RTOs from all around Australia are given the responsibility of maintaining the security of large quantities of data – much of it personal or sensitive in nature. Cyber attackers see the VET industry as an attractive target, both for stealing personal information and for financial gain through ransomware attacks. The Australian government reported that in the past year it handled 10,351 incidents affecting businesses, of which 363 were more serious incidents affecting systems of national interest.
When formulating your plan to protect against data breaches, it is important to remember that most breaches occur as a result of complacency and failures in the delivery and management of ICT services and information. The Australian Red Cross was a victim of this last year in September, when a third-party ICT service provider inadvertently published blood donors' personal information on their public website; it was only found 5 weeks later. Spend some time with your IT team or third-party ICT service provider(s) to understand how they are protecting you from malicious or accidental data breaches.
Administrators need greater access privileges than normal users so they can undertake activities that may impact several users or business processes. Avoid software that gives standard users the same access privileges as administrators. In addition, employees should have individual access credentials for each business system (not shared credentials).
We may live in the Internet age, but many RTOs will store personal data the old-fashioned way – on paper. This is often an ad hoc backup strategy: computer systems are not trusted, and if data is lost online the fallback is to hunt down enrolment or assessment papers. The same security principles that apply to data stored in computer systems also need to be applied to your filing cabinet full of personal information – what controls are in place for who can access the files? What measures are in place for preventing a data breach? What retention policies are required (special care needs to be taken with sensitive information such as credit card details)?
How do you recover if your data is lost or damaged? The best insurance is to take regular backups of your data using an automated system. The backups should not be stored on the same computer system (offsite is preferable) and you should regularly test your recovery procedures. This shouldn’t be new to you – it is an ASQA requirement that RTOs have a backup of their student data.
Thinking about taking your RTO paperless? Concerned about data security and related compliance issues? Seek out the friendly VETtrak staff at the VELG Training National VET Conference to find out how we can help.
Useful Links/Further Reading