Rights, Roles and Responsibilities
Integrating Authorities
Introduction
1. This paper identifies the rights, responsibilities and roles of integrating authorities relative to those of the other key participants in data integration projects involving Commonwealth data for statistical and research purposes, namely data custodians and users of integrated datasets.
2. Commonwealth Statistical Integration Principle 3, endorsed by the (Commonwealth) Secretaries Board in February 2010, states that an integrating authority must be nominated for each data integration project (or family of projects) involving Commonwealth data for statistical and research purposes (Endnote 1).
3. Integrating Authorities will need to be accredited to undertake high risk projects.
What is an ‘integrating authority’?
4. An Integrating Authority is the single agency ultimately accountable for the implementation of a statistical data integration project. Integrating authorities must ensure that risks have been assessed, managed and mitigated throughout the duration of the project, in line with the agreed requirements of data custodians. Integrating authorities, along with the data custodians, are responsible for achieving an appropriate balance between:
- maximising the inherent value of Commonwealth data sources;
- minimising privacy concerns associated with the use of data once it is received by the integrating authorities and after it has been integrated; and
- facilitating the use of this data within the constraints of privacy and legislation.
5. The Commonwealth’s data integration arrangements are shown in Figure 1 – Appendix 1. This provides a stylised representation of how integrating authorities fit within the arrangements, and their interactions with data custodians and data users. The choice of integrating authority will be based on a consultative process led by the data custodian(s), taking into account any preferences of the data users. The data custodian(s) need to give in-principle approval for the project to proceed before an integrating authority is appointed.
6. For some data integration projects, the integrating authority may have multiple roles: it may also be a data custodian (e.g., a Commonwealth agency) and/or the data user. When an entity has more than one role, appropriate internal governance and project documentation, consistent with the Commonwealth principles and governance arrangements for data integration, should be in place.
The rights and responsibilities of integrating authorities
7. Integrating authorities have a number of key ‘rights and responsibilities’ around the management of datasets for data integration projects. These form the basis for how they will work collaboratively with other participants involved in data integration projects.
8. The key rights and responsibilities of integrating authorities in relation to data custodians are listed below.
- It is the responsibility of integrating authorities to assure the data custodians that they have the necessary legislative protections in place prohibiting disclosure of identifiable data, other than where allowed by law. For high risk projects, the accredited Integrating Authority must be bound by the Commonwealth Privacy Act (or a state/territory equivalent) and be subject to criminal penalties for a breach of legislation with regard to an unauthorised disclosure of information. For low and medium risk projects, integrating authorities must have a policy framework in place to ensure that no identifiable data is disclosed, other than where allowed by legislation, to the satisfaction of data custodian requirements.
- It is the responsibility of integrating authorities to ensure that the project is feasible and that all necessary approvals are obtained (for example, Ethics Committee approvals), before the data custodians give final approval for the project. This may also include undertaking a Privacy Impact Assessment for projects that present a very high risk, unless this has been completed by the data custodians as part of the risk assessment process.
- Integrating authorities are required to safely manage data entrusted to them by data custodians throughout the project life cycle and in accordance with any special requirements of data custodians.
- It is the right of integrating authorities to receive quality-assured data from data custodians.
- It is the responsibility of integrating authorities to provide data linkage, merging and access services on behalf of data custodians.
- Where the Cross Portfolio Data Integration Oversight Board advises on amendments to ‘high risk’ projects (or where a concern is raised), integrating authorities, data custodians and data users will need to collaborate on how to make improvements to such project(s).
- Integrating authorities may collaborate with data custodians on the content of training material provided to data users. Input, advice and assistance to such training will be provided at the discretion of data custodians.
- The integrating authority is responsible for using the Public Register of Data Integration Projects (launched in December 2012) to register any data integration project which is done for statistical and research purposes and involves Commonwealth data. The integrating authority will consult with the data custodian(s) when preparing the information to be submitted for registration.
