Handling of personal information: Housing and Community Services ACT

Part 1: Executive summary

1.1 This report outlines the findings of a privacy assessment undertaken by the Office of the Australian Information Commissioner (OAIC) of Housing and Community Services ACT (Housing ACT), an ACT public sector agency.

1.2 The purpose of this assessment was to determine whether Housing ACT is using, disclosing and securing personal information in accordance with the Territory Privacy Principles (TPPs), specifically TPPs 6 and 11 contained in the Information Privacy Act 2014 (ACT).

1.3 This assessment found that Housing ACT staff are aware of the sensitivity of personal information. The OAIC also observed some ICT system and physical security specific policies and procedures, which were supported by informal knowledge sharing.

1.4 However, the OAIC also identified several medium and one high level privacy risk arising from Housing ACT’s current practices.

1.5 The OAIC has made ten recommendations in response to these privacy risks. In particular, the OAIC recommends that Housing ACT should:

• create written policies and procedures which govern the use, disclosure and protection of personal information by staff, implement a policy document register, as well as review and update existing policies and its Memorandum of Understanding arrangements for sharing information with other entities
• implement regular privacy training that covers authorised uses and disclosures of personal information by staff as well as measures to be taken to protect personal information
• establish clear privacy governance mechanisms in the form of procedures for oversight, accountability and lines of authority for decisions related to privacy and personal information security
• review its risk management processes, including the use of risk registers to capture information security and privacy risks relevant to Housing ACT
• improve its ICT security by:
  • creating and maintaining an information asset register
  • considering updating its version of Homenet to a supported version as soon as practicable
  • implementing email security measures
  • implement comprehensive audit logging in relation to electronic systems that contain personal information as soon as practicable
  • improve the tracking, auditing and monitoring of access to hardcopy client files
• conduct a threshold assessment and if necessary, a full privacy impact assessment on the digitisation of hardcopy client files.

1.6 In addition, Housing ACT must, as a high priority, take steps to develop and implement a data breach response plan.

1.7 These recommendations, and Housing ACT’s responses, are set out in full in Part 4 of this report.

Part 2: Introduction

Overview of Housing ACT

2.1 Housing ACT is responsible for the provision of social (public and community) housing in the Territory to those most in need. These responsibilities include the allocation, management and maintenance of social housing properties, the maintenance of a social housing register (waiting list) of eligible applicants for public and community housing, the ongoing management of public housing tenancies, and the coordination of support services and community participation programs for its tenants. Housing ACT also funds services targeted at preventing homelessness and assisting people to transit through homelessness into stable housing, and assists people in the private rental market through interest-free bond loans.

2.2 Housing ACT has an estimated 12,000 properties spread across the ACT and processes approximately 700 applications for social housing each year.

2.3 Housing ACT cooperates with several ACT Government and Commonwealth Government agencies to administer these services.

Structure

2.4 Housing ACT is part of the Housing and Community Services Division within the ACT Government’s Community Services Directorate (CSD).

2.5 Shared Services (part of the Chief Minister, Treasury and Economic Development Directorate (CMTEDD)) manages the ICT infrastructure of Housing ACT, as it does for many other ACT public sector agencies.

Personal and sensitive information handled by Housing ACT

2.6 In the course of providing social housing services to individuals, Housing ACT collects and handles significant amounts of personal and sensitive information. In particular, Housing ACT collects documentation relating to:

• proof of residence in the ACT
• proof of sponsorship for migration
• proof of social security
• proof of income
• proof of child support payments
• proof of accounts with financial institutions
• proof of assets
• proof of identity (including potentially a passport, Medicare card, government issued licence or permit)
• Centrelink Customer Reference Number (CRN)
• proof of employment
• birth certificate
• proof of legal custody of dependent children.

2.7 Housing ACT uses these documents to assess an individual’s eligibility for housing assistance services provided under legislation. These documents typically contain contact details (name, address, date of birth), as well as personal and sensitive information related to an individual’s circumstances such as:

• homelessness
• their closest living relatives including any children
• formally diagnosed mental health issues
• serious and chronic health issues
• disability including frail-aged
• whether they identify as Aboriginal and/or Torres Strait Islander
• any difficulties with accessing private rental accommodation
• whether they are women with or without children escaping domestic violence
• whether they are children at risk of abuse or neglect.

2.8 Housing ACT uses a combination of paper based and electronic files and systems to administer services.

Paper based files and systems

Gateway Services

2.9 Gateway Services is responsible for receiving applications for social housing, assessing applicant eligibility and needs, managing the register, allocating properties to registered applicants, signing tenancy agreements, and calculating rental rebate assistance for new tenant households. Gateway Services also accepts applications for private rental bond loans and the provision of assistance to families escaping domestic and family violence under the Safer Families Assistance Program. Staff at Gateway Services process applications and conduct interviews with applicants to further assess their needs.[1]

2.10 Individuals provide their personal and sensitive information to Gateway Services through a hardcopy registration form known as the Registration to apply for Social Housing Assistance in the ACT. Housing ACT uses this form as the primary method of collecting information from applicants.

2.11 The majority of individuals provide their identification documents with their application in person at a Gateway Services office. Individuals can also send their applications via post.

Hardcopy client files

2.12 Housing ACT assigns a case officer to assess an application. The case officer can direct the applicant (referred to by Housing ACT as the client) to provide further personal information. The client will normally provide this additional information either via email or in hardcopy.

2.13 Housing ACT staff then collate this personal information into a hardcopy client file. This file is distinct from the files maintained for the individual properties owned and managed by Housing ACT. The Gateway staff within Housing ACT manage the client files. Once applicants enter a tenancy, the file is changed to a tenancy file and then becomes the responsibility of Records Management Unit (RMU).

2.14 Each hardcopy file normally contains a large amount of personal and sensitive information and may include details of any site visits by Housing ACT staff, any Ministerial correspondence relating to the individual’s file (discussed further at paragraphs 3.30-3.31), correspondence with the client, and any other documents created in the process of administering the client’s access to social housing. This includes information received from third parties and is not limited to information provided by the individual themselves.

Electronic files and systems

Homenet

2.15 Homenet is the ICT system used by Housing ACT to administer payments and communicate with clients.

2.16 The hardcopy physical file maintained by the case officer is still used as the primary source of information for the ongoing provision of client services. If there is a discrepancy between the hardcopy file and the electronic file on Homenet, staff refer to the hardcopy file in making any corrections.

2.17 Information stored on Homenet includes:

• electronic client files, which include personal information such as name, address, dates of birth, tenancy and bank account numbers, and Centrelink Reference Numbers (CRNs)
• property information such as maintenance undertaken on properties (via Spotless – discussed at paragraph 2.20) and monies spent on managing the property
• records of interactions with clients including file notes of phone conversations.

2.18 Homenet also receives information from various sources such as Australia Post and Centrelink (Commonwealth Department of Human Services). This information on the electronic client files is most often automatically uploaded by Australian Post and/or Department of Human Services. Homenet also includes the Social Housing Register which is used for the day-to-day management of social housing. The Register contains details on:

• the collection of rental payments
• property maintenance and inspections
• complaint handling.

