Publication date: 8 July 2021

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC’s) privacy assessment of the Department of Veterans’ Affairs (DVA) management of personal information under the Privacy Act 1988 (Cth) (Privacy Act), conducted in October 2019.

1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

1.3 The purpose of the assessment was to determine whether DVA is taking reasonable steps to implement practices, procedures and systems relating to its data matching activities in accordance with APP 1.2 in the Privacy Act.

1.4 As DVA is an agency as defined in s 6 of the Privacy Act, it is bound by the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Privacy Code). [1] As part of this assessment, the OAIC also assessed DVA against the requirements of the Privacy Code. [2]

1.5 The assessment found that DVA has taken some steps to manage its privacy risks. However, DVA’s overall privacy culture is still developing and would not yet be considered mature. The OAIC has identified one high privacy risk and 8 medium privacy risks associated with DVA’s information handling and privacy practices. The combined purpose of the 9 recommendations in the report is to address these privacy risks and enhance the maturity of the privacy culture within DVA.

1.6 In relation to one identified high privacy risk, the OAIC recommends that DVA meets its privacy obligations under the Privacy Code by developing a record of personal information holdings.

1.7 In relation to 8 identified medium privacy risks, the OAIC recommends that DVA:

  • appoints a replacement Privacy Officer and maintains the position on an ongoing basis to ensure business continuity with the department’s privacy management functions
  • strengthens its privacy governance by:
    • raising staff awareness of and engagement with the Privacy Champion, as well as clearly outlining the roles and responsibilities of the Privacy Champion
    • including privacy representation on the Security Committee to ensure that privacy staff are aware of important risk management and security matters discussed by the Committee and to ensure appropriate consideration of relevant privacy issues by the Committee
  • raises awareness of privacy matters by informing staff of the available privacy resources on the staff intranet, including newly developed resources, such as the privacy management plan and data breach response plan
  • fosters a more privacy-aware culture by:
    • updating its current mandatory training modules to include more substantive privacy related training material, such as the definition of personal information, identifying and reporting non-compliance with the Privacy Act and obligations under the Notifiable Data Breaches (NDB) scheme
    • developing a stand-alone privacy training module and ensuring annual refresher training is provided to all staff
  • manages its internal data matching policies and procedures to ensure that they comply with the Data-matching Program (Assistance and Tax) Act 1990 (Data Matching Act) and are regularly reviewed to ensure they reflect current practices. This includes:
    • acquiring a copy of the program protocol and technical standards report from the then Department of Human Services (DHS, now known as Services Australia)[3] and reviewing them to ensure that it conducts data matching activities with DHS with consideration of the data quality, integrity and security of the data matching program and in accordance with the Data Matching Act
    • regularly reviewing and updating its internal data matching manuals and including information about the date those manuals were updated and approved in the document
    • documenting the assessment process around the data release forms, including any authorisations required as part of the review process, to ensure that appropriate assessments are undertaken and approved prior to the release of data for data matching purposes
  • continues to develop, review and update its internal privacy and cyber security policies and procedures to ensure they are up-to-date and continue to be effective. This includes:
    • consulting with staff across the department to obtain internal advice and feedback to be incorporated in the privacy management plan
    • considering whether existing agency-specific records authorities continue to cover the full scope of DVA’s records in relation to its data matching activities and engage with the National Archives of Australia to update any records authorities, if required, to ensure the accountable disposal of DVA’s data matching information and records
    • regularly reviewing its privacy documentation, such as data breach documentation, to incorporate more details in its Data Breach Response Plan (DBRP) to guide DVA staff with the correct handling of suspected data breaches and to ensure consistency across the department
    • continuing the development of its internal cyber security documentation, such as the security risk management plan and the security framework
    • developing its own cyber incident response plan tailored to DVA’s business needs and organisational structure instead of relying on DHS’s cyber incident response plan
  • documents the operational relationship between DVA’s Privacy team and DHS’s Cyber Security team as well as the roles and responsibilities of each business area in the event of a suspected or actual cyber security incident or an eligible data breach, and
  • strengthens its access security controls for systems used for its data matching activities, particularly in relation to its:
    • termination of user access at the end of the employment relationship
    • logging and monitoring of staff with privileged access, such as administrator accounts.

Part 2: Introduction

Background

The Department of Veterans’ Affairs (DVA) and data matching

2.1 Data matching is the bringing together of at least two data sets that contain personal information, and that come from different sources, and the comparison of those data sets with the intention of producing a match. [4] Agencies must comply with the Privacy Act including in relation to the data matching related activities that they undertake. [5]

2.2 The OAIC was funded to provide regulatory oversight of privacy implications arising from increasing data matching activities using new methodologies amongst Government agencies, for the period from 1 January 2016 to 30 June 2019. This funding is part of the ‘Enhanced Welfare Payment Integrity – non-employment income data matching’ 2015-16 budget measure.

2.3 DVA assists DHS, amongst other Government agencies, with compliance activities through data matching activities to ensure ongoing eligibility entitlements and to maintain the integrity of welfare payments and services. [6] This assessment is focussed on DVA’s data matching activities with DHS as a part of the welfare compliance ecosystem.

The OAIC and the Privacy Code

2.4 Under Part IIIB of the Privacy Act, the Australian Information Commissioner can approve and register enforceable codes, such as the Privacy Code.

2.5 The Privacy Code applies to all Australian Government agencies subject to the Privacy Act. Under the Privacy Code, agencies are required to have a Privacy Management Plan (PMP), a Privacy Officer, a senior official as a Privacy Champion, written PIAs for all high privacy risk projects, a record of personal information holdings, and appropriate privacy education or training for all staff. These obligations are further explored in the Findings section of this report. The OAIC has published a number of resources for Government agencies on its website, which provides guidance on PMPs and PIAs.

Overview of DVA’s data matching activities

2.6 DVA has over 80 systems comprised of over 200 software applications, which are used for a range of functions, including data matching. Since October 2017, DVA and DHS have maintained a shared services arrangement in relation to the provision of data matching infrastructure and applications for DVA’s data matching activities.

2.7 As a part of this arrangement, DHS manages and hosts all of DVA’s ICT systems infrastructure and technology associated with DVA’s data matching activities. DHS provides the technical support and manages the relationship with third party vendors while DVA owns the data that is held within DHS’s ICT systems.

2.8 Given DVA’s data is processed and kept in DHS’s systems, the OAIC has considered aspects of this arrangement and reviewed DHS’s procedural documentation where relevant to DVA’s management of privacy and information security risks. The OAIC did not consider DHS’s personal information handling practices as a part of this assessment.

Data matching process

2.9 DVA conducts data matching activities with DHS across 4 cycles per year, in accordance with the Data Matching Act. The data sets involved in the data matching process may include the customer’s full name, residential address, date of birth, gender, tax file number (TFN), customer file number and taxation details.

2.10 DVA plans to streamline the legacy [7] systems, such as the Mainframe system, which are currently used for DVA’s data matching programs, and replace them with DHS’s Veteran Centric Reform (VCR) system. Access to the VCR system is provided on a need-to-know basis to ensure user access is tightly controlled.

2.11 DVA advised that it does not apply any automated decision-making processes or systems to conduct data matching with DHS.

2.12 The table below outlines the data flows between DVA and DHS when carrying out their respective data matching functions.

Key process – information flows

Description

1) Collection (DVA)

DVA collects personal information when a customer registers for DVA services online through the MyService portal, linked to the myGov account or when a customer visits one of DVA’s centres and fills out a paper form. This includes:

  • full name
  • date of birth
  • email address
  • phone number
  • residential address
  • TFN, and
  • proof of identification documentation, which may include passport information and marriage certification.
 

