Confidential information

Confidential information is any information with restrictions placed on the communication or dissemination of that information.

NSW public sector agencies often hold and manage large amounts of confidential information. Corruption from the release of confidential information to individuals not entitled to view it may lead to financial, functional and reputational costs to an agency.

Public sector agencies must ensure that confidential information is securely held and used only for the purposes for which it was collected.

The Privacy and Personal Information Protection Act 1998 (NSW) sets privacy standards for dealing with personal information and the Health Records and Information Privacy Act 2002 (NSW) sets privacy standards for dealing with health information. Both apply to NSW state and local government agencies.

The improper use of confidential information can constitute corrupt conduct as defined by the Independent Commission Against Corruption Act 1988


Corruption risks

A risk assessment of confidential information in a public sector agency may identify some or all of the following corruption risks:

  • A former employee providing confidential information to a new employer to aid dealings with the agency.
  • An employee providing confidential information to a third party to gain an advantage when dealing with an agency.
  • An employee leaking politically sensitive information to a member of the public or other stakeholder, such as the media.
  • An employee using personal information about a client for private purposes such as debt collection or stalking.

 

Managing corruption risks

As a minimum your agency should:

  • Introduce policy and procedures for confidential information that contain elements listed in the Policy Development Guide and Checklist (see Tips and tools below).
  • Include in the policy sanctions for any breach of the policy and procedures. 
  • Review the policy every two years.
  • Train all relevant employees in the policy and procedures to ensure they are aware of their responsibilities.
  • Include confidentiality clauses in contracts.
  • Include 'use of information' requirements for employees exiting the organisation.
  • Refer to confidential information in all relevant corporate documents such as codes of conduct.
  • Include confidential information as a risk to be assessed in the agency's internal audit and corruption risk management processes.

The following record-keeping requirements should be included in the policy:

  • Information contained in records is classified as confidential or non-confidential.
  • Security labels (such as "in-confidence", "protected") are assigned to particularly sensitive documents.
  • An audit trail, which logs access to electronic documents that contain confidential information.
  • Restrict access to confidential information to those officers, or other individuals, that need to access it.
  • The processes for gaining access to, releasing, modifying or releasing confidential information are all clearly documented.

Following your risk assessment of confidential information consider these risk management strategies: 

  • Clearly defining and identifying what information is confidential and the extent of that sensitivity (ie. in what circumstances and to whom it can be communicated)
  • Securely storing any documents containing confidential information.
  • Tracking copies of documents containing confidential information.
  • Implementing procedures for removing confidential information as soon as possible from laptops and other mobile computing devices.
  • Implementing processes for protecting confidential information before engaging in any sharing arrangements with another organisation.
  • Assigning overall responsibility for protecting confidential information to a senior employee(s).
  • Maintaining, wherever possible, control over intellectual property rights.
  • Releasing publicly available information promptly, reliably and cost effectively.

 

Case studies

 Case study 1: Insider information
An agency contacted the ICAC about the conduct of one of its employees in relation to a tender.

The employee had taken leave without pay indicating that he was looking for employment elsewhere. He was informed by the agency that he could not participate in an upcoming tender because of the knowledge he had obtained from working for the agency.

One of the tenderers hired him as a consultant and they subsequently won the contract. When it was revealed that his inside knowledge had helped them, the contract was revoked, as it was not possible to reverse the advantage from the information provided by the agency employee.

 Case study 2: Corrupt trade in information
One of the ICAC's largest public inquiries involved allegations that NSW public officials, including police officers, corruptly sold confidential information in their care to insurance companies, financial institutions, private inquiry and commercial agents, lawyers and others.

 

The inquiry revealed that buying and selling government information had been standard practice over many years, mainly for the purpose of locating debtors and preparing for litigation but also for other inappropriate purposes.

Evidence showed that there was no consistent government policy to determine what information should be protected and what information should be available to the public. In addition, access to information that was legitimately available had often been slow so that a parallel illicit trade developed with greater speed its main selling point.

At the same time, information that had been classified as confidential was generally not well protected.

A total of 155 people were found to have engaged in corrupt conduct, and a further 101 were found to have engaged in conduct which allowed, encouraged or caused the occurrence of corrupt conduct.

The recommendations to reduce the risk of this kind of corruption related to:

  • the need for consistent classification of information that is confidential
  • having procedures for the legitimate release of public information that are quick and cost effective, and
  • improving the security of information that is classified as confidential.


Frequently asked questions

Would it be safer to treat any agency information as confidential? 

If in doubt, it is probably safer to err on the side of caution and classify information as confidential.

However, there is a risk from over-classification of information. If information that should be publicly available is not, agency employees may sell this information to interested parties. This may also apply in cases where such information is available to members of the public but the process has unnecessary financial or temporal obstacles.

Over-classification may also adversely impact the efficiency of agency employees.

We have a large collection of confidential information. How do we prioritise the security of this information?

The level and cost of security processes used to secure confidential information should depend on:

  • the value of the information
  • the harm its release might cause
  • the potential for corrupt conduct to occur.

It may be difficult to quantify the financial costs and performance impact of new security systems before they are implemented. Consequently, it is often advisable to pilot new security measures before an agency-wide implementation is made.

How should the issue of confidentiality of information be addressed in the context of a new information system (such as a database)?

Confidentiality is an issue that needs to be addressed in the planning phase of an information system because:

  • it is difficult to recover confidential information once it is made public
  • it is difficult to change a security system once it is in place; for example, the amount of confidential information may influence the design of the security system.

Resources
 

Relevant ICAC investigations

 

Relevant websites

Legislation

  • Privacy and Personal Information Protection Act 1998 (NSW)
  • Health Records and Information Privacy Act 2002 (NSW) 

 

Related topics on the ICAC website