An examination by the Office of the Victorian Information Commissioner (OVIC) into whether universities protect the personal information of students, staff and research participants has found universities had sufficient data breach response plans in place.
Information Commissioner Sven Bluemmel said the Report, Examination of Victorian universities’ privacy and security policies, found all eight universities examined conducted Privacy Impact Assessments (PIAs) for new projects involving personal information.
“All universities also conduct privacy and data security online training for staff,” Mr Bluemmel said.
“However, the examination found that many universities do not have clear policies and procedures to guide staff to destroy personal information when it is no longer needed, and do not have written guidance about sharing personal information with third parties to support staff to consider information security risks,” he said.
“Universities are prioritising ICT [Information and Communication Technology] and cyber-security risks, but, in general, have less of a focus on managing risks to personal information related to physical and personnel security.”
Mr Bluemmel said attacks on a number of Australian universities over recent years had highlighted the risks posed by data breaches and the potential impact on thousands of students, staff and research participants.
The Information Commissioner said most Victorian universities were taking steps, such as internal and external audits and assessments, to obtain an accurate picture of their capability and threat landscape with respect to information security.
“The Report shows that Victorian universities are taking cyber security seriously,” he said.
Mr Bluemmel made six recommendations to universities, including that they develop policies to support staff in considering the nature of personal information; develop a mechanism to apply protective markings to information; implement policies on the destruction of personal information; modify data breach response plans to include potential notification to OVIC; document requirements when sharing personal information with third parties; and make privacy and information security training available to all personnel.
The Information Commission’s 31-page Report can be accessed at this PS News link.