Examination of Data Protection in Victorian Universities

Slide Note
Embed
Share

Report explores the need for robust data protection in Victorian universities due to high volumes of personal and sensitive information held. It highlights the responsibility to safeguard personal data, emphasizing a risk-based approach for security. The examination by OVIC focused on privacy and security policies, risk management methods, and procedures related to personal information security. For more details, refer to the OVIC examination report online.

oaklee
oaklee Follow

Uploaded on Jul 18, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Protection of personal information in Victorian universities Report of examination under s 8C(2)(b) Privacy and Data Protection Act 2014

  2. 2 Why universities? Hold high volumes of personal information and other sensitive information Significant security breaches have affected Australian universities in recent years Unlike other Victorian public organisations, universities are primarily subject to principles-based regulation of their personal information security practices ( reasonable steps to secure personal information ). Freedom of Information | Privacy | Data Protection

  3. 3 Responsibility to protect personal information Eight Victorian universities are bound by Information Privacy Principle (IPP) 4 in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic), which states: IPP 4.1: An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. IPP 4.2: An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. IPP 4.1 implies a risk-based approach to protecting personal information security. Freedom of Information | Privacy | Data Protection

  4. 4 Risk-based approach to personal information security To take a risk-based approach to personal information security universities should: Identify the personal information they hold Identify the security value and sensitivity of that information Identify and manage security risks to the information Apply protections proportionate to the value and risks to the information Our examination was framed around these activities. Freedom of Information | Privacy | Data Protection

  5. 5 OVIC examination report Available online at: https://ovic.vic.gov.au/regulatory- approach/investigations-audits- examinations/examination-of- victorian-universities-privacy-and- security-policies/ Freedom of Information | Privacy | Data Protection

  6. 6 What we examined OVIC examined Victorian universities : privacy and information security policies and procedures methods of identifying and recording holdings of personal information approaches to assessing the security value or nature of personal information approaches to risk management with respect to personal information security risks. Reviewed documented policies and procedures; did not examine application in practice. Freedom of Information | Privacy | Data Protection

  7. 7 What we found overview All universities had privacy and security policies in place, and there were areas of consistent performance. Some universities did not have procedures to methodically identify personal information holdings. Strong focus on cybersecurity less focus on other security areas. Absence of procedures to destroy or deidentify personal information. Varied approaches to with sharing personal information with third parties. Freedom of Information | Privacy | Data Protection

  8. 8 What we found - areas of strong performance We found that all Victorian universities: have a data breach response plan that includes the steps contain, assess, notify and review conduct Privacy Impact Assessments (PIAs) for significant new projects involving personal information conduct privacy and data security online training for staff have prioritised ICT and cyber security risks. Freedom of Information | Privacy | Data Protection

  9. 9 What we found identifying and assessing value of PI Universities need to take reasonable steps to protect personal information. Identifying what is reasonable requires an understanding of what information is held and its sensitivity. Not all universities had a procedure for cataloguing the personal information they held or assessing its value e.g., an Information Asset Register (IAR). Freedom of Information | Privacy | Data Protection

  10. 10 What we found identifying and assessing value of PI 1 university 3 universities 3 universities 2 universities 1 university 3 universities 5 universities 4 universities 2 universities Did the university say or show that it is aware of personal information held in business systems? Has the university developed an Information Asset Register (or similar register)? Did the university say it identifies when personal information is collected for new projects/initiatives? Yes Partial, planned or in progress No Freedom of Information | Privacy | Data Protection

  11. 11 What we found focus on cybersecurity and ICT risk 1 university 4 universities 7 universities 7 universities 3 universities Did the university have a procedure to assess security risks to information? Of the universities with a procedure, did the procedure set out how assess ICT security risks? Of the universities with a procedure, did the procedure set out how to assess personnel and physical security risks? Yes Partial, planned or in progress No Freedom of Information | Privacy | Data Protection

  12. 12 What we found destroying personal information While all universities had records management policies, not all of them dealt with the destruction of personal information: Three universities policies provided for disposal of information when permitted by the university s Retention and Disposal Authority Only one university s policy referred specifically to the obligation to destroy personal information when no longer required. No policies or procedures we reviewed contained instructions for staff about how records should be destroyed or deidentified where it is no longer needed. Freedom of Information | Privacy | Data Protection

