Search

Exemption guidance

The Digital Transformation Agency (DTA) acknowledges that agencies may not be able to meet all the requirements of the Digital Experience (DX) Policy in every instance. Where appropriate, agencies can apply for an exemption.

Exemption eligibility

Exemptions should only be sought where there are genuine barriers in applying the standards to a digital service, including:

legacy technology barriers that cannot be reasonably overcome
substantial financial burden associated with modifying a service to meet requirements.

myGov integration exemptions

Specific exemptions for the Digital Access Standard may be available for services considered for integration with myGov.

This may include:

users not having access to myGov
users being ineligible for a myGov account
where it does not make sense for users to have a myGov account
legislative or regulatory barriers preventing the service from being delivered via myGov
circumstances where Services Australia has indicated that it is unable to onboard the service to myGov.

Exemption limits

Exemptions may apply to one or more criteria of a standard mandated by the DX Policy, or to an entire standard. Exemptions are not applied at a whole-of-policy level.

Where an exemption from a standard is granted, it may be permanent, temporary, partial or full. Exemption applications are assessed on a case-by-case basis.
On request, the DTA can work with agencies to interpret their eligibility for an exemption and support them through the exemption process.

Exemption scenarios

Examples of where a service may be granted an exemption if sufficient evidence is provided.

Sufficient evidence may include enhancement plans or future system changes, in line with the requirements of the relevant standard.

Digital Service Standard

An agency operates a grants system using technology that doesn’t easily support interoperability. This means it is not able to operate in conjunction with other systems.

The agency believes they can meet all Digital Service Standard requirements except Criterion 4 – Connect services. They would be exempt from designing for interoperability and joining services due to the limitations of the existing system.

Off

From 1 January 2025, services that meet the following criteria will be required to meet the Digital Inclusion Standard:
- public or staff-facing
- owned by non-corporate Commonwealth entities
- new (including redesigned) informational and transactional services.
From 1 January 2026, services that meet the following criteria, will be required to meet the Digital Inclusion Standard:
- public-facing
- owned by non-corporate Commonwealth entities
- all existing informational and transactional services.
Note: existing staff-facing services are excluded.

An agency operates a grants system using technology that doesn’t easily support interoperability. This means it is not able to operate in conjunction with other systems.
The agency believes they can meet all Digital Service Standard requirements except Criterion 4 – Connect services. They would be exempt from designing for interoperability and joining services due to the limitations of the existing system.
An agency operates an informational website about their suite of services – the website is available to the public. The agency understands that the new Digital Inclusion Standard is applicable to existing services from 1 January 2026.
The agency does not believe they will meet the deadline for compliance, without significant investment and risk to other priority programs.
An agency is replacing a digital platform that allows tourists to apply for tax refunds for goods they purchased in Australia, that they take with them on a plane or ship when they travel out of the country.
The agency believes they can meet all Digital Access Standard requirements except Criterion 4 – Follow the decision-making framework. In applying the decision-making criteria, the agency determines that most users are tourists who are not eligible for myGov accounts.
This means that myGov is not the best access point for their replacement service.
An agency provides a digital service that supports users who are experiencing extreme circumstances, such as trauma and hardship.
The agency believes they can meet all Digital Performance Standard requirements except Criterion 4 – Measure if your digital service is meeting customer needs, as they don’t feel it’s appropriate to ask their customers for feedback at the time of transaction.

Digital Inclusion Standard

An agency operates an informational website about their suite of services – the website is available to the public. The agency understands that the new Digital Inclusion Standard is applicable to existing services from 1 January 2026.

The agency does not believe they will meet the deadline for compliance, without significant investment and risk to other priority programs.

Off

Digital Access Standard

An agency is replacing a digital platform that allows tourists to apply for tax refunds for goods they purchased in Australia, that they take with them on a plane or ship when they travel out of the country.

The agency believes they can meet all Digital Access Standard requirements except Criterion 4 – Follow the decision-making framework. In applying the decision-making criteria, the agency determines that most users are tourists who are not eligible for myGov accounts.

This means that myGov is not the best access point for their replacement service.

Off

Digital Performance Standard

An agency provides a digital service that supports users who are experiencing extreme circumstances, such as trauma and hardship.

The agency believes they can meet all Digital Performance Standard requirements except Criterion 4 – Measure if your digital service is meeting customer needs, as they don’t feel it’s appropriate to ask their customers for feedback at the time of transaction.

