Audit of awareness of privacy obligations

This report outlines how three government agencies educate and train their employees about their privacy obligations.

People continue to cause or contribute to a substantial proportion of privacy or data breaches by organisations. An inadvertent or deliberate disclosure of personal information can have serious consequences for the individual whose privacy the agency breached, the agency concerned and the employee.

One mitigation strategy agencies can adopt is to train and educate their employees about information privacy and information security obligations and expectations. To be effective, training and education activities should be regular, comprehensive, accurate and tailored to the context of each agency. There should also be systems and processes in place to ensure all employees complete mandatory training when due.

We audited three government agencies:

  • The Public Trustee
  • Department of Communities, Disability Services and Seniors
  • TAFE Queensland.

Key findings are that agencies need to:

  • consider the privacy risks of their various functions and identify education and training as a risk mitigation strategy
  • ensure training content is comprehensive, accurate and relevant to the context of the agency
  • ensure training is mandated at induction and at regular intervals during the employee’s employment with the agency
  • have systems and processes to enrol employees in the training module and identify and follow up employees who do not complete training within the prescribed period.

Government agencies that make employees aware of their privacy and information security obligations and expectations can better protect personal information against unauthorised access, loss, misuse and disclosure.

The report makes specific findings and recommendations for improvement about the three agencies. The report also identifies examples of good practice and makes recommendations to all government agencies.

Read the full report (PDF, 1241.68 KB)