Australian Government Department of Home Affairs · 2.4 Required outcomes of the Platform and Successful Tenderer 55 2.4.1 Introduction 55 2.4.2 Platform operations 55 2.4.3 Service

Department of Home Affairs Page 1

Request for Tender – RFT 22/17-B1 – Phase Two – Attachment A – Statement of Requirement

Australian Government

Department of Home Affairs

REQUEST FOR TENDER (RFT) FOR

DELIVERING VISA SERVICES FOR AUSTRALIA – GLOBAL DIGITAL PLATFORM

RFT 22/17-B1 – Phase Two

ATTACHMENT A – STATEMENT OF REQUIREMENT

© Commonwealth of Australia 2019.



Table of Contents Section 1:Introduction 4

1.1 Objectives 4 1.1.1 The Platform 4 1.1.2 Design principles – Governance and control 4 1.1.3 Design principles - Services 4

1.2 The Statement of Requirement 7 1.2.1 Structure 7 1.2.2 Core Government Services 7 1.2.3 Additional Commercial Services 7

1.3 How to read the Statement of Requirement 7 1.3.1 Approach 7 1.3.2 Mandatory Requirements 8 1.3.3 Minimum service requirements 8 1.3.4 Compliance requirements 8

Section 2:Core Government Services 9

2.1 Scope 9 2.1.1 Visas to be processed on the Platform 9 2.1.2 Users of the Platform 10 2.1.3 Departmental Users of the Platform include: 11

2.2 Required outcomes for the user 14 2.2.1 Introduction 14 2.2.2 Explore 14 2.2.3 Departmental User journey – Attract and match Applicants/Employers 16 2.2.4 Other Market Provider journey – Provide information 17 2.2.5 Other Organisation journey – Provide information 17 2.2.6 Connect 19 2.2.7 Introduction 19 2.2.8 Client journey – Lodge my Application 19 2.2.9 Department journey – Facilitate lodgement 26 2.2.10 Other Market Provider journey – Assist with lodgement 30 2.2.11 Other Organisation journey – Assist with lodgement 30 2.2.12 Assess 31 2.2.13 Introduction 31 2.2.14 Client journey – Provide additional information 31 2.2.15 Department journey – Perform assessments 33 2.2.16 Other Market Provider 38 2.2.17 Action 39 2.2.18 Introduction 39 2.2.19 Client 39 2.2.20 Department 41 2.2.21 Other Market Provider journey – Advised of a decision 42 2.2.22 Other Organisation journey – Advised of a decision 42 2.2.23 Resolve 43 2.2.24 Introduction 43 2.2.25 Client – Travel and comply 43 2.2.26 Department – Ensure compliance 45



2.2.27 Other Organisation journey – Check visa status 46

2.3 Required business enabling outcomes 47 2.3.1 Introduction 47 2.3.2 User support 48 2.3.3 Business Rule development and implementation 50 2.3.4 Workflow management 51 2.3.5 Program management 52 2.3.6 Quality assurance 52 2.3.7 Reporting and analytics 53

2.4 Required outcomes of the Platform and Successful Tenderer 55 2.4.1 Introduction 55 2.4.2 Platform operations 55 2.4.3 Service design and change 67 2.4.4 Maintenance 69 2.4.5 Policy and service design change 70 2.4.6 Platform interfaces and interoperability 72

2.5 Compliance requirements 75 2.5.1 Introduction 75 2.5.2 Data management 75 2.5.3 Security 79 2.5.4 Compliance with Commonwealth legislation, laws and policies 85

2.6 Delivery approach 86 2.6.1 Introduction 86 2.6.2 Delivery plan 87 2.6.3 Governance 88

2.7 Out of scope services 89

Section 3:Additional Commercial Services 91

3.1 Introduction 91 3.1.1 Additional Commercial Services 91 3.1.2 Implementing Additional Commercial Services 91

3.2 Governance 91 3.2.1 Submission of opportunities to the Department 91 3.2.2 Department consideration of opportunities 92 3.2.3 Review 92 3.2.4 Termination 92

3.3 Restrictions 93 3.3.1 Restrictions 93 3.3.2 Overall restrictions 93

Appendix A: Visa categories to be processed on the Platform initially 97

Appendix B: Business Rules 98



Section 1: Introduction

1.1 Objectives

1.1.1 The Platform

1.1.1.1 Part 2 – Overview of this RFT outlines the broader Immigration Reform Program and the role

this RFT process and the Platform will play in its implementation.

1.1.1.2 As outlined in the REOI and the RFT Phase One the Government's priorities and objectives of

the Services to be delivered are:

a) enhancing the attractiveness and competitiveness of Australia’s global visa

and citizenship service delivery arrangements;

b) strengthening the national economy and supporting key export industries

by facilitating the travel and migration of genuine tourists, students and

migrants (and skilled migrants in particular);

c) strengthening national security by preventing the entry and stay of

individuals who would cause Australia and its society harm;

d) fostering social cohesion in Australian society;

e) improving decision quality, consistency, and efficiency;

f) improving user experience for Applicants and Sponsors, Departmental

Users, and other potential users of the Platform (e.g. Service Delivery

Partners);

g) improving financial outcomes for the Australian Government including

through generating efficiencies, and enhancing revenue from the visa

system;

h) providing flexibility to implement future visa policy changes quickly and

efficiently; and

i) facilitating the simplification of Australia’s visa and citizenship framework.

1.1.2 Design principles – Governance and control

1.1.2.1 This Statement of Requirement should be read in a manner that is consistent with the

Government’s intention and having regard to the relevant Australian Accounting Standards

(including as canvassed with Tenderers in Phase One).

1.1.3 Design principles - Services

1.1.3.1 In delivering the Services, Tenderers should consider the following design principles that are

central to the way in which the Department intends to operate.

For Clients

a) The Client experience, including the cost of using the Platform, is of utmost

importance as a means of providing high levels of service but also to give

Australia a competitive advantage in the global markets for highly desirable

Applicants.



b) The Department wants to be proactive in the provision of information to

enhance a positive compliance culture by assisting visa holders to

understand and meet their obligations. The Department also wants to take

advantage of being the conduit to all non-citizens in Australia and provide

helpful information to aid visa holders with their interactions with other

Government agencies.

c) The Department wants to meet the needs and expectations of Clients by

providing a globally accessible digital service, even in areas where there is

limited internet connectivity or mobile telecommunications capability.

Market providers will still be available to assist Clients in navigating

Australia’s visa system and to lodge applications, but this should be only in

circumstances where Clients are unwilling or unable to interact with a

digital service.

For the Department

d) The Departmental User experience is of equal importance as a means of

providing staff with the tools and information they require to effectively

discharge their duties.

e) Automation of processing steps in the end-to-end journey by the Platform

is critical for the Department to continue its role in managing the border

and securing revenue for the nation in the face of constrained resources

and increasing volumes of travellers.

f) In providing a flexible basis on which to deliver policy and service design

changes, the Platform is an opportunity to introduce a data-driven

approach that can model the impact of change ahead of implementation,

assisting in the development of policy but also to determine the most

efficient and effective approach to service delivery.

g) A comprehensive capability to assure the operation of the Platform and

audit the outcomes of both manual and automated assessments provides a

strong feedback loop into the decision making process. This will help to

ensure that the Platform is operating as intended, in particular ensuring

appropriate outcomes and removing any unwanted bias in automated

processing steps.

For the nation

h) Collection of information that increases the confidence in the identity of the

Clients interacting with Australia’s visa and citizenship system is critical in

supporting an intelligence-informed approach that manages the border

based on the particular risks presented by an individual.



i) In addition to identity, the Department wants to maximise the benefits that

come from stronger technological integration of the mutually reinforcing

visa and intelligence systems. Collecting high quality, comprehensive and

verifiable information about Clients improves the ability to treat Applications

based on risk, in turn enabling a streamlined and automated service to

Clients identified as low-risk. The addition of the high quality data and

information collected by the Platform will supplement the vast quantity of

information available to the Department's intelligence systems. This will not

only enable a greater ability to identify visa-related risk but also feed into

the broader identification of potential risk across all border activities.

j) The Platform will provide the capability to examine and audit, including in

real time, every interaction with the Platform (e.g. every step of every

transaction or interaction with the Platform will be collected including

deletion of material previously entered by Applicants). This functionality will

be critical in identifying attempts to exploit the visa system or Business

Rules and providing additional sources of information to ensure the

ongoing security of Australia’s border.

For the Successful Tenderer

k) The Department will determine the Business Rules that establish what the

Platform does, including visa processing workflows. The Department

expects that the Successful Tenderer will collaborate with the Department

in the development of the Business Rules to maximise their efficiency

including through automation. See Appendix B for further detail.

l) The Platform is expected to be flexibly designed and implemented so that

technology advances that occur over the Term of any Agreement can be

efficiently accommodated to provide new capabilities and benefits for

Clients and Departmental Users of the Platform.

m) The benefits of the flexible design of the Platform are expected to extend

towards the Department being able to easily and quickly implement policy

and business process changes, including an ability for Government to

target its visa product offerings to meet particular policy objectives.

n) Effective risk management requires the Successful Tenderer and the

Department to understand the nature of relevant risks and to systematically

identify, assess, treat, monitor and review those risks. The Department

expects that the Successful Tenderer will ensure that risk and fraud

identification capabilities, assessment, and prevention are embedded in the

Platform functions at all levels.

o) As outlined in paragraph 2.4.3(b) of Part Two – Overview and section 2.6

of this Attachment A – Statement of Requirement, the Department is

seeking a strong and cooperative working relationship with the Successful

Tenderer that will endure over the Term of any Agreement.

p) The security of Australia’s visa system is a paramount consideration. The

Platform must be uncompromising in its approach to securing the integrity

of the visa business, and its management of the data and Personal

Information collected in the course of providing the Services.



1.2 The Statement of Requirement

1.2.1 Structure

1.2.1.1 This Attachment A - Statement of Requirement outlines the Department’s business and

technical requirements and service outcomes for the Platform.

1.2.1.2 The requirements relate to two key outcomes:

a) Section 2: Core Government Services; and

b) Section 3: Additional Commercial Services.

1.2.2 Core Government Services

1.2.2.1 Requirements detailed in Section 2 comprising the Core Government Services include (see

Figure 1):

a) Section 2.1: Scope;

b) functional requirements comprising:

i. Section 2.2: Required outcomes for users; and

ii. Section 2.3: Required business enabling outcomes;

c) non-functional requirements comprising:

i. Section 2.4: Required outcomes of the Platform and Successful

Tenderer;

ii. Section 2.5: Compliance requirements;

iii. Section 2.6: Delivery approach; and

iv. Section 2.7: Out of scope services

1.2.3 Additional Commercial Services

Requirements detailed in Section 3 comprising the Additional Commercial Services

include:

a) Section 3.1: Introduction;

b) Section 3.2: Governance; and

c) Section 3.3: Restrictions.

1.3 How to read the Statement of Requirement

1.3.1 Approach

1.3.1.1 The functional requirements establish the range of required business-enabling functions

relevant to the Department’s management of its decision making workflows. The Platform

must provide capabilities to enable the Department to manage its visa business operations.

1.3.1.2 The non-functional requirements set out requirements the Successful Tenderer will need to

deliver to realise a number of outcomes related to the management of the Platform itself and

the Services provided.



1.3.2 Mandatory Requirements

1.3.2.1 Part 1 – RFT Details of this RFT sets out mandatory requirements for Phase Two Tenders,

as was foreshadowed in RFT Phase One

1.3.2.2 Failure by a Tenderer to meet one or more of the Department's Mandatory Requirements will

result in the Tenderer being excluded from the RFT process. Refer to clause 5.29 of

Part 5 – Terms and Conditions for further information.

1.3.3 Minimum service requirements

1.3.3.1 Each outcome includes minimum service requirements that are either:

a) functionality the Department considers to be critical, designated in the

requirements by the word “must”; or

b) functionality the Department considers to be important, designated in the

requirements by the word “should”.

For clarity, the use of the term "must" or "essential" in this Statement of Requirement

does not denote a Mandatory Requirement for the purposes of section 1.3.2

‘Mandatory Requirements’ (i.e. a requirement in relation to which a failure of a Tenderer

to comply will result in the Tenderer being excluded from the RFT process). However,

the Department will take into account a Tenderer's failure to meet such a requirement

in the evaluation of the Phase Two Tender.

1.3.3.2 Tenderers must deliver all of the critical functionality outlined in each minimum service

requirement. The Department expects Tenderers will respond to the outcome and where

appropriate, the proposed solution will exceed the minimum service requirement including,

but not limited to, responding to the described important functionality.

1.3.4 Compliance requirements

1.3.4.1 The requirements outlined in section 2.5 – Compliance Requirements of this Attachment A –

Statement of Requirement are not presented as outcomes or minimum service requirements.

Tenderers will need to demonstrate adherence to all of the requirements outlined in that

section.



Section 2: Core Government Services

2.1 Scope

2.1.1 Visas to be processed on the Platform

2.1.1.1 The Platform must be flexible and able to quickly and efficiently accommodate policy changes

made by governments-of-the-day from time to time.

2.1.1.2 The first tranche of visas to be processed on the Platform (i.e. those in scope for this RFT)

are all temporary visas, including bridging visas, and one longer-term skilled work visa.

2.1.1.3 Temporary visas fall within the following functional categories:

a) visit;

b) study;

c) temporary work;

d) temporary protection;

e) Trans-Tasman;

f) special purpose; and

g) status pending and departure.

2.1.1.4 The current visa subclasses that map to these functional categories are listed in Appendix A

to this Attachment A – Statement of Requirement.

2.1.1.5 The Platform must consider the following core components of a visa decision and have the

capability to flexibly address and combine across different visa products into the future:

a) the identity used in an Application matches that of the person(s) who will

travel to, enter and remain in Australia;

b) the Applicant is genuinely intending to enter and remain in Australia for the

purpose that they have indicated in their Application;

c) the Applicant does not pose a threat to Australia’s national interests or

national security;

d) there is no past or present behaviour that indicates the Applicant does not

meet the character requirement;

e) the Applicant understands and will behave consistently with Australian

values;

f) the Applicant will not spread communicable diseases or place an

unreasonable burden on the Australian health care system;

g) the Applicant has not and is not committing fraud in the course of their

current application, or any previous, applications;

h) the Applicant will comply with any restrictions or requirements that are visa

conditions; and

i) where required, the Applicant has the ability to financially support

themselves during the course of their stay.



2.1.2 Users of the Platform

2.1.2.1 The Platform must deliver outcomes for a wide range of users including Clients, Departmental

Users, Other Market Providers, and Other Organisations.

2.1.2.2 The Platform must have role-based access controls to restrict access to specific data or user

interfaces (refer to requirements PR9 and CR4).

2.1.2.3 Clients include:

a) Potential Applicants, who use the Platform to obtain information about

the Application, Sponsorship or Nomination process, including how to use

the Attract and Match service;

b) Applicants, who use the Platform to apply for an Application, Sponsorship

or Nomination. For clarity, this refers to Applicants during the Application,

Sponsorship and Nomination process and after a Decision has been taken

on an Application, Sponsorship or Nomination;

c) Representatives of Applicants, who use the Platform on behalf of an

Applicant. These include:

i. Registered Migration Agents, who use the Platform to assist

Applicants with their Application and who may also act on their behalf.

Registered Migration Agents may also provide immigration assistance

and act as an Authorised Recipient (see below);

ii. Exempt Persons, who use the Platform to assist Applicants with their

Application and who may also act on their behalf but must not accept

a fee to do so. Exempt Persons may also provide immigration

assistance and act as an Authorised Recipient (see below);

iii. Authorised Recipients, who use the Platform to receive

communications on behalf of an Applicant or Group of Applicants. An

Authorised Recipient may be either a Registered Migration Agent or

another individual nominated by an Applicant (e.g. a friend or carer);

and

iv. Other Representatives of an individual Applicant or Group of

Applicants including travel agents, airline booking agents and family

members, who lodge an Application on behalf of an individual

Applicant or a Group of Applicants (e.g. a family of Applicants, tour

groups, sporting groups).

d) Sponsors of visa Applicants, who use the Platform to sponsor individual

Applicants. This includes:

i. Potential Business Sponsors, who use the Platform to obtain

information about the Sponsorship or Nomination process, including

how to use the Attract and Match service;

ii. Business Sponsors, who apply to be an approved business

sponsor, nominate positions, sponsor individual Applicants and

manage ongoing compliance with the undertakings and obligations of

their sponsorships; and



iii. Personal Sponsors, who sponsor individuals for non-work reasons

such as sponsoring a partner or family member.

2.1.3 Departmental Users of the Platform include:

a) Decision Makers, who use the Platform to perform visa assessments

and/or make Decisions whether to grant or refuse an Application, or cancel

a granted visa, and to make Decisions regarding Sponsorship and

Nomination Applications. The Platform will be the sole interface used by

Decision Makers to process, grant, refuse or cancel visas applied for on

the Platform);

b) Team Leaders, who use the Platform to manage teams of Departmental

Users that are users of the Platform, including in particular teams of

departmental Decision Makers or Identity Resolution Officers;

c) Program Managers, who use the Platform to manage the delivery of a

visa or citizenship program;

d) Assurance Officers, who use the Platform to ensure assessments and

Decisions are being managed appropriately;

e) Integrity Officers, who use the Platform to review Applications to detect

fraud;

f) Intelligence Analysts, who use the Platform and intelligence and risk

systems to manage risks to national interests, security and immigration

program integrity risks;

g) Identity Resolution Officers, who use the Platform and intelligence and

risk systems to manage identity records for visa Applicants;

h) Policy Officers, who use the Platform to inform new policy development;

i) Platform Business Management Officers, who use the Platform to

perform reporting, quality assurance, performance management and

contract management;

j) Legal Officers, who use the Platform to assist them in preparing for, or

responding to, litigation and other legal matters;

k) Border and Entry Officers including airport liaison officers, border entry

officers and border operations centre officers, who use the Platform to

manage immigration clearance processes at the border;

l) Compliance and Enforcement Officers including status resolution

officers and removals officers, who use the Platform to monitor compliance,

perform investigations and manage cancellations; and

m) Other Departmental Users.

2.1.3.2 Other Departmental Users of the Platform data (including through the use of relevant

departmental systems) include but are not limited to:

a) the Department’s Identity Function, which uses the Platform data to:

i. anchor an Applicant’s identity to a unique set of biometrics;



ii. resolve an Applicant’s identity to the Department’s identity holdings;

and

iii. set an Applicant’s identity to the required level of identity assurance;

b) the Department’s Risk and Intelligence Functions, which use the

Platform data to:

i. perform risk and security assessments of visa Applicants;

ii. identify and assess national security threats, organised crime, system

fraud and other threats; and

iii. conduct analysis on the Platform data to develop and manage profiles

and alerts.

2.1.3.3 Other Market Providers of visa services that use the Platform or the Platform data include:

a) Client Services Providers contracted by the Department including

Service Delivery Partners (SDPs) and other future market providers, who

use the Platform or the Platform data to deliver services including collection

of information, biometrics and payment;

b) User Support Providers, e.g. the Department’s contact centre; and

c) Other Providers engaged by the Department to provide other bundles of

services not in scope for this RFT.

2.1.3.4 Other Organisations that use the Platform or the Platform data include:

a) Authorised Third Party Organisations (e.g. educational providers), who

use the Platform to view or provide information relating to an Applicant or

an Application; and

b) Authorised Government Agencies, who use the Platform or the Platform

data for other Commonwealth purposes.



Figure 1: Core Government Services



2.2 Required outcomes for the user

2.2.1 Introduction

2.2.1.1 This Statement of Requirement sets out the functional requirements for each type of user

across five stages of the visa journey:

2.2.1.2 Underpinning the user journeys across each of these five stages are a range of required user

outcomes and enabling outcomes that the Platform must facilitate. Some user outcomes are

specific to a stage or combination of stages in the user journey, for example the attract

outcome and the information collection outcome, while other user and enabling outcomes

span the entire spectrum of the user journey, for example Client services and user support.

2.2.2 Explore

2.2.2.1 There are three types of required user outcomes in the Explore stage of the user journey:

a) Client services: assisting Clients to understand which visa products they

will be eligible to apply for, the conditions attached to each visa product

and the requirements for completing an Application;

b) Attract: these services assist Australia in competing for travellers and

migrants, in particular for the best and brightest potential Applicants to

deliver Australia’s immigration priorities including filling of identified gaps in

skilled employment; and

c) Match: having been successful in attracting Applicants to select Australia

as a destination of choice, the match service is targeted at directing these

Applicants towards specific opportunities.

Client journey – Decide to apply for a visa

2.2.2.2 For the Client, this first stage of the journey includes selecting Australia as the destination and

understanding the requirements for obtaining a visa.



2.2.2.3 Outcomes related to the Client journey in the explore stage include:

UR-C1

Client Services

As a Client I want to apply for the right visa

Clients must be able to outline their intent in wanting to travel to Australia and be presented with options on which visas may match this intent.

o This is limited to providing information on potentially suitable visa products based on Business Rules provided by the Department.

o The Platform must not provide immigration assistance within the meaning of the Migration Act 1958 (Cth).

Clients must be able to select a specific visa (and stream, where relevant) to commence a visa Application.

o This does not preclude an experience where the selection of a visa product is incorporated into a dynamic application form.

