Performance and Evaluation Division

DATA PROTOCOL

December 2017

http://www.education.vic.gov.au/about/contact/Pages/data.aspx

Contents

1. INTRODUCTION.............................................................................................................................3

1.1 Overview................................................................................................................................3

1.2 Data collection by PED...........................................................................................................4

1.3 Purpose of the PED Data Protocol.........................................................................................5

2. GUIDING PRINCIPLES.....................................................................................................................6

2.1 Purpose..................................................................................................................................6

2.2 Personal information, privacy and privacy complaints..........................................................7

2.3 Information sharing provisions..............................................................................................9

2.4 Data security........................................................................................................................10

2.5 Data quality..........................................................................................................................11

2.6 Accountability......................................................................................................................11

2.7 Ongoing review....................................................................................................................12

2.8 Transparency.......................................................................................................................12

3. ACCESS TO PED DATA..................................................................................................................12

3.1 Overview..............................................................................................................................12

3.2 PED consideration of data requests.....................................................................................13

3.3 Disclosure requirements......................................................................................................14

3.4 Breach of this Protocol.........................................................................................................14

3.5 Process for requesting PED data..........................................................................................15

3.6 Fees and charges.................................................................................................................15

4. FORMS.........................................................................................................................................16

4.1 PED Data Request Form.......................................................................................................16

4.2 PED priority request form....................................................................................................20

Appendix 1: Minimum required privacy and data security measures.................................................21

1. INTRODUCTION1.1 Overview

1.1.1 This Protocol assists key client groups seeking datasets from the Performance and Evaluation Division (PED) of the Victorian Department of Education and Training (DET). These client groups include internal DET users, other government users and the research community.

1.1.2 DET is the principal agency responsible for providing a high standard of education and training for all Victorians.

1.1.3 DET’s various specific central functions are performed by seven Groups:

People and Executive Services Infrastructure and Finance Services Early Childhood and School Education Policy Reform Strategy and Performance Regional Services Higher Education and Skills.

PED sits within the Strategy and Performance Group.

1.1.4 PED’s purpose is to collect, analyse and disseminate high-quality evidence to influence decision-making across all levels of government and service providers, in order to improve outcomes for children, young people and adult learners.

1.1.5 Increasingly, DET is committed to empowering sector policy makers, service providers and stakeholders through the provision of better data, information, evidence and insights that are most relevant to local decisions. Information portals such as DataVic, DataZone, the School Information Portal (SIP) and the Victorian Children and Adolescent Monitoring System (VCAMS) offer corporate, sector and community stakeholders direct access to a wide range of data and outcomes information.

1.1.6 PED also coordinates and supports priority research and strategic evaluations, while also undertaking specialist analytical projects that link datasets and generate deeper insights. Through monitoring client outcomes against measures in DET’s Outcomes Framework, PED has a key role in supporting Groups to plan and identify the evidence and data needed to support strategic and operational imperatives.

3PED Data Protocol v. 01

1.2 Data collection by PED

1.2.1 PED collects data from a wide range of sources. These may vary from time to time, but in general terms may be summarised as follows:

Australian Government data Data from other States and Territories Data from other Victorian departments and agencies Data from Victorian schools, parents and students.

1.2.2 Australian Government data: The Australian Government provides Victoria with extensive data. Two key Australian Government datasets received and frequently used by PED and other DET users are:

National Assessment Programs—Literacy and Numeracy (NAPLAN) results. These are the annual assessment for students in Years 3, 5, 7 and 9 that tests skills in literacy and numeracy

the Australian Early Development Census (AEDC). This is a nationwide measure taken every three years that looks at whether children in their first year of full-time school are developmentally vulnerable, at risk or on track.

1.2.3 Data from other States and Territories: PED does not currently receive data directly from other Australian States and Territories, although this may change from time to time. However, PED does receive information about other States and Territories as a component of data received from the Australian Government.