2) Use (DVA)

DVA creates the client record/file and the customer information is stored in DVA’s legacy systems and databases. The information is collected and used by DVA for the primary purpose of ensuring the customer is receiving the correct entitlements.

 

3) Disclosure (DVA to DHS)

According to a summary of the timetable of DVA’s data matching programs that are conducted through DHS’s systems, DVA discloses customer information to DHS, which runs the automated data matching process. DVA verifies the number of matched records sent to and subsequently received by DHS.

The personal information that DVA sends to DHS for identity matching includes name, residential address, date of birth, gender and TFN.

 

4) Collection/use (DHS)

DHS uses the VCR system to confirm the customer’s identity. The OAIC did not consider DHS’s personal information handling practices as a part of this assessment.

 

5) Disclosure (DHS to DVA)

Once identities have been matched, DHS sends a response data file to DVA. The file contains personal information such as name, date of birth, gender, residential address and income details.

 

6) Use (DVA)

Data received from DHS is uploaded on DVA’s legacy systems. DVA reviews the matched data in the response data file against its own records to identify discrepancies in the income declared by the customer. Where there is a match, DVA stores the matched data in its Mainframe system.

 

7) Use (DVA)

Where there is a discrepancy with the matched data, DVA assigns a case manager to assess the eligibility for payment. DVA may verify the income discrepancy with the client through written correspondence. The letter informs the customer of the discrepancy and requests them to contact DVA to verify or correct the information, and to provide relevant documents and/or forms where relevant.

 

8) Collection (DVA)

The customer is asked to confirm the accuracy of their income information or to update it to ensure that DVA records are accurate. The additional information provided by customers may impact on the customer’s welfare payment. A new pension assessment is created and processed. If an overpayment of pension is suspected, this is investigated and calculated, with recovery action initiated.

 

9) Use (DVA)

Where fraud is suspected, a customer’s matter may be referred to DVA’s fraud investigations and compliance team.

 

Part 3: Findings

Our approach

3.1 The key findings of the assessment are set out below under the following headings:

  • Privacy Code
  • Governance, culture and training
  • Risk management
  • Internal policies, practices and procedures
  • Information security and access controls.

3.2 For each issue, we have outlined a summary of the OAIC’s observations, the privacy risks arising from these observations, followed by recommendations or suggestions to address those risks.

3.3 As a part of this assessment, the OAIC has considered whether DVA has implemented its Privacy Code obligations, as a necessary precursor to meeting the broader requirements of APP 1.2.

3.4 APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs, and
  • enable the entity to deal with privacy related inquiries or complaints from individuals.

3.5 In considering the requirements related to APP 1.2, the OAIC was guided by the Privacy Management Framework and Chapter 1 of the APP Guidelines.

3.6 The Privacy Management Framework details steps that DVA is expected to take to meet its ongoing compliance obligations under APP 1.2. This includes governance around DVA’s ICT security and access controls in relation to its formal shared services and technology arrangement with DHS. [8]

3.7 The OAIC also considered the Data-matching Program (Assistance and Tax) Act 1990, which provides the legal authority under which DVA conducts data matching activities with DHS. The OAIC also had regard to the accompanying statutory Guidelines for the Conduct of Data Matching Program, which regulate how agencies, such as DVA, use tax file numbers to compare personal information to detect incorrect payments. The OAIC oversees compliance with these guidelines.

Privacy Code

3.8 The table below sets out the requirements of the Privacy Code and whether the OAIC considers DVA has met these requirements.

| Section of Code | The Department of Veterans’ Affairs has… | Requirement met? (✓-Yes, X-No) | For further analysis, see paragraph |
| --- | --- | --- | --- |
| 9 | A PMP, which identifies the agency’s specific, measurable privacy goals and targets, and sets out how the agency will meet its compliance obligations under APP 1.2 | | 2-7 |
| 10 | Appointed a Privacy Officer who fulfils required functions as part of the Privacy Code | Partial | 3.22-3.25 |
| 11 | Appointed a senior official Privacy Champion who fulfils required functions as part of the Privacy Code | Partial | 3.23 & 3.26-3.27 |
| 10 | A centralised record of the personal information that it holds | X | 3.58-3.62 |
| 12 & 15 | Undertaken written PIA(s) for all high privacy risk projects, maintains a register of PIAs, and publishes this register, or a version of this register, on its website | ✓* | 3.51-3.57 |
| 16 | Conducts appropriate privacy training and education for staff in its induction programs, and provides appropriate annual privacy training and education for staff who have access to personal information in the course of performing their duties | Partial | 3.33-3.39 |
| 17 | A process in place to proactively review and update its privacy practices, and monitor compliance with its privacy practices, procedures and systems regularly | Partial | 3.72-3.88 |

*Code requirement was not implemented at the time of the assessment but evidence of compliance was subsequently provided.

Governance, culture and training

3.9 DVA’s organisational structure consists of a number of Divisions that are supported by Branches, including Shared Services and Technology, Clients Benefits Income Support Processing, Data and Insights, and Legal Services and Audit (discussed further below).

3.10 The diagram below outlines the different Branches and management roles within DVA that include privacy and data matching functions.

Data matching relationship between DVA and DHS

3.11 DVA and DHS manage their shared services arrangement through a number of Memorandum of Understanding (MOU) agreements, including a Statement of Intent between the 2 departments, individual Services Schedules through which DHS supports the delivery of DVA’s services, and letters of exchange for specific data matching programs. These documents are reviewed annually. DVA and DHS’s MOU agreements were under review at the time of the assessment. The OAIC suggests that DVA continues to regularly review these MOU arrangements to ensure that the agreements remain current and effective.

3.12 While the shared services arrangement is not legally binding, DVA and DHS have established a governance framework to provide oversight and to manage the shared privacy and ICT security risks. Various committees and working groups have been established with representation from both departments. This includes monthly meetings between DVA and DHS’s Secretaries, DVA-DHS partnership forums that oversee the delivery of services against the Statement of Intent, and a range of joint operational committees to ensure service delivery standards are met on an ongoing basis against the Service Schedules.

3.13 DVA is also subject to external audits from the Australian National Audit Office (ANAO), and relevant findings on shared services are reported to DVA’s Audit and Risk Committee (ARC). More information about the ARC is discussed in the ‘Risk Management’ section of the report.

3.14 DVA commissioned KPMG to conduct an internal audit of DVA’s shared services relationship with DHS in June 2019. It was found that DVA’s reporting and management practices are in line with the expectations of both agencies, however, improvements could be made to clarify obligations, governance and communications between DVA and DHS. DVA was working to address these recommendations at the time of the assessment.

3.15 Given that DVA’s shared services arrangement with DHS is regularly scrutinised through a number of external and internal audits, there is a low privacy risk that DVA and DHS’s data matching relationship is not managed appropriately to meet service standards. The OAIC suggests that DVA continues to address recommendations from the KPMG review on its shared services arrangements with DHS to ensure that their data matching relationship remains effective and managed appropriately.

Data governance

3.16 DVA’s Clients Benefits Income Support Processing Branch supports DVA’s data matching activities, including DVA’s engagement with internal and external stakeholders, such as DHS for batch processing. This Branch also handles customer inquiries about DVA’s data matching activities.

3.17 The Data and Insights Branch is responsible for the day-to-day governance of data and is headed by the Chief Data Officer. Responsibilities include the management of the handling of data, response to data incidents and the development of data management agreements. The Branch also maintains a data asset register which contains a record of all the data exchanges undertaken by DVA (discussed further at paragraphs 3.59-3.62).

