Privacy Impact Assessment: Instant Messenger - CPDP · PDF fileinformation through the use of Jabber services. In this sense, this PIA is two-tiered as it covers two parts of the same

CommissionerforPrivacyandDataProtection

POBOX24014,MELBOURNEVIC3001T1300666444Wcpdp.vic.gov.auEprivacy@cpdp.vic.gov.au 1

Pleasenotethatthisisanexampleonly.Theprivacy,datasecurityandrecordkeepingconsiderationsarelikelytodifferbetweeneachorganisationandtoolsused.Forstaffprivacyandbusinesssecuritypurposessomesectionsanddetailsofthisdocumenthavebeenremovedoredited.

PrivacyImpactAssessment:InstantMessengerPart1–GeneralDescriptionNameofProgram: ‘Messages’–JabberInstantMessenger

Date: May2016

NameofOrganisation: CPDP

PIADrafter:

Email: Phone:

ProgramManager:

Email: Phone:

AreyoualawenforcementagencyasdefinedinSection3ofthePDPA?Y/NNo.

Definition–ProgramForthepurposeofthisdocument,programwillbeusedtomeananysystem,legislation,project,initiativeoractivity.

1.DescriptionoftheProgramandPartiesMessagesor‘Jabber’isanapplicationpre-installedonallCPDPdesktopcomputersandlaptops.ItisanoptionalprogramintendedtoprovideallCPDPstaffwithaccesstointernalinstantmessagingservices.MessagesishostedinternallybyCPDPthroughaprogramcalledJabberwhichiscommunicationsoftwarebasedonXMPP(ExtensibleMessagingandPresenceProtocol)thatprovidessecure,nearreal-timeonlinecommunicationintheformof‘chat’.Jabberinstantmessaging(IM)servicesincludeone-to-onechat,groupconversations,filesharing,videocallsandcontactor‘buddies’lists.OnceconnectedtoaJabberaccount,usershavetheabilitytocommunicateinternallywithfellowCPDPstaffwhohavealsooptedintotheprogram.TheprimarybenefitofJabberisthatitenablesfast,convenientcommunicationbetweenstaffmembersforinformal,unofficialandtransitorymatters.Asthisprogramisnotintendedforofficialcommunicationordecision-making,theuseofJabberwillrelievethebuildupofemailclutterandsavetimeoninternalphonecalls.ItisalsousefulforcommunicatingwithoffsiteCPDPstaffwhoareconnectedtotheCPDPnetworkthoughaVirtualPrivateNetwork(VPN)connection.Thisenableseaseofcommunicationwithstaffwhoareworkingathomeoroutoftheofficeonbusiness.Jabberisanopt-inonlyprogram,togainaccessanduseemployeesarerequiredtosetupaJabberusernamewiththeICTCoordinatorthatincludesthefirstletteroftheirfirstnameandfullsurname.Forexample,JohnSmith’sJabberaccountwouldbejsmith@jss01.cpdp.vic.gov.au.Thisaccountislinkedtotheuser’sfullname.AstheJabberaccountincludesidentifiableinformation,anycommunicationscanbeassociatedwiththestaffmemberlinkedwiththatparticularJabberaccount.Allcontentofmessages(intextform)sentthroughJabberareautomaticallyloggedontheCPDPserverforaperiodof12months*,andstoredindefinitelyat[StorageServiceProvider]–anoffsitefacilitybasedinVictoria–intheformof

*Tobereviewedaftera12-monthtrialperiod



encryptedbackuptapes.AnyotherfiletransferredthroughJabber(documents,photos,videocontent)isnotloggedhoweverwillbestoredintherecipient’s‘downloads’folderuntilmanuallydeleted.LogsstoredontheCPDPserverwillbedeletedafterthe12-monthperiod.Thetime,date,jabberaccountandcontentofmessagearevisibleinthislog.TheICTCoordinatoraswellasanyonewithadministratorrightstotheCPDPserverscanaccesstheallinternallystoredlogs.Eachweek,theselogsarebackeduptotape(alongwithallotherCPDPelectronicdata)andtransferredto[StorageServiceProvider].Alltapesareencryptedandarenotaccessibleby[StorageServiceProvider]stafforcontractors.Thepurposeofthesebackuptapesistoensurebusinesscontinuityincaseofasecurityemergency.UseofJabberissecure,asitishostedinternallyandthroughCPDPWi-Fi,whichhasresistedpenetrationtestingandisdeemedsecure.Asoutlinedpreviously,anyonewithadministratorrightstotheCPDPservershasaccesstoallstoredJabberchatlogs.ThisincludesCPDP’sexternalITprovider,howevertheiraccesshasbeenrestrictedtowhileonCPDPpremises.AccesstotheJabberlogsrequiresanamedloginaccesscontrol,whichmeansthatanymanagementaccesstothelogsisitselfrecorded.ThepersonalinformationusedintheprocessofsettingupaJabberaccountisnotnewlycollected;ratheritisinformationpreviouslycollectedbyCPDP.Allpersonalinformationusedisnecessarytocompletethefunctionoftheprogram,andnounnecessaryextrapersonalinformationiscollectedintheprocessofsettingupuseraccesstoJabber.GiventhatJabberisanopt-inprogram,employeesgivetheirconsentfortheirpersonalinformationtobeusedinthiswayatthetimetheysignup.Jabberdoesnotrequireanyotherpersonalinformationthanthatlistedaboveinordertobesetup(fullname),andtofunctionrequirestheJabberusernameandcomputername.Anyotherinformationincludedwithinachatconversationwillberecordedandretainedregardlessofthecontent.Thismeansthatanypersonal,sensitiveorhealthinformationthatauserdisclosesduringachatwillberecordedandretainedalongsideanyotherchatcontent.WhileJabberdoesnotexpresslyintendtocollectthisinformation,theonusisontheindividualuserastotheinformationtheydisclosewithinchat.ThisisclearlyoutlinedintheTermsofUse(TOU)Policy,whichusersmustreadbeforesigninguptotheprogram(AppendixA).ThepurposeofcollectionandretentionofallcontentofIMchatconversationsisto:

• ensurecompliancewithpublicrecordkeepingrequirements• enableFOIrequeststobecompleted• respondtosecuritybreachoremergency• followupharassment,bullingordefamationissuesandcomplaints

Therisklevelfortheabovecircumstancesislow,astheintendeduseofJabberisforinformal,unofficialandtransitorymessagesonly,andnottobeusedfordecision-makingpurposesoranyofficialcorrespondence.However,asitisnottechnicallypossibletoenforcethis,messagesarerequiredtoberetainedincasethereisaneedtorevisitpriorconversationsforanyoftheabovepurposes.

2.ScopeofthisPIAandanyRelatedPrivacyImpactAssessmentsThisPIAcoverstheuseofexistingpersonalinformationnecessaryforaccesstoJabber(consistentwiththeprimarypurposeforwhichitwasoriginallycollectedbyCPDP),aswellasthecollection,useandretentionofpersonalinformationthroughtheuseofJabberservices.Inthissense,thisPIAistwo-tieredasitcoverstwopartsofthesameprogram.WhileitisbeyondthescopeofthisPIA,itisnotedthatthereareissuesrelatedtounsolicitedpersonal,sensitiveandhealthinformationthatmayoccurwithininstantmessengerconversations.ThereiscurrentlynootherPIAcompletedforanypartoftheinternaluseofJabberwithinCPDP.Asthisprogramisinternalbynature,therearenootherorganisationsinvolvedintheuseofJabberthatneedtobetakenintoaccount.However,therearethirdpartieswhichareindirectlyinvolved:[ITServiceProvider]hasadministratoraccessrightstotheCPDPserversandthereforeaccesstochatlogsincertaincircumstances,and[StorageServiceProvider]providesexternalserverstoragefacilitiesforencryptedbackupcopiesofallCPDPdata.



3.IdentifyingInformationElementsThissectionconsiderstheuseofinformationthatiscapableofidentifyinganindividual,whetherdirectlyorindirectly.Thisincludesanyinformationthatiscollected,usedordisclosedbyaCSPonbehalfofyourorganisationforthepurposeofthisprogram.

3.1PersonalInformationWhenassessingimpactstoprivacythefirstconsiderationiswhetheranypersonalinformationwillbeinvolvedintheprogram.Section3ofthePDPAdefinespersonalinformationasfollows:

ThefollowinginformationisusedforthepurposeofsettingupaJabberaccount:

• FirstName

• Surname

Thefollowinginformationiscollectedforthepurposeofretainingchatlogs:

• Jabberusername

• ComputerName

• Dateandtimeofmessage

• Contentofmessage(textonly)

Asnotedinsection1,anyfurtherinformation(includingpersonal,sensitiveandhealthinformation)disclosedbyauserduringachatconversationonJabberwillberetained.CPDPdoesnothavetheintentionofcollectingthisinformation,asitisbeyondwhatisnecessaryforthefunctionoftheprogram.TheonusisonindividualuserstonotincludethisinformationwithinJabberconversations,andshouldtheychoosetodoso,knowinglythatthisinformationwillbecollectedandretained.UserswillbemadeawareofthisthroughtheTermsofUsePolicy(AppendixA).

3.2SensitiveInformationThePDPAcontainsspecificprovisionsrelatingtothecollectionofsensitiveinformation(IPP10).Whiletherearemanytypesofinformationthatattractaheighteneddutyofcare,forexamplebankingdetails,theIPPsthatspecificallyapplytosensitivepersonalinformationinthePDPAonlyapplytothoseinthetablebelow.

Table1:SensitiveInformation

a Racialorethnicorigin

b Politicalopinions

c Membershipofapoliticalassociation

d Religiousbeliefsoraffiliations

e Philosophicalbeliefs

f Membershipofaprofessionalortradeassociation

g Membershipofatradeunion

h Sexualpreferencesorpractices

Definition–PersonalInformationPersonalinformationmeansinformationoranopinion(includinginformationoranopinionformingpartofadatabase),thatisrecordedinanyformandwhethertrueornot,aboutanindividualwhoseidentityisapparent,orcanreasonablybeascertained,fromtheinformationoropinion,butdoesnotincludeinformationofakindtowhichtheHealthRecordsAct2001applies.



i Criminalrecord

Thisprogramwillnotcollect,useordiscloseanyoftheaboveinformation✔

Jabberdoesnotexpresslycollectsensitiveinformation–however,asnotedinsection1,anysensitiveinformationthatisdisclosedwithinachatwillberetainedjustasanyothermessageisretained.UserswillbemadeawareofthisthroughtheTermsofUsePolicy.

3.3UniqueIdentifiersThePDPAhasspecificrequirementsforthecollection,useanddisclosureofuniqueidentifiers(IPP7).ThePDPAdefinesauniqueidentifierasfollows:

Definition–UniqueIdentifierUniqueidentifiermeansanidentifier(usuallyanumber)assignedbyanorganisationtoanindividualtouniquelyidentifythatindividualforthepurposesoftheoperationsoftheorganisationbutdoesnotincludeanidentifierthatconsistsonlyoftheindividual’sname,butdoesnotincludeanidentifierwithinthemeaningoftheHealthRecordsAct2001.