Clients must be able to select a visa using the Department’s website visa-finder and be connected to the Platform to commence the Application process.

Clients must be able to, part way through an Application process, opt to apply for another form of visa and any relevant data they have already entered should autofill the relevant fields in this new Application.

Clients must be provided with an indicative cost of the visa product early in the Application process, and this must occur prior to the Client providing supporting information.

The Platform must redirect Clients to the appropriate part of the Department’s website or ImmiAccount if they wish to apply for a visa product not processed through the Platform.

UR-C2

Match

As a Potential Business Sponsor I want to be provided with the details of potential Applicants that could fill a position I am unable to fill in Australia

The Platform must enable Potential Business Sponsors to provide details of specific employment opportunities as part of the Platform’s individualised matching capabilities.

The Platform must match Potential Applicants to the specific employment opportunities and provide information to the Potential Business Sponsor about available candidates.

If a charge / fee is applied to this function/capability, the Platform must be able to capture and process payment.

Potential Business Sponsors are required to create an account prior to accessing this function/capability (see UR-C4 for further details).

The Platform must be capable of matching eligible Potential Applicants from a pool to individual potential employment opportunities.

The Platform must not perform any functions beyond identification and matching of Potential Applicants to an employment opportunity. In particular, the employment decision making process (e.g. short-listing, interview, selection processes by potential employers is out of scope).

UR-C3

Match

As a Potential Applicant I want to find employment opportunities which match my skillset so that I can work in Australia

The Platform must be able to identify and attract suitable and high calibre individuals and enable Potential Applicants to express interest in particular employment opportunities, or in employment in a particular field, profession and locality as part of the Platform’s individualised matching capabilities.

o The Platform must enable Potential Applicants to submit Expression of Interests (EOIs) for specific skilled visa programs, employment opportunities or based on their qualifications, skills, experience or expertise.

o The Platform must determine whether a Potential Applicant is eligible to submit an EOI based on the Potential Applicant’s self-declarations.



The Platform must match specific employment opportunities to Potential Applicants based on a single submitted EOI and provide information about available opportunities and Potential Business Sponsors to the Potential Applicants.

2.2.3 Departmental User journey – Attract and match Applicants/Employers

2.2.3.1 For the Department, this first stage of the journey, consistent with Australia’s policy framework

for identifying skills shortages and delivery requirements across the range of skilled visa

programs, is about matching potential visa Applicants to opportunities and potential Business

Sponsors to skilled workers.

2.2.3.2 Outcomes related to the Departmental User journey in the explore stage include:

UR-D1

Attract

As a Departmental User I want to target and encourage people to come to Australia in accordance with national objectives

The Department is seeking to attract unique high calibre individuals, global and business talent, and investors through the visa program.

The Successful Tenderer must assist the Department to attract visitors, students and skilled workers to Australia.

o The Attract and Match activity objectives and scope in relation to potential skilled migrants will be set by the Department. The Successful Tenderer will not decide the objectives and scope for an Attract and Match activity.

o Attract and Match activities may target general areas of demand, including skills shortages identified by the Department of Jobs and Small Business, or specific areas of unmet need identified utilising information collected by the Platform.

o The Successful Tenderer is not required to perform market research to identify areas of demand.

o Attract and Match activities must be delivered through digital channels only e.g. website, apps, email, digital advertising.

o Attract and Match activity material (e.g. emails, digital advertising) must only be sent to Clients if they have previously opted-in to receive such material.

The Platform must provide information to the Department to inform Attract and Match activity.

o This includes the ability to provide information including target areas of demand and supply shortfalls.

UR-D2

Match

As a Departmental User I want to manage potential Business Sponsors’ ability to engage in the Attract and Match functions

The Platform must allow the Department to permit genuine businesses to register as a potential employer accessing the Attract and Match function.

The Platform must ensure identified employment opportunities meet requirements set by the Department (e.g. on the skilled occupations list, regional location, salary level).

UR-D3

Match

As a Departmental User I want to know about the effectiveness of Attract and Match activities

The Platform must provide information for the Department on the performance and effectiveness of the Attract and Match functions, including areas of unmet skills need and reporting on the composition and characteristics of Applicants, Potential Applicants, Business Sponsors, Potential Business Sponsors, and visa enquirers.



2.2.4 Other Market Provider journey – Provide information

2.2.4.1 Clients may need assistance – via non-digital channels – to explore their options, understand

the different types of visas for which they are entitled, or even obtain assistance in lodging

their Application. These types of non-digital services are out of scope of this RFT and will be

provided through Other Market Providers contracted by the Department. The Platform must

allow Other Market Providers to assist Clients in using the Platform.

2.2.4.2 Outcomes related to the Other Market Providers’ journey in the explore stage include:

UR-M1

Client Services

As an Other Market Provider, I want to assist Potential Applicants to understand and/or participate in the Attract and Match functions

The Successful Tenderer must ensure Other Market Providers approved by the Department have access to the Platform and relevant information.

The Platform must permit Other Market Providers to assist a Potential Applicant in using the Platform.

2.2.5 Other Organisation journey – Provide information

2.2.5.1 Other Organisations contribute to the Application process through the provision of reference

data and/or supporting information (e.g. enrolment in an education institution) that underpins

the assessment of visa criteria or a Platform function (e.g. Attract and Match services). The

Platform must provide Other Organisations with appropriate access to the Platform.

2.2.5.2 Outcomes related to the Other Organisations’ journey in the explore stage include:

UR-O1

Client Services

As an Other Organisation I want to assist particular Clients

The Successful Tenderer must ensure Other Organisations approved by the Department have access to the Platform and relevant information.

The Platform must permit an Other Organisation to assist a Client in using the Platform.



UR-O2

Attract

As an Other Organisation I want to have access to data about the Attract and Match function

The Platform must provide information to other responsible Commonwealth Agencies, State and Territory departments, Local governments, and regional and other entities for example Designated Area Migration Agreements (DAMA), on the operation of the Attract and Match function. For example, providing a State government with a list of potential Applicants that match State-based skill shortages.

The Platform must enable the responsible Commonwealth Agencies and State and Territory department(s) and Local Governments to update approved reference data and/or supporting information about the Attract and Match functions.



2.2.6 Connect

2.2.7 Introduction

There are six types of required user outcomes in the Connect stage of the user journey:

a) Client services: a visa Application process that provides a contemporary

user experience and makes it as easy as possible for Clients to meet their

obligations in completing the Application;

b) Identity and biometrics: ensuring the collection of identity and biometrics

information;

c) Information collection: ensuring that all the information that might be

required from the Client for their specific circumstances and the specific

visa they are applying for is collected at time of Application, and making

this as easy as possible;

d) Information validation and verification: where possible, verifying or

validating the information that has been collected so that the Application is

decision-ready;

e) Risk: ensuring the integrity of the visa Application process including

reporting on suspicious activity, as well as ensuring that the information

collected from individual users is able to be adjusted based on the

Business Rules determined by the Department; and

f) Payment: Clients are able to easily make payments for the all the relevant

fees and charges attributable to their Application (e.g. Service Fee, VAC,

biometric enrolment fee, medical examination) in one transaction and

monies are directed correctly to the relevant parties.

2.2.8 Client journey – Lodge my Application

2.2.8.1 For the Client, this second stage of the journey includes making an Application for a visa.

Clients want to be able to easily and efficiently complete an Application, including providing

documentation to support their Application, and have a good overall user experience that

makes it as easy as possible to complete their obligations. This includes having Applicants



represented by third parties to assist in some or all of the process.

UR-C4

Client Services

As a Client I want to have my own account on the Platform

The Platform must enable Clients to create a Platform account.

o Interactions between Clients and the Department must occur through a Client’s Platform account.

o Platform accounts must cater for different types of Clients (for example, Applicant or Registered Migration Agent). Refer requirement UR-C11 and UR-C12 that includes supporting Representatives, including Registered Migration Agents and Authorised Recipients, to manage multiple Applicants and Applications.

o Refer to requirements PR9 and CR4 for requirements regarding security access controls.

o Platform accounts must be created through a two factor account creation process.

The Platform must allocate a unique Client identifier for each new Platform account that is established on the Platform. The Platform will advise the Client of their unique Platform account identifier.

The Platform must allocate a unique Application identifier for each new Application that is commenced on the Platform. The Platform will advise the Client of their unique Application identifier.

The Platform account must enable Clients to access information about their interactions with the Department.

o Clients must be able to update information provided to the Department as described in requirement UR-C23 below.

o Clients must be able to access their current and historical Applications submitted using the Platform, incorporating all information and supporting documentation provided by the Client.

o The Platform account must provide Clients, through their Platform account, access to all correspondence between the Department and the Client conducted using the Platform.

o Information on the conditions and entitlements of a visa held by a Client must also be available through their Platform account.

o Historical information related to activities not conducted through the Platform is not required to be available through the Platform account.

The Platform must allow Applicants to be able to view all information about their Application(s) managed through the Platform while being represented and/or assisted by a Representative.

o The Platform must allow an Applicant to import an Application into an Applicant’s account that has been lodged by a representative by providing key identifying information.

The Platform should be capable of allowing Applicants to create an account and provide information using their Government provided digital identity, where an Applicant has one.

UR-C5

Client Services

As a Client I want to lodge an Application using a digital channel of my choice

Clients must be able to access their Platform account to complete Applications across a range of digital channels and devices as specified in Section 2.4 - Required outcomes of the Platform and Successful Tenderer of this Attachment A – Statement of Requirement.

Clients must be able to save an incomplete visa Application and continue later (including in another channel or on another device).



UR-C6

Client Services

As a Client I want the option to provide information for my Application and interact with the Department in my preferred language

In addition to English, the Platform must enable Clients to provide information for Applications, including free text responses, in the following Designated Platform Languages: simplified Chinese, Arabic, Vietnamese, Spanish, Korean, traditional Chinese, Japanese, Malay, German, Filipino, Indonesian, Italian, Thai, Portuguese, Sinhalese, Russian, French, Nepali, Hindi, Farsi, Tamil, Urdu, Fijian, Polish and Bengali. The list of required languages may be updated by the Department from time to time over the Term of any Agreement.

The Platform must be able to display form content in the language selected by the Client from the list of Designated Platform Languages. The Platform must include on-screen help text in all Designated Platform Languages.

The Platform must automatically translate all information provided in one of the Designated Platform Languages into English in accordance with the Department’s Translation Policy*.

Both the original information and translated Application must be available to both Departmental Users and the Client who will authorise the translated Application being lodged.

The Platform must allow Clients to review and correct a translated Application prior to lodgement.

The Platform must allow the Department to audit the quality of translations performed by the Platform including where a Client has reviewed and corrected a translated Application.

The Platform should automatically translate departmental correspondence, including requests for information, into the relevant Designated Platform Languages.

The Platform should provide other forms of digital support in all Designated Platform Languages. * to be made available the Data Room

UR-C7

Client Services

As a Client I want the supporting documents I provide in a foreign language to be automatically translated to English

The Platform should automatically translate documents provided by a Client.

o Translation to English must be in accordance with the Department’s Translation Policy*.

o Both the original document and translated document must be available through the Platform to both Departmental Users and Clients (through their Platform account) who will authorise the translated Application being lodged.

o The Platform must include capability which enables the Department to audit the quality of translations automatically translated by the Platform.

Where a document cannot be automatically translated by the Platform, the Platform must allow a Client to include in their Application documents in their original language as well as translated copies.

The Platform must be able to detect whether an English translated version of these documents has been provided.

o If no translated version is provided, the Platform must direct Applicants to obtain and provide an English translation of their supporting information.

* to be made available the Data Room



UR-C8

Client Services

As an Applicant I want to be able to be represented and/or assisted by a Representative

The Platform must allow for Applicants to authorise a Representative to assist them in the visa Application process, including for Group Applications.

o This includes being represented by a family member, tour organiser, Exempt Person or Registered Migration Agent.

The Applicant and/or Representative must both be able to provide information via the Platform in support of the same Application.

o The Platform must notify both Applicants and their Representative when information is required to complete an Application, for example biometric collection.

The Platform must enable the choice of Representative to be a standing or one-off appointment.

The Platform must enable the nominated representative to accept or decline a nomination.

UR-C9

Client Services

As an Applicant I want to be able to withdraw or change my authorisation to be represented and/or assisted by a Representative

The Platform must enable Applicants to withdraw the authorisation for a Representative to act on their behalf.

The Platform must ensure that following the withdrawal of the authorisation no further communication and no information relevant or relating to the Applicant or their Application is provided or accessible to the previously authorised Representative.

The Platform must ensure that the Applicant is able to continue accessing all relevant information through their Platform account.

The Platform must ensure that the Applicant is able to authorise a different Representative to represent and/or assist them, and have that Representative able to access all information as authorised by the Applicant.

The Platform must be able to track and report on all changes to the appointment of Authorised Representatives, by Applicant and by Authorised Representative.

UR-C10

Client Services

As an Applicant I want to be able to nominate an Authorised Recipient to receive correspondence on my behalf

The Platform must enable Applicants to appoint an Authorised Recipient to receive select communications on behalf of an Applicant.

o This can include circumstances where the Authorised Recipient has not assisted in the lodgement of a visa Application.

The Platform must allow Applicants to exclude specific types of information from being sent to their Authorised Recipient, for example health examination results.

The Platform must allow Applicants to be able to view information that has been sent to their Authorised Recipient about their Application(s) through their Platform account.

The Platform must enable Applicants to change or withdraw the appointment of an Authorised Recipient.

The Platform must enable the choice of an Authorised Recipient to be a standing or one-off appointment.

The Platform must enable the nominated Authorised Recipient to accept or decline a nomination.



UR-C11

Client Services

As a Representative of an Applicant I want the Platform to support me in representing my Applicant(s)

The Platform must enable Representatives to interact with the Platform on behalf of an Applicant, including lodging Applications, receiving correspondence and following up on Applications in progress.

The Platform must support Representatives to manage the Applicants they are representing, noting that some, such as Registered Migration Agents may manage multiple Applications or Group Applications.

o For example, this could include the use of dashboards or different views providing information about Applicants and the different states of progress of Applications.

UR-C12

Client Services

As an Authorised Recipient I want the Platform to support me in receiving correspondence on behalf my Applicant(s)

The Platform must enable Authorised Recipients to interact with the Platform on behalf of an Applicant to receive authorised correspondence.

The Platform must support Authorised Recipients to receive notification on behalf of an Applicant, noting that some Authorised Recipients may receive notifications in relation to multiple Applications or Group Applications.

o For example, this could include the use of dashboards or different views providing information about Applicant correspondence.

UR-C13

Client Services

As a Representative of a group of Applicants I want to efficiently lodge Group Applications

The Platform must auto-populate common information shared across members of Group Applications, such as travel itineraries.

The Platform must have capability to facilitate a single payment covering Group Applications.

The Platform must link Applications that form part of a Group Application.

A Representative must be able to add or withdraw members of a group that form part of a Group Application at any time with the consent of the Applicant.

The Platform must support Representatives of a group to manage Group Applications.

o For example, this could include the use of dashboards or different views providing information about Group Applications and the different states of progress of individual Applications that form part of the group.

UR-C14

Client Services

As a Client I want to be able to easily provide information for my Application

The Platform must collect only the information Clients need to provide based on Business Rules determined by the Department to constitute a complete Application for the relevant visa.

The Platform must provide clear instructions to Clients on what information is required (e.g. file formats, image quality, type of documentary evidence) to meet the Department’s requirements.

The Platform must provide clear guidance to Clients throughout the lodgement process and as a summary prior to completing the Application, as to what required information and/or documentation has not been provided or entered/uploaded correctly.

The Platform must not accept for final submission, including payment, any incomplete Application.

o The Platform must scan/check uploaded documentation to ensure it meets the requirements of the type of documentary evidence stipulated for a type of Application (e.g. where required, a police certificate has been submitted and not a photo of the Applicant).

The Platform should auto-populate answers wherever possible and legally permissible based on information already known about the Applicant.



o For example, subject to the provision of Applicant consent to share this information, the Platform should auto-populate sections of an Application where an Applicant has been referred to commence an Application by a third party e.g. authorised Other Organisations such as educational providers, or Business Sponsors, where an Applicant has previously applied for a visa, or where a Potential Applicant has submitted an EOI in relation to the Attract and Match function.

Clients must be prompted in the Application process to confirm or amend auto-populated parts of their Application.

The Platform must provide capability to link to a supporting assessment completed by the Applicant prior to lodging and/or completing the visa Application.

o For example, Applicants who undergo a medical examination or skills assessment prior to the Application.

UR-C15

Client Services

As a potential Sponsor I want to lodge a Sponsorship and/or Nomination

The Platform must accept Applications from individuals, employers and organisations to become an approved Sponsor.

The Platform must collect only the information Sponsors need to provide based on Business Rules determined by the Department to constitute a complete Application for the relevant Sponsorship.

The Platform must provide clear instructions to Sponsors on what information is required (e.g. file formats, image quality, type of documentary evidence) to meet the Department’s requirements.

The Platform should auto-populate answers wherever possible based on information already known about the Sponsor (including information provided by Potential Business Sponsors through the Attract and Match function).

Sponsors must be prompted in the Application process to confirm or amend auto-populated parts of their Application.

The Platform must allow Business Sponsors and Personal Sponsors to designate which individuals have authority to act on behalf of the Sponsor.

UR-C16

Client Services

As a Sponsor I want to nominate positions and sponsor individuals

The Platform must support Applications from Sponsors to nominate positions and sponsor individuals.

The Platform must have the capability to allow a potential Sponsor to lodge a Sponsorship, Nomination and a visa Application on behalf of the Applicant at the same time.

The Platform must collect information from Sponsors to support nominations for positions and sponsorship of individual Applicants according to Business Rules determined by the Department.

The Platform must be able to process the Sponsorship, Nomination and the visa Application in parallel.



UR-C17

Client Services

As an Applicant I want the option to pay a premium to have my visa processed quicker

The Platform must be capable of presenting Applicants with the option to purchase expedited consideration at an additional Visa Application Charge cost. The Service Fee will not change based on processing time.

o The Department will specify which visas are eligible for expedited consideration and at what additional Visa Application Charge.

The Platform must ensure expedited Applications are prioritised by the Platform for work allocation to manual Decision Makers and third parties so that the specified processing time is achieved. Specified processing times will be defined through the performance management framework.

o The Platform must be able to change the target processing time for an Application, either automatically or when manually requested by a Program Manager.

o The Platform must identify and be able to escalate Applications which are at risk of not meeting the target processing time.

UR-C18

Client Services

As a Client I want to be notified when my Application has been lodged

The Platform must notify the Client that their Application has been lodged.

The Platform must provide information about the next steps in processing the Application, including details of any actions to be performed by the Client.

UR-C19

Identity and biometrics

As an Applicant I want to digitally provide my biometrics using my personal device (where possible)

The Platform must have the capability to capture biometrics through a range of personal devices, including passport chip information (where available).

The Platform must have the capability to collect biometrics through other digital channels and trusted sources in the future.

UR-C20

Information collection

As a Client I want to link to external information sources to support my Application

The Platform should be capable of importing information relevant to an Application from external sources.

o For example, importing CV information, photos from an online or social media tool, English language results from English language testing providers, or financial information from banks and financial institutions



UR-C21

Payment

As a Client I want to use my preferred digital payment channels

The Platform must be capable of accepting differentiated Service Fees for different Applications.

The Platform must be capable of accepting differentiated VAC payments for different Applications.

The Platform must accept payment as the final step in lodging an Application.

The Platform must automatically calculate the single amount to be paid by Clients, incorporating all components of the VAC, the Service Fee, merchant fees, and other relevant fees and charges (e.g. in-person biometric collection).

o The Platform must have the capability to differentiate the above fees and charges by a range of conditions as applicable e.g. visa product, intent, etc.

The Platform must enable a third party to pay on behalf of an Applicant.

o For example, a Representative, family member or employer.

The Platform must allow a Representative to push the payment step of an Application to the Applicant or a third party.

Applicants must be shown the payment amount in Australian dollars.

The Platform must accept a range of online payment methods. At minimum this must include:

o Visa, Mastercard, American Express, Diners Club, Discover Card, China UnionPay, PayPal, BPay, JCB.

The Platform must provide Clients with an itemised receipt following a successful payment.

Clients must be able to view a copy of this receipt at any time through their Platform account.

The Platform must be able to support requests from Clients and Departmental Users for refunds or repayments.

The Platform should be capable of allowing Applicants to pre-pay for in-person assessments and client services required for an Application (e.g. in-person biometric collection or assisted Application at one of the Department’s contracted Service Delivery Partners). Where relevant, this must be included as part of the single payment at lodgement.

2.2.9 Department journey – Facilitate lodgement

2.2.9.1 For the Department, this second stage of the journey is primarily about collecting the

information required from the Client to begin processing the Application, and having

information validated or verified where possible so that the visa Application is Decision-ready.

The Department also wants to ensure that it receives complete Applications and that all

relevant fees and charges are paid at this stage of the journey.

UR-D4

Client Services

As a Departmental User I want to be able to manually enter Application information into the Platform for specified caseloads

The Platform must allow a Departmental User to manually enter an Application into the Platform for specific cohorts.

o Example cohorts include diplomats.

The Platform must allow a Departmental User to manually add or update information to an existing Application for specific cohorts.



