Information and communication technology (ICT) security measures are necessary to protect confidential information from unauthorised use, modification, loss or release.
The three key elements of an effective ICT security system include:
- Monitoring and controlling access to confidential information
- Safe transmission of data
- Secure storage and disposal of data
Monitoring and controlling access to confidential information
A fundamental principle of protective security is to ensure access to information that the government holds in trust is on a need-to-know basis only. There are a number of technical security measures that are commonly used to monitor and control access to confidential information, in accordance with the requirements of the Australian Government Protective Security Policy Framework. These measures should be applied for all data integration projects involving Commonwealth data:
- Assignment of unique personal identification code and a secure means of authentication for system access.
- User accounts, access rights and security authorisations managed through an accountable system or records management process.
- Protocols that ensure access rights are not shared with or provided to others.
- Audit trails that include date and user identification to track and monitor access to systems and data and how they are used.
- Control mechanisms to prevent unauthorised access, deletion, modification, duplication, printing or transmission of files.
- Systems maintenance plans that provide adequate ongoing resources for security upgrades.
Safe transmission of data
The safe transmission of data, including source data and linkage keys, as well as data associated with remote or electronic access to integrated datasets, is a primary consideration for data integration projects. The following security measures for the transmission of data are essential for all data linkage projects:
- A secure internet gateway. For high risk projects this gateway must be reviewed annually by the Australian Signals Directorate, or equivalent.
- Encryption of all electronic data transfer to restrict access to information to authorised users and prevent deciphering of intercepted information. Electronic data transfer should only occur where there is a secure internet gateway.
- Use of a courier, if there are technical, security or other reasons that restrict the transfer of data electronically. At media level, it is expected that all information contained on the disc or other medium will be encrypted.
Secure storage and disposal of data
Measures for the secure storage and disposal of integrated data are largely the same as for any information being held in trust by the Australian government. Some additional considerations also apply for data integration projects in managing linkage keys and the confidentiality of the combined data.
The integrating authority is responsible for the ongoing storage or destruction of the integrated dataset, in accordance with the requirements of the data custodians. Information must be protected for the life of the data – that is, it should only be released in a way that will not allow the identification of any individual or organisation, unless otherwise agreed with data custodians and permitted by legislation.
The following measures are recommended as best practice to ensure that data is stored and destroyed securely for all data integration projects involving Commonwealth data:
- Protocols and control mechanisms to prevent storage of sensitive or confidential information on portable devices such as laptops or thumb drives unless they are both encrypted and password protected. This requirement is consistent with the Protective Security Framework.
- Storage of datasets associated with an integration project on a password protected stand-alone computer in a secure room or on a password protected server on a computer network with a secure firewall.
- To preserve privacy and confidentiality in accordance with High Level Principle 6, identifying information (such as name, address and date of birth) should be used only for the purpose of creating linkage keys and not stored on the integrated dataset, unless specifically required and approved for the project purpose and enabled by legislation.
- Project specific linkage keys should not enable links to be established with other datasets or projects. The code (algorithm) used to create linkage keys should also be kept confidential to prevent anyone re-identifying records through their knowledge of the key.
- Once the approved purpose of the project is met, the integrated dataset and project linkage keys should be destroyed in a way that complies with secure disposal requirements, unless retention of the dataset is required for long-term studies or has otherwise been agreed by data custodians.
Secure disposal of electronic records could include overwriting records so that the previously stored data cannot be easily recovered and deleting back-up files; for very sensitive information at high risk, degaussing might be considered (demagnetising the storage media using alternating electric currents, which renders any previously stored data unreadable). The recommended form of destruction for paper records or physical media, such as DVDs, is shredding.
- Linkage keys that have been created to facilitate future studies involving data linkage, should always be stored separately from the integrated dataset and the source dataset, with appropriate security and authorisation controls.
- If integrated datasets are being retained, the reasons for retention as well as the storage and disposal arrangements should be well documented in the project agreements, and a review of storage and access processes set up. If such retention was not part of the initial approval process then the integrating authority must get approval of the decision to retain the dataset from the data custodian(s). This is essential to comply with High Level Principle 6 – Preserving Privacy and Confidentiality.
- Where identifiers need to be retained, for example for longitudinal studies, they will be kept separate from the integrated dataset and the separation principle observed. The integrating authority is responsible for the integrated dataset and must strictly control access for the life of the data.
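The points above on project-specific linkage keys, keeping identifying information off the integrated dataset, and storing linkage keys separately (the separation principle) can be made concrete in code. The following is an added illustration written for this page, not code from the framework or any integrating authority. It assumes one particular way of meeting "the code used to create linkage keys should be kept confidential": a keyed hash (HMAC-SHA256) over canonicalised identifiers with a secret generated per project, so that the same person receives the same key within a project but unrelated keys across projects. The sample records, field names and the `separate`/`integrate` helpers are constructed for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Direct identifiers used only to build linkage keys; never carried into the
# integrated dataset (hypothetical field names for this example).
IDENTIFYING_FIELDS = ("name", "dob", "address")


def normalise_identity(record: dict) -> str:
    """Canonicalise identifying fields so the same person hashes identically
    across sources that differ in case, accents, whitespace or spacing."""
    parts = []
    for field in IDENTIFYING_FIELDS:
        value = unicodedata.normalize("NFKC", str(record[field]))
        value = " ".join(value.split()).casefold()
        parts.append(value)
    return "|".join(parts)


def linkage_key(project_secret: bytes, record: dict) -> str:
    """Project-specific linkage key: HMAC-SHA256 of the canonical identity.
    Without the project secret the key cannot be regenerated from a known
    identity, and a different project secret gives an unrelated key."""
    mac = hmac.new(project_secret, normalise_identity(record).encode(), hashlib.sha256)
    return mac.hexdigest()


def separate(project_secret: bytes, records: list) -> tuple:
    """Apply the separation principle to one source extract.
    Returns (content records carrying only the linkage key, identifier store
    keyed by linkage key). The two parts are intended to be stored in different
    locations under different access controls."""
    content, identifiers = [], {}
    for record in records:
        key = linkage_key(project_secret, record)
        identifiers[key] = {f: record[f] for f in IDENTIFYING_FIELDS}
        content.append({"linkage_key": key,
                        **{k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}})
    return content, identifiers


def integrate(content_a: list, content_b: list) -> list:
    """Join two de-identified extracts on linkage key only; no identifying
    field is present on either side, so none can reach the integrated dataset."""
    by_key = {r["linkage_key"]: r for r in content_b}
    merged = []
    for rec in content_a:
        other = by_key.get(rec["linkage_key"])
        if other is not None:
            merged.append({**rec, **{k: v for k, v in other.items() if k != "linkage_key"}})
    return merged


# Constructed sample extracts from two notional custodians (not real data).
SOURCE_A = [
    {"name": "Jane  CITIZEN", "dob": "1980-04-12",
     "address": "1 Example St, Canberra", "benefit": "A"},
    {"name": "John Smith", "dob": "1975-01-03",
     "address": "2 Example St, Canberra", "benefit": "B"},
]
SOURCE_B = [
    {"name": "jane citizen", "dob": "1980-04-12",
     "address": "1 example st, canberra", "visits": 3},
]


def run_project(project_secret: bytes) -> tuple:
    """Build the integrated dataset and the (separately held) identifier stores."""
    content_a, ids_a = separate(project_secret, SOURCE_A)
    content_b, ids_b = separate(project_secret, SOURCE_B)
    return integrate(content_a, content_b), {**ids_a, **ids_b}


if __name__ == "__main__":
    # One fresh secret per project; it is held with the same care as the keys.
    integrated, identifier_store = run_project(secrets.token_bytes(32))
    print(integrated)
```

Two design points follow from the list above. Because the key is an HMAC, the secret is the confidential "code" that prevents anyone regenerating a linkage key from a known name and date of birth, and using a different secret for each project means keys from one project cannot be matched against another. When the approved purpose is met, destroying the identifier store and the project secret leaves the content records unlinkable; if keys are retained for a longitudinal study, the identifier store is the part that must live apart from the integrated dataset with its own authorisation controls. The matching here is exact after canonicalisation, so records with differing or misspelt identifiers will not link; production linkage units typically add probabilistic matching on top, which this example does not attempt.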
For more information about other aspects of data security see: