Media release: Progress made, but more to do: Information Commissioner’s follow-up audit highlights privacy training improvements and gaps
The Queensland Information Commissioner’s report, ‘Follow-up of Report No. 1 for 2022-23: Mitigating the risks of privacy breach through staff education’, was tabled in Parliament today (11 June 2025).
The report presents the results of a follow-up audit to assess what progress three agencies made in implementing ten recommendations made in an Information Commissioner audit report tabled in our 2022-23 Report (PDF, 943.82 KB).
The community relies on government agencies to collect their personal information fairly and be responsible for protecting it against loss, unauthorised access and other misuse.
Agencies can adopt various strategies to comply with their legislative obligations, minimise the risk of privacy breaches and meet community expectations. One strategy is to train and educate all their employees about information privacy and security. To be effective, the training should be mandatory, regular and tailored to the agency. Systems and processes should also ensure all employees complete mandatory training when due.
In 2018-19, we examined how three government agencies educated and trained their employees about their privacy obligations within the Queensland public service. We found weaknesses and identified improvement opportunities. We made four recommendations to all government agencies in our 2018-19 Report (PDF, 1241.68 KB).
In 2022-23, we audited three other government agencies and examined how they educated and trained their employees about their privacy obligations: the Department of Transport and Main Roads, WorkCover Queensland and Queensland Rural and Industry Development Authority. We made ten recommendations – one to the Department of Transport and Main Roads, two to WorkCover Queensland and seven to Queensland Rural and Industry Development Authority.
Broadly, the recommendations involved:
- mandating education and training requirements;
- developing and rolling out comprehensive information privacy and information security training; and
- implementing robust enrolment and monitoring systems to ensure information privacy and information security training is completed when due.
The agencies accepted our recommendations and proposed actions to implement them by November 2023.
In 2024-25, we commenced a follow-up audit to assess what progress the three agencies made in implementing the recommendations. Information Commissioner Joanne Kummrow said, ‘Our follow-up audit found progress. Five recommendations are fully implemented, four recommendations are partially implemented, and one recommendation has seen some progress made.’
‘Some agencies performed better in certain areas than others. While we identified a general improvement and strengthening of privacy and information security training within government agencies, there are areas that require further attention. These include tailoring training content to an agency’s particular functions and personal information holdings. It also includes ensuring programs include post-training assessment in order to assess a participant’s knowledge and to evaluate the program’s effectiveness’, said Ms Kummrow.
Ms Kummrow also said that there were ‘mixed outcomes for how each agency ensured that its employees completed privacy and information security training. A crucial part of any training is ensuring that all employees complete it within a reasonable and defined timeframe. While each agency made progress, completion of training was not timely for two of the three agencies. There is more work to be done in this area.’
Read the full report (PDF, 937.66 KB)
Media contact: Steve Haigh
Phone: 3234 7373