The Information Privacy Act 2009 (Qld) (the IP Act) requires agencies to handle personal information in accordance with the privacy principles. This includes protecting personal information against loss, unauthorised access, and other misuse.
Effective training and education is one strategy agencies can adopt to reduce privacy and information security risks. When agencies effectively train their staff on their obligations, it supports and maintains a robust privacy culture. Reports by the OIC and the Crime and Corruption Commission identified key requirements for all Queensland government agencies for effective privacy and information security training, including that it should:
Individual agencies are responsible for implementing OIC recommendations made to all Queensland government agencies, monitoring and reporting on progress to leadership, and taking appropriate action. OIC will continue to assess agency progress in its audit program and report to Parliament.
Privacy and information security training should be mandatory. It forms part of an agency's induction package. Employees should complete it before having access to systems containing personal information.
Mandatory periodic refresher training is just as important. It increases the likelihood of employees retaining their awareness of information privacy and security risks. Agencies can use refresher training to alert staff to any changes in their privacy and information security policies.
By requiring their staff to undertake refresher training periodically, agencies will be able to:
For training strategies to be effective, agencies must put robust systems and procedures in place to ensure all employees complete the required training.
Privacy and information security training is often computer-based, which means agencies must make other arrangements for frontline and other employees who do not have ongoing access to IT networks. Alternative training methods and reminders, such as face-to-face sessions or self-paced workbooks, must be put in place, along with procedures to report on training completion and follow up as needed.
When a very high proportion of staff complete the training, it reinforces an agency’s privacy culture and reduces the likelihood of privacy and information security risks materialising. This goal can be achieved by, for example:
Agencies have set up the following systems and processes:
An important part of effective training is recognising which parts of the agency present greater privacy and information security risks. These might be areas that, for example, handle more sensitive information or use contractors.
In addition to their privacy obligations, many agencies work with legislation that imposes confidentiality obligations on their employees, including after they leave the agency. These obligations need to be addressed in the training, as they represent an area of potentially high risk. Failure to comply can also have significant consequences for employees and the community.
Agencies should address these heightened risks in their training to increase its effectiveness as a risk mitigation strategy.
An agency introduced a mandatory confidentiality obligations module in its induction package. This ensured new employees read and understood their duty of confidentiality. The module clearly defined confidential information and the confidentiality obligations under the agency's legislation.
To be effective, training needs to be comprehensive, contemporary and relevant to the agency. Agencies can use training packages tailored to their work or offer general privacy and information security training and supplement it with agency specific training.
Whichever option the agency chooses, it is important that the training contains practical scenarios that show employees how to apply privacy and information security principles in their day-to-day duties. Including real-life scenarios and de-identified case studies can be particularly beneficial.
The training content should be up to date and incorporate all aspects of the agency's privacy and information security framework, including relevant privacy and information security policies and procedures.
As part of developing effective training, agencies have:
When training includes an assessment component, it increases the likelihood of employees understanding and retaining its content. Requiring employees to test their knowledge as part of the training gives agencies greater assurance that staff are aware of their obligations. It also enhances the effectiveness of training as a risk mitigation strategy.
Incorporating a quiz into practical, agency-based scenarios that prompts employees to consider the correct course of action.
Effective training is only one part of ensuring employees understand their privacy and information security obligations. Awareness raising activities, such as email campaigns and posting information on the agency intranet, are another way to remind employees of their privacy obligations and reinforce appropriate privacy behaviours in their everyday work.
Current as at: March 23, 2021