Privacy and registered training organisations – lessons from an OAIC privacy assessment

Slide 1

>> Brett: Hi, and thank you for joining us for today’s webinar about privacy and registered training organisations. My name is Brett Watson and I’m an assistant director at the Office of the Australian Information Commissioner, or OAIC.

I’m joined today by Kerry Hutchinson, who is the general manager of quality and compliance at Navitas. I’ll invite Kerry to describe her role and the work that Navitas does.

>> Kerry:  Good afternoon, Brett. Navitas is a public listed company, it has a global footprint. And we offer extensive range of educational services to around 80,000 students in 120 companies, in 31 countries, sorry about that.

>> Brett: Thanks, Kerry.

Slide 2

>> Brett:  Let’s have a look at the agenda for today’s webinar. We’ll start today with a brief overview of the OAIC, who we are, what we do, the legal framework for privacy in Australia, and the role of OAIC privacy assessments.

Next we’ll get into detail about the main topic for today, which was a privacy assessment that we conducted in 2017 with five RTOs. We’ll talk about the good privacy practices that we found and some areas of improvement that other organisations may be able to learn from.

Kerry will provide some insight on Navitas’s experience with the privacy assessment, and how Navitas has made some improvements in the time since.

Lastly, I’ll offer some brief privacy tips in a few key areas that arose from the privacy assessment. Then we’ll have some time to answer some of your questions.

Before we get started, I’d like to point out the interactive features of the webinar player if you’re watching live right now. Below me on the screen, next to the timeline, you’ll notice a speech bubble. That’s the ask button. If you’d like to pose a question or comment at any time during this webinar, just click on the speech bubble, fill out the form and click send. We’ll go through a selection of questions at the end of the speaking part of this webinar. I encourage you to provide your name and email address, along with your question or comment. That way if we don’t get to your question during the webinar, we can follow up with you afterwards.

We’ll do our best to answer all of your privacy questions. If you have any questions that are more relevant to unique student identifiers, please send them through, and we’ll refer them to our colleagues at the USI office. Whether you work for an RTO or any other organisation that handles personal information, we hope that you find today’s webinar helpful.

Slides 3 and 4

Let me begin with a brief overview of the OAIC. We are an independent Federal Government agency that regulates the laws relating to privacy and freedom of information. I’ll be talking today about our privacy functions. Ms Angelene Falk, who is pictured on the slide, is the acting Australian Information Commissioner and acting Privacy Commissioner.

We work with a number of external stakeholders to provide policy guidance, and to gain insights about the regulated community. These include other government departments, other regulators, and industry bodies. Some of our stakeholder relationships are based on memoranda of understanding that recognise a commitment to privacy between the OAIC and another entity. One of our MOU relationships is with the unique student identifiers office, and the work that I’m speaking about today is based on that relationship.

On that note, I’d like to give a brief plug to a couple of our other joint initiatives. There are a few editions of the Transparent Privacy Newsletter which we publish jointly with the USI office available for you to look through on the USI website. Also, the OAIC will be presenting on privacy issues with the USI office at the upcoming Velg National VET Conference in September in Adelaide.

As the privacy regulator, the OAIC works with organisations and agencies to ensure compliance with the Privacy Act. We have a range of regulatory powers. These include powers to promote privacy compliance, powers to handle complaints and conduct investigations, and powers to enforce compliance. Our preferred regulatory approach is to work with organisations and agencies to facilitate compliance with the Privacy Act. To use the analogy, we much prefer to use the carrot rather than the stick. We find that this is a much more effective way for agencies and businesses to understand their privacy obligations, and meet their privacy obligations under the Act.

Our website is oaic.gov.au, and the phone number on the slide is for our enquiries line, which is available during business hours to take privacy enquiries from anyone who would like to give us a call.

Slide 5

Before I start to talk more about the work that we do at the OAIC, I’ll provide a bit of background on the legal framework for privacy in Australia. It can be complicated, as there are multiple laws and regulations that can apply to an RTO, depending on where they’re based. The key point that I’d like you take away, though, is that the combined effect of the overlapping legislation, is that all RTOs are required by law, to collect, handle and protect personal information in a way that respects the privacy of individuals.

The OAIC is responsible for regulating entities that are covered by the Privacy Act 1988, which is Commonwealth legislation. The Privacy Act applies to most Commonwealth Government agencies, like the Tax Office or the Department of Human Services, and all private sector organisations that have an annual turnover of more than three million dollars, which may apply to some privately operated RTOs.

The Privacy Act also covers some other organisations that meet particular criteria, such as organisations that provide a health service.

