Handling of personal information: A follow-up privacy assessment of Housing and Community Services ACT

Privacy Assessment by the Office of the Australian Information Commissioner

1 June 2022

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) second privacy assessment of Housing and Community Services ACT (Housing ACT), an ACT public sector agency located within the Community Services Directorate (CSD).

1.2The OAIC conducted its first privacy assessment of Housing ACT in February 2018. That assessment examined whether Housing ACT was handling personal information in accordance with the Territory Privacy Principles (TPPs) contained in the Information Privacy Act 2014 (ACT) (Information Privacy Act). It revealed TPPs 6 and 11 compliance risks and the OAIC identified several medium and one high level privacy risk.  The OAIC made 10 recommendations in response to those privacy risks.

1.3 This assessment’s objective was to follow up on Housing ACT’s implementation of the recommendations made in 2018. It finds that, while Housing ACT had made progress implementing some of the recommendations made in the 2018 assessment, the majority of the recommendations were either not or only partially implemented.

1.4 In this assessment the OAIC identified several medium-level privacy risks yielding 9 recommendations. In particular, the OAIC recommends that Housing ACT:

  • implement 2018 Recommendations 1, 2 and 4 by documenting policies, procedures and processes on the use, disclosure and protection of personal information
  • use its QMS/IMS (policy register) to regularly review and update policies and procedures (both internal and public facing guidance available on their website) to ensure adequacy and currency
  • review its refresher privacy training to ensure it contains material on Housing ACT’s personal information handling practices and ensure all Housing ACT staff complete annual privacy training
  • implement 2018 Recommendation 3 and formalise privacy governance arrangements including nominating a Privacy Champion and a Privacy Officer to assist with the management of privacy issues across CSD, in particular Housing ACT
  • regularly review and test CSD’s data breach response plan to ensure its effectiveness. Housing ACT should also update the membership of its Data Breach Response Group by identifying the composition of the Group, roles and responsibilities as well as their contact details
  • fully implement 2018 Recommendation 6 and improve privacy risk monitoring by reviewing Housing ACT’s risk management processes so that they:
    • are consistent with the CSD Risk Management Framework
    • involve a risk governance forum which has privacy risks as a standing item
    • consider privacy and information security risks identified by Privacy Impact Assessments (PIA), privacy assessments conducted by the OAIC or other privacy assurance reviews
  • implement 2018 Recommendation 7 by:
    • conducting a PIA for the digitisation of hard copy files, Client Upload Tool project and development of a new electronic document and records management system (EDRMS) when these projects recommence
    • developing and implementing a policy applicable to all Housing ACT’s activities which sets out:
      • a process for identifying privacy and information security risks for a given project
      • how to undertake a Privacy Threshold Assessment to determine whether a full PIA is needed
      • outline a similar process for conducting information security risk assessments
  • fully implement 2018 Recommendation 8 by:
    • implementing measures to improve the security of personal information transmitted and received via email, including:
      • developing internal policies or procedures for staff sending personal information via email
      • developing educational material for clients highlighting the risks associated with sending personal information via email and promoting secure methods of communicating with Housing ACT
      • where possible, Housing ACT should consider more secure alternatives for communicating with clients, such as via a secure website, over the phone, in person, or using emails with password protected attachments to send personal information
    • developing and maintaining a register which provides a high-level description of the types of and location of personal information it handles
  • implement 2018 Recommendation 10 by reviewing its current physical security measures concerning hardcopy client files. This should inform the development of a physical security policy containing procedures for the handling and storing hardcopy personal information. The policy should:
    • include hard copy file handling procedures developed in response to the COVID-19 pandemic
    • reside within CSD’s records management framework though specific to Housing ACT’s activities and reflect the unique information handling practices of Housing ACT in relation to hard copy physical files.

Part 2: Introduction

Background

Previous assessment of Housing ACT

2.1The OAIC conducted its first privacy assessment of Housing ACT in February 2018 (2018 assessment).[1] The 2018 assessment examined whether Housing ACT was using, disclosing, and securing personal information in accordance with TPPs 6 and 11 contained in the Information Privacy Act.

2.2The 2018 assessment found that Housing ACT staff were aware of the sensitivity of personal information. The OAIC also observed Housing ACT’s information and communication technology (ICT) system and physical security policies and procedures supported by informal knowledge sharing. However, the OAIC also identified several medium and one high level privacy risk and made 10 recommendations in response to those risks.

Overview of Housing ACT

Structure

2.3Housing ACT is part of the Housing and Community Services Division within the ACT Government’s Community Services Directorate (CSD).