  13. 13 What we found sharing personal information Universities may share personal information with third parties. Sharing personal information with third parties creates significant privacy risks. However, OVIC found that of eight universities: Four said that staff need to obtain their legal teams approval for sharing personal information. Two said they used PIAs to determine if sharing of personal information is appropriate. Only one university had a documented procedure for deciding when it was appropriate to share personal information with third parties. Freedom of Information | Privacy | Data Protection

  14. 14 Recommendations to Victorian universities OVIC recommended Victorian universities consider, where they have not already done so: implement policies that clearly set out expectations on staff regarding destruction of personal information. include in data breach response plans a step that requires staff to consider whether notification to OVIC is appropriate. document their approach and requirements when sharing personal information with third parties. make privacy and information security training available to all personnel that have access to personal information held by the university, including contractors. Freedom of Information | Privacy | Data Protection

  15. 15 Considerations for other universities Consider whether your university has: procedures to identify the personal information it holds, determine its security value, and apply proportionate security controls? procedures to manage third party risk when sharing personal information? established the categories of policies, procedures, and mechanisms listed at pages 10 and 21-23 of OVIC s examination report? See: OVIC (2021) Examination of Victorian universities privacy and security policies. Available at www.ovic.vic.gov.au. Freedom of Information | Privacy | Data Protection

Related


Examination of Personal Information Protection in Victorian Universities

Examination of Personal Information Protection in Victorian Universities

rowen
Data Use and Protection: Key Issues and Future Direction by Sven Bluemmel, Victorian Information Commissioner

Data Use and Protection: Key Issues and Future Direction by Sven Bluemmel, Victorian Information Commissioner

darciemae
Academic Department Management Workshop on Examination Processes and Irregularities

Academic Department Management Workshop on Examination Processes and Irregularities

dion
Comprehensive Guide to Ophthalmic Examination in Veterinary Medicine

Comprehensive Guide to Ophthalmic Examination in Veterinary Medicine

shivani
Victorian Curriculum F-10 Version 2.0 Revision Overview

Victorian Curriculum F-10 Version 2.0 Revision Overview

aaron
Revival of Drama and Poetry in Victorian Era

Revival of Drama and Poetry in Victorian Era

penn
The Association of Arab Universities: Promoting Higher Education Cooperation

The Association of Arab Universities: Promoting Higher Education Cooperation

harm
Empowering African Universities through Data Sharing Surveys

Empowering African Universities through Data Sharing Surveys

maalikf
Understanding the General Data Protection Regulation (GDPR) and Data Protection Bill

Understanding the General Data Protection Regulation (GDPR) and Data Protection Bill

helena
The Digital Personal Data Protection Act 2023

The Digital Personal Data Protection Act 2023

edelweiss
Understanding Data Protection Regulations and Definitions

Understanding Data Protection Regulations and Definitions

nicholes_p
Veterinary Clinical Examination Techniques and Procedures

Veterinary Clinical Examination Techniques and Procedures

lenore
Examination of Witnesses under Indian Evidence Act, 1872

Examination of Witnesses under Indian Evidence Act, 1872

aamina
Comprehensive Guide to Neurological Examination in Dogs and Cats

Comprehensive Guide to Neurological Examination in Dogs and Cats

nicode
Comprehensive CNS Examination Guidelines by Dr. Kiran Nandeshwar

Comprehensive CNS Examination Guidelines by Dr. Kiran Nandeshwar

imperato_r
Customs Brokers Licensing Training Program: Entry and Examination Procedures

Customs Brokers Licensing Training Program: Entry and Examination Procedures

dayl_68
Exploring Victorian Poetry: Sensory Imagery and Social Realism

Exploring Victorian Poetry: Sensory Imagery and Social Realism

ledger
Overview of Victorian Curriculum F-10 Mathematics Curriculum Revisions

Overview of Victorian Curriculum F-10 Mathematics Curriculum Revisions

klaudia
Victorian Portrayal of Love and Female Independence in Maude Clare

Victorian Portrayal of Love and Female Independence in Maude Clare

kieron
Understanding the Victorian Era and Charles Dickens through

Understanding the Victorian Era and Charles Dickens through "Bleak House

conrad
Understanding Context in Jekyll and Hyde: Victorian Britain and Robert Louis Stevenson

