Mitigating the risks of privacy breach through staff education
Today the Speaker of the Queensland Legislative Assembly tabled our report in Parliament on how three government agencies mitigate the risk of privacy breach by educating and training their employees. This audit builds on our 2018 recommendations to all agencies and incorporates some of the findings from the Crime and Corruption Commission’s February 2020 report on Operation Impala into misuse of confidential information by public sector employees.
The inadvertent or deliberate disclosure of personal information can have serious consequences for the individual whose privacy was breached, the agency storing the information and the employee.
One risk mitigation strategy agencies can adopt is to train and educate their employees about information privacy and information security. Government agencies need to make sure their employees are aware of their obligations when it comes to protecting the personal information of Queenslanders.
We examined the practices in place at three government agencies and found that they have recognised the value of educating and training their employees about their privacy and information security obligations.
For training to be effective as a risk mitigation strategy, agencies should adopt tailored training packages specific to their functions, or supplement general information privacy and security training with agency specific training.
However, adopting comprehensive training content is not enough. Agencies must have enrolment and monitoring systems and processes that identify and follow up employees who do not complete the training within the prescribed period.
Agencies failing to appropriately address privacy and information security risks increase their exposure to privacy breaches. All Queensland government agencies should assess their progress against the recommendations made to the audited agencies to reduce privacy risks and evolving information security challenges.