1.2.4 Data from other Victorian departments and agencies: A number of Victorian departments and agencies provide data to PED in the performance of their respective functions. This data includes:

Victoria in Future (VIF) population projections—the official State Government projections of population and households from the Department of Environment, Land, Water and Planning (DELWP)

ATAR scores for Year 12 students provided by the Victorian Tertiary Admissions Centre (VTAC) crime statistics involving children from Victoria’s Crime Statistics Agency (CSA), which are published on the

VCAMS portal.

1.2.5 Data from Victorian schools, parents and students: The majority of the data collected by PED is from Victorian schools, parents and students. This includes:

the Student Enrolment Census the School Staff Survey student surveys such as Attitudes to School, the Victorian Student Health and Wellbeing Survey (About

You) and the Parent Opinion Survey.

PED also collects some data directly from specified cohorts in the Victorian population through surveys such as On Track (school leavers) and the Victorian Child Health and Wellbeing Survey (parents of children aged 0-12 years).

1.2.6 PED’s Enterprise Reporting and Business Intelligence (ERBI) data warehouse is also a repository for selected data from other business units within DET, such as Finance.

4PED Data Protocol v. 01

1.3 Purpose of the PED Data Protocol

1.3.1 The purpose of this Protocol is to clarify the rights and responsibilities of all users of data provided by PED, and to ensure the appropriate and effective use of that data while maximising the benefits that data access can bring, particularly for policy development and service planning and design. The PED Data Protocol sets out the principles, rules and procedures governing the access, use and dissemination of the data in datasets held by DET for which PED is either the owner or custodian.

1.3.2 This Protocol explains arrangements to ensure that disclosure by PED of DET and other data complies with all legal, contractual and policy requirements, with the principal aim of protecting the privacy of individuals and maintaining the confidentiality and integrity of the data to an appropriate standard.

1.3.3 For the purpose of this Protocol, the following definitions apply:

Authorising officer: (a) for the purpose of making a data request to PED, the authorising officer is the manager of the applicant; (b) for the purpose of PED’s response to a data request, the authorising officer is the officer whose function is to communicate conditions to which supply of data by PED in given circumstances is subject, and usually to supply the data to the applicant. The Project Manager, Data Governance, generally performs this function, and can be contacted at datagovernance@edumail.vic.gov.au or (03) 9637 2378.

Custodian: the recognised officer responsible for implementing and maintaining information assets according to the rules set by the owner. A custodian is responsible for specific classifications or categorisations of data and is accountable for the delegated assets in their care. This person is the knowledge holder, the gatekeeper, and the responsible officer.

Data: any information (including personal information) obtained, received or held by DET, whether or not DET obtained, received or holds that information in connection with DET’s functions.Dataset: data held and stored in a variety of machine-readable, reusable formats including hardcopy, electronic (digital), graphical, cartographic, textual, geospatial or numerical form.

Information governance: the system by which the current and future use of information and its management is directed and controlled through a system of policies, procedures, standards and guidelines. The business processes that ensure the effective and efficient use of information may include committees for decision-making, documented processes for information flow, roles and responsibilities for information workers and managers and gateways for approvals or access to information.

Owner: The recognised officer who is identified as having the authority and accountability under legislation, regulation or policy for the collection and management of information assets for the business area. The owner is the officer with overall accountability (usually an Executive Director at DET).

Publish: make publicly available information contained in documents including files, reports, articles, presentations and fact sheets.

5PED Data Protocol v. 01

1.3.4 The Guiding Principles below govern the disclosure and dissemination of PED data. They are intended to ensure that entities to which PED data is disclosed (including DET Groups and Divisions outside PED) use that data in an appropriate and effective manner.