2.4Shared Services (part of the Chief Minister, Treasury and Economic Development Directorate (CMTEDD)) manages the ICT infrastructure of Housing ACT, as it does for many other ACT public sector agencies.

Personal and sensitive information handled by Housing ACT

2.5Housing ACT has functions under the Housing Assistance Act 2007 (ACT) (Housing Assistance Act). Under this legislation, individuals provide information required by the Housing Commissioner (Director-General of the CSD), to assess their eligibility for social housing.[2]

2.6Housing ACT collects and handles significant amounts of personal information across a range of paper based and electronic systems.

2.7Housing ACT advised the OAIC that since the 2018 assessment there has not been any significant changes to their legislative functions or personal information handling practices. Relevant developments since the 2018 assessment include:

  • the system used by the Contractor to lodge and record repairs is referred to as ‘Maximo’ and contains details of Housing ACT clients such as their name and address
  • Housing ACT uses Salesforce to support the digital accounts for their public facing services and provides authentication services for individual users. The primary information retained by this system includes name, address and eligibility criteria evidence. The Salesforce relationship is managed by Shared Services (part of the CMTEDD) and the Office of the Chief Digital Officer (OCDO) within CMTEDD, as the lead agency responsible for the ACT Government’s digital agenda
  • staff members also have their own personal drive for storing information assigned as ‘H: Drive’ on all staff computers.

2.8Housing ACT noted that it has been attempting to increase its use of digital files and systems. Housing ACT’s clients are reluctant to engage through online channels, preferring ‘in person’ engagement and this poses significant barriers to such a change.

2.9More information regarding Housing ACT’s handling of personal information including specific systems can be found in paragraphs 2.6-2.23 of the 2018 assessment report.


Part 3: Findings

Our approach

3.1 This part of the report sets out the OAIC’s observations, and analysis of Housing ACT’s actions in response to the OAIC’s 2018 recommendations, followed by suggestions and recommendations to address any risks identified.

3.2 As an agency of the ACT Government, Housing ACT is governed by the Information Privacy Act which includes the TPPs. The TPPs set out standards, rights and obligations for the collection, use, disclosure, storage, access, and correction of personal information (including sensitive information) by ACT public sector agencies.

3.3 The objective of this assessment was to:

  • identify how Housing ACT has addressed recommendations made by the OAIC in the 2018 assessment
  • assess the adequacy of Housing ACT’s responses to the OAIC’s recommendations with regard to TPPs 6 and 11.

3.4 The OAIC considered Housing ACT’s response to the 2018 recommendations, in particular the timeframes cited for implementing each recommendation. Appendix A provides an overview of Housing ACT’s implementation of the OAIC’s 2018 recommendations.

3.5 Under TPP 6, an ACT public sector agency can only use or disclose personal information for a particular purpose for which it was collected (known as the ‘primary purpose’ of collection), unless an exception applies. Where an exception applies the entity may use or disclose personal information for another purpose (known as the ‘secondary purpose’).

3.6 Under TPP 11, an ACT public sector agency must take reasonable steps to protect personal information it holds from misuse, interference or loss; and from unauthorised access, modification or disclosure. It must also take reasonable steps to destroy or de-identify personal information it holds about an individual:

  • it no longer needs for a purpose for which the information may be used or disclosed by the ACT public sector agency under the TPPs
  • that is not contained in a territory record, and
  • is not required by or under an Australian law, or a court or tribunal order to retain.

3.7 As the TPPs are substantially similar to the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act)[3], in determining whether Housing ACT handled personal information in accordance with its obligations under TPPs 6 and 11, the OAIC has made reference to the following guidance:

3.8The Privacy Champion and Privacy Officer descriptions referred to in the report are derived from the OAIC’s guidance material on the application of the APPs contained in the Privacy Act.[1]

3.9 The OAIC also refers Housing ACT to the Australian Government Agencies Privacy Code (the Code). Even though the Code only applies to Australian Government agencies, Housing ACT may find it a useful example of best privacy practice in relation to privacy management and governance.

Follow-up of 2018 OAIC assessment

Implementation of 2018 assessment recommendations

3.10 The table below lists

  • recommendations the OAIC made in the 2018 assessment
  • whether Housing ACT has implemented each recommendation
  • residual privacy risks identified by this assessment, and
  • recommendations and suggestions from this assessment to mitigate any identified residual privacy risks.

3.11 In summary, the OAIC notes that while Housing ACT had made progress implementing some of the recommendations made in the 2018 assessment, the majority of the recommendations were either not implemented or only partially implemented.

