Managing confidential information in the public sector

01 February 2018

Adam Fairhurst, Senior Manager, Forensic Services |

Did you know one of the top corrupt conduct allegations reported to regulatory authorities in the public sector, is computer misuse?  Australian Corruption watchdogs are consistently seeing more cases each year.

For example, police officers have access to a substantial amount of private information of the citizens within the community they serve. Media coverage of criminal proceedings within the Queensland Police Service (QPS), by the Crime and Corruption Commission (CCC) in Queensland for offences of ‘Computer Hacking and Misuse’ under section 408E Qld Criminal Code 1899, have highlighted misuse or suspected hacking cases by public officials. Unfortunately, some officer’s usage appears to have been without permission or to search for things unrelated to his/her job.

It is not only law enforcement that have access to your personal information. We often forget how  often our information is recorded and taken for granted; e.g. a hospital visit, renewing a driver’s licence, applying for a job, completing a warranty form, and so on. Undoubtedly your personal information held will be accessed by someone for legitimate reasons, it’s the integrity or ethics of that person, and the organisation holding your personal details, as to whether there is a risk that information is compromised.

Culture plays a role, but don’t assume

Organisations with a strong ethical culture will employ people with the same core integrity and ethics. The commitment and promotion of that integrity will reduce the risk that a client’s personal information will be compromised. But hackers don’t always come in the form of a shady cybercriminal using a home computer and are always looking for new ways to find information.

If a rogue employee was to ‘access’ your personal information without authority via a restricted computer, then they commit only part of this listed criminal offence. If the information obtained is then ‘disclosed’ to another or ‘used’ by the person who accessed with intent to cause a detriment or damage, or gains or intends to gain a benefit, then the penalty increases. If the information obtained is utilised to commit an indictable offence, or the benefit is over $5,000 then the penalty increases again.

The offence section with the Queensland Criminal Code, states the only defence to a charge under this section is to prove that the use of the restricted computer that holds the personal information was authorised (e.g. in the execution of one’s duties/employment), justified (e.g. to ensure the safety of a person) or excused by law (e.g. a statutory reason for accessing the personal information). For public sector agencies computer misuse can be suspected as corrupt conduct.

If your personal information is compromised then it’s unlikely the perpetrator who accessed the information is in the media, it will be the name, brand and a representative of the organisation. This negative exposure will cause more organisational detriment, both financially and in reputation, than the offender who accessed the information.

For organisations subject to the recent ‘Financial Services Royal Commission’ focusing on misconduct in the banking, superannuation and financial services industry, a review of systems and culture is pertinent. For public sector agencies, especially in Queensland, with the recent ‘Machinery of Government and administrative changes’ it is timely for corporate governance reviews of systems that could cause public discontent if breached.

Are your systems adequate and reviewed regularly?

BDO has recently assisted private sector organisations and two large Queensland State Government Departments regarding corporate governance reviews of their systems. This includes; but is not limited to a full assessment of policies, procedures, frameworks, training and templates surrounding corrupt conduct, misconduct, compliance and investigations.

Our BDO team review and determine whether the culture of the organisation is of concern in relation to the issue of computer misuse. We also examine all other suspected corrupt conduct, misconduct or breach of compliance related activities within an organisation.

For more information or a confidential consult, please contact Adam Fairhurst or email [email protected].