Risk framework

Prior to giving in-principle approval for a project, it is the responsibility of data custodians to assess the risk of a project to determine whether the project should proceed and whether an accredited Integrating Authority is required to manage it. This risk assessment may be undertaken by a ‘lead data custodian’ appointed with the mutual agreement of all data custodians, jointly by all of the data custodians, or individually by each data custodian. Input or clarification may be sought from integrating authorities [1] with expertise in data integration and from data users.

The risk assessment framework provides a guideline to assess the risk of:

  1. a breach resulting in an unauthorised disclosure of personal or business information, and
  2. a reduction in public trust in the Australian government and its institutions.

These risks may arise from an unauthorised disclosure of personal or business information or from a negative public perception of the project.

Data custodians should consider whether further assessment of public perception of the project is required. Transparent processes and community engagement will reduce public concerns about integration projects.

The risk assessment framework describes a two-stage process that assesses the risk of the data integration project against criteria agreed by the Oversight Board. The first stage (the pre-mitigation risk assessment) identifies and rates the elements of risk presented by the project. The second stage (the post-mitigation risk assessment) assesses the residual risk after accounting for risk mitigation strategies. If the project risk is still high after mitigation, then the project must be managed by an accredited Integrating Authority.

The pre- and post-mitigation risk assessments must be submitted to the Oversight Board through the Secretariat as part of the project registration. The Oversight Board has ten working days following registration of the project and receipt of the risk assessment to raise any concerns about the project with the data custodians or integrating authority. These concerns relate to the management of the systemic risks of data integration.

The integrating authority has the responsibility to manage the data integration project from end-to-end. This includes the management and mitigation of systemic risks identified by the data custodians, as well as the identification and mitigation of risks that emerge during the course of the project. Risks should be managed in consultation with the data custodians.

To view the full risk assessment framework to be used when determining the risk level of data integration projects involving Commonwealth data for statistical and research purposes, please refer to Data Integration Involving Commonwealth Data for Statistical and Research Purposes: Risk Assessment Guidelines (December 2013) on the National Statistical Service website, www.nss.gov.au.

Risk assessments should be forwarded to the Secretariat by email (statistical.data.integration [at] nss.gov.au) as part of the project registration process.

Note that the final decision on which integrating authority to appoint for the project will remain subject to the outcome of the risk assessment and the agreement of all data custodians.