From time to time the State Services Commission (SSC) will contract with an individual or an organisation to carry out research using unit record data from the Human Resource Capability Survey (HRC). These guidelines set out the principles that the Commission expects an agency to follow to implement a secure environment for unit record statistical datasets supplied by the SSC for use on an agency's own site.
Off-site access to unit record data will only be granted to individuals or agencies carrying out work on behalf of the SSC. People carrying out research for other purposes will not be granted access to the unit record data. On-site access is preferred to off-site access, and contractors or employees are expected to provide sound reasons why they cannot use the data at the SSC.
Only authorised staff may access unit record datasets. Authorised staff are those:
- whose names are advised to the SSC as requiring access
- who understand their obligations in respect of confidentiality as set out in the Access and Security Protocols for the Human Resource Capability Survey
- who have signed the confidentiality agreement contained in these protocols.
Agencies must take all reasonable steps to provide a safe environment for unit record datasets for the period of the contract. A safe environment means one in which:
- a deliberate attempt by an unauthorised person (whether external or internal) is extremely unlikely to succeed
- unintentional access by an unauthorised person is unlikely
- unnecessary access by systems staff, who may have the ability to access a dataset but not the need, is controlled.
The minimum requirements for access to unit record datasets off site are:
- Data are only stored on local drives, not on shared networks where they could be accessed by unauthorised users or included in routine backups.
- All copies of the unit record dataset are returned to the SSC upon completion of the contract or are destroyed.
- The published results of any research carried out by a contractor must not divulge any more information than the State Services Commission would publish and must comply with the reporting conventions outlined in the Access and Security Protocols for the Human Resource Capability Survey.
Examples of appropriate security measures are:
- password protection with passwords changing regularly
- encrypted storage
- secure PCs, standalone networks
- code of practice for operations staff
- internal authorisation process for access
- internal confidentiality checking process