Commissioner for Privacy and Data Protection
PO BOX 24014, MELBOURNE VIC 3001  T 1300 666 444  W cpdp.vic.gov.au  E privacy@cpdp.vic.gov.au
Please note that this is an example only. The privacy, data security and record keeping considerations are likely to differ between each organisation and tools used. For staff privacy and business security purposes some sections and details of this document have been removed or edited.
Privacy Impact Assessment: Instant Messenger

Part 1 – General Description

Name of Program: ‘Messages’ – Jabber Instant Messenger
Date: May 2016
Name of Organisation: CPDP
PIA Drafter:
Email:  Phone:
Program Manager:
Email:  Phone:
Are you a law enforcement agency as defined in Section 3 of the PDPA? Y/N  No.

Definition – Program: For the purpose of this document, program will be used to mean any system, legislation, project, initiative or activity.
1. Description of the Program and Parties

Messages or ‘Jabber’ is an application pre-installed on all CPDP desktop computers and laptops. It is an optional program intended to provide all CPDP staff with access to internal instant messaging services. Messages is hosted internally by CPDP through a program called Jabber, which is communication software based on XMPP (Extensible Messaging and Presence Protocol) that provides secure, near real-time online communication in the form of ‘chat’. Jabber instant messaging (IM) services include one-to-one chat, group conversations, file sharing, video calls and contact or ‘buddies’ lists. Once connected to a Jabber account, users have the ability to communicate internally with fellow CPDP staff who have also opted into the program.

The primary benefit of Jabber is that it enables fast, convenient communication between staff members for informal, unofficial and transitory matters. As this program is not intended for official communication or decision-making, the use of Jabber will relieve the build-up of email clutter and save time on internal phone calls. It is also useful for communicating with offsite CPDP staff who are connected to the CPDP network through a Virtual Private Network (VPN) connection. This enables ease of communication with staff who are working at home or out of the office on business.

Jabber is an opt-in only program; to gain access and use, employees are required to set up a Jabber username with the ICT Coordinator that includes the first letter of their first name and full surname. For example, John Smith’s Jabber account would be jsmith@jss01.cpdp.vic.gov.au. This account is linked to the user’s full name. As the Jabber account includes identifiable information, any communications can be associated with the staff member linked with that particular Jabber account.

All content of messages (in text form) sent through Jabber is automatically logged on the CPDP server for a period of 12 months*, and stored indefinitely at [Storage Service Provider] – an offsite facility based in Victoria – in the form of encrypted backup tapes. Any other file transferred through Jabber (documents, photos, video content) is not logged, however it will be stored in the recipient’s ‘downloads’ folder until manually deleted. Logs stored on the CPDP server will be deleted after the 12-month period. The time, date, Jabber account and content of message are visible in this log. The ICT Coordinator, as well as anyone with administrator rights to the CPDP servers, can access all the internally stored logs. Each week, these logs are backed up to tape (along with all other CPDP electronic data) and transferred to [Storage Service Provider]. All tapes are encrypted and are not accessible by [Storage Service Provider] staff or contractors. The purpose of these backup tapes is to ensure business continuity in case of a security emergency.

* To be reviewed after a 12-month trial period

Use of Jabber is secure, as it is hosted internally and through CPDP Wi-Fi, which has resisted penetration testing and is deemed secure. As outlined previously, anyone with administrator rights to the CPDP servers has access to all stored Jabber chat logs. This includes CPDP’s external IT provider, however their access has been restricted to while on CPDP premises. Access to the Jabber logs requires a named login access control, which means that any management access to the logs is itself recorded.

The personal information used in the process of setting up a Jabber account is not newly collected; rather it is information previously collected by CPDP. All personal information used is necessary to complete the function of the program, and no unnecessary extra personal information is collected in the process of setting up user access to Jabber. Given that Jabber is an opt-in program, employees give their consent for their personal information to be used in this way at the time they sign up. Jabber does not require any other personal information than that listed above in order to be set up (full name), and to function requires the Jabber username and computer name.

