Part 1 — Introduction and summary of findings
1.1 This report outlines the findings of an assessment by the Office of the Australian Information Commissioner (OAIC) of the policies and procedures for information handling by the ACT Revenue Office (ACTRO). The assessment had a specific focus on the protection of personal information held by the ACTRO from misuse, interference, loss, unauthorised access, modification or disclosure.
1.2 The OAIC examined the relevant policies and procedures of the ACTRO, and the implementation of these policies regarding the Community 2011 system and the Territory Revenue System (TRS). The OAIC made a limited assessment of the proposal for the development of a replacement system for Community 2011 and TRS.
1.3 The OAIC has made a number of recommendations. If these are put in place by the ACTRO they will, in the opinion of the OAIC, minimise the risks identified around how the security of personal information is managed. These are set out in detail within the report and summarised at Part 4.
1.4 The recommendations in this assessment report may serve as a guide for other Directorates of the ACT Government. They could assist in developing or revising other ACT Government information security policies and procedures.
The Information Privacy Act and the Territory Privacy Principles
1.5 The Territory Privacy Principles (TPPs) set out in the Information Privacy Act 2014 (ACT) (IPA) state the obligations of ACT public sector agencies, including the ACTRO, in regards to the handling of personal information.
1.6 Of particular relevance to this assessment is TPP 11. TPP 11.1 requires ACT public sector agencies that hold personal information to take reasonable steps to protect the information. Specifically, it obliges them to protect the information against misuse, interference, loss, unauthorised access, modification or disclosure.
1.7 TPP 11.2 states that an ACT public sector agency must take reasonable steps to destroy the personal information it holds or to ensure that the information is de-identified where:
- the ACT public sector agency holds personal information about an individual
- the agency no longer needs the information for a purpose for which the information may be used or disclosed by the agency under the TPPs
- the information is not contained in a territory record
- the agency is not required by or under an Australian law, or a court or tribunal order, to retain the information.
1.8 The ACTRO is also subject to the confidentiality provisions of the Taxation Administration Act 1999 (ACT) (TAA). The TAA is central to the activities of the ACTRO, and the ACTRO considers the TAA its primary legislation.
1.9 As taxation law is outside of the scope of this assessment, the OAIC did not assess compliance with the TAA. We do note however that from our assessment, staff appear to understand clearly the TAA obligations, with the ACTRO having a strong fraud prevention culture.
1.10 Fraud prevention training is provided to staff, both formally and informally as part of supervisory guidance, with a focus on the personal liability (including criminal liability) that can arise from a breach of the TAA obligations by staff.
1.11 However, as noted during the course of the assessment, the IPA and TPPs apply more broadly to ACT public sector agencies. Although compliance with taxation law may have some commonalities with TPP compliance, they are separate obligations that the ACTRO must comply with. Penalties under the TPPs apply to entities, and do not impose personal liability on individual staff members.
Summary of findings
1.12 The findings of the OAIC’s assessment show that ACTRO:
- has good access control practices for its IT systems that limit access to information to those that need access, as well as having monitoring of these controls
- appears to have a good fraud prevention culture
- has a good password policy, available to all staff and reinforced as part of work practices
- has well-established physical security practices.
1.13 However, the OAIC’s findings also raise a number of privacy issues, and the OAIC has made four recommendations that are set out in the following sections of this report:
- Governance, culture and training
- Processes and policies
1.14 The OAIC has based its risk assessment on the content of Appendix A of the Guide to privacy regulatory action. This document can be found on the OAIC website.
Part 2 — Description of assessment
Overview of the scope of the assessment
2.1 The OAIC assessed the ACTRO, which is responsible for administering the various payments and tax benefits provided by the ACT Government. The assessment reviewed the policies and procedures of the ACTRO in regard to information security practices, with a particular focus on the obligations of TPP 11.
2.2 The OAIC conducted the assessment under a Memorandum of Understanding between the OAIC and the ACT Government, providing for the assessment of a Directorate of the ACT Government every financial year. It was determined that given the nature of the personal information held by the ACTRO, it would be an appropriate assessment target.
