Data Integration Projects

Commonwealth Arrangements Information Series

Sheet 6: Accreditation of an Integrating Authority

The appointment of an integrating authority for each statistical data integration project is an essential pillar in establishing a safe and effective environment for data integration involving Commonwealth data. An integrating authority is the single organisation ultimately responsible for the sound conduct of the statistical data integration project.

For each data integration project involving Commonwealth data for statistical and research purposes (a project), a risk assessment should be conducted by the data custodian(s) to assess whether a project should proceed and its level of systemic risk (high/medium/low) (Endnote 1).

If a project is assessed as posing a high risk, the integrating authority must be accredited. This information sheet provides an overview of the accreditation process.

Accreditation

Accreditation of an integrating authority is the recognition by the Cross Portfolio Data Integration Oversight Board (the Oversight Board) that the organisation has the requisite expertise, skills and knowledge, infrastructure and secure environment to undertake data integration projects, particularly those assessed as high risk.

It is important to note that the accreditation scheme is an administrative arrangement that does not override legislation. All legal obligations (e.g. with regard to the Privacy Act 1988 or privacy and secrecy provisions in agency-specific legislation) must be met.

Accreditation criteria

The eight criteria integrating authorities must meet to gain accreditation are:

  1. ability to ensure secure data management;
  2. demonstrated ability to ensure that information that is likely to enable identification of individuals or organisations is not disclosed to external users;
  3. availability of appropriate skills;
  4. appropriate technical capability;
  5. lack of conflict of interest;
  6. culture and values that ensure protection of confidential information and support the use of data as a strategic resource;
  7. transparency of operation; and
  8. appropriate governance and administrative framework.

The steps involved in gaining accreditation

The process for accreditation of integrating authorities involves:

  1. Self-assessment. Integrating authorities apply for accreditation by preparing a self-assessment report that explains how they meet the criteria for accreditation and is evidenced by supporting documentation. The self-assessment should be succinct and avoid qualitative statements that cannot be directly verified in the supporting documentation provided. The assessment should be signed off by the head of the agency.
  2. Audit. An independent third party audits the integrating authority’s self-assessment to verify the claims made in it. This verification is made on the basis of the documentary evidence. The audit is paid for by the integrating authority applying to become accredited.
  3. Decision. The Oversight Board will make the final decision on interim accreditation, based on the self-assessment and results of the audit.
  4. Publication of list of accredited agencies. The Secretariat publishes a list of accredited integrating authorities, together with a summarised version of the integrating authority’s application and a summary of the audit report.

Who can apply for accreditation?

The interim accreditation arrangements will be tested on Commonwealth government agencies first. While this does not preclude State/Territory government agencies applying for accreditation against the interim arrangements (provided that they meet all the requirements), it will not be possible for any State/Territory government agencies to be accredited in the short term, as this would not allow time for sufficient testing and evaluation of the arrangements with Commonwealth agencies.

The system is not yet mature enough to ensure that adequate safeguards apply to private firms. State/Territory government agencies and private firms can continue to apply for access to Commonwealth data under existing arrangements. The Oversight Board will only consider applications for accreditation, against the interim accreditation arrangements, for those agencies covered by privacy legislation (either the Privacy Act 1988 or State/Territory equivalent).

Will the accreditation process be reviewed?

The accreditation process is currently interim. Once a sufficient number of organisations have successfully gone through the interim accreditation process, a review will be conducted, and any necessary changes will be made to the process. The accreditation process will then become final.