Maintaining compliance

To maintain compliance with the Digital Service Provider (DSP) Operational Security Framework (OSF), you will need to undertake an annual review, notify the Digital Partnership Office (DPO) of any changes to your operating environment, and report any data breaches immediately. 

The DPO undertakes regular ad-hoc reviews to ensure DSPs remain compliant with the requirements of the DSP OSF.

Annual reviews

You must provide annual assurance that your products and services remain compliant with the controls and requirements of the DSP OSF. This can be done by completing the annual review ticket via the DSP service desk in Online services for DSPs, which will require you to respond to appropriate questions and provide relevant evidence.

The annual review includes a review of your self-assessment or independent certification currency.

A self-assessment is deemed current for 2 years from the date of our initial approval. The validity of the independent certification currency is determined by the expiry date listed on the certificate.

If you do not meet the requirements

We are committed to protecting taxation, accounting, payroll, business registry and superannuation information and treat issues of non-compliance seriously. Therefore, you are expected to meet and remain compliant with the DSP OSF requirements.

If you do not meet the requirements, we will endeavour to work with you to address the non-compliance issues. Failure to do so will result in restricted access to services or de-whitelisting.

You will not be de-whitelisted without prior notice unless extreme circumstances apply, in which case de-whitelisting would be temporary. To find out more, check out the DSP de-whitelisting process (PDF, 303KB).

Changes to your operating environment

The DPO must be notified as soon as practicable of significant changes to your business or product environment via Online services for DSPs.

These changes may relate to the:

  • legal entity - mergers, acquisitions, divesting or large corporate restructures
  • infrastructure - new platform, hosting provider or control of the hosting environment (DSP versus Client)
  • client base - if it increases to greater than 10,000 unique Taxation, Accounting, Payroll or Superannuation client records.

The DPO will work with you to minimise the impacts these changes may have on your clients.

If you are unsure of the significance of a change in your operating environment, contact the DPO for guidance via Online services for DSPs.

Awareness of other obligations

In addition to the requirements of the DSP OSF, DSPs also need to be aware of their obligations under the:
