Search

Document your findings

Document your findings and recommendations to apply criterion 5:

Ensure timely updates of software and hardware to protect against the latest threats and implement ongoing training programs for staff on security best practices.
Establish and regularly update an incident response plan outlining procedures for handling security breaches.
Create guidelines for content moderation to prevent misinformation.
Make sure the data is collected and documented in a centralised knowledge repository.

Off

Links

Off

Prioritise service security measures and have processes in place to ensure that they are efficient and current. Use methods or tools such as:
- Conduct regular and comprehensive security audits to identify vulnerabilities in the digital service. This includes penetration testing and assessments to keep security measures robust and up to date.
- Regularly update software, hardware and security protocols to protect against new and emerging threats. This includes prompt application of patches, updates and security fixes.
- Implement ongoing security training for staff on best practices, include phishing recognition attempts and secure handling of sensitive data.
- Establish and regularly update an incident response plan to prepare for potential security breaches. Outline steps for detecting security incidents, responding to them and recovering.
Prioritise the accuracy of information provided. Put processes in place for regular checks and updates. Use methods or tools such as:
- Establishing clear guidelines for content moderation to prevent misinformation. This includes procedures for reviewing and verifying information before it is published.
- Implement reporting mechanisms so users can flag misinformation or content they believe is inaccurate. This encourages user engagement and helps maintain the integrity of information provided.
- Maintain processes for regular content updates and corrections when information inaccuracies are identified. Transparent correction processes build trust.
Have processes in place to make sure the service is resilient and updated against current and imminent cyber threats. Use methods or tools such as:
- Implement a layered security strategy that includes firewalls, intrusion detection systems and encryption to create multiple anti cyber barriers.
- Develop and test disaster recovery and business continuity plans to ensure the service runs quickly to recover from cyber incidents, including data breaches or denial-of-service attacks.
- Continuously monitor and assess emerging cyber threats. This involves subscribing to threat intelligence services and keeping abreast of industry developments.
- Educate users about cybersecurity best practices, such as using strong passwords and recognising phishing attempts. An informed user base enhances overall security.
Document your findings and recommendations to apply criterion 5:
- Ensure timely updates of software and hardware to protect against the latest threats and implement ongoing training programs for staff on security best practices.
- Establish and regularly update an incident response plan outlining procedures for handling security breaches.
- Create guidelines for content moderation to prevent misinformation.
- Make sure the data is collected and documented in a centralised knowledge repository.

‘Build once, use many times’

Apply reuse in decision-making: Use the Australian Government Architecture to understand the tools, capabilities, policies and standards for building government services. Identify and document how they are applied in decision-making.
Apply learnings from predecessors: Reach out to teams and agencies for their experiences and lessons creating similar services and how to apply them to other services.

Off

Design for a common, seamless experience

Adopt open standards where appropriate: Consider how reuse and open standards can support other services across government. Where appropriate, design and build with them to bring the service to more platforms, improve data sharing capability, prevent vendor lock-in and create familiarity for users.

Off

Reuse data where possible

Review existing data: Review the data already collected and how it can be reused in the service. Where appropriate, consider if safe, ethical data-sharing arrangements under the Data Availability and Transparency Act Scheme can be employed. Actions to leverage ethical, data-driven decision making can be found in Criteria 5 (‘Build Trust in Design’) and Criteria 7 (‘Do No Harm’).

Off

- Apply reuse in decision-making: Use the Australian Government Architecture to understand the tools, capabilities, policies and standards for building government services. Identify and document how they are applied in decision-making.
- Apply learnings from predecessors: Reach out to teams and agencies for their experiences and lessons creating similar services and how to apply them to other services.
- Adopt open standards where appropriate: Consider how reuse and open standards can support other services across government. Where appropriate, design and build with them to bring the service to more platforms, improve data sharing capability, prevent vendor lock-in and create familiarity for users.
- Review existing data: Review the data already collected and how it can be reused in the service. Where appropriate, consider if safe, ethical data-sharing arrangements under the Data Availability and Transparency Act Scheme can be employed. Actions to leverage ethical, data-driven decision making can be found in Criteria 5 (‘Build Trust in Design’) and Criteria 7 (‘Do No Harm’).

Guidance to not reinvent the wheel

Apply criterion 6 of the Service Standard: Don’t reinvent the wheel

To meet criteria 6 of the Digital Service Standard refer to the Digital Access Standard. The Digital Access standard is an extension of criteria 6 of the Digital Service Standard.

Off

To meet criteria 6 of the Digital Service Standard refer to the Digital Access Standard. The Digital Access standard is an extension of criteria 6 of the Digital Service Standard.