Any other information included within a chat conversation will be recorded and retained regardless of the content. This means that any personal, sensitive or health information that a user discloses during a chat will be recorded and retained alongside any other chat content. While Jabber does not expressly intend to collect this information, the onus is on the individual user as to the information they disclose within chat. This is clearly outlined in the Terms of Use (TOU) Policy, which users must read before signing up to the program (Appendix A). The purpose of collection and retention of all content of IM chat conversations is to:
• ensure compliance with public record keeping requirements
• enable FOI requests to be completed
• respond to security breach or emergency
• follow up harassment, bullying or defamation issues and complaints
The risk level for the above circumstances is low, as the intended use of Jabber is for informal, unofficial and transitory messages only, and not to be used for decision-making purposes or any official correspondence. However, as it is not technically possible to enforce this, messages are required to be retained in case there is a need to revisit prior conversations for any of the above purposes.
2. Scope of this PIA and any Related Privacy Impact Assessments

This PIA covers the use of existing personal information necessary for access to Jabber (consistent with the primary purpose for which it was originally collected by CPDP), as well as the collection, use and retention of personal information through the use of Jabber services. In this sense, this PIA is two-tiered as it covers two parts of the same program. While it is beyond the scope of this PIA, it is noted that there are issues related to unsolicited personal, sensitive and health information that may occur within instant messenger conversations.

There is currently no other PIA completed for any part of the internal use of Jabber within CPDP. As this program is internal by nature, there are no other organisations involved in the use of Jabber that need to be taken into account. However, there are third parties which are indirectly involved: [IT Service Provider] has administrator access rights to the CPDP servers and therefore access to chat logs in certain circumstances, and [Storage Service Provider] provides external server storage facilities for encrypted backup copies of all CPDP data.
3. Identifying Information Elements

This section considers the use of information that is capable of identifying an individual, whether directly or indirectly. This includes any information that is collected, used or disclosed by a CSP on behalf of your organisation for the purpose of this program.
3.1 Personal Information

When assessing impacts to privacy the first consideration is whether any personal information will be involved in the program. Section 3 of the PDPA defines personal information as follows:

Definition – Personal Information: Personal information means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies.

The following information is used for the purpose of setting up a Jabber account:
• First Name
• Surname

The following information is collected for the purpose of retaining chat logs:
• Jabber username
• Computer Name
• Date and time of message
• Content of message (text only)

As noted in section 1, any further information (including personal, sensitive and health information) disclosed by a user during a chat conversation on Jabber will be retained. CPDP does not have the intention of collecting this information, as it is beyond what is necessary for the function of the program. The onus is on individual users to not include this information within Jabber conversations, and should they choose to do so, they do so knowing that this information will be collected and retained. Users will be made aware of this through the Terms of Use Policy (Appendix A).

3.2 Sensitive Information

The PDPA contains specific provisions relating to the collection of sensitive information (IPP 10). While there are many types of information that attract a heightened duty of care, for example banking details, the IPPs that specifically apply to sensitive personal information in the PDPA only apply to those in the table below.

Table 1: Sensitive Information
a  Racial or ethnic origin
b  Political opinions
c  Membership of a political association
d  Religious beliefs or affiliations
e  Philosophical beliefs
f  Membership of a professional or trade association
g  Membership of a trade union
h  Sexual preferences or practices
i  Criminal record
This program will not collect, use or disclose any of the above information  ✔
Jabber does not expressly collect sensitive information – however, as noted in section 1, any sensitive information that is disclosed within a chat will be retained just as any other message is retained. Users will be made aware of this through the Terms of Use Policy.
3.3 Unique Identifiers

The PDPA has specific requirements for the collection, use and disclosure of unique identifiers (IPP 7). The PDPA defines a unique identifier as follows:
Definition – Unique Identifier: Unique identifier means an identifier (usually a number) assigned by an organisation to an individual to uniquely identify that individual for the purposes of the operations of the organisation, but does not include an identifier that consists only of the individual’s name, and does not include an identifier within the meaning of the Health Records Act 2001.