The Privacy Act does not regulate State and Territory Government agencies. These agencies are regulated by privacy laws that apply in their respective states and territories. I’m not going to go through the laws that apply in each State and Territory today, because there are differences in each case, but I wanted to mention this, because if you are watching from a TAFE training school, or another State Government training authority, you should be aware that there may be jurisdiction-specific privacy laws that could apply to you instead of the Privacy Act.

The third layer that I’m going to mention in terms of the legal framework is the Student Identifiers Act. Regardless of whether you’re covered by the Commonwealth Privacy Act or State legislation, if your RTO handles student identifiers and associated personal information, you will be covered by provisions in the Student Identifiers Act. This legislation contains provisions about handling and protecting personal information and student identifiers, that are very similar to some of the privacy principles in the Privacy Act and the State legislation.

So all put together, while all RTOs aren’t technically bound by the same legislation, in practice all RTOs are effectively bound by the same general principles of good privacy practice that we’re going to talk about today.

Slide 6

Now I’ll provide a brief overview of our privacy assessments, which are also known as audits.

Assessments are a proactive regulatory measure, that aim to identify privacy risks, and make recommendations for improvement. This is in contrast to investigations, which are typically a reactive measure to identify the cause of a privacy breach that has already happened.

You may have heard of privacy impact assessments or PIAs which are a good tool to build privacy into the design of a project from the beginning. It may be more helpful to think about the privacy assessments I’m talking about today as audits, because that’s essentially what they are.

An OAIC privacy assessment, or audit, is designed to identify areas for improvement once a project is already up and running. Participating in an OAIC privacy assessment doesn’t mean that an entity has done anything wrong. What it does tend to mean, though, is that the entity handles personal information as a core part of their business, and that it’s in the interests of the community that an independent regulator provides some guidance and oversight to minimise privacy risks.

We conduct our assessments in a variety of ways. For this assessment, we used a self-assessment survey to gather the information that we need.

Slide 7 and 8

The objective of this assessment was to examine whether selected RTOs were handling USIs and associated personal information in accordance with the requirements of Australian Privacy Principle, or APP1, which is open and transparent management of personal information; and APP5, which is notification of the collection of personal information.

Practically, what this scope meant was that we examined whether the RTOs had a privacy policy, and that privacy policy was clearly expressed, up to date and available free of charge; whether the RTOs had appropriate means to notify individuals about how their personal information would be collected and handled; and had effective practices, procedures and systems to ensure that personal information is managed in an open and transparent manner.

Slide 9

So how did the assessment work?

We conducted the assessment with five RTOs nominated by the USI office, based on a number of considerations, including:

• the size of the organisation
• the annual turnover, noting the three million dollar annual turnover requirement
• whether or not the organisation was a private entity
• whether the RTO was likely to have a high number of international students
• and the educational sectors covered by the RTO.

Navitas was one of those RTOs, and was kind enough to accept our invitation to speak at the webinar today. The other RTOs will remain anonymous, which was what was agreed at the start of the assessment.

We conducted the assessment in November 2017, and when we did we asked the RTOs to do two things:

• first, send us a copy of their privacy policy and collection notice, which we reviewed and made suggestions for improvement where necessary
• and secondly, complete a web-based questionnaire that was designed to allow each RTO to self-report their level of maturity against an extensive list of criteria based on the OAIC’s privacy management framework.

We asked the RTOs 73 questions in total. The questions asked them to tell us about:

• how they embed privacy culture in their business
• how they manage privacy risks
• how they collect, handle and protect the personal information that they hold
• and how they respond to incidents like complaints or data breaches.

Slide 10

Most of the questions asked an RTO to grade themselves on a sliding scale about how mature their privacy practices are, from “yes, we do this”, to “no, we have nothing”, with stages in between to indicate where they may be implementing a process and it’s a work in progress.

As with any survey of this nature, it’s important to recognise that there are some limitations. A survey that relies on self-reporting may not generate completely accurate results and the OAIC took the survey responses on face value. Having said that, we found that the RTOs participated in the survey in an open and productive way, which led to some informative results. We will be publishing a de-identified summary report on our website that sets out all of the findings.

Overall, we found some practices that were working well across the RTOs we assessed, and some areas of improvement that appear consistently. I’ll talk about the good news first. But before I do that, I’ll invite Kerry to talk about Navitas’s experience in participating in the privacy assessment. And also, just a short reminder that if you’d like to ask any questions please use the speech bubble icon below me on your screen. Kerry.

Slide 11 and 12

>> Kerry:  Thanks, Brett.

Navitas participated in this survey in November last year, and it was at the same time as we were involved in two other major projects relating to privacy. It was undertaken by our RTO, the Nativas English Proprietary Limited Group, based here in Sydney. But really for us it came against a landscape where there was increased data security and privacy regulation. We were looking at our global policies and procedures as a result of the General Data Protection Regulation in Europe, and we were also looking at them in the context of the mandatory data breach reporting amendment.

