9 February 1999. Thanks to Roger Clarke.
Source: http://www.gpka.gov.au/working-groups/accreditation-evaluation/public/CAcriteria/CACriteria.htm


GOVERNMENT PUBLIC KEY AUTHORITY-CRITERIA FOR ACCREDITATION OF CERTIFICATION AUTHORITIES (Version 5)

1. OVERVIEW

This document provides details of the GPKA accreditation process, the required standards for GPKA accreditation, contact details for evaluation authorities, and a list of references. It should be used by potential certification authorities (CAs) to identify the level of government standards to which their business facilities, policies, resources, procedures and technologies need to conform in order to qualify for GPKA accreditation.

GPKA ACCREDITATION

GPKA accreditation is granted following evaluation of initial and ongoing compliance with the following criteria, first referenced in the GATEKEEPER strategy document released by the Office for Government Information Technology (now the Office for Government Online, Department of Communications, Information Technology and the Arts) in May 1998.

The standards for certification authorities detailed below will ensure an appropriate level of trust for the provision of CA services to the Commonwealth Government. The rigorous accreditation process against these standards will ensure that transactions using digital certificate and public key technology from GPKA accredited CAs provide a high level of trust to both agencies and users. Accreditation by the GPKA confers a recognised trusted status to companies supplying CA services to the Commonwealth. OGO will recommend the use of GPKA accredited CAs to Commonwealth agencies, and will discourage the use of non-accredited CAs for government business.

The GPKA recognises two levels of accreditation - entry level and full. Each criterion contains a reference to the requirement for evaluation for one or both levels. The major distinction between the two levels is the formal evaluation of CA technology through the Australian Information Security Evaluation Program (AISEP) to the ITSEC E3 level. Entry level accreditation will be gained following evaluation by approved organisations against these published criteria. Entry level CAs will be restricted to providing limited CA services (50 point certificates for individuals and organisations). Full accreditation requires qualification for an ITSEC E3 rating and upgrades of security measures to the Highly Protected level, and will qualify the CA to provide full services to Commonwealth agencies.

UNDERLYING REQUIREMENTS

Although each criterion contains reference to specific standards, the underlying principles of security for the Commonwealth Government are referenced in the Protective Security Manual. All of the criteria below require compliance to the PSM as a minimum standard.

The audit requirement for ongoing compliance is an annual audit by qualified IT auditors approved by the GPKA against each criterion, to ensure that the standards met at initial evaluations are still being adhered to.

It should be noted that an accredited certification authority must be located and operated within Australia, and must not have an international root certification authority.

Most CAs will offer both authentication and confidentiality key services. In line with the OECD Guidelines on Cryptography Policy and the Protective Security Manual there must be no key recovery mechanisms for authentication keys. Many Commonwealth Government agencies will, however, require key recovery services for their confidentiality keys for business continuity purposes and may require the CA to provide this service.

CHANGES TO CRITERIA

The contents of these criteria may change over time, dependent on advances in technology and national security considerations. If there is any doubt as to the currency of the criteria, please contact the GPKA Secretariat. Any GPKA registered or accredited CAs will be notified of changes to this document. If a change is deemed to be significant by the GPKA, the review process may incorporate a consultative approach with industry and consumer bodies.

Contacts:

Government Public Key Authority Secretariat
C/- Standards Australia
1 The Crescent
HOMEBUSH NSW 2140
Ph: (02) 9746 4135
Ph: (02) 9746 4638
Fax: (02) 9746 8450
Email: secretariat@gpka.gov.au

Project Manager, GATEKEEPER
Office for Government Online
PO BOX 258
DICKSON ACT 2602
Ph: 02 6271 4852
Ph: 02 6271 4888
Fax: 02 6271 4899

2. PROCESS OF ACCREDITATION

STEP 1

The Certification Authority (CA) registers with the GPKA Secretariat

The registration should be in the form of a letter addressed to the Secretariat outlining the corporate objectives and services offered by the CA. The letter should also provide details such as the level of accreditation applied for (ie Entry Level or Full), and an indication of when the CA services will be offered.

