Confidential information is any information with restrictions placed on its dissemination. Public sector agencies often hold and manage large amounts of confidential information. Corruption causing, or resulting from, the release of confidential information may lead to financial, functional and reputational costs to an agency, and financial loss and distress to the affected individuals.
NSW agencies are legally obliged to ensure confidential information is securely held and used only for the purposes for which it was collected. This must be done in accordance with the NSW Government Digital Information Security Policy, which describes the government’s system for classifying, labelling and handling sensitive information. Guidance on following the policy is outlined in the NSW Government Information Classification, Labelling and Handling Guidelines (July 2015).
The policy and the guidelines are underpinned by legislation that applies to both state agencies and local government, as follows:
• Privacy and Personal Information Protection Act 1998, which sets privacy standards for dealing with personal information
• Health Records and Information Privacy Act 2002, which sets privacy standards for dealing with health information
• State Records Act 1998.
At a national level, labelling and handling of sensitive information is guided by the Australian Government’s Protective Security Policy Framework, and its Information security management guidelines – Australian Government security classification system (April 2015).
University chancellor misuses confidential information to further personal business interests
The ICAC investigated allegations that a chancellor of a prominent university had passed on confidential information obtained through his position at the university to an associate, resulting in a business advantage for both parties.
The ICAC found that the chancellor had disclosed information pertaining to the valuation of a hotel asset that was to be sold, as well as given an indication of prices being offered by other interested purchasers. His associate went on to purchase the hotel. Soon after, the chancellor himself became part-owner of the property and business.
This unauthorised sharing of privileged information was found by the ICAC to constitute corrupt conduct.
Source: Investigation into the conduct of John Cassidy, then chancellor of the University of New England, in relation to the sale of the Tattersalls Hotel, October 2014.
Trading sensitive information for illicit drugs
Victoria Police’s Taskforce Keel examined the activities of a senior constable at a suburban station who accessed and printed sensitive information and shared it with individuals engaged in the trafficking of
The senior constable used colleagues’ passwords to access classified information systems and traded this information in exchange for illicit drugs. Although auditing of Victoria Police’s systems assisted in the investigation of the senior constable, proactive auditing may have led to the earlier detection of the unauthorised activities.
Source: Organised crime group cultivation of public sector employees, Independent Broad-based Anti-corruption Commission, September 2015.
When an agency engages a contractor or third-party provider, the agency is responsible for ensuring the contractor or third-party provider complies with government policy and guidelines regarding confidential information. Improper use of confidential information can constitute corrupt conduct under the Independent Commission Against Corruption Act 1988.
Whether information becomes security classified or not will depend on the nature of the information. The NSW Government divides official information into two types: information that does not need increased security, and information that needs increased security to protect its confidentiality. Most official information does not need increased security and will simply be marked UNCLASSIFIED or left unmarked.
For classifying and handling security classified information, NSW public sector agencies must use terms such as PROTECTED, SECRET and TOP SECRET. There are also nine categories of SENSITIVE information that denote limitations on dissemination; for example, “SENSITIVE: NSW Cabinet” and “SENSITIVE: Law Enforcement”.
Common corruption risks around confidential information include:
• a former public official providing confidential information to a new private sector employer to aid dealings with his or her former agency
• a public official providing confidential information to a third party to gain an advantage when dealing with an agency
• a public official using personal information about a client for private purposes, such as debt collection, fraud, stalking or other harassment.
The level and cost of security processes used to secure confidential information have an impact on operational performance. Classification should therefore be applied following a risk assessment around the value of information, the harm its release might cause and the potential for corrupt conduct to occur. As it may be difficult to quantify the financial costs and performance impact of new security systems before they are implemented, it is advisable to pilot new security measures before an agency-wide implementation is made.
While it is safer to err on the side of caution and decide that information should be security classified using PROTECTED, SECRET or TOP SECRET, overly cautious classification can hamper operational performance, reduce transparency and create opportunities for corruption. If information that should be publicly available is not available, this creates an incentive for public officials to sell the information to interested parties. This may also occur in cases where information is available to the public, but the process has unnecessary financial obstacles or access is so slow that people will pay “speed money” to get it more quickly.
Confidentiality of information is an issue that needs to be addressed in the planning phase of an information management system, such as a new database. This is because confidential information cannot be recovered once it has leaked into the public domain, and a security system can be difficult to redesign once it is in place (for example, changing the security settings may affect the design of the security system itself), so these requirements need to be identified in advance.
Developing a strategy
Written policy and procedures can help ensure consistency and compliance around confidential information, but only if staff understand the policy, are able to comply and are motivated to comply. Training in the policy is useful for this reason, but only if complemented by other corruption control measures, such as including confidential information in internal audit and risk management programs.
Consider the following additional measures:
• defining and identifying what information should be security classified, and the extent of that classification (that is, in what circumstances and to whom it can be disseminated)
• including clauses in contracts for high-risk positions around releasing confidential information, as well as “use of information” requirements for employees exiting the organisation
• referring to confidential information in relevant corporate documents, such as codes of conduct
• securely storing any documents containing confidential information
• tracking copies of documents containing confidential information
• putting password protections on work laptops and other mobile devices
• implementing procedures for removing confidential information as soon as possible from laptops and other mobile devices
• implementing processes for protecting confidential information before engaging in any information-sharing arrangements with another organisation
• assigning overall responsibility for protecting confidential information to a senior employee
• maintaining, wherever possible, control over intellectual property rights
• releasing non-confidential information promptly and reliably.
The following recordkeeping requirements should be part of a general strategy focused on confidential information:
• assigning all agency documents a security category that is recorded on all printed and electronic copies and denotes their accessibility
• using security labels (for example, CONFIDENTIAL or PROTECTED) on security classified information
• maintaining a record of who has access to confidential information with an audit trail to monitor this access
• restricting access to confidential information to those staff who need it.
The following two ICAC investigation reports focused on the release of confidential information by public officials, and contain details on the systemic weaknesses that allowed this to occur, as well as recommendations on how to fix those vulnerabilities:
• Report on investigation into the alleged leaking of a draft Cabinet minute (2006)
• Attorney General’s Department – corrupt offers of assistance to defendants by an officer of the Local Court Registry at Penrith (2006).
Reviewed November 2018