Data storage and record retention
Data provided and created for this study are stored in accordance with AIHW information security protocols. No third parties (including DVA) have access to any identified linked data. Any data provided to DVA by the AIHW are in aggregated and de-identified form and stored in accordance with DVA’s security processes and procedures.
Data stored and analysed at the AIHW are protected under the Privacy Act 1988 and the Australian Institute of Health and Welfare Act 1987. The AIHW is subject to the Public Service Act 1999 and the APS Code of Conduct. It has also issued formal Guidelines for the Custody of Institute Data as a further measure to ensure data protection.
The AIHW performs data linkage projects on a separate secure private network to which only Data Integration Services Centre (DISC) staff and the Systems Manager have access. Dedicated DISC infrastructure capabilities replicate the hardware already used with success on other large data integration projects across the AIHW. This environment is separate from any other AIHW systems. The AIHW connects, through the Intra Government Communications Network, to an Internet gateway provider accredited by the Australian Signals Directorate. The AIHW’s Internet gateway is certified to the PROTECTED level. DISC projects are undertaken on a separate secure network not connected to the Internet.
The AIHW uses best practice technology, procedures and policies to protect its information and communication technology assets. A layered system of security is in place, with different technologies and techniques used at different levels. In line with the Australian Government Protective Security Policy Framework:
- passwords are changed regularly
- accounts are locked out after 3 failed attempts
- Operating System patching of desktops, networking equipment and servers is done in line with Australian Signals Directorate guidelines
- application software updates are tested and applied as soon as practical after release
- access to the data centre is controlled by swipe card
- the network has a state-of-the-art firewall to protect against external intrusion, beyond which the accredited gateway maintains its own firewalls
- anti-virus software is constantly updated
- regular backups are taken, including rotation to a secure off-site storage facility
- desktops have been hardened to prevent users from installing software or tampering with the system.
These security measures are backed up by an auditing regime, based around tightly controlled separate information domains (staging, linking, and consolidation domains) that exist for each stage of creating the project data. Each project in each information domain is in a separate storage location, with access limited by user (different users in different information domains for separation requirements).
This architecture determines who can access what data at any time, so access is predetermined and logged. Work logs recording basic user identity and date/time information are generated whenever code is run against these data and are stored as part of the audit trail.
In summary, access is provided to individuals for each stage of a project. This allows the AIHW to determine and log all access rights to the data throughout the process. At the completion of the project, and in line with the data retention date, the AIHW uses Delete (Microsoft) to remove all files relating to a project from the hard disk. In line with DISC data retention/backup cycle procedures, data are overwritten on a 4-weekly cycle. Data are encrypted as part of the archival process using Commvault.