The confidentiality of personal information collected and used by the public sector can be, and has been, easily compromised, a Victorian Auditor-General report has found.
The Maintaining the Integrity and Confidentiality of Personal Information report, which examined information security in three Victorian government departments, found that the ability to penetrate databases, the consistency of its findings and the lack of effective oversight and coordination of information security practices strongly indicate that this phenomenon is widespread.
“This situation has arisen partly because information security policy, standards and guidance for the sector are incomplete and too narrowly focused on ICT security,” the report reads.
“The central direction and effective coordination of the broad scope of information security risks remains weak. Neither the Department of Treasury and Finance nor the Department of Premier and Cabinet have addressed all aspects of information security following the disbanding of the Office of the Chief Information Officer and its supporting committees in 2006.”
According to the report, in the absence of strong and consistent central leadership and effective oversight, the importance of protecting personal information had not been properly understood by the sector.
“The departments examined have recently strengthened their information security governance, but information security risks have not been managed effectively,” the report reads. “Elements of organisational culture, practices and controls all have weaknesses that can be exploited to breach confidentiality in the systems examined.”
There was also little assurance that the integrity of data has been maintained in these systems, the report found. Weaknesses in controls over the confidentiality and integrity of financial information had also been identified through the Victorian Auditor-General’s annual financial audits and reported to the Parliament for a number of years.
“It is disappointing that the important lessons about security of information also translate into non-financial information,” the report reads.
On the issue of governance, the report said the way in which the Victorian public sector did business was increasingly sophisticated and the relationships it developed, increasingly complex.
The exchange of information with other agencies, the private sector and across jurisdictions also created a range of challenges around ownership of information and providing equivalent standards of privacy and security over shared information.
“The approach to managing information security has not met these challenges or kept up with how the sector does business nor the complexity of its business relationships,” the report reads. “It is imperative that action is taken quickly to provide more effective governance and leadership so that these situations are remedied.”
On the issue of culture, practice and technology, the report noted that “fundamental flaws” were evident in the way the Victorian Government Risk Management Framework was applied, and that greater guidance across the sector was needed.
“Risks cannot be managed where an agency is not aware of them, or does not understand their significance,” the report reads. “Without substantiation, attestations by agency heads about the effectiveness of controls have no value.”
The Victorian Auditor-General also made a number of recommendations to resolve these issues, which can be read in the report.