Audit on mitigating the risks of privacy breach through staff education

Australia has seen some of the largest corporate data breaches, with the personal information of millions of Australians breached as a result of cyberattacks on Optus and Medibank Private. The impact of these breaches has reverberated across the nation and left many Australians wondering how secure their personal information is when they hand it over to an organisation.

All public sector agencies need to take heed of this as a reminder of the devastating impact a breach can have on the people affected and the reputation of the agency involved.

Our audits have helped agencies entrusted with personal information improve their practices to minimise the risk of harm and privacy breach. This audit follows on from our 2018 recommendations to all agencies and incorporates some of the findings from the Crime and Corruption Commission’s February 2020 report on Operation Impala into misuse of confidential information by public sector employees.

One risk mitigation strategy agencies can adopt is to train and educate their employees about information privacy and information security. They need to make sure their employees are aware of their obligations when it comes to protecting the personal information of Queenslanders.

For training to be effective as a risk mitigation strategy, agencies should adopt tailored training packages specific to their functions, or supplement general information privacy and security training with agency-specific training.

However, adopting comprehensive training content is not enough. Agencies must have enrolment and monitoring systems and processes that identify and follow up employees who do not complete the training within the prescribed period.

Agencies failing to appropriately address privacy and information security risks increase their exposure to privacy breaches. All Queensland government agencies should assess their practices and progress in implementing the four recommendations to all agencies in the 2018 report on to reduce privacy risks.

Read the report (PDF, 943.82 KB)