Misuse of confidential information by public sector agencies: the case for reform

By Eleanor Dickens and Sam Weston
05 Mar 2020
Useful measures include improving information management systems and access control mechanisms, and undertaking regular information privacy awareness campaigns.

The misuse of confidential information by public sector agencies has always been a known corruption risk. However, as the volume and scope of the confidential and personal information holdings of public sector agencies continues to expand and community expectations rise, agencies must now respond to this risk with an increased focus and range of mechanisms to avoid the legal and reputational risks arising from the potential misuse of confidential information.

Victoria's Independent Broad-Based Anti-Corruption Commission and Queensland's Crime and Corruption Commission (CCC) have both recently released reports dealing with the misuse of confidential information held by public sector agencies.

This article considers how agencies can respond to this risk, by reference to recent reports released by State-based corruption regulators with a focus on the report by the CCC.

Operation Impala

On 21 February 2020, the CCC released the report titled "Operation Impala – Report on Misuse of Confidential Information in the Queensland Public Sector", examining the practices of a cross-section of the Queensland public sector with a particular focus on the misuse of confidential information of a personal nature by Queensland public sector agencies.

The issue of public sector misuse of confidential information of a personal nature has been in the CCC's crosshairs since 2016, as a "key enabler of other types of corrupt conduct".

After a spike in allegations from 2015 to 2019, the CCC commissioned Operation Impala to examine how and why confidential information can be misused, as well as the impacts of unauthorised access and disclosure on both agencies and victims of misuse. In November 2019, a public hearing for the Operation heard evidence from 31 witnesses including agency Chief Executives.

The CCC made 18 separate recommendations which provide a blueprint for how public sector agencies across all jurisdictions can better manage this increasing corruption risk.

Misuse of confidential information: how and why?

The CCC reported that agencies were at "varying levels of maturity" in confidential information management practices, which were influenced by the types of information collected and managed, as well as the strength of organisational culture in reinforcing the importance of protecting that information.

Consistent risk areas contributing to misuse of confidential information were said to stem from pressures on agencies to:

  • manage vast and diverse volumes of information;
  • ensure consistent approaches to information security across devolved entities; and
  • keep up with technological advances with the potential to impact on information security, access control systems and or database usability.

The CCC found the key motivations for improperly accessing confidential information from public sector databases include personal interest (curiosity), material benefit (such as a financial incentive), relationships (organised crime groups or calling on favours, threats) and personal circumstances (drug-related issues, anxiety, broken relationships).

The 18 recommendations: what's next?

Broadly, the CCC's recommendations in dealing with this corruption risk can be grouped into five categories:

  • recommendations 1-9 and 18: introducing several technical and organisational enhancements to strengthen information management systems to create a more "privacy-aware culture";
  • recommendation 10: creating a new offence in the Criminal Code better suited to offending related to misuse of confidential information, punishable by five years' imprisonment (increasing to ten years in aggravated circumstances).
  • The CCC found that section 408E of the Criminal Code ("Computer hacking and misuse"), which is currently used to prosecute public sector employees who improperly access or disclose confidential information, is inadequate. It noted, among other things, that section 408E does not address a situation where an employee accesses confidential information that is not stored on a secure database, and that current penalties do not reflect the seriousness of deliberate breaches;
  • recommendations 13 and 17: improving remedies available for victims of misuse of confidential personal information, notably including a recommendation that the State Government consider introducing a statutory tort for misuse of private information;
  • recommendations 11, 12, 14 and 15: extending and clarifying the Office of the Information Commissioner’s powers and practices, notably including the implementation of a mandatory data breach notification scheme in Queensland; and
  • recommendation 16: revising and consolidating the Information Privacy Principles and National Privacy Principles into a single set of principles consistent with the Human Rights Act 2019 (Qld).

How can agencies respond?

To best manage this corruption risk, public sector agencies should now move to enhance their information management and associated practices in line with the CCC's recommendations. That means taking measures, including:

  • improving information management systems and access control mechanisms, including updating ICT policies and introducing comprehensive auditing programs enabling routine auditing to proactively identify access to sensitive personal information and training to alert employees to this privacy and corruption risk;
  • undertaking regular information privacy awareness campaigns and promoting "Privacy by Design", to ensure privacy is considered at the outset and becomes a relevant consideration in agency decision making processes;
  • reviewing the agency's code of conduct and related employment procedures, such that a clear avenue for decisive action is outlined in instances of misuse of sensitive confidential information, including automatic referral of such cases to the Queensland Police Service; and
  • allocating responsibility for risks associated with data management and sharing, including embedding "privacy champions" at the senior officer level.
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.