Part 4: Recommendations and Housing ACT’s responses

OAIC Recommendation 1

4.1The OAIC recommends that Housing ACT should implement parts of recommendations 1, 2 and 4 from the 2018 assessment by:

  • documenting policies and procedures related to the use, disclosure, and protection of personal information. These policies and procedures should include:
    • permitted uses and disclosures under privacy, housing and other relevant legislation as well as relevant Memorandums of Understanding (MoUs) and sharing agreements
    • how authorised uses and disclosures should occur, including procedures for using and disclosing personal information
    • internal practices, procedures and systems that are used to protect personal information
    • ensuring staff are aware of and have access to these documented policies and procedures and are used to inform induction and refresher privacy training undertaken by staff.
  • reviewing its MoU and other information sharing arrangements to ensure they are up to date and contain sufficient detail on current information handling practices.

Response by Housing ACT

Agreed.

Housing ACT is one division of the Community Services Directorate (CSD). The CSD is developing a whole of directorate approach to privacy which will cover those specific issues that relate to a particular division in an annexure.

(a)

The CSD has now endorsed a Data Release Policy, which will provide guidance to staff in assessing use, and disclosure of personal information, this will form the basis of a Housing assessment, with additional information being able to be provided specifically regarding the controls for Housing ACT.

CSD

(b)

A CSD will develop a training module to ensure have an awareness of these policies The training module will include but not be limited to information on how to use and the disclosure of information.  Where there are specific areas such as legislation in relation to privacy to a division, these will be targeted at those division within the training module(s).

CSD

(c)

In relation to Housing ACT MoU and other information sharing arrangements will be reviewed and loaded onto the Information Management System (IMS). The IMS has the capability to assigned review periods and the authorisation hierarchy.

Housing ACT

OAIC Recommendation 2

4.2The OAIC recommends that Housing ACT should review its refresher privacy training to ensure it

  • contains material on Housing ACT’s specific and unique personal information handling practices.
  • is informed by documented policies and procedures related to the use, disclosure and protection of personal information by Housing ACT
  • is mandatory and undertaken annually by all Housing ACT staff.

Response by Housing ACT

Agreed

(a)

All corporate training is maintained and delivered by CSD. The CSD as part of the privacy policy and framework are developing the prerequisites for training which will include type and frequency. Where there are specific needs in relation to Housing ACT or other divisions these will be included as part of the overall training package.

CSD

(b)

As per recommendation 1 the CSD policy document will outline training deliverables. Any specific requirements will be an annexure in relation to Housing ACT or divisional requirements such as the Housing Assistance Public Rental Housing Assistance Program 2005 (No 2) PHAP.

CSD

(c)

Housing ACT will assist in providing specific information for the policy/framework

Housing ACT

OAIC Recommendation 3

4.3The OAIC recommends that Housing ACT should fully implement 2018 recommendation 3 and formalise privacy governance arrangements including the ‘Privacy Champion’ and a ‘Privacy Officer’ to assist the Privacy Champion in managing privacy issues. This documented governance should clearly establish clear procedures for oversight, accountability and lines of authority for decisions related to privacy and personal information security.

4.4This would involve CSD and/or Housing ACT developing a formal central privacy management function, consisting of a privacy officer or a privacy team responsible for coordinating privacy and information security matters across Housing ACT’s business areas and reporting these issues to CSD’s senior management. Documented governance arrangements should clearly note which staff members within Housing ACT and CSD have been appointed to key roles and responsibilities in privacy and information security management.

Response by Housing ACT

Agreed

(a)

The Chief Information Officer has the responsibility of Privacy Management within CSD. Within Housing ACT, the Policy and Business Solutions Executive Branch Manager has the responsibility of the Privacy Officer. This includes however not limited to coordinating privacy and information security matters across Housing ACT’s business areas and reporting these issues where appropriate through to CSD.

CSD

(b)

These roles and responsibilities will be clearly reported within the privacy and information security management system documentation.

CSD

OAIC Recommendation 4

4.5The OAIC recommends that Housing ACT should use its QMS/IMS so that its policies and procedures (both internal and public facing guidance available on their website) are regularly reviewed and updated to ensure their continual adequacy and currency.

Response by Housing ACT

Agreed

(a)

The IMS/QMS is a Housing ACT system.  Any specific Housing ACT documents will be loaded onto this environment however CSD documents will be loaded onto the CSD Intranet site and accessed via links within the IMS/QMS. This will still provide a method to flag when a review is required and the associated approval and release controls.