Off

How to apply for an exemption

Agencies should contact the DTA to apply for an exemption. The DTA will provide all necessary information, forms and supporting documents for an exemption application.

New services

Exemptions for new services going through the budget process can be raised through the appropriate state of the Investment Oversight Framework (IOF).

Off

Existing services

Exemptions for existing services against the Digital Service Standard and Digital Inclusion Standard should be made in writing to standard@dta.gov.au.

Off

Criterion 1 – Have clear intent

Criterion requirements

To successfully meet this criterion, agencies need to:

Develop a business case for change
Survey the policy and service landscape
Understand the service’s lifecycle
Adopt an agile methodology.

For existing services, this means that agencies should have clearly identified the problem the service is addressing and the whole of government priorities it is contributing towards.

Checklist items

The current problem statement for the service is clear and addressed.
Best practice approaches:
- Consider the problems the service needs to solve and why they are important. Clearly state the risks of action and inaction, who might be impacted by the service, potential barriers to success and any knowledge gaps.
Government priorities the service is contributing towards have been identified.
Best practice approaches:
- Assess how the problems identified play out in the broader policy and government service ecosystems. Use resources such as the Australian Government Architecture and Delivering Great Policy Toolkit to understand the landscape and the intentions of different policies.
- Have a clear understanding of how the service will contribute to government priorities, including the achievement of the Data and Digital Government Strategy 2030 vision.

Optional

Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.

