Please see Letter of transmittal

Certification for risk assessments and fraud control plans

Please see Letter of transmittal

Certification of appropriate mechanisms to address fraud

Please see Letter of transmittal, please see Fraud control

Compliance with Section 10

Please see Letter of transmittal

Risk oversight and management

The ABS continued its efforts to overhaul its Risk Management Framework through 2017–18. This renewed engagement with risk leveraged independent advice from external risk experts to set out a new risk action plan to further develop the risk competence of staff and managers and embed fit-for-purpose processes and tools.

Throughout the year, the Executive Board dedicated considerable attention to getting the core settings right. Working with a specialist risk advisor, and the general managers, the Board revised the ABS strategic risks to take account of changes in the external environment and emerging dependencies for continued ABS delivery of quality statistics. These revised strategic risks have been promulgated throughout the ABS and serve as the reference point for operational risk assessments within each division.

The Executive Board has been routinely communicating the importance of improved risk consciousness within the business. A new corporate risk policy team was created in order to ensure that all employees are made aware of good risk management disciplines and have access to best-practice policy and materials to support their efforts to implement risk management as an operational imperative.

The ABS drew on best-practice risk management to deliver the Australian Marriage Law Postal Survey (AMLPS) within an unusually short lead time. By drawing on good risk management principles and independent assurance processes, the AMLPS project managed to deliver rigorous discipline in its assessment, treatment, monitoring and oversight of risk.

While progress has been made this year, the plan to enhance risk management capability within the ABS is not yet complete. Further work on accountability arrangements, risk monitoring, and embedding risk practice down to the program level are continuing. New risk categories and practical tools for implementing risk assessments are being developed to better guide the work of operational managers. A new risk software solution will improve the standardisation of risk terminology and consistency in the documentation of risks and controls. The strengthening of the central repository of risk assessments is also assisting corporate teams to better appreciate enterprise-wide risks that are best addressed through cross-agency treatments.

The ABS Audit Committee has also continued to make risk a central driver of its efforts to assure critical processes in the ABS. Awareness of the very technical nature of ABS operations and the potential for risk to emerge in periods of significant internal and external change while experiencing real resourcing pressures has led the Audit Committee to pay increasing attention to very fundamental aspects of corporate practice including performance measurement, records destruction, and conflict of interest. This independent assurance provides important assistance to the Australian Statistician in the task of overseeing the ABS’s performance. The 2018–19 strategic risks were signed off by the Executive Board in June 2018.

Fraud control

The ABS has a Fraud Control Plan to provide the framework and associated guidance for fraud prevention, detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the ABS and broader government obligations. It is supported by a Fraud Risk Assessment which records identified fraud risks, treatment strategies, responsibilities, dates for implementation and reporting obligations.

The ABS Fraud Control Plan is reviewed and updated two-yearly. The fraud risk assessment is reviewed twice a year or more frequently where the ABS has identified significant changes to fraud risk exposure. The ABS Audit Committee has oversight of ABS fraud control activity.

A Fraud Control Assessment was conducted by an independent assessor in the December– January period. This assessment found that ‘Compared to 2016, the ABS’s residual fraud risk has decreased due to increased oversight of existing controls and the implementation of new controls in key areas’. Nonetheless, changes in the nature of fraud risk mean that the ABS must continue to be alert to the potential for fraud. The Fraud Risk Assessment specifically pointed to the growing use of flexible working arrangements and the risk posed by third parties as aspects of ABS operations that require close attention in future.

Security

Security of information provided to the ABS is key to maintaining the high levels of trust that enable the ABS to operate effectively and fulfil its mission. In May 2017 a new Information Security Branch was formed to provide extra focus on transforming security within the ABS.

All ABS premises are physically secured against unauthorised access. Entry is through electronically controlled access systems, activated by individually coded access cards and monitored by closed circuit television. Areas of the ABS producing particularly sensitive data, such as market sensitive statistics, are subject to further protective security measures.

The ABS computer network has a secure gateway which allows connection to internet services including the ABS website. The secure gateway was established in accordance with Australian Government guidelines and is reviewed bi-annually by an accredited independent assessor. Access to ABS computing systems is based on personal identifiers and strong authentication services. Databases are accessible only by approved users. The computer systems are regularly monitored and usage is audited. There were no unauthorised access incidents into ABS computing systems during 2017–18.

On 9 August 2017, the Treasurer directed the Australian Statistician to undertake a statistical collection from all Australians on the Commonwealth Electoral Roll, as to their views on whether or not the law should be changed to allow same-sex couples to marry. The ABS drew on existing strong security controls and its security personnel, as well as engaged with key departments and agencies including the Australian Electoral Commission (AEC), the Australian Signals Directorate (ASD), the Digital Transformation Agency (DTA), the Australian Security Intelligence Organisation (ASIO) and the Department of the Prime Minister and Cabinet (PM&C) in developing a robust security strategy for the AMLPS process. The ABS contracted Ernst & Young to provide independent assurance on cyber security architecture and processes and seconded senior staff from the ASD and the DTA to ensure implementation of the best cyber security arrangements. The ABS also worked with the Special Adviser to the Prime Minister on Cyber Security, the Australian Federal Police and the Australian Cyber Security Centre. The ABS maintained regular communication with these entities to share intelligence and agree action plans allowing the ABS to respond quickly to issues.

Privacy

As an Australian Government agency, the ABS must comply with the Privacy Act 1988, including the Australian Privacy Principles. These govern the way personal information about any person – including staff, clients and respondents – should be collected, stored, used and disclosed. The ABS’s Privacy Policy is published on the ABS website: link

In 2018 the Australian Government amended the Privacy Act 1988 to further protect the privacy of Australians. The amendments introduced the Privacy Amendment (Notifiable Data Breaches) Act 2017 on 22 February 2018 and the Privacy (Australian Government Agencies– Governance) APP Code 2017 (Privacy Code) on 1 July 2018. There have been no notifiable data breaches since the scheme came into effect (Feb 2018).

The ABS has formally appointed a Privacy Officer and a Privacy Champion as required by the Privacy Code. These persons provide advice on privacy issues and promote a positive privacy culture while also assisting the ABS in meeting the legislative requirements of the Privacy Code, including:

• the development and review of an ABS privacy management plan
• maintaining a personal information holdings register
• advancing agency privacy capability through training and education
• ensuring privacy impact assessments are undertaken as required
• investigating and acting on allegations of misuse or unauthorised disclosures regarding personal information, including reporting notifiable data breaches to the Australian Information Commissioner
• monitoring the external environment to keep up-to-date on privacy issues that could affect ABS operations.

The ABS participated in Privacy Awareness Week in 2017–18 to promote awareness of privacy, including the impending legislative amendments. The ABS has also established an internal privacy community of practice, chaired by the ABS Privacy Officer and participates in cross-government privacy collaboration opportunities. Privacy awareness forms an integral part of the ABS culture.