The Department uses a network of Contracted Employment Service Providers (Providers) to deliver its programmes. To support this, Providers access various Department IT systems which also support programmes administered by other government departments. Providers may also develop their own systems or use accredited employment systems developed by third party vendors.
Assurance of employment systems is required where:
- a third party IT system interoperates in any way with any of the Department’s systems
- a Provider has a Deed with any government body that stipulates the Provider is to only use third party employment systems accredited by the Department, whether or not the Department is a party to the Deed.
Accreditation provides assurance that there are safeguards to protect programme data and information.
Providers – Use of an Accredited TPES
Any Provider choosing to use a Third Party Employment System (TPES) has a responsibility under their Deed to ensure the system is secure before using it to process or store data relating to the delivery of government programmes.
Any intention to change an accredited TPES must be explicitly authorised by the Department.
Accreditation provides the Department with assurance that each system has adequate safeguards to protect programme data and information. Accreditation is for the benefit of the Department, and is not a warranty that a TPES is fit for its intended use or for a Provider’s specific business processes.
To reduce Provider costs, the Department works directly with TPES vendors to assess and accredit their systems. This also makes it quicker and easier for Providers wishing to purchase or change TPES. Alternatively, the Department provides secure in-house IT systems that can be used as-is by Providers to meet their obligations under their deeds.
Accreditation of a TPES is valid for up to two years from the date granted. Unless otherwise advised by the Department, systems must be reaccredited before the accreditation’s expiry date in order to ensure continuity of use.
What third party IT systems are accredited?
The Department only accredits TPES, not vendors, and does not recommend the use of any particular TPES.
Systems are accredited for functionality from the date of accreditation, but any changes to system design or functionality require re-accreditation by the Department.
Any functionality added after the accreditation date is not accredited for use without re-accreditation or partial re-accreditation. If a system has undergone a partial re-accreditation, then the most recent partial re-accreditation date will be listed.
The current re-accreditation process began during October 2018, and expiry has been extended to 30 June 2019. There will be no further extensions beyond 30 June 2019.
The accreditation status of the third party employment systems is outlined in the table below.
|Accredited Third Party Provider||Accreditation Status||Accredited System||Notes||Accreditation Expiry|
|Hivetec||Provisional Accreditation||Bridge, Analytics||-||30/6/2019|
|KV Interactive||Provisional Accreditation||JDE-MAX||-||30/6/2019|
|SoNET Systems||Provisional Accreditation||iCase||-||30/6/2019|
|Leading Directions||Provisional Accreditation||BuddyNote, Performance Reports||DES Only||-|
|Be Software||Not Accredited||Iignite||-||Expired|
- Systems (with explicitly assessed functionality) accredited for use by Providers.
- Use of accredited systems does not ensure a system is fit-for-purpose, suits business processes, or meets Provider obligations to protect programme data.
- The Department will not endorse a move from a fully accredited third party employment system to another system with less advanced accreditation or reaccreditation.
- Systems which have already met specific requirements and are being actively assessed for full accreditation or reaccreditation.
- Provisionally accredited systems may be used by existing users only (limited to functionality already in use).
- New users or the use of increased functionality is not authorised.
Provisional Plus Accreditation
- The Department has limited assurance the third party employment system has safeguards to protect programme data, and the Department considers the risk acceptable.
- Providers will generally be able to start using this third party employment system, subject to endorsement by the Department.
- Limited Accreditation systems are NOT on track for accreditation or reaccreditation.
- New users or increased functionality use is unauthorised.
- Existing users may continue to use their existing systems where they are limited to accredited functionality only.
- Accreditation will expire if the third party employment system vendor:
- withdraws their product and no longer requires accreditation
- will not be seeking reaccreditation for their product
- has not made sufficient, timely progress with reaccreditation to assure the Department that security risks are managed.
- Existing users of expired systems must implement their transition plans and cease using the system as soon as possible. Providers requiring more than 30 days must contact the Department.
- New use is not permitted.
Third Party Employment Systems - Vendors
Third party employment systems handling information or data relating to programmes delivered by the Department must gain and maintain accreditation prior to use.
Third party employment system vendors who are unsure whether their systems require accreditation should contact the Security Compliance Support mailbox with the following information:
- Outline of the system and services offered.
- The nature of how these systems are delivered, e.g. software as a service (SaaS), cloud service, contracted outsourcing.
- How this system assists Providers to deliver Australian Government Programmes, and which programmes.
- An overview of system design and access, e.g. basic architecture, data centre locations, access, authentication, admin staff locations.
- How the third party employment systems are intended to inter-operate with the Department’s system, e.g. daily bulk download and upload of data, real-time via screen scraping, real-time via APIs.
- Any existing IT Security certification or accreditations held.
- The Providers considering your product, and the programmes they are to be used for.