Secure Environment for Analysing Data (SEAD)

The Australian Bureau of Statistics (ABS) developed SEAD to address demand for secure cloud-based data access services across the Australian government. It aims to support government agencies to incorporate the Office of the National Data Commissioner (ONDC) Data Sharing Principles into regular operations, safely manage data sharing and access modern data science tools by leveraging ABS investment and expertise.

The SEAD service is an innovative solution providing a series of secure, self-contained environments known as “SEADpods” within the ABS DataLab’s cloud-based infrastructure. SEADpods operate independently from the DataLab but adhere to the same Safe Settings risk management controls, in line with the Five Safes framework.

The SEAD service enables government agencies engaging this service, referred to as “SEAD partners”, to adopt a SEADpod and inherit exclusive administration of that self-contained environment via self-service features. This allows them to retain full control and management of their data, users, projects and outputs in accordance with their legislative, policy and risk requirements, while the ABS continues to maintain the system's Safe Settings protections.

• Meets Australian government and ‘PROTECTED’ level security standards.
• Can be tailored to the SEAD partner’s business requirements and budget.
• Provides industry leading infrastructure and modern data science tools.
• Aligns with the ABS Data Strategy 2021–22 to 2025 and Australian Data Strategy.
• Rapid to setup and exclusively cost recovered.
• Supports data sharing under arrangements such as the Data Availability and Transparency Act 2022.

The SEAD service does not permit SEAD partners to access ABS data held in the DataLab. To enquire about access to ABS data, please see our other data service offerings. 

Distinguishing itself from the DataLab which services end-users from government and academic sectors, SEAD is designed for use by individual government departments. SEAD enables areas within departments to service their own end-users who may be internal or external to that department and have contemporary analysis requirements.  

SEAD is currently offered to:

• Federal agencies,
• State and territory departments,
• Local government bodies.

The SEAD service can be applied to a variety of use cases. Some of our most common SEAD partner use cases include:

• "We need contemporary analysis tools."
• “Our current solution is too expensive or unstable."
• "We need a proven system setup soon.”
• "We need a secure platform for 3rd party users to engage with our data.”
• “We need an easy way to securely share data in-house.”
• "We don’t have resources to manage software licensing.”
• “We don’t have staff to setup and manage a new system.”

Since its release in June 2022, growing demand and positive feedback from existing SEAD partners demonstrates its position as a valuable addition to the Australian data landscape. Notable mentions of SEAD have occurred in the:

• 2023 United Nations Economic and Social Commission for Asia and the Pacific (UN ESCAP) Expert Meeting on Data Governance,
• 2023 Melbourne Institute Public Economics Forum,
• 2023 Life Course Centre Data for Policy Summit,
• 2023-24 ABS Corporate Plan, 
• 2022-23 ABS Annual Report, 
• 2021-22 Department of Finance Annual Report. 

The ABS has extensive experience in keeping data secure as Australia’s national statistical organisation and as an Accredited Data Service Provider (formally Accredited Integrating Authority). 

The SEAD system is hosted in Microsoft Azure and meets 'PROTECTED' level security standards as prescribed in the Australian Government Information Security Manual (ISM). It is subject to Independent Security Registered Assessors Program (IRAP) certification, ongoing security audits and robust IT security testing and patching. 

The technology underpinning the SEAD system includes:

• Data encryption at rest to mitigate against unauthorised access to microdata.
• Azure Storage Accounts to securely hold individual research products and allow querying from authorised users.
• Cloud servers (including backup servers) hosted exclusively onshore, with access only authorised for use in Australia unless approved by the ABS.
• Closed network virtual machines to provide secure, isolated research spaces for the analysis of microdata.
• Guarded access through multi-factor authentication and workspace segmentation inhibiting data sharing between projects.
• The SEAD Product Storage Account is protected with Microsoft Defender providing threat detection against malicious/unusual behaviour.

The ABS employs the above with a focus on industry standard security posture management to provide a safe and secure platform for policy and program delivery work. 

For more information about SEAD system security or compliance with IRAP, please Contact us.  

The SEAD service enables partners to leverage the existing Safe Settings protections maintained by the ABS. 

Responsibility for upholding the remaining Five Safes controls moves to the SEAD partner, with each element in this context as follows:

Safe Data

- Has appropriate and sufficient protection been applied to the data?

SEAD partners retain the responsibility for the security of their data within their SEADpod, by managing data ingress and egress within their data governance safeguards. SEAD partners must also ensure that appropriate confidentialisation and treatments are applied to any form of data, code or packages before being made accessible to their users.

Safe People 

- Is the researcher authorised to access and use the data appropriately?

SEAD partners oversee user access to their SEADpod, ensuring that only authorised researchers can utilise and interact with their data. SEAD partners are responsible for providing the appropriate people vetting and onboarding processes for access to their SEADpod.

Safe Projects 

- Is the data to be used for an appropriate purpose?

SEAD partners have the autonomy to approve and manage projects within their SEADpod, streamlining their workflow and data analysis. It is the SEAD partner's responsibility to ensure appropriate project governance. 

Safe Outputs 

- Are the statistical results non-disclosive?

SEAD partners are responsible for ensuring all outputs are validated prior to release from the system against organisational tolerances, to ensure appropriate governance and legal obligations are adhered to (e.g., preventing the re-identification of an individual or organisation).

