Victorian public sector agencies must make their staff more aware of corruption risks surrounding unauthorised access to information, according to a new report by the state corruption watchdog.
The latest report from the Independent Broad-based Anti-corruption Commission looked at how the misuse of information or material by public servants could lead to corruption.
IBAC Commissioner Robert Redlich argued it was “vital” for information held by the public sector to be properly secured and managed.
“The unauthorised use of data has serious adverse consequences. It can threaten community safety, increase the costs of government funded projects and contracts, reduce the amount of money available for much needed public services, and make people reluctant to share information with the public sector,” he said.
“Any misuse of information, including unauthorised access or release, whether intentional or unintentional, jeopardises the valued trust that citizens have in our public institutions.”
He said the unauthorised access and disclosure of information has often been rated as low risk by agencies, despite it enabling corrupt behaviour. The commissioner encouraged public sector agencies to be more “proactive” in implementing safeguards.
The report noted that in 2016, a team leader at VicRoads — whose father had “strong links” to organised crime — had accessed and disclosed agency information without authorisation, and had modified data. In response to IBAC’s findings, VicRoads reviewed and updated its information systems as well as its education and training.
Another case study outlined in the report referred to a graduate recruit with the Department of Defence, who in 2012, posted classified government information to an online forum.
The recruit wrote “Julian Assange is my hero” and “I release what I feel should be in the media: bombings, civilian deaths, actions of the ‘terrorists’ that just aren’t reported in the media”, according to the report. They were sentenced to one year in prison.
Other case studies referred to issues including the misuse of databases, sharing of system login credentials, and organised crime groups targeting public sector employees for information.
Agencies could prevent and detect misuse of information through comprehensive audit programs, improved procurement processes, and increased awareness among employees and the community on risks and the importance of reporting incidents, the report said.
The watchdog suggested agencies implement the Victorian Protective Data Security Framework, and report all security incidents.
It also recommended an increased level of employee training in the legislative requirements for handling official information and data, to encourage reporting and educate workers on the serious consequences associated with information misuse.
Cultural change programs could also benefit agencies, IBAC said, in reference to a project undertaken by Victoria Police. The program was informed by surveys of police officers, and allowed Victoria Police to track changes in attitudes towards information security, and to assess the effectiveness of controls and initiatives.
“This project was able to set a practical baseline to measure cultural change, and assess identified strengths and weaknesses in attitudes, behaviours, processes and systems across the organisation,” the report stated.
“Public sector agencies could replicate this project using their own surveys to initiate action and measure their cultural change program towards information security. This could assist in minimising opportunities and instances of unauthorised information access and disclosure.”