Australian Government - Office of the Australian Information Commissioner

Handling of personal information — Student Identifiers Office

Assessment undertaken: August 2016
Draft report issued: October 2016
Final report issued: January 2017

Part 1: Introduction and summary of findings

Introduction

1.1 This report outlines the findings of an assessment by the Office of the Australian Information Commissioner (OAIC) of the Student Identifiers (SI) Office.

1.2 The purpose of this assessment was to determine whether the SI Office is:

  • managing personal information in an open and transparent manner as required by Australian Privacy Principle 1 (APP 1)
  • notifying individuals of the collection of personal information in accordance with its APP 5 obligations.

1.3 The OAIC has made four recommendations. If these are put in place by the SI Office they will, in the opinion of the OAIC, minimise the risks identified around the management of personal information. These are discussed in Part 4 of the report.

Background

SI Registrar

1.4 The SI Registrar is a statutory officer responsible for administering the Unique Student Identifiers (USI) initiative nationally. The Department of Education and Training provides resources, including staff, to support the Registrar. The USI is a unique ten-digit number assigned to students undertaking nationally recognised vocational education and training.

1.5 The SI Registrar’s operations are governed by the Student Identifier Act 2014 (the SI Act) and the Privacy Act 1988 (the Privacy Act).

Unique student identifiers

1.6 The purpose of the USI is to:

  • create a secure, online record of all nationally recognised training and qualifications issued by any Registered Training Organisation (RTO) in Australia
  • give students online access to training records and transcripts (this function is expected to be available from December 2016).

1.7 Applicants may either register for a USI directly via the USI website, or through their nominated RTO. Applicants are required to provide one nominated form of identification on registration. This form of identification is generally verified using the Australian government’s digital verification service (DVS) to determine authenticity.[1] The SI Registrar is the authorised assignor of USIs under the SI Act.

1.8 This is the first assessment conducted by the OAIC under the Memorandum of Understanding established between the Student Identifiers Office and the OAIC on 23 December 2015.

1.9 The OAIC is the dedicated privacy regulator under the SI Act. In this role, the OAIC has oversight of the handling of SI information. This assessment is part of providing this oversight.

Summary of findings

1.10 The findings of the OAIC’s assessment show that the SI Office has a strong, privacy aware culture and good privacy training and management structures in place.

1.11 However, our findings also raise a number of privacy issues and we have made four recommendations that are set out in this report in Part 4. In summary they recommend that the SI Office:

  • review and update its policies
  • enhance its handling of external reviews
  • move its collection of personal information notice to the collection page on its website
  • enhance its monitoring of user access controls.

Part 2: Description of assessment

Objective and scope of the assessment

2.1 The objective of the assessment was to assess whether the handling of personal information by the SI Office is in accordance with the Australian Privacy Principles (APPs) found in the Privacy Act and the SI Act.

2.2 The scope of this assessment was limited to the consideration of the SI Office’s handling of USIs and associated identifying information under APP 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information). Specifically, the assessment examined whether:

  • the policies and procedures of the SI Office were reasonable in the circumstances to ensure that USIs and associated identifying information are handled in an open and transparent manner (APP 1); and
  • the SI Office provides reasonable and complete notifications when collecting SI information (APP 5).

Timing, location and methodology

2.3 The OAIC asked the SI Office to provide copies of relevant policies and procedures for review (see information request in Appendix A). The assessors then conducted the fieldwork component of the assessment, which included interviewing key members of staff and reviewing further documentation, at the SI Office in Canberra from 2 to 3 August 2016.

Assessment technique

2.4 The assessment of the SI Office was risk based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

Privacy risks

2.5 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to the SI Office about how to address those risks.

2.6 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments — privacy risk guidance’. Further detail on this approach is provided in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Part 3: General overview

3.1 The SI Office appears to have a strong privacy culture. Based on the OAIC’s review of documents and interviews with the SI Office staff, there appears to be a general awareness of privacy and security issues and a strong general understanding of the importance of appropriate information handling practices. This culture reflects the SI Office’s core business: the collection of personal information for the purposes of assigning student identifiers.