9. Integrating authorities also have rights and responsibilities in relation to data users.
- It is the responsibility of integrating authorities to facilitate appropriate training courses for data users. This training will cover high level statistical integration principles, governance and institutional arrangements, data protocols (e.g., ethical approval processes in the case of human-based health research), legislative frameworks and security requirements.
- Integrating authorities should always consider intellectual property rights when deciding whether they are able to provide access to data for a particular project that would involve using any externally owned software or other technology for transmission of data to a data user or allowing the data user to use such software.
- Integrating authorities in conjunction with data custodians are responsible for consulting with data users on any material changes or updates to a data integration project (regardless of whether changes originate from data custodians or integrating authorities). This will occur before data users start examining integrated datasets.
- Integrating authorities are responsible for assessing the technical feasibility of data integration projects and advising data users of outcomes.
- It is the responsibility of integrating authorities to provide integrated datasets to data users, along with full information on cost recovery policies or fee-for-service charges (where applicable).
- Integrating authorities must stipulate data access arrangements for data users, subject to written approval from all data custodians and in line with their requirements.
- It is the right of integrating authorities to be paid by data users for the provision of data integration services (where cost recovery or fee-for-service charges apply).
- Integrating authorities may collaborate with data custodians and data users on how to make improvements to ‘high risk’ project(s), based on advice provided by the Cross Portfolio Data Integration Oversight Board.
The role of Integrating Authorities in data integration projects
10. The four main roles of an Integrating Authority are listed below:
- Negotiating and implementing agreements with data custodians to achieve adequate control and manage risk appropriate to their datasets, as well as entering into agreements with data users;
- Implementing safe and effective arrangements for data integration projects involving the use of Commonwealth data for statistical and research purposes;
- Managing datasets for the duration of the project, including the provision of suitable access for data users and ensuring that the agreed data retention and/or data destruction policies are carried out; and
- Providing transparency in its operations.
(1) Negotiating and implementing agreements with data custodians to achieve adequate control and manage risk appropriate to their datasets, as well as entering into agreements with data users
11. Integrating authorities will need to enter into agreements with data custodians and data users for data integration projects. This agreement may take the form of a contract, Memorandum of Understanding or other arrangement as appropriate for the parties concerned. When the data custodian and the integrating authority are the same agency, appropriate internal governance arrangements, rather than an agreement, will need to be in place. This agreement or arrangement will be administered by the integrating authority on behalf of every data custodian involved in the data integration project.
12. Agreements with data custodians will cover:
- The provision of secure arrangements by integrating authorities to ensure appropriate management and security of the data;
- The use of data protocols that balance risk and public benefit (e.g., the use of ethics committees for human-based health research);
- The use of control mechanisms, in collaboration with data custodians, to assess and ensure that outputs from the statistical data integration are not likely to enable the identification of individuals or businesses;
- Governance protocols to investigate and resolve anomalies, outliers and data quality concerns, along with any software issues;
- Special conditions that must be adhered to by data users as stipulated by data custodians; and
- The use of communication, technology, training and other processes to ensure that information likely to enable the identification of individuals or organisations is not disclosed.
13. Agreements with data users will cover:
- Information on penalties for the identification (or re-identification) of individuals or businesses, the misuse of data or violation of data access arrangements;
- Details on cost recovery policies or fee-for-service charges of integrating authorities, where applicable. Fees will be set at the discretion of integrating authorities and may reflect local practices and arrangements;
- Specific details on governance protocols for examining data quality and software issues; and
- Any special conditions which must be adhered to by data users.