Understanding Context in Jekyll and Hyde: Victorian Britain and Robert Louis Stevenson

tybalt
Victorian Literary Movement: Aestheticism and Social Critique

Victorian Literary Movement: Aestheticism and Social Critique

jaan663
Overview of Victorian Curriculum Mathematics F-10

Overview of Victorian Curriculum Mathematics F-10

jeppesen_a
Overview of Victorian English Curriculum

Overview of Victorian English Curriculum

muul306

More Related Content

UCAT ANZ 2023: University Clinical Aptitude Test Overview
UCAT ANZ 2023: University Clinical Aptitude Test Overview
Understanding Times Higher Education Impact Rankings 2020
Understanding Times Higher Education Impact Rankings 2020
Certified Protection Professional (CPP) Certification Examination Review
Certified Protection Professional (CPP) Certification Examination Review
Groundskeeping Safety and Personal Protective Equipment Training
Groundskeeping Safety and Personal Protective Equipment Training
ISACA Annual General Meeting Highlights and Insights
ISACA Annual General Meeting Highlights and Insights
Understanding Historical Significance in Victorian Curriculum History
Understanding Historical Significance in Victorian Curriculum History
Understanding the European Union General Data Protection Regulation (GDPR)
Understanding the European Union General Data Protection Regulation (GDPR)
Waterbeach Community Forum Updates and Examination Progress
Waterbeach Community Forum Updates and Examination Progress
Understanding Physical Examination: Importance and Purpose
Understanding Physical Examination: Importance and Purpose
Objective Structured Clinical Examination (OSCE): A Modern Approach to Assessing Clinical Competence
Objective Structured Clinical Examination (OSCE): A Modern Approach to Assessing Clinical Competence
Comprehensive Guide to Acute Knee Examination in Urgent Care
Comprehensive Guide to Acute Knee Examination in Urgent Care
Newborn Infant Physical Examination (NIPE) and Neonatal Checks Overview
Newborn Infant Physical Examination (NIPE) and Neonatal Checks Overview
Understanding General Urine Examination and Stool Examination
Understanding General Urine Examination and Stool Examination
Comprehensive Approach to Fixed Partial Prosthodontics Diagnosis and Treatment Planning
Comprehensive Approach to Fixed Partial Prosthodontics Diagnosis and Treatment Planning
Comprehensive Clinical Evaluation of Children with Cardiac Abnormalities
Comprehensive Clinical Evaluation of Children with Cardiac Abnormalities
Effective Trial Advocacy: Cross-Examination Strategies by Professor Stephen A. Saltzburg
Effective Trial Advocacy: Cross-Examination Strategies by Professor Stephen A. Saltzburg
Mastering Cross-Examination of Witnesses in Legal Settings
Mastering Cross-Examination of Witnesses in Legal Settings
Comprehensive Guide to Clinical Examination Techniques
Comprehensive Guide to Clinical Examination Techniques
Preparing for EU General Data Protection Regulation with Revd. Mark James
Preparing for EU General Data Protection Regulation with Revd. Mark James
Understanding the Data Protection Act 2017: A Comprehensive Overview
Understanding the Data Protection Act 2017: A Comprehensive Overview
Improving Consumer Protection in Ghana: Insights from the Sixth Annual African Dialogue Consumer Protection Conference
Improving Consumer Protection in Ghana: Insights from the Sixth Annual African Dialogue Consumer Protection Conference
Understanding Carnegie Mellon's Protection and Security Concepts
Understanding Carnegie Mellon's Protection and Security Concepts
Achieving Environmental Sustainability in Australian Universities: NTEU's Campaign and Successes
Achieving Environmental Sustainability in Australian Universities: NTEU's Campaign and Successes
Central Universities Entrance Test (CUET) 2022-23: Admissions Information for Undergraduate Programmes
Central Universities Entrance Test (CUET) 2022-23: Admissions Information for Undergraduate Programmes