Your responsibilities
To successfully meet this criterion, you need to:
- design for interoperability
- join up services.
Design for interoperability
Share data: Always begin by reviewing your obligations against privacy policies and the Privacy Act (1988). If external data can be used, make your service interoperable and leverage governments’ open datasets. Support safe, ethical data sharing practices by using the government’s DATA Scheme.
Request information once: Assess the data your agency already collects and whether it can be reused to deliver your service. Where it can be reused, eliminate unnecessary data entry requests and fulfil a ‘tell us once’ approach.
Publish open APIs: Thoroughly document your service’s APIs. Where appropriate, open them for other services and third-parties to build upon existing government offerings. Align with the API Design Standard to support cross-jurisdictional data sharing, maintain a consistent, reusable vocabulary and support wider API literacy.
Plan for scale and flexibility: Ensure your service can cater for growth and changing preferences without impacting performance, functionality or stability. Embed adaptability into your design patterns from the outset so the service can be reshaped as future changes require.
Utilise a Digital ID: Where appropriate, endeavour to integrate the Australian Government Digital ID System, accredited by the Trusted Digital Identity Framework (TDIF), to allow users to access your service with a single set of credentials.
Your responsibilities
To successfully meet this criterion, agencies will need to:
- design for interoperability
- join up services.
When to apply
Apply Criterion 4 throughout Beta to ensure smooth integration with other government services and systems.
Adhere to this criterion across the Service design and delivery process whenever new functionality, integrations or upgrades are introduced.
Questions for consideration
- How will this service integrate with existing systems and data?
- What standardised protocols will be used to exchange data?
- How will we test for smooth interoperability with other platforms?
- How will the service accommodate future growth and change?
- What information does government already hold that the service could reuse?
- Which mechanisms will allow users to opt in or out of data sharing?
How to apply criterion 4
Criterion 5. Build trust in design
When and how to apply this criterion
When to apply
Apply Criterion 5 throughout Beta to protect users’ digital rights and ensure robust security measures are in place.
As cyber threats become more prevalent and sophisticated, adhere to this criterion across the Service Design and Delivery Process.
How to apply
Questions for consideration
- How are users informed about the collection, use and storage of data?
- How will you obtain informed consent from your users?
- Which encryption and authentication mechanisms will provide the most robust security?
- How does the service comply with data protection legislation and policies?
- What processes are in place to prevent misinformation?
- How is the service built to be resilient against cyber threats?
- What assurances are in place to promote ethical use of data?
Your responsibilities
To successfully meet this criterion, you need to:
- adopt transparent data handling
- implement security measures
- maintain a reliable service
- be accountable for the service.
Adopt transparent data handling
Consider privacy, consent, and control: Safeguard user data by adhering to the Australian Privacy Principles and the Privacy Act (1988). Always obtain explicit, informed consent before collecting a user’s data and provide a means to update or delete it. Allow users to report inaccurate data and respond with how it has been rectified. Notify users of their own responsibilities to protect their data, such as not sharing their password with others.
Eliminate ambiguity in your user interface: Provide validating feedback and progress tracking as users interact with your service. Design to eliminate the need for error messages in the first place; make them understandable and actionable where they remain. Tell users what information they need before they start a task and, where appropriate, allow them to pause and resume at their own pace.
Implement security measures
Secure by design: Use the Information Security Manual, the Essential Eight and other resources from the Australian Cyber Security Centre to thoroughly assess your service’s threats, posture and protections. Plan for which requirements and system hardening will support your service throughout design, build, operation and decommissioning.
Maintain a reliable service
Available and consistent: Make your service available, stable and consistent for users in different places and time-zones, at different times, on different days. Schedule maintenance for a predictable period of downtime and give notice to users well ahead of time.
Be accountable for the service
Embrace contestability: Offer clear avenues for users to submit complaints, including security data and cyber concerns, contest decisions or report issues.
Wherever possible, make avenues anonymous by default and identifying by choice to grow the likelihood of useful feedback. Provide users with timely and transparent responses, tailored to their feedback, to demonstrate it has been addressed or will inform future action.
Undertake periodic audits: Audit your service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep your service fit for purpose (Criterion 10 ‘Keep it relevant’).
Your responsibilities
To successfully meet this criterion, agencies will need to:
- adopt transparent data handling
- implement security measures
- maintain a reliable service
- be accountable for the service.
When to apply
Apply Criterion 5 throughout Beta to protect users’ digital rights and ensure robust security measures are in place.
As cyber threats become more prevalent and sophisticated, adhere to this criterion across the Service design and delivery process.
Questions for consideration
- How are users informed about the collection, use and storage of data?
- How will informed consent be obtained from users?
- Which encryption and authentication mechanisms will provide the most robust security?
- How does the service comply with data protection legislation and policies?
- What processes are in place to prevent misinformation?
- How is the service built to be resilient against cyber threats?
- What assurances are in place to promote ethical use of data?
How to apply criterion 5
Criterion 6. Don’t reinvent the wheel
When to apply
Apply Criterion 6 during the Discovery and Alpha phases to capture potential solutions, new and existing, that the service could use to solve problems.
Foster a culture of sharing experiences with other agencies, build on the learnings taken from them and align to common platforms, patterns and standards throughout the Service design and delivery process.
Your responsibilities
To successfully meet this criterion, you need to:
- ‘build once, use many times’
- design for a common, seamless experience
- reuse data where you can
‘Build once, use many times’
Apply reuse in decision making: Use the Australian Government Architecture to understand the tools, capabilities, policies and standards for building government services. Identify and document how they are applied in your decision making.
Apply learnings from predecessors: Reach out to teams and agencies for their experiences and lessons creating similar services and how to apply them to yours.