Protects users’ digital rights

Uphold digital rights: Consider how the service might impact the digital rights of users. Build with pre-emptive measures in mind, such as net neutrality, access to information without censorship and freedom of online assembly. Identify users facing greater personal risks and make sure they’re provided with the means to access, communicate and contest the service transparently or anonymously. If rights are breached, move quickly to implement changes that prevent future harm.
Consider flow-on effects: Consider the implications of the service beyond its immediate impacts. Workshop environmental, economic or social impacts and undertake scenario planning to explore unforeseen issues and opportunities.

Off

Understand privacy impacts

Undertake a Privacy Impact Assessment: Undertake a Privacy Impact Assessment to capture issues. Mitigate unwarranted and unauthorised surveillance, data collection and malicious data breaches and share these actions with users.
Obtain consent: Where required, seek and obtain informed consent from users prior to collecting, storing or disclosing any of their data. Consider opt-out options and build the service to require as little user data as possible.
Be transparent: Communicate how data will be used or may be used in the future at the time of consent. This includes how it may be shared with other people or between services and secondary or less obvious uses.

Off

Understand the limits of data

Use data ethically: Data should only be collected and used for the stated purpose that the user agrees to. Account for how data models, datasets and algorithms may produce discriminatory results and provide transparent detail to users on how decisions and calculations are made. Before sharing data, apply the DATA Scheme’s Data Sharing Principles to help assess whether it would be safe to do so.
Use qualitative and quantitative data: Quantitative data, which is numeric or measurable, helps us understand what is happening on a service. Qualitative data, which is descriptive or observable, helps us understand why. Use both to fully understand the story and match any correlation with a provable causation. Do this before making important decisions.

Off

- Uphold digital rights: Consider how the service might impact the digital rights of users. Build with pre-emptive measures in mind, such as net neutrality, access to information without censorship and freedom of online assembly. Identify users facing greater personal risks and make sure they’re provided with the means to access, communicate and contest the service transparently or anonymously. If rights are breached, move quickly to implement changes that prevent future harm.
- Consider flow-on effects: Consider the implications of the service beyond its immediate impacts. Workshop environmental, economic or social impacts and undertake scenario planning to explore unforeseen issues and opportunities.
- Undertake a Privacy Impact Assessment: Undertake a Privacy Impact Assessment to capture issues. Mitigate unwarranted and unauthorised surveillance, data collection and malicious data breaches and share these actions with users.
- Obtain consent: Where required, seek and obtain informed consent from users prior to collecting, storing or disclosing any of their data. Consider opt-out options and build the service to require as little user data as possible.
- Be transparent: Communicate how data will be used or may be used in the future at the time of consent. This includes how it may be shared with other people or between services and secondary or less obvious uses.
- Use data ethically: Data should only be collected and used for the stated purpose that the user agrees to. Account for how data models, datasets and algorithms may produce discriminatory results and provide transparent detail to users on how decisions and calculations are made. Before sharing data, apply the DATA Scheme’s Data Sharing Principles to help assess whether it would be safe to do so.
- Use qualitative and quantitative data: Quantitative data, which is numeric or measurable, helps us understand what is happening on a service. Qualitative data, which is descriptive or observable, helps us understand why. Use both to fully understand the story and match any correlation with a provable causation. Do this before making important decisions.

Guidance to do no harm

Undertake privacy impact assessments and plan to address findings

Regularly undertake privacy impact assessments and plan to incorporate these service improvements. Use methods or tools such as:

Develop a standardised framework for conducting privacy impact assessments. The framework should outline the steps to identify and assess privacy risks associated with new projects or services.
Involve relevant stakeholders, including legal, compliance, IT and user representatives, in the privacy impact assessment process. This can help identify potential privacy risks and ensure assessments are comprehensive.
Establish processes for ongoing monitoring of privacy impacts as the service evolves. Regularly review and update the assessment to reflect changes in data practices, technology, or regulations.
Map out how data will be collected, processed, stored, and shared throughout the service lifecycle. Understanding these data flows is crucial to identifying potential privacy impacts.

Off

Collect, store and use data in a considered way

Collect, store and use data ethically. Embed these methods into your ongoing processes and clearly communicate to users how their data is stored and used:

Adopt a data minimisation principle and only collect and store data that’s necessary for the service's functionality. This limits exposure to privacy risks.
Evaluate the quality of the data collected. Ensure that data is accurate, relevant and up to date to avoid misinterpretations and misuse.
Establish clear data retention policies that outline how long the data will be stored and the criteria for data deletion. This prevents unnecessary accumulation of data over time.
Implement role-based access controls to limit access to sensitive data. This reduces the risk of unauthorised access and enhances data security.
Establish and publish ethical guidelines regarding the collection, use and sharing of data. These guidelines should prioritise user privacy and consent.
Conduct regular audits of data collection and usage practices to comply with ethical guidelines and regulations.
Develop clear and concise privacy notices so users know how their data is collected, used and shared. Ensure these notices are accessible, easy to access and understand.