1.3.5 Failure to comply with this Protocol may result in the rejection of subsequent data requests made to PED.

2 GUIDING PRINCIPLES2.1 Purpose

2.1.1 PED regularly publishes or otherwise makes publicly available the datasets it owns, as well as (by agreement) those datasets for which it is the custodian. PED has committed to making DET data directly available not only to DET staff but also to the public and private sectors, where it is lawful and practicable to do so, and is in the public interest. Examples of disclosure and use of DET data in the public interest include:

to support schools and other service providers, and researchers, with high-quality and timely information for analysis and to design evidence-based decisions and strategies for improvements in student learning and wellbeing

to support employers and industry with improved information flows that enable competitive recruitment, training and services, and reduce the administrative burden associated with collection and reporting

to strengthen DET’s capacity to analyse and report on system and provider performance to improve system management and policy design.

2.2 Personal information, privacy and privacy complaints

2.2.1 In performing its data functions DET is committed to protecting the personal information of all identifiable individuals, in accordance with the legislation by which the Department is governed, and the terms of agreements reached with third party providers.

2.2.2 DET complies with the Victorian Privacy and Data Protection Act 2014 and the Health Records Act 2001. It should also be noted that some recent Victorian legislation modifies the operation of Victorian privacy law, for example the Family Violence Protection Act 2008 when its sharing provisions commence. For more information concerning legislated provision to facilitate information sharing in specified circumstances, see 2.3 below.

2.2.3 Where, by reason of agreements reached, DET is also bound by provisions of the legislation of other jurisdictions, such as the Commonwealth Privacy Act 1988 or the European Union’s General Data Protection Regulation (GDPR), to the extent of any inconsistency, the higher requirement will prevail wherever practicable. For example, organisations covered by the Commonwealth’s Notifiable Data breaches scheme (which takes effect from February 2018), are required to notify any individuals likely to be at risk of serious harm by a data breach. The Australian Information Commissioner must also be notified. However, under the Victorian privacy regime law data breach notification is recommended but not mandatory. Any breach detected in relation to data supplied by PED should be referred to the Data Governance and Policy team in the first instance.

2.2.4 Persons to whom PED discloses personal information are also bound by and must comply with the Information Privacy Principles (IPPs), Health Privacy Principles (HPPs) or Australian Privacy Principles (APPs) as applicable when collecting, using, managing, storing and disclosing personal information contained in data provided by PED.

6PED Data Protocol v. 01

2.2.5 The Privacy and Data Protection Act 2014 defines personal information as follows:

Personal information means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 applies.

2.2.6 The Health Records Act 2001 defines personal information that is health information similarly, but note that the privacy of persons who have been deceased for less than 30 years is also protected under this legislation.

2.2.7 The definition of personal information in the Privacy Act 1988 is as follows:

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:(a) whether the information or opinion is true or not; and(b) whether the information or opinion is recorded in a material form or not.

Note that the Commonwealth definition of personal information is broader than the Victorian one since it includes unrecorded information or opinions.

2.2.8 To ensure compliance with the above legislative and contractual requirements, PED will:

require clients to:

(a) submit applications for data via the PED Data Request process(b) provide all information sought by the Data Governance and Policy team in respect of the request (c) modify any requests that are considered by PED to be inconsistent with legislative and/or contractual

requirements not release unit record files or data that identifies individuals unless specifically authorised or required by law

to do so use appropriate secure file transfer methods to provide data files to clients require both external and internal requestors to comply with all specific privacy and data security measures

set out in Appendix 1 for DET staff, restrict access to ERBI data cubes. Access to ERBI data cubes requires the staff member to submit

a Request for Access to ERBI Data Cubes form, which outlines staff responsibilities in relation to the privacy and confidentiality of information they have access to in the course of their business. This form must be signed by their manager to verify that the staff member requires access to the data in the course of their work. Enquiries regarding access to the data cubes can be sent to datazone@edumail.vic.gov.au

generally disclose data only where the identity of individuals is not apparent and cannot reasonably be ascertained (by providing de-identified or aggregated data; generally where the cell value is less than five no data is provided). Aggregated data is generally available in DataZone, which is available to all corporate and regional DET staff but not external clients. DataZone can be accessed as follows: go through the My Workspace tab on eduGate, then go to Applications, View all and click on DataZone.

