Accreditation of an Integrating Authority
The steps involved in gaining accreditation
Who can apply for accreditation?
Will the accreditation process be reviewed?
The appointment of an integrating authority for each statistical data integration project is an essential pillar in establishing a safe and effective environment for data integration involving Commonwealth data. An integrating authority is the single organisation ultimately responsible for the sound conduct of the statistical data integration project.
For each data integration project involving Commonwealth data for statistical and research purposes (a project), a risk assessment should be conducted by the data custodian(s) to assess whether a project should proceed and its level of systemic risk (high/medium/low). This risk rating is determined through the Risk Assessment Guidelines, which is available on the National Statistical Service website.
If a project is assessed as posing a high risk, the integrating authority must be accredited.
This information sheet provides an overview of the accreditation process.
Accreditation of an integrating authority is the recognition by the Cross Portfolio Data Integration Oversight Board (the Oversight Board) that the organisation has the requisite expertise, skills and knowledge, infrastructure and secure environment to undertake data integration projects, particularly those considered to be a high risk rating.
It is important to note, the accreditation scheme is an administrative arrangement which does not override legislation. All legal obligations (e.g. with regard to the Privacy Act 1988 or privacy and secrecy provisions in agency-specific legislation) must be met.
The process for accreditation of integrating authorities involves:
a) Self-assessment. Integrating authorities apply for accreditation by preparing a self-assessment report explaining how they meet the criteria for accreditation and evidenced by supporting documentation. The self-assessment should be succinct and avoid qualitative statements that cannot be directly verified in the supporting documentation provided. The assessment should be signed off by the head of the agency.
b) Audit. An independent third party audits the integrating authority’s self-assessment to verify the statements of the claims made in the self-assessment. This verification is made on the basis of the documentary evidence. This audit is paid for by the integrating authority applying to become accredited.
c) Decision. The Oversight Board will make the final decision on interim accreditation, based on the self-assessment and results of the audit.
d) Publication of list of accredited agencies. The Secretariat publishes a list of accredited integrating authorities, together with a summarised version of the integrating authority’s application and a summary of the audit report (see nss.gov.au/dataintegration).
It is recommended that potential applicants contact the Cross Portfolio Data Integration Secretariat (email@example.com) before starting the application, as well as at any point where guidance is needed during the application.
The interim accreditation arrangements will be tested on Commonwealth government agencies first. While this does not preclude State/Territory government agencies applying for accreditation against the interim arrangements (provided that they meet all the requirements), it will not be possible for any State/Territory government agencies to be accredited in the short term, as this would not allow time for sufficient testing and evaluation of the arrangements with Commonwealth agencies. The system is not yet mature enough to ensure that adequate safeguards apply to private firms. State/Territory government agencies and private firms can continue to apply for access to Commonwealth data under existing arrangements.
The Oversight Board will only consider applications for accreditation, against the interim accreditation arrangements, for those agencies covered by privacy legislation (either the Privacy Act 1988 or State/Territory equivalent).
 Systemic risk in this context is the ability of a project, by its very nature or where a breach occurs, to either harm data providers and/or create a loss of public trust in the Australian Government or its institutions.
For more information
To learn more about the Commonwealth arrangements and their development, see the Statistical Data Integration pages on the National Statistical Service website or contact the Cross Portfolio Data Integration Secretariat at firstname.lastname@example.org