2.3 In addition to general policies and procedures, the assessment focussed on two specific systems used by the ACTRO, Community 2011 and the TRS, which comprise the bulk of the ACTRO’s personal information holdings. We note that these systems are being replaced in the near future. The matters discussed in this assessment will assist in developing their replacement system(s).
Objective and scope
2.4 The objective of the assessment was to assess the extent to which ACTRO had taken reasonable steps to protect the personal information held by it from misuse, interference, loss, unauthorised access, modification or disclosure.
2.5 The scope of the assessment included consideration of:
- governance, risk management and training policies and procedures
- security of personal information
- policies for protecting personal information, including access controls
- procedures for implementing these policies.
Timing, location and methodology
2.6 The OAIC asked the ACTRO to provide the information set out in Appendix A. This included copies of relevant policies and procedures, including details of access controls relevant to Community 2011 and TRS.
2.7 The assessors then conducted the fieldwork component of the assessment at the premises of the ACTRO on 2 and 3 December 2015, which included interviewing key members of staff and reviewing further documentation.
2.8 The assessment of the ACTRO was risk based. The focus was on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.
2.9 Where the OAIC identified privacy risks and considered those risks to be high or medium risks according to OAIC guidance, we made recommendations to the ACTRO about how to address those risks.
2.10 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Further detail on this approach is provided in Chapter 7 of the OAIC’s Guide to privacy regulatory action.
2.11 This report sets out a discussion of the privacy risks identified in the assessment, and makes a series of recommendations. While the findings and recommendations relate to the ACTRO, they contain helpful information for all Directorates of the ACT Government.
2.12 This report is a consolidated report of the findings made in assessments of several business areas. This report summarises the findings across those assessed, and does not identify the specific business areas.
Part 3 — Privacy issues
3.1 The findings of the OAIC’s assessment raised some privacy issues. Our findings are set out below under the following headings:
- Governance, culture and training
- Processes and procedures
- Access controls
3.2 The privacy issues relate to the information security policies and procedures of the assessed business areas of the ACTRO. The privacy issues further relate to the implementation of these policies and procedures against the obligations of TPP 11.
3.3 For each issue we have outlined the OAIC’s observations, the privacy risks arising from these observations, and the OAIC’s recommendations to address those risks.
3.4 The recommendations are based on the risks observed across the business areas of the ACTRO. They might also provide useful privacy guidance for other Directorates across the ACT Government, particularly given the Shared Services ICT model. The OAIC has also published a Guide to securing personal information that provides further assistance on these issues.
Governance, culture and training
Governance and culture
3.5 In all business areas of the ACTRO, fraud control is a central focus. We were informed that management of such risks is underpinned by both formal and informal training, to ensure that staff are aware of their obligations under taxation law.
3.6 The assessment found that there was a less consistent understanding of obligations under the IPA and the TPPs, specifically regarding the recognition of privacy risks and management of those risks. In general, there appears to be less focus on these issues compared to the efforts placed towards fraud control.
3.7 The Commissioner for ACT Revenue, following input from senior management, signs off the ACTRO risk register each year. Although the security of personal information is an implied factor in some of the risks identified in the register, neither privacy nor the misuse or loss of personal information is considered as a separate risk.
3.8 Currently there are no nominated privacy contact officers in the ACTRO. Each business area handles information security and privacy matters as part of staff day-to-day duties. None of the business areas assessed were aware of any resource, either in another business area or an intranet page, where staff could go with privacy issues. Staff are expected to seek answers to any questions from their direct managers.
3.9 There is a strong understanding within the ACTRO of the need for a prompt response to a data breach. All of the assessed business areas had an informal understanding of the immediate action they should take in the event of a data breach.
3.10 The general understanding of the business areas was that the first step is to notify the Commissioner for ACT Revenue. The Commissioner is then responsible for coordinating further action in response to the breach. This would appear to include contacting Shared Services ICT for technical assistance. We note that Shared Services ICT stated that they would expect to be involved in the response to any data breach.