UR-D5


As a Departmental User I want to understand who is applying for a visa

The Platform must collect identity information for all Clients as part of the lodgement process according to Business Rules determined by the Department.

o Identity information includes biographics, biometrics, supporting documentation (for example national identity cards) and declared relationships of Applicants.

The Platform must digitally collect passport information and facial biometrics directly from Applicants as specified in the Department’s Identity Policy*.

o The Platform must be able to collect biographic and travel document information from the Machine-Readable Zone (MRZ) of an Applicant's passport (for Applicants with machine-readable passports).

o The Platform must be able to collect the photograph and biographic details from the Visual Inspection Zone (VIZ) of an Applicant's passport.

o The Platform must be able to collect biographic information and biometrics from an Applicant's ePassport chip where possible.

o The Platform must differentiate between biographical information collected from the identity page and the biographic details collected from the MRZ, labelling the two data sets accordingly.

o The Platform must make use of anti-fraud measures when capturing biometrics (e.g. identify pre-recorded videos to pass liveness testing).

o The Department seeks to gather all useful data about a Client’s identity. However, collection of Applicant biometrics from a third party digital identity service does not substitute for direct collection.

The Platform must be able to collect document metadata of identity information provided by an Applicant, including images, and send this to the Department’s identity management system.

The Platform must ensure digital biometrics collected by the Platform meet the Department’s quality standards and are collected in accordance with the Department’s Identity Assurance Framework and Information Trust Framework.

o These Frameworks will be made available to Tenderers in the Data Room.

o The Platform must collect a digital biometric from the Applicant even if the standard cannot be met and mark images “standard met”/“not met” accordingly.

The Platform must facilitate digital biometric collection from individual Applicants whose Application has been submitted as part of a Group Application.

The Platform must adjust the identity information requested during the Application based on Business Rules determined by the Department.

The Platform must have the capability to collect alternate forms of digital biometric capture in the future.

Where a Client is required to provide an in-person biometric, the Platform must collect information about the collection from the relevant Other Market Provider.

o The biometric collected in-person from an Applicant will be provided directly to the Department’s enterprise biometric and identification system.

The Platform must display the results of an identity resolution to Departmental Users upon receiving results from Departmental APIs.

*To be provided in the Data Room



UR-D6


As a Departmental User I want the Platform to collect the information I need to assess an Application

The Platform must collect information as determined by the Business Rules determined by the Department, based on the Applicant’s intent and individual characteristics.

o The Application must dynamically update based on the Applicant’s responses according to Business Rules determined by the Department.

The Platform must ensure information is clearly named and classified (i.e., assigning keywords or terms to the information) according to conventions approved by the Department. This should enable information to be easily identified by Departmental Users.

Note: Collection of other information about Clients, e.g. API scrapes of social media, is out of scope.

UR-D7

Information validation and verification

As a Departmental User I want the Platform to automatically validate data

The Platform must ensure the Applicant has completed all the information required for their Application to be valid, in accordance with Business Rules determined by the Department.

The Platform must perform data validation on information provided by Clients e.g. valid address, valid email address, active email address, valid mobile number, active mobile number.

The Platform must ensure digital biometrics collected by the Platform meet the Department’s quality standards and that identity information is collected in accordance with the Department’s Identity Assurance Framework and Information Trust Framework.

In relation to Business Sponsors, verification of information includes verifying relevant information with other Government agencies including the Australian Business Register, the Australian Taxation Office and the Australian Securities & Investments Commission, to confirm that the potential Business Sponsor is lawful, established and actively operating.

The Platform must perform real-time validation during the Application process where possible.

The Platform must record the details of how all automatic Validation activities are carried out.

o For example, the source against which the data was Validated, the time it was Validated.

Note: This requirement applies to information provided by the Applicant at any stage of the Application or post-decision.

UR-D8


As a Departmental User, I want the Platform to prevent the lodgement of Invalid Applications

The Platform must not accept Invalid Applications, in accordance with Business Rules determined by the Department.

UR-D9

Risk

As a Departmental User I want the Platform to collect the information needed to assess an Application

The Platform must adjust the information requested of individual Clients based on their circumstances in accordance with Business Rules determined by the Department (i.e. a dynamic, guided Application).

o The Platform must also adjust the information requested of individual Clients upon receiving advice from the Department’s internal systems (i.e. risk, identity).

The Platform must provide a non-editable PDF version of the complete set of information provided by an Applicant as part of the Application process to the Department for the purposes of compliance with the Department’s record keeping obligations.



UR-D10

Risk

As a Departmental User I want the Platform to collect information about Representatives that have been authorised to act on behalf of an Applicant

The Platform must collect information about Representatives that have been authorised to act on behalf of an Applicant, including contact information, biographic information and metadata.

If the representative is a Registered Migration Agent, the Platform must collect the Migration Agent Registration Number (MARN).

o For each new Application, the Platform must verify in real time the MARN with the Office of the Migration Agents Registration Authority (OMARA) and that the MARN is being used only by the relevant Registered Migration Agent and not fraudulently.

UR-D11

Risk

As the Department’s Risk and Intelligence Functions I want the Platform to identify attempts to identify and exploit weaknesses or other risks in the Platform and associated business processes

The Platform must collect behavioural information about the Client and send this information to the Department’s Risk and Intelligence Functions.

o At a minimum, this includes the Client’s metadata, document metadata, and changes to their Application responses.

Further information regarding this requirement will be made available to authorised personnel of Tenderers, in the Data Room, in accordance with the Deed of Confidentiality.

UR-D12

Payment

As a Departmental User I want the relevant fees and charges to be remitted to the Department appropriately

The Platform must adhere to the Payment Card Industry Data Security Standards (PCI DSS).

The Platform must allow the Department to specify individuals or classes of individuals who are exempt from particular payments.

The Platform must ensure that any charges collected on behalf of other third parties for in-person services (such as medical examination or biometric collection or to pass through fees such as credit card fees) are remitted to the relevant party no later than one Business Day after the payment is collected from a Client.

The Platform must ensure the VAC and any other departmental charges are managed and remitted to the Department in accordance with the Public Governance, Performance and Accountability Act 2013 (Cth) and the requirements set out in the Agreement, including to remit to the Department no later than one Business Day after the payment is collected from a Client.

The Platform must provide the details of a Client's payment, excluding charges collected on behalf of other third parties for in-person services, to the Department’s financial management systems.

Each payment must be linked to an invoice, Client, Application and a unique identifier.

The Platform must provide automated reporting on Application-related payments to the Department.

o The Platform must automatically provide reconciliation information for payments received and remitted by the Platform.

o The Platform must provide support processes for reconciliation discrepancies.

The Platform must employ real-time fraud protection capabilities and protocols across all payment channels.

o The Platform must maintain interoperability with fraud protection capabilities and protocols employed by the Department*.

* to be provided in the Data Room



2.2.10 Other Market Provider journey – Assist with lodgement

2.2.10.1 Outcomes related to Other Market Providers in the connect stage include:

UR-M2

Client Services

As an Other Market Provider, I want to lodge Applications on behalf of certain Clients

The Platform must allow Other Market Providers to act as a Representative for a Client.

The Platform must support Other Market Providers to manage the Applications that they have lodged.

o For example, this could include the use of dashboards or different views providing information about Applications and the different states of progress of individual Applications.

2.2.11 Other Organisation journey – Assist with lodgement

2.2.11.1 Outcomes related to the journey of Other Organisations in the connect stage include:

UR-O3

As an Other Organisation, I want to lodge Applications on behalf of certain Clients

The Platform must allow Other Organisations to act as a Representative for a Client.

The Platform must support Other Organisations to manage the Applications that they have lodged.

o For example, this could include the use of dashboards or different views providing information about Applications and the different states of progress of individual Applications.



2.2.12 Assess

2.2.13 Introduction

2.2.13.1 There are six types of required user outcomes in the assess stage of the user

journey:

a) Client services: including self-service mechanisms to ensure that the

information provided is up-to-date, to follow progress of an Application (or

withdraw it), and to provide any further documentation that may be required

to support an Application;

b) information collection: including the ability to request and collect further

information required to support an Application, including from Other Market

Providers or Other Organisations;

c) information validation and verification: where possible, verifying or

validating the information that has been collected so that the Application is

decision-ready;

d) risk: ensuring that processing has appropriately considered the risk

inherent in a particular Application;

e) identity and biometrics: ensuring that there are appropriate levels of

confidence in the identity of an Applicant and that any relevant information

about this identity is considered in the processing of the visa Application;

and

f) assessment: undertaking all necessary steps and analysis to support the

processing of a visa Application.

2.2.14 Client journey – Provide additional information

2.2.14.1 For the Client, this third stage of the journey includes supporting the processing of an

Application by knowing how and when to supply further information, and also wanting to

follow the progress of an Application through a self-service mechanism.



UR-C22

Client Services

As a Client I want to know what additional information has been requested from me and how I can provide this

The Platform must automatically request additional information from Clients through their preferred channels.

o Additional information requested from Clients must be provided through the Platform.

The Platform must alert Clients, through their preferred channels, when there are outstanding actions for them to perform (e.g. where there is a timeframe to provide the additional information).

The Platform must enable Clients to request additional time to respond to these requests.

o The request will be processed in accordance with Business Rules determined by the Department.

UR-C23

Client Services

As a Client I want to be able to update my information when my circumstances change or information needs to be corrected

The Platform must allow Clients to update their information.

o This includes but is not limited to changes to travel document information, biographic details, family status, employment status, contact details and address details.

The Platform must collect documentary evidence and reasons in support of the change.

o For example, to update passport information the Platform must collect new passport information as evidence of all identity changes (e.g. change of name). This includes new biographics from the chip of an ePassport, VIZ details, MRZ details, and images according to the passport type.

o The Platform must initiate and undertake functional liveness face verification before allowing an Applicant to commence an update to their identity.

o The Platform must validate contact details (refer requirement UR-D7).

The Platform must allow Clients to correct information provided as part of their visa Application. However, the Platform must keep a record of all changes made by a Client to an Application (refer requirement PR10 regarding keeping and generating historical records).

Where the Client holds a current visa, the Platform must update current visa details held by the Department with the accepted change of information.

The workflow of updates and changes to Client information will be based on Business Rules determined by the Department.

o Some updates and changes to Client information may be automatically accepted, while others may require assessment by a Departmental User. Business Rules determined by the Department will determine how updates and changes to Client information will be managed.

The Platform must allow an Applicant to change Sponsors according to Business Rules determined by the Department.

Note: This requirement applies to changes in a Client’s circumstances throughout the user journey including post-grant of a visa.



UR-C24

Client services

As a Client I want to be notified when an in-person assessment is required

The Platform must notify Clients in cases where an in-person assessment is required. This could be an interview with the Department or an assessment conducted by an Other Market Provider.

o For appointments with the Department, the Platform must integrate with the Department’s appointment booking system to provide details on appointment times and locations.

The Platform must provide Clients with information needed to book an in-person assessment (e.g. location and contact details for approved physicians).

The Platform must notify Clients when the specified time period for completing these assessments will elapse and once it has elapsed.

The Platform should, where possible, enable Clients to book an assessment appointment with Other Market Providers through the Platform.

Note: Key parties to integrate with include the Department’s onshore and offshore offices, Service Delivery Partners, Other Market Providers and physicians conducting immigration medical examinations.

UR-C25

Client services

As a Client I want to check the status of my Application

The Platform must track the progress of Applications against each milestone specified in the Business Rules determined by the Department.

The Platform must pro-actively update Clients as their Application progresses against the agreed milestones.

The Platform must allow Clients to check the status of their Application through their Platform account.

UR-C26

Client services

As a Client I want to be able to withdraw my Application

The Platform must allow Clients to withdraw their Application.

Note: withdrawing an Application must not result in lodged Application data being deleted and the Platform must retain all data entered into the Platform by Clients.

2.2.15 Department journey – Perform assessments

2.2.15.1 For the Department, this third stage of the journey is about ensuring that all

information is available to perform the required workflow steps to process a visa Application,

and the undertaking of the processing of an Application.



UR-D13

Client services

As a Departmental User I want the Platform to automatically generate correspondence to Clients

The Platform must automatically generate correspondence to Clients based on templates determined by the Department. This may be in response to actions by Clients, Departmental Users, Other Organisations or the Platform.

The Platform must either automatically send correspondence to Clients and/or their Representatives, or present the correspondence to relevant Departmental Users for review, in accordance with Business Rules determined by the Department.

o The Platform must allow Departmental Users to edit the content of correspondence presented to them for review and prior to being sent (and record any changes and their justification).

o The Platform must keep an audit record of when a Departmental User edits the content of correspondence and what has been changed.

The Platform must send formal correspondence to Clients and/or their Representatives to their Platform account.

The Platform must send notification of correspondence to Clients and/or their Representatives through their preferred digital communication channel(s).

The Platform must notify Clients and/or their Representatives when the specified time period for responding to correspondence will elapse and once it has elapsed.

The Platform must add details of correspondence to the record of the Application, including the timing of responses.

UR-D14


As a Departmental User I want the Platform to identify potentially fraudulent biographics and biometrics information

The Platform must check for consistency between the live facial biometric and passport biometrics.

The Platform must provide basic assurance that biographics and biometrics collected from passports without an NFC chip read are not fraudulent.

o This includes comparing MRZ data to text on the passport's identity page.

o This includes running basic validation checks on key document data, including checking the MRZ characters and the passport number format.

The Platform should identify potentially fraudulent documents (excluding travel documents) and notify the Department of such potentially fraudulent documents.

Note 1: Direct verification of foreign travel documents with the issuing authority is out of scope.

Note 2: Direct verification of biometrics against Government sources is out of scope (excluding DVS and FVS). The Platform will call the Department’s identity function, which will perform verification against these sources.

UR-D15


As a Departmental User I want to prescribe treatments in relation to identity resolution and risk assessment and automatically receive the outcomes from these treatments

The Platform must adjust the Application workflow based on prescribed treatments in accordance with Business Rules determined by the Department.

o For example, for Decision Makers to perform specific assessments, request additional information, ask clarifying questions to help resolve the identity against the Department’s identity holdings, or to request further information to address particular risks.

The Platform must allow the Departmental User to record the action taken and the outcome (including the reason for any Decisions taken).

The Platform must provide the Department with the results of any treatments administered through the Platform, including any information collected.



UR-D16


As a Departmental User I want to be able to request further information from Clients

The Platform must trigger requests for additional information from Clients and/or their Representatives.

o This could be as a result of the Platform acting in accordance with Business Rules determined by the Department, a one-off request from a Departmental User and/or requests from Other Market Providers.

The Platform must notify Clients and/or their Representatives that additional information has been requested through their preferred communication channels.

The Platform must have the capability to impose time limits on responses to requests for information according to Business Rules determined by the Department.

The Platform must notify Clients and/or their Representatives when the specified time period for responding to a request for information will elapse and once it has elapsed.

UR-D17


As a Departmental User I want the Platform to automatically verify information provided by Clients

The Platform must have the capability to detect potentially fraudulent documents.

o Priority documents include bank statements, police clearances, employment letters and education transcripts.

o Priority areas of focus include plagiarism or re-use of supporting statements by multiple Applicants.

The Platform must automatically verify information directly with external sources including:

o an Applicant’s enrolment at an Australian educational provider e.g. with the Provider Registration and International Student Management System (PRISMS); and/or

o that an address provided by an Applicant is legitimate.

The Platform should verify an Applicant’s:

o English language proficiency with English language assessment providers;

o financial information with their financial institution;

o professional skills with an approved skills assessment authority;

o educational history with educational providers;

o identity documents with official sources (excluding travel documents and biometrics); and/or

o other information provided by a Client directly with external sources, where the Successful Tenderer and the Department identify appropriate use cases.

The Platform must facilitate verification of information provided by Applicants with additional sources over time.

o This may occur as information required from Applicants changes, new sources become available or as the sources named above evolve over time.

The Platform must notify the Department of potential fraud.

The Platform must record and retain the details of how all verification activities were performed.

Definition: data verification involves increasing confidence that the information provided is authentic and true.

This can involve using fraud detection techniques e.g. police clearance is not authentic as the logo is incorrect.

This can involve checking the information with a trusted source e.g. confirming an ABN belongs to the Applicant by checking with the Australian business register, confirming the Applicant can receive emails at provided email address.

Note 1: Direct verification of foreign travel documents with the issuing authority is out of scope.

Note 2: Direct verification of biometrics against Government sources is out of scope.



UR-D18

Risk

As a Departmental User I want to know when a visa Applicant has been represented by a third party

In providing a visa Application to the Department for risk assessment, the Platform must ensure that information about their Representative(s) has been included.

o This includes where an Applicant may have changed representation during the visa Application lodgement process.

UR-D19

Assessment

As a Departmental User I want the Platform to automatically determine which assessments must be performed and workflow these tasks to the relevant parties

The Platform must determine which assessments need to be performed in accordance with Business Rules determined by the Department.

This includes where a Client has updated their information. The Platform must determine whether to accept the change of information in accordance with Business Rules determined by the Department.

o This could include determining that an additional assessment is required (for example an in-person interview).

The Platform must automatically workflow Applications in accordance with Business Rules determined by the Department.

UR-D20

Assessment

As a Departmental User I want the Platform to automatically perform analysis to support assessments

The Platform must have the capability to support assessment of Applications against specific visa criteria. Examples include:

o calculation of funds available to assess an Applicant against financial criteria;

o identification of plagiarism in statements in support of genuine temporary entrant criteria; and

o identification of anomalies or inconsistencies in Application metadata and information provided by the Client.

The Platform must perform automated analysis and assessments to support Decisions to approve Sponsors.

UR-D21

Assessment

As a Departmental User I want the Platform to provide the necessary information for me to perform a manual assessment against specific visa criteria

The Platform must provide the Departmental User with all relevant information, verification outcomes and analysis.

o This must include identification of visa criteria met in accordance with Business Rules determined by the Department, as well as matters requiring a manual assessment.

o This information must be clearly structured by visa criteria and labelled in accordance with naming conventions set by the Department.

o The Platform must provide all information necessary to perform the assessment.

The Platform must require the Departmental User to record the assessment outcome and the reasons supporting the assessment.

Upon completion of a manual assessment, the Platform must progress Applications in accordance with Business Rules determined by the Department.



UR-D22

Assessment

As a Departmental User I want to be able to manage the assessment of Group Applications

Where a manual assessment is required for a member of a Group Application, in accordance with Business Rules determined by the Department, the Platform must workflow the complete Group Application to a Departmental User.

The Platform must allow Departmental Users to manually add or remove individuals from a Group Application.

o The Platform must enable Departmental Users to return the Group Application to the automated Platform workflow.

The Platform must be capable of prioritising the order in which the Applications of group members is assessed and finalised.

o This could include assessing Applications for the parents in a family of Group Applications before the children.

o This could include not finalising the Applications of any members of the Group Application until all members have been assessed.

o The Platform must be able to link related Applicants, such as family members, together within a larger group.



2.2.16 Other Market Provider

2.2.16.1 For Other Market Providers, this third stage of the journey is about ensuring that all

information is available to perform the requested activities, the outcomes of which contribute

to the assessment of a visa Application.

UR-M3


As a Client Services Provider I want the Platform to give me the information I need to collect an Applicant’s biometrics in person

The Platform must determine which biometrics must be collected in-person based on Business Rules determined by the Department.

The Platform must provide the Client Services Provider with the necessary information about an Applicant to collect their biometrics in-person.

The Platform must allow Client Services Providers to provide the Platform with information about the in-person collection of biometrics from an Applicant.

o The biometric collected by the Client Services Provider will be provided directly to the Department’s enterprise biometric and identification system.

UR-M4

Assessment

As an Other Market Provider I want to have the information I need about an Applicant so that I can perform assessments as requested

The Platform must be capable of interfacing with the systems of Other Market Providers as required.

The Platform must be capable of supplying Other Market Providers with relevant supporting information.

The Platform must be capable of recording the assessment outcomes and supporting notes from Other Market Providers.

Note: The required functionality and timing will be agreed during the separate procurement process(es) of any Other Market Providers.



2.2.17 Action

2.2.18 Introduction

2.2.18.1 There are three types of required user outcomes in the action stage of the user

journey:

a) Client services: includes being informed of the outcome of a visa

Application and being provided any additional information that may benefit

the Client, for example correspondence including refusal reasons and

review rights;

b) compliance: informing Clients about the conditions associated with their

visa; and

c) Decision making: includes the making of a visa Decision, whether

auto-granted according to Business Rules or manually by a Departmental

User.

2.2.19 Client

2.2.19.1 For the Client, this fourth stage of the journey includes wanting to know about the

outcome of the visa Application and, where granted, the conditions associated with the visa.

There may also be opportunities for information about Australia to be provided that will benefit

the Client’s journey.

UR-C27

Client services

As a Client I want to be notified about the outcome of my Application

The Platform must automatically notify Clients about Decisions on their Applications in accordance with Business Rules determined by the Department. This includes Decisions on visa Applications, Sponsorship Applications and Nomination Applications.



