Welcome back to TRANSPARENT – a quarterly newsletter providing information to help you meet your privacy obligations under the Student Identifiers Act 2014 (SI Act) and the Privacy Act 1988 (Privacy Act).
This newsletter is published by the Unique Student Identifier (USI) Office and written in collaboration with the Office of the Australian Information Commissioner (OAIC), the regulator of the Privacy Act.
In this newsletter, we focus on key components of good privacy governance — including training for staff, establishing clear lines of accountability for privacy matters, and maintaining privacy management policies and procedures.
We hope you find this newsletter helpful and look forward to receiving your feedback.
IMPORTANT NOTE: The Privacy Act, including the Australian Privacy Principles (APPs), applies to APP entities only. To determine whether your training organisation is an APP entity, refer to Chapter B of the APP Guidelines.
Inside this edition:
- Privacy training
- Policies and Procedures
- OAIC resources
You should use staff training to manage and minimise privacy risks.
Human error can cause significant privacy risks. For instance, fifty-one percent of the mandatory data breach notifications received by the OAIC in the first quarter of 2018, in accordance with Australia’s Notifiable Data Breaches scheme, were reportedly the result of human error. Examples of human error are sending an email containing personal information to the wrong person, leaving documents in places where they can be accessed without authorisation, or publishing information or datasets online when they have not been properly de-identified.
Training improves staff awareness of privacy obligations, with resulting positive outcomes for personal information handling. This reduces the likelihood of a privacy breach occurring and helps staff to manage privacy risks effectively.
When to conduct privacy training
You should conduct privacy training for all staff who handle personal information and USIs, including new starters, contractors, and temporary staff.
You should schedule the privacy training during the onboarding stage for new staff, regardless of whether they are ongoing or are on a short-term contract. You should also schedule refresher training at regular intervals to ensure staff are up-to-date on their obligations as well as your organisation’s business processes relating to privacy.
Ad hoc privacy training may also be required when there is a change in circumstances. For example, if staff members change roles to a position that requires the handling of large amounts of personal information or USIs, you should provide them with privacy training that aligns with their new responsibilities. Changes in privacy laws, such as the recent introduction of the Notifiable Data Breaches scheme, may also prompt you to provide updated privacy training.
Keeping a record of when staff complete privacy training is essential to ensuring staff are up-to-date. You can ensure staff have undergone the appropriate privacy training by linking credential access with the completion of training.
What to include in privacy training
Privacy training should inform staff about the full extent of their privacy obligations and emphasise issues relevant to their role and your organisation. Accordingly, your organisation’s privacy training should contain:
- an outline of why privacy is important and the role of personal information and USIs in your organisation’s operation
- references to internal practices, procedures, and systems that involve handling personal information and USIs
- tips on avoiding information security risks, including:
- creating strong and unique passphrases
- recognising and avoiding ‘phishing’ and ‘spear phishing’ attacks and ‘social engineering’.
- data breach response procedures
- a staff code of conduct
- guidance on where staff can access further information about privacy.
Establishing roles within your organisation that oversee privacy matters can ensure privacy risks are reported and managed quickly and effectively.
It is important to have one or more staff members who are aware of what personal information your organisation holds, where and how it is held, and who is responsible for ensuring it is secure and handled correctly. These staff should be the contact point for other staff if they have privacy questions or issues to report.
It is also important to ensure senior management are informed about privacy issues. This will assist your organisation maintain a privacy culture that proactively identifies and addresses privacy risks.
Depending on the size of your organisation, one way to foster accountability could be to appoint staff members with roles that have particular privacy responsibilities. Two roles that can fulfil these functions are a ‘Privacy Officer’ and a ‘Privacy Champion’.
Appointing a Privacy Officer, or multiple Privacy Officers, is a great way to ensure your organisation follows privacy policies and procedures. You can appoint Privacy Officers as a standalone role or as part of a staff member’s responsibilities, depending on the scale of your organisation’s work.
The recommended functions of a Privacy Officer are operational rather than strategic, and include:
- handling internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information made under the Privacy Act
- maintaining a record of your organisation’s personal information holdings
- assisting with the preparation of privacy impact assessments (PIAs)
- measuring and documenting your organisation’s performance against its Privacy Management Plan, at least annually.
A Privacy Champion reflects a commitment to promoting the value of privacy protection at the highest levels of your organisation.
The Privacy Champion role should be filled by an individual within the senior management of your organisation. The role has a strategic focus — a Privacy Champion should promote a culture of privacy and provide leadership on broad privacy issues.
The functions of a Privacy Champion can also include:
- reviewing and/or approving your organisation’s Privacy Management Plan, and monitoring progress against the Privacy Management Plan
- providing regular reports to the organisation’s senior leaders on privacy issues arising from the way personal information and USIs have been handled.
Policies and procedures
Having clear policies and procedures around privacy will ensure your staff can perform their duties in accordance with best practice.
You should consider:
- keeping a centralised up-to-date record of your personal information holdings (including the type of information and where it is held). This should include information held off-shore, or that is in the physical possession of a third party
- promoting privacy awareness by integrating privacy into induction and regular staff training programs
- implementing risk management processes that identify, assess, and manage privacy risks, including personal information security risks
- undertaking PIAs for projects or decisions that involve new or changed personal information and USI handling practices (including implementing new technologies)
- establishing processes for receiving and responding to privacy enquiries and complaints
- establishing processes that allow individuals to promptly and easily access and correct their personal information
- developing a data breach response plan.
The OAIC provides several resources that can help you implement the practices outlined in this newsletter.
The OAIC’s eLearning course provides easy-to-understand information that will help you conduct a PIA.
The Guide to undertaking privacy impact assessments describes a process for undertaking a PIA. The next edition of TRANSPARENT will describe the PIA process in more detail.
The Guide to handling privacy complaints provides guidance and a step-by-step checklist on how to address privacy complaints.
The OAIC provides a range of resources that outline the key requirements of the Notifiable Data Breaches scheme. The OAIC’s Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) provides a comprehensive framework for meeting community expectations and legislative obligations when a data breach occurs.
The next edition of TRANSPARENT will discuss the benefits of privacy risk management, including:
- general privacy risk management
- privacy management plan.