Off

Criterion requirements
To successfully meet this criterion, agencies need to:
1. Develop a business case for change
2. Survey the policy and service landscape
3. Understand the service’s lifecycle
4. Adopt an agile methodology.
For existing services, this means that agencies should have clearly identified the problem the service is addressing and the whole of government priorities it is contributing towards.
Checklist items
- The current problem statement for the service is clear and addressed.
  Best practice approaches:
  - Consider the problems the service needs to solve and why they are important. Clearly state the risks of action and inaction, who might be impacted by the service, potential barriers to success and any knowledge gaps.
- Government priorities the service is contributing towards have been identified.
  Best practice approaches:
  - Assess how the problems identified play out in the broader policy and government service ecosystems. Use resources such as the Australian Government Architecture and Delivering Great Policy Toolkit to understand the landscape and the intentions of different policies.
  - Have a clear understanding of how the service will contribute to government priorities, including the achievement of the Data and Digital Government Strategy 2030 vision.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Understand the service’s users.
2. Conduct user research.
3. Test and validate designs.
For existing services, this means agencies should know who the service users are, have a deep understanding of user experiences with the service and how to improve those experiences.
Checklist items:
- The current users of the service and their needs are understood.
  Best practice approaches:
  - Regularly conduct user research to understand who your current users are and why they are accessing your service.
  - Make sure you also understand what devices, platforms, or technologies they use to access the service.
- Users’ experiences accessing your service and how to improve those experiences are understood.
  Best practice approaches:
  - Analyse any identified pain points or negative feedback to understand the root cause, make incremental changes based on feedback and test these changes with users to assess their effectiveness.
  - Prioritise action on pain points that have the most significant impact on user experience and ensure resources are allocated effectively.
Methods and tools to use:
- Interviews, surveys, observation or analytics to gather data on your users' needs, goals, expectations, and behaviours.
- existing research from other agencies or sources that are relevant to your service.
- past research reports, journey maps or project summaries from historical internal documentation, internal databases, project archives or management systems.
- relevant studies or research papers, from academic and industry journals.
- professional networks and opportunities to engage with experts and practitioners across the APS to share research findings, reports and insights.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Understand the diversity of your users.
2. Comply with legislation and standards, including the:
3. Implement a feedback mechanism.
For existing services, this means that agencies must ensure they understand the diversity of the services’ users, actively manage compliance with relevant legislation and standards as part of service development and ongoing operations, and have a feedback mechanism in place.
Checklist items
- The different cohorts that may be impacted by or use the service is understood.
  Best practice approaches:
  - Expand on the learnings from Criterion 2 of the Digital Service Standard, by conducting targeted and ethical user research with the diverse users of the service. Make sure the service captures and responds to unique circumstances and needs.
  - Collect and analyse information about different users to understand the different barriers they might experience when using the service. Eliminate these barriers through design and validate the effectiveness of solutions with real-world users.
  - Some types of users are under-represented in research, may be difficult to reach or require different or tailored engagement approaches. If this is the case, collaborate with other agencies, community groups or the private and not-for-profit sector to reach them.
- The service is compliant with relevant legislation and standards, including the:
  - Disability Discrimination Act 1992
  - Latest version of the Web Content Accessibility Guidelines (WCAG)
  - Australian Government Style Manual.
- A feedback mechanism is in place.
  Best practice approaches:
  - Provide a user feedback mechanism that supports issue reporting and service improvement suggestions, with timely, transparent responses. Act promptly on feedback and provide timely, transparent responses describing how it’s being actioned. Promote the mechanism through an ongoing, multichannel awareness campaign.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Design for interoperability.
2. Join up services.
For existing services, this means that agencies should ensure that the service has the capability to support interoperability with other services where possible.
Checklist items
- Where possible, the service integrates with other relevant government systems or platforms (if not possible, also mark this as complete):
  Best practice approaches:
  - Review any obligations against privacy policies and the Privacy Act 1988. If external data is used, make the service interoperable and leverage governments’ open datasets. Support safe, ethical data-sharing practices by using the government’s DATA Scheme.
  - Assess the data the agency already collects and whether it can be reused for the service. Where it can be reused, eliminate unnecessary data entry requests and fulfil a ‘tell us once’ approach.
  - Thoroughly document the service’s APIs. Where appropriate, open them for other services and third parties to build upon existing government offerings. Align with the API Design Standard to support cross-jurisdictional data sharing, maintain a consistent, reusable vocabulary and support wider API literacy.
  - Where appropriate, endeavour to integrate the Australia Government Digital ID System, accredited by the Trusted Digital Identity Framework (TDIF). This will allow users to access the service with a single set of credentials.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Adopt transparent data handling.
2. Implement security measures.
3. Maintain a reliable service.
4. Be accountable for the service.
For existing services this means that agencies should have mechanisms in place to manage the transparency, security, reliability and accountability for the service.
Checklist items
- Transparent data handling practices for the service are adopted.
  Best practice approaches:
  - Safeguard user data by adhering to the Australian Privacy Principles and the Privacy Act 1988. Always gets explicit, informed consent before colleting a user’s data and provide a means to update or delete it. Allow users to report inaccurate data and respond with how it has been rectified. Notify all users about their responsibilities to protect their data, such as not sharing their password with others.
  - Tell users what information they need before they start a task, and where appropriate, allow them to pause and resume at their own pace.
  - Where appropriate, consider how to embed provenance information to help establish and main trust. Resources such as Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era should be consulted.
- There are processes in place to ensure ongoing compliance of the service with up-to-date security measures.
  Best practice approaches:
  - Use the Information Security Manual, the Essential Eight and other resources from the Australian Cyber Security Centre to thoroughly assess the service’s threats, posture and protections. Plan for the requirements and system hardening that will support the service throughout design, build, operation and decommissioning.
- There are processes in place to manage reliability of the service for availability and consistency.
  Best practice approaches:
  - Make the service available, stable and consistent for users in different places and time zones, at different times, on different days. Schedule maintenance for a predictable period of downtime and give notice to users well ahead of time.
- There are accountability measures in place for the service to maintain contestability and periodic auditing.
  Best practice approaches:
  - Offer clear avenues for users to submit complaints, contest decisions or report issues, including security data and cyber concerns. To increase the likelihood of useful feedback, make avenues anonymous by default and identifying by choice wherever possible. To demonstrate that feedback has been addressed or will inform future action, provide users with timely and transparent responses. Responses should be tailored to the feedback.