UR-C28

Client services

As an Applicant I want to be guided to information about Australia and Government services

The Platform should have the capability to provide Applicants with relevant information about Australia.

o This includes information about Australia that could be important to a visa holder, for example safety information for swimming at Australian beaches or obligations of travellers in relation to Customs.

o Information should include directing Applicants to other Australian Government services that might be relevant to their intent of coming to Australia, such as directing a temporary skilled worker to information about the Australian taxation and superannuation systems.

o Information provided must not be related to any Additional Commercial Services.

o Content will be approved by the Department as part of governance arrangements and the Successful Tenderer must ensure that the Platform does not provide any information to Applicants which is not approved by the Department.

UR-C29

Compliance

As a Client I want to know the conditions associated with my visa or my Sponsorship obligations

The Platform must notify Clients who have been granted a visa of the conditions and entitlements of the visa.

o This will be included in formal correspondence based on templates provided by the Department, however this does not preclude other innovations that might be able to be provided by the Platform.

The conditions and entitlements of a visa held by a Client must be available through their Platform account.

The Platform must notify approved Sponsors of their sponsorship obligations.

o This will be included in formal correspondence based on templates provided by the Department, however this does not preclude other innovations that might be able to be provided by the Platform.

The details of any Sponsorship obligations must be available to a Sponsor through their Platform account.



2.2.20 Department

2.2.20.1 For the Department, this fourth stage of the journey is about the making of Decisions

regarding visa Applications, Sponsorship Applications and Nomination Applications, and any

reviews that need to be undertaken of a Decision that has been made.

UR-D23

Client Services

As a Departmental User I want to notify Clients of the outcomes of their Application

The Platform must automatically notify Clients about Decisions on their Applications in accordance with Business Rules determined by the Department. This includes decision on visa Applications, Sponsorship Applications and Nomination Applications.

The Platform must allow a Departmental User to efficiently manually edit any correspondence to be sent to the Client.

o For example, correspondence for refusals must include reasons for the decision. These reasons could be either automatically created through Business Rules or manually entered by the Departmental User.

The Platform must have the capability to implement a minimum time between lodgement of an Application and notifying the Applicant of the visa Decision.

UR-D24

Decision making

As a Departmental User I want to maximise automation and streamlining of decision making

The Platform must make automated decisions to grant visa Applications in accordance with Business Rules determined by the Department.

The Platform must make automated decisions to approve Sponsorship Applications and Nomination Applications in accordance with Business Rules determined by the Department.

UR-D25

Decision making

As a Departmental User I want to be able to manually make a decision about an Application

Where Business Rules determine that an Application, including a visa Application, Sponsorship Applications and Nomination Applications, cannot be decided automatically, the Platform must support Departmental Users to make a decision.

o The Platform must provide the Departmental User with relevant information, verification outcomes, analysis on this information and assessment outcomes.

o This includes clearly identifying why the Application was not decided automatically.

The Platform must allow the Departmental User to record the Decision, reasons for the Decision and supporting information used to make the Decision.



UR-D26

Decision making

As a Departmental User I want the Platform to support the management of legal issues

The Platform must be able to provide relevant information to a departmental Legal Officer.

o This information may include the Application, supporting information provided by the Applicant, correspondence with the Department, and assessment and Decision outcomes with supporting reasoning.

The Platform must have the capability to respond to any request for information from a relevant review body, for example the Administrative Appeals Tribunal (also refer requirement PR10 in relation to audit of operations).

2.2.21 Other Market Provider journey – Advised of a decision

2.2.21.1 Outcomes related Other Market Providers in the action stage include:

UR-M5

Client Services

As an Other Market Provider I want to be notified about the outcome of an Application

Where appropriate, the Platform must notify Other Market Providers about Decisions on certain Applications in accordance with Business Rules determined by the Department.

2.2.22 Other Organisation journey – Advised of a decision

2.2.22.1 Outcomes related to Other Organisations in the action stage include:

UR-O4

Client services

As an Other Organisation I want to be notified about the outcome of an Application

Where appropriate, the Platform must notify Other Organisations about Decisions on certain Applications in accordance with Business Rules determined by the Department.



2.2.23 Resolve

2.2.24 Introduction

2.2.24.1 There are two types of required user outcomes in the resolve stage of the user

journey:

a) Client services: ensuring that Applicants, visa holders, Sponsors and

relevant third parties have access to relevant information;

b) Compliance: ensuring that Departmental Users have the information

required to perform their tasks, particularly in relation to managing the

border as travellers enter and leave Australia and to manage immigration

compliance activities; and

c) Decision making: ensuring that Departmental Users have the information

required to perform any Decision making activities as a result of any

Compliance activities.

2.2.25 Client – Travel and comply

2.2.25.1 For the Client, this fifth stage of the journey includes being aware of the conditions of

the visa held to ensure compliance, allowing Sponsors and relevant Representatives to assist

in compliance activities, and ensuring visa holders are supported as their visa expiry date

approaches.



UR-C30

Client services/ Compliance

As a Business Sponsor I want to manage, view and update information

The Platform must allow Business Sponsors to view information about the approved Sponsorship, Nominations and sponsored Applicants.

The Platform must enable Business Sponsors to check and understand the undertakings and obligations of their Sponsorship.

The Platform must allow Business Sponsors to provide evidence of their compliance with the undertakings and obligations of their Sponsorship.

o This includes the ability to upload into the Platform supporting information such as payslips.

The Platform must allow Business Sponsors to report changes in the work circumstances of a sponsored Applicant.

The Platform must notify Business Sponsors of upcoming changes in the visa status of their sponsored Applicants.

UR-C31


As an Applicant I want to be reminded of the conditions of my visa

Applicants must be able to check the details and conditions of their visa using the Platform.

o The Platform must provide this functionality for holders of all visa products, not only those processed through the Platform. This is supported by APIs provided by the Department.

The Platform must nudge Applicants to comply with the conditions of their visa by sending automated reminders to Applicants where appropriate.

o This requirement applies only to visas processed through the Platform.

UR-C32


As a Client I want to provide evidence of compliance with my visa conditions

The Platform must allow Clients to provide evidence of their ongoing compliance with the conditions of their visa.

o For example, compliance with a health undertaking or evidence of residence in a particular regional area (which may be relevant to a future Application for permanent residency or citizenship).

Business Rules determined by the Department will determine the action to be taken by the Platform following a Client providing compliance information.

UR-C33

Client services

As a Client I want to explore options for staying longer in Australia

Clients must be able to outline their intent in wanting to stay longer in Australia and be presented with visa options that may match this intent.

Note: effectively this requirement loops the Client back to the explore stage of the user journey and requirement UR-C1.



UR-C34

Client services

As a Client I want to request the cancellation of my visa

Clients must be able to request the cancellation of a visa through their Platform account.

Business Rules determined by the Department will determine the action to be taken by the Platform following a Client requesting a visa cancellation.

o That is, whether cancellation tasks can automatically be undertake prior to being referred to an appropriate Decision Maker for decision.

2.2.26 Department – Ensure compliance

2.2.26.1 For the Department, this fifth stage of the journey is about ensuring that Departmental

Users have a “single view” of a Client’s Application history and information about visa holders,

and the compliance and border activities of the Department and its portfolio agencies are

effectively supported.

UR-D27

Compliance/ Decision making

As a Decision Maker I want to cancel a visa

The Platform Decision making must support Decision Makers to undertake the cancellation of a visa. This includes but is not limited to:

o cancelling a visa under sections 109, 116, 128, 140 and 501 of the Migration Act 1958 (Cth); and

o cancellations initiated at the request of a Client (refer UR-C34).

The Platform must provide the Decision Maker with a single view of all relevant information as determined by the Business Rules, verification outcomes, analysis of this information and assessment outcomes.

The Platform must allow a Decision Maker to undertake the cancellation process, record cancellation Decisions, reasons for the Decision and supporting information used to make the Decision.

The Platform must support Departmental Users to group cancellations for workflow purposes.

UR-D28

Compliance/ Decision making

As a Border and Entry Officer I want to view Applicant information, update Applicant information and grant or cancel visas

The Platform Decision making must support Border and Entry Officers in managing the border. This includes:

o a single view of all information about an Applicant, including their visa status;

o updating information about an Applicant, such as passport information, contact details;

o recording additional notes about an Applicant; and

o undertaking a visa Decision (grant, refuse and cancel), including recording the Decision, reasons for the Decision and supporting information used to make the Decision.



UR-D29

Compliance

As a Departmental User I want to view information about Clients to support compliance activities

The Platform must support Departmental Users to conduct investigations and manage compliance activities.

o The Platform must allow authorised Departmental Users to refer Clients to appropriate departmental teams for compliance activity, cancellation consideration or investigation.

o The Platform must provide Departmental Users with a single view of all information about an Applicant. This includes reviewing information provided by an Applicant as part of natural justice proceedings.

o The Platform must provide role-based access to the Platform for Departmental Users as authorised.

o The Platform must allow Departmental Users to record supporting evidence and the outcomes of a compliance activity, such as a compliance field visit.

UR-D30

Compliance

As a Departmental User I want to access information about a visa Applicant

The Platform must include the functionality to search for Applicants and/or Applications that meet a set of characteristics specified by a Departmental User. The Applicant/Application search will be across the Platform’s data holdings and where required, utilise departmental APIs to search and retrieve Applicant/Application information from the Department’s systems.

The Platform must provide role-based access to the Platform for Departmental Users as authorised.

The Platform should automate the extraction of information regarding an Applicant from the Platform.

Note 1: This includes responding to requests for information made under the Freedom of Information Act 1982 (Cth), the Privacy Act 1998 (Cth) and corresponding state and territory legislation.

Note 2: This includes requests made by law enforcement agencies, the Australian Taxation Office, the Australian Competition and Consumer Commission, the Australia Securities & Investments Commission, and other relevant Commonwealth Agencies.

2.2.27 Other Organisation journey – Check visa status

2.2.27.1 For Other Organisations, this fifth stage of the journey is about ensuring Other

Organisations are able to access current information about an Applicant’s visa status.

UR-O5

Client services

As an Other Organisation I want to check an Applicant’s visa status and conditions

Authorised Other Organisations must be able to check the entitlements of an Applicant’s visa using the Platform.

o The Platform must provide this functionality for all holders of visa products, not only those processed through the Platform. This is supported by APIs provided by the Department.

Examples of Other Organisations who may need to know the visa status of an individual include Registered Migration Agents, employers, labour suppliers, sharing economy organisations, education providers, financial institutions, real estate agents, telecommunication companies and Commonwealth Agencies.



2.3 Required business enabling outcomes

2.3.1 Introduction

2.3.1.1 The Platform must provide capabilities to enable the Department to manage visa business

operations effectively. This includes functional requirements that deliver the following

outcomes:

a) User support: the Platform must provide specified user support for all

users including Clients, Departmental Users, Other Market Providers of

visa services and Other Organisations including self-service support

through the Platform and escalated technical support. The Successful

Tenderer is required to provide the support necessary for the Department’s

provider of client enquiry services to assist Clients where possible. In

addition, the Successful Tenderer is required to provide training and

support for Departmental Users on the effective use of the Platform;

b) Business Rule development: the Department will determine the Business

Rules for the Platform. The Successful Tenderer will collaborate with the

Department in the development of the Business Rules to maximise their

efficiency and automation;

c) Single view of Client: the Platform must provide a “single view” of all

Clients, underpinned by an anchored identity (i.e. an identity linked to

biometric records), that includes real time access to all Client interactions

with or accessible by the Platform and all actions undertaken by

Departmental Users in respect of a Client. A “single view” of a Client is

integral to effective and efficient Decision making and program

management for the Department;

d) Workflow management: visa processing often involves an ongoing

exchange between an Applicant, the Department and the Australian Border

Force, and the service providers who are collectively responsible for

performing visa processing tasks. This exchange means that managing the

workflow of the processing effort is a critical factor in end-to-end

automation of the visa journey. As such, the Platform must provide an

automated solution for managing this workflow throughout the visa journey;

e) Program management: visa processing involves the ongoing

management of a number of factors, including service levels, risk

tolerance, budget and program caps. The Platform must provide

functionality to support the Department’s management of these factors;

f) Quality assurance: the Department will perform ongoing quality

assurance checks on tasks carried out by the Platform, Departmental

Users, Other Market Providers, Other Organisations, and other

departmental functions involved in visa processing. The Platform must

provide functionality to support these processes (including in real time) and

the Successful Tenderer is expected to perform sufficient internal quality

assurance to meet the requirements outlined in this Attachment A -

Statement of Requirement;



g) Reporting and analytics: the Platform must provide automated reporting

and analytics capabilities for a range of data, including visa Application

data and operational performance data; and

h) Real time access: complete transparency of all Platform functions and

operations is a critical functionality. The Department must have real time

access to all aspects of the Platform’s operations. This includes anything

from the physical location of an Applicant at any time while using the

Platform, through to real time analysis of Platform operations.

2.3.2 User support

2.3.2.1 Client

UR-C35

User support

As a Client I want to get help when I have problems using the Platform or have enquires about my Application

The Platform must provide digitally delivered, automated Tier 0 support to Clients.

o Tier 0 user support includes online help content for users, help pointers during the Application process and an automated chatbot in the Designated Platform Languages defined in UR-C6.

The Successful Tenderer must develop Tier 1 and Tier 2 knowledge articles to be used by the Department’s provider of client enquiry services.

The Successful Tenderer must provide 24/7 Tier 3 technical support for clients.

o It is expected that Tier 3 user support is delivered over the phone and through online chat.

o Tier 3 technical support capability must be located in Australia.

o Enquiries will be routed via the Department’s client enquiry service centre and include access to the translating and interpreting service for language support.

The Successful Tenderer must document and maintain records of each person’s support interactions and provide reporting to the Department.

2.3.2.2 Department

UR-D31

User support

As a Departmental User I want to get help when I have problems using the Platform

The Platform must provide digitally delivered, automated Tier 0 support to Departmental Users.

o This includes developing and maintaining support for each feature, including online help content through an automated chatbot. Online help content must be available from the initial deployment of a feature.

The Successful Tenderer must develop Tier 1 knowledge articles to be used by the Department’s User Support Provider.

The Successful Tenderer must provide 24/7 Tier 2 and Tier 3 technical support for Department Users.

o It is expected that Tier 2 and Tier 3 Departmental User support is delivered over the phone.

o Enquiries will be routed via the Department’s user service centre.

o The Successful Tenderer will be required to integrate with the Department’s service management tool (e.g. Service Manager 9).



UR-D32

User training

Departmental Users are able to confidently use the Platform to perform their duties

The Successful Tenderer must provide training on effective and efficient use of the Platform to Departmental Users.

o This includes design and development of online training modules as well as design, development and delivery of face-to-face training modules to the global workforce where appropriate.

The Successful Tenderer must support Department Users of the Platform by developing and maintaining up-to-date Platform operating instructions and standard operating procedures.

The Platform must allow Departmental support and instructional information relating to manual assessment and decision making tasks to be uploaded and maintained.

The Platform must provide Departmental Users contextual support and instructions relating to manual assessment and decision making tasks based on information provided by the Department.

The Tenderers must provide the Department with a Training Plan for approval as follows:

o a draft as part of their Phase Two Tender;

o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed; and

o an update annually on the anniversary of the Commencement Date.

UR-D33

User support

As an authorised Departmental User I want to be able to manage my team’s use of the Platform

The Platform must support the Department to manage its use of the Platform. This includes the capability to:

o establish and change team/organisation structure and allocate roles and responsibilities;

o support Team Leaders to manage their team including the ability to add, remove or reallocate Departmental Users within the organisation structure;

o support Team Leaders to adjust parameters determining task assignments within their team structure; and

o support Team Leaders to re-assign any tasks to another Departmental User.

2.3.2.3 Other Market Provider

UR-M6

User support

As an Other Market Provider I want to get help when I have problems using the Platform

The Platform must provide digitally delivered, automated Tier 0 support to Other Market Providers.

o This includes developing and maintaining support for each feature, including online help content and an automated chatbot. Online help content must be available from the initial deployment of a feature.

The Successful Tenderer must develop Tier 1 knowledge articles to be used by Other Market Providers.

The Successful Tenderer must provide 24/7 Tier 2 and Tier 3 technical support for Other Market Providers.

o It is expected that Tier 2 and Tier 3 user support is delivered over the phone.





UR-M7

User support

As a User Support Provider I want to access information about an Application and the Platform so that I can help users resolve their problems

User Support Providers must have role-based access to Applicant and Application information.

User Support Providers must be able to record their interactions with the Applicant in the Platform.

2.3.2.4 Other Organisation

UR-O6

User support

As an Other Organisation I want to get help when I have problems using the Platform

The Platform must provide digitally delivered, automated Tier 0 support to Other Organisations.

o This includes developing and maintaining support for each feature, including online help content and an automated chatbot. Online help content must be available from the initial deployment of a feature.

The Successful Tenderer must develop Tier 1 knowledge articles to be used by an external user enquiry service provider.

The Successful Tenderer must provide 24/7 Tier 2 and Tier 3 technical support for Other Organisations.

o It is expected that Tier 2 and Tier 3 user support is delivered over the phone.



2.3.3 Business Rule development and implementation

2.3.3.1 The Department will determine the Business Rules for the Platform. The Department expects

that the Successful Tenderer will collaborate with the Department in the development of the

Business Rules to maximise their efficiency and automation.

2.3.3.2 This includes as a minimum, but not limited to, Business Rules that specify Application

processing and decision making workflows including in relation to:

a) what information the Platform will collect from Clients, the Department and

third parties and the order of collection;

b) what information provided by the Client the Platform will verify to increase

confidence in authenticity;

c) what information the Platform will analyse to enable a specific criteria to be

assessed; and

d) what process the Platform will follow to determine whether an Application

should be referred to a Departmental User or autogranted.



UR-D34

Business Rules

The Successful Tenderer will assist the Department to develop appropriate Business Rules and implement those rules on the Platform

The Successful Tenderer must, when required by the Department, provide input on the development of Business Rules.

The Successful Tenderer must implement the Business Rules in accordance with any Agreement.

o The Successful Tenderer must not implement any Business Rules that have not been determined by the Department.

2.3.4 Workflow management

UR-D35

Workflow

As a Departmental User I want the Platform to determine the next step in processing

The Platform must automatically advance Applications to the next processing step in accordance with Business Rules determined by the Department.

o This must include triggering re-assessment of risk and identity assurance in accordance with the Business Rules determined by the Department.

o This must include determining the next step in response to receiving information from an Applicant or other parties, actions taken by the Department or the Applicant, treatments prescribed by the Department’s identity, risk and intelligence functions, or by other conditions e.g. the expiry of a visa or change of circumstances.

o Having determined the next step in processing, the Platform must allocate tasks for action in accordance with Business Rules determined by the Department.

The Platform must optimise the visa processing workflow to both improve the user experience and the efficiency of Decision making

o (e.g. by triggering concurrent assessments such as initiating a health assessment requirement in conjunction with other workflow steps).The Platform must have an ability to check that Applications are actively progressing through the defined processing workflow and have not become stalled, lost or incorrectly work flowed.

UR-D36

Workflow

As a Departmental User I want Applicants to be assessed according to the policy and Business Rules that apply at the time of lodgement

The Platform must assess Applicants in accordance with the Business Rules applicable at the time of lodgement.

o Note: There may be some exceptions including where legislative changes retrospectively apply to Applications which have already been lodged. This will be specified in the Business Rules determined by the Department.

If manual assessment is required, the Platform must provide Departmental Users with the policy and Business Rules that apply to the Application.

UR-D37

Workflow

As a Departmental User I want to be able to adjust the sequencing of processing steps or the time taken between processing steps

The Platform must allow the Department to determine new Business Rules in accordance with the Agreement.

o Authorised Department Users must be able to set and adjust time intervals between automated steps in the workflow.



UR-D38

Workflow

As a Departmental User I want the Platform to support me to complete my allocated tasks

The Platform must automatically provide Departmental Users with the information required to perform their allocated task(s) (refer requirement UR-D21).

The Platform must allow Departmental Users to refer individual Applications and particular tasks to other Departmental Users.

o For example, allowing a Decision Maker to refer an Application to their Team Leader or a departmental specialist in a particular area.

UR-D39

Workflow

As a Team Leader I want to be able to adjust the workflow parameters for my team and manually re-allocate tasks

Team leaders must be able to adjust workflow parameters for their team and manually re-allocate tasks.

2.3.5 Program management

UR-D40

Program management

As an Authorised Departmental User I want to adjust the Business Rules for automated processing

The Platform must be capable of giving Authorised Departmental Users the ability to adjust Business Rules which affect automated processing (in accordance with processes set out in the Agreement).

o This includes the ability to change automated risk thresholds, the approach to data collection, data verification and assessments (within the bounds of visa legal requirements and policy) and processing speed.

o This includes the ability to vary the approach by product and caseload.

The Platform must be able to restrict who has authority to access and modify Business Rules (refer requirement PR9 relating to access security).

The Platform must keep records of all changes made, including who undertook the change and the date and time it was made (refer requirement PR10 relating to audit of operations).

The Platform must be capable of giving authorised Departmental Users the ability to manually intervene in the processing of any Application at any point*.

Note: more information will be provide in the Data Room on this requirement.

2.3.6 Quality assurance

UR-D41

Quality assurance

As a Departmental User I want to perform quality assurance on manual assessments and decisions

The Platform must allow Applications to be selected for audit in real time.

o This must include selection or referral of specific cases, selection of a random subset of cases or selection of a subset of cases based on adjustable parameters, at the program level and at the officer level.

o This includes the ability to search for Applicants/Applications that meet a set of characteristics specified by the Departmental User. The Applicant/Application search will be across the Platform’s data holdings and where required, utilise departmental APIs to search and retrieve Applicant/Application information from the Department’s systems.