2.19 Housing ACT informed the OAIC that it intends to further develop Homenet’s functionality as part of its overall program to digitise its hardcopy client files. The OAIC understands that Housing ACT would also introduce a new electronic document and records management system (a future EDRMS) that would give staff access to the digitally stored administrative and policy information of Housing ACT. Homenet would remain the primary system for storing digital client information.

Spotless

2.20 Housing ACT contracts an external private company, Spotless, to administer repairs to Housing ACT properties and provide total facilities management.[2] Spotless manages a system (referred to as WMS) containing details of Housing ACT clients such as their name and address. This system is used by contractors to perform repairs.

TRIM and shared drives

2.21 Individual staff members also use TRIM and a Windows shared drive to store information (including personal information) electronically.

2.22 TRIM is an older electronic document and records management system. Housing ACT intends to implement a new EDRMS. TRIM can only be accessed by some Housing ACT staff, usually at Senior Manager and above levels, as there are only limited licences available, and is maintained by Shared Services. Housing ACT advised that most personal information stored electronically is maintained in the Homenet database.

2.23 Staff also make use of a Windows shared drive assigned as ‘G: Drive’ on all staff computers. The G: Drive is effectively used for storage of files created in the administration of Housing ACT matters, both for client management and for general purposes. Staff have access to the G: Drive for folders relating to their work area only.

Part 3: Findings

Our approach

3.1 This part of the report sets out the OAIC’s observations, our analysis of those observations, followed by suggestions and recommendations to address any risks identified.

3.2 The key findings of the assessment of Housing ACT are set out below under the following headings and subheadings:

• TPP 6 – use and disclosure of personal information
  • Use of personal information
  • Disclosure of personal information
• TPP 11 – security of personal information
  • Governance and culture
  • Internal practices, procedures and systems
  • Risk management
  • Risk assessments - privacy impact assessments and information security risk assessments
  • ICT Security
  • Access Security
  • Physical Security
  • Destruction and de-identification of personal information

3.3 As the TPPs are substantially similar to the Australian Privacy Principles (APPs) in the Privacy Act, in determining whether Housing ACT is handling personal information in accordance with its obligations under TPPs 6 and 11, the OAIC has applied the:

• Guide to securing personal information, which provides guidance on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold
• APP Guidelines, which outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.

TPP 6 - use and disclosure of personal information

3.4 Under TPP 6, an ACT public sector agency can only use or disclose the information for a particular purpose for which it was collected (known as the ‘primary purpose’ of collection), unless an exception applies. Where an exception applies the entity may use or disclose personal information for another purpose (known as the ‘secondary purpose’).

Use of personal information

Observations

3.5 The Housing Assistance Act 2007 (ACT) (the Housing Assistance Act) provides for the approval by the ACT’s Minister for Housing and Suburban Development of housing assistance programs. There are three approved housing assistance programs under the Act:

• Housing Assistance Housing Asset Assistance Program 2008 (HAAP)
• Housing Assistance Public Rental Housing Assistance Program 2013 (PRHAP)
• Housing Assistance Rental Bonds Housing Assistance Program 2017

3.6 The Housing Assistance Act establishes the statutory office of the Commissioner for Social Housing (the ‘Housing Commissioner’).[3] The Housing Commissioner is responsible for the delivery of approved housing assistance programs and has the power to make determinations and issue operation guidelines for programs.[4] Staff in Housing ACT perform many of the functions of the Housing Commissioner including the administration of approved housing assistance programs under delegation.[5]

3.7 Each of the three approved housing assistance programs reference privacy principles and their application to the Housing Commissioner. Under the Public Rental Housing Assistance Program, applicants need to provide information reasonably required by the Housing Commissioner to assess their eligibility for social housing. The Program states that the Housing Commissioner must comply with privacy law when assessing applications for the housing assistance program.[6]

3.8 Based on interviews with Housing ACT staff, it appears that Housing ACT understands the importance of handling personal information when undertaking their duties. However, the OAIC did not see any evidence of internal policies or procedures that describe or set out the types of personal information used by Housing ACT staff to complete their duties. The CSD has published its privacy policy online[7] which lists generally the legislation, including the Housing Act, which applies to the overall functions of its agencies.

3.9 The OAIC did not observe any policies or procedures which listed the appropriate uses for personal information under the Housing Act. Procedures for the handling of information are communicated informally by staff and managers.

3.10 While there is an ICT Security Plan for the Homenet system, the OAIC did not observe any written procedures for using other electronic systems or the handling of physical files. The ICT Security Plan is further discussed in Access Security section at paragraphs 3.108-3.117.

3.11 Housing ACT provides new staff with information during their induction about the use and physical storage of personal information. This knowledge is refreshed informally by colleagues and managers, as well as through emails sent to all staff by the Records Management Team. Any further clarification regarding the appropriate use of personal information collected by Housing ACT is at the discretion of managers and supervisors.

Privacy analysis

3.12 The use of personal information by Housing ACT appears to be in practice consistent with the Housing Assistance Act and related legislative instruments – in that it is used to administer the Public Rental Housing Assistance Program. However, the OAIC identified some privacy risks concerning the use of personal information.

3.13 Housing ACT staff largely rely on the Housing Assistance Act remaining unchanged to ensure their activities are still legally compliant. However, if the laws governing the use of personal information by Housing ACT were to change, it is unclear how this would be properly communicated to staff.

3.14 Informal knowledge and ‘on the job’ training on the appropriate use of personal information is not supported by documented information handling policies and procedures or regular formal privacy training. Informal and ad hoc measures could supplement formal regular training but do not replace the need for it. This raises the medium risk that Housing ACT staff may be unaware of their legal obligations when using personal information and may result in personal information being used inconsistently with what the law authorises. This risk may increase if housing laws were to change.

3.15 The OAIC recommends that Housing ACT documents policies and procedures managing the use of personal information. These policies and procedures should clearly set out how information can be used in accordance with relevant privacy and housing legislation and should capture relevant existing corporate knowledge on information handling. In addition, these policies and procedures should be regularly reviewed and updated to ensure their continual effectiveness.

3.16 The OAIC further recommends that Housing ACT conduct regular privacy training that includes authorised uses of personal information.

Disclosure of personal information

Observations

3.17 As stated earlier at paragraph 3.7, the Public Rental Housing Assistance Program requires the Housing Commissioner to comply with privacy law when administering the program.

3.18 Housing ACT staff advised the OAIC that under housing legislation, personal information can be disclosed to authorised third parties for the purposes of administering the Public Rental Housing Assistance Program, with the permission of the person.

3.19 Housing ACT advised the OAIC that staff receive induction training which covers the disclosure of personal information to other agencies. Staff receive further knowledge informally via ‘on the job’ training from colleagues and supervisors, including the handling of information requests from law enforcement agencies (LEAs). However, other than specific agreements with third parties the OAIC did not observe any policies, procedures or regular privacy training that specify how staff handle authorised third-party disclosures of personal information.

Disclosures under Memorandums of Understanding

3.20 Most third-party disclosures by Housing ACT staff are governed by Memorandums of Understanding (MoUs) with various ACT and Australian government agencies. The MoUs are non-legally binding agreements that set out the circumstances in which Housing ACT shares information, including personal information, with these agencies.

