QLD Crime Commission exposes systemic misuse of public data, urges creation of mandatory data breach notification scheme

Queensland’s Crime and Corruption Commission (CCC) has released a damning report exposing systemic misuse of citizens' data by state agencies, proposing 18 recommendations to boost information protection provisions and eliminate corrupt conduct.
 

Among the recommendations, the CCC has urged for the creation of a state-based mandatory notifiable data breaches (NDB) scheme to be overseen by the Queensland Office of the Information Commissioner.

The report comes after a six-month investigation by the CCC – dubbed Operation Impala – triggered by a spike in allegations relating to the misuse of confidential information within public agencies – from 713 allegations in 2015/16 to 1,060 in 2018/19, a 32 per cent jump in four years. The CCC also noted the possibility of “significant underreporting” of data misuse.

The CCC defines the ‘misuse of confidential information’ as the unauthorised use of “commercially sensitive information such as that contained in contracts or tender documents and highly sensitive information relating to law enforcement methodology… [to the] disclosure of confidential information of a personal nature” – a primary focus of Operation Impala.

Misuse of public data, either through unauthorised access or disclosure – was acknowledged by the CCC as “a longstanding issue” within Queensland’s public service.

It added: “Such misuse of information can be a key enabler of other types of corrupt conduct.”

The report identified several causes or motivations for public sector staff to misuse agency-held data, from the personal interest (curiosity or voyeurism) to the material benefits that can be gained by accessing private information on individuals, opening the door to organised crime groups to exploit or harass staff for this data.

The report also noted the inherent insecurities introduced by the rapid digitisation of public records, making it “easier to access extensive data holdings no matter where they are located”.

Seven public sector agencies came under the scope of the investigation, which the CCC believed would offer a sufficient “representative cross-section of the broader Queensland public sector”. These included the Queensland Police Service (QPS), Queensland Corrective Services (QCS), the Department of Education, the Department of Transport and Main Roads, the Department of Health, Gold Coast Hospital and Health Service, and Mackay Hospital and Health Service.

Upwards of 300 allegations of information misuse were levelled against the QPS alone in 2018/19 – triple the number of made against Corrective Services, the agency with the second-highest number of recorded allegations.

Notably, however, QPS was the only public agency to see a year-on-year decrease in allegations, down from a high of nearly 500 allegations in 2015/16.

Curiously, all health agencies examined by Operation Impala recorded notable spikes in data misuse allegations in the 2018/19 period, with the Mackay Hospital and Health Service leaping from zero allegations in 2017/18 to upwards of 50 last year.

Among 18 recommendations tabled in the report, the CCC has pushed for the introduction of legislative reform to address the concerns of victims of privacy breach, creating a new offence in Queensland's Criminal Code ('misuse of confidential information by public officers') to aid in the prosecution of offences relating to the misuse of confidential information, as well as remedial avenues for victims of data misuse by public sector staff.

Addressing concerns within the existing digital databases across Queensland’s health service, the report urged the state's health department to assist all hospitals and health services in removing backlogs of potential breaches of their eMR (electronic medical records) and ieMR (integrated electronic medical records) databases detected by the P2Sentinel software – a database auditing tool managed by eHealth Queensland.

As part of the recommendations, public agencies were also advised on a number of access control mechanisms, privacy training and awareness messaging, from unique user identification log-ins for databases containing confidential information to real-time notifications for staff when accessing data on members of the public.

The full Operation Impala report can be found here.