The Platform must provide information to support the audit activity. This includes which assessments were made manually and the confidence rating for outcomes of any automated tasks.

The Platform must only allow Authorised Departmental Users, identified based on their role, to manually select an Application for review or processing.



UR-D42

Quality assurance

As a Departmental User I want to review processing steps automated by the Platform

The Platform must allow Applications to be selected for audit in real time.

o This must include selection or referral of specific cases, selection of a random subset of cases or selection of a subset of cases based on adjustable parameters, at the program level and at the officer level.

The Platform must supply information on verification, assessment and decision steps for individual Applications.

UR-D43

Quality assurance

As a Departmental User I want to be informed of cases where an Applicant breaches the conditions of their visa

In accordance with Business Rules determined by the Department, the Platform must have the capability to notify Departmental Users and facilitate reviews in response to compliance breaches and other requirements flagged by the Department’s systems.

2.3.7 Reporting and analytics

2.3.7.1 The Platform must provide reporting and analytics capabilities for a range users including

Departmental Users, Other Departmental Users, Other Market Providers, and Other

Organisations. This includes:

a) the provision of standardised reporting and the capability for users to build

customised reports;

b) the ability to save reports, export reports and create dashboards;

c) the ability to segment data by key variables including but not limited to visa

type, risk level, nationality, user type, processing location and processing

task;

d) the ability to present identified and de-identified data of individual

Applicants or other individual users or the operation of the Platform; and

e) the ability to generate new or ad-hoc reports where requested by the

Department.

2.3.7.2 The Successful Tenderer must also supply reports as evidence of compliance with any

Agreement in the form required by the Department.

2.3.7.3 The reports outlined in this section and any additional reports must be supplied to the

Department on an as requested basis.

UR-D44

Reporting

As a Departmental User I want to see reporting and analytics about my team

The Platform must provide the capability for Departmental Users to extract data to create standard and customised reports in real time.

o This includes the number and nature of tasks performed, time taken, Decision outcomes, percentage of completed tasks or outstanding work.

o This includes generating reports for individuals and teams over different time periods, for example on a daily, weekly, and/or monthly basis.



UR-D45

Reporting

As a Departmental User I want the Platform to monitor the completion of tasks

The Platform must track the processing time for individual Applications in real time.

o This must include tracking the overall processing time i.e. the time from lodgement through to notifying an Applicant of the visa Decision.

o This includes monitoring the processing time for individual processing tasks, for example verifying a particular type of document or performing a particular assessment.

The Platform must monitor the completion of tasks allocated to Clients, Departmental Users, Other Market Providers and any Other Organisations. This includes providing historical data for comparison.

The Platform must notify the Department regarding Other Market Providers and departmental teams which are performing tasks at slower than target levels. This must include providing relevant supporting information to the Department.

UR-D46

Reporting

As a Departmental User I want to review the performance of the Successful Tenderer against key metrics set by the Department

The Platform must track its own performance against service levels and other performance measures in the Performance Management Framework.

The Platform must notify the Department when it has not met or is at risk of not meeting the service levels or other performance measures in the Performance Management Framework.

The Platform must provide the capability for real-time monitoring on the Platform’s performance against key metrics as set by the Department. The Successful Tenderer must provide other written reports in accordance with the Performance Management Framework. For example, these will include reports on:

o workplace health and safety incidents;

o the current condition of equipment used to supply the Services, including details of maintenance, repairs and upgrades undertaken; and

o performance against other key performance indicators, service levels or other performance measures.

UR-D47

Reporting

As a Departmental User I want to be alerted regarding any security issues so that I can resolve issues and escalate when required

The Successful Tenderer must immediately notify the Department of any security incidents, unauthorised contact with security classified material, unauthorised access to individual Client records, non-compliance, or becoming aware of suspicious behaviour or malicious activity.

UR-D48

Reporting

As a Departmental User I want to analyse data and receive regular reports on the results of assessments, risk treatments and identity treatments

The Platform must provide reporting and analytics capabilities which enable the Department to review the results and effectiveness of assessments, risk treatments and identity treatments.

o This must include near-real-time reporting, regular standardised reporting, and the capability for Departmental Users to build customised reports.



UR-D49

Reporting

As a Departmental User I want to analyse visa Application data

The Platform must provide reporting and analytics on visa Applications both at a point in time and over a time period. The type of analytics required includes:

o number of Applications at each stage of the Application process by visa type and nationality, including draft Applications which are not completed and Applications that are abandoned (no activity for 28 days);

o the ability to filter data, for example by user type, visa type and nationality, assessment type; and

o the ability to segment data by key variables including visa type, risk level, nationality, processing location and processing task.

The Platform must provide information required for the Department to fulfil its public disclosure obligations, for example the departmental annual report.

The Platform will provide the capability to examine and audit, including in real time, every interaction with the Platform (i.e. every step of every transaction or interaction with the platform will be collected including deletion of material previously entered by Applicants).

2.4 Required outcomes of the Platform and Successful Tenderer

2.4.1 Introduction

2.4.1.1 In delivering the Core Government Services, the Successful Tenderer will need to deliver a

number of non-functional requirements that realise outcomes related to the management of

the Platform and the Services.

2.4.1.2 This section is divided into the following:

a) Platform operations, which describes required outcomes for operational

aspects of the Platform;

b) Platform revision, which describes required outcomes related to changing

the Platform (to be read in conjunction with Attachment D - Draft

Agreement and section 4.3 in Part 4 -Commercial Parameters and

Settings); and

c) Platform interfaces and interoperability, which describes the extent to

which the Platform is required to couple, work with or interface with other

systems.

2.4.1.3 Outcomes are presented as Platform or Successful Tenderer requirements with the prefix PR

and are shaded orange.

2.4.2 Platform operations

2.4.2.1 The Department has a number of operational outcomes for the Platform that the Successful

Tenderer will be required to achieve.

2.4.2.2 These requirements deal with the following:



a) outcomes that relate to the provision of the Services: including that the

Platform is consistently available and accessible to users, and that Core

Government Services are identified to users as a service of the Australian

Government;

b) outcomes that relate to management of the Platform: including ensuring

that the sovereignty of the visa system is protected through adequate

controls such as those relating to system access controls, fraud and risk

management. The Department must also be able to readily access

information and documentation about the Platform; and

c) outcomes that relate to providing a safe workplace.

2.4.2.3 Outcomes related to the provision of the Services

PR1

Omni-channel

The Platform supports a seamless user experience

The experience for Clients must be consistent and integrated across all supported channels.

o For example, a Client must be able to start an Application on a mobile device and complete it on a computer or laptop.

The Platform should ensure that the number of points at which a Client must switch between devices, functions or Platform capabilities to complete a given task is minimised as much as possible.

The experience for Departmental Users must be consistent and integrated across all Departmental supported channels.

o For example, a Departmental User must be able to use Platform capabilities on mobile or tablet devices as well as on a computer or laptop.

PR2

Accessibility

The Platform is widely accessible to the general public in key markets

The Platform must operate across a range of operating systems and devices (including laptops, personal computers, and mobile devices such as mobile phones and tablets) and is required to ensure that the operating systems used by at least 97 per cent (in aggregate) of the public in a key market are supported at any given point in time over the Term of any Agreement.

The Platform must operate across a range of internet browsers on devices to ensure that the browsers used by at least 97 per cent (in aggregate) of the public in a key market are supported at any given point in time over the Term of any Agreement.

This must include the most current minor version, the previous two minor versions and any major version from the past two (2) years.

Note 1: Key market is defined as the 20 countries with the highest number of Australian visa lodgements in the most recent financial year.

Note 2: The Department will define the industry source that will be used to determine what percentage of the public use a particular operating system or browser. This will defined prior to execution of the Agreement (if any) with the Successful Tenderer.



PR3

Accessibility

The Platform is as widely accessible as possible globally

Clients should be able to access key components of the Platform where there is limited internet connectivity or mobile telecommunications coverage.

o For example, providing Clients the ability to access Application lodgement services through a basic HTML view even if more sophisticated Platform services such as chatbots are not viable.

The Successful Tenderer must be able to tell the Department where geographical areas will not be adequately serviced by the Platform so that the Department is able to organise suitable arrangements with Other Market Providers.

The Tenderers must provide the Department with a list of geographical areas that will not be adequately serviced by the Platform for approval as follows:

o a draft as part of their Phase Two Tender



PR4

Accessibility

The Platform is compliant with accessibility guidelines

The Platform and all its products, services and outputs must at a minimum, be compliant with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. This includes adherence to the four principles that provide the foundation for web accessibility by ensuring content is:

o perceivable - information and user interface components must be presentable to users in ways they can perceive. This means that users must be able to perceive the information being presented (it cannot be invisible to all of their senses);

o operable - user interface components and navigation must be operable. This means that users must be able to operate the interface (the interface cannot require interaction that a user cannot perform);

o understandable - information and the operation of user interface must be understandable. This means that users must be able to understand the information as well as the operation of the user interface (the content or operation cannot be beyond their understanding); and

o robust - content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies. This means that users must be able to access the content as technologies advance (as technologies and user agents evolve, the content should remain accessible.

The Platform and all its products, services and outputs should be compliant with the latest version of the Web Content Accessibility Guidelines (WCAG) Level AAA within three (3) years of the Commencement Date.

In the event a new major version of the WCAG is released, the Platform and all its products, services and outputs must at a minimum, be compliant with the major version released immediately prior to the latest major version (i.e. upon the release of WCAG 4.0, the Platform must at a minimum be compliant with WCAG 3.0).

The Platform must comply with the accessibility standard contained within the Digital Service Standard issued by the Digital Transformation Agency.



PR5

Availability

The Platform supports the Department’s management of the border by being available and functioning with minimal downtime

The Platform must provide, as a minimum, 99.9 per cent uptime per month for Clients, excluding scheduled downtime.

The Platform must provide, as a minimum, 99.5 per cent uptime per month for all users other than Clients, excluding scheduled downtime.

The Successful Tenderer must immediately notify the Department of any unscheduled downtime or outage.

The Platform must have no more than 12 scheduled outages in a year, which last no longer than 12 hours in total.

o Any particular scheduled outage must not last longer than 1 hour without approval from the Department. Approval will be granted on a case by case basis.

o Scheduled outages should be planned to minimise the impact on the relevant users (for example outside AEST business hours for outages impacting Decision Makers).

o There may be a need from time to time for any scheduled outages for the Platform to be arranged to coincide with a departmental release cycle.

o The Successful Tenderer must notify the Department ahead of any scheduled downtime, and the scheduled downtime must in accordance with processes set out in the performance management framework.

o Any specific scheduled outage should not impact the entire Platform but should be restricted to either the Client facing functionality or non-Client facing functionality only (not both).

In addition to scheduled outages, the Successful Tenderer must immediately notify the Department of an emergency outage and advise actions being undertaken in response to address critical issues (e.g. denial of service attack).

PR6

Efficiency

The Platform provides adequate response times for all users, at all times

In the context of user interaction being defined as any action taken by a user which then requires the Platform to provide a response, the Department expects the following minimum response times to be met:

o for a Client: a Platform response time of less than 2 seconds in 95 per cent of user interactions, to allow for Clients to experience a response time of less than 4 seconds in 95 per cent of user interactions;

o for all users other than Clients: a Platform response time of less than 3 seconds in 95 per cent of user interactions, to allow for relevant users to experience a response time of less than 5 seconds in 95 per cent of user interactions; and

o The Platform must not exceed the following response times: 95% less than 2 seconds; 97% less than 5 seconds; 98% less than 10 seconds; 99% less than 15 seconds across each user group.

The Platform must be designed, developed and deployed in such a manner that response times are achieved at all times, including during peak periods of user activity (for example periods where high levels of Applications are received in relation to Chinese New Year, Christmas, and student intakes).

Note: The Platform response time is calculated from the point at which the Platform receives the first part of the request from the user to the time that the Platform submits the last part of its response to the user.



PR7

Platform scale

The Platform makes services available regardless of volume

The Platform must expand its processing capabilities to support business growth.

The Platform must be designed, developed, tested and deployed to accommodate increased concurrent users, Application volumes, and workloads, specifically:

o the Platform must scale in real time to accommodate increases in the number of concurrent users; and

o the Platform must maintain consistent response times with increased Application volumes and concurrent users.

PR8

Branding

Core Government Services include the Department’s branding

The components of the Platform that deliver Core Government Services must include the brand of the Department.

The Platform must be able to adapt to any changes in the Department’s branding, in timelines set by the Performance Management Framework.

Co-branding with both the Department’s and the Successful Tenderer’s branding is permitted and any co-branding must be approved by the Department.

2.4.2.4 Outcomes related to management of the Platform

PR9

Access Security

Access to the Platform is restricted to authorised users and the Successful Tenderer safeguards against deliberate, intrusive and and/or unauthorised access from internal and external sources

The Platform must have role-based security access controls to ensure that only those with appropriate authority are able to use particular user interfaces and/or access particular functionality of the Platform.

Access control must be tailorable down to the attribute level. This must include controls to ensure there is no unauthorised access to the Business Rules contained within the Platform or the configuration of the Platform.

The Platform must retain a historical record of the access controls that were applied to each role/individual at any given point in time and a record of all changes to access controls for a particular role/individual.

For a particular role, the Platform must enable the Department to easily change access to data, user interfaces and/or functionality.

The Platform’s role based security access controls should be integrated with the Department’s existing Identity and Access Management (IAM) system.



PR10

Audit of operations

The Platform is able to trace activities and provide information necessary for the Department to audit the Platform’s operations

The Platform must be able to generate a version of all historical visa Applications, Sponsorship Applications and Nomination Applications commenced or lodged on the Platform in their original form, including where a visa Application form is later updated. This must be down to the attribute level.

The Platform must be able to generate a version of all audit information supporting all historical visa Applications, Sponsorship Applications and Nomination Applications commenced or lodged on the Platform.

The Platform must be able to generate a version of the Business Rules that applied to any visa Application, Sponsorship Application and Nomination Application commenced or lodged and processed on the Platform.

The Platform must be able to generate a record of all changes to Business Rules, including the specific changes that were made, who undertook the change, and the date and time the change was made.

On Acceptance and release of each visa product, the Successful Tenderer must provide the Department with a copy of all Business Rules contained in that version of the Platform. The Successful Tenderer must do this regardless of whether there were any Business Rule changes contained in the release.

The Platform must be able to generate an audit log describing when any particular user accessed particular functionality of the Platform. The audit log must be securely stored to prevent any deletion or modification.

PR11

Reliability

The Platform consistently performs its functions without failure

The Platform must have the ability to rectify issues identified with the operation of the Platform with little or no human intervention.

The Successful Tenderer must have a comprehensive approach (including tools and processes) to system monitoring; that is monitoring the performance and health of the Platform.

The Successful Tenderer must have a comprehensive approach to event management which addresses the entire event lifecycle, including event occurrence, event notification, event detection, event logging, event filtering and correlation, and event response.

The Tenderers must provide the Department with an Event Management Approach for approval as follows:






PR12

Business continuity

Business Continuity Plans are maintained throughout the Term of any Agreement

The Tenderers must provide the Department with a Business Continuity Plan for approval as follows:




Each Tenderer’s draft Business Continuity Plan provided as part of their Phase Two Tender must address the following:

o describe the roles and responsibilities of the Tenderer (should it be the Successful Tenderer), the Department and any third party respectively. It is envisaged that the Successful Tenderer will take primary responsibility for ensuring business continuity in the event of a business continuity event;

o describe the strategies and actions to ensure continuity of the Platform when normal operations are disrupted or circumstances exist that may threaten the operation of the Platform;

o align with recognised standards for business continuity including:

ISO 22301:2012 Societal Security Business Continuity Management Systems Requirement; and

ISO 5050:2010 Business Continuity Managing Disrupted Related Risk or equivalent;

o be consistent with and reflect the approved Risk Management and Fraud Control Plan;

o include criteria for identifying and managing business continuity risks, including descriptions of likelihood and consequence criteria, and appropriate risk management criteria;

o describe how business continuity issues will be reported internally and to the Department; and

o describe the threshold for escalation and management of business continuity issues.

Each Tenderer’s draft Business Continuity Plan must at a minimum consider the following scenarios:

o the Tenderer losing access to their workplace or worksite;

o the Tenderer losing access to regular staff who perform activities for a critical process;

o one or more IT application(s) the Platform relies upon is down, including the Department’s internal systems or the API Gateway;

o an unscheduled outage of the Platform or a failure of one or more critical pieces of equipment the Platform relies upon to function; and

o critical suppliers are not supplying the services required for the Platform to function, including if the internet is unavailable in a specific country.



PR13

Disaster recovery

ICT Disaster Recovery Plans are maintained throughout the life of the term

The Tenderers must provide the Department with an ICT Disaster Recovery Plan for approval as follows:




Each Tenderer’s draft ICT Disaster Recovery Plan must address the following:

o describe the roles and responsibilities of the Tenderer, the Department and any third party respectively. It is envisaged that the Successful Tenderer will take primary responsibility for enacting the ICT Disaster Recovery Plan;

o describe the strategies and actions to ensure continuity of ICT services when normal operations are disrupted or circumstances exist that may threaten the operation of the ICT services;

o align with recognised standards for ICT disaster recovery including:

ISO 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity;

be consistent with and reflect the approved Risk Management and Fraud Control Plan; and

include details of the business impact analysis (BIA) undertaken for each of the systems and services;

o include the strategies around people, technology, data and policies and procedures to ensure that the principles of incident prevention, detection, response, recovery and restoration are able to be put in place;

o include criteria for identifying and managing ICT disaster recovery risks, including descriptions of likelihood and consequence criteria, and appropriate risk management criteria;

o include details of how ‘practice drills’ will be undertaken to ensure the effectiveness of the ICT disaster recovery procedures;

o describe how ICT disaster recovery issues will be reported internally and to the Department;

o describe the threshold for escalation and management of ICT disaster recovery issue; and

o details of how the ICT Disaster Recovery plan will be tested, results provided to the Department, along with a plan to remediate any issues identified as part of the testing.

The Platform must have a disaster recovery environment for all capabilities utilised in the delivery of the Core Government Services.

The Successful Tenderer should have disaster recovery backup systems located in a different Australian state or territory to the primary system; such that if there is a disaster at the primary location the entire Platform can be operated from systems in a different state.

PR14

Recovery

The Platform is recoverable when faced with an incident relating to business continuity or ICT Disaster

The Client-facing functionality of the Platform must have a Recovery Time Objective (RTO) of less than 4 hours and a Recovery Point Objective (RPO) of less than 15 minutes, with the Department’s expectation as it relates to RTO and RPO illustrated below.

The non-Client facing functionality of the Platform must have a RTO of less than 8 hours and a RPO of less than 15 minutes, with the Department’s expectation as it relates to RTO and RPO illustrated in the figure below.



PR15

Documentation

Documentation relating to the design and operation of the Platform is available to the Department

The Successful Tenderer must maintain documentation* relating to the design and operation of the Platform in its entirety and be able to provide it to the Department when requested. The documentation must include:

o the end-to-end process flow;

o application architecture and business logic;

o software currency and support;

o Platform release procedures;

o system interfaces;

o grandfathering process;

o Platform recovery process;

o system administration and maintenance;

o training materials;

o major and minor release information;

o cyber security incident response procedures;

o departmental approved changes to the Platform; and

o business Rules configured on the Platform.

*Note: Information about documentation requirements will be made available in the Data Room.



PR16

Risk management

A systematic and stringent approach to managing risk, as well as preventing and detecting fraud, is adopted by the Successful Tenderer

The Tenderers must provide the Department with a Risk Management and Fraud Control Plan and Risk Register for approval in accordance with the following:


o a final version incorporating any changes requested by the Department is to be provided by the preferred Tenderer before any Agreement is signed;

o at a minimum, an update annually on the anniversary of the Commencement Date; and

o at other times where a review and update as appropriate to ensure the Risk Management and Fraud Control Plan or Risk Register remains current, including a review undertaken at the request of the Department.

The Risk Management and Fraud Control Plan must be consistent with the Department’s risk management strategies and the Commonwealth Fraud Control Framework, and must, at a minimum, describe:

o how the Successful Tenderer will identify, seek to prevent and manage risks in relation to the Services;

o the level of conformance to recognised standards for risk management (AS/NZS ISO 21000:2009);

o criteria for identifying and managing risks, including descriptions of likelihood and consequence criteria;

o how risks will be categorised and appropriate risk treatment strategies applied;

o how risks will be reported internally and to the Department;

o the thresholds for escalation and management of risks;

o how the Successful Tenderer will identify, prevent and manage risk of fraud in the performance of the Services; and

o how any instances of fraud or suspected fraud will be managed by the Successful Tenderer and reported to the Department.

Each Tenderer must:

o incorporate or otherwise address any comments or feedback on the Risk Management and Fraud Control Plan;

o comply with and implement the approved Risk Management and Fraud Control Plan over the Term of any Agreement;

o perform its obligations under any Agreement in a manner that facilitates identification, control, management and mitigation of the risks in connection with the Agreement, whether or not a risk is identified in the approved Risk Management and Fraud Control Plan;

o provide the Department with information and documents in relation to the Risk Management and Fraud Control Plan promptly on request by the Department; and

o promptly report to the Department on the status of the Risk Management and Fraud Control Plan, and any significant new or changed risks.



