Queensland’s corruption watchdog has called for state government agencies to be subjected to a mandatory data breach notification scheme after uncovering corruption risks around confidential information.
The Crime and Corruption Commission made the recommendation in its Operation Impala report [pdf] into the misuse of confidential information in the state’s public sector.
Operation Impala was established last August to investigate corruption and its risks “in relation to the improper access to and disclosure of confidential information in the public sector”.
The inquiry found “potential corruption risks associated with confidential information” at seven government agencies, including police, health, transport, education and corrective services.
The report, handed down on Friday, has recommended the mandatory data breach scheme be developed and managed by the Office of the Information Commissioner Queensland (OIC).
OIC first called for the mandatory scheme in response to the government’s 2016 statutory review of the Right to Information and Information Privacy (IP) Act.
Like other jurisdictions, Queensland government agencies are currently not required to notify affected individuals or the OIC of privacy breaches under the state’s IP Act.
They are also not covered by the federal mandatory data breach notification reporting scheme, along with local councils and organisations with a turnover of less than $3 million a year.
Government agencies are instead “encouraged to voluntarily report data breaches to OIC”, though only 24 voluntary notifications were received during the 2018-19 financial year.
But there is a requirement to report information security incidents to the Queensland Government Chief Information Office.
The recommendation – which would require legislative reform – comes as the NSW government continues to review the adequacy of its voluntary data breach notification scheme.
It will use the review to determine whether to introduce a mandatory scheme extending to state government agencies, which the state's former privacy commissioner first called for in 2015.
The report has also called for the creation of a “single set of privacy principles” under the IP Act by bringing together the information privacy principles and national privacy principles.
This would involve taking on some data security and privacy principles within the European Union’s General Data Protection Regulation and the Commonwealth Privacy Act.
Other recommendations to strengthen agency privacy practices include adding a new criminal offence relating to the misuse of confidential information by public officers.
This would be punishable by up to ten years imprisonment for offences with aggravating circumstances.
“Creating a new offence in the Criminal Code will leave public servants in no doubt as to the seriousness of accessing, or disclosing, confidential information without a lawful reason,” CCC chairperson Alan MacSporran QC said.
“A new offence will appropriately classify this type of conduct as criminal in nature, and in our view this aligns with the seriousness and consequences of accessing and disclosing Queenslanders’ confidential information.”
The report similarly recommends stronger IT access controls, including “ensur[ing] all computer databases where confidential information is stored have unique user identification log-ons”, and audits of access.
Agencies are also urged to develop an “ICT information access policy” and improve prevention and detection systems that monitor outbound emails or remote accesses to report unusual accesses.
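To make the access-control recommendations above concrete, here is an added example (not code from the CCC report or any Queensland agency) that reviews constructed audit-log lines for shared logons, after-hours remote access and unusually high access volumes; the log format, account names and thresholds are assumptions.

```python
# Added example: reviewing a constructed access-audit log for the controls the
# report recommends: unique (non-shared) logons, access audits, and reporting of
# unusual accesses such as after-hours remote use or unusually high volume.
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample audit lines: "<timestamp> <user> <source> <record>"
SAMPLE_LOG = [
    "2019-03-04T09:12:01 jsmith internal REC-1001",
    "2019-03-04T09:15:40 jsmith internal REC-1002",
    "2019-03-04T10:02:11 abrown internal REC-2201",
    "2019-03-04T10:05:55 shared_counter internal REC-2202",  # shared logon
    "2019-03-04T23:41:09 abrown remote REC-3301",            # late remote access
    "2019-03-04T23:42:30 abrown remote REC-3302",
] + [f"2019-03-04T11:{i:02d}:00 cwong internal REC-44{i:02d}" for i in range(8)]

GENERIC_ACCOUNTS = {"shared_counter", "admin", "training"}  # assumed list


def review_access_log(lines, generic_accounts=GENERIC_ACCOUNTS,
                      business_hours=(7, 19), volume_factor=3.0, min_volume=5):
    """Return findings keyed by control; each value is a sorted list of user ids."""
    per_user = Counter()
    shared, after_hours = set(), set()
    for line in lines:
        ts, user, source, _record = line.split()
        per_user[user] += 1
        if user in generic_accounts:
            shared.add(user)          # breaks unique user identification
        hour = datetime.fromisoformat(ts).hour
        if source == "remote" and not business_hours[0] <= hour < business_hours[1]:
            after_hours.add(user)     # remote access outside business hours
    # Flag users whose access count is far above the typical (median) user
    typical = median(per_user.values()) if per_user else 0
    high_volume = {u for u, n in per_user.items()
                   if n >= min_volume and n > volume_factor * typical}
    return {"shared_account": sorted(shared),
            "after_hours_remote": sorted(after_hours),
            "high_volume": sorted(high_volume)}


if __name__ == "__main__":
    for control, users in review_access_log(SAMPLE_LOG).items():
        print(f"{control}: {', '.join(users) or 'none'}")
```

In practice the thresholds would be tuned per agency and each finding routed to a reviewer rather than treated as proof of misuse.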