3.18 Since the shared services arrangement began in 2017, DHS has had primary oversight over DVA’s data matching activities because those activities are conducted on DHS’s ICT systems. DVA remains engaged through regular meetings with DHS to discuss specific data matching issues.

3.19 DVA recently established a data steward’s[9] group which is comprised of over 10 representatives from across the department. The group meets monthly and is responsible for ensuring the quality of data. Data subject matter experts (DSMEs) are intended to support the group to carry out its functions. However, at the time of the assessment, DVA had not assigned any DSMEs. Given DVA is involved in a number of data forums and committees with DHS, there is a low privacy risk that DVA is not aware of data quality issues associated with its data matching activities. However, the OAIC suggests that DVA assigns staff to support its internal data governance structure to proactively monitor and address data issues as an ongoing concern.

Privacy and cyber security governance

3.20 DVA’s privacy functions are carried out in the Information Law Section, within the Legal Services and Audit Branch. The Data and Insights Branch occasionally consults the Legal Services and Audit Branch on the management of data incidents.

3.21 The General Counsel, who is the head of the Legal Services and Audit Branch, has oversight and accountability over privacy risks.

3.22 The Privacy Officer within the Information Law team manages day-to-day privacy matters and prepares reports on data breaches, privacy assessments and related general policy advice to the General Counsel.

3.23 DVA recently appointed a Privacy Champion, who is also the Repatriation Commissioner, which is a statutory position. The Privacy Officer engages with the Privacy Champion to provide updates on DVA’s privacy obligations under the Privacy Code, such as the development and endorsement of the PMP and DBRP (discussed further in the ‘Privacy Management Plan’ and ‘Privacy and cyber security documentation’ sections respectively). The Privacy Champion presents relevant privacy matters to the Executive Management Board (EMB) meetings, including a detailed privacy update each quarter.

3.24 At the time of the assessment, DVA’s Privacy Officer was leaving the department and DVA indicated that there were no replacements to take over the privacy role due to resourcing constraints and it would take time to train existing staff to take on privacy responsibilities.

3.25 Considering that the Privacy Officer plays an important role in promoting privacy governance and capability in an agency, there is a medium privacy risk that DVA’s privacy management functions may be compromised with the departure of its Privacy Officer. Therefore, the OAIC recommends that DVA appoints a replacement Privacy Officer and maintains the position on an ongoing basis to ensure business continuity with the department’s privacy management functions, as required under the Privacy Code.

Recommendation 1

The OAIC recommends that DVA appoints a replacement Privacy Officer and maintains the position on an ongoing basis to ensure business continuity with the department’s privacy management functions, as required under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Privacy Code).

3.26 DVA advised that there are plans to introduce the Privacy Champion to DVA staff through department-wide emails, but this had not happened at the time of the assessment. Given the role of the Privacy Champion is to provide strategic oversight over privacy matters and promote a privacy-aware culture, there is a medium privacy risk that the lack of awareness of the role and existence of the Privacy Champion at DVA would negatively impact on privacy governance functions and structure.

3.27 Additionally, given the overlap in privacy governance functions between the General Counsel, as the privacy owner, and the Privacy Champion, DVA should clearly define the role of the Privacy Champion when introducing them to staff to ensure privacy matters are escalated appropriately. Therefore, the OAIC recommends that DVA strengthens its privacy governance by raising staff awareness of and engagement with the Privacy Champion, as well as clearly outlining the roles and responsibilities of the Privacy Champion.

3.28 At the time of assessment, DVA had appointed a Chief Information Security Officer (CISO) responsible for managing cyber security risks. The CISO sits on DVA’s Security Committee, which was newly established at the time of the assessment.

3.29 The Security Committee is comprised of senior managers across DVA and oversees the management of security matters, which may be escalated to the EMB or directly to the Secretary. It is a part of the Security Committee’s responsibility to ensure DVA has the processes and frameworks in place to effectively respond to security incidents.

3.30 There was no privacy representation on the Security Committee, which represents a medium privacy risk that privacy staff may not be aware of the security matters discussed in that forum, where they may impact on privacy. Therefore, the OAIC recommends that DVA includes privacy representation on the Security Committee to ensure that privacy staff are aware of important risk management and security matters discussed by the Committee and to ensure appropriate consideration of relevant privacy issues by the Committee.

Recommendation 2

The OAIC recommends that DVA strengthens its privacy governance by:

  • raising staff awareness of and engagement with the Privacy Champion, as well as clearly outlining the roles and responsibilities of the Privacy Champion, and
  • including privacy representation on the Security Committee to ensure that privacy staff are aware of important risk management and security matters discussed by the Committee and to ensure appropriate consideration of relevant privacy issues by the Committee.

3.31 DVA has developed its own privacy documentation, such as the PMP and DBRP (noted at paragraph 3.23), that are published on the intranet. However, at the time of the assessment, DVA staff, including those who developed an initial draft of the DBRP, were not aware of the document. DVA confirmed that there had been no official communication to staff on the available resources on the intranet.

3.32 Given the purpose of the DBRP is to guide DVA staff on the identification and handling of potential data breach incidents, there is a medium privacy risk that the lack of awareness of the available privacy resources would result in appropriate procedures and escalation processes not being followed by staff. Therefore, the OAIC recommends that DVA raises awareness of privacy matters by informing staff of the available privacy resources on the intranet, including newly developed privacy resources, such as the PMP and DBRP.

Recommendation 3

The OAIC recommends that DVA raises awareness of privacy matters by informing staff of the available privacy resources on the intranet, including newly developed privacy resources, such as the Privacy Management Plan (PMP) and Data Breach Response Plan (DBRP).

Privacy culture and training

3.33 DVA engages with Privacy Awareness Week, during which senior managers communicate with staff to raise awareness of privacy risks. DVA also educates staff on cyber security issues, such as the dangers of phishing, [10] through messages on screensavers and posters around the department.

3.34 DVA plans to develop phishing-specific training as well as a spear phishing[11] training session for senior management and staff. These privacy events and training sessions are good practices to build privacy and risk awareness amongst DVA staff.

3.35 There are currently 2 mandatory training courses for staff, which contain limited components of privacy related information. All staff, including short term staff and contractors, must complete the ‘security risk awareness training’ and the ‘information and records awareness’ e-learning module at induction. Refresher training is conducted every 2 years. Staff need to achieve at least 80% for both training courses to successfully complete the modules.

3.36 Both mandatory training courses lack a sufficient focus on privacy risks and the privacy responsibilities of DVA staff. The ‘information and records awareness’ module mentions staff’s responsibility to retain and destroy records in accordance with the Privacy Act but does not detail any other privacy obligations under the legislation. Similarly, the security risk awareness training module briefly outlines some obligations under the Privacy Act, such as the access and disclosure of personal information to DVA customers. There is one module dedicated to security incidents and management, but it does not mention any potential impacts on privacy related risks that may arise.

3.37 While new graduates receive face-to-face privacy training, delivered by a member of the Information Law team, this training is not rolled out to other DVA staff. The OAIC reviewed the privacy training material for DVA graduates and noted that there are important aspects of privacy in the graduate training package which are not covered in the mandatory ‘security risk awareness training’ or the ‘information and records awareness’ training modules. For example, the definition of personal information, identifying and reporting non-compliance with the Privacy Act and obligations under the NDB scheme are only delivered through the graduate training sessions.

