When and how to apply this criterion
When to apply
Apply Criterion 5 throughout Beta to protect users’ digital rights and ensure robust security measures are in place.
As cyber threats become more prevalent and sophisticated, adhere to this criterion across the Service design and delivery process.
How to apply
Questions for consideration
- how are users informed about the collection, use and storage of data?
- how will you obtain informed consent from your users?
- which encryption and authentication mechanisms will provide the most robust security?
- how does the service comply with data protection legislation and policies?
- what processes are in place to prevent misinformation?
- how is the service built to be resilient against cyber threats?
- what assurances are in place to promote ethical use of data?
Your responsibilities
To successfully meet this criterion, you need to:
- adopt transparent data handling
- implement security measures
- maintain a reliable service
- be accountable for the service.
Adopt transparent data handling
Consider privacy, consent, and control: Safeguard user data by adhering to the Australian Privacy Principles and the Privacy Act 1988. Always obtain explicit, informed consent before collecting a user’s data, and provide a means for users to update or delete it. Allow users to report inaccurate data and tell them how it has been rectified. Notify users of their own responsibilities to protect their data, such as not sharing their password with others.
Eliminate ambiguity in your user interface: Provide validating feedback and progress tracking as users interact with your service. Design to eliminate the need for error messages in the first place; make them understandable and actionable where they remain. Tell users what information they need before they start a task and, where appropriate, allow them to pause and resume at their own pace.
Implement security measures
Secure by design: Use the Information Security Manual, the Essential Eight and other resources from the Australian Cyber Security Centre to thoroughly assess your service’s threats, posture and protections. Plan for which requirements and system hardening will support your service throughout design, build, operation and decommissioning.
Maintain a reliable service
Available and consistent: Make your service available, stable and consistent for users in different places and time-zones, at different times, on different days. Schedule maintenance for a predictable period of downtime and give notice to users well ahead of time.
Be accountable for the service
Embrace contestability: Offer clear avenues for users to submit complaints, including data security and cyber concerns, contest decisions or report issues.
Wherever possible, make these avenues anonymous by default and identified by choice, to increase the likelihood of useful feedback. Provide users with timely and transparent responses, tailored to their feedback, to demonstrate that it has been addressed or will inform future action.
Undertake periodic audits: Audit your service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep your service fit for purpose (Criterion 10 ‘Keep it relevant’).
Criterion 6. Don’t reinvent the wheel
When to apply
Apply Criterion 6 during the Discovery and Alpha phases to capture potential solutions, new and existing, that the service could use to solve problems.
Foster a culture of sharing experiences with other agencies, build on the learnings taken from them and align to common platforms, patterns and standards throughout the Service design and delivery process.
Your responsibilities
To successfully meet this criterion, you need to:
- ‘build once, use many times’
- design for a common, seamless experience
- reuse data where you can.
‘Build once, use many times’
Apply reuse in decision making: Use the Australian Government Architecture to understand the tools, capabilities, policies and standards for building government services. Identify and document how they are applied in your decision making.
Apply learnings from predecessors: Reach out to teams and agencies for their experiences and lessons creating similar services and how to apply them to yours.
Design for a common, seamless experience
Adopt open standards where appropriate: Consider how reuse and open standards can support other services across government. Where appropriate, design and build with them to bring your service to more platforms, improve data sharing capability, prevent vendor lock-in and create familiarity for users.
Reuse data where you can
Review your existing data: Review what data you already collect and how it can be reused in your service. Where appropriate, consider whether you can employ safe, ethical data sharing arrangements under the Data Availability and Transparency Act scheme. Actions to support ethical, data-driven decision making can be found in Criteria 5 (‘Build trust in design’) and 7 (‘Do no harm’).
Criterion 7. Do no harm