Interviewer: Hello and welcome to this IBAC podcast on why government organisations need to take information misuse seriously. IBAC is Victoria’s anti-corruption agency and our role is to expose and prevent public sector corruption and police misconduct.
We’ve recently published the last of three major reports looking into the dangers of confidential information being accessed and shared by people who work for Victorian government agencies, local councils and Victoria Police.
IBAC’s Deputy Commissioner, David Wolf, sees this as a major corruption issue. He’s here to explain why leaders, government employees and elected officials all need to take information misuse more seriously and what the consequences are when they don’t.
Thanks for joining us, Deputy Commissioner.
David Wolf: Thank you and hello, everyone.
Interviewer: We know that unauthorised access and misuse of information often enables other types of corruption and in fact can be corruption itself, yet despite this, many government agencies tend to rate it as low risk. They just don’t seem to see it as a major issue. Why do you think that is?
David Wolf: That’s a terrific question to start with. It’s a really interesting point you raise around how organisations treat and look at the risk of unauthorised information access and disclosure. What we’ve done is recently completed, as you said, three reports. One into local government, one into the public sector and one into police, that identifies where information has been released without authorisation and accessed without authorisation.
We looked at the risks that that poses to each of those sectors and we've talked about some of the processes that can be put in place to mitigate that risk.
So piecing the three pieces of work together, we’ve been able to develop a pretty strong narrative to inform the leaders of those organisations around the importance of it.
What we look at is all levels of behaviours that drive that sort of activity and the issues and the harm that it might cause for the organisations overall.
So what we’re trying to do is, address the issue itself, we’re trying to raise awareness about the risk and impacts and the consequences and look at what organisations can be done to provide some really clear advice around the steps and measures that they can take to prevent it occurring over time.
Interviewer: You’ve mentioned consequences. Can you tell us a bit about what some of the consequences are when people get away with accessing information they shouldn’t?
David Wolf: This is a really important part. The consequences for organisations are quite dire and can have a real ripple effect through all of those sectors. I guess the overarching issue at the moment is trusting public institutions is really challenged. It’s challenged for a whole range of reasons but where there is a breakdown in that trust, it makes it so much more difficult for either the police, council or the public sector to engage with the community and to be able to deliver the important services and work that those three sectors deliver.
So where you have a release of information and whether it be by mistake, so if an organisation collects information and then through some mistake, there is private community information released, then that really does break down the trust that the community has with the organisation.
Where it’s released through mischief, so somebody does it to try and destabilise a particular thing, then again, that breaks down the broader trust that the community have with the organisation. Of course, when we’re talking about unauthorised accessing and disclosure of information through malice or intended malfeasance, which reaches that corruption threshold, that has a significant effect on how people view the institutions.
Importantly, it doesn’t just apply to the one institution. So in the case of perhaps one police station or one council, where it occurs in those places, the community tend not to view it as just that isolated entity. They tend to view it as an entire organisation. So all police. All police stations or all councils and all councils across the state. So it’s important in terms of the damage of one isolated issue and the impact it can have across a broader sector.
Interviewer: You’ve made it quite clear that this is an endemic problem and that the consequences are really significant. I wonder if you can talk a bit about what you think drives people to such potentially corrupt behaviour.
David Wolf: Yeah, okay. So what we found is that there are consistent themes across the three sectors and particularly when it’s corrupt behaviour. So where someone sets out to or intends to advance themselves for payment or for gain or for their actions intended to be to the detriment or disadvantage of another, they’re quite consistent. They’re often planned. They have some forethought to them and they certainly meet either that malicious or malfeasance level. So that corrupt level.
But what we’ve also found is that each of the sectors, so police, local government and public sector, have some quite nuanced drivers as well. Starting off with police, really interesting in the policing environment, you have a large body, a large workforce that has information relating to quite interesting topics around criminal actions and criminal investigations. So therefore, it’s of interest in conversation to a lot of people.
What we find is, police are often found to be talking about quite confidential matters around police work with a view to being popular or grandstanding, for want of a better word. So we find that that is a real risk for particularly junior police trying to get a position within a social group.
When it comes to public servants, so the public sector, we find that particularly where there might be a political or a philosophical opposition to what the government of the day are doing, we have found that public sector employees might be predisposed to releasing information to embarrass the government. That is of course - it’s intended to provoke or to generate advantage for their own particular beliefs or views. So that’s a - quite a nuanced one for the public sector.
Then local government, you’ve got the blend between the administration and the elected class, the councillors. With the elected class, the councillors in particular, it is quite common and we’ve got many examples of information being released to either cause detriment to a political opponent or to disparage or cause detriment to a group that have a matter before council that they’re opposed to. We see that quite common through many of our investigations.
So you can see it’s - there’s some broad general themes across all sectors but when we’re dealing with the individual sectors themselves, we look at quite nuanced drivers behind those.
Interviewer: David, I’d like to talk a little bit about some of the emerging risks mentioned in the report such as the rise of mobile technology and how this is facilitating information misuse. Are you seeing other emerging risks? Particularly over this past COVID-dominated year?
David Wolf: Indeed. If you think about how our workforce has changed in recent times, it has been quite incredible. Literally overnight we went from a nine to five, Monday to Friday office-based workforce to an entire workforce across the state working from home. Working remotely. So you can think about that scale of change, what that brings into play in terms of some of the risks.
So we’ve got people working in new and remote environments. We’ve got the transfer of information from the workplaces to those environments, then amongst other employees via supervisors and generally back into a centralised place. That includes information transmission via email or IT solutions. It includes virtual meeting platforms, phone conversations and in some cases, hard copy papers being picked up and transferred around the metropolitan or regional areas of Victoria. So a significant change in the way we work, that brings significant risks.
Those risks are, are your IT platforms secure? Are they able to prevent phishing attacks or scams? Are they able to detect if information has been accessed without authorisation? Are they able to audit and log where information has been sent? So they’re some of the key ones just around the workplace and then you’ve got some of the social issues around remote working. Around who else is in the environment where you are working. Can they overhear what you’re saying? Even down to your neighbour next door, can they hear what you’re saying through the fence which is often a risk that we know about as well.
So that change has been significant in a very short period of time and something that we’re still yet to see the fallout from that remote working environment and of course as you mentioned, the change in IT and mobile technology has really been exacerbated by the remote working environments.
Interviewer: So given that we understand the risks and how serious this is, what are the practical things that workplaces can do to stop confidential information being accessed and misused?
David Wolf: So the piece of work we’ve done, we’ve landed on five key levels for an organisation where the risk of unauthorised access and the unauthorised disclosure of information can be mitigated and these are the really important take-aways that I want to focus on today. They’re take-aways for all levels within the organisation, too.
The first one is at the front end employee induction and what I mean by that is, when you bring employees into the organisation that there is a really clear policy framework and the ground rules are clear around how information can be accessed and how it can be used. They’re also aware of what the consequences are if there is misuse of that information.
So setting the rules on literally day one is so, so important. The second area I want to focus on is around peers and work colleagues. What we’ve found in our investigations is, often when there’s been unauthorised disclosure of information, there has been a suspicion or an inkling within the workplace but colleagues have not known what to do about it. Where to raise the issue. Or haven’t had confidence to be able to raise the issue.
So it’s important there is a process within the workplaces that people can confidentially and confidently raise the issue with the workplace and ensure that something is done about it. That is without fear of reprisal.
The third level that we want to focus on and we ask organisations to think about is around that supervisory manager level. This is the important level in any organisation for a whole range of things but in terms of the risks of information use and disclosure, supervisