This standard helps entities ensure that data exchange practices are lawful, secure and inclusive. It promotes robust compliance, audit and governance measures to track data activity, assess system security and manage risks. Resilience is supported through breach detection, incident response and disaster recovery planning. Efficiency is realised through the reuse of existing frameworks and solutions.
Apply this standard
These statements detail what entities need to do to comply with the Secure data exchange policy.
Implement security, data protection and access controls
Entities must:
- identify the security classification of data being exchanged and ensure that data exchange controls are in line with the highest security classification
- apply encryption to stored and transmitted data using approved cryptographic standards (e.g. AES-256) to prevent unauthorised access as per Guidelines for cryptography
- develop, implement and maintain additional processes and procedures to reduce the likelihood of Australian Eyes Only, Australian Government Access Only and Releasable To data crossing into unsuitable foreign systems
- enforce end-to-end encryption for highly sensitive data exchanges and ensure secure transmission via Secure File Transfer Protocol (SFTP) for file-based exchanges and secure protocols for real-time data transfers
- implement multi-factor authentication (MFA) and role-based access control (RBAC) to restrict system access based on user roles and responsibilities
- embed privacy-by-design principles using anonymisation or pseudonymisation where appropriate to protect personal information.
Ensure standardisation and interoperability
Entities should:
- develop and maintain standardised data transfer processes to ensure consistent and secure data exchanges across systems
- adopt common data standards and protocols to enable interoperability and seamless data exchange between diverse systems and entities
- apply metadata management practices to ensure accurate data classification and handling during exchanges.
Use governance practices to ensure compliance
Entities should:
- implement comprehensive audit logging for all data transfer activities to maintain traceability and support compliance audits
- conduct regular security audits and assessments of data exchange systems to ensure ongoing compliance and identify potential vulnerabilities.
Entities can:
- quarantine data in cases where security fails, until data can be reviewed and subsequently approved or not approved for release.
Manage risk and implement resilience measures
Entities should:
- establish a risk management framework to identify, assess and mitigate risks associated with data exchanges
- implement breach detection systems such as intrusion detection systems and establish clear incident response protocols
- develop and maintain business continuity and disaster recovery plans to ensure resilience and rapid recovery from disruptions affecting data exchange processes.
Align to guidelines and standards
Entities must:
- ensure that all data exchanges align with the Protective security policy framework (PSPF) and Information security manual (ISM).
Entities should:
- ensure that data exchanges align with controls, processes and procedures in the ASD’s Guidelines for data transfers
- ensure third-party providers meet the same security standards as government entities by following the Standards for digital sourcing.
Entities can:
- refer to Australian Government Architecture guidance in cases where an API is the selected method for data exchange.
Adhere to reuse principles
The Australian Government Architecture provides information for entities on reuse.
Entities should:
- meet the requirements of the Digital and ICT reuse policy
- canvass whether proposed activities could be managed through shared and common services or existing entity structures, business processes, technology and infrastructure, including in other portfolios
- prioritise the reuse of existing secure data exchange frameworks, protocols and infrastructure before developing new solutions to maximise cost-effectiveness, reduce duplication and enhance interoperability across government systems
- access previous solutions and leverage previous investments where applicable
- document lessons learned and best practices from previous implementations to inform future projects and improve whole-of-government data exchange capabilities.
Comply with relevant legislation
Entities must:
- comply with relevant Commonwealth legislation including (but not limited to):
- Archives Act 1983 (Cth): ensuring the proper management and preservation of government records
- Data Availability and Transparency Act 2002 (Cth): facilitating secure and responsible data sharing
- Disability Discrimination Act 1992 (Cth): ensuring accessibility and non-discrimination for individuals with disabilities
- Freedom of Information Act 1982 (Cth): providing access to government information
- Privacy Act 1988 (Cth): protecting the privacy of individuals’ personal information.
- comply with any other legislation applicable to specific functions and circumstances including:
- Strategies to mitigate cyber security incidents: prioritised mitigation strategies to help organisations mitigate cyber security incidents caused by various cyber threats.