3.2 The SI Office takes a dynamic approach to privacy and appears to be open to changing its practices in order to facilitate best privacy practice. One such example is the recent development of the compliance section of the Engagement, Policy and Integrity Team.

3.3 The SI Office has implemented a detailed staff training program for contact centre staff, who directly handle personal information. All new SI Office staff are required to undertake privacy training upon commencing employment.

3.4 Contact centre staff performance is regularly assessed against a comprehensive quality assurance framework. Staff are provided with numerous policy resources and are encouraged to raise matters with floor supervisors if necessary. Furthermore, refresher training is available where needed.

3.5 From its assessment, the OAIC considers that the SI Office has an effective, although not clearly documented, governance structure which appears to facilitate information security awareness and compliance. The OAIC understands that generally, floor supervisors and the directors of the Business Services Branch are responsible for managing client interaction issues. Where there is a formal privacy complaint or issue, this is referred to the Engagement, Policy and Integrity Team for action.

3.6 The Director of the Engagement, Policy and Integrity team receives weekly privacy briefings from the other SI Office teams and in turn briefs the SI Registrar on these matters where necessary. The Director of the Engagement, Policy and Integrity team is the nominated SI Registrar’s Privacy Officer, although this is not currently documented.

3.7 The SI Registrar has a detailed privacy policy which explains how it will manage personal information. The policy, apart from one issue, complies with the requirements of APP 1. The policy appears to require a high education level to easily read and understand. This is discussed in Part 4 of this report. A separate report on our assessment of this policy is annexed to this document.

3.8 The USI collection notice is clear and plainly explains what the personal information collected will be used for. However, the notice is difficult to locate and thus may not be entirely effective. This is discussed in Part 4 of this report.

Part 4: Areas for Improvement

4.1 The OAIC’s assessment of the SI Office has raised some privacy issues. Our findings are set out below under the following headings:

  • Internal practices, procedures and systems
  • Monitoring user access.

4.2 For each issue, we have outlined a summary of the OAIC’s observations, the privacy risks arising from these observations, followed by recommendations to address those risks.

Internal practices, procedures and systems

Internal Policies

Observations

4.3 From the documentation provided, it appears that the SI Registrar has good privacy policy coverage spanning a range of areas. This coverage includes data management and data quality, client confidentiality, data security and the collection of personal information. Furthermore, the SI Registrar has a strong privacy culture, which is reinforced in both written policies and staff training.

4.4 From our interviews, it appears that staff are provided with readily available privacy resources, such as the ‘Usipedia’ program and the staff ‘frequently asked questions’ (FAQs) guide, and are encouraged to consult floor supervisors when necessary.

4.5 SI Office staff are also encouraged to raise privacy matters during weekly team meetings. Furthermore, we are informed that the FAQ guide is regularly updated to include queries raised during these meetings. The majority of these resources did not appear to be documented in the SI Registrar’s policy documents.

Privacy risks

4.6 While the SI Office has demonstrated good policy coverage with respect to the topics covered by its policies, the OAIC found that the policies were considerably dated and due for review. Additionally, several policies refer to staff who no longer work in the SI Office.

4.7 The SI Office has no policy register or other guidance document which clearly details the SI Office’s policies, their date of issue, ownership and when they are due for review. The OAIC notes that the SI Office currently has a draft data breach response plan pending approval.

4.8 The SI Office appears to rely on key staff to handle matters relating to changes in policies and practices within their business area. There is very little documented information about these matters. When those staff members move on from the SI Office, new staff are often unaware or uncertain of the status and progress of these matters and are unable to action them. For example, due to recent staff changes, there are currently a number of questions surrounding changes and practices in the ICT branch such as the update of the risk plan, disaster recovery plan and risk register.

4.9 There are also a number of policy gaps created during machinery of government changes which have not yet been addressed, particularly in the areas of risk management, reporting and policy management. From the interviews, we understand that the SI Office is in the process of adopting a number of new policies to address these issues. The OAIC was unable to understand the full extent of these gaps at the time of the assessment due to staff movements.

