Aboriginal Participation Portal

The Aboriginal Participation Portal gathers information on the effectiveness of the Aboriginal Procurement Policy (APP) and the Aboriginal Participation in Construction (APIC) Policy.

The portal collects NSW Government supplier reporting to:

  • increase accountability and transparency
  • enhance decision-making to inform future directions
  • help with contract management
  • increase accessibility.

The information collected in the portal have been determined by the APP and the APIC policies and NSW Government priorities. The portal has features to reduce suppliers' administrative burden of adding the information required, such as field automation, drop down boxes and bulk uploads.

Portal user guides

Download the user guide for agencies (PDF, 500KB).

Download the user guide for suppliers (PDF, 553KB).


Aboriginal Participation Plans are part of the tender response and approved by the contracting agency. The requirements of the approved plan must be entered in the portal and reported against, monthly or quarterly as required by the policies.

A final Aboriginal Participation Report must be provided by suppliers through the portal at the completion of the contract and identify if Aboriginal participation requirements were met.

Safeguards are in place for careful and diligent protection of the dataset including special access controls that protect confidentiality.

The Aboriginal Participation Portal Data Protection Framework

OneGov is an e-Government platform supporting NSW Government’s commitment to provide simpler services to the people of NSW. It is used by several NSW Departments through a Software-as-a-Service (SaaS) model and other services.

The framework is part of OneGov’s social license to operate as a trusted-user of government data. It provides an overview of the intelligent wrap around safeguards in place for the careful, diligent and rigorous protection of the data, especially sensitive data, and the assets we create.

The framework communicates the protections that enable OneGov to ensure the highest standard of behaviour and the best dynamics and environment.

The framework is informed by principles in safe and secure data management and analytics that were developed in New Zealand, the United Kingdom and the European Union. The framework also accommodates Australian Commonwealth and State legislation and regulations. The seven protections in the Framework are:

  • Project Protections
  • Safe & Secure Management 
  • Compliance with Legislation & Policy
  • Identity Is Protected
  • Safe Output
  • Screened & Trained Personnel
  • In the Public Interest

Project Protections
Privacy and data protections are key considerations at each stage of the design and development of a dataset and throughout its lifecycle.

Privacy Impact Assessments are conducted as required.

Decisions about protections
Decisions about protections are based on the probability of identification and

  • risk of injury (physical, psychological, social, economic or legal harms; devaluation of personal worth; discrimination and social stigmatisation, and findings of previously unknown paternity status).
  • public expectation
    The growth of digitisation and increasing acceptance and reliance on it for faster, cheaper, real time, more convenient and individually tailored services is correlated with increasing public interest in privacy and the protection of personal data. In safeguarding, and releasing and sharing data consideration is given to public expectations about:
    • an individual’s control over their personal data
    • transparency—what data is being shared, with whom, how, and why
    • understanding the purposes and benefits of opening and sharing data
    • security of personal data and enforceable safeguards i.e. penalties for breaches (legal remedies and fines)
    • trust in the organisations holding, releasing and sharing data, their competence in looking after it, ethical boundaries, processes and controls
    • specific rights of access, deletion and portable personal data.
  • public interest (public interest concerns under Government Information (Public Access) Act 2009 (NSW) s12-15 which are threats (to responsible and effective government; law enforcement and security; business interests of agencies, and other persons; environment, culture, economy and general matters; secrecy provisions and exempt documents under interstate Freedom of Information legislation). Where there are potential threats to privacy completing an Identifying Privacy Issues early Checklist and/or privacy impact assessment may be required.

Protections for the Aboriginal Participation Portal
Contracting agencies and suppliers enter data into the portal as part of their reporting requirements under the Aboriginal Procurement Policy for goods and services and the Aboriginal Participation in Construction policy.
In addition to the data protections outlined above, there are specific protections on data gathered through the Aboriginal Participation Portal:

  • Access to the dataset will be controlled, and considered on a case-by-case basis.
  • The dataset may be publicly released without personally identifying information.
  • Data is provided by suppliers in compliance with their own legislation, policy and protections.

Safe and Secure Management 
Practice guides ensure consistent management that aligns with national and international best practice, as well as industry standards and practices.

NSW Government Policy
All data is managed in accordance with the NSW Digital Information Security Policy 2015, the NSW Information Management Framework which includes classification, labelling and handling of data sets, and ISO/IEC 27001.

ISO 27000 series
ISO/IEC 27001 - an information security standard, part of the ISO/IEC 27000 family of standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee. ISO/IEC JTC 1/SC 27.[2]. ISO/IEC 27001 specifies a management system that brings information security under management control and gives specific requirements. This safeguards data by:

  • Systematically examine information security risks, taking account of the threats, vulnerabilities, and impacts
  • Designing and implementing a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
  • Adopting an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

ISMS controls and practices
Stringent Information Security Management System (ISMS) controls and practices are in place to prevent unauthorised access—permissions-based user and developer access to the Platform, applications, data and solutions. Certification for Payment Card Industry (PCI) Data Security Standards (DSS) compliance is in the final stages. PCI certification ensures the security of data through the installation of firewalls, encryption of data transmissions, the use of anti-virus software, and the restriction and monitoring of access to network resources. Breaches have severe repercussions such as legal remedies, dismissal and fines. The platform implements Network Intrusion protection, Web application Firewall, and Protection against Denial of Service attacks. The environment implements a vulnerability management program that includes regular external and internal penetration testing. Customer data is segregated between agencies, and strict system and process controls are in place to facilitate secure access to data, including the latest authentication and identity verification/management technologies and strategies.

