Examination report on the protection of personal information in Victorian universities published
Universities collect, handle, and hold the personal information of thousands of Victorians including that of students, staff, or research participants.
In Victoria, most universities are required to comply with Part 3 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act), which outlines the responsible handling of personal information by public sector organisations.
In line with OVIC’s regulatory priorities, on 21 October 2020, Victoria’s Privacy and Data Protection Deputy Commissioner commenced an examination into the protection of personal information in Victorian universities.
The purpose of the examination was to ensure that Victorian universities protect personal information as required by the Information Privacy Principles (IPPs). The IPPs are the foundation of privacy law in Victoria and set out the minimum standard for how Victorian public sector organisations should manage personal information.
The examination looked at the policies and procedures of eight Victorian universities that have privacy obligations under the PDP Act. The examination considered how each university assesses the sensitivity of the personal information they hold, the implementation of security measures and privacy governance.
The examination found that all Victorian universities involved in the examination have a sufficient data breach response plan, and conduct Privacy Impact Assessments (PIAs) for new projects involving personal information. All universities also conduct privacy and data security online training for staff.
However, the examination found that many universities do not have clear policies and procedures to guide staff to destroy personal information when it is no longer needed, and do not have written guidance about sharing personal information with third parties to support staff to consider information security risks.
Universities are prioritising ICT and cyber security risks, but, in general, have less of a focus on managing risks to personal information related to physical and personnel security.
The examination report includes recommendations for universities to strengthen the protection of personal information by developing policies and procedures to identify and document the personal information they hold, where it is held, and for sharing information with third parties and contracted service providers.
- Examination of Victorian universities’ privacy and security policies
- Guidelines to the Information Privacy Principles: IPP 4 – Data Security
- Privacy Management Framework
- Privacy Officer Toolkit
For media enquiries contact:
For enquiries about privacy in Victoria contact:
Office of the Victorian Information Commissioner (OVIC)
t: 1300 006 842