1. This paper identifies the rights, responsibilities and roles of integrating authorities relative to those of the other key participants in data integration projects involving Commonwealth data for statistical and research purposes, namely data custodians and users of integrated datasets.
3. Integrating Authorities will need to be accredited to undertake high risk projects. The interim accreditation process, including the interim accreditation criteria, is outlined in the document titled ‘the interim accreditation process for integrating authorities’, available from nss.gov.au/dataintegration.
What is an ‘integrating authority’?
4. An Integrating Authority is the single agency ultimately accountable for the implementation of a statistical data integration project. Integrating authorities must ensure that risks have been assessed, managed and mitigated throughout the duration of the project, in line with the agreed requirements of data custodians. Integrating authorities, along with the data custodians, are responsible for achieving an appropriate balance between:
· minimising privacy concerns associated with the use of data once it is received by the integrating authorities and after it has been integrated; and
· facilitating the use of this data within the constraints of privacy and legislation.
6. For some data integration projects, the integrating authority may have multiple roles: it may also be a data custodian (e.g., a Commonwealth agency) and/or the data user. When an entity has more than one role, appropriate internal governance and project documentation, consistent with the Commonwealth principles and governance arrangements for data integration, should be in place.
7. Integrating authorities have a number of key ‘rights and responsibilities’ around the management of datasets for data integration projects. These form the basis for how they will work collaboratively with other participants involved in data integration projects.
8. The key rights and responsibilities of integrating authorities in relation to data custodians are listed below.
· It is the responsibility of integrating authorities to ensure that the project is feasible and that all necessary approvals are obtained (for example, Ethics Committee approvals), before the data custodians give final approval for the project. This may also include undertaking a Privacy Impact Assessment for projects that present a very high risk, unless this has been completed by the data custodians as part of the risk assessment process.
· Integrating authorities are required to safely manage data entrusted to them by data custodians throughout the project life cycle and in accordance with any special requirements of data custodians.
· It is the right of integrating authorities to receive quality-assured data from data custodians.
· It is the responsibility of integrating authorities to provide data linkage, merging and access services on behalf of data custodians.
· Where the Cross Portfolio Data Integration Oversight Board advises on amendments to ‘high risk’ projects (or where a concern is raised), integrating authorities, data custodians and data users will need to collaborate on how to make improvements to such project(s).
· Integrating authorities may collaborate with data custodians on the content of training material provided to data users. Input, advice and assistance to such training will be provided at the discretion of data custodians.
· The integrating authority is responsible for using the Public Register of Data Integration Projects (launched in December 2012 and available from www.nss.gov.au/dataintegration) to register any data integration project which is done for statistical and research purposes and involves Commonwealth data. The integrating authority will consult with the data custodian(s) when preparing the information to be submitted for registration.
· Integrating authorities should always consider intellectual property rights when deciding whether they are able to provide access to data for a particular project that would involve using any externally owned software or other technology for transmission of data to a data user or allowing the data user to use such software.
· Integrating authorities in conjunction with data custodians are responsible for consulting with data users on any material changes or updates to a data integration project (regardless of whether changes originate from data custodians or integrating authorities). This will occur before data users start examining integrated datasets.
· Integrating authorities are responsible for assessing the technical feasibility of data integration projects and advising data users of outcomes.
· It is the responsibility of integrating authorities to provide integrated datasets to data users, along with full information on cost recovery policies or fee-for-service charges (where applicable).
· Integrating authorities must stipulate data access arrangements for data users, subject to written approval from all data custodians and in line with their requirements.
· It is the right of integrating authorities to be paid by data users for the provision of data integration services (where cost recovery or fee-for-service charges apply).
· Integrating authorities may collaborate with data custodians and data users on how to make improvements to ‘high risk’ project(s), based on advice provided by the Cross Portfolio Data Integration Oversight Board.
The role of Integrating Authorities in data integration projects
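10. The four main roles of an Integrating Authority are listed below:
· Negotiating and implementing agreements with data custodians to achieve adequate control and manage risk appropriate to their datasets, as well as entering into agreements with data users;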
· Implementing safe and effective arrangements for data integration projects involving the use of Commonwealth data for statistical and research purposes;
· Managing datasets for the duration of the project, including the provision of suitable access for data users and ensuring that the agreed data retention and/or data destruction policies are carried out; and
· Providing transparency in its operation.
(1) Negotiating and implementing agreements with data custodians to achieve adequate control and manage risk appropriate to their datasets, as well as entering into agreements with data users
11. Integrating authorities will need to enter into agreements with data custodians and data users for data integration projects. This agreement may take the form of a contract, Memorandum of Understanding or other arrangement as appropriate for the parties concerned. When the data custodian and the integrating authority are the same agency, appropriate internal governance arrangements, rather than an agreement, will need to be in place. This agreement or arrangement will be administered by the integrating authority on behalf of every data custodian involved in the data integration project.
12. Agreements with data custodians will cover:
· The use of data protocols that balance risk and public benefit (e.g., the use of ethics committees for human-based health research);
· The use of control mechanisms, in collaboration with data custodians, to assess and ensure that outputs from the statistical data integration are not likely to enable the identification of individuals or businesses;
· Governance protocols to investigate and resolve anomalies, outliers and data quality concerns, along with any software issues;
· Special conditions that must be adhered to by data users as stipulated by data custodians; and
· The use of communication, technology, training and other processes to ensure that information likely to enable the identification of individuals or organisations is not disclosed.
13. Agreements with data users will cover:
· Details on cost recovery policies or fee-for-service charges of integrating authorities, where applicable. Fees will be set at the discretion of integrating authorities and may reflect local practices and arrangements;
· Specific details on governance protocols for examining data quality and software issues; and
· Any special conditions which must be adhered to by data users.
(2) Implementing safe and effective arrangements for data integration projects involving the use of Commonwealth data for statistical and research purposes
14. Integrating authorities are required to:
· have a high level of relevant expertise, including a strong understanding of, and capability for, maintaining security (e.g., appropriate level of building security, security clearances for staff and mechanisms to monitor the compliance of data users);
· have the technical infrastructure necessary to undertake data integration projects;
· demonstrate a consistently high standard of behaviour by all employees based on a strong culture and set of values;
· demonstrate how any conflict of interest will be managed;
· have the policy and legislative coverage deemed necessary to provide adequate protection (examples of policies include data linkage protocols, data custodian policies and data access arrangements);
· adhere to the separation principle for high risk projects and optionally as best practice for low or medium risk projects (e.g., the separation of identifiers used in linkage activities, such as date of birth, from remaining information relating to the individual, such as clinical or benefit information) (Endnote 2);
· ensure that outputs from the statistical data integration (in particular, integrated datasets) are not likely to enable the identification of individuals or businesses (e.g., through directly-programmed aggregation and/or manual reviews of outputs released from a data integration project);
· provide information on statistical disclosure control techniques used to minimise the risk of identification of individuals or businesses when multiple datasets are combined; and
· provide secure data access arrangements (e.g., data laboratories, remote access procedures).
(3) Managing datasets for the duration of the project, including the provision of suitable access for data users and ensuring that the agreed data retention and/or data destruction policies are carried out
15. Integrating authorities are required to:
· ensure datasets are managed in a way that gives the community and businesses confidence that no individual or organisation is likely to be identified;
· ensure good data management practices, including clear documentation, the use of standard definitions and classifications, and the maintenance of appropriate metadata, including quality attributes of the data;
· ensure that access to outputs from statistical data integration would be limited to those which are not only de-identified, but which are also not likely to enable the identification of individuals or businesses;
· grant broad and flexible access to data users, subject to the above constraints, and the agreements with data custodians;
· work with data users to facilitate the effective use of this data within the constraints of privacy and legislation; and
· where applicable, implement fee-for-service charges or cost-recovery mechanisms to cover all or part of the costs (recognising that there are costs associated with creating integrated datasets, managing data access arrangements and conducting quality assurance checks), and provide information to data users (i.e., researchers) on fee-for-service or cost-recovery policies. It is at the discretion of integrating authorities whether they charge for the provision of data integration services. Some integrating authorities may be influenced by the existence of local practices and arrangements.
(4) Providing transparency in its operations
16. Integrating authorities are required to:
· have the ability to transparently apply sanctions for unauthorised disclosure or inappropriate use of the data as required;
· work collaboratively together, where appropriate, to share knowledge and infrastructure;
· ensure stakeholders and the community are kept informed of any statistical data integration project by registering the project on the Public Register of Data Integration Projects;
· publish information on cost recovery and fee-for-service policies, where applicable;
· undertake audits and checks to evaluate security; and
· publish other relevant documents (e.g., data retention statements).
Requirements for integrating authorities handling ‘high risk’ projects
17. The governance and institutional arrangements for data integration involving Commonwealth data recognise that it is the large, complex projects involving sensitive data which engender the major systemic risk to government information-based activities across the board. A systematic approach to monitoring and managing this risk has been agreed by the Cross Portfolio Data Integration Oversight Board.
20. For medium and low risk projects, data custodians and integrating authorities will need to assess the legal and policy framework for each project to ensure there is authorisation to release the data to the integrating authority and that the integrating authority has the appropriate procedures and policy framework in place to ensure that no identifiable data is disclosed.
21. Any questions about the roles and responsibilities of integrating authorities should be emailed to firstname.lastname@example.org
1. A family of projects is defined as data integration projects using the same source datasets, for similar purposes, with the same integrating authority; these are treated as a single program for the purposes of the approval process. References to data integration projects in the remainder of this document include families of projects.
2. The separation of identifying and content data ensures that only information required to perform specific data linkage tasks is made available to people performing those tasks. Specifically, this involves linking separation (where those people performing the linking of the datasets can only access those parts of the datasets that are required to complete the linkage) and analysis separation (where those people performing analysis of the linked datasets can only access those parts of the datasets required for the analysis).