A follow-up privacy assessment of Access Canberra

30 April 2021

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) second privacy assessment of Access Canberra’s management of personal information through the administration of the Working with Vulnerable People (WWVP), Road Transport Authority (RTA) vehicle registration, and Births, Deaths and Marriages (BDM) services.

1.2 The OAIC conducted its first privacy assessment of Access Canberra in 2016-17. That assessment examined whether Access Canberra was handling personal information in accordance with the Territory Privacy Principles (TPPs) contained in the Information Privacy Act 2014 (ACT). Specifically, it examined TPP 1 and 5 compliance risks associated with Access Canberra’s personal information management for vehicle registrations and WWVP program applications. The assessment found that Access Canberra treated personal information as a valuable business asset, but made five recommendations to address a number of identified privacy risks. Access Canberra accepted these recommendations.

1.3 This assessment had two purposes:

  • firstly, to follow up on Access Canberra’s implementation of the five recommendations made in 2017. These recommendations relate to risks associated with Access Canberra’s handling of personal information in accordance with Territory Privacy Principles (TPPs) 1 and 5 for vehicle registrations and WWVP applications, and
  • secondly, to consider Access Canberra’s handling of personal information collected in applications for birth, death and marriage registrations and certificates in accordance with TPPs 1 and 5.

1.4 The assessment found that Access Canberra has made some progress towards implementing measures to mitigate the privacy risks identified during the 2017 assessment. However, Access Canberra has not implemented, or has only partially implemented, actions to address the OAIC’s five recommendations from the 2017 assessment. In addition, the assessment identified new privacy risks in relation to Access Canberra’s management of personal information.

1.5 The OAIC identified 15 medium-level privacy risks yielding seven recommendations. The OAIC has made two suggestions to assist Access Canberra to further enhance privacy protective measures that may apply to its processes. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A.

1.6 Regarding privacy staffing, the OAIC recommends that Access Canberra:

  • embeds a privacy team or a staff member within Access Canberra to assist the Privacy Contact Officer (PCO) manage privacy issues particular to Access Canberra generally, and the WWVP, RTA and BDM services specifically, given that several recommendations from the OAIC’s 2017 assessment have not yet been actioned
  • considers and implements mechanisms to strengthen WWVP, RTA, and BDM staff awareness of the roles and responsibilities of the PCO. This could be effected through coordination between the PCO and Access Canberra’s yet to be identified Privacy Champion, and
  • formally identifies an individual in a senior leadership position as Access Canberra’s Privacy Champion and clearly defines their responsibilities with respect to privacy to facilitate consistent management of privacy projects, risks and issues related to the WWVP, RTA, and BDM services.

1.7 Regarding governance, the OAIC recommends that Access Canberra establish clearly documented governance mechanisms for reporting, escalating, overseeing, and coordinating privacy issues across Access Canberra’s business units and other relevant stakeholders in CMTEDD. This applies particularly to those responsible for the WWVP, RTA and BDM programs. This could include adding privacy as a standing agenda item within existing governance mechanisms.

1.8 Regarding privacy training, the OAIC recommends that Access Canberra implements regular, mandatory privacy training for all Access Canberra staff (including contractors and short-term staff) and tracks and reports on staff privacy training completion. Best practice would be for refresher training to occur on an annual or biannual basis for all staff.

1.9 Regarding policies and procedures, the OAIC recommends that Access Canberra:

  • reviews and updates RTA, WWVP, and BDM policies and procedures and implements a mechanism for monitoring the currency of all related policies and procedures going forward
  • develops a Privacy Management Plan that identifies specific, measurable goals and targets that stipulate how Access Canberra will implement measures to embed a culture of privacy, establish and evaluate privacy processes and enhance its response to privacy issues as they relate to Access Canberra’s business units, particularly (for the purpose of this assessment) the WWVP, RTA, and BDM services
  • requires that plans for new projects consider whether the project involves handling personal information and, if so, includes provisions for conducting a privacy threshold assessment followed, if necessary, by a privacy impact assessment (PIA), particularly for new WWVP, RTA and BDM projects. Access Canberra could consider incorporating a privacy standing agenda item into relevant governance mechanisms for new projects as a way to examine the need to conduct threshold assessments or PIAs
  • implements a formal mechanism for tracking the PIAs it conducts and the subsequent implementation of PIA recommendations, particularly for projects relating to or affecting the WWVP, RTA and BDM services, and
  • finalises a Data Breach Response Plan and ensures the plan is applicable to or meets the specific requirements of Access Canberra’s business units, particularly WWVP, RTA and BDM.

1.10 Regarding privacy risk management, the OAIC recommends that Access Canberra establishes mechanisms for properly documenting, identifying, reporting, and managing privacy risks associated with Access Canberra’s business units, particularly WWVP, RTA and BDM.

1.11 Regarding ICT security, the OAIC recommends that Access Canberra reviews the existing Promadis security plan, ensures that it complies with the ACT Government’s ICT Security Policy, and implements any necessary interim security measures while its cloud-based solution is rolled out.

1.12 Regarding privacy notifications for the collection of personal information, the OAIC recommends that Access Canberra:

  • amends the presentation of the privacy notices in BDM and vehicle registration online applications so they present the privacy notice as a mandatory step in form completion
  • reviews and updates BDM paper forms that do not meet mandatory TPP 5 requirements, including:
  1. provision of a privacy statement
  2. statement of the purpose of personal information collection
  3. consequences of not providing information
  • considers standardising a minimum set of privacy notice content for all BDM, RTA and WWVP application forms so that they consistently fulfil all TPP 5 requirements. A step in this process could include updating all paper BDM, WWVP and vehicle registration application forms so that privacy notices include a URL link to Access Canberra’s privacy policy as a mechanism for addressing all mandatory TPP 5 requirements.

Part 2: Introduction

Background

Overview of Access Canberra

2.1 Access Canberra is a subsection of the Chief Minister, Treasury and Economic Development Directorate (CMTEDD). CMTEDD is the central ACT government agency and has two divisions – the ‘Chief Minister stream’ and the ‘Treasury stream’. Each division has a diverse set of functions ranging from ‘Policy and Cabinet’, which dispenses advice to ACT public service executive and ‘VisitCanberra’ which implements tourism development programs; to ‘Economic and Financial’ which provides economic analysis and ‘Shared Services’ which delivers ICT and administrative services [1] . Access Canberra sits within the ‘Chief Minister stream’ of CMTEDD. CMTEDD, via CMTEDD Corporate, provides Access Canberra with strategic governance support and direction. Access Canberra also procures services from other CMTEDD functions such as Shared Services Information Communication Technology (ICT).

2.2 Access Canberra is the ‘one-stop shop’ for individuals and businesses to access ACT Government support, advice, and customer or regulatory services. It is made up of seven branches which cumulatively dispense over 700 distinct services and administer over 150 pieces of legislation, producing on average 8000 regulatory decisions each day. [2] Services include construction, amenities, gambling and environmental regulation, fair trading, and occupational and road licencing. [3] Access Canberra dispenses these services across multiple shopfront service centres, a contact (call) centre, and its website.

2.3 This assessment considered Access Canberra’s management of personal information for the Working with Vulnerable People (WWVP), Road Transport Authority (RTA) and Birth, Death and Marriage (BDM) services. The WWVP [4] , RTA and BDM business units are members of the Licencing and Registration Branch of Access Canberra.

2.4 The Working with Vulnerable People (Background Checking) Act 2011 (WWVP Act) aims to reduce the risk of harm to vulnerable people [5] in the ACT. Consequently, those who work with vulnerable people must undergo a background check and be registered as suitable for providing care. Access Canberra collects personal information to register applicants or renew registrations as part of the WWVP program. Access Canberra issues a WWVP card as evidence of current WWVP registration. [6]

2.5 The RTA administers the registration of motor/heavy vehicles, trailers, and caravans under the Road Transport (General) Act 1999.

2.6 To collect personal information, the WWVP and RTA programs use a combination of paper and online forms available on the Access Canberra website or in Access Canberra Service Centres. The large volumes of personal information collected through the administration of these services are processed and stored on the Rego.ACT [7] and Objective document management ICT systems.

2.7 Access Canberra is responsible for registering all ACT births, deaths, and marriages, and for the provision of certificates of these registrations to authorised applicants under the Births, Deaths and Marriages Registration Act 1997. Existing records range from 1930 to the present. Prior to 1930, records were registered in the New South Wales Registry of Births, Deaths and Marriages.