The letter should be forwarded to: secretariat@gpka.gov.au

The letter may be posted to:

The GPKA Secretariat
C/- Standards Australia
1 The Crescent
Homebush NSW 2140
Ph: (02) 9746 4135
Ph: (02) 9746 4638
Fax: (02) 9746 8450

STEP 2

The GPKA Secretariat notifies the Office for Government Online (OGO)*

The Secretariat opens a correspondence and accreditation file for the CA and forwards the letter (from CA) to OGO. A copy of the CA letter will also be distributed to the GPKA Board.

*Formerly Office of Government Information Technology (OGIT).

STEP 3

OGO forwards a letter of approval to the CA

This letter will be used by the CAs to request the services of evaluators (and certifiers). The evaluator (and certifier) for each criterion is shown below each CA accreditation criterion.

STEP 4

The CA obtains certification from the Evaluators

This is the major step in the GPKA accreditation process. CAs are required to arrange their own evaluation schedule with the evaluating and certifying agencies. Contacts for each agency are listed after the criteria. In most cases the evaluators and certifiers are Commonwealth Government agencies. This may change in the future as other suitable evaluators are identified for each criterion.

Some evaluators will both carry out the evaluation work and certify that the CA meets those relevant criteria and produce a letter/certificate to that effect. Other evaluators will carry out evaluation work on behalf of a Government agency, which will then certify that the CA meets those relevant criteria and produce a letter or certificate to that effect.

The CA will need to identify, where appropriate, which evaluator best meets their objectives in terms of cost, efficiency and logistics for each criterion. All evaluations are the responsibility of the CA to arrange and fund. The CA will need to contact individual agencies to make arrangements for their evaluations and subsequent billing for services. Assistance in setting up evaluations can be provided by the GPKA Secretariat and OGO.

It may be necessary for evaluators to make a number of site visits or reviews of documentation, dependent on the need for further evaluation. For example, a physical security review may recommend changes to locks, doors etc. The CA will need to carry out any work recommended and be re-evaluated to ensure compliance.

It is important to note that there are some dependencies within the criteria, which will affect the timing of certain elements of the overall evaluation process. Please refer to the table below to determine a suitable schedule for all components of the evaluation:

CRITERIA REF.  CRITERIA CLASS          DEPENDENT ON     DIRECT DEPENDENCIES
SE01           Security Policy         PO01             SE02
SE02           Security Policy         SE01             SE03, SE04
SE03           Security Policy         SE02, PO02       none
SE04           Security Policy         SE02             SE05, AD01
SE05A/B        Security Policy         SE04             TE01A/B
PH01A/B        Physical Security       SE05A/B          none
PO01           CA Policy               none             SE01, PO02
PO02           CA Policy               PO01             PO03
PO03           CA Policy               PO02             SE03
TE01A/B        Technology Evaluation   none             SE05A/B
AD01           CA Administration       SE04             AD02
AD02           CA Administration       AD01             none
PE01           Personnel Vetting       none             PE02
PE02           Personnel Vetting       PE01             none
PP01           Procurement Policy      none             none
PC1-12         Privacy Considerations  none             none
CO01           Contracts               none             none
CO02           Contracts               all bar PC1-12   none

STEP 5

CA forwards certified letters/certificates from the Evaluators to the Secretariat

The Secretariat will check that all relevant documentation has been forwarded for each CA criterion. The Secretariat and the CA will liaise to ensure all certificates/letters of evaluation are forwarded by the CA prior to progressing to the next step. The CA will also forward a signed-off form of all the accreditation criteria indicating that all criteria required for the level of accreditation have been forwarded to the Secretariat.

STEP 6

Secretariat forwards a letter of recommendation to OGO and GPKA

The Secretariat will prepare a report to OGO and the GPKA based on the forwarded certificates/letters from evaluators (and certifiers). This report will identify any conditions that the evaluators have identified during the evaluation and the periodic audit requirements.

STEP 7

Head Agreement signed with OGO

Each CA will be required to sign a whole-of-government Head Agreement with OGO (on behalf of the Commonwealth). This will be done once all other criteria have been evaluated and certified.

STEP 8

Secretariat forwards recommendation to GPKA for authorisation

The report (produced by the Secretariat at step 6) will be forwarded to the GPKA Board for review, and recommendation for accreditation by the Chief Government Information Officer (CGIO). Prior to the GPKA Board recommending for accreditation, it may be required that the CA present its service delivery strategy to the GPKA Board, and clarify any queries of the Board.