We were also reviewing our information security environment, and our general IT architecture. As you can imagine, with some 80,000 students spread across the world, we collect an enormous amount of information and we have to make sure we manage that and importantly store it, and at the time we need to, dispose of it with security.

We also manage information that’s both personal to individual data subjects, and has commercial and confidence importance to the company. So it was a very complex landscape that the audit took place against.

Slide 13

For us we found the audit really, really helpful, the OAIC, that’s a hard one to say, isn’t it, is a key resource. We found it to be really, really important, because we’re dealing with issues around protecting privacy, data sovereignty, it’s a global phenomenon these days. And we now found we had a number of new regulators to meet and to deal with, and the OAIC was one of those. It gave us an opportunity to meet them and to work closely with them.

But importantly for a company like Navitas, it gave us an objective external perspective on our privacy management systems, processes and policies. We thought we were doing very well, but that’s because we were looking at it with an internal eye. It was really helpful to have the outside view, particularly of our privacy policy, and the procedures that supported that. And it also enabled us to recognise the need for us as a company to embed the privacy principles as part of our move to standardising what is good practice when it comes to managing privacy across our company.

Slide 14

It also raised and again highlighted for us that we had some really important things to do as a company, that we did have to improve and enhance the awareness that all of our staff had about the privacy principles. We discovered it was no good really just the leadership team knowing about them; it was really important that everyone in the company knows about them and understands them.

We also had to work out how we were going to operationalise those privacy principles, and ensure that everyone in our company takes responsibility for protecting the privacy of the information they are managing in their day-to-day jobs.

The other important initiative for us was to embed ‘privacy by design’ into our company culture. I think what we discovered was we were doing some things really well in managing privacy, but it was more by default than it was by good practice in terms of managing it by design. So, we’ve now taken the steps to embed that in our company culture.

We also really understood as a result of this audit, because we canvassed, as you can imagine, with some 70-plus questions, we had to ask a lot of staff for their input, and that meant that we then had to look at how we were going to standardise our training and make that a general part of all of the stuff that we did with our staff as they joined us, and on an annual basis.

We also have built in and decided to build in the real need for privacy impact assessments. Now we as a company have projects running all over the world, all of the time, and now as part of the standard format we have built in the PIA, and in some instances a DPIA, as standard practice. So, they can’t get the project approved until that’s taken place.

And as I said, when we were looking at staff training it wasn’t just about our administrative staff, it included our academic staff. We have many hundreds of academic staff, and they are also managing, handling and privy to information about their students that they needed to be aware of how to manage properly.

Slide 15 and 16

>> Brett:  Well, thanks very much for that, Kerry.

I’ll go into the results across-the-board from the audit now and a number of the results will touch on a number of matters that you mentioned there, Kerry, at Navitas.

First on the positive findings. All the RTOs reported that they had an internal policy or process governing the collection of personal information, and four out of five of the RTOs reported that they had policies and procedures to manage the disclosure of USIs and associated personal information to third parties or affiliates.

Keeping close control over the reasons why you would or perhaps wouldn’t collect personal information in the first place, and then what you’ll do with it once you have collected it, is crucial to handling personal information appropriately. So, these survey responses were a good result.

Four out of the five RTOs reported that they have policies and processes in place to ensure that the personal information they hold is accurate and up to date. Handling poor-quality information can have significant privacy impacts for individuals, particularly where that personal information could be linked to other data. So it was pleasing to see that most RTOs had processes in place to ensure the quality of personal information, which is a requirement under APP10.

All five RTOs reported that they had a process in place to manage requests from students to access or correct their personal information. This is a good indication that the RTOs we surveyed were handling personal information transparently, by allowing individuals to keep effective control over their own personal information.

Also, all five RTOs reported that they had a complaints policy and a complaints register. This is another good result that shows that the RTOs we surveyed are responsive to individuals when handling their personal information.

Slide 17

I’ll now talk about some of the consistent areas for improvement that we identified during the assessment.

The RTOs we surveyed performed well in a number of operational areas. When I say operational areas, I’m talking about systems and processes that are in the day to day running of a business, like collecting personal information or complaints handling.

We found that all of the RTOs we surveyed could improve if the same attention to privacy matters was escalated from the operational level, to the governance level, which was what Kerry was referring to earlier. What I’m talking about here with the governance level is the strategic management of privacy on an enterprise-wide basis at the senior levels of an organisation.

We asked the RTOs whether they had a privacy management plan, or a documented privacy management structure as a way to demonstrate oversight of privacy matters across the business. None of the five RTOs reported that they had implemented a privacy management plan, and one RTO had a documented privacy management structure.

