Publication date: 24 October 2019

Assessment undertaken: August 2017
Final report issued: January 2018

Part 1: Introduction

1.1 The Office of the Australian Information Commissioner (OAIC) has a range of functions and powers directed towards protecting the privacy of individuals by ensuring the proper handling of personal information. These functions and powers are conferred by the Privacy Act 1988 and by other legislation containing privacy protection provisions.

1.2 The OAIC conducted a privacy self-assessment with five registered training organisations (RTOs) in August 2017. This report describes the assessment process and provides a summary of the key findings. All participating RTOs remain anonymous in this report.

Background

1.3 The Unique Student Identifiers (USI) scheme is a joint State and Commonwealth initiative administered by the Student Identifiers Registrar (SI Registrar). The Department of Education and Training (DET) provides resources, including staff, to support the Registrar. The SI Registrar’s operations are governed by the Student Identifiers Act 2014 (SI Act) and the Privacy Act.

1.4 The USI is a unique lifetime identifier consisting of ten digits and letters. All students in Australia undertaking nationally recognised vocational education and training require a USI to receive their qualifications or statements of attainment. The USI enables students to keep track of their training history and qualifications and gives permission to training providers to access their transcripts online for enrolment purposes, credit transfers and entitlement assessments. To obtain a USI, students may register either directly via the USI website, or through their nominated RTO. There are approximately 4,300 RTOs in Australia.

1.5 RTOs are required to collect a range of personal information to apply for USIs on behalf of their students, including:

  • name
  • gender
  • date of birth
  • place of birth
  • contact details.

1.6 While the SI Registrar is responsible for the administration of the USI scheme, RTOs are responsible for the collection, use, storage and disposal of USIs and associated personal information required to apply for USIs on behalf of their students. RTOs are also required to issue students with a collection notice, an example of which is available from the SI Office.

1.7 The OAIC is the dedicated privacy regulator of student identifiers under the SI Act. The SI Registrar and the OAIC have a Memorandum of Understanding (MOU) regarding the provision of dedicated privacy-related activities under the Privacy Act and the SI Act.

1.8 Under the 2015-17 MOU arrangement, the OAIC conducted a self-administered SmartForm survey to assess the privacy practices and procedures of five RTOs.

Objective and scope of the assessment

1.9 This assessment was conducted under s33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether personal information held by an entity is being maintained and handled in accordance with the Australian Privacy Principles (APPs).

1.10 In general, the objective of this assessment was to examine the maturity of the selected RTOs’ privacy practices. Specifically, the assessment considered whether the RTOs were handling USIs and associated personal information in accordance with the requirements of APP 1 (open and transparent management of personal information) and APP 5 (notification of the collection of personal information). The assessment examined whether the RTOs have:

  • implemented practices, procedures and systems to manage personal information in an open and transparent manner (APP 1.2)
  • a clearly expressed and up-to-date APP Privacy Policy about how they manage personal information (APP 1.3 and 1.4)
  • made their APP Privacy Policy available free of charge and in an appropriate form (APP 1.5)
  • notified individuals of, or ensured their awareness of, the APP 5 matters (APP 5).

Methodology

1.11 The five RTOs were nominated by the SI Registrar based on a number of considerations, including:

  • the size of the organisation
  • annual turnover (for jurisdictional purposes)
  • whether or not the organisation is a private entity
  • whether the RTO was likely to have a high number of international students
  • educational sectors covered by the RTO.

1.12 The assessment involved the following:

  • a desktop review of the privacy policy of the selected RTOs
  • data collection using a self-administered SmartForm questionnaire from the selected RTOs over a four-week period
  • analysis of RTOs’ responses against the requirements of APPs 1 and 5.

1.13 The questionnaire[1] consisted of 73 main questions, starting with 10 questions on statistical information about RTOs’ students and staff to help understand their business. The remaining questions were organised in three parts to be consistent with the steps outlined in the OAIC’s Privacy Management Framework. Most of the questions were presented as a statement to which RTOs were asked to select a response from a rating scale of five options. There were also questions which required a ‘yes’ or ‘no’ answer.

1.14 The findings presented in this report are based on RTOs’ self-reported data. The RTOs did not provide the OAIC with any supporting documents for their responses. The OAIC did not review any policy or procedure documents aside from the RTOs’ privacy policies, or undertake any inspections of the RTOs’ privacy practices. The OAIC provided individualised feedback to the RTOs on their survey responses and privacy policies and also made recommendations to address any identified privacy risks where applicable.

Privacy risks

1.15 This assessment was risk-based and focused on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

1.16 Where the OAIC identified high or medium privacy risks, the OAIC made recommendations to the RTOs about how to address those risks. For guidance on how the OAIC assesses privacy risks, refer to Attachment A. Further detail on the OAIC’s approach to privacy assessments is provided in Chapter 7 of the OAIC’s Guide to Privacy Regulatory Action.

