26 September 2023

Unis get top marks for privacy protection

An examination by the Office of the Victorian Information Commissioner (OVIC) into whether universities protect the personal information of students, staff and research participants has found universities had sufficient data breach response plans in place.

Information Commissioner Sven Bluemmel said the Report, Examination of Victorian universities’ privacy and security policies, found that all eight universities examined conducted Privacy Impact Assessments (PIAs) for new projects involving personal information.

“All universities also conduct privacy and data security online training for staff,” Mr Bluemmel said.

“However, the examination found that many universities do not have clear policies and procedures to guide staff to destroy personal information when it is no longer needed, and do not have written guidance about sharing personal information with third parties to support staff to consider information security risks,” he said.

“Universities are prioritising ICT [Information and Communication Technology] and cyber-security risks, but, in general, have less of a focus on managing risks to personal information related to physical and personnel security.”

Mr Bluemmel said attacks on a number of Australian universities over recent years had highlighted the risks posed by data breaches and the potential impact on thousands of students, staff and research participants.

The Information Commissioner said most Victorian universities were taking steps, such as internal and external audits and assessments, to obtain an accurate picture of their capability and threat landscape with respect to information security.

“The Report shows that Victorian universities are taking cyber security seriously,” he said.

Mr Bluemmel made six recommendations to universities, including that they develop policies to support staff in considering the nature of personal information; develop a mechanism to apply protective markings to information; implement policies on the destruction of personal information; modify data breach response plans to include potential notification to OVIC; document requirements when sharing personal information with third parties; and make privacy and information security training available to all personnel.

The Information Commission’s 31-page Report can be accessed at this PS News link.