(2) Implementing safe and effective arrangements for data integration projects involving the use of Commonwealth data for statistical and research purposes
14. Integrating authorities are required to:
- provide a ‘trusted’ single accountability point for the implementation of each statistical data integration project;
- have a high level of relevant expertise, including a strong understanding of, and capability for, maintaining security (e.g., appropriate level of building security, security clearances for staff and mechanisms to monitor the compliance of data users);
- have the technical infrastructure necessary to undertake data integration projects;
- demonstrate a consistently high standard of behaviour by all employees based on a strong culture and set of values;
- demonstrate how any conflict of interest will be managed;
- have the policy and legislative coverage deemed necessary to provide adequate protection (examples of policies include data linkage protocols, data custodian policies and data access arrangements);
- adhere to the separation principle for high risk projects and optionally as best practice for low or medium risk projects (e.g., the separation of identifiers used in linkage activities, such as date of birth, from remaining information relating to the individual, such as clinical or benefit information) (Endnote 2);
- ensure that outputs from the statistical data integration (in particular, integrated datasets) are not likely to enable the identification of individuals or businesses (e.g., through directly-programmed aggregation and/or manual reviews of outputs released from a data integration project);
- provide information on statistical disclosure control techniques used to minimise the risk of identification of individuals or businesses when multiple datasets are combined; and
- provide secure data access arrangements (e.g., data laboratories, remote access procedures).
(3) Managing datasets for the duration of the project, including the provision of suitable access for data users and ensuring that the agreed data retention and/or data destruction policies are carried out
15. Integrating authorities are required to:
- manage data for the entire duration of the project, including implementing agreed data retention and/or data destruction policies;
- ensure datasets are managed in a way that gives the community and businesses confidence that no individual or organisation is likely to be identified;
- ensure good data management practices, including clear documentation, the use of standard definitions and classifications, and the maintenance of appropriate metadata, including quality attributes of the data;
- ensure that access to outputs from statistical data integration is limited to those which are not only de-identified, but which are also not likely to enable the identification of individuals or businesses;
- grant broad and flexible access to data users, subject to the above constraints, and the agreements with data custodians;
- work with data users to facilitate the effective use of this data within the constraints of privacy and legislation; and
- where applicable, implement fee-for-service charges or cost-recovery mechanisms to cover all or part of the costs (recognising that there are costs associated with creating integrated datasets, managing data access arrangements and conducting quality assurance checks), and provide information to data users (i.e., researchers) on fee-for-service or cost-recovery policies. It is at the discretion of integrating authorities whether they charge for the provision of data integration services. Some integrating authorities may be influenced by the existence of local practices and arrangements.
(4) Providing transparency in its operations
16. Integrating authorities are required to:
- ensure appropriate governance arrangements are in place;
- have the ability to transparently apply sanctions for unauthorised disclosure or inappropriate use of the data as required;
- work collaboratively, where appropriate, to share knowledge and infrastructure;
- ensure stakeholders and the community are kept informed of any statistical data integration project by registering the project on the Public Register of Data Integration Projects;
- publish information on cost recovery and fee-for-service policies, where applicable;
- undertake audits and checks to evaluate security; and
- publish other relevant documents (e.g., data retention statements).
Requirements for integrating authorities handling ‘high risk’ projects
17. The governance and institutional arrangements for data integration involving Commonwealth data recognise that it is the large, complex projects involving sensitive data which engender the major systemic risk to government information-based activities across the board. A systematic approach to monitoring and managing this risk has been agreed by the Cross Portfolio Data Integration Oversight Board.
18. For each high risk project, an assessment of the Legal and policy framework for IAs undertaking high risk projects must be made by data custodians and integrating authorities to ensure that there is authorisation to release the data to the integrating authority (by legislation or consent) and that there are appropriate legal protections in place prohibiting the integrating authority from disclosing identifiable data.
19. Additionally, integrating authorities undertaking high risk projects will also need to be accredited. Accredited Integrating Authorities are assessed by the Oversight Board as having the infrastructure and capability to undertake high risk data integration projects by meeting a set of criteria agreed by the Commonwealth Portfolio Secretaries including, for example, being subject to the Privacy Act 1988 or a state equivalent. A full description of the accreditation criteria can be found in the interim accreditation process document.
Requirements for integrating authorities handling low and medium risk projects
20. For medium and low risk projects, data custodians and integrating authorities will need to assess the Legal and policy framework for IAs undertaking low and medium risk projects for each project to ensure there is authorisation to release the data to the integrating authority and that the integrating authority has the appropriate procedures and policy framework in place to ensure that no identifiable data is disclosed.