4.10 The privacy governance structure is only referred to in general terms in the policy documents provided and is not explicitly documented. Additionally, the recent change to the Engagement, Policy and Integrity Team to facilitate both privacy policy and compliance functions, with designated compliance officers, is not reflected in SI policies.

4.11 There is a medium risk that the policies currently in place are no longer relevant or effective. A number of policies are approximately two to three years old and refer to staff who no longer work in the SI Office. There is no policy register setting out what policies exist and when those policies are due for review.

Recommendation 1 — Review and update policies

4.12 The OAIC recommends that the SI Office:

  • review and update its policies and procedures that relate to privacy and security and document all reviews and changes
  • create a registry of its policies and procedures.

Privacy policy

Observations

4.13 The SI Office Privacy Policy is readily available on the USI website and clearly explains how the SI Office handles the personal information it gathers.

4.14 There is an issue regarding the readability of the policy, which assessors tested using the Flesch-Kincaid Reading Ease test as found at www.read-able.com. This test analyses text, and provides an estimated education grade and reading age required by readers to easily understand the text. The SI Office privacy policy, whilst accurate and informative, has an estimated reading age of approximately 22-23 years. A detailed report on the privacy policy is set out at Annexure B.

Privacy risks

4.15 Noting that students from the age of 14 may apply for a USI, there is a medium risk that younger readers and people with a lower education grade may have difficulty reading or fail to understand the privacy policy.

Recommendation 1 (continued) — Review privacy policy

4.16 The OAIC recommends that the SI Office review its privacy policy in order to make it more comprehensible to younger readers and people with a lower education grade.

Risk assessments

Observations

4.17 The SI Office has a comprehensive risk matrix detailing specific risks to student identifier data and associated personal information and the measures which have been taken in order to address them. However, in the paper format provided to the OAIC, the risks are not rated in order of seriousness, nor is it clear who is responsible for addressing each risk.

4.18 From our interviews, we have learned that the interactive version of this document provides risk ratings and further details, which are not evident in the paper based form. The risk matrix is not reviewed regularly; however, we note that its format is currently under review.

4.19 The SI Office has undertaken three privacy impact assessments and two security reviews in the past. There was no documentation relating to responses to the PIA recommendations. There was one document for each of the two security reviews setting out the status of the responses to some (but not all) of the review recommendations. However, the status documents had not been updated since 2014. Understanding the current status of the implementation of these responses relied on the memory of long-standing staff members.

4.20 The most recent PIA was undertaken in 2013 and the most recent security review was undertaken in 2014. The OAIC considers that a new PIA could prove beneficial to the SI Office, in particular to take account of the proposed launch of the SI Office transcript function.

Privacy risks

4.21 Currently, the SI Office relies on senior staff to keep track of the organisation’s responses to recommendations made by various external reviews. No up-to-date written record of the status of the implementation of the recommendations was kept. Should those staff leave, there is no system in place to determine the status of the actions being taken. There is a medium risk that this could lead to a failure to address identified risks.

Recommendation 2 — Enhance its handling of external reviews

4.22 The OAIC recommends that the SI Office:

  • document its responses to security and privacy reviews, and the status of each response at regular intervals
  • ensure that responses to security and privacy reviews are effectively communicated to relevant staff
  • consider undertaking a new PIA to anticipate the launch of the transcripts function.

APP 5 collection notice

Observations

4.23 In the case of direct registration, the SI Office collection notice is located in the terms and conditions page of the USI website. In order to access the notice, applicants must click on the terms and conditions link on the sign-up page, and then scroll through various sections to find the relevant information. It is also noted that the terms and conditions are not presented in a way that requires students to read them before indicating their agreement with the terms and conditions, which is required to complete sign-up. Where a student applies for a USI through an RTO, the RTO is required to provide them with the SI Office collection notice on registration.

4.24 The SI Office collection notice is comprehensive and appropriate, and clearly explains what kind of information will be collected and how it will be used. However, the notice is difficult to locate and may not be entirely effective.

Privacy risks

4.25 There is a medium risk that USI applicants will not see or read the collection notice before providing their personal information, as it is currently very difficult to locate.