2.4.2.5 Outcomes related to a safe workplace

PR17

Workplace safety

Staff have a safe working environment that complies with work, health and safety standards

The preferred Tenderer must provide the Department with a Work Health and Safety (WHS) Plan for approval as follows:

o a draft at an agreed date during negotiations (if any) in relation to the Agreement;

o a final version incorporating any changes requested by the Department to be provided prior to Commencement Date;


o at other times where a review and update of the WHS Plan is appropriate to ensure the WHS Plan remains current.

The preferred Tenderer’s WHS Plan must, at a minimum, address the following:

o describe how the Successful Tenderer will comply with its WHS obligations under the Agreement and applicable legislation and any current industry standards and practice, including the Work Health and Safety Act 2011 (Cth);

o identify, prevent and manage the risk of work health and safety issues for Successful Tenderer staff in the performance of the Services;

o be consistent with AS/NZS 4801:2001 – Occupational Health and Safety Management System; and

o include policies and procedures relating to:

hazard control;

infection control, where appropriate;

occupational hygiene;

safety and security of persons working at a facility;

WHS training requirements for the Successful Tenderer’s personnel working onsite at a facility;

emergency and disaster management procedures in the event of cyclones and bushfires where relevant to risk; and

Successful Tenderer’s personnel support including post-incident management and debrief activities.

The Successful Tenderer must comply with the WHS Plan.

Environment

The Successful Tenderer must inform the Department about ozone depleting substances and hazardous substances that are used in the build, operation and maintenance of the Platform or the delivery of the Services.

The Successful Tenderer must inform the Department about any claims it makes regarding the environmental benefit associated with the build, operation and maintenance of the Platform or delivery of the Services. The Successful Tenderer must substantiate their claims and state how their claims take into account the provisions of any applicable legislation and Government policies that relate to the environment.



2.4.2.6 Outcomes related to access and equity

PR17a

Access and Equity

A stringent approach to providing an environment which understands and is aware of the needs of a diverse multicultural society

As part of Phase Two Tenders, Tenderers must demonstrate how they will comply with the Australian Government’s Multicultural Access and Equity Policy (the ‘policy’), including at a minimum, by demonstrating:

o a sound knowledge of the needs, circumstances, cultural and other characteristics of Clients and assessment of the direct impact of the Requirement on those Clients;

o how they will provide the Requirement to a culturally and linguistically diverse population, consistently with the policy; and

o that they have:

planning, implementation, monitoring and review mechanisms that incorporate the policy;

performance standards that use the cultural and linguistic diversity of personnel or their awareness of issues (Note: data collection on the Requirement, including on performance standards must be consistent with Standards for Statistics on Cultural and Language Diversity);

complaint mechanisms that enable people from culturally and linguistically diverse backgrounds to raise concerns about the Requirement provided; and

recruited, as relevant, culturally diverse employees, volunteers, grantees and subcontractors.

Information on the policy and related documents is available at https://archive.homeaffairs.gov.au/busi/engaging-with-the-department/contracts-and-tenders/multicultural-access-and-equity-policy-guidance-on-procurement-and-contracting.

The preferred Tenderer must provide the Department with a Multicultural Access and Equity Plan for approval as follows:

o a draft at an agreed date during negotiations (if any) in relation to the Agreement;

o a final version incorporating any changes requested by the Department to be provided prior to Commencement Date; and

o at a minimum, an update annually on the anniversary of the Commencement Date.

https://archive.homeaffairs.gov.au/busi/engaging-with-the-department/contracts-and-tenders/multicultural-access-and-equity-policy-guidance-on-procurement-and-contracting

https://archive.homeaffairs.gov.au/busi/engaging-with-the-department/contracts-and-tenders/multicultural-access-and-equity-policy-guidance-on-procurement-and-contracting



2.4.3 Service design and change

2.4.3.1 The Platform must be able to accommodate Change over the Term of any Agreement.

Changes that could be expected to be required include:

a) Technology enablement: the Platform is expected to become more

effective and efficient over time, and is flexible enough to easily

accommodate continuous improvements;

b) Maintenance: given that updates to software are expected to occur over

the Term of any Agreement, the Successful Tenderer must ensure that the

Platform continues to provide a high level of service by keeping the

Platform up to date and identifying and managing defects;

c) Policy and service design change: visa policy will continue to evolve

over the Term of any Agreement and the way in which the Services are

required to be delivered is subject to continual change. The Successful

Tenderer must support the Department in delivering policy and service

design changes. In particular, policy makers are expecting to be supported

by simulating the impact of policy changes, and size the effort required to

implement and deliver these changes; and

d) Technology innovation: the Successful Tenderer is expected to

continually locate technological innovations and make recommendations

about enhancements to the Platform that could drive efficiencies and

improved user outcomes.

2.4.3.2 Technology enablement

2.4.3.3 The Department expects that the Platform will become more effective and efficient over time.

2.4.3.4 The Department therefore expects that the Platform will be developed in such a way that it is

flexible enough to quickly and easily implement small continuous improvements and respond

to identified defects.

PR18

Continuous improvement

Continuous improvement ensures that the Platform becomes more effective and efficient over the Term of any Agreement

The Successful Tenderer must ensure the Platform becomes more effective and efficient over time.

o For example, optimising the workflow engine to improve the user experience.

The Successful Tenderer must maintain a backlog of work that provides a continuous release of value to Departmental Users, Clients, Other Market Providers and Other Organisations.



PR19

Upgrade

Changes to the Platform are developed, tested and deployed efficiently

The Platform must support rolling upgrades with minimum impact on Platform availability (i.e. the Platform must support upgrades while remaining available). However, during an upgrade the Platform may reduce its capacity by up to 50 per cent.

The Platform must be highly serviceable within the limited scheduled outages; that is the Platform must be easily and quickly maintained and repaired.

The Platform must have the ability to support a continuous integration capability that is the ability to integrate code into the main code branch on a continuous basis as required.

The release schedule for the Platform may be independent from the Department release schedule, however the release schedule must be approved by the Department.

Department APIs will be upgraded in line with the Department’s major and minor release schedule. Planned upgrades will be communicated to the Successful Tenderer.

PR20

Flexibility

Changes to the Platform are implemented quickly with minimal impact on the Services

The Platform must be developed in such a way that it is flexible enough to accommodate small, continuous improvements as minor releases and larger, more complex improvements as major releases.

The Platform must be able to be configured or re-configured without an outage.

The Platform should be developed in such a way that it can accommodate changes to departmental interfaces within scheduled outages, specifically changes to the information the Platform must provide to departmental systems and the information sent from departmental systems to be consumed by the Platform.

PR21

Testability

A testing strategy ensures that changes to the Platform function as intended

Each Tenderer must provide the Department and maintain a testing strategy for approval in accordance with the following:




o at other times where a review and update is appropriate to ensure the testing strategy remains current, including a review undertaken at the request of the Department.

The testing strategy must include, but is not limited to:

o unit testing;

o functional testing;

o integration testing;

o performance testing;

o smoke testing;

o regression testing; and

o user acceptance testing.

The Platform must support automated testing practices that cover a high percentage of system capability.

The testing strategy must consider impacts of a particular change on all users, in particular Departmental Users and interfaces with departmental systems.

The Successful Tenderer must comply with the testing strategy approved by the Department.



2.4.4 Maintenance

PR22

Currency

Software and products used to deliver the Platform must be kept current

The Successful Tenderer must ensure any software solutions and products used as part of the Platform are kept current and ‘in life’ for the Term of any Agreement.

Security patches must be deployed within recommended timeframes by vendors or ASD.

o The Successful Tenderer must use the latest major version of the software solution and product within 12 months of it becoming available or as soon as possible where it addresses a security risk.

o The Department expects that appropriate testing will be undertaken by the Successful Tenderer before deploying security patches for compatibility and reliability with the other software solutions and products used as part of the Platform in accordance with the testing strategy approved by the Department.

The Successful Tenderer must have a comprehensive approach to configuration management that has been successfully implemented in a system of similar scale.

Each Tenderer must provide the Department and maintain a configuration management strategy for approval in accordance with the following:



o at a minimum, an update annually on the anniversary of the Commencement Date;

o at other times where a review and update is appropriate to ensure the configuration management strategy remains current, including a review undertaken at the request of the Department; and

o The configuration management strategy must track the configurations of, and relationships between, the various components used as part of the Platform, including software solutions and products.



PR23

Incident management

An incident management strategy will be implemented to ensure incidents are resolved in a timely and efficient manner

The Tenderer must develop a comprehensive incident management strategy for production incidents (also referred to as defects) for approval by the Department. Each Tenderer must provide the Department with:




o at other times where a review and update is appropriate to ensure the incident management strategy remains current, including a review undertaken at the request of the Department.

Each Tenderer’s incident management strategy must at a minimum include:

o the full incident management lifecycle (identification, logging, severity classification, prioritisation, diagnosis, escalation, investigation, remediation, testing, implementation, resolution and recovery, maintenance);

o communication frameworks that support the implementation and governance of incident management; and

o the ability for any user (including the Department) to identify and report incidents.

The Successful Tenderer must ensure there is an ability for specific incident reports to be transferred between the Department’s incident management system/tools and the Platform’s incident management system/tools as necessary, and the ability for the Department to provide input on how incidents are prioritised.

Where incidents are related and have the same root cause (a problem), the Successful Tenderer must also have a comprehensive approach to problem management which must include the full problem management lifecycle (problem detection, logging, categorisation, prioritisation, investigation and diagnosis, resolution).

The Department will prioritise incidents to be addressed and will determine which incidents are addressed in a particular release.

Note: Information about the Department’s current incident management process will be made available in the Data Room.

2.4.5 Policy and service design change

2.4.5.1 The Australian Government, through the Parliament, has the authority and prerogative to set

the legislative policy framework and direction of Australia’s immigration system. From time to

time, the Department may also need to make adjustments to the way Government policy is

implemented.

2.4.5.2 The Department expects that the Platform will be responsive to these changes in policy, and

assist in simulating expected outcomes to evaluate different policy options.

2.4.5.3 The types of changes that can reasonably be expected include but are not limited to:

a) changes to validity criteria (e.g. the maximum age necessary to be eligible

for a particular visa);

b) changes to data collection requirements (e.g. changes to the specific data

that must be collected or the length of data fields);

c) changes to the types of validation or verification checks performed by the

Platform on information provided by Clients;



d) changes to which types of analyses are performed by the Platform on

information provided by Clients. For example, how average bank balance

is calculated or the types of analysis performed on a document to

determine if it has been tampered with;

e) changes to specific visa criteria, for example the dollar amount required to

satisfy the ‘adequate means of support’ criteria;

f) changes to the workflow associated with a particular visa; that is the

Business Rules which specify the next step(s) for an application depending

on the outcome of the previous step(s); and/or

g) new visa products including both wholly new visa products, and/or variants

of existing visa products.

2.4.5.4 The Department expects the Platform to be capable of being extended to accommodate

additional functionality including the delivery of all visa products, beyond those particular visa

products included in the scope of this Attachment A - Statement of Requirement, expanding

the health related functionality to include the creation and management of health cases, and

the development of a departmental appointment booking capability.

PR24

Developing policy options

The Platform can simulate the impact of changes to policy and service design

The Platform must include automated tools to simulate the impact of changes to policy and service design on a range of output parameters.

o This will enable Departmental Users to understand the likely impact of changes prior to implementation. For example, simulating the impact of changing information verification requirements on levels of manual work-effort.

PR25

Implementing change

Policy and service design changes are deployed quickly

The Successful Tenderer must implement Business Rule changes, in accordance with the timeframes and requirements set out in any Agreement.

PR26

Extending the Platform

The Platform can accommodate the additional functionality required to implement new temporary visa products, longer term visa products, permanent residence and citizenship and the ability to create health cases and the implementation of an appointment booking capability.

In addition to being flexible to policy change in relation to the visa products in scope of this Attachment A - Statement of Requirement, the Platform must be developed in such a way that it easily enables the inclusion of any additional functionality required to extend the Platform (including following foreshadowed future procurement processes). This includes the ability to:

o to accommodate other longer term visa products, permanent residence and citizenship.

o new temporary visa products introduced by Government over the life of any Agreement.

o create health cases for an Applicant based on Business Rules determined by the Department.

o manage appointments and appointment bookings.

2.4.5.5 The Department expects that, over the Term of any Agreement, technological innovations will

become available that could improve the way the Platform achieves the outcomes or

requirements outlined in this Attachment A – Statement of Requirement. This could include,

for example, improvements that drive efficiency or the user experience.



2.4.5.6 These innovations are over and above the upgrades required to ensure software deployed as

part of the Platform remains current.

PR27

Identifying innovation

Potential technological innovations are identified and assessed for deployment as part of the Platform

The Successful Tenderer must continually identify potential technological innovations to the Platform to drive efficiencies and improved user outcomes.

o New automation technology and solutions should be geared towards increasing automation of the end-to-end visa journey within the bounds accepted by the Department.

o The Successful Tenderer must not pursue solutions that increase the work performed by the Department unless explicitly requested by the Department.

2.4.6 Platform interfaces and interoperability

2.4.6.1 For the Department to achieve its objectives from the new visa business operating model, the

Platform will need to operate in conjunction with systems maintained by the Department,

other Commonwealth Agencies and Other Market Providers.

2.4.6.2 The requirement to interface with these systems can reasonably be expected to change over

the term of the Agreement. The Successful Tenderer will need to ensure that the Platform is

able to interface with the required systems, including to add and/or remove interfaces to

systems in a timely way.

2.4.6.3 Interacting with systems of the Department

2.4.6.4 Interactions with systems of the Department will be managed through an Application

Programming Interface (API) gateway.

2.4.6.5 The Department anticipates the APIs will cover a range of domains, and currently expects

those domains to include but not be limited to:

a) information, which will be used by the Platform to supply visa-related data

and information to the Department;

b) identity, which will be used by the Platform to request identity resolution

and assurance from the Department and provide biographic and/or

biometric data to the Department, and used by the Department to return an

identity resolution outcome (a unique identity match or other outcome

requiring the Client to provide more information) or return an identity

assurance assessment outcome (which may require the Client to provide

more information);

c) records, which will be used to support records management;

d) finance, which will be used by the Department to provide the Platform with

an invoice for each visa Application at the time of lodgement;

e) risk, which will be used by the Platform to provide the Department with

information about Applicants and their Application, and will be used by the

Department to provide the Platform with a risk assessment;

f) traveller, which will be used to manage the visa lifecycle for a granted visa;



g) health, which will be used to enable the Platform to provide requests for

health assessments and to receive details of health assessments

undertaken;

h) identity access management, which will be used to enable the Platform to

apply access control to users;

i) Bookings, which will be used to enable the Platform to book and manage

appointments; and

j) Service Management, which will be used to enable the Platform to

integrate with the Department’s service management system.

2.4.6.6 The exact domains may be subject to change. Further details on the APIs the Department

intends to build and expose will be made available through the Data Room.

2.4.6.7 The Department will enable access to RESTful APIs, and any other integration interfaces as

specified by the Department. An enterprise event hub will publish events (callbacks) for the

Platform to consume.

2.4.6.8 The Platform will be required to publish events based on a set of agreed lifecycle change

point which will allow departmental systems to subscribe to updates of interest. The Platform

will also be required to expose each resource stored on the Platform through RESTful GET

APIs which gives each departmental system access to any relevant information stored on the

Platform.

2.4.6.9 Required outcomes

PR28

Interfacing with the Department

The Platform interfaces with the Department as required

The Platform must interact with departmental systems, including intelligence and risk assessment capabilities, through the Department’s API gateway.

With any event driven distributed system, it is reasonable to assume that some events will be missed (e.g. because the subscriber system is down for longer than the time the message is available on the queue). Although rare, this will cause gradual misalignment between distributed data replicas. Therefore, as loss of data during normal operation must be minimised, the Platform must employ a compensation mechanism to ensure consistency.



PR29

Interfacing with other agencies

The Platform interfaces with other Australian Government systems as required

The Platform must have the capability to interface with a range of other Commonwealth Agencies and their systems, including but not limited to:

o a fully automated, near real-time interface with the Office of the Migration Agents Registration Authority (OMARA);

o a fully automated, near-real-time interface with the Document Verification Service (DVS);

o a fully automated, near-real-time interface with the Face Verification Service (FVS);

o a fully automated, near-real-time interface with the Australia Business Register;

o a fully automated, near-real-time link to any Australian Government issued digital identity service (e.g. GovPass);

o a fully automated interface with the Australian Taxation Office (ATO);

o a fully automated interface with the Australian Securities & Investments Commission (ASIC); and

o a fully automated interface with the Provider Registration and International Student Management System (PRISMS).

The Platform must have the capability to interface with a range of other Commonwealth Agencies as suitable opportunities are identified.

PR30

Interfacing with third parties

The Platform interfaces with third parties as required

The Platform must have the capability to interface with a range of other third party organisations including, but not limited to:

o a fully automated, near real time interface with Other Market Providers of assessment services (if required by the Other Market Provider);

o a fully automated, near-real-time interface with Client Services Providers (as required); and

o a fully automated, near-real-time interface with address validation services.

The Platform should have the capability to interface with a range of other third party organisations including, but not limited to:

o a fully automated, near-real-time interface with English language assessment providers;

o a fully automated, near-real-time interface with an Applicant’s financial institution;

o a fully automated, near-real-time interface with certified skills assessment bodies;

o a fully automated, near-real-time interface with education providers; and

o a fully automated, near-real-time interface with address validation services for countries other than Australia.



PR31

Interface changes

The Platform quickly and easily adapts to changes in interface requirements

The Platform must support major version changes to any departmental interfaces in alignment with the changes’ scheduled release timeframe.

o A major version change is one where previous versions of the interface can no longer be supported, due to either a significant system change or functionality is no longer valid.

o Major version changes will be scheduled for release as determined by the Department.

The Platform must support minor version changes as soon as practical but no longer than three months after release by the Department.

o Minor version changes are changes that are non-breaking and with new features to be added.

PR32

Open source

The Platform adheres to Australian Government direction to use open source software where appropriate

The Successful Tenderer must actively consider open source software throughout the provision of the Services in order to produce a product that demonstrates value for money and is fit for purpose. This may include incorporating open source software components together with proprietary software components.

2.5 Compliance requirements

2.5.1 Introduction

2.5.1.1 The Platform, including the security provided by the Platform, must comply with all laws,

Australian Government and departmental policies and all relevant standards. Some of the

specific requirements are set out in this section.

2.5.2 Data management

2.5.2.1 The Department anticipates the Platform will use or collect four types of data:

a) Content data: defined as data supporting the content on the various

channels including the website and mobile app. Examples of content data

include the Application questions, templates and logos, guidance for visa

Applicants, disclaimers, letters and compliance messages;

b) Applicant data: defined as data provided by Clients as part of the

Application process. Examples include account information (e.g.

username, password), an Applicant’s passport details, biometrics, financial

information, age and gender, Applicant correspondence and records,

metadata collected from Applicants during the Application process, risk

ratings and treatments, and details on opportunities provided by

employers. This includes data provided as part of draft Applications which

have not been lodged;

c) Operational data: defined as data describing the operation of the Core

Government Services. Examples include workflow data (e.g. number of

applications, progress of cases, and duration of manual tasks), data on

responses to marketing activities, data related to user support, issues logs,

security logs, audit logs and event logs. Operational data associated with

the Additional Commercial Services is not included; and



d) External data: defined as data not related to Applications or the provision

of Core Government Services, including data associated exclusively with

the Additional Commercial Services.

CR1 Data ownership

The Department will retain all rights, title and interest in and to data collected, created or modified by the Successful Tenderer in performing its obligations under any Agreement in relation to the Core Government Services, including data inputted by users into the Platform, and the Department will grant a licence to the Successful Tenderer to use the data only for the purpose of providing the Core Government Services. Further information is set out in Attachment D – Draft Agreement.

CR2 Data under management

The Successful Tenderer must work with the Department to develop a data model and data dictionary.

o The data model and data dictionary must be provided to and approved by the Department (specifically the Chief Data Officer) no later than six (6) months prior to the scheduled production release of the first visa product on the Platform.

o The data model and data dictionary work must be based on and be consistent with the data format and structure and the data model specified by the Department for its APIs (refer requirement CR3).

o Any changes to the data model over the Term of any Agreement must also be approved by the Department.

The Platform must store all Applicant data for the Term of the Agreement and any additional time required to migrate data to Department systems at the end of the Agreement, except in the case of biometric data in which case, following the provision of biometric data to the Department’s internal systems, the Platform may be required to remove this data based on Business Rules determined by the Department.

Where an Applicant updates a data element, the Platform must store both the previous element and the current element.

The Platform must be able to store both structured and unstructured Applicant data.

Applicant data will be classified based on the PSPF, as either, UNCLASSIFIED – Sensitive: Personal (which is expected to be the case for the majority of Applicant data) or PROTECTED – Sensitive: Personal (which is expected to be the case for a small proportion of Applicant data).

The Platform must store all operational data from the Platform for the Term of any Agreement and any additional time required to migrate data to Department systems at the end of the Agreement.