2.8 Similarly to the RTA and WWVP programs, Access Canberra collects personal information for the BDM program via paper and online application forms. Payments for service, where applicable, are made by cash, cheque or payment card (via either a desktop merchant facility or an online payment gateway). Forms are available at Service Centre kiosks and on Access Canberra’s website. The Promadis ICT system is used to administer the BDM service. Objective is used to store some personal information collected during the administration of the BDM service.

2.9 Shared Services ICT administers ICT networks, infrastructure and assets and provides ICT support across the ACT Government’s Directorates and Agencies including CMTEDD and Access Canberra. Access Canberra’s ICT systems, including the Rego.ACT, Promadis and Objective systems are maintained by Shared Services ICT. Shared Services ICT maintains its own policies and procedures for the administration and maintenance of ICT systems across the ACT Government. Where appropriate, the OAIC has examined the policies and procedures of Shared Services ICT as these relate to the WWVP, RTA and BDM services. [8]

The OAIC and the Territory Privacy Principles

2.10 The Australian and ACT Governments have a Memorandum of Understanding (MoU) for the provision of privacy services by the OAIC to ACT public sector agencies. Under the terms of this MoU, the OAIC completes one privacy assessment of an ACT public sector agency each financial year.

2.11 As an agency of the ACT Government, Access Canberra is governed by the Information Privacy Act 2014 (ACT) (Information Privacy Act). The Information Privacy Act regulates how Access Canberra and other ACT public sector agencies handle personal information. The Act includes Territory Privacy Principles (TPPs) which set out standards, rights and obligations for the collection, use, disclosure, storage, access, and correction of personal information (including sensitive information). The TPPs are similar to the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth). The TPPs differ from the APPs by omitting APPs that are not relevant to information privacy regulation of ACT public sector agencies. [9] Further, there are minor textual differences, but the meaning and intent of each principle remains the same.

2.12 The legal scope of this assessment was TPPs 1 and 5. TPP 1 states that ACT public sector agencies must manage personal information in an open and transparent way. Transparent management consists of agencies taking reasonable steps to implement practices, procedures and systems that ensure broader compliance with all TPPs. This includes having a clearly expressed and up-to-date privacy policy, and mechanisms for dealing with inquiries and complaints about the agency’s personal information management practices.

2.13 TPP 5 requires ACT Government agencies that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in TPP 5.2) or to ensure the individual is aware of those matters, at or before the time of collection or, if that is not practicable, as soon as practicable after collection.

Previous assessments of Access Canberra

2.14 The OAIC conducted its first privacy assessment of Access Canberra in 2016-17. The assessment examined TPP 1 and 5 compliance risks associated with Access Canberra’s personal information management for vehicle registrations and WWVP program applications. The assessment found that Access Canberra treated personal information as a valuable business asset, but made five recommendations to address a number of identified privacy risks. Access Canberra accepted these recommendations. See paragraph 3.4 for further information.

2.15 The OAIC also assessed the online privacy policies of 10 ACT public sector agencies including Access Canberra in 2019. The assessment focused on whether Access Canberra’s privacy policy met requirements set out by TPPs 1.3, 1.4 and 1.5. As part of CMTEDD, Access Canberra had a three-layered, comprehensive privacy policy which largely met its TPP requirements. There were, however, some minor exceptions such as the need to improve readability. [10] This report does not further consider Access Canberra’s privacy policy.

Part 3: Findings

3.1 The first part of this section provides an overview of Access Canberra’s implementation of the OAIC’s 2017 recommendations. Subsequent sections provide more detailed observations and analysis of Access Canberra’s actions regarding these recommendations. The report also contains the OAIC’s analysis of Access Canberra’s management of personal information handled for the BDM service. Key areas for discussion are:

  • privacy culture, governance, and training
  • internal policies, practices, and procedures
  • privacy risk management
  • information security and access controls, and
  • privacy notices.

3.2 Regarding TPP 1, the OAIC applied its guide, Privacy management framework: enabling compliance and encouraging good practice, to evaluate Access Canberra’s management of personal information for the WWVP, RTA and BDM services.

3.2 The OAIC used its APP Guidelines, which describe the mandatory APP requirements, to interpret the TPP 5 personal information collection notification requirements for the WWVP, RTA, and BDM services.

Implementation of 2017 OAIC assessment recommendations

3.3 The table below lists the recommendations the OAIC made in 2017, whether Access Canberra has actioned each recommendation, and which paragraphs of this report provide further analysis. In summary, the OAIC notes that while some progress has been made toward mitigating the privacy risks identified in the 2017 assessment, most of the recommendations from the 2017 report have not been implemented or have only been partially implemented.

#   | The OAIC’s 2017 recommendation | Recommendation actioned | For further analysis, see paragraph
1.1 | Regularly evaluate its policies and procedures to ensure their adequacy and currency. For general core policy documents which are the responsibility of policy agencies in other Directorates, or which are made at the CMTEDD level, Access Canberra should consider consulting with these agencies and CMTEDD on ways to ensure the adequacy and currency of its policies and procedures. | | 3.32
1.2 | Continue to develop its “Application Portfolio Management tool” to assist with managing policy and procedure document updates. | NA | 3.34
1.3 | Develop and implement a Privacy Management Plan. | | 3.37
1.4 | Develop a data breach response plan and consider linking or incorporating this plan into existing processes and policies. | | 3.45
2   | That Access Canberra considers, in consultation with the CMTEDD, including in its governance arrangements a formal central privacy management function, which is responsible for coordinating privacy issues across business functions, including the RTA and WWVP program, and reporting these issues to senior management. | | 3.7
3.1 | Review privacy risk management processes for both the RTA and WWVP program with a view to ensuring that all privacy risks are appropriately managed. | | 3.57
3.2 | Consider the use of the Strategic Risk Register to record privacy risks, including making privacy an individual risk area within the corporate risk register. | | 3.55
4.1 | Wait for the completion of the PIA before proceeding with the proposed data-matching project. | | 3.40
4.2 | Consider undertaking a threshold assessment to determine whether a larger PIA is needed in relation to the transfer of Promadis data to the Rego.ACT system. | | 3.40
4.3 | Encourage its staff to undertake the OAIC’s eLearning course on PIAs, especially those staff who work on large projects involving personal information. | | 3.28
5   | Access Canberra should implement regular and mandatory privacy training for all staff. This training should include short-term staff and contractors. Such training should cover privacy obligations for staff under the TPPs and how they fit into Access Canberra’s business processes. | | 3.29

3.4 The OAIC’s 2017 assessment made two further suggestions. The first was that Access Canberra continue to develop and implement its ‘Database Vulnerability Treatment Solution’. This ‘solution’ aimed to acquire a software tool to improve the security of information stored on all ACT Government databases, including the Rego.ACT and Promadis systems. Shared Services ICT investigated this solution and determined that it was not necessary, because the proposed software products were deemed to be too complex, unsuitable for the intended application and not financially viable. The OAIC did not consider this issue further.

3.5 The OAIC’s second suggestion was that WWVP and RTA application form privacy notices should include a hyperlink to Access Canberra’s privacy policy (which contains a further link to CMTEDD’s more detailed privacy policy). This suggestion aimed to assist Access Canberra to meet all its TPP 5 requirements by taking a layered approach to privacy notification. Access Canberra implemented the OAIC’s suggestion on some application forms, but not others. For further discussion, see paragraph 3.74.

Privacy culture, governance, and training

Privacy culture

Privacy contact officer

3.6 The OAIC’s 2017 assessment found that there was a risk Access Canberra was inconsistently treating or failing to address privacy issues for the WWVP and RTA services because it did not have dedicated privacy staff. Consequently, the OAIC recommended that Access Canberra implement a formal central privacy management function in consultation with CMTEDD. In response, in June 2018 CMTEDD recruited a Privacy Contact Officer (PCO) whose function is to coordinate privacy issues across CMTEDD’s entire portfolio, including Access Canberra. The PCO sits within CMTEDD Corporate. CMTEDD Corporate provides business enabling services to all of CMTEDD by overseeing internal audit, risk management, compliance functions and privacy.

3.7 The PCO has a wide range of privacy management functions, including:

  • providing ad hoc privacy policy advice
  • developing internal privacy policies and procedures, including the currently in development CMTEDD/Access Canberra Privacy Management Plan and Data Breach Response Plan
  • responding to privacy related complaints
  • managing data breach responses
  • developing privacy training resources for staff
  • providing advice on Privacy Impact Assessments, and
  • participating in governance mechanisms such as committees to report and respond to privacy issues upon invitation.