Recommendation 3 — Move collection of personal information notice to the collection page

4.26 The OAIC recommends that SI Office move its collection notice to a prominent location likely to be seen by USI applicants, preferably to the collection page.

Monitoring user access

Observations

4.27 The SI Registry system (IT system) exists in order to create and manage USIs and their associated information. Thus, there are varying levels of staff access to the system within the office to undertake this function. From our interviews, we understand that the SI Office has strict user access control provisions in place. However, there is no written user access policy which explains the various access levels assigned to staff profiles, how often the access profiles are reviewed and the criteria upon which access is assigned. The OAIC notes, however, the existence of a user control matrix, which details the various access levels and their permitted functions.

4.28 The data management framework indicates that regular reports on user access and use are to be run by the SI Office. The OAIC notes from the interviews that the SI Registry system has some capability to run these reports; however, these are not used as often as they might be because the software package is cumbersome and difficult to use.

4.29 The software does not currently have the capability to run automated audits and does not permit real-time or prospective auditing. As a result, the audits are run on an ad-hoc basis. It further appears from the interviews that only one member of staff has the capability to use the software to run a report effectively.

Privacy risks

4.30 The lack of a written user access policy and the potential limitations of its audit log reporting pose a medium risk of user access abuse. Due to the ad hoc nature of the current reporting system, the SI Office may not identify any access abuse until it is aware of a specific incident.

Recommendation 4 — Enhance monitoring, access controls and reporting

4.31 The OAIC recommends that the SI Office:

  • develop and implement, as soon as practicable:
    • a written user access policy capable of being audited against
    • a set plan for monitoring access controls
    • a more effective reporting system
  • consider whether it can implement a proactive audit process.

Part 5: Recommendations and SI Office’s responses

Summary of recommendations

5.1 The OAIC made the following recommendations to address the issues discussed in Part 4 of this report.

Recommendation 1 — Review and update policies

5.2 The OAIC recommends that the SI Office:

  • review and update its policies and procedures that relate to privacy and security and document all reviews and changes.
  • create a registry of its policies and procedures.
  • review its privacy policy in order to make it more comprehensible to younger readers and people with a lower education grade.

Assessee response

The Student Identifiers Registrar accepts recommendation 1 — Review and update policies

The Student Identifiers Registrar has:

  • Created a register of policies and procedures to provide an authoritative source for all policy documents that support the delivery of services under the Student Identifiers Act 2014;
  • Developed a review schedule and commenced a review of all relevant policies used to support the delivery of services under the Student Identifiers Act 2014; and,
  • Noted a review of the Student Identifiers Privacy Policy is under way, taking account of the needs of younger readers, readers who might have English as a second language, and readers who have poor literacy skills. The review of the policy is expected to be completed by January 2017.

Recommendation 2 — Enhance its handling of external reviews

5.3 The OAIC recommends that the SI Office:

  • document its responses to security and privacy reviews, and the status of each response at regular intervals
  • ensure that responses to security and privacy reviews are effectively communicated to relevant staff
  • consider undertaking a new PIA to anticipate the launch of the transcripts function.

Assessee response

The Student Identifiers Registrar accepts Recommendation 2 — Enhance its handling of external reviews.

Responses to security and privacy reviews and response status will be documented in the Policy Library and noted in the Policy Register. Action is being taken to codify the outcomes of past reviews and their outcomes.

Responses to security and privacy reviews will be communicated to relevant staff through the regular meetings between the Registrar and his executive team, and where appropriate relayed by the Registrar in the regular all-staff meeting. In addition, the actions specified in the response will be incorporated into relevant training and procedural resources and refresher training will be conducted to ensure that staff understand the new material and associated procedures.

Where responses require specific action(s) be undertaken by a particular team, the responsible team will report to the Registrar the status of the action and update the Policy Register to reflect the implementation status of the action/recommendation.

The Student Identifiers Registrar has initiated the conduct of a new PIA with a focus on changes made since the most recent PIA in the lead up to the launch of the Transcript Service.

