• Guidance to apply criterion 1

    To meet criterion 3 of the Digital Service Standard, refer to the Digital Inclusion Standard. The Digital Inclusion Standard is an extension of criterion 3 of the Digital Service Standard.


  • Design for interoperability
    • Share data: Always begin by reviewing any obligations against privacy policies and the Privacy Act 1988. If external data can be used, make the service interoperable and leverage governments’ open datasets. Support safe, ethical data-sharing practices by using the government’s DATA Scheme.
    • Request information once: Assess the data the agency already collects and whether it can be reused to deliver the service. Where it can be reused, eliminate unnecessary data entry requests and fulfil a ‘tell us once’ approach.
    • Publish open APIs: Thoroughly document the service’s APIs. Where appropriate, open them for other services and third parties to build upon existing government offerings. Align with the API Design Standard to support cross-jurisdictional data sharing, maintain a consistent, reusable vocabulary and support wider API literacy.
    • Plan for scale and flexibility: Make sure the service can cater for growth and changing preferences without impacting performance, functionality or stability. Embed adaptability into the design patterns from the outset to allow malleability that future changes may require.
    • Utilise a Digital ID: Where appropriate, endeavour to integrate the Australian Government Digital ID System, accredited by the Trusted Digital Identity Framework (TDIF), to allow users to access the service with a single set of credentials.
  • Align with joined-up services
    • Orient to life events: Design services around users’ life circumstances, such as birth registrations or changes to their name, rather than forcing users to adapt to how government is organised. Clearly describe expected or potential next steps to contribute to a seamless experience and explore interlinking with other federal, state and territory services to reduce data-entry burden on users.
  • Guidance to connect services

  • Apply criterion 4 of the Service Standard: Connect services

    To meet criterion 4 of the Digital Service Standard, refer to the Digital Access Standard. The Digital Access Standard is an extension of criterion 4 of the Digital Service Standard.


  • Adopt transparent data handling
    • Consider privacy, consent and control: Safeguard user data by adhering to the Australian Privacy Principles and the Privacy Act 1988. Always get explicit, informed consent before collecting a user’s data and provide a means to update or delete it. Allow users to report inaccurate data and respond with how it has been rectified. Notify users about their responsibilities to protect their data, such as not sharing their password with others.
    • Eliminate ambiguity in the user interface: Provide validating feedback and progress tracking as users interact with the service. Design to eliminate the need for error messages in the first place. When creating error messages, make them understandable and actionable. Tell users what information they need before they start a task and, where appropriate, allow them to pause and resume at their own pace.
  • Implement security measures
  • Maintain a reliable service
    • Available and consistent: Make the service available, stable and consistent for users in different places and time zones, at different times, on different days. Schedule maintenance for a predictable period of downtime, and give notice to users well ahead of time.
  • Be accountable for the service
    • Embrace contestability: Offer clear avenues for users to submit complaints, contest decisions or report issues, including security data and cyber concerns. To increase the likelihood of useful feedback, make avenues anonymous by default and identifying by choice wherever possible. To demonstrate that feedback has been addressed or will inform future action, provide users with timely and transparent responses. Responses should be tailored to the feedback.
    • Undertake periodic audits: Audit the service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep the service fit for purpose (Criterion 10 ‘Keep it relevant’). 
  • Guidance to build trust in design

  • Ensure security measures are up to date

    Prioritise service security measures and have processes in place to ensure that they are efficient and current. Use methods or tools such as:

    • Conduct regular and comprehensive security audits to identify vulnerabilities in the digital service. This includes penetration testing and assessments to keep security measures robust and up to date.
    • Regularly update software, hardware and security protocols to protect against new and emerging threats. This includes prompt application of patches, updates and security fixes. 
    • Implement ongoing security training for staff on best practices, including recognition of phishing attempts and secure handling of sensitive data.
    • Establish and regularly update an incident response plan to prepare for potential security breaches. Outline steps for detecting security incidents, responding to them and recovering.
  • Establish processes for preventing misinformation

    Prioritise the accuracy of information provided. Put processes in place for regular checks and updates. Use methods or tools such as:

    • Establish clear guidelines for content moderation to prevent misinformation. This includes procedures for reviewing and verifying information before it is published.
    • Implement reporting mechanisms so users can flag misinformation or content they believe is inaccurate. This encourages user engagement and helps maintain the integrity of information provided.
    • Maintain processes for regular content updates and corrections when information inaccuracies are identified. Transparent correction processes build trust.
  • Ensure the service is resilient against cyber threats

    Have processes in place to make sure the service is resilient and updated against current and imminent cyber threats. Use methods or tools such as:

    • Implement a layered security strategy that includes firewalls, intrusion detection systems and encryption to create multiple barriers against cyber threats.
    • Develop and test disaster recovery and business continuity plans to ensure the service can recover quickly from cyber incidents, including data breaches or denial-of-service attacks.
    • Continuously monitor and assess emerging cyber threats. This involves subscribing to threat intelligence services and keeping abreast of industry developments.
    • Educate users about cybersecurity best practices, such as using strong passwords and recognising phishing attempts. An informed user base enhances overall security.
  • Document your findings

    Document your findings and recommendations to apply criterion 5:

    • Ensure timely updates of software and hardware to protect against the latest threats and implement ongoing training programs for staff on security best practices.
    • Establish and regularly update an incident response plan outlining procedures for handling security breaches. 
    • Create guidelines for content moderation to prevent misinformation.
    • Make sure the data is collected and documented in a centralised knowledge repository. 
  • ‘Build once, use many times’
    • Apply reuse in decision-making: Use the Australian Government Architecture to understand the tools, capabilities, policies and standards for building government services. Identify and document how they are applied in decision-making.
    • Apply learnings from predecessors: Reach out to teams and agencies for their experiences and lessons creating similar services and how to apply them to other services.
  • Design for a common, seamless experience
    • Adopt open standards where appropriate: Consider how reuse and open standards can support other services across government. Where appropriate, design and build with them to bring the service to more platforms, improve data sharing capability, prevent vendor lock-in and create familiarity for users.
  • Reuse data where possible
  • Guidance to not reinvent the wheel