An example of a unique identifier is a tax file number, a driver’s licence number, a passport number or a Centrelink Customer Reference Number.
Table 2: Unique Identifiers
1  Will this program assign a unique identifier? Y/N
Yes. CPDP assigns a Jabber account username in the form of an email address including the first initial of the first name and the full surname, for example jsmith@jss01.cpdp.vic.gov.au; this username has the ability to uniquely identify an individual. Email addresses are not always considered to be unique identifiers. The purpose of assigning the Jabber username is for both communication and identification purposes, therefore it is considered to be a unique identifier in this case.
2  Will this program collect, use or disclose a unique identifier created by another organisation? Y/N
No
3.4 Health Information

While the PDPA does not apply to health information, the privacy protections that should be considered are comparable to those necessary for personal information under the PDPA. This is demonstrated by the similarity between the IPPs and the HPPs contained in the HRA.

Definition – Health Information: The HRA defines health information as:
a) information or an opinion about –
(i) the physical, mental or psychological health (at any time) of an individual; or
(ii) a disability (at any time) of an individual; or
(iii) an individual’s expressed wishes about the future provision of health services to him or her; or
(iv) a health service provided, or to be provided to an individual – that is also personal information; or
b) other personal information collected to provide, or in providing, a health service; or
c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
d) other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants –
but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.

Table 3: Health Information
1  Will this program collect, use or disclose health information? Y/N
No. Note: Jabber does not expressly collect any health information – however, as noted in section 1, any health information that is disclosed within a chat will be retained just as any other message is retained. Users will be made aware of this through the Terms of Use Policy.
3.5 Re-identifiable Information

Many programs rely on the use of de-identified or non-identifiable information. When such information is used it needs to be treated with caution and afforded many of the same privacy protections as personal information, where there is the potential for re-identification to occur. This is particularly the case where a program involves data matching/linking activities. For that reason, when assessing privacy of personal information, potentially re-identifiable information should be protected in the same way as personal information. The National Health and Medical Research Council of Australia provides the following definitions, which should assist in determining when information should be considered re-identifiable (https://www.nhmrc.gov.au/book/glossary).

Definition – Re-identifiable Data: Re-identifiable data is data from which identifiers have been removed and replaced by a code, but it remains possible to re-identify a specific individual by, for example, using the code or linking different data sets.

Definition – Non-identifiable Data: Non-identifiable data is data that has never been labelled with individual identifiers or from which identifiers have been permanently removed, and by means of which no specific individual can be identified. Subsets of non-identifiable data are those that can be linked with other data so it can be known they are about the same data subject, although the person’s identity remains unknown.

Definition – De-identified: The PDPA defines the term de-identified, in relation to personal information, as meaning that the information no longer relates to an identifiable individual or an individual who can be reasonably identified.

Table 4: Re-identifiable Information
1  Will this program collect, use or disclose re-identifiable information? Y/N
No

Table 5: Threshold Assessment
Based on the information above, does your program collect, use or disclose:  Y N
1  Personal information (which may include any of sensitive information, unique identifiers, re-identifiable information or health information)? If YES, please proceed with the rest of the assessment. If NO, continue to sign off page.  ✔
2  Health information ONLY (and no other types of personal information)? If YES, please proceed to sign off page and consider your obligations under the HRA. Please contact the Health Services Commissioner for further assistance. If NO, please proceed with the rest of the assessment.  ✗
3  Personal information (including sensitive information, unique identifiers, re-identifiable information) AND health information? If YES, please proceed with the rest of this assessment and consider your obligations under the HRA. Please contact the Health Services Commissioner for further assistance.  ✗
Part 2 – Privacy Analysis

2.1 Information Flow Table/Diagram

[Jabber information flow diagram]

Table 6: Legal Authority
1  If you have legal authority under your organisation’s enabling legislation to collect, use or disclose personal information for the purposes of this program, please cite the relevant legislation and section within that act and continue with the assessment. If your enabling legislation does not explicitly permit or require the collection, use or disclosure of the information, please proceed with the rest of the assessment.
Relevant legislation: CPDP is able to use the personal information to set up a Jabber account, as it is consistent with the primary purpose of collection under IPP 2 of the Privacy and Data Protection Act 2014. Further, IPP 2.1(b) is also satisfied as the use of Jabber is optional; the user consents to the use of their personal information for this purpose when setting up access to Jabber with the ICT Coordinator.
2.2 Information Privacy Principles

