Government agencies collect and hold significant amounts of personal information, including home addresses; phone numbers; driver licence, Medicare and passport numbers; health records; photographs; criminal records; and credit card details.

While it is accepted that agencies may collect and hold this information, the public expects that the information they provide to government agencies will be protected from misuse by third parties.

Following the recent Optus and Medibank data breaches, information privacy and protection has become a fundamental issue for Queenslanders who want their personal information protected from corruption, compromise or loss.

As a result, government agencies should consider their personal information holdings and assess how they continue to collect, retain and dispose of personal information.

Queensland's data protection regime

Queensland's data protection and retention regime is set out across two Acts. First, government agencies in Queensland must comply with the Information Privacy Principles (IPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act). The IPPs provide for the fair collection and handling (in the public sector environment) of personal information by placing strict obligations on an agency when it collects, stores, provides access to, amends, uses and discloses personal information.

Additionally, government agencies are required to adhere to the Public Records Act 2002 (Qld) (PR Act) which governs how the state's public records are made, managed, kept and, if appropriate, preserved.

What information can be collected?

Under the IPPs, a government agency may request personal information from an individual, provided the following criteria are met:

  • the specific personal information required will fulfil a lawful purpose that is directly related to the function of the agency
  • if the information is collected directly from an individual, the agency must tell the individual what the information is going to be used for before, at the point of collection, or as soon as practicable after collection
  • the agency must not collect information by unlawful or unfair means, including by trickery, deception or misleading conduct.

Once collected, personal information may become a public record under the PR Act where it is dealt with by an agency in the course of its business or the conduct of its affairs.

Accordingly, collecting only the personal information that a government agency is entitled to collect under law will mitigate both the risk and the potential impact of a data breach.

What information should not be collected?

The question of what information should not be collected is not only relevant to whether an entity is meeting its obligations under the IP Act and the PR Act, but also represents important risk mitigation in the event of a data breach. The release of records that an agency had no entitlement to collect or store is likely to be far more problematic and receive higher levels of criticism.

Accordingly, entities need to consider whether there is an ongoing need or legal basis for collecting each category of personal information they hold. There should be clear and justifiable reasons for collecting personal information, and these reasons may change (and reduce) over time.

If there is no law requiring or authorising the collection of personal information, government agencies should also review whether it is reasonably necessary for their functions or activities to continue collecting personal information.

The 'reasonably necessary' test is an objective test - that is, would a reasonable person who is properly informed agree that the collection is necessary?

This will require consideration of several factors such as whether there are any applicable workplace laws and contractual obligations that make the collection of personal information reasonably necessary for an agency's functions and activities.

If there is no longer a requirement or a reason to collect personal information, then steps should be taken to ensure this information is no longer collected.

How should information be disposed of?

As with the question of whether entities should be collecting information in the first place, compliance with the IP Act and PR Act also requires consideration, from time to time, of what information should be deleted. This too is a risk mitigation factor: records that ought to have been deleted but were not are open to greater criticism than others. For example, some former Optus customers whose data was leaked had not been customers for decades.

Disposal has a specific definition under the PR Act and includes destroying, damaging, abandoning, transferring, donating, giving away or selling a record in whole or in part. Disposal of a public record without proper authorisation is a criminal offence.

Of course, disposal must be balanced with the obligation for public records to be retained for the appropriate retention periods listed in the current General Retention and Disposal Schedule.

It is recommended that agencies follow the State Archivist's Records governance policy and plan for how and when records will be disposed of, using a risk-based approach. Records must be disposed of in a planned and authorised way by:

  • using the disposal authorities issued by the State Archivist, that provide proper coverage of the specific records that are created and kept
  • developing and implementing a disposal plan, which details disposal decisions and actions for the agency. The plan must, at a minimum, cover:
    • disposal endorsement, including how internal endorsement is given
    • disposal methods, including how records will be disposed of (physical and digital)
    • disposal frequency, including specifying how often certain types of records will be disposed of
    • formally documenting the disposal of records.

It is important to identify the various ways in which personal information has been collected and stored, as this affects the destruction and de-identification process. For example, if the information is held in hard copy, secure disposal might involve secure shredding before recycling or discarding. In contrast, if the information is stored electronically, such as in cloud-based storage, on servers or USB devices, or with a third-party provider, the agency should ensure that the digital records are permanently destroyed, including every copy held in back-up systems or offsite storage.

Regular, authorised disposal ensures that only important, useful and accurate records are kept. This is particularly relevant because IPP 8 under the IP Act requires government agencies to take reasonable steps to ensure that personal information is accurate, complete and up to date before it is used.

While agencies are not required to continually check the personal information they hold, they must take reasonable steps when the information is collected, and again before it is used, to ensure that it is correct. Where there is reason to believe that the source information may not be accurate, or may have become inaccurate over time, amendment or disposal may be required.

Conclusion

For government agencies, the collection and storage of information is a necessary function. However, it is important that when doing so they comply with the obligations under the IP and PR Acts to better mitigate the risks of potential data breaches. In light of the Optus and Medibank data breaches, we recommend agencies reflect on the following questions:

  • is the personal information the agency is collecting necessary for the function the agency is performing?
  • does the agency need to collect all the information that is proposed to be collected?
  • what are the security protocols that the agency has in place around the personal information that has been collected?
  • is the agency required to retain the personal information that it has collected?
  • if the agency intends to use the personal information, is that information up to date? If not, can the outdated personal information be disposed of?

How we can help

Our government team can assist you in understanding your obligations in relation to the collection and retention of personal information, and can provide training for your team so they are able to comply with the above and give appropriate consideration to these matters.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.