Anexampleofauniqueidentifierisataxfilenumber,adriver’slicensenumber,apassportnumberoraCentrelinkCustomerReferenceNumber.

Table2:UniqueIdentifiers

1 Willthisprogramassignauniqueidentifier?Y/N

YesCPDPassignsaJabberaccountusernameintheformofanemailaddressincludingthefirstinitialofthefirstnameandthefullsurname,forexample,[email protected],thisusernamehastheabilitytouniquelyidentifyanindividual.Emailaddressesarenotalwaysconsideredtobeuniqueidentifiers.ThepurposeofassigningtheJabberusernameisforbothcommunicationandidentificationpurposes,thereforeitisconsideredtobeauniqueidentifierinthiscase.

2 Willthisprogramcollect,useordiscloseauniqueidentifiercreatedbyanotherorganisation?Y/N

No

3.4HealthInformationWhilethePDPAdoesnotapplytohealthinformation,theprivacyprotectionsthatshouldbeconsideredarecomparabletothosenecessaryforpersonalinformationunderthePDPA.ThisisdemonstratedbythesimilaritybetweentheIPPsandtheHPPscontainedintheHRA.

Definition–HealthInformationTheHRAdefineshealthinformationas:a)informationoranopinionabout-

(i) thephysical,mentalorpsychologicalhealth(atanytime)ofanindividual;or(ii)adisability(atanytime)ofanindividual;or(iii)anindividual’sexpressedwishesaboutthefutureprovisionofhealthservicestohimorher;or(iv)ahealthserviceprovided,ortobeprovidedtoanindividual–thatisalsopersonalinformation;or

b)otherpersonalinformationcollectedtoprovide,orinproviding,ahealthservice;orc)otherpersonalinformationaboutanindividualcollectedinconnectionwiththedonation,orintendeddonation,bytheindividualofhisorherbodyparts,organsorbodysubstances;or



d)otherpersonalinformationthatisgeneticinformationaboutanindividualinaformwhichisorcouldbepredictiveofthehealth(atanytime)oftheindividualorofanyofhisorherdescendants–butdoesnotincludehealthinformation,oraclassofhealthinformationorhealthinformationcontainedinaclassofdocuments,thatisprescribedasexempthealthinformationforthepurposesofthisActgenerallyorforthepurposesofspecifiedprovisionsofthisAct.

Table3:HealthInformation

1 Willthisprogramcollect,useordisclosehealthinformation?Y/N

NoNote:Jabberdoesnotexpresslycollectanyhealthinformation–however,asnotedinsection1,anyhealthinformationthatisdisclosedwithinachatwillberetainedjustasanyothermessageisretained.UserswillbemadeawareofthisthroughtheTermsofUsePolicy.

3.5Re-identifiableInformationManyprogramsrelyontheuseofde-identifiedornon-identifiableinformation.Whensuchinformationisuseditneedstobetreatedwithcautionandaffordedmanyofthesameprivacyprotectionsaspersonalinformation,wherethereisthepotentialforre-identificationtooccur.Thisisparticularlythecasewhereaprograminvolvesdatamatching/linkingactivities.Forthatreason,whenassessingprivacyofpersonalinformation,potentiallyre-identifiableinformationshouldbeprotectedinthesamewayaspersonalinformation.TheNationalHealthandMedicalResearchCouncilofAustraliaprovidesthefollowingdefinitions,whichshouldassistindeterminingwheninformationshouldbeconsideredre-identifiable(https://www.nhmrc.gov.au/book/glossary).

Definition–Re-identifiableDataRe-identifiabledataisdatafromwhichidentifiershavebeenremovedandreplacedbyacode,butitremainspossibletore-identifyaspecificindividualby,forexample,usingthecodeorlinkingdifferentdatasets.

Definition–Non-identifiableDataNon-identifiabledataisdatathathasneverbeenlabelledwithindividualidentifiersorfromwhichidentifiershavebeenpermanentlyremoved,andbymeansofwhichnospecificindividualcanbeidentified.Subsetsofnon-identifiabledataarethosethatcanbelinkedwithotherdatasoitcanbeknowntheyareaboutthesamedatasubject,althoughtheperson’sidentityremainsunknown.

Table4:Re-identifiableInformation

Table5:ThresholdAssessment

Basedontheinformationabove,doesyourprogramcollect,useordisclose: Y N

Definition–De-identifiedThePDPAdefinesthetermde-identified,inrelationtopersonalinformationasmeaningthattheinformationnolongerrelatestoanidentifiableindividualoranindividualwhocanbereasonablyidentified.

1 Willthisprogramcollect,useordisclosere-identifiableinformation?Y/NNo



1 Personalinformation(whichmayincludeanyofsensitiveinformation,uniqueidentifiers,re-identifiableinformationorhealthinformation)?IfYES,pleaseproceedwiththerestoftheassessment.IfNO,continuetosignoffpage.

✔

2 HealthinformationONLY(andnoothertypesofpersonalinformation)?IfYES,pleaseproceedtosignoffpageandconsideryourobligationsundertheHRA.PleasecontacttheHealthServicesCommissionerforfurtherassistance.IfNO,pleaseproceedwiththerestoftheassessment.

✗

3 Personalinformation(includingsensitiveinformation,uniqueidentifiers,re-identifiableinformation)ANDhealthinformation?IfYES,pleaseproceedwiththerestofthisassessmentandconsideryourobligationsundertheHRA.PleasecontacttheHealthServicesCommissionerforfurtherassistance.

