Management of personal information — Access Canberra

Date: 1 December 2017

Assessment report

Assessment undertaken: February 2017
Draft report issued: September 2017
Final report issued: December 2017

Executive summary

  1. This report outlines the findings of an assessment of Access Canberra undertaken by the Office of the Australian Information Commissioner (OAIC).
  2. As an agency of the ACT Government, Access Canberra is governed by the Information Privacy Act 2014 (ACT) (the Information Privacy Act), specifically the Territory Privacy Principles (TPPs).
  3. The purpose of this assessment was to determine whether Access Canberra is:
    • managing personal information in an open and transparent manner as required by Territory Privacy Principle 1 (TPP 1)
    • notifying individuals of the collection of personal information in accordance with its TPP 5 obligations.
  4. The scope of the assessment was limited to determining how Access Canberra maintains and handles personal information related to transactions that involve vehicle registrations and applications for working with vulnerable people.
  5. The assessment found that Access Canberra has taken steps to foster a privacy aware culture and treats personal information as a valuable business asset. There is a general awareness of privacy issues and strong ICT security controls around systems holding personal information.
  6. Additionally, Access Canberra’s TPP 1 privacy policy adequately described how the agency manages personal information. Its current notification practices, specifically the collection of information by the Road Transport Authority (RTA) and Working with vulnerable people (WWVP) program appear reasonable and adequate.
  7. The assessment also identified a number of privacy risks related to the requirements of TPP 1.2. In summary, the OAIC found that:
    • the development and updating of internal policies and procedures is done in an ad hoc manner
    • while there is information available on the management of privacy breaches at the Directorate level, there is currently no data breach response plan for Access Canberra
    • while the Directorate has a dedicated privacy function, Access Canberra’s current governance arrangements do not include a dedicated privacy function allowing for agency wide coordination, discussion and response to privacy matters
    • privacy risks are inconsistently managed across the RTA and WWVP program
    • privacy impact assessments (PIAs) are not routinely considered for projects involving personal information
    • while privacy training is available, there is no mandatory, regular privacy training for staff.
  8. The OAIC has made five recommendations, which are set out in Part 4 of this report, to assist Access Canberra to address these risks, including:
    • regularly evaluate its policies and procedures to ensure their adequacy and currency
    • continue to develop its Application Portfolio Management (APM) tool, to assist with managing policy and procedure document updates
    • develop and implement a Privacy Management Plan
    • develop a data breach response plan and consider linking or incorporating this plan into existing processes and policies
    • consider, in consultation with the Chief Minister, Treasury and Economic Development Directorate (CMTEDD), including a centralised privacy function as part of its governance arrangements to coordinate privacy matters across functions and report these issues to senior management
    • review privacy risk management processes for the RTA and WWVP program, and consider using the Strategic Risk Register for both these functions with privacy explicitly identified as a risk within the register
    • consider a threshold assessment on whether to widen the scope of the Privacy Impact Assessment on the transfer of data from the Promadis system to the Rego.ACT system, as well as consider similar assessments for all large projects involving personal information
    • implement regular and mandatory privacy training for all staff, including short-term staff and contractors.

Part 1: Description of assessment

Background

1.1 The Australian and ACT Governments have a Memorandum of Understanding (MoU) for the provision of privacy services by the OAIC to ACT public sector agencies. Under the terms of this MoU, the OAIC completes one privacy assessment of an ACT public sector agency each financial year.

1.2 In 2016/17, the OAIC considered Access Canberra an appropriate assessment target due to the nature and amount of personal information it holds.

1.3 As an agency of the ACT Government, Access Canberra is governed by the Information Privacy Act 2014 (ACT) (the Information Privacy Act), specifically the Territory Privacy Principles (TPPs).

Objective and scope of the assessment

1.4 The objective of the assessment was to assess whether Access Canberra handles personal information in accordance with the TPPs found in the Information Privacy Act.

1.5 Due to the size of Access Canberra and the large number of transactions it administers, the scope of the assessment was limited to determining how Access Canberra maintains and handles personal information related to:

  • motor vehicle registrations
  • registrations and renewals for individuals taking part in the Working with Vulnerable People (WWVP) program.

1.6 From discussions held with Access Canberra, it was established that the RTA (specifically in handling motor vehicle registrations) and the WWVP program handled significant amounts of personal information, and in many instances the most sensitive personal information, within Access Canberra.

1.7 This assessment also involved:

  • examination of the processes and procedures of Shared Services ICT (discussed below) insofar as they relate to the management of personal information held by Access Canberra; and
  • consideration of the arrangements deployed by CMTEDD, which Access Canberra is a part of.

1.8 The scope of this assessment was limited to the consideration of Access Canberra’s handling of personal information under TPP 1 (open and transparent management of personal information) and TPP 5 (notification of collection of personal information). Specifically, the assessment examined whether:

  • the policies and procedures of Access Canberra were reasonable in the circumstances to ensure that personal information is managed in an open and transparent manner (TPP 1)
  • Access Canberra provides reasonable and adequate notifications to users of its services when collecting personal information (TPP 5).

Methodology

1.9 The assessment of Access Canberra was risk based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

1.10 The assessment involved the following:

  • review of relevant policies and procedures provided by Access Canberra
  • a readability test of Access Canberra’s privacy policy (see Appendix A)
  • fieldwork, which included interviewing key members of staff and reviewing further documentation, at the Access Canberra offices in Canberra from 15 to 16 February 2017.

Privacy risks

1.11 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to the OAIC guidance, the OAIC made recommendations to Access Canberra about how to address those risks. These recommendations are set out in Part 4 of this report.

1.12 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Further detail on this approach is provided in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Part 2: Overview of Access Canberra

2.1 Access Canberra is part of the Chief Minister, Treasury and Economic Development Directorate (CMTEDD) and is the agency responsible for providing government services on behalf of the ACT Government. It also functions as a single point of contact for customer and regulatory services for both private individuals and businesses in the ACT.

2.2 As previously discussed, this assessment focused on the RTA (specifically its motor vehicle registration function managed through the Rego.ACT information and communication technology (ICT) system) and the WWVP background checking within Access Canberra. Both the RTA and WWVP programs handle significant amounts of personal information.

2.3 The Rego.ACT ICT system was specifically designed for the administration of the RTA functions, including vehicle registration and renewal. This system stores information on all licensed drivers and registered vehicles in the ACT, including the associated information for vehicle owners. Information for vehicle registrations is collected from vehicle owners via the Access Canberra website and through Access Canberra Service Centres, and is stored on the Rego.ACT system.

2.4 The WWVP program handles registrations and registration renewals under the Working with Vulnerable People (Background Checking) Act 2011 (WWVP Act). The WWVP Act requires those who work or volunteer with vulnerable people to have a background check and be registered.

2.5 The WWVP registration and its renewal involve collecting information from individuals. Once their registration or renewal is successful, individuals are then issued with a WWVP card as evidence of current WWVP registration.

2.6 Presently, the WWVP program uses a computer system called Promadis. The OAIC was advised that Access Canberra intends to move all information (including personal information) stored on Promadis into the Rego.ACT system. This is discussed in further detail in Part 4 of the report.

2.7 Access Canberra’s ICT systems, including the Rego.ACT and Promadis systems are maintained by Shared Services ICT, which is a division within CMTEDD. Shared Services ICT provides a range of ICT services across the ACT Government’s Directorates and Agencies.

2.8 Specifically, Shared Services ICT administers ICT networks, infrastructure and assets and provides ICT support for the ACT Government including CMTEDD and Access Canberra, in consultation with ACT Government directorates. Shared Services ICT maintains its own policies and procedures for the administration and maintenance of ICT systems across the ACT Government. Where appropriate, the OAIC has examined the policies and procedures of Shared Services ICT as these relate to the Rego.ACT system and WWVP program.

Part 3: Privacy analysis

3.1 The key findings of the assessment of Access Canberra are set out below under the following headings:

  • Implementing practices, procedures and systems to ensure TPP compliance
  • TPP privacy policy
  • Privacy notices

3.2 For each issue, we have outlined a summary of the OAIC’s observations, the privacy risks arising from these observations, followed by suggestions or recommendations to address those risks.

3.3 As the TPPs are substantially similar to the Australian Privacy Principles (APPs), the OAIC has applied its guide, Privacy management framework: enabling compliance and encouraging good practice, which outlines the steps to take to comply with APP 1.2, to consider the reasonable steps that Access Canberra has taken to address the requirements of TPP 1.2.

3.4 The OAIC also considered its APP Guidelines, which outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act, in the analysis reported in this section.

Implementing practices, procedures and systems to ensure TPP compliance

3.5 TPP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the TPPs; and
  • enable the entity to deal with privacy related enquiries or complaints from individuals.

Internal policies and procedures

Observations

3.6 The OAIC noted a general awareness of privacy and security issues through review of policy and procedure documents provided by Access Canberra and interviews with staff working on the Rego.ACT system and WWVP program.

3.7 CMTEDD have a number of policy documents that are applicable to all of its agencies, including Access Canberra. These include training and risk management policies, which are discussed separately later in this report.

3.8 Access Canberra advised that responsibility for core policy documents relevant to:

  • the RTA and WWVP program sits with policy agencies in the Justice and Community Safety Directorate and the Community Services Directorate respectively, which publish these documents. Access Canberra applies these policies in undertaking its regulatory and customer service function.
  • overarching governance arrangements associated with the administration of privacy and records handling sits at the Directorate level, with CMTEDD Corporate Management providing advice to agencies. Access Canberra applies these corporate policies to its operations and develops documentation relevant to the operational application of these policies where required and appropriate.
  • the administration of ICT networks, infrastructure and assets at the whole of government level sits with Shared Services ICT, in consultation with ACT Government directorates.

3.9 The OAIC noted that Access Canberra does not have a policy register or other guidance document which clearly details all of Access Canberra’s internal privacy policies and procedures, their date of issue, ownership, and when they are due for review. This finding also applies to the Rego.ACT system and WWVP program.

3.10 At present, individual business functions are responsible for developing and updating their documentation. There is no formal schedule for such updates at an organisational level, and individual business functions update their documentation as needed. As a result, there is a lack of consistency between business functions on how regularly policies and procedures are reviewed.

3.11 At the time of the assessment, the OAIC noted that Access Canberra was involved in the implementation of an Application Portfolio Management (APM) tool. Access Canberra advised that the APM tool will allow all ACT Government agencies (including Access Canberra), who adopt the tool, to monitor system lifecycle and keep track of information relevant to individual ICT system administration (including management of privacy and security) and review schedules.

3.12 The Rego.ACT system has reasonable policy coverage spanning a range of areas relevant to the handling of personal information. Of particular note is the Rego.ACT Security Plan (developed with the assistance of Shared Services ICT), which includes information about access controls, audit logging and quality assurance. This is supported by the Rego.ACT Terms of Access Protocol which, along with other documents, details how the team that administers the Rego.ACT system (referred to as Strategic IT within Access Canberra) manages access to this system.

3.13 In particular, this protocol details the information handling processes that Strategic IT staff should follow. These include physical security of information, the way in which access is granted to external parties such as law enforcement agencies, and the circumstances under which Rego.ACT information can be released to authorised external parties.

3.14 The WWVP program relies largely on high-level policies, which apply to all of CMTEDD and Access Canberra. While the WWVP program has developed its own privacy and security policy document, also in consultation with Shared Services ICT, this document was being updated at the time of fieldwork.

3.15 The OAIC was advised that Shared Services ICT has developed a suite of information security documents regarding its functions. In particular, it has developed an ICT security incident plan.

3.16 There is, however, no plan which outlines how Access Canberra staff are to handle and respond to data breaches, including breaches that are identified outside of Shared Services ICT. Access Canberra advised that it uses the OAIC’s Data breach notification — A guide to handling personal information security breaches (DBN guide), which is applied at the CMTEDD level.

Privacy risks

3.17 Overall, good privacy management requires the development and implementation of robust and effective internal policies, practices, procedures and systems that ensure the handling of personal information in line with Access Canberra’s privacy obligations. This includes the development and implementation of a Privacy Management Plan (PMP).

3.18 A PMP assists with embedding a culture of privacy that enables privacy compliance. A PMP identifies specific, measurable privacy goals and targets and sets out how an entity will implement the four steps outlined in the OAIC’s Privacy management framework and meet its goals for managing privacy.

3.19 Currently Access Canberra, including the RTA and WWVP program, does not have an overall policy document for managing privacy. As part of meeting its obligations under TPP 1.2, Access Canberra should develop and implement a PMP that sets out specific goals and objectives for its privacy management with consideration of the specific privacy issues that apply to its operations. The OAIC has developed a Privacy management plan template, which should assist in the development of a PMP.

3.20 While staff within Access Canberra demonstrated good overall knowledge of their information management practices, this did not always align with the policies and procedures reviewed by the OAIC. The documentation that is meant to support this knowledge was in many instances either dated or more generally applicable to Access Canberra and CMTEDD instead of the RTA and WWVP program.

3.21 Overall, there is a lack of consistency between the information handling policies of the RTA and WWVP program. Strategic IT has developed policies and procedures around security of and access to the Rego.ACT ICT system, whereas the WWVP program does not have similar documents for Promadis.

3.22 While some of this inconsistency is mitigated by Access Canberra and CMTEDD documents, or may simply represent differences in how the two systems are used and operated, it may become an issue if the WWVP program proceeds to using the Rego.ACT ICT system for information management but operates under different information handling policies. Access Canberra should take steps to ensure that its information handling policies are consistent for all business functions accessing the Rego.ACT system, unless there is a specific need to handle information differently. Access Canberra could also consider liaising with CMTEDD’s privacy section to develop policies and procedures relating to personal information handling.

3.23 There is a medium risk that both Access Canberra and business function specific internal policies and procedures currently in place are no longer relevant or effective. A number of policies are approximately two to three years old and refer to the corporate structures that existed prior to the formation of Access Canberra.

3.24 The OAIC noted that at the time of the assessment, implementation of the APM tool was underway and this tool would provide an opportunity to monitor review cycles for information of relevance to system administration. The OAIC encourages Access Canberra to continue its adoption of the use of this tool as it will assist in ensuring system administration policy and procedure documentation (e.g. security plans) as well as practices remain relevant and up to date.

3.25 Access Canberra should regularly evaluate and enhance its policies and procedures to ensure their adequacy and currency. As general core policy documents are the responsibility of policy agencies in other Directorates or at the CMTEDD level, Access Canberra should consider consulting with relevant policy agencies and CMTEDD on ways to ensure the adequacy and currency of its policies and procedures.

3.26 Further to the points outlined above, there is a medium risk that in the event of a data breach, there may be confusion around which staff should be engaged and the process to be followed. In particular, it is unclear how aware staff in the WWVP program and RTA are of the ICT security incident plan developed by Shared Services ICT, and how their respective areas are to respond in the event of a breach.

3.27 The OAIC was advised that CMTEDD relies on the OAIC’s DBN guide for its data breach response. While this document provides general guidance on responding to a breach, Access Canberra should have its own data breach response plan which sets out:

  • contact details for appropriate staff to be notified
  • the roles and responsibilities of staff
  • processes that will assist Access Canberra to contain breaches, coordinate investigations and breach notifications, and cooperate with external investigations.

3.28 Such a plan could be linked to, or incorporated into, existing processes and policies, such as the ICT security incident plan developed by Shared Services ICT and covered in privacy training for staff (discussed below).

3.29 For more information, the OAIC suggests reviewing the Guide to developing a data breach response plan that is published on its website.

Recommendation 1

The OAIC recommends that Access Canberra should:

  • regularly evaluate its policies and procedures to ensure their adequacy and currency. For general core policy documents which are the responsibility of policy agencies in other Directorates or which are made at the Chief Minister, Treasury and Economic Development Directorate level, Access Canberra should consider consulting with these agencies and CMTEDD on ways to ensure the adequacy and currency of its policies and procedures.
  • continue to develop its “Application Portfolio Management tool” to assist with managing policy and procedure document updates
  • develop and implement a Privacy Management Plan
  • develop a data breach response plan and consider linking or incorporating this plan into existing processes and policies.

Governance and culture

Observations

3.30 Overall, Access Canberra has taken steps to foster a privacy aware culture. It has put resources into protecting personal information as a business asset, and Access Canberra staff generally have a good awareness of privacy issues.

3.31 Access Canberra advised that core policy documents relating to overarching governance arrangements associated with the administration of privacy and records handling sit at the Directorate level, with CMTEDD Corporate Management providing advice to agencies. Further, Access Canberra then applies these corporate policies in the context of its operational focus and develops documentation relevant to the operational application of these policies where required and appropriate.

3.32 There are governance mechanisms within CMTEDD and Access Canberra in the form of boards and committees that allow for discussion of issues regarding the RTA and WWVP program. Senior staff of the RTA and WWVP program attend and participate in these fora. Privacy issues are handled when they arise, and are not a regular agenda item of these committees.

3.33 At present these mechanisms include the Rego.ACT Working Group, Access Canberra Change Advisory Board, Shared Services ICT Change Advisory Board, Access Canberra Executive ICT Committee, as well as other groups for the management of specific business functions. The OAIC understands that many of these governance mechanisms come from the previous agencies that now comprise Access Canberra.

3.34 Although there is a privacy section within CMTEDD that is responsible for assisting with privacy issues, it appears that Access Canberra rarely utilises this service. For example, the OAIC was advised that Access Canberra had little consultation with CMTEDD on the development of privacy and security policies for the Rego.ACT system and WWVP program.

3.35 There are also CMTEDD staff who can provide similar guidance on records management, but Access Canberra does not regularly consult these staff on matters related to the handling of personal information.

3.36 The OAIC understands that the WWVP program was, at the time of the assessment, developing a dedicated complaints team. All other business functions, as far as the OAIC is aware, handled complaints through a central system administered by Access Canberra. Individual business functions within Access Canberra collaborated with this central function when responding to complaints, including those related to privacy matters.

3.37 At the time of the assessment, Access Canberra also advised that it is currently developing a complaints register and in the next few months will be introducing a new complaints-handling system, including a new complaint handling policy, which will apply across the agency and include privacy complaints. This has since been progressed.

3.38 There is also a complaints function at the CMTEDD level, however this is not regularly used by staff of the Rego.ACT system or the WWVP program.

3.39 We understand that since the assessment was conducted, Access Canberra has established a Complaints Management Team, the responsibilities of which include management and response to complaints associated with the various administrative responsibilities of Access Canberra (including the RTA and WWVP functions), complaints about the operation of the agency itself (including the management of privacy) and complaints about services delivered by other ACT Government entities.

Privacy risks

3.40 Compliance with APP 1.2 is fundamentally about good privacy governance. Underpinning the policies and procedures should be strong leadership from senior management, with governance arrangements that support effective privacy practices.

3.41 The OAIC acknowledges that there are a number of existing governance mechanisms within Access Canberra where privacy issues could be reported and discussed. While privacy matters can be raised through the various committees discussed at 3.32-3.33, it is done in an ad hoc manner and not as a regular item for discussion. Access Canberra’s current governance arrangements do not include a dedicated privacy function allowing for agency wide coordination, discussion and response to privacy matters.

3.42 As mentioned at 3.36, the WWVP program is developing a dedicated complaints team for customers. At the time of this assessment, it was unclear how this team, the centrally administered complaints handling system which services the entirety of Access Canberra, and the complaints function at CMTEDD will collaborate with each other. Access Canberra has since advised that this separate WWVP complaints team has now been combined into the new Complaints Management Team referred to above at 3.39.

3.43 The situation regarding complaints handling at the time of the assessment raised the medium risk that privacy matters, including complaints related to Rego.ACT and WWVP could be handled inconsistently within Access Canberra and between Access Canberra and the CMTEDD. The OAIC was of the view that the situation could have led to inconsistency or gaps in the application of privacy law and privacy practice across both the RTA and WWVP program.

3.44 Furthermore, this also creates a risk that privacy issues are not being properly assessed due to the ambiguity over ownership of privacy overall. The OAIC did not assess the functionality of the Complaints Management Team, however, the establishment of this team may address this privacy risk.

3.45 To address the above risks, Access Canberra should consider including a formal central privacy management function in its governance arrangements. This central function will be responsible for coordinating privacy matters across business functions, including the RTA and WWVP program, and reporting these issues to senior management. Issues identified by complaints teams in specific business functions could be raised through the central function. It may also assist in addressing some of the risks and recommendations identified in the ‘Internal policies and procedures’ section above.

3.46 The privacy management function should involve appointing staff to key roles and responsibilities in privacy management. This includes appointing a senior member of staff with overall accountability for privacy. This person would be given responsibility for promoting a culture of privacy and the value and protection of personal information within Access Canberra. Further to this, the role could include responsibility for providing advice within Access Canberra on broader privacy issues.

3.47 There should also be specific staff responsible for managing privacy, including a privacy officer. The privacy officer should be responsible for coordinating privacy matters including privacy advice and solutions, the handling of internal and external privacy enquiries, complaints, as well as access and correction requests across Access Canberra. This position would also ensure that senior management and those with responsibility for privacy management are regularly briefed on privacy risks or issues identified.

3.48 Given the potential complexity of such governance arrangements, Access Canberra should regularly evaluate its governance mechanisms to ensure their continued effectiveness. This ties in to the need for a PMP (discussed earlier at 3.17-3.19) which would include the establishment of these privacy governance arrangements as part of its privacy goals. Access Canberra should then measure its performance against the PMP, as the implementation of the arrangements is as important as the arrangements themselves.

3.49 As indicated earlier, responsibility for core policy documents relevant to overarching governance arrangements for privacy sits at the Directorate level within CMTEDD. Accordingly, Access Canberra should consult with CMTEDD before making any changes to its governance arrangements.

3.50 The OAIC was advised that the current structure of committees and working groups within Access Canberra is under review. As part of implementing the OAIC’s recommendation for a formal central privacy management function, Access Canberra could consider:

  • further involving CMTEDD’s privacy section in existing governance committees and boards
  • adding privacy as a regular agenda item for discussion within relevant existing committees, boards and working groups
  • monitoring and reviewing the policies and practices of the Access Canberra complaints handling unit, the central complaints function administered by Access Canberra and the CMTEDD complaints function to ensure a consistent approach to handling privacy matters, including complaints, across these functions.

Recommendation 2

The OAIC recommends that Access Canberra consider, in consultation with the Chief Minister, Treasury and Economic Development Directorate, including in its governance arrangements a formal central privacy management function which is responsible for coordinating privacy issues across business functions, including the RTA and WWVP program, and reporting these issues to senior management.

Risk management

Observations

3.51 The OAIC was advised that Access Canberra continually addresses risks relating to the handling of personal information. This includes the various governance mechanisms (discussed at 3.32-3.33), through which risks can be discussed when they arise.

3.52 Access Canberra maintains a corporate risk register that is positioned to deal with risks at the whole of Access Canberra level. This is the Access Canberra Strategic Risk Register, which covers those risks that are considered to be of significance to Access Canberra, with the treatment of these risks warranting oversight and monitoring by staff at the senior executive level. CMTEDD have developed risk management policies to support the corporate register. These policies include the Risk Management Framework and Policy Statement and Risk Management Plan.

3.53 Access Canberra provided the OAIC with a risk register for this assessment. This register refers to privacy in the context of overall compliance with legislation and issues regarding information management. It does not explicitly identify specific privacy risks or risks associated with the handling of personal information.

3.54 The ICT Security Plans for the Promadis and Rego.ACT systems included risk registers relating to those systems. Both registers refer to privacy in the context of access controls when discussing the impact/outcome of the risk. The Promadis ICT Security Plan has a specific risk regarding non-compliance with the Information Privacy Act.

3.55 It is not clear how the RTA and WWVP program manage the identification, treatment, reporting and ongoing monitoring of privacy risks associated with their respective activities. It appears that both the RTA and WWVP program currently do not maintain their own risk registers. RTA does maintain a document of ongoing issues (which could include risks) but this does not conform to typical risk management methodologies.

3.56 Access Canberra’s information security risk management is handled comprehensively by Shared Services ICT, with risk assessments undertaken before any changes to ICT systems are made. Risk registers are maintained by the project team, and reporting of identified information security risks occurs via the Shared Services ICT Change Advisory Board and the Access Canberra Change Advisory Board.

Privacy risks

3.57 Privacy risk management processes are integral to establishing robust and effective privacy practices, procedures and systems. These risk management processes allow for an entity to identify, assess, treat and monitor privacy risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks.

3.58 The risk registers that were noted in the ICT security plans for both the Rego.ACT and Promadis systems comprehensively cover security risks at a system level and these risks do overlap with privacy risks, for example, risk of inappropriate system access to personal information. However, the security plans themselves acknowledge that the only risks to be shown in the risk registers are security risks i.e. risks to Confidentiality, Integrity or Availability.

3.59 The security plans state that if a threat has other implications, for example privacy aspects of personal information handling that are not security matters but are still relevant to privacy (such as access and correction by customers), those other implications should be recorded elsewhere. Whilst there are processes in place at an agency level to record corporate risks and to manage information security risks (which would cover many privacy elements such as access controls), at present it is unclear how the RTA and WWVP program manage privacy risks proactively on an ongoing basis.

3.60 As a result, there is a medium risk that the RTA and WWVP program do not properly monitor, identify, treat, or report all privacy risks in the corporate register and to senior management. Access Canberra should consider reviewing its privacy risk management processes for both the RTA and WWVP program with a view to ensuring that all privacy risks are appropriately managed.

3.61 The proposed privacy governance arrangements discussed earlier will help in this regard. The creation of these arrangements could act as one of the goals of a PMP and could support the ongoing overall risk management work within Access Canberra.

3.62 The risk register can be an important document to help summarise any issues identified and allow for them to be properly considered by senior management, which should complement the earlier recommendation to review internal governance arrangements. Accordingly, it is recommended that the role of Access Canberra’s Strategic Risk Register is clarified, specifically in the way privacy risks are treated within the document.

Recommendation 3

The OAIC recommends that Access Canberra:

  • review privacy risk management processes for both the RTA and WWVP program with a view to ensuring that all privacy risks are appropriately managed
  • consider the use of the Strategic Risk Register to record privacy risks, including making privacy an individual risk area within the corporate risk register.

Privacy Impact Assessments

Observations

3.63 As identified earlier, at present there are two main systems being used by Access Canberra for the administration of the RTA and the WWVP functions. Access Canberra is proposing to move data held on the Promadis system (currently being used for the WWVP program) to the Rego.ACT system. This will allow Access Canberra to undertake data-matching between the two datasets to improve the quality of information held by Access Canberra.

3.64 Access Canberra sought advice from the OAIC in late 2016 on the proposed change to its systems and the OAIC advised Access Canberra to undertake a Privacy Impact Assessment (PIA). A consultant was then hired to undertake the PIA. The OAIC was advised that Shared Services ICT were consulted on the data matching PIA, and Access Canberra was awaiting the outcome of the PIA at the time of the OAIC’s assessment.

3.65 The OAIC received conflicting information as to whether Access Canberra was waiting on the outcome of the PIA before proceeding with the data-matching project. Information received during interviews with relevant staff appeared to suggest that the RTA is progressing on the basis that the project is compliant, while the WWVP program is exercising greater caution and waiting for the PIA’s findings.

3.66 It was not clear from the interviews what decision making process was used by Access Canberra for deciding to undertake the PIA or PIAs generally. It is also unclear if PIAs have been undertaken before for other high risk projects involving personal information.

Privacy risks

3.67 PIAs help to embed privacy culture, as they are a key component of ‘privacy by design’, which means treating privacy as a fundamental consideration in the way policies, procedures and systems are created and developed.

3.68 PIAs can also assist with establishing robust and effective practices, procedures and systems, which are fundamental to an entity’s privacy management. As a general rule, PIAs should be sought for business projects or decisions that involve new or changed personal information handling practices. This particularly includes the implementation of new technologies that may create new ways in which personal information may be handled by an entity.

3.69 The OAIC understands that a PIA was undertaken for the migration of Promadis data to the Rego.ACT system to ensure the proposed data-matching is compliant with privacy law.

3.70 The PIA was intended to assess whether personal information collected for a particular purpose can be used for a secondary purpose (data-matching). Under TPP 6, there are certain circumstances where personal information collected for one purpose can be used for a secondary purpose. It should be noted that the OAIC did not consider this issue as part of this assessment.

3.71 The OAIC recommends a consistent approach and that all relevant business functions of Access Canberra wait for the completion of the data-matching PIA before proceeding with the project. The PIA will either be able to provide some assurance that the data-matching is permissible under privacy law or highlight privacy risks and implications which Access Canberra should address before proceeding with the project.

3.72 The OAIC understands that the PIA is only considering the issue of data-matching and will not cover other issues that would typically be considered by a PIA. Given the amount of personal information (including sensitive information) involved in moving Promadis data onto the Rego.ACT system, there is a medium risk that the narrow scope of the PIA may not address important information handling issues, and may ultimately compromise the handling of personal information within Access Canberra.

3.73 Therefore, Access Canberra should consider undertaking a threshold assessment to determine whether the data risks associated with the migration of Promadis data to the Rego.ACT system require a full PIA. A full PIA would assist in identifying all potential privacy impacts and information flows arising from the project, not just specific matters related to data-matching.

3.74 It was not clear from the interviews how decisions regarding PIAs in general are made. Access Canberra should consider undertaking PIAs for all projects involving personal information. Where it is uncertain whether a full PIA is needed, Access Canberra can first undertake a threshold assessment to determine the privacy risks around a given project. As discussed in the ‘Governance’ section, a formal central privacy management function will assist in decision making regarding PIAs.

3.75 The OAIC has published the Guide to undertaking privacy impact assessments, which may be of assistance in considering future PIAs. The OAIC has also recently published an eLearning course on PIAs, and we recommend the course to Access Canberra staff as an introduction to the steps required when conducting a PIA.

Recommendation 4

The OAIC recommends that Access Canberra should:

  • wait for the completion of the PIA before proceeding with the proposed data-matching project
  • consider undertaking a threshold assessment to determine whether a larger PIA is needed in relation to the transfer of Promadis data to the Rego.ACT system
  • encourage its staff to undertake the OAIC’s eLearning course on PIA, especially those staff who work on large projects involving personal information.

Training

Observations

3.76 Following the OAIC’s review of documentation and interviews with relevant staff, it appears that there are four types of training offered to Access Canberra staff.

3.77 The first of these is the mandatory induction training provided to new staff who will use the Rego.ACT and WWVP systems. This includes staff who work in Access Canberra’s service centres and contact centre. The training covers practical issues such as appropriate system use, how to conduct proof of identity checks, and a briefing on privacy law as it applies to their duties.

3.78 Secondly, Shared Services ICT provides its own mandatory orientation training on ICT systems. This training covers privacy and the TPPs. We understand this training is not refreshed.

3.79 Thirdly, the CMTEDD privacy section recently provided records management and privacy training to Access Canberra staff. This training focuses on the legal obligations under privacy law and how these affect the work of CMTEDD. This training is not mandatory, nor does it happen at regular intervals.

3.80 Fourthly, privacy training is provided for service centre and contact centre staff and is mandatory and refreshed annually. In addition, Access Canberra advised that relevant procedural documentation is published to a network drive or system specific intranet site (as is the case for the Rego.ACT system), which is accessible by staff with appropriate permissions.

Privacy risks

3.81 Effective privacy training promotes privacy awareness within an entity. This is important because training helps to establish robust and effective privacy practices, procedures and systems as well as embedding a culture of privacy. Although the OAIC acknowledges that privacy is referred to in the ICT systems training provided to staff, we understand that the training has a greater focus on the potential penalties individual staff may face under other laws.

3.82 As noted earlier, with the exception of training provided to service centre and contact centre staff, there is no regularly scheduled mandatory refresher privacy training provided to Access Canberra staff. While CMTEDD training was well attended by Access Canberra staff, it was not attended by all staff. Only induction training is mandatory. This raises a medium risk that gaps may exist in staff awareness of privacy law and how it applies to their duties.

3.83 Access Canberra should promote privacy awareness by implementing regular and mandatory privacy training for all staff. This training should include short-term staff and contractors. Such training should cover privacy obligations for staff under the TPPs and how they fit into Access Canberra’s business processes, for example responding to a data breach.

3.84 In developing regular and mandatory privacy training for all staff, Access Canberra could consider leveraging existing privacy training initiatives such as CMTEDD’s privacy training and/or the mandatory refresher training provided to contact centre/service centre staff. The OAIC was informed that CMTEDD is investigating the possibility of developing privacy training in the form of an electronic training module.

Recommendation 5

The OAIC recommends that Access Canberra should implement regular and mandatory privacy training for all staff. This training should include short-term staff and contractors. Such training should cover privacy obligations for staff under the TPPs and how they fit into Access Canberra’s business processes.

ICT and access security

Observations

3.85 Overall, Access Canberra has, through Shared Services ICT, established robust and effective privacy practices, procedures and systems regarding ICT Security. In particular, there are comprehensive risk management processes that allow for the identification, assessment and management of information security risks by Shared Services ICT.

3.86 This includes annual threat risk assessments of systems used by Access Canberra, including Promadis and the Rego.ACT system. These assessments have shaped the security controls that have been put in place on Access Canberra systems.

3.87 During the assessment, the OAIC was advised of the security controls employed for both the Rego.ACT and the Promadis systems. Due to this assessment’s scope, the OAIC did not consider most of these controls in detail.

3.88 However, the OAIC was informed of an important access security issue regarding audit logging. Certain databases in use, specifically those built on the Unix operating system, have no function that logs activity on the database. This means that access to those particular databases is not tracked, including access by system administrators from Shared Services ICT, who can potentially access all parts of Access Canberra’s systems.

3.89 Audit logging is available to monitor activity on both the Promadis and Rego.ACT systems. However, this is done reactively, meaning that system administrators review an activity after it has occurred, though the OAIC was informed that both systems can identify certain anomalous activities in real time.

3.90 While there are limitations on the Promadis system, the Rego.ACT system provides for highly detailed logging, including keystrokes and timing for record access. These logs are swept every 3-5 seconds and stored centrally on a database that is only accessible to a specific senior member of Shared Services ICT. Backups of logs are done daily, weekly, monthly, quarterly and then bi-annually. These backups are then stored on a separate database which is not linked to Access Canberra systems.

3.91 There is also a plan to implement a ‘database vulnerability treatment solution’ across Access Canberra. The OAIC was advised that this implementation will enhance ICT security measures, including live monitoring of the Rego.ACT and WWVP databases and the use of encryption.

Privacy issues

3.92 As noted above, the OAIC was informed that administrators can potentially access all parts of Access Canberra’s systems, and any such access to a database built on the Unix operating system will not be logged.

3.93 Shared Services ICT has recognised this risk and has taken a number of mitigating steps, particularly by limiting the actual number of staff with such access to approximately three to four people, and by undertaking security vetting of these staff prior to their commencement of employment with the ACT Government.

3.94 The OAIC was also advised that it would in practice be extremely difficult to circumvent the logging that occurs on these databases, including Promadis and the Rego.ACT system. The aforementioned planned ‘database vulnerability treatment solution’ could potentially further strengthen these protections with live monitoring of databases. While the databases are not presently encrypted, there is also a plan to implement this through the ‘database vulnerability treatment solution’.
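The gap described in 3.88 and 3.92 (privileged access to some databases leaving no database-side audit trail) can be partly compensated for by reconciling host-level privilege-escalation records against whatever database audit events do exist. The following is an added example, not code from the report or from Access Canberra or Shared Services ICT. It assumes a syslog-like sudo record format with ISO timestamps, a CSV-style database audit export, and a 15-minute correlation window; the host names, user names and log lines are constructed for illustration. Every privileged session that has no matching database audit event is reported for review; on a host whose database produces no audit events at all, every privileged session is reported, which is the intended behaviour for a review queue.

```python
import re
from datetime import datetime, timedelta

# Constructed sample host log (syslog-like sudo records with ISO timestamps).
# Not taken from any real system.
OS_LOG = """\
2017-02-14T09:12:03 dbhost1 sudo:     dba1 : TTY=pts/0 ; PWD=/home/dba1 ; USER=root ; COMMAND=/usr/bin/sqlplus
2017-02-14T11:40:55 dbhost1 sudo:     dba2 : TTY=pts/1 ; PWD=/home/dba2 ; USER=root ; COMMAND=/bin/bash
2017-02-14T12:00:00 dbhost1 sshd[2231]: Accepted publickey for dba2 from 10.0.0.5 port 51022 ssh2
2017-02-14T13:05:10 dbhost2 sudo:     dba1 : TTY=pts/2 ; PWD=/home/dba1 ; USER=root ; COMMAND=/usr/bin/sqlplus
"""

# Constructed sample database audit export: timestamp,host,os_user,action.
DB_AUDIT = """\
2017-02-14T09:12:41,dbhost1,dba1,SELECT
2017-02-14T13:06:02,dbhost2,dba1,SELECT
"""

# Only sudo lines are privilege escalations; other syslog lines are ignored.
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r"PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def parse_privileged_sessions(log_text):
    """Extract one session record per sudo invocation in the host log."""
    sessions = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a privilege escalation record
        sessions.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "target": m["target"],
            "cmd": m["cmd"],
        })
    return sessions


def parse_db_audit(csv_text):
    """Parse the database audit export into event records."""
    events = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action = line.split(",", 3)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "action": action,
        })
    return events


def find_unaudited_sessions(sessions, events, window=timedelta(minutes=15)):
    """Return privileged sessions with no database audit event from the same
    host and OS user within `window` after the escalation."""
    unaudited = []
    for s in sessions:
        matched = any(
            e["host"] == s["host"]
            and e["user"] == s["user"]
            and s["ts"] <= e["ts"] <= s["ts"] + window
            for e in events
        )
        if not matched:
            unaudited.append(s)
    return unaudited


if __name__ == "__main__":
    sessions = parse_privileged_sessions(OS_LOG)
    events = parse_db_audit(DB_AUDIT)
    for s in find_unaudited_sessions(sessions, events):
        print(f"REVIEW: {s['ts'].isoformat()} {s['user']}@{s['host']} "
              f"-> {s['target']} ran {s['cmd']} with no database audit trail")
```

The correlation key (host plus OS user) and the 15-minute window are assumptions to be tuned to the environment; the point of the check is that a database without its own audit logging cannot be allowed to make privileged access invisible, so the host's own escalation records become the minimum source of review items.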

3.95 Access Canberra should continue to examine and address the privacy implications, risks and benefits of new technologies such as new encryption methods and enhanced audit logging. However, the OAIC understands that there may be significant resource implications, both in terms of cost and system capability.

3.96 Therefore, the OAIC suggests that Access Canberra continue to roll out the ‘database vulnerability treatment solution’ as soon as practicable, given that it will allow for encryption and enhanced audit logging, which are highly effective means to protect personal information.

TPP privacy policy

3.97 The object of TPP 1 is ‘to ensure that TPP entities manage personal information in an open and transparent way’ (TPP 1.1). This enhances the accountability of TPP entities for their personal information handling practices and can build community trust and confidence in those practices.

3.98 Under TPP 1.3, ACT agencies must have a clearly expressed and up to date TPP privacy policy about the management of personal information by the agency. TPP 1.4 – 1.6 set out some requirements for privacy policies, including requirements for content and availability.

Observations

3.99 Access Canberra uses CMTEDD’s TPP privacy policy. Accordingly, the OAIC understands that maintaining the privacy policy that applies to Access Canberra is the responsibility of the CMTEDD privacy team.

3.100 The OAIC reviewed Access Canberra’s TPP privacy policy against the requirements of TPP 1, the findings of which can be found in Attachment A. The review applied the requirements of APP 1 to Access Canberra’s TPP privacy policy as TPP 1 is almost identical, and can be considered equivalent to APP 1.

3.101 As part of this review of the privacy policy, the OAIC applied a Flesch-Kincaid test[1] to provide a general indication of the complexity and readability of the privacy policy.

Privacy issues

3.102 As noted in Attachment A, the OAIC’s assessment of the TPP privacy policy found that it generally complies with the requirements of TPP 1. However, to easily read the policy, it requires someone with an average age of 19-20 years and an education level of above grade 12. This means that the policy may be too complex for many readers to understand, which could impact on some users of Access Canberra.

3.103 In addition, the privacy policy at present contains details about Rego.ACT and the way it handles personal information. However, the policy only provides general high level descriptions of the WWVP program and little specific detail about how it handles personal information.

3.104 The OAIC was informed that the TPP privacy policy is currently under review by the CMTEDD’s privacy section. Regularly evaluating privacy practices, procedures and systems is important to ensure their continued effectiveness. Accordingly, this review could include ensuring that the TPP privacy policy is current and accurately reflects Access Canberra’s handling of personal information.

3.105 Given that the Promadis system used by the WWVP program will likely have its functionality absorbed into the Rego.ACT system, the TPP privacy policy review presents an opportunity to:

  • update the policy to reflect the merging of both systems and include more specific detail regarding the information handling practices of the WWVP program, which may also assist in addressing the points raised below about the use of privacy collection notices by both the WWVP program and RTA; and
  • where possible simplify the language of the policy to enhance its readability.

Privacy notices

3.106 TPP 5 requires ACT Government agencies that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in TPP 5.2) or to ensure the individual is aware of those matters.

Observations

3.107 The RTA’s privacy notices were reviewed as part of the assessment, to ensure that they met the requirements of TPP 5. Specifically, this meant reviewing the application forms used by the RTA to collect personal information from individuals.

3.108 There are a number of application forms used by the RTA to collect information, both for vehicle registration and the renewal of vehicle registration. We understand these forms are available electronically, either online or through computers at Access Canberra service centres. Otherwise, individuals can print the forms and send them to RTA for processing.

3.109 The forms themselves contained prominent and comprehensive privacy notices, which were placed near the signature blocks on the forms. There was, however, no reference to Access Canberra’s (also CMTEDD’s) TPP 1 privacy policy within these ‘privacy statements’.

3.110 Although personal information is collected for the WWVP program through Access Canberra service centres, most information is collected when applicants respond to letters sent to them requesting personal information. There is considerable detail included in the letters that functions as a privacy notice. The public WWVP website is similarly comprehensive, with information provided on the website that leads users to registration forms.

3.111 The WWVP program and RTA review and update their respective privacy notices as required, without involving the CMTEDD privacy section.

Privacy issues

3.112 It was noted during the interviews that the CMTEDD privacy section was not involved in the drafting of privacy notices for Access Canberra. Although it is accepted that the RTA and WWVP program will have greater expertise with the specific legislation under which they operate, they could consult the CMTEDD privacy section when updating their privacy notices to ensure consistency in the approach to compliance with TPP 5.

3.113 One suggestion for ensuring that future iterations of the privacy notices properly cover TPP 5 requirements is to include in the collection notice a hyperlink to Access Canberra’s (also CMTEDD’s) TPP 1 privacy policy.

3.114 Referring to the privacy policy in the privacy notices would highlight important information for individuals on how their personal information will be handled, whilst also ensuring the privacy notices are an appropriate length. For this to be effective, Access Canberra will need to ensure that its TPP 1 privacy policy is up to date and accurate (discussed in ‘TPP privacy policy’ section above).

Part 4: Recommendations and response

OAIC recommendation 1

The OAIC recommends that Access Canberra:

  • regularly evaluate its policies and procedures to ensure their adequacy and currency. For general core policy documents which are the responsibility of policy agencies in other Directorates or which are made at the Chief Minister, Treasury and Economic Development Directorate level, Access Canberra should consider consulting with these agencies and CMTEDD on ways to ensure the adequacy and currency of its policies and procedures
  • continue to develop its “Application Portfolio Management tool” to assist with managing policy and procedure document updates
  • develop and implement a Privacy Management Plan
  • develop a data breach response plan and consider linking or incorporating this plan into existing processes and policies.

Access Canberra response

Noted. Access Canberra will continue to evaluate and update its policies and procedures for currency. Where core documents are the responsibility of the Chief Minister, Treasury and Economic Development Directorate or of policy directorates, Access Canberra will continue to consult and work collaboratively to ensure currency of this documentation.

The use of the Application Portfolio Management tool will continue.

While the security plans for both systems currently provide opportunities to document processes and risks relevant to privacy management, privacy management and data breach plans for the Rego.ACT and Working With Vulnerable People system will be developed and maintained as those systems evolve or are decommissioned.

OAIC recommendation 2

The OAIC recommends that Access Canberra consider, in consultation with the Chief Minister, Treasury and Economic Development Directorate, including in its governance arrangements a formal central privacy management function that is responsible for coordinating privacy issues across business functions, including the RTA and WWVP program, and for reporting these issues to senior management.

Access Canberra response

Noted. Access Canberra will work with the Chief Minister, Treasury and Economic Development Directorate to establish a clear understanding across its business units of the support role provided by the central directorate Privacy Manager. Access Canberra will seek the advice of the CMTEDD Privacy Manager to identify where opportunities exist to set in place processes or to ensure appropriate oversight arrangements are applied to systemically treat any existing privacy risk within the business, including encouraging greater awareness of privacy as a key consideration when planning change processes or in messaging associated with change.

OAIC recommendation 3

The OAIC recommends that Access Canberra:

  • review privacy risk management processes for both the RTA and WWVP program with a view to ensuring that all privacy risks are appropriately managed
  • consider the use of the Strategic Risk Register to record privacy risks, including making privacy an individual risk area within the corporate risk register.

Access Canberra response

Agreed. The current risk registers for the individual systems will be amended to ensure management of privacy risks. The Strategic Risk Register of Access Canberra will be amended to make clear that privacy is being managed through review processes applied to its Risk Registers.

OAIC recommendation 4

The OAIC recommends that Access Canberra should:

  • wait for the completion of the PIA before proceeding with the proposed data-matching project
  • consider undertaking a threshold assessment to determine whether a larger PIA is needed in relation to the transfer of Promadis data to the Rego.ACT system
  • encourage its staff to undertake the OAIC’s eLearning course on PIA, especially those staff who work on large projects involving personal information.

Access Canberra response

Agreed. In response to preliminary advice provided by the OAIC following fieldwork conducted in February 2017, Access Canberra engaged KPMG to determine the scope required for a PIA to be undertaken in relation to the proposed data migration from the Promadis system to Rego.ACT. This PIA was completed in June 2017.

Access Canberra will formalise arrangements to promote regular (mandatory) privacy training which will include a package of options such as face to face, regular tips and reminders, and online e-learning, and will encourage those staff with responsibility for administering ICT systems to undertake the OAIC’s eLearning course on PIA.

OAIC recommendation 5

The OAIC recommends that Access Canberra should implement regular and mandatory privacy training for all staff. This training should include short-term staff and contractors. Such training should cover privacy obligations for staff under the TPPs and how they fit into Access Canberra’s business processes.

Access Canberra response

Noted. Access Canberra will continue to work with the Chief Minister, Treasury and Economic Development Directorate Privacy Manager to ensure staff at Access Canberra are provided access to regular privacy training and that the training provided is relevant to the business processes in use at Access Canberra.

Attachment A

Privacy assessment of Access Canberra

Open and transparent management of Personal Information

Assessment of Privacy Policies in relation to Australian Privacy Principles 1.3, 1.4 and 1.5
Section 33C(1)(a) Privacy Act 1988
Assessment undertaken: January 2017

Entity Name: Access Canberra
Review Date: 19/01/2017

Overall Summary
APP 1.5 - Availability and Accessibility

Privacy risks: Nil risks found.
Recommendations: N/A

APP 1.3 - Readability

Privacy risks: Policy has a relatively high reading age and may be difficult for younger readers to comprehend.
Recommendations: Simplify policy.

APP 1.4 - Contactability

Privacy risks: Nil risks found.
Recommendations: N/A

APP 1.4 - Content

Privacy risks: Nil risks found.
Recommendations: N/A

Australian Privacy Principles | Assessment criteria | Assessment result

APP 1.5 - Availability and Accessibility

This criterion examines how accessible the privacy policy is from the website, taking into account the requirements of APP 1.5

APP 1.5 requires APP entities to take reasonable steps to make its privacy policy available free of charge, and in an appropriate form. Generally, the policy should be displayed on the entity’s website, be easily accessible and easy to download. For example, a prominent link or privacy icon, displayed on each page of the entity’s website, could provide a direct link to the privacy policy.

Can the privacy policy be located on the website?

Yes

Is there a link to the privacy policy from the home page?

Yes

If no direct link exists, can the privacy policy be easily accessed?

Yes

Is the privacy policy available in a format other than as an online publication?

Yes

Is the privacy policy available free of charge, if provided in a non-web based format?

Unknown

Is the privacy policy provided in HTML (a WCAG 2.0 compliant accessible format)?

Yes

Are there any concerns around accessibility?

No

No issues.

APP 1.3 - Readability

Readability is the ease with which text can be read and understood.

APP 1.3 requires APP entities to have a clearly expressed and up-to-date privacy policy. At a minimum, a clearly expressed policy should be easy to understand, easy to navigate, and only include information relevant to the management of personal information by the entity.

The OAIC recommends that privacy policies use simple language with a reading age level of around 14 years.

Does the policy appear to be clearly expressed?

Yes

Does the policy appear to be of a structure and length suitable for web publication?

Yes

What is the Flesch Kincaid Reading Ease raw score of the privacy policy?

15.4

The average Flesch Kincaid Reading Ease score of the 50 Australian websites assessed in the General Privacy Enforcement Network (GPEN) 2013 sweep was 55.

Scores lower than 65 indicate the text is harder to read, and more suitable for readers aged over 15 years or at higher school grade levels.

Scores higher than 65 indicate the text is easier to read, and suitable for readers aged under 15 or at lower school grade levels.

Can this privacy policy be easily read by a 14 year old?

No

What average age should be able to easily understand this policy?

19-20 years

What average grade level should be able to read this policy?

Above Grade 12

To read the privacy policies of the 50 Australian websites assessed in the GPEN 2013 sweep required an average ability of Grades 10-12.

How many words are in this privacy policy?

5,719

The average number of words in the 50 Australian websites assessed in the GPEN 2013 sweep was 2,738.

The median (half of the policies have more words, half of the policies have less words) in the 50 Australian websites was 2,262.

Does the policy reflect current APP privacy obligations?

Yes

When was the privacy policy last updated?

18/12/2015

Is the Privacy Policy up-to-date?

Yes

The privacy policy may be too complex for younger readers to comprehend.
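The readability figures above (a Reading Ease raw score, the 65-point split, and an estimated grade level) come from the Flesch Reading Ease and Flesch-Kincaid Grade Level formulas. The report obtained its 15.4 from the web tool cited in footnote 1, which has its own syllable counter, so the example below will not reproduce that figure exactly; it is an added illustration of how such scores are produced, not the OAIC's or the tool's code. It uses the published formulas with a simple vowel-group syllable heuristic (an assumption), and the two sample sentences are constructed, not taken from the Access Canberra policy.

```python
import re

# Flesch Reading Ease: 206.835 - 1.015 * (words/sentences) - 84.6 * (syllables/words)
# Flesch-Kincaid Grade: 0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59

VOWEL_GROUPS = re.compile(r"[aeiouy]+")
SENTENCE_END = re.compile(r"[.!?]+")
WORD = re.compile(r"[A-Za-z']+")

# Constructed sample texts (not from the privacy policy assessed in the report).
SIMPLE_TEXT = "We collect your name. We keep it safe. You can ask to see it."
COMPLEX_TEXT = ("The Directorate collects personal information in accordance "
                "with applicable legislation.")


def count_syllables(word):
    """Heuristic syllable count: one per vowel group, minus a silent final 'e'.
    Good enough to show the formula's behaviour; real tools use dictionaries."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(VOWEL_GROUPS.findall(w))
    # "notice" -> 2, "simple" -> 2 (the "-le" ending keeps its syllable)
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(1, groups)


def analyse_text(text):
    """Count words, sentences and syllables in a passage."""
    words = WORD.findall(text)
    sentences = [s for s in SENTENCE_END.split(text) if s.strip()]
    syllables = sum(count_syllables(w) for w in words)
    return {"words": len(words), "sentences": len(sentences), "syllables": syllables}


def flesch_reading_ease(words, sentences, syllables):
    return 206.835 - 1.015 * (words / sentences) - 84.6 * (syllables / words)


def flesch_kincaid_grade(words, sentences, syllables):
    return 0.39 * (words / sentences) + 11.8 * (syllables / words) - 15.59


def readability_band(score, threshold=65.0):
    """Apply the 65-point split used in Attachment A."""
    if score > threshold:
        return "easier: suitable for readers under 15"
    return "harder: readers over 15 or higher school grades"


def score_text(text):
    """Return counts, both scores (rounded to one decimal) and the band."""
    c = analyse_text(text)
    ease = flesch_reading_ease(c["words"], c["sentences"], c["syllables"])
    grade = flesch_kincaid_grade(c["words"], c["sentences"], c["syllables"])
    return {**c, "reading_ease": round(ease, 1),
            "grade_level": round(grade, 1), "band": readability_band(ease)}


if __name__ == "__main__":
    for label, text in (("simple", SIMPLE_TEXT), ("complex", COMPLEX_TEXT)):
        print(label, score_text(text))
```

A single long, polysyllabic sentence like the constructed "complex" text drives the Reading Ease score below zero and the grade level past 12, which is the same direction the report's 15.4 and "above Grade 12" point in; shortening sentences and replacing multi-syllable words is what moves a policy back toward the 14-year reading age the OAIC recommends.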

APP 1.4 - Contactability

This criterion relates to whether individuals can locate entity contact details on the website to ask privacy questions or make privacy complaints

Is contact information available for individuals to submit privacy questions or complaints to the entity on the website?

Yes - in privacy policy

APP 1.4 - Content

This APP lists the specific content that must be covered in the entity’s privacy policy.

Each entity’s privacy policy must contain information about the following areas:

the kinds of personal information the entity collects

Yes

the kinds of personal information the entity holds

Yes

how the entity collects and holds personal information

Yes

the purposes for which the entity collects personal information

Yes

the purposes for which the entity holds personal information

Yes

the purposes for which the entity uses and discloses personal information

Yes

how an individual can request access to their personal information

Yes

how an individual can correct their personal information

Yes

how an individual can complain about a breach of the APPs

Yes

how the entity will deal with the complaint

Yes

whether the entity is likely to disclose personal information to overseas recipients

Yes

which countries the entity is likely to disclose personal information to (if applicable, and where practicable)

No

Are there any APP concerns around the privacy policy content?

No

No issues.

Footnotes

[1] This test can be found at https://www.webpagefx.com/tools/read-able/