3.11 However, this understanding was not consistent across all business areas, and was generally subject to the experience of individual managers. There is otherwise no formal data breach plan in place as a reference guide for staff.
3.12 Training in privacy matters is presently undertaken in an inconsistent manner across the ACTRO. Although there is induction training provided to new staff, which in part addresses broader privacy issues, the majority of learning is done on the job. Further training is specific to the activities of the business area, and does not address how privacy law affects these activities.
3.13 There is a different understanding across business areas of what privacy training is available, and who is responsible for providing this training. One business area is responsible for providing limited training on information management, but this is not intended to act as comprehensive privacy training. The assessors observed that this may have led to an incorrect impression in other business areas that this business area is broadly responsible for privacy training.
3.14 The ACT Government provides privacy training for staff at a Directorate level; however, this is relatively infrequent and not tailored to the specific activities of the ACTRO. The ACTRO only keeps attendance logs for training provided at a Directorate level.
3.15 In some business areas, information handling issues are raised in meetings, either as a form of refresher training or to seek clarification of processes, although this is not done in a formal or structured manner.
Governance and culture
3.16 The ACTRO holds a large proportion of the ACT population’s personal information within its electronic and physical files. Its staff have access to much of this information and there are strong access controls placed on these files, with general guidelines as to how to administer these controls.
3.17 However, in the view of the OAIC, in the absence of a broad understanding of privacy obligations and governance there is a medium risk that:
- privacy risks are not properly recognised
- there are no clear lines of accountability and responsibility for privacy issues, including data breaches.
3.18 As a result, the ACTRO may not take appropriate actions to mitigate privacy risks or deal with data breaches.
3.19 In the OAIC’s view, this risk warrants consideration of a more formal governance structure for privacy matters by the ACTRO, and the adoption of a privacy management plan. 
3.20 A privacy management plan can provide the structure and methodology to enable entities to build privacy into their business processes. It emphasises governance, leadership and accountability as forming the basis of robust privacy management. It enables the integration of privacy management into core business practices to make privacy compliance a part of an entity’s culture.
Recommendation 1 — adopt privacy management plan and related processes
3.21 The OAIC recommends that the ACTRO consider:
- developing a formal privacy management plan and integrating it into its overall management processes
- including privacy related matters in its risk register when it is next reviewed, including the protection of personal information held by the ACTRO from misuse, interference, loss, unauthorised access, modification or disclosure
- creating a data breach response plan, or adapting current disaster recovery plans/business continuity plans to deal with data breaches involving personal information
- appointing key roles and responsibilities for privacy management, including a senior member of staff with overall accountability for privacy, and having at least one member of staff act as the privacy contact officer, who can assist other staff with privacy issues.
3.22 There is a medium risk that staff of the ACTRO will not be aware of their obligations under the IPA. Training currently focusses on fraud control as the primary issue regarding information handling.
3.23 The lack of a centralised reference for ACTRO’s practices and procedures may further risk compliance with privacy law. Although staff are able to clarify information handling issues informally with colleagues, this is primarily in the context of their day-to-day work.
3.24 We note that the Commissioner for ACT Revenue is currently considering developing a formal training program, which will include the engagement of all business areas.
3.25 The ACTRO operates in a unique environment given the breadth of services and payments it administers. The ACTRO will need to tailor any privacy training program to this environment.
Recommendation 2 — implement a formal privacy training program
3.26 The OAIC recommends that the ACTRO implement a formal privacy training program in the near future, accompanied by a manual that supports this training program. Records of training activity should also be kept current.
Policies and procedures
3.27 In all the business areas assessed, there was a strong general understanding of the importance of appropriate information handling practices. This included the importance of controlling access to that information, and the reputational risks of mismanaging the handling of that information.
3.28 However, the majority of the limited documentation held by the ACTRO on its practices was at a high-level and intended for management. It did not provide a practical guide to privacy compliance by staff. Of the business areas assessed, only one had documented practices that touched upon the handling of personal information in an operational context, although this was not comprehensive in its coverage.
