Achieving effective privacy and information security training

The Information Privacy Act 2009 (Qld) (the IP Act) requires agencies to handle personal information in accordance with the privacy principles.[1] This includes protecting personal information against loss, unauthorised access, and other misuse.[2]

Effective training and education is one strategy agencies can adopt to reduce privacy and information security risks. Training staff effectively on their obligations[3] supports and maintains a robust privacy culture.[4] Reports by the OIC[5] and the Crime and Corruption Commission[6] identified key requirements for effective privacy and information security training that apply to all Queensland government agencies, including that it should:

  • be mandatory and periodic
  • be monitored and followed up to ensure completion
  • cover all relevant elements of information privacy and information security
  • be accurate and consistent with the IP Act, any confidentiality and security obligations, and relevant policies and procedures
  • be practical, contemporary and tailored to the agency’s context; and
  • include an assessment component.

Individual agencies are responsible for implementing OIC recommendations[7] made to all Queensland government agencies, monitoring and reporting on progress to leadership, and taking appropriate action. OIC will continue to assess agency progress in its audit program and report to Parliament.

Training must be mandatory and periodic

Privacy and information security training should be mandatory and should form part of an agency's induction package. Employees should complete it before they are given access to systems containing personal information.

Mandatory periodic refresher training is just as important. It increases the likelihood of employees retaining their awareness of information privacy and security risks. Agencies can use refresher training to alert staff to any changes in their privacy and information security policies.

By requiring their staff to undertake refresher training periodically, agencies will be able to:

  • demonstrate that their employees are aware of their privacy and information security obligations; and
  • reinforce an effective privacy culture.

Training must be monitored and followed-up

For training strategies to be effective, agencies must put robust systems and procedures in place to ensure all employees complete the required training.

Alternative training delivery

Privacy and information security training is often computer-based, which means agencies must make other arrangements for frontline and other employees who do not have ongoing access to IT networks. Alternative training methods and reminders, such as face-to-face sessions or self-paced workbooks, must be put in place, along with procedures to report on training completion and follow up as needed.

When a very high proportion of staff complete the training, it reinforces an agency’s privacy culture and reduces the likelihood of privacy and information security risks materialising. This goal can be achieved by, for example:

  • automatically enrolling employees into training programs
  • setting dates by which training must be completed
  • sending prompts and email reminders to employees to complete the training when it is due
  • copying individual managers into reminder emails sent to employees
  • providing regular reports on training completion to management and/or senior executives; and
  • ensuring follow up of incomplete training with individual employees.

Examples

Agencies have set up the following systems and processes:

  • a central learning management system automatically prompts users to complete their training and produces quarterly completion reports for management
  • regional human resource teams are responsible for generating compliance reports and forwarding them to individual managers where necessary; managers are then responsible for following up outstanding training with employees
  • a system which automatically enrols employees and prompts them to complete training when due (including employees with limited or no access to the IT network); individual managers are copied into reminder emails sent to staff; and
  • senior executives receive quarterly strategic reports on training completion in their areas and business areas follow up incomplete training with individual employees.

Training needs to target high-risk areas

An important part of effective training is recognising which parts of the agency present greater privacy and information security risks. These might be areas that, for example, handle more sensitive information or use contractors.

In addition to their privacy obligations, many agencies work under legislation that imposes confidentiality obligations on employees, including after they leave the agency. These obligations need to be addressed in the training, as they represent a potentially high-risk area. Failure to comply can also have significant consequences for employees and the community.

Agencies should address these heightened risks in their training to increase its effectiveness as a risk mitigation strategy.

Example

An agency introduced a mandatory confidentiality obligations module in its induction package. This ensured new employees read and understood their duty of confidentiality. The module clearly defined confidential information and the confidentiality obligations under the agency's legislation.

Training must be contemporary, practical and tailored to the agency

To be effective, training needs to be comprehensive, contemporary and relevant to the agency. Agencies can use training packages tailored to their work or offer general privacy and information security training and supplement it with agency specific training.

Whichever option the agency chooses, it is important that the training contains practical scenarios that show employees how to apply privacy and information security principles in their day-to-day duties. Including real-life scenarios and de-identified case studies can be particularly beneficial.[8]

The training content should be up to date and incorporate all aspects of the agency's privacy and information security framework, including relevant privacy and information security policies and procedures.

Examples

As part of developing effective training, agencies have:

  • developed a training module that reflects the content of the agency's Information Privacy Plan, including examples of the types of personal information the agency collects, and how the Information Privacy Principles apply to collection, use and disclosure of personal information
  • incorporated detailed scenarios into their training package, specific to the work of the agency, which cover a wide range of situations, including collecting, using and disclosing personal information
  • developed induction training which captures key features of the agency's information security policy, including a detailed list of employee responsibilities, and how to classify and handle information; and
  • developed mandatory refresher training that captures key elements of the agency's information security policy, including safeguarding user ID and passwords.

Training needs to include an assessment

When training includes an assessment component, it increases the likelihood of employees understanding and retaining its content. Requiring employees to test their knowledge as part of the training gives agencies greater assurance that staff are aware of their obligations. It also enhances the effectiveness of training as a risk mitigation strategy.[9]

Example

Incorporating a quiz into practical, agency-based scenarios, prompting employees to consider the correct course of action.

Additional steps

Effective training is only one part of ensuring employees understand their privacy and information security obligations. Awareness raising activities, such as email campaigns and posting information on the agency intranet, are another way to remind employees of their privacy obligations and reinforce appropriate privacy behaviours in their everyday work.

Examples

  • A series of short 'did you know' articles, published on the agency intranet home page, covering practical privacy topics such as misdirected emails, shredding documents, floor security and privacy impact assessments.
  • Using all-staff emails and intranet campaigns to promote the agency's privacy and information security policies, including a virtual cyber security champion who promotes information security across various online channels.

Notes

[1] The National Privacy Principles (NPPs) for health agencies and the Information Privacy Principles (IPPs) for non-health agencies.
[2] NPP 4 and IPP 4.
[3] Report No. 1 for 2018-19, Awareness of privacy obligations, and the Follow-up of Report No. 1 for 2018-19, Awareness of privacy obligations, Report No. 3 to the Queensland Legislative Assembly for 2020-21 (the follow-up report). Examples used in this guideline come from the follow-up report.
[4] The Crime and Corruption Commission's Operation Impala Report on misuse of confidential information in the Queensland public sector, tabled in February 2020 (Operation Impala report).
[5] The follow-up report.
[6] Operation Impala report.
[7] Report No. 1 for 2018-19, Awareness of privacy obligations.
[8] Operation Impala report.
[9] The follow-up report.

Current as at: March 23, 2021