The misuse of confidential information by public sector agencies has always been a known corruption risk.
However, as the volume and scope of the confidential and personal information held by public sector agencies continues to expand and community expectations rise, agencies must now respond to this risk with an increased focus and range of mechanisms to avoid the legal and reputational risks arising from the potential misuse of confidential information.
This article considers how agencies can best respond to these risks, by reference to recent reports released by state-based corruption regulators, including Victoria’s Independent Broad-based Anti-corruption Commission, with a focus on a report released by Queensland’s Crime and Corruption Commission (CCC).
On 21 February 2020, the CCC released its ‘Operation Impala – Report on Misuse of Confidential Information in the Queensland Public Sector’ (the report).1
The report examines the practices of a cross-section of Queensland’s public sector, with a particular focus on the misuse of confidential information of a personal nature by Queensland public sector agencies – an issue that has been in the CCC’s crosshairs since 2016, as a “key enabler of other types of corrupt conduct”.
After a spike in allegations from 2015 to 2019, the CCC commissioned Operation Impala to examine how and why confidential information can be misused, as well as the impacts of unauthorised access and disclosure on both agencies and victims of misuse. In November 2019, a public hearing for the operation heard evidence from 31 witnesses, including agency chief executives.
The CCC made 18 separate recommendations, which provide a blueprint for how public sector agencies across all jurisdictions can better manage this increasing corruption risk.
Misuse: How and why?
Agencies were reported to be at “varying levels of maturity” in confidential information management practices, which were influenced by the types of information collected and managed, as well as the strength of organisational culture in reinforcing the importance of protecting that information.
Consistent risk areas contributing to misuse of confidential information were said to stem from agency pressures to:
- manage vast and diverse volumes of information
- ensure consistent approaches to information security across devolved entities
- keep up with technological advances that can impact on information security, access control systems and/or database usability.
The CCC found the key motivations for improperly accessing confidential information from public sector databases include personal interest (curiosity), material benefit (such as a financial incentive), relationships (organised crime groups or calling on favours, threats) and personal circumstances (drug-related issues, anxiety, broken relationships).
18 recommendations: What’s next?
Broadly, the CCC’s recommendations for dealing with this corruption risk can be grouped into five categories:
- Recommendations 1-9 and 18: Introducing several technical and organisational enhancements to strengthen information management systems to create a more “privacy-aware culture”.
- Recommendation 10: Creating a new offence in the Criminal Code better suited to offending related to misuse of confidential information, punishable by five years’ imprisonment (increasing to 10 years in aggravated circumstances). The CCC found that section 408E of the Criminal Code (Computer hacking and misuse), currently used to prosecute public sector employees who improperly access or disclose confidential information, is inadequate.
- Recommendations 13 and 17: Improving remedies available for victims of misuse of confidential personal information, notably including a recommendation that the State Government consider introducing a statutory tort for misuse of private information.
- Recommendations 11, 12, 14 and 15: Extending and clarifying the Office of the Information Commissioner’s powers and practices, notably including the implementation of a mandatory data breach notification scheme in Queensland.
- Recommendation 16: Revising and consolidating the Information Privacy Principles and National Privacy Principles into a single set of principles consistent with the Human Rights Act 2019 (Qld).
How can public sector agencies respond?
Agencies should now move to enhance their information management and associated practices in line with the CCC’s recommendations. That means taking measures like:
- Improving information management systems and access control mechanisms, including updating ICT policies, introducing comprehensive auditing programs that enable routine auditing to proactively identify access to sensitive personal information, and providing training to alert employees to this privacy and corruption risk.
- Undertaking regular information privacy awareness campaigns and promoting ‘privacy by design’, to ensure privacy is considered at the outset and becomes a relevant consideration in agency decision-making processes.
- Reviewing the agency’s code of conduct and related employment procedures, such that a clear avenue for decisive action is outlined in instances of misuse of sensitive confidential information, including automatic referral of such cases to the Queensland Police Service.
- Allocating responsibility for risks associated with data management and sharing, including embedding ‘privacy champions’ at the senior officer level.
Eleanor Dickens is a partner in the Clayton Utz Brisbane office and a member of the QLS Privacy and Data Committee. Sam Weston is a lawyer at Clayton Utz.
This story was originally published in Proctor May 2020.