Compliance audit report – Sunshine Coast Regional Council
This report presents the results of our audit about Sunshine Coast Regional Council’s compliance with the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld) tabled in Parliament on 30 November 2021.
Sunshine Coast Regional Council has recognised that it needs to improve how it manages information. While the council is committed to proactive disclosure and continuous improvement, current gaps in information governance at the strategic and operational levels mean that its practices are not always consistent with the Acts.
Key findings are that Sunshine Coast Regional Council:
- has a range of administrative access arrangements in place and encourages people to seek information through methods other than the legislative process
- has a good process for enrolling staff into mandatory privacy training, but needs to ensure all staff complete it. Training in right to information is not yet mandatory at induction or as regular refresher
- has limited performance measures for monitoring progress in achieving the broader objectives of the Acts
- like most Queensland local governments reported in 2018, has not yet embedded privacy impact assessments into its core business and therefore, it cannot be sure it has identified and effectively mitigated the privacy risks of its activities or projects
- does not always give the community complete advice about right to information and information privacy
- lacks detailed policies and clear leadership to govern the effective operation and management of all its surveillance technologies.
We made 22 recommendations. The council supports our recommendations and intends to implement them. We will monitor the council’s progress.
As it embarks on an ambitious overhaul of its information and records management practices, Sunshine Coast Regional Council has a great opportunity to incorporate the push model and privacy by design into its new framework, including policies and procedures that support a coordinated and consistent approach around releasing information.