Search

Criterion requirements

To successfully meet this criterion, agencies will need to:

1. Design for interoperability.
2. Join up services.

For existing services, this means that agencies should ensure that the service has the capability to support interoperability with other services where possible.

Checklist items

• Where possible, the service integrates with other relevant government systems or platforms (if not possible, also mark this as complete):

  Best practice approaches:

  • Review any obligations against privacy policies and the Privacy Act 1988. If external data is used, make the service interoperable and leverage governments’ open datasets. Support safe, ethical data-sharing practices by using the government’s DATA Scheme.
  • Assess the data the agency already collects and whether it can be reused for the service. Where it can be reused, eliminate unnecessary data entry requests and fulfil a ‘tell us once’ approach.
  • Thoroughly document the service’s APIs. Where appropriate, open them for other services and third parties to build upon existing government offerings. Align with the API Design Standard to support cross-jurisdictional data sharing, maintain a consistent, reusable vocabulary and support wider API literacy.
  • Where appropriate, endeavour to integrate the Australia Government Digital ID System, accredited by the Trusted Digital Identity Framework (TDIF). This will allow users to access the service with a single set of credentials.

Optional

• Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible

Criterion requirements

To successfully meet this criterion, agencies will need to:

1. Adopt transparent data handling.
2. Implement security measures.
3. Maintain a reliable service.
4. Be accountable for the service.

For existing services this means that agencies should have mechanisms in place to manage the transparency, security, reliability and accountability for the service.

Checklist items

• Transparent data handling practices for the service are adopted.

  Best practice approaches:

  • Safeguard user data by adhering to the Australian Privacy Principles and the Privacy Act 1988. Always gets explicit, informed consent before colleting a user’s data and provide a means to update or delete it. Allow users to report inaccurate data and respond with how it has been rectified. Notify all users about their responsibilities to protect their data, such as not sharing their password with others.
  • Tell users what information they need before they start a task, and where appropriate, allow them to pause and resume at their own pace.
  • Where appropriate, consider how to embed provenance information to help establish and main trust. Resources such as Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era should be consulted.
     

• There are processes in place to ensure ongoing compliance of the service with up-to-date security measures.

  Best practice approaches:

  • Use the Information Security Manual, the Essential Eight and other resources from the Australian Cyber Security Centre to thoroughly assess the service’s threats, posture and protections. Plan for the requirements and system hardening that will support the service throughout design, build, operation and decommissioning. 
     

• There are processes in place to manage reliability of the service for availability and consistency.

  Best practice approaches:

  • Make the service available, stable and consistent for users in different places and time zones, at different times, on different days. Schedule maintenance for a predictable period of downtime and give notice to users well ahead of time.
     

• There are accountability measures in place for the service to maintain contestability and periodic auditing.

  Best practice approaches:

  • Offer clear avenues for users to submit complaints, contest decisions or report issues, including security data and cyber concerns. To increase the likelihood of useful feedback, make avenues anonymous by default and identifying by choice wherever possible. To demonstrate that feedback has been addressed or will inform future action, provide users with timely and transparent responses. Responses should be tailored to the feedback.
  • Audit the service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep the service fit for purpose.

Optional

• Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible:

Criterion requirements

To successfully meet this criterion, agencies will need to:

1. ‘Build once, use many times’.
2. Design for a common, seamless experience.
3. Reuse data where possible.

For existing services, this means that agencies should enable the re-use of designs and data where it is possible to do so.

Checklist items

• Where possible, components, solutions and/or data, such as forms, content, workflows, APIs, design components or information, are able to be reused in other services (if not possible, also tick this box).

  Best practice approaches:

  • Share designs with other teams and agencies that are establishing services that could benefit from the work your agency is doing with your service. Similarly, share data, where possible, with other services that require the same data to provide a seamless experience for the users.  

Criterion requirements

To successfully meet this criterion, agencies will need to:

1. Protect users’ digital rights.
2. Understand privacy impacts.
3. Understand the limits of data.

For existing services, this means that agencies must have mechanisms in place to protect users’ digital rights and understand the privacy impacts of the services and the limits of data.

Checklist items 

• The digital rights of users are protected.

  Best practice approaches:

  • Consider how the service might impact the digital rights of users. Identify users facing greater personal risks and make sure they’re provided with the means to access, communicate and contest the service transparently or anonymously. If rights are breached, move quickly to implement changes that prevent future harm.
  • Consider the implications of the service beyond its immediate impacts. Workshop environmental, economic or social impacts and undertake scenario planning to explore unforeseen issues and opportunities. 
     

• The services’ privacy impacts are understood and appropriately responded to.

  Best practice approaches:

  • Undertake regular Privacy Impact Assessments to capture issues. Mitigate unwarranted and unauthorised surveillance, data collection and malicious data breaches and share these actions with users.
  • Where required, seek and obtain informed consent from users prior to collecting, storing or disclosing any of their data. Consider opt-out options and ensure the service requires as little user data as possible.
  • Communicate how data will be used or may be used in the future at the time of consent. This includes how it may be shared with other people or between services and secondary or less obvious uses.
     

• The limits of data that is collected and / or used by the service is understood.

