This report outlines how three government agencies educate and train their employees about their privacy obligations.
People continue to cause or contribute to a substantial proportion of privacy or data breaches by organisations. An inadvertent or deliberate disclosure of personal information can have serious consequences for the individual whose privacy the agency breached, the agency concerned and the employee.
One mitigation strategy agencies can adopt is to train and educate their employees about information privacy and information security obligations and expectations. To be effective, training and education activities should be regular, comprehensive, accurate and tailored to the context of each agency. There should also be systems and processes in place to ensure all employees complete mandatory training when due.
We audited three government agencies:
The Public Trustee
Department of Communities, Disability Services and Seniors
Key findings are that agencies need to:
Government agencies that make employees aware of their privacy and information security obligations and expectations can better protect personal information against unauthorised access, loss, misuse and disclosure.
The report makes specific findings and recommendations for improvement about the three agencies. The report also identifies examples of good practice and makes recommendations to all government agencies.