Note: ABS system administrators hold an overarching administrator role but will not view or interact with SEAD partner data or activities unless requested. 

SEAD leverages the underlying systems and resources that support the operation of the DataLab. This ensures that both SEAD and DataLab users have access to the same software and virtual machine offerings outlined below. 

SEAD runs on the Windows operating system and is equipped with the following standard tools:

• LibreOffice 7.5
• Acrobat Reader
• Notepad ++ 8.5.2
• QGIS 3.30
• WinMerge 2.16
• Git 2.40
• Stata MP18
• CUDA 12.1.1
• R 4.1.3. including:
  • RStudio 2023.03
  • RTools 42
• Python 3.9 (Anaconda3 distribution) including:
  • Jupyter Notebook & JupyterLab
  • Spyder
• PostgreSQL 15
• 7Zip

SEAD can also accommodate the following non-standard tools upon request:

• SAS 9.4
• Azure Databricks

All software is licensed, maintained and administered by the ABS through the SEAD service. All data is hosted onshore by Microsoft Azure cloud computing services and accessed through a virtual desktop.   

Note: Microsoft Word and Excel are not currently available, as these applications require an internet connection which is not supported in a secure system like SEAD. Libreoffice is the alternative offered in the system, with similar capabilities to Microsoft Office. Firefox and Edge are available to support access for Databricks and Jupyter notebooks to use Python/R. These browsers cannot be used to browse the internet.

As of July 2023, potential SEAD partners can request a quote to adopt a SEADpod based on the following cost recovered components charged up front:  

Starting from approximately $65,000 per annum, these charges cover information technology and administration support, system development, maintenance and licensing involved in subscribing to the SEAD service.

These charges will vary based on marginal cost of service levels agreed to in a Memorandum of Understanding (MoU).  

Inclusions: 

• Business administration support (including ABS account management, training, reporting and code/package support). 
• Information and Communications Technology (ICT) support (including system security maintenance, feature design, testing, technical support and development). 
• Licensing (including Microsoft Azure, Azure Active Directory and all relevant software), security monitoring and account provisioning. 
• Relevant infrastructure governance measures (Privacy Impact and Information Security Registered Assessor Program (IRAP) assessments). 

Additional charges apply for customised SEAD services. These services may include additional administrative support, data confidentialisation and output clearance, all in accordance with SEAD partner tolerances and instructions. 

Starting from approximately $2,000 per annum, per active Virtual Machine (VM), inclusive of standard software licensing.

An annual cost projection is produced in negotiation with the SEAD partner, based on estimated use. All charges reflect actual data and system usage passed on from Microsoft Azure to the ABS.

Inclusions:  

• Initial account setup. 
• Standard cloud user/administrator account access. 
• Standard project workspace (1TB each) and VM (Large, E8-2s v3, 8 CPU & 64gb Memory). 
• Standard software licensing (R, Python, STATA, LibreOffice etc).

Additional charges apply for non-standard software, such as SAS, Databricks, or other requested software. 

Note: The above charges apply to the SEAD service only; costs cannot be transferred or negotiated with the DataLab service. All charges adhere to the ABS user charging policy, exclude GST and may be subject to periodic review. Inactive VM (unused for over 30 days) and administrator accounts will incur minimal maintenance fees.  

For criteria, refer to Who can access SEAD.

Potential SEAD partners should ensure that their use case aligns with the SEAD services provided, for more information and a summary on how the ABS handle privacy as part of the SEAD service please refer to the SEAD Privacy Impact Assessment.

To register your interest and an initial consultation, please Contact us to discuss your requirements. We encourage potential SEAD partners to have an initial discussion with the ABS to determine if SEAD is the right service for you. 

After an initial consultation, once the ABS receives confirmation to proceed, SEAD partners are requested to complete a system usage and software requirements form which is used to provide a tailored quote. 

The MoU drafting and requirement gathering process will continue, and relevant system specification sharing will also commence. The MoU will outline the terms, conditions and responsibilities for both parties, providing a clear framework for the partnership.

Following the completion of a networking specifications form and confirmation to proceed has been received, the ABS will facilitate setup of the partner SEADpod and initiate a complimentary 30-day trial period. Partner organisations will be required to setup Azure Storage Explorer, via their IT department at this point.

The ABS will assist in initial account setup and provide instruction guides and relevant training on how to use the system. The ABS will also present a live demonstration of SEAD administrator functions to address any outstanding knowledge gaps. 

Note: ABS does not provide any training for users on conducting analysis or modelling within the system itself.

If the SEAD partner's requirements are met following the completion of the trial, the MoU will be finalised. The SEAD partner service will formally commence upon agreement by both parties, and invoicing is paid. 

The ABS will continue to provide ongoing account and system support, licensing and development services as outlined. The SEAD partner takes on the responsibility of administering their SEADpod in accordance with their governance and legislative requirements.  

The ABS will provide a service usage report every 6 months to assist the SEAD partner in managing their costs and usage. 

The ABS privacy policy and SEAD privacy notice outline how the ABS handles any personal information that you provide to us.

The SEAD Privacy Impact Assessment considers the potential privacy impacts on people whose personal information may be used as part of the SEAD service.