Confidential information
Confidential information is any information with restrictions placed on its dissemination.
Public sector agencies often hold and manage large amounts of confidential information. Improper use of this information can constitute corrupt conduct under the Independent Commission Against Corruption Act 1988. Commission annual reports show that each year a high proportion of corruption allegations received by the Commission relate to the improper use of records or information.
The unauthorised release or misuse of such information by public officials may lead to:
NSW government agencies are legally obliged to ensure confidential information is securely held and used only for the purposes for which it was collected. This must be done in accordance with the NSW Government Digital Information Security Policy, which describes the government’s system for classifying, labelling and handling sensitive information. Guidance on following the policy is outlined in the NSW Government Information Classification, Labelling and Handling Guidelines (July 2015).
The policy and the guidelines are underpinned by the following legislation, which applies to both state agencies and local government:
- Privacy and Personal Information Protection Act 1998, which sets privacy standards for dealing with personal information
- Health Records and Information Privacy Act 2002, which sets privacy standards for dealing with personal health information
- State Records Act 1998, which prescribes the records management responsibilities of public offices, including protection of state records.
When an agency engages a contractor or third-party provider, the agency is responsible for ensuring the contractor or third-party provider complies with government policy and guidelines regarding confidential information.
Senior NSW public official discloses confidential information to a select group of stakeholders |
The ICAC found a Deputy Director General (DDG) of the then NSW Department of Primary Industry-Water misused information acquired in the course of his duties.
The now former DDG had established an exclusive group of stakeholders for the purpose of targeted consultation and shared information with this group that was not publicly available. Materials shared by the public official included sensitive government policy positions, target figures still under consideration by government, certain details included in protected legal advice and confidential information relating to commercial negotiations being undertaken by government at that time. In some cases, this was despite the materials having security classifications prohibiting such disclosure.
The Commission found that while the public official’s conduct was not corrupt, he had breached both the Department’s Code of Conduct and his contractual obligations. The Commission recommended that the Department improve the training it provides to staff regarding classifying and handling confidential and sensitive information.
Source: Investigation into complaints of corruption in the management of water in NSW and systemic non-compliance with the Water Management Act 2000, November 2020. |
Common corruption risks associated with confidential information include a:
- public official providing confidential information to a third party to assist that party to gain an advantage, for example, during a tendering process
- public official using personal information about a client for private purposes, such as debt collection, fraud, stalking or other harassment, or providing such information to others for these purposes
- public official enabling others to improperly access confidential information
- former public official providing confidential information to their new private sector employer to assist the employer to gain an advantage
Some examples of confidential information that could be misused include the following:
- In a procurement situation, information about a competitor’s tender or pricing, or about an agency’s project budget, pre-tender estimate or evaluation methodology.
- Personal information that could facilitate identity fraud or unauthorised access to a person’s or agency’s bank account.
- In a recruitment situation, interview questions or model answers.
- The valuation of land that an agency wishes to purchase or sell.
- Information about a person’s health or other sensitive information that could be stored on a personnel or customer file.
- Occasionally, public officials are privy to market-sensitive unreleased policy information, which once released, could alter the value of a listed company (or even a sector), commodity or parcel of land.
- Documents that are cabinet-in-confidence, business papers for closed meetings of local councils, or otherwise not intended for public circulation.
In addition, most important IT systems are only accessible via a unique login and password, which are themselves highly confidential.
The Queensland Crime and Corruption Commission’s 2020 Operation Impala investigation report lists key reasons/drivers that have motivated public sector employees to misuse confidential information, which include:
- curiosity
- to obtain a material benefit
- to benefit friends, family members and associates.
The Queensland Crime and Corruption Commission has also published a short video to raise awareness of the seriousness of misuse of confidential information.
Service NSW employee discloses confidential customer information to benefit family and friends
|
To perform their role, customer service representatives at Service NSW have access to databases that hold large amounts of personal and other information about Service NSW customers. The ICAC found a customer service representative engaged in serious corrupt conduct by accessing customer information without authority to benefit her family and friends. The unauthorised access was not detected by Service NSW.
The Service NSW employee agreed to share the address of a customer with a friend for financial benefit. She also disclosed the address of another customer and related vehicle ownership details to a family member.