3.29 For all other business areas, the majority of practices relating to the handling of personal information were not formally documented. Practices were instead communicated and reinforced informally as part of undertaking work duties. These work practices were broadly similar.
3.30 There were inconsistencies relating to differences in work responsibilities; in the view of the OAIC, these may arise from the lack of formal documentation.
3.31 For example, the Community 2011 and TRS security policies prepared by Shared Services ICT provide information about the obligations that the TPPs place on the ACTRO. Both documents state that responsibility for implementing practices to comply with the TPPs lies with the business area (i.e. the ACTRO). From our assessment, the ACTRO has not taken steps to document such practices.
3.32 We understand that Shared Services ICT is available to advise on how to develop and implement security practices and to provide training on information security issues. At present, however, the ACTRO has no written procedures setting out when ACTRO staff should engage with Shared Services ICT.
3.33 The OAIC appreciates the role of high-level documentation for managerial purposes, but we believe more practically focused policies could support privacy compliance. A failure to formalise corporate knowledge may ultimately lead to the loss of that knowledge.
3.34 There are various legislative requirements in the Territory Records Act 2002 (ACT) regarding document retention, and these apply to both physical and electronic records. In addition to those obligations, the ACTRO is also subject to the TPPs. TPP 11.2 specifically obliges ACT public sector agencies not to retain personal information once they no longer need it, and to destroy or de-identify such information.
3.35 The ACTRO presently manages its physical document retention with the assistance of a third party contractor, who provides advice on the retention requirements for the ACTRO to act on. In our assessment, we found that the ACTRO does not have consistent practices regarding the retention of documents across business areas. There are no written policies that deal with retention and destruction of documentation containing personal information.
3.36 There was an inconsistent understanding of whether the same rules applied to electronic records. We again note that there was no written policy on such issues.
Conflict of interest register
3.37 When staff working for the ACTRO come across matters relating to someone they know, they are required to fill out a form identifying the conflict, and forward this to their supervisor. Completion of the form depends on the diligence of the individual staff members.
3.38 The broader formal induction training covers what constitutes a conflict of interest and we understand the slides are available to staff; however, the content is not set out in a written policy. Staff are otherwise made aware of the general risks of conflict of interest through informal reminders. This informal reinforcement appears to be more frequent in those areas that regularly deal with customers.
3.39 There is no requirement to nominate people who may present a conflict of interest prior to commencing employment. Given the size of the community in which the ACTRO operates, the ACTRO believes that administering such a register may be impractical.
Proof of Identity
3.40 In general, business areas are reluctant to collect personal information beyond what is directly needed for administering access to payments and services. We understand that the ACTRO is concerned that such additional collection could potentially be in breach of taxation law. This principle shapes the way in which Proof of Identity (POI) checks are performed when interacting with the public.
3.41 In certain areas, POI checks rely on only limited personal information directly related to the customer, because further information is not consistently stored on the ACTRO systems.
3.42 Only using limited personal information for POI checks may lead to unauthorised third parties gaining access to customer records. We do note that this risk is in part mitigated by the strong fraud prevention culture within the ACTRO.
3.43 We acknowledge that the ACTRO has a narrow view of the personal information the TAA allows it to collect and store to administer payments and services. The ACTRO may however wish to revisit its collection of personal information in these circumstances to ensure it can undertake effective POI checks.
Informal and/or unwritten policies and procedures
3.44 Currently, the lack of documentation may compromise the effectiveness of ACTRO staff identifying and dealing with privacy risks. The OAIC considers there to be a medium risk of staff not meeting their obligations under privacy law as a result.
3.45 Formalising policies would also allow ACTRO to review them when necessary, for instance where there is a change to its structure or functions. The ACTRO has been subject to significant change over the last few years. Without written policies there is a risk that corporate knowledge may be lost in future transitions.
Recommendation 3 — formalise policies and procedures
3.46 The OAIC recommends that the ACTRO formalise its policies and procedures for the handling of personal information. These should include practical reference materials for staff. To the extent possible, the ACTRO should make such policies and procedures standard across all of its business areas.
