Progress made, but more to do: Information Commissioner’s follow-up audit highlights privacy training improvements and gaps
Today the Speaker of the Queensland Legislative Assembly tabled in Parliament the Information Commissioner’s ‘Follow-up of Report No. 1 for 2022-23: Mitigating the risks of privacy breach through staff education’.
The community relies on government agencies to collect their personal information fairly and be responsible for protecting it against loss, unauthorised access and other misuse.
Agencies can adopt various strategies to comply with their legislative obligations, minimise the risk of privacy breaches and meet community expectations. One strategy is to train and educate all their employees about information privacy and security. To be effective, the training should be mandatory, regular and tailored to the agency. Systems and processes should also ensure all employees complete mandatory training when due.
In 2018-19, the Information Commissioner examined how three government agencies educated and trained their employees about their privacy obligations within the Queensland public service. We found weaknesses and identified improvement opportunities. We made four recommendations to all government agencies in our 2018-19 Report (PDF, 1241.68 KB).
In 2022-23, we audited three further agencies and examined how they educated and trained their employees about their privacy obligations. We made ten recommendations to the audited agencies and tabled our 2022-23 Report (PDF, 943.82 KB).
The Information Commissioner’s follow-up audit report into each agency’s progress in implementing our ten recommendations was tabled in the Queensland Parliament today. We found that five recommendations are fully implemented, four recommendations are partially implemented, and one recommendation has seen some progress made.
Some agencies performed better in certain areas than others. While we have seen a general improvement and strengthening of the information privacy and information security training, there are still some areas that require attention. This includes improving the tailoring of the training content and assessment.
We also found mixed outcomes for how each agency ensured that its employees completed training when required. A crucial part of any training is ensuring that new and existing employees complete it within a reasonable and defined time. Each agency made progress, but completion was not timely for two of the three agencies. There is more work to be done in this area.