All Data Users must comply with the data access, storage and handling requirements outlined in section 8 of the AEDC Data Guidelines.
Data will only be released to individuals and/or organisations once a certification form, agreement or application has been signed.
An ‘Authorised Data User’, the individual(s) that completes the AEDC Certification form or AEDC application form, can give access to other individuals within the same organisation (Permitted Data Users) to access the data.
General security guidelines require that:
- computers with AEDC data must be kept in a locked room and be password protected
- data or results stored on a computer network must have access restricted to Authorised Data Users and, where required, Permitted Data Users
- printouts or physical media containing AEDC data must be securely stored in a locked room or filing cabinet when not in use.
For a full list of data security requirements, refer to section 8.3 of the AEDC Data Guidelines.
Maintenance of data security
If it is discovered that the security arrangements for AEDC data are at any time below the standards required in the AEDC Data Guidelines, the Department or AEDC Support will provide a written notice to the Authorised Data User notifying them of this. The Data User will be given 14 days from the notification date to increase the security standards to meet the requirements. If these are not met within the 14 day period, the Department may give notice in writing of the termination of the Data User’s approval immediately.
Data transfer security requirements
When AEDC unit record data is in transit, appropriate security measures must be used to ensure only authorised access occurs. This may include (but is not limited to) use of encryption software.
When AEDC data containing identifying variables is in transit, a record of information exchange, release authorisations and recipient acknowledgements is maintained by AEDC Support to ensure the passage of the data can be tracked through each step.
Reporting adverse events
An adverse event is any unforeseen or unexpected event that results in having negative impacts on key stakeholders of the AEDC, including the AEDC Data Custodian, states and territory governments, as well as the children, teachers and schools that participate in the collection. While adverse events are project-specific, they commonly result in:
- higher than expected probability of risk linked to the research
- higher than expected negative or serious impacts on AEDC children or teachers
- a breach of HREC approval for the project.
While all adverse events are significant, the Department is particularly concerned about events that lead to the re-identification of children, teachers, and schools and/or the disclosure of sensitive information about people and communities.
In the case of an adverse event, the Authorised Data User must investigate the matter and submit an Adverse Event Form to AEDC Support. Any breaches will be referred to the Department's legal and privacy areas for examination and may result in sanctions such as approvals to access AEDC data being revoked.
Secure destruction of data
If required at any time by the Department to do so, Data Users must, without limitation, deliver to the Department or destroy all Documents containing, any URL data (whether identified or unidentified) in their possession, custody, or control. Once carried out, Data Users must provide a signed Secure Data Destruction Form to the Department, stating that this has been completed.