✗

Part2–PrivacyAnalysisTable6:LegalAuthority

2.1InformationFlowTable/Diagram

Jabberinformationflowdiagram

1 Ifyouhavelegalauthorityunderyourorganisation’senablinglegislationtocollect,useordisclosepersonalinformationforthepurposesofthisprogram,pleasecitetherelevantlegislationandsectionwithinthatactandcontinuewiththeassessment.Ifyourenablinglegislationdoesnotexplicitlypermitorrequirethecollection,useofdisclosureoftheinformation,pleaseproceedwiththerestoftheassessment.

Relevantlegislation:CPDPisabletousethepersonalinformationtosetupaJabberaccount,asitisconsistentwiththeprimarypurposeofcollectionunderIPP2ofthePrivacyandDataProtectionAct2014.Further,IPP2.1(b)isalsosatisfiedastheuseofJabberisoptional,theuserconsentstotheuseoftheirpersonalinformationforthispurposewhensettingupaccesstoJabberwiththeICTCoordinator.



2.2InformationPrivacyPrinciples

CollectionofPersonalInformation(includingsensitiveinformationanduniqueidentifiers)(RefertoIPPs1,7,8&10)

Collection(Pleaseanswerthesequestionsifyourprogramwillcollectpersonalinformation)

Y N IPP

1 IsalltheinformationcollectedNECESSARYfortheprogram? 1.1

2 Isitlawfulorpracticablefortheindividualtoremainanonymousforthepurposeoftheprogram?

8.1

RiskIdentifier:Iftheanswertoquestion1isNO,pleaseaddressCollectionasariskinPart3–PrivacyRiskMitigation.Iftheanswertoquestion2isYESandtheprogramwillcollectpersonalinformation,pleaseaddressAnonymityasariskinPart3–PrivacyRiskMitigation.

Notice(Pleaseanswerthesequestionsifyourprogramwillcollectpersonalinformation)

3(a) Haveyoutakenreasonablestepstoensurethattheindividualwhoseinformationiscollectedismadeawareoftheinformationbelow?IfYES,pleasedescribehow:AlthoughpersonalinformationisnotcollectedforestablishingaccesstoJabber,employeesareprovidedwithaTermsofUsePolicy,whichincludesaprivacystatement.

✔ 1.3

3(b) Iftheanswertoquestion3(a)isNO,isthecollectiondonebyalawenforcementagencyforalawenforcementfunctionoractivity?(ForfurtherinformationseeSection15ofthePDPA).

RiskIdentifier:Iftheanswerstoquestions3(a)and(b)arebothNOpleaseaddressNoticeasariskinPart3–PrivacyRiskMitigation.

Direct/IndirectCollection(Pleaseanswerthesequestionsifyourprogramwillcollectpersonalinformation)

4(a) IstheinformationbeingcollectedDIRECTLYfromtheindividual?IfNO,proceedtoquestion4(c).

1.4

4(b) WillanyinformationalsobecollectedINDRECTLYabouttheindividual?IfNO,proceedtoquestion5.

4(c) Iftheanswertoquestion4(a)isNOortheanswertoquestion4(b)isYES,pleasechecktheexceptiontothenoticerequirementthatapplies.

Reasonablestepshavebeentakentoensuretheindividualwhomtheinformationisabouthasbeenmadeawareoftheinformationinquestion3;OR

1.5

Itwouldposeaseriousthreattothelifeorhealthofanyindividualifthemattersinquestion3werecommunicatedtotheindividual

Thecollectionisbyalawenforcementagencyforalawenforcementfunctionoractivity(forfurtherinformationseeSection15ofthePDPA).

RiskIdentifier:Iftheanswerstoquestions4(a)and(b)areallNO,pleaseaddressIndirectCollectionasariskinPart3–PrivacyRiskMitigation.

UniqueIdentifier(Pleaseanswerthesequestionsifyourprogramwillcollect,useordisclosepersonalinformation)



5(a) Willthisprogramassignorcollectauniqueidentifier(seeTable2above).IfNO,proceedtoquestion6.

✔

5(b) IsitNECESSARYtoassignauniqueidentifiertoenableyourorganisationtocarryoutitsprogram?

✔ 7.1

5(c) WillauniqueidentifierofanotherorganisationbeusedONLYifoneofthefollowingconditionsismet?

✗ 7.2

Itisnecessaryforyourorganisationtocarryoutitsfunctions(thisshouldbedescribedinTable2above);OR

Theindividualhasconsentedtotheuse;OR

ItisanoutsourcingorganisationadoptingtheuniqueidentifierofaCSPperformingobligationsunderastatecontract

5(d) Anindividualwillnotberequiredtoprovideauniqueidentifierunlessauthorisedbylaworinconnectionwiththepurposeforwhichtheuniqueidentifierwasoriginallyassigned.IfYES,pleaseexplain:

✗ 7.4

RiskIdentifier:Iftheanswerstoquestions5(b)-(d)areallNO,pleaseaddressUniqueIdentifiersasariskinPart3–PrivacyRiskMitigation.

SensitiveInformation(Pleaseanswerthesequestionsifyourprogramwillcollectpersonalinformation)

6(a) Willthisprogramcollectsensitiveinformation(seeTable1above).IfNO,proceedtoquestion8.

✗

6(b) SensitiveinformationidentifiedinTable1willnotbecollectedunlessoneofthefollowingapply:

10.1

Theindividualhasconsented 10.1(a)

Thecollectionisrequiredunderlaw 10.1(b)

Thecollectionisnecessarytopreventorlessenaseriousandimminentthreattothelifeorhealthofanyindividual,wheretheindividualthattheinformationisaboutisphysicallyorlegallyincapableofconsentingorphysicallycannotcommunicatetheconsent

10.1(c)

Thecollectionisnecessaryforthedefenceofalegalorequitableclaim 10.1(d)

RiskIdentification:Iftheanswertoquestion6(b)isNOpleaseaddressSensitiveInformationasariskinPart3–PrivacyRiskMitigation.