3.38 DVA plans to develop standalone privacy-specific training for all staff. However, the lack of privacy-specific training at the time of the assessment represents a medium privacy risk that staff are not routinely informed of the importance of privacy matters. Therefore, the OAIC recommends that DVA fosters a more privacy-aware culture by:

  • updating its current mandatory training modules to include more substantive privacy related training material, such as the definition of personal information, identifying and reporting non-compliance with the Privacy Act and obligations under the NDB scheme
  • developing a stand-alone privacy training module and ensuring that annual refresher training is provided to all staff.

3.39 The OAIC also suggests that DVA continues to develop its privacy and ICT security awareness training to include phishing and to ensure refresher training is conducted on at least an annual basis.

Recommendation 4

The OAIC recommends that DVA fosters a more privacy-aware culture by:

  • updating its current mandatory training modules to include more substantive privacy related training material, such as the definition of personal information, identifying and reporting non-compliance with the Privacy Act and obligations under the Notifiable Data Breaches (NDB) scheme, and
  • developing a stand-alone privacy training module and ensuring annual refresher training is provided to all staff.

Risk management

3.40 The implementation of privacy and security risk management processes is integral to establishing robust and effective privacy and security practices, procedures and systems. These risk management processes allow an entity to identify, assess, treat and monitor privacy risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks.

3.41 The OAIC reviewed a range of DVA’s internal risk management documentation, including its Business Continuity Plan, Enterprise Risk Management Framework, and various risk assessments and registers for different business areas. DVA manages risks by adopting a systematic process to identify and rectify risks, and by implementing risk treatments to mitigate the impacts. The Legal Services and Audit Branch reports high privacy risk or sensitive privacy matters to the relevant executive on a ‘need to know’ basis at the most pertinent time, regardless of the stage the privacy matter may be at, including before quarterly reporting. This is in addition to the reports provided more generally to senior management through the Privacy Champion.

3.42 DVA also manages its risks through regular participation in the ARC meetings, which are comprised of external and internal representation. The ARC members meet at least quarterly and have oversight over a range of functions including DVA’s risk management systems. The ARC’s role is to provide independent advice to the Secretary and to provide quarterly risk management updates to the EMB.

3.43 DVA tracks the progress of ANAO findings and recommendations, which are reported monthly. The audit manager in the Legal Services and Audit Branch prepares a closure report for completed recommendations which are submitted to senior management and presented to the ARC and other relevant committees.

3.44 The OAIC did not identify any privacy risks associated with DVA’s risk management of its data matching activities with DHS.

Internal policies, practices and procedures

3.45 Entities should document the internal policies, practices and procedures that they use to handle personal information. This documentation should outline the privacy measures that are in place to manage the risks and threats to personal information. These documents should be regularly reviewed and updated to ensure they reflect the entity’s current acts and practices.

3.46 DVA has a range of department-wide policies and procedures, including those specific to its data matching activities. DVA also has privacy and ICT security documentation that outlines how staff are expected to handle personal information.

Managing customer complaints

3.47 APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will enable the entity to deal with privacy related inquiries or complaints from individuals.

3.48 DVA has an APP 1 privacy policy, which was last updated within 6 months of this assessment, and explicitly states that the document is updated annually or when practices change in handling personal information. The privacy policy provides customers with information on how DVA handles customers’ personal information, as well as the process and contact information for any privacy complaints about DVA.

3.49 There are a number of ways a customer can make a privacy related inquiry or complaint to DVA. Customers are able to contact DVA via post, phone, email or in person at a DVA centre. DVA’s privacy policy advises customers on how to make a privacy complaint and explains how DVA will deal with such a complaint. Once a complaint is received, DVA will aim to resolve the issue within 30 calendar days. If this is not possible, DVA will notify the customer and advise other options available to resolve their complaint.

3.50 DVA’s privacy policy promotes transparent handling of personal information at the department. The OAIC did not identify any privacy risks associated with DVA’s handling of privacy related inquiries or complaints.

Privacy Impact Assessments

3.51 DVA undertakes PIAs for new projects that involve changes to personal information handling processes. This includes when new technologies and functions, such as the VCR system, are implemented. This is a requirement under the Privacy Code and a good privacy protective measure to help ensure that DVA proactively addresses and documents its privacy risk and security profile choices.

3.52 The Information Law team has:

  • developed guidance material, such as DVA’s Privacy Management Operational Guide (Privacy Guide), which provides information on how to determine if a PIA is required and stipulates that business areas must notify the Privacy Officer about any PIAs conducted
  • published general information on DVA’s intranet on PIAs and instructions for DVA staff on conducting Privacy Threshold Assessments (PTAs) before a PIA
  • implemented business processes to ensure that senior management is aware of the privacy risks involved in projects by requesting business areas:
    • complete PTAs at a minimum and to seek clearance from their respective Branch Managers before sending through to the Information Law team
    • liaise with the Privacy Officer if any procurement projects impact on privacy.

3.53 At the time of the assessment, DVA outsources all of its PIAs. The OAIC has reviewed the PIAs related to the implementation of the VCR system, which are conducted jointly by DVA and DHS but owned by DHS. These PIAs are published on DHS’s website.[12] The PIAs for the VCR system considered several privacy risks and mitigation strategies in relation to reforming DVA’s ICT capabilities using DHS’s infrastructure. Since DHS manages the VCR infrastructure, the OAIC did not consider how DHS addressed the identified privacy risks in response to the recommendations in the PIAs.

3.54 However, the OAIC notes that at the time of the assessment there were a number of unactioned recommendations specific to DVA in its latest PIA on the VCR project, such as updating DVA’s privacy policy to explain the circumstances under which a complainant may make an anonymous complaint and the associated procedures used to handle complaints. The OAIC encourages DVA to continue to implement the recommendations in the PIAs to ensure information handling processes using the VCR system are appropriately managed.

3.55 Since the Privacy Code came into effect on 1 July 2018, DVA has conducted 2 PIAs. The OAIC did not review these PIAs as they do not relate to data matching and are therefore outside the scope of this assessment.

3.56 The Privacy Code requires agencies to keep a register of all PIAs conducted and publish this register, or a version of the register, on their websites. The OAIC reviewed the PIA register, maintained by the Privacy Officer. At the time of the assessment, DVA’s PIA register was not published on DVA’s website. Following assessment fieldwork, DVA advised the OAIC that DVA published its PIA Register on its website in January 2020.[13]

3.57 Following its publication, the OAIC did not identify any privacy risks associated with DVA’s PIA Register. DVA should regularly review and update its PIA register to ensure that the list remains current.

Record of personal information holdings

3.58 Under the requirements of the Privacy Code, it is the Privacy Officer’s role to maintain a record of personal information holdings. The record assists agencies with their privacy governance to ensure that they are aware of all the personal information they handle, where the information is kept and the risks associated with that information.

3.59 At the time of the assessment, DVA did not have a record of personal information holdings. However, the Data and Insights Branch was developing a data asset register, which includes the types of data that DVA holds, the business areas and/or individual users who access the information, and where the information is stored.

3.60 The OAIC considers that a record of personal information holdings could include the purpose of the collection of personal information, the law authorising the collection, access restrictions to personal and/or sensitive information, and any indication of the disposal timeframes for data when they are no longer required, in accordance with good privacy practice. These details were not included in DVA’s data asset register at the time of the assessment. Further, the Privacy Officer did not have responsibility for developing and maintaining the document.

3.61 Given DVA’s data asset register lacks a privacy focus and is not maintained by the Privacy Officer, this represents a high privacy risk that DVA’s privacy obligations are not appropriately managed according to the requirements of the Code.