Collection of Personal Information (including sensitive information and unique identifiers) (Refer to IPPs 1, 7, 8 & 10)

Collection (Please answer these questions if your program will collect personal information)
Y N IPP
1  Is all the information collected NECESSARY for the program?  [IPP 1.1]
2  Is it lawful or practicable for the individual to remain anonymous for the purpose of the program?  [IPP 8.1]
Risk Identifier: If the answer to question 1 is NO, please address Collection as a risk in Part 3 – Privacy Risk Mitigation. If the answer to question 2 is YES and the program will collect personal information, please address Anonymity as a risk in Part 3 – Privacy Risk Mitigation.
Notice (Please answer these questions if your program will collect personal information)
3(a)  Have you taken reasonable steps to ensure that the individual whose information is collected is made aware of the information below? If YES, please describe how: Although personal information is not collected for establishing access to Jabber, employees are provided with a Terms of Use Policy, which includes a privacy statement.  [✔ – IPP 1.3]
3(b)  If the answer to question 3(a) is NO, is the collection done by a law enforcement agency for a law enforcement function or activity? (For further information see Section 15 of the PDPA.)
Risk Identifier: If the answers to questions 3(a) and (b) are both NO please address Notice as a risk in Part 3 – Privacy Risk Mitigation.
Direct/Indirect Collection (Please answer these questions if your program will collect personal information)
4(a)  Is the information being collected DIRECTLY from the individual? If NO, proceed to question 4(c).  [IPP 1.4]
4(b)  Will any information also be collected INDIRECTLY about the individual? If NO, proceed to question 5.
4(c)  If the answer to question 4(a) is NO or the answer to question 4(b) is YES, please check the exception to the notice requirement that applies:  [IPP 1.5]
• Reasonable steps have been taken to ensure the individual whom the information is about has been made aware of the information in question 3; OR
• It would pose a serious threat to the life or health of any individual if the matters in question 3 were communicated to the individual
• The collection is by a law enforcement agency for a law enforcement function or activity (for further information see Section 15 of the PDPA).
Risk Identifier: If the answers to questions 4(a) and (b) are all NO, please address Indirect Collection as a risk in Part 3 – Privacy Risk Mitigation.
Unique Identifier (Please answer these questions if your program will collect, use or disclose personal information)
5(a)  Will this program assign or collect a unique identifier (see Table 2 above)? If NO, proceed to question 6.  [✔]
5(b)  Is it NECESSARY to assign a unique identifier to enable your organisation to carry out its program?  [✔ – IPP 7.1]
5(c)  Will a unique identifier of another organisation be used ONLY if one of the following conditions is met?  [✗ – IPP 7.2]
• It is necessary for your organisation to carry out its functions (this should be described in Table 2 above); OR
• The individual has consented to the use; OR
• It is an outsourcing organisation adopting the unique identifier of a CSP performing obligations under a state contract
5(d)  An individual will not be required to provide a unique identifier unless authorised by law or in connection with the purpose for which the unique identifier was originally assigned. If YES, please explain:  [✗ – IPP 7.4]
Risk Identifier: If the answers to questions 5(b)-(d) are all NO, please address Unique Identifiers as a risk in Part 3 – Privacy Risk Mitigation.
Sensitive Information (Please answer these questions if your program will collect personal information)
6(a)  Will this program collect sensitive information (see Table 1 above)? If NO, proceed to question 8.  [✗]
6(b)  Sensitive information identified in Table 1 will not be collected unless one of the following apply:  [IPP 10.1]
• The individual has consented  [IPP 10.1(a)]
• The collection is required under law  [IPP 10.1(b)]
• The collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual that the information is about is physically or legally incapable of consenting or physically cannot communicate the consent  [IPP 10.1(c)]
• The collection is necessary for the defence of a legal or equitable claim  [IPP 10.1(d)]
Risk Identification: If the answer to question 6(b) is NO please address Sensitive Information as a risk in Part 3 – Privacy Risk Mitigation.
7(a)  Will the sensitive information be used for a research purpose? If NO, proceed to question 8.
7(b)  If sensitive information is used for research purposes all of the following conditions must be met:
• The collection is necessary for research, compilation or analysis of statistics for a government funded welfare or educational service [IPP 10.2(a)(i)] or, if relating to racial or ethnic origin, the information is collected for providing government funded welfare or educational services [IPP 10.2(a)(ii)]; AND
• There is no reasonably practicable alternative to collecting the sensitive information for that purpose [IPP 10.2(b)]; AND
• It is impracticable for the individual to consent [IPP 10.2(c)].
Risk Identification: If the answer to question 7(b) is NO, please address Sensitive Information as a risk in Part 3 – Privacy Risk Mitigation.
Use and Disclosure of Personal Information (Refer to IPPs 2 & 7)