3.21 The OAIC was presented with MoUs between Housing ACT and the following ACT and Australian government agencies and non-government organisations:

• Australian Federal Police (AFP)
• ACT Corrective Services
• Royal Society for the Prevention of Cruelty to Animals
• Domestic Violence Crisis Service ACT
• ACT Department of Justice and Community Safety
• Youth Supported Accommodation Assistance Program Service (YSAAPS).

3.22 These MoUs generally cover information exchange arrangements, information request procedures and collaborative activities between MoU parties. The OAIC observed the following:

• the MoUs referenced outdated privacy law and have not been updated to reflect current law
• some MoUs have expired (including dating back to 2011) and have not been renewed. However, Housing ACT is still continuing to share information under these expired MoUs
• apart from the MoU with the AFP, there is limited information on the specific procedures for disclosing personal information to the other party
• some MoUs specify information sharing protocols that were not observed by or provided to the OAIC.

3.23 The OAIC was also provided with the ACT Human Services Early Intervention Information Sharing Protocol which was published in January 2017. The protocol provides general guidance on how agencies within the Community Services Directorate share information.

3.24 The OAIC was advised that at the time of the assessment, the MoU arrangements are being reviewed.

Other third-party disclosures

3.25 In addition to general information sharing arrangements governed by MoUs, there is a separate process for handling warrants issued by Law Enforcement Agencies (LEAs) including the AFP.

3.26 In regard to the handling of warrants, LEAs make a request to Housing ACT to disclose personal information. Housing ACT receives warrants from LEAs that state the legislation that authorises the warrant and the requested disclosure. In practice, the OAIC was advised that senior staff are responsible for overseeing requests from LEAs and information sharing arrangements with MoU agencies. This is done based on their experience.

3.27 The OAIC was not provided with any documents that set out how LEA requests should be handled, the specific information that can be disclosed by Housing staff and procedures to be followed in the event that such a request is made, for example verifying the identity of the officer from the other agency before disclosing the information.

3.28 Housing ACT maintains a centralised social housing register (waiting list) of eligible applicants for both public and community housing. Housing ACT will therefore disclose applicant information to community housing providers. Staff review applications community housing and forward the most suitable applications to community housing providers. When information about clients is provided to a community housing provider, this generally concludes the interactions between the applicant and Housing ACT. The community housing provider will then handle the application and provide services to the applicant. If the individual needs additional social housing, they will need to make a new application to Housing ACT.

3.29 Regular disclosures are made to Housing ACT’s total facilities manager (at the time of the assessment – Spotless), who undertakes maintenance work on Housing ACT properties. Spotless uses a dedicated computer portal to access service requests which typically contain tenants’ names, addresses and contact numbers.

3.30 The Housing Assistance Act also gives the responsible Minister the authority to request information (including protected information such as personal information about housing assistance applicants and recipients) from the Housing Commissioner.[8] The Executive Support Unit of Housing ACT handles Ministerial correspondence and can disclose personal information in response to requests for information from the Minister.

3.31 The OAIC was provided with the ‘Executive Level Correspondence’ business rule, which sets out how Housing ACT responds to Ministerial requests for information. The business rule includes procedures for seeking further information from other business areas in Housing ACT, and how to store Ministerial correspondence on Housing ACT systems. However, it appears that the document was last reviewed in 2011. Staff in the Executive Support Unit are also trained informally regarding information handling by supervisors and colleagues.

Privacy analysis

3.32 The lack of documented policies and procedures regarding the disclosure of personal information as well as the absence of regular mandatory privacy training raises the medium risk of staff disclosing personal information in a manner inconsistent with TPP 6. Some of these disclosures may contain sensitive information such as an individual’s criminal record. The consequences of an unauthorised disclosure under these circumstances would likely cause serious harm to individuals whose information was part of the data breach.

3.33 More specifically, there is a risk of unauthorised disclosures by less experienced staff disclosing personal information to the incorrect recipient or making disclosures to correct recipients that go beyond what is authorised by law. In particular, this could be a risk with disclosures to LEAs, given that some of these requests may require a timely response from Housing ACT. If there are staffing changes, the corporate knowledge about good information handling practices may be lost due to the lack of documented policies and procedures and regular training.

3.34 The OAIC recommends that Housing ACT create clearly written policies and procedures which govern compliance with TPP 6, including authorised disclosures of personal information by staff under privacy, housing and other relevant legislation. The ‘Executive Level Correspondence’ business rule could act as a model for such process documents, noting that the rule should be reviewed to ensure it remains relevant and effective.

3.35 The OAIC also recommends that Housing ACT conducts regular privacy training that includes compliance with TPP 6 obligations, including the disclosures that are authorised by law. Training should cover MoU and non-MoU related third party disclosures (e.g. Spotless, ministerial correspondence, LEA warrants). Such training should be provided to all staff and contractors on a regular basis.

3.36 Policies and procedures as well as regular training should include:

• permitted disclosures under privacy, housing and other relevant legislation as well as relevant MoUs (i.e. the types of personal information that can be disclosed)
• how authorised disclosures should occur, including:
  • the process for verifying the identification of authorised recipients before the personal information is disclosed, particularly when responding to requests for information that involve sensitive information, such as those related to LEA warrants
  • details regarding the specific communications channels used to facilitate the disclose and the security measures employed to ensure information is protected
  • details regarding which staff members or positions within Housing ACT are responsible for approving and actioning disclosures
  • any relevant existing corporate knowledge on how Housing ACT handles personal information in these circumstances.

3.37 The OAIC was advised that a review is being conducted of Housing ACT’s MoU arrangements. The OAIC recommends that the review include ensuring that the MoUs are up to date, reflect current information handling practices and provide sufficient detail on the authorised disclosure of personal information. This should include ensuring that information sharing protocols are in place where required by a MoU.

TPP 11 - security of personal information

3.38 This section of the report considers the reasonable steps taken by Housing ACT under TPP 11 to protect personal information it holds from misuse, interference or loss; and from unauthorised access, modification or disclosure; as well as the reasonable steps Housing ACT has taken to destroy or de-identify personal information it holds about an individual:

• it no longer needs for a purpose for which the information may be used or disclosed by Housing ACT under the TPPs; and
• that is not contained in a territory record; and
• is not required by or under an Australian law, or a court or tribunal order to retain.

Governance, culture and training

Observations

3.39 The OAIC did not observe an individual or team with overall responsibility for privacy and information security management across Housing ACT. There were no documents that specifically set out Housing ACT’s privacy governance arrangements. As will also be discussed later in the ‘Risk management’ section at paragraphs 3.70-3.75, most governance documentation viewed by the OAIC related to or concerned CSD.

3.40 There are staff within Housing ACT whose responsibilities involve elements of privacy and information security management, including senior staff within the ICT function of Housing ACT. There is also an embedded team from Shared Services that assist with administering ICT functions and handle some elements of information security management.

3.41 The OAIC was not provided with any processes or policies for handling data breaches that are experienced by Housing ACT. This will be discussed in further detail under the heading ‘Internal practices, procedures and systems’ at paragraphs 3.66-3.69.

3.42 Staff managers are responsible for monitoring access controls for their staff and advising ICT staff on any changes needed. ICT security risks are handled through information security meetings every 6 weeks, with security incidents part of the normal agenda. These regular meetings are in addition to informal communication between senior staff.

