Criterion 3. Protect users

Criterion 3 – Protect users

Create an environment where users feel safe to foster trust and participation for a more inclusive digital community.

Your responsibilities

To successfully meet this criterion, agencies need to:

establish and maintain a safe digital environment for users
counter scams and misinformation
provide transparency and feedback loops.

When to apply

Apply Criterion 3 throughout Live as you build and maintain a safe user environment.

Revisit this criterion across the Service design and delivery process to ensure Safety by design principles are incorporated where appropriate.

Questions for consideration

How can we establish confidence and trust among users?
Are we clear about potential risks to users and proactive in mitigating these risks?
How can we monitor and respond to safety-related incidents quickly?
Have we incorporated safeguards that allow services to be used in public spaces, such as libraries and service centres?

How to apply criterion 3

Create psychological safety: Hate speech and online abuse impacts the participation and inclusion of all those targeted by it. Establish clear community guidelines on acceptable behaviour and proactively moderate digital content. Where appropriate, leverage technology to identifying instances of malicious behaviour and align to best practices outlined by the eSafety Commission.
Mitigate risk: Many digital users have encountered scams, fraud and loss of personal information. These experiences impact attitudes towards digital use. Help to ‘build trust in design’ by supporting the work of the National Anti-Scams Centre and mitigate misinformation by supporting the work of the Australian Communications and Media Authority.

Guidance to protect users

Set clear guidelines on acceptable behaviour, moderating content, and using technology to identify malicious behaviour and create a safe digital environment:
- Consider what would make a user feel safe when engaging with the provided digital service.
- Provide a variety of contact methods. This may include options like email, chat, phone, social media and other feedback methods.
- Communicate with empathy and transparency.
- Consider how the service aims to achieve user goals.
Consider how the service will build user trust and confidence in government:
- Regularly inform users about the data collected, why it is collected and how it will be used.
- Continuously assess and address risks to ensure user data remains protected.
- Create clear and concise consent forms and confirm user agreement before data is collected.
- Allow users to easily update or delete their data. Make sure there’s options for users to report incorrect data and implement a prompt and transparent process to resolve issues.
- Educate users about best practice for account protection, such as strong passwords and keeping login details private.
- Offer real-time feedback and progress tracking to enhance user experience and confidence in the service.
- Minimise the need for error messages by designing intuitive and user-friendly interfaces. When errors occur, provide clear and actionable messages.
- Explain tasks up front and give context about what users need to complete it. This may include information, documents, payment methods or eligibility. Let users pause and resume tasks at their convenience.
Agencies should communicate safety measures, provide clear channels for reporting concerns and resolve issues promptly.
- Actively listen to feedback to understand user needs and identify areas for service improvement. Consider the user experience when providing feedback, including response times.
- Think about how users interact and make changes where needed. Incorporate feedback loops and make sure the service improvement process is transparent.
- Communicate safety measures, provide clear channels for reporting concerns and resolve issues promptly.
Make sure the service is secure and thoroughly assess for threats and put protections in place. Be ready to identify, respond to and recover from threats:
- Make the service secure using the:
  - Information Security Manual
  - the Essential Eight
  - resources from the Australian Cyber Security Centre.
- Plan security requirements during service design, build, operation and decommissioning.
Document your findings and recommendations on how to apply criterion 3:
- Ensure your proposal provides evidence of countering scams and misinformation, provides transparency about data collection and usage and offers a feedback mechanism for continuous improvement.
- Use the Digital Capability Assessment Process (DCAP) template to report on meeting the criterion.
- Make sure the data is collected and documented in a centralised knowledge repository.

Digital Inclusion Standard