Coding Service security

WoAG Occupation Coding Service User Guide

Coding Service system security controls.

Released
30/06/2025

The WoAG Occupation Coding Service and API have been security assessed by an independent registered assessor within the Australian Signals Directorate (ASD) Information Security Registered Assessors Program (IRAP). This assessment found that the Coding Service and API met the control and security objectives defined in the Australian Government Information Security Manual (ISM).

Agencies may need to sign off in-house on using an external API, for business, legal, or security reasons. They may also need to check on their own behalf that the API response is from the address they sent the request to.

The following security controls, drawn from the ISM, are included to assist partner agencies in assessing their risks when using this service.

Control name | System security controls
Cryptography
  • Data is encrypted in transit to and from the API. All APIs created with Amazon API Gateway expose HTTPS endpoints only. API Gateway does not support unencrypted (HTTP) endpoints.
  • API Gateway has been configured to choose a minimum Transport Layer Security (TLS) protocol version of TLS 1.2.
  • Data is encrypted at rest if it is to be stored by the request action; only file-based batch requests require the storage of request data. KMS Keys will be created for each environment and applied to data (or metadata) storage components e.g., S3 buckets, DynamoDB tables. 
Data transfers
  • Bulk data transfers only occur for asynchronous requests. This occurs through the AWS WAF and the AWS ABS Gateway.
  • Data transferred as part of an asynchronous request is scanned.
  • Resources involved in the coding of file-based requests (e.g. Lambda, SageMaker) are able to read data from bucket(s) containing post-scanned/validated data, not raw ingress data, and are only able to write to a specific egress bucket.
  • For file-based batch coding, consumers are provided S3 pre-signed URLs for data file ingress and egress. This aligns with ISM cryptographic control requirements (ISMF 1123–1126), access control measures for external interfaces (ISMF 1295–1300), and secure transmission/storage of sensitive data (ISMF 1352–1354).
  • These URLs are configured with expiration times aligned with the time required to perform a coding request. This is a dynamic value and is configured based on performance data from implemented models.
  • Data stored in service of file-based batch coding (e.g. ingressed request data and egressed coded response data) is configured for automated expiry (deletion). Minimal expiry time is configured based on the time required to perform a coding request, pending performance data from implemented models. 
Data sovereignty
  • No data will be stored or processed outside Australia.
  • Services will never failover to services outside of Australia.
Machine Learning (ML)
  • There is no external connection (outside of the dedicated ABS accounts) or other ML reference used in the WoAG Coding Service or in the training of the ML models.
  • Only isolated instances of Machine Learning within ABS-owned secure AWS accounts are used to train the models that underpin the Coding Service.
  • While the ABS is exploring the use of DistilBERT Large Language Models (LLMs) combined with Census data to train coder models, only more traditional ML models such as Hierarchical Support Vector Machine (HSVM) models, trained only using Census data, will be used in the external service.
  • Only specific response text, separated from all other response data, is used to create the ML models and in the Coding Service.
  • The service can only respond with the classification codes and labels defined in the relevant classification standard and version, unless a record identifier is also provided by the user. In this instance, the record identifier is returned to the user with the data.
  • The application of the models used in the Coding Service, and all data passed through the coders, remains within the ABS secure accounts at all times. No user data is stored or retained. User data is temporarily stored within ABS secure accounts while being processed, and then deleted.
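
A consumer-side check for the pre-signed URLs described under "Data transfers", as an added example that is not part of the original guide or the ABS's own code: before uploading a batch file, confirm the URL is HTTPS, points at the expected S3 host, and has enough of its expiry window left. The bucket name, object key, signature, region host and the five-minute margin are constructed assumptions; X-Amz-Date and X-Amz-Expires are the standard AWS Signature Version 4 query parameters.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: placeholder bucket, key and signature; the S3 host is an assumption.
SAMPLE_URL = (
    "https://example-ingress-bucket.s3.ap-southeast-2.amazonaws.com/batch/request.csv"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250630T010000Z"
    "&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER"
)
ALLOWED_HOSTS = ("s3.ap-southeast-2.amazonaws.com",)  # assumption: agreed with the provider


def check_presigned_url(url, now, allowed_hosts=ALLOWED_HOSTS,
                        min_remaining=timedelta(minutes=5)):
    """Return (ok, reason, expires_at) for a SigV4 pre-signed URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https", None
    host = (parts.hostname or "").lower()
    # Accept the exact host or a subdomain of it (virtual-hosted bucket),
    # never a plain substring or prefix match.
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        return False, "unexpected host", None
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    try:
        signed_at = datetime.strptime(
            query["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(query["x-amz-expires"]))
    except (KeyError, ValueError):
        return False, "missing or malformed expiry parameters", None
    expires_at = signed_at + lifetime
    if now >= expires_at:
        return False, "expired", expires_at
    if expires_at - now < min_remaining:
        return False, "too little time left", expires_at
    return True, "ok", expires_at


if __name__ == "__main__":
    # Constructed clock value so the sample is reproducible offline.
    sample_now = datetime(2025, 6, 30, 1, 5, tzinfo=timezone.utc)
    print(check_presigned_url(SAMPLE_URL, sample_now))
```

The check only reads the URL; the signature itself is verified by S3 when the request is made.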