projects assessed as ‘high risk’ will be conducted within DSS’ authority as an Accredited Integrating Authority. As such, these projects require approval from the Data and Projects Sub-committee, informed by an accompanying assessment by the Data Access and Integration section, Data Strategy and Development Branch, before data linkage can commence.
Data security and confidentiality
DSS regularly collects a range of potentially sensitive information from individuals, businesses and service providers. The Department therefore maintains strong security practices to ensure the security and confidentiality of all the information it holds. These include:
- Strong security arrangements for all DSS information technology systems. The Department conforms with IT security arrangements set out in the Australian Government Information Security Manual, and also has customised Protective Security Policies for effective information, personnel and physical security.
- Strict control of access to all DSS premises and areas in accordance with the Australian Government's Protective Security Policy Framework, to ensure compliance with legislative responsibilities. Access to all DSS premises is at all times restricted to approved persons and is controlled by the use of electronic access control systems, sign-in registers and contract guards.
- Appropriate personnel security arrangements. In particular, upon appointment all DSS staff undergo pre-employment checks, security checks and additional background checks for identified positions as required, and are required to sign a Declaration of Confidentiality upon commencing employment or on reassignment or promotion from an external agency. This ensures DSS staff are aware of their privacy, confidentiality and secrecy obligations under Commonwealth law.
- An internet gateway secured in accordance with the controls listed in the Information Security Manual to the PROTECTED level. Its design has a number of aspects, including firewalls, micro-segmentation and intrusion protection.
- A password-protected Remote-Access Research Gateway (RARG), established by the Department of Social Services so that only accredited researchers can analyse de-identified data about individuals using statistical programming languages in a Secure Unified Research Environment (SURE), supported by the Australian Institute of Health and Welfare (AIHW). The Department commissioned an independent Information Security Risk Assessment for the Research Gateway Project, using an Australian Signals Directorate (ASD) accredited Information Security Registered Assessors Program (IRAP) Assessor. The Assessment advised that the approach taken by the Department provides appropriately secure services and facilities for the data provided to accredited researchers, and that penetration testing and subsequent remedial actions are sufficient.
- Regular Protective Security risk reviews to ensure that security arrangements continue to be effective; and
- An ongoing program of security audits and reviews of computer systems and the physical environment.
Confidentiality and limited data access
The most fundamental strategy for handling confidential data is limiting access to those who need it. Consequently, DSS staff who are involved in data integration only have access to the specific data as is required for their work. Access to data is granted by the custodians of the datasets on a ‘need to know’ basis. All access is logged and monitored.
Rigorous technical, operational and governance controls are implemented at each stage of the data integration process. Regular audit and review procedures are also undertaken.
All DSS officers are bound by strict secrecy provisions and sign a Declaration of Confidentiality to ensure that they are aware of their responsibilities around data privacy.
Unauthorised access to, or use of, protected information is punishable by imprisonment for a term not exceeding two years. These protections apply to all data collected by DSS, and to any linked datasets produced using this data.
A list of DSS Data Access Policy Principles is shown below.
DSS Data Access Policy Principles
The Department of Social Services is committed to realising the value of its data holdings and the information contained within them, and to making these available for public access and use. The data held by the Department are national assets for both the Government and the Australian public.
The following principles guide data access within the Department.
Principle 1: DSS should permit as much public access to data as possible, while protecting the privacy and confidentiality of individuals and organisations.
Principle 2: Data access must comply with relevant legislation, interagency agreements and information protocols.
Principle 3: Data access must be considered as standard practice.
Principle 4: Aggregate or summary data should be easy to access.
Principle 5: DSS retains all relevant legal responsibility for social services unit record data at all times.
Principle 6: DSS should grant controlled access to unit record data.
Principle 7: Only the unit record data essential to meet the purpose of the request shall be accessed.
Dissemination of data
The Department has considerable expertise in protecting the confidentiality of those who provide information. DSS has put in place a range of procedures to ensure these obligations are met.
As with the release of any DSS data, a range of techniques are applied to the data to ensure the privacy of individuals’ information contained in an integrated dataset. These include:
- Removing all directly identifying information such as names/addresses or government identifiers
- Ensuring data items are unlikely to identify respondents by applying a number of different statistical confidentialisation methods (such as ‘top coding’, collapsing categories, or making other minor adjustments)
- Providing access in different ways depending on the level of detail required
- Requiring individual users and their employing organisations to sign legally enforceable undertakings that restrict how they use the data
- Raising awareness in users as to why it is vital to keep data confidential and what that means in practice when they are using the files and publishing results.
A high-level DSS committee (the Data and Projects Sub-committee) reviews these methods prior to release of any dataset classified above ‘low risk’ to ensure data is not released in a manner likely to enable identification of an individual, business or service provider.
Prior to the approval process, the Data Policy and Governance section conducts a risk assessment and reviews the application to determine whether the project requires a Threshold Assessment, Privacy Impact Assessment (PIA) or Information Security Assessment to be undertaken.
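The following Python is an added illustration of the confidentialisation methods listed above (removing direct identifiers, top coding, collapsing categories); it is not DSS code, and the records, field names, thresholds and age bands are constructed assumptions for the example.

```python
from collections import Counter

# Constructed unit records (not real people); 'crn' stands in for a government identifier.
RECORDS = [
    {"name": "Alice Example", "address": "1 Sample St", "crn": "000000001",
     "age": 71, "income": 42_000, "payment": "Age Pension"},
    {"name": "Bob Sample", "address": "2 Sample St", "crn": "000000002",
     "age": 34, "income": 310_000, "payment": "JobSeeker"},
    {"name": "Carol Fixture", "address": "3 Sample St", "crn": "000000003",
     "age": 68, "income": 39_500, "payment": "Age Pension"},
    {"name": "Dan Placeholder", "address": "4 Sample St", "crn": "000000004",
     "age": 52, "income": 88_000, "payment": "Carer Payment"},
    {"name": "Frank Mock", "address": "6 Sample St", "crn": "000000006",
     "age": 80, "income": 27_000, "payment": "Age Pension"},
]

DIRECT_IDENTIFIERS = {"name", "address", "crn"}
INCOME_TOP = 150_000          # top-code threshold (assumed value)
AGE_BANDS = [(0, 24, "0-24"), (25, 44, "25-44"), (45, 64, "45-64"), (65, 200, "65+")]
MIN_CATEGORY_COUNT = 3        # categories rarer than this are merged into 'Other'

def top_code(value, cap):
    """Replace extreme values with the cap so outliers cannot single out a person."""
    return min(value, cap)

def age_band(age):
    """Collapse an exact age into a band."""
    for lo, hi, label in AGE_BANDS:
        if lo <= age <= hi:
            return label
    raise ValueError(f"age out of range: {age}")

def collapse_rare(records, field, min_count, other="Other"):
    """Merge categories with fewer than min_count records into one bucket."""
    counts = Counter(r[field] for r in records)
    for r in records:
        if counts[r[field]] < min_count:
            r[field] = other

def confidentialise(records):
    """Return release-ready copies: identifiers removed, income top-coded, age banded, rare payment types collapsed."""
    out = []
    for r in records:
        c = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        c["income"] = top_code(c["income"], INCOME_TOP)
        c["age"] = age_band(c["age"])
        out.append(c)
    collapse_rare(out, "payment", MIN_CATEGORY_COUNT)
    return out
```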
3. Data Linkage Procedures
The Separation Principle
DSS adheres to the separation principle identified by the ABS’ National Statistical Service (NSS), as outlined in ‘A Guide for Data Integration Projects Involving Commonwealth Data for Statistical and Research Purposes’. The Department does so by implementing functional separation of roles in all data integration projects.
Functional separation means that staff undertaking data linkage projects are assigned to different roles so that no one has the ability to access the identifying details of an individual at the same time as accessing other information about that individual or business.
Where data is provided to DSS for the purposes of data integration, datasets containing identifying information to be used during data linkage are either:
- supplied separately from those containing other information for analysis (content data), or
- separated immediately upon receipt.
These separate datasets are then also stored separately and securely. These procedures ensure that an individual's identity remains protected during the linking and analysis process.
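As an added illustration (not DSS code or procedure), the following Python models the separation principle described above: identifiers and content are split on receipt, a linkage role that sees only identifiers matches records into a project-specific key, and an analysis role joins content on that key without ever holding identifiers. The source records, field names and the exact-match rule are constructed assumptions.

```python
import secrets

IDENTIFYING = {"name", "dob"}  # identifying variables; everything else is content
# Constructed sample records (not real people), as received from two custodians.
SOURCE_A = [
    {"name": "Alice Example", "dob": "1980-01-01", "payment": "Age Pension"},
    {"name": "Bob Sample", "dob": "1975-05-05", "payment": "JobSeeker"},
]
SOURCE_B = [
    {"name": "Alice Example", "dob": "1980-01-01", "postcode": "2600"},
    {"name": "Carol Fixture", "dob": "1990-09-09", "postcode": "3000"},
]

def split_on_receipt(records, source):
    """Separate identifiers from content on receipt; the halves share only a random record id."""
    identifiers, content = [], []
    for rec in records:
        rid = f"{source}-{secrets.token_hex(4)}"
        identifiers.append({"rid": rid, **{k: rec[k] for k in IDENTIFYING}})
        content.append({"rid": rid, **{k: v for k, v in rec.items()
                                       if k not in IDENTIFYING}})
    return identifiers, content

def linkage_role(ids_a, ids_b):
    """Linkage staff see identifiers only. They match records and return a
    concordance {rid: linkage key}; the key is random per project so it
    cannot be reused to re-identify people across projects."""
    key_for, concordance = {}, {}
    for rec in ids_a + ids_b:
        ident = (rec["name"].lower(), rec["dob"])  # simple exact-match rule (assumed)
        key_for.setdefault(ident, secrets.token_hex(8))
        concordance[rec["rid"]] = key_for[ident]
    return concordance

def analysis_role(content_a, content_b, concordance):
    """Analysts see content only, joined on the linkage key; no identifiers."""
    linked = {}
    for rec in content_a + content_b:
        fields = {k: v for k, v in rec.items() if k != "rid"}
        linked.setdefault(concordance[rec["rid"]], {}).update(fields)
    return linked

def run_linkage():
    ids_a, content_a = split_on_receipt(SOURCE_A, "A")
    ids_b, content_b = split_on_receipt(SOURCE_B, "B")
    linked = analysis_role(content_a, content_b, linkage_role(ids_a, ids_b))
    # Invariant of the separation principle: analysis output never carries an identifier.
    assert not any(IDENTIFYING & set(rec) for rec in linked.values())
    return linked
```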