  - Audit the service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep the service fit for purpose.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible:
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. ‘Build once, use many times’.
2. Design for a common, seamless experience.
3. Reuse data where possible.
For existing services, this means that agencies should enable the re-use of designs and data where it is possible to do so.
Checklist items
- Where possible, components, solutions and/or data, such as forms, content, workflows, APIs, design components or information, are able to be reused in other services (if not possible, also tick this box).
  Best practice approaches:
  - Share designs with other teams and agencies that are establishing services that could benefit from the work your agency is doing with your service. Similarly, share data, where possible, with other services that require the same data to provide a seamless experience for the users.
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Protect users’ digital rights.
2. Understand privacy impacts.
3. Understand the limits of data.
For existing services, this means that agencies must have mechanisms in place to protect users’ digital rights and understand the privacy impacts of the services and the limits of data.
Checklist items
- The digital rights of users are protected.
  Best practice approaches:
  - Consider how the service might impact the digital rights of users. Identify users facing greater personal risks and make sure they’re provided with the means to access, communicate and contest the service transparently or anonymously. If rights are breached, move quickly to implement changes that prevent future harm.
  - Consider the implications of the service beyond its immediate impacts. Workshop environmental, economic or social impacts and undertake scenario planning to explore unforeseen issues and opportunities.
- The services’ privacy impacts are understood and appropriately responded to.
  Best practice approaches:
  - Undertake regular Privacy Impact Assessments to capture issues. Mitigate unwarranted and unauthorised surveillance, data collection and malicious data breaches and share these actions with users.
  - Where required, seek and obtain informed consent from users prior to collecting, storing or disclosing any of their data. Consider opt-out options and ensure the service requires as little user data as possible.
  - Communicate how data will be used or may be used in the future at the time of consent. This includes how it may be shared with other people or between services and secondary or less obvious uses.
- The limits of data that is collected and / or used by the service is understood.
  Best practice approaches:
  - Data should only be collected and used for the stated purpose that the user agrees to. Account for how data models, datasets and algorithms may produce discriminatory results and provide transparent detail to users on how decisions and calculations are made. Before sharing data, apply the DATA Scheme’s Data Sharing Principles to help assess whether it would be safe to do so.
  - Quantitative data, which is numeric or measurable, helps us understand what is happening on a service. Qualitative data, which is descriptive or observable, helps us understand why. Use both to fully understand the story and match any correlation with a provable causation. Do this before making important decisions.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Follow guidance on critical and emerging technologies.
2. Maintain interoperability in the face of new technology.
3. Track adoption of new technology.
For existing services, this means that agencies must demonstrate that they have adopted emerging technologies only when there is an inherent benefit, maintain interoperability where relevant, and have implemented measures to monitor for changes relating to critical and emerging technologies that may impact the service.
Checklist items
- There are processes in place to monitor and implement guidance for critical and emerging technologies for the service.
  Best practice approaches:
  - Stay current, technology can advance at a staggering pace. If available, refer to government guidance on risks, opportunities and developments for up-to-date advice on critical or emerging technology that may impact the service.
  - Regularly check the Australian Government Architecture: Follow published guidance in the Australian Government Architecture for the adoption of critical and emerging technologies.
- There are processes in place to maintain the interoperability of the service in the face of new technology.
  Best practice approaches:
  - Consider if new technologies will impact the service’s interoperability. Plan for its introduction or implementation in partnership with other affected agencies to prevent further divergence or disconnection.
  - Undertake an assessment of the preparedness for new technologies. Consider the resources and training for a new technology that will be required by the agency and team.
- There are processes in place to track adoption of new technology.
  Best practice approaches:
  - Prior to implementing a new technology, determine whether it aligns with the clear intent of the service and whether it risks leaving certain types of users behind. If implemented, monitor how users respond to the new technology and respond to any accessibility or usability concerns.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Establish a baseline for the service.
2. Identify the right performance indicators.
3. Measure, report and improve according to strategies.
For existing services, this means that agencies must demonstrate that there is continuous monitoring and measurement of services to ensure they operate smoothly, remain secure and cater for users’ evolving needs.
Checklist items
- There is an established performance baseline for the service.
  Best practice approaches:
  - Determine the current state by identifying and reviewing existing metrics for the service. Use this as a yardstick to measure progress.
  - Compare the service to similar services or existing standards to identify areas of improvement. Seek out best practices of similar and well-performing services to consider if they can be adopted.
- Appropriate performance indicators have been identified for the service.
  Best practice approaches:
  - Use metrics that accurately capture the service’s ability to deliver the outcomes that users expect. These might include adherence to design standards and privacy legislation, site/app performance, security benchmarks or tasks completed by users.
- The service is measured, reported against and improved according to strategies.
  Best practice approaches:
  - Make sure the service meets the Data and Digital Government Strategy and consider how information collected and reported could improve the service in line with the Strategy’s implementation plan. All digital and ICT-enabled investment proposals must define their purpose, outcomes and methods for measuring, monitoring and optimising them. Find out more in the Benefits Management Policy.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.
Criterion requirements
To successfully meet this criterion, agencies will need to:
1. Improve the service across its life.
2. Schedule regular assessments.
3. Communicate service upgrades.
For existing services, this means that agencies must seek to continuously improve their services, schedule regular assessments and communicate service upgrades.
Checklist items
- There are mechanisms in place to make improvements to the service across its life.
  Best practice approaches:
  - Increase people’s use of the service by continuously optimising performance, enhancing security, introducing relevant features, addressing bugs and increasing compatibility. Use metrics identified in Criterion 9 (‘Monitor your service’) to reveal the biggest opportunities for impact and ground improvements in evidence. Provide ongoing training and materials for staff to support change.
- Regular assessments are scheduled to review the performance and experience of the service over time.
  Best practice approaches.
  - Define the goals and scope of the assessment then observe performance and experience over time. Performance metrics might include load times, responsiveness or bottlenecks. Experience metrics might include entry/exit points, dwell time or task abandonment. Ongoing monitoring should be part of business-as-usual processes and a detailed review part of regular service evaluation.
- Service upgrades appropriately communicated with users.
  Best practice approaches.
  - Develop an iterative communication plan for how, when and through what channels updates and findings will be shared with users. When writing content, show how users’ feedback informed the actions that have been taken. Highlight key achievements or milestones reached and use real-life stories to demonstrate how users shaped change.
Optional
- Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.

