SISS DATA SERVICES - DATA STEWARDSHIP AND GOVERNANCE POLICY

Background Information

SISS Data Services is a software company, specialising in Data feed solutions for the banking, accounting and financial services industry where software users can create Data feeds and receive electronic Data files from Banks via their software package of choice.
The process of electronically transferring Data eliminates manual Data entry and reconciliation, reducing time and costs for the accountants, advisers and customers.

Purpose

The purpose of this policy is to define the Data stewardship and governance policies implemented and adhered to by SISS Data Services.
Data stewardship provides management and oversight of SISS Data Services Data to provide its customers with high-quality and accurate information through easily accessible and consistent methods.
Data governance is the management of the confidentiality, integrity, availability and quality of the Data collected and provided by SISS Data Services.

Scope

Data collected via bank feeds and provided by SISS Data Services are considered in the scope of this policy.

Data Lifecycle

The following diagram highlights the phases of the Data lifecycle.

Definitions

Data Custodians

Individuals or organisations in physical or logical possession of Data for the Data Owner.

Data Managers

Personnel directly responsible for the operational access and management of Data.

Data Owner

SISS Data Services is the owner of all Data collected, stored or managed by personnel of SISS Data Services.

Data Sources

The Bank or Financial Institution the Data Owner maintains an account with and obtains the Data feeds from.

Data Stewards

Personnel responsible for the integrity, availability, confidentiality, and quality of Data management. There should be at least one designated Data Steward for each business unit or department.

Financial Information

Data that relates to a financial product or transaction from Data Sources that may contain information as detailed in Data Types.

Personal Information or PII

Any information or an opinion about an identified individual, or an individual who is reasonably identifiable.

SISS Data Services Data Resource

Data owned by SISS Data Services may reside in various systems and locations as required and justified by the business; these are consistently referred to as a single, shared resource.
All such Data owned and managed by or on behalf of SISS Data Services is considered part of the SISS Data Services Data Resource.

Third Party

An individual, company or other entity that an individual has granted consent to access their personal information.

Data Types

SISS Data Services, through their feeds, may store the information as detailed below.

Bank Account Data

Direct from Financial Institution

  • Account Number
  • Account Name
  • BSB
  • Transaction Details
  • Balance Details

Credit Card Data

Direct from Financial Institution

  • Tokenised Credit Card Number
  • Card Name
  • Transaction Details
  • Balance Details

Contract Note Data

PDF of Contract Note emailed to SISS & direct from the Financial Institution's system

  • Name of Account
  • Account ID
  • Email Address
  • Transaction Details
  • Broker's Details

Wrap & Managed Fund Data

Direct from Financial Institution

  • Account Number
  • Account ID
  • Investment Holding Details
  • Transaction Details
  • Balance Details

Share Registry Data

Direct from Financial Institution

  • HIN
  • Account Name
  • Investment Holding Details
  • Transaction Details
  • Balance Details

Principles

The following principles outline the acceptable minimum requirements that must be adhered to by SISS Data Services and its personnel to provide high quality and easily accessible Data while protecting the confidentiality, integrity and availability of Data collected and provided by SISS Data Services.

Collection of Data Principles

  1. SISS Data Services owns the Data collected, created, and provided via its services.
  2. A delegated Data Steward is responsible for ensuring the ongoing confidentiality, integrity, availability and quality of information collected and provided.
  3. There is at least one Data Steward identified for each Data type collected, created and provided by SISS Data Services.
  4. SISS Data Services will obtain consent from individuals for the processing, storing, and transfer of personally identifying information where applicable and relevant as required by the Privacy Act.
  5. Consent from an individual must be informed and explicit.
  6. SISS Data Services will never utilise screen scraping to obtain or collect information.

Plan to Distribute Principles

  1. A delegated Data Manager is provided for each business unit or Data type to ensure the Data is available in accordance with operational requirements to authorised parties only.
  2. Collected Data is verified to be accurate and true from the supplying feed prior to delivery to SISS Data Services customers.
  3. SISS Data Services will be transparent in the use and purpose of the Data sourced.

Assess Classification Principles

Open Banking in Australia was created to give consumers the power to control their own Data. As holders of this Data, every bank has a responsibility to ensure Data protection when the Data is shared across various Data holders and recipients. A key aspect of building trust is through transparency.

  1. SISS Data Services will ensure the accuracy and integrity of the information provided via its services.
  2. Data is classified as public or protected.
    1. Public Data is any Data that is made publicly available in accordance with compliance requirements such as media releases or is already directly available via public systems.
    2. Protected Data is all SISS Data Services Data Resource that is not considered public.
  3. Data classified as public will require no special treatment or imposition of access controls.
  4. Data classified as protected will be stored securely and only made accessible where a suitable business need or justification has been demonstrated by the authorised party.
  5. The principles of least privilege and need to know are adhered to by SISS Data Services.
    1. Only authorised parties are provided access to Data they require access to.
    2. Unauthorised parties are not provided access to any SISS Data Services Data Resource.
    3. Suitable business justification must be provided prior to access being authorised, enforcing the principle of "need to know".

Protection of Data Principles

  1. Data is protected against misuse, misconduct, and loss of integrity through access control and authorisation limitations.
  2. All entities using SISS Data Services API or other interfaces to access SISS Data Services Data Resources must agree and adhere to terms and conditions with SISS Data Services.
  3. All entities using SISS Data Services API or other interfaces to access SISS Data Services Data Resources must implement appropriate and reasonable information security protections and controls.
  4. SISS Data Services may verify and request evidence of appropriate security protections and controls being applied by any entity accessing SISS Data Services Data Resources.
  5. Access to the API and other interfaces is reviewed and audited periodically to identify any potential misuse.
  6. SISS Data Services does not share personal or financial information with individuals or third parties without completing identification verification.
  7. SISS Data Services will ensure that any breach of personally identifiable information collected or provided is identified and mitigated in a reasonable time period.
  8. SISS Data Services will ensure that any breach of personally identifiable information collected or provided is notified in accordance with the Notifiable Data Breaches Scheme.

Disposal of Data Principles

  1. Data that is no longer of value to SISS Data Services or its customers is securely destroyed within a reasonable time frame.
  2. All Data, unless the personally identifying information it contains still has value, will undergo a de-identification process or be destroyed.
  3. All entities using SISS Data Services API or other interfaces to access SISS Data Services Data Resources must implement appropriate and reasonable information security protections and controls.
  4. Personally identifiable information will be destroyed in accordance with the Privacy Act 1988, ensuring PII is destroyed when it is no longer required.
  5. SISS Data Services will comply with appropriate legislation for any requests made by an individual for the extraction, correction, or deletion of their own records.
  6. SISS Data Services provides individuals with the right to be forgotten (delete all Data) when an individual has been identified accurately, via their financial institution or via an authorised third-party.
    1. SISS Data Services will, at their discretion, either destroy the client information where any record may result in or cause harm to an individual or anonymise it such that the individual can no longer be identified.

Review

SISS Data Services commits to reviewing and updating this policy on an annual basis or more frequently where required.
