Examination of Data Protection in Victorian Universities
This report explores the need for robust data protection in Victorian universities, which hold high volumes of personal and sensitive information. It sets out universities' responsibility to safeguard personal information and emphasises a risk-based approach to securing it. The examination by the Office of the Victorian Information Commissioner (OVIC) focused on privacy and security policies, risk management methods, and procedures relating to personal information security. For more details, refer to the OVIC examination report online.
Presentation Transcript
Protection of personal information in Victorian universities
Report of examination under s 8C(2)(b) of the Privacy and Data Protection Act 2014
Why universities?
- Universities hold high volumes of personal information and other sensitive information.
- Significant security breaches have affected Australian universities in recent years.
- Unlike other Victorian public organisations, universities are primarily subject to principles-based regulation of their personal information security practices ("reasonable steps" to secure personal information).
Freedom of Information | Privacy | Data Protection
Responsibility to protect personal information
Eight Victorian universities are bound by Information Privacy Principle (IPP) 4 in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic), which states:
- IPP 4.1: An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
- IPP 4.2: An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
IPP 4.1 implies a risk-based approach to personal information security.
Risk-based approach to personal information security
To take a risk-based approach to personal information security, universities should:
- identify the personal information they hold;
- identify the security value and sensitivity of that information;
- identify and manage security risks to the information;
- apply protections proportionate to the value of, and risks to, the information.
Our examination was framed around these activities.
OVIC examination report
Available online at: https://ovic.vic.gov.au/regulatory-approach/investigations-audits-examinations/examination-of-victorian-universities-privacy-and-security-policies/
What we examined
OVIC examined Victorian universities':
- privacy and information security policies and procedures;
- methods of identifying and recording holdings of personal information;
- approaches to assessing the security value or nature of personal information;
- approaches to risk management with respect to personal information security risks.
We reviewed documented policies and procedures; we did not examine their application in practice.
What we found: overview
- All universities had privacy and security policies in place, and there were areas of consistent performance.
- Some universities did not have procedures to methodically identify their personal information holdings.
- There was a strong focus on cybersecurity and ICT risk, with less focus on other security areas such as personnel and physical security.
- Procedures to destroy or de-identify personal information were absent.
- Approaches to sharing personal information with third parties varied.
What we found: areas of strong performance
We found that all Victorian universities:
- have a data breach response plan that includes the steps "contain, assess, notify and review";
- conduct Privacy Impact Assessments (PIAs) for significant new projects involving personal information;
- provide online privacy and data security training for staff;
- have prioritised ICT and cyber security risks.
What we found: identifying and assessing the value of personal information
Universities need to take reasonable steps to protect personal information. Identifying what is reasonable requires an understanding of what information is held and its sensitivity. Not all universities had a procedure for cataloguing the personal information they held or assessing its value, e.g. an Information Asset Register (IAR).
What we found: identifying and assessing the value of personal information (responses of the eight universities)
- Did the university say or show that it is aware of personal information held in business systems? Yes: 5; Partial, planned or in progress: 2; No: 1.
- Has the university developed an Information Asset Register (or similar register)? Yes: 4; Partial, planned or in progress: 1; No: 3.
- Did the university say it identifies when personal information is collected for new projects/initiatives? Yes: 2; Partial, planned or in progress: 3; No: 3.
What we found: focus on cybersecurity and ICT risk (responses of the eight universities)
- Did the university have a procedure to assess security risks to information? Yes: 7; No: 1.
- Of the seven universities with a procedure, did the procedure set out how to assess ICT security risks? Yes: 7 (all).
- Of the seven universities with a procedure, did the procedure set out how to assess personnel and physical security risks? Yes: 3; No: 4.
What we found: destroying personal information
While all universities had records management policies, not all of them dealt with the destruction of personal information:
- Three universities' policies provided for disposal of information when permitted by the university's Retention and Disposal Authority.
- Only one university's policy referred specifically to the obligation to destroy personal information when it is no longer required.
- None of the policies or procedures we reviewed contained instructions for staff on how records should be destroyed or de-identified when no longer needed.
What we found: sharing personal information
Universities may share personal information with third parties, and doing so creates significant privacy risks. However, OVIC found that of the eight universities:
- four said that staff need to obtain their legal team's approval before sharing personal information;
- two said they used PIAs to determine whether sharing personal information is appropriate;
- only one had a documented procedure for deciding when it is appropriate to share personal information with third parties.
Recommendations to Victorian universities
OVIC recommended that Victorian universities consider, where they have not already done so:
- implementing policies that clearly set out expectations on staff regarding destruction of personal information;
- including in data breach response plans a step that requires staff to consider whether notification to OVIC is appropriate;
- documenting their approach and requirements when sharing personal information with third parties;
- making privacy and information security training available to all personnel who have access to personal information held by the university, including contractors.
Considerations for other universities
Consider whether your university has:
- procedures to identify the personal information it holds, determine its security value, and apply proportionate security controls;
- procedures to manage third-party risk when sharing personal information;
- established the categories of policies, procedures, and mechanisms listed at pages 10 and 21-23 of OVIC's examination report.
See: OVIC (2021) Examination of Victorian universities' privacy and security policies. Available at www.ovic.vic.gov.au.