7PED Data Protocol v. 01

2.2.9 In addition, if data containing personal information is provided internally or externally by PED, it will show the appropriate protective marking – a dissemination limiting marker ‘Sensitive: Personal’. Depending on the dataset’s content, it may also show one or more additional dissemination limiting markers and/or a security classification such as ‘Confidential’, which signifies that the information needs a substantial degree of protection.

2.2.10 If authorised, data, including unit level data where necessary, may be disclosed to DET’s contracted service providers for the purpose of conducting educational research commissioned by DET or other functions on behalf of DET. The Privacy and Data Protection Act 2014 defines a contracted service provider as a ‘person or body who provides services under a State contract’ to an outsourcing party. In this case the contracted service providers are bound by their agreements with DET to comply with the legislative and contractual obligations concerning the data by which DET itself is bound, for example to comply with the Information Privacy Principles.

2.2.11 Any individual or group wishing to make a complaint about the handling of data supplied to a third party by PED should, in the first instance, lodge that complaint with the third party data user concerned.

2.2.12 Individuals or groups not satisfied with the outcome of a complaint lodged with a user of data supplied by PED may raise the issue with PED to be addressed on behalf of DET. Similarly, complaints about PED’s handling of data should be directed to PED in the first instance.

2.2.13 DET will be efficient and fair when investigating and responding to complaints concerning information privacy. DET will investigate and respond to complaints in accordance with the Department's Information Privacy Complaints Handling Policy. For more information about DET’s Information Privacy Policy and how to make a privacy complaint, please go to http://www.education.vic.gov.au/pages/privacypolicy.aspx or contact the Department’s privacy officer on privacy@edumail.vic.gov.au or (03) 9637 3141.

2.3 Information sharing provisions

2.3.1 The Victorian government is introducing a range of legislation intended to modernise Victoria’s data and information sharing regime.

2.3.2 In 2017, the Family Violence Protection Amendment (Information Sharing) Act 2017 was passed, amending the Family Violence Protection Act 2008 for the purpose of providing for the sharing of information that is relevant to assessing and managing a risk of family violence. As at December 2017 not all relevant sections have commenced operation.

2.3.3 Also in 2017, the Victorian Data Sharing Act 2017 commenced operation on 6 December 2017. This Act gives express authority for government to share identifiable data for the purpose of data linkage, and provides a general override of secrecy and confidentiality provisions in other legislation. Data must be handled under this Act only for the purpose of informing government policy making, service planning and design.

2.3.4 Further, the Children Legislation Amendment (Information Sharing) Bill 2017 was introduced into the Legislative Assembly in December 2017. The Bill is for an Act to amend the Child Wellbeing and Safety Act 2005, primarily to provide for specific entities to share information to promote the wellbeing and safety of children, to create a register of children born or resident in Victoria to improve child wellbeing and safety outcomes for those children

8PED Data Protocol v. 01

and to monitor and support their participation in government-funded programs and services. This Protocol will be updated subsequent to further legislative change that addresses information sharing.

2.3.5 One section of the PED Data Request form (v2) is set aside for requests made pursuant to information sharing provisions under these and further data sharing legislation being developed. Requestors submitting requests under the terms of information sharing legislation will be asked for additional information. This information will inform an assessment of DET’s obligations in response to requests made under the specific provisions of the relevant enabling Act.

2.4 Data security

2.4.1 DET has established policies including the following requiring compliance by DET’s executive and officers (including by internal DET applicants for data):

DET Information Security Classification Policy (February 2015) ICT Security Policy (June 2017) ICT Security Incident Policy (January 2015) ICT Disaster Recovery Policy (April 2016) Password Policy (June 2017) Information Privacy Policy (February 2016) Portable Storage Device Security Policy (For SENSITIVE and PROTECTED Departmental information) (November

2015) Records Management Policy (February 2011)

A DET Data Release Policy is currently under development.