3.8 Currently, the PCO undertakes these functions with the support of two corporate officers and an administrative assistant.

3.9 At the time of the assessment, CMTEDD had not formally communicated the existence and function of the PCO’s role to all CMTEDD staff. The OAIC was advised that the choice not to promote the PCO’s role was to allow the PCO time to review existing privacy resources and to develop and implement new resources for CMTEDD more broadly. The PCO noted that Access Canberra’s business units, including BDM, WWVP and RTA, had become aware of the PCO’s role within the preceding six months, when they requested assistance from CMTEDD in relation to matters requiring the expertise of a privacy officer. At the time of the assessment, the PCO had been in the role for approximately 20 months.

3.10 The OAIC observed that Access Canberra’s business units do not routinely communicate and collaborate with the PCO to address privacy issues. Some staff responsible for administering the WWVP, RTA, and BDM services had only recently become aware of the PCO’s role. [11] Key staff for these services indicated that their communication with the PCO was primarily ad hoc and generally regarded specific issues such as addressing privacy complaints.

3.11 As highlighted in paragraphs 2.3-2.9, Access Canberra handles large volumes of personal information collected through the administration of numerous services, including the WWVP, RTA and BDM programs. Access Canberra also implements policies relating to its services that are developed by other ACT Government agencies, which may have broader implications for its management of personal information. CMTEDD functions such as Shared Services ICT also regularly provide ad hoc privacy related advice to Access Canberra’s business units, including those responsible for the WWVP, RTA and BDM services.

3.12 These circumstances introduce an acute need for privacy staff to coordinate incoming privacy related matters to ensure Access Canberra consistently treats and responds effectively to emerging privacy issues. Importantly, Access Canberra is one of a group of 19 entities for which the PCO is responsible for executing the functions listed above (paragraph 3.7). Consequently, there is a risk that the PCO may be under-resourced to effectively discharge their duties given the breadth of the role and the number of stakeholders with whom they engage. This introduces the medium risk that privacy issues particular to Access Canberra generally, and to the WWVP, RTA and BDM services specifically, remain untreated. This is reflected in the absence of essential privacy documentation such as an Access Canberra Privacy Management Plan, discussed below at paragraph 3.42.

3.13 The OAIC recommends that Access Canberra embeds a privacy team or a staff member within Access Canberra to assist the PCO manage privacy issues particular to Access Canberra generally, and the WWVP, RTA and BDM services specifically, given that several recommendations from the OAIC’s 2017 assessment have not yet been actioned. Further, the OAIC recommends that Access Canberra considers and implements mechanisms to strengthen WWVP, RTA, and BDM staff awareness of the roles and responsibilities of the PCO. This could be through coordination between the PCO and Access Canberra’s yet to be identified Privacy Champion (discussed below). Increasing staff awareness of the PCO will enhance Access Canberra’s privacy culture by facilitating greater collaboration and coordination on privacy related matters.

3.14 The PCO has taken steps to increase organisational awareness of privacy more broadly. For example, Access Canberra has, in collaboration with the PCO, promoted internal privacy awareness via all-staff emails and newsletters. Emails covered issues such as Privacy Awareness Week, privacy training and reminders for staff to be mindful of their obligations when handling personal information.

Privacy champion

3.15 Access Canberra reported that it does not have a person in senior leadership with a formally defined ‘Privacy Champion’ role and responsibilities. That is, an individual whose role includes overall accountability for privacy and promoting a privacy aware culture across all of Access Canberra’s seven business units. However, the Executive Branch Manager Corporate within CMTEDD [12] is nominally responsible for promoting privacy across CMTEDD’s entire portfolio.

3.16 The absence of a properly defined Privacy Champion introduces the medium risk that Access Canberra may not take a coordinated, top-down approach to creating a privacy aware culture that embeds privacy protections into service design and delivery. Consequently, this introduces the risk that the privacy issues across the WWVP, RTA and BDM services will not be consistently and effectively managed from a senior leadership position. The OAIC recommends that Access Canberra formally identify an individual in a senior leadership position as Access Canberra’s Privacy Champion and clearly define their responsibilities with respect to privacy to facilitate consistent management of privacy projects, risks and issues related to the WWVP, RTA, and BDM services.

Recommendation 1

The OAIC recommends that Access Canberra:

  • embeds a privacy team or a staff member within Access Canberra to assist the PCO manage privacy issues particular to Access Canberra generally, and the WWVP, RTA and BDM services specifically, given that several recommendations from the OAIC’s 2017 assessment have not yet been actioned
  • considers and implements mechanisms to strengthen staff awareness of the roles and responsibilities of the PCO. This could be effected through coordination between the PCO and Access Canberra’s yet to be identified Privacy Champion
  • formally identifies an individual in a senior leadership position as Access Canberra’s Privacy Champion and clearly defines their responsibilities with respect to privacy to facilitate consistent management of privacy projects, risks and issues related to the WWVP, RTA and BDM services.

Governance

3.17 Complex governance mechanisms operate within Access Canberra and between Access Canberra and CMTEDD. These mechanisms identify, treat, and monitor privacy issues related to the WWVP, RTA, and BDM services only in an ad hoc manner.

3.18 Access Canberra uses governance mechanisms such as boards, committees, working groups and the authority conferred upon executive staff to govern its business operations, including the WWVP, RTA, and BDM services. See the table below for five examples of identified applications of these governance mechanisms.

# | Governance application | Example
1 | Service specific committees or working groups for each of Access Canberra’s seven business units | The Rego.ACT Working Group deals with risks, issues, or project initiatives specifically related to vehicle licencing and registration
2 | Governance mechanisms that address generic, common operational needs for all operations of Access Canberra | The Access Canberra Executive ICT Steering Committee advises and guides the Deputy Director-General on the development and management of ICT software, systems, infrastructure, and data
3 | Executive committees that consider broader operational matters and strategic initiatives for Access Canberra as a whole | The Access Canberra Executive Meeting. Meeting members include Executive Branch Managers (executives responsible for the management of a single business unit), the Executive Group Manager, and the Deputy Director-General. These high-level committees facilitate coordinated governance across Access Canberra’s entire portfolio
4 | Governance mechanisms operating across the three tiers within CMTEDD whose remit includes Access Canberra | The CMTEDD Audit and Risk Committee handles internal whole-of-directorate audit functions
5 | Governance arrangements established by Memorandums of Understanding (MoUs) between Access Canberra as a whole, or specific Access Canberra business units, and other government agencies | The BDM program has an MoU with the other state and territory BDM registries to share Fact of Death information

3.19 The OAIC observed some ambiguity about the nature of the relationships between the various governance mechanisms operating across Access Canberra and how they address privacy-related matters. In some cases, there are clear reporting lines between governance mechanisms in different domains. For example, the Rego.ACT working group may escalate issues, risks, or project initiatives to the Access Canberra Executive Meeting which may optionally feed issues up to CMTEDD Corporate. In other cases, some governance functions between business units appear to be siloed and it is unclear how these governance functions fit into Access Canberra and CMTEDD’s broader governance structure.

3.20 This ambiguity is partially because of the failure to clearly document governance structures and how they function within Access Canberra and between Access Canberra and CMTEDD. In particular, the OAIC was not provided with any documents which set out clear procedures for oversight, accountability, and lines of authority for decisions regarding privacy. There are, however, documents distributed across Access Canberra’s intranet that reflect the general role and function of specific governance silos. For example, there is a flow chart that states the reporting lines from RTA related working groups to the Access Canberra Executive Meeting, but no further information is provided about whether and how these working groups address privacy related matters. In principle, the overarching governance structure could be inferred from reviewing these documents. Importantly, however, key governance documents do not consider the management of privacy across Access Canberra more broadly, or for the WWVP, RTA and BDM services specifically.

3.21 Details about how these governance arrangements unfold in practice are contained in the corporate memory of staff. This introduces the risk that important operational knowledge may be lost when staff leave Access Canberra. Further, new staff may not be aware of the relevant governance structures for reporting privacy issues.

3.22 Access Canberra staff reported that the identified governance mechanisms do not systematically report, escalate, oversee, or coordinate privacy issues related to the WWVP, RTA, and BDM services, or privacy more broadly. Further, it is unclear how these mechanisms interact with the PCO’s role discussed earlier in paragraphs 3.6 to 3.8. Rather, governance mechanisms appear to address privacy issues on an ad hoc basis rather than as an ongoing concern.