3.62 The OAIC recommends that DVA meets its privacy obligations under the Privacy Code by developing a record of personal information holdings. The Privacy Officer should be responsible for the maintenance of the record to ensure its currency over time.

3.63 The OAIC suggests that this record of personal information holdings includes the types of personal information that the department holds, including sensitive information, the purpose of the collection, the legal authority for the collection, the persons authorised to access the personal information, and how and where the information is securely stored. DVA could either update its current data asset register with an increased focus on the department’s handling of personal information or develop a separate document which provides a centralised record of all personal information held by the department.

Recommendation 5

The OAIC recommends that DVA meets the privacy obligations under the Privacy Code by developing a record of personal information holdings. The Privacy Officer should be responsible for the maintenance of the record to ensure its currency over time.

Data matching documentation

3.64 DVA conducts data matching activities with DHS under the Data Matching Act (previously noted at paragraph 2.9). Under the Data Matching Act, DVA is a source agency, while DHS is the matching agency and the primary user of data matching information.

3.65 In accordance with Guideline 3.1 of the Guidelines for the Conduct of Data Matching Program (statutory Data Matching Guidelines) which accompany the Data Matching Act, the matching agency has the responsibility to maintain a program protocol in consultation with its source agencies. The matching agency must also maintain a Technical Standards Report (TSR) which details the data quality, integrity and security of the data matching program, and provide copies of the TSR to the source agencies.[14]

3.66 Following fieldwork, DVA advised that there is a Statement of Intent between DVA and Services Australia which has a number of clauses that relate to the data responsibilities between the 2 agencies, including a requirement that DVA recognise and adhere to Services Australia’s ICT policies, procedures and guidelines as applicable. However, the OAIC was not provided with a copy of the Statement of Intent.

3.67 While DVA is a source agency, the OAIC did not receive any program protocols or TSRs from DVA in relation to its data matching programs with DHS. This represents a medium privacy risk that DVA may not be fulfilling its data matching responsibilities as the source agency under the Data Matching Act. Therefore, the OAIC recommends that DVA acquires a copy of the program protocol and TSR from DHS and reviews them to ensure that it conducts data matching activities with DHS with consideration of the data quality, integrity and security of the data matching program and in accordance with the Data Matching Act.

3.68 The OAIC reviewed DVA’s internal data matching manuals which guide its staff on the handling of personal information for its data matching activities. The manuals outline decisions where specific business rules apply, such as the prerequisites for data matching. DVA staff must follow those procedural steps and document the decision-making process when handling the extraction and verification of data containing personal information in relation to a data matching program.

3.69 DVA’s data matching manuals also outline the different types of information and forms to be requested from customers and direct staff to other resources where relevant.

3.70 While DVA provides manuals to staff on data matching activities, it is unclear how regularly these manuals are reviewed and updated. None of the manuals used for data matching indicate when they were last updated and/or when the next review will be conducted. This presents a medium privacy risk that DVA staff may not be following the most up-to-date manuals when handling personal information associated with the data matching programs or that the manuals are not maintained in line with changes to data matching activities. Therefore, the OAIC recommends that DVA regularly reviews its data matching manuals to ensure they reflect current practices and include the date the manuals were updated and approved in the document. This could be done annually, and after any major change to DVA’s data matching programs or relevant legislation, for best privacy practice.

3.71 The Data and Insights Branch handles internal and external data requests, which includes data used for data matching activities. The Branch assesses each request against the requirements of the data release form and provides recommendations. Any requests for personal information are scrutinised. In particular, the Data and Insights Branch ensures that a data management agreement is in place, which states the purpose of the disclosure of data and requires the external party’s signature to ensure that they agree to abide by the terms of the agreement. While DVA staff interviewed during the assessment were familiar with the data release processes, the OAIC did not receive any documentation on the assessment process. There is a medium privacy risk that the correct data release procedures may not be followed, particularly if corporate knowledge is lost through the departure of more experienced staff.

3.72 Therefore, the OAIC recommends that DVA documents the internal assessment process for data release, including any approvals required as part of the review process, to ensure that appropriate assessments are undertaken and approved prior to the release of data for data matching purposes.

Recommendation 6

The OAIC recommends that DVA manages its internal data matching policies and procedures to ensure that they comply with the Data-matching Program (Assistance and Tax) Act 1990 (Data Matching Act) and are regularly reviewed to ensure they reflect current practices. This includes:

  • acquiring a copy of the program protocol and Technical Standards Report (TSR) from DHS and reviewing them to ensure that it conducts data matching activities with DHS with consideration of the data quality, integrity and security of the data matching program and in accordance with the Data Matching Act
  • regularly reviewing and updating its data matching manuals and including information about the date those manuals were updated and approved in the document, and
  • documenting the assessment process around the data release forms, including any sign-offs required as part of the review process, to ensure that appropriate assessments are undertaken and approved prior to the release of data for data matching purposes.

Privacy management plan

3.73 DVA has a PMP that was recently endorsed at the time of the assessment and DVA plans to conduct annual reviews of privacy procedures and documentation. The PMP was initially developed by an external contractor, using the OAIC’s PMP template as a guide, and later revised by the Privacy Officer.

3.74 From interviews with DVA staff conducted by the OAIC, it appears that staff across the department were not consulted on the PMP and were not aware that the document was finalised and available on DVA’s intranet. While the PMP identifies specific privacy goals and sets out how it will meet its compliance obligations under APP 1.2 and the Privacy Code, the document focuses on the roles and responsibilities of the Information Law team and lacks a department-wide focus.

3.75 This represents a medium privacy risk that the PMP may not have considered department-wide responsibilities in relation to privacy risks and DVA staff may also lack the awareness of privacy compliance as an individual responsibility. Therefore, the OAIC recommends that DVA reviews and updates its PMP following consultation with staff across the department to obtain internal advice and feedback to be incorporated in the department-wide privacy documentation.

Destruction and de-identification of personal information

3.76 Under APP 11.2, where an entity holds personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes such steps as are reasonable in the circumstances to destroy or de-identify the personal information.

3.77 DVA has a records management system and a recently updated Records Management Policy that are used to manage electronic and hard copy records. A dedicated Records Management team handles the destruction of personal information records that the department collects and maintains, in accordance with the National Archives of Australia’s Disposal Authorities. The Records Management team considers the life cycle of the record and schedules a timeframe to review the documents. When the record is being reviewed, business areas are consulted prior to the destruction of any records. Business areas do not administer the destruction of documents.

3.78 The OAIC reviewed a number of DVA’s agency-specific records authorities which set out the retention and destruction requirements of records for different functions within the agency. However, most of those documents are over 10 years old and it is unclear whether and when they will be reviewed and/or updated. This represents a medium privacy risk that data retention policy documentation may not be up-to-date and may not reflect current practices. Therefore, the OAIC recommends that DVA considers whether existing agency-specific records authorities continue to cover the full scope of DVA’s records in relation to its data matching activities and engages with the National Archives of Australia to update any records authorities, if required, to ensure the accountable disposal of DVA’s data matching information and records.

Privacy and cyber security documentation

Data breach response

3.79 A data breach response plan that includes procedures and clear lines of authority can assist an entity to contain any data breaches and manage its response. Ensuring that staff (including contractors) are aware of the plan and understand the importance of reporting breaches is essential for the plan to be effective.

3.80 DVA has methods for identifying, assessing, rectifying and reporting data breaches, which are outlined in its DBRP. The OAIC has reviewed the DBRP and DVA’s Privacy Investigation Flowchart, which outline the reporting processes from the receipt of a reported privacy incident, including complaints and potential data breaches.

