Media release: Compliance audit report – Sunshine Coast Regional Council
Queensland’s Office of the Information Commissioner’s (OIC) compliance audit report of Sunshine Coast Regional Council was tabled in Parliament today (30 November 2021).
This report presents OIC’s findings on the council’s compliance with the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld).
OIC found that the council is committed to proactive disclosure and continuous improvement. However, current gaps in information governance at the strategic and operational levels mean that its practices are not always consistent with the Acts.
As it embarks on an ambitious overhaul of its information and records management practices, Sunshine Coast Regional Council has a great opportunity to incorporate the push model and privacy by design into its new framework.
OIC made 22 recommendations, which the council supports and either intends to implement or has already started implementing. OIC will monitor the council’s progress.
Information Commissioner Rachael Rangihaeata said, “I am pleased to see that the council took ownership of its information management practices and compliance by commissioning a review and developing a road map to improve how it governs and manages information.”
“The recommendations of this compliance audit will support Sunshine Coast Regional Council’s project, including ensuring its policies and procedures facilitate a coordinated and consistent approach for releasing or publishing information.”
Sunshine Coast Regional Council:
- has a range of administrative access arrangements in place and encourages people to seek information through methods other than the legislative process
- has a good process for enrolling staff into mandatory privacy training, but it needs to ensure all staff complete it. Training in right to information is not yet mandatory at induction or as a regular refresher.
- has limited performance measures for monitoring progress in achieving the broader objectives of the Acts
- like most Queensland local governments reported in 2018, has not yet embedded privacy impact assessments into its core business and therefore cannot be sure it has identified and effectively mitigated the privacy risks of its activities or projects
- does not always give the community complete advice about right to information and information privacy
- lacks detailed policies and clear leadership to govern the effective operation and management of all its surveillance technologies
“Implementation of the audit recommendations will improve right to information and privacy practices and outcomes for the community. The council will build trust through greater transparency as a result.”