Follow-up audit of awareness of privacy obligations
This report outlines the progress made by three government agencies in implementing the recommendations of our 2018-19 audit. Our audits have helped agencies entrusted with personal information improve their practices to minimise the risk of harm to the community.
While the original audit focused on the Department of Communities, Disability Services and Seniors, TAFE Queensland and The Public Trustee, we also made recommendations to all Queensland government agencies.
An inadvertent or deliberate disclosure of personal information can have serious consequences for the individual whose privacy has been breached, the agency concerned and the employee.
One risk mitigation strategy agencies can adopt is to train and educate their employees about information privacy and information security obligations and expectations. Government agencies that make employees aware of their obligations can better protect personal information against unauthorised access, loss, misuse and disclosure.
Over the last two years, the three audited agencies have done significant work on educating their staff about information privacy and security obligations. They have implemented all 12 recommendations from our original audit.
The three agencies now mandate periodic refresher training and have set up systems and processes to monitor and report on completed training. They have also updated their training material to better reflect policies and procedures and include practical scenarios.
All Queensland government agencies should assess their own progress against the four recommendations we made to all agencies in the 2018-19 report, and take action to reduce information privacy and security risks:
- include information privacy and information security training in their mandatory induction process for all employees.
- mandate periodic refresher training on information privacy and information security for all employees.
- ensure the training content on information privacy and information security is comprehensive, contemporary and tailored to the agency’s context.
- implement systems and procedures to ensure all employees complete mandatory training on information privacy and information security when due.
The Office of the Information Commissioner (OIC) will continue to assess agencies against these recommendations in future audits and report to Parliament.