3.81 DVA advised the OAIC that DHS notifies DVA when suspected data breaches are detected in their systems, where they relate to DVA’s data matching programs. DVA assesses the incident and reports any eligible data breaches to the OAIC, as required under the NDB scheme. At the time of the assessment, DVA reported no known eligible data breaches and attributed most of the internally reported incidents to misdirected emails, which were remediated.

3.82 If DVA staff identify a suspected eligible data breach, the standard process is for the staff to report the incident to their manager. For small incidents, such as a misdirected email, staff will undertake remedial action by contacting the unintended recipient, notifying them of the email which they have received in error and requesting them to delete the content. All suspected eligible data breaches are reported to the Privacy Officer in the Information Law team. The Privacy Officer assesses the issue and provides feedback to the business line manager, including advice on the recommended action and the associated privacy risk, to educate and raise awareness of the privacy implications.

3.83 DVA outlines these processes in the Privacy Investigation Flowchart, which categorises incident reporting by the severity of the breach as minor, systemic or serious, where the OAIC may be involved. The Flowchart requires all incidents, regardless of severity, to be recorded in statistics.

3.84 The OAIC reviewed DVA’s DBRP which contains procedures and reporting requirements for suspected data breaches, obligations under the NDB scheme, circumstances where external stakeholders may be involved such as notifications to the OAIC, as well as a detailed risk assessment guide to assist DVA staff with assessing eligible data breaches. However, there are several areas which can be more detailed and/or included in the DBRP to strengthen DVA’s handling of data and privacy breaches. These include:

  • a brief description of the roles and responsibilities of the members of the data breach response team to increase transparency around the handling of data breaches
  • processes that outline when individuals are notified, including who is responsible for the notifications, as it is currently unclear whether the Privacy Officer or the DVA officer who identified the breach is responsible for the notification, particularly for external customers
  • requirements under agreements with third parties, such as service agreements with DHS, where a data breach impacts on both agencies. There is currently no reference to third parties who may be impacted by a suspected data breach and DVA staff would benefit from a brief description or link to relevant policy advice relating to those circumstances
  • regularly reviewing, updating and testing the DBRP to increase key stakeholders’ familiarity with their roles. DVA noted that its DBRP had not been tested at the time of the assessment and the plan is not dated, hence it is unclear whether this document reflects the most up-to-date procedures.

3.85 While DVA has some processes and procedures in place which support the identification and management of privacy breaches, the OAIC considers that there is a medium privacy risk that staff may not be following the most up-to-date processes. The OAIC considers some of the internal processes outlined in the current DBRP are unclear (see paragraph 3.83 above). Therefore, the OAIC recommends that DVA reviews its data breach documentation and incorporates more details in its DBRP to guide DVA staff in relation to the correct handling of suspected eligible data breaches. DVA should also consider undertaking internal privacy audits to assess areas for improvement and gaps in privacy compliance measures.

3.86 DVA also provided its Privacy Breach Response Plan (PBRP), which is substantially the same as the DBRP except the terminology ‘data breach’ is sometimes replaced with ‘privacy breach’ in the PBRP. However, the OAIC found a discrepancy under the ‘Privacy breach reporting’ section in both reports relating to senior management who are listed as responsible for privacy breach reporting.

3.87 Given that DVA has processes in place to triage reported incidents through the Privacy Officer, there is a low privacy risk that privacy and data breaches are not escalated to the appropriate stakeholders. However, the OAIC suggests that DVA combines the DBRP and PBRP to reduce confusion for DVA staff about which procedure to use and to mitigate the risks of inconsistency between its privacy documentation.

3.88 DVA also has an internal Privacy Guide (previously mentioned at paragraph 3.52) which outlines DVA’s collection, storage, security, access, use and disclosure of personal information. The Privacy Guide is a useful privacy resource, which includes the PMP, DVA’s current APP 1 privacy policy, as well as guidance on PIAs and data breaches. While the information is available on the intranet, there had been no formal email notification to staff to inform them of the available resources. Recommendation 2 will assist in addressing this issue.

Cyber security response

3.89 DVA uses DHS’s Incident Response Plan (IRP) when a potential cyber security incident in relation to data matching is identified and reports to DHS for review and remedial action. DVA advised the OAIC that it has plans to develop its own IRP. At the time of the assessment, DVA was in the process of developing a number of cyber security policies and frameworks, such as an updated security risk management plan and a security framework.

3.90 The OAIC reviewed DVA’s ICT security protocol, electronic information policy and security risk management plan that were last updated between 3 and 5 years before the time of the assessment. The lack of up-to-date internal cyber security documentation represents a medium privacy risk that appropriate action and processes on security incidents may not be followed or reported by DVA staff. Therefore, the OAIC recommends that DVA continues to develop its internal cyber security documentation, such as the security risk management plan and the security framework, and regularly reviews its internal policies and procedures to ensure that they are up-to-date and remain effective. DVA should also develop its own IRP which is tailored to DVA’s business needs and organisational structure instead of relying on DHS’s IRP when handling cyber security incidents in relation to data matching.

3.91 Following fieldwork, DVA advised that it endorsed a Cybersecurity Incident Response Plan (CSIRP) in March 2021. DVA noted that this plan integrates with DHS’s (now Services Australia’s) Incident Response framework and capabilities but is designed to ensure DVA retains oversight of cyber incidents and critical decision making. As the OAIC was advised of this development several months after fieldwork and was not provided with a copy of the CSIRP, the OAIC was not able to consider it as part of this assessment.

Recommendation 7

The OAIC recommends that DVA continues to develop, review and update its internal privacy and cyber security policies and procedures to ensure they are up-to-date and continue to be effective. This includes:

  • consulting with staff across the department to obtain internal advice and feedback to be incorporated in the PMP
  • considering whether existing agency-specific records authorities continue to cover the full scope of DVA’s records in relation to its data matching activities and engaging with the National Archives of Australia to update any records authorities, if required, to ensure the accountable disposal of DVA’s data matching information and records
  • regularly reviewing its privacy documentation, such as data breach documentation to incorporate more details in its DBRP to guide DVA staff with the correct handling of suspected data breaches and to ensure consistency across the department
  • continuing the development of its internal cyber security documentation, such as the security risk management plan and the security framework, and
  • developing its own cyber incident response plan tailored to DVA’s business needs and organisational structure instead of relying on DHS’s cyber incident response plan when handling cyber security incidents in relation to data matching.

3.92 In the event that DHS becomes aware of a cyber security incident that impacts on privacy, DHS analyses the cyber security incident and defers to DVA to assess the privacy impact. There is currently no formalised documentation which outlines the operational relationship between DVA’s Privacy team and DHS’s Cyber Security team.

3.93 Given the overlap between the 2 business areas in terms of breach assessment, management and mitigation, this represents a medium privacy risk that the appropriate action and escalation processes may not be followed in the event of a suspected data breach or security incident. Therefore, the OAIC recommends that DVA develops documentation to highlight the operational relationship between DVA’s Privacy team and DHS’s Cyber Security team as well as the roles and responsibilities of each area in the event of a suspected or actual cyber security incident or an eligible data breach.

Recommendation 8

The OAIC recommends that DVA documents the operational relationship between DVA’s Privacy team and DHS’s Cyber Security team as well as the roles and responsibilities of each business area in the event of a suspected or actual cyber security incident or an eligible data breach.