2.4.2 DET also complies with any security policies or procedures issued from time to time by the Information Commissioner and the Commissioner for Privacy and Data Protection Deputy Commissioner, pursuant to the Privacy and Data Protection Act 2014 (Vic).

2.4.3 IPP 4 of Schedule 1 to that act requires DET to take reasonable steps to protect the personal information it holds from misuse or loss and from unauthorised access, modification and disclosure. In addition, the Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS) provide implementation guidance on data security for the Victorian public sector. Both internal and external applicants are expected to inform themselves about and comply with the privacy and data protection regime that is applicable to their own organisation, but in any case must agree to comply with the specific privacy and data protection measures set out in Appendix 1 before any data will be supplied by PED.

2.5 Data quality

2.5.1 PED has introduced a number of measures to ensure that:

all procedures undertaken in the collection and subsequent handling of data, including data linkage, are undertaken to high standards

9PED Data Protocol v. 01

the data it holds, including personal information contained in the data, is as accurate, complete and up to date as possible as required by the Privacy and Data Protection Act 2014 (Vic)

requests for data are assessed in a consistent manner (see 3.2 below) where applicable, data requested is provided within the time frames set out in the PED Data Request form.

2.6 Accountability

2.6.1 Applicants are responsible for the completeness and accuracy of all information included in a data request to PED. An authorising officer must endorse each application made on behalf of organisations. Where a priority request is made, it must be endorsed by an executive.

2.6.2 Data provided by PED should only be used in accordance with terms specified on the PED Data Request form, this protocol and any formal agreement governing the provision by PED of a specific dataset or sets. In particular, the data must not be disclosed or published in any medium without the prior written consent of PED’s authorising officer.

2.6.3 DET and PED reserve the right to conduct or commission compliance audits or reviews of data recipients’ compliance with the terms on which PED has supplied data to them. A breach by the applicant of these terms, and in particular of an undertaking given not to link, disclose or publish the data, may result in the rejection of future requests for data by the applicant or his or her organisation.

2.7 Ongoing review

2.7.1 To ensure that its Data Protocol remains current and relevant to the evolving needs of its client community, PED will review and may amend this protocol from time to time as necessary.

2.8 Transparency

2.8.1 PED’s Data Request form sets out how to make a data request, and the information PED seeks in order to understand specific client objectives and the details of the data requested.

2.8.2 PED uses the ‘Five Safes’ framework for assessing and mitigating risk in relation to the specific project, data, people, output and setting for data handling. Each request is assessed against these risk criteria as well as suitability criteria (such as data quality) before a decision about release is made, so it is important that the request form is completed as fully as possible. For example, a client’s answer to the question ‘Who will have access to the data (don’t forget any relevant contractors)?’ helps PED to assess the level of people risk attached to the request as it stands, and to take steps to mitigate that risk in order to supply the data requested. Such steps might include, for example, sighting relevant confidentiality agreements between requestors and their contractors.

2.8.3 Where appropriate, data that has been customised to meet an individual data request will also be made publicly available via the DataVic portal or elsewhere at DET’s discretion.

3 ACCESS TO PED DATA 3.1 Overview

10PED Data Protocol v. 01

3.1.1 PED has a number of standing arrangements for supply of specific data on a regular basis, for example, annually. All other (ad hoc) requests for access to PED data will initially be received, reviewed and given a preliminary assessment by the PED Data Governance and Policy team, who may then contact requestors by telephone or email to obtain further information. This team will assess whether the request is simple or complex.

3.1.2 Simple requests are generally those that:

do not include the provision of unit record data or information derived from the Victorian Student Register;

do not include the provision of sensitive or confidential information; do not require data linkage by PED; do not have other significant resource implications, eg where the data is readily available from a report

that is regularly run.

3.1.3 In the case of all other requests, considered complex requests, generally within five working days, the Data Governance and Policy team convenes a meeting of the PED managers responsible for the data requested and a full risk and suitability assessment is conducted. Where a valid need for priority consideration has been established (see the form at 4.2 below), requests will be addressed sooner.

