Confidential information is any information with restrictions placed on the communication or dissemination of that information.
NSW public sector agencies often hold and manage large amounts of confidential information. Corruption from the release of confidential information to individuals not entitled to view it may lead to financial, functional and reputational costs to an agency.
Public sector agencies must ensure that confidential information is securely held and used only for the purposes for which it was collected.
The Privacy and Personal Information Protection Act 1998 (NSW) sets privacy standards for dealing with personal information and the Health Records and Information Privacy Act 2002 (NSW) sets privacy standards for dealing with health information. Both apply to NSW state and local government agencies.
The improper use of confidential information can constitute corrupt conduct as defined by the Independent Commission Against Corruption Act 1988.
A risk assessment of confidential information in a public sector agency may identify some or all of the following corruption risks:
- A former employee providing confidential information to a new employer to aid dealings with the agency.
- An employee providing confidential information to a third party to gain an advantage when dealing with an agency.
- An employee leaking politically sensitive information to a member of the public or other stakeholder, such as the media.
- An employee using personal information about a client for private purposes such as debt collection or stalking.
Managing corruption risks
As a minimum your agency should:
- Introduce policy and procedures for confidential information that contain elements listed in the Policy Development Guide and Checklist (see Tips and tools below).
- Include in the policy sanctions for any breach of the policy and procedures.
- Review the policy every two years.
- Train all relevant employees in the policy and procedures to ensure they are aware of their responsibilities.
- Include confidentiality clauses in contracts.
- Include 'use of information' requirements for employees exiting the organisation.
- Refer to confidential information in all relevant corporate documents such as codes of conduct.
- Include confidential information as a risk to be assessed in the agency's internal audit and corruption risk management processes.
The following record-keeping requirements should be included in the policy:
- Information contained in records is classified as confidential or non-confidential.
- Security labels (such as "in-confidence", "protected") are assigned to particularly sensitive documents.
- An audit trail logs access to electronic documents that contain confidential information.
- Access to confidential information is restricted to those officers, or other individuals, who need to access it.
- The processes for gaining access to, releasing or modifying confidential information are all clearly documented.
Following your risk assessment of confidential information, consider these risk management strategies:
- Clearly defining and identifying what information is confidential and the extent of that sensitivity (i.e. in what circumstances and to whom it can be communicated).
- Securely storing any documents containing confidential information.
- Tracking copies of documents containing confidential information.
- Implementing procedures for removing confidential information as soon as possible from laptops and other mobile computing devices.
- Implementing processes for protecting confidential information before engaging in any sharing arrangements with another organisation.
- Assigning overall responsibility for protecting confidential information to a senior employee(s).
- Maintaining, wherever possible, control over intellectual property rights.
- Releasing publicly available information promptly, reliably and cost-effectively.
Case study 1: Insider information
An agency contacted the ICAC about the conduct of one of its employees in relation to a tender.
The employee had taken leave without pay, indicating that he was looking for employment elsewhere. He was informed by the agency that he could not participate in an upcoming tender because of the knowledge he had obtained from working for the agency.
One of the tenderers hired him as a consultant and they subsequently won the contract. When it was revealed that his inside knowledge had helped them, the contract was revoked, as it was not possible to reverse the advantage from the information provided by the agency employee.
Case study 2: Corrupt trade in information
One of the ICAC's largest public inquiries involved allegations that NSW public officials, including police officers, corruptly sold confidential information in their care to insurance companies, financial institutions, private inquiry and commercial agents, lawyers and others.
The inquiry revealed that buying and selling government information had been standard practice over many years, mainly for the purpose of locating debtors and preparing for litigation but also for other inappropriate purposes.
Evidence showed that there was no consistent government policy to determine what information should be protected and what information should be available to the public. In addition, access to information that was legitimately available had often been slow, so that a parallel illicit trade developed, with greater speed its main selling point.
At the same time, information that had been classified as confidential was generally not well protected.
A total of 155 people were found to have engaged in corrupt conduct, and a further 101 were found to have engaged in conduct which allowed, encouraged or caused the occurrence of corrupt conduct.
The recommendations to reduce the risk of this kind of corruption related to:
Frequently asked questions
Would it be safer to treat any agency information as confidential?
If in doubt, it is probably safer to err on the side of caution and classify information as confidential.
However, there is a risk from over-classification of information. If information that should be publicly available is not, agency employees may sell this information to interested parties. This may also apply in cases where such information is available to members of the public but the process has unnecessary financial or temporal obstacles.
Over-classification may also adversely impact the efficiency of agency employees.
We have a large collection of confidential information. How do we prioritise the security of this information?
The level and cost of security processes used to secure confidential information should depend on:
It may be difficult to quantify the financial costs and performance impact of new security systems before they are implemented. Consequently, it is often advisable to pilot new security measures before an agency-wide implementation is made.
How should the issue of confidentiality of information be addressed in the context of a new information system (such as a database)?
Confidentiality is an issue that needs to be addressed in the planning phase of an information system because:
Relevant ICAC investigations
- Report on investigation into the alleged leaking of a draft Cabinet minute (Operation Derwent) (April 2006)
- Attorney General's Department - corrupt offers of assistance to defendants by an officer of the Local Court Registry at Penrith (Operation Hunter) (February 2006)
NSW Department of Commerce, Government Chief Information Office, www.gcio.nsw.gov.au
Office of the NSW Privacy Commissioner, www.lawlink.nsw.gov.au/privacynsw
NSW Department of Premier and Cabinet, www.dpc.nsw.gov.au
Crime and Corruption Commission (Queensland), www.ccc.qld.gov.au
- Privacy and Personal Information Protection Act 1998 (NSW)
- Health Records and Information Privacy Act 2002 (NSW)