3.43 Although there is no formal privacy management function for the agency, staff are generally expected to report privacy matters and conflicts of interest to their supervisors, who will then escalate matters as appropriate on an ad-hoc basis.

3.44 There are some formal governance mechanisms within Housing ACT and CSD in the form of boards and committees that allow for discussion of privacy and information security issues, albeit in an ad-hoc manner. These include the Quality and Assurance Committee, the Audit and Risk Management Committee, and an ICT Steering Committee.

3.45 Senior staff within Housing ACT regularly attend and participate in these forums. Privacy and information security issues are handled when they arise but are not a regular agenda item of these committees. Housing ACT advised that these governance structures are being reviewed, with the aim of streamlining their functionality by consolidating several of these existing committees.

3.46 Privacy and information security related complaint handling is not formally documented, although staff exhibited an understanding of how to escalate such matters. There is a Senior Manager with responsibility for complaints, who will coordinate with business areas and case managers to develop a response.

Privacy analysis

3.47 The personal information security requirements of TPP 11 extends to ensuring that all staff are aware of their privacy and security obligations, including senior management. Governance arrangements and regular training foster a privacy and security aware culture among staff and promote awareness and compliance with privacy obligations.

3.48 The OAIC acknowledges that Housing ACT has a number of existing governance mechanisms, however these do not specifically address privacy and associated risks and privacy is only discussed on an ad-hoc basis through these forums.

3.49 Housing ACT’s dedicated Senior Manager, who coordinates responses to complaints, including privacy complaints, is a good privacy measure. Housing ACT also provides mandatory initial privacy training to all staff. However, the overall lack of dedicated privacy governance mechanisms and as well as the absence of regular ongoing mandatory privacy training within Housing ACT raises a medium risk that privacy and information security issues are not being properly identified and addressed. More comprehensive agency wide governance measures specific to privacy matters would, in the opinion of the OAIC, enhance Housing ACT’s privacy culture.

3.50 The OAIC recommends that Housing ACT establish clear procedures for oversight, accountability and lines of authority for decisions related to privacy and personal information security. This would involve Housing ACT developing a formal central privacy management function that is responsible for coordinating privacy and information security matters across Housing ACT’s business areas and reporting these issues to senior management.

3.51 The privacy management function should involve appointing staff to key roles and responsibilities in privacy and information security management. For example, this would include appointing a senior member of staff with overall accountability for privacy and information security. This person would be given responsibility for promoting a culture of privacy and the value and protection of personal information within Housing ACT.

3.52 This position would also ensure that senior management and those with responsibility for privacy management are regularly briefed on privacy risks or issues identified. Housing ACT could leverage existing committees or positions currently in place for handling complaints in creating such a function or linking to, or incorporated into, existing governance processes that may be in place for engaging with Shared Services on ICT security matters.

3.53 Housing ACT should regularly evaluate its governance mechanisms to ensure their continued effectiveness. To achieve this, Housing ACT could implement a Privacy Management Plan (PMP) which could include the establishment of privacy governance arrangements as part of its privacy goals. Housing ACT could then measure its performance against the PMP, as the implementation of these arrangements is as important as the arrangements themselves. The OAIC has developed a PMP template[9] that could be of assistance with such efforts.

3.54 In addition, the OAIC also recommends that Housing ACT implement regular ongoing training for all staff (as previously discussed above) which would also cover the how personal information should be protected. This training should also include how staff respond in the event of a data breach (also discussed below at paragraphs 3.68-3.69).

3.55 The OAIC’s Privacy management framework: enabling compliance and encouraging good practice,[10] as well as resources developed for the Australian Government Agencies privacy Code,[11] while they provide guidance to private sector and Australian Government agencies on how to meet their obligations under APP 1.2, may assist Housing ACT as it also provides guidance on good privacy governance which mirrors governance requirements under TPP 11.

Internal practices, procedures and systems

Observations

3.56 Overall, the OAIC did not observe any overarching privacy and information security policies or procedures within Housing ACT. The OAIC was provided with an ICT Security Plan for Homenet which did contain a documented process for undertaking information security risk assessments for the Homenet system (discussed at paragraph 3.82). However, no other documented process was observed by the OAIC in relation to Housing ACT’s other systems such as the shared drive, TRIM, WMS and handling of hardcopy files.

3.57 Housing ACT does not have a policy register or other way of clearly recording all of Housing ACT’s data related internal policies and procedures, their date of issue, ownership, and when they are due for review. This finding applies to both physical and electronic information handling practices.

3.58 Housing ACT does not have a data breach response plan or any other processes or policies for handling data breaches that are specific to Housing ACT. Staff are expected to go to their supervisor in the event of a privacy incident or query, though it is unclear how they identify such incidents. The supervisor will then if necessary, escalate the privacy issue to their manager. Some matters are progressed to the Housing ACT legal team, however there are no procedures in place to determine when this occurs.

3.59 The OAIC did not observe any ICT security incident response plans or CSD data breach response plans. The only related document observed by the OAIC is Housing ACT’s Business Continuity Plan (BCP). However, the BCP only refers to physical risks such as destruction of property or risks to the health and safety of staff. The document does not consider privacy and information security as specific issues, and consequently does not list contacts for such situations. The OAIC was advised that there is no training which covers data breach management and response.

3.60 Housing ACT did not advise whether the creation of new privacy and information security policies and procedures were being considered as part of digitising hardcopy client files and creation of the new EDRMS.

Privacy analysis

3.61 As discussed in the OAIC’s Guide to securing personal information, complying with TPP 11 involves documenting internal practices, procedures and systems that are used to protect personal information. This includes outlining security measures established and maintained against the risks and threats to personal information. These documents should also be regularly reviewed and updated to ensure they are current.

3.62 Based on interviews with Housing ACT staff, there is a general awareness and understanding of information security. Housing ACT staff rely on informal knowledge sharing to handle information security matters, as there is limited information security documentation. The lack of documented privacy and information security policies and procedures regarding its other practices and systems raises the medium risk that Housing ACT staff are not properly identifying and managing privacy and information security matters.

3.63 The OAIC recommends that Housing ACT ensure that it sufficiently documents all internal practices, procedures and systems that are used to protect personal information. This includes all personal information security measures that have been established and maintained against the risks and threats to personal information.

3.64 These documents should be regularly reviewed and updated to ensure they reflect Housing ACT’s current acts and practices, for example following the digitisation of hardcopy client files and the implementation of the new EDRMS. This can be supported by the creation of a policy and procedures document register which clearly sets out all of Housing ACT’s internal policies and procedures for privacy and information security, their date of issue, ownership, and when they are due for review. The register would also cover policies and procedures around the use and disclosure of personal information recommended in paragraph 3.15. Internal practices, procedures and systems which relate to personal information security may be addressed in a single policy or in a number of separate policies. Additionally, Housing ACT should make sure that staff are aware of, and have access to, these policies and are trained regarding their responsibilities.

3.65 The OAIC also recommends that Housing ACT regularly evaluate its current policies and procedures to ensure their adequacy and currency. For example, presently, the current version of the BCP does not cover unique systems used by the agency and it does not consider privacy and information security as specific issues.