Off

Document your findings

Document your findings and recommendations to apply criterion 7:

Clearly document privacy risks, potential impacts and mitigation recommendations.
Create actionable plans to address risks, including technical controls and policy revisions. Establish ongoing monitoring to update assessments as the service evolves
Map the data lifecycle, including collection, processing, storage and sharing, to identify potential privacy issues.
Make sure the data is collected and documented in a centralised knowledge repository.
Thoroughly document findings of the privacy impact assessment, include identified risks, potential impacts on user privacy, and recommendations for mitigating those risks.
Create action plans to address findings of the privacy impact assessment. This includes implementing specific technical controls, revising policies, or enhancing user communications regarding data practices.

Off

Links

Off

Regularly undertake privacy impact assessments and plan to incorporate these service improvements. Use methods or tools such as:
- Develop a standardised framework for conducting privacy impact assessments. The framework should outline the steps to identify and assess privacy risks associated with new projects or services.
- Involve relevant stakeholders, including legal, compliance, IT and user representatives, in the privacy impact assessment process. This can help identify potential privacy risks and ensure assessments are comprehensive.
- Establish processes for ongoing monitoring of privacy impacts as the service evolves. Regularly review and update the assessment to reflect changes in data practices, technology, or regulations.
- Map out how data will be collected, processed, stored, and shared throughout the service lifecycle. Understanding these data flows is crucial to identifying potential privacy impacts.
Collect, store and use data ethically. Embed these methods into your ongoing processes and clearly communicate to users how their data is stored and used:
- Adopt a data minimisation principle and only collect and store data that’s necessary for the service's functionality. This limits exposure to privacy risks.
- Evaluate the quality of the data collected. Ensure that data is accurate, relevant and up to date to avoid misinterpretations and misuse.
- Establish clear data retention policies that outline how long the data will be stored and the criteria for data deletion. This prevents unnecessary accumulation of data over time.
- Implement role-based access controls to limit access to sensitive data. This reduces the risk of unauthorised access and enhances data security.
- Establish and publish ethical guidelines regarding the collection, use and sharing of data. These guidelines should prioritise user privacy and consent.
- Conduct regular audits of data collection and usage practices to comply with ethical guidelines and regulations.
- Develop clear and concise privacy notices so users know how their data is collected, used and shared. Ensure these notices are accessible, easy to access and understand.
Document your findings and recommendations to apply criterion 7:
- Clearly document privacy risks, potential impacts and mitigation recommendations.
- Create actionable plans to address risks, including technical controls and policy revisions. Establish ongoing monitoring to update assessments as the service evolves
- Map the data lifecycle, including collection, processing, storage and sharing, to identify potential privacy issues.
- Make sure the data is collected and documented in a centralised knowledge repository.
- Thoroughly document findings of the privacy impact assessment, include identified risks, potential impacts on user privacy, and recommendations for mitigating those risks.
- Create action plans to address findings of the privacy impact assessment. This includes implementing specific technical controls, revising policies, or enhancing user communications regarding data practices.

Follow guidance on critical and emerging technologies

Stay current: Technology can advance at a staggering pace. If available, refer to government guidance on risks, opportunities and developments for up-to-date advice on critical or emerging technology that may impact the service.
Regularly check the Australian Government Architecture: Follow published guidance in the Australian Government Architecture for the adoption of critical and emerging technologies.

Off

Maintain interoperability in the face of new technology interoperability

Consider interoperability: Consider if new technologies will impact the service’s interoperability. Plan for its introduction or implementation in partnership with other affected agencies to prevent further divergence or disconnection.
Be digital ready: Undertake an assessment of the preparedness for new technologies. Consider the resources and training for a new technology that will be required by the agency and team.

Off

Track adoption of new technology

Track adoption: Prior to implementing a new technology, determine whether it aligns with the clear intent of the service and whether it risks leaving certain types of users behind. If implemented, monitor how users respond to the new technology and respond to any accessibility or usability concerns.

Off

- Stay current: Technology can advance at a staggering pace. If available, refer to government guidance on risks, opportunities and developments for up-to-date advice on critical or emerging technology that may impact the service.
- Regularly check the Australian Government Architecture: Follow published guidance in the Australian Government Architecture for the adoption of critical and emerging technologies.
- Consider interoperability: Consider if new technologies will impact the service’s interoperability. Plan for its introduction or implementation in partnership with other affected agencies to prevent further divergence or disconnection.
- Be digital ready: Undertake an assessment of the preparedness for new technologies. Consider the resources and training for a new technology that will be required by the agency and team.
- Track adoption: Prior to implementing a new technology, determine whether it aligns with the clear intent of the service and whether it risks leaving certain types of users behind. If implemented, monitor how users respond to the new technology and respond to any accessibility or usability concerns.

Guidance to not reinvent the wheel

Guidance to do no harm

DXP policy

Connect with the digital community