7(a) Willthesensitiveinformationbeusedforaresearchpurpose?IfNO,proceedtoquestion8.

7(b) Ifsensitiveinformationisusedforresearchpurposesallofthefollowingconditionsmustbemet:

Thecollectionisnecessaryforresearch,compilationoranalysisofstatisticsforagovernmentfundedwelfareoreducationalserviceorifrelatingtoracialorethnicorigin,theinformationiscollectedforprovidinggovernmentfundedwelfareoreducationalservices;ANDThereisnoreasonablypracticablealternativetocollectingthesensitiveinformationforthatpurpose;ANDItisimpracticablefortheindividualtoconsent.

10.2(a)(i)10.2(a)(ii)10.2(b)10.2(c)

RiskIdentification:Iftheanswertoquestion7(b)isNO,pleaseaddressSensitiveInformationasariskinPart3–Privacy



RiskMitigation.

UseandDisclosureofPersonalInformation(RefertoIPPs2&7)

UseandDisclosure(Pleaseanswerthesequestionsifyourprogramwilluseordisclosepersonalinformation,includinguniqueidentifiers)

Y N IPP

8 InformationwillONLYbeusedordisclosedfortheprimarypurposeidentifiedinPart1.NonewpersonalinformationiscollectedtoestablishaccesstoJabber,rather,itwaspreviouslycollectedbyCPDPandthisprogramisconsistentwiththeprimarypurposeofcollection.AnyfurtherinformationcollectedthroughtheuseofJabberwillonlybeusedordisclosedfortheprimarypurposeidentifiedinPart1.

✔ 2.1

9(a) Inadditiontousinganddisclosinginformationfortheprimarypurposeitwascollected,personalinformationwillbeusedordisclosedforasecondarypurpose.IfYES,pleasecheckwhichofthefollowingsecondarypurposesbelowapply(9(b)-9(j)):

✗

9(b) a)Thesecondarypurposeisrelatedtotheprimarypurpose,orforsensitiveinformation,directlyrelatedtotheprimarypurpose;ANDb)theindividualwouldreasonablyexpecttheorganisationtouseordisclosetheinformationforthesecondarypurposeIfYES,pleasedescribethesecondarypurpose:

2.1(a)

9(c) Theindividualhasconsented(expressorimplied)totheuseordisclosure 2.1(b)

9(d) Asnecessaryforresearch,orthecompilationoranalysisofstatisticsINTHEPUBLICINTEREST

2.1(c)

9(e) Wherenecessarytolessenorpreventaseriousandimminentthreattoanindividual’slife,health,safetyorwelfare;oraseriousthreattopublichealth,publicsafetyorpublicwelfare

2.1(d)

9(f)

Wherenecessaryonsuspicionorunlawfulactivityaspartofitsinvestigationorreportingitsconcernstorelevantpersonsorauthorities

2.1(e)

9(g)

AsrequiredorauthorisedbylawIfYES,pleasesitetherelevantlaw:

2.1(f)

9(h)

Byoronbehalfofalawenforcementagencyforoneofthefollowingpurposes:(*awrittennotemustbemadeofanyuseordisclosuremadeunderthissection)

2.1(g)/2.2

(i) theprevention,detection,investigation,prosecutionorpunishmentofcriminaloffencesorbreachesofalawimposingapenaltyorsanction

(ii) theenforcementoflawsrelatingtotheconfiscationoftheproceedsofcrime

(iii)theprotectionofthepublicrevenue

(iv)theprevention,detection,investigationorremedyingofseriouslyimproperconduct

(v) thepreparationorconductofproceedingsorimplementationoftheordersofanycourtortribunal



9(i)

Asrequested,inwritingbytheAustralianSecurityIntelligenceOrganisation(ASIO)ortheAustralianSecretIntelligenceService(ASIS)

2.1(h)

9(j) Theuseordisclosureisbyalawenforcementagencyforalawenforcementfunctionoractivity(forfurtherinformationseeSection15ofthePDPA)

Riskidentification:Iftheanswertoquestion9(a)isYESand9(b)-(j)areallNOpleaseaddressSecondaryPurposeasariskinPart3–PrivacyRiskMitigation.

UseandDisclosureofaUniqueIdentifier(assignedbyanotherorganisation)(Pleaseanswerthesequestionsifyourprogramwilluseordiscloseauniqueidentifier)

Y N IPP

10(a)

Thisprogramwilluseordiscloseauniqueidentifierassignedtoanindividualbyanotherorganisation(seeTable2above).IfNO,proceedtoquestion11.

✗ 7.2

10(b)

Theuniqueidentifierassignedtoanindividualbyanotherorganisationwillnotbeusedordisclosedunlessoneofthefollowingapply:

7.3

10(c) Itisnecessaryfortheorganisationtofulfilitsobligationtotheotherorganisation

7.3(a)

10(d) Theindividualhasconsented 7.3(c)

10(e) Oneormoreofthefollowingapply:(seeIPP2.1(d)-(g)forfullconditions) 7.3(b)

10(f) Aseriousthreattoindividualorpublichealth,safetyorwelfare

10(g) Reportingasuspectedunlawfulactivitytotherelevantpersonorauthorityaspartofaninvestigation

10(h) ItisrequiredorauthorisedbylawIfYES,pleasesitetherelevantlaw:

10(i)

Theorganisationreasonablybelievestheuseordisclosureisreasonablynecessarybyoronbehalfofalawenforcementagency(seeIPP2.1(g)forfulldescription)

RiskIdentifier:Iftheanswertoquestion10(a)isYESand10(c)-(i)areallNOpleaseaddressSecondaryPurposeasariskinPart3–PrivacyRiskMitigation.

