OFFICIAL: Sensitive
Information Security Assessment
Electronic Voting and Counting System (EVACS)
Contents
1 Introduction ..... 3
1.1 Purpose ..... 3
1.2 Background ..... 3
1.3 Scope ..... 5
1.4 Audience ..... 5
2 Information Assets ..... 6
2.2 Individual Records ..... 7
2.3 Aggregate Records ..... 7
3 Official Information Identification ..... 9
4 Information Security Assessment ..... 10
  Privacy Assessment Steps ..... 10
  Information Classification Assessment ..... 10
4.1 PIA Threshold Assessment (PTA) ..... 11
4.2 Data Matching ..... 14
5 Privacy Impact Assessment ..... 15
5.1 Sensitive Information ..... 15
5.2 Territory Privacy Principles ..... 16
6 Information Classification Assessment ..... 21
6.1 System Information Classification ..... 21
7 Records management ..... 22
8 Approvals ..... 23
Appendix A: OFFICIAL Information Identification Flowchart ..... 24
Appendix B: ISA process flowchart ..... 25
Appendix C: Information Classification Assistance ..... 26
  Actions for Classified Information with a Protective Marking ..... 26
ISA Electronic Voting and Counting System (EVACS) V0.1, published 14/08/2023
Page 2 of 30
1 Introduction
1.1 Purpose
This document provides ACT Government data owners with a two-stage process to assist in determining
the information security requirements of an ICT system (including cloud services):
• Privacy Impact Assessment - Threshold Assessment (PTA) and Privacy Impact Assessment
(PIA)
• Information Security Assessment
The approach to the assessment of information security recommended in this document is modelled
on the Information Privacy Act (ACT) 2014. This approach is recommended by the Office of the
Australian Information Commissioner (OAIC) when assessing a public sector body’s compliance under
the Information Privacy Act (see the OAIC’s Guide to securing personal information and the related
Guide to undertaking privacy impact assessments). However, it cannot encompass all legislation with a
secrecy enactment that Directorates must respond to, such as:
• Health records falling under the Health Records (Privacy and Access) Act 1997
When handling information of this nature or under other legislation, Directorates must consult with
their own legal advisors or the ACT Government Solicitors Office (GSO).
When completed and authorised, attach the assessments to any security risk assessment (High or
Low Assurance) or Data Release request associated with Electronic Voting and Counting System
(EVACS).
This document will help you do the following:
1. Identify what specific data is in the solution
2. Identify if the information is OFFICIAL or UNOFFICIAL
3. Identify if OFFICIAL information requires protective marking with an Information
Management Marker (IMM)
4. Identify if Personal Information (PI) or Personal Health Information (PHI) is present
5. Identify any security measures taken
6. Identify links for data sharing between other solutions, systems, software, and agencies
7. Identify current record management practices
8. Obtain acknowledgement and approval of this document from the delegate.
1.2 Background
ICT Security has provided an interpretation of the ACT Information Security Guidelines in its Security
Plan template since 2011. This document provides an updated approach which can be applied to any
ICT system, not just those meeting the criteria for a Security Plan. The approach has the flexibility to
also apply to data release requests.
Personal Information
What is Personal Information (PI)? PI is defined by the Information Privacy Act 2014 as meaning:
…‘information or an opinion about an identified individual, or an individual who is reasonably
identifiable; whether the information or opinion is true or not, and whether the information or
opinion is recorded in a material form or not’.
Common examples are an individual’s name, signature, email address, home address, telephone
number, date of birth, bank account details, employment details and commentary or opinion about a
person.
ACT public sector agencies are responsible and accountable for the personal information (PI) [1] they
collect, hold, store, use and disclose, even when the information is held by external service providers
or contractors operating in Australia or overseas.
Health Information
For clinical systems handling personal health information (PHI) [2], the Health Records (Privacy and
Access) Act 1997 may be a consideration in addition to the Information Privacy Act. Given that health
information requires a high standard of care and has specific legislation governing its control, you
should indicate in your assessment how you are going to comply with that legislation. The ISA does
not provide a detailed approach to handling PHI; however, it may still be useful to model that
assessment using the same approach as for the Information Privacy Act.
Privacy Impact Assessment - Threshold Assessments (PTAs)
The PTA will assist you to:
• determine if a full PIA is required;
• identify if other legislation is relevant to the handling of your data (e.g. s4, Health Records
(Privacy and Access) Act 1997) and what, if any, additional steps or information handling or
security requirements are needed; and
• identify what other security matters may still apply, i.e. any protective security
classification needed (OFFICIAL: Sensitive – Personal Privacy, CABINET, etc.) in order to
protect the information (in addition to any IMM that may also apply).
It is best privacy practice to undertake a PTA when:
• undertaking a new project or business activity that collects personal or sensitive information;
and
• making changes to the way in which personal and sensitive information is collected, used or
disclosed, stored and secured in existing projects or business activities.
Privacy Impact Assessments (PIAs)
A PIA is a systematic assessment of a project that identifies:
• whether the proposed treatment of personal information is compliant with the Information
Privacy Act and Territory Privacy Principles (TPPs);
• the impact the project might have on the privacy of individuals; and
• sets out recommendations for managing, minimising or eliminating that impact.
[1] See the Privacy in the ACT section of the OAIC website for more information.
[2] Personal Health Information, of a consumer, means any personal information, whether or not recorded in a
health record:
• relating to the health, an illness or a disability of the consumer; or
• collected by a health service provider in relation to the health, an illness or a disability of the
consumer.
[s4, Health Records (Privacy and Access) Act 1997]
A PIA is more than a simple compliance checklist. It should ‘tell the full story’ of a project from a
privacy perspective, going beyond compliance to also consider the broader privacy implications and
risks, including whether the planned uses of personal information in the project will be acceptable to
the community.
A large part of a project’s success will depend on whether it meets legislative privacy requirements
and community privacy expectations. Privacy issues that are not properly addressed can impact on
the community’s trust in an organisation or agency and undermine the project’s success.
To be effective, a PIA should be undertaken early enough in the development of a project that it is
still possible to influence the project design or, if there are significant negative privacy impacts,
reconsider proceeding with the project. Making a PIA an integral part of a project from the beginning
means that you can identify any privacy risks early in the project and consider alternative, less
privacy-intrusive practices during development, rather than later in the project when changes will be
much more difficult and costly to implement.
1.3 Scope
An Information Security Assessment should be performed for all initiatives with ICT systems
(including cloud services) that handle official Australian or ACT Government information, particularly
those that form part of an ICT solution such as corporate applications or cloud services.
1.4 Audience
This self-assessment template should be completed by staff who are responsible for official
information including but not limited to:
• Business system owners (SES-level executive with delegation to approve this assessment);
• Information custodians/data stewards;
• System managers;
• Project managers; and
• Embedded ICT managers.
4 Information Security Assessment
An Information Security Assessment is performed on official Australian or ACT Government
information and consists of two stages:
1. Privacy Assessment
2. Information Classification Assessment.
Privacy Assessment Steps
This Privacy Assessment has two parts. It starts with a PIA Threshold Assessment (PTA) to determine if a
Privacy Impact Assessment (PIA) needs to be conducted. Performing a PTA will help directorates
determine if a PIA is required for a new project or if a new PIA needs to be carried out.
Not all processes will require a full PIA, and some may only require a brief PIA where there is little
personal information being handled, or only minor changes to information handling practices.
The answer should also consider the risk of de-identified information becoming personal information
if it can be matched with another dataset (or publicly available information), enabling individuals to
be identified.
Information Classification Assessment
The Information Classification Assessment assists directorates in classifying their information and
determining whether the information requires protective marking with an Information
Management Marker (IMM).
Inappropriate handling of sensitive information can have adverse consequences for an individual or
those associated with the individual. Sensitive information consequently needs a higher level of
protection under the TPPs than other personal information (see TPP 11).
5.2 Territory Privacy Principles
This PIA will assist with identifying how compliant Electronic Voting and Counting System (EVACS) is
with the applicable TPPs [7].
Open and Transparent Management of Personal Information (TPP 1)
☐ The system provides customers with a privacy statement explaining how their information will be used.
☐ The system provides customers with a link to an approved directorate Privacy Policy.
☐ The system provides customers with a mechanism for contacting the directorate Privacy Officer for questions or
complaints.
☐ Other (describe): Click or tap here to enter text.
☐ N/A, this system does not collect PI.
Anonymity and Pseudonymity (TPP 2)
The ways in which individuals can interact with the system without identifying themselves or by using
pseudonyms are (select all that apply):
☐ N/A
☐ This Principle is not applicable, because we are required by law to deal with individuals who have identified
themselves.
☐ This Principle is not applicable, because it is impracticable to deal with individuals who have not identified
themselves or who have used a pseudonym.
☐ The system provides the option of leaving contact details if the individual wants us to contact them, or to not leave
any contact details, if they do not want us to get back to them.
☐ Other (describe): Click or tap here to enter text.
Collection of Solicited Information (TPP 3), Quality (Accuracy and
Completeness) of Personal Information (TPP 10), and Correction of Personal
Information (TPP 13)
The procedures used to ensure that personal information collected is kept accurate, up-to-date and
complete are (select all that apply):
☐ Every time a customer presents at the counter, staff ask for confirmation of data: name, address, phone number
etc.
☐ The only personal data in the system is mastered from another system and downloaded from this system
whenever a new record (requiring personal information) is created.
☐ At the counter, customers are requested to verify current data on the system.
[7] See the Territory Privacy Principles section of the OAIC website for more information.
☐ Personal information is stored against a public enquiry or against an accident as a “point in time” record i.e. the
information stored is intended to be an accurate record as at the time of the request/incident, and not intended to
be an on-going reflection of the current attributes of the person involved.
☐ Customers/users of this system are responsible for keeping their information up to date by submitting change of
circumstances forms/calling the counter/updating from the account information page/etc
☐ Other (describe): Click or tap here to enter text.
☐ N/A
Dealing with Unsolicited Personal Information (TPP 4)
The procedures used to destroy or de-identify unsolicited personal information are (select all that
apply):
☐ The system has no free text fields so there is no scope to enter (and record) unsolicited personal information.
☐ When a person fills in a form on the system, we have clearly marked response boxes, to minimise the chance that a
person will enter information we do not need.
☐ We have a written policy that tells our staff members that if they find an individual has entered unrequested
personal information the staff member is to refer that to the supervisor.
☐ The supervisor will either delete or redact the information if it is not the sort of information that the Directorate
ever collects, if it is lawful to do so under the Territory Records Act, and make a log entry to record that he/she has
edited the record.
☐ The supervisor will leave the information untouched if it is the sort of information that the Directorate does collect
and if it is part of a Territory Record.
☐ Other (describe): Click or tap here to enter text.
☐ N/A
Notification of the Collection of Personal Information (TPP 5)
The procedures used to notify individuals that their personal information has been collected are
(select all that apply):
☐ The system requires a customer to acknowledge that they have read our “Territory Privacy Principle 5 - Notification
of Collection of Personal Information” (which directs the individual to our Privacy Policy that explains how we
collect, use, share and store personal information, and how a user may access/correct it).
☐ A standard message is played to all callers: “your call may be recorded for training purposes”
☐ Other (describe): Click or tap here to enter text.
☐ N/A
Use or Disclosure for the Primary Purpose Collected (TPP 6), Security of
Personal Information (TPP 11), and Access to Personal Information (TPP12)
The following procedures ensure that personal information is used for the lawful purpose for which it
was collected or the primary purpose of collection (select all that apply):
☐ Regularly instructing all persons with access that they are bound under the Information Privacy Act (ACT) 2014,
which forbids unauthorised use, modification or disclosure to parties not entitled to receive it.
☐ Checking that information collected or used complies with the Information Privacy Act or other applicable
legislation governing the information, i.e. secrecy provisions or the Health Records (Privacy and Access) Act.
☐ All requests for information are accepted only if they are approved by the appropriate delegate. Please note the
delegate will differ for some Directorates:
  • If the information belongs to the Health Directorate: refer to the Health Directorate policy.
  • For all other Directorates: either the Business System Owner of the system from which the data originated, or
    a decision maker under the Freedom of Information Act 2016.
☐ All requests for de-identified information for the purpose of research must be approved by the following. Please
note this will differ for some Directorates:
  • If the information belongs to the Health Directorate: as per the Health Directorate policy.
  • For other Directorates (insert positions of delegated data stewards): Click or tap here to enter text.
☐ All Production data used in non-production environments have privacy-related items de-identified.
See also: Use or Disclosure of Personal Information in Non-Production Environments (TPP6)
☐ Other (describe): Click or tap here to enter text.
☐ N/A
Use or Disclosure of Personal Information in Non-Production Environments
(TPP6)
Personal information is used in the following non-Production environments [8], [9]:
☐ No personal information is used in non-Production environments.
☐ PI is used in ACTTST or Training
☐ The Business System Owner approved the use of PI for this secondary purpose (attach written evidence to this
Information Security Assessment).
☐ The target environment is secured to the same standard as ACTGOV, including access control, logging and
monitoring, auditing, password and encryption standards.
[8] Development and Vendor access to PI
Advice from the Privacy Commissioner and the Government Solicitor’s Office is that privacy-related
information SHALL NOT be used in its raw form in a Development environment. If production information
is to be used in a DEV or vendor environment, then it MUST be de-identified (that is, the personal
information has been replaced with artificial data from which the identity of the individuals cannot be
ascertained). This is a ruling of the ACT Attorney-General. Penalties are described in the Information
Privacy Act (ACT) 2014.
[9] Test and Training (the text of this note continues below the TPP 11 checklist on the following page)
☐ PI is used in ACTDEV or any vendor non-Production environment
☐ The data is de-identified using methods approved by ICT Security before exporting from Production.
☐ Other (describe): Click or tap here to enter text.
☐ N/A
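The de-identification that notes [8] and [9] above require, as an added worked example in Python (this is not EVACS’s code, nor an ICT Security-approved method; the field names, the sample rows and the key are constructed for illustration and are not EVACS’s schema). Direct identifiers are dropped, the record key is replaced by a keyed pseudonym whose key stays in Production, date of birth is generalised to an age band, and the export is refused if any remaining combination of quasi-identifiers is rarer than k rows, which is the data-matching re-identification risk that section 4 warns about:

```python
"""De-identify a Production extract before it is loaded into a non-Production
environment. Added example, not EVACS or ACT Government code; the field names,
sample records and key below are constructed for illustration."""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Direct identifiers are dropped outright; test and training environments do
# not need real contact details, so nothing artificial has to replace them.
DIRECT_IDENTIFIERS = {"full_name", "email", "phone", "street_address"}

# Quasi-identifiers survive in generalised form and are checked below for
# k-anonymity, because they are what a second dataset would be matched on.
QUASI_IDENTIFIERS = ("age_band", "postcode")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. A plain hash would not do: record IDs are
    usually low-entropy (sequential numbers), so an unkeyed hash could be
    reversed by enumerating the ID space. The key never leaves Production."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, as_of: date, width: int = 10) -> str:
    """Replace an exact date of birth with a 10-year band."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def deidentify_record(rec: dict, key: bytes, as_of: date) -> dict:
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS and k != "date_of_birth"}
    out["record_id"] = pseudonymise(str(rec["record_id"]), key)
    out["age_band"] = age_band(rec["date_of_birth"], as_of)
    return out


def smallest_group(records: list, fields=QUASI_IDENTIFIERS) -> int:
    """Size of the rarest quasi-identifier combination (the k in k-anonymity)."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return min(counts.values()) if counts else 0


def deidentify_export(records: list, key: bytes, as_of: date, k: int = 2) -> list:
    """Return the de-identified rows, or refuse if any row is re-identifiable
    through a unique (or too rare) quasi-identifier combination."""
    out = [deidentify_record(r, key, as_of) for r in records]
    if smallest_group(out) < k:
        raise ValueError(
            f"rarest quasi-identifier group has fewer than {k} records; "
            "coarsen the generalisation before exporting")
    return out


def leaks_direct_identifier(original: list, deidentified: list) -> bool:
    """Belt-and-braces check: no raw identifier value appears anywhere in the
    output, including inside fields that were meant to be kept."""
    raw = {str(r[f]) for r in original for f in DIRECT_IDENTIFIERS if f in r}
    rendered = repr(deidentified)
    return any(v in rendered for v in raw)


# Constructed sample Production rows (hypothetical schema, not EVACS's).
SAMPLE_RECORDS = [
    {"record_id": "R-1001", "full_name": "Alice Example", "email": "alice@example.test",
     "phone": "0400000001", "street_address": "1 Sample St", "date_of_birth": date(1985, 3, 2),
     "postcode": "2600", "status": "active"},
    {"record_id": "R-1002", "full_name": "Bob Example", "email": "bob@example.test",
     "phone": "0400000002", "street_address": "2 Sample St", "date_of_birth": date(1990, 1, 5),
     "postcode": "2600", "status": "active"},
    {"record_id": "R-1003", "full_name": "Carol Example", "email": "carol@example.test",
     "phone": "0400000003", "street_address": "3 Sample St", "date_of_birth": date(1962, 7, 30),
     "postcode": "2612", "status": "inactive"},
    {"record_id": "R-1004", "full_name": "Dan Example", "email": "dan@example.test",
     "phone": "0400000004", "street_address": "4 Sample St", "date_of_birth": date(1958, 9, 1),
     "postcode": "2612", "status": "active"},
]
EXPORT_KEY = b"constructed-production-only-key"  # in practice: Production's secret store
AS_OF = date(2023, 8, 14)

DEIDENTIFIED = deidentify_export(SAMPLE_RECORDS, EXPORT_KEY, AS_OF)
```

The k check is deliberately a gate rather than a warning: a row that is unique on age band and postcode can be matched back against any other dataset carrying those two fields, so the extract is not de-identified in the sense note [8] requires until the generalisation is coarsened.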
Cross-Border Disclosure of Personal Information (TPP 8)
Data sovereignty is an ongoing concern for ACT Government, because of differing legal frameworks and
the potential inability to enforce contractual terms between the ACT Government, an off-shore provider
and/or the off-shore country where the information is being handled. The ability of the ACT
Government or affected citizens to enforce legislation, public regulations or contract terms against
off-shore providers and countries outside the borders of Australia could be limited.
The following procedures ensure that personal information is not disclosed to overseas recipients
(select all that apply):
☐ Not applicable. No information held in this application is transmitted abroad.
☐ The Directorate’s intention is that no personal information held in the database will be transmitted/disclosed cross
border. Should the need arise, the Directorate will release personal information only to organisations for which the
Business System Owner has provided written authorisation after seeking advice of the Directorate’s legal staff.
☐ Other (describe): Click or tap here to enter text.
☐ N/A
Security of Personal Information (Prevention of Unauthorised Use, TPP 11)
The following procedures guard personal information against interference, misuse and loss and
unauthorised access, modification and disclosure [10] (select all that apply):
☐ Active monitoring of audit trails, to track activity in the system.
☐ Restricting users of the system to just ACT Government staff - who are vetted and informed of their responsibilities
upon employment.
☐ Employing individual usernames and passwords to restrict access to the application.
☐ Employing role-based permissions to restrict read-access and write-access to staff who have a need to see or to
change that data.
[9] Test and Training (continued): Production data containing personal data covered under the
Information Privacy Act 2014 can be used in a Test or Training environment only if the business owner
explicitly deems it an appropriate secondary purpose AND the data held in Test is protected from
misuse, interference or loss, and from unauthorised access, modification or disclosure (in practice,
secured to a standard comparable to that applied in Production). If both conditions are met, the
information may be used in Test, as the compliance risks have been treated/accepted. If either
sign-off is missing, then it SHALL NOT be used in TEST.
[10] See GSO privacy advice for SSICT-managed cloud environments for advice on privacy in cloud
environments (AWS, Azure), especially regarding TPP 11 considerations on ‘disclosure’.
☐ Access is restricted by way of fixed IP addresses to gain access to the server and username and passwords to gain
access to the database. If officers leave their workspace they are required to log out of the system. Physical access
to servers is restricted by swipe cards access.
☐ Regularly instructing all persons with access that they are bound by the
Information Privacy Act 2014, which forbids
unauthorised use, modification, or disclosure to parties not entitled to receive it.
☐ Other (describe): Click or tap here to enter text.
☐ N/A
TPP Conclusion
Based on the above answers, use the following table to show which TPPs apply to Electronic Voting
and Counting System (EVACS):
Table 8: Territory Privacy Principles checklist
☐ TPP 1 - open and transparent management of personal information
☐ TPP 2 - anonymity and pseudonymity
☐ TPP 3 - collection of solicited personal information
☐ TPP 4 - dealing with unsolicited personal information
☐ TPP 5 - notification of the collection of personal information
☐ TPP 6 - use or disclosure of personal information
☐ TPP 8 - cross-border disclosure of personal information
☐ TPP 10 - quality of personal information
☐ TPP 11 - security of personal information
☐ TPP 12 - access to personal information
☐ TPP 13 - correction of personal information
Appendix A: OFFICIAL Information Identification Flowchart
Figure 1: Official information process flow
Appendix B: ISA process flowchart
Figure 2: Information Security Assessment process flow
Appendix C: Information Classification Assistance
Actions for Classified Information with a Protective Marking
The following activities should be carried out for information classified with a protective marking.
IMPORTANT: ICT Security recommends documenting these business activities in a Standard
Operating Procedure (SOP) for the system or service.
1. Where feasible, mark the information with the IMM so that consumers of the information
understand the security with which it must be handled.
2. Apply the Principle of need-to-know, which requires the restricting of an individual’s access
to only the information they require to fulfil the duties of their role.
a. All ICT systems holding information with a protective marking must force users to
authenticate with a unique and attributable identity.
b. Authentication must comply with the ACT Government Password Standard.
c. Authentication attempts must be logged and periodically audited by the system
manager.
3. Apply the Principle of least privilege, which requires that an individual should only be able to
access the information and resources they require for legitimate reasons.
a. Roles and permissions must be defined within the system and authorised by the
system manager in a documented request (electronic or paper).
4. Apply the Principle of separation of duties, which requires that the person who authorises
and/or audits user access is not also the person or team who provisions user access.
5. Cyber Security awareness training and understanding of the ICT Acceptable Use Policy to
ensure those who handle the information follow the requirements to protect the
information appropriately.
6. Extra protective measures such as:
a. Those derived from the Cyber Security Policy [15] on a risk assessment basis.
b. Typically, the Business System Owner is required to seek strategic security advice
from the IT Security Advisor (ITSA), to determine the appropriate security controls.
c. Apply the appropriate technical controls around classified documents with a
protective marking as per the PSPF Information Security Guidelines [16], including:
i. Preparation and Handling.
ii. Removal of documents or files.
iii. Auditing.
iv. Copying, storage and destruction.
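Items 2 to 4 above can be checked mechanically on each periodic audit. The following Python script is an added example (not EVACS’s or ICT Security’s tooling); the access-request register fields and the log line format are assumptions constructed for illustration. It verifies that every role grant traces to a documented request (3a), that the approver of a grant is never also its provisioner (4), that every successful authentication maps to a registered, attributable identity (2a), and it flags repeated failed attempts for the system manager’s review (2c):

```python
"""Periodic access audit for a system holding protectively marked information,
covering items 2-4 of Appendix C. Added example, not EVACS or ICT Security
tooling; the grant register and the log line format are constructed assumptions."""
import re
from collections import Counter

# Constructed access-request register: one entry per documented request (item 3a).
# Field names are assumptions, not an ACT Government schema.
GRANTS = [
    {"user": "jsmith", "role": "counting_officer", "approved_by": "mgr01",
     "provisioned_by": "itops01", "request": "REQ-101"},
    {"user": "akhan", "role": "counting_officer", "approved_by": "mgr01",
     "provisioned_by": "mgr01", "request": "REQ-102"},   # approver also provisioned it
    {"user": "bwong", "role": "auditor", "approved_by": "mgr01",
     "provisioned_by": "itops01", "request": ""},        # no documented request
]

# Constructed authentication log (item 2c). The format is assumed, not EVACS's.
AUTH_LOG = """\
2023-08-14T08:01:10Z app auth user=jsmith result=success src=10.0.1.20
2023-08-14T08:02:31Z app auth user=akhan result=failure src=10.0.1.21
2023-08-14T08:02:40Z app auth user=akhan result=failure src=10.0.1.21
2023-08-14T08:02:52Z app auth user=akhan result=failure src=10.0.1.21
2023-08-14T08:03:05Z app auth user=akhan result=success src=10.0.1.21
2023-08-14T09:15:00Z app auth user=svc_count result=success src=10.0.1.50
2023-08-14T09:20:11Z app auth user=bwong result=success src=10.0.1.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$")


def parse_auth_log(text: str) -> tuple:
    """Parse log lines into dicts. Non-matching lines are counted, not dropped,
    so a format change cannot silently hide events from the audit."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return events, unparsed


def separation_of_duties_breaches(grants: list) -> list:
    """Item 4: whoever approves or audits access must not be the provisioner."""
    return [g["user"] for g in grants if g["approved_by"] == g["provisioned_by"]]


def undocumented_grants(grants: list) -> list:
    """Item 3a: every role grant must trace to a documented request."""
    return [g["user"] for g in grants if not g["request"]]


def review_auth_events(events: list, grants: list, failure_threshold: int = 3) -> dict:
    """Item 2: each successful login must belong to a registered, attributable
    identity; repeated failures are flagged for the system manager."""
    registered = {g["user"] for g in grants}
    failures = Counter(e["user"] for e in events if e["result"] == "failure")
    unregistered = {e["user"] for e in events
                    if e["result"] == "success" and e["user"] not in registered}
    return {
        "unregistered_logins": sorted(unregistered),
        "repeated_failures": {u: n for u, n in failures.items() if n >= failure_threshold},
    }


def run_audit(grants: list = GRANTS, log_text: str = AUTH_LOG) -> dict:
    events, unparsed = parse_auth_log(log_text)
    report = review_auth_events(events, grants)
    report["sod_breaches"] = separation_of_duties_breaches(grants)
    report["undocumented_grants"] = undocumented_grants(grants)
    report["unparsed_lines"] = unparsed
    return report


if __name__ == "__main__":
    for finding, value in run_audit().items():
        print(f"{finding}: {value}")
```

On the constructed data the report names akhan for the separation-of-duties breach and the repeated failures, bwong for the missing request, and svc_count as a login with no entry in the register, which is exactly the shared or orphaned account that item 2a is meant to exclude.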
[15] See Cyber Security Policy for more information.
[16] See p14 of the ACT Government Protective Security Information Security Guidelines (2017) for more
information.
Figure 3: Information Classification Assessment process flow