Access on a ‘need to know’ basis
3.47 As previously discussed, the ACTRO relies primarily upon the Community 2011 and TRS for the storage of personal information. Personal information is also stored in a limited capacity on various share drives maintained by business areas.
3.48 The ACT Government has published an Access Control Policy that applies to the ACTRO; however, this document is for managerial guidance. Similarly, the Security Policy created by Shared Services ICT provides general guidance on ICT security, but it does not purport to act as a practical guide. The document explicitly states that it is the responsibility of individual ACT public sector agencies to implement the guidance.
3.49 From the observations made, the ACTRO has comprehensive access controls over all of these systems. Access to Community 2011 and TRS, as well as to the business area share drives, is administered centrally. Managers request access for their staff based on work and financial delegations, and staff are unable to access other parts of the system. The ACTRO audits these access controls every quarter.
3.50 Information from property, payroll and debt is stored on an internal storage system. This information was previously stored on CD, but is now subject to further access controls that are part of the internal storage system. The system further incorporates an electronic logbook to record access to that information.
3.51 ACTRO additionally has access to information from the Australian Taxation Office (ATO) through a Memorandum of Understanding. Only a small number of key staff have access to this information, which is further restricted by the data only being kept offline and in a secure cabinet. Where this data is copied to staff computers, it is deleted after it has been used.
3.52 As with access controls for electronic information, physical security practices in the ACTRO are comprehensive. A clean-desk policy is strictly enforced in all business areas, and lockable cabinets are consistently used for personal information. Where there are storage cabinets containing significant amounts of personal information, access is monitored by senior staff.
3.53 Further to this, compliance files are not taken home by staff under any circumstances, and this is communicated to staff. Any files that are taken from the Compliance business area by other areas, when returned, are reviewed to ensure their integrity has been maintained.
3.54 In addition to these measures, passes are required to access the ACTRO premises. However, as with many elements of the ACTRO’s privacy policies and practices, there is limited written documentation for physical and electronic security practices.
Monitoring of access
3.55 At the end of each month there is an internal audit on a number of random transactions. This is to ensure that staff are accessing personal information appropriate to their duties. In the event of a suspected unauthorised access or data breach, there are means to review accesses to consumer records.
3.56 ACTRO receives personal information from a number of other ACT Government agencies, and this data is stored on a secure drive. In many instances, ACTRO staff are required to fill out access forms, with their searches monitored by the entities whose data they are accessing.
3.57 Monitoring staff access to personal information is an important tool in mitigating insider risks. At present there are a number of measures taken by the ACTRO to undertake such monitoring. The ACTRO believes the new system that will eventually replace Community 2011 and TRS will further enhance these measures.
3.58 Following a review of password policies, the ACTRO updated its policies, resulting in effective password protection for its systems. All staff were made aware of these updated policies when they were introduced. Further to this, the TRS requires a secondary password that is compliant with the ACTRO password policy, further strengthening the password protection on that system.
3.59 The OAIC found that the ACTRO makes minimal use of remote access. Both Community 2011 and TRS are accessible via Citrix; however, such access must be specially approved and set up, and is not provided by default.
3.60 Few staff use their own devices, and there is limited use of Citrix to access work systems. Only a limited number of senior staff have remote access to ACTRO systems, primarily for email.
Secondary storage of personal information
3.61 In some instances, the personal information of customers, including de-identified statistical information, is copied to business area shared drives. This is done to facilitate work duties, and where such data is no longer needed it is deleted. Access to these shared drives is strictly controlled, limited only to those staff members who need access.
3.62 Except where informal arrangements may need to be formalised in accordance with Recommendation 3, there are no privacy risks in this section of the report.
Observations on existing systems
3.63 The two main systems that the ACTRO uses, Community 2011 and TRS, are currently undergoing review. The ACTRO intends to replace these systems with a new system in the next few years.
3.64 At present, the age of both the Community 2011 and TRS systems mitigates some of the risks to personal information that might otherwise exist with a more modern system.