3.1.4 The majority of data requested from PED is provided in whole or in part, subject to both general conditions and any specific conditions considered necessary in the case of individual requests.

3.2 PED consideration of data requests

3.2.1 Decisions about simple requests will be made by the PED Data Governance and Policy team. At the committee meetings convened by the PED Data Governance and Policy team in respect of complex requests, PED managers apply the risk and suitability criteria adopted and developed by PED to both the specific data requested in each case, and the written and verbal information provided by requestors as to its intended use.

3.2.2 These criteria are consistently applied in order to:

ensure a fair and orderly approach to addressing all requests facilitate data sharing with government and non-government agencies and optimise data usage minimise risk.

3.2.3 If the circumstances of a particular request warrant it, a request may be escalated by PED managers to PED executives for further consideration and decision. These circumstances include but are not limited to:

where executives have indicated that they wish to make contact with a requestor or negotiate a request themselves

where the managers seek additional guidance as to DET policy on particular points, having already researched them

where the managers, not having reached agreement on a particular request outcome, seek a decision from a responsible Executive; and

11PED Data Protocol v. 01

where the managers have identified a high risk request and seek executive approval for release.

3.3 Disclosure requirements

3.3.1 Before making a data request to PED, clients should always check whether the data they seek has been published. The following sites are a good starting point:

the Victorian Child and Adolescent Monitoring System (VCAMS) portal at www.education.vic.gov.au/about/research/Pages/ vcams tableau.aspx

the DataVic portal at www.data.vic.gov.au the Victorian Curriculum and Assessment Authority (VCAA) at www.vcaa.edu.au the Victorian Public Sector Commission (VPSC) portal at vpsc.vic.gov.au ACARA My School at www.myschool.edu.au the Report on Government Services at www.pc.gov.au/gsp/rogs the Australian Bureau of Statistics (ABS) at www.abs.gov.au for internal DET applicants, DET internal portals, such as Datazone.

The Data Governance and Policy team may be able to suggest publicly-available additional sources of data.

3.3.2 Data that is not publicly available must be sought via the data request process. PED does not (re)supply data that is already publicly available.

3.3.3 Publicly available data may not be presented in the style and format that suits each client’s individual needs. However, please note that PED is unable to supply formatting or graphic design services in respect of either published data or the unpublished data that it may provide in response to data requests.

3.4 Breach of this Protocol

3.4.1 Potential breach of this Protocol takes two main forms:

failure of an applicant to provide complete or accurate details as requested on the PED Data Request form and/or by telephone or email that would be material to PED’s decision to provide data and the terms of any data supply by PED, for example failure to advise that third party subcontractors will handle the data, and the terms of any agreement with them;

failure of the recipient of data from PED to comply with the requirements of the data request form or of specific conditions imposed, such as breach of an undertaking not to disclose or publish the data received without prior written consent from PED.

3.4.2 Breach may result in the rejection by PED of future requests for data by the applicant or his or her organisation. Any breach involving personal information may also give rise to a privacy complaint by affected individuals.

3.5 Process for requesting PED data

12PED Data Protocol v. 01

3.5.1 Completed and signed Data Request Forms should be directed to the PED Data Governance and Policy team by email at datagovernance@edumail.vic.gov.au.

3.5.2 Alternatively, forms can be mailed to:

Data Governance and Policy teamLevel 3, 33 St Andrews PlaceEast MelbourneVIC 3001

3.6 Fees and charges

3.6.1 Currently, PED does not charge for the provision of existing datasets or discrete information. However, some requests are very substantial in size and would entail significant manipulation or customisation of data to meet client requirements. In these cases it may be necessary for PED to negotiate with clients to cover labour costs.

13PED Data Protocol v. 01

4 FORMS4.1 PED Data Request Form

The form below should be used by both DET and external requestors of data.

PED DATA REQUEST FORM

Request for one or more datasets held by the Performance and Evaluation Division (PED)of the Victorian Department of Education and Training.