Reading this report

1.17 Part 2 of this report summarises the key findings from the assessment. It outlines areas of good privacy practices as well as areas for improvement that were identified from the assessment. The findings are presented under four main headings:

  • Privacy management
  • Policies, procedures and practices
  • Privacy training and resources
  • Risk management.

1.18 In addition to this report, the OAIC also hosted a webinar to discuss the key findings in this privacy assessment. The webinar was co-presented by a representative of one of the RTOs that participated in the assessment, and is available to view on the OAIC’s website.

Part 2: Summary of findings

Areas of good privacy practice

2.1 The OAIC’s analysis of the RTOs’ responses to the privacy assessment survey identified the following good privacy practices.

Privacy management

2.2 All RTOs reported to regularly brief senior management and other staff with responsibility for privacy management on privacy risks or issues identified.

2.3 The majority of RTOs reported to have:

  • a senior staff member entrusted with overall privacy accountability
  • management groups/committees that deal with privacy issues as they arise
  • reporting mechanisms to ensure senior management are routinely informed about privacy issues (one RTO reported to be developing these mechanisms)
  • a privacy officer or equivalent role.

2.4 Most RTOs reported to have:

  • adopted a ‘privacy by design’ approach to managing business projects and making decisions that involve personal information
  • one or more designated privacy champions.

A Privacy Champion is ideally an individual within the senior management of an entity. The role has a strategic focus — a Privacy Champion should promote a culture of privacy and provide leadership on broad privacy issues.

Policies, procedures and practices

Collecting personal information

2.5 To apply for a USI on behalf of a student, all RTOs reported to have:

  • an internal policy or process that governs the collection of personal information
  • a procedure to verify the identity of students.

2.6 All RTOs reported to have an up-to-date privacy policy, which is available to students on the RTOs’ websites and in hard copy upon request.

2.7 The majority of RTOs reported to:

  • have an up-to-date collection notice setting out how they handle personal information that they collect
  • provide the collection notice to students at or shortly after the collection of their personal information.

2.8 The SI Office has a sample collection notice which entities can use to comply with the notification requirements in APP 5. One RTO reported to provide students with this collection notice at or shortly after the collection of their personal information.

Entities collecting personal information about an individual must take reasonable steps to notify the individual of the purposes of the collection, disclosures to other parties, and certain other matters specified in APP 5. Entities may include information about these matters in their collection notice. Entities should provide the collection notice before or at the time of collecting personal information, or if this is not practicable, as soon as possible afterwards.

Handling personal information

2.9 The majority of RTOs reported to have policies and procedures to manage the disclosure of USIs and associated personal information to third parties, i.e. persons other than the student such as the National Centre for Vocational Education Research.

2.10 The majority of RTOs also reported to keep:

  • a record of the type and location (physical and virtual) of USIs and associated personal information they hold. Most RTOs reported to regularly update these records
  • a list or register of policies or procedures that apply to personal information, including how USIs and associated personal information are handled (one RTO reported to be developing this register).

2.11 Most RTOs reported that they did not keep copies of documents used to prove a student’s identity.

2.12 None of the RTOs reported to:

  • use USIs (in any form) for any purpose (including administrative purposes) other than the uses permitted in the SI Act
  • disclose USIs or related personal information to a parent company or affiliate overseas, or to an overseas entity (such as a service provider).

Securing personal information

2.13 All RTOs reported to:

  • have a policy that requires staff to change their passwords regularly, with the majority also reporting that this policy requires staff to have strong passwords
  • have all staff, including casual staff and contractors, sign confidentiality agreements or have confidentiality clauses included in their service contracts
  • review staff access rights to ensure they remain appropriate
  • log user access to/activity in the IT systems. Most RTOs also reported that they monitor these logs
  • actively manage and restrict the number of staff with administrator rights to the IT systems.

2.14 The majority of RTOs reported to have:

  • an internal policy that sets out how they manage information security (one RTO reported to be developing this policy)
  • an access control policy that limits staff access to information and systems on a need to know basis (one RTO reported to be developing this policy)
  • effective security measures, such as access cards or locked cabinets, in place to protect USIs and associated personal information held in hard copy (one RTO reported to be developing these measures)
  • processes that provide for secure destruction and de-identification of personal information (one RTO reported to be developing these processes).

2.15 The majority of RTOs also reported to log administrator access to/activity in the IT systems. Some RTOs reported to monitor these administrator access logs.

2.16 To protect their IT systems, all RTOs reported to use firewalls, regularly patch applications and operating systems, and undertake backups. The majority also reported to use encryption and penetration testing, with application whitelisting the next most commonly reported measure.

Accessing and correcting personal information

2.17 All RTOs reported to have a process in place to manage requests from students to access and/or correct their personal information. The majority also reported to have policies and procedures to ensure personal information they hold is accurate and up-to-date.

Privacy training and resources

2.18 All RTOs reported to have privacy resources available to staff. The majority also reported to train their staff on information security risks.

