Noting Paper 330 - UNSW Reports

[CDR-API-Stream]

In 2022, the Data Standards Chair (Chair) commissioned the University of New South Wales (UNSW) to provide two reports to him about cyber security issues related to the CDR and, in particular, the Data Standards:

• Considerations for Managing Cyber Threats to the Consumer Data Standards _A Report to the Data Standards Chair PUBLIC version
• Risk Management for the Consumer Data Standards: A Report to the Data Standards Chair PUBLIC version

The scope of both papers was developed in early 2022 through consultation with Treasury, the OAIC and the ACCC.
The final Cyber Threats report was accepted and circulated to CDR agencies in October 2022; and was used extensively in consideration of the public data breaches occurring at the time, and the CDR’s cyber security posture. The final Risk report was accepted in May 2023, after minor edits. The Chair thanks the UNSW team for their expertise and work that has progressed the CDR’s understanding and mitigation of key risks.

In reading the reports, it should be noted that they were drafted based on information then publicly available in 2022. This means UNSW was not provided with Treasury’s Risk Management Framework, which is now currently being used. Additionally, UNSW’s analysis was conducted under a prior version of the Commonwealth’s Risk Management Policy.

Since undertaking this work, the Treasury has undertaken a consultation on screen scraping policy and regulatory implications which sought to compare data accessed through screen scraping with the CDR. UNSW was not asked to compare or contrast the risks of screen-scraping against the CDR and consequently, these reports should not be considered as an evaluation of the CDR; nor an assessment of respective pros or cons of either policy setting.

Noting Paper 330 UNSW Reports

[CDR-API-Stream]

The UNSW Reports have been published and can be found in the original post.

A video summarising the Reports can be found here.