Pleasingly, though, four out of five RTOs had a senior member of staff with overall accountability for privacy, and mechanisms for routinely reporting privacy matters to senior management. So it shouldn’t take too much additional effort to build on that structure and to simply document the organisation’s approach to managing privacy.

An organisation’s approach to privacy training is another key area that we often find is an accurate indicator of the strength of overall privacy governance. In this assessment,

• two out of the five RTOs reported that they conduct initial mandatory privacy training for all staff;
• two out of five of the RTOs reported that they conduct regular privacy refresher training for existing staff;
• and all RTOs reported that staff could refer to centrally available privacy resources for further information, such as on the intranet.

It’s good that RTOs were making privacy resources available to staff on an adhoc basis, but we would have liked to have seen that all staff, regardless of whether they’re temporary or permanent, are proactively trained on their privacy obligations. While it’s very well to tell staff that they’re expected to comply with the Privacy Act, we’d say that this isn’t a particularly reasonable expectation if staff are not made aware of what that means for their role, through education and training.

None of the five RTOs reported that they provide their collection notice in a language other than English. Or in an alternative format, like Braille or an Auslan video. APP1 doesn’t specify that you need to have a privacy policy available in multiple languages and formats, but it does say that the policy needs to be available in an appropriate form. One of the factors that is relevant to whether your policy is in an appropriate form or not is the needs of the audience who’ll be reading it. To use an example of an English language training school, we would assume that there is a good chance that many of the clients will not have English as their first language. You should therefore consider the demographics of your client base and think about whether your privacy policy is accessible to everyone in that group.

Slide 18

One out of the five RTOs we surveyed reported that they had a data breach response plan, or an equivalent document. We would have liked to have seen all RTOs with a data breach response plan. This assessment was conducted last year, before the introduction of the Notifiable Data Breaches Scheme in February this year. So I imagine that if the assessment were done today, the results would hopefully have been different. And I’ll come back to the NDB Scheme a bit later in the webinar.

We didn’t delve into the information security controls that each RTO was using in this assessment, as we were relying on the RTOs to self-report. We were pleased to see that four out of the five RTOs reported that they felt they had reasonable information security controls.

There were a couple of areas of improvement in the security space that were consistent across the survey results, however. Firstly, two out of the five RTOs reported conducting reviews of their information security policy in the last 18 months, and two out of five reported conducting reviews in the last three years. Given the rapid rate at which ICT vulnerabilities can arise and proliferate, we would have liked to have seen reviews of information security policies at more regular intervals, ideally at 12-month intervals, or even on an adhoc basis if an urgent change is required.

The second area was around access security and access controls. Three out of five RTOs reported that they monitor ordinary user access logs, and two out of five reported that they monitor administrative access logs. While external threats to IT networks rightly receive a lot of attention, organisations shouldn’t overlook the potential vulnerabilities from inside their organisation. The trusted insider who either acts with malicious intent or perhaps is simply careless about the way that they handle personal information and about information security, is a risk that all organisations need to manage, and monitoring access logs is a key way that organisations can do this.

I’ll talk more about some tips to manage ICT security risks and other tips for good privacy practice shortly, but first I’ll hand back over to Kerry, who can discuss Navitas’s lessons learned from the privacy assessment. Kerry.

Slide 19 and 20

>> Kerry:  Thanks again, Brett.

If we were to do that audit today, we would indeed have a different result. There’s no doubt about that. What has happened since the audit, and it has been part of our general data protection project and our breach reporting projects, is that privacy has now become fundamental to our company culture. It’s something people talk about and understand in a far more comprehensive manner than previously.

We’ve made a global commitment to embedding privacy by design across our operational activity. We’ve also worked to building in the APPs into terms and conditions of employment, so that when people join our company in Australia, they actually have to read the APPs, and they have to read the privacy policy, and they have to acknowledge that they’ve done so, and that they understand in reading them what that means for their role.

We’ve also decided as a company that, given the global move to greater scrutiny of the management of privacy, that we have adopted the GDPR across all of our operating regions, which has been quite an enormous undertaking for us. But we believe that it’s best to aim for the benchmark rather than working below it.

We also have taken from that audit that privacy management is not something that can work effectively in silos. It’s a global responsibility, it has to come out of the individual entities and be treated across our global footprint as a company initiative. And the other lesson for us, having a look at some of the penalties for getting it wrong, is that it is a way more costly business to get it wrong than it is for doing it correctly.