3.65 In the first instance, there are limitations to the amount of data that can be searched for, accessed and downloaded, with the system liable to crash in the event of a large search/download request. We note that this does not normally present an issue for the ordinary duties of ACTRO staff.
3.66 Further to this, the way personal information is stored is not centrally searchable. Each transaction a customer has with the ACTRO is stored as a separate record within Community 2011 or TRS, and these records are not necessarily linked. Access to these databases is tightly controlled by a specific team within the ACTRO.
3.67 The practical effect of these limitations is that for a member of staff to perform a ‘data dump’, they would require a significant amount of time outside of normal working hours. Given the strong physical security practices of the ACTRO, such behaviour is likely to come to the notice of relevant ACTRO management.
3.68 We understand that the proposed new system to replace Community 2011 and TRS is intended to have greater functionality than the present systems. The new system will also require the ACTRO to develop new business processes.
3.69 Given the additional functionality that will be present in any updated system, there will be additional risks that need to be assessed. The mitigation of potential privacy risks afforded by the age of the current systems will be removed. For example, there may be the capacity for far greater access to personal information by staff. Continued monitoring of this access will be an important element in the design of any new system.
3.70 As advised in the OAIC’s Guide to undertaking privacy impact assessments, a privacy impact assessment (PIA) is an effective way of assessing the privacy risks of a particular system at an early stage of a project. We understand that a PIA was not performed on either the Community 2011 or TRS systems.
3.71 A PIA helps to identify privacy issues relating to a given project. This includes identifying stakeholder interests, personal information flows, and privacy risks. It allows mitigation strategies to be identified to meet those risks. By undertaking a PIA, an entity can assess its information handling practices for how they support privacy compliance. There is flexibility in the scope and methodology of a PIA; it can be adapted to the needs of the project.
3.72 By commencing a PIA process at the design stage of the new system, the ACTRO will be able to incorporate privacy compliance as part of the design of that system. It will also present an opportunity to develop formal business practices and workflows to support it. This is particularly important given how central such a system will be to the business activities of the ACTRO.
3.73 The OAIC’s guide may assist the ACTRO in undertaking a PIA on the new system.
Recommendation 4 — Undertake a privacy impact assessment
3.74 The OAIC recommends that the ACTRO undertake a PIA for the replacement system for Community 2011 and TRS.
Part 4 — Recommendations and the ACTRO’s responses
Summary of recommendations
4.1 The OAIC made the following recommendations to address the issues discussed in Part 3 of this report.
When ACTRO’s Risk Register is next updated, matters of breach of privacy will be considered. The Chief Minister, Treasury and Economic Development Directorate (CMTEDD) has a formal Security Incident Form and a Privacy Officer to manage privacy issues.
ACTRO will provide awareness training to highlight these procedures and resources to staff.
The OAIC recommends that the ACTRO implement a formal privacy training program in the near future, accompanied by a manual that supports this training program. Records of training activity should also be kept current.
The AGS privacy training, conducted by the Australian Government Solicitor, will be included as part of the training program for ACTRO.
The OAIC recommends that the ACTRO formalise its policies and procedures for the handling of personal information. These should include practical reference materials for staff. To the extent possible, the ACTRO should make such policies and procedures standard across all of its business areas.
ACTRO has undertaken training for the newly introduced policies and procedures (Dec 2015) and will highlight the other CMTEDD policies and procedures to staff.
The OAIC recommends that the ACTRO undertake a PIA for the replacement system for Community 2011 and TRS.
The Justice and Community Safety Directorate (JACSD) is currently working on the requirement to introduce Privacy Impact Assessment (PIA) as a mandatory feature of future ACT Government projects. Meanwhile, SS ICT is working with ACTRO to develop Cloud Information Security and Privacy Considerations as part of the RCTP implementation. The Head Agreement with the current RCTP vendor has a privacy requirement to comply with the Territory Privacy Principles and any applicable TPP Code, and the ACTRO project team will be working to ensure compliance with that requirement.