TransborderDataFlows(RefertoIPP9)

TransborderDataFlows(Pleaseanswerthesequestionsifyourprogramwilldisclosepersonalinformation)

Y N IPP

11(a) TheprogramwilltransferpersonalinformationtoanorganisationorpersonoutsideofVictoria(otherthantheorganisationortheindividual).IfNO,proceedtoquestion12.IfYES,pleasedescribe:

✗

11(b) PersonalinformationwillonlybetransferredtosomeoneoutsideofVictoria(otherthantheorganisationortheindividual)ifoneofthefollowing(11(c)-11(h))apply:

9.1

11(c) TheorganisationreasonablybelievesthattherecipientissubjecttolawsoracontractenforcinginformationhandlingprinciplessubstantiallysimilartotheIPPs

9.1(a)

11(d) Theindividualconsentstothetransfer 9.1(b)

11(e) Thetransferisnecessaryfortheperformanceofacontractbetweentheindividualandtheorganisation

9.1(c)



11(f) Thetransferisnecessaryaspartofacontractintheinterestoftheindividualbetweentheorganisationandathirdparty

9.1(d)

11(g) Allofthefollowingapply:Thetransferisforthebenefitoftheindividual;ANDItisimpracticaltoobtainconsent;ANDIfitwerepracticabletheindividualwouldlikelyconsent.

9.1(e)

11(h) Theorganisationhastakenreasonablestepssothattheinformationtransferredwillbeheld,usedanddisclosedconsistentlywiththeIPPsIfYES,pleasedescribesteps:

9.1(f)

RiskIdentification:Iftheanswertoquestion11(a)isYESand11(c)-(h)areallNOpleaseaddressTransborderDataFlowsasariskinPart3–PrivacyRiskMitigation.

DataQuality(RefertoIPP3)DataQuality(Pleaseconsiderdataqualityifyourprogramwillcollect,useordisclosepersonalinformation)

IPP3.1

TheinformationrequiredtosetupaccesstoJabberisalreadyknownbyCPDPandthepersonalinformationwasalreadyensuredtobeaccurate,completeanduptodateatthetimeofcollection.ThelogscreatedontheCPDPserverrolloverevery1-2weeksinordertokeepfilesizesmanageablewithinagiventimeframe.TheICTcoordinatorisresponsibleformanagingtheselogsandensuringtheyareaccurate,completeanduptodate.Accesstothelogsisrecordedthroughnamedaccesscontrolsinordertomitigateagainsttheriskoflogsbeingretrospectivelyalteredortamperedwith.CPDPcannotguaranteeorcontrolthequalityofanyinformationcommunicatedbyusersviaJabberasitdoesnotcontrolthecontentthatuserschoosetodisclose.

RiskIdentification:Iftheprogramdoesnotensurethatalldatacollected,usedordisclosedisaccurate,completeanduptodate,pleaseaddressDataQualityasariskinPart3–PrivacyRiskMitigation.

SecurityofPersonalInformation(RefertoIPP4)IPP4requiresanorganisationtotakereasonablestepstoprotectthepersonalinformationitholdsfrommisuse,lossandfromunauthorisedaccess,modificationanddisclosure.Oncedevelopedandapproved,theVictorianProtectiveDataSecurityFramework(VPDSF)willprovideimplementationguidanceondatasecurityfortheVictorianpublicsector.ForthisprogrampleaseensureyouhaveconsideredtherequirementsoftheAustraliangovernment’sProtectedSecurityPolicyFrameworkasadaptedtoVictoriauntiltheVPDSFisissued.

DataSecurity(Pleaseanswerthisquestionifyourprogramwillcollect,useordisclosepersonalinformation)

Y N IPP

13(a) Theprogramhastakenreasonablestepstoprotectthepersonalinformationitholdsfrommisuseandlossandfromunauthorisedaccess,modificationordisclosure.

• Informationaccess:TheICTCoordinatorhasfullaccessandmanagementresponsibilitiesoverJabberaccountsandallchatlogs.AnyotherstaffmembergrantedadministrationrightsontheCPDP

✔ 4.1&VPDSF



serverscanalsoaccessthechatlogs.[ITServiceProvider]alsohasaccesstothelogsundercertaincircumstances(seethirdpartymanagementbelow).

• Securitytrainingandawareness:UserresponsibilityinlinewithTOUPolicy

• Securityincidentmanagementandbusinesscontinuitymanagement:Allchatlogsareencryptedandstoredoffsiteforanindefiniteperiodandcanberetrievedshouldtherebeasecurityincidentorinordertomaintainbusinesscontinuity.

• Thirdpartymanagement:[ITServiceProvider]hasadministratorrightstoCPDPserversonlywhileintheCPDPoffice.AnyoffsiteaccessisonlygrantedforaspecificreasonandismonitoredbytheICTCoordinatorandanyaccesstothelogsisrecorded.Allbackuptapesareretainedwith[StorageServiceProvider],CPDP’sexternalstoragefacilitybasedinVictoria.Tapesareencryptedand[StorageServiceProvider]doesnothaveaccesstotheircontent.

• Informationsecurity:AspertheTOUPolicy,anyofficialCPDPinformationshouldbehandledappropriatelyandthereforenotcommunicatedviaJabber.