3.23 The absence of systematic consideration of privacy by Access Canberra’s governance mechanisms introduces the medium privacy risk that Access Canberra’s business units and relevant stakeholders in CMTEDD will not effectively identify and treat privacy related issues. Ambiguity about how the PCO and Privacy Champion integrate into the diversity of governance mechanisms operating within Access Canberra, and between Access Canberra and CMTEDD, also creates privacy risk. The OAIC recommends that Access Canberra establishes clearly documented governance mechanisms for reporting, escalating, overseeing and coordinating privacy issues across Access Canberra’s business units and other relevant stakeholders in CMTEDD. This could include adding privacy as a standing agenda item within existing governance mechanisms. This applies particularly to the WWVP, RTA, and BDM services, given the privacy risks associated with those services that this report identifies.

3.24 Executive staff are aware of the need to clarify Access Canberra’s governance structures and have created the Operation Bedrock Steering Committee to streamline and homogenise Access Canberra’s approach to governance. Operation Bedrock aims to achieve this by advising and assisting existing governance structures to commit to incorporating risk-based regulation, accountability and transparency into their activities. The Operation Bedrock Terms of Reference do not require the committee to consider incorporating privacy into governance structures where relevant (i.e. those related to the WWVP, RTA and BDM services). Access Canberra could consider using Operation Bedrock to assist with the incorporation of privacy into existing Access Canberra governance mechanisms.

Recommendation 2

The OAIC recommends that Access Canberra establishes clearly documented governance mechanisms for reporting, escalating, overseeing and coordinating privacy issues across Access Canberra’s business units and other relevant stakeholders in CMTEDD. This applies particularly to those responsible for the WWVP, RTA and BDM programs. This could include adding privacy as a standing agenda item within existing governance mechanisms.

Privacy training

3.25 The OAIC’s 2017 assessment found that Access Canberra did not provide regular, mandatory privacy specific training and refresher training to all its staff and contractors. Consequently, the OAIC recommended that Access Canberra develops a mandatory, regular privacy training program that addresses privacy obligations for staff and contractors under the TPPs.

3.26 The OAIC observed that Access Canberra has implemented a number of different forms of training for staff. Access Canberra provides mandatory induction training covering core responsibilities of all front-line and back-office staff. Privacy is a mandatory component of this induction training. Access Canberra reported that they have implemented a ‘no training, no access policy’ for the Rego.ACT system. Access Canberra staff who use the Rego.ACT system to administer RTA and the WWVP services are provided with training before they access the system, which includes consideration of information security and privacy. For the BDM service, Access Canberra provides mandatory informal ‘on the job’ training for BDM staff who use the Promadis ICT system.

3.27 Regarding privacy specific training, Access Canberra has provided some staff with opt-in privacy training run by the Australian Government Solicitor (AGS) on at least seven occasions since 2017. Access Canberra has not documented or tracked which staff have undertaken the AGS’s privacy training. Access Canberra reported that they encouraged staff to undertake the OAIC’s eLearning course on PIAs following the OAIC’s 2017 recommendation. However, it was not clear at the time of the assessment who had undertaken this training and at what time.

3.28 The absence of regular, mandatory privacy specific training for all staff and contractors introduces the medium risk that staff administering the WWVP, RTA, and BDM services (particularly new or inexperienced staff) may not have the knowledge and skill to appropriately handle the personal information they receive. [13] Consequently, a lack of appropriate privacy training increases the risk of adverse events such as data breaches. The OAIC recommends that Access Canberra implements regular, mandatory privacy training for all staff (including contractors and short-term staff) and tracks and reports on staff privacy training completion. Best practice would be for refresher training to occur on an annual or biannual basis for all staff.

3.29 The OAIC notes that CMTEDD is in the process of developing a privacy specific e-Learning Module which will replace AGS administered opt-in privacy training. Access Canberra advised that it was considering leveraging the e-Learning Module to provide refresher training, however at the time of the assessment this decision had not been finalised. The e-Learning Module may also facilitate reporting and tracking of staff who have completed privacy training. Access Canberra could consider using the e-Learning module as a way to implement regular privacy refresher training.

Recommendation 3

The OAIC recommends that Access Canberra implements regular, mandatory privacy training for all staff (including contractors and short-term staff) and tracks and reports on staff privacy training completion. Best practice would be for refresher training to occur on an annual or biannual basis for all staff.

Internal policies, practices, and procedures

3.30 The OAIC’s 2017 assessment found that policy and procedure documentation relating to the WWVP and RTA services, including their associated ICT systems, needed to be updated. A related factor was the absence of a policy and procedure document register that listed current policies, their date of issue, ownership, and their review schedule. The OAIC also noted the absence of essential privacy documentation including a Privacy Management Plan (PMP) and Data Breach Response Plan (DBRP).

Monitoring policies and procedures

3.31 Access Canberra does not currently have a formal, overarching mechanism for tracking the currency of all policies and procedures related to the handling of personal information for the WWVP, RTA, and BDM services.

3.32 The OAIC observed that Access Canberra has several WWVP, RTA and BDM policy and procedure documents that require review and update. Some policy and procedure documents do not state version histories or have review schedules. For example, the BDM Practice Manual, published in 2014, does not include version control information and does not reflect legislative changes that have occurred since its publication. Current BDM staff are, however, aware of the relevant legislative changes and administer the BDM service accordingly. A new staff member would be reliant on existing staff to instruct them on the relevant legislative changes and associated business practices not represented in the BDM Practice Manual.

3.33 Other policy documents, particularly ICT security policies such as the Rego.ACT Security Risk Management Plan, do have yearly review cycles. Access Canberra previously used the Application Portfolio Management (APM) tool to track ICT systems documentation. Specifically, the APM tool tracked contract end dates, system maintenance cycles, system security plan sign-off dates and criticality ratings. Access Canberra, however, advised that CMTEDD has decommissioned the APM tool. Access Canberra reported that they have developed an interim register to replace the APM tool while Shared Services ICT develops the ServiceNow Case Management System. However, the ServiceNow system will not be used as a policy document tracking system.

3.34 The absence of clear mechanisms to monitor, review and update policies introduces the medium privacy risk that personal information may be mishandled. This is because such documents, for example, may not reflect current legislative personal information handling requirements or contemporary ICT security risks (see paragraph 3.65). The OAIC recommends that Access Canberra reviews and updates WWVP, RTA, and BDM policies and procedures and implements a mechanism for monitoring the currency of all related policies and procedures going forward.

Agreements with other entities

3.35 As mentioned earlier, Access Canberra has established agreements such as MoUs with other entities to facilitate various business arrangements. For example, Access Canberra has an MoU with other state and territory Birth, Death and Marriage registries to share the ‘fact of death’ information of recently deceased individuals in the ACT.

Privacy management plan

3.36 Access Canberra does not currently have a Privacy Management Plan (PMP) or any overarching privacy management documentation that fulfils the role of a PMP.

3.37 The PCO is currently in the process of drafting a CMTEDD-wide PMP that will apply generally to Access Canberra. As a result, the OAIC was advised that the proposed PMP would likely not consider privacy risks and issues specific to the WWVP, RTA, and BDM services.

3.38 A PMP should be used to manage and coordinate the handling of personal information for the WWVP, RTA and BDM services. In particular, a PMP would facilitate identification and treatment of privacy risks and emerging privacy issues related to these services. The absence of such a core guiding document introduces the medium privacy risk that personal information used for the WWVP, RTA, and BDM services may be handled incorrectly. Consequently, the OAIC recommends that Access Canberra develops a PMP that identifies specific, measurable goals and targets that stipulate how Access Canberra will implement measures to embed a culture of privacy, establish and evaluate privacy processes and enhance its response to privacy issues as they relate to Access Canberra’s business units, particularly (for the purpose of this assessment) the WWVP, RTA and BDM services.

Privacy impact assessments

3.39 In 2016-17, Access Canberra foreshadowed a project to shift the ICT administration of its WWVP service from the Promadis to the Rego.ACT ICT system. This shift had substantial implications for Access Canberra’s management of personal information. Access Canberra hired an external consultant to conduct a Privacy Impact Assessment (PIA). The OAIC recommended in the 2017 assessment that Access Canberra wait for the consultant to complete their PIA prior to starting the project. Access Canberra reported that they adhered to this recommendation. Access Canberra also followed the OAIC’s recommendation to consider a threshold assessment to determine whether a larger PIA was needed in relation to the transfer of Promadis data to the Rego.ACT system. Access Canberra did not demonstrate how they tracked the implementation of the consultant’s PIA recommendations.

