Welcome back to TRANSPARENT – a quarterly newsletter providing information to help you meet your privacy obligations under the Student Identifiers Act 2014 (SI Act) and the Privacy Act 1988 (Privacy Act).
TRANSPARENT is published by the Unique Student Identifier (USI) Office and written in collaboration with the Office of the Australian Information Commissioner (OAIC), the regulator of the Privacy Act.
This newsletter is the second of a two-part series about personal information security.
IMPORTANT NOTE: The Privacy Act, including the Australian Privacy Principles (APPs), applies to APP entities only. To determine whether your training organisation is an APP entity, refer to Chapter B of the APP Guidelines. The steps outlined may also be used by non-APP entities as a model for better personal information handling practice.
Inside this edition:
- Access controls
- Restricting administrative access
- User logging and monitoring of audit logs
- Third party providers (including cloud computing)
- Destruction or de-identification of personal information
You may wish to consider the information in this edition alongside Bulletin 5: Personal Information Security (Part 1 of 2), which focused on ICT and physical security.
A privacy breach can occur when someone deliberately defeats your organisation’s security measures and gains unauthorised access to the personal information you hold. Access controls help you protect personal information from internal and external risks by ensuring that it is accessed only by authorised persons.
You should also be mindful of internal risks such as unauthorised disclosure or misuse of personal information by ‘trusted insiders’ such as staff and contractors. It is good practice to limit staff access to personal information on a ‘need-to-know’ basis ‒ that is, limiting access to those who require it to do their job. Remember to revoke staff access when it’s no longer required.
The Privacy Act requires entities to take reasonable steps to protect personal information from unauthorised access by internal and external parties. For more information about reasonable steps under APP 11, see Bulletin 5.
As a general rule, the more personal information you hold, and the greater the sensitivity of that information, the more you should do to reduce the risk of a privacy breach. Below are some questions to consider for common and effective access controls that your organisation can use.
Identity management and authentication
- Does your organisation have an identity management process to verify the identity of individuals seeking access to information on your systems?
- Does your organisation use multiple ways to check and authenticate an individual’s identity?
For example, do you check identity against one or more of the following – something the individual knows (such as a password), something the individual has (such as a mobile phone to receive SMS confirmation), or something the individual is (biometric information such as a fingerprint)?
- Do you control individual access by associating user permissions and restrictions with a user’s identity?
This limits both their access to information and what they can do to it. For example, a student may be permitted to update their personal information but is restricted from viewing other students’ records. Similarly, RTO staff may be permitted to update current students’ records but are restricted from amending past students’ records.
An example of access controls – USI Transcript Service
The USI Transcript Service allows students who have been assigned a student identifier to access their transcript online. An RTO is able to view the transcript of any student if that student gives them access from within their online USI account.
Students can set access controls by selecting which RTOs can view their transcript, and limiting the period of time it can be viewed.
If you would like students to give your organisation permission to see their transcript online you will need to ask them. It is also good privacy practice to remind students of their ability to set or change access controls by logging into their USI accounts.
Passwords and passphrases
- Do staff use complex passwords (for example, one that is a combination of upper and lower-case letters, numbers and punctuation symbols) or passphrases (a sequence of words)?
- Is there a minimum password length requirement?
- Are staff reminded to regularly change passwords?
Removing non-public content from web servers
- If you host content on your web server that is not intended to be accessed publicly, have you restricted access to authorised and authenticated users only? If not, is this content stored elsewhere?
Restricting administrative access
Restricting administrative access involves limiting the number of users (usually ICT staff and contractors) who have administrative privileges for your organisation’s operating systems and applications. This is one of the most effective ways of securing your systems, because fewer users can make significant changes to your ICT environment or access sensitive information.
Once you have identified which business activities require administrative privileges to be performed, you should grant these privileges only to relevant staff members and create separate administrative accounts for them. The Australian Cyber Security Centre provides more information about this.
User logging and monitoring of audit logs
The more systems you use and the greater the volume of personal information you handle, the more important it is to proactively monitor user access. One way to do this is to keep an audit log, which allows you to detect unauthorised access to files and databases when you review system activity.
You should also think about the various access points to your system that you could monitor and audit, as well as how audit logs are maintained and protected from interference.
Audit logs help your organisation to meet privacy obligations under the Notifiable Data Breaches scheme, which requires you to investigate and contain data breaches and assess the risk of serious harm to affected individuals. In the event of a data breach, reviewing an audit log will help you determine when and how your systems were compromised, and by whom. In other words, audit logs help you to reconstruct a sequence of events. The topic of data breaches will be covered in the next edition of TRANSPARENT.
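As an added illustration, not material from the USI Office or the OAIC, the following Python sketch combines the permission rules given under ‘Identity management and authentication’ (students may update their own record but not view other students’ records; RTO staff may update current but not past students’ records) with the audit trail described above: every decision, allowed or denied, is written to the log, and a review function picks out users with repeated denials. The role names, the assumption that staff may view past students’ records, and the denial threshold are assumptions for the example only.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "student" or "rto_staff" (hypothetical role names)


@dataclass(frozen=True)
class StudentRecord:
    student_id: str
    current: bool  # True while enrolled, False for a past student


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user_id: str
    action: str
    record_id: str
    allowed: bool


def is_permitted(user: User, action: str, record: StudentRecord) -> bool:
    """Apply the two rules from the newsletter; anything not listed is denied."""
    if user.role == "student":
        # Students may view and update their own record only.
        return record.student_id == user.user_id and action in ("view", "update")
    if user.role == "rto_staff":
        # Staff may view any record (assumed) but update current students only.
        return action == "view" or (action == "update" and record.current)
    return False  # unknown role: deny by default


def access(user: User, action: str, record: StudentRecord,
           log: List[AuditEntry]) -> bool:
    """Make the access decision and record it, allowed or not, in the audit log."""
    allowed = is_permitted(user, action, record)
    log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                          user.user_id, action, record.student_id, allowed))
    return allowed


def repeated_denials(log: List[AuditEntry], threshold: int = 3) -> List[str]:
    """Users whose denied attempts reach the threshold; a starting point for review."""
    counts: Dict[str, int] = {}
    for entry in log:
        if not entry.allowed:
            counts[entry.user_id] = counts.get(entry.user_id, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Because denied attempts are logged as well as successful ones, the log can answer the who, when and how questions a breach investigation asks, and the review function shows the kind of proactive check the newsletter recommends.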
Third party providers (including cloud computing)
If you outsource all or part of your organisation’s personal information management to a third party, you should conduct due diligence on their services by checking how they handle personal information and data breaches, and the security controls they use to protect data. This includes cloud computing, when your organisation stores data on remote servers run by a cloud service provider or uses software delivered via the Internet.
You should keep in mind that if you outsource personal information management to a third party, you may still have responsibility under the Privacy Act. Although your third party provider may be subject to the Privacy Act in their own right, if the third party provider is holding personal information on your behalf, you must still take reasonable steps to protect that personal information. Consider whether your organisation’s contract with the third party provider requires them to:
- take reasonable steps to secure personal information (APP 11)
- report eligible data breaches under the Notifiable Data Breaches scheme
- provide regular security or risk reports to you, and agree to regular monitoring and inspections by your organisation.
Destruction or de-identification of personal information
Your organisation must take reasonable steps to destroy or de-identify the personal information it holds once it is no longer needed for any purpose for which it may be used or disclosed under the APPs. This requirement does not apply if the personal information is contained in a Commonwealth record, or if an Australian law or court/tribunal order requires it to be retained (APP 11.2).
As a general rule, if you no longer need to use the personal information, you should destroy it. Personal information is destroyed when it can no longer be retrieved. If it is held electronically, check that backup copies are deleted securely. If you are de-identifying personal information, you must make sure that an individual is no longer identifiable or cannot be reasonably identified.
Consider whether your organisation:
- has policies, procedures and training resources to help your staff determine whether personal information needs to be destroyed or de-identified
- trains and informs staff about your organisation’s destruction and de-identification policies for information held both in hardcopy and electronically.
The Guide to Data Breach Preparation and Response also provides guidance on managing data breaches.
The next edition of TRANSPARENT will focus on data breach response plans, including:
- content of a data breach response plan (containment, evaluation, notification and prevention)
- importance of identifying key staff
- regular review of the plan
- reporting breaches to the OAIC.