Use and Disclosure (Please answer these questions if your program will use or disclose personal information, including unique identifiers)
Y N IPP
8  Information will ONLY be used or disclosed for the primary purpose identified in Part 1. No new personal information is collected to establish access to Jabber; rather, it was previously collected by CPDP and this program is consistent with the primary purpose of collection. Any further information collected through the use of Jabber will only be used or disclosed for the primary purpose identified in Part 1.  [✔ – IPP 2.1]
9(a)  In addition to using and disclosing information for the primary purpose it was collected, personal information will be used or disclosed for a secondary purpose. If YES, please check which of the following secondary purposes below apply (9(b)-9(j)):  [✗]
9(b)  a) The secondary purpose is related to the primary purpose, or for sensitive information, directly related to the primary purpose; AND b) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose. If YES, please describe the secondary purpose:  [IPP 2.1(a)]
9(c)  The individual has consented (express or implied) to the use or disclosure  [IPP 2.1(b)]
9(d)  As necessary for research, or the compilation or analysis of statistics IN THE PUBLIC INTEREST  [IPP 2.1(c)]
9(e)  Where necessary to lessen or prevent a serious and imminent threat to an individual’s life, health, safety or welfare; or a serious threat to public health, public safety or public welfare  [IPP 2.1(d)]
9(f)  Where necessary on suspicion of unlawful activity as part of its investigation or reporting its concerns to relevant persons or authorities  [IPP 2.1(e)]
9(g)  As required or authorised by law. If YES, please cite the relevant law:  [IPP 2.1(f)]
9(h)  By or on behalf of a law enforcement agency for one of the following purposes (*a written note must be made of any use or disclosure made under this section):  [IPP 2.1(g)/2.2]
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime
(iii) the protection of the public revenue
(iv) the prevention, detection, investigation or remedying of seriously improper conduct
(v) the preparation or conduct of proceedings or implementation of the orders of any court or tribunal
9(i)  As requested, in writing, by the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS)  [IPP 2.1(h)]
9(j)  The use or disclosure is by a law enforcement agency for a law enforcement function or activity (for further information see Section 15 of the PDPA)
Risk Identification: If the answer to question 9(a) is YES and 9(b)-(j) are all NO please address Secondary Purpose as a risk in Part 3 – Privacy Risk Mitigation.
Use and Disclosure of a Unique Identifier (assigned by another organisation) (Please answer these questions if your program will use or disclose a unique identifier)
Y N IPP
10(a)  This program will use or disclose a unique identifier assigned to an individual by another organisation (see Table 2 above). If NO, proceed to question 11.  [✗ – IPP 7.2]
10(b)  The unique identifier assigned to an individual by another organisation will not be used or disclosed unless one of the following apply:  [IPP 7.3]
10(c)  It is necessary for the organisation to fulfil its obligation to the other organisation  [IPP 7.3(a)]
10(d)  The individual has consented  [IPP 7.3(c)]
10(e)  One or more of the following apply (see IPP 2.1(d)-(g) for full conditions):  [IPP 7.3(b)]
10(f)  A serious threat to individual or public health, safety or welfare
10(g)  Reporting a suspected unlawful activity to the relevant person or authority as part of an investigation
10(h)  It is required or authorised by law. If YES, please cite the relevant law:
10(i)  The organisation reasonably believes the use or disclosure is reasonably necessary by or on behalf of a law enforcement agency (see IPP 2.1(g) for full description)
Risk Identifier: If the answer to question 10(a) is YES and 10(c)-(i) are all NO please address Secondary Purpose as a risk in Part 3 – Privacy Risk Mitigation.
Transborder Data Flows (Refer to IPP 9)