3.40 Access Canberra advised the OAIC that they generally conduct PIAs when looking to procure services, or for planning administrative or functional changes to its services. In support of this practice, CMTEDD have published resources available on Access Canberra’s intranet which aim to increase staff awareness of the importance of PIAs. Specifically, these resources, developed by the OAIC, provide guidance on what PIAs are and include templates for conducting internal PIAs for new projects.

3.41 At the time of the assessment fieldwork, Access Canberra was undertaking several large-scale projects that will alter its personal information handling practices. For example, ICT infrastructure for administering the WWVP service is shifting from Rego.ACT to a cloud-based solution. At the time of the assessment, it was unclear whether Access Canberra formally requires business units to either conduct privacy threshold assessments or PIAs for all new projects that involve handling personal information.

3.42 The absence of a formal requirement to consider privacy and personal information management during the design stages of projects introduces the medium risk that these projects will not take a privacy by design approach. This raises the possibility that executed projects may not appropriately manage personal information in accordance with one or more TPPs. The OAIC recommends that Access Canberra requires that plans for new projects consider whether the project involves handling personal information and, if so, include provisions for conducting a privacy threshold assessment followed, if necessary, by a PIA, particularly for new WWVP, RTA, and BDM projects. Access Canberra could consider incorporating a privacy standing agenda item into relevant governance mechanisms for new projects as a way to examine the need to conduct threshold assessments or PIAs.

3.43 Access Canberra reported that it does not keep a record of the PIAs it conducts or make completed PIAs or summaries publicly available. The PCO reported that they are in the process of developing a record of PIAs conducted across CMTEDD which includes Access Canberra PIAs. The OAIC recommends that Access Canberra implements a formal mechanism for tracking the PIAs it conducts and the subsequent implementation of PIA recommendations, particularly for projects relating to or affecting the WWVP, RTA, and BDM services.

Data breach response plan

3.44 Access Canberra does not currently have a finalised Data Breach Response Plan (DBRP). The PCO reported that they are drafting a CMTEDD-wide DBRP. In the interim, Access Canberra has basic data breach management and response resources available to staff on the intranet. These resources include an email template and instructions on how to report data breaches. In the event of a data breach, staff would be expected to follow the email template for ‘small breaches’ or contact the PCO for larger breaches. However, as pointed out at paragraph 3.10, as there has been no communication to all Access Canberra staff about the PCO’s existence, staff may not be initially aware of the need to contact them in the event of a breach. This introduces the risk that Access Canberra’s responses to data breaches may be delayed or data breaches may not be reported at all. Rapid responses to data breaches are important because they are an effective measure to mitigate breach severity.

3.45 Access Canberra reported that the BDM program suffered a data breach in December 2018. Personal information of one individual was unintentionally mailed to a different individual sharing the same name who had requested a BDM certificate. BDM staff became aware of the breach after finalising their record-keeping processes. BDM staff notified the PCO and proactively contacted the individual prior to their receipt of the incorrect certificate. Once the error was identified, staff invalidated the certificate and arranged to recall (through Australia Post registered mail) one of the incorrectly issued certificates. Staff contacted the receiving party to arrange return of the incorrectly issued certificate which could not be recalled. Once recovered by Access Canberra, the physical certificate was destroyed. Staff also notified the individual whose information had been breached and apologised.

3.46 The manner in which the WWVP, RTA, and BDM business units handle personal information varies. For example, the WWVP program may collect sensitive information about an individual’s criminal history whereas vehicle registration does not require such information. Consequently, there is a need for a DBRP to be nuanced and appropriate to the manner in which a given business unit interacts with customers, and collects, uses, discloses, and stores personal information including sensitive information. The absence of a nuanced DBRP introduces the risk that Access Canberra may not mitigate all harms associated with a data breach. This links in with the importance of privacy training imbuing staff with the skills to reduce the probability of a human error-based breach via a sound understanding of privacy and the ability to recognise when breaches have occurred. Training can be used to good effect with a service specific DBRP that outlines procedures to remedy breaches. The OAIC recommends that Access Canberra finalises a Data Breach Response Plan and ensures the plan is applicable to or meets the specific requirements of Access Canberra’s business units, particularly WWVP, RTA and BDM.

Recommendation 4

The OAIC recommends that Access Canberra:

  • reviews and updates RTA, WWVP, and BDM policies and procedures and implements a mechanism for monitoring the currency of all related policies and procedures going forward
  • develops a PMP that identifies specific, measurable goals and targets that stipulate how Access Canberra will implement measures to embed a culture of privacy, establish and evaluate privacy processes and enhance its response to privacy issues as they relate to Access Canberra’s business units, particularly (for the purpose of this assessment) the WWVP, RTA and BDM services
  • requires that plans for new projects consider whether the project involves handling personal information and, if so, include provisions for conducting a privacy threshold assessment followed, if necessary, by a PIA, particularly for new WWVP, RTA and BDM projects. Access Canberra could consider incorporating a privacy standing agenda item into relevant governance mechanisms for new projects as a way to examine the need to conduct threshold assessments or PIAs
  • implements a formal mechanism for tracking the PIAs it conducts and the subsequent implementation of PIA recommendations, particularly for projects relating to or affecting the WWVP, RTA and BDM services
  • finalises a Data Breach Response Plan and ensures the plan is applicable to or meets the specific requirements of Access Canberra’s business units, particularly WWVP, RTA and BDM.

Complaints handling

3.47 Access Canberra’s Complaints Management Team (CMT) manage complaints received either via Access Canberra’s website or from individual business units who forward complaints received from the public. The CMTEDD ‘Information Privacy Complaint Handling Policy and Procedures’ available on the CMTEDD intranet provides Access Canberra staff with procedural information for referring complaints to the CMT. The CMT aim to address complaints within 21 days of their receipt per Access Canberra’s complaints policy.

3.48 Privacy related complaints are referred either directly by individual business units, or via the CMT, to the PCO. In addition to Access Canberra related privacy complaints, the PCO manages privacy complaints received from other CMTEDD functions. Privacy complaints are recorded and tracked by the PCO. The PCO is currently developing tailored privacy complaint handling guidance for Access Canberra.

3.49 Access Canberra reported that they have received one privacy complaint in the preceding financial year which related to the WWVP program. [14] Access Canberra staff reported that complaints made to the WWVP program typically relate to application outcomes and not Access Canberra’s management of personal information. No complaints received by Access Canberra have been referred to the OAIC in the 2017-2020 period.

Privacy risk management

3.50 In 2017, the OAIC found that it was unclear how the WWVP and RTA programs manage the identification, treatment, and reporting of service specific privacy risks other than ICT security risks. Further, Access Canberra’s high-level strategic risk management register did not clearly consider privacy risks related to its services. The OAIC recommended that Access Canberra review risk management processes for the WWVP and RTA programs and use the Strategic Risk Register to record and manage privacy risks.

3.51 Consistent with the 2017 assessment, the OAIC observed that Access Canberra, in collaboration with CMTEDD, take a ‘top down, bottom up’ approach to risk management. Risk mechanisms operating at different levels of the Access Canberra/CMTEDD governance hierarchy develop and maintain risk management tools in the form of risk registers.

3.52 Starting from the bottom of the risk management hierarchy, each business unit contributes to the development of a divisional risk plan. Specifically, the WWVP, RTA, and BDM programs provide input to the Licencing and Registration Branch divisional risk register. This register is reviewed and updated quarterly with risk owners (typically Executive Branch Managers) reporting on risk intervention outcomes where applicable. This risk register does not refer to privacy risks and treatments specific to the WWVP, RTA, and BDM services. It does, however, generally consider data and information management risks such as physical and technological data security, staff training and data breaches. As noted, personal information management practices and ICT systems differ between the WWVP, RTA and BDM services. Consequently, they may be exposed to different operational privacy risks.

3.53 The Rego.ACT and Promadis ICT Security Plans both contain risk registers that identify and propose treatments for ICT security related privacy risks. For example, they consider unauthorised access to personal information, secondary disclosure and use and database systems failure.

3.54 The Access Canberra Strategic Risk Register is updated on a quarterly basis. This risk register is designed to track macro risks that apply to Access Canberra as a whole. It may receive input from business units or CMTEDD functions such as CMTEDD Corporate and Shared Services ICT. Access Canberra has followed the OAIC’s recommendation and incorporated consideration of privacy issues into its strategic risk register. For example, the register now includes consideration of PIAs for new projects where relevant and the need to conduct privacy training for staff.

3.55 Finally, the CMTEDD Strategic Risk Register only considers risks tangentially related to privacy, such as loss of key staff (who maintain corporate memory of privacy governance). It does not consider high level privacy risks such as privacy staff resourcing or the absence of key privacy governance artefacts such as PMPs or DBRPs.

