Compliance audit report - Bundaberg Regional Council
This report, tabled in Parliament on 27 November 2019, presents the results of our audit of Bundaberg Regional Council’s compliance with the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld).
We set the scope of the compliance audit to focus on the key areas of risk the council identified in the 2018 electronic audit, and the risks identified across all agencies reported in: 10 years on: Queensland government agencies’ self-assessment of their progress in right to information and information privacy.
Bundaberg Regional Council has embarked on a program of change following our 2018 self-assessment electronic audit. It identified several aspects of its practices it could improve and developed an action plan to address them.
We found that the council is committed to right to information and information privacy. Although it still needs to develop and implement some policies, systems and processes, it has worked hard to comply with its legislative obligations. For example, it has established a good process for training new staff about their right to information and information privacy responsibilities.
Key findings are that Bundaberg Regional Council:
- does not have an information governance framework that supports the proactive disclosure objectives of the Right to Information Act 2009. However, during the audit, it assigned responsibility for proactive disclosure across the council to its Information Services Steering Committee
- has limited performance measures for monitoring progress in achieving the broader objectives of the Acts
- like most Queensland local governments, has not yet embedded privacy impact assessments into its core business and therefore cannot be sure it has identified and effectively mitigated the privacy risks of its activities or projects
- is open and transparent about the personal information it holds, but the collection notice it often uses is too broad for individuals to make an informed decision whether to share their personal information
- needs to do more work on how it operates and manages its surveillance cameras
- has a range of administrative access arrangements in place, thus supporting the push model; however, it could promote them better.
We made 12 recommendations. The council supports our recommendations and intends to implement them. We will monitor the council’s progress.