Information security and access controls

3.94 Access security and monitoring controls help agencies protect against internal and external risks by ensuring that personal information is only accessed by authorised persons. Weaknesses in an agency’s ICT security controls, such as audit logging and access controls, increase the likelihood of unauthorised access to systems.

3.95 DHS uses its active directory to manage the information security risks and access requests associated with the systems used for DVA’s data matching activities. This includes the approval and revocation of access to data matching systems for incoming and exiting DVA staff.

3.96 DVA reviews requests for access by its staff before sending the request forms to DHS. Most application forms are first submitted through DVA’s system, which requires approval from DVA managers. Depending on the sensitivity of the information that staff are seeking to access, further approval from senior management may be required. Once DVA managers have approved the application, a separate request is sent to DHS which grants the access to the relevant systems. This is a good privacy practice to help ensure that staff only have access to systems that are appropriate to their roles.

3.97 While DHS manages the data matching systems and user access, DVA must also notify DHS of any removal of access for its staff. A recent ANAO audit found that a number of accounts remained ‘active’ at the end of the employment relationship. DHS confirmed that none of those accounts were accessed after the termination date and attributed the delay in terminating user access to DVA’s delayed notification to DHS.

3.98 While no unauthorised access was detected at this time, there is a medium privacy risk that systems used for DVA’s data matching activities may be more susceptible to unauthorised access without the timely termination of user access. Therefore, the OAIC recommends that DVA develops processes to proactively review and monitor user access to DHS ICT systems used for DVA’s data matching activities and ensure user access is terminated at the end of the employment relationship.

3.99 Unauthorised access to personal information can be detected by reviewing a record of system activities, such as an audit log. Maintaining a chronological record of system activities (by both internal and external users) is a useful way to capture activity on a computer system to detect and investigate privacy incidents.

3.100 DVA relies on DHS for the detection and management of cyber security incidents that relate to DVA’s data matching activities. DHS has a Cyber Security Operations Centre (CSOC) that provides ongoing monitoring of cyber security incidents, which was not within the scope of this assessment.

3.101 DHS notifies DVA’s CISO via phone if a serious cyber incident occurs and impacts on DVA, but reporting is conducted on an ad hoc basis. Based on previous assessments of DHS, the OAIC did not identify any privacy risks associated with DHS’s CSOC.[15] Therefore, there is a low privacy risk of undetected and unreported serious cyber security incidents which may impact on the systems used for DVA’s data matching activities. However, the OAIC suggests that DVA develops more regular and formal reporting processes to ensure that DVA proactively addresses cyber security incidents in a timely manner.

3.102 DHS uses a fraud identification tool to detect and monitor unauthorised access to systems used for DVA’s data matching programs. This tool records access by staff through both desktop computers and via remote access. DVA’s CISO receives monthly reports on this from DHS, which lists DVA staff who have privileged access[16] to different software applications. The report requires confirmation by both CISOs that the list of DVA staff with privileged access remains current.

3.103 The OAIC reviewed the report for October 2019 generated by the DHS fraud identification tool and noted that DVA had flagged a number of ‘high risk’ action items in relation to an excessive number of users with administrator access,[17] which includes access to legacy systems used for data matching activities. This represents a medium privacy risk that information held within the systems used for DVA’s data matching activities may be more susceptible to unauthorised access. Therefore, the OAIC recommends that DVA strengthens its access security controls in relation to its logging and monitoring of staff with privileged access, such as administrator accounts linked to DVA’s data matching activities.

Recommendation 9
The OAIC recommends that DVA strengthens its access security controls for systems used for its data matching activities, particularly in relation to its:
  • termination of user access at end of the employment relationship, and
  • logging and monitoring of staff with privileged access, such as administrator accounts.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 The OAIC recommends that DVA appoints a replacement Privacy Officer and maintains the position on an ongoing basis to ensure business continuity with the department’s privacy management functions, as required under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Privacy Code).

Response by DVA to the recommendation

4.2 Agreed. The functions of the Privacy Officer, as noted under section 10.5 of the Privacy Code, are currently performed by the Department’s Information Law Section within the Legal Services and Audit Branch. The Director, who is an ongoing APS employee, is the designated Privacy Officer. Further, each member of the Information Law Section also manages Privacy functions and is a designated Privacy Officer.

Recommendation 2

OAIC recommendation

4.3 The OAIC recommends that DVA strengthens its privacy governance by:

  • raising staff awareness of and engagement with the Privacy Champion, as well as clearly outlining the roles and responsibilities of the Privacy Champion, and
  • including privacy representation on the Security Committee to ensure that privacy staff are aware of important risk management and security matters discussed by the Committee and to ensure appropriate consideration of relevant privacy issues by the Committee.

Response by DVA to the recommendation

4.4 Agreed. The Privacy Champion and his role are known to all staff. The Department’s Privacy Champion played an active role in the 2020 and 2021 Privacy Awareness Week communications and activities and continues to take an active role in raising awareness of privacy related issues at the senior executive level. The roles and responsibilities of the Privacy Champion are to be incorporated into the Department’s Privacy Management Plan.

4.5 Noted. The Information Law Section, ICT Security, Data and Insights, and Integrity, Assurance and Security teams communicate regularly about security matters that affect the Department. Further, the teams cooperate and coordinate to respond effectively to security issues that arise. The Information Law Section is a member of the Procurement Compliance Advisory Group which is a subset of the Security Committee. Further options are to be explored to generate greater communications between these business areas, including direct representation of the Legal Services and Audit Branch on the Security Committee.

Recommendation 3

OAIC recommendation

4.6 The OAIC recommends that DVA raises awareness of privacy matters by informing staff of the available privacy resources on the intranet, including newly developed privacy resources, such as the Privacy Management Plan (PMP) and Data Breach Response Plan (DBRP).

Response by DVA to the recommendation

4.7 Agreed. The Department has explored various ways to communicate with staff on privacy matters, including through Privacy Awareness Week, messaging from the Covid-19 Pandemic Taskforce and provision of ad-hoc privacy training to staff, including business areas who are high users of personal information. Staff also have access to the Department’s intranet where information about privacy and resources is available. Those materials will be reviewed and updated where necessary, along with communications to advise staff of new materials or updates that are made.

4.8 Business areas are involved in reviewing and contributing to the Department’s Privacy Management Plan to ensure matters relevant to them are considered.

Recommendation 4

OAIC recommendation

4.9 The OAIC recommends that DVA fosters a more privacy-aware culture by:

  • updating its current mandatory training modules to include more substantive privacy related training material, such as the definition of personal information, identifying and reporting non-compliance with the Privacy Act and obligations under the Notifiable Data Breaches (NDB) scheme, and
  • developing a stand-alone privacy training module and ensuring annual refresher training is provided to all staff.

Response by DVA to the recommendation

4.10 Agreed. All staff mandatory training is currently being developed by the Department’s Information Law Section. This training will provide all staff with a baseline of privacy knowledge. In particular, this training will cover what personal and sensitive information is, the Australian Privacy Principles (APPs), identifying non-compliance with the Privacy Act, the need for Privacy Impact Assessments and the Department’s obligations under the Notifiable Data Breaches scheme, amongst other important privacy issues.

4.11 Agreed. All staff will be required to undertake mandatory privacy training annually.

Recommendation 5

OAIC recommendation

4.12 The OAIC recommends that DVA meets the privacy obligations under the Privacy Code by developing a record of personal information holdings. The Privacy Officer should be responsible for the maintenance of the record to ensure its currency over time.

Response by DVA to the recommendation

4.13 Noted. The Department maintains a PIA register on its website. The register can be found on the privacy page which lists all PIAs finalised since 2016.

