Interoperability projects can only be realised when you have managed your information and data risks. All Government information and data is subject to legislation, policies and standards. Interoperability projects need specific attention to data compliance and security requirements relating to:
- data exchange mechanisms
- privacy and de-identification
- licensing for mixed, reused or derived datasets.
Data security is put in place to prevent unauthorised access to information. It is a fundamental theme for enabling interoperability and should be addressed as an enterprise-wide initiative with an agency-wide security strategy. Data security requirements across Government which your agency must consider include the:
- Protective Security Policy Framework (PSPF) which includes requirements for sensitive and classified information
- Australian Government Information Security Manual (ISM) which is the standard that governs the security of Government ICT systems and includes information on access controls.
Secure data exchange
In addition to the PSPF, your agency can ensure your processes and systems meet criteria for secure data exchange by referring to the Digital Transformation Agency's (DTA):
Data exchange security considerations include:
- access restrictions such as IP whitelisting, multi-factor authentication, security tokens and API Keys
- HTTPS secure connections
- encryption of data in transit and at rest
- tamper proofing data that is publicly exchanged
- strict password syntax checks and password resets
- encryption of all passwords
- data storage locations such as on premises and in the cloud
- security classifications.
Privacy and de-identification
Privacy and the de-identification of information must be considered when releasing information online. It is essential that all data released has undergone the necessary privacy and de-identification checks. The Office of Australian Information Commissioner (OAIC) provides information on the Australian Privacy Principles that can help you understand and meet these requirements.
- if the data uses other derived datasets