Risk management

2.19 Most RTOs have a risk register that includes:

  • privacy risks and issues
  • mitigation strategies and actions, with clear accountability for implementation
  • processes and mechanisms for regular monitoring and review.

Complaints and enquiries

2.20 All RTOs reported to:

  • have a process for receiving and responding to privacy complaints and privacy enquiries
  • maintain a complaints register.

2.21 None of the RTOs received any privacy complaints in the financial year of 2015–16.

Evaluating and enhancing privacy management

2.22 All RTOs reported to have:

  • channels for staff and students to provide feedback on their privacy processes
  • processes for:
    • reviewing policies and procedures, with the most recent review conducted within the last 18 months
    • conducting threat risk/security assessments and reviewing their outcomes, with the majority of the most recent assessments conducted within the last 18 months
  • a process for incorporating changes to their policies and procedures from issues identified in the ordinary course of business, for example, from complaints or data breaches.

2.23 All RTOs also reported to keep copies of their reviews and assessments.

Areas for improvement

2.24 The OAIC also noted the following areas for improvement in the RTOs’ responses and made recommendations to the respective RTOs accordingly to improve their privacy management and practices.

Privacy management

2.25 None of the RTOs reported to have a privacy management plan that sets out how they manage personal information and privacy risks; however, the majority of them reported to be developing such a plan.

2.26 None of the RTOs reported to have a process in place for determining whether to undertake a privacy impact assessment (PIA) on any new project or changed business process that involves the collection, storage, use or disclosure of personal information. However, two RTOs reported to be developing such a process at the time of the survey.

2.27 Only one RTO reported to have a documented privacy management structure, including appointments to key roles/responsibilities and clear reporting lines for privacy management. Two RTOs reported to be developing this document.

A privacy management plan (PMP) is a document that identifies specific, measurable goals and targets for an entity to meet in complying with its obligations under APP 1.2. Risks that are identified through project specific PIAs can feed into a PMP, particularly where similar privacy risks are identified across multiple projects. An effective PMP will set out the timeframes for addressing any identified privacy risks and will be refreshed at least annually.

The OAIC’s Privacy Management Framework offers guidance on developing and maintaining a PMP.

Policies, procedures and practices

2.28 The OAIC reviewed the RTOs’ privacy policies and identified the following privacy risks:

  • the language of the policies was too complex, which may be difficult for younger people or people with lower literacy to comprehend
  • as required by APP 1.4, information was not included about:
    • how the RTO will handle complaints
    • how an individual can access or correct their personal information held by the RTO
    • whether the RTO discloses personal information overseas
  • the policies were not published to the WCAG 2.0 standard, which is intended to make web content more accessible to people with disabilities.

2.29 None of the RTOs have their privacy policies or collection notices available in:

  • languages other than English for their overseas students
  • alternative accessible formats, for example, braille, video or large print, for students with disabilities.

APP 1 does not specify that a privacy policy should be available in multiple languages and accessible formats, but it does state that the policy needs to be available in an appropriate form. One of the factors that is relevant to whether a policy is in an appropriate form is the needs of the people who will be reading it. Entities should therefore consider whether their privacy policy is accessible to everyone that is likely to read it. Many students at an English language school, for example, may not have English as their first language.

Privacy training and resources

2.30 Only one RTO reported to provide mandatory privacy training for all new staff and regular refresher privacy training for all staff. Two RTOs reported to be developing mandatory privacy training for all new staff at the time of the survey.

Training can ensure staff are conscious of privacy obligations and handle personal information accordingly. This can both reduce the likelihood of a privacy breach occurring and enable staff to manage privacy risks effectively. Entities should schedule refresher training at regular intervals and provide privacy training when there is a change in circumstances, such as when an individual changes roles or new information handling requirements are introduced.

Risk management

2.31 Only two RTOs reported to have a risk management plan that includes consideration of privacy risks, and one RTO reported to be developing this plan.

Regularly reviewing information security risks and controls allows entities to develop a plan to address the privacy and security risks that apply to them. A PIA is one tool which may assist with this review. You can find guidance and training on conducting PIAs on the OAIC’s website.

Privacy incidents and data breaches

2.32 Only one RTO reported to have policies and procedures that set out clear processes to deal with privacy related incidents, for example, a data breach response plan or an incident management plan that deals with privacy. Two RTOs reported to be developing these policies and procedures.

In the event of a data breach, having a response plan that includes procedures and clear lines of authority can assist entities to contain the breach and manage their response. The plan should be tested periodically to ensure its effectiveness.

This assessment occurred prior to the introduction of the Notifiable Data Breaches scheme, which introduced requirements for entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm. Refer to the OAIC’s Notifiable Data Breaches Scheme resources for more information.

Attachment A: Privacy risk guidance

The guidance below sets out, for each privacy risk rating, the entity action required and the likely outcome if the risk is not addressed.

High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies).

Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow-up assessment activities
  • Possible ministerial involvement or censure (for agencies).

Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed:

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met.

Footnote

[1] The questionnaire can be viewed at: RTO privacy assessment survey