Housing ACT

OAIC Recommendation 5

4.6The OAIC recommends that Housing ACT should:

  • test the Data Breach Policy to ensure its continued effectiveness
  • update the membership of the Group found in the Data Breach Policy, clearly setting out the staff making up the Group, their roles, responsibilities, and authorities as well as their contact details. Housing ACT should ensure these contact details remain updated, particularly in the event of organisational changes. Each role in the Group should have a second point of contact in case the first person is not available.

Response by Housing ACT

Agreed

The Data Breach Policy has now been tested within the Community Services Directorate and has successfully been used to respond to several data breaches. The roles of the CIO, Data Breach Officer, and Data Custodians has demonstrated the ability to respond to data breaches in a timely manner, to ensure effective communication with effected parties, and remediate the reasons for the breach occurring.

The data breach policy/process has also been tested within Housing ACT. With the role of the Policy and Business Solutions Executive Branch Manager (PBT EBM), Data breach Officer, Privacy Officer has demonstrated an effective process to assess and report on data breaches. Where the PBT EBM is not available the Infrastructure and Contract or Client Service EBM will provide redundancy.

(a)

The process will be reflected in the CSD documentation in relation to policy and data breach process.

CSD

OAIC Recommendation 6

4.7The OAIC recommends that Housing ACT should fully implement 2018 recommendation 6 and improve privacy risk monitoring by reviewing Housing ACT’s risk management processes so that they:

  • are consistent with the CSD Risk Management Framework
  • involve a risk governance forum which has privacy risks as a standing item
  • record and consider privacy and information security risks identified by PIAs, privacy assessments conducted by the OAIC or other privacy assurance reviews.

Response by Housing ACT

Agreed

In relation to risk and reporting on privacy and information security risks the following structures are currently in place.

Housing ACT

(a)

Privacy will be included as agenda items for discussion where required in both the Strategic Board of Management (SBoM) and the Audit and Risk Committee (ARMC) meetings.

CSD

OAIC Recommendation 7

4.8The OAIC recommends that Housing ACT should implement 2018 recommendation 7 by:

  • conducting a PIA for the digitisation of hard copy files, Client Upload Tool and development of a new EDRMS when these planned projects recommence
  • developing and implementing a PTA, PIA and information security risk assessment policy across all Housing ACT’s activities which requires project planners to consider ‘privacy by design’ and sets out:
    • a process for identifying privacy and information security risks for a given project
    • how to undertake a PTA to determine whether a full PIA is needed
    • outline a similar process for conducting information security risk assessments.

Response by Housing ACT

Agreed

(a)

The development and implementation of a PTA and PIA process will be incorporated within the overarching CSD Policy and training information/documentation. Guidance material will be included on how and who will undertake a PTA to determine whether a full PIA is needed.

CSD

(b)

Housing ACT will however move to have a PTA conducted on the upgrade of Homenet to assess whether or not a PIA is required.

Housing ACT

OAIC Recommendation 8

4.9The OAIC recommends that Housing ACT should fully implement 2018 recommendation 8 by:

  • establishing measures to improve the security for personal information transmitted and received via email, including:
    • developing internal policies or procedures for staff sending personal information via email
    • developing educational material for clients highlighting the risks associated with sending personal information via email and promoting secure methods for communicating with Housing ACT
    • where possible, Housing ACT should consider more secure alternatives for communicating with clients, such as via a secure website, over the phone, in person, or using emails with password protected attachments to send personal information.
  • undertaking some basic information asset management by developing and maintaining a list or register which provides a high-level description of the types of and location of personal information it handles.

Response by Housing ACT

Agreed in Principle

Whilst the CSD and Housing ACT agree that there is a need for an Information Asset Management system, advice has been sought, and at present there is a possible Whole of Government (WhOG) approach to Data Asset Management being considered, where a Directorate and or Division can enter high-level description of the types of and location of personal information it handles.

The CSD and Housing ACT will pause on acting on this recommendation until further advice from an WhOG is provided prior to committing resources into the development of a specific Directorate approach.

OAIC Recommendation 9

4.10The OAIC recommends that Housing ACT should implement 2018 recommendation 10 and review its current physical security measures concerning hardcopy client files. This review should then inform the development of a Housing ACT physical security policy containing procedures for the handling and storing of hardcopy personal information. The policy should:

  • include hard copy file handling procedures developed in response to the COVID-19 pandemic
  • reside within CSD’s records management framework though be specific to Housing ACT’s activities and reflect the unique information handling practices of Housing ACT in relation to hard copy physical files.