Slide 21

So, what are we doing now? And Brett mentioned this, that people need, or data subjects as the parlance is, need to be able to access their data quickly and easily. We’ve developed a very detailed and very user friendly Data Subject Access Request Procedure, and that’s already in operation across our UK and European operations, and we’ve used it recently in terms of New Zealand.

We’ve also established and tested our Data Breach Management procedure. We developed a triage approach, so we have our first responders who get in there and stop it. Then move to a task force which looks at how we manage it going forward, and if there’s a case where it’s a major breach — there are many pieces of personal information that have been impacted and we need to report this to the supervisory authority — then our crisis management team, which is a global team make that decision, and we go ahead and report.

We’ve also implemented a global privacy management platform, which is really important. For us, we felt that it was no good taking it piece by piece. We needed to do it globally.

We’ve also implemented compulsory training for staff who manage personal information in any form or part of their job. And we have posters up around all of our colleges, rather like reporting terrorism, I suppose, and I think some people see reporting privacy as a terrorist activity, but they do report it.

And importantly we have a detailed privacy framework, with policies, procedures all having been revitalised in line with the APPs and the GDPR requirements.

Slide 22

We’ve also as part of our governance of privacy established a global network of Data Protection Managers. I happen to wear that hat for Australasia, which picks up New Zealand, Singapore, and Indonesia, and a few other countries. We’ve got those in each region in which we operate, and they operate as a global community of practice. So we will meet on a regular basis to talk through what’s happening in our independent regions.

We’ve already implemented privacy by design workshops, and they are an ongoing part of what we’re doing.

We’ve already had our privacy notice translated into seven languages other than English, and there are at least three more on the scoping table at the moment.

We’ve revised our consent or our approach to consent - Brett mentioned that earlier - that people need to understand why we’re gathering their information, and what we’re going to do with it. So we’ve come up with quite a detailed approach to consent.

We have also revised how we will manage complaints and make that a far more user friendly exercise. And making it easy for people to access their personal information.

And as I mentioned earlier, the PIA and DPIA process are now a formal part of any new project, or indeed general initiative, that has to be designed and developed, and if that’s not undertaken, the project is unlikely to get off the ground.

Slide 23

>> Brett:  Well, thanks very much for that, Kerry, and I think the initiative of implementing PIAs as sort of a stage-gate for a project is a really positive one. I think that will really set up projects to be privacy protective so I think that’s a really good initiative.

I’ll continue now and I’ll go through some brief tips for good privacy practice in four of the key areas that we highlighted in the results of the RTO survey, which are privacy governance, training, data breach response and information security.

Slide 24

First, privacy governance. The assessment results indicated that privacy was being handled reasonably well at an operational level, and there was some visibility of privacy at the senior levels of the business. Like any governance issue, it’s important that senior management are informed about privacy issues, because this will build a privacy culture in your organisation that proactively identifies and addresses privacy risks.

There isn’t any formula as to how an organisation can to this. We’ve seen a variety of approaches at different organisations in other assessments, and it generally comes down to the size of an organisation as the key factor of whether there are specially appointed privacy officers in the executive team, or the executives manage privacy as part of a broader role.

I mentioned earlier that one of the results from the survey was that most RTOs were not documenting their approach to privacy governance. One way that organisations can do this is to create a privacy management plan, or a PMP. A PMP is different to a privacy impact assessment, or a PIA, which Kerry has mentioned. While PIAs are effective at managing privacy risks on a project by project basis, a more holistic approach to privacy is necessary to manage privacy risks across an organisation.

Slide 25

A PMP is a document that identifies specific measurable goals and targets for your organisation to meet in complying with your obligations under APP1. Risks that are identified through project specific PIAs can feed into an organisation’s PMP, particularly where similar risks are identified across multiple projects. An effective PMP will set out the timeframes for addressing any identified privacy risks and will be refreshed at least annually.

The OAIC privacy management framework on our website is a key resource that sets out the matters that an organisation can consider for effective privacy governance., and it also has a template PMP which is available for download and use.

Slide 26

Next, privacy training. Staff training plays a vital role in managing and minimising privacy risks in any organisation that handles personal information. All staff that handle personal information should undergo privacy training, including new starters, contractors and temporary staff.

It’s probably impossible to completely eradicate the potential for human error in your organisation, but privacy training will help to manage the risk. Things like

• sending an email containing personal information to the wrong person;
• leaving documents in places where they can be accessed without authorisation, like leaving a laptop on the train or on the bus;
• or publishing information or data sets online, when they haven’t been properly de-identified

can all carry significant privacy risks and are more common than you might think.

In the first quarter of the Notifiable Data Breaches Scheme, 51% of the notifications the OAIC received were reportedly the result of human error. While it can be easy to set and forget with privacy training, you should also consider that adhoc privacy training may be necessary if circumstances change. For example, if a staff member changes roles, and the new role involves handling large volumes of personal information or sensitive information, they should be provided with privacy training that aligns with their new responsibilities.