STEP 9

Secretariat informs CA of accreditation

Following endorsement by the CGIO, a certificate of accreditation will be prepared by the Secretariat and forwarded to the CA. This may include a formal presentation of the certificate.

STEP 10

Post list of accredited CAs on GPKA web site

The Secretariat will list the GPKA accredited CAs on the GPKA web site under entry level or full accreditation, as appropriate.

NOTE: A similar process for Organisational Certification Authority (OCA) and Registration Authority (RA) accreditation is currently being developed. The CA's accreditation criteria include the requirement to produce an RA (and an OCA) operations manual (see criterion AD02). This will address the functions and the day-to-day operations of the RA. A subset of the following CA criteria will apply for the accreditation of an RA. The specific criteria required will be considered within the Accreditation and Registration Work group prior to obtaining approval from the GPKA.

3. CRITERIA FOR ACCREDITATION OF CERTIFICATION AUTHORITIES

E/L denotes Entry Level Accreditation

F denotes Full Accreditation

M denotes Mandatory requirement

Y denotes (Yes) required for the specified level of accreditation.

Compliance with Federal Government Procurement Policy

PP01  Endorsed Supplier   M   E/L: Y   F: Y
Evaluator (and Certifier): Competitive Tendering and Contracting Branch, Department of Finance and Administration

The Endorsed Supplier Arrangement is part of the Commonwealth Government's commitment to streamlining and simplifying government purchasing, cutting the cost of doing business and providing greater opportunities for all businesses including Small to Medium Enterprises (SMEs).

The Competitive Tendering and Contracting Group, Department of Finance and Administration http://www.ctc.gov.au/esa/index.htm provides the process for this criterion to be achieved.

Suppliers will be assessed against the following criteria:

The application form can be downloaded from http://www.ctc.gov.au/esa/index.htm

Security Policy and Planning

SE01  Security policy   M   E/L: Y   F: Y
Evaluator (and Certifier): DSD

The main purpose of a Security Policy (which is a public document) is to state what protection is needed for the system and information it is to process. Evaluation will be based on the following three criteria:

Australian Communications Security Instruction No. 33 (ACSI33), Security Guidelines for Australian Government IT Systems, Section 2, paragraphs 210 to 214, addresses this criterion.

http://www.dsd.gov.au/acsi33/

Other supplementary documents include the following:

SE02  Protective Security Risk Review   M   E/L: Y   F: Y
Evaluator: DSD or its nominee
Certifier: DSD

The evaluation will identify if an appropriate threat and risk analysis has been carried out by the CA in accordance with the methodology outlined in the following sources of information:

A mechanism must be in place to update risk reviews to meet changes to CA/RA operations, i.e. a configuration management program.

Other supplementary information is available in the following AS/NZS Standards:

SE03  Disaster Recovery and Business Continuity Plan   M   E/L: Y   F: Y
Evaluator (and Certifier): OGO

The Disaster Recovery and Business Continuity Plan describes how services will be restored in the event of a system crash or failure. In particular, the document describes restoration priority to ensure the continuity of government business reliant on the operation of the CA. This document will also describe the emergency response procedures to be followed in the event of a natural disaster affecting the function of the CA operable product, a security incident or suspected security incident affecting the operation of the operable product, a compromise of the CA's private key or the failure of the audit trail mechanisms.

The plan will include mechanisms for the preservation of evidence of system misuse, so that it may be admissible as evidence in a court of law at some later date.

SE04  Protective Security Plan   M   E/L: Y   F: Y
Evaluator: DSD or its nominee
Certifier: DSD

The Protective Security Plan describes the practice of ensuring the security and integrity of the overall operation of the CA service, including the establishment of standards for the access and operation of CA service elements.

The plan will detail those procedures which are necessary to ensure that CA clients can have the highest possible level of assurance that critical functions have been identified and have been provided at appropriate levels of trust. Particular areas of concern will be CA private key security, key/data recovery (i.e. lost keys or legal access), privileged user management, certificate publication and integrity, and key generation and transfer mechanisms.