When and how to apply this criterion

When to apply

Apply Criterion 1 during the Discovery phase to gain a deep understanding of your problem, the service’s business case and the policy and strategic landscape.

As government is always evolving, revisit this criterion across the Service Design and Delivery Process to ensure your service remains fit for purpose.

How to apply

Questions for consideration

What problem exists?
What is happening in the policy and service landscape?
What government priorities and initiatives align to the problem space?
What might success look like?

Off

Criterion 2 – Know your user

Criterion requirements

To successfully meet this criterion, agencies will need to:

Understand the service’s users.
Conduct user research.
Test and validate designs.

For existing services, this means agencies should know who the service users are, have a deep understanding of user experiences with the service and how to improve those experiences.

Checklist items:

The current users of the service and their needs are understood.
Best practice approaches:
- Regularly conduct user research to understand who your current users are and why they are accessing your service.
- Make sure you also understand what devices, platforms, or technologies they use to access the service.
Users’ experiences accessing your service and how to improve those experiences are understood.
Best practice approaches:
- Analyse any identified pain points or negative feedback to understand the root cause, make incremental changes based on feedback and test these changes with users to assess their effectiveness.
- Prioritise action on pain points that have the most significant impact on user experience and ensure resources are allocated effectively.

Methods and tools to use:

Interviews, surveys, observation or analytics to gather data on your users' needs, goals, expectations, and behaviours.
existing research from other agencies or sources that are relevant to your service.
past research reports, journey maps or project summaries from historical internal documentation, internal databases, project archives or management systems.
relevant studies or research papers, from academic and industry journals.
professional networks and opportunities to engage with experts and practitioners across the APS to share research findings, reports and insights.

Optional

Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.

Off

Criterion 3 – Leave no one behind

Criterion requirements

To successfully meet this criterion, agencies will need to:

Understand the diversity of your users.
Comply with legislation and standards, including the:
Implement a feedback mechanism.

For existing services, this means that agencies must ensure they understand the diversity of the services’ users, actively manage compliance with relevant legislation and standards as part of service development and ongoing operations, and have a feedback mechanism in place.

Checklist items

The different cohorts that may be impacted by or use the service is understood.
Best practice approaches:
- Expand on the learnings from Criterion 2 of the Digital Service Standard, by conducting targeted and ethical user research with the diverse users of the service. Make sure the service captures and responds to unique circumstances and needs.
- Collect and analyse information about different users to understand the different barriers they might experience when using the service. Eliminate these barriers through design and validate the effectiveness of solutions with real-world users.
- Some types of users are under-represented in research, may be difficult to reach or require different or tailored engagement approaches. If this is the case, collaborate with other agencies, community groups or the private and not-for-profit sector to reach them.
The service is compliant with relevant legislation and standards, including the:
- Disability Discrimination Act 1992
- Latest version of the Web Content Accessibility Guidelines (WCAG)
- Australian Government Style Manual.
A feedback mechanism is in place.
Best practice approaches:
- Provide a user feedback mechanism that supports issue reporting and service improvement suggestions, with timely, transparent responses. Act promptly on feedback and provide timely, transparent responses describing how it’s being actioned. Promote the mechanism through an ongoing, multichannel awareness campaign.