3.66 Also, Housing ACT does not have a data breach response plan or other policy that would provide specific guidance to staff responding to a data breach. This is particularly concerning given the:

• amount and sensitivity of the personal information held by Housing ACT
• lack of any other procedural documents or policies which may be leveraged by Housing ACT for data breach management, for example a CSD data breach plan or ICT security incident plan
• lack of regular mandatory privacy training which covers data breach management.

3.67 In the event of a data breach involving Housing ACT, especially where the data breach is likely to result in serious harm to individuals whose personal information is involved in the breach it is very important that Housing ACT staff are aware of the appropriate steps to protect those affected individuals. The lack of a data breach response plan means that there is uncertainty around data breach management and therefore creates a high privacy risk that staff will not respond effectively in such a situation. The OAIC recommends that Housing ACT, as a high priority take steps to develop a data breach response plan which sets out:

• contact details for appropriate staff to be notified
• the roles and responsibilities of staff
• processes that will assist Housing ACT to identify and contain data breaches, coordinate investigations and breach notifications, and cooperate with external investigations.

3.68 Such a plan could be linked to, or incorporated into, or leverage existing processes and policies, such as any ICT security incident plans developed by Shared Services, the BCP or any crisis management policies and procedures and should also be covered in staff privacy training.

3.69 The OAIC has published detailed guidance on responding to data breaches under privacy law, the Data breach preparation and response – A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth), which covers what should be considered when drafting a data breach response plan. While this guide is primarily for Australian Government agencies and private sector organisations with obligations under the Commonwealth Privacy Act, the information provided is useful to a territory agency like Housing ACT. Taken holistically, the information provided in this guide provides a framework for meeting expectations for accountability and transparency in data breach prevention and management.

Risk management

Observations

3.70 The OAIC was advised that Housing ACT has existing measures to manage risks relating to the handling of personal information. This includes the various governance mechanisms (discussed at 3.46-3.54) which allow senior staff to discuss privacy risks as they arise. Within Housing ACT’s ICT team there are risk management discussions led by senior staff in that area, including weekly discussions of any incidents that have occurred on ICT systems.

3.71 There were some risk management processes observed at the CSD level, however these processes applied more generally to all areas of CSD and are not specific to Housing ACT. In particular, there is a risk management framework and corporate risk register that applies broadly across the CSD, but this does not include management of information security or privacy risks specific to Housing ACT. The OAIC also noted that the CSD risk management framework states that risk registers are to be used for each team, project, program, business unit and division within CSD. The framework states that these risk registers must be updated quarterly. Housing ACT does maintain a risk register as part of its ICT security plan for the Homenet system which does include specific privacy and information security risks relevant to Homenet. Other systems used by Housing ACT that draw data from Homenet are covered by this register. Third party and other government systems are covered by their own plans There were no further risk registers observed by the OAIC within Housing ACT.

3.72 Also, there are monthly meetings held by CSD regarding the digitisation of services. These meetings include representatives of Housing ACT, Shared Services and CSD. It is understood that these discussions include the planned digitising of Housing ACT’s hardcopy client files. It was otherwise not made clear what risk management arrangements Shared Services has in place as part of its role in managing Housing ACT’s ICT infrastructure.

3.73 Housing ACT further provided the OAIC with the terms of reference for the steering committee leading the digitisation of hardcopy client files. Risk management and best practice considerations were included, but there was no specific mention of privacy. The business case for the project did not consider the potential risks to privacy and information security.

3.74 Housing ACT staff advised they will be implementing a risk management system. Housing ACT will use the risk management system to centrally manage risk from around June 2018 onwards.

3.75 The actual undertaking of risk assessments in the form of PIAs and information security risk assessments is discussed in the paragraphs 3.82-3.92 below.

Privacy analysis

3.76 Privacy and information security risk management processes are integral to establishing robust and effective privacy practices, procedures and systems. Risk management processes allow for an entity to identify, assess, treat and monitor privacy and information security risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy and information security risks.

3.77 Overall, it is not clear how Housing ACT manages the identification, treatment, reporting and ongoing monitoring of privacy and information security risks associated with their activities. This is particularly an issue as CSD’s corporate risk register does not identify privacy and information security as specific, ongoing risks to be managed. Only the Homenet risk register covers privacy and information security risks in any detail. The OAIC did not otherwise see any documents which show how Housing ACT manages risks associated with other electronic systems and hardcopy files.

3.78 As stated above, it is not clear to what extent information security risk management is handled by Shared Services in its role as manager of the ICT infrastructure used by Housing ACT. Housing ACT also advised that a risk management system is being implemented which should assist in better managing ongoing risks, but in the interim, there are only limited risk management processes within Housing ACT relating to privacy and information management. As a result, there is a medium risk that Housing ACT does not properly identify, monitor, treat, record and report all privacy and information security risks.

3.79 The OAIC recommends that Housing ACT review its risk management processes to ensure that all privacy and information security risks are appropriately monitored, identified, treated, recorded and reported to senior management. These processes could link into or leverage any information security risk management procedures currently employed by Shared Services in its role as manager of the ICT infrastructure used by Housing ACT. The proposed privacy governance arrangements discussed at paragraphs 3.47-3.55 will also help in managing privacy risks. The Homenet risk register could act as a model for other risk registers, as it includes the sort of details that would allow for business areas to properly monitor privacy and information security related risks and how to treat them.

3.80 Risk registers can be an important document to help summarise any issues identified and allow for them to be properly considered by senior management, which complements the earlier recommendation to review internal governance arrangements. Accordingly, as part of the above recommendation, Housing ACT should apply the existing CSD risk management framework policy on the use of risk registers, at least until RiskMan has been implemented. Accordingly, it is also recommended that CSD’s Corporate Risk Register be reviewed so that it captures information security and privacy risks relevant to Housing ACT. Though outside the scope of this assessment, the CSD Corporate Risk Register should also capture information security and privacy risks relevant to all of CSD.

3.81 Housing ACT’s risk management processes should not only capture ongoing ‘business as usual’ risks but risks related to new projects such as the digitisation of hardcopy client files and establishment of the EDRMS.

Risk assessments - privacy impact assessments and information security risk assessments

Observations

3.82 The OAIC did not observe any documented policies or procedures for undertaking PIAs or privacy threshold assessments at Housing ACT. The ICT Security Plan for Homenet did contain a documented process for undertaking information security risk assessments for the Homenet system. However, no other documented process was observed by the OAIC in relation to risk management for Housing ACT’s other systems. Housing ACT advised the OAIC that Shared Services handle many elements of ICT security, including approving any changes made to Housing ACT systems and therefore may have policies in place regarding risk assessments, but no such documentation was provided to the OAIC.

3.83 Housing ACT staff advised the OAIC that they are considering conducting a PIA and information security assessment as part of compliance activities for the digitisation of hardcopy client files but did not provide further details on how or when they will be conducted. The ICT team within Housing ACT advised they will perform additional compliance activities regarding this project. It was unclear whether these activities would be the same as a PIA and an information security risk assessment.

3.84 The OAIC was also informed that the new EDRMS will undergo a security review in that it is intended to be certified through the Information Security Registered Assessors Program developed by the Australian Signals Directorate (also known as an IRAP assessment).