  Best practice approaches:

  • Data should only be collected and used for the stated purpose that the user agrees to. Account for how data models, datasets and algorithms may produce discriminatory results and provide transparent detail to users on how decisions and calculations are made. Before sharing data, apply the DATA Scheme’s Data Sharing Principles to help assess whether it would be safe to do so.
  • Quantitative data, which is numeric or measurable, helps us understand what is happening on a service. Qualitative data, which is descriptive or observable, helps us understand why. Use both to fully understand the story and match any correlation with a provable causation. Do this before making important decisions.

Optional

• Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.

Criterion requirements

To successfully meet this criterion, agencies will need to:

1. Follow guidance on critical and emerging technologies.
2. Maintain interoperability in the face of new technology.
3. Track adoption of new technology.

For existing services, this means that agencies must demonstrate that they have adopted emerging technologies only when there is an inherent benefit, maintain interoperability where relevant, and have implemented measures to monitor for changes relating to critical and emerging technologies that may impact the service.

Checklist items

• There are processes in place to monitor and implement guidance for critical and emerging technologies for the service.

  Best practice approaches:

  • Stay current, technology can advance at a staggering pace. If available, refer to government guidance on risks, opportunities and developments for up-to-date advice on critical or emerging technology that may impact the service.
  • Regularly check the Australian Government Architecture: Follow published guidance in the Australian Government Architecture for the adoption of critical and emerging technologies.
     

• There are processes in place to maintain the interoperability of the service in the face of new technology.

  Best practice approaches:

  • Consider if new technologies will impact the service’s interoperability. Plan for its introduction or implementation in partnership with other affected agencies to prevent further divergence or disconnection.
  • Undertake an assessment of the preparedness for new technologies. Consider the resources and training for a new technology that will be required by the agency and team.
     

• There are processes in place to track adoption of new technology.

  Best practice approaches:

  • Prior to implementing a new technology, determine whether it aligns with the clear intent of the service and whether it risks leaving certain types of users behind. If implemented, monitor how users respond to the new technology and respond to any accessibility or usability concerns.

Optional

• Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.

Criterion requirements 

To successfully meet this criterion, agencies will need to: 

1. Establish a baseline for the service.
2. Identify the right performance indicators.
3. Measure, report and improve according to strategies.

For existing services, this means that agencies must demonstrate that there is continuous monitoring and measurement of services to ensure they operate smoothly, remain secure and cater for users’ evolving needs.

Checklist items

• There is an established performance baseline for the service.

  Best practice approaches:

  • Determine the current state by identifying and reviewing existing metrics for the service. Use this as a yardstick to measure progress.
  • Compare the service to similar services or existing standards to identify areas of improvement. Seek out best practices of similar and well-performing services to consider if they can be adopted.
     

• Appropriate performance indicators have been identified for the service.

  Best practice approaches:

  • Use metrics that accurately capture the service’s ability to deliver the outcomes that users expect. These might include adherence to design standards and privacy legislation, site/app performance, security benchmarks or tasks completed by users.
     

• The service is measured, reported against and improved according to strategies.

  Best practice approaches:

  • Make sure the service meets the Data and Digital Government Strategy and consider how information collected and reported could improve the service in line with the Strategy’s implementation plan. All digital and ICT-enabled investment proposals must define their purpose, outcomes and methods for measuring, monitoring and optimising them. Find out more in the Benefits Management Policy.

Optional

• Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.

Criterion requirements 

To successfully meet this criterion, agencies will need to:

1. Improve the service across its life.
2. Schedule regular assessments.
3. Communicate service upgrades.

For existing services, this means that agencies must seek to continuously improve their services, schedule regular assessments and communicate service upgrades.

Checklist items

• There are mechanisms in place to make improvements to the service across its life.

  Best practice approaches:

  • Increase people’s use of the service by continuously optimising performance, enhancing security, introducing relevant features, addressing bugs and increasing compatibility. Use metrics identified in Criterion 9 (‘Monitor your service’) to reveal the biggest opportunities for impact and ground improvements in evidence. Provide ongoing training and materials for staff to support change.
     

• Regular assessments are scheduled to review the performance and experience of the service over time.

  Best practice approaches.

  • Define the goals and scope of the assessment then observe performance and experience over time. Performance metrics might include load times, responsiveness or bottlenecks. Experience metrics might include entry/exit points, dwell time or task abandonment. Ongoing monitoring should be part of business-as-usual processes and a detailed review part of regular service evaluation.
     

• Service upgrades appropriately communicated with users.

  Best practice approaches.

  • Develop an iterative communication plan for how, when and through what channels updates and findings will be shared with users. When writing content, show how users’ feedback informed the actions that have been taken. Highlight key achievements or milestones reached and use real-life stories to demonstrate how users shaped change.
     

Optional

• Describe how the digital service complies with this criterion, referencing best practice approaches deployed where possible.

Be outcomes focused: Consider what problems your service needs to solve and why they are important. Share your early-stage assumptions, gather diverse perspectives from stakeholders and take advantage of pre-existing data and resources. Clearly state the risks of action and inaction, who might be impacted, potential barriers to success and your knowledge gaps.

Frame the problem: Form a simple, clear problem statement from the evidence that’s already available. Use it as the basis of further research and validation, and to identify the users you need to engage with.

Don’t jump to solutions: Don’t anticipate a technical or design solution before validating the problems you’ve identified. Evaluate the rest of the Standard’s criteria to understand what else could drive the problem. Consider whether a new solution is required or if an existing platform or service might achieve the best outcome.

Align stakeholders to a vision: Engage key stakeholders to establish a shared vision for success. Ensure clear expectations are set for the project and everyone knows why change is necessary.