Information and communication technology security
Information and communication technology (ICT) security measures are necessary to protect confidential information from unauthorised use, modification, loss or release.
The three key elements of an effective ICT security system are:
- monitoring and controlling access to confidential information;
- secure transmission of data; and
- secure storage and disposal of data.
A fundamental principle of protective security is to ensure access to information that the government holds in trust is on a need-to-know basis only. There are a number of technical security measures that are commonly used to monitor and control access to confidential information, in accordance with the requirements of the Australian Government Protective Security Policy Framework. These measures should be applied for all data integration projects involving Commonwealth data:
- Assignment of unique personal identification code and a secure means of authentication for system access.
- User accounts, access rights and security authorisations managed through an accountable system or records management process.
- Protocols that ensure access rights are not shared with or provided to others.
- Audit trails that include date and user identification to track and monitor access to systems and data and how they are used.
- Control mechanisms to prevent unauthorised access, deletion, modification, duplication, printing or transmission of files.
- Systems maintenance plans that provide adequate ongoing resources for security upgrades.
The safe transmission of data, including source data, linkage keys, as well as that associated with remote or electronic access to integrated datasets, is a primary consideration for data integration projects. The following security measures for the transmission of data are essential for all data linkage projects:
- A secure internet gateway. For high risk projects this gateway must be reviewed annually by the Australian Signals Directorate, or equivalent.
- Encryption of all electronic data transfer to restrict access to information to authorised users and prevent deciphering of intercepted information. Electronic data transfer should only occur where there is a secure internet gateway.
- Use of a courier, if there are technical, security or other reasons that restrict the transfer of data electronically. At the media level, it is expected that all information contained on the disc or other medium will be encrypted.
Measures for the secure storage and disposal of integrated data are largely the same as for any information being held in trust by the Australian government. Some additional considerations also apply for data integration projects in managing linkage keys and the confidentiality of the combined data.
The integrating authority is responsible for the ongoing storage or destruction of the integrated dataset, in accordance with the requirements of the data custodians. Information must be protected for the life of the data – that is, it should only be released in a way that will not allow the identification of any individual or organisation, unless otherwise agreed with data custodians and permitted by legislation.
The following measures are recommended as best practice to ensure that data is stored and destroyed securely for all data integration projects involving Commonwealth data:
- Protocols and control mechanisms to prevent storage of sensitive or confidential information on portable devices such as laptops or thumb drives unless they are both encrypted and password protected. This requirement is consistent with the Protective Security Policy Framework.
- Storage of datasets associated with an integration project on a password-protected stand-alone computer in a secure room, or on a password-protected server on a computer network behind a secure firewall.
- To preserve privacy and confidentiality in accordance with High Level Principle 6, identifying information (such as name, address and date of birth) should be used only for the purpose of creating linkage keys and not stored on the integrated dataset, unless specifically required and approved for the project purpose and enabled by legislation.
- Project-specific linkage keys should not enable links to be established with other datasets or projects. The code (algorithm) used to create linkage keys should also be kept confidential to prevent anyone re-identifying records through their knowledge of the key.
- Once the approved purpose of the project is met, the integrated dataset and project linkage keys should be destroyed in a way that complies with secure disposal requirements, unless retention of the dataset is required for long-term studies or has otherwise been agreed by data custodians.
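The two linkage-key measures above (identifying information used only to derive the key, and project-specific keys that cannot be joined across projects) can be illustrated with a small worked example. The following is an added example, not code from the framework or from any integrating authority; the framework does not prescribe a linkage-key algorithm, and the use of HMAC-SHA256 over normalised identifiers with a per-project secret key is an assumption made here. The example keeps the secret in the project key rather than in the algorithm, so that knowledge of the construction alone is not enough to recompute or reverse a key. The sample records are constructed.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample source records. Records A-1 and A-2 describe the same
# person with messy formatting; B-1 is a different person.
SOURCE_RECORDS = [
    {"id": "A-1", "name": "Jane Citizen", "dob": "1980-04-12",
     "address": "1 Example St", "income": 52000},
    {"id": "A-2", "name": "jane  citizen", "dob": "1980-04-12",
     "address": "1 EXAMPLE ST", "income": 52000},
    {"id": "B-1", "name": "John Smith", "dob": "1975-11-30",
     "address": "9 Sample Rd", "income": 61000},
]

IDENTIFYING_FIELDS = ("name", "dob", "address")


def normalise(value: str) -> str:
    """Canonicalise an identifier so that case, whitespace and Unicode
    form differences do not produce different linkage keys."""
    value = unicodedata.normalize("NFKC", value)
    return " ".join(value.casefold().split())


def linkage_key(project_key: bytes, name: str, dob: str, address: str) -> str:
    """Derive a project-specific linkage key (assumed construction: HMAC-SHA256
    keyed with a secret held only by the integrating authority for this project).
    Fields are length-prefixed so that field boundaries are unambiguous."""
    msg = b""
    for field in (normalise(name), normalise(dob), normalise(address)):
        encoded = field.encode("utf-8")
        msg += len(encoded).to_bytes(2, "big") + encoded
    return hmac.new(project_key, msg, hashlib.sha256).hexdigest()


def build_integrated_dataset(records, project_key: bytes):
    """Replace identifying fields with the linkage key, keeping only the
    analysis variables. The returned records carry no name, dob or address."""
    integrated = []
    for r in records:
        key = linkage_key(project_key, r["name"], r["dob"], r["address"])
        analysis_fields = {k: v for k, v in r.items()
                           if k not in IDENTIFYING_FIELDS and k != "id"}
        integrated.append({"linkage_key": key, **analysis_fields})
    return integrated


def cross_project_linkable(dataset_a, dataset_b) -> bool:
    """True if any linkage key appears in both datasets, i.e. records could be
    joined across the two projects. With distinct project keys this is False."""
    keys_a = {r["linkage_key"] for r in dataset_a}
    keys_b = {r["linkage_key"] for r in dataset_b}
    return bool(keys_a & keys_b)


if __name__ == "__main__":
    # In practice each project key is generated with secrets.token_bytes(32),
    # stored separately from the data, and destroyed with the project.
    key_a = b"project-A-secret-key-example"
    key_b = b"project-B-secret-key-example"
    ds_a = build_integrated_dataset(SOURCE_RECORDS, key_a)
    ds_b = build_integrated_dataset(SOURCE_RECORDS, key_b)
    for row in ds_a:
        print(row)
    print("A-1 and A-2 link within project A:",
          ds_a[0]["linkage_key"] == ds_a[1]["linkage_key"])
    print("Projects A and B linkable:", cross_project_linkable(ds_a, ds_b))
```

The example only handles records that agree after normalisation; it does not attempt the probabilistic matching that real linkage work often needs. The property worth checking is that the same person yields one key within a project, that different project keys yield disjoint key sets over the same source data, and that the integrated rows contain no identifying fields.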