Data Breaches and RTOs: A Practical RTO Data Security Guide

What to Review, What to Document, and What to Send Your Providers.

Recent data breaches involving external service providers used widely across the VET sector are a timely reminder for RTOs to review the systems they use, and the providers that hold their data. 

Coast Wide Training Solutions has put together guidance to help you review your arrangements, document what you have done, and show that your RTO is actively managing system and data security risks. 

Coast Wide Training Solutions recommends undertaking the following: 

1. Contact your service providers

We have provided a template below that you can use to email your external service providers, including your SMS, LMS, finance system, cloud storage, and email platform. Their responses will help you assess risk and decide whether any further action is required.

2. Review your governance 

Alongside provider due diligence, we recommend you check the following internal controls. 

Roles and accountability 

Confirm who within your RTO is responsible for data security and privacy, and ensure their role includes oversight of system risk, breach response, and ongoing monitoring of critical systems. 

Policies and procedures 

Make sure you have current, approved policies covering privacy and the management of personal information, records management (retention, storage, disposal), information security (access controls, passwords, MFA), data incident response and business continuity, and the management and review of your system and service providers. 

Registers and monitoring 

Your Compliance Risk Register (or equivalent) should capture each key system and provider, including the provider and product, the data held, hosting location (where known), risk rating, and the date of last security review.

If this isn't currently documented, the attached provider request will help you build that record. 

Technical controls 

You should be able to demonstrate that multi-factor authentication is enforced across all critical systems, user access is approved, recorded, and promptly removed when roles change or staff leave, system access is reviewed at least annually, and backups are completed and restoration testing is performed at least annually.
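The register fields described under "Registers and monitoring" and the evidence items listed under "Technical controls" can be checked mechanically once they are recorded in one place. The script below is an added example and is not part of Coast Wide Training Solutions' guidance or any product; the register entries, provider names, dates, field names and the 365-day review cycle are all constructed assumptions for illustration. It flags each system where MFA is not recorded as enforced, the hosting location is unknown, or a security review, access review or backup restoration test is missing or older than the annual cycle, so the gaps become a list you can action and file as evidence.

```python
from datetime import date, timedelta

# Constructed sample register (assumption: these fields exist in your register).
# Systems, providers, products and dates are made up for the example.
REGISTER = [
    {"system": "SMS", "provider": "ExampleSMS Pty Ltd", "product": "ExampleSMS Cloud",
     "data_held": "student personal details, USI, results", "hosting": "Australia",
     "risk_rating": "High", "mfa_enforced": True,
     "last_security_review": date(2025, 3, 1),
     "last_access_review": date(2025, 3, 1),
     "last_restore_test": date(2025, 2, 10)},
    {"system": "LMS", "provider": "ExampleLearn Ltd", "product": "ExampleLearn Online",
     "data_held": "student names, emails, assessment submissions", "hosting": "",
     "risk_rating": "Medium", "mfa_enforced": False,
     "last_security_review": date(2025, 4, 12),
     "last_access_review": date(2025, 4, 12),
     "last_restore_test": date(2025, 4, 12)},
    {"system": "Cloud storage", "provider": "ExampleDrive Inc", "product": "ExampleDrive Business",
     "data_held": "scanned enrolment forms, ID documents", "hosting": "Singapore",
     "risk_rating": "High", "mfa_enforced": True,
     "last_security_review": date(2024, 1, 15),
     "last_access_review": date(2025, 1, 20),
     "last_restore_test": None},
]

# Assumption: reviews and restoration tests are expected at least annually.
REVIEW_CYCLE = timedelta(days=365)

# Date fields to check, with the label used in the finding text.
DATED_CONTROLS = (
    ("last_security_review", "security review"),
    ("last_access_review", "access review"),
    ("last_restore_test", "backup restoration test"),
)


def check_entry(entry, today):
    """Return a list of findings (empty if the entry has no gaps)."""
    findings = []
    if not entry.get("mfa_enforced"):
        findings.append("MFA not enforced")
    hosting = entry.get("hosting") or ""
    if hosting.strip().lower() in ("", "unknown"):
        findings.append("hosting location not recorded")
    for field, label in DATED_CONTROLS:
        last = entry.get(field)
        if last is None:
            findings.append(f"{label} never performed")
        elif today - last > REVIEW_CYCLE:
            findings.append(f"{label} overdue (last {last.isoformat()})")
    return findings


def review_register(register, today=None):
    """Map each system name to its findings as at `today` (date or ISO string)."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return {entry["system"]: check_entry(entry, today) for entry in register}


if __name__ == "__main__":
    # Fixed "as at" date so the sample output is reproducible.
    for system, findings in review_register(REGISTER, "2025-06-01").items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{system}: {status}")
```

Run it against your own register export (or a spreadsheet converted to the same dictionaries) with the real "as at" date; each non-empty finding is an item to record in your risk or continuous improvement register together with the decision taken and the next review date.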


Evidence management 

When providers respond, retain all responses and supporting documents, update your risk and/or continuous improvement register, and record any risk decisions and review dates. 

3. Keep the evidence 

When these actions are documented and retained, they form a clear, auditable record that your RTO is actively managing system and data security risk. 

If you would like help reviewing your current arrangements or working through any provider responses, Coast Wide Training Solutions is here to help.