Transborder Data Flows (Please answer these questions if your program will disclose personal information)
Y N IPP
11(a)  The program will transfer personal information to an organisation or person outside of Victoria (other than the organisation or the individual). If NO, proceed to question 12. If YES, please describe:  [✗]
11(b)  Personal information will only be transferred to someone outside of Victoria (other than the organisation or the individual) if one of the following (11(c)-11(h)) apply:  [IPP 9.1]
11(c)  The organisation reasonably believes that the recipient is subject to laws or a contract enforcing information handling principles substantially similar to the IPPs  [IPP 9.1(a)]
11(d)  The individual consents to the transfer  [IPP 9.1(b)]
11(e)  The transfer is necessary for the performance of a contract between the individual and the organisation  [IPP 9.1(c)]
11(f)  The transfer is necessary as part of a contract in the interest of the individual between the organisation and a third party  [IPP 9.1(d)]
11(g)  All of the following apply: The transfer is for the benefit of the individual; AND It is impractical to obtain consent; AND If it were practicable the individual would likely consent.  [IPP 9.1(e)]
11(h)  The organisation has taken reasonable steps so that the information transferred will be held, used and disclosed consistently with the IPPs. If YES, please describe steps:  [IPP 9.1(f)]
Risk Identification: If the answer to question 11(a) is YES and 11(c)-(h) are all NO please address Transborder Data Flows as a risk in Part 3 – Privacy Risk Mitigation.
Data Quality (Refer to IPP 3)

Data Quality (Please consider data quality if your program will collect, use or disclose personal information)  [IPP 3.1]
The information required to set up access to Jabber is already known by CPDP and the personal information was already ensured to be accurate, complete and up to date at the time of collection. The logs created on the CPDP server roll over every 1-2 weeks in order to keep file sizes manageable within a given time frame. The ICT coordinator is responsible for managing these logs and ensuring they are accurate, complete and up to date. Access to the logs is recorded through named access controls in order to mitigate against the risk of logs being retrospectively altered or tampered with. CPDP cannot guarantee or control the quality of any information communicated by users via Jabber as it does not control the content that users choose to disclose.
Risk Identification: If the program does not ensure that all data collected, used or disclosed is accurate, complete and up to date, please address Data Quality as a risk in Part 3 – Privacy Risk Mitigation.
Security of Personal Information (Refer to IPP 4)

IPP 4 requires an organisation to take reasonable steps to protect the personal information it holds from misuse, loss and from unauthorised access, modification and disclosure. Once developed and approved, the Victorian Protective Data Security Framework (VPDSF) will provide implementation guidance on data security for the Victorian public sector. For this program please ensure you have considered the requirements of the Australian government’s Protective Security Policy Framework as adapted to Victoria until the VPDSF is issued.