Private Cloud
Services being hosted in a private cloud, operated within the ISO27001 certified Government Data Centres (GovDC). A private cloud is where IT services are provisioned over private IT infrastructure for the dedicated use of a single organization, within the corporate firewall. The private cloud is managed through internal resources.

Commonwealth Privacy Commissioner’s Guidelines on Data Matching in Australian Government Administration
In compliance with this guideline OneGov maintains a comprehensive register of data assets transferred to it, employs specialist Data Stewards to oversee the management and governance of its data sharing activities, and uses Secure File Transfer Protocol and Encrypted Storage Devices. OneGov provides:

  • Enhanced automation of data governance processes within the custom-built platform.
  • Series of Application Programming Interface connections for the transfer of data to the Platform.
  • Regular independent IT audits and security testing of OneGov Platform.
  • Internal/external access and storage of documents is consistent with legal, regulatory and policy requirements.

Compliance with legislation and policy
OneGov works within more than 40 pieces of State legislation and additional Commonwealth legislation (see list below) that have specific protections on all or part of collections.

Government agencies and industries that share data with OneGov must comply with their legal, regulatory and policy obligations. Administrative, civil and criminal remedies apply to breaches.

OneGov works within

NSW legislation

  • Adoption Act 2000
  • Assisted Reproductive Technology Act 2007 
  • Bail Act 2013
  • Biofuel (Ethanol Content) Act 2007
  • Children and Young Persons (Care and Protection) Act 1998
  • Child Protection (Offenders Registration) Act 2000
  • Criminal Records Act 1991
  • Crimes (Administration of Sentences) Act 1999 victims register
  • Crimes (Forensic Procedures) Act 2000
  • Crimes (Sentencing Procedure) Act 1999
  • Criminal Procedure Act 1986
  • Data Sharing (Government Sector) Act 2015
  • Dust Diseases Tribunal Act 1989
  • Education Act 1990
  • Gaming and Liquor Administration Act 2007 
  • Government Information (Public Access) Act 2009
  • Government Information (Information Commissioner Act) 2009
  • Health Records and Information Privacy Act 2002
  • Health Administration Act 1982
  • Health Care Complaints Act 1993
  • Independent Commission Against Corruption Act 1988
  • Judicial Officers Act 1986
  • Jury Act 1977S
  • Local Government Act 1993
  • National Parks and Wildlife Act 1974
  • Privacy and Personal Information Protection Act 1998
  • Parliamentary Budget Officer Act 2010
  • Parliamentary Electorates and Elections Act 1912
  • Passenger Transport Act 1990
  • Public Interest Disclosures Act 1994
  • Police Act 1990
  • Police Integrity Commission Act 1996
  • Police Regulation 2008
  • Public Lotteries Act 1996
  • Threatened Species Conservation Act 1995
  • Royal Commission (Police Service) Act 1994
  • State Records Act 1998
  • Totalizator Act 1997

Commonwealth legislation

  • Anti-Money Laundering and Counter-Terrorism Financing Act 2016
  • Crimes Act 1917
  • Copyright Act 1968
  • Data-matching Program (Assistance and Tax) Act 1990
  • Health Identifiers Act 2010
  • My Health Records Act 2012
  • National Health Act 1953
  • Personal Property Securities Act 2009
  • Privacy Act 1988
  • Telecommunications Act 1997
  • Telecommunications (Interception and Access) Act 1979

Identity is protected

Personally identifying information
Personally identifying information is highly sensitive and treated accordingly. Personally identifying information identifies a specific individual through one or more factors specific to physical, physiological, mental, economic, cultural or social identity. Personally identifying information, is distinct from personal information which identifies a subject as a person.

Wherever possible, the data is used in a de-identified form, which means personal identifying information such as names, exact dates, ages or other unique characteristics are removed from the dataset. Particularly sensitive datasets have additional access restrictions, and may only be accessed by approved individuals.

OneGov ensures that the data held is adequate, relevant and not excessive in relation to the purpose for which it is processed. They also apply proportionate protections for each dataset.

Tests for risk of identification
The risk of identification is tested by:

  • ‘motivated intruder’—whether a reasonably competent motivated person with no specialist skills with access to resources such as the internet and public documents, and making reasonable enquiries to gain more information would be able to identify the data or information.
  • ‘in the round’—assessing whether any entity or member of the public could identify any individual from the data or information being disclosed, either in itself or in combination with other available information or data.

Safe output
To ensure safe output reporting does not contain any personally identifying results. Reports may have controlled release and protected findings where there is sensitive information. Data that is shared with OneGov is used only for the purposes for which it was provided. The NSW Procurement Board owns the dataset and controls the release of data and reports.

Screened and trained personnel
To ensure OneGov personnel use data appropriately and follow procedures all personnel and vendors satisfy reference checks, and Criminal Record before being allowed to work with data. Personnel sign the Code of Conduct and undergo risk and ethics training. Significant penalties exist for breaches of requirements—dismissal, blacklisting, and/or prosecution.

In the public interest
OneGov only undertakes projects that are in the public interest to improve government services and the lives of the people of NSW. Collections must be related to the core business of an agency—its legislation and or policy, and or a government commitment. The acquisition of data is directly related to meeting the purpose of a project. Projects are aligned with NSW Government priorities.