Security, legal and privacy

AITSL digital products must ensure that they meet the appropriate legal, privacy and security measures.

When developing and maintaining a digital product, you must ensure that:

  • any information users provide is confidential and stored appropriately
  • the system they’re using is safe and secure
  • users know how their information will be used
  • users can easily retrieve the information they provide.

To do this, you must:

  • identify secure and private methods of generating or processing data within or between datastores, the solution and users
  • identify appropriate authentication methods that are as seamless as possible to the user
  • understand to what degree the solution has to comply with the Information Security Manual and Protective Security Policy Framework, and internal agency security policies, and create a plan on how to achieve this
  • conduct a privacy impact assessment
  • conduct a threat and risk assessment, and an Information Security Registered Assessors Program Assessment (IRAP) if appropriate
  • identify potential threats to your service, including potential pathways for insider threats and hackers, and demonstrate an understanding of how to mitigate the identified threats

You should also contact those responsible for Legal and Privacy within AITSL so that you can understand your requirements relating to:

  • legal constraints
  • records management
  • privacy, including the Privacy Act and Australian Privacy Principles
  • copyright and open licensing, including the principles on open public sector information, Australian Government intellectual property rules and Australia’s commitment to the Open Government Partnership
  • the Freedom of Information Act
  • the Spam Act
  • state and territory government policies, if relevant