Recommendation 3 — Move collection of personal information notice to the collection page

5.4 The OAIC recommends that SI Registrar move the collection notice to a prominent location likely to be seen by USI applicants, preferably to the collection page.

Assessee response

The Student Identifiers Registrar accepts Recommendation 3 — Move collection of personal information notice to the collection page.

The collection of personal information notice is being moved to two locations to ensure that it is in a more prominent location than its previous position to increase its visibility to individuals who seek a USI.

The collection of personal information notice has been moved to a more prominent position on the USI website — see: www.usi.gov.au/students. Moving the notice to the collection page of the Student Identifiers Registry system will require changes to the system. This change is identified as a priority in the Student Identifiers IT Forward Work program. It is anticipated this change will be actioned by June 2017.

Recommendation 4 — Enhance monitoring, access controls and reporting

5.5 The OAIC recommends that the SI Office:

  • Develop and implement, as soon as practicable:
    • a written user access policy capable of being audited against
    • a set plan for monitoring access controls
    • a more effective reporting system
  • consider whether it can implement any proactive audit process

Assessee response

The Student Identifiers Registrar accepts Recommendation 4 — Enhance monitoring, access controls and reporting.

Noting the points raised in this assessment report, the Student Identifiers Registrar has:

  • Drafted a written user access policy capable of being audited against. This draft policy reflects existing controls specified in the Student Identifiers Registry System control matrix.
    • Upon approval of the policy it will be registered in the Student Identifiers Policy Register and placed electronically in the Student Identifiers Policy Library
  • Drafted a set plan for monitoring access controls, noting that this plan may be reviewed more often than its schedule depending upon external influences such as technological change and Government policy changes
  • Drafted a plan that outlines a new reporting regime which will see the development of a mechanism to facilitate the Engagement, Policy and Integrity Team to:
    • Run regular reports that monitor access and use of the Student Identifiers Registry system
    • Conduct regular audits of access to individual USIs selected on a random basis

Any future development of the Student Identifiers Registry system will consider the requirement to strengthen reporting capability as a priority.

Appendix A — Information request for assessment

  • The USI Registrar’s current privacy policy
  • Details of key areas and staff with responsibility for privacy management and governance
  • Privacy notices provided to individuals (online, phone script, paper forms etc.)
  • Any policies and procedures for handling privacy complaints and enquiries (such as a complaints management policy)
  • Details of processes that allow individuals to promptly and easily access and correct their personal information
  • The USI Registrar’s data breach response plan
  • Copies of staff instructions/memorandums addressing legal and privacy obligations, including any material relevant to staff training around privacy obligations
  • Policies and procedures that address the handling of USIs and associated information (for example, relevant information security policies and procedures, policies on maintaining data quality)
  • Details of any risk management processes for identifying, assessing and managing privacy risks to USIs and associated personal information, such as any Privacy Impact Assessments (PIAs), information security risk assessments, risk registers or any other similar reviews
  • Any existing information/documents which outline:
    • the USI Registrar’s USI and associated personal information holdings, including the specific types of personal information held
    • how and where USIs and associated personal information is held (for example is it held off-shore or in the physical possession of a third party)
    • the typical uses and disclosures of USIs and associated information collected from individuals.
  • Any other information the USI Registrar considers relevant to the scope of this assessment.

Appendix B — APP Summary Report

Privacy assessment of Student Identifiers Office

Open and transparent management of Personal Information
Assessment of Privacy Policies in relation to Australian Privacy Principles 1.3, 1.4 and 1.5
Section 33C(1)(a) Privacy Act 1988
Assessment undertaken: August 2016

Privacy assessment of Australian Privacy Principle 1: Open and transparent management of personal information

Entity Name: Student Identifiers Office
Review Date: 1 August 2016

Overall Summary

APP 1.5 - Availability and Accessibility

Privacy risks: Nil risks found.

Recommendations: N/A

APP 1.3 - Readability

Privacy risks: Policy has a high reading age and may be difficult for younger readers to comprehend.

Recommendations: Simplify privacy policy.

APP 1.4 - Contactability

Privacy risks: Nil risks found.

Recommendations: N/A

APP 1.4 - Content

Privacy risks: Nil risks found.

