Department of Home Affairs Page 1
Request for Tender – RFT 22/17-B1 – Phase Two – Attachment A – Statement of Requirement
Australian Government
Department of Home Affairs
REQUEST FOR TENDER (RFT) FOR
DELIVERING VISA SERVICES FOR AUSTRALIA – GLOBAL DIGITAL PLATFORM
RFT 22/17-B1 – Phase Two
ATTACHMENT A – STATEMENT OF REQUIREMENT
© Commonwealth of Australia 2019.
Table of Contents
Section 1: Introduction
  1.1 Objectives
    1.1.1 The Platform
    1.1.2 Design principles – Governance and control
    1.1.3 Design principles - Services
  1.2 The Statement of Requirement
    1.2.1 Structure
    1.2.2 Core Government Services
    1.2.3 Additional Commercial Services
  1.3 How to read the Statement of Requirement
    1.3.1 Approach
    1.3.2 Mandatory Requirements
    1.3.3 Minimum service requirements
    1.3.4 Compliance requirements
Section 2: Core Government Services
  2.1 Scope
    2.1.1 Visas to be processed on the Platform
    2.1.2 Users of the Platform
    2.1.3 Departmental Users of the Platform include:
  2.2 Required outcomes for the user
    2.2.1 Introduction
    2.2.2 Explore
    2.2.3 Departmental User journey – Attract and match Applicants/Employers
    2.2.4 Other Market Provider journey – Provide information
    2.2.5 Other Organisation journey – Provide information
    2.2.6 Connect
    2.2.7 Introduction
    2.2.8 Client journey – Lodge my Application
    2.2.9 Department journey – Facilitate lodgement
    2.2.10 Other Market Provider journey – Assist with lodgement
    2.2.11 Other Organisation journey – Assist with lodgement
    2.2.12 Assess
    2.2.13 Introduction
    2.2.14 Client journey – Provide additional information
    2.2.15 Department journey – Perform assessments
    2.2.16 Other Market Provider
    2.2.17 Action
    2.2.18 Introduction
    2.2.19 Client
    2.2.20 Department
    2.2.21 Other Market Provider journey – Advised of a decision
    2.2.22 Other Organisation journey – Advised of a decision
    2.2.23 Resolve
    2.2.24 Introduction
    2.2.25 Client – Travel and comply
    2.2.26 Department – Ensure compliance
    2.2.27 Other Organisation journey – Check visa status
  2.3 Required business enabling outcomes
    2.3.1 Introduction
    2.3.2 User support
    2.3.3 Business Rule development and implementation
    2.3.4 Workflow management
    2.3.5 Program management
    2.3.6 Quality assurance
    2.3.7 Reporting and analytics
  2.4 Required outcomes of the Platform and Successful Tenderer
    2.4.1 Introduction
    2.4.2 Platform operations
    2.4.3 Service design and change
    2.4.4 Maintenance
    2.4.5 Policy and service design change
    2.4.6 Platform interfaces and interoperability
  2.5 Compliance requirements
    2.5.1 Introduction
    2.5.2 Data management
    2.5.3 Security
    2.5.4 Compliance with Commonwealth legislation, laws and policies
  2.6 Delivery approach
    2.6.1 Introduction
    2.6.2 Delivery plan
    2.6.3 Governance
  2.7 Out of scope services
Section 3: Additional Commercial Services
  3.1 Introduction
    3.1.1 Additional Commercial Services
    3.1.2 Implementing Additional Commercial Services
  3.2 Governance
    3.2.1 Submission of opportunities to the Department
    3.2.2 Department consideration of opportunities
    3.2.3 Review
    3.2.4 Termination
  3.3 Restrictions
    3.3.1 Restrictions
    3.3.2 Overall restrictions
Appendix A: Visa categories to be processed on the Platform initially
Appendix B: Business Rules
Section 1: Introduction
1.1 Objectives
1.1.1 The Platform
1.1.1.1 Part 2 – Overview of this RFT outlines the broader Immigration Reform Program and the role
this RFT process and the Platform will play in its implementation.
1.1.1.2 As outlined in the REOI and the RFT Phase One, the Government's priorities and objectives of
the Services to be delivered are:
a) enhancing the attractiveness and competitiveness of Australia’s global visa
and citizenship service delivery arrangements;
b) strengthening the national economy and supporting key export industries
by facilitating the travel and migration of genuine tourists, students and
migrants (and skilled migrants in particular);
c) strengthening national security by preventing the entry and stay of
individuals who would cause Australia and its society harm;
d) fostering social cohesion in Australian society;
e) improving decision quality, consistency, and efficiency;
f) improving user experience for Applicants and Sponsors, Departmental
Users, and other potential users of the Platform (e.g. Service Delivery
Partners);
g) improving financial outcomes for the Australian Government including
through generating efficiencies, and enhancing revenue from the visa
system;
h) providing flexibility to implement future visa policy changes quickly and
efficiently; and
i) facilitating the simplification of Australia’s visa and citizenship framework.
1.1.2 Design principles – Governance and control
1.1.2.1 This Statement of Requirement should be read in a manner that is consistent with the
Government’s intention and having regard to the relevant Australian Accounting Standards
(including as canvassed with Tenderers in Phase One).
1.1.3 Design principles - Services
1.1.3.1 In delivering the Services, Tenderers should consider the following design principles that are
central to the way in which the Department intends to operate.
For Clients
a) The Client experience, including the cost of using the Platform, is of utmost
importance as a means of providing high levels of service but also to give
Australia a competitive advantage in the global markets for highly desirable
Applicants.
b) The Department wants to be proactive in the provision of information to
enhance a positive compliance culture by assisting visa holders to
understand and meet their obligations. The Department also wants to take
advantage of being the conduit to all non-citizens in Australia and provide
helpful information to aid visa holders with their interactions with other
Government agencies.
c) The Department wants to meet the needs and expectations of Clients by
providing a globally accessible digital service, even in areas where there is
limited internet connectivity or mobile telecommunications capability.
Market providers will still be available to assist Clients in navigating
Australia’s visa system and to lodge applications, but this should be only in
circumstances where Clients are unwilling or unable to interact with a
digital service.
For the Department
d) The Departmental User experience is of equal importance as a means of
providing staff with the tools and information they require to effectively
discharge their duties.
e) Automation of processing steps in the end-to-end journey by the Platform
is critical for the Department to continue its role in managing the border
and securing revenue for the nation in the face of constrained resources
and increasing volumes of travellers.
f) In providing a flexible basis on which to deliver policy and service design
changes, the Platform is an opportunity to introduce a data-driven
approach that can model the impact of change ahead of implementation,
assisting in the development of policy but also to determine the most
efficient and effective approach to service delivery.
g) A comprehensive capability to assure the operation of the Platform and
audit the outcomes of both manual and automated assessments provides a
strong feedback loop into the decision making process. This will help to
ensure that the Platform is operating as intended, in particular ensuring
appropriate outcomes and removing any unwanted bias in automated
processing steps.
For the nation
h) Collection of information that increases the confidence in the identity of the
Clients interacting with Australia’s visa and citizenship system is critical in
supporting an intelligence-informed approach that manages the border
based on the particular risks presented by an individual.
i) In addition to identity, the Department wants to maximise the benefits that
come from stronger technological integration of the mutually reinforcing
visa and intelligence systems. Collecting high quality, comprehensive and
verifiable information about Clients improves the ability to treat Applications
based on risk, in turn enabling a streamlined and automated service to
Clients identified as low-risk. The addition of the high quality data and
information collected by the Platform will supplement the vast quantity of
information available to the Department's intelligence systems. This will not
only enable a greater ability to identify visa-related risk but also feed into
the broader identification of potential risk across all border activities.
j) The Platform will provide the capability to examine and audit, including in
real time, every interaction with the Platform (e.g. every step of every
transaction or interaction with the Platform will be collected including
deletion of material previously entered by Applicants). This functionality will
be critical in identifying attempts to exploit the visa system or Business
Rules and providing additional sources of information to ensure the
ongoing security of Australia’s border.
For the Successful Tenderer
k) The Department will determine the Business Rules that establish what the
Platform does, including visa processing workflows. The Department
expects that the Successful Tenderer will collaborate with the Department
in the development of the Business Rules to maximise their efficiency
including through automation. See Appendix B for further detail.
l) The Platform is expected to be flexibly designed and implemented so that
technology advances that occur over the Term of any Agreement can be
efficiently accommodated to provide new capabilities and benefits for
Clients and Departmental Users of the Platform.
m) The benefits of the flexible design of the Platform are expected to extend
towards the Department being able to easily and quickly implement policy
and business process changes, including an ability for Government to
target its visa product offerings to meet particular policy objectives.
n) Effective risk management requires the Successful Tenderer and the
Department to understand the nature of relevant risks and to systematically
identify, assess, treat, monitor and review those risks. The Department
expects that the Successful Tenderer will ensure that risk and fraud
identification capabilities, assessment, and prevention are embedded in the
Platform functions at all levels.
o) As outlined in paragraph 2.4.3(b) of Part Two – Overview and section 2.6
of this Attachment A – Statement of Requirement, the Department is
seeking a strong and cooperative working relationship with the Successful
Tenderer that will endure over the Term of any Agreement.
p) The security of Australia’s visa system is a paramount consideration. The
Platform must be uncompromising in its approach to securing the integrity
of the visa business, and its management of the data and Personal
Information collected in the course of providing the Services.
1.2 The Statement of Requirement
1.2.1 Structure
1.2.1.1 This Attachment A - Statement of Requirement outlines the Department’s business and
technical requirements and service outcomes for the Platform.
1.2.1.2 The requirements relate to two key outcomes:
a) Section 2: Core Government Services; and
b) Section 3: Additional Commercial Services.
1.2.2 Core Government Services
1.2.2.1 Requirements detailed in Section 2 comprising the Core Government Services include (see
Figure 1):
a) Section 2.1: Scope;
b) functional requirements comprising:
i. Section 2.2: Required outcomes for users; and
ii. Section 2.3: Required business enabling outcomes;
c) non-functional requirements comprising:
i. Section 2.4: Required outcomes of the Platform and Successful
Tenderer;
ii. Section 2.5: Compliance requirements;
iii. Section 2.6: Delivery approach; and
iv. Section 2.7: Out of scope services.
1.2.3 Additional Commercial Services
Requirements detailed in Section 3 comprising the Additional Commercial Services
include:
a) Section 3.1: Introduction;
b) Section 3.2: Governance; and
c) Section 3.3: Restrictions.
1.3 How to read the Statement of Requirement
1.3.1 Approach
1.3.1.1 The functional requirements establish the range of required business-enabling functions
relevant to the Department’s management of its decision making workflows. The Platform
must provide capabilities to enable the Department to manage its visa business operations.
1.3.1.2 The non-functional requirements set out requirements the Successful Tenderer will need to
deliver to realise a number of outcomes related to the management of the Platform itself and
the Services provided.
1.3.2 Mandatory Requirements
1.3.2.1 Part 1 – RFT Details of this RFT sets out mandatory requirements for Phase Two Tenders,
as was foreshadowed in RFT Phase One.
1.3.2.2 Failure by a Tenderer to meet one or more of the Department's Mandatory Requirements will
result in the Tenderer being excluded from the RFT process. Refer to clause 5.29 of
Part 5 – Terms and Conditions for further information.
1.3.3 Minimum service requirements
1.3.3.1 Each outcome includes minimum service requirements that are either:
a) functionality the Department considers to be critical, designated in the
requirements by the word “must”; or
b) functionality the Department considers to be important, designated in the
requirements by the word “should”.
For clarity, the use of the term "must" or "essential" in this Statement of Requirement
does not denote a Mandatory Requirement for the purposes of section 1.3.2
‘Mandatory Requirements’ (i.e. a requirement in relation to which a failure of a Tenderer
to comply will result in the Tenderer being excluded from the RFT process). However,
the Department will take into account a Tenderer's failure to meet such a requirement
in the evaluation of the Phase Two Tender.
1.3.3.2 Tenderers must deliver all of the critical functionality outlined in each minimum service
requirement. The Department expects Tenderers will respond to the outcome and where
appropriate, the proposed solution will exceed the minimum service requirement including,
but not limited to, responding to the described important functionality.
1.3.4 Compliance requirements
1.3.4.1 The requirements outlined in section 2.5 – Compliance Requirements of this Attachment A –
Statement of Requirement are not presented as outcomes or minimum service requirements.
Tenderers will need to demonstrate adherence to all of the requirements outlined in that
section.
Section 2: Core Government Services
2.1 Scope
2.1.1 Visas to be processed on the Platform
2.1.1.1 The Platform must be flexible and able to quickly and efficiently accommodate policy changes
made by governments-of-the-day from time to time.
2.1.1.2 The first tranche of visas to be processed on the Platform (i.e. those in scope for this RFT)
are all temporary visas, including bridging visas, and one longer-term skilled work visa.
2.1.1.3 Temporary visas fall within the following functional categories:
a) visit;
b) study;
c) temporary work;
d) temporary protection;
e) Trans-Tasman;
f) special purpose; and
g) status pending and departure.
2.1.1.4 The current visa subclasses that map to these functional categories are listed in Appendix A
to this Attachment A – Statement of Requirement.
2.1.1.5 The Platform must consider the following core components of a visa decision and have the
capability to flexibly address and combine across different visa products into the future:
a) the identity used in an Application matches that of the person(s) who will
travel to, enter and remain in Australia;
b) the Applicant is genuinely intending to enter and remain in Australia for the
purpose that they have indicated in their Application;
c) the Applicant does not pose a threat to Australia’s national interests or
national security;
d) there is no past or present behaviour that indicates the Applicant does not
meet the character requirement;
e) the Applicant understands and will behave consistently with Australian
values;
f) the Applicant will not spread communicable diseases or place an
unreasonable burden on the Australian health care system;
g) the Applicant has not committed, and is not committing, fraud in the course of their
current application or any previous applications;
h) the Applicant will comply with any restrictions or requirements that are visa
conditions; and
i) where required, the Applicant has the ability to financially support
themselves during the course of their stay.
2.1.2 Users of the Platform
2.1.2.1 The Platform must deliver outcomes for a wide range of users including Clients, Departmental
Users, Other Market Providers, and Other Organisations.
2.1.2.2 The Platform must have role-based access controls to restrict access to specific data or user
interfaces (refer to requirements PR9 and CR4).
2.1.2.3 Clients include:
a) Potential Applicants, who use the Platform to obtain information about
the Application, Sponsorship or Nomination process, including how to use
the Attract and Match service;
b) Applicants, who use the Platform to apply for an Application, Sponsorship
or Nomination. For clarity, this refers to Applicants during the Application,
Sponsorship and Nomination process and after a Decision has been taken
on an Application, Sponsorship or Nomination;
c) Representatives of Applicants, who use the Platform on behalf of an
Applicant. These include:
i. Registered Migration Agents, who use the Platform to assist
Applicants with their Application and who may also act on their behalf.
Registered Migration Agents may also provide immigration assistance
and act as an Authorised Recipient (see below);
ii. Exempt Persons, who use the Platform to assist Applicants with their
Application and who may also act on their behalf but must not accept
a fee to do so. Exempt Persons may also provide immigration
assistance and act as an Authorised Recipient (see below);
iii. Authorised Recipients, who use the Platform to receive
communications on behalf of an Applicant or Group of Applicants. An
Authorised Recipient may be either a Registered Migration Agent or
another individual nominated by an Applicant (e.g. a friend or carer);
and
iv. Other Representatives of an individual Applicant or Group of
Applicants including travel agents, airline booking agents and family
members, who lodge an Application on behalf of an individual
Applicant or a Group of Applicants (e.g. a family of Applicants, tour
groups, sporting groups).
d) Sponsors of visa Applicants, who use the Platform to sponsor individual
Applicants. This includes:
i. Potential Business Sponsors, who use the Platform to obtain
information about the Sponsorship or Nomination process, including
how to use the Attract and Match service;
ii. Business Sponsors, who apply to be an approved business
sponsor, nominate positions, sponsor individual Applicants and
manage ongoing compliance with the undertakings and obligations of
their sponsorships; and
iii. Personal Sponsors, who sponsor individuals for non-work reasons
such as sponsoring a partner or family member.
2.1.3 Departmental Users of the Platform include:
a) Decision Makers, who use the Platform to perform visa assessments
and/or make Decisions whether to grant or refuse an Application, or cancel
a granted visa, and to make Decisions regarding Sponsorship and
Nomination Applications. The Platform will be the sole interface used by
Decision Makers to process, grant, refuse or cancel visas applied for on
the Platform;
b) Team Leaders, who use the Platform to manage teams of Departmental
Users that are users of the Platform, including in particular teams of
departmental Decision Makers or Identity Resolution Officers;
c) Program Managers, who use the Platform to manage the delivery of a
visa or citizenship program;
d) Assurance Officers, who use the Platform to ensure assessments and
Decisions are being managed appropriately;
e) Integrity Officers, who use the Platform to review Applications to detect
fraud;
f) Intelligence Analysts, who use the Platform and intelligence and risk
systems to manage risks to national interests, security and immigration
program integrity risks;
g) Identity Resolution Officers, who use the Platform and intelligence and
risk systems to manage identity records for visa Applicants;
h) Policy Officers, who use the Platform to inform new policy development;
i) Platform Business Management Officers, who use the Platform to
perform reporting, quality assurance, performance management and
contract management;
j) Legal Officers, who use the Platform to assist them in preparing for, or
responding to, litigation and other legal matters;
k) Border and Entry Officers including airport liaison officers, border entry
officers and border operations centre officers, who use the Platform to
manage immigration clearance processes at the border;
l) Compliance and Enforcement Officers including status resolution
officers and removals officers, who use the Platform to monitor compliance,
perform investigations and manage cancellations; and
m) Other Departmental Users.
2.1.3.2 Other Departmental Users of the Platform data (including through the use of relevant
departmental systems) include but are not limited to:
a) the Department’s Identity Function, which uses the Platform data to:
i. anchor an Applicant’s identity to a unique set of biometrics;
ii. resolve an Applicant’s identity to the Department’s identity holdings;
and
iii. set an Applicant’s identity to the required level of identity assurance;
b) the Department’s Risk and Intelligence Functions, which use the
Platform data to:
i. perform risk and security assessments of visa Applicants;
ii. identify and assess national security threats, organised crime, system
fraud and other threats; and
iii. conduct analysis on the Platform data to develop and manage profiles
and alerts.
2.1.3.3 Other Market Providers of visa services that use the Platform or the Platform data include:
a) Client Services Providers contracted by the Department including
Service Delivery Partners (SDPs) and other future market providers, who
use the Platform or the Platform data to deliver services including collection
of information, biometrics and payment;
b) User Support Providers, e.g. the Department’s contact centre; and
c) Other Providers engaged by the Department to provide other bundles of
services not in scope for this RFT.
2.1.3.4 Other Organisations that use the Platform or the Platform data include:
a) Authorised Third Party Organisations (e.g. educational providers), who
use the Platform to view or provide information relating to an Applicant or
an Application; and
b) Authorised Government Agencies, who use the Platform or the Platform
data for other Commonwealth purposes.
Figure 1: Core Government Services
2.2 Required outcomes for the user
2.2.1 Introduction
2.2.1.1 This Statement of Requirement sets out the functional requirements for each type of user
across five stages of the visa journey:
2.2.1.2 Underpinning the user journeys across each of these five stages are a range of required user
outcomes and enabling outcomes that the Platform must facilitate. Some user outcomes are
specific to a stage or combination of stages in the user journey, for example the attract
outcome and the information collection outcome, while other user and enabling outcomes
span the entire spectrum of the user journey, for example Client services and user support.
2.2.2 Explore
2.2.2.1 There are three types of required user outcomes in the Explore stage of the user journey:
a) Client services: assisting Clients to understand which visa products they
will be eligible to apply for, the conditions attached to each visa product
and the requirements for completing an Application;
b) Attract: these services assist Australia in competing for travellers and
migrants, in particular for the best and brightest potential Applicants to
deliver Australia’s immigration priorities including filling of identified gaps in
skilled employment; and
c) Match: having been successful in attracting Applicants to select Australia
as a destination of choice, the match service is targeted at directing these
Applicants towards specific opportunities.
Client journey – Decide to apply for a visa
2.2.2.2 For the Client, this first stage of the journey includes selecting Australia as the destination and
understanding the requirements for obtaining a visa.
2.2.2.3 Outcomes related to the Client journey in the explore stage include:
UR-C1
Client Services
As a Client I want to apply for the right visa
• Clients must be able to outline their intent in wanting to travel to Australia and be presented with options on which visas may match this intent.
    o This is limited to providing information on potentially suitable visa products based on Business Rules provided by the Department.
    o The Platform must not provide immigration assistance within the meaning of the Migration Act 1958 (Cth).
• Clients must be able to select a specific visa (and stream, where relevant) to commence a visa Application.
    o This does not preclude an experience where the selection of a visa product is incorporated into a dynamic application form.
• Clients must be able to select a visa using the Department’s website visa-finder and be connected to the Platform to commence the Application process.
• Clients must be able to, part way through an Application process, opt to apply for another form of visa and any relevant data they have already entered should autofill the relevant fields in this new Application.
• Clients must be provided with an indicative cost of the visa product early in the Application process, and this must occur prior to the Client providing supporting information.
• The Platform must redirect Clients to the appropriate part of the Department’s website or ImmiAccount if they wish to apply for a visa product not processed through the Platform.
UR-C2
Match
As a Potential Business Sponsor I want to be provided with the details of potential Applicants that could fill a position I am unable to fill in Australia
• The Platform must enable Potential Business Sponsors to provide details of specific employment opportunities as part of the Platform’s individualised matching capabilities.
• The Platform must match Potential Applicants to the specific employment opportunities and provide information to the Potential Business Sponsor about available candidates.
• If a charge / fee is applied to this function/capability, the Platform must be able to capture and process payment.
• Potential Business Sponsors are required to create an account prior to accessing this function/capability (see UR-C4 for further details).
• The Platform must be capable of matching eligible Potential Applicants from a pool to individual potential employment opportunities.
• The Platform must not perform any functions beyond identification and matching of Potential Applicants to an employment opportunity. In particular, the employment decision making process (e.g. short-listing, interview, selection processes by potential employers) is out of scope.
UR-C3
Match
As a Potential Applicant I want to find employment opportunities which match my skillset so that I can work in Australia
• The Platform must be able to identify and attract suitable and high calibre individuals and enable Potential Applicants to express interest in particular employment opportunities, or in employment in a particular field, profession and locality as part of the Platform’s individualised matching capabilities.
    o The Platform must enable Potential Applicants to submit Expressions of Interest (EOIs) for specific skilled visa programs, employment opportunities or based on their qualifications, skills, experience or expertise.
    o The Platform must determine whether a Potential Applicant is eligible to submit an EOI based on the Potential Applicant’s self-declarations.
• The Platform must match specific employment opportunities to Potential Applicants based on a single submitted EOI and provide information about available opportunities and Potential Business Sponsors to the Potential Applicants.
2.2.3 Departmental User journey – Attract and match Applicants/Employers
2.2.3.1 For the Department, this first stage of the journey, consistent with Australia’s policy framework
for identifying skills shortages and delivery requirements across the range of skilled visa
programs, is about matching potential visa Applicants to opportunities and potential Business
Sponsors to skilled workers.
2.2.3.2 Outcomes related to the Departmental User journey in the explore stage include:
UR-D1
Attract
As a Departmental User I want to target and encourage people to come to Australia in accordance with national objectives
• The Department is seeking to attract unique high calibre individuals, global and business talent, and investors through the visa program.
• The Successful Tenderer must assist the Department to attract visitors, students and skilled workers to Australia.
    o The Attract and Match activity objectives and scope in relation to potential skilled migrants will be set by the Department. The Successful Tenderer will not decide the objectives and scope for an Attract and Match activity.
    o Attract and Match activities may target general areas of demand, including skills shortages identified by the Department of Jobs and Small Business, or specific areas of unmet need identified utilising information collected by the Platform.
    o The Successful Tenderer is not required to perform market research to identify areas of demand.
    o Attract and Match activities must be delivered through digital channels only e.g. website, apps, email, digital advertising.
    o Attract and Match activity material (e.g. emails, digital advertising) must only be sent to Clients if they have previously opted-in to receive such material.
• The Platform must provide information to the Department to inform Attract and Match activity.
    o This includes the ability to provide information including target areas of demand and supply shortfalls.
UR-D2
Match
As a Departmental User I want to manage potential Business Sponsors’ ability to engage in the Attract and Match functions
• The Platform must allow the Department to permit genuine businesses to register as a potential employer accessing the Attract and Match function.
• The Platform must ensure identified employment opportunities meet requirements set by the Department (e.g. on the skilled occupations list, regional location, salary level).
UR-D3
Match
As a Departmental User I want to know about the effectiveness of Attract and Match activities
The Platform must provide information for the Department on the performance and effectiveness of the Attract and Match functions, including areas of unmet skills need and reporting on the composition and characteristics of Applicants, Potential Applicants, Business Sponsors, Potential Business Sponsors, and visa enquirers.
2.2.4 Other Market Provider journey – Provide information
2.2.4.1 Clients may need assistance – via non-digital channels – to explore their options, understand
the different types of visas to which they are entitled, or even obtain assistance in lodging
their Application. These types of non-digital services are out of scope of this RFT and will be
provided through Other Market Providers contracted by the Department. The Platform must
allow Other Market Providers to assist Clients in using the Platform.
2.2.4.2 Outcomes related to the Other Market Providers’ journey in the explore stage include:
UR-M1
Client Services
As an Other Market Provider, I want to assist Potential Applicants to understand and/or participate in the Attract and Match functions
The Successful Tenderer must ensure Other Market Providers approved by the Department have access to the Platform and relevant information.
The Platform must permit Other Market Providers to assist a Potential Applicant in using the Platform.
2.2.5 Other Organisation journey – Provide information
2.2.5.1 Other Organisations contribute to the Application process through the provision of reference
data and/or supporting information (e.g. enrolment in an education institution) that underpins
the assessment of visa criteria or a Platform function (e.g. Attract and Match services). The
Platform must provide Other Organisations with appropriate access to the Platform.
2.2.5.2 Outcomes related to the Other Organisations’ journey in the explore stage include:
UR-O1
Client Services
As an Other Organisation I want to assist particular Clients
The Successful Tenderer must ensure Other Organisations approved by the Department have access to the Platform and relevant information.
The Platform must permit an Other Organisation to assist a Client in using the Platform.
UR-O2
Attract
As an Other Organisation I want to have access to data about the Attract and Match function
The Platform must provide information to other responsible Commonwealth Agencies, State and Territory departments, Local governments, and regional and other entities, for example Designated Area Migration Agreements (DAMA), on the operation of the Attract and Match function. For example, providing a State government with a list of potential Applicants that match State-based skill shortages.
The Platform must enable the responsible Commonwealth Agencies and State and Territory department(s) and Local Governments to update approved reference data and/or supporting information about the Attract and Match functions.
2.2.6 Connect
2.2.7 Introduction
There are six types of required user outcomes in the Connect stage of the user journey:
a) Client services: a visa Application process that provides a contemporary
user experience and makes it as easy as possible for Clients to meet their
obligations in completing the Application;
b) Identity and biometrics: ensuring the collection of identity and biometrics
information;
c) Information collection: ensuring that all the information that might be
required from the Client for their specific circumstances and the specific
visa they are applying for is collected at time of Application, and making
this as easy as possible;
d) Information validation and verification: where possible, verifying or
validating the information that has been collected so that the Application is
decision-ready;
e) Risk: ensuring the integrity of the visa Application process including
reporting on suspicious activity, as well as ensuring that the information
collected from individual users is able to be adjusted based on the
Business Rules determined by the Department; and
f) Payment: Clients are able to easily make payments for all the relevant
fees and charges attributable to their Application (e.g. Service Fee, VAC,
biometric enrolment fee, medical examination) in one transaction and
monies are directed correctly to the relevant parties.
2.2.8 Client journey – Lodge my Application
2.2.8.1 For the Client, this second stage of the journey includes making an Application for a visa.
Clients want to be able to easily and efficiently complete an Application, including providing
documentation to support their Application, and have a good overall user experience that
makes it as easy as possible to complete their obligations. This includes having Applicants
represented by third parties to assist in some or all of the process.
UR-C4
Client Services
As a Client I want to have my own account on the Platform
The Platform must enable Clients to create a Platform account.
o Interactions between Clients and the Department must occur through a Client’s Platform account.
o Platform accounts must cater for different types of Clients (for example, Applicant or Registered Migration Agent). Refer to requirements UR-C11 and UR-C12, which include supporting Representatives, including Registered Migration Agents and Authorised Recipients, to manage multiple Applicants and Applications.
o Refer to requirements PR9 and CR4 for requirements regarding security access controls.
o Platform accounts must be created through a two factor account creation process.
The Platform must allocate a unique Client identifier for each new Platform account that is established on the Platform. The Platform will advise the Client of their unique Platform account identifier.
The Platform must allocate a unique Application identifier for each new Application that is commenced on the Platform. The Platform will advise the Client of their unique Application identifier.
The Platform account must enable Clients to access information about their interactions with the Department.
o Clients must be able to update information provided to the Department as described in requirement UR-C23 below.
o Clients must be able to access their current and historical Applications submitted using the Platform, incorporating all information and supporting documentation provided by the Client.
o The Platform account must provide Clients, through their Platform account, access to all correspondence between the Department and the Client conducted using the Platform.
o Information on the conditions and entitlements of a visa held by a Client must also be available through their Platform account.
o Historical information related to activities not conducted through the Platform is not required to be available through the Platform account.
The Platform must allow Applicants to be able to view all information about their Application(s) managed through the Platform while being represented and/or assisted by a Representative.
o The Platform must allow an Applicant to import an Application into an Applicant’s account that has been lodged by a representative by providing key identifying information.
The Platform should be capable of allowing Applicants to create an account and provide information using their Government provided digital identity, where an Applicant has one.
UR-C5
Client Services
As a Client I want to lodge an Application using a digital channel of my choice
Clients must be able to access their Platform account to complete Applications across a range of digital channels and devices as specified in Section 2.4 - Required outcomes of the Platform and Successful Tenderer of this Attachment A – Statement of Requirement.
Clients must be able to save an incomplete visa Application and continue later (including in another channel or on another device).
UR-C6
Client Services
As a Client I want the option to provide information for my Application and interact with the Department in my preferred language
In addition to English, the Platform must enable Clients to provide information for Applications, including free text responses, in the following Designated Platform Languages: simplified Chinese, Arabic, Vietnamese, Spanish, Korean, traditional Chinese, Japanese, Malay, German, Filipino, Indonesian, Italian, Thai, Portuguese, Sinhalese, Russian, French, Nepali, Hindi, Farsi, Tamil, Urdu, Fijian, Polish and Bengali. The list of required languages may be updated by the Department from time to time over the Term of any Agreement.
The Platform must be able to display form content in the language selected by the Client from the list of Designated Platform Languages. The Platform must include on-screen help text in all Designated Platform Languages.
The Platform must automatically translate all information provided in one of the Designated Platform Languages into English in accordance with the Department’s Translation Policy*.
Both the original information and translated Application must be available to both Departmental Users and the Client who will authorise the translated Application being lodged.
The Platform must allow Clients to review and correct a translated Application prior to lodgement.
The Platform must allow the Department to audit the quality of translations performed by the Platform including where a Client has reviewed and corrected a translated Application.
The Platform should automatically translate departmental correspondence, including requests for information, into the relevant Designated Platform Languages.
The Platform should provide other forms of digital support in all Designated Platform Languages.
* to be made available in the Data Room
UR-C7
Client Services
As a Client I want the supporting documents I provide in a foreign language to be automatically translated to English
The Platform should automatically translate documents provided by a Client.
o Translation to English must be in accordance with the Department’s Translation Policy*.
o Both the original document and translated document must be available through the Platform to both Departmental Users and Clients (through their Platform account) who will authorise the translated Application being lodged.
o The Platform must include capability which enables the Department to audit the quality of translations automatically produced by the Platform.
Where a document cannot be automatically translated by the Platform, the Platform must allow a Client to include in their Application documents in their original language as well as translated copies.
The Platform must be able to detect whether an English translated version of these documents has been provided.
o If no translated version is provided, the Platform must direct Applicants to obtain and provide an English translation of their supporting information.
* to be made available in the Data Room
UR-C8
Client Services
As an Applicant I want to be able to be represented and/or assisted by a Representative
The Platform must allow for Applicants to authorise a Representative to assist them in the visa Application process, including for Group Applications.
o This includes being represented by a family member, tour organiser, Exempt Person or Registered Migration Agent.
The Applicant and/or Representative must both be able to provide information via the Platform in support of the same Application.
o The Platform must notify both Applicants and their Representative when information is required to complete an Application, for example biometric collection.
The Platform must enable the choice of Representative to be a standing or one-off appointment.
The Platform must enable the nominated representative to accept or decline a nomination.
UR-C9
Client Services
As an Applicant I want to be able to withdraw or change my authorisation to be represented and/or assisted by a Representative
The Platform must enable Applicants to withdraw the authorisation for a Representative to act on their behalf.
The Platform must ensure that following the withdrawal of the authorisation no further communication and no information relevant or relating to the Applicant or their Application is provided or accessible to the previously authorised Representative.
The Platform must ensure that the Applicant is able to continue accessing all relevant information through their Platform account.
The Platform must ensure that the Applicant is able to authorise a different Representative to represent and/or assist them, and have that Representative able to access all information as authorised by the Applicant.
The Platform must be able to track and report on all changes to the appointment of Authorised Representatives, by Applicant and by Authorised Representative.
UR-C10
Client Services
As an Applicant I want to be able to nominate an Authorised Recipient to receive correspondence on my behalf
The Platform must enable Applicants to appoint an Authorised Recipient to receive select communications on behalf of an Applicant.
o This can include circumstances where the Authorised Recipient has not assisted in the lodgement of a visa Application.
The Platform must allow Applicants to exclude specific types of information from being sent to their Authorised Recipient, for example health examination results.
The Platform must allow Applicants to be able to view information that has been sent to their Authorised Recipient about their Application(s) through their Platform account.
The Platform must enable Applicants to change or withdraw the appointment of an Authorised Recipient.
The Platform must enable the choice of an Authorised Recipient to be a standing or one-off appointment.
The Platform must enable the nominated Authorised Recipient to accept or decline a nomination.
UR-C11
Client Services
As a Representative of an Applicant I want the Platform to support me in representing my Applicant(s)
The Platform must enable Representatives to interact with the Platform on behalf of an Applicant, including lodging Applications, receiving correspondence and following up on Applications in progress.
The Platform must support Representatives to manage the Applicants they are representing, noting that some, such as Registered Migration Agents, may manage multiple Applications or Group Applications.
o For example, this could include the use of dashboards or different views providing information about Applicants and the different states of progress of Applications.
UR-C12
Client Services
As an Authorised Recipient I want the Platform to support me in receiving correspondence on behalf of my Applicant(s)
The Platform must enable Authorised Recipients to interact with the Platform on behalf of an Applicant to receive authorised correspondence.
The Platform must support Authorised Recipients to receive notification on behalf of an Applicant, noting that some Authorised Recipients may receive notifications in relation to multiple Applications or Group Applications.
o For example, this could include the use of dashboards or different views providing information about Applicant correspondence.
UR-C13
Client Services
As a Representative of a group of Applicants I want to efficiently lodge Group Applications
The Platform must auto-populate common information shared across members of Group Applications, such as travel itineraries.
The Platform must have capability to facilitate a single payment covering Group Applications.
The Platform must link Applications that form part of a Group Application.
A Representative must be able to add or withdraw members of a group that form part of a Group Application at any time with the consent of the Applicant.
The Platform must support Representatives of a group to manage Group Applications.
o For example, this could include the use of dashboards or different views providing information about Group Applications and the different states of progress of individual Applications that form part of the group.
UR-C14
Client Services
As a Client I want to be able to easily provide information for my Application
The Platform must collect only the information Clients need to provide based on Business Rules determined by the Department to constitute a complete Application for the relevant visa.
The Platform must provide clear instructions to Clients on what information is required (e.g. file formats, image quality, type of documentary evidence) to meet the Department’s requirements.
The Platform must provide clear guidance to Clients throughout the lodgement process and as a summary prior to completing the Application, as to what required information and/or documentation has not been provided or entered/uploaded correctly.
The Platform must not accept for final submission, including payment, any incomplete Application.
o The Platform must scan/check uploaded documentation to ensure it meets the requirements of the type of documentary evidence stipulated for a type of Application (e.g. where required, a police certificate has been submitted and not a photo of the Applicant).
The Platform should auto-populate answers wherever possible and legally permissible based on information already known about the Applicant.
o For example, subject to the provision of Applicant consent to share this information, the Platform should auto-populate sections of an Application where an Applicant has been referred to commence an Application by a third party e.g. authorised Other Organisations such as educational providers, or Business Sponsors, where an Applicant has previously applied for a visa, or where a Potential Applicant has submitted an EOI in relation to the Attract and Match function.
Clients must be prompted in the Application process to confirm or amend auto-populated parts of their Application.
The Platform must provide capability to link to a supporting assessment completed by the Applicant prior to lodging and/or completing the visa Application.
o For example, Applicants who undergo a medical examination or skills assessment prior to the Application.
UR-C15
Client Services
As a potential Sponsor I want to lodge a Sponsorship and/or Nomination
The Platform must accept Applications from individuals, employers and organisations to become an approved Sponsor.
The Platform must collect only the information Sponsors need to provide based on Business Rules determined by the Department to constitute a complete Application for the relevant Sponsorship.
The Platform must provide clear instructions to Sponsors on what information is required (e.g. file formats, image quality, type of documentary evidence) to meet the Department’s requirements.
The Platform should auto-populate answers wherever possible based on information already known about the Sponsor (including information provided by Potential Business Sponsors through the Attract and Match function).
Sponsors must be prompted in the Application process to confirm or amend auto-populated parts of their Application.
The Platform must allow Business Sponsors and Personal Sponsors to designate which individuals have authority to act on behalf of the Sponsor.
UR-C16
Client Services
As a Sponsor I want to nominate positions and sponsor individuals
The Platform must support Applications from Sponsors to nominate positions and sponsor individuals.
The Platform must have the capability to allow a potential Sponsor to lodge a Sponsorship, Nomination and a visa Application on behalf of the Applicant at the same time.
The Platform must collect information from Sponsors to support nominations for positions and sponsorship of individual Applicants according to Business Rules determined by the Department.
The Platform must be able to process the Sponsorship, Nomination and the visa Application in parallel.
UR-C17
Client Services
As an Applicant I want the option to pay a premium to have my visa processed quicker
The Platform must be capable of presenting Applicants with the option to purchase expedited consideration at an additional Visa Application Charge cost. The Service Fee will not change based on processing time.
o The Department will specify which visas are eligible for expedited consideration and at what additional Visa Application Charge.
The Platform must ensure expedited Applications are prioritised by the Platform for work allocation to manual Decision Makers and third parties so that the specified processing time is achieved. Specified processing times will be defined through the performance management framework.
o The Platform must be able to change the target processing time for an Application, either automatically or when manually requested by a Program Manager.
o The Platform must identify and be able to escalate Applications which are at risk of not meeting the target processing time.
UR-C18
Client Services
As a Client I want to be notified when my Application has been lodged
The Platform must notify the Client that their Application has been lodged.
The Platform must provide information about the next steps in processing the Application, including details of any actions to be performed by the Client.
UR-C19
Identity and biometrics
As an Applicant I want to digitally provide my biometrics using my personal device (where possible)
The Platform must have the capability to capture biometrics through a range of personal devices, including passport chip information (where available).
The Platform must have the capability to collect biometrics through other digital channels and trusted sources in the future.
UR-C20
Information collection
As a Client I want to link to external information sources to support my Application
The Platform should be capable of importing information relevant to an Application from external sources.
o For example, importing CV information, photos from an online or social media tool, English language results from English language testing providers, or financial information from banks and financial institutions.
UR-C21
Payment
As a Client I want to use my preferred digital payment channels
The Platform must be capable of accepting differentiated Service Fees for different Applications.
The Platform must be capable of accepting differentiated VAC payments for different Applications.
The Platform must accept payment as the final step in lodging an Application.
The Platform must automatically calculate the single amount to be paid by Clients, incorporating all components of the VAC, the Service Fee, merchant fees, and other relevant fees and charges (e.g. in-person biometric collection).
o The Platform must have the capability to differentiate the above fees and charges by a range of conditions as applicable e.g. visa product, intent, etc.
The Platform must enable a third party to pay on behalf of an Applicant.
o For example, a Representative, family member or employer.
The Platform must allow a Representative to push the payment step of an Application to the Applicant or a third party.
Applicants must be shown the payment amount in Australian dollars.
The Platform must accept a range of online payment methods. At minimum this must include:
o Visa, Mastercard, American Express, Diners Club, Discover Card, China UnionPay, PayPal, BPay, JCB.
The Platform must provide Clients with an itemised receipt following a successful payment.
Clients must be able to view a copy of this receipt at any time through their Platform account.
The Platform must be able to support requests from Clients and Departmental Users for refunds or repayments.
The Platform should be capable of allowing Applicants to pre-pay for in-person assessments and client services required for an Application (e.g. in-person biometric collection or assisted Application at one of the Department’s contracted Service Delivery Partners). Where relevant, this must be included as part of the single payment at lodgement.
2.2.9 Department journey – Facilitate lodgement
2.2.9.1 For the Department, this second stage of the journey is primarily about collecting the
information required from the Client to begin processing the Application, and having
information validated or verified where possible so that the visa Application is Decision-ready.
The Department also wants to ensure that it receives complete Applications and that all
relevant fees and charges are paid at this stage of the journey.
UR-D4
Client Services
As a Departmental User I want to be able to manually enter Application information into the Platform for specified caseloads
The Platform must allow a Departmental User to manually enter an Application into the Platform for specific cohorts.
o Example cohorts include diplomats.
The Platform must allow a Departmental User to manually add or update information to an existing Application for specific cohorts.
UR-D5
Identity and biometrics
As a Departmental User I want to understand who is applying for a visa
The Platform must collect identity information for all Clients as part of the lodgement process according to Business Rules determined by the Department.
o Identity information includes biographics, biometrics, supporting documentation (for example national identity cards) and declared relationships of Applicants.
The Platform must digitally collect passport information and facial biometrics directly from Applicants as specified in the Department’s Identity Policy*.
o The Platform must be able to collect biographic and travel document information from the Machine-Readable Zone (MRZ) of an Applicant's passport (for Applicants with machine-readable passports).
o The Platform must be able to collect the photograph and biographic details from the Visual Inspection Zone (VIZ) of an Applicant's passport.
o The Platform must be able to collect biographic information and biometrics from an Applicant's ePassport chip where possible.
o The Platform must differentiate between biographical information collected from the identity page and the biographic details collected from the MRZ, labelling the two data sets accordingly.
o The Platform must make use of anti-fraud measures when capturing biometrics (e.g. identifying pre-recorded videos used in an attempt to pass liveness testing).
o The Department seeks to gather all useful data about a Client’s identity. However, collection of Applicant biometrics from a third party digital identity service does not substitute for direct collection.
The Platform must be able to collect document metadata of identity information provided by an Applicant, including images, and send this to the Department’s identity management system.
The Platform must ensure digital biometrics collected by the Platform meet the Department’s quality standards and are collected in accordance with the Department’s Identity Assurance Framework and Information Trust Framework.
o These Frameworks will be made available to Tenderers in the Data Room.
o The Platform must collect a digital biometric from the Applicant even if the standard cannot be met and mark images “standard met”/“not met” accordingly.
The Platform must facilitate digital biometric collection from individual Applicants whose Application has been submitted as part of a Group Application.
The Platform must adjust the identity information requested during the Application based on Business Rules determined by the Department.
The Platform must have the capability to collect alternate forms of digital biometric capture in the future.
Where a Client is required to provide an in-person biometric, the Platform must collect information about the collection from the relevant Other Market Provider.
o The biometric collected in-person from an Applicant will be provided directly to the Department’s enterprise biometric and identification system.
The Platform must display the results of an identity resolution to Departmental Users upon receiving results from Departmental APIs.
*To be provided in the Data Room
UR-D6
Information collection
As a Departmental User I want the Platform to collect the information I need to assess an Application
The Platform must collect information in accordance with the Business Rules determined by the Department, based on the Applicant’s intent and individual characteristics.
o The Application must dynamically update based on the Applicant’s responses according to Business Rules determined by the Department.
The Platform must ensure information is clearly named and classified (i.e., assigning keywords or terms to the information) according to conventions approved by the Department. This should enable information to be easily identified by Departmental Users.
Note: Collection of other information about Clients, e.g. API scrapes of social media, is out of scope.
UR-D7
Information validation and verification
As a Departmental User I want the Platform to automatically validate data
The Platform must ensure the Applicant has completed all the information required for their Application to be valid, in accordance with Business Rules determined by the Department.
The Platform must perform data validation on information provided by Clients e.g. valid address, valid email address, active email address, valid mobile number, active mobile number.
The Platform must ensure digital biometrics collected by the Platform meet the Department’s quality standards and that identity information is collected in accordance with the Department’s Identity Assurance Framework and Information Trust Framework.
In relation to Business Sponsors, verification of information includes verifying relevant information with other Government agencies including the Australian Business Register, the Australian Taxation Office and the Australian Securities & Investments Commission, to confirm that the potential Business Sponsor is lawful, established and actively operating.
The Platform must perform real-time validation during the Application process where possible.
The Platform must record the details of how all automatic Validation activities are carried out.
o For example, the source against which the data was Validated, the time it was Validated.
Note: This requirement applies to information provided by the Applicant at any stage of the Application or post-decision.
UR-D8
Information validation and verification
As a Departmental User, I want the Platform to prevent the lodgement of Invalid Applications
The Platform must not accept Invalid Applications, in accordance with Business Rules determined by the Department.
UR-D9
Risk
As a Departmental User I want the Platform to collect the information needed to assess an Application
The Platform must adjust the information requested of individual Clients based on their circumstances in accordance with Business Rules determined by the Department (i.e. a dynamic, guided Application).
o The Platform must also adjust the information requested of individual Clients upon receiving advice from the Department’s internal systems (i.e. risk, identity).
The Platform must provide a non-editable PDF version of the complete set of information provided by an Applicant as part of the Application process to the Department for the purposes of compliance with the Department’s record keeping obligations.
UR-D10
Risk
As a Departmental User I want the Platform to collect information about Representatives that have been authorised to act on behalf of an Applicant
The Platform must collect information about Representatives that have been authorised to act on behalf of an Applicant, including contact information, biographic information and metadata.
If the representative is a Registered Migration Agent, the Platform must collect the Migration Agent Registration Number (MARN).
o For each new Application, the Platform must verify in real time the MARN with the Office of the Migration Agents Registration Authority (OMARA) and that the MARN is being used only by the relevant Registered Migration Agent and not fraudulently.
UR-D11
Risk
As the Department’s Risk and Intelligence Functions I want the Platform to identify attempts to identify and exploit weaknesses or other risks in the Platform and associated business processes
The Platform must collect behavioural information about the Client and send this information to the Department’s Risk and Intelligence Functions.
o At a minimum, this includes the Client’s metadata, document metadata, and changes to their Application responses.
Further information regarding this requirement will be made available to authorised personnel of Tenderers, in the Data Room, in accordance with the Deed of Confidentiality.
UR-D12
Payment
As a Departmental User I want the relevant fees and charges to be remitted to the Department appropriately
The Platform must adhere to the Payment Card Industry Data Security Standards (PCI DSS).
The Platform must allow the Department to specify individuals or classes of individuals who are exempt from particular payments.
The Platform must ensure that any charges collected on behalf of other third parties for in-person services (such as medical examination or biometric collection or to pass through fees such as credit card fees) are remitted to the relevant party no later than one Business Day after the payment is collected from a Client.
The Platform must ensure the VAC and any other departmental charges are managed and remitted to the Department in accordance with the Public Governance, Performance and Accountability Act 2013 (Cth) and the requirements set out in the Agreement, including to remit to the Department no later than one Business Day after the payment is collected from a Client.
The Platform must provide the details of a Client's payment, excluding charges collected on behalf of other third parties for in-person services, to the Department’s financial management systems.
Each payment must be linked to an invoice, Client, Application and a unique identifier.
The Platform must provide automated reporting on Application-related payments to the Department.
o The Platform must automatically provide reconciliation information for payments received and remitted by the Platform.
o The Platform must provide support processes for reconciliation discrepancies.
The Platform must employ real-time fraud protection capabilities and protocols across all payment channels.
o The Platform must maintain interoperability with fraud protection capabilities and protocols employed by the Department*.
* to be provided in the Data Room
2.2.10 Other Market Provider journey – Assist with lodgement
2.2.10.1 Outcomes related to Other Market Providers in the connect stage include:
UR-M2
Client Services
As an Other Market Provider, I want to lodge Applications on behalf of certain Clients
The Platform must allow Other Market Providers to act as a Representative for a Client.
The Platform must support Other Market Providers to manage the Applications that they have lodged.
o For example, this could include the use of dashboards or different views providing information about Applications and the different states of progress of individual Applications.
2.2.11 Other Organisation journey – Assist with lodgement
2.2.11.1 Outcomes related to the journey of Other Organisations in the connect stage include:
UR-O3
As an Other Organisation, I want to lodge Applications on behalf of certain Clients
The Platform must allow Other Organisations to act as a Representative for a Client.
The Platform must support Other Organisations to manage the Applications that they have lodged.
o For example, this could include the use of dashboards or different views providing information about Applications and the different states of progress of individual Applications.
2.2.12 Assess
2.2.13 Introduction
2.2.13.1 There are six types of required user outcomes in the assess stage of the user journey:
a) Client services: including self-service mechanisms to ensure that the information provided is up-to-date, to follow progress of an Application (or withdraw it), and to provide any further documentation that may be required to support an Application;
b) information collection: including the ability to request and collect further information required to support an Application, including from Other Market Providers or Other Organisations;
c) information validation and verification: where possible, verifying or validating the information that has been collected so that the Application is decision-ready;
d) risk: ensuring that processing has appropriately considered the risk inherent in a particular Application;
e) identity and biometrics: ensuring that there are appropriate levels of confidence in the identity of an Applicant and that any relevant information about this identity is considered in the processing of the visa Application; and
f) assessment: undertaking all necessary steps and analysis to support the processing of a visa Application.
2.2.14 Client journey – Provide additional information
2.2.14.1 For the Client, this third stage of the journey includes supporting the processing of an Application by knowing how and when to supply further information, and also wanting to follow the progress of an Application through a self-service mechanism.
UR-C22
Client Services
As a Client I want to know what additional information has been requested from me and how I can provide this
The Platform must automatically request additional information from Clients through their preferred channels.
o Additional information requested from Clients must be provided through the Platform.
The Platform must alert Clients, through their preferred channels, when there are outstanding actions for them to perform (e.g. where there is a timeframe to provide the additional information).
The Platform must enable Clients to request additional time to respond to these requests.
o The request will be processed in accordance with Business Rules determined by the Department.
UR-C23
Client Services
As a Client I want to be able to update my information when my circumstances change or information needs to be corrected
The Platform must allow Clients to update their information.
o This includes but is not limited to changes to travel document information, biographic details, family status, employment status, contact details and address details.
The Platform must collect documentary evidence and reasons in support of the change.
o For example, to update passport information the Platform must collect new passport information as evidence of all identity changes (e.g. change of name). This includes new biographics from the chip of an ePassport, VIZ details, MRZ details, and images according to the passport type.
o The Platform must initiate and undertake functional liveness face verification before allowing an Applicant to commence an update to their identity.
o The Platform must validate contact details (refer requirement UR-D7).
The Platform must allow Clients to correct information provided as part of their visa Application. However, the Platform must keep a record of all changes made by a Client to an Application (refer requirement PR10 regarding keeping and generating historical records).
Where the Client holds a current visa, the Platform must update current visa details held by the Department with the accepted change of information.
The workflow of updates and changes to Client information will be based on Business Rules determined by the Department.
o Some updates and changes to Client information may be automatically accepted, while others may require assessment by a Departmental User. Business Rules determined by the Department will determine how updates and changes to Client information will be managed.
The Platform must allow an Applicant to change Sponsors according to Business Rules determined by the Department.
Note: This requirement applies to changes in a Client’s circumstances throughout the user journey including post-grant of a visa.
UR-C24
Client services
As a Client I want to be notified when an in-person assessment is required
The Platform must notify Clients in cases where an in-person assessment is required. This could be an interview with the Department or an assessment conducted by an Other Market Provider.
o For appointments with the Department, the Platform must integrate with the Department’s appointment booking system to provide details on appointment times and locations.
The Platform must provide Clients with information needed to book an in-person assessment (e.g. location and contact details for approved physicians).
The Platform must notify Clients when the specified time period for completing these assessments will elapse and once it has elapsed.
The Platform should, where possible, enable Clients to book an assessment appointment with Other Market Providers through the Platform.
Note: Key parties to integrate with include the Department’s onshore and offshore offices, Service Delivery Partners, Other Market Providers and physicians conducting immigration medical examinations.
UR-C25
Client services
As a Client I want to check the status of my Application
The Platform must track the progress of Applications against each milestone specified in the Business Rules determined by the Department.
The Platform must pro-actively update Clients as their Application progresses against the agreed milestones.
The Platform must allow Clients to check the status of their Application through their Platform account.
UR-C26
Client services
As a Client I want to be able to withdraw my Application
The Platform must allow Clients to withdraw their Application.
Note: withdrawing an Application must not result in lodged Application data being deleted and the Platform must retain all data entered into the Platform by Clients.
2.2.15 Department journey – Perform assessments
2.2.15.1 For the Department, this third stage of the journey is about ensuring that all information is available to perform the required workflow steps to process a visa Application, and the undertaking of the processing of an Application.
UR-D13
Client services
As a Departmental User I want the Platform to automatically generate correspondence to Clients
The Platform must automatically generate correspondence to Clients based on templates determined by the Department. This may be in response to actions by Clients, Departmental Users, Other Organisations or the Platform.
The Platform must either automatically send correspondence to Clients and/or their Representatives, or present the correspondence to relevant Departmental Users for review, in accordance with Business Rules determined by the Department.
o The Platform must allow Departmental Users to edit the content of correspondence presented to them for review and prior to being sent (and record any changes and their justification).
o The Platform must keep an audit record of when a Departmental User edits the content of correspondence and what has been changed.
The Platform must send formal correspondence to Clients and/or their Representatives to their Platform account.
The Platform must send notification of correspondence to Clients and/or their Representatives through their preferred digital communication channel(s).
The Platform must notify Clients and/or their Representatives when the specified time period for responding to correspondence will elapse and once it has elapsed.
The Platform must add details of correspondence to the record of the Application, including the timing of responses.
UR-D14
Identity and biometrics
As a Departmental User I want the Platform to identify potentially fraudulent biographics and biometrics information
The Platform must check for consistency between the live facial biometric and passport biometrics.
The Platform must provide basic assurance that biographics and biometrics collected from passports without an NFC chip read are not fraudulent.
o This includes comparing MRZ data to text on the passport's identity page.
o This includes running basic validation checks on key document data, including checking the MRZ characters and the passport number format.
The Platform should identify potentially fraudulent documents (excluding travel documents) and notify the Department of such potentially fraudulent documents.
Note 1: Direct verification of foreign travel documents with the issuing authority is out of scope.
Note 2: Direct verification of biometrics against Government sources is out of scope (excluding DVS and FVS). The Platform will call the Department’s identity function, which will perform verification against these sources.
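The basic MRZ checks named in UR-D14 can be illustrated with the check-digit scheme from ICAO Doc 9303 for two-line (TD3) passport MRZs, followed by a comparison against values read from the printed identity page. This is an added example, not part of the RFT or any Platform code; the function names and the shape of the `viz` input are assumptions, and because the requirement gives no country-specific passport number formats, the format check here is limited to length and the permitted MRZ character set.

```python
import re
from datetime import date

# ICAO Doc 9303 check digit: weights 7, 3, 1 repeating; digits keep their value,
# A-Z map to 10-35, the filler '<' counts as 0; the result is the sum modulo 10.
WEIGHTS = (7, 3, 1)
MRZ_LINE = re.compile(r"[A-Z0-9<]{44}")  # TD3: two lines of 44 characters

# Sample input: the specimen MRZ published in ICAO Doc 9303 (not a real passport).
SPECIMEN = (
    "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<"),
    "L898902C36UTO7408122F1204159ZE184226B<<<<<10",
)


def char_value(ch):
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not allowed in an MRZ")


def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def _digit_ok(field, digit, allow_blank=False):
    # The optional personal-number field may carry '<' instead of a check digit
    # when the field itself is entirely filler.
    if allow_blank and digit == "<" and set(field) == {"<"}:
        return True
    return digit.isdigit() and check_digit(field) == int(digit)


def parse_td3(line1, line2):
    """Return (fields, failed_checks) for a TD3 MRZ; failed_checks is empty if all pass."""
    if not (MRZ_LINE.fullmatch(line1) and MRZ_LINE.fullmatch(line2)):
        return {}, ["format"]
    surname, _, given = line1[5:].partition("<<")
    fields = {
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13].rstrip("<"),
        "date_of_birth": line2[13:19],   # YYMMDD
        "sex": line2[20],
        "date_of_expiry": line2[21:27],  # YYMMDD
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
    }
    checks = {
        "document_number": (line2[0:9], line2[9], False),
        "date_of_birth": (line2[13:19], line2[19], False),
        "date_of_expiry": (line2[21:27], line2[27], False),
        "personal_number": (line2[28:42], line2[42], True),
        # Composite digit covers positions 1-10, 14-20 and 22-43 of line 2.
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43], False),
    }
    failed = [name for name, (f, d, blank) in checks.items() if not _digit_ok(f, d, blank)]
    return fields, failed


def _norm(text):
    return re.sub(r"[^A-Z0-9]+", " ", text.upper()).strip()


def compare_to_viz(fields, viz):
    """Compare parsed MRZ fields with values read from the identity page (VIZ).

    viz is an assumed dict, e.g. produced by OCR, with dates as datetime.date.
    The MRZ truncates long names and transliterates non-Latin characters, so a
    name mismatch is a flag for review rather than proof of tampering.
    """
    expected = {
        "document_number": _norm(viz["document_number"]).replace(" ", ""),
        "surname": _norm(viz["surname"]),
        "given_names": _norm(viz["given_names"]),
        "date_of_birth": viz["date_of_birth"].strftime("%y%m%d"),
        "date_of_expiry": viz["date_of_expiry"].strftime("%y%m%d"),
    }
    return [name for name, value in expected.items() if fields.get(name) != value]


if __name__ == "__main__":
    parsed, failed = parse_td3(*SPECIMEN)
    print("failed check digits:", failed)
    print("VIZ mismatches:", compare_to_viz(parsed, {
        "document_number": "L898902C3", "surname": "Eriksson",
        "given_names": "Anna Maria", "date_of_birth": date(1974, 8, 12),
        "date_of_expiry": date(2012, 4, 15),
    }))
```

A single altered digit in a checked field fails both that field's check digit and the composite digit, which is what makes the composite useful for catching edits that recompute only one field.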
UR-D15
Identity and biometrics
As a Departmental User I want to prescribe treatments in relation to identity resolution and risk assessment and automatically receive the outcomes from these treatments
The Platform must adjust the Application workflow based on prescribed treatments in accordance with Business Rules determined by the Department.
o For example, for Decision Makers to perform specific assessments, request additional information, ask clarifying questions to help resolve the identity against the Department’s identity holdings, or to request further information to address particular risks.
The Platform must allow the Departmental User to record the action taken and the outcome (including the reason for any Decisions taken).
The Platform must provide the Department with the results of any treatments administered through the Platform, including any information collected.
UR-D16
Information collection
As a Departmental User I want to be able to request further information from Clients
The Platform must trigger requests for additional information from Clients and/or their Representatives.
o This could be as a result of the Platform acting in accordance with Business Rules determined by the Department, a one-off request from a Departmental User and/or requests from Other Market Providers.
The Platform must notify Clients and/or their Representatives that additional information has been requested through their preferred communication channels.
The Platform must have the capability to impose time limits on responses to requests for information according to Business Rules determined by the Department.
The Platform must notify Clients and/or their Representatives when the specified time period for responding to a request for information will elapse and once it has elapsed.
UR-D17
Information validation and verification
As a Departmental User I want the Platform to automatically verify information provided by Clients
The Platform must have the capability to detect potentially fraudulent documents.
o Priority documents include bank statements, police clearances, employment letters and education transcripts.
o Priority areas of focus include plagiarism or re-use of supporting statements by multiple Applicants.
The Platform must automatically verify information directly with external sources including:
o an Applicant’s enrolment at an Australian educational provider e.g. with the Provider Registration and International Student Management System (PRISMS); and/or
o that an address provided by an Applicant is legitimate.
The Platform should verify an Applicant’s:
o English language proficiency with English language assessment providers;
o financial information with their financial institution;
o professional skills with an approved skills assessment authority;
o educational history with educational providers;
o identity documents with official sources (excluding travel documents and biometrics); and/or
o other information provided by a Client directly with external sources, where the Successful Tenderer and the Department identify appropriate use cases.
The Platform must facilitate verification of information provided by Applicants with additional sources over time.
o This may occur as information required from Applicants changes, new sources become available or as the sources named above evolve over time.
The Platform must notify the Department of potential fraud.
The Platform must record and retain the details of how all verification activities were performed.
Definition: data verification involves increasing confidence that the information provided is authentic and true.
This can involve using fraud detection techniques e.g. police clearance is not authentic as the logo is incorrect.
This can involve checking the information with a trusted source e.g. confirming an ABN belongs to the Applicant by checking with the Australian business register, confirming the Applicant can receive emails at provided email address.
Note 1: Direct verification of foreign travel documents with the issuing authority is out of scope.
Note 2: Direct verification of biometrics against Government sources is out of scope.
UR-D18
Risk
As a Departmental User I want to know when a visa Applicant has been represented by a third party
In providing a visa Application to the Department for risk assessment, the Platform must ensure that information about their Representative(s) has been included.
o This includes where an Applicant may have changed representation during the visa Application lodgement process.
UR-D19
Assessment
As a Departmental User I want the Platform to automatically determine which assessments must be performed and workflow these tasks to the relevant parties
The Platform must determine which assessments need to be performed in accordance with Business Rules determined by the Department.
This includes where a Client has updated their information. The Platform must determine whether to accept the change of information in accordance with Business Rules determined by the Department.
o This could include determining that an additional assessment is required (for example an in-person interview).
The Platform must automatically workflow Applications in accordance with Business Rules determined by the Department.
UR-D20
Assessment
As a Departmental User I want the Platform to automatically perform analysis to support assessments
The Platform must have the capability to support assessment of Applications against specific visa criteria. Examples include:
o calculation of funds available to assess an Applicant against financial criteria;
o identification of plagiarism in statements in support of genuine temporary entrant criteria; and
o identification of anomalies or inconsistencies in Application metadata and information provided by the Client.
The Platform must perform automated analysis and assessments to support Decisions to approve Sponsors.
UR-D21
Assessment
As a Departmental User I want the Platform to provide the necessary information for me to perform a manual assessment against specific visa criteria
The Platform must provide the Departmental User with all relevant information, verification outcomes and analysis.
o This must include identification of visa criteria met in accordance with Business Rules determined by the Department, as well as matters requiring a manual assessment.
o This information must be clearly structured by visa criteria and labelled in accordance with naming conventions set by the Department.
o The Platform must provide all information necessary to perform the assessment.
The Platform must require the Departmental User to record the assessment outcome and the reasons supporting the assessment.
Upon completion of a manual assessment, the Platform must progress Applications in accordance with Business Rules determined by the Department.
UR-D22
Assessment
As a Departmental User I want to be able to manage the assessment of Group Applications
Where a manual assessment is required for a member of a Group Application, in accordance with Business Rules determined by the Department, the Platform must workflow the complete Group Application to a Departmental User.
The Platform must allow Departmental Users to manually add or remove individuals from a Group Application.
o The Platform must enable Departmental Users to return the Group Application to the automated Platform workflow.
The Platform must be capable of prioritising the order in which the Applications of group members are assessed and finalised.
o This could include assessing Applications for the parents in a family of Group Applications before the children.
o This could include not finalising the Applications of any members of the Group Application until all members have been assessed.
o The Platform must be able to link related Applicants, such as family members, together within a larger group.
2.2.16 Other Market Provider
2.2.16.1 For Other Market Providers, this third stage of the journey is about ensuring that all information is available to perform the requested activities, the outcomes of which contribute to the assessment of a visa Application.
UR-M3
Identity and biometrics
As a Client Services Provider I want the Platform to give me the information I need to collect an Applicant’s biometrics in person
The Platform must determine which biometrics must be collected in-person based on Business Rules determined by the Department.
The Platform must provide the Client Services Provider with the necessary information about an Applicant to collect their biometrics in-person.
The Platform must allow Client Services Providers to provide the Platform with information about the in-person collection of biometrics from an Applicant.
o The biometric collected by the Client Services Provider will be provided directly to the Department’s enterprise biometric and identification system.
UR-M4
Assessment
As an Other Market Provider I want to have the information I need about an Applicant so that I can perform assessments as requested
The Platform must be capable of interfacing with the systems of Other Market Providers as required.
The Platform must be capable of supplying Other Market Providers with relevant supporting information.
The Platform must be capable of recording the assessment outcomes and supporting notes from Other Market Providers.
Note: The required functionality and timing will be agreed during the separate procurement process(es) of any Other Market Providers.
2.2.17 Action
2.2.18 Introduction
2.2.18.1 There are three types of required user outcomes in the action stage of the user journey:
a) Client services: includes being informed of the outcome of a visa Application and being provided any additional information that may benefit the Client, for example correspondence including refusal reasons and review rights;
b) compliance: informing Clients about the conditions associated with their visa; and
c) Decision making: includes the making of a visa Decision, whether auto-granted according to Business Rules or manually by a Departmental User.
2.2.19 Client
2.2.19.1 For the Client, this fourth stage of the journey includes wanting to know about the outcome of the visa Application and, where granted, the conditions associated with the visa. There may also be opportunities for information about Australia to be provided that will benefit the Client’s journey.
UR-C27
Client services
As a Client I want to be notified about the outcome of my Application
The Platform must automatically notify Clients about Decisions on their Applications in accordance with Business Rules determined by the Department. This includes Decisions on visa Applications, Sponsorship Applications and Nomination Applications.
UR-C28
Client services
As an Applicant I want to be guided to information about Australia and Government services
The Platform should have the capability to provide Applicants with relevant information about Australia.
o This includes information about Australia that could be important to a visa holder, for example safety information for swimming at Australian beaches or obligations of travellers in relation to Customs.
o Information should include directing Applicants to other Australian Government services that might be relevant to their intent of coming to Australia, such as directing a temporary skilled worker to information about the Australian taxation and superannuation systems.
o Information provided must not be related to any Additional Commercial Services.
o Content will be approved by the Department as part of governance arrangements and the Successful Tenderer must ensure that the Platform does not provide any information to Applicants which is not approved by the Department.
UR-C29
Compliance
As a Client I want to know the conditions associated with my visa or my Sponsorship obligations
The Platform must notify Clients who have been granted a visa of the conditions and entitlements of the visa.
o This will be included in formal correspondence based on templates provided by the Department, however this does not preclude other innovations that might be able to be provided by the Platform.
The conditions and entitlements of a visa held by a Client must be available through their Platform account.
The Platform must notify approved Sponsors of their sponsorship obligations.
o This will be included in formal correspondence based on templates provided by the Department, however this does not preclude other innovations that might be able to be provided by the Platform.
The details of any Sponsorship obligations must be available to a Sponsor through their Platform account.
2.2.20 Department
2.2.20.1 For the Department, this fourth stage of the journey is about the making of Decisions regarding visa Applications, Sponsorship Applications and Nomination Applications, and any reviews that need to be undertaken of a Decision that has been made.
UR-D23
Client Services
As a Departmental User I want to notify Clients of the outcomes of their Application
The Platform must automatically notify Clients about Decisions on their Applications in accordance with Business Rules determined by the Department. This includes Decisions on visa Applications, Sponsorship Applications and Nomination Applications.
The Platform must allow a Departmental User to efficiently manually edit any correspondence to be sent to the Client.
o For example, correspondence for refusals must include reasons for the decision. These reasons could be either automatically created through Business Rules or manually entered by the Departmental User.
The Platform must have the capability to implement a minimum time between lodgement of an Application and notifying the Applicant of the visa Decision.
UR-D24
Decision making
As a Departmental User I want to maximise automation and streamlining of decision making
The Platform must make automated decisions to grant visa Applications in accordance with Business Rules determined by the Department.
The Platform must make automated decisions to approve Sponsorship Applications and Nomination Applications in accordance with Business Rules determined by the Department.
UR-D25
Decision making
As a Departmental User I want to be able to manually make a decision about an Application
Where Business Rules determine that an Application, including a visa Application, Sponsorship Applications and Nomination Applications, cannot be decided automatically, the Platform must support Departmental Users to make a decision.
o The Platform must provide the Departmental User with relevant information, verification outcomes, analysis on this information and assessment outcomes.
o This includes clearly identifying why the Application was not decided automatically.
The Platform must allow the Departmental User to record the Decision, reasons for the Decision and supporting information used to make the Decision.
UR-D26
Decision making
As a Departmental User I want the Platform to support the management of legal issues
The Platform must be able to provide relevant information to a departmental Legal Officer.
o This information may include the Application, supporting information provided by the Applicant, correspondence with the Department, and assessment and Decision outcomes with supporting reasoning.
The Platform must have the capability to respond to any request for information from a relevant review body, for example the Administrative Appeals Tribunal (also refer requirement PR10 in relation to audit of operations).
2.2.21 Other Market Provider journey – Advised of a decision
2.2.21.1 Outcomes related to Other Market Providers in the action stage include:
UR-M5
Client Services
As an Other Market Provider I want to be notified about the outcome of an Application
Where appropriate, the Platform must notify Other Market Providers about Decisions on certain Applications in accordance with Business Rules determined by the Department.
2.2.22 Other Organisation journey – Advised of a decision
2.2.22.1 Outcomes related to Other Organisations in the action stage include:
UR-O4
Client services
As an Other Organisation I want to be notified about the outcome of an Application
Where appropriate, the Platform must notify Other Organisations about Decisions on certain Applications in accordance with Business Rules determined by the Department.
2.2.23 Resolve
2.2.24 Introduction
2.2.24.1 There are two types of required user outcomes in the resolve stage of the user
journey:
a) Client services: ensuring that Applicants, visa holders, Sponsors and
relevant third parties have access to relevant information;
b) Compliance: ensuring that Departmental Users have the information
required to perform their tasks, particularly in relation to managing the
border as travellers enter and leave Australia and to manage immigration
compliance activities; and
c) Decision making: ensuring that Departmental Users have the information
required to perform any Decision making activities as a result of any
Compliance activities.
2.2.25 Client – Travel and comply
2.2.25.1 For the Client, this fifth stage of the journey includes being aware of the conditions of
the visa held to ensure compliance, allowing Sponsors and relevant Representatives to assist
in compliance activities, and ensuring visa holders are supported as their visa expiry date
approaches.
UR-C30
Client services/ Compliance
As a Business Sponsor I want to manage, view and update information
The Platform must allow Business Sponsors to view information about the approved Sponsorship, Nominations and sponsored Applicants.
The Platform must enable Business Sponsors to check and understand the undertakings and obligations of their Sponsorship.
The Platform must allow Business Sponsors to provide evidence of their compliance with the undertakings and obligations of their Sponsorship.
o This includes the ability to upload into the Platform supporting information such as payslips.
The Platform must allow Business Sponsors to report changes in the work circumstances of a sponsored Applicant.
The Platform must notify Business Sponsors of upcoming changes in the visa status of their sponsored Applicants.
UR-C31
Client services/ Compliance
As an Applicant I want to be reminded of the conditions of my visa
Applicants must be able to check the details and conditions of their visa using the Platform.
o The Platform must provide this functionality for holders of all visa products, not only those processed through the Platform. This is supported by APIs provided by the Department.
The Platform must nudge Applicants to comply with the conditions of their visa by sending automated reminders to Applicants where appropriate.
o This requirement applies only to visas processed through the Platform.
UR-C32
Client services/ Compliance
As a Client I want to provide evidence of compliance with my visa conditions
The Platform must allow Clients to provide evidence of their ongoing compliance with the conditions of their visa.
o For example, compliance with a health undertaking or evidence of residence in a particular regional area (which may be relevant to a future Application for permanent residency or citizenship).
Business Rules determined by the Department will determine the action to be taken by the Platform following a Client providing compliance information.
UR-C33
Client services
As a Client I want to explore options for staying longer in Australia
Clients must be able to outline their intent in wanting to stay longer in Australia and be presented with visa options that may match this intent.
Note: effectively this requirement loops the Client back to the explore stage of the user journey and requirement UR-C1.
UR-C34
Client services
As a Client I want to request the cancellation of my visa
Clients must be able to request the cancellation of a visa through their Platform account.
Business Rules determined by the Department will determine the action to be taken by the Platform following a Client requesting a visa cancellation.
o That is, whether cancellation tasks can automatically be undertaken prior to being referred to an appropriate Decision Maker for decision.
2.2.26 Department – Ensure compliance
2.2.26.1 For the Department, this fifth stage of the journey is about ensuring that Departmental
Users have a “single view” of a Client’s Application history and information about visa holders,
and the compliance and border activities of the Department and its portfolio agencies are
effectively supported.
UR-D27
Compliance/ Decision making
As a Decision Maker I want to cancel a visa
The Platform must support Decision Makers to undertake the cancellation of a visa. This includes but is not limited to:
o cancelling a visa under sections 109, 116, 128, 140 and 501 of the Migration Act 1958 (Cth); and
o cancellations initiated at the request of a Client (refer UR-C34).
The Platform must provide the Decision Maker with a single view of all relevant information as determined by the Business Rules, verification outcomes, analysis of this information and assessment outcomes.
The Platform must allow a Decision Maker to undertake the cancellation process, record cancellation Decisions, reasons for the Decision and supporting information used to make the Decision.
The Platform must support Departmental Users to group cancellations for workflow purposes.
UR-D28
Compliance/ Decision making
As a Border and Entry Officer I want to view Applicant information, update Applicant information and grant or cancel visas
The Platform must support Border and Entry Officers in managing the border. This includes:
o a single view of all information about an Applicant, including their visa status;
o updating information about an Applicant, such as passport information, contact details;
o recording additional notes about an Applicant; and
o undertaking a visa Decision (grant, refuse and cancel), including recording the Decision, reasons for the Decision and supporting information used to make the Decision.
UR-D29
Compliance
As a Departmental User I want to view information about Clients to support compliance activities
The Platform must support Departmental Users to conduct investigations and manage compliance activities.
o The Platform must allow authorised Departmental Users to refer Clients to appropriate departmental teams for compliance activity, cancellation consideration or investigation.
o The Platform must provide Departmental Users with a single view of all information about an Applicant. This includes reviewing information provided by an Applicant as part of natural justice proceedings.
o The Platform must provide role-based access to the Platform for Departmental Users as authorised.
o The Platform must allow Departmental Users to record supporting evidence and the outcomes of a compliance activity, such as a compliance field visit.
UR-D30
Compliance
As a Departmental User I want to access information about a visa Applicant
The Platform must include the functionality to search for Applicants and/or Applications that meet a set of characteristics specified by a Departmental User. The Applicant/Application search will be across the Platform’s data holdings and where required, utilise departmental APIs to search and retrieve Applicant/Application information from the Department’s systems.
The Platform must provide role-based access to the Platform for Departmental Users as authorised.
The Platform should automate the extraction of information regarding an Applicant from the Platform.
Note 1: This includes responding to requests for information made under the Freedom of Information Act 1982 (Cth), the Privacy Act 1998 (Cth) and corresponding state and territory legislation.
Note 2: This includes requests made by law enforcement agencies, the Australian Taxation Office, the Australian Competition and Consumer Commission, the Australian Securities & Investments Commission, and other relevant Commonwealth Agencies.
2.2.27 Other Organisation journey – Check visa status
2.2.27.1 For Other Organisations, this fifth stage of the journey is about ensuring Other
Organisations are able to access current information about an Applicant’s visa status.
UR-O5
Client services
As an Other Organisation I want to check an Applicant’s visa status and conditions
Authorised Other Organisations must be able to check the entitlements of an Applicant’s visa using the Platform.
o The Platform must provide this functionality for all holders of visa products, not only those processed through the Platform. This is supported by APIs provided by the Department.
Examples of Other Organisations who may need to know the visa status of an individual include Registered Migration Agents, employers, labour suppliers, sharing economy organisations, education providers, financial institutions, real estate agents, telecommunication companies and Commonwealth Agencies.
2.3 Required business enabling outcomes
2.3.1 Introduction
2.3.1.1 The Platform must provide capabilities to enable the Department to manage visa business
operations effectively. This includes functional requirements that deliver the following
outcomes:
a) User support: the Platform must provide specified user support for all
users including Clients, Departmental Users, Other Market Providers of
visa services and Other Organisations including self-service support
through the Platform and escalated technical support. The Successful
Tenderer is required to provide the support necessary for the Department’s
provider of client enquiry services to assist Clients where possible. In
addition, the Successful Tenderer is required to provide training and
support for Departmental Users on the effective use of the Platform;
b) Business Rule development: the Department will determine the Business
Rules for the Platform. The Successful Tenderer will collaborate with the
Department in the development of the Business Rules to maximise their
efficiency and automation;
c) Single view of Client: the Platform must provide a “single view” of all
Clients, underpinned by an anchored identity (i.e. an identity linked to
biometric records), that includes real time access to all Client interactions
with or accessible by the Platform and all actions undertaken by
Departmental Users in respect of a Client. A “single view” of a Client is
integral to effective and efficient Decision making and program
management for the Department;
d) Workflow management: visa processing often involves an ongoing
exchange between an Applicant, the Department and the Australian Border
Force, and the service providers who are collectively responsible for
performing visa processing tasks. This exchange means that managing the
workflow of the processing effort is a critical factor in end-to-end
automation of the visa journey. As such, the Platform must provide an
automated solution for managing this workflow throughout the visa journey;
e) Program management: visa processing involves the ongoing
management of a number of factors, including service levels, risk
tolerance, budget and program caps. The Platform must provide
functionality to support the Department’s management of these factors;
f) Quality assurance: the Department will perform ongoing quality
assurance checks on tasks carried out by the Platform, Departmental
Users, Other Market Providers, Other Organisations, and other
departmental functions involved in visa processing. The Platform must
provide functionality to support these processes (including in real time) and
the Successful Tenderer is expected to perform sufficient internal quality
assurance to meet the requirements outlined in this Attachment A -
Statement of Requirement;
g) Reporting and analytics: the Platform must provide automated reporting
and analytics capabilities for a range of data, including visa Application
data and operational performance data; and
h) Real time access: complete transparency of all Platform functions and
operations is a critical functionality. The Department must have real time
access to all aspects of the Platform’s operations. This includes anything
from the physical location of an Applicant at any time while using the
Platform, through to real time analysis of Platform operations.
2.3.2 User support
2.3.2.1 Client
UR-C35
User support
As a Client I want to get help when I have problems using the Platform or have enquiries about my Application
The Platform must provide digitally delivered, automated Tier 0 support to Clients.
o Tier 0 user support includes online help content for users, help pointers during the Application process and an automated chatbot in the Designated Platform Languages defined in UR-C6.
The Successful Tenderer must develop Tier 1 and Tier 2 knowledge articles to be used by the Department’s provider of client enquiry services.
The Successful Tenderer must provide 24/7 Tier 3 technical support for clients.
o It is expected that Tier 3 user support is delivered over the phone and through online chat.
o Tier 3 technical support capability must be located in Australia.
o Enquiries will be routed via the Department’s client enquiry service centre and include access to the translating and interpreting service for language support.
The Successful Tenderer must document and maintain records of each person’s support interactions and provide reporting to the Department.
2.3.2.2 Department
UR-D31
User support
As a Departmental User I want to get help when I have problems using the Platform
The Platform must provide digitally delivered, automated Tier 0 support to Departmental Users.
o This includes developing and maintaining support for each feature, including online help content through an automated chatbot. Online help content must be available from the initial deployment of a feature.
The Successful Tenderer must develop Tier 1 knowledge articles to be used by the Department’s User Support Provider.
The Successful Tenderer must provide 24/7 Tier 2 and Tier 3 technical support for Department Users.
o It is expected that Tier 2 and Tier 3 Departmental User support is delivered over the phone.
o Enquiries will be routed via the Department’s user service centre.
o The Successful Tenderer will be required to integrate with the Department’s service management tool (e.g. Service Manager 9).
UR-D32
User training
Departmental Users are able to confidently use the Platform to perform their duties
The Successful Tenderer must provide training on effective and efficient use of the Platform to Departmental Users.
o This includes design and development of online training modules as well as design, development and delivery of face-to-face training modules to the global workforce where appropriate.
The Successful Tenderer must support Department Users of the Platform by developing and maintaining up-to-date Platform operating instructions and standard operating procedures.
The Platform must allow Departmental support and instructional information relating to manual assessment and decision making tasks to be uploaded and maintained.
The Platform must provide Departmental Users contextual support and instructions relating to manual assessment and decision making tasks based on information provided by the Department.
The Tenderers must provide the Department with a Training Plan for approval as follows:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed; and
o an update annually on the anniversary of the Commencement Date.
UR-D33
User support
As an authorised Departmental User I want to be able to manage my team’s use of the Platform
The Platform must support the Department to manage its use of the Platform. This includes the capability to:
o establish and change team/organisation structure and allocate roles and responsibilities;
o support Team Leaders to manage their team including the ability to add, remove or reallocate Departmental Users within the organisation structure;
o support Team Leaders to adjust parameters determining task assignments within their team structure; and
o support Team Leaders to re-assign any tasks to another Departmental User.
2.3.2.3 Other Market Provider
UR-M6
User support
As an Other Market Provider I want to get help when I have problems using the Platform
The Platform must provide digitally delivered, automated Tier 0 support to Other Market Providers.
o This includes developing and maintaining support for each feature, including online help content and an automated chatbot. Online help content must be available from the initial deployment of a feature.
The Successful Tenderer must develop Tier 1 knowledge articles to be used by Other Market Providers.
The Successful Tenderer must provide 24/7 Tier 2 and Tier 3 technical support for Other Market Providers.
o It is expected that Tier 2 and Tier 3 user support is delivered over the phone.
o Enquiries will be routed via the Department’s user service centre.
o The Successful Tenderer will be required to integrate with the Department’s service management tool (e.g. Service Manager 9).
UR-M7
User support
As a User Support Provider I want to access information about an Application and the Platform so that I can help users resolve their problems
User Support Providers must have role-based access to Applicant and Application information.
User Support Providers must be able to record their interactions with the Applicant in the Platform.
2.3.2.4 Other Organisation
UR-O6
User support
As an Other Organisation I want to get help when I have problems using the Platform
The Platform must provide digitally delivered, automated Tier 0 support to Other Organisations.
o This includes developing and maintaining support for each feature, including online help content and an automated chatbot. Online help content must be available from the initial deployment of a feature.
The Successful Tenderer must develop Tier 1 knowledge articles to be used by an external user enquiry service provider.
The Successful Tenderer must provide 24/7 Tier 2 and Tier 3 technical support for Other Organisations.
o It is expected that Tier 2 and Tier 3 user support is delivered over the phone.
o Enquiries will be routed via the Department’s user service centre.
o The Successful Tenderer will be required to integrate with the Department’s service management tool (e.g. Service Manager 9).
2.3.3 Business Rule development and implementation
2.3.3.1 The Department will determine the Business Rules for the Platform. The Department expects
that the Successful Tenderer will collaborate with the Department in the development of the
Business Rules to maximise their efficiency and automation.
2.3.3.2 This includes as a minimum, but not limited to, Business Rules that specify Application
processing and decision making workflows including in relation to:
a) what information the Platform will collect from Clients, the Department and
third parties and the order of collection;
b) what information provided by the Client the Platform will verify to increase
confidence in authenticity;
c) what information the Platform will analyse to enable a specific criteria to be
assessed; and
d) what process the Platform will follow to determine whether an Application
should be referred to a Departmental User or autogranted.
UR-D34
Business Rules
The Successful Tenderer will assist the Department to develop appropriate Business Rules and implement those rules on the Platform
The Successful Tenderer must, when required by the Department, provide input on the development of Business Rules.
The Successful Tenderer must implement the Business Rules in accordance with any Agreement.
o The Successful Tenderer must not implement any Business Rules that have not been determined by the Department.
2.3.4 Workflow management
UR-D35
Workflow
As a Departmental User I want the Platform to determine the next step in processing
The Platform must automatically advance Applications to the next processing step in accordance with Business Rules determined by the Department.
o This must include triggering re-assessment of risk and identity assurance in accordance with the Business Rules determined by the Department.
o This must include determining the next step in response to receiving information from an Applicant or other parties, actions taken by the Department or the Applicant, treatments prescribed by the Department’s identity, risk and intelligence functions, or by other conditions e.g. the expiry of a visa or change of circumstances.
o Having determined the next step in processing, the Platform must allocate tasks for action in accordance with Business Rules determined by the Department.
The Platform must optimise the visa processing workflow to both improve the user experience and the efficiency of Decision making (e.g. by triggering concurrent assessments such as initiating a health assessment requirement in conjunction with other workflow steps).
The Platform must have an ability to check that Applications are actively progressing through the defined processing workflow and have not become stalled, lost or incorrectly work flowed.
UR-D36
Workflow
As a Departmental User I want Applicants to be assessed according to the policy and Business Rules that apply at the time of lodgement
The Platform must assess Applicants in accordance with the Business Rules applicable at the time of lodgement.
o Note: There may be some exceptions including where legislative changes retrospectively apply to Applications which have already been lodged. This will be specified in the Business Rules determined by the Department.
If manual assessment is required, the Platform must provide Departmental Users with the policy and Business Rules that apply to the Application.
UR-D37
Workflow
As a Departmental User I want to be able to adjust the sequencing of processing steps or the time taken between processing steps
The Platform must allow the Department to determine new Business Rules in accordance with the Agreement.
o Authorised Department Users must be able to set and adjust time intervals between automated steps in the workflow.
UR-D38
Workflow
As a Departmental User I want the Platform to support me to complete my allocated tasks
The Platform must automatically provide Departmental Users with the information required to perform their allocated task(s) (refer requirement UR-D21).
The Platform must allow Departmental Users to refer individual Applications and particular tasks to other Departmental Users.
o For example, allowing a Decision Maker to refer an Application to their Team Leader or a departmental specialist in a particular area.
UR-D39
Workflow
As a Team Leader I want to be able to adjust the workflow parameters for my team and manually re-allocate tasks
Team leaders must be able to adjust workflow parameters for their team and manually re-allocate tasks.
2.3.5 Program management
UR-D40
Program management
As an Authorised Departmental User I want to adjust the Business Rules for automated processing
The Platform must be capable of giving Authorised Departmental Users the ability to adjust Business Rules which affect automated processing (in accordance with processes set out in the Agreement).
o This includes the ability to change automated risk thresholds, the approach to data collection, data verification and assessments (within the bounds of visa legal requirements and policy) and processing speed.
o This includes the ability to vary the approach by product and caseload.
The Platform must be able to restrict who has authority to access and modify Business Rules (refer requirement PR9 relating to access security).
The Platform must keep records of all changes made, including who undertook the change and the date and time it was made (refer requirement PR10 relating to audit of operations).
The Platform must be capable of giving authorised Departmental Users the ability to manually intervene in the processing of any Application at any point*.
Note: more information will be provided in the Data Room on this requirement.
2.3.6 Quality assurance
UR-D41
Quality assurance
As a Departmental User I want to perform quality assurance on manual assessments and decisions
The Platform must allow Applications to be selected for audit in real time.
o This must include selection or referral of specific cases, selection of a random subset of cases or selection of a subset of cases based on adjustable parameters, at the program level and at the officer level.
o This includes the ability to search for Applicants/Applications that meet a set of characteristics specified by the Departmental User. The Applicant/Application search will be across the Platform’s data holdings and where required, utilise departmental APIs to search and retrieve Applicant/Application information from the Department’s systems.
The Platform must provide information to support the audit activity. This includes which assessments were made manually and the confidence rating for outcomes of any automated tasks.
The Platform must only allow Authorised Departmental Users, identified based on their role, to manually select an Application for review or processing.
UR-D42
Quality assurance
As a Departmental User I want to review processing steps automated by the Platform
The Platform must allow Applications to be selected for audit in real time.
o This must include selection or referral of specific cases, selection of a random subset of cases or selection of a subset of cases based on adjustable parameters, at the program level and at the officer level.
The Platform must supply information on verification, assessment and decision steps for individual Applications.
UR-D43
Quality assurance
As a Departmental User I want to be informed of cases where an Applicant breaches the conditions of their visa
In accordance with Business Rules determined by the Department, the Platform must have the capability to notify Departmental Users and facilitate reviews in response to compliance breaches and other requirements flagged by the Department’s systems.
2.3.7 Reporting and analytics
2.3.7.1 The Platform must provide reporting and analytics capabilities for a range of users including
Departmental Users, Other Departmental Users, Other Market Providers, and Other
Organisations. This includes:
a) the provision of standardised reporting and the capability for users to build
customised reports;
b) the ability to save reports, export reports and create dashboards;
c) the ability to segment data by key variables including but not limited to visa
type, risk level, nationality, user type, processing location and processing
task;
d) the ability to present identified and de-identified data of individual
Applicants or other individual users or the operation of the Platform; and
e) the ability to generate new or ad-hoc reports where requested by the
Department.
2.3.7.2 The Successful Tenderer must also supply reports as evidence of compliance with any
Agreement in the form required by the Department.
2.3.7.3 The reports outlined in this section and any additional reports must be supplied to the
Department on an as requested basis.
UR-D44
Reporting
As a Departmental User I want to see reporting and analytics about my team
The Platform must provide the capability for Departmental Users to extract data to create standard and customised reports in real time.
o This includes the number and nature of tasks performed, time taken, Decision outcomes, percentage of completed tasks or outstanding work.
o This includes generating reports for individuals and teams over different time periods, for example on a daily, weekly, and/or monthly basis.
UR-D45
Reporting
As a Departmental User I want the Platform to monitor the completion of tasks
The Platform must track the processing time for individual Applications in real time.
o This must include tracking the overall processing time i.e. the time from lodgement through to notifying an Applicant of the visa Decision.
o This includes monitoring the processing time for individual processing tasks, for example verifying a particular type of document or performing a particular assessment.
The Platform must monitor the completion of tasks allocated to Clients, Departmental Users, Other Market Providers and any Other Organisations. This includes providing historical data for comparison.
The Platform must notify the Department regarding Other Market Providers and departmental teams which are performing tasks at slower than target levels. This must include providing relevant supporting information to the Department.
UR-D46
Reporting
As a Departmental User I want to review the performance of the Successful Tenderer against key metrics set by the Department
The Platform must track its own performance against service levels and other performance measures in the Performance Management Framework.
The Platform must notify the Department when it has not met or is at risk of not meeting the service levels or other performance measures in the Performance Management Framework.
The Platform must provide the capability for real-time monitoring on the Platform’s performance against key metrics as set by the Department. The Successful Tenderer must provide other written reports in accordance with the Performance Management Framework. For example, these will include reports on:
o workplace health and safety incidents;
o the current condition of equipment used to supply the Services, including details of maintenance, repairs and upgrades undertaken; and
o performance against other key performance indicators, service levels or other performance measures.
UR-D47
Reporting
As a Departmental User I want to be alerted regarding any security issues so that I can resolve issues and escalate when required
The Successful Tenderer must immediately notify the Department of any security incidents, unauthorised contact with security classified material, unauthorised access to individual Client records, non-compliance, or becoming aware of suspicious behaviour or malicious activity.
UR-D48
Reporting
As a Departmental User I want to analyse data and receive regular reports on the results of assessments, risk treatments and identity treatments
The Platform must provide reporting and analytics capabilities which enable the Department to review the results and effectiveness of assessments, risk treatments and identity treatments.
o This must include near-real-time reporting, regular standardised reporting, and the capability for Departmental Users to build customised reports.
UR-D49
Reporting
As a Departmental User I want to analyse visa Application data
The Platform must provide reporting and analytics on visa Applications both at a point in time and over a time period. The type of analytics required includes:
o number of Applications at each stage of the Application process by visa type and nationality, including draft Applications which are not completed and Applications that are abandoned (no activity for 28 days);
o the ability to filter data, for example by user type, visa type and nationality, assessment type; and
o the ability to segment data by key variables including visa type, risk level, nationality, processing location and processing task.
The Platform must provide information required for the Department to fulfil its public disclosure obligations, for example the departmental annual report.
The Platform will provide the capability to examine and audit, including in real time, every interaction with the Platform (i.e. every step of every transaction or interaction with the platform will be collected including deletion of material previously entered by Applicants).
2.4 Required outcomes of the Platform and Successful Tenderer
2.4.1 Introduction
2.4.1.1 In delivering the Core Government Services, the Successful Tenderer will need to deliver a
number of non-functional requirements that realise outcomes related to the management of
the Platform and the Services.
2.4.1.2 This section is divided into the following:
a) Platform operations, which describes required outcomes for operational
aspects of the Platform;
b) Platform revision, which describes required outcomes related to changing
the Platform (to be read in conjunction with Attachment D - Draft
Agreement and section 4.3 in Part 4 - Commercial Parameters and
Settings); and
c) Platform interfaces and interoperability, which describes the extent to
which the Platform is required to couple, work with or interface with other
systems.
2.4.1.3 Outcomes are presented as Platform or Successful Tenderer requirements with the prefix PR
and are shaded orange.
2.4.2 Platform operations
2.4.2.1 The Department has a number of operational outcomes for the Platform that the Successful
Tenderer will be required to achieve.
2.4.2.2 These requirements deal with the following:
a) outcomes that relate to the provision of the Services: including that the
Platform is consistently available and accessible to users, and that Core
Government Services are identified to users as a service of the Australian
Government;
b) outcomes that relate to management of the Platform: including ensuring
that the sovereignty of the visa system is protected through adequate
controls such as those relating to system access controls, fraud and risk
management. The Department must also be able to readily access
information and documentation about the Platform; and
c) outcomes that relate to providing a safe workplace.
2.4.2.3 Outcomes related to the provision of the Services
PR1
Omni-channel
The Platform supports a seamless user experience
The experience for Clients must be consistent and integrated across all supported channels.
o For example, a Client must be able to start an Application on a mobile device and complete it on a computer or laptop.
The Platform should ensure that the number of points at which a Client must switch between devices, functions or Platform capabilities to complete a given task is minimised as much as possible.
The experience for Departmental Users must be consistent and integrated across all Departmental supported channels.
o For example, a Departmental User must be able to use Platform capabilities on mobile or tablet devices as well as on a computer or laptop.
PR2
Accessibility
The Platform is widely accessible to the general public in key markets
The Platform must operate across a range of operating systems and devices (including laptops, personal computers, and mobile devices such as mobile phones and tablets) and is required to ensure that the operating systems used by at least 97 per cent (in aggregate) of the public in a key market are supported at any given point in time over the Term of any Agreement.
The Platform must operate across a range of internet browsers on devices to ensure that the browsers used by at least 97 per cent (in aggregate) of the public in a key market are supported at any given point in time over the Term of any Agreement.
This must include the most current minor version, the previous two minor versions and any major version from the past two (2) years.
Note 1: Key market is defined as the 20 countries with the highest number of Australian visa lodgements in the most recent financial year.
Note 2: The Department will define the industry source that will be used to determine what percentage of the public use a particular operating system or browser. This will be defined prior to execution of the Agreement (if any) with the Successful Tenderer.
PR3
Accessibility
The Platform is as widely accessible as possible globally
Clients should be able to access key components of the Platform where there is limited internet connectivity or mobile telecommunications coverage.
o For example, providing Clients the ability to access Application lodgement services through a basic HTML view even if more sophisticated Platform services such as chatbots are not viable.
The Successful Tenderer must be able to tell the Department where geographical areas will not be adequately serviced by the Platform so that the Department is able to organise suitable arrangements with Other Market Providers.
The Tenderers must provide the Department with a list of geographical areas that will not be adequately serviced by the Platform for approval as follows:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed; and
o an update annually on the anniversary of the Commencement Date.
PR4
Accessibility
The Platform is compliant with accessibility guidelines
The Platform and all its products, services and outputs must, at a minimum, be compliant with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. This includes adherence to the four principles that provide the foundation for web accessibility by ensuring content is:
o perceivable - information and user interface components must be presentable to users in ways they can perceive. This means that users must be able to perceive the information being presented (it cannot be invisible to all of their senses);
o operable - user interface components and navigation must be operable. This means that users must be able to operate the interface (the interface cannot require interaction that a user cannot perform);
o understandable - information and the operation of user interface must be understandable. This means that users must be able to understand the information as well as the operation of the user interface (the content or operation cannot be beyond their understanding); and
o robust - content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies. This means that users must be able to access the content as technologies advance (as technologies and user agents evolve, the content should remain accessible).
The Platform and all its products, services and outputs should be compliant with the latest version of the Web Content Accessibility Guidelines (WCAG) Level AAA within three (3) years of the Commencement Date.
In the event a new major version of the WCAG is released, the Platform and all its products, services and outputs must, at a minimum, be compliant with the major version released immediately prior to the latest major version (i.e. upon the release of WCAG 4.0, the Platform must at a minimum be compliant with WCAG 3.0).
The Platform must comply with the accessibility standard contained within the Digital Service Standard issued by the Digital Transformation Agency.
PR5
Availability
The Platform supports the Department’s management of the border by being available and functioning with minimal downtime
The Platform must provide, as a minimum, 99.9 per cent uptime per month for Clients, excluding scheduled downtime.
The Platform must provide, as a minimum, 99.5 per cent uptime per month for all users other than Clients, excluding scheduled downtime.
The Successful Tenderer must immediately notify the Department of any unscheduled downtime or outage.
The Platform must have no more than 12 scheduled outages in a year, which last no longer than 12 hours in total.
o Any particular scheduled outage must not last longer than 1 hour without approval from the Department. Approval will be granted on a case by case basis.
o Scheduled outages should be planned to minimise the impact on the relevant users (for example outside AEST business hours for outages impacting Decision Makers).
o There may be a need from time to time for any scheduled outages for the Platform to be arranged to coincide with a departmental release cycle.
o The Successful Tenderer must notify the Department ahead of any scheduled downtime, and the scheduled downtime must be in accordance with processes set out in the performance management framework.
o Any specific scheduled outage should not impact the entire Platform but should be restricted to either the Client facing functionality or non-Client facing functionality only (not both).
In addition to scheduled outages, the Successful Tenderer must immediately notify the Department of an emergency outage and advise actions being undertaken in response to address critical issues (e.g. denial of service attack).
PR6
Efficiency
The Platform provides adequate response times for all users, at all times
In the context of user interaction being defined as any action taken by a user which then requires the Platform to provide a response, the Department expects the following minimum response times to be met:
o for a Client: a Platform response time of less than 2 seconds in 95 per cent of user interactions, to allow for Clients to experience a response time of less than 4 seconds in 95 per cent of user interactions;
o for all users other than Clients: a Platform response time of less than 3 seconds in 95 per cent of user interactions, to allow for relevant users to experience a response time of less than 5 seconds in 95 per cent of user interactions; and
o The Platform must not exceed the following response times: 95% less than 2 seconds; 97% less than 5 seconds; 98% less than 10 seconds; 99% less than 15 seconds across each user group.
The Platform must be designed, developed and deployed in such a manner that response times are achieved at all times, including during peak periods of user activity (for example periods where high levels of Applications are received in relation to Chinese New Year, Christmas, and student intakes).
Note: The Platform response time is calculated from the point at which the Platform receives the first part of the request from the user to the time that the Platform submits the last part of its response to the user.
PR7
Platform scale
The Platform makes services available regardless of volume
The Platform must expand its processing capabilities to support business growth.
The Platform must be designed, developed, tested and deployed to accommodate increased concurrent users, Application volumes, and workloads, specifically:
o the Platform must scale in real time to accommodate increases in the number of concurrent users; and
o the Platform must maintain consistent response times with increased Application volumes and concurrent users.
PR8
Branding
Core Government Services include the Department’s branding
The components of the Platform that deliver Core Government Services must include the brand of the Department.
The Platform must be able to adapt to any changes in the Department’s branding, in timelines set by the Performance Management Framework.
Co-branding with both the Department’s and the Successful Tenderer’s branding is permitted and any co-branding must be approved by the Department.
2.4.2.4 Outcomes related to management of the Platform
PR9
Access Security
Access to the Platform is restricted to authorised users and the Successful Tenderer safeguards against deliberate, intrusive and/or unauthorised access from internal and external sources
The Platform must have role-based security access controls to ensure that only those with appropriate authority are able to use particular user interfaces and/or access particular functionality of the Platform.
Access control must be tailorable down to the attribute level. This must include controls to ensure there is no unauthorised access to the Business Rules contained within the Platform or the configuration of the Platform.
The Platform must retain a historical record of the access controls that were applied to each role/individual at any given point in time and a record of all changes to access controls for a particular role/individual.
For a particular role, the Platform must enable the Department to easily change access to data, user interfaces and/or functionality.
The Platform’s role-based security access controls should be integrated with the Department’s existing Identity and Access Management (IAM) system.
PR10
Audit of operations
The Platform is able to trace activities and provide information necessary for the Department to audit the Platform’s operations
The Platform must be able to generate a version of all historical visa Applications, Sponsorship Applications and Nomination Applications commenced or lodged on the Platform in their original form, including where a visa Application form is later updated. This must be down to the attribute level.
The Platform must be able to generate a version of all audit information supporting all historical visa Applications, Sponsorship Applications and Nomination Applications commenced or lodged on the Platform.
The Platform must be able to generate a version of the Business Rules that applied to any visa Application, Sponsorship Application and Nomination Application commenced or lodged and processed on the Platform.
The Platform must be able to generate a record of all changes to Business Rules, including the specific changes that were made, who undertook the change, and the date and time the change was made.
On Acceptance and release of each visa product, the Successful Tenderer must provide the Department with a copy of all Business Rules contained in that version of the Platform. The Successful Tenderer must do this regardless of whether there were any Business Rule changes contained in the release.
The Platform must be able to generate an audit log describing when any particular user accessed particular functionality of the Platform. The audit log must be securely stored to prevent any deletion or modification.
PR11
Reliability
The Platform consistently performs its functions without failure
The Platform must have the ability to rectify issues identified with the operation of the Platform with little or no human intervention.
The Successful Tenderer must have a comprehensive approach (including tools and processes) to system monitoring; that is, monitoring the performance and health of the Platform.
The Successful Tenderer must have a comprehensive approach to event management which addresses the entire event lifecycle, including event occurrence, event notification, event detection, event logging, event filtering and correlation, and event response.
The Tenderers must provide the Department with an Event Management Approach for approval as follows:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed; and
o an update annually on the anniversary of the Commencement Date.
PR12
Business continuity
Business Continuity Plans are maintained throughout the Term of any Agreement
The Tenderers must provide the Department with a Business Continuity Plan for approval as follows:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed; and
o an update annually on the anniversary of the Commencement Date.
Each Tenderer’s draft Business Continuity Plan provided as part of their Phase Two Tender must address the following:
o describe the roles and responsibilities of the Tenderer (should it be the Successful Tenderer), the Department and any third party respectively. It is envisaged that the Successful Tenderer will take primary responsibility for ensuring business continuity in the event of a business continuity event;
o describe the strategies and actions to ensure continuity of the Platform when normal operations are disrupted or circumstances exist that may threaten the operation of the Platform;
o align with recognised standards for business continuity including:
ISO 22301:2012 Societal Security Business Continuity Management Systems Requirement; and
ISO 5050:2010 Business Continuity Managing Disrupted Related Risk or equivalent;
o be consistent with and reflect the approved Risk Management and Fraud Control Plan;
o include criteria for identifying and managing business continuity risks, including descriptions of likelihood and consequence criteria, and appropriate risk management criteria;
o describe how business continuity issues will be reported internally and to the Department; and
o describe the threshold for escalation and management of business continuity issues.
Each Tenderer’s draft Business Continuity Plan must at a minimum consider the following scenarios:
o the Tenderer losing access to their workplace or worksite;
o the Tenderer losing access to regular staff who perform activities for a critical process;
o one or more IT application(s) the Platform relies upon is down, including the Department’s internal systems or the API Gateway;
o an unscheduled outage of the Platform or a failure of one or more critical pieces of equipment the Platform relies upon to function; and
o critical suppliers are not supplying the services required for the Platform to function, including if the internet is unavailable in a specific country.
PR13
Disaster recovery
ICT Disaster Recovery Plans are maintained throughout the life of the term
The Tenderers must provide the Department with an ICT Disaster Recovery Plan for approval as follows:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed; and
o an update annually on the anniversary of the Commencement Date.
Each Tenderer’s draft ICT Disaster Recovery Plan must address the following:
o describe the roles and responsibilities of the Tenderer, the Department and any third party respectively. It is envisaged that the Successful Tenderer will take primary responsibility for enacting the ICT Disaster Recovery Plan;
o describe the strategies and actions to ensure continuity of ICT services when normal operations are disrupted or circumstances exist that may threaten the operation of the ICT services;
o align with recognised standards for ICT disaster recovery including:
ISO 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity;
be consistent with and reflect the approved Risk Management and Fraud Control Plan; and
include details of the business impact analysis (BIA) undertaken for each of the systems and services;
o include the strategies around people, technology, data and policies and procedures to ensure that the principles of incident prevention, detection, response, recovery and restoration are able to be put in place;
o include criteria for identifying and managing ICT disaster recovery risks, including descriptions of likelihood and consequence criteria, and appropriate risk management criteria;
o include details of how ‘practice drills’ will be undertaken to ensure the effectiveness of the ICT disaster recovery procedures;
o describe how ICT disaster recovery issues will be reported internally and to the Department;
o describe the threshold for escalation and management of ICT disaster recovery issues; and
o include details of how the ICT Disaster Recovery Plan will be tested and results provided to the Department, along with a plan to remediate any issues identified as part of the testing.
The Platform must have a disaster recovery environment for all capabilities utilised in the delivery of the Core Government Services.
The Successful Tenderer should have disaster recovery backup systems located in a different Australian state or territory to the primary system; such that if there is a disaster at the primary location the entire Platform can be operated from systems in a different state.
PR14
Recovery
The Platform is recoverable when faced with an incident relating to business continuity or ICT Disaster
The Client-facing functionality of the Platform must have a Recovery Time Objective (RTO) of less than 4 hours and a Recovery Point Objective (RPO) of less than 15 minutes, with the Department’s expectation as it relates to RTO and RPO illustrated below.
The non-Client facing functionality of the Platform must have a RTO of less than 8 hours and a RPO of less than 15 minutes, with the Department’s expectation as it relates to RTO and RPO illustrated in the figure below.
PR15
Documentation
Documentation relating to the design and operation of the Platform is available to the Department
The Successful Tenderer must maintain documentation* relating to the design and operation of the Platform in its entirety and be able to provide it to the Department when requested. The documentation must include:
o the end-to-end process flow;
o application architecture and business logic;
o software currency and support;
o Platform release procedures;
o system interfaces;
o grandfathering process;
o Platform recovery process;
o system administration and maintenance;
o training materials;
o major and minor release information;
o cyber security incident response procedures;
o departmental approved changes to the Platform; and
o Business Rules configured on the Platform.
*Note: Information about documentation requirements will be made available in the Data Room.
PR16
Risk management
A systematic and stringent approach to managing risk, as well as preventing and detecting fraud, is adopted by the Successful Tenderer
The Tenderers must provide the Department with a Risk Management and Fraud Control Plan and Risk Register for approval in accordance with the following:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed;
o at a minimum, an update annually on the anniversary of the Commencement Date; and
o at other times where a review and update is appropriate to ensure the Risk Management and Fraud Control Plan or Risk Register remains current, including a review undertaken at the request of the Department.
The Risk Management and Fraud Control Plan must be consistent with the Department’s risk management strategies and the Commonwealth Fraud Control Framework, and must, at a minimum, describe:
o how the Successful Tenderer will identify, seek to prevent and manage risks in relation to the Services;
o the level of conformance to recognised standards for risk management (AS/NZS ISO 21000:2009);
o criteria for identifying and managing risks, including descriptions of likelihood and consequence criteria;
o how risks will be categorised and appropriate risk treatment strategies applied;
o how risks will be reported internally and to the Department;
o the thresholds for escalation and management of risks;
o how the Successful Tenderer will identify, prevent and manage risk of fraud in the performance of the Services; and
o how any instances of fraud or suspected fraud will be managed by the Successful Tenderer and reported to the Department.
Each Tenderer must:
o incorporate or otherwise address any comments or feedback on the Risk Management and Fraud Control Plan;
o comply with and implement the approved Risk Management and Fraud Control Plan over the Term of any Agreement;
o perform its obligations under any Agreement in a manner that facilitates identification, control, management and mitigation of the risks in connection with the Agreement, whether or not a risk is identified in the approved Risk Management and Fraud Control Plan;
o provide the Department with information and documents in relation to the Risk Management and Fraud Control Plan promptly on request by the Department; and
o promptly report to the Department on the status of the Risk Management and Fraud Control Plan, and any significant new or changed risks.
2.4.2.5 Outcomes related to a safe workplace
PR17
Workplace safety
Staff have a safe working environment that complies with work, health and safety standards
The preferred Tenderer must provide the Department with a Work Health and Safety (WHS) Plan for approval as follows:
o a draft at an agreed date during negotiations (if any) in relation to the Agreement;
o a final version incorporating any changes requested by the Department to be provided prior to Commencement Date;
o at a minimum, an update annually on the anniversary of the Commencement Date; and
o at other times where a review and update of the WHS Plan is appropriate to ensure the WHS Plan remains current.
The preferred Tenderer’s WHS Plan must, at a minimum, address the following:
o describe how the Successful Tenderer will comply with its WHS obligations under the Agreement and applicable legislation and any current industry standards and practice, including the Work Health and Safety Act 2011 (Cth);
o identify, prevent and manage the risk of work health and safety issues for Successful Tenderer staff in the performance of the Services;
o be consistent with AS/NZS 4801:2001 – Occupational Health and Safety Management System; and
o include policies and procedures relating to:
hazard control;
infection control, where appropriate;
occupational hygiene;
safety and security of persons working at a facility;
WHS training requirements for the Successful Tenderer’s personnel working onsite at a facility;
emergency and disaster management procedures in the event of cyclones and bushfires where relevant to risk; and
Successful Tenderer’s personnel support including post-incident management and debrief activities.
The Successful Tenderer must comply with the WHS Plan.
Environment
The Successful Tenderer must inform the Department about ozone depleting substances and hazardous substances that are used in the build, operation and maintenance of the Platform or the delivery of the Services.
The Successful Tenderer must inform the Department about any claims it makes regarding the environmental benefit associated with the build, operation and maintenance of the Platform or delivery of the Services. The Successful Tenderer must substantiate their claims and state how their claims take into account the provisions of any applicable legislation and Government policies that relate to the environment.
2.4.2.6 Outcomes related to access and equity
PR17a
Access and Equity
A stringent approach to providing an environment which understands and is aware of the needs of a diverse multicultural society
As part of Phase Two Tenders, Tenderers must demonstrate how they will comply with the Australian Government’s Multicultural Access and Equity Policy (the ‘policy’), including at a minimum, by demonstrating:
o a sound knowledge of the needs, circumstances, cultural and other characteristics of Clients and assessment of the direct impact of the Requirement on those Clients;
o how they will provide the Requirement to a culturally and linguistically diverse population, consistently with the policy; and
o that they have:
planning, implementation, monitoring and review mechanisms that incorporate the policy;
performance standards that use the cultural and linguistic diversity of personnel or their awareness of issues (Note: data collection on the Requirement, including on performance standards must be consistent with Standards for Statistics on Cultural and Language Diversity);
complaint mechanisms that enable people from culturally and linguistically diverse backgrounds to raise concerns about the Requirement provided; and
recruited, as relevant, culturally diverse employees, volunteers, grantees and subcontractors.
Information on the policy and related documents is available at https://archive.homeaffairs.gov.au/busi/engaging-with-the-department/contracts-and-tenders/multicultural-access-and-equity-policy-guidance-on-procurement-and-contracting.
The preferred Tenderer must provide the Department with a Multicultural Access and Equity Plan for approval as follows:
o a draft at an agreed date during negotiations (if any) in relation to the Agreement;
o a final version incorporating any changes requested by the Department to be provided prior to Commencement Date; and
o at a minimum, an update annually on the anniversary of the Commencement Date.
2.4.3 Service design and change
2.4.3.1 The Platform must be able to accommodate Change over the Term of any Agreement.
Changes that could be expected to be required include:
a) Technology enablement: the Platform is expected to become more
effective and efficient over time, and is flexible enough to easily
accommodate continuous improvements;
b) Maintenance: given that updates to software are expected to occur over
the Term of any Agreement, the Successful Tenderer must ensure that the
Platform continues to provide a high level of service by keeping the
Platform up to date and identifying and managing defects;
c) Policy and service design change: visa policy will continue to evolve
over the Term of any Agreement and the way in which the Services are
required to be delivered is subject to continual change. The Successful
Tenderer must support the Department in delivering policy and service
design changes. In particular, policy makers expect to be supported
through simulation of the impact of policy changes and sizing of the effort
required to implement and deliver these changes; and
d) Technology innovation: the Successful Tenderer is expected to
continually locate technological innovations and make recommendations
about enhancements to the Platform that could drive efficiencies and
improved user outcomes.
2.4.3.2 Technology enablement
2.4.3.3 The Department expects that the Platform will become more effective and efficient over time.
2.4.3.4 The Department therefore expects that the Platform will be developed in such a way that it is
flexible enough to quickly and easily implement small continuous improvements and respond
to identified defects.
PR18
Continuous improvement
Continuous improvement ensures that the Platform becomes more effective and efficient over the Term of any Agreement
The Successful Tenderer must ensure the Platform becomes more effective and efficient over time.
o For example, optimising the workflow engine to improve the user experience.
The Successful Tenderer must maintain a backlog of work that provides a continuous release of value to Departmental Users, Clients, Other Market Providers and Other Organisations.
PR19
Upgrade
Changes to the Platform are developed, tested and deployed efficiently
The Platform must support rolling upgrades with minimum impact on Platform availability (i.e. the Platform must support upgrades while remaining available). However, during an upgrade the Platform may reduce its capacity by up to 50 per cent.
The Platform must be highly serviceable within the limited scheduled outages; that is, the Platform must be easily and quickly maintained and repaired.
The Platform must have the ability to support a continuous integration capability, that is, the ability to integrate code into the main code branch on a continuous basis as required.
The release schedule for the Platform may be independent from the Department release schedule, however the release schedule must be approved by the Department.
Department APIs will be upgraded in line with the Department’s major and minor release schedule. Planned upgrades will be communicated to the Successful Tenderer.
PR20
Flexibility
Changes to the Platform are implemented quickly with minimal impact on the Services
The Platform must be developed in such a way that it is flexible enough to accommodate small, continuous improvements as minor releases and larger, more complex improvements as major releases.
The Platform must be able to be configured or re-configured without an outage.
The Platform should be developed in such a way that it can accommodate changes to departmental interfaces within scheduled outages, specifically changes to the information the Platform must provide to departmental systems and the information sent from departmental systems to be consumed by the Platform.
PR21
Testability
A testing strategy ensures that changes to the Platform function as intended
Each Tenderer must provide to the Department, and maintain, a testing strategy for approval in accordance with the following:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed;
o at a minimum, an update annually on the anniversary of the Commencement Date; and
o at other times where a review and update is appropriate to ensure the testing strategy remains current, including a review undertaken at the request of the Department.
The testing strategy must include, but is not limited to:
o unit testing;
o functional testing;
o integration testing;
o performance testing;
o smoke testing;
o regression testing; and
o user acceptance testing.
The Platform must support automated testing practices that cover a high percentage of system capability.
The testing strategy must consider impacts of a particular change on all users, in particular Departmental Users and interfaces with departmental systems.
The Successful Tenderer must comply with the testing strategy approved by the Department.
2.4.4 Maintenance
PR22
Currency
Software and products used to deliver the Platform must be kept current
The Successful Tenderer must ensure any software solutions and products used as part of the Platform are kept current and ‘in life’ for the Term of any Agreement.
Security patches must be deployed within the timeframes recommended by vendors or ASD.
o The Successful Tenderer must use the latest major version of the software solution and product within 12 months of it becoming available or as soon as possible where it addresses a security risk.
o The Department expects that appropriate testing will be undertaken by the Successful Tenderer before deploying security patches for compatibility and reliability with the other software solutions and products used as part of the Platform in accordance with the testing strategy approved by the Department.
The Successful Tenderer must have a comprehensive approach to configuration management that has been successfully implemented in a system of similar scale.
Each Tenderer must provide to the Department, and maintain, a configuration management strategy for approval in accordance with the following:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed;
o at a minimum, an update annually on the anniversary of the Commencement Date;
o at other times where a review and update is appropriate to ensure the configuration management strategy remains current, including a review undertaken at the request of the Department; and
o The configuration management strategy must track the configurations of, and relationships between, the various components used as part of the Platform, including software solutions and products.
PR23
Incident management
An incident management strategy will be implemented to ensure incidents are resolved in a timely and efficient manner
The Tenderer must develop a comprehensive incident management strategy for production incidents (also referred to as defects) for approval by the Department. Each Tenderer must provide the Department with:
o a draft as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed;
o at a minimum, an update annually on the anniversary of the Commencement Date; and
o at other times where a review and update is appropriate to ensure the incident management strategy remains current, including a review undertaken at the request of the Department.
Each Tenderer’s incident management strategy must at a minimum include:
o the full incident management lifecycle (identification, logging, severity classification, prioritisation, diagnosis, escalation, investigation, remediation, testing, implementation, resolution and recovery, maintenance);
o communication frameworks that support the implementation and governance of incident management; and
o the ability for any user (including the Department) to identify and report incidents.
The Successful Tenderer must ensure there is an ability for specific incident reports to be transferred between the Department’s incident management system/tools and the Platform’s incident management system/tools as necessary, and the ability for the Department to provide input on how incidents are prioritised.
Where incidents are related and have the same root cause (a problem), the Successful Tenderer must also have a comprehensive approach to problem management which must include the full problem management lifecycle (problem detection, logging, categorisation, prioritisation, investigation and diagnosis, resolution).
The Department will prioritise incidents to be addressed and will determine which incidents are addressed in a particular release.
Note: Information about the Department’s current incident management process will be made available in the Data Room.
2.4.5 Policy and service design change
2.4.5.1 The Australian Government, through the Parliament, has the authority and prerogative to set
the legislative policy framework and direction of Australia’s immigration system. From time to
time, the Department may also need to make adjustments to the way Government policy is
implemented.
2.4.5.2 The Department expects that the Platform will be responsive to these changes in policy, and
assist in simulating expected outcomes to evaluate different policy options.
2.4.5.3 The types of changes that can reasonably be expected include but are not limited to:
a) changes to validity criteria (e.g. the maximum age necessary to be eligible
for a particular visa);
b) changes to data collection requirements (e.g. changes to the specific data
that must be collected or the length of data fields);
c) changes to the types of validation or verification checks performed by the
Platform on information provided by Clients;
d) changes to which types of analyses are performed by the Platform on
information provided by Clients. For example, how average bank balance
is calculated or the types of analysis performed on a document to
determine if it has been tampered with;
e) changes to specific visa criteria, for example the dollar amount required to
satisfy the ‘adequate means of support’ criteria;
f) changes to the workflow associated with a particular visa; that is the
Business Rules which specify the next step(s) for an application depending
on the outcome of the previous step(s); and/or
g) new visa products including both wholly new visa products, and/or variants
of existing visa products.
2.4.5.4 The Department expects the Platform to be capable of being extended to accommodate
additional functionality including the delivery of all visa products, beyond those particular visa
products included in the scope of this Attachment A - Statement of Requirement, expanding
the health related functionality to include the creation and management of health cases, and
the development of a departmental appointment booking capability.
PR24
Developing policy options
The Platform can simulate the impact of changes to policy and service design
The Platform must include automated tools to simulate the impact of changes to policy and service design on a range of output parameters.
o This will enable Departmental Users to understand the likely impact of changes prior to implementation. For example, simulating the impact of changing information verification requirements on levels of manual work-effort.
PR25
Implementing change
Policy and service design changes are deployed quickly
The Successful Tenderer must implement Business Rule changes, in accordance with the timeframes and requirements set out in any Agreement.
PR26
Extending the Platform
The Platform can accommodate the additional functionality required to implement new temporary visa products, longer term visa products, permanent residence and citizenship and the ability to create health cases and the implementation of an appointment booking capability.
In addition to being flexible to policy change in relation to the visa products in scope of this Attachment A - Statement of Requirement, the Platform must be developed in such a way that it easily enables the inclusion of any additional functionality required to extend the Platform (including following foreshadowed future procurement processes). This includes the ability to:
o accommodate other longer term visa products, permanent residence and citizenship.
o accommodate new temporary visa products introduced by Government over the life of any Agreement.
o create health cases for an Applicant based on Business Rules determined by the Department.
o manage appointments and appointment bookings.
2.4.5.5 The Department expects that, over the Term of any Agreement, technological innovations will
become available that could improve the way the Platform achieves the outcomes or
requirements outlined in this Attachment A – Statement of Requirement. This could include,
for example, improvements that drive efficiency or the user experience.
2.4.5.6 These innovations are over and above the upgrades required to ensure software deployed as
part of the Platform remains current.
PR27
Identifying innovation
Potential technological innovations are identified and assessed for deployment as part of the Platform
The Successful Tenderer must continually identify potential technological innovations to the Platform to drive efficiencies and improved user outcomes.
o New automation technology and solutions should be geared towards increasing automation of the end-to-end visa journey within the bounds accepted by the Department.
o The Successful Tenderer must not pursue solutions that increase the work performed by the Department unless explicitly requested by the Department.
2.4.6 Platform interfaces and interoperability
2.4.6.1 For the Department to achieve its objectives from the new visa business operating model, the
Platform will need to operate in conjunction with systems maintained by the Department,
other Commonwealth Agencies and Other Market Providers.
2.4.6.2 The requirement to interface with these systems can reasonably be expected to change over
the term of the Agreement. The Successful Tenderer will need to ensure that the Platform is
able to interface with the required systems, including to add and/or remove interfaces to
systems in a timely way.
2.4.6.3 Interacting with systems of the Department
2.4.6.4 Interactions with systems of the Department will be managed through an Application
Programming Interface (API) gateway.
2.4.6.5 The Department anticipates the APIs will cover a range of domains, and currently expects
those domains to include but not be limited to:
a) information, which will be used by the Platform to supply visa-related data
and information to the Department;
b) identity, which will be used by the Platform to request identity resolution
and assurance from the Department and provide biographic and/or
biometric data to the Department, and used by the Department to return an
identity resolution outcome (a unique identity match or other outcome
requiring the Client to provide more information) or return an identity
assurance assessment outcome (which may require the Client to provide
more information);
c) records, which will be used to support records management;
d) finance, which will be used by the Department to provide the Platform with
an invoice for each visa Application at the time of lodgement;
e) risk, which will be used by the Platform to provide the Department with
information about Applicants and their Application, and will be used by the
Department to provide the Platform with a risk assessment;
f) traveller, which will be used to manage the visa lifecycle for a granted visa;
g) health, which will be used to enable the Platform to provide requests for
health assessments and to receive details of health assessments
undertaken;
h) identity access management, which will be used to enable the Platform to
apply access control to users;
i) Bookings, which will be used to enable the Platform to book and manage
appointments; and
j) Service Management, which will be used to enable the Platform to
integrate with the Department’s service management system.
2.4.6.6 The exact domains may be subject to change. Further details on the APIs the Department
intends to build and expose will be made available through the Data Room.
2.4.6.7 The Department will enable access to RESTful APIs, and any other integration interfaces as
specified by the Department. An enterprise event hub will publish events (callbacks) for the
Platform to consume.
2.4.6.8 The Platform will be required to publish events based on a set of agreed lifecycle change
points, which will allow departmental systems to subscribe to updates of interest. The Platform
will also be required to expose each resource stored on the Platform through RESTful GET
APIs, which give each departmental system access to any relevant information stored on the
Platform.
2.4.6.9 Required outcomes
PR28
Interfacing with the Department
The Platform interfaces with the Department as required
The Platform must interact with departmental systems, including intelligence and risk assessment capabilities, through the Department’s API gateway.
With any event driven distributed system, it is reasonable to assume that some events will be missed (e.g. because the subscriber system is down for longer than the time the message is available on the queue). Although rare, this will cause gradual misalignment between distributed data replicas. Therefore, as loss of data during normal operation must be minimised, the Platform must employ a compensation mechanism to ensure consistency.
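One way to build the compensation mechanism described in PR28, shown as an added example that is not part of the RFT: a subscriber applies events as they arrive and periodically sweeps the publisher's read API to repair anything a lost event left stale. The per-resource version number, the full-snapshot event format, the class names and the resource ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    resource_id: str
    version: int   # assumed: increases by 1 on every change to the resource
    state: dict    # assumed: full snapshot of the resource, not a delta


class Publisher:
    """Stands in for the authoritative side: emits events and serves GET."""

    def __init__(self):
        self._store = {}   # resource_id -> (version, state)

    def change(self, resource_id, state):
        version = self._store.get(resource_id, (0, None))[0] + 1
        self._store[resource_id] = (version, dict(state))
        return Event(resource_id, version, dict(state))

    def get(self, resource_id):
        # Equivalent of a GET on one resource.
        version, state = self._store[resource_id]
        return version, dict(state)

    def versions(self):
        # Equivalent of a cheap listing call returning ids and versions only.
        return {rid: v for rid, (v, _) in self._store.items()}


class Subscriber:
    """Holds a replica that events keep current and a sweep keeps honest."""

    def __init__(self):
        self.replica = {}     # resource_id -> (version, state)
        self.gaps_seen = []   # (resource_id, version held, version received)

    def on_event(self, ev):
        have = self.replica.get(ev.resource_id, (0, None))[0]
        if ev.version <= have:
            return False      # redelivery or stale event: idempotent no-op
        if ev.version > have + 1:
            # A gap proves an earlier event was lost. Because events are
            # snapshots the state is still correct; record it for monitoring.
            self.gaps_seen.append((ev.resource_id, have, ev.version))
        self.replica[ev.resource_id] = (ev.version, dict(ev.state))
        return True

    def reconcile(self, publisher):
        # Gap detection cannot see a lost event that was the last change to
        # a resource, because nothing later arrives to expose it. The sweep
        # compares versions and re-fetches whatever is behind or missing.
        repaired = []
        for rid, version in sorted(publisher.versions().items()):
            if self.replica.get(rid, (0, None))[0] < version:
                self.replica[rid] = publisher.get(rid)
                repaired.append(rid)
        return repaired


def run_missed_event_scenario():
    """Constructed scenario: two events are lost and one is redelivered."""
    pub, sub = Publisher(), Subscriber()
    e1 = pub.change("application/1001", {"status": "LODGED"})
    pub.change("application/1001", {"status": "ASSESSING"})   # event lost
    e3 = pub.change("application/1001", {"status": "DECIDED"})
    e4 = pub.change("application/1002", {"status": "LODGED"})
    pub.change("application/1002", {"status": "WITHDRAWN"})   # event lost
    applied = [sub.on_event(e) for e in (e1, e3, e3, e4)]
    stale_status = sub.replica["application/1002"][1]["status"]
    repaired = sub.reconcile(pub)
    truth = {rid: pub.get(rid) for rid in pub.versions()}
    return {
        "applied": applied,
        "gaps_seen": sub.gaps_seen,
        "status_1002_before_sweep": stale_status,
        "repaired": repaired,
        "consistent_after_sweep": sub.replica == truth,
        "second_sweep": sub.reconcile(pub),
    }


if __name__ == "__main__":
    for key, value in run_missed_event_scenario().items():
        print(f"{key}: {value}")
```

The lost WITHDRAWN event leaves no gap to detect, so only the sweep finds it; how often to run the sweep bounds how long the replicas can stay misaligned.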
PR29
Interfacing with other agencies
The Platform interfaces with other Australian Government systems as required
The Platform must have the capability to interface with a range of other Commonwealth Agencies and their systems, including but not limited to:
o a fully automated, near real-time interface with the Office of the Migration Agents Registration Authority (OMARA);
o a fully automated, near-real-time interface with the Document Verification Service (DVS);
o a fully automated, near-real-time interface with the Face Verification Service (FVS);
o a fully automated, near-real-time interface with the Australian Business Register;
o a fully automated, near-real-time link to any Australian Government issued digital identity service (e.g. GovPass);
o a fully automated interface with the Australian Taxation Office (ATO);
o a fully automated interface with the Australian Securities & Investments Commission (ASIC); and
o a fully automated interface with the Provider Registration and International Student Management System (PRISMS).
The Platform must have the capability to interface with a range of other Commonwealth Agencies as suitable opportunities are identified.
PR30
Interfacing with third parties
The Platform interfaces with third parties as required
The Platform must have the capability to interface with a range of other third party organisations including, but not limited to:
o a fully automated, near real time interface with Other Market Providers of assessment services (if required by the Other Market Provider);
o a fully automated, near-real-time interface with Client Services Providers (as required); and
o a fully automated, near-real-time interface with address validation services.
The Platform should have the capability to interface with a range of other third party organisations including, but not limited to:
o a fully automated, near-real-time interface with English language assessment providers;
o a fully automated, near-real-time interface with an Applicant’s financial institution;
o a fully automated, near-real-time interface with certified skills assessment bodies;
o a fully automated, near-real-time interface with education providers; and
o a fully automated, near-real-time interface with address validation services for countries other than Australia.
PR31
Interface changes
The Platform quickly and easily adapts to changes in interface requirements
The Platform must support major version changes to any departmental interfaces in alignment with the changes’ scheduled release timeframe.
o A major version change is one where previous versions of the interface can no longer be supported, because of either a significant system change or functionality that is no longer valid.
o Major version changes will be scheduled for release as determined by the Department.
The Platform must support minor version changes as soon as practical but no longer than three months after release by the Department.
o Minor version changes are non-breaking changes that add new features.
PR32
Open source
The Platform adheres to Australian Government direction to use open source software where appropriate
The Successful Tenderer must actively consider open source software throughout the provision of the Services in order to produce a product that demonstrates value for money and is fit for purpose. This may include incorporating open source software components together with proprietary software components.
2.5 Compliance requirements
2.5.1 Introduction
2.5.1.1 The Platform, including the security provided by the Platform, must comply with all laws,
Australian Government and departmental policies and all relevant standards. Some of the
specific requirements are set out in this section.
2.5.2 Data management
2.5.2.1 The Department anticipates the Platform will use or collect four types of data:
a) Content data: defined as data supporting the content on the various
channels including the website and mobile app. Examples of content data
include the Application questions, templates and logos, guidance for visa
Applicants, disclaimers, letters and compliance messages;
b) Applicant data: defined as data provided by Clients as part of the
Application process. Examples include account information (e.g.
username, password), an Applicant’s passport details, biometrics, financial
information, age and gender, Applicant correspondence and records,
metadata collected from Applicants during the Application process, risk
ratings and treatments, and details on opportunities provided by
employers. This includes data provided as part of draft Applications which
have not been lodged;
c) Operational data: defined as data describing the operation of the Core
Government Services. Examples include workflow data (e.g. number of
applications, progress of cases, and duration of manual tasks), data on
responses to marketing activities, data related to user support, issues logs,
security logs, audit logs and event logs. Operational data associated with
the Additional Commercial Services is not included; and
d) External data: defined as data not related to Applications or the provision
of Core Government Services, including data associated exclusively with
the Additional Commercial Services.
CR1 Data ownership
The Department will retain all rights, title and interest in and to data collected, created or modified by the Successful Tenderer in performing its obligations under any Agreement in relation to the Core Government Services, including data inputted by users into the Platform, and the Department will grant a licence to the Successful Tenderer to use the data only for the purpose of providing the Core Government Services. Further information is set out in Attachment D – Draft Agreement.
CR2 Data under management
The Successful Tenderer must work with the Department to develop a data model and data dictionary.
o The data model and data dictionary must be provided to and approved by the Department (specifically the Chief Data Officer) no later than six (6) months prior to the scheduled production release of the first visa product on the Platform.
o The data model and data dictionary work must be based on and be consistent with the data format and structure and the data model specified by the Department for its APIs (refer requirement CR3).
o Any changes to the data model over the Term of any Agreement must also be approved by the Department.
The Platform must store all Applicant data for the Term of the Agreement and any additional time required to migrate data to Department systems at the end of the Agreement, except in the case of biometric data in which case, following the provision of biometric data to the Department’s internal systems, the Platform may be required to remove this data based on Business Rules determined by the Department.
Where an Applicant updates a data element, the Platform must store both the previous element and the current element.
The Platform must be able to store both structured and unstructured Applicant data.
Applicant data will be classified based on the PSPF as either UNCLASSIFIED – Sensitive: Personal (which is expected to be the case for the majority of Applicant data) or PROTECTED – Sensitive: Personal (which is expected to be the case for a small proportion of Applicant data).
The Platform must store all operational data from the Platform for the Term of any Agreement and any additional time required to migrate data to Department systems at the end of the Agreement.
The Platform must store all content data for the Platform for the Term of any Agreement and any additional time required to migrate data to Department systems at the end of any Agreement.
The Platform will not be the ‘system of record’ (i.e. the authoritative data source) for an Applicant’s identity data.
The Platform will be the ‘system of record’ (i.e. the authoritative data source) for all operational data, as defined above.
CR3 Data transfer
The Successful Tenderer must have the capability to provide all Applicant data to the Department in near real-time; that is, upon the completion of each relevant section of a visa Application, in line with ISO16175.
In addition, the Successful Tenderer will be required to provide a range of data through Department provided APIs, as detailed in PR28 and information made available in the Data Room.
The Successful Tenderer must be able to periodically provide the Department a portable, unencrypted, and generally consumable record of all data contained within the Platform and any other data required by the Department.
o The Successful Tenderer must be able to do this at the Department’s request and in the format specified by the Department (e.g. CSV, XML tables, SQL tables).
o It is anticipated that the Department will require this data prior to any major upgrade as well as on a regular schedule.
o The Department will establish the protocols for the transfer of the portable record, which the Successful Tenderer must adhere to.
CR4 Data access
The Platform must have role-based security access controls to ensure that only those with appropriate authority are able to access and modify data stored on the Platform. This must include:
o Client-level security access controls to ensure only the Client who originally supplied the information and the supporting documentation is able to access and/or modify it; and
o Client-level security access controls to allow a Client to nominate an additional person, or people, (such as a Registered Migration Agent) to have access to their supplied information and supporting documentation. These controls must by default include the ability to automatically limit access after a particular period of time or after a particular event such as when a visa Application Decision has been made.
The Platform must have a real time audit trail that records what data is accessed and/or modified by each user and when.
o The audit trail must extend to system administrators as well as users of the Platform.
o The audit trail must be securely stored to prevent deletion or modification.
The Platform must notify the Department within 24 hours if there are any attempts by users to access and/or modify data where they do not have the authority and/or if any user exhibits unusual data access patterns (even if they have relevant approval).
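The CR4 controls sketched as an added example that is not part of the RFT: Client-nominated access that lapses after a period or once a decision is made, with every attempt, allowed or denied, written to a hash-chained audit trail. The class names, the 90-day default period and the sample identities are assumptions constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log in which each entry's hash covers the previous hash.

    The chain makes edits and mid-log deletions detectable; it does not stop
    them. Detecting removal of the newest entries also requires keeping the
    latest hash somewhere the Platform's administrators cannot write.
    """

    def __init__(self):
        self.entries = []

    def append(self, when, actor, action, record_id, allowed):
        body = {"when": when.isoformat(), "actor": actor, "action": action,
                "record": record_id, "allowed": allowed,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": _digest(body)})

    def first_bad_entry(self):
        """Index of the first entry that fails verification, or None."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return index
            prev = entry["hash"]
        return None

    def denied(self):
        """Entries that would feed the unauthorised-access notification."""
        return [e for e in self.entries if not e["allowed"]]


@dataclass
class Delegation:
    expires_at: datetime
    ends_on_decision: bool = True


@dataclass
class ClientRecord:
    record_id: str
    owner: str
    decision_made: bool = False
    delegations: dict = field(default_factory=dict)   # delegate -> Delegation


class AccessController:
    DEFAULT_TTL = timedelta(days=90)   # assumed default, not from the RFT

    def __init__(self, audit):
        self.audit = audit

    def nominate(self, record, actor, delegate, now, ttl=None, ends_on_decision=True):
        allowed = actor == record.owner   # only the Client may nominate
        if allowed:
            period = ttl if ttl is not None else self.DEFAULT_TTL
            record.delegations[delegate] = Delegation(now + period, ends_on_decision)
        self.audit.append(now, actor, "nominate", record.record_id, allowed)
        return allowed

    def access(self, record, actor, action, now):
        allowed = actor == record.owner
        grant = record.delegations.get(actor)
        if not allowed and grant is not None:
            expired = now >= grant.expires_at
            ended = grant.ends_on_decision and record.decision_made
            allowed = not (expired or ended)
        self.audit.append(now, actor, action, record.record_id, allowed)
        return allowed


def run_access_scenario():
    """Constructed scenario: one Client, an agent and a second nominee."""
    t0 = datetime(2019, 7, 1, 9, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    audit = AuditTrail()
    ac = AccessController(audit)
    rec = ClientRecord("application/1001", owner="client-a")
    out = {
        "agent_before_nomination": ac.access(rec, "agent-b", "read", t0),
        "agent_self_nominates": ac.nominate(rec, "agent-b", "agent-b", t0),
        "owner_nominates": ac.nominate(rec, "client-a", "agent-b", t0),
        "agent_after_nomination": ac.access(rec, "agent-b", "modify", t0 + day),
    }
    rec.decision_made = True
    out["agent_after_decision"] = ac.access(rec, "agent-b", "read", t0 + 2 * day)
    ac.nominate(rec, "client-a", "relative-c", t0, ttl=7 * day, ends_on_decision=False)
    out["relative_day_3"] = ac.access(rec, "relative-c", "read", t0 + 3 * day)
    out["relative_day_8"] = ac.access(rec, "relative-c", "read", t0 + 8 * day)
    out["denied_events"] = len(audit.denied())
    out["chain_before_tamper"] = audit.first_bad_entry()
    audit.entries[3]["actor"] = "client-a"   # simulate an edited log entry
    out["chain_after_tamper"] = audit.first_bad_entry()
    return out
```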
CR5 Data breach
The Successful Tenderer must notify the Department immediately in the event of a data breach or suspected data breach and assist the Department to meet its obligations under the notifiable data breaches scheme in Part IIIC of the Privacy Act 1988 (Cth).
The Successful Tenderer must put in place appropriate measures to ensure a similar data breach does not occur again.
The Department may choose to:
o provide reasonable assistance to the Successful Tenderer in relation to the investigation; and
o further investigate any data breach or suspected data breach and may require the Successful Tenderer to put in place additional measures as a result of its investigation.
CR6 Data quality
The Platform must be able to track and report on the completeness and validity of key data contained within it. The specific data that the Platform will be responsible for validating will be defined at a later stage.
CR7 Data storage
Applicant data, including all data, information and any supporting documentation collected from clients or third party organisations acting on the Department’s behalf as part of Application lodgement and assessment is deemed, under the PSPF and Information Security Manual (ISM), to be official information and as such, must be held and stored in Australia.
Content data and operational data as defined above must be held and stored in Australia.
If the Successful Tenderer intends to use a cloud solution for delivery of any part of the Platform then, in order to meet the ISM requirement for the protection of information, the Successful Tenderer must only use outsourced cloud services listed on ASD’s Certified Cloud Services List (CCSL). These certified cloud services are located in Australia.
If the Platform uses cloud services or data centres, they must comply with the following Commonwealth policies (in addition to ISM and PSPF):
o gateway certification by the Australian Signals Directorate (ASD)
o ASIO-T4 protective security audit of data centre by the Australian Security Intelligence Organisation (ASIO).
The Successful Tenderer must:
o create, maintain, store securely and transfer records to the Department in accordance with the Australian and International Standard for Records Management, AS ISO 15489;
o produce timely, legible, accurate and comprehensive records of all services provided;
o ensure any backups have been validated to be accurate and tested to ensure they can be used to restore data;
o ensure that no record is inappropriately accessed, removed, lost, corrupted or misplaced;
o notify the Department within 24 hours if any record is inappropriately accessed, removed, lost, corrupted or misplaced; and
o ensure, in accordance with the Archives Act 1983 (Cth), Administrative Functions Disposal Authority (AFDA), that system logs which are used to show a history of access or change to data (e.g. system access logs, internet access logs, system change logs and audit trails) are retained for seven (7) years.
Data collected, managed, stored, used and/or created by the Platform must be encrypted both at rest and for transport. The Successful Tenderer may propose the specific form of encryption, however it must be approved by the Department.
The Platform must have adequate storage capacity to store any data required for the operation of the Platform. The Successful Tenderer will be responsible for determining the exact storage capacity required, based on the volume data made available by the Department.
CR8 Data privacy
The Successful Tenderer must ensure identifying information, as defined under the Migration Act 1958 (Cth), is handled in accordance with the obligations under Part 4A of the Migration Act 1958 (Cth). This includes activities relating to access, disclosure, unauthorised modification and retention of identifying information.
The Successful Tenderer must ensure Personal Information will be collected, handled, stored and managed in accordance with the Privacy Act 1988 (including the Australian Privacy Principles) and any relevant instruments or codes made under that Act, such as the notifiable data breach scheme.
The Successful Tenderer must comply with the General Data Protection Regulation of the European Union and similar regulations of other states, insofar as it is applicable to the Successful Tenderer, or as otherwise required by the Department.
The Successful Tenderer must put in place processes for obtaining and recording Client consent for the collection, use and disclosure of Personal Information.
The Successful Tenderer must deliver clear separation between production and non-production (testing and staging) environments to ensure use of production data is restricted to the production environment only.
Note: The Department requires all of its service providers and contractors, including the Successful Tenderer (if any) to comply with the EU GDPR, if applicable to their activities.
CR9 Data secrecy
The Successful Tenderer must ensure data will be collected, handled, stored and managed in accordance with applicable secrecy provisions in relevant legislation, including in particular:
o Migration Act 1958 (Cth);
o Australian Border Force Act 2015 (Cth);
o Australian Citizenship Act 2007 (Cth); and
o Taxation Administration Act 1953 (Cth) (relevant to tax file numbers and taxation information).
The Successful Tenderer must put in place processes for obtaining and recording Client consent for the collection, use and disclosure of data subject to secrecy provisions.
Note: Consent is not a defence to the unauthorised recording, use or disclosure of tax file numbers and taxation information under the Taxation Administration Act 1953 (Cth).
2.5.3 Security
2.5.3.1 Security policies, standards and frameworks
CR10 Protective Security Policy Framework (PSPF)
The Successful Tenderer must comply with the Protective Security Policy Framework (PSPF). Requirements of the PSPF are incorporated into the Department’s Security Practice Statement (https://www.protectivesecurity.gov.au/Pages/default.aspx).
CR11 Information Security Manual (ISM – 2017)
The Successful Tenderer must comply with the Australian Government Information Security Manual (https://asd.gov.au/infosec/ism/index.htm).
The Successful Tenderer must have cyber security controls in place to protect the security and privacy of information processed, stored and transmitted on behalf of the Department. The Successful Tenderer will be assessed, certified and accredited against the Information Security Manual at the appropriate classification level for the information that they are collecting, storing and/or processing.
CR12 ASD Top 4 and Essential Eight
The Successful Tenderer must implement the ACSC top 4 mitigation strategies (https://acsc.gov.au/publications/protect/top_4_mitigations.htm).
The Essential Eight mitigation strategies encompass the top 4 mitigation strategies and include four more strategies to prevent malware running, to limit the extent of incidents and to enable the recovery of data. The Successful Tenderer should comply with the Essential Eight (https://asd.gov.au/infosec/mitigationstrategies.htm).
CR13 ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirement
ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.
The Successful Tenderer must have their information security management system certified to ISO/IEC 27001.
CR14 ISO/IEC 27034 – Information Technology – Security Techniques – Application security
ISO/IEC 27034 – Information Technology – Security Techniques – Application security provides a systematic approach that guides organisations to implement security concepts, principles, and processes in the application security structure.
The Successful Tenderer must have their systems development life cycle certified to ISO/IEC 27034.
CR15 Department Security Practice Statement
The Successful Tenderer must comply with the Department’s Security Practice Statement, which sets out a protective security framework for the Department.
CR16 Department Enterprise Architecture Principles
The Department’s Enterprise Architecture Principles provide a foundation for achieving strategic outcomes, as they establish the basis for a set of rules and behaviours for an organisation, particularly in relation to the strategic priorities for ICT and the practice of security design.
The Successful Tenderer must comply with Department Enterprise Architecture Principles, which include the security architecture principles described in CR22.
CR17 Payment Card Industry Data Security Standard
Payments must be processed securely by the Successful Tenderer. The payment processing systems, whether internal or external, must comply with the industry standard Payment Card Industry Data Security Standard (PCI-DSS).
CR18 AS/NZS ISO 31000:2009 Risk Management and Guidelines, and Australian Standards HB 167:2006 Security Risk Management
The Department has a mature risk management framework that is based on ISO 31000:2009 and incorporates HB 167 (refer to the Department Risk Management Policy).
The Successful Tenderer must comply with AS/NZS ISO 31000:2009 Risk Management and Guidelines, and Australian Standards HB 167:2006 Security Risk Management.
CR19 Physical Security of ICT Equipment
The Successful Tenderer's data processing and storage facilities must comply with PSPF Requirement for a Zone 2 area, as documented in “Australian Government physical security management guidelines - Physical security of ICT equipment, systems and facilities”, and independently assessed by a SCEC endorsed assessor.
2.5.3.2 Security documentation
CR20 Security compliance statements
The Successful Tenderer must supply annual Security Compliance Statements to the Department, confirming the following:
o all Services are being delivered in accordance with the Australian Government Protective Security Policy Framework, Information Security Manual and Department’s security policies. This explicitly includes verification of the correct disposal of any decommissioned assets;
o the annual security Information Security Registered Assessors Programme (IRAP) assessments have been completed, reports provided to the Department and any required security remediation plans have been developed and implemented; and
o all Successful Tenderer Personnel working on the Platform have the appropriate security clearance and qualifications.
Where any of the above requirements have not been achieved, the non-compliance is documented in the Security Compliance Statement including what actions were taken to mitigate and address the non-compliance.
CR21 External Service Successful Tenderer Security Responsibilities and Requirement document
The Successful Tenderer must specify to the Department their detailed roles and responsibilities, in compliance with their security obligations, in an external service Successful Tenderer security responsibilities and requirements document. This will provide a clear understanding of the broader security responsibilities in the provision of contracted services.
To gain the level of assurance that the contracted services are compliant, the document will include sections for “External Security Successful Tenderer Security Controls” and “Technical Solution Documentation” which provide information regarding the provision and collection of evidence that is required for the Department to undertake due diligence activities.
Each Tenderer must provide the Department with:
o a draft Security Responsibilities and Requirement document as part of their Phase Two Tender;
o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed;
o at a minimum, an update annually on the anniversary of the Commencement Date; and
o at other times where a review and update is appropriate to ensure the security responsibility and requirement document remains current, including a review undertaken at the request of the Department.
2.5.3.3 Security principles
CR22 Security architecture principles
Selection and implementation of Platform security controls must be based on sound risk assessment. It must reflect the value and sensitivity of the digital assets that are being protected, as well as the threats to the Platform.
Solutions must be designed, implemented, operated and maintained in accordance with Australian Governmental and departmental security requirements.
Solutions must support and enable the fundamental requirement that there is strong accountability for the use of and access to departmental information resources.
CR23 Design principles
Platform security must be designed to defend against deliberate malicious actions.
Platform security must be designed so that the Platform can continue to function as intended in a trustworthy and reliable manner in spite of deliberate attack or partial compromise.
Platform security must be designed so that failure or inadequacy of preventative controls will be detected and response controls must be in place to detect and contain the impact of failure.
Layers of diverse security controls must be implemented so that any one control failure will not result in a complete loss of security. Defence-in-depth protection should be built into the Platform.
Platform security must be designed with resilience in the face of deliberate attack.
The security of the Platform or a security mechanism should not depend on the secrecy of its design or implementation.
Security mechanisms should be as simple as possible.
Platform security must be designed with mechanisms (audit, access logging) which enable users to be held accountable for their actions.
Platform security must be designed to rely on enterprise security capabilities which include but are not limited to: identity, credential and access management; system event logging; monitoring and auditing; single sign-on (where implemented), patch management, system wide confidentiality and governance. These security capabilities need to be employed in a consistent manner across all the systems which make up the Platform.
Platform security must be designed based on either departmental approved security patterns or in their absence industry standard security patterns.
Platform security must be applied using departmental security principles to the development of the design.
Prescribed templates must be used for communicating the security design to stakeholders.
CR24 Platform principles
An entity (user or software) should have the least privilege necessary to carry out their responsibilities for the minimum time necessary.
High privilege operations must be removed from components which are interacted with by external entities (user or software) and assigned to a separate higher assurance component.
The Platform should depend on secure defaults and in the event of failure, should deny access.
Every access to a resource should be checked to ensure it is allowed.
Access to a resource should not be granted on the basis of a single condition.
Mechanisms used to access resources should not be shared.
Platform functions, interfaces, channels, methods and data which could be accessible to a malicious actor should be minimised.
The elements that need to be trusted, including system components, Client software, actual users and other systems should be minimised.
2.5.3.4 Technical security requirements
CR25 Platform security mechanisms
The Platform must enforce departmental access control requirements. Access to a system, its interfaces, components, functions, services, resources and data must be restricted to those authorised for use and access.
The Platform must audit use and access. Log events recorded must include authorised activity, privileged use, security violations, suspicious behaviour and clear malicious activity.
The Platform must monitor activity and state to identify and escalate security violations, non-compliance, suspicious behaviour and malicious activity.
The Platform must provide a reporting function over security activity and state.
The Platform must provide a management function so that system users, credentials, access, keys, secrets, policies and configuration can be managed.
The Platform must propagate the identity of the user initiating the business process/transaction to dependent systems for audit purposes.
CR26 Platform security qualities
The level of security protection must reflect the threats to, the criticality of, and the risks to the Platform.
The Platform security mechanisms should be as simple as possible.
The Platform must be implemented defensively.
The Platform should resist deliberate attack.
The Platform should be resilient in the face of deliberate attack.
The Platform should be dependable in fulfilling its mission in the face of deliberate attack.
CR27 Platform security constraints
The Platform must include security mechanisms which secure information held by or passing through the Platform against unauthorised use, disclosure, interception, modification, fabrication, disruption and destruction.
The Platform security mechanisms must be secured against unauthorised use, disclosure, escalation, interception, modification, fabrication, disruption, destruction and avoidance.
The Platform should implement consistent security mechanisms, provided by enterprise security capabilities (refer CR23 in relation to design principles), across all of its systems.
2.5.3.5 Non-technical security requirements
CR28 Platform classification
The Platform must be formally classified in accordance with Australian Government classification framework.
The Platform must not process, store or communicate information above the classification for which the system has received accreditation.
Any departmental staff member or employee of the Successful Tenderer requiring access to any departmental information or Business Rules classified at Unclassified up to Protected requires, as a minimum, a current Australian Government Baseline security clearance.
CR29 Security architecture work products
The Platform must have its security design documented in the architecture work products as required by the Department, including the Security Solution Architecture.
2.5.3.6 Approval and accreditation
CR30 System security Accreditation Framework
The Department’s System Security Accreditation Framework outlines the framework to ensure activities are performed to identify security risks and manage them to an acceptable level as part of formal accreditation.
The System Security Accreditation Framework is a combination of accountable security artefacts, including but not limited to:
o security risk management plan – identifies security risks and appropriate mitigation measures for systems.
o system security plan – provides details of how security requirements are implemented in a system and how the required security controls will protect departmental and Client information.
o standard operating procedure(s) – ensures that security procedures are followed in an appropriate and repeatable manner; and
o incident management plan – provides details of how an incident will be detected, managed, communicated and resolved.
Depending upon the complexity of a system, additional components may be required to satisfy the Department’s accreditation objectives.
The Successful Tenderer must prepare the documents set out above in consultation with the Department's Cyber Risk Services Branch, and the documents must be provided before any Agreement is signed.
The Successful Tenderer must undertake an independent assessment of security compliance, initially prior to production cutover and then biennially. Independence can be demonstrated by the Successful Tenderer engaging a qualified Information Security Registered Assessor Program assessor at the Successful Tenderer's cost.
The Successful Tenderer must ensure the security documents, plans and procedures are reviewed annually or when a significant change or increase in threat exposure to the system occurs. The Department may require the Platform to undergo a more regular or rigorous review at any time.
CR31 CISO Approval
The Department Risk Management Policy outlines the Department’s approach to risk through assessments, monitoring and mitigation activities. Security risk assessments are conducted for new and existing ICT systems and applications to ensure that appropriate, cost-effective information security controls are implemented. The Platform must undergo accreditation activities and be formally approved by the Department.
CR32 Security design approval
The Platform high-level design must be supported by a Solution Security Architecture document, developed by the Successful Tenderer and provided before any Agreement is signed, which outlines the application of security principles and consideration of the Department’s security requirements, the ISM and the PSPF. This document is required to demonstrate that effective security will be built into the Platform.
2.5.4 Compliance with Commonwealth legislation, laws and policies
CR35 Record keeping
The Successful Tenderer must comply with General Records Authority 40 2017/00045834 – Transfer of custody of records under Australian Government outsourcing arrangements.
CR36 Trade Sanctions
The Successful Tenderer must comply with any trade sanctions that apply to the Services to be provided by the Successful Tenderer under any Agreement.
CR37 National Identity Security Strategy (NISS)
In the Platform’s interaction with the Department’s identity management capability, the Platform must be consistent with the described principles, objectives and goals outlined in the Australian Government National Identity Security Strategy (NISS) and consistent with the associated identity security guidelines and standards.
The NISS will be made available to Tenderers in the Data Room.
CR38 Trusted Digital Identity Framework
The Platform must comply with the Trusted Digital Identity Framework for the identity and access management solution and processes.
Refer to https://www.dta.gov.au/what-we-do/policies-and-programs/identity/join-the-identity-federation/accreditation-and-onboarding/trusted-digital-identity-framework/.
CR41 Data security, storage and records management policies
The Successful Tenderer must comply with the following legislation and policies:
o Archives Act 1983 (Cth) and Archives Regulations 2018 (Cth);
for additional non-legislative resources such as record keeping standards, policies and guidance material, please see the National Archives of Australia's website: http://www.naa.gov.au/information-management. Relevant resources include General Records Authorities, Digital Continuity 2020 Policy, Guidelines on Records Issues for Outsourcing, and ISO 16175 (Principles and Functional Requirement for Records in Electronic Office Environments);
o Data-matching Program (Assistance and Tax) Act 1990 (Cth);
o Electronic Transactions Act 1999 (Cth);
o Electronic Transactions Regulations 2000 (Cth);
o Evidence Act 1995 (Cth);
o Freedom of Information Act 1982 (Cth) – see in particular s 6C (provision of documents by contracted service providers)
additional FOI resources such as guidelines and fact sheets issued by the Office of the Australian Information Commissioner, such as the guidelines issued by the Australian Information Commissioner under s 93A of the Freedom of Information Act 1982 (Cth), which are available at https://www.oaic.gov.au/;
o Guidelines for the Conduct of the Data-Matching Program (Cth) (made under s 12(2) of the Data-matching Program (Assistance and Tax) Act 1990 (Cth)); and
o Public Governance, Performance and Accountability Act 2013 (Cth).
CR43 Crime
The Successful Tenderer must not breach the Cybercrimes Act 2001 (Cth) and Crimes Act 1914 (Cth).
CR45 Disability
The Successful Tenderer must comply with the Disability Discrimination Act 1992 (Cth).
2.6 Delivery approach
2.6.1 Introduction
2.6.1.1 Delivery approach refers to the approach taken to finance, build, operate and maintain the
Platform over the Term of any Agreement, including all activities performed by the
Successful Tenderer and the Department to release visa products on the Platform. As part of
outlining proposed governance and decision making structures, Tenderers should include in
their Phase Two Tenders a description of how they see those arrangements and broader
relationship working in practice, as well as the structurally focused elements.
2.6.1.2 The Successful Tenderer is responsible for delivering the Platform, and is expected to work
collaboratively with the Department in doing so, in keeping with governance arrangements to
be set out in the Agreement. The ability of the Successful Tenderer to work in a partnership
with the Department will be critical to the success of the proposed approach. This will rest on
both the proper functioning of the formal governance structures and decision making
arrangements set out in the Agreement, as well as on the culture and behaviour the
Successful Tenderer and the Department bring to the necessary collaboration and
cooperative work effort in delivering visa services for Australia. The Successful Tenderer will
be expected to:
a) deliver to the visa product release timeline and quality standards specified
in the Agreement;
b) actively engage with the Department where required in the development of
Business Rules for determination by the Department, and in the delivery of
visa services using the Platform;
c) support the Department’s sovereign functions and responsibilities,
including in relation to policy, decision making, and national security;
d) minimise transitional and operational risk to deliver timely and measurable
benefits to the Australian Government;
e) identify innovative ideas and opportunities to improve the operation and
capability of the Platform; and
f) demonstrate a collaborative and cooperative approach to working with the
Department to implement the Agreement.
2.6.1.3 Delivery is considered to include the following activities as described in section 2.4 –
Required outcomes of the Platform and Successful Tenderer of this Attachment A –
Statement of Requirement:
a) build, defined as creating the capability required to deliver a user outcome
or component of an end-to-end visa product as defined in this Statement of
Requirement;
b) operate, defined as activities required to perform the basic operations of
the Platform, including to provide support to Platform users;
c) maintenance, defined as activities required to ensure compliance on an
ongoing basis with the Statement of Requirement, including incident and
problem management;
d) continuous improvement, defined as activities driven by the Successful
Tenderer to reduce operational costs or improve defined operational key
performance indicators;
e) innovation, defined as the identification, incubation and/or implementation
of significant technological innovations that are intended to drive a
step-change in performance, functionality and/or effectiveness of the
Platform;
f) policy and service design change, defined as activities required to ensure
compliance with policy or service design changes due to:
i. a change in legislation, policy and/or procedure; or
ii. implementation of a new visa product;
iii. cessation/grandfathering/transitioning old visa products;
g) Modification, defined as incorporating a decision to change the scope of
the Services to be delivered over the Platform (necessitating a change to
this Attachment A – Statement of Requirement and an amendment to any
Agreement).
2.6.2 Delivery plan
2.6.2.1 Product sequencing
2.6.2.2 The Department’s expectation is that the first visa product will be released in the first half of
2021 and subsequent visas will be progressively rolled out. Tenderers will be invited to outline
their proposed rollout schedules as part of the Structured Dialogue Process (see Part 3 – RFT
Process).
2.6.2.3 The Department defines ‘released’ as having an eligible Client able to apply through the
Platform and be processed and decided on the Platform for the relevant visa product.
2.6.2.4 Interfacing with the Department and other third parties
2.6.2.5 To enable the Platform to undertake its various functions, the Platform must interact with a
number of departmental systems through a departmental API gateway and any other
integration interfaces as specified by the Department. The final API high-level structure along
with any other identified integration capabilities will be made available via the Data Room.
2.6.2.6 The Department is responsible for ensuring that any contracts covering services delivered by
Other Market Providers have considered integration with the Core Government Services
delivered by the Platform.
2.6.2.7 The Department is responsible for maintaining contractual relationships with Other Market
Providers it determines are necessary to support the delivery of Australia’s visa and
citizenship framework. The Successful Tenderer is responsible for ensuring Other Market
Providers can interface with and access the Platform as determined by the Business Rules (refer
requirement PR30).
2.6.3 Governance
2.6.3.1 As part of Phase 1 Responses, Tenderers provided views regarding proposed governance
arrangements over the term of any Agreement.
2.6.3.2 As part of Phase 2 Structured Dialogues Tenderers will be invited to expand on those
proposed arrangements including in light of relevant accounting standards.
2.6.3.3 In preparing a response, Tenderers should consider the following:
a) Notwithstanding the proposed commercial arrangements for delivering the
Platform, the Australian Government is and will remain accountable for the
delivery of Australia’s visa system.
b) The Platform will be financed, built, operated and maintained by the
Successful Tenderer.
c) The Commonwealth will not direct or control the day to day operations of
the Successful Tenderer.
d) However, the Department will exercise protective controls as set out in
any Agreement in relation to protection of Commonwealth interests
including national security.
e) The Department will determine the Platform Business Rules.
f) The Department and the Successful Tenderer will work collaboratively and
co-operatively together but with clearly defined roles and responsibilities
(as set out in any Agreement).
2.6.3.4 The Department expects that governance bodies would normally exist over the Term of any
Agreement, but intensity and focus may shift over time to reflect the evolving focus of work
required to build and operate the Platform.
2.6.3.5 The Department also expects:
a) governance will be based on the APSC Governance Framework
incorporating the principles of accountability, transparency/openness,
integrity, stewardship, efficiency and leadership;
b) the Department and Successful Tenderer will maintain their own separate
governance arrangements. Neither will be a sitting member of the other’s
governance bodies but may be required to attend and participate;
c) in accordance with any Agreement there will be formal governance
bodies to govern the operation of the Platform, that the Department will
chair; and
d) there will be regular governance meetings between entities in relation to
identified topics such as deliverables and design.
2.6.3.6 The Tenderers must provide the Department with proposed governance arrangements for
approval as follows:
a) a draft as part of their Phase Two Tender;
b) a final version incorporating any changes requested by the Department is
to be provided by the preferred Tenderer before any Agreement is signed;
and
c) governance arrangements will be reviewed annually.
2.7 Out of scope services
2.7.1 The following services and functions are out of scope and not included in the Services:
a) in-person or human-delivered client services and visa processing services,
including:
i. Client acquisition through non-digital channels e.g. storefronts;
ii. human-run or specialist client services, data collection and verification
processes (e.g. in-person or over-the-phone) either within or outside
of Australia;
iii. non-automated translation services;
iv. in-person biometric collection or verification services, including
provision of biometrics collection at the departing port or upon arrival
in Australia; and
v. non-digital visa processing capabilities;
b) risk or security-related assessments, including risk tiering across all
criteria. All risk and security-related assessments will be performed by the
Department’s risk function;
c) identity resolution and identity assurance activities;
d) direct verification of foreign travel documents with the issuing authority,
and direct verification of biometrics against Australian Government sources
(excluding verification against DVS and FVS);
e) health case creation (including which medical examinations are required),
automated health assessments, management of health undertakings, or
the provision of health information to external users to inform refugee
settlements;
f) health services for Applicants within Australia or overseas;
i. this includes performing medical examinations and performing
manual health assessments, in the case where an Applicant cannot
be auto-cleared;
g) provision of an interface for Applicants to record their medical history or
for physicians to record the results of health examinations;
h) collection of non-disclosed information about an Applicant through API
scrapes e.g. scraping social media profiles;
i) services relating to border management and clearance;
j) services to enable the processing of visas not specified as being part of the
Services;
k) services relating to the management of contracts with Other Market
Providers; and
l) services relating to organisational design for the Department and
change management.
Section 3: Additional Commercial Services
3.1 Introduction
3.1.1 Additional Commercial Services
3.1.1.1 This section should be read in conjunction with:
a) paragraph 2.3.2 of Part 2 – Overview that provides a description of the
Additional Commercial Services that may be delivered by the Platform;
b) Attachment D - Draft Agreement; and
c) Part 4 – Commercial Parameters and Settings that contains clauses
relevant to funding the development and operation of any
Additional Commercial Services, as well as revenue sharing arrangements
(including in relation to indemnification of the Department).
3.1.1.2 The opportunity to provide Additional Commercial Services is available to the
Successful Tenderer only as a direct result of the Client’s interaction with the
Australian Government in the course of applying for a visa, Sponsorship or Nomination.
Therefore, the Department will maintain strong and strict governance controls in relation to
the provision of any Additional Commercial Services.
3.1.1.3 All providers of, and the nature of any, Additional Commercial Services will require prior
approval of the Department.
3.1.2 Implementing Additional Commercial Services
3.1.2.1 Proposed Additional Commercial Services will be implemented as set out in the Agreement.
3.1.2.2 While the restrictions refer to ‘the Successful Tenderer’, certain restrictions extend beyond the
Successful Tenderer to third parties the Successful Tenderer engages with, or partners with,
to deliver any Additional Commercial Services.
3.2 Governance
3.2.1 Submission of opportunities to the Department
3.2.1.1 The Successful Tenderer must submit a business case for each Additional Commercial
Service opportunity to the Department for consideration. The business case for each
opportunity will at a minimum include:
a) a description of the opportunity;
b) a plan for how the Successful Tenderer will develop, implement and
operate the opportunity;
c) the costs of developing, financing, implementing, and operating the
opportunity;
d) the expected revenue and benefits profile from providing the opportunity;
e) interdependencies with the delivery or operation of the Core Government
Services, or with the operation of the Department or Commonwealth; and
f) any risks to the delivery or operation of the Platform, or with the operations
or reputation of the Department or Commonwealth.
3.2.1.2 The mechanism and process for the submission of business cases, and timeframes for the
Department to consider opportunities, will be finalised in conjunction with the overall
governance arrangements.
3.2.2 Department consideration of opportunities
3.2.2.1 The Department will evaluate the business case for each Additional Commercial Service
opportunity and retains absolute discretion (i.e. including a veto) over which opportunities may
be implemented or continue to be offered to Clients.
3.2.2.2 The Successful Tenderer must not pursue any Additional Commercial Services, in full or in
part, except in strict compliance with the Department’s approval including any conditions
attached to that approval.
3.2.3 Review
3.2.3.1 Prior to release of an Additional Commercial Service opportunity to Clients, the Department
will conduct a review of how the opportunity has been developed and will be implemented.
3.2.3.2 The Department may provide feedback to the Successful Tenderer following its review, which
may require the Successful Tenderer to undertake changes to the way the opportunity would
be delivered. It is anticipated that this would only occur if the way the opportunity would be
delivered violated (or was at risk of violating) the restrictions, would not meet the
Department’s requirements or objectives as outlined in this RFT, or was materially different
from what was initially proposed in the business case.
3.2.3.3 The Department will also conduct regular ongoing reviews of each opportunity once launched.
The Department may provide feedback to the Successful Tenderer following its reviews,
which may require the Successful Tenderer to undertake changes to the way the opportunity
is delivered. It is anticipated that this would only occur if the way an opportunity was being
delivered caused it to violate (or was at risk of violating) the restrictions, would not meet the
Department’s requirements or objectives as outlined in this RFT, or was materially different
from what was initially proposed in the business case.
3.2.4 Termination
3.2.4.1 The Department may:
a) approve an Additional Commercial Service opportunity at any time;
b) withdraw or otherwise amend its approval of an Additional Commercial
Service opportunity at any time.
3.2.4.2 The Successful Tenderer must abandon delivery of any Additional Commercial Service
opportunity if directed to do so by the Department or if the Department withdraws its approval
in relation to that Additional Commercial Service opportunity. It is anticipated that this will only
occur if there was a significant change in the way an opportunity was being delivered that
caused it to violate (or was at risk of violating) the restrictions, would not meet the
Department’s requirements or objectives as outlined in this RFT, or caused it to diverge
materially from what was initially proposed as part of the business case.
3.3 Restrictions
3.3.1 Restrictions
3.3.1.1 Restrictions applying to the Additional Commercial Services are divided as follows:
a) overall restrictions, which specify the overarching restrictions which apply
to any and all Additional Commercial Services;
b) restrictions on the sale of goods and services to Clients, which specify
the restrictions that apply to opportunities which involve the sale, or
facilitating the sale, of goods and services to Clients; and
c) restrictions on data commercialisation, which specify the restrictions that
apply to opportunities which involve the commercialisation of data.
3.3.2 Overall restrictions
3.3.2.1 The Successful Tenderer must comply with the following restrictions on the Additional
Commercial Services.
Area Restriction
National security
The Successful Tenderer must not pursue any opportunity that may negatively impact on Australia’s national security in any way.
Reputation
The Successful Tenderer must not pursue any opportunity that the Department determines would damage the reputation of the Australian Government or the Department.
Government or departmental endorsement
The Successful Tenderer must not represent or convey that any goods or services supplied through the Additional Commercial Services are endorsed or approved by the Department or the Australian Government. This must include the provision of adequate and prominent statements and disclaimers that any goods or services available through the Additional Commercial Services are not endorsed by the Commonwealth or the Department, and are not inherent to the granting of a visa through the Core Government Services. These statements and disclaimers must be approved by the Department.
In providing Additional Commercial Services, the Successful Tenderer must not use the brands of the Australian Government, the Commonwealth of Australia or the Department unless that use is explicitly authorised by the appropriate brand owner.
The Platform must clearly notify users when they are leaving Core Government Services to go to another site including in relation to Additional Commercial Services.
Relationship to Core Government Services
The Successful Tenderer must maintain a certain standard of performance with respect to the Core Government Services. This standard will be defined in the Agreement according to the Performance Management Framework.
The operation of Additional Commercial Services must not adversely impact the operation, security or reputation of the Core Government Services in any way.
The Successful Tenderer may only begin developing Additional Commercial Services once the first visa product is launched on the Platform to the satisfaction of the Department, with formal acknowledgement by the relevant governance body.
Fraudulent activities
The Successful Tenderer must put into place appropriate measures to prevent illegal or improper services or circumstances from being facilitated as part of the Additional Commercial Services.
Prohibited and restricted entities
In the provision of the Additional Commercial Services the Successful Tenderer must not promote or engage with any Prohibited Criminal Group, Prohibited Company or individual, or Restricted Country.
Unlawful activities
The Successful Tenderer must not pursue any opportunity that is inconsistent with the laws of the Commonwealth of Australia and all States and Territories of Australia, or any jurisdiction in which the Successful Tenderer operates or purports to operate.
Data privacy and secrecy
The Successful Tenderer must ensure Personal Information is handled, stored and managed in accordance with the Privacy Act 1988 (Cth) (including the Australian Privacy Principles) and any relevant instruments or codes made under that Act.
The Successful Tenderer must put in place processes for obtaining and recording Client consent in relation to participation in the consideration or provision of Additional Commercial Services for the collection, use and disclosure of Personal Information (or other categories of 'protected information') in accordance with the relevant legislation. Participation in any Additional Commercial Service opportunity by a Client is entirely optional and must in no way be part of the visa process.
The Successful Tenderer must uphold any relevant legislative requirement related to data management (including secrecy requirements) as outlined in section 2.5 – Compliance Requirements of this Attachment A – Statement of Requirement.
Security
In the provision of Additional Commercial Services, the Successful Tenderer’s systems should:
o not create a risk to the security of the data and operations of the Core Government Services;
o audit use and access: log events recorded shall include authorised activity, privileged use, security violations, suspicious behaviour and clear malicious activity;
o monitor activity and state to identify and escalate security violations, non-compliance, suspicious behaviour and malicious activity;
o resist deliberate attack and remain resilient in the face of deliberate attack;
o include security mechanisms which secure assets held by or passing through the system against unauthorised use, disclosure, interception, modification, fabrication, disruption and destruction; and
o be secured against unauthorised use, disclosure, escalation, interception, modification, fabrication, disruption, destruction and avoidance.
Contestability principles
The Department expects that the Successful Tenderer will adhere to the following contestability principles in developing, delivering and operating the Additional Commercial Services. The Successful Tenderer will:
o develop, deliver and operate the Additional Commercial Services on an open access, non-discriminatory and contestable basis, and in a way that maintains competition in relation to the supply of goods or services offered as part of the Additional Commercial Services;
o not favour or provide an advantage to any member or affiliate of the Successful Tenderer with respect to the provision of goods / services offered through the Additional Commercial Services;
o develop, deliver and operate the Additional Commercial Services separately from the Core Government Services, so that the different types of services are clearly delineated;
o not bundle or tie (directly or indirectly, including by way of a discount or rebate), the supply of services through the Core Government Services and Additional Commercial Services;
o not offer discounts, inducements or other incentives on services offered through the Core Government Services on condition that Clients acquire one or more goods / services through the Additional Commercial Services;
o not represent or convey that Clients need to acquire goods / services through the Additional Commercial Services in order to obtain any services through the Core Government Services; and
o implement appropriate protections to ensure that any member or affiliate of the Successful Tenderer is not able to access any competitively sensitive or confidential information relating to goods / services offered through the Additional Commercial Services (including information of third parties providing or seeking to provide such services).
The Successful Tenderer must obtain the Department's prior approval where an opportunity proposes to involve an exclusive or preferred supply arrangement with a limited group of suppliers of goods and services. Where the Department approves such an opportunity, the right to be the exclusive supplier or a preferred supplier must be periodically competitively tendered through a fair, open market tender process. Any consortium partner or affiliate of the Successful Tenderer must be subject to the same open competitive tender process. Any preferred supply arrangement with a limited group of suppliers must at a minimum include at least two independent suppliers (who are not consortium members or affiliates of the Successful Tenderer).
The Department notes that the procurement of suppliers by the Successful Tenderer to support the sale, or facilitation of the sale, of goods and services is not subject to the Commonwealth Procurement Rules.
o The Successful Tenderer must disclose to the Department any benefits received in return for facilitating the sale of any third party’s goods or services through the Additional Commercial Services.
Restrictions on the sale, or the facilitation of the sale, of goods and services to Clients
Area Restriction
Relationship to visa application experience
The Successful Tenderer must not attempt to sell (or attempt to facilitate the sale of, including through marketing or advertising) any good or service available through the Additional Commercial Services or any other place during a Client’s interaction with the Core Government Services. This includes but is not limited to various types of advertising such as banner advertisements and pop-up advertisements.
Consent provisions
As outlined in Part 2 – Overview, Additional Commercial Services must be provided on an opt-in basis only.
The Successful Tenderer must not:
o market goods and services to a Client;
o supply goods or services; or
o use or disclose Personal Information for the purposes of marketing or facilitating the marketing or sale of goods or services to a Client,
unless the Client has given their express consent to the particular marketing activity and has elected to access the Additional Commercial Services.
The consent must be clear about the scope of the marketing purposes, the Personal Information that will be involved and who will have access to the Personal Information or to whom it will be disclosed, and must be in a form approved by the Department that is clear and accessible to the Client.
The Successful Tenderer must never force a Client to purchase Additional Commercial Services, irrespective of whether or not they have opted in to being marketed a given opportunity.
Promotion of other countries
The Successful Tenderer must not encourage tourism or travel to, or study and work opportunities in any country other than Australia.
Commercialisation of data
The Commonwealth will not agree to any commercialisation of data relating to the provision of Core Government Services.
Appendix A: Visa categories to be processed on the Platform initially

Temporary Visas

Visa category: Visit
For people visiting for leisure, family or business activities
Current Visas: Visitor, Electronic Travel Authority, eVisitor, Transit

Visa category: Study
For people studying and guardians of students
Current Visas: Student, Student Guardian

Visa category: Temporary Work
For people working or partaking in cultural or business-related activities
Current Visas: Temporary Skilled Shortage, Temporary Graduate, Temporary Work (International Relations), Working Holiday, Work and Holiday, Skilled-Recognised Graduate, Temporary Activity, Training, Temporary Work (Short Stay Specialist), Retirement, Investor Retirement, Maritime Crew, Medical Treatment

Visa category: Temporary Protection
For people in humanitarian need or who engage Australia’s protection obligations
Current Visas: Temporary Protection, Humanitarian Stay (Temporary), Temporary (Humanitarian Concern), Safe Haven Enterprise, Resolution of Status

Visa category: Trans-Tasman
For New Zealanders visiting or residing in Australia
Current Visas: Special Category, New Zealand Citizen Family Relationship (Temporary)

Visa category: Special Purpose
For people with a prescribed status or declared by the Minister
Current Visas: Special Purpose visa, Diplomatic (Temporary), Enforcement visa

Visa category: Status Pending and Departure
For regularising non-citizens' status or in very limited circumstances, allowing entry to Australia on a temporary basis
Current Visas: Bridging A, Bridging B, Bridging C, Bridging D (Prospective Applicant), Bridging E, Bridging F, Bridging (Removal Pending), Border, Criminal Justice visas

Longer term visa (To be determined)

Visa category: Longer Term Skilled work category (Visa type to be determined)
Appendix B: Business Rules
In keeping with the requirements of Part 2 – Overview and Part 4 – Commercial Parameters and
Settings, the Department will determine the Business Rules for the Platform.
Attachment A – Statement of Requirement also makes it clear the Platform must be flexible and able
to quickly and efficiently accommodate policy and Business Rule changes as determined by the
Department.
The Department expects that the Successful Tenderer will collaborate with the Department in the
development of detailed Business Rules to maximise their efficiency and automation including in
relation to Platform capability and functionality.
Business Rules will be determined by the Department in accordance with the agreed rollout schedule.
Without diminishing the requirement for flexibility outlined above, the Department expects the
Business Rules to address, in varying compositions depending on relevant legislation, Ministerial
Directions, policies and operational workflows, one or more of the following core components of a visa
decision. The Platform must have the capability to flexibly address and combine these components
across different visa products into the future:
identity of the Applicant
genuine intent of the Applicant
character of the Applicant
financial circumstances of the Applicant
Australian values
visa-specific eligibility or other requirements
national security
health assessments
work rights
travel rights
sponsorship requirements
fraud prevention
English language proficiency
English language requirements
particular requirements in relation to child custody and minors
payment
immigration history
welfare eligibility (under other Portfolio’s legislation).
To supplement the detailed information about decision making pathways provided to Tenderers
during the REIO Phase Three Co-design, the Department is providing Tenderers with access to
LEGENDcom. LEGENDcom is the Department's online database providing access to:
1. Legislation and regulations (including Public Interest Criteria)
2. Policy and procedures
3. Ministerial directions.
Instructions for accessing LEGENDcom will be made available in the Data Room. Further supportive
information may also be made available in the Data Room during the Phase Two process.