Evaluation will be based on the criteria addressed in the following templates:

Physical security compliance (PH), technology compliance (TE), administrative compliance (AD) and personnel compliance (PE) that follow this criterion form part of the documentation required for the protective security plan. The following protection classes should also be addressed in the protective security plan:

Other supplementary information is addressed in:

AS/NZS 4444:1996 - Information security management.

SE05A  Basic Implementation of the Protective Security Plan   M   E/L: Y   F: .
Evaluator: DSD or its nominee
Certifier: DSD

The basic implementation should provide an indication that the fundamentals of the Protective Security Plan are in place, so as to give confidence that there is sufficient security for entry level applications. This will also consist of a review of the plan and a brief visit to the CA's and RA's premises.

SE05B  Full Implementation of the Protective Security Plan   M   E/L: .   F: Y
Evaluator: DSD or its nominee
Certifier: DSD

Full implementation requires a demonstration that the Protective Security Plan has been fully implemented and is applied in the day-to-day operations of the CA. Certification under this criterion must be renewed annually or on any change to the system which results in a significant change to the risk assessment (see SE02), whichever is sooner.

Physical Security

PH01A  Compliance with Physical Security for IN-CONFIDENCE   M   E/L: Y   F: .
Evaluator (and Certifier): ASIO T4 Protective Security Group

ASIO is the physical security authority for the Commonwealth Government and will provide advice on security standards, threat assessment and physical security reviews.

To obtain entry level accreditation, evaluation will be based on ACSI 33, Section 6, Physical Security, available at http://www.dsd.gov.au/acsi33/

PH01B  Compliance with Physical Security for HIGHLY PROTECTED   M   E/L: .   F: Y
Evaluator (and Certifier): ASIO T4 Protective Security Group

ASIO is the physical security authority for the Commonwealth Government and will provide advice on security standards, threat assessment and physical security reviews.

To obtain full accreditation, evaluation will be based on ACSI 37, Chapter 6. The required level of physical security is PHY-1 as defined in the Supplement to ACSI 37, Section 9.

Technology Evaluation

TE01A  Has met the conditions of entry of the CA and RA technology into AISEP   M   E/L: Y   F: .
Evaluator (and Certifier): DSD

TE01B  Certified CA and RA Technology ITSEC E3 (or Common Criteria)   M   E/L: .   F: Y
Evaluator: AISEF
Certifier: DSD

The technology requirement is an evaluation and certification by an Australian Information Security Evaluation Facility (AISEF) to the Information Technology Security Evaluation Criteria (ITSEC) E3 standard or the Common Criteria, available at http://www.dsd.gov.au/downloads/itsec.pdf

Accreditation will involve the preparation of a Functionality Specification. Implementation of the functionality class in the fielded product will be required to conform with ACSI 37 and Section 11 of the Supplement to ACSI 37 (SSM-1 System Security Mechanisms). The functionality specification should also include the following:

Certification Authority Administration

AD01  Certification Authority Operations manual   M   E/L: Y   F: Y
Evaluator (and Certifier): OGO

The CA Operations manual describes how the CA service will be operated and managed on a day-to-day basis, and details the functions and responsibilities of the personnel within the CA.

The CA Operations manual shall describe the methodologies followed in carrying out the following policy criteria:

Project GATEKEEPER and the draft ISO/CD-15782-1 (Banking-Certificate Management Part 1: Public key certificates) provide some guidance on developing a CA Operations manual. (Note that the ISO document is at Committee Draft stage and is subject to change.)

AD02  Registration Authority Operations manual   M   E/L: Y   F: Y
Evaluator (and Certifier): OGO

The RA Operations manual describes how the RA service will be operated and managed on a day-to-day basis, and details the functions and responsibilities of the personnel within the RA.

The RA Operations manual shall describe the methodologies followed in carrying out the following policy criteria:

References:

Project GATEKEEPER and the draft ISO/CD-15782-1 (Banking-Certificate Management Part 1: Public key certificates) provide some guidance on developing an RA Operations manual. (Note that the ISO document is at Committee Draft stage and is subject to change.)

Personnel Vetting

PE01  Fully vetted employment profiles to Highly Protected   M   E/L: Y   F: Y
Evaluator: Australian Security Vetting Service
Certifier: OGO

All operational certification authority staff will need to be cleared to the Highly Protected level of personnel clearance. This includes all staff with access to CA secure areas and back up personnel. These positions are classified as Positions of Trust, and should be kept to a minimum.

