Digital Authorisations and workflows

Digital authorisations and workflows improve business efficiency, support end-to-end digital processes and increase the availability of more complete and meaningful information.

Australian Government agencies are required to record business interactions, decisions and authorisations digitally to meet the targets of Principle 2 (Information is managed digitally) of the Digital Continuity 2020 Policy.

The most efficient and effective way to do this is to apply appropriate digital authorisation tools and workflows. The Digital Authorisations Framework can help you choose which tool is best for your agency's business.

Digital Authorisations Framework

The Digital Authorisations Framework (docx 420kb) is a risk-based assessment tool for transforming analogue approval processes into fit-for-purpose digital approvals. It provides Australian Government agencies with a consistent approach for determining appropriate digital approval methods for business processes.

The framework helps to support:

  • end-to-end digital workflows and processes
  • more timely and efficient decision making
  • more complete and meaningful information
  • greater accountability and transparency

What's in the framework?

The framework has three phases:

  • Phase 1: Business process risk assessment
  • Phase 2: Approval requirements
  • Phase 3: Approval implementation

Phase 1: Business process risk assessment

Phase 1 helps to determine the risk level associated with implementing a digital approval for a specific business process. This top-level risk assessment should be carried out on each existing analogue approval process to help determine which other phases need to be completed.

The risk assessment includes five questions to be applied against an existing approval process to determine the level or extent of:

  • expenditure involved
  • authority required
  • external interaction required
  • external scrutiny involved or likely to be involved
  • sensitivity involved.

Depending on the level of risk determined, you will either be directed to complete Phases 2 and 3 for higher risk processes, or Phase 3 for lower risk processes.

You should speak with your agency's risk and/or security advisor regarding higher risk processes to identify any specific requirements that need to be included in a digital approval process.

Refer to the Phase 1 – Business process risk assessment workflow diagram (pdf 235kb) for an overview of the assessment process.

Phase 2: Approval requirements

Phase 2 includes questions and guidance to help determine an appropriate digital approval method. If completing Phase 2 is recommended, you will answer questions divided into four modules to identify and resolve potential issues associated with implementing a digital approval method.

The modules are:

  • Stakeholder identification and agreement
  • Security and Access
  • Business requirements
  • Information Management

Module 1: Stakeholder identification and agreement

Module 1 ensures all stakeholders involved in the approval process can be identified and all parties agree to complete the approval digitally.

The questions in this module will help determine compliance with relevant obligations under the Electronic Transactions Act 1999.

Module 2: Security and access

Module 2 considers the level of security and access needed for the digital approval process based on the security classification of the information, its value and the risks associated with it.

The questions in Module 2 should be used in conjunction with your agency's information governance policies and procedures to determine appropriate controls for the approval process. The requirements of the Australian Government's Information Security Manual and the Protective Security Policy Framework should also be considered.

Module 3: Business requirements

Module 3 helps ensure the digital approval process is fit for purpose and meets the requirements of the business area(s) involved, including the applicable stakeholders.

Module 4: Information management

Module 4 helps ensure the approval and associated information and metadata can be accountably managed and accessed for as long as required, and incorporated into existing information governance practices. You should liaise with your agency's information management area to complete this module.

Refer to the Phase 2 – Approval requirements diagrams (pdf 250kb) for an overview of this phase, or to the Phase 2 – Approval requirements checklist (pdf 692kb).

Phase 3: Approval implementation

Phase 3 consists of two questions and supporting guidance to help determine and implement the most appropriate digital approval method, based on the results of your assessments in Phases 1 and 2.

Refer to the Phase 3 – Approval implementation workflow diagram (pdf 244kb) for an overview of this phase.

Digital approval methods

The Digital Authorisations Framework helps to provide appropriate levels of assurance for using a variety of digital approval methods. The digital approval methods specified in the framework are:

  • Email
  • Action tracking
  • System workflows

Other approval methods can be used in conjunction with those recommended in the framework. For example, where required for high risk processes, a digital signature can be used in conjunction with the recommended approval method to provide a higher level of user authentication and security.

Digital signatures

Digital signatures, which use digital keys, certificates and encryption technology to authenticate identity, are a specific type of electronic signature. They are supported under the framework but should only be used as necessary, based on the risk and requirements associated with a specific business process.

The Gatekeeper Public Key Infrastructure (PKI) Framework governs the use of digital signatures (digital keys and certificates) by the Australian Government, to assure the identity of subscribers to authentication services.

Preparing to use the Framework

An information review of your agency's core information assets should be carried out before applying the Digital Authorisations Framework, to identify:

  • manual or inefficient workflows and approval processes, including those currently requiring a wet-ink signature
  • high volume and/or low risk business processes that can be prioritised for transformation to fully digital processes
  • business processes with a legislative requirement to complete an approval process in a pre-defined way, including a documented requirement for a hard copy signature
  • existing tools or software that could be used to support end-to-end digital processes, including fit-for-purpose digital approvals
  • agency-specific risk methodologies that can be used to identify potential risks associated with implementing end-to-end digital processes or digital approvals.

Development

The Digital Authorisations Framework was developed by the Archives in consultation with Australian Government agency representatives through a consultative working group. An exposure draft was published on the Archives website in August 2017 for wider review. Advice and feedback received were incorporated into the final version provided.

Please contact the Agency Service Centre if you would like further information about the framework, or advice on applying it within your agency.

Copyright National Archives of Australia 2017