Data Security (Please answer this question if your program will collect, use or disclose personal information)
Y N IPP
13(a)  The program has taken reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.  [✔ – IPP 4.1 & VPDSF]
• Information access: The ICT Coordinator has full access and management responsibilities over Jabber accounts and all chat logs. Any other staff member granted administration rights on the CPDP servers can also access the chat logs. [IT Service Provider] also has access to the logs under certain circumstances (see third party management below).
• Security training and awareness: User responsibility in line with TOU Policy
• Security incident management and business continuity management: All chat logs are encrypted and stored offsite for an indefinite period and can be retrieved should there be a security incident or in order to maintain business continuity.
• Third party management: [IT Service Provider] has administrator rights to CPDP servers only while in the CPDP office. Any offsite access is only granted for a specific reason and is monitored by the ICT Coordinator, and any access to the logs is recorded. All backup tapes are retained with [Storage Service Provider], CPDP’s external storage facility based in Victoria. Tapes are encrypted and [Storage Service Provider] does not have access to their content.
• Information security: As per the TOU Policy, any official CPDP information should be handled appropriately and therefore not communicated via Jabber.
• Information value: All users of Jabber should be aware of the Business Impact Level (BIL) information classification levels, and users need to be able to assess the value of information being communicated via chat. As outlined in the TOU policy, any information of value should be communicated through an official channel with the appropriate protective marking for both security and public records purposes.
• ICT security: Jabber is hosted internally on CPDP’s secure Wi-Fi network. All logs stored offsite are encrypted.
• Physical security: All computers and devices are password protected and should be locked when unattended. CPDP staff should not be accessing other employees’ computers or devices for any purpose, including the use of Jabber.
Risk Identification: If the program does not address the security risks identified in 13(a) please address Data Security as a risk in Part 3 – Privacy Risk Mitigation.
Records Management (Please answer this question if your program will collect, use or disclose personal information)
Y N IPP
13(b)  The program will take reasonable steps to destroy or de-identify personal information if it is no longer needed for any purpose. The Public Records Act does not require logs to be kept more than 7 years; however, all logs are stored indefinitely in the form of encrypted tapes at an offsite facility for the purposes highlighted in Part 1 related to security incident and business continuity management. Chat logs stored on internal CPDP servers are retained for a period of 12 months before being deleted.  [✔ – IPP 4.2]
Risk Identification: If the answer to question 13(b) is NO, please address Records Management as a risk in Part 3 – Privacy Risk Mitigation.
Openness (Refer to IPP 5)

Openness (Please answer these questions if your program will collect, use or disclose personal information)
Y N IPP
14(a)  The organisation has a document available for public review that sets out the policies for the management of personal information. Please identify document(s) and provide link where available: CPDP Privacy Policy https://www.cpdp.vic.gov.au/menu-about/about-privacy-policy  [✔ – IPP 5.1]
14(b)  The organisation has steps in place to allow an individual to know what personal information it holds about them and for what purposes it collects, uses and discloses it.  [✔ – IPP 5.2]
Risk Identification: If the answer to question 14(a) or (b) is NO, please address Openness as a risk in Part 3 – Privacy Risk Mitigation.
Access and Correction (Refer to IPP 6)

The Access and Correction principle (IPP 6) entitles individuals to view and obtain copies of their personal information and to correct personal information held about them. IPP 6 is designed to supplement existing access and correction rights under the Freedom of Information Act 1982 (FOI Act). Information held by a Victorian public sector organisation is subject to the FOI Act and therefore does not need to be assessed against IPP 6.

Where the public sector outsources part of their program services to a CSP, the CSP will be required to comply with IPP 6, but only in relation to the CSP’s provision of service under a state contract. Please refer to the Outsourcing and Privacy Guidelines for additional information on CSPs and their obligations under IPP 6.
Part 3 – Privacy Risk Mitigation