4.14 Agreed. The Department’s Data Assets Register (DAR) is in the process of being updated to include the requirements noted by the OAIC for personal information holdings.

Recommendation 6

OAIC recommendation

4.15 The OAIC recommends that DVA manages its internal data matching policies and procedures to ensure that they comply with the Data-matching Program (Assistance and Tax) Act 1990 (Data Matching Act) and are regularly reviewed to ensure they reflect current practices. This includes:

  • acquiring a copy of the program protocol and Technical Standards Report (TSR) from DHS and reviewing them to ensure that it conducts data matching activities with DHS with consideration of the data quality, integrity and security of the data matching program and in accordance with the Data Matching Act
  • regularly reviewing and updating its data matching manuals and including information about the date those manuals were updated and approved in the document, and
  • documenting the assessment process around the data release forms, including any sign-offs required as part of the review process, to ensure appropriate assessments are undertaken and approved prior to the release of data for data matching purposes.

Response by DVA to the recommendation

4.16 Agreed. A copy of the TSR from Services Australia will be obtained to ensure the Department’s data matching activities are compliant with the Data Matching Act.

4.17 Agreed. The Department will review its data matching process and procedures.

4.18 Agreed. The Department will document the current processes around data release.

Recommendation 7

OAIC recommendation

4.19 The OAIC recommends that DVA continues to develop, review and update its internal privacy and cyber security policies and procedures to ensure they are up-to-date and continue to be effective. This includes:

  • consulting with staff across the department to obtain internal advice and feedback to be incorporated in the Privacy Management Plan (PMP)
  • considering whether existing agency-specific records authorities continue to cover the full scope of DVA’s records in relation to its data matching activities and engage with the National Archives of Australia to update any records authorities, if required, to ensure the accountable disposal of DVA’s data matching information and records
  • regularly reviewing its privacy documentation, such as data breach documentation to incorporate more details in its Data Breach Response Plan (DBRP) to guide DVA staff with the correct handling of suspected data breaches and to ensure consistency across the department
  • continuing the development of its internal cyber security documentation, such as the security risk management plan and the security framework, and
  • developing its own cyber incident response plan tailored to DVA’s business needs and organisational structure instead of relying on DHS’s cyber incident response plan.

Response by DVA to the recommendation

4.20 Noted. As mentioned at 4.8 above, Business areas are involved in reviewing and contributing to the Department’s PMP to ensure matters relevant to them are considered. The PMP is reviewed and updated as required to reflect DVA’s evolving privacy requirements.

4.21 Noted. The Department manages the retention and destruction of department documents in accordance with the National Archives of Australia’s Disposal Authorities. The Department will liaise with the National Archives of Australia on this recommendation.

4.22 Agreed. All privacy documentation, including the DBRP, is updated as required.

4.23 Agreed. The Department’s cyber security documentation is continually updated when required as cyber threats evolve.

4.24 Noted. Where a cyber-incident affects the Department’s IT services provided by Services Australia, the Services Australia incident response plan will be used by Services Australia. Where the cyber incident directly affects the Department’s IT infrastructure as managed by the Department, the Department’s ICT Security team will investigate the incident and take the appropriate actions.

Recommendation 8

OAIC recommendation

4.25 The OAIC recommends that DVA documents the operational relationship between DVA’s Privacy team and DHS’s Cyber Security team as well as the roles and responsibilities of each business area in the event of a suspected or actual cyber security incident or an eligible data breach.

Response by DVA to the recommendation

4.26 Agreed. The Department will review the current roles and responsibilities of relevant teams to apply when a suspected or actual cyber security incident or an eligible data breach occurs.

Recommendation 9

OAIC recommendation

4.27 The OAIC recommends that DVA strengthens its access security controls for systems used for its data matching activities, particularly in relation to its:

  • termination of user access at the end of the employment relationship, and
  • logging and monitoring of staff with privileged access, such as administrator accounts.

Response by DVA to the recommendation

4.28 Noted. The Department will review the current access controls used for data matching activities and assess if such access security controls are appropriate.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

5.2 The objective of this assessment was to determine whether DVA maintains personal information, in accordance with its obligations under the APPs.

5.3 The scope of this assessment was limited to the consideration of DVA’s handling of personal information against the requirements of APP 1.2. Specifically, the assessment examined whether DVA, in conducting its data matching activities:

  • is taking reasonable steps to implement practices, procedures and systems
  • will ensure that it complies with the APPs and the Privacy Code
  • is able to deal with inquiries or complaints from individuals about its compliance with the APPs or the Privacy Code.

5.4 For an entity to meet the obligations of APP 1.2, that entity must be proactive in establishing, implementing and maintaining privacy processes. This obligation is a constant one and compliance with APP 1.2 should be understood as a matter of good governance.

5.5 As part of this assessment, the OAIC also considered DVA’s data matching practices under the Data-matching Program (Assistance and Tax) Act 1990 and the accompanying statutory Guidelines for the Conduct of Data Matching Program. The OAIC oversees compliance with these guidelines, which regulate how agencies, such as DVA, use tax file numbers to conduct data matching activities.

Privacy risks

5.6 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (Appendix A refers), the OAIC made recommendations to DVA about how to address those risks. These recommendations are set out in Part 4 of this report.

5.7 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

5.8 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Timing, location and assessment techniques

5.9 The OAIC conducted a risk-based assessment of DVA’s handling of personal information when conducting data matching activities. The focus was on identifying privacy risks to the effective handling of personal information in relation to the APPs.

5.10 The assessment involved the following:

  • review of relevant policies and procedures provided by DVA
  • fieldwork, which included interviewing key staff at DVA’s Canberra and Sydney offices on 9 and 10 October 2019, and 21 October 2019 respectively.

Reporting

5.11 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met


Footnotes

[1] The Australian Government Agencies Privacy Code came into effect on 1 July 2018. It requires Australian Government agencies to move to a best practice approach to privacy governance.

[2] The Privacy Code sets out specific requirements and key practical steps that agencies must take as part of complying with APP 1.2. For more information, see https://www.oaic.gov.au/privacy-law/australian-government-agencies-privacy-code/.

[3] The Department of Human Services (DHS) has since been renamed Services Australia due to machinery of government changes. However, this report refers to DHS throughout, as it was known at the time this assessment was conducted.

[4] Office of the Australian Information Commissioner, Guidelines on Data Matching in Australian Government Administration, June 2014.

[5] In addition to their Privacy Act obligations, Government agencies who conduct data matching activities can voluntarily adopt the OAIC’s Guidelines on Data Matching in Australian Government Administration.

[6] DVA factsheet on data matching, see https://www.dva.gov.au/factsheet-is154-data-matching (accessed 17 February 2020).

[7] A legacy system is an old technology, application or computer system which is still in use and continues to serve critical business needs.

[8] Step 2 of the Privacy Management Framework requires that an entity covered by the Privacy Act establishes robust and effective privacy practices, procedures and systems, including ICT security controls as a risk management process. This is to allow an entity to address privacy risks, including personal information security risks.

[9] A data steward is responsible for the management of data, which includes the development and implementation of policies and procedures to comply with regulatory obligations.

[10] Phishing typically involves sending an email that appears to come from a legitimate organisation and attempts to trick the recipient into supplying personal information.

[11] Spear phishing is a personalised attack utilising personally relevant information to attempt to appear legitimate to a particular user.

[16] Privileged access is access to a system that is above and beyond that which a ‘normal’ user has access to.

[17] Administrative access allows a user to make major changes to a system and install software.