The ASVS is being tasked to undertake vetting of non-Commonwealth people employed in the private sector, who, either as individual contractors or employees of a company which has secured a contract with a Commonwealth agency, require access to sensitive national security or non-national security matter as a result of those contractual obligations.

Currently, the ASVS cannot undertake vetting of private sector personnel without Commonwealth sponsorship. CAs wishing to clear their personnel should provide names and contact details of vettees to OGO for sponsorship and processing of their application.

A fact sheet providing details of ASVS and relevant costs for evaluation is provided below:

The process to have a security clearance undertaken is provided below. Please note that OGO is responsible for steps 1-3, 9, and 10:

PE02  Facility Security Officer (FSO)   M   E/L: Y   F: Y
Evaluator: Australian Security Vetting Service / DSD
Certifier: OGO

Evaluation will be based on the CA's compliance with Section 5 of the current Protective Security Manual or Volume D of the proposed new PSM.

NOTE: if the FSO is functionally equivalent to an ITSM (see ACSI 37), then section 4 of ACSI 37 will form part of the evaluation criteria.

Certification Authority Policy

PO01  Certificate Policy Statement   M   E/L: Y   F: Y
Evaluator (and Certifier): The Australian Government Solicitor

The Certificate Policy Statement (which is a public document) describes the conditions of use that are attached to the use and application of certificates.

Two forms of certificates will be addressed in the policy-

PO02  Certificate Practice Statement   M   E/L: Y   F: Y
Evaluator (and Certifier): The Australian Government Solicitor

The Certificate Practice Statement (which is a public document) describes the practices that the CA service will employ in managing the certificates it issues. These statements will describe the PKI certification framework, mechanisms supporting the application, insurance, acceptance, usage, suspension/revocation and expiration of certificates signed by the CA, and the CA's legal obligations, limitations and miscellaneous provisions.

PO03  Certification Authority Concept of Operations (commercial-in-confidence)   M   E/L: Y   F: Y
Evaluator (and Certifier): Australian Government Solicitor

The Certification Authority Concept of Operations describes how the CA Service provider will operate and manage the service. Essentially this document will provide an overview model for service operation and security arrangements supporting the functions performed.

The CA will also be required to demonstrate interoperability mechanisms to ensure that CAs use a standards-based approach to such things as encoding rules for content within the certificate and subscriber naming rules etc.

Contracts

CO01  Customer (Subscriber) agreement   M   E/L: Y   F: Y
Evaluator (and Certifier): The Australian Government Solicitor

This document defines the undertakings that subscribers will make in order to obtain and use certificates confirming their digital identities. It is expected that this will be part of the terms and conditions used to encourage user participation in electronic service delivery.

CO02  Whole of Government Agency/Service Provider (CA) supply contract   M   E/L: Y   F: Y
Evaluator (and Certifier): Head Agreement with OGO

The Head Agreement provides a standard framework for contractual conditions across the Commonwealth Government and links the GPKA criteria to a legal framework. The model agency contract contained as a schedule of the Head Agreement provides a standard set of terms for issues such as service availability, mean downtime, support functions and restoration guarantees.

Privacy Considerations

Note: Only the titles under these criteria are documented in the tables below. Links to the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) are given below which provide full details for each criterion.

PC01  Manner and extent of collection of personal information
      Deemed to Comply Standards/Documents: IPP 1, 2 and 3 & Protective Security Manual
      M   E/L: Y   F: Y

PC02  Security safeguards in relation to personal information
      Deemed to Comply Standards/Documents: IPP 4 & Protective Security Manual
      M   E/L: Y   F: Y

PC03  Openness about the types of personal information held and information handling policies
      Deemed to Comply Standards/Documents: IPP 5 & Protective Security Manual
      M   E/L: Y   F: Y

PC04  Availability of procedures to allow subjects of personal information to access and correct the information
      Deemed to Comply Standards/Documents: IPPs 6 and 7 & Protective Security Manual
      M   E/L: Y   F: Y

PC05  Accuracy of personal information
      Deemed to Comply Standards/Documents: IPP 8 & Protective Security Manual
      M   E/L: Y   F: Y

