Data Integration Projects - How to determine the risk level - Key concepts
Projects in Scope series
- What's in scope?
- Public register of Data Integration Projects
- How to determine the risk level
- Key Concepts
- Risk Assessment Process
- Risk Assessment Guidelines
- Appendix A
Key concepts in the Guidelines fall under two key headings: the players in the process, and risk concepts in the Guidelines. The players are individuals and organisations that take part in the integration process, while the risk concepts are key terms used throughout the Guidelines.
Players in the process
A data custodian:
- is an agency accountable for managing the use, disclosure and protection of its data.
- operates within legislative authority (where it exists) to provide data to integrating authorities for integration.
- remains accountable for the data it has responsibility for throughout the integration process (Endnote 4).
- approves data integration projects and appoints an integrating authority.
- consults with other data custodians and the integrating authority to ensure all appropriate risk assessments are undertaken.
Where there is more than one data custodian, a lead data custodian may be appointed by the data custodians to compile the risk assessments.
In this framework, the term data custodian refers to either the sole data custodian, the lead data custodian where appointed, or custodians jointly where there are multiple custodians and no lead custodian.
An integrating authority:
- is an organisation appointed by the data custodian to integrate two or more datasets, at least one of which is a Commonwealth dataset.
- is the single agency (Endnote 5) accountable for the sound conduct of the integration project, including ongoing risk management.
- may also be a data custodian or data user.
- may be an accredited Integrating Authority (Endnote 6).
- may suggest changes to the risk assessments completed by the data custodian/data custodians.
A data user:
- is a person or an organisation that undertakes analysis of an integrated dataset.
- may also be a data custodian and/or an integrating authority.
- does not need to be a Commonwealth agency.
There may be many data users involved in a project.
The Cross Portfolio Data Integration Oversight Board (The Oversight Board)
The Oversight Board:
- is responsible for the arrangements for the integration of Commonwealth data for statistical and research purposes on behalf of Secretaries Board.
- provides strategic and collaborative leadership, supports effective governance and may provide advice to help manage the risks of particular data integration projects.
- helps manage the systemic risk associated with conducting multiple data integration projects involving Commonwealth data through assessment of proposed risk mitigation strategies and the provision of advice.
- endorses any changes or additions to the overall environment, including amendments to the principles or guidelines, or the development of new general tools to support integration or safe access to integrated data for statistical and research purposes.
In practice, the Oversight Board
- has ten working days following registration of the project and receipt of the risk assessment to raise any concerns about the project with the data custodians or integrating authority. These concerns relate to the management of systemic risks of data integration.
- has no authority to approve or delay data integration projects. Approval is given by data custodians.
- ensures that the risk mitigation strategies proposed when a project is registered are implemented. To ensure this, the Oversight Board may request a review of one or more of a data custodian’s integration projects.
- may work with data custodians and integrating authorities to improve their risk assessment processes.
- can delegate its review functions.
The Oversight Board will work with data custodians and integrating authorities to resolve any issues relating to unacceptably high systemic risks or inappropriately managed projects. If the issues cannot be resolved or managed to the satisfaction of the Oversight Board, then the Chair of the Oversight Board will engage in direct discussion and negotiation with the agency head of each data custodian that is party to the project to resolve the matter. Where there is a conflict of interest for the Chair of the Oversight Board to engage in direct discussion with the head of each the agency concerned, the matter will be referred to another member of the Oversight Board and where resolution cannot be achieved, to the Secretaries Board.
- is an individual, household, business or other organisation which supplies data to a data custodian.
Risk Assessment Guidelines (the Guidelines)
The Guidelines provide a platform to assess the risk of harm to a data provider and the risk of a reduction of public trust in the Australian Government and its institutions as a result of a breach.
Data custodians can decide that the assessment guidelines on risk dimensions are not valid for their particular context. However, deviations from the assessment guidelines must be explained in the risk assessment.
A breach is “when personal information or the confidential information of an organisation held by an agency or another organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.” (Endnote 7)
For example, a breach occurs when:
- a USB with unconfidentialised data is left on a train and viewed by an individual not authorised to see the data.
- data is poorly confidentialised and exposes information about a data provider.
- an aggregate table is published with small cells that allow identification of data providers. For example consider a table that cross-tabulates the number of recipients of carer payments by sex, suburb and income, which contains a cell showing only one male recipient living in Glebe. Any users who know a male in Glebe who receives a carer payment will be able to use the table to determine his income.
If there is legislation which impacts on the dissemination and management of data, the more stringent understanding should apply.
The risk assessments are undertaken by the data custodian and involve several steps:
- a pre-mitigation risk assessment is conducted following consultation with other stakeholders.
- mitigation strategies are developed. This step may involve consultation with the integrating authority and data users.
- a post-mitigation risk rating is calculated which determines whether an accredited Integrating Authority is required.
If the post-mitigation risk rating for a project is ‘low’ or ‘medium’, the use of an accredited Integrating Authority is optional.
The risk assessments and post mitigation risk rating for a data integration project are submitted to the Oversight Board via the project registration process to ensure that they have been completed appropriately. Registration occurs after a project has been approved by data custodians and agreements signed.
Likelihood of a breach
Likelihood is the measurement of the potential for a breach to occur (Endnote 8).
It assesses the parts of a project in which a breach is possible.
For example, the security of an agency’s IT systems will determine how likely a breach is to occur due to hacking.
Consequences of a breach
Consequence is a measurement of the potential outcome of any breach.
It includes harm to a data provider, including humiliation, or a reduction in public trust in the Commonwealth’s ability to store and protect sensitive data (Endnote 9).
There are two types of review outlined in the Guidelines:
- An initial review within the ten day period of the Oversight Board receiving a risk assessment for a particular project, and
- a review of a data custodian’s completed integration projects.
The ten day review allows the Oversight Board to provide advice and guidance on specific projects. The advice may be in the form of concern around a particular project, or suggestions of ways to manage risk. This advice should focus on minimising the systemic risks of a project.
The review of completed integration projects involves an assessment of public reaction to the project and how public understanding and acceptance was managed throughout the project, as well as an assessment of the application and effectiveness of the mitigation strategies.
Such a review will be conducted by a party:
- approved by the data custodian;
- that is at arm’s length to the risk assessment process, but need not be external to the agency; and
- that has the ability to provide an objective expert assessment of whether the mitigation strategies initially proposed were implemented.
Risk mitigation strategies
Mitigation strategies attempt to minimise the risk of a project. In this risk framework, mitigation strategies will mostly act on the likelihood of a breach.
Multiple mitigation strategies may be required to lower the risk of a breach.
It is possible that mitigation strategies may lower one risk while increasing another.
Public trust in the Government
Public trust in the Government and its institutions is the degree to which individuals and organisations trust the Commonwealth, state, territory and local governments to manage their data.
Many people do not distinguish between government agencies. Therefore, the actions of one agency affects people’s trust in all government agencies.
Public trust also impacts on the Australian Statistical System in general.
Public trust affects how likely it is that individuals and organisations will participate in research conducted by government agencies.
Confidentialised data is individual (Endnote 10) or micro level unit information (Endnote 11). that has been de-identified and has had other information removed or modified to reduce the risk of a data provider being identified.
Internal data integration
Internal data integration is integration that is undertaken completely within an agency, not provided to external agencies or researchers and where the agency is also the custodian for all the Commonwealth datasets being integrated.
Work being undertaken internally does not automatically lower the risk of a breach. However, there are many elements of internal work that are likely to be effective risk mitigation strategies. For example, the IT environment is likely to be more secure and legislative penalties for a breach high.
The mitigation strategies should be included in the post-mitigation risk assessment.
- The accountability of the data custodian is described in Principle 2 of the High Level Principles for Data Integration Involving Commonwealth Data for Statistical and Research Purposes.
- More than one integrating authority may be consulted or asked for a quotation on each project before it commences. However, only one integrating authority can have full responsibility for the way in which each data integration project is conducted, and this must be determined before the project commences.
- Further information on the accreditation process can be found at: www.nss.gov.au/nss/home.nsf/pages/Data%20Integration:%20Accredited%20Integrating%20Authorities
- One definition of a breach is given at http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches#_Toc301281661. This has been expanded to include organisational information.
- These definitions draw on Standards Australia/Standards New Zealand’s definitions of likelihood and consequence in the Risk management – principles and guidelines (2009).
- These concepts are further discussed in the NHMRC National Statement on Ethical Conduct in Human Research
- That is, a person or an organisation
- That is, a family, household, community, or organisation group