Background

The Performance and Evaluation Division:

provides high quality evidence to support informed, confident decision-making; develops, collects and integrates data to conduct high-quality system analysis that informs strategy, policy development and

investment decisions; promotes a research and evaluation culture that involves working in partnership to investigate important questions and share

evidence widely; monitors the Department’s performance against internally and externally set measures and targets; monitors, evaluates and reports on the performance of the portfolio and on how Victoria’s children and young people are

faring, with a focus on vulnerable population groups; and conducts priority evaluation of what works for whom, and in what circumstances.

Making a data request to the PED

Requests for one or more data sets held by the PED will be considered and decided by PED’s leadership team.

This form must be completed and submitted to PED before any data request will be assessed for action. The form should be submitted electronically to data.governance@edumail.vic.gov.au

PED will generally acknowledge and consider your data request within 5 working days. If your request is successful, we will endeavour to provide a response within 5-10 working days, depending on the nature of the request and/or PED’s other operational requirements. PED will contact you if more information or time is required or, in the case of requests for customised data, any charges that may apply.

Before completing this form, you should check whether the data sought is already available to you, for example via:

the Victorian Child and Adolescent Monitoring System (VCAMS) portal at www.education.vic.gov.au/about/research/Pages/ vcams tableau.aspx

the DataVic portal at https://www.data.vic.gov.au/ the Victorian Curriculum and Assessment Authority (VCAA) at www.vcaa.edu.au the Victorian Public Sector Commission (VPSC) portal at http://vpsc.vic.gov.au/ ACARA My School at http://www.myschool.edu.au the Report on Government Services at http://www.pc.gov.au/gsp/rogs

14PED Data Protocol v. 01

the Australian Bureau of Statistics (ABS) at http://www.abs.gov.au/ for internal DET applicants, via a DET internal portal.

Information to be provided by applicants

1. Details of applicant

Agency/Organisation:Government? Non-government? Other?Agency/Organisation contact: Position:ABN (external only):Address/Location:Telephone number:Email address:

2. Details of data request

1. Please describe in detail the data sought, i.e. the information you wish PED to supply/ disclose.

2. Please describe the intended public purpose of the data request, or anticipated derived benefits that are in the public interest.

3. Please explain in detail how you intend to use the information.

4. Please provide details of relevant legislative provisions, if applicable. Consider: Is this data needed in order for your

organisation/area to perform work that falls within one of your agency/organisation’s legislated functions e.g. to perform [function x] set out in [section x] of the [x Act]?

Yes ☐ No ☐If yes, which legislation?

Is your request made pursuant to specific information sharing provisions in legislation, e.g. in the Victorian Family Violence Protection Act 2008?

15PED Data Protocol v. 01

Yes ☐ No ☐ If yes, which legislation?(We will contact you to request all relevant details.)

5. Would the data as requested (e.g. attendance records for defined cohorts of students at specified schools) contain information that identifies individuals, or from which they could be identified?

Yes ☐ No ☐If yes, please explain why it would not be possible to achieve the specified purpose in any other way e.g. by using de-identified data.

6. Who will have access to the data (don’t forget any relevant contractors)?

7. Will you engage in any data matching/linking activities?

Yes ☐ No ☐If yes, please provide details.

8. Will the data be disclosed to any third parties?

Yes ☐ No ☐If yes, please provide details.

9. Will the data be published?

Yes ☐ No ☐If yes, please provide details.

10. Have you requested this data before?

Yes ☐ No ☐If yes, please provide details. (e.g. a copy of any written agreement or email).

3. Acknowledgment and declaration

I declare that the information I have given on this form is true and correct in every respect.

I have read the Performance and Evaluation Division’s Data Protocol v. 02 and agree

16PED Data Protocol v. 01

to be bound by all applicable DET terms and conditions in respect of the data sought.

4. Undertaking

I undertake to comply with the Protocol v. 02’s Appendix 1: Minimum required privacy and data security measures. I acknowledge that a breach of this undertaking may result in the rejection of future requests for data submitted by me or by the organisation/area I represent.

