The Office of the Information Commissioner (OIC) is aware of a recent global cyber incident impacting public agencies that contracted with a company called ‘Instructure’.
Instructure is an education technology company that owns Canvas, a learning management system. Instructure works with education providers around the world.
Education providers in Australia, including universities, vocational providers and some state schools, have been affected.
Understanding who is the regulator
Privacy is an area of shared responsibility between the different Australian jurisdictions, such as at the state and national level.
OIC has authority over Queensland state government schools, public universities, and Technical and Further Education (TAFEs). These agencies must meet requirements under Queensland’s Information Privacy Act 2009 (IP Act). Agencies must take reasonable steps to ensure that their contracted service providers are bound to meet certain requirements under the IP Act.
The Office of the Australian Information Commissioner (OAIC) has authority over private companies under the Privacy Act 1988 (Cth), unless an exception applies. Schools that operate as private entities may be covered by OAIC. OAIC has released a statement about the cyber incident.
Instructure has also published a statement and status updates relating to the incident on its company website.
How individuals can make a privacy complaint
Under the IP Act, if you wish to lodge an individual privacy complaint you must first lodge a privacy complaint directly with the Queensland public agency or contracted service provider.
Queensland agencies must have a privacy policy that contains information about how an individual may complain. Agencies have a response period of 45 business days after the privacy complaint is received. Find out more about privacy complaints.
Information for individuals who are impacted by the cyber incident
If you have been told by a Queensland government agency that your privacy may have been breached, you should act quickly to reduce your risk of harm. The action you should take depends on the type of personal information involved.
We provide a guide for the community about Queensland's data breach scheme.
If you were affected, you should direct any specific enquiries to Instructure or your education provider.
National guidance and resources for individuals
In their statement about the cyber incident, OAIC has shared steps you can take to protect your personal information and online accounts, particularly if you think your information, such as logins or passwords, might have been caught in a cyber incident.
The Australian Government advises three simple steps you can take to be more secure online:
- Set up multi-factor authentication whenever available to add an extra layer of security to your online accounts.
- Create strong and unique passphrases that are 14 or more characters long. These passphrases should be different for each account you hold.
- Install software updates regularly to keep your devices secure.
For more information, visit Act Now. Stay Secure.
You can learn how to protect yourself from scams by visiting the National Anti-Scam Centre’s (NASC) ScamWatch.
Reminder to public agencies
OIC wishes to remind all Queensland public agencies of their legal responsibility to notify OIC of any eligible data breaches. An eligible data breach is one that involves unauthorised access to or disclosure of personal information held by the agency that is likely to result in serious harm to an individual.
Information is considered to be held by the agency if the personal information is contained in a document in the possession, or under the control, of the agency. Documents are in the agency’s control if the agency has a present legal entitlement to take physical possession of them, or to handle or access them, such as due to a contractual or other legal right. Depending on the circumstances, this may include documents held by the agency’s service providers.
If an agency does not know whether a data breach is an eligible data breach requiring notification under the Act, it is required to complete an assessment within 30 days after a suspicion is formed that it might be an eligible data breach. Agencies may extend the period if the assessment cannot reasonably be completed within the 30-day period. You can make notifications and report extensions in the OIC Agency Portal.