In a recent guest lecture I highlighted structural and cultural problems that contribute to universities having trouble with the protection of personal information (and non-personal information). The Office of the Victorian Information Commissioner has now initiated an examination of privacy and security in Victorian higher education.
The media release from the Privacy and Data Protection Deputy Commissioner states
The governance practices and policies of eight Victorian universities that have privacy obligations under the Privacy and Data Protection Act 2014 (Vic) (PDP Act) will be examined.
The examination will consider each university’s approach to identifying and managing security risks to personal information and supporting policy documentation. The purpose of the examination is to ensure that Victorian universities protect personal information as required by the Information Privacy Principles (IPPs).
The IPPs are the foundation of privacy law in Victoria and set out the minimum standard for how Victorian public sector organisations should manage personal information.
IPP 4.1 requires Victorian public sector organisations to take reasonable steps to protect the personal information they hold from misuse, loss, unauthorised access, modification, and disclosure.
To comply with IPP 4.1, organisations should identify security risks to the personal information they hold and take reasonable precautions to manage those risks.
At the conclusion of the examination the Privacy and Data Protection Deputy Commissioner will prepare a report outlining the results of the examination.