Examination of Personal Information Protection in Victorian Universities

Protection of personal information in Victorian universities
Report of examination under s 8C(2)(b), Privacy and Data Protection Act 2014
 
 
Why universities?

• Hold high volumes of personal information and other sensitive information
• Significant security breaches have affected Australian universities in recent years
• Unlike other Victorian public organisations, universities are primarily subject to principles-based regulation of their personal information security practices (‘reasonable steps to secure personal information’).
 
 
Responsibility to protect personal information

Eight Victorian universities are bound by Information Privacy Principle (IPP) 4 in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic), which states:
• IPP 4.1: An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
• IPP 4.2: An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
IPP 4.1 implies a risk-based approach to protecting personal information security.
 
 
Risk-based approach to personal information security

To take a risk-based approach to personal information security, universities should:
• Identify the personal information they hold
• Identify the security value and sensitivity of that information
• Identify and manage security risks to the information
• Apply protections proportionate to the value and risks to the information
Our examination was framed around these activities.
 
OVIC examination report

Available online at:
https://ovic.vic.gov.au/regulatory-approach/investigations-audits-examinations/examination-of-victorian-universities-privacy-and-security-policies/
 
 
 
What we examined

OVIC examined Victorian universities’:
• privacy and information security policies and procedures
• methods of identifying and recording holdings of personal information
• approaches to assessing the security value or nature of personal information
• approaches to risk management with respect to personal information security risks.
Reviewed documented policies and procedures; did not examine application in practice.
 
 
What we found – overview

• All universities had privacy and security policies in place, and there were areas of consistent performance.
• Some universities did not have procedures to methodically identify personal information holdings.
• Strong focus on cybersecurity – less focus on other security areas.
• Absence of procedures to destroy or deidentify personal information.
• Varied approaches to sharing personal information with third parties.
 
 
What we found – areas of strong performance

We found that all Victorian universities:
• have a data breach response plan that includes the steps: contain, assess, notify and review
• conduct Privacy Impact Assessments (PIAs) for significant new projects involving personal information
• conduct privacy and data security online training for staff
• have prioritised ICT and cyber security risks.
 
 
What we found – identifying and assessing value of PI

• Universities need to take ‘reasonable steps’ to protect personal information.
• Identifying what is ‘reasonable’ requires an understanding of what information is held and its sensitivity.
• Not all universities had a procedure for cataloguing the personal information they held or assessing its value – e.g., an Information Asset Register (IAR).
 
 
What we found – identifying and assessing value of PI

Chart: responses of the eight universities to three questions, each charted as Yes / Partial, planned or in progress / No (counts in chart order: 1, 3, 3, 2, 1, 3, 5, 4, 2 universities):
• Did the university say or show that it is aware of personal information held in business systems?
• Has the university developed an Information Asset Register (or similar register)?
• Did the university say it identifies when personal information is collected for new projects/initiatives?


What we found – focus on cybersecurity and ICT risk

Chart: responses charted as Yes / Partial, planned or in progress / No (counts in chart order: 1, 4, 7, 7, 3 universities):
• Did the university have a procedure to assess security risks to information?
• Of the universities with a procedure, did the procedure set out how to assess ICT security risks?
• Of the universities with a procedure, did the procedure set out how to assess personnel and physical security risks?

What we found – destroying personal information

While all universities had records management policies, not all of them dealt with the destruction of personal information:
• Three universities’ policies provided for disposal of information when permitted by the university’s Retention and Disposal Authority.
• Only one university’s policy referred specifically to the obligation to destroy personal information when no longer required.
• No policies or procedures we reviewed contained instructions for staff about how records should be destroyed or deidentified where they are no longer needed.
 
 
What we found – sharing personal information

Universities may share personal information with third parties. Sharing personal information with third parties creates significant privacy risks. However, OVIC found that of eight universities:
• Four said that staff need to obtain their legal teams’ approval for sharing personal information.
• Two said they used PIAs to determine if sharing of personal information is appropriate.
• Only one university had a documented procedure for deciding when it was appropriate to share personal information with third parties.
 
 
Recommendations to Victorian universities

OVIC recommended Victorian universities consider, where they have not already done so:
• implement policies that clearly set out expectations on staff regarding destruction of personal information.
• include in data breach response plans a step that requires staff to consider whether notification to OVIC is appropriate.
• document their approach and requirements when sharing personal information with third parties.
• make privacy and information security training available to all personnel that have access to personal information held by the university, including contractors.
 
 
Considerations for other universities

Consider whether your university has:
• procedures to identify the personal information it holds, determine its security value, and apply proportionate security controls?
• procedures to manage third party risk when sharing personal information?
• established the categories of policies, procedures, and mechanisms listed at pages 10 and 21-23 of OVIC’s examination report?
See: OVIC (2021) Examination of Victorian universities’ privacy and security policies. Available at www.ovic.vic.gov.au.
 
 

The report discusses the importance of protecting personal information in Victorian universities due to the high volumes of sensitive data they hold. It emphasizes the responsibility to safeguard personal information through a risk-based approach, as outlined in the Privacy and Data Protection Act 2014. The examination focused on privacy and security policies, risk management practices, and approaches to assessing the security value of personal information in these institutions.


Uploaded on Jul 18, 2024 | 1 Views