The Platform must store all content data for the Platform for the Term of any Agreement and any additional time required to migrate data to Department systems at the end of any Agreement.

The Platform will not be the ‘system of record’ (i.e. the authoritative data source) for an Applicant’s identity data.

The Platform will be the ‘system of record’ (i.e. the authoritative data source) for all operational data, as defined above.



CR3 Data transfer

The Successful Tenderer must have the capability to provide all Applicant data to the Department in near real-time; that is upon the completion of each relevant section of a visa Application, in line with ISO16175.

In addition, the Successful Tenderer will be required to provide a range of data through Department provided APIs, as detailed in PR28 and information made available in the Data Room.

The Successful Tenderer must be able to periodically provide the Department a portable, unencrypted, and generally consumable record of all data contained within the Platform and any other data required by the Department.

o The Successful Tenderer must be able to do this at the Department’s request and in the format specified by the Department (e.g. CSV, XML tables, SQL tables).

o It is anticipated that the Department will require this data prior to any major upgrade as well as on a regular schedule.

o The Department will establish the protocols for the transfer of the portable record, which the Successful Tenderer must adhere to.

CR4 Data access

The Platform must have role-based security access controls to ensure that only those with appropriate authority are able to access and modify data stored on the Platform. This must include:

o Client-level security access controls to ensure only the Client who originally supplied the information and the supporting documentation is able to access and/or modify it; and

o Client-level security access controls to allow a Client to nominate an additional person, or people, (such as a Registered Migration Agent) to have access to their supplied information and supporting documentation. These controls must by default include the ability to automatically limit access after a particular period of time or after a particular event such as when a visa Application Decision has been made.

The Platform must have a real time audit trail that records what data is accessed and/or modified by each user and when.

o The audit trail must extend to system administrators as well as users of the Platform.

o The audit trail must be securely stored to prevent deletion or modification.

The Platform must notify the Department within 24 hours if there are any attempts by users to access and/or modify data where they do not have the authority and/or if any user exhibits unusual data access patterns (even if they have relevant approval).

CR5 Data breach

The Successful Tenderer must notify the Department immediately in the event of a data breach or suspected data breach and assist the Department to meet its obligations under the notifiable data breaches scheme in Part IIIC of the Privacy Act 1988 (Cth).

The Successful Tenderer must put in place appropriate measures to ensure a similar data breach does not occur again.

The Department may choose to:

o provide reasonable assistance to the Successful Tenderer in relation to the investigation; and

o further investigate any data breach or suspected data breach and may require the Successful Tenderer to put in place additional measures as a result of its investigation.

CR6 Data quality

The Platform must be able to track and report on the completeness and validity of key data contained within it. The specific data that the Platform will be responsible for validating will be defined at a later stage.



CR7 Data storage

Applicant data, including all data, information and any supporting documentation collected from clients or third party organisations acting on the Department’s behalf as part of Application lodgement and assessment is deemed, under the PSPF and Information Security Manual (ISM), to be official information and as such, must be held and stored in Australia.

Content data and operational data as defined above must be held and stored in Australia.

If the Successful Tenderer intends to use a cloud solution for delivery of any part of the Platform than in order to meet the ISM requirement for the protection of information, the Successful Tenderer must only use outsourced cloud services, listed on ASD’s Certified Cloud Services List (CCSL). These certified cloud services are located in Australia.

If the Platform uses cloud services or data centres, they must comply with the following Commonwealth policies (in addition to ISM and PSPF):

o gateway certification by the Australian Signals Directorate (ASD)

o ASIO-T4 protective security audit of data centre by the Australian Security Intelligence Organisation (ASIO).

The Successful Tenderer must:

o create, maintain, store securely and transfer records to the Department in accordance with the Australian and International Standard for Records Management, AS ISO 15489;

o produce timely, legible, accurate and comprehensive records of all services provided;

o ensure any backups have been validated to be accurate and tested to ensure they can be used to restore data;

o ensure that no record is inappropriately accessed, removed, lost, corrupted or misplaced;

o notify the Department within 24 hours if any record is inappropriately accessed, removed, lost, corrupted or misplaced; and

o ensure as under the Archives Act 1983 (Cth), Administrative Functions Disposal Authority (AFDA), system logs which are used to show a history of access or change to data (eg system access logs, internet access logs, system change logs and audit trails etc) are retained for seven (7) years.

Data collected, managed, stored, used and/or created by the Platform must be encrypted both at rest and for transport. The Successful Tenderer may propose the specific form of encryption, however it must be approved by the Department.

The Platform must have adequate storage capacity to store any data required for the operation of the Platform. The Successful Tenderer will be responsible for determining the exact storage capacity required, based on the volume data made available by the Department.

CR8 Data privacy

The Successful Tenderer must ensure identifying information, as defined under the Migration Act 1958 (Cth), is handled in accordance with the obligations under Part 4A of the Migration Ac 1958 (Cth). This includes activities relating to access, disclosure, unauthorised modification and retention of identifying information.

The Successful Tenderer must ensure Personal Information will be collected, handled, stored and managed in accordance with the Privacy Act 1988 (including the Australian Privacy Principles) and any relevant instruments or codes made under that Act, such as the notifiable data breach scheme.

The Successful Tenderer must comply with the General Data Protection Regulation of the European Union and similar regulations of other states, insofar as it is applicable to the Successful Tenderer, or as otherwise required by the Department.

The Successful Tenderer must put in place processes for obtaining and recording Client consent for the collection, use and disclosure of Personal Information.

The Successful Tenderer must deliver clear separation between production and non-production (testing and staging) environments to ensure use of production data is restricted to the production environment only.

Note: The Department requires all of its service providers and contractors, including the Successful Tenderer (if any) to comply with the EU GDPR, if applicable to their activities.



CR9 Data secrecy

The Successful Tenderer must ensure data will be collected, handled, stored and managed in accordance with applicable secrecy provisions in relevant legislation, including in particular:

o Migration Act 1958 (Cth);

o Australian Border Force Act 2015 (Cth);

o Australian Citizenship Act 2007 (Cth); and

o Taxation Administration Act 1953 (Cth) (relevant to tax file numbers and taxation information).

The Successful Tenderer must put in place processes for obtaining and recording Client consent for the collection, use and disclosure of data subject to secrecy provisions.

Note: Consent is not a defence to the unauthorised recording, use or disclosure of tax file numbers and taxation information under the Taxation Administration Act 1953 (Cth).

2.5.3 Security

2.5.3.1 Security policies, standards and frameworks

CR10 Protective Security Policy Framework (PSPF)

The Successful Tenderer must comply with the Protective Security Policy Framework (PSPF). Requirements of the PSPF are incorporated into the Department’s Security Practice Statement (https://www.protectivesecurity.gov.au/Pages/default.aspx).

CR11 Information Security Manual (ISM – 2017)

The Successful Tenderer must comply with the Australian Government Information Security Manual (https://asd.gov.au/infosec/ism/index.htm).

The Successful Tenderer must have cyber security controls in place to protect the security and privacy of information processed, stored and transmitted on behalf of the Department. The Successful Tenderer will be assessed, certified and accredited against the Information Security Manual at the appropriate classification level for the information that they are collecting, storing and/or processing.

CR12 ASD Top 4 and Essential Eight

The Successful Tenderer must implement the ACSC top 4 mitigation strategies (https://acsc.gov.au/publications/protect/top_4_mitigations.htm).

Essential eight mitigation strategies encompasses the top 4 mitigation strategies and includes four more strategies to prevent malware running, to limit the extent of incidents and enable the recovery of data. The Successful Tenderer should comply with the essential eight. (https://asd.gov.au/infosec/mitigationstrategies.htm).

CR13 ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirement

ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.

The Successful Tenderer must have their information security management system certified to ISO/IEC 27001.

https://www.protectivesecurity.gov.au/Pages/default.aspx

https://asd.gov.au/infosec/ism/index.htm

https://asd.gov.au/infosec/mitigationstrategies.htm



CR14 ISO/IEC 27034 – Information Technology – Security Techniques – Application security

ISO/IEC 27034 – Information Technology – Security Techniques – Application security provides a systematic approach that guides organisations to implement security concepts, principles, and processes in the application security structure.

The Successful Tenderer must have their systems development life cycle certified to ISO/IEC 27034.

CR15 Department Security Practice Statement

The Successful Tenderer must comply with the Department’s Security Practice Statement, which sets out a protective security framework for the Department.

CR16 Department Enterprise Architecture Principles

The Department’s Enterprise Architecture Principles provides a foundation for achieving strategic outcomes, as they establish the basis for a set of rules and behaviours for an organisation, particularly in relation to the strategic priorities for ICT and the practice of security design.

The Successful Tenderer must comply with Department Enterprise Architecture Principles, which include the security architecture principles described in CR22.

CR17 Payment Card Industry Data Security Standard

Payments must be processed securely by the Successful Tenderer. The payment processing systems, whether internal or external, must comply with the industry standard Payment Card Industry Data Security Standard (PCI-DSS).

CR18 AS/NZS ISO 31000:2009 Risk Management and Guidelines, and Australian Standards HB 167:2006 Security Risk Management

The Department has a mature risk management framework that is based on ISO 31000:2009 and incorporates HB 167 (refer to the Department Risk Management Policy).

The Successful Tenderer must comply with AS/NZS ISO 31000:2009 Risk Management and Guidelines, and Australian Standards HB 167:2006 Security Risk Management.

CR19 Physical Security of ICT Equipment

The Successful Tenderer's data processing and storage facilities must comply with PSPF Requirement for a Zone 2 area, as documented in “Australian Government physical security management guidelines - Physical security of ICT equipment, systems and facilities”, and independently assessed by a SCEC endorsed assessor.

2.5.3.2 Security documentation

CR20 Security compliance statements

The Successful Tenderer must supply annual Security Compliance Statements to the Department, confirming the following:

o all Services are being delivered in accordance with the Australian Government Protective Security Policy Framework, Information Security Manual and Department’s security policies. This explicitly includes verification of the correct disposal of any decommissioned assets;

o the annual security Information Security Registered Assessors Programme (IRAP) assessments have been completed, reports provided to the Department and any required security remediation plans have been developed and implemented; and

o all Successful Tenderer Personnel working on the Platform have the appropriate security clearance and qualifications.

Where any of the above requirements have not been achieved, the non-compliance is documented in the Security Compliance Statement including what actions were taken to mitigate and address the non-compliance.



CR21 External Service Successful Tenderer Security Responsibilities and Requirement document

The Successful Tenderer must specify to the Department their detailed roles and responsibilities, in compliance with their security obligations, in an external service Successful Tenderer security responsibilities and requirements document. This will provide a clear understanding of the broader security responsibilities in the provision of contracted services.

To gain the level of assurance that the contracted services are compliant, the document will include sections for “External Security Successful Tenderer Security Controls” and “Technical Solution Documentation” which provide information regarding the provision and collection of evidence that is required for the Department to undertake due diligence activities.

Each Tenderer must provide the Department with:

o a draft Security Responsibilities and Requirement document as part of their Phase Two Tender;



o at other times where a review and update is appropriate to ensure the security responsibility and requirement document remains current, including a review undertaken at the request of the Department.

2.5.3.3 Security principles

CR22 Security architecture principles

Selection and implementation of Platform security controls must be based on sound risk assessment. It must reflect the value and sensitivity of the digital assets that are being protected, as well as the threats to the Platform.

Solutions must be designed, implemented, operated and maintained in accordance with Australian Governmental and departmental security requirements.

Solutions must support and enable the fundamental requirement that there is strong accountability for the use of and access to departmental information resources.



CR23 Design principles

Platform security must be designed to defend against deliberate malicious actions.

Platform security must be designed so that the Platform can continue to function as intended in a trustworthy and reliable manner in spite of deliberate attack or partial compromise.

Platform security must be designed so that failure or inadequacy of preventative controls will be detected and response controls must be in place to detect and contain the impact of failure.

Layers of diverse security controls must be implemented so that any one control failure will not result in a complete loss of security. Defence-in-depth protection should be built into the Platform.

Platform security must be designed with resilience in the face of deliberate attack.

The security of the Platform or a security mechanism should not depend on the secrecy of its design or implementation.

Security mechanisms should be as simple as possible.

Platform security must be designed with mechanisms (audit, access logging) which enable users to be held accountable for their actions.

Platform security must be designed to rely on enterprise security capabilities which include but are not limited to: identity, credential and access management; system event logging; monitoring and auditing; single sign-on (where implemented), patch management, system wide confidentiality and governance. These security capabilities need to be employed in a consistent manner across all the systems which make up the Platform.

Platform security must be designed based on either departmental approved security patterns or in their absence industry standard security patterns.

Platform security must be applied using departmental security principles to the development of the design.

Prescribed templates must be used for communicating the security design to stakeholders.

CR24 Platform principles

An entity (user or software) should have the least privilege necessary to carry out their responsibilities for the minimum time necessary.

High privilege operations must be removed from components which are interacted with by external entities (user or software) and assigned to a separate higher assurance component.

The Platform should depend on secure defaults and in the event of failure, should deny access.

All access to a resource should be checked to ensure they are allowed.

Access to a resource should not be granted on the basis of a single condition.

Mechanisms used to access resources should not be shared.

Platform functions, interfaces, channels, methods and data which could be accessible to a malicious actor should be minimised.

The elements that need to be trusted, including system components, Client software, actual users and other systems should be minimised.



2.5.3.4 Technical security requirements

CR25 Platform security mechanisms

The Platform must enforce departmental access control requirements. Access to a system, its interfaces, components, functions, services, resources and data must be restricted to those authorised for use and access.

The Platform must audit use and access. Log events recorded must include authorised activity, privileged use, security violations, suspicious behaviour and clear malicious activity.

The Platform must monitor activity and state to identify and escalate security violations, non-compliance, suspicious behaviour and malicious activity.

The Platform must provide a reporting function over security activity and state.

The Platform must provide a management function so that system users, credentials, access, keys, secrets, policies and configuration can be managed.

The Platform must propagate the identity of the user initiating the business process/transaction to dependent systems for audit purposes.

CR26 Platform security qualities

The level of security protection must reflect the threats to, the criticality of, and the risks to the Platform.

The Platform security mechanisms should be as simple as possible.

The Platform must be implemented defensively.

The Platform should resist deliberate attack.

The Platform should be resilient in the face of deliberate attack.

The Platform should be dependable in fulfilling its mission in the face of deliberate attack.

CR27 Platform security constraints

The Platform must include security mechanisms which secure information held by or passing through the Platform against unauthorised use, disclosure, interception, modification, fabrication, disruption and destruction.

The Platform security mechanisms must be secured against unauthorised use, disclosure, escalation, interception, modification, fabrication, disruption, destruction and avoidance.

The Platform should implement consistent security mechanisms, provided by enterprise security capabilities (refer CR23 in relation to design principles), across all of its systems.

2.5.3.5 Non-technical security requirements

CR28 Platform classification

The Platform must be formally classified in accordance with Australian Government classification framework.

The Platform must not process, store or communicate information above the classification for which the system has received accreditation.

Any departmental staff member or employee of the Successful Tenderer requiring access to any departmental information or Business Rules classified at Unclassified up to Protected require as a minimum a current Australian Government Baseline security clearance.

CR29 Security architecture work products

The Platform must have its security design documented in the architecture work products as required by the Department, including the Security Solution Architecture.



2.5.3.6 Approval and accreditation

CR30 System security Accreditation Framework

The Department’s System Security Accreditation Framework outlines the framework to ensure activities are performed to identify security risks and manage them to an acceptable level as part of formal accreditation.

The System Security Accreditation Framework is a combination of accountable security artefacts, including but not limited to:

o security risk management plan – identifies security risks and appropriate mitigation measures for systems.

o system security plan – provides details of how security requirements are implemented in a system and how the required security controls will protect departmental and Client information.

o standard operating procedure(s) – ensures that security procedures are followed in an appropriate and repeatable manner; and

o incident management plan – provides details of how an incident will be detected, managed, communicated and resolved.

Depending upon the complexity of a system, additional components may be required to satisfy the Department’s accreditation objectives.

The Successful Tenderer must prepare the documents set out above in consultation with Department's Cyber Risk Services Branch and be provided before any Agreement is signed..

The Successful Tenderer must undertake an independent assessment of security compliance, initially prior to production cutover and then biennially. Independence can be demonstrated by the Successful Tenderer engaging a qualified Information Security Registered Assessor Program assessor at the Successful Tenderer's cost.

The Successful Tenderer must ensure the security documents, plans and procedures are reviewed annually or when a significant change or increase in threat exposure to the system occurs. The Department may require the Platform to undergo a more regular or rigorous review at any time.

CR31 CISO Approval

The Department Risk Management Policy outlines the Department’s approach to risk through assessments, monitoring and mitigation activities. Security risk assessments are conducted for new and existing ICT systems and applications to ensure that appropriate, cost-effective information security controls are implemented. The Platform must undergo accreditation activities and be formally approved by the Department.

CR32 Security design approval

The Platform high-level design must be supported by a Solution Security Architecture document developed by the Successful Tenderer and be provided before any Agreement is signed, which outlines the application of security principles and consideration of the Department’s security requirements, the ISM and the PSPF. This document is required to demonstrate that effective security will be built into the Platform.



2.5.4 Compliance with Commonwealth legislation, laws and policies

CR35 Record keeping

The Successful Tenderer must comply with General Records Authority 40 2017/00045834 – Transfer of custody of records under Australian Government outsourcing arrangements.

CR36 Trade Sanctions

The Successful Tenderer must comply with any trade sanctions that apply to the Services to be provided by the Successful Tenderer under any Agreement.

CR37 National Identity Security Strategy (NISS)

In the Platform’s interaction with the Department’s identity management capability, the Platform must be consistent with the described principles, objectives and goals outlined in the Australian Government National Identity Security Strategy (NISS) and consistent with the associated identity security guidelines and standards.

The NISS will be made available to Tenderers in the Data Room.

CR38 Trusted Digital Identity Framework

The Platform must comply with the Trusted Digital Identity Framework for the identity and access management solution and processes.

Refer to https://www.dta.gov.au/what-we-do/policies-and-programs/identity/join-the-identity-federation/accreditation-and-onboarding/trusted-digital-identity-framework/.

CR41 Data security, storage and records management policies

The Successful Tenderer must comply with the following legislation and policies:

o Archives Act 1983 (Cth) and Archives Regulations 2018 (Cth);

for additional non-legislative resources such as record keeping standards, policies and guidance material, please see the National Archives of Australia's website: http://www.naa.gov.au/information-management. Relevant resources include General Records Authorities, Digital Continuity 2020 Policy, Guidelines on Records Issues for Outsourcing, and ISO 16175 (Principles and Functional Requirement for Records in Electronic Office Environments);

o Data-matching Program (Assistance and Tax) Act 1990 (Cth);

o Electronic Transactions Act 1999 (Cth);

o Electronic Transactions Regulations 2000 (Cth);

o Evidence Act 1995 (Cth);

o Freedom of Information Act 1982 (Cth) – see in particular s 6C (provision of documents by contracted service providers)

additional FOI resources such as guidelines and fact sheets issued by the Office of the Australian Information Commissioner, such as the guidelines issued by the Australian Information Commissioner under s 93A of the Freedom of Information Act 1982 (Cth), which are available at https://www.oaic.gov.au/;

o Guidelines for the Conduct of the Data-Matching Program (Cth) (made under s 12(2) of the Data-matching Program (Assistance and Tax) Act 1990 (Cth)); and

o Public Governance, Performance and Accountability Act 2013 (Cth).

CR43 Crime

The Successful Tenderer must not breach the Cybercrimes Act 2001 (Cth) and Crimes Act 1914 (Cth).

CR45 Disability

The Successful Tenderer must comply with the Disability Discrimination Act 1992 (Cth).

https://www.dta.gov.au/what-we-do/policies-and-programs/identity/join-the-identity-federation/accreditation-and-onboarding/trusted-digital-identity-framework/

https://www.dta.gov.au/what-we-do/policies-and-programs/identity/join-the-identity-federation/accreditation-and-onboarding/trusted-digital-identity-framework/

http://www.naa.gov.au/information-management

https://www.oaic.gov.au/



2.6 Delivery approach

2.6.1 Introduction

2.6.1.1 Delivery approach refers to the approach taken to finance, build, operate and maintain the

Platform over the Term of any Agreement, including all activities performed by the

Successful Tenderer and the Department to release visa products on the Platform. As part of

outlining proposed governance and decision making structures, Tenderers should include in

their Phase Two Tenders a description of how they see those arrangements and broader

relationship working in practice, as well as the structurally focused elements.

2.6.1.2 The Successful Tenderer is responsible for delivering the Platform, and is expected to work

collaboratively with the Department in doing so, in keeping with governance arrangements to

be set out in the Agreement. The ability of the Successful Tenderer to work in a partnership

with the Department will be critical to the success of the proposed approach. This will rest on

both the proper functioning of the formal governance structures and decision making

arrangements set out in the Agreement, as well as on the culture and behaviour the

Successful Tenderer and the Department bring to the necessary collaboration and

cooperative work effort in delivering visa services for Australia. The Successful Tenderer will

be expected to:

a) deliver to the visa product release timeline and quality standards specified

in the Agreement;

b) actively engage with the Department where required in the development of

Business Rules for determination by the Department, and in the delivery of

visa services using the Platform;

c) support the Department’s sovereign functions and responsibilities,

including in relation to policy, decision making, and national security ;

d) minimise transitional and operational risk to deliver timely and measurable

benefits to the Australian Government;

e) identify innovative ideas and opportunities to improve the operation and

capability of the Platform; and

f) demonstrate a collaborative and cooperative approach to working with the

Department to implement the Agreement.

