To maintain compliance with the Digital Service Provider (DSP) Operational Security Framework (OSF), you will need to undertake an annual review, notify the Digital Partnership Office (DPO) of any changes to your operating environment, and report any data breaches immediately.
We undertake regular ad-hoc reviews to ensure DSPs remain compliant with the requirements of the DSP OSF.
On this page
- Annual reviews
- If you do not meet the requirements
- Changes to your operating environment
- Awareness of other obligations
Annual reviews
You must provide annual assurance that your products and services remain compliant with the controls and requirements of the DSP OSF. We will raise an OSF annual review ticket via the DSP service desk and email you instructions on the actions you should take for your annual review.
The annual review includes a review of your self-assessment or independent certification currency. A self-assessment is deemed current for 2 years from the date of our initial approval. The validity of the independent certification currency is determined by the expiry date listed on the certificate.
If you do not meet the requirements
We are committed to protecting taxation, accounting, payroll, business registry and superannuation information and treat issues of non-compliance seriously. Therefore, you are expected to meet and remain compliant with the DSP OSF requirements.
If you do not meet the requirements, we will endeavour to work with you to address the non-compliance issues. Failure to do so will result in restricting access to services or de-whitelisting.
You will not be de-whitelisted without prior notice unless extreme circumstances apply, in which de-whitelisting would be temporary. To find out more, check out the DSP de-whitelisting process (PDF, 303KB).
Changes to your operating environment
The DPO must be notified as soon as practicable of significant changes to your business or product environment via Online services for DSPs.
These changes may relate to the:
- legal entity – mergers, acquisitions, divesting or large corporate restructures
- infrastructure – new platform, hosting provider or control of the hosting environment (DSP versus Client)
- client base – if it increases to greater than 10,000 unique Taxation, Accounting Payroll or Superannuation client records.
We will work with you to minimise the impacts these changes may have on your clients.
If you are unsure of the significance of a change in your operating environment, contact the DPO for guidance via Online services for DSP.
Awareness of other obligations
In addition to the requirements of the DSP OSF, DSPs also need to be aware of their obligations under the:
- Notifiable Data Breach scheme under Part IIIC of the Privacy Act 1988 (Privacy Act). Refer to further information on Notifiable Data Breach scheme.
- Australian Privacy Principles, contained in schedule 1 of the Privacy Act 1988 (Privacy Act). Refer to further information on the Australian Privacy Principles.