Data Integration Projects
Commonwealth Arrangements Information Series
Sheet 5: Integrating Authorities
An essential pillar of establishing a safe and effective environment for data integration involving Commonwealth data is the nomination of an organisation to manage each statistical data integration project from start to finish.
This role is known as the integrating authority. The integrating authority is responsible for the management of the data integration project on behalf of the data custodians and minimising privacy concerns associated with the use of the data once it is received from data custodians and after integration. It is also responsible for facilitating the use of the integrated data within the constraints of privacy requirements and legislation.
This Information Sheet provides a summary of the roles and responsibilities of an integrating authority, including a checklist of considerations on the back of this sheet.
Nominating an integrating authority
When a data integration project involving Commonwealth data for statistical and research purposes (a project) is proposed, it is considered by the data custodians and a risk assessment is conducted (see Information Sheet 4). Once this is complete, the data custodians appoint an integrating authority to manage and conduct the project from start to finish.
The integrating authority must be a secure and trusted institution (an individual cannot be an integrating authority) and in a position to comply with the requirements of the Privacy Act 1988 or the equivalent State/Territory legislation (in regards to information about individuals) and secrecy provisions generally (in regards to information with respect to the affairs of any third party, corporate or individual). In addition, if the project is rated as high risk, the integrating authority appointed must be accredited (see Information Sheet 6).
When nominating an integrating authority, the data custodians should also ensure they are authorised to release the identifiable data, either by legislation or consent, to the integrating authority appointed (see Information Sheet 4)
Integrating authority roles within the Commonwealth arrangements
Role 1 - Enter into project and data access agreements
Role 2 - Implement safe and effective arrangements for data integration projects
Role 3 - Manage datasets for the duration of data integration projects
Role 4 - Provide transparency in operation
Finalising agreements
Once appointed, the integrating authority is responsible for reviewing and finalising the arrangements for the project and preparing project agreements with data custodians and data access agreements with data users.
The purpose of project agreements is to help ensure that integrated datasets are managed and used in accordance with data custodian requirements, protecting privacy and ensuring that data is not likely to enable the identification (or re-identification) of individuals and businesses. Project agreements set out the terms and conditions that accompany the final project approval.
Once the project is approved the integrating authority is responsible for registering the project on the public register of data integration projects.
Delivering a project
The integrating authority has an important role in managing the increased risk of identification that exists when two or more datasets are integrated. Generally an integrating authority will be chosen because they have the skills and expertise to conduct a data integration project safely and securely.
However, it is possible for an integrating authority to outsource or involve consortium/partnership arrangements to complete a project. For example, it might use another agency to create linkage keys, or it may use infrastructure provided by another agency to support dissemination or access to the integrated dataset by data users.
Providing access to integrated data
Part of the integrating authority's role in managing integrated datasets is to provide data users with secure access to the integrated data.
Data access agreements between the integrating authority and data users should set out the conditions and arrangements for accessing and producing output from the integrated data.
The conditions and nature of access may vary from project to project, according to the requirements of data custodians.
A checklist for integrating authorities
This is a list of considerations for integrating authorities who have been approached to undertake the end to end management of a data integration project for statistical or research purposes.
If the project is assessed as high risk, the integrating authority must be accredited.
In Principle approval
✔ Have you assessed the technical feasibility of the project and ensured that you can deliver on all aspects of the project? (e.g. linking methods, data security and provision of secure access to the integrated data, timeframes, data quality, risk management, etc.)
Final Project Details
✔ Have you discussed and agreed the arrangements for security of the data (e.g. data transfer, access, use, storage and destruction or retention) with all data custodians?
✔ Have you discussed and agreed with data custodians how confidentiality and privacy will be protected?
How will the separation principle be applied (if applicable)?
How will the data be de-identified and/or confidentialised?
Do the data custodians have any special conditions to be met for users of the data (e.g. signing confidentiality undertakings, review of research results before publication)?
Are the consequences, if there is a misuse of data or breach of privacy, understood for both the integrating authority and the data user?
✔ Will there be a fee for service or cost recovery charge to the data user and has a quote been prepared and accepted?
✔ Do you need to assist the data users to seek Ethics Committee approval for the project?
✔ Is a privacy impact assessment required?
✔ Do you intend to outsource or work in partnership with other organisations to complete components of the project (such as creation of linkage keys) and have the data custodians been advised?
✔ Have you entered into a project agreement with all of the data custodians to formalise the arrangements for the project?
✔ Have you entered into a data access agreement with the data user to set out the conditions and arrangements for accessing the integrated data for research and analysis?
✔ Have you registered the project on the public register of data integration projects and submitted the risk assessment to the Oversight Board?
Project delivery
✔ Have you conducted the following steps in accordance with the project agreements?
Data prepared, linked, merged and quality checked using agreed protocols (e.g. application of the separation principle);
Integrated data de-identified and confidentialised;
Secure access to the integrated data provided to data users;
Ensure that the integrated data is stored securely if it is to be retained and a review process is in place or that it is destroyed at project completion; and