Search

Embrace contestability: Offer clear avenues for users to submit complaints, including security data and cyber concerns, contest decisions or report issues. 

Wherever possible, make avenues anonymous by default and identifying by choice to grow the likelihood of useful feedback. Provide users with timely and transparent responses, tailored to their feedback, to demonstrate it has been addressed or will inform future action.

Undertake periodic audits: Audit your service, data-handling practices, security incidents and compliance with whole-of-government policies. Use an independent review to test assumptions and identify issues that may be taken for granted. Use these results to improve and keep your service fit for purpose (Criterion 10 ‘Keep it relevant’). 

Apply reuse in decision making: Use the Australian Government Architecture to understand the tools, capabilities, policies and standards for building government services. Identify and document how they are applied in your decision making. 

Apply learnings from predecessors: Reach out to teams and agencies for their experiences and lessons creating similar services and how to apply them to yours. 

Adopt open standards where appropriate: Consider how reuse and open standards can support other services across government. Where appropriate, design and build with them to bring your service to more platforms, improve data sharing capability, prevent vendor lock-in and create familiarity for users.

Review your existing data: Review what data you already collect and how it can be reused in your service. Where appropriate, consider if you can employ safe, ethical data sharing arrangements under the Data Availability and Transparency Act Scheme. Actions to leverage ethical, data-driven decision making can be found in Criteria 5 (‘Build Trust in Design’) and 8 (‘Do No Harm’).

When to apply

Apply Criterion 7 throughout Discovery, Alpha, Beta and Live to identify and manage existing and emergent risks to users.

Adhere to the criterion through the entire life of your service to minimise and, ideally, eliminate negative impacts on users, even if unintentional. 

How to apply

Questions for consideration: 

• are there any adverse or unintended consequences foreseeable? 
• which user rights will be most affected? 
• what data is drawn upon for decision making? 
• how will the findings of your Privacy Impact Assessment be addressed? 
• how is the collection, use and storage of data being made clear to users? 
• how is users’ informed consent being obtained? 

Uphold digital rights: Consider how your service might impact the digital rights of your users. Build with pre-emptive measures in mind (such as net neutrality, access to information without censorship and freedom of online assembly). Identify users facing greater personal risks and ensure they’re provided with the means to access, communicate and contest the service transparently or anonymously. If rights are breached, move quickly to implement changes that prevent future harm. 

Consider flow-on effects: Consider the implications of your service beyond its immediate impacts. Workshop environmental, economic or social impacts and undertake scenario planning to explore unforeseen issues and opportunities.

Undertake a Privacy Impact Assessment: Undertake a Privacy Impact Assessment to capture issues. Mitigate unwarranted and unauthorised surveillance, data collection and malicious data breaches, and share these actions with users.

Obtain consent: Where required, seek and obtain informed consent from users prior to collecting, storing or disclosing any of their data. Consider opt-out options and build your service to require as little user data as possible. 

Be transparent: Communicate how data your service will be used or may be used in the future at the time of consent. This includes how it may be shared with other people or between services and secondary or less obvious uses. 

Use data ethically: Data should only be collected and used for the stated purpose that the user agrees to. Account for how data models, datasets and algorithms may produce discriminatory results and provide transparent detail to users on how decisions and calculations are made. Before sharing data, apply the DATA Scheme’s Data Sharing Principles to help assess whether it would be safe to do so.  

Use qualitative and quantitative data: Quantitative (numeric, measurable; metrics) data helps us understand what is happening on a service, while it takes qualitative (descriptive, observable; user observation) data will help us understand why. Use both to fully understand the story and match any correlation with a provable causation before making important decisions.