Table 7: Risk Mitigation
Risk Mitigation Table
Identified Risk  |  Mitigation Strategy  |  Likelihood  |  Impact  |  Risk Rating
Appendix A:
Jabber (Messages) Terms of Use Policy for CPDP Employees
The Office of the Commissioner for Privacy and Data Protection (CPDP) is operating a voluntary instant messaging service available to all CPDP staff for informal internal communication. This document outlines the terms of use (TOU) for the use of Jabber by all CPDP employees (herein referred to as 'users'). It applies to all desktops, notebooks and home computers where CPDP business is transacted. The purpose of this document is to serve as guidelines for appropriate, legal and ethical use of Jabber, consistent with the aims, values and objectives of CPDP and its responsibilities under the Privacy and Data Protection Act 2014 and the Public Records Act 1973. All users are expected to adhere to this TOU policy while using Jabber.
Description of Jabber
Jabber or 'Messages' is an application that is pre-installed on all CPDP desktops. It is an optional program intended to provide staff with access to internal instant messaging services. Jabber enables secure, near real-time online communication between users in the form of one-to-one conversations, group chat, video calls and file sharing. Once connected to a Jabber account, users have the ability to communicate internally with all other CPDP staff who have also chosen to opt in to the service.
Jabber enables fast, convenient communication between users for informal, unofficial and transitory matters. It should not be used for making decisions or any other official communication (see below for further details). When used appropriately, Jabber can increase the ease of communication by saving time on phone calls, reducing clutter in emails, and enabling fast communication with offsite users. All textual content of Jabber conversations will be stored on the CPDP server for a period of 12 months, and backed up indefinitely on encrypted tapes at an external facility.
Privacy Statement – Collection, handling and retention of personal information
1. For the purpose of creating a Jabber account, CPDP will only use limited personal information (the employee's full name), already held by CPDP.
2. For the purposes of security and recordkeeping requirements, all content of 'chat' conversations through Jabber will be logged and stored on the CPDP server, and securely backed up offsite. This includes date and time of communication, Jabber username, the computer name, and all message content (in text form only).
2.1 CPDP does not expressly seek to collect any further personal, sensitive or health information than that which is required for the functional purpose of Jabber as outlined in points 1 and 2.
2.2 Users who choose to disclose further personal, sensitive or health information within the context of a Jabber conversation do so knowing that all content of conversations is collected and stored on the CPDP server for 12 months, and held indefinitely on external backup tapes.
3. CPDP will collect, handle and retain your personal information in accordance with the Information Privacy Principles under the Privacy and Data Protection Act 2014.
3.1 Personal information used for the purpose of setting up a Jabber account is personal information that has been previously collected by CPDP. No new personal information will be collected for this purpose.
3.2 Access to personal information and chat logs is restricted to the ICT Coordinator, [IT Service Provider] (while onsite), and those with administrator rights to the CPDP server. Encrypted tapes are stored externally at [Storage Service Provider], who is not granted access to content.
3.3 Content of Jabber conversations will only be accessed and used by CPDP should there be a requirement under the Public Records Act 1973, a Freedom of Information request, or in the case of a security breach, bullying, harassment or defamation claims, or where required by law.
3.4 Users can request access to the information that CPDP holds about them for the purposes of this program by contacting the ICT Coordinator.
3.5 Employees who do not consent to the use of their personal information for the purposes of Jabber will not be able to use Jabber services.
User responsibilities
The intended use of Jabber is for internal CPDP communication for informal, unofficial and transitory messages only. It should not be used in place of established recordkeeping protocols when communicating official matters or making decisions requiring documentation. Jabber is a tool that can aid collaborative working and communication. It should not be used in such a way that interferes with the job responsibilities of the user or others. Failure to comply with this TOU policy may result in suspension or deletion of the user's Jabber account. In serious cases further disciplinary action may be taken where necessary.
Security of communication
While the risk of external access to Jabber is minimal, it remains important to make security of information a priority. Electronic communications may be easily copied, forwarded and saved by a recipient or anyone with access to the conversation. The audience of an electronic message may be unexpected and widespread. As such, Jabber should not be used to send material that is inappropriate within a work environment, or that would be harmful in any way should it be captured and viewed by an unintended third party.
Users need to be aware of and understand the value of the information contained in the content of any Jabber chat. As Jabber does not require a classification similar to email content, the onus is upon the user to be aware of and take responsibility for the conversations they are in, and to continually assess the value of information and, where necessary, switch to an appropriate form of communication (such as an email with a protective marking).
Appropriateness
Content of conversations on Jabber should be appropriate for a workplace environment. Bullying, harassment, and defamation will not be tolerated. Further, while it is not the intention of CPDP to collect any personal, sensitive or health information through Jabber, it is the responsibility of each user to refrain from disclosing such information should they not want it to be stored with all other Jabber content. All users are only permitted to use their own Jabber account, and should not communicate with others under the guise of another user. See the table below for examples of when Jabber should and should not be used.
Appropriate use of Jabber

Use:
✔ Substitute for phone calls and email regarding routine matters where business decisions are not made
✔ Casual conversations, day-to-day chat and questions
✔ Arranging a short-notice meeting

Don't use:
× Classified information or content (including file transfer, where the content is classified)
× Personal, sensitive or health information of those in the conversation or about others
× Financial information, authorisations and decisions
× Conversations where there is a need to maintain evidence or an official record
× Details of specific CPDP external business. For example, privacy complaints and inquiries, an organisation's PIA, etc.
× Inappropriate activities including pornography, fraud, defamation, breach of copyright, unlawful discrimination or vilification, harassment (including sexual harassment), stalking, privacy violations, bullying, and illegal activity