Publication date: 30 October 2019

Assessment undertaken: 13 May 2019
Draft report issued: 24 June 2019
Final report issued: 13 August 2019

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner (OAIC) on a privacy assessment of the Unique Student Identifier (USI) Office’s management of personal information under the Student Identifiers Act 2014 (SI Act).

1.2 The USI Office collects personal information for the purposes of assigning USIs to individuals, verifying individuals’ identities, and providing individuals with access to transcripts.

1.3 An individual’s authenticated Vocational Education and Training (VET) transcript is an online document prepared by the Student Identifiers Registrar (Registrar) that sets out information relating to nationally recognised training undertaken by an individual. Under the SI Act, the USI Office facilitates access to all or part of this transcript when certain conditions are met. This is known as the Transcript Service.

1.4 The purpose of the assessment was to determine whether the USI Office is taking reasonable steps to implement practices, procedures and systems relating to its Transcript Service that, in accordance with Australian Privacy Principle (APP) 1.2 in the Privacy Act 1988:

  • ensure it complies with the APPs and any applicable registered APP Code
  • enable it to deal with inquiries or complaints from individuals about its compliance with the APPs or an applicable Code.

1.5 As the Registrar is an agency as defined in s 6 of the Privacy Act, it is bound by the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Privacy Code).[1] As part of this assessment, the OAIC assessed the USI Office against the requirements of the Privacy Code.[2]

1.6 This assessment finds that the USI Office has:

  • taken a ‘privacy by design’ approach to designing and operating the system it uses to manage transcripts
  • a privacy-aware culture that is supported by ongoing training, refresher courses and awareness initiatives
  • taken a proactive approach to privacy management by establishing an effective privacy organisational structure
  • comprehensive policies and procedures to help ensure that personal information is managed in an open and transparent way.

1.7 The OAIC did not identify any medium or high-level privacy risks. As a result, the OAIC has not made any recommendations in this assessment. The OAIC has made suggestions to assist the USI Office to further enhance the privacy protective measures that apply to its processes. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A.

Part 2: Introduction

Background

The OAIC and the Privacy Code

2.2 The OAIC is the dedicated privacy regulator under the SI Act. In this role, the OAIC has oversight of the handling of USI information. The OAIC also has a Memorandum of Understanding with the USI Office to provide dedicated privacy-related services under the Privacy Act.

2.3 The Privacy Code applies to all Australian Government agencies subject to the Privacy Act. Under the Privacy Code, agencies are required to:

  • have a Privacy Management Plan (PMP)
  • appoint a Privacy Officer, or Privacy Officers, and ensure that the Privacy Officer(s) perform certain functions
  • appoint a senior official as a Privacy Champion to perform certain functions, including providing cultural leadership and promoting the value of personal information
  • undertake written Privacy Impact Assessments (PIAs) for all high privacy risk projects or initiatives that involve new or changed ways of handling personal information, and keep a register of completed PIAs
  • take steps to enhance internal privacy capability, including by providing appropriate privacy education or training in staff induction programs, and annually to all staff who have access to personal information.

2.4 The requirements specified in the Privacy Code are agencies’ minimum compliance obligations under APP 1.2. Compliance with the Privacy Code is an integral, but not exhaustive, part of agencies’ obligations under APP 1.2 to take reasonable steps to implement practices, procedures and systems that facilitate compliance with the APPs as a whole.

Student Identifiers Registrar and the USI Office

2.5 The Registrar is a statutory officer established under the SI Act to administer the USI initiative. The SI Act provides the Registrar with powers to create, verify, use and disclose USIs, and generate authenticated VET transcripts.

2.6 The Registrar is supported by the USI Office, based in the Commonwealth Department of Education and Training (Education).[3][4]

2.7 The USI Office works with a range of stakeholders, including registered training organisations (RTOs), state training authorities (STAs), the national and state VET regulators, and the National Centre for Vocational Education Research (NCVER) to provide transcripts to individuals.

USIs

2.8 The USI is a unique ten-digit alphanumeric reference number assigned to individuals undertaking nationally recognised vocational education and training.

2.9 The purpose of the USI is to create a secure, online record of all nationally recognised training and qualifications issued by any RTO in Australia, and to allow individuals to access their training records and qualifications via a transcript.

2.10 Individuals can either create a USI directly via the USI website, or with the assistance of the USI Office’s contact centre or their nominated RTO. Since 2014, approximately 10 million USIs have been created.[5]

2.11 The USI Registry System is a web-based service operated by the USI Office that facilitates access to transcripts. It consists of different portals depending on who is accessing it. Through the Student Portal, individuals can create a USI, manage their accounts and access their transcripts. USI Office staff can log in to the Administration Portal to assist individuals with enquiries about their USIs or transcripts. RTOs use the Organisation Portal to create, collect or verify USIs, or view transcripts (with the individuals’ permission).

2.12 The USI Office collects personal information about an individual to verify their identity for the purposes of assigning them a USI. It collects individuals’ first, middle and last names, date of birth, place of birth, gender and contact details. This personal information is held indefinitely in the USI Registry System as a USI is held for life by an individual. The USI Office also uses one nominated form of identification to verify an individual’s identity (birth certificate, driver’s licence, Medicare card or passport). The USI Registry System does not hold the identity document numbers but records the type of document used for verification purposes.

Transcript Service

2.13 The USI Transcript Service commenced on 22 May 2017, allowing a USI account holder to access their national training record online in the form of a USI Transcript. Individuals can also provide access to their transcript or part of their transcript to RTOs through the USI Registry System. Transcripts contain the individual’s name and VET information drawn from the NCVER.

2.14 The NCVER is responsible for collecting and holding VET information and nationally recognised VET qualifications. The NCVER receives this information from VET bodies such as RTOs and STAs.

2.15 The USI links the personal information held by the USI Registry System to VET information held by the NCVER. When an individual uses their USI to generate an online transcript, an automatic and live feed between the USI Registry System and the NCVER retrieves and generates an individual’s transcript. Information from the NCVER is populated in real time so that individuals can view or download their transcript. This feed expires once a page is closed or the user logs out.

2.16 Figure 1 shows the flow of VET information to the USI Registry System, and the USI Office’s access into that system. Figure 2 shows the types of information held by the USI Office and the NCVER respectively, and the information that is used for an individual’s transcript.

Figure 1 — Overview of the USI Office’s Registry System information flows

The National Centre for Vocational Education Research (NCVER) receives Vocational Education and Training (VET) information and qualifications from VET bodies such as Registered Training Organisations (RTOs) and State Training Authorities (STAs). This information is passed to the Unique Student Identifier (USI) Office Registry System. The scope of the assessment is limited to USI Office staff accessing USIs and transcript information through an Administration Portal to the USI Office Registry System.

Figure 2 — Overview of the types of information held by the USI Office and the NCVER, and the information that is used on an individual’s transcript

The USI Office receives the full name, date of birth, place of birth, gender and contact details relating to individuals. The NCVER receives VET information and qualifications. When an individual uses their USI to generate an online transcript, an automatic and live feed between the USI Registry System and the NCVER retrieves and generates an individual’s transcript. The individual’s full name from the USI Office and the VET information and qualifications from the NCVER are populated in real time to create a transcript that individuals can view or download.

Part 3: Findings

3.1 As meeting the specific requirements of the Privacy Code is a necessary precursor to meeting the broader requirements of APP 1.2, the first part of this section of the report considers whether the USI Office has implemented its Privacy Code obligations. The second part of this section will cover other substantive matters related to APP 1.2.

3.2 The OAIC was guided by the Privacy Management Framework and Chapter 1 of the APP Guidelines in its consideration of the reasonable steps that the USI Office has taken to address the requirements of APP 1.2.

3.3 The Privacy Management Framework details steps that the USI Office is expected to take to meet its ongoing compliance obligations under APP 1.2. Step 2 of the Framework requires that an agency establishes robust and effective privacy practices, procedures and systems, including ICT security controls as a risk management process. This is to allow an organisation to address privacy risks, including personal information security risks.

3.4 Accordingly, the OAIC considered the governance around the USI Office’s ICT security and access controls in this assessment. The scope of the assessment did not extend to a detailed analysis of the ICT controls that the USI Office has implemented to protect the personal information in the USI Registry System.

Privacy Code

3.5 The table below sets out the requirements of the Privacy Code and whether the USI Office has met these requirements. In summary, the OAIC is satisfied that the USI Office is meeting its obligations under the Privacy Code. Further analysis on the ways in which the USI Office has met these requirements is provided in the following section.

Section of Code | The Registrar, through the USI Office, has… | Requirement met? | For further analysis, see paragraph…
9 | A PMP, which identifies specific, measurable privacy goals and targets, and sets out how the agency will meet its compliance obligations under APP 1.2 | Yes | 3.17
10 | Appointed a Privacy Officer who fulfils the functions required by the Privacy Code | Yes | 3.8
11 | Appointed a senior official as Privacy Champion who fulfils the functions required by the Privacy Code | Yes | 3.8
10 | A centralised record of the personal information that it holds | Yes | 3.21
12 & 15 | Undertaken written PIAs for all high privacy risk projects, maintains a register of PIAs, and publishes this register, or a version of it, on its website | Yes | 3.18-3.20
16 | Conducts appropriate privacy training and education for staff in its induction programs, and provides appropriate annual privacy training and education for staff who have access to personal information in the course of performing their duties | Yes | 3.11-3.12
17 | A process in place to proactively review and update its privacy practices, and to monitor compliance with its privacy practices, procedures and systems regularly | Yes | 3.14-3.16

Governance, culture and training

3.6 The USI Office consists of three business units: the Business Operations Team, which is the first point of contact for individuals and RTOs; the Digital and Finance Team, which manages the technical components of the USI Registry System; and the Policy, Engagement and Integrity Team, which develops policy in accordance with the USI Office’s legislative obligations.

3.7 The USI Office’s contact centre operates out of the Business Operations Team. It handles individuals’ USI and transcript-related telephone and email enquiries and provides dedicated specialist support to RTOs. The OAIC interviewed staff across these teams and observed a positive culture of privacy awareness. Staff interviewed during the assessment demonstrated a sound understanding of the USI Office’s processes and the privacy implications of their work.

3.8 The USI Office has taken a structured approach to meeting its privacy governance requirements under the Privacy Code by appointing staff with privacy-focused responsibilities. The USI Office’s Privacy Team operates out of the Policy, Engagement and Integrity Team. The Privacy Team includes a Privacy Champion (the Registrar), who promotes a culture of privacy and provides leadership on strategic privacy matters, and a Privacy Officer (a senior staff member), who is the primary contact for internal privacy advice. In addition, the Privacy Officer has a dedicated staff member who assists with operationalising key privacy management activities, such as reviewing and monitoring privacy practices.

3.9 Senior management from the Business Operations Team and the Digital and Finance Team regularly liaise with the Privacy Team on privacy matters. The managers of the three teams meet with the Registrar weekly. The USI Office receives legal advice, including on privacy matters, from Education. The USI Office’s frequent internal communication and collaboration between the Privacy Team and senior management from the business areas reflect good privacy practices.

3.10 The USI Office has taken a proactive approach to privacy management by establishing a privacy organisational structure and reporting mechanism across all levels of the Office. There is a reporting procedure that allows issues, including privacy issues, to be escalated from front-line staff to more senior members of the team who are subject matter experts in their field. The Business Operations Team holds weekly meetings at which privacy announcements are made. Serious privacy matters are escalated to the Registrar, who has overall responsibility for privacy.

3.11 Privacy awareness is promoted through a suite of mandatory training that covers topics such as fraud, security and privacy. This training is conducted online and face-to-face. All staff, including short term staff and contractors, complete this training at induction and through annual refreshers. The USI Office has procedures in place to identify when staff have not completed their training. For example, there is a corporate register that tracks staff completion of training and senior management follows up on any non-completion. At the time of the assessment, all staff had undertaken the mandatory training.

3.12 Regular privacy awareness initiatives such as educational videos, webinars, newsletters and information sessions reinforce staff’s privacy obligations and the importance of safeguarding personal information as a valuable business asset. The OAIC observed several of the USI Office’s e-learning training modules and presentation material, including training on data breach response procedures.

3.13 The USI Office has established clear procedures for oversight, communication, and accountability for decisions regarding personal information, such as personal information handled within its Transcript Service. Its training and awareness activities help to ensure that all staff are aware of their privacy and security obligations. The Privacy Team’s regular engagement with senior management helps to create a privacy and security-aware culture among staff. The OAIC did not identify any privacy risks in relation to the USI Office’s governance, culture or training.

Internal policies, practices and procedures

3.14 The USI Office has a range of organisation-wide documented policies and procedures, including policies and procedures related to the Transcript Service specifically. These are approved by the Registrar. The USI Office completes annual reviews and updates to ensure the effectiveness and appropriateness of its policies, practices, procedures and systems. The USI Office also has technical procedures and standards that apply to the USI Registry System.

3.15 The USI Office has a privacy policy and procedural documents that outline how staff are expected to handle personal information, including as it relates to the Transcript Service. For example, staff must follow documented steps in order to check and verify the identity of a caller before access to personal information is granted. The USI Office has an operational manual that details how staff must handle personal information when assigning a USI for an individual. It also has quality assurance framework documentation and supporting tools used to ensure that staff involved in the Transcript Service follow best privacy practice when handling personal information. The OAIC reviewed these policies, procedures, manuals and frameworks as part of this assessment.

3.16 The USI Office recently participated in an internal privacy audit undertaken by Education. The audit was intended to help the USI Office identify any areas for improvement and any gaps in its privacy compliance measures. The audit made no findings or recommendations for the USI Office.

Privacy Management Plan

3.17 The USI Office has a PMP that identifies specific and measurable privacy goals and targets and sets out how it will meet its compliance obligations under APP 1.2. As part of the development of the PMP, the Privacy Team conducted an assessment of the USI Office’s privacy maturity and consulted with staff across the Office to obtain internal advice and feedback. The OAIC has reviewed the USI Office’s PMP and found that it complies with the Privacy Code.

Privacy Impact Assessments

3.18 The USI Office undertakes PIAs for new projects that involve changes to personal information handling processes. This includes when new technologies and functions, such as the Transcript Service, are implemented. This is a requirement under the Privacy Code and a good privacy protective measure to help ensure that the USI Office proactively addresses and documents its privacy risk and security profile choices.

3.19 The OAIC has reviewed the PIA related to the implementation of the Transcript Service. The PIA considered several privacy risks and mitigation strategies. Since the time that the PIA was completed, the USI Office has successfully addressed these identified privacy risks through targeted actions in response to the recommendations.

3.20 Since the Privacy Code came into effect on 1 July 2018, the USI Office has not had any business need to conduct a PIA. The USI Office advised that, for this reason, it does not have a register of PIAs published on its website. The OAIC is satisfied with this approach in the circumstances and suggests that the USI Office maintains and publishes a register that records any future PIAs to ensure compliance with the Privacy Code.

Record of Personal Information Holdings

3.21 The USI Office records its personal information holdings in a register maintained by Education. This register includes the types of personal information that the USI Registry System holds, including sensitive information, the purpose of the collection, the law authorising the collection, the persons authorised to access the personal information, and how and where the information is stored. The OAIC has sighted the register, which has been kept up to date.

Destruction and de-identification of personal information

3.22 As stated in paragraph 2.12, the USI Office collects and retains individuals’ personal information for identity verification purposes. The USI Office retains all personal information that it collects indefinitely, even where that information has been updated. For example, if an individual updates their address details in the USI Registry System, the USI Office will retain the new address and the old address record.

3.23 Under APP 11.2, where an entity holds personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information. As the USI Office retains personal information to verify the identity of individuals, the OAIC considers this as a permitted purpose for continuing to hold it.

3.24 However, given the increasing volume of personal information that the USI Office will collect over time, it is likely that the USI Office will hold increasing volumes of personal information that is out of date. The USI Office does not have policies relating to the destruction or de-identification of individuals’ personal information. The OAIC suggests that the USI Office consider whether there is a business need to hold this personal information and conduct a risk analysis to determine the impact and acceptability of any associated security risks.

3.25 The OAIC also suggests that, pending the outcome of this risk analysis, the USI Office creates detailed policies, procedures and resources to enable it to determine what personal information will need to be retained, destroyed, or de-identified, and when and how this should occur.

Information security and access controls

3.26 Overall, good privacy management requires that an agency has a robust information security posture. Once an agency collects and holds personal information, it must consider what appropriate security measures are required to protect the personal information, including access controls, audit logging and data breach response plans.

Trusted Insider risk and identity management

3.27 The USI Office advised that staff access to the USI Office’s operating systems, databases and applications is role-based and managed by one of two system administrators within the Digital and Finance Team. For new staff members to access the USI Office’s systems or networks, their manager must make a system access request, which is managed through the USI Office’s IT system.

3.28 The USI Office’s IT system provisions user accounts with access limited to business requirements, and Active Directory controls staff access to specific systems or system components, such as the USI Registry System. This is good privacy practice, as it helps to ensure that staff only have access to systems that are appropriate to their roles. In addition to the above process, staff must sign a confidentiality agreement that outlines their confidentiality obligations.

3.29 When staff leave the USI Office or change roles within the USI Office, their system access is managed through the IT system with a System Access Request that is approved by their manager and the system administrator. Periodically, system administrators conduct audits of user access lists to systems to ensure that staff listed still require access to perform their roles.
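The joiner, mover and leaver handling and the periodic user access audit described in paragraphs 3.27 to 3.29 can be reduced to a reconciliation of three inputs: the HR roster, a role-to-entitlement matrix, and an export of directory group memberships. The following is an added example written for this page, not the USI Office’s own tooling; the roster, the group names, the role matrix and the directory export are all constructed, and the field names are assumptions.

```python
"""Periodic user-access review (added example; not the USI Office's code).

Reconciles a constructed HR roster and an assumed role-to-group entitlement
matrix against a constructed Active Directory group-membership export, and
reports the findings an access recertification is meant to surface:
leavers who still hold access, accounts unknown to HR, role changers who kept
entitlements from their previous role, and staff missing a required group.
"""
from dataclasses import dataclass

# Assumed role -> entitlement matrix. Group names are hypothetical.
ROLE_GROUPS = {
    "contact_centre":  {"USI-Admin-Portal-Read"},
    "digital_finance": {"USI-Admin-Portal-Read", "USI-Registry-DBA"},
    "privacy":         {"USI-Admin-Portal-Read", "USI-Audit-Reports"},
}

# Constructed HR roster: current role and whether the person is still employed.
HR_ROSTER = {
    "asmith": {"role": "contact_centre",  "active": True},
    "bjones": {"role": "digital_finance", "active": True},
    "clee":   {"role": "privacy",         "active": True},
    "dwong":  {"role": "contact_centre",  "active": False},  # left the office
    "ewhite": {"role": "contact_centre",  "active": True},   # moved from digital_finance
}

# Constructed directory export: account -> groups it is currently a member of.
AD_MEMBERSHIP = {
    "asmith":  {"USI-Admin-Portal-Read"},
    "bjones":  {"USI-Admin-Portal-Read", "USI-Registry-DBA"},
    "clee":    {"USI-Admin-Portal-Read", "USI-Audit-Reports", "USI-Registry-DBA"},
    "dwong":   {"USI-Admin-Portal-Read"},                     # leaver still enabled
    "ewhite":  {"USI-Admin-Portal-Read", "USI-Registry-DBA"},  # kept old role's group
    "svc-old": {"USI-Registry-DBA"},                          # no HR record at all
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str            # "leaver", "orphan", "excess" or "missing"
    groups: frozenset    # the groups the finding relates to


def review_access(roster, memberships, role_groups):
    """Return the findings of one access review, sorted by account and kind."""
    findings = []
    for account, groups in memberships.items():
        person = roster.get(account)
        if person is None:
            # Account exists in the directory but HR does not know it.
            findings.append(Finding(account, "orphan", frozenset(groups)))
            continue
        if not person["active"]:
            # Leaver whose access was never removed.
            findings.append(Finding(account, "leaver", frozenset(groups)))
            continue
        expected = role_groups.get(person["role"], set())
        excess = groups - expected      # entitlements beyond the current role
        missing = expected - groups     # required entitlements not granted
        if excess:
            findings.append(Finding(account, "excess", frozenset(excess)))
        if missing:
            findings.append(Finding(account, "missing", frozenset(missing)))
    return sorted(findings, key=lambda f: (f.account, f.kind))


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, AD_MEMBERSHIP, ROLE_GROUPS):
        print(f"{finding.kind:8} {finding.account:8} {sorted(finding.groups)}")
```

On the constructed data the review reports the leaver, the orphaned service account and two excess-entitlement cases (one genuinely over-provisioned account and one mover who kept a group from a previous role); the fully reconciled accounts produce no output. Running the same reconciliation on a schedule, rather than relying on the System Access Request at the moment of a role change, is what catches the cases where that request was never raised.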

Audit logs, trails and monitoring access

3.30 The USI Registry System has audit and event logging capability that allows the Digital and Finance Team to monitor staff activities across the USI Registry System. The USI Registry System automatically captures each access by each user. A report based on the audit logs is produced on request by the Digital and Finance Team if management has any concerns about possible misuse or unauthorised staff access. The OAIC has sighted the audit logs and reports produced by the USI Registry System.

3.31 The OAIC suggests that the audit logs be reviewed on a proactive and regular basis, rather than only on request, as an additional measure to ensure that security incidents involving unauthorised or inappropriate access can be detected in a timely manner.
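Paragraphs 3.30 and 3.31 describe a system that records every staff access but only reports on it when management already has a concern. The difference between that and proactive review is a routine that runs over the log on a schedule and raises the cases a reviewer would otherwise never be asked to look at. The following is an added example written for this page, not the USI Registry System’s own logging or reporting code: the log line format, the field names, the business-hours window, the daily threshold and the log lines themselves are all constructed assumptions.

```python
"""Scheduled review of staff-access audit logs (added example; not USI Office code).

Parses constructed audit lines of an assumed format
    <ISO timestamp> user=<account> action=<ACTION> usi=<ten-char USI> ref=<enquiry ref or ->
and flags three things a proactive review should surface:
  * access outside an assumed business-hours window,
  * record access with no linked enquiry reference (no business reason recorded),
  * a user viewing far more records in a day than the assumed threshold.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Assumed review parameters.
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # local time, half-open interval
DAILY_VIEW_THRESHOLD = 4                     # views per user per day before flagging

# Constructed sample log. USIs are ten-character placeholders, not real identifiers.
SAMPLE_LOG = """\
2019-05-13T09:12:04 user=asmith action=VIEW_RECORD usi=USI0000001 ref=ENQ-1001
2019-05-13T09:40:11 user=asmith action=VIEW_TRANSCRIPT usi=USI0000001 ref=ENQ-1001
2019-05-13T10:05:37 user=bjones action=VIEW_RECORD usi=USI0000002 ref=ENQ-1002
2019-05-13T22:14:09 user=bjones action=VIEW_RECORD usi=USI0000003 ref=-
2019-05-13T11:00:00 user=clee action=VIEW_RECORD usi=USI0000004 ref=-
2019-05-13T11:01:12 user=clee action=VIEW_RECORD usi=USI0000005 ref=-
2019-05-13T11:02:03 user=clee action=VIEW_RECORD usi=USI0000006 ref=-
2019-05-13T11:03:41 user=clee action=VIEW_RECORD usi=USI0000007 ref=-
2019-05-13T11:04:55 user=clee action=VIEW_RECORD usi=USI0000008 ref=-
"""


def parse_line(line):
    """Turn one 'key=value' audit line into a dict with a parsed timestamp."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def review(log_text):
    """Return {alert_kind: [details, ...]} for everything worth a reviewer's eye."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = defaultdict(list)
    views_per_user_day = Counter()

    for e in events:
        when = e["ts"]
        if not (BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]):
            alerts["out_of_hours"].append((e["user"], when.isoformat()))
        if e.get("ref", "-") == "-":
            alerts["no_enquiry_ref"].append((e["user"], e["usi"]))
        views_per_user_day[(e["user"], when.date())] += 1

    for (user, day), count in views_per_user_day.items():
        if count > DAILY_VIEW_THRESHOLD:
            alerts["high_volume"].append((user, day.isoformat(), count))

    return dict(alerts)


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the constructed lines the routine raises one out-of-hours access, one user whose daily view count exceeds the threshold, and six accesses that carry no enquiry reference; the first user, whose accesses are in hours and tied to an enquiry, generates nothing. The thresholds are deliberately crude: the point is that each alert is produced from the log the system already keeps, without waiting for management to ask for a report.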

Data Breach Response Plan

3.32 The USI Office has methods for identifying, assessing, rectifying and reporting data breaches. These methods apply to frontline and specialist staff in the Business Operations Team and the Digital and Finance Team. The OAIC has reviewed documentation that outlines staff roles and responsibilities for these processes. This data breach response plan has been approved by the Registrar.

3.33 Data breaches are classified based on the level of the risk of harm they pose to individuals. The classifications include ‘low-risk,’ ‘high-risk,’ or ‘eligible’ data breaches. This approach to assessing data breaches aligns with the requirements of the Notifiable Data Breaches (NDB) scheme, which is good privacy practice. Staff interviewed during the assessment demonstrated a sound understanding of conducting risk assessments of potential breaches based on these classifications.

3.34 The data breach response procedure involves staff notifying senior management of suspected data breaches, which then go to the Privacy Officer for review, investigation and resolution. Serious data breaches are escalated to the Registrar.

3.35 The USI Office’s processes and clear lines of authority for managing and escalating data breaches are good privacy practice. The OAIC suggests that the USI Office list the contacts in the data breach response plan by role rather than by the name of the individual staff member currently in that role. This will help to ensure business continuity if staff listed in the plan change roles or leave the organisation.

Part 4: Description of assessment

Objective and scope of the assessment

4.1 The objective of this assessment was to establish whether the USI Office is taking reasonable steps in the circumstances to implement practices, procedures and systems relating to its Transcript Service that will, in accordance with APP 1.2:

  • ensure that it complies with the APPs and the Privacy Code
  • enable it to deal with inquiries or complaints from individuals about its compliance with the APPs or the Privacy Code.

4.2 For an entity to meet the obligations of APP 1.2, that entity must be proactive in establishing, implementing and maintaining privacy processes. This obligation is a constant one and compliance with APP 1.2 should be understood as a matter of good governance.

Timing, location and assessment techniques

4.3 The OAIC reviewed policy and procedure documents provided by the USI Office. The OAIC conducted the fieldwork component of the assessment at the USI Office’s Canberra Office, where we interviewed key staff on 13 and 14 May 2019.[6] Following this, the OAIC reviewed further documentation provided by the USI Office.

4.4 The assessment of the USI Office was risk-based. The focus was on identifying privacy risks to the effective handling of personal information in the Transcript Service.

Privacy risks

4.5 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

4.6 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

4.7 The OAIC has not made any recommendations in this assessment as it did not identify any medium or high-level privacy risks. There are two suggestions that will, in the OAIC’s opinion, help the USI Office further protect the personal information that it handles. These suggestions are set out in the body of the report.

Reporting

4.8 This report has been prepared for the USI Office. The OAIC will publish the full report and will provide the USI Office with the opportunity to comment on the report before doing so.

Part 5: The USI Office’s response

OAIC suggestion 1

3.36 The USI Office:

  • review its audit logs on a proactive and regular basis as an additional measure to ensure that security incidents involving unauthorised or inappropriate access can be detected in a timely manner.

Response by the USI Office

3.37 The USI Office has agreed to implement regular audit logging of staff activities.

OAIC suggestion 2

3.38 The USI Office:

  • consider whether there is a business need to hold personal information and conduct a risk analysis to determine the impact and acceptability of any associated security risks, given the increasing volume of personal information that the USI Office will collect over time.

Response by the USI Office

3.39 The USI Office has noted this suggestion and will conduct an analysis of the future business need to hold personal information that is out of date.

Appendix A: Privacy risk guidance

High risk

Entity action required: The entity must, as a high priority, take steps to address mandatory requirements of privacy legislation. Immediate management attention is required.

Likely outcome if the risk is not addressed: This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:
  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity action required: The entity should, as a medium priority, take steps to address Office expectations around requirements of privacy legislation. Timely management attention is expected.

Likely outcome if the risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:
  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow-up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity action required: The entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of privacy legislation. Management attention is suggested.

Likely outcome if the risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed:
  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] The Australian Government Agencies Privacy Code came into effect on 1 July 2018. It requires Australian Government agencies to move to a best practice approach to privacy governance.

[2] The Privacy Code sets out specific requirements and key practical steps that agencies must take as part of complying with APP 1.2. For more information, see: Privacy for government agencies.

[3] While the Privacy Act obligations considered in this assessment technically attach to the Registrar, in practice these obligations are carried out through the work of the USI Office. References to the USI Office throughout this report should be taken as recognising this relationship.

[4] At the time of the assessment, the USI Office was based in the Commonwealth Department of Education and Training. As part of Machinery of Government changes, the USI Office moved to the Commonwealth Department of Employment, Skills, Small and Family Business on 26 July 2019. As an OAIC assessment is conducted as a ‘point in time’ exercise, all references to the Commonwealth Department of Education and Training, henceforth, refer to arrangements in place during the assessment in May 2019.

[5] See: USI Bulletin Number 11 - 2 October 2018.

[6] Since this time, operations of the USI Office have been transitioned to Adelaide.