3.85 CSD is also developing a new tool which will allow clients to upload their personal information to multiple organisations simultaneously (the Client Upload Tool). The list of organisations will include Housing ACT. The Client Upload Tool will also allow clients to nominate their contacts and allow Housing ACT to verify these contacts. Housing ACT has conducted a PIA on this project, and documentation for the Client Upload Tool is still being developed.

Privacy analysis

3.86 Assessing the security risks to personal information is also an important element of ‘privacy by design’ which means treating privacy as a fundamental consideration in the way policies, procedures and systems are created and developed. PIAs and information security risk assessments provide an entity with information concerning the security risks it faces, including threats and vulnerabilities, along with the possible impacts before it designs and implements its personal information security framework. They also assist in integrating privacy into an entity’s risk management strategies.

3.87 As a general rule, PIAs should be sought for business projects or decisions that involve new or changed personal information handling practices, for example, when implementing new technologies that may create new ways in which personal information may be handled. PIAs can allow for privacy to be considered during the design of major projects, and for any issues to be mitigated proactively. Where an entity is unsure of whether a full PIA is needed, it can conduct a privacy threshold assessment to determine whether the changes to personal information handling warrant such action.

3.88 The OAIC understands that a PIA and an information security risk assessment are being considered for the digitisation of hardcopy client files, and an IRAP assessment for the new EDRMS, though no evidence for either was provided.

3.89 It was not otherwise clear from the interviews how Housing ACT decides on whether to undertake PIAs or security assessments. The lack of any discernible policy or procedure across all of its activities raises a medium privacy risk that Housing ACT will not adequately consider privacy issues at the design and development stage of new projects involving personal information.

3.90 The OAIC recommends that Housing ACT conduct a threshold assessment and if necessary a full PIA in conjunction with an information security risk assessment on the digitisation of hardcopy client files, and any other major projects involving the handling of personal information, notable the development of the new EDRMS and the Upload Tool which will allow clients to upload personal information to multiple organisations simultaneously.

3.91 The OAIC further recommends that Housing ACT develops and implements a PIA and information security risk assessment policy across all its activities. Such a policy will provide a process for identifying privacy and information security risks for a given project, and how to undertake a privacy threshold assessment to determine whether a full PIA is needed. The policy would also outline a similar process for conducting information security risk assessments. Such a policy could be linked to, or incorporated into, or leverage any existing approaches to information security assessments employed by Shared Services.

3.92 The OAIC has published guidance and tools that will be of assistance in considering future PIAs, including the role of ‘privacy by design’ in business projects and decisions that involve personal information. They include the:

• Guide to undertaking privacy impact assessments
• eLearning course on PIAs
• Privacy management framework: enabling compliance and encouraging good practice
• Part A of the Guide to securing personal information.

ICT Security

Observations

3.93 Housing ACT provided the OAIC with an ICT security plan for Homenet, a physical security policy for communications rooms developed by Shared Services, and a questionnaire designed to assess ICT service providers. Housing ACT further advised the OAIC that Shared Services handle many elements of ICT security, including approving any changes made to Housing ACT systems.

3.94 Shared Services has an embedded team within Housing ACT, but senior staff have overall responsibility for Homenet and manage the relationship with vendors of ICT services. These include the vendors for Homenet and TRIM, as well as the vendor for the software interface between Housing ACT and Centrelink systems. Housing ACT also advised that the current version of Homenet is not supported by the vendor as it is outdated.

3.95 Housing ACT provided a questionnaire that is intended to be used to assess vendors on their ICT security capabilities. However, the OAIC was advised that it is not often used with the assessment of a vendor’s suitability as well as the ongoing relationship management relying heavily upon the experience and expertise of senior staff.

3.96 Disaster recovery testing of the Homenet system is conducted twice annually and includes a check of the data currently stored on the system. Shared Services is otherwise responsible for penetration testing on Housing ACT systems, administering the server on which Housing ACT systems are stored, and monitoring the patching of Housing ACT systems.

3.97 The OAIC did not observe an information asset register or other method for tracking Housing ACT’s information holdings. There was particular uncertainty as to what personal information is stored on the G: Drive. The OAIC was advised that staff in some instances may create spreadsheets that contain personal information (extracted from Homenet or hardcopy client files) to assist with their duties and save them on the shared drive. It is not clear how many of these files are deleted once a staff member has completed their work and how many are left on the G: Drive. These files could contain significant volumes of personal and sensitive information.

3.98 The G: Drive is currently being audited for the personal information it stores. The OAIC understands that this auditing capability exists across all of Housing ACT’s systems but that it has never been used. This is different to audit logging of user activity on these systems.

3.99 Housing ACT also maintains a separate test and training environment within Homenet, as well as a development environment. The OAIC was advised that real data from Homenet is required for testing system errors. This was explained as necessary because errors can only be replicated using the exact same data. However, access to the testing environment is heavily restricted, more than other systems used by Housing ACT staff. Senior staff within the ICT function of Housing ACT have only limited access to this testing environment. The data in the development environment is all de-identified.

3.100 Housing ACT advised that unsecured email is used to conduct the majority of communication between staff and clients. The normal process is that the case officer will receive the emailed information directly to their email inbox. Housing ACT staff also use unsecured email when receiving health and financial information about clients from third parties.

3.101 Housing ACT advised the OAIC that group inboxes are used in some instances when receiving personal information via email. The OAIC did not observe any policy on the use of such group inboxes or on the use of email generally.

Privacy analysis

3.102 Effective ICT security requires protecting both hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure. However, ICT security measures should also ensure that the hardware, software and personal information stored on it remain accessible and useful to authorised users.

3.103 The OAIC understands that senior staff within Housing ACT have extensive experience in managing vendor relationships. However, there is a privacy risk that this experience will be lost in the event of staff turnover. Housing ACT has a process in place to assess the ICT security of potential vendors in the form of a questionnaire, though this remains mostly unused. However, the risk concerning vendors is partly mitigated by the ongoing nature of many of the vendor relationships, and the other security mechanisms used to monitor access security discussed at paragraphs 3.118-3.122, specifically the monitoring of vendor access to Homenet by Housing ACT staff. As Housing ACT will likely be engaging with new vendors as part of the digitisation of hardcopy client files, the OAIC suggests that the vendor selection process be reviewed to ensure it adequately assesses the ICT security of potential vendors.

3.104 Housing ACT should be fully aware of all the personal information it handles, where it is kept, and the risks associated with that information before deciding what reasonable steps to take to protect it. Given the advice provided regarding the use of G: Drive to potentially store personal information, Housing ACT may not be fully aware of all of its personal information holdings and this raises the medium privacy risk that Housing ACT is not taking reasonable steps to protect this personal information. The OAIC recommends that Housing ACT undertake some basic information asset management by developing and maintaining a list or register which provides a high-level description of the types of and location of personal information it handles. This will provide Housing ACT with an understanding of where personal information is stored and what steps to be taken to take to protect it. Housing ACT could also leverage any new information asset management capabilities which may come out of process of digitising hardcopy client files and the new EDRMS.

3.105 A more immediate ICT security issue is that the current version of Homenet is no longer supported by the developer. This is problematic given that Housing ACT might not be able to rely upon the vendor’s support should issues arise with Homenet particularly regarding any information security issues. If no further updates, patches and other fixes are made available by the vendor, it does raise the medium risk of security vulnerabilities with the software which, if discovered and exploited by malicious parties may result in a data breach. The OAIC recommends that Housing ACT consider updating its version of Homenet to a supported version as soon as practicable as any current security vulnerabilities may have been fixed in newer versions of the software.