• Informationvalue:AllusersofJabbershouldbeawareoftheBusinessImpactLevel(BIL)informationclassificationlevels,andusersneedtobeabletoassessthevalueofinformationbeingcommunicatedviachat.AsoutlinedintheTOUpolicy,anyinformationofvalueshouldbecommunicatedthroughanofficialchannelwiththeappropriateprotectivemarkingforbothsecurityandpublicrecordspurposes.

• ICTsecurity:JabberishostedinternallyCPDP’ssecureWi-Finetwork.Alllogsstoredoffsiteareencrypted.

• Physicalsecurity:Allcomputersanddevicesarepasswordprotectedandshouldbelockedwhenunattended.CPDPstaffshouldnotbeaccessingotheremployees’computersordevicesforanypurpose,includingtheuseofJabber.

RiskIdentification:Iftheprogramdoesnotaddressthesecurityrisksidentifiedin13(a)pleaseaddressDataSecurityasariskinPart3–PrivacyRiskMitigation.

RecordsManagement(Pleaseanswerthisquestionifyourprogramwillcollect,useordisclosepersonalinformation)

Y N IPP

13(b) Theprogramwilltakereasonablestepstodestroyorde-identifypersonalinformationifitisnolongerneededforanypurpose.ThePublicRecordsActdoesnotrequirelogstobekeptmorethan7years,howeveralllogsarestoredindefinitelyintheformofencryptedtapesatanoffsitefacilityforthepurposeshighlightedinPart1relatedtosecurityincidentandbusinesscontinuitymanagement.ChatlogsstoredoninternalCPDPserversareretainedforaperiodof12monthsbeforebeingdeleted.

✔ 4.2



RiskIdentification:Iftheanswertoquestion13(b)isNO,pleaseaddressRecordsManagementasariskinPart3–PrivacyRiskMitigation.

Openness(RefertoIPP5)

Openness(Pleaseanswerthesequestionsifyourprogramwillcollect,useordisclosepersonalinformation)

Y N IPP

14(a) Theorganisationhasadocumentavailableforpublicreviewthatsetsoutthepoliciesforthemanagementofpersonalinformation.Pleaseidentifydocument(s)andprovidelinkwhereavailable:CPDPPrivacyPolicyhttps://www.cpdp.vic.gov.au/menu-about/about-privacy-policy

✔ 5.1

14(b) Theorganisationhasstepsinplacetoallowanindividualtoknowwhatpersonalinformationitholdsaboutthemandforwhatpurposesitcollects,usesanddisclosesit.

✔ 5.2

RiskIdentification:Iftheanswertoquestion14(a)or(b)isNO,pleaseaddressOpennessasariskinPart3–PrivacyRiskMitigation.

AccessandCorrection(RefertoIPP6)

TheAccessandCorrectionprinciple(IPP6)entitlesindividualstoviewandobtaincopiesoftheirpersonalinformationandtocorrectpersonalinformationheldaboutthem.IPP6isdesignedtosupplementexistingaccessandcorrectionrightsundertheFreedomofInformationAct1982(FOIAct).InformationheldbyaVictorianpublicsectororganisationissubjecttotheFOIActandthereforedonotneedtoassessagainstIPP6.

WherethepublicsectoroutsourcespartoftheirprogramservicestoaCSP,theCSPwillberequiredtocomplywithIPP6butonlyinrelationtotheCSP’sprovisionofserviceunderastatecontract.PleaserefertoOutsourcingandPrivacyGuidelinesforadditionalinformationonCSPsandtheirobligationsunderIPP6.

Part3–PrivacyRiskMitigationTable7:RiskMitigation

RiskMitigationTable

IdentifiedRisk MitigationStrategy Likelihood Impact RiskRating



AppendixA:

Jabber(Messages)TermsofUsePolicyforCPDPEmployeesTheOfficeoftheCommissionerforPrivacyandDataProtection(CPDP)isoperatingavoluntaryinstantmessagingserviceavailabletoallCPDPstaffforinformalinternalcommunication.Thisdocumentoutlinesthetermsofuse(TOU)fortheuseofJabberbyallCPDPemployees(hereinreferredtoas‘users’).Itappliestoalldesktops,notebooksandhomecomputerswhereCPDPbusinessistransacted.Thepurposeofthisdocumentistoserveasguidelinesforappropriate,legalandethicaluseofJabber,consistentwiththeaims,valuesandobjectivesofCPDPanditsresponsibilitiesunderthePrivacyandDataProtectionAct2014andthePublicRecordsAct1973.AllusersareexpectedtoadheretothisTOUpolicywhileusingJabber.

DescriptionofJabberJabberor‘Messages’isanapplicationthatispre-installedonallCPDPdesktops.Itisanoptionalprogramintendedtoprovidestaffwithaccesstointernalinstantmessagingservices.Jabberenablessecure,near-realtimeonlinecommunicationbetweenusersintheformofone-to-oneconversations,groupchat,video-callsandfilesharing.OnceconnectedtoaJabberaccount,usershavetheabilitytocommunicateinternallywithallotherCPDPstaffwhohavealsochosentoopt-intotheservice.

Jabberenablesfast,convenientcommunicationbetweenusersforinformal,unofficialandtransitorymatters.Itshouldnotbeusedformakingdecisionsoranyotherofficialcommunication(seebelowforfurtherdetails).Whenusedappropriately,Jabbercanincreasetheeaseofcommunicationbysavingtimeonphonecalls,reducingclutterinemails,andenablingfastcommunicationwithoffsiteusers.AlltextualcontentofJabberconversationswillbestoredontheCPDPserverforaperiodof12months,andbackedupindefinitelyonencryptedtapesatanexternalfacility.