3.56 The management of privacy risks associated with the WWVP, RTA and BDM services appears to be ad hoc. The OAIC did not observe any documentation which describes how privacy risks specific to the WWVP, RTA, and BDM services are identified, reported and managed on an ongoing basis. The absence of clear structures for risk reporting and management introduces the medium risk that privacy risks related to these services may not be treated effectively or in a timely fashion. The OAIC recommends that Access Canberra establishes mechanisms for properly documenting, identifying, reporting and managing privacy risks associated with Access Canberra’s business units (WWVP, RTA and BDM).

Recommendation 5

The OAIC recommends that Access Canberra establishes mechanisms for properly documenting, identifying, reporting and managing privacy risks associated with Access Canberra’s business units, particularly WWVP, RTA and BDM.

Information security and access controls

3.57 As with the 2017 assessment, the OAIC examined the ICT access control practices and procedures applied to ICT systems used for administering the WWVP, RTA, and BDM services. [15]

3.58 The key documents underpinning these practices and procedures are the security plans for Rego.ACT and Promadis and the ACT Government Security Policy. In addition to the risk reporting described above, the security plans clearly articulate access controls whose design and operation appear to remain unchanged since 2017. For example, the Rego.ACT and Promadis systems continue to have a ‘no training, no access’ policy bolstered by role-based system access that is monitored by Shared Services ICT and Promadis. System access tracking includes information about the timing of a particular staff member’s access to a system. These logs are audited on an ‘exception’ basis, e.g. when it is believed that unauthorised access has occurred.

3.59 Access Canberra is in the process of undertaking two major ICT projects which impact upon the ICT administration of the WWVP and BDM services. The WWVP program will shift its administration from the Rego.ACT system to a new platform. Access Canberra reported that they are planning to conduct a PIA for this project. As mentioned earlier, Access Canberra is also engaging in a process to shift its personal information storage to a cloud-based platform. Access Canberra cited this as one reason why the Promadis Security Plan had not been updated since 2015. Both projects have major security implications for the administration and storage of personal information. The OAIC supports Access Canberra’s intent to conduct a PIA.

3.60 Importantly, the Rego.ACT Security Plan was updated in late 2019 and details its version history and annual update schedule. In contrast, the Promadis ICT Security Plan has not been updated since October 2015. Consequently, ICT security risks and their treatments as detailed in the Promadis ICT Security Plan may be outdated. This introduces the medium risk that Promadis system administrators have not adequately documented, tracked or treated ICT security risks associated with the administration of the BDM service. The OAIC recommends that Access Canberra reviews the existing Promadis security plan, ensures that it complies with the ACT Government’s ICT Security Policy, and implements any necessary interim security measures whilst its cloud-based solution is rolled out.

3.61 Access Canberra digitises all new BDM registrations and stores the data on the Objective document management system. Access to personal information stored on Objective is monitored and controlled by Shared Services ICT. Paper application forms are destroyed after digitisation. There is, however, a large physical store of historical BDM paper records which have not been digitised. Access Canberra monitors physical access to this storage facility; however, they are unable to track what staff members do with records once they have entered the facility. The OAIC considers that this poses a low privacy risk insofar as the vast majority of records are of historical, genealogical interest and do not contain the personal information of living individuals. To ensure that all records are protected from any unauthorised handling and to minimise risks around identity fraud, the OAIC suggests that Access Canberra commences digitisation of these records, particularly those records that contain information about living individuals. This would allow these records to be protected by the access control and audit logging functions available on digital platforms such as Promadis.

Recommendation 6

The OAIC recommends that Access Canberra reviews the existing Promadis security plan, ensures that it complies with the ACT Government’s ICT Security Policy, and implements any necessary interim security measures whilst its cloud-based solution is rolled out.

Privacy notices

3.62 TPP 5 requires ACT Government agencies that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in TPP 5.2) or to ensure the individual is aware of those matters, at or before the time of collection or, if that is not practicable, as soon as practicable after collection.

3.63 The WWVP, RTA and BDM privacy notices contained in paper and online application forms were reviewed to assess whether they fulfilled all TPP 5 requirements. Each service has several application forms for different functions, some of which are detailed below.

Online form privacy notices

3.64 WWVP, vehicle registration and BDM online forms display privacy notices in two different ways. The privacy notices for BDM and vehicle registration applications are not directly displayed to customers when they fill out the form. Rather, there is a hyperlink at the bottom of the data entry box which only displays the privacy notice when a customer clicks on it. This privacy notice includes a link to Access Canberra’s privacy policy. Given its location on the screen, a customer would have to actively seek out the privacy notice to be aware of its content. As such, there is the medium risk that customers are not notified of their privacy rights when supplying personal information to Access Canberra. In contrast, the WWVP online form displays a basic privacy notice as a step in completing the online form, which includes a hyperlink to Access Canberra’s more detailed privacy policy. This mode of privacy notice presentation ensures that customers have the opportunity to be made aware of how their information will be handled. The OAIC recommends that Access Canberra modifies the presentation of the privacy notices in BDM and vehicle registration online form applications so that it incorporates the presentation of the privacy notice as a mandatory step in form completion.

Paper application form privacy notices

3.65 Regarding WWVP, RTA, and BDM paper application forms, the OAIC noted that some privacy notices do not consistently meet all TPP 5 requirements.

WWVP and RTA paper application forms

3.66 Some WWVP and RTA paper application forms do not have a privacy notice. The WWVP ‘Part-B - Circumstances of an Offence’ paper form available for download on Access Canberra’s website does not have a privacy notice. For vehicle registrations, three paper forms listed below do not have privacy notices:

  • ‘Application for concessional registration of a motor vehicle’
  • ‘Primary producer declaration for farmer concession’
  • ‘Application for duty exemption for a motor vehicle’.

3.67 However, for these forms there is a link to a privacy notice which contains a download link to the ‘CMTEDD Information Privacy Policy’ on the page from which a person downloads the forms. As with the online application forms discussed above, a customer would have to actively seek out this privacy notice to find it.

3.68 In 2017, the OAIC suggested that Access Canberra include a hyperlink to Access Canberra’s privacy policy (which contains a further link to CMTEDD’s detailed privacy policy). The OAIC noted that some application forms, including BDM application forms, contained this hyperlink, whereas others did not.

BDM paper application forms

3.69 The OAIC noted some inconsistency in the content and detail of privacy notices for the 23 BDM paper application forms available for download on the Access Canberra website. This is partly due to different applications requiring different types of information or needing to satisfy different legislative obligations. Some specific issues are as follows.

3.70 ‘Application for recognised details’ does not state the purpose of personal information collection. Only two forms (‘207 CNC’ and ‘206 – CAN’) state consequences for not providing personal information. However, denial of service is the implied consequence of failing to provide the personal information requested.

3.71 Only seven BDM paper forms include a URL link to Access Canberra’s short form privacy policy (ACT Govt.), which itself includes a link to CMTEDD’s Information Privacy Policy. These more detailed privacy notices do not stipulate consequences of failure to provide information. The form ‘Declaration of a civil union (form 901)’ does not have a privacy notice. Consequently, the OAIC recommends that Access Canberra reviews and updates BDM paper forms that do not meet mandatory TPP 5 requirements including:

  • provision of a privacy statement
  • statement of the purpose of personal information collection
  • consequences of not providing information.

3.72 Five BDM paper forms do not provide information about how to access translation or interpretation services:

  • ‘Application to terminate a civil union’
  • ‘Application to alter birth register to record change of sex’
  • ‘Application to register as a civil union celebrant’
  • ‘Declaration of a civil union’
  • ‘Withdrawal of a termination of a civil union’.

3.73 The OAIC suggests that Access Canberra add to the five BDM paper forms information about how to access translation or interpretation services. This may assist individuals with special needs, for example individuals from non-English speaking backgrounds who may not readily understand APP 5 matters.

3.74 Access Canberra reported that it has been approximately three years since privacy notices for the WWVP, RTA and BDM services had been reviewed. Staff acknowledged that there is no formal mechanism for tracking the version history or scheduling for periodic review of privacy notices. Access Canberra staff and the PCO are aware of the need to streamline and resolve inconsistencies in privacy notices for WWVP, RTA and BDM service application forms. The PCO reported that they had liaised with and provided advice to the Licencing and Registration Branch executives on standardising privacy notices. Further, BDM staff have liaised with the ACT Government Solicitor’s Office on the content of its BDM application form privacy notices. The development of a PMP and a policy and procedure tracking tool provide an opportunity to remedy these deficiencies.