Optional

Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible

Off

Criterion 4 – Connect services

Criterion requirements

To successfully meet this criterion, agencies will need to:

Design for interoperability.
Join up services.

For existing services, this means that agencies should ensure that the service has the capability to support interoperability with other services where possible.

Checklist items

Where possible, the service integrates with other relevant government systems or platforms (if not possible, also mark this as complete):
Best practice approaches:
- Review any obligations against privacy policies and the Privacy Act 1988. If external data is used, make the service interoperable and leverage governments’ open datasets. Support safe, ethical data-sharing practices by using the government’s DATA Scheme.
- Assess the data the agency already collects and whether it can be reused for the service. Where it can be reused, eliminate unnecessary data entry requests and fulfil a ‘tell us once’ approach.
- Thoroughly document the service’s APIs. Where appropriate, open them for other services and third parties to build upon existing government offerings. Align with the API Design Standard to support cross-jurisdictional data sharing, maintain a consistent, reusable vocabulary and support wider API literacy.
- Where appropriate, endeavour to integrate the Australia Government Digital ID System, accredited by the Trusted Digital Identity Framework (TDIF). This will allow users to access the service with a single set of credentials.

Optional

Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible

Off

Criterion 5 – Build trust in design

Criterion requirements

To successfully meet this criterion, agencies will need to:

Adopt transparent data handling.
Implement security measures.
Maintain a reliable service.
Be accountable for the service.

For existing services this means that agencies should have mechanisms in place to manage the transparency, security, reliability and accountability for the service.

Checklist items

Transparent data handling practices for the service are adopted.
Best practice approaches:
- Safeguard user data by adhering to the Australian Privacy Principles and the Privacy Act 1988. Always gets explicit, informed consent before colleting a user’s data and provide a means to update or delete it. Allow users to report inaccurate data and respond with how it has been rectified. Notify all users about their responsibilities to protect their data, such as not sharing their password with others.
- Tell users what information they need before they start a task, and where appropriate, allow them to pause and resume at their own pace.
- Where appropriate, consider how to embed provenance information to help establish and main trust. Resources such as Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era should be consulted.
There are processes in place to ensure ongoing compliance of the service with up-to-date security measures.
Best practice approaches:
- Use the Information Security Manual, the Essential Eight and other resources from the Australian Cyber Security Centre to thoroughly assess the service’s threats, posture and protections. Plan for the requirements and system hardening that will support the service throughout design, build, operation and decommissioning.
There are processes in place to manage reliability of the service for availability and consistency.
Best practice approaches:
- Make the service available, stable and consistent for users in different places and time zones, at different times, on different days. Schedule maintenance for a predictable period of downtime and give notice to users well ahead of time.
There are accountability measures in place for the service to maintain contestability and periodic auditing.
Best practice approaches:
- Offer clear avenues for users to submit complaints, contest decisions or report issues, including security data and cyber concerns. To increase the likelihood of useful feedback, make avenues anonymous by default and identifying by choice wherever possible. To demonstrate that feedback has been addressed or will inform future action, provide users with timely and transparent responses. Responses should be tailored to the feedback.
- Audit the service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep the service fit for purpose.

Optional

Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible:

Off

Criterion 6 – Don’t reinvent the wheel

Criterion requirements

To successfully meet this criterion, agencies will need to:

‘Build once, use many times’.
Design for a common, seamless experience.
Reuse data where possible.

For existing services, this means that agencies should enable the re-use of designs and data where it is possible to do so.

Checklist items

Where possible, components, solutions and/or data, such as forms, content, workflows, APIs, design components or information, are able to be reused in other services (if not possible, also tick this box).
Best practice approaches:
- Share designs with other teams and agencies that are establishing services that could benefit from the work your agency is doing with your service. Similarly, share data, where possible, with other services that require the same data to provide a seamless experience for the users.

Off

Exemption guidance

Exemption eligibility

myGov integration exemptions

Exemption limits

Exemption scenarios

How to apply for an exemption

Criterion requirements

Checklist items

Optional

When to apply

How to apply

Criterion requirements

Checklist items:

Methods and tools to use:

Optional

Criterion requirements

Checklist items

Optional

Criterion requirements

Checklist items

Optional

Criterion requirements

Checklist items

Optional

Criterion requirements

Checklist items

Connect with the digital community