PrivacyStatement–Collection,handlingandretentionofpersonalinformation1. ForthepurposeofcreatingaJabberaccount,CPDPwillonlyuselimitedpersonalinformation(the

employee’sfullname),alreadyheldbyCPDP.

2. Forthepurposesofsecurityandrecordkeepingrequirements,allcontentof‘chat’conversationsthroughJabberwillbeloggedandstoredontheCPDPserver,andsecurelybackedupoffsite.Thisincludesdateandtimeofcommunication,Jabberusername,thecomputername,andallmessagecontent(intextformonly).

2.1 CPDPdoesnotexpresslyseektocollectanyfurtherpersonal,sensitiveorhealthinformationthanthatwhichisrequiredforthefunctionalpurposeofJabberasoutlinedinpoints1and2.

2.2. Userswhochoosetodisclosefurtherpersonal,sensitiveorhealthinformationwithinthecontextofaJabberconversationdosoknowingthatallcontentofconversationsarecollectedandstoredontheCPDPserverfor12months,andheldindefinitelyonexternalbackuptapes.

3. CPDPwillcollect,handleandretainyourpersonalinformationinaccordancewiththeInformationPrivacyPrinciplesunderthePrivacyandDataProtectionAct2014.

3.1 PersonalinformationusedtoforthepurposeofsettingupaJabberaccountispersonalinformationthathasbeenpreviouslycollectedbyCPDP.Nonewpersonalinformationwillbecollectedforthispurpose.

3.2 AccesstopersonalinformationandchatlogsisrestrictedtotheICTcoordinator,[ITServiceProvider](whileonsite),andthosewithadministratorrightstotheCPDPserver.Encryptedtapesarestoredexternallyat[StorageServiceProvider]whoisnotgrantedaccesstocontent.

3.3 ContentofJabberconversationswillonlybeaccessedandusedbyCPDPshouldtherebearequirementunderthePublicRecordsAct1973,aFreedomofInformationrequest,orinthecaseofasecuritybreach,bullying,harassmentordefamationclaims,orwhererequiredbylaw.



3.4 UserscanrequestaccesstotheinformationthatCPDPholdsaboutthemforthepurposesofthisprogrambycontactingtheICTCoordinator.

3.5 EmployeeswhodonotconsenttotheuseoftheirpersonalinformationforthepurposesofJabberwillnotbeabletouseJabberservices.

UserresponsibilitiesTheintendeduseofJabberisforinternalCPDPcommunicationforinformal,unofficialandtransitorymessagesonly.Itshouldnotbeusedinplaceofestablishedrecordkeepingprotocolswhencommunicatingofficialmattersormakingdecisionsrequiringdocumentation.Jabberisatoolthatcanaidcollaborativeworkingandcommunication.Itshouldnotbeusedinsuchawaythatinterfereswithjobresponsibilityoftheuserorothers.FailuretocomplywiththisTOUpolicymayresultinsuspensionordeletionoftheusersJabberaccount.Inseriouscasesfurtherdisciplinaryactionmaybetakenwherenecessary.

Securityofcommunication

WhileriskofexternalaccesstoJabberisminimal,itremainsimportancetomakesecurityofinformationapriority.Electroniccommunicationsmaybeeasilycopied,forwardedandsavedbyarecipientoranyonewithaccesstotheconversation.Theaudienceofanelectronicmessagemaybeunexpectedandwidespread.Assuch,Jabbershouldnotbeusedtosendmaterialthatisinappropriatewithinaworkenvironment,orthatwouldbeharmfulinanywayshoulditbecapturedandviewedbyanunintendedthirdparty.

UsersneedtobeawareofandunderstandthevalueoftheinformationcontainedinthecontentofanyJabberchat.AsJabberdoesnotrequireaclassificationsimilartoemailcontent,theonusisupontheusertobeawareofandtakeresponsibilityfortheconversationstheyarein,andtocontinuallyassessthevalueofinformationandwherenecessaryswitchtoanappropriateformofcommunication(suchasanemailwithaprotectivemarking).

Appropriateness

ContentofconversationsonJabbershouldbeappropriateforaworkplaceenvironment.Bullying,harassment,anddefamationwillnotbetolerated.Further,whileitisnottheintentionofCPDPtocollectanypersonal,sensitiveorhealthinformationthroughJabber,itistheresponsibilityofeachusertorefrainfromdisclosingsuchinformationshouldtheynotwantittobestoredwithallotherJabbercontent.AllusersareonlypermittedtousetheirownJabberaccount,andshouldnotcommunicatewithothersundertheguiseofanotheruser.SeethetablebelowforexamplesofwhenJabbershouldandshouldnotbeused.

AppropriateuseofJabber

Use Don’tuseü Substituteforphone

callsandemailregardingroutinematterswherebusinessdecisionsarenotmade

ü Casualconversations,day-to-daychatandquestions

ü Arrangingashortnoticemeeting

× Classifiedinformationorcontent(includingfiletransfer,wherethecontentisclassified)

× Personal,sensitiveorhealthinformationofthoseintheconversationoraboutothers.

× Financialinformation,authorisationsanddecisions

× Conversationswherethereisneedtomaintainevidenceoranofficialrecord

× DetailsofspecificCPDPexternalbusiness.Forexample,privacycomplaintsandinquiries,anorganisation’sPIAetc.

× Inappropriateactivitiesincludingpornography,fraud,defamation,breachofcopyright,unlawfuldiscriminationorvilification,harassment,includingsexualharassment,stalking,privacyviolations,bullying,andillegalactivity.

Documents

Privacy Impact Assessment: Instant Messenger - CPDP · PDF fileinformation through the use of Jabber services. In this sense, this PIA is two-tiered as it covers two parts of the same