3.75 The OAIC recommends that Access Canberra considers standardising a minimum set of privacy notice content for all BDM, RTA and WWVP application forms so that they consistently meet all TPP 5 requirements. A step in this process could include updating all paper BDM, WWVP and vehicle registration application forms so that privacy notices include a URL link to Access Canberra’s privacy policy as a mechanism for addressing all mandatory TPP 5 requirements.

Recommendation 7

The OAIC recommends that Access Canberra:

  • amends the privacy notices in BDM and vehicle registration online form applications so that they incorporate the presentation of the privacy notices as a mandatory step in form completion
  • reviews and updates BDM paper forms that do not meet mandatory TPP 5 requirements, including:
  1. provision of a privacy statement
  2. statement of the purpose of personal information collection
  3. consequences of not providing information
  • considers standardising privacy notice content for all BDM, RTA and WWVP application forms so that they consistently fulfil all TPP 5 requirements. A step in this process could include updating all paper BDM, WWVP and vehicle registration application forms so that privacy notices include a URL link to Access Canberra’s privacy policy as a mechanism for addressing all mandatory TPP 5 requirements.

Part 4: Description of assessment

Objective and scope of the assessment

4.1 This privacy assessment of Access Canberra had two objectives:

  • to follow up on Access Canberra’s implementation of five recommendations made in 2017 related to risks associated with Access Canberra’s handling of personal information for vehicle registrations and WWVP applications
  • to consider AC’s handling of personal information collected in applications for birth, death and marriage registrations and certificates.

4.2 The scope of this assessment was limited to TPPs 1 and 5. TPP 1 requires that Access Canberra take reasonable steps to implement practices, procedures and systems relating to its WWVP and RTA services that will:

  • ensure that it complies with the TPPs
  • enable it to deal with inquiries or complaints from individuals about its compliance with the TPPs.

4.3 For an entity to meet the obligations of TPP 1, that entity must be proactive in establishing, implementing and maintaining privacy processes. This is an ongoing obligation and TPP 1 necessitates good governance.

4.4 TPP 5 requires ACT Government agencies to take reasonable steps either to notify individuals or to make individuals aware of items listed in TPP 5 upon collection of their personal information.

Timing, location and assessment techniques

4.5 The OAIC reviewed policy and procedure documents provided by Access Canberra. The OAIC conducted the fieldwork component of the assessment at Access Canberra’s Woden Office, where key staff from Access Canberra and CMTEDD were interviewed on 25 and 26 February 2020. Following this, the OAIC reviewed further documentation provided by Access Canberra.

4.6 The assessment of Access Canberra was risk-based. The focus was on identifying privacy risks to the effective handling of personal information in the WWVP, RTA and BDM services.

Privacy risks

4.7 The OAIC makes recommendations to address ‘medium’ and ‘high’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

4.8 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

4.9 The OAIC has made seven recommendations and two suggestions that will, in the OAIC’s opinion, assist Access Canberra to further protect the personal information it handles. These recommendations and suggestions are set out in the body of the report.

Reporting

4.10 This report has been prepared for Access Canberra. The OAIC will publish the full report and will provide Access Canberra with the opportunity to comment on the report before doing so.

Part 5: Recommendations and Access Canberra’s responses

OAIC recommendation 1

5.1 The OAIC recommends that Access Canberra:

  • embeds a privacy team or a staff member within Access Canberra to assist the PCO to manage privacy issues specific to Access Canberra generally, and to the WWVP, RTA and BDM services specifically, given that several recommendations from the OAIC’s 2017 assessment have not yet been actioned
  • considers and implements mechanisms to strengthen staff awareness of the roles and responsibilities of the PCO. This could be effected through coordination between the PCO and Access Canberra’s yet-to-be-identified Privacy Champion
  • formally identifies an individual in a senior leadership position as Access Canberra’s Privacy Champion and clearly defines their responsibilities with respect to privacy, to facilitate consistent management of privacy projects, risks and issues related to the WWVP, RTA and BDM services.

Response by Access Canberra

5.2 Agreed in part - Access Canberra is an agency within the Chief Minister, Treasury and Economic Development Directorate (CMTEDD) and works within overarching governance structures developed at the Directorate level by the CMTEDD Corporate Management Unit which cascade to sub-units of the Directorate (such as Access Canberra). Adjustments are applied where required in response to context specific constraints or opportunities that exist at operational levels. Rather than creating a new position for a privacy officer within Access Canberra, an existing Access Canberra staff member will be assigned to assist CMTEDD’s Privacy Contact Officer to promote awareness and consideration of privacy issues relevant to Access Canberra’s functions and the WWVP, RTA and BDM services specifically. This arrangement is expected to ensure business “subject matter” expertise and “privacy” expertise are working collaboratively and cohesively towards the development of a privacy positive culture for the directorate and Access Canberra while avoiding the inefficiency of establishing duplicate governance arrangements.

5.3 Agreed - Access Canberra will work with the PCO to build staff awareness of the roles and responsibilities of the PCO.

5.4 Agreed – The Executive Champion for Privacy within CMTEDD is the Executive Group Manager Corporate. However, Access Canberra is moving to establish and recruit to a Chief Operating Officer position at the Executive Group Manager level. It is intended that this position would become the senior executive responsible (Privacy Champion) in Access Canberra, who will apply focus to and champion various corporate governance responsibilities including privacy.

OAIC recommendation 2

5.5 The OAIC recommends that Access Canberra establishes clearly documented governance mechanisms for reporting, escalating, overseeing and coordinating privacy issues across Access Canberra’s business units and other relevant stakeholders in CMTEDD. This applies particularly to those responsible for the WWVP, RTA and BDM programs. This could include adding privacy as a standing agenda item within existing governance mechanisms.

Response by Access Canberra

5.6 Agreed - Access Canberra will ensure oversight arrangements and processes are applied to focus the attention and consideration of relevant committees or groups on appropriate handling of personal information considerations through change management processes. The CMTEDD Privacy Contact Officer will be invited to participate as a member of the ICT Project Advisory Group operating within Access Canberra to ensure awareness of new initiatives at the point they are proposed.

OAIC recommendation 3

5.7 The OAIC recommends that Access Canberra implements regular, mandatory privacy training for all staff (including contractors and short-term staff) and track and report on staff privacy training completion. Best practice would be for refresher training to occur on an annual or biannual basis for all staff.

Response by Access Canberra

5.8 Agreed - Development of the CMTEDD Privacy E-learning training module has been completed and will be rolled out to all AC staff on an annual basis. The data for completion of this training can be tracked and reported on.

OAIC recommendation 4

5.9 The OAIC recommends that Access Canberra:

  • reviews and updates RTA, WWVP, and BDM policies and procedures and implements a mechanism for monitoring the currency of all related policies and procedures going forward
  • develops a PMP that identifies specific, measurable goals and targets that stipulate how Access Canberra will implement measures to embed a culture of privacy, establish and evaluate privacy processes and enhance its response to privacy issues as they relate to Access Canberra’s business units, particularly (for the purpose of this assessment) the WWVP, RTA and BDM services
  • requires that plans for new projects consider whether the project involves handling personal information and, if so, include provisions for conducting a privacy threshold assessment followed, if necessary, by a PIA, particularly for new WWVP, RTA and BDM projects. Access Canberra could consider incorporating a privacy standing agenda item into relevant governance mechanisms for new projects as a way to examine the need to conduct threshold assessments or PIAs
  • implements a formal mechanism for tracking the PIAs it conducts and the subsequent implementation of PIA recommendations, particularly for projects relating to or affecting the WWVP, RTA and BDM services
  • finalises a Data Breach Response Plan and ensures the plan is applicable to, or meets the specific requirements of, Access Canberra’s business units, particularly WWVP, RTA and BDM.

Response by Access Canberra

5.10 Agreed - a document register will be established to record key dates for review and document control relevant to policies and procedures utilised by Access Canberra teams.

5.11 Agreed in part - Acknowledging that Access Canberra is an agency within the CMTED Directorate, the CMTEDD Privacy Management Plan (CMTEDD PMP), which is in development, would be the overarching governance document developed and applied to build awareness and understanding of arrangements and obligations arising from processes for handling personal information.

5.12 Agreed - Initiatives linked with ICT system changes or updates will include a privacy threshold assessment to determine the need for a PIA to be conducted to inform the approach to be applied when implementing a solution.