3.106 Email is not the most secure way of transmitting and receiving personal information. There is a privacy risk that without additional security measures in place, the personal information may be intercepted and viewed by an unauthorised third party. Although Housing ACT is implementing an updated system for receiving personal information, the issues surrounding the current use of email use have not been addressed, and the OAIC considers there to be a medium privacy risk that Housing ACT has not taken reasonable steps to secure personal information transmitted via email.

3.107 Before the updated system is implemented, the OAIC recommends that Housing ACT implement measures to improve the security for personal information transmitted and received via email. For example, Housing ACT could consider including personal information in emails as password protected attachments and encouraging individuals and agencies interacting with Housing ACT to similarly protect their email attachments. This can be done using freely available software and would not require any changes to Housing ACT systems. More examples of email security measures can be found in the OAIC’s Guide to securing personal information .

Access security

Observations

3.108 The OAIC was provided with access security policies and procedures, specifically, the ICT security plan for Homenet and the business rule regarding Homenet user access auditing.

3.109 Staff access is role-based. Housing ACT manages staff access through electronic profiles, with each user assigned job roles that permit them to perform certain functions within Homenet.

3.110 Around 250 Housing ACT and wider CSD staff having access to personal information on Homenet. Housing ACT executives are normally only given read-only access to the same personal information.

3.111 To access Homenet, Housing ACT staff need to fill out an access form. The supervisor or Senior Manager then receives the form and approves access, with the Business Solutions team verifying this access and in turn setting the level of access required. For those requesting access outside of Housing ACT, Shared Services ICT will create and/or modify the user profile as required and require approval of the Executive Director. The business rule regarding Homenet user access auditing sets out the responsibilities for staff regarding access, including requiring users to report where their Homenet access is not consistent with their current job role.

3.112 Housing ACT advised that the current ICT system does not allow staff to accrue new accesses in addition to their current authorisations. This appears to be inconsistent with the description of job roles in the ICT security plan for Homenet. The ICT security plan for the Homenet system states that a user may be assigned multiple job roles, and that the Homenet system places no limits on how many are assigned. Housing ACT advised that its business practice is that users only have a maximum of two roles: one access related job role, and one financial delegation role if required.

3.113 Housing ACT revokes access to Homenet through the same form used to grant access. This form is used when staff permanently leave their role or change roles. When revoking access, ICT management work closely with the payroll team to ensure access is blocked for former staff.

3.114 A staff member’s position is linked to their level of access to Housing ACT systems, meaning information is accessed on a ‘need to know’ basis. The Business Solutions team within Housing ACT provides managers with a report each quarter that lists staff and their position. Managers are then required to confirm with ICT that their staff have appropriate access to Housing ACT systems. The report must be completed and returned to ICT no later than 10 days after being issued.

3.115 Passwords are assigned to each electronic profile created for accessing Homenet, which will then expire every 45 days. There is a password policy specifically for Homenet access in the Homenet ICT Security Plan, as well as a separate password policy applicable to general usage of other ICT systems used by Housing ACT staff. Other systems used by Housing ACT are set on a similar expiry timeline, in which staff are required to change their password regularly and must meet password complexity requirements. Managers informally ask staff to change their passwords regularly.

3.116 Housing ACT conducts audit logging of access to Homenet. Audit logging is limited by the technical capacity of Homenet as it is an older system. Presently logs include entry and exit to the Homenet system, and certain information fields within Homenet. Housing ACT advised that browsing, where a user will search through records outside of their normal duties, is not included in current audit logging. There is no logging of such accesses if personal information is not changed.

3.117 In addition to Homenet, there are a number of staff who have access to a web portal that allows Housing ACT to collect personal information from Centrelink. However, only three certified staff members from ICT have access to the DHS/Homenet Income Confirmation and Rent Reduction processes. Some staff also have access to a system for exchanging information with the TFM provider system, with the vendor providing Housing ACT monthly reports on what accesses were made to its system.

Privacy analysis

3.118 Access security and monitoring controls help protect against internal and external risks by ensuring that personal information is only accessed by authorised persons.

3.119 Housing ACT employs access security controls to ensure that only authorised staff access personal information. Housing ACT’s process of periodically reviewing staff access helps to prevent unauthorised access to personal information.

3.120 Housing ACT’s usage and enforcement of passwords that are specific for the Homenet system and other ICT systems to ensure secure access to its systems is a good privacy protective measure. Therefore, the OAIC encourages Housing ACT to continue the enforcement of passwords and regular reminders from managers to protect user access and accounts.

3.121 Audit logging is a reasonable measure to protect the security of personal information. Audit logs can help detect unauthorised access of personal information as they show records of system activities, for example, actions undertaken by individual users on a network, what time users logged on and off, which files they accessed and what they changed. The OAIC recognises that certain systems present additional difficulties in implementing audit logging. Moving from paper files to digital solves some issues but raises other challenges as well. With the digitisation of hardcopy client files, audit logs will become more important to be able to determine which staff are accessing what records.

3.122 Although Housing ACT uses audit logging over some elements of Homenet, there are several shortcomings. Staff can browse through personal information and this activity is not logged. This creates a medium risk that unauthorised access may not be identified through current audit logging as trusted insiders may access personal information without authorisation. The OAIC recommends that Housing ACT should implement comprehensive audit logging in relation to electronic systems that contain personal information as soon as practicable so that it has detailed records of system activity involving access to personal information.

3.123 There was also inconsistency between the nature of a staff member’s role as described in the ICT Security Plan for Homenet and the business rule regarding Homenet user access auditing. Homenet documentation states that a single user can have multiple job roles, giving them different access rights to personal information, which may or may not be appropriate based on their duties. The OAIC understands that in practice this is not the case, and that staff understand what the correct policies are, but suggests that Housing ACT updates its policies to reflect current practices.

Physical security

Observations

3.124 Housing ACT stores personal information gathered from clients in hardcopy records. Staff duplicate this information in electronic form as needed to perform their duties. Housing ACT advised that physical records are regarded as the source of truth if discrepancies are found.

3.125 The hardcopy records are maintained in two separate locations, Housing ACT offices for current files and in archives maintained by the ACT Records Office for older files. Access to the rooms containing current files is mostly limited by swipe cards, with one room secured by a lock. However, the doors to these rooms were all observed to be open during the OAIC fieldwork. Housing ACT advised that there is no alarm system to notify staff if doors are left opened. The compactuses within the rooms were not observed to use locks.

3.126 Hardcopy files are tracked using a unique case identification system which utilises an identifier that is linked to the electronic file on the TRIM system rather than the name of the client. These identifiers are only available to and searchable by the Records Management Team, so case managers must get assistance from the team when retrieving hardcopy files.

3.127 As discussed in more detail at paragraphs 3.97-3.98, the OAIC was advised that the G: Drive is used by staff in some instances to create spreadsheets that contain personal information to assist with their duties. This personal information is extracted from Homenet, and possibly from hardcopy client files themselves and may include identifiers for hardcopy files and the names of the clients associated with those files.

