Minimising Personal Information Held: Strategies to mitigate the risk of privacy breaches
Every day, Queensland government agencies collect our personal information in connection with their provision of services to Queenslanders. The more personal information agencies collect and hold, the greater the risk of a privacy breach.
Government agencies can mitigate the risk of a privacy breach.
Government agencies should ensure they do not over collect personal information and collect only the information they need to deliver services. They should also ensure they do not hold the personal information they collect any longer than it is required. This includes the risk of unauthorised access, use, disclosure, and/or loss of personal information, whether intentional or accidental.
Privacy breaches can have serious consequences for affected individuals and the community. For government agencies, a privacy breach involving the unauthorised access or disclosure of personal information can impact public trust in government and undermine the ability of agencies to carry out and deliver important public services, particularly as government embraces digital services as part of the digital economy.
The Office of the Information Commissioner audited Urban Utilities to examine its management of privacy risks through minimising the amount of customer personal information it collects and holds.
We found that Urban Utilities:
- uses several systems and platforms to collect and hold its residential customers’ personal information
- generally only collects and holds the names, addresses and contact details of its residential customers, and
- manages privacy risks by only collecting the personal information it requires to deliver services to its residential customers.
We also found that Urban Utilities destroys most of its residential customers’ personal information when it is no longer required. It has a disposal framework and robust processes for its billing system. The framework is generally good, but could be strengthened and better integrated with Urban Utilities’ broader systems.
The report recommends Urban Utilities strengthen its processes for disposing of residential customers’ personal information. It also recommends Queensland government agencies implement good information practices, namely that they:
- identify and review all information holdings and systems that contain personal information
- assess the privacy risks of those holdings and systems
- collect the minimal amount of personal information required, and
- implement appropriate information disposal procedures.