Welcome back to TRANSPARENT – a quarterly newsletter providing information to help you meet your privacy obligations under the Student Identifiers Act 2014 (SI Act) and the Privacy Act 1988 (Privacy Act).
TRANSPARENT is published by the Unique Student Identifier (USI) Office and written in collaboration with the Office of the Australian Information Commissioner (OAIC), the regulator of the Privacy Act.
This Bulletin is the first of a two-part series about personal information security. In part one, we focus on how a Registered Training Organisation (RTO) can strengthen personal information security through the use of physical security controls and ICT protections. More information about these topics is available in the OAIC’s Guide to Securing Personal Information: https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information.
We hope you find the newsletter helpful and look forward to receiving your feedback.
IMPORTANT NOTE: The Privacy Act, including the Australian Privacy Principles (APPs), applies to APP entities only. To determine whether your training organisation is an APP entity, refer to Chapter B of the APP Guidelines. The steps outlined in this newsletter may also be used by non-APP entities as a model for better personal information handling practice.
Inside this edition
- What is personal information security?
- What are ‘reasonable steps’ to protect and secure personal information?
- Physical security controls
- General ICT protections
- Examples of ICT protections
- OAIC resources
What is personal information security?
Information security involves all measures used to protect any information that is not intended to be made publicly available from compromise, loss of integrity or unavailability, including security classified and commercially confidential information.
Personal information security is a subset of information security, and specifically relates to entities taking reasonable steps to protect personal information. Our first Bulletin goes into more detail about the meaning of personal information as defined in the Privacy Act.
What are ‘reasonable steps’ to protect and secure personal information?
The Privacy Act requires entities to take active measures to ensure the security of personal information they hold.
Under APP 11, entities must take ‘such steps as are reasonable in the circumstances’ to:
- protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure (APP 11.1)
- destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs (APP 11.2).
What is considered ‘reasonable’ will depend on the individual circumstances of your organisation. These include the nature of the organisation (e.g. its size, resources and complexity) and the amount and sensitivity of personal information it holds. For example, training organisations that deliver nationally recognised training in Australia or offshore will hold sensitive information for the purposes of the National VET Provider Collection.
You should also consider the possible adverse consequences of a privacy breach (including whether you may be required to notify the affected individuals and OAIC of the breach under the Notifiable Data Breaches Scheme) and the practical implications of implementing security measures.
What qualifies as ‘reasonable steps’ for a large organisation that provides services to thousands of students may not be reasonable for smaller organisations. However, this does not mean that smaller organisations may refrain from taking steps to protect personal information altogether. Organisations are not excused from implementing a measure that may be inconvenient, time-consuming or impose some cost. More information about ‘reasonable steps’ is available in Bulletin 4: Privacy Risk Management.
You should integrate personal information security into all levels of your organisation by establishing clear procedures for oversight, accountability and lines of authority for decisions regarding personal information security. Ideally, your organisation should appoint an individual who understands what, where and how personal information is held within the organisation, and has a dedicated responsibility for ensuring the information is held securely.
You can minimise the risk of a privacy breach occurring by encouraging all staff to proactively identify, address and minimise privacy risks. Senior management should actively support this by promoting a privacy culture, having clear and effective governance arrangements and training for all staff. The risk of a privacy breach is higher when staff do not understand how much your organisation values privacy, their privacy obligations and how to manage privacy risks effectively. More information is available in Bulletin 3: Governance.
You are responsible for protecting the personal information you hold during every stage of its lifecycle. This starts before you may even hold personal information – for example, you should consider whether it is actually necessary to collect and hold it at all. You should also plan how the information will be handled, assess the risks involved in collecting the information, and put in place strategies to protect information that you hold. The lifecycle continues through to the decision about whether to destroy or de-identify personal information when it is no longer needed.
Physical security controls
Physical security is an important part of ensuring that personal information is not inappropriately accessed. You need to consider the steps you can take to make sure that physical copies of personal information are secure.
In assessing your organisation’s physical security controls, you should consider whether your organisation has integrated privacy and security into the design of the workspace – this includes how your organisation controls access to the workplace. Think about how your organisation secures physical files containing personal information, and in particular, consider the record management system, the segregation of work areas with particular access to personal information, and any policies around clean desks or the transport of personal information offsite.
General ICT protections
Effective ICT security requires protecting both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure.
You should regularly monitor the operation and effectiveness of your ICT security measures to check that they are still responsive to changing threats and vulnerabilities. Harmful software such as malware and computer viruses can threaten the security of your ICT systems, including your student management system. These risks can be reduced by running anti-malware software that is kept up to date and by keeping operating systems and applications patched, but no single product removes the risk entirely.
You should also be aware of the personal information you hold on your ICT systems and where it is located. You need to consider the security of all systems that use or interact with your ICT systems, which includes securing your website(s), social media platforms, mobile device applications (apps) and all other Internet-connected end-user mobile devices (e.g. laptops), portable storage devices, desktop terminals, kiosks, Wi-Fi networks, remote access and other aspects of your systems.
ICT security measures help mitigate internal and external threats, human error, hardware or software malfunctions, and power or system failures caused by external events.
Examples of ICT protections
There are a range of mitigation strategies your organisation could use to help protect the personal information you hold in your ICT systems. While no single mitigation strategy is guaranteed to prevent privacy breaches, here are some common protective measures:
- Network security ensures appropriate controls are in place to secure your network. Preventing and detecting intrusion can be an effective way of identifying and responding to attacks. This may include using firewalls, which control the incoming and outgoing network traffic, and intrusion detection or prevention systems, which alert you to (or block) suspicious traffic that a firewall rule alone would allow.
- Email security involves developing procedures to manage the communication of personal information via email. Email is not a secure form of communication. You can protect personal information by using secure messaging instead of email, or by sending password protected attachments. If you do send a protected attachment, give the recipient the password through a different channel (for example by phone), never in the same email or a follow-up email, otherwise anyone who intercepts the mailbox has both the file and the password.
- Encryption ensures that information is stored (or transmitted) in a form that only individuals with access to the password or ‘secret key’ can read. It helps prevent data theft and unauthorised access, but only if the key is kept separately from the encrypted data: a key saved alongside the files it protects gives an attacker both at once. Modern encryption modes also detect whether the encrypted data has been modified, which addresses unauthorised modification as well as unauthorised access.
- Penetration testing and vulnerability testing (scanning) involve testing the security of your ICT systems. Ideally, this should occur during their development, transition to operations and regularly once they are operational. Weaknesses should be reported and addressed in a timely manner. When considering how to scope your testing, you should think about how often testing is conducted, whether it covers all aspects or discrete elements of the system, who is responsible for conducting the testing (i.e. somebody internal or independent), how test data is handled and whether it includes actual personal information (test environments should use de-identified or synthetic data wherever possible).
- A patch is a software update used to correct a problem with a program or a computer operating system. You should install security updates as soon as they become available to fix known vulnerabilities. Be aware that some updates also bundle new features that should be assessed for their privacy impacts before they are installed; carry out that assessment promptly so that it does not delay the security fix.
- Whitelisting and blacklisting allow you to control who and what applications are allowed to access a device or network. Whitelisting involves drawing up a list of entities (users, devices and software applications) that are allowed access, with everything else denied by default, whereas blacklisting identifies entities that are denied access and allows everything else. Whitelisting is the stronger control because a new or unknown application is blocked until someone approves it, while a blacklist only stops what you already know about. Either list should be maintained and updated to remain effective and responsive to new threats.
Finally, you should back up (i.e. make copies of) important files and store them securely on a physical device or online. Backups contain the same personal information as the live system, so they should be encrypted, kept separate from the systems they protect, and restored periodically as a test to confirm they actually work. Beyond ensuring that you back up data frequently so that information is not lost, you should also review your backups to check that personal information that is no longer needed is destroyed or de-identified as required under APP 11.2.
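The encryption point above (only a holder of the secret key can read the data, and modification is detected) can be shown concretely. The following Go program is an added example written for this Bulletin; it is not code from the USI Office, the OAIC or any student management system. It uses only Go's standard library (AES-256 in GCM mode). The student record, the record label "student-record:42" and the idea of binding that label to the ciphertext are constructed for illustration; in a real deployment the key would be held in a key management service or OS keystore, not generated in the program and never stored next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes, i.e. AES-256.
const keySize = 32

// NewKey returns a fresh random 256-bit key. This is for the demonstration
// only; a production system obtains the key from a key management service.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD wraps the key in AES-GCM, which both encrypts and authenticates.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext and returns nonce || ciphertext || authentication tag.
// label is bound to the ciphertext as additional authenticated data, so a
// sealed blob cannot be swapped onto a different record without detection.
func Encrypt(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; GCM must never reuse a nonce under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Decrypt reverses Encrypt. It fails if the key is wrong, the label differs,
// or any byte of the blob (including the tag) has been altered.
func Decrypt(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:ns], blob[ns:]
	pt, err := aead.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong label or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real student data.
	record := []byte(`{"name":"Example Student","dob":"2001-01-01"}`)
	label := []byte("student-record:42") // hypothetical record identifier

	blob, err := Encrypt(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes and contains no readable fields\n", len(blob))

	pt, err := Decrypt(key, blob, label)
	fmt.Printf("correct key: %s (err=%v)\n", pt, err)

	// Flip one bit of the stored blob, as a disk fault or an attacker might.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, blob, label)
	fmt.Printf("tampered blob: err=%v\n", err)
}
```

The important properties are visible in the calls: the same plaintext encrypts to a different blob every time because of the random nonce, and `Decrypt` returns an error rather than corrupted data when the blob, the key or the label does not match. Binding a record label as additional authenticated data is optional, but it stops an insider from copying one student's sealed record over another's.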
OAIC resources
The OAIC website has a number of resources that provide guidance on personal information security.
You may find the Guide to Securing Personal Information useful in relation to the topics covered in this Bulletin.
The Guide to Data Breach Preparation and Response also provides guidance on managing data breaches. This topic will be covered in a later edition of TRANSPARENT (Bulletin 7).
The next edition of TRANSPARENT will continue our discussion on the security of personal information, including:
- access controls (such as multifactor authentication)
- restricting administrative access
- user logging and monitoring of access logs
- third party providers (including cloud computing)
- destruction or de-identification of personal information.