We have a number of training resources on our website that you can use to develop privacy training that is tailored your organisation’s systems and processes.

Slide 27

Next, data breach response. Most of the RTOs we surveyed lacked a plan to respond to a data breach. Data breach responses come into sharp focus of organisations this year, since the commencement of the Notifiable Data Breaches Scheme in February. We released our second quarterly report under the NDB Scheme last week in which the education sector was the fourth most common sector for entities which reported data breaches, with 19 in total.

Under the scheme, you may need to report data breaches to the OAIC and to affected individuals. The main criteria for notification is whether the data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. We have published guidelines on our website that will help you identify when you might be dealing with a breach of this kind. These guidelines include what sort of data breaches you need to report, how to assess a suspected data breach, and how to manage data breaches both for yourself and your customers. You must take all reasonable steps to complete the assessment of a possible data breach within 30 calendar days after you become aware that a breach may have occurred.

The law doesn’t specify how these assessments should take place. However, we suggest that there is a four-step process.

• Step one: contain the breach and prevent any further compromise of personal information.
• Step two: assess the data breach by gathering the facts and evaluating the risks, including the potential harm to affected individuals, and if possible take any steps to remediate the risk of further harm.
• Step three: notify individuals and the OAIC, noting that if the breach is an eligible data breach under the scheme it may be mandatory for you to notify us and individuals.
• And step four: review the incident and consider what actions can be taken to prevent future breaches.

If you’ve identified an eligible data breach, we have developed an electronic form which guides you on the information that we need to assess and respond to the data breach. Once submitted we’ll get in touch if we need further information from you. We also have a guide on notifying individuals of an eligible data breach, which is available on our website.

Returning to the key area of improvement in the RTO survey, there is also guidance on our website for developing a data breach response plan. Without a clear plan, it can be difficult to respond to, to coordinate an effective response to a data breach in a short timeframe. If your organisation already has a data breach response plan, that’s great. You should test it periodically to make sure it does what it needs to do.

Slide 28

Lastly, I’ll offer some tips on personal information security.

Privacy law requires you to take reasonable steps to protect the personal information that you hold. What is reasonable will depend on the circumstances of your organisation. One of the main circumstances of the nature of the organisation, including the size, resources, the complexity of the operations, and the business model. What is reasonable for a major organisation like Coles and Woollies, may not be reasonable for smaller organisations.

However, this is not to say that smaller organisations are excused from taking steps to protect their personal information altogether. You’re not excused from implementing a measure that may be inconvenient, time-consuming in some way or impose some cost.

Personal information security is more than just ensuring compliance with the requirements of the Privacy Act. If you mishandle personal information of your customers, they could face significant consequences, like financial loss. In turn, it could also lead to a loss of trust in your business and your reputation in the market.

The OAIC’s Guide to securing personal information goes into detail in what an organisation can do when designing its information handling practices. I won’t go into detail in all of the steps covered in the guide here, but I encourage you to take a look through the guide if you have particular information security matters or concerns that you would like to look in to.

Within the guide we discussed the concept of the information life cycle, which is pictured on the slide. This is one way that organisation can think about handling personal information security through the lifecycle that personal information has in an organisation. The lifecycle goes as follows.

• Initially, consider whether you need to collect personal information in the first place and what types of personal information you will collect.
• Secondly, privacy by design. This means considering personal information security when designing or updating your systems and processes.
• Next, assess any risks associated with handling the personal information you collect.
• Next, take appropriate steps and put into place strategies to protect the personal information that you’ve collected.
• And lastly, destroy or de-identify personal information when you no longer need it.

All of the steps are important, but I’d like to take a moment to highlight that last step, which is destroying or de-identifying personal information when you no longer need it. Aside from being good practice, it’s also a legal requirement under APP11, and the Student Identifiers Act. Organisations that keep more personal information than they need, increase their exposure to risk. Sometimes this can happen because organisations lose track of the personal information they hold. Or sometimes we find that organisations are holding on to their personal information for a rainy day, or just in case it becomes handy in the future in some way. This isn’t good practice. We would say that you should have a good understanding of the personal information that you hold in your organisations and if you can’t articulate a reason why you need to keep it, get rid of it securely.

In addition to our guidance, the Australian Computer Emergency Response Team, or CERT Australia has published some reference material that you may find helpful. The resources available for individuals and small businesses include the Stay Smart Online Small Business Guide, which summarises common online threats, and what organisations can do to counter them.

Slide 29

Well that brings us to the end of the speaking part of today’s webinar. So I’ve got my colleague standing by, my colleague Karen standing by behind the camera, to ask a few questions that we may have received today. Karen.