5.13 Agreed - PIAs completed by Access Canberra will be released for access by the community where appropriate and will be archived as a record in the Objective Electronic Document and Records Management System used by Access Canberra. Implementation of recommendations raised in the PIAs is to be tracked, actioned, and reported on through project governance meetings established to oversee and direct change initiatives.

5.14 Agreed in part - A CMTEDD Data Breach Response Plan is being developed and will soon be promoted for use by agencies across the Directorate, including Access Canberra.

OAIC recommendation 5

5.15 The OAIC recommends that Access Canberra establishes mechanisms for properly documenting, identifying, reporting and managing privacy risks associated with Access Canberra’s business units, particularly WWVP, RTA and BDM.

Response by Access Canberra

5.16 Agreed - Access Canberra will develop risk management plans which identify repositories (i.e., registers, databases, systems or archives) hosting or containing personally identifying information, rate identified risks relevant to processes, practices or repositories involving personally identifying information and identify risk treatments to be applied in response.

OAIC recommendation 6

5.17 The OAIC recommends that Access Canberra reviews the existing Promadis security plan, ensures that it complies with the ACT Government’s ICT Security Policy, and implements any necessary interim security measures whilst its cloud-based solution is rolled out.

Response by Access Canberra

5.18 Agreed - Access Canberra will engage in a process to review and update the Promadis System Security Plan, establish a Promadis System Security Risk Management Plan (SRMP) and track the implementation of risk treatments identified in the SRMP.

OAIC recommendation 7

5.19 The OAIC recommends that Access Canberra:

  • amends the privacy notices in BDM and vehicle registration online applications so that they incorporate the presentation of the privacy notices as a mandatory step in form completion
  • reviews and updates BDM paper forms that do not meet mandatory TPP 5 requirements, including:
  1. provision of a privacy statement
  2. statement of the purpose of personal information collection
  3. consequences of not providing information
  • considers standardising privacy notice content for all BDM, RTA and WWVP application forms so that they consistently fulfil all TPP 5 requirements. A step in this process could include updating all paper BDM, WWVP and vehicle registration application forms so that privacy notices include a URL link to Access Canberra’s privacy policy as a mechanism for addressing all mandatory TPP 5 requirements.

Response by Access Canberra

5.20 Agreed - Access Canberra will ensure privacy notices are presented as a mandatory step in completion of online forms used for RTA and BDM services or requests.

5.21 Agreed - Access Canberra will ensure hard copy BDM application forms include a privacy statement, statement of the purpose of personal information collection and consequences of not providing information.

5.22 Agreed - Current practice is to use the CMTEDD Privacy notice; however, Access Canberra (given the nature of the functions it administers on behalf of the ACT Government and linkages to other directorates) will consider developing a specific privacy notice which also refers and links to the CMTEDD Privacy Policy. A “short form privacy notice” covering the requirements of a TPP 5 notice has been drafted by the CMTEDD PCO and provided for Access Canberra’s consideration and use.


Appendix A: Privacy risk guidance

For each privacy risk rating, the guidance below sets out the entity action required and the likely outcome if the risk is not addressed.

High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation.

Likely outcome if risk is not addressed: Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking).
  • Likely adverse or negative impact upon the handling of individuals’ personal information.
  • Likely violation of entity policies or procedures.
  • Likely reputational damage to the entity, such as negative publicity in national or international media.
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines.
  • Likely ministerial involvement or censure (for agencies).

Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation.

Likely outcome if risk is not addressed: Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation.
  • Possible adverse or negative impact upon the handling of individuals’ personal information.
  • Possible violation of entity policies or procedures.
  • Possible reputational damage to the entity, such as negative publicity in local or regional media.
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities.
  • Possible ministerial involvement or censure (for agencies).

Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation.

Likely outcome if risk is not addressed: Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited and may be within acceptable entity risk tolerance levels.
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit).
  • Minimum compliance obligations are being met.

Glossary

AGS – Australian Government Solicitor
APM – Application Portfolio Management (tool)
APP – Australian Privacy Principle
BDM – Births, Deaths, and Marriages
CMTEDD – Chief Minister, Treasury and Economic Development Directorate
CMTEDD function – An administrative responsibility assigned to a unit within the CMTEDD Directorate.
CMT – Complaints Management Team
DBRP – Data Breach Response Plan
DVS – Document Verification Service
ICT – Information Communication Technology
MoU – Memorandum of Understanding
OAIC – Office of the Australian Information Commissioner
PCO – Privacy Contact Officer
PIA – Privacy Impact Assessment
PMP – Privacy Management Plan
RTA – Road Transport Authority
TPP – Territory Privacy Principle
WWVP – Working with Vulnerable People

Footnotes

[1] See the organisation chart for more information about the array of functions CMTEDD oversee and perform: https://www.cmtedd.act.gov.au/__data/assets/pdf_file/0018/711216/Executive_StreamOrgChart.pdf (accessed on 17 March 2021).

[3] WorkSafe ACT was part of Access Canberra when the assessment was undertaken. Subsequently, the OAIC was advised that WorkSafe ACT was removed from Access Canberra’s administrative arrangements and is now recognised as a distinct ‘statutory’ entity which operates as a function of the CMTEDD Directorate.

[4] At the time of the assessment the WWVP function was managed by the Customer Coordination Branch of Access Canberra. The OAIC has since been advised that the WWVP program administrative responsibility has passed to the Fair Trading and Compliance Regulatory Strategy unit in Access Canberra.

[5] A person is defined by Access Canberra as being vulnerable if they are a child under the age of 18 years or an adult who is experiencing disadvantage and accesses a regulated activity or service related to the disadvantage. This definition is a basis for determining the types of services or activities that might attract background checking. The definition also recognises people’s changing circumstances, as they may not be considered vulnerable at all times.

[6] For more information see ACT Working with Vulnerable People Scheme document available from the Access Canberra website.

[7] Following the assessment fieldwork, the OAIC was advised that WWVP information was migrated to a new information management system (Salesforce) as of 16 November 2020.

[8] Because the ACT Auditor General had published its Data Security report on ACT Government agencies’ ICT infrastructure, the OAIC’s assessment focused on the governance of Access Canberra’s ICT infrastructure. The scope of the assessment did not extend to a detailed analysis of the ICT controls that Access Canberra has implemented to protect the personal information in the Rego.ACT or Promadis systems. However, this report echoes some key findings of the Auditor General’s report, such as the critical need for Access Canberra to implement a data breach response plan, to undertake staff training and to clarify how governance mechanisms manage privacy issues related to the WWVP, RTA and BDM services. For further information, see https://www.audit.act.gov.au/__data/assets/pdf_file/0020/1561223/Report-No.-3-of-2020-Data-Security.pdf (accessed 16 March 2021).

[9] Specifically, APPs 7 (direct marketing) and 9 (adoption, use or disclosure of government related identifiers) do not have TPP equivalents. See for further information: https://www.oaic.gov.au/privacy/privacy-in-your-state/privacy-in-the-act/territory-privacy-principles/#:~:text=The%20Territory%20Privacy%20Principles%20(TPPs,obligations%20under%20a%20government%20contract (accessed 18 March 2021).

[10] For more information, see the OAIC’s summary assessment report at: https://www.oaic.gov.au/privacy/privacy-assessments/summary-of-the-oaics-assessment-of-privacy-policies-of-10-act-public-sector-agencies/ (accessed 18 March 2021).

[11] At the time of the assessment Access Canberra staff had been aware of the PCO’s role for approximately 6 months.


[12] The CMTEDD Executive Branch Manager Corporate oversees the Information Management Team, which includes the PCO.

[13] The ACT Auditor General’s Data Security report, published after the fieldwork for this assessment was conducted, further highlighted the need for training and education to increase staff understanding of how to use and share data securely. This finding generally extends to the management of personal information through Access Canberra’s ICT systems. See for more information: https://www.audit.act.gov.au/__data/assets/pdf_file/0020/1561223/Report-No.-3-of-2020-Data-Security.pdf (accessed 18 March 2021).

[14] The complaint was in relation to a refusal by Access Canberra to correct an ACIC National Police History Check under the Information Privacy Act 2014 (ACT). The matter was subject to a subsequent review by the Ombudsman, and Access Canberra advised the OAIC that the Ombudsman upheld Access Canberra’s decision.

[15] This assessment’s scope was limited to TPP 1.2 and appraising Access Canberra’s privacy management practices relating to ICT projects and system access governance for the WWVP, RTA and BDM services. The assessment did not consider in great detail steps Access Canberra and Shared Services have taken to secure personal information across all of its ICT systems.