3.128 The Records Management Team keeps records of what files are taken and by which staff member. Part of the agreement when signing out files requires staff to declare when a file is lost or misplaced. Housing ACT advised however that there is no follow up process to determine if a file is lost. The Records Management Team expects that files will normally be returned even if they have been missing for an extended period of time. Client files will normally be duplicated until the original is returned. Housing ACT advised that there have been no reported file losses. Staff however do not generally report when files go missing or are otherwise misplaced and are not advised to actively monitor what files they have. Staff are expected to keep files locked away in cabinets near their desks or in their offices.

3.129 Hardcopy files related to high-profile cases are also maintained by senior staff in locked cabinets held in their respective offices. The OAIC was advised that while those files are kept separately, the Records Management Team have visibility over which files are kept by senior staff, and it is further understood that once no longer needed they are archived in the same way as other files.

3.130 As noted previously at paragraph 3.125, the ACT Records Office maintains the collection of archived hardcopy files in a separate location. Housing ACT staff need to request archived files from the ACT Records Office. As the ACT Records Office is separate to Housing ACT, it was not assessed by the OAIC during fieldwork.

Privacy analysis

3.131 Physical security is an important part of ensuring that personal information is not inappropriately accessed. Entities need to consider what steps, if any, are necessary to ensure that physical copies of personal information are secure.

3.132 Although no hardcopy client files have been permanently misplaced, as there is no process to follow up on files which have been missing for long periods of time there is a medium privacy risk that personal information may be lost or misplaced by staff.

3.133 Further, as discussed in paragraph 3.126, staff may in some instances extract information from the unique case identification system such as the case identification number and the client’s name and placing this information onto the G: Drive where it can be accessed by other staff. With this information, staff could potentially trace and then access specific case files that they are not authorised to view. Current practices also do not prevent unauthorised staff access to hardcopy files held in unlocked hardcopy storage rooms. As a result, the OAIC views current practices surrounding physical security as potentially leading to increased trusted insider risk of unauthorised access or misuse of personal information by staff, including contractors.

3.134 At present, Housing ACT has limited measures in place to identify any unauthorised access to the personal and sensitive information held in hardcopy storage rooms. With the advent of smartphones and other discreet means of capturing personal information quickly and without detection, there is a medium privacy risk of unauthorised access to personal and sensitive information held in the hardcopy storage rooms.

3.135 The OAIC recommends that Housing ACT should consider reviewing its current physical security measures concerning hardcopy client files and consider better tracking, auditing and monitoring of access to its hardcopy client files, especially files which have been taken out of the hardcopy storage rooms for extended periods of time. As part of this process Housing ACT could consider the following:

• alarms for open doors to control entry into the hardcopy storage rooms
• better logging of staff movements into the hardcopy storage rooms
• keeping hardcopy client files in lockable cabinets in the hardcopy storage rooms
• develop a physical security policy around the storage of personal information by Housing ACT in the hardcopy storage rooms. Shared Services has developed a physical security policy around its communications rooms. Although this policy is focussed on protecting ICT infrastructure, it could act as a model for updating physical security policies around the storage of personal information by Housing ACT in the hardcopy storage rooms.

Destruction and de-identification of personal information

Observations

3.136 Housing ACT staff advised that when a tenancy ends, client files will be archived for a period of two years. This is the responsibility of the Records Management Team. Housing ACT liaises with the ACT Records Office regarding the destruction and de-identification of personal information. Housing ACT client files will be archived by the ACT Records Office if they are not needed after the two year period. The OAIC did not observe any documents that summarise these processes. As discussed previously, the Records Management Team will occasionally publish email updates to staff, but there is otherwise no training provided.

3.137 Housing ACT relies upon senior staff to ensure that legal obligations are met regarding the destruction and de-identification of personal information. There is otherwise limited effective training or documentation to help staff understand the processes around the destruction and de-identification of client files.

3.138 Housing ACT is also currently developing sharing protocols for research purposes, as its files may occasionally be the subject of historical research regarding Canberra. Currently research requests are handled through Freedom of Information processes on a case-by-case basis. The information sharing protocols are to be introduced in the near future. Housing ACT is additionally developing a training package that will support these sharing protocols.

Privacy analysis

3.139 Housing ACT, as an ACT public sector agency, is bound by the Territory Records Act 2002 in relation to the retention and destruction of documents.

3.140 TPP 11.2 exempts public sector agencies from the requirement to destroy or de-identify personal information where it is required by law to retain that information. As the Territory Records Act places various requirements on how Housing ACT handles personal information, it is likely that they would fall under the exemption in TPP 11.2.

3.141 The lack of documented policies and training on record management raises the risk of staff not destroying or de-identifying personal information as required by law. However, the OAIC considers this to be a low risk as Housing ACT regularly liaises with the ACT Records Office to ensure they meet their obligations. The OAIC suggests that Housing ACT formalises these practices through documented policies and procedures as well as training, for example as is being done for disclosures for research purposes.

Part 5: Description of assessment

Background

5.1 The Australian and ACT Governments have an MoU for the provision of privacy services by the OAIC to ACT public sector agencies. Under the terms of this MoU, the OAIC completes one privacy assessment of an ACT public sector agency each financial year.

5.2 In 2017/18, the OAIC considered Housing ACT an appropriate assessment target due to the nature and amount of personal information it holds.

5.3 As an agency of the ACT Government, Housing ACT is governed by the Information Privacy Act 2014 (ACT) (the Information Privacy Act), specifically the Territory Privacy Principles (TPPs).

Objective and scope of the assessment

5.4 The objective of the assessment was to assess whether Housing ACT handles personal information in accordance with the TPPs found in the Information Privacy Act.

5.5 The scope of this assessment was limited to the consideration of Housing ACT’s handling of personal information under TPP 6 (use or disclosure of personal information) and TPP 11 (security of personal information). Specifically, the assessment examined whether Housing ACT is:

• using and disclosing the personal information held about individuals for the purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if the individual has consented to the use and disclosure of the information or an exception applies under TPP 6; and
• taking reasonable steps to:
  • protect personal information it holds from misuse, interference and loss; and from unauthorised access, modification or disclosure
  • destroy the information or to ensure that the information is de-identified.

Privacy risks

5.6 Where the OAIC identified privacy risks and considered those risks to be medium or high risks, the OAIC made recommendations to Housing ACT about how to address those risks. These ten recommendations are set out in Part 4 of this report.

5.7 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and opinions are only applicable to the time period during which the assessment was undertaken.

5.8 For more information privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A. Further detail on this approach is provided in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Timing, location and assessment techniques

5.9 The assessment of Housing ACT was risk-based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

5.10 The assessment involved the following:

• review of relevant documents including policies and procedures provided by Housing ACT
• fieldwork, which included interviewing key members of staff and reviewing further documentation at the Housing ACT offices in Canberra from 20 to 21 February 2018.

5.11 On the completion of fieldwork, the OAIC’s preliminary findings were conveyed to Housing ACT at the assessment’s closing conference.

5.12 Subsequently, the OAIC received further documents and conducted additional interviews with Housing ACT staff. Upon receiving this additional information, the OAIC’s preliminary findings were updated and sent to Housing ACT in March 2018.

Reporting

5.13 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.