QLDDigital SolutionsSyllabus dot point

How are the requirements of a complex, secure data exchange identified and specified?

Identify and specify the functional, security and data requirements of a complex data exchange problem, including the systems involved, the data exchanged and the conditions for reliable exchange

A focused answer to the QCE Digital Solutions Unit 4 dot point on data exchange requirements. Identifying the systems and data involved, specifying functional and security requirements, defining reliability and validation conditions, and scoping a complex exchange for IA3.

Generated by Claude Opus 4.76 min answerUpdated 2026-05-29

Reviewed by: AI editorial process; not yet individually human-reviewed

Have a quick question? Jump to the Q&A page

Jump to a section

What this dot point is asking
What makes an exchange complex
Identifying the systems and the data
Functional requirements of the exchange
Security requirements
Reliability conditions
Constraints, privacy and scope
How this appears in assessment

What this dot point is asking

Unit 4 Topic 2 is complex data exchange problems and solution requirements. Where Unit 3 requirements describe a single user-facing solution, here you specify the requirements of an exchange between systems: which systems, what data, in what format, over what protocol, with what security, and under what reliability conditions. This analysis defines the scope of your IA3 prototype, so getting it precise is what lets you build and evaluate a focused exchange rather than an unbounded one.

What makes an exchange complex

A complex data exchange involves more than one system passing structured data, where the systems may be built differently, owned by different parties, or separated by a network. Complexity comes from the need to agree a format, secure the data in transit, validate what arrives, handle failures, and respect privacy and legal obligations. Identifying this complexity is the first step: you state which systems take part, what role each plays (source, destination, intermediary), and why they must exchange data.

Identifying the systems and the data

Begin by mapping the participants and the payload:

Systems: name each system, its role, and the boundary between them.
Data: what data is exchanged, its structure and its sensitivity. Personal or financial data raises privacy and security requirements.
Direction and trigger: is the exchange one-way or two-way, and what triggers it (a user action, a schedule, an event).

This mirrors the data exchange diagram you produce as a design tool, and it grounds every later requirement in concrete systems and data.

Functional requirements of the exchange

Functional requirements state what the exchange must do, phrased as testable behaviours:

The source system shall send new member records to the destination within five minutes of creation.
The destination shall acknowledge receipt with a status response.
The system shall retry a failed transmission up to three times before alerting an operator.

Each should be specific enough to test in your prototype evaluation.

Security requirements

Because Unit 4 is about impacts, security requirements are central, not optional:

Confidentiality: sensitive data is encrypted in transit (HTTPS/TLS) and, where stored, at rest.
Authentication: each system proves its identity, for example with an API key or token.
Integrity: the receiver verifies the data was not altered, using hashing or checksums.
Authorisation: a system can only access the data it is entitled to.

Naming the threat each requirement addresses (interception, impersonation, tampering) shows genuine understanding.

Specifying a clinic-to-lab result exchange

Systems: a clinic booking system (source) sends test requests to a pathology lab system (destination), which returns results.
Data: patient identifier, test type and result; all sensitive personal health data.
Functional: send a request on booking; receive results within 24 hours; flag urgent results immediately.
Data: JSON payload with a defined schema; results validated for completeness and range before display.
Security: HTTPS for confidentiality, API tokens for authentication, a hash to verify integrity, access restricted to authorised staff.
Reliability: agreed JSON schema and HTTPS protocol on both ends, retries on failure, errors logged not silently dropped.

This specification is precise enough that each requirement can be built and then tested in the IA3 evaluation.

Reliability conditions

Reliable exchange requires several conditions to hold together: an agreed data format and schema, an agreed protocol, validation of incoming data, and explicit error handling so a failure does not corrupt either system. Stating these as conditions turns reliability from a vague hope into testable requirements.

Constraints, privacy and scope

Constraints shape the exchange: available APIs, network limits, the platform, and crucially the legal obligations around the data (privacy law for personal information). A clear scope statement says which exchanges are included in the prototype and which are out of scope, so IA3 stays achievable. Privacy and ethical considerations are themselves requirements when personal data is involved, linking this dot point to privacy and ethics.

How this appears in assessment

IA3 begins with exactly this analysis: you investigate a complex data exchange problem and specify its requirements before designing the prototype. The external exam can ask you to identify requirements or reliability conditions for a given exchange scenario. Practise turning a described exchange into a structured requirements list covering function, data, security and reliability.

Exam-style practice questions

Practice questions written in the style of QCAA exam questions on this dot point, with worked answer explainers. The year tag is the paper they imitate, not the source.

2024 QCAA6 marksA hospital has installed a boom gate at the entrance to the staff car park. The boom gate scans and records numberplates and requires drivers to swipe their ID card for access. Analyse the scenario to determine a risk to data confidentiality, integrity and availability and make a recommendation for reducing each of these risks.

Show worked answer →

Three marks are for analysing a risk to each property of the CIA triad and three for a recommendation that reduces each risk, so cover all three.

Confidentiality [risk 1 mark, recommendation 1 mark]: numberplate and staff name data could be linked and exposed in unexpected ways. Restrict the database to a single trusted role such as an IT manager, and only share specific records through an approved review process.

Integrity [risk 1 mark, recommendation 1 mark]: staff could abuse the system, e.g. lending an ID or obscuring a numberplate to gain entry, corrupting the access records. Cross-check a list of permitted numberplates against IDs before granting access.

Availability [risk 1 mark, recommendation 1 mark]: an online database is vulnerable to hacking that could deny access. Keep the data offline (e.g. on local storage), maintain physical security, purge data regularly, and encrypt captured numberplate data.

Markers reward a distinct, scenario-specific risk and a matching, practical recommendation for each property.