Further, the employee asked a colleague to find the sale price of a vehicle to help ascertain the vehicle’s current value. She admitted that she asked a colleague to retrieve the information from the database rather than accessing it herself in an attempt to avoid detection.
The Commission recommended that Service NSW improve its approach to detecting unauthorised access to assist in preventing further privacy breaches of this kind.
Source: Investigation into the conduct of a Service NSW officer, May 2021.
|
Developing a strategy
The misuse of confidential information is prevented most effectively when there are:
- robust systems that ensure information is classified according to risk, stored securely and where access is managed appropriately
- public officials aware of their legal and other obligations with respect to access to confidential information, and there are audit systems and other policies in place to both detect and sanction misuse.
To help protect confidential information from misuse, classification should be applied following a risk assessment examining the value of information, the harm its release might cause and the potential for corrupt conduct to occur.
There are benefits to ensuring information classification is carefully managed according to risk. While it might be seen as safer to err on the side of caution and decide that information should be security classified using PROTECTED or TOP SECRET, overly cautious classification can hamper operational performance and reduce transparency. The higher the classification, the fewer people can access and potentially misuse the information but the more difficult it is for others to access the information for oversight purposes.
Overly cautious classification may also create opportunities for corruption. For instance, if information that could be publicly available is unnecessarily restricted, an incentive may be created for public officials to sell the information to interested parties. This may also occur in cases where information is available to the public, but the process to access it is unnecessarily expensive or so slow that interested parties will pay “speed money” to obtain it more quickly.
Written policies and procedures within an agency help ensure consistency and compliance with regard to protecting confidential information. Measures should be taken to ensure staff understand such policies, and are able and motivated to comply with them. This can be achieved through both specific training on the policies themselves and general awareness raising of information privacy issues, preferably occurring on a regular basis.
The following general prevention measures should also be considered:
- ensuring relevant corporate documents, such as codes of conduct, appropriately consider the organisation’s responsibilities and expectations regarding confidential information
- assigning an overall responsibility for managing confidential information to a senior employee
- including clauses in contracts for high-risk positions around releasing confidential information, as well as “use of information” requirements for employees exiting the organisation
- restricting access to confidential information to those staff who need it, and reviewing access rights on a regular basis
- ensuring password protections are placed on work laptops and other mobile devices and implementing procedures for removing confidential information from such devices as soon as possible
- tracking copies of documents containing confidential information
- maintaining a record of who has access to confidential information, with an audit trail to monitor this access and systems in place to assist in detecting unauthorised access
- implementing processes for protecting confidential information before engaging in any information-sharing arrangements with another organisation
- maintaining control over intellectual property rights wherever possible
- releasing non-confidential information promptly and reliably (including when aspects of confidentiality change – for example, outcomes of a tender assessment process should be made public as soon as practicable).
- ensuring a document’s security classification appears on all printed and electronic copies.
University chancellor misuses confidential information to further personal business interests
|
The ICAC investigated allegations that the chancellor of a prominent university had passed on confidential information obtained through his position at the university to an associate, resulting in a business advantage for both parties.
The ICAC found that the chancellor had disclosed information pertaining to the valuation of a hotel asset that was to be sold and had given an indication of prices being offered by other interested purchasers. His associate went on to purchase the hotel. Soon after, the chancellor himself became part-owner of the property and business.
This unauthorised sharing of privileged information was found by the ICAC to constitute corrupt conduct.
Source: Investigation into the conduct of John Cassidy, then chancellor of the University of New England, in relation to the sale of the Tattersalls Hotel, October 2014.
|
The following ICAC investigation reports concern the release of confidential information by public officials, and examine the systemic weaknesses that allowed this to occur, as well as recommendations on how to fix those vulnerabilities:
- Investigation into complaints of corruption in the management of water in NSW and systemic non-compliance with the Water Management Act 2000 (Operations Avon and Mezzo - 2020).
- Investigation into the conduct of John Cassidy, then chancellor of the University of New England, in relation to the sale of the Tattersalls Hotel (Operation Verdi - 2014).
[1] Queensland Crime and Corruption Commission, Operation Impala, A report on the misuse of confidential information in the Queensland public sector, February 2020
Reviewed May 2021