Follow-up audit report – Sunshine Coast Regional Council

This report presents the results of our follow-up audit of Sunshine Coast Regional Council’s progress in implementing 22 recommendations for improving compliance with the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld) tabled in Parliament on 28 November 2023.

The objective of our 2021 audit was to determine whether the council was complying with specific prescribed requirements. We made 22 recommendations to improve practices and compliance. The council supported all 22 recommendations and agreed to their implementation within what was a limited timeframe. It was an ambitious and commendable undertaking by the council.

The council has made considerable progress. It has undertaken a significant body of work to improve its right to information and privacy practices. It has fully implemented eleven recommendations, partially implemented four and is on track to implement a further five recommendations. The council has made some progress to implement the remaining two recommendations.

Sunshine Coast Regional Council has:

  • made significant changes to its information management and governance framework, particularly its key information governance body, which now has an explicit focus on proactive disclosure objectives and privacy by design
  • strengthened its proactive disclosure and administrative release framework
  • made training across right to information and information privacy mandatory for all new and existing council employees
  • grown its resources to better manage and process formal access applications and provided the community with useful information about the application process
  • settled a comprehensive and clear framework for storing and securing its optical surveillance footage, including against unauthorised access or misuse.

There is some more work to do. We found that:

  • while the council’s information governance framework is robust, there are currently insufficient plans, policies or procedures to support the framework and drive right to information and privacy aims
  • the council’s new optical surveillance framework, while clear and logical, has some overlapping legacy policies still in place, creating a risk of inconsistent practices and inefficiencies
  • the council has not fully integrated privacy impact assessments in its risk management and project management methodologies
  • the council does not have a framework in place to manage the release of de-identified data, although it has developed two policies currently under review. This creates a risk that individuals may be re-identified from documents the council has released.