2.6.1.3 Delivery is considered to include the following activities as described in section 2.4 –

Required outcomes of the Platform and Successful Tenderer of this Attachment A –

Statement of Requirement:

a) build, defined as creating the capability required to deliver a user outcome

or component of an end-to-end visa product as defined in this Statement of

Requirement;

b) operate, defined as activities required to perform the basic operations of

the Platform, including to provide support to Platform users;

c) maintenance, defined as activities required to ensure compliance on an

ongoing basis with the Statement of Requirement, including incident and

problem management;



d) continuous improvement, defined as activities driven by the Successful

Tenderer to reduce operational costs or improve defined operational key

performance indicators;

e) innovation, defined as the identification, incubation and/or implementation

of significant technological innovations that are intended to drive a

step-change in performance, functionality and/or effectiveness of the

Platform;

f) policy and service design change, defined as activities required to ensure

compliance with policy or service design changes due to:

i. a change in legislation, policy and/or procedure; or

ii. implementation of a new visa product;

iii. cessation/grandfathering/transitioning old visa products;

g) Modification, defined as incorporating a decision to change the scope of

the Services to be delivered over the Platform (necessitating a change to

this Attachment A – Statement of Requirement and an amendment to any

Agreement).

2.6.2 Delivery plan

2.6.2.1 Product sequencing

2.6.2.2 The Department’s expectation is that the first visa product will be released in the first half of

2021 and subsequent visas will be progressively rolled out. Tenderers will be invited to outline

their proposed rollout schedules as part of the Structured Dialogue Process (see Part 3 – RFT

Process).

2.6.2.3 The Department defines ‘released’ as having an eligible Client able to apply through the

Platform and be processed and decided on the Platform for the relevant visa product.

2.6.2.4 Interfacing with the Department and other third parties

2.6.2.5 To enable the Platform to undertake its various functions, the Platform must interact with a

number of departmental systems through a departmental API gateway and any other

integration interfaces as specified by the Department. The final API high-level structure along

with any other identified integration capabilities will be made available via the Data Room.

2.6.2.6 The Department is responsible for ensuring that any contracts covering services delivered by

Other Market Providers have considered integration with the Core Government Services

delivered by the Platform.

2.6.2.7 The Department is responsible for maintaining contractual relationships with Other Market

Providers it determines are necessary to support the delivery of Australia’s visa and

citizenship framework. The Successful Tenderer is responsible for ensuring Other Market

Providers can interface with access the Platform as determined by the Business Rules (refer

requirement PR30).



2.6.3 Governance

2.6.3.1 As part of Phase 1 Responses, Tenders provided views regarding proposed governance

arrangements over the term of any Agreement.

2.6.3.2 As part of Phase 2 Structured Dialogues Tenderers will be invited to expand on those

proposed arrangements including in light of relevant accounting standards.

2.6.3.3 In preparing a response, the Tenders should consider the following:

a) Notwithstanding the proposed commercial arrangements for delivering the

Platform, the Australian Government is and will remain accountable for the

delivery of Australia’s visa system.

b) The Platform will be financed, built, operated and maintained by the

Successful Tenderer.

c) The Commonwealth will not direct or control the day to day operations of

the Successful Tenderer.

d) However, the Department will exercise protective controls as set out in the

any Agreement in relation to protection of Commonwealth interests

including national security

e) The Department will determine the Platform Business Rules.

f) The Department and the Successful Tenderer will work collaboratively and

co-operatively together but with clearly defined roles and responsibilities

(as set out in any Agreement).

2.6.3.4 The Department expects that governance bodies would normally exist over the Term of any

Agreement, but intensity and focus may shift over time to reflect the evolving focus of work

required to build and operate the Platform.

2.6.3.5 The Department also expects:

a) governance will be based on the APSC Governance Framework

incorporating the principles of accountability, transparency/openness,

integrity, stewardship, efficiency and leadership;

b) the Department and Successful Tender will maintain their own separate

governance arrangements. Neither will be a sitting member of the other’s

governance bodies but may be required to attend and participate; and

c) in accordance with the any Agreement there will be formal governance

bodies to govern the operation of the Platform, that the Department will

chair.

d) there will be regular governance meetings between entities in relation to

identified topics such as deliverables and design.

2.6.3.6 The Tenderers must provide the Department with proposed governance arrangements for

approval as follows:

a) a draft as part of their Phase Two Tender;



b) a final version incorporating any changes requested by the Department is

to be provided by the preferred Tenderer before any Agreement is signed;

and

c) governance arrangements will be reviewed annually

2.7 Out of scope services

2.7.1 The following services and functions are out of scope and not included in the Services:

a) in-person or human-delivered client services and visa processing services,

including:

i. Client acquisition through non-digital channels e.g. storefronts;

ii. human-run or specialist client services, data collection and verification

processes (e.g. in-person or over-the-phone) either within or outside

of Australia;

iii. non-automated translation services;

iv. in-person biometric collection or verification services, including

provision of biometrics collection at the departing port or upon arrival

in Australia; and

v. non-digital visa processing capabilities;

b) risk or security-related assessments, including risk tiering across all

criteria. All risk and security-related assessments will be performed by the

Department’s risk function;

c) identity resolution and identity assurance activities;

d) direct verification of foreign travel documents with the issuing authority,

and direct verification of biometrics against Australian Government sources

(excluding verification against DVS and FVS);

e) health case creation (including which medical examinations are required),

automated health assessments, management of health undertakings, or

the provision of health information to external users to inform refugee

settlements;

f) health services for Applicants within Australia or overseas;

i. this includes performing medical examinations and performing

manual health assessments, in the case where an Applicant cannot

be auto-cleared;

g) provision of an interface for Applicant’s to record their medical history or

for physicians to record the results of health examinations;

h) collection of non-disclosed information about an Applicant through API

scrapes e.g. scraping social media profiles;

i) services relating to border management and clearance;



j) services to enable the processing of visas not specified as being part of the

Services.

k) services relating to the management of contracts with Other Market

Providers; and

l) services relating to organisational design for the Department and

change management.



Section 3: Additional Commercial Services

3.1 Introduction

3.1.1 Additional Commercial Services

3.1.1.1 This section should be read in conjunction with:

a) paragraph 2.3.2 of Part 2 – Overview that provides a description of the

Additional Commercial Services that may be delivered by the Platform;

b) Attachment D - Draft Agreement; and

c) Part 4 – Commercial Parameters and Settings that contains clauses

relevant to funding the development and operation of any

Additional Commercial Services, as well as revenue sharing arrangements

(including in relation to indemnification of the Department).

3.1.1.2 The opportunity to provide Additional Commercial Services is available to the

Successful Tenderer only as a direct result of the Client’s interaction with the

Australian Government in the course of applying for a visa, Sponsorship or Nomination.

Therefore, the Department will maintain strong and strict governance controls in relation to

the provision of any Additional Commercial Services.

3.1.1.3 All providers of, and the nature of any, Additional Commercial Services will require prior

approval of the Department.

3.1.2 Implementing Additional Commercial Services

3.1.2.1 Proposed Additional Commercial Services will be implemented as set out in the Agreement.

3.1.2.2 While the restrictions refer to ‘the Successful Tenderer’, certain restrictions extend beyond the

Successful Tenderer to third parties the Successful Tenderer engages with, or partners with,

to deliver any Additional Commercial Services.

3.2 Governance

3.2.1 Submission of opportunities to the Department

3.2.1.1 The Successful Tenderer must submit a business case for each Additional Commercial

Service opportunity to the Department for consideration. The business case for each

opportunity will at a minimum include:

a) a description of the opportunity;

b) a plan for how the Successful Tenderer will develop, implement and

operate the opportunity;

c) the costs of developing, financing, implementing, and operating the

opportunity;

d) the expected revenue and benefits profile from providing the opportunity;

e) interdependencies with the delivery or operation of the Core Government

Services, or with the operation of the Department or Commonwealth; and

f) any risks to the delivery or operation of the Platform, or with the operations

or reputation of the Department or Commonwealth.



3.2.1.2 The mechanism and process for the submission of business cases, and timeframes for the

Department to consider opportunities, will be finalised in conjunction with the overall

governance arrangements.

3.2.2 Department consideration of opportunities

3.2.2.1 The Department will evaluate the business case for each Additional Commercial Service

opportunity and retains absolute discretion (i.e. including a veto) over which opportunities may

be implemented or continue to be offered to Clients.

3.2.2.2 The Successful Tenderer must not pursue any Additional Commercial Services, in full or in

part, except in strict compliance with the Department’s approval including any conditions

attached to that approval.

3.2.3 Review

3.2.3.1 Prior to release of an Additional Commercial Service opportunity to Clients, the Department

will conduct a review of how the opportunity has been developed and will be implemented.

3.2.3.2 The Department may provide feedback to the Successful Tenderer following its review, which

may require the Successful Tenderer to undertake changes to the way the opportunity would

be delivered. It is anticipated that this would only occur if the way the opportunity would be

delivered violated (or was at risk of violating) the restrictions, would not meet the

Department’s requirements or objectives as outlined in this RFT, or was materially different

from what was initially proposed in the business case.

3.2.3.3 The Department will also conduct regular ongoing reviews of each opportunity once launched.

The Department may provide feedback to the Successful Tenderer following its reviews,

which may require the Successful Tenderer to undertake changes to the way the opportunity

is delivered. It is anticipated that this would only occur if the way an opportunity was being

delivered caused it to violate (or was at risk of violating) the restrictions, would not meet the

Department’s requirements or objectives as outlined in this RFT, or was materially different

from what was initially proposed in the business case.

3.2.4 Termination

3.2.4.1 The Department may:

a) approve an Additional Commercial Service opportunity at any time;

b) withdraw or otherwise amend its approval of an Additional Commercial

Service opportunity at any time.

3.2.4.2 The Successful Tenderer must abandon delivery of any Additional Commercial Service

opportunity if directed to do so by the Department or if the Department withdraws its approval

in relation to that Additional Commercial Service opportunity. It is anticipated that this will only

occur if there was a significant change in the way an opportunity was being delivered that

caused it to violate (or was at risk of violating) the restrictions, would not meet the

Department’s requirements or objectives as outlined in this RFT, or caused it to diverge

materially from what was initially proposed as part of the business case.



3.3 Restrictions

3.3.1 Restrictions

3.3.1.1 Restrictions applying to the Additional Commercial Services are divided as follows:

a) overall restrictions, which specifies the overarching restrictions which apply

to any and all Additional Commercial Services;

b) restrictions on the sale of goods and services to Clients, which specifies

the restrictions that apply to opportunities which involve the sale, or

facilitating the sale, of goods and services to Clients; and

c) restrictions on data commercialisation, which specifies the restrictions that

apply to opportunities which involve the commercialisation of data.

3.3.2 Overall restrictions

3.3.2.1 The Successful Tenderer must comply with the following restrictions on the Additional

Commercial Services.

Area Restriction

National security The Successful Tenderer must not pursue any opportunity that may negatively impact on Australia’s national security in any way.

Reputation The Successful Tenderer must not pursue any opportunity that the Department determines would damage the reputation of the Australian Government or the Department.

Government or departmental endorsement

The Successful Tenderer must not represent or convey that any goods or services supplied through the Additional Commercial Services are endorsed or approved by the Department or the Australian Government. This must include the provision of adequate and prominent statements and disclaimers that any goods or services available through the Additional Commercial Services are not endorsed by the Commonwealth or the Department, and are not inherent to the granting of a visa through the Core Government Services. These statements and disclaimers mustbe approved by the Department.

In providing Additional Commercial Services, the Successful Tenderer must not use the brands of the Australian Government, the Commonwealth of Australia or the Department unless that use is explicitly authorised by the appropriate brand owner.

The Platform must clearly notify users when they are leaving Core Government Services to go to another site including in relation to Additional Commercial Services.

Relationship to Core Government Services

The Successful Tenderer must maintain a certain standard of performance with respect to the Core Government Services. This standard will be defined in the Agreement according to the Performance Management Framework.

The operation of Additional Commercial Services must not adversely impact the operation, security or reputation of the Core Government Services in any way.

The Successful Tenderer may only begin developing Additional Commercial Services once the first visa product is launched on the Platform to the satisfaction of the Department, with formal acknowledgement by the relevant governance body.



Area Restriction

Fraudulent activities

The Successful Tenderer must put into place appropriate measures to prevent illegal or improper services or circumstances from being facilitated as part of the Additional Commercial Services.

Prohibited and restricted entities

In the provision of the Additional Commercial Services the Successful Tenderer must not promote or engage with any Prohibited Criminal Group, Prohibited Company or individual, or Restricted Country.

Unlawful activities The Successful Tenderer must not pursue any opportunity that is inconsistent with the laws of the Commonwealth of Australia and all States and Territories of Australia, or any jurisdiction in which the Successful Tenderer operates or purports to operate.

Data privacy and secrecy

The Successful Tenderer must ensure Personal Information is handled, stored and managed in accordance with the Privacy Act 1988 (Cth) (including the Australian Privacy Principles) and any relevant instruments or codes made under that Act.

The Successful Tenderer must put in place processes for obtaining and recording Client consent in relation to participation in the consideration or provision of Additional Commercial Services for the collection, use and disclosure of Personal Information (or other categories of 'protected information') in accordance with the relevant legislation. Participation in any Additional Commercial Service opportunity by a Client is entirely optional and must in no way be part of the visa process.

The Successful Tenderer must uphold any relevant legislative requirement related to data management (including secrecy requirements) as outlined in section 2.5 – Compliance Requirements of this Attachment A – Statement of Requirement.

Security In the Provision of Additional Commercial Services, the Successful Tenderer’s systems should:

o not create a risk to the security of the data and operations of the Core Government Services;

o audit use and access-log events recorded shall include authorised activity, privileged use, security violations, suspicious behaviour and clear malicious activity;

o monitor activity and state to identify and escalate security violations, non-compliance, suspicious behaviour and malicious activity;

o resist deliberate attack and remain resilient in the face of deliberate attack;

o include security mechanisms which secure assets held by or passing through the system against unauthorised use, disclosure, interception, modification, fabrication, disruption and destruction; and

o be secured against unauthorised use, disclosure, escalation, interception, modification, fabrication, disruption, destruction and avoidance.



Area Restriction

Contestability principles

The Department expects that the Successful Tenderer will adhere to the following contestability principles in developing, delivering and operating the Additional Commercial Services. The Successful Tenderer will:

o develop, deliver and operate the Additional Commercial Services on an open access, non-discriminatory and contestable basis, and in a way that maintains competition in relation to the supply of goods or services offered as part of the Additional Commercial Services;

o not favour or provide an advantage to any member or affiliate of the Successful Tenderer with respect to the provision of goods / services offered through the Additional Commercial Services;

o develop, deliver and operate the Additional Commercial Services separately from the Core Government Services, so that the different types of services are clearly delineated;

o not bundle or tie (directly or indirectly, including by way of a discount or rebate), the supply of services through the Core Government Services and Additional Commercial Services;

o not offer discounts, inducements or other incentives on services offered through the Core Government Services on condition that Clients acquire one or more goods / services through the Additional Commercial Services;

o not represent or convey that Clients need to acquire goods / services through the Additional Commercial Services in order to obtain any services through the Core Government Services; and

o implement appropriate protections to ensure that any member or affiliate of the Successful Tenderer is not able to access any competitively sensitive or confidential information relating to goods / services offered through the Additional Commercial Services (including information of third parties providing or seeking to provide such services).

The Successful Tenderer must obtain the Department's prior approval where an opportunity proposes to involve an exclusive or preferred supply arrangement with a limited group of suppliers of goods and services. Where the Department approves such an opportunity, the right to be the exclusive supplier or a preferred supplier must be periodically competitively tendered through a fair, open market tender process. Any consortium partner or affiliate of the Successful Tenderer must be subject to the same open competitive tender process. Any preferred supply arrangement with a limited group of suppliers, must at a minimum include at least two independent suppliers (who are not consortium members or affiliates of the Successful Tenderer).

The Department notes that the procurement of suppliers by the Successful Tenderer to support the sale, or facilitation of the sale, of goods and services is not subject to the Commonwealth Procurement Rules.

o The Successful Tenderer must disclose to the Department any benefits received in return for facilitating the sale of any third party’s goods or services through the Additional Commercial Services.



Restrictions on the sale, or the facilitation of the sale, of goods and services to Clients

Area Restriction

Relationship to visa application experience

The Successful Tenderer must not attempt to sell (or attempt to facilitate the sale, including through marketing or advertising) of any good or service available through the Additional Commercial Services or any other place during a Client’s interaction with the Core Government Services. This includes but is not limited to various types of advertising such as banner advertisements and pop-up advertisements.

Consent provisions As outlined in Part 2 – Overview, Additional Commercial Services must be provided on an opt-in basis only.

The Successful Tenderer must not:

o market goods and services to a Client;

o supply goods or services; or

o use or disclose Personal Information for the purposes of marketing or facilitating the marketing or sale of goods or services to a Client, unless the Client has given their express consent to the particular marketing activity and has elected to access the Additional Commercial Services.

The consent must be clear about the scope of the marketing purposes, the Personal Information that will be involved and who will have access to or be disclosed the Personal Information; and in a form approved by the Department that is clear and accessible to the Client.

The Successful Tenderer must never force a Client to purchase Additional Commercial Services, irrespective of whether or not they have opted in to being marketed a given opportunity.

Promotion of other countries

The Successful Tenderer must not encourage tourism or travel to, or study and work opportunities in any country other than Australia.

Commercialisation of data

The Commonwealth will not agree to any commercialisation of data relating to the provision of Core Government Services.



Appendix A: Visa categories to be processed on the Platform initially Visa categories Current Visas

Tem

pora

ry V

isas

Visit

For people visiting for

leisure, family or

business activities

Visitor, Electronic Travel Authority, eVisitor, Transit

Study

For people studying

and guardians of

students

Student, Student Guardian

Temporary Work

For people working or

partaking in cultural or

business-related

activities

Temporary Skilled Shortage, Temporary Graduate,

Temporary Work (International Relations), Working Holiday,

Work and Holiday, Skilled-Recognised Graduate, Temporary

Activity, Training, Temporary Work (Short Stay Specialist),

Retirement, Investor Retirement, Maritime Crew, Medical

Treatment

Temporary

Protection

For people in

humanitarian need or

engage Australia’s

protection obligations

Temporary Protection, Humanitarian Stay (Temporary)

Temporary (Humanitarian Concern), Safe Haven Enterprise,

Resolution of Status.

Trans-Tasman

For New Zealanders

visiting or residing in

Australia

Special Category, New Zealand Citizen Family Relationship

(Temporary)

Special Purpose

For people with a

prescribed status or

declared by the

Minister

Special Purpose visa, Diplomatic (Temporary), Enforcement

visa

Status Pending and

Departure - for

regularising

non-citizens status or

in very limited

circumstances,

allowing entry to

Australia on a

temporary basis

Bridging A, Bridging B, Bridging C, Bridging D (Prospective

Applicant), Bridging E, Bridging F, Bridging (Removal

Pending), Border, Criminal Justice visas

Longer term

visa (To be

determined)

Longer Term

Skilled work

category (Visa type to

be determined)



Appendix B: Business Rules

In keeping with the requirements of Part 2 – Overview and Part 4 – Commercial Parameters and

Settings, the Department will determine the Business Rules for the Platform.

Attachment A – Statement of Requirement also makes it clear the Platform must be flexible and able

to quickly and efficiently accommodate policy and Business Rule changes as determined by the

Department.

The Department expects that the Successful Tenderer will collaborate with the Department in the

development of detailed Business Rules to maximise their efficiency and automation including in

relation to Platform capability and functionality.

Business Rules will be determined by the Department in accordance with the agreed rollout schedule.

Without diminishing the requirement for flexibility outlined above, the Department expects the

Business Rules to address, in varying compositions depending on relevant legislation, Ministerial

Directions, policies and operational workflows, one or more of the following core components of a visa

decision. The Platform must have the capability to flexibly address and combine these components

across different visa products into the future:

identity of the Applicant

genuine intent of the Applicant

character of the Applicant

financial circumstances of the Applicant

Australian values

visa-specific eligibility or other requirements

national security

health assessments

work rights

travel rights

sponsorship requirements

fraud prevention

English language proficiency

English language requirements

Particular requirements in relation to child custody and minors

Payment

Immigration history

welfare eligibility (under other Portfolio’s legislation).

To supplement the detailed information about decision making pathways provided to Tenderers

during the REIO Phase Three Co-design, the Department is providing Tenderers with access to

LEGENDcom. LEGENDcom is the Department's online database providing access to

1. Legislation and regulations (including Public Interest Criteria)

2. Policy and procedures

3. Ministerial directions.

Instructions for accessing LEGENDcom will be made available in the Data Room. Further supportive

information may also be made available in the Data Room during the Phase Two process.

Documents

Australian Government Department of Home Affairs · 2.4 Required outcomes of the Platform and Successful Tenderer 55 2.4.1 Introduction 55 2.4.2 Platform operations 55 2.4.3 Service