Supporting Health, Education, Social, and Economic Research and Policy in South Australia and the Northern Territory

Delivering high quality linked data for evidence-based research and policy evaluation

Security Protocols at SA NT DataLink

SA NT DataLink’s privacy-protecting information security protocols comply with the:

• South Australian Information Security Management Framework.
• Australian Government ‘Protective Security Policy Framework’.
• Population Health Research Network ‘Information Governance Framework’.
• NHMRC ‘Code for Responsible Conduct of Research’.

SA NT DataLink has been ‘specifically established’ in accordance with best practice and leading data security practice to protect privacy and to be a trusted third party that enables individual records from one or more agencies to be linked together in such a way that no individual can be identified when the data are analysed.

SA NT DataLink provides a ‘privacy protecting data access service’ to make linked information available for:
 - Policy and program analysis and evaluation across a range of human services;
 - Research into the health, education, ageing, social services and well-being outcomes for whole, cohort or large populations in South Australia and nationally.

Security Standards

Security at SA NT DataLink is paramount and is outlined in the following documents and practices.

SA NT DataLink’s Security Manual Overview 

ISO 27001

ISO 27002

SA NT DataLink’s ISO 27001 Certification Project

Other Information Security Standards in the ISO 27000 Family

 

Protecting the privacy of individuals is not possible without protecting and securing the information held by SA NT DataLink on behalf of Data Owners and Data Custodians, who are charged with the responsibility of safeguarding information on citizens in South Australia, the Northern Territory and across Australia. SA NT DataLink receives, stores and links data as authorised by the law and by Data Custodians, in accordance with security policies and practices established by the Australian Government to protect privacy and to ensure that the trust and reputation of SA NT DataLink and the Data Providers are maintained.

Information security practices and protocols are one of the key foundations of SA NT DataLink. In establishing SA NT DataLink and the SA NT Data Linkage Consortium, a number of measures have been taken to address information security, as outlined in SA NT DataLink’s Security Manual Overview. For more detail on the information security protocols and practices at SA NT DataLink, please refer to the Security Manual Overview.

ISO 27001

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-step planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Implement the Information Security Management System.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005.

ISO 27002

ISO 27002 documents a comprehensive set of information security control objectives and a set of generally accepted security controls and good practices that can be audited against under ISO 27001.

ISO 27002 contains 12 main sections:

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

SA NT DataLink’s ISO 27001 Certification Project

In order to demonstrate SA NT DataLink’s security credentials, SA NT DataLink operates an Information Security Management System (ISMS) that includes security awareness and a continual security risk monitoring and improvement program.

In accordance with third-party accredited certification, SA NT DataLink is required to demonstrate the application of information security controls in line with operational activities and the identified risks. The project will ensure SA NT DataLink's policies, processes and operational procedures address key business risks and business impacts through the pragmatic implementation of the security controls outlined in ISO 27001.

Other Information Security Standard Documentation in the ISO 27000 Family

  • 27003 – implementation guidance.
  • 27004 – an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
  • 27005 – an information security risk management standard. (Published in 2008)
  • 27006 – a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
  • 27007 – ISMS auditing guideline.

Source: searchsecurity.techtarget.co.uk/sDefinition/0,,sid180_gci1351765,00.html