Summary
As members of the community, we all require services from government agencies at some time. For example, we may apply for a fishing permit or want a copy of a birth certificate. Our children could be enrolled in state schools, or we may have to be admitted into a public hospital.
Every day, government agencies collect and hold our personal information to carry out their roles in serving Queenslanders. It might be as simple as checking our personal details, such as our name, address and date of birth, to renew a driver’s licence. There could also be more complex reasons for which extra personal information is required, for example, when the police are investigating an incident.
It does not mean that government agencies need to collect all our personal information or that they can hold on to it indefinitely. Collecting more information than necessary and not disposing of it when it is no longer required increases the risk of a privacy breach, including the risk of unauthorised access, use, disclosure, and/or loss of personal information, whether intentional or accidental.
The community expects that government agencies collect our personal information responsibly and fairly, and keep it safe. Agencies must meet their legislative and privacy obligations under the Information Privacy Act 2009 (Qld) and the information privacy principles.
Privacy breaches can, and do, have serious consequences for affected individuals, the community and agencies. In its Data breach preparation and response guide, the Office of the Australian Information Commissioner states:
Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.
For government agencies, a privacy breach involving personal information collected and held by government can impact public trust in government and undermine the ability of agencies to carry out and deliver important public services.
Agencies can adopt various strategies to mitigate risks of privacy breaches. The simplest, and perhaps easiest, strategies are to collect the minimal amount of personal information required and not to keep it for longer than necessary.
The Office of the Information Commissioner audited Urban Utilities to determine whether the agency adequately manages its privacy risks and obligations by minimising the amount of customer personal information it collects and holds.
Context
In Queensland, the Information Privacy Act 2009 (Qld) provides a framework to secure individuals' personal information and protect their privacy. Agencies must comply with the information privacy principles (IPPs) and legislative requirements of the Act when they collect and handle personal information. They should also ensure compliance with other pertinent information management and data security frameworks. These include the Public Records Act 2002, relevant retention and disposal schedules, and information security, access and use policies, standards and guidelines.
For example, under IPP1, agencies must not collect personal information unless it is necessary to fulfil the purpose and directly related to the function of the agency. And, under IPP4, agencies must protect documents containing personal information against loss, unauthorised access or disclosure and any other misuse. These are strict obligations that the Information Privacy Act 2009 (Qld) places on how an agency handles personal information. This means that agencies need to consider what they collect and how it is managed.
Government agencies should also build privacy protections into systems and practice design upfront. This embeds a 'privacy by design' approach into agency practices.
It is critical that government agencies collect and dispose of personal information in an accountable and transparent way. Agencies need to outline why they need the personal information and whether it is necessary for their functions. They also need to discard the information at the end of its lifecycle.
All government agencies can adopt strategies to mitigate privacy risk at various stages of the information's lifecycle. Figure 1 identifies these stages.
Figure 1 Securing personal information

Each stage in the lifecycle of personal information is critical to risk management. This audit focussed on two distinct phases:
- minimising what personal information is collected (phase 1)
- disposing of personal information when no longer required (phase 5).
We assessed one Queensland government agency's practices for collecting and disposing of its customers' personal information – Queensland Urban Utilities (Urban Utilities).
Urban Utilities
Urban Utilities is a statutory authority responsible for retail water supply and wastewater services across five local government areas in South East Queensland. This includes the councils of Brisbane, Ipswich, Lockyer Valley, Scenic Rim, and Somerset. Figure 2 shows this geographic area.
Urban Utilities is the retail water and sewage service provider for approximately 633 300 residential properties and 30 300 commercial properties. If you live within the geographic perimeter of Urban Utilities’ responsibility, it is highly likely that you receive services from Urban Utilities in some form. If this is the case, it is also probable that you or someone in your household is a customer. This means that Urban Utilities holds your personal information.
In 2022, Urban Utilities conducted an internal audit of aspects of its privacy management framework. It led to changes to its practices, particularly surrounding key internal systems that collect, hold and dispose of customers’ personal information. These changes have been formative to how Urban Utilities manages its risks for collecting and disposing of personal information.
Audit scope and objective
The objective of this audit was to determine whether Urban Utilities adequately manages its privacy risk and obligations by minimising the amount of customer personal information it collects and holds.
We set the scope of the audit to focus on two key areas of risk and examine whether Urban Utilities:
- only collects the personal information it requires to deliver services to its customers
- disposes of customer personal information when it is no longer required.
The audit scope did not include:
- Urban Utilities' practices about personal information holdings relevant to its employee and human resources functions
- implications that may arise from the Information Privacy and Other Legislation Amendment Act 2023 (Qld).
We commenced our audit of Urban Utilities in February 2024. We met with key Urban Utilities business units and examined evidence from this time until August 2024. This report presents our findings from evidence gathered during this period.
We have, at section 3.3 of this report, referred to information Urban Utilities has subsequently provided to us.
Report structure
We structured our report as follows:
| Section | Contents |
|---|---|
| Chapter 1 | discusses personal information, the audit objective and scope and provides a general overview of the audited agency |
| Chapter 2 | examines what personal information Urban Utilities collects |
| Chapter 3 | examines how Urban Utilities disposes of customer personal information |
| Chapter 4 | contains Urban Utilities’ response and action plan |