>> Karen:  Thanks to Kerry and Brett, that was all very informative. Unfortunately we’ve been experiencing some technical difficulties so we haven’t been able to receive your questions live. I do have some questions here that may help those of you watching at home. However, once you’ve all caught up on the webinar, which will be published on the OAIC website, please do contact our enquiries line, or email, and we’ll endeavour to answer your questions. So, first question for either Kerry or Brett. How often should RTOs be updating their privacy policies?

>> Kerry:  If I can answer that one from our perspective, we have a controlled document management system going into operation, which has been part of this process we’ve been going through with updating all of our policies and processes. And there will be policy owners, and they will have to update according to the schedule. Now, in terms of the privacy policy, that sits within my bailiwick, and I will be reviewing that on an annual basis. And or as Brett said previously, should something happen in regulatory environment we’re operating in, it will be revisited, and then staff will be bought up to date on that change, and trained if it impacts their day-to-day jobs.

>> Brett:  Yes, look, I’d agree with that, Kerry. I think we’d say that annual reviews are good practice of the privacy policy, but as you say, on an adhoc basis if there’s a significant change, you know like the NDB Scheme or the GDPR, that can come midway through a review interval, so it’s important to jump on things like that when they happen. We would say that annually is good practice.

>> Karen:  Great, thank you. And on a similar note, when should a PIA be done? And perhaps for you Kerry, do you have any advice for RTOs on conducting a PIA?

>> Kerry:  They should be done at the very beginning of setting a project proposal in place. The reason that we’ve put it at the very beginning of the process is that we want people to understand that a project, large or small, has consequences for people across the organisation, and particularly where information relating to individuals is concerned, how they’re going to manage that, and what risks that may pose to our existing systems. Because it can impact the resources we may need to put in place with respect to making sure that the risk assessment is an appropriate level, so that the risk isn’t overwhelming and the project fails as a consequence. So we’ve put it at the very beginning, we’ve formulated a fairly straightforward, but albeit comprehensive questionnaire that people have to fill in, the project owner has to fill in, and then it goes to the Data Protection Manager, who in this instance would be me. And I will work through that with them, to make sure that it meets the concerns I would have, from a privacy perspective, and the implications it might have for how the project will be implemented, and if I’m comfortable and tick it off, the project then moves on to the next stage of approval.

>> Brett:  I’d agree with that, Kerry. I think doing a PIA at the initial stages of a project is important because you can’t really build privacy in at the start, unless you’re doing it at the beginning. One point that I’d make in addition to that, is that something that we say in our guidance a lot, is to treat the PIA as a living document. So, yes, it’s important to do it at the initial stage, but if there’s a material change to the project as you’re going through, then we would encourage people to revisit the PIA to see if there’s been a change in the way that privacy is impacted by the project, and then you can implement controls accordingly.

>> Karen:  Definitely, thank you, and on top of that guidance that Brett mentioned, we also have some really great eLearning materials on the OAIC website for agencies and organisations undertaking a PIA perhaps for the first time. So another question, I’ll go a bit more general. What advice would you both have for agencies in going about building a good privacy culture, and implementing good privacy practices?

>> Kerry:  Oh goodness. In a company like ours, which is enormous in terms of its global footprint, that’s quite an issue. What we’ve done though, is taken some quite, I suppose draconian steps, and we’ve made training compulsory. And it’s going to be, as I said, in the presentation, it’s going to be part of coming to work for Navitas. So that people who, particularly in our areas like HR, finance, IT, who do handle enormous amounts of personal information, actually understand that part of their job is protecting that information. So we will be building that in as standard operating procedure. It means you have to really engage people. We did with the help of our corporate affairs team in Navitas, some really good PR work across the group, particularly in Australia. We used lots of posters, and opportunities for question and answer sessions through Zoom conferences, so that people who were going to be impacted by our requirements understood why, and how it impacted their jobs. And we’re building some handbooks for particular roles, so an admissions person in a college will have some ready to go to helpful hints about how they do that. But it only works if you can bring the troops along with you. That takes a lot of ongoing effort, and being available to answer what even may appear to be the silliest question, but giving it credibility, dealing with it and reassuring people that what they’re doing isn’t wrong, we just all need to do it appropriately and together.