5. Signatures

Full name of applicant: Signature of applicant:

Date:

Name of your authorising officer: Signature of your authorising officer:

Privacy notice: The data DET holds is ‘public sector data’ under the Privacy and Data Protection Act 2014 (PDP Act). Public sector data means any information (including personal information) obtained, received or held by an agency or body to which Part 4 (Protective Data Security) applies, whether or not the agency or body obtained, received or holds that information in connection with the functions of that agency or body.

DET collects personal information on this form in order to process the data request detailed above. This personal information will be handled in accordance with the requirements of the Privacy and Data Protection Act 2014 and the Information Privacy Principles set out in Schedule 1. For further information please refer to DET’s privacy notice and online privacy notice at

http://www.education.vic.gov.au/Pages/privacypolicy.aspx

17PED Data Protocol v. 01

4.2 PED Priority Data Request Form

If you consider that your request merits priority handling, please fill out the PED Priority Date Request form and send it with your PED Data Request form to the Data Governance team.

PED PRIORITY DATA REQUEST

This form is required only where applicants consider that their request to the Performance and Evaluation Division (PED) merits priority handling. Effective project planning should mean it is rarely needed.

Summary of data requested:

Date data requested by:

Reason for requested priority eg for DET internal requests, urgent and unforeseen Ministerial request [internal DET applicants only]

Declaration and Acknowledgment

I declare that all the information I have given on this form is true and correct I acknowledge that if my request for priority handling is agreed by PED, other operational commitments and approved Data

Requests from other applicants will be delayed in consequence.

Signatures

Full name of applicant: Signature of applicant:

Authorisation (Director level or above)

Name of Executive: Signature of Executive:

NOTE: This document may be subject to access requests under the Freedom of Information Act 1982 (Vic)

Appendix 1: Minimum required privacy and data security measures IPP 4 of Schedule 1 (Data Security) of the Privacy and Data Protection Act 2014 obliges organisations including DET to take reasonable steps to protect the personal information they hold from misuse or loss and from unauthorised access,

18PED Data Protocol v. 01

modification and disclosure. Organisations are also required to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.

In line with this obligation, and although not all data to be supplied by PED contains either personal or confidential information, PED requires both internal and external applicants to comply with the following privacy and data security controls as a minimum:

On request, provide PED with links to the requesting organisation’s privacy policy or policies, and details of its security training and awareness regime;

On request, facilitate penetration testing by DET to identify any system vulnerabilities prior to supply of data; Store the electronic data supplied on a secure server that can be accessed only by agreed specified persons or classes

of persons; Store in locked cabinets any devices containing, or printouts of, data that could enable identification of individuals or

organisations; Use the data only for the stated purposes for which it was requested, and for which supply was agreed by PED; Not attempt to identify particular persons or organisations represented in the data; Not attempt to match the information supplied, whether or not using identifiers, with any other lists of persons or

organisations; Not disclose the data, either directly or indirectly, to any person not specified in the Data Request or otherwise

indicated to PED before supply was agreed; Not transfer the data outside Victoria without the express written permission of PED; Obtain the express written permission of DET before publishing any data, analysis or commentary based on the data; Advise PED if any issue of data quality, such as accuracy or completeness, is identified in data supplied; In the case of research projects, seek a new agreement from DET if the lead researcher moves to a different research

facility/organisation; Not copy or retain the data other than for the purpose for which the data was requested and supplied, and at the end

of the purpose or project:- Delete the data from any servers or devices containing it- Delete any output from analysis of the data, whether electronic or printed, that could result in a person or

organisation being identified- Return to PED all copies of data or other information supplied or made accessible

Acknowledge that DET and PED have the right to conduct or commission compliance audits or reviews of data recipients’ compliance with the terms on which PED has supplied data to them, by means of processes and procedures including monitoring and reporting by PED staff, and audit or review by DET’s internal audit unit.

19PED Data Protocol v. 01