PC06  Personal information is used only for relevant purposes
      Deemed to Comply Standards/Documents: IPP 9 & Protective Security Manual
      M   E/L: Y   F: Y

PC07  Limits placed on the use of personal information
      Deemed to Comply Standards/Documents: IPP 10 & Protective Security Manual
      M   E/L: Y   F: Y

PC08  Limits placed on disclosure of personal information
      Deemed to Comply Standards/Documents: IPP 11 & Protective Security Manual
      M   E/L: Y   F: Y

PC09  Privacy protection is provided for personal information published in publicly accessible lists / registers (controls over how personal information is accessed, searched and used)
      • No personal information shall be made publicly available in CRLs and other directory services.
      • CAs shall collect and hold minimal personal information when logging accesses to CRLs or other directory services.
      • CAs should not disclose personal information collected by logging access to CRLs or other directory services, except in circumstances where, if that information were protected telecommunications information, they would be authorised or required to disclose the information under Part 13, Division 3, Subdivision A of the Telecommunications Act 1997.
      M   E/L: Y   F: Y

PC10  Multiple certificates
      Users will be allowed to have more than one certificate from the same CA, wherever the use of multiple certificates is not inconsistent with the purpose of those certificates, i.e. users should not be required to use only one certificate when dealing with any government agency (or agencies).
      M   E/L: Y   F: Y

PC11  Notification Procedure
      CAs will establish and follow procedures to notify users, in relation to each certificate provided, whether the IPPs or National Privacy Principles (NPPs) apply to personal information collected and held by the CA relating to that certificate, and the applicable mechanism for making and investigating privacy complaints.
      M   E/L: Y   F: Y

PC12  Support of Anonymous or Pseudonymous Certificates
      The CA should have the ability to provide anonymous or pseudonymous certificates where appropriate.
      M   E/L: Y   F: Y

Evaluator:

The statutory functions of the Privacy Commissioner do not currently extend to fulfilling the role of an evaluator. An audit of conformance with the privacy standards listed above will be carried out by nominated individuals (or organisations) specialising in privacy, following accreditation by the GPKA. The GPKA will inform accredited certification authorities of the requirements.

The privacy criteria PC01 - 12 describe how privacy of an individual's information is maintained. This includes guidance on privacy enforcing functionality and privacy safeguards.

References:

(i) Information Privacy Principles (IPPs) set out in section 14 of the Privacy Act 1988: http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s14.html

(ii) The National Privacy Principles (NPPs) issued by the Privacy Commission http://www.privacy.gov.au/news/p6_4_1.html

(iii) AS/NZS 4444:1996 - Information security management (Appendix C).

4. CONTACT DETAILS FOR EVALUATORS (and CERTIFIERS)

CRITERIA: EVALUATOR / CERTIFIER

PP01
Competitive Tendering and Contracting Branch, Department of Finance and Administration
GPO Box 1920 Canberra ACT 2601
Ph: 1800 650 531

SE01, SE02, SE04, SE05A/B, PE03
Defence Signals Directorate (DSD)
Attn: Mr Roger Bower
Locked Bag 5076
Kingston, ACT 2604
Ph: (02) 6265 0335
Fax: (02) 6265 0328
Website: http://www.dsd.gov.au
E-mail: assist@dsd.gov.au

TE01A/B
Defence Signals Directorate (DSD)
Attn: Ms Anne Robins
Locked Bag 5076
Kingston, ACT 2604
Ph: (02) 6265 0342
Fax: (02) 6265 0328
Website: http://www.dsd.gov.au
Email: aisep@dsd.gov.au

PH01A/B
ASIO T4 Protective Security Group
Attn: Mr Mike Askew
Australian Security Intelligence Organisation
GPO Box 2176
Canberra ACT 2601
Ph: 02 6249 6299

TE01B
Admiral Computing (Australia) Pty. Ltd
AISEF Controller
Suite 2, 26-28 Napier Close,
Deakin, ACT 2600
Ph: (02) 6260 4211
Fax: (02) 6260 4255

TE01B
CSC Australia
AISEF Controller
PO Box 522,
Canberra, ACT 2601
Ph: (02) 6246 8122
Fax: (02) 6246 8200