>> Brett:  Look, I agree I think there’s a few key points that I mentioned, this is perhaps paraphrasing parts of what you’re saying, Kerry, is visibility is crucial, and I know a lot of that comes down to training and education, so making people aware of what their privacy obligations are as part of their work. On the question of organisational culture and how to embed a privacy culture in an organisation, I’d suggest that it starts at the top. It starts at those senior levels, and then it should feed down throughout the organisation from there, so coming back to the governance points that I was making earlier in the presentation, if privacy is really understood as a matter that’s openly discussed and full consideration at the senior levels of a business, and the senior leaders lead from the front on privacy, then I’d imagine that it would effectively infiltrate throughout an organisation, so with that also comes resourcing. Just affording privacy some resourcing, whether that’s the time for executives, or developing some training materials, there is a resourcing imperative that comes with it, so that shouldn’t be ignored also.

>> Karen:  Great, thank you. I know that was quite a big question, so thanks for that. I’ll go a bit more specific now. Could you talk a little bit about what would be considered serious harm, as under the Data Breach Notifications Scheme?

>> Kerry:  What we deal with, which is a lot of students, and they’re doing a variety of courses in a number of countries around the world, and we collect enormous amounts of information from them, from their name and their address, which is quite straight forward, but we do collect what is classified as sensitive information, and if that information was to be breached in any way whatsoever, we could cause serious harm to them, through for example, someone could steal their identity — we were dealing with some instances recently of curriculum vitae and it seems to us that people need to be very careful when they write a CV, because information they put in there is a blueprint for someone to assume their identity. And we will actually build that into our courses, because we do help students write CVs. But really importantly, the serious harm comes to people who will find their privacy through their bank details being leaked. It will comes through any medical information being leaked. It will come through even their home address being leaked, because we all like to think that when we go home we’re safe and secure, and if someone we don’t want to know our address gets that, or uses that for building a credit reputation that they don’t actually have, then that’s a serious harm incident from our perspective. We are very cognizant of the fact that there are two categories of personal information: there’s the general and the sensitive. But what we’re trying to do is overlay our systems with the notion that it’s all sensitive, and that staff should treat every piece of information they received as if it was their own. And ask themselves the question, “Would they like that information being out there without their permission?” And if the answer’s no, then they should act accordingly. But it’s the information that will infringe their rights as an individual or that will cause them serious personal harm or embarrassment.

>> Brett:  For anyone interested in forming that calculation of what is serious harm, I agree with the impacts that Kerry is talking about. If the eligible data breach involves things that are in the category of what’s defined in the Privacy Act as sensitive information - so sexual history, or sexual preference, religious beliefs, political affiliations, genetic or biometric information, medical information, things like that - then I’d say there’s an increased likelihood that the data breach will result in serious harm. It’s not a formulaic thing, it’s not a A + B = C = serious data breach. I would encourage people to look at the guidance on the OAIC’s website that sets out a number of matters that will help you decide whether the circumstances surrounding a particular breach may be serious, or not. So you consider things like how many individuals are caught up in the breach, are we talking about five or 500? What steps can we take after we become aware that the breach has happened, to potentially prevent that the information getting out, was the laptop left on a train with no password protection? Or was the laptop left on a train with an encrypted hard disc that no-one should be able to get into? Things like that, that will help you decide the seriousness of the breach. And then that in turn will help you work out whether to notify us. But if you’re in doubt, call our enquiries line, they’re there to help.

>> Karen:  Thanks very much, and I think that was a really good point, Kerry, about always assuming that it is always sensitive information because you don’t always know what impact that could have on in individual. So thanks very much and apologies again to those watching at home at a later time. As mentioned, please feel free to send in your questions, and we’ll endeavour to respond with some more specific advice. Thanks again.

>> Kerry:  Can I just say one more thing. I deal in my role with regulators and their websites globally, and I must say, and it’s not just because I’m here today, and I wasn’t paid, I must say, but importantly what happens with the OAIC site, is it’s probably the most user friendly I’ve used. And some of the tips and diagrams, and I must say I have plagiarised it mercilessly, in preparing our own documentation, because it’s very informative, and it has got what to do and how, and the examples that are given are actually very relatable, particularly to my industry, anyway. So for anyone watching who hasn’t gone and had a good look around that website, they’re missing a trick in managing privacy.

>> Brett:  Thanks for that feedback, Karen. I mean, obviously we try to design it to be as user friendly as possible and it is there to be plagiarised. So please do if it can assist.

Look that brings us to the end for today. Thank you very much for joining us. The presentation will be made available shortly after we end today’s webinar. And you can watch on demand by clicking on the same link that brought you to the live programme. If you’d like to share this presentation with your colleagues, simply click on the envelope icon, which is below me on the screen. And you can forward the presentation via an email link.

As Karen mentioned, if you asked a question today that might come through later, and we didn’t cover it in today’s presentation, and you included your email address, we’ll endeavour to respond to you as soon as possible. And please remember that you can also contact us via our enquiries line and the number was on the slide from earlier. Thanks again for watching.