Recommendations: N/A

Australian Privacy Principles

Assessment criteria

Assessment result

APP 1.5 - Availability and Accessibility

This criterion examines how accessible the privacy policy is from the website, taking into account the requirements of APP 1.5

APP 1.5 requires APP entities to take reasonable steps to make its privacy policy available free of charge, and in an appropriate form. Generally, the policy should be displayed on the entity’s website, be easily accessible and easy to download. For example, a prominent link or privacy icon, displayed on each page of the entity’s website, could provide a direct link to the privacy policy.

Can the privacy policy be located on the website?

Yes

Is there a link to the privacy policy from the home page?

Yes

If no direct link exists, can the privacy policy be easily accessed?

Not applicable

Is the privacy policy available in a format other than as an online publication?

Yes

Is the privacy policy available free of charge, if provided in a non-web based format?

Yes

Is the privacy policy provided in HTML (a WCAG 2.0 compliant accessible format)?

No

Are there any concerns around accessibility?

Yes

Policy is not currently available in an HTML format. The SI Office may wish to provide the policy directly on their website in order to facilitate easy access to those who use page reading software.

APP 1.3 - Readability

Readability is the ease with which text can be read and understood.

APP 1.3 requires APP entities to have a clearly expressed and up-to-date privacy policy. At a minimum, a clearly expressed policy should be easy to understand, easy to navigate, and only include information relevant to the management of personal information by the entity.

The OAIC recommends that privacy policies use simple language with a reading age level of around 14 years.

Does the policy appear to be clearly expressed?

Yes

Does the policy appear to be of a structure and length suitable for web publication?

Yes

What is the Flesch Kincaid Reading Ease raw score of the privacy policy?

23.8

The average Flesch Kincaid Reading Ease score of the 50 Australian websites assessed in the Global Privacy Enforcement Network (GPEN) 2013 sweep was 55.

Scores lower than 65 indicate the text is harder to read, and more suitable for readers aged over 15 years or at higher school grade levels.

Scores higher than 65 indicate the text is easier to read, and suitable for readers aged under 15 or at lower school grade levels.

Can this privacy policy be easily read by a 14 year old?

No

What average age should be able to easily understand this policy?

22-23 years

What average grade level should be able to read this policy?

Above Grade 12

To read the privacy policies of the 50 Australian websites assessed in the GPEN 2013 sweep required an average ability of Grades 10-12

How many words are in this privacy policy?

2,237

The average number of words in the 50 Australian websites assessed in the GPEN 2013 sweep was 2,738.

The median (half of the policies have more words, half of the policies have less words) in the 50 Australian websites was 2,262.

Does the policy reflect current APP privacy obligations?

Yes

When was the privacy policy last updated?

17/09/2014

Is the Privacy Policy up-to-date?

Yes

The SI Privacy Policy is complex and may be difficult for younger readers to comprehend.

APP 1.4 - Contactability

This criterion relates to whether individuals can locate entity contact details on the website to ask privacy questions or make privacy complaints

Is contact information available for individuals to submit privacy questions or complaints to the entity on the website?

Yes - in privacy policy

APP 1.4 - Content

This APP lists the specific content that must be covered in the entity's privacy policy.

Each entity's privacy policy must contain information about the following areas….

the kinds of personal information the entity collects

Yes

the kinds of personal information the entity holds

Yes

how the entity collects and holds personal information

Yes

the purposes for which the entity collects personal information

Yes

the purposes for which the entity holds personal information

Yes

the purposes for which the entity uses and discloses personal information

Yes

how an individual can request access to their personal information

Yes

how an individual can correct their personal information

Yes

how an individual can complain about a breach of the APPs

Yes

how the entity will deal with the complaint

Yes

whether the entity is likely to disclose personal information to overseas recipients

Yes

which countries the entity is likely to disclose personal information to (if applicable, and where practicable)

No

Are there any APP concerns around the privacy policy content?

Yes

Summary: no issues identified.

Footnotes

[1] There is a DVS override function that enables a student’s identity to be verified without using the DVS. The Director of Business Services must authorise any such override.