PE01, PE02
Australian Security Vetting Service
Attn: Mr Keith Hefler
Robert Garran Offices
National Circuit, Barton, ACT 2600
Ph: (02) 6250 5335
Fax: (02) 6250 5988

PO01, PO02, PO03, CO01
The Australian Government Solicitor
Attn: Rupert Hammond
50 Blackall St
Barton, ACT 2600
Ph: (02) 6250 6278
Email: rupert.hammond@ags.gov.au

SE03, AD01, AD02, CO02, PE01, PE02
Office for Government Online
Level 4, 470 Northbourne Avenue,
Dickson, ACT 2602
Ph: (02) 6271 4852
Fax: (02) 6271 4899
Web: http://www.ogit.gov.au

PC01-12
Individuals/organisations specialising in privacy consultancy (as approved by the GPKA).

5. REFERENCES

1. Australian Communications Security Instruction No. 33 (ACSI33), Security Guidelines for Australian Government IT Systems; available from DSD: http://www.dsd.gov.au/acsi33/
2. Australian Communications Security Instruction No. 37 (ACSI37), Australian Government Standards for the Protection of Information Technology Systems Processing Non-National Security Information at the Highly Protected Classification (available on request from DSD)
3. AS/NZS 3931: 1998 - Risk analysis of technological systems - Application guide; available from Standards Australia: http://secure.standards.com.au/Catalogue/Script/Details.asp?DocN=stds000017419
4. AS/NZS 4360: 1995 - Risk management; available from Standards Australia: http://secure.standards.com.au/Catalogue/Script/Details.asp?DocN=stds000014126
5. AS/NZS 4444: 1996 - Information security management; available from Standards Australia: http://secure.standards.com.au/Catalogue/Script/Details.asp?DocN=stds000015694
6. Protective Security Manual (PSM), available from the Protective Security Coordination Centre, Tel: (02) 6250 5301, Fax: (02) 6273 4009
7. GATEKEEPER, Office of Government Information Technology, May 1998; available in HTML or PDF from http://www.ogit.gov.au/gatekeeper/index.html
8. INFOSEC Threat and risk assessment - non-national security information; DSD; available from: http://www.dsd.gov.au/assist/docs/dsd/tra-methodology.pdf
9. Threat and risk assessment questionnaire for information technology systems; DSD; available from: http://www.dsd.gov.au/assist/docs/dsd/tra-questionnaire.pdf
10. Information Technology Security Evaluation Criteria (ITSEC); DSD; available from: http://www.dsd.gov.au/downloads/itsec.pdf
11. X.500 Support: Standards Australia - Public Key Authentication Framework (PKAF) Related Standards - General; Part 1.3: X509 Supported Algorithms Profile; available from Standards Australia: http://www.standards.com.au
12. X.509 V3 Compliance: Standards Australia - Public Key Authentication Framework (PKAF) Related Standards - General; Part 1.2: X509 Certificate and Certificate Revocation Lists (CRL) Profile; available from Standards Australia: http://www.standards.com.au
13. CRL V2 Support: Standards Australia - Public Key Authentication Framework (PKAF) Related Standards - General; Part 1.2: X509 Certificate and Certificate Revocation Lists (CRL) Profile; available from Standards Australia: http://www.standards.com.au
14. LDAP V2 Support (RFC 1777): Internet Standard RFC 1777; available from: http://info.internet.isi.edu/in-notes/rfc/files/rfc1777.txt
15. ISO/IEC 13248-1:1997 Information technology - Open Systems Interconnection - Directory Access Protocol: Protocol Implementation Conformance Statement (PICS) Proforma; available from Standards Australia: http://www.standards.com.au
16. ISO/IEC 9594 Information technology - Open Systems Interconnection - The Directory (including ISO/IEC 9594-5:1995, Information technology - Open Systems Interconnection - The Directory: Protocol Specifications); available from Standards Australia: http://www.standards.com.au
17. ISO/CD-15782-1 Banking-Certificate Management Part 1: Public key certificates; available from Standards Australia: http://www.standards.com.au
18. Information Privacy Principles (IPPs) set out in section 14 of the Privacy Act 1988; available from: http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s14.html
19. National Privacy Principles (NPPs); Federal Privacy Commissioner, 1998; available from: http://www.privacy.gov.au/news/p6_4_1.html