Response by Housing ACT

Agreed

(a)

As part of the policy and training development all data information handling requirements will be updated and or documented along with those specific requirements to those divisions which may include Housing ACT.

CSD

Part 5: Description of assessment

The Role of the OAIC

5.1The Australian and ACT Governments have a Memorandum of Understanding (MoU) for the provision of privacy services by the OAIC to ACT public sector agencies. Under the terms of this MoU, the OAIC completes one privacy assessment of an ACT public sector agency each financial year.

5.2For 2020-21, the OAIC considered Housing ACT an appropriate assessment target due to the:

  • nature and amount of personal information it holds
  • number and significance of issues found in the 2018 assessment, including a high-level privacy risk

5.3Therefore, the OAIC formed the view that there was value in doing an assessment which examined how Housing ACT had addressed the ten recommendations from the 2018 assessment.

Objective and scope of the assessment

5.4The objective of this assessment was to:

  • identify how Housing ACT has addressed recommendations made by the OAIC in the 2018 assessment of Housing ACT
  • assess the appropriateness and adequacy of Housing ACT’s responses to the OAIC’s recommendations with regard to TPPs 6 and 11.

5.5The scope of this assessment was limited to TPPs 6 and 11.

5.6The scope of this assessment included a review of the privacy and information security arrangements deployed by Housing ACT, in particular a review of policies, procedures, systems, governance and training applicable to the use, disclosure and security of personal information. The assessment did not include a physical review or testing of the technical capabilities of the ICT systems used by Housing ACT, CSD or Shared Services.

Timing, location and assessment techniques

5.7The OAIC reviewed policy and procedure documents provided by Housing ACT.

5.8The OAIC conducted the fieldwork component of the assessment at Housing ACT’s Belconnen Office in Canberra, where key staff from Housing ACT and CSD were interviewed on 30 and 31 March 2021.

5.9Following fieldwork, the OAIC reviewed further documentation provided by Housing ACT.

5.10The assessment of Housing ACT was risk-based and focused on identifying the privacy risks related to the implementation of the OAIC’s 2018 assessment.

5.11The assessment considered the privacy and security measures put in place by Housing ACT, following the 2018 assessment. Housing ACT’s implementation of policies, procedures, systems, governance, training as well as particular information security measures were assessed on the basis of staff interviews and review of documents.

5.12The OAIC makes recommendations to address ‘medium’ and ‘high’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

5.13OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

5.14The OAIC has made 9 recommendations and several suggestions that will, in the OAIC’s opinion, assist Housing ACT to further protect the personal information it handles. Recommendations are set out in Part 4 of the report. Suggestions are set out in the body of the report.

Reporting

5.15The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security, or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating

Entity action required

Likely outcome if risk is not addressed

High risk

Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation

Immediate management attention is required.

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely   breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA) or not likely to meet significant   requirements of a specific obligation (for example, an enforceable   undertaking).
  • Likely   adverse or negative impact upon the handling of individuals’ personal   information.
  • Likely   violation of entity policies or procedures.
  • Likely   reputational damage to the entity, such as negative publicity in national or   international media.
  • Likely   adverse regulatory impact, such as Commissioner Initiated Investigation   (CII), enforceable undertakings, material fines.
  • Likely   ministerial involvement or censure (for agencies).

Medium risk

Entity should, as a medium priority, take steps to address OAIC expectations around requirements of Privacy and related legislation

Timely management attention is expected.

This is an internal control or risk management issue that may lead to the following effects

  • Possible   breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA) or   meets some (but not all) requirements of a specific obligation.
  • Possible   adverse or negative impact upon the handling of individuals’ personal   information.
  • Possible   violation of entity policies or procedures.
  • Possible   reputational damage to the entity, such as negative publicity in local or   regional media.
  • Possible   adverse regulatory impacts, such as Commissioner Initiated Investigation   (CII), public sanctions (CII report) or follow up assessment activities.
  • Possible   ministerial involvement or censure (for agencies).

Low risk

Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation

Management attention is suggested.

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks   are limited and may be within acceptable entity risk tolerance levels.
  • Unlikely   to breach relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA).
  • Minimum   compliance obligations are being met.

Footnotes

[1] Report for the 2018 assessment is available at: https://www.oaic.gov.au/privacy/privacy-assessments/handling-of-personal-information-housing-and-community-services-act/.

[2] Part 3, section 9.

[3] The TPPs differ from the APPs by omitting APPs that are not relevant to information privacy regulation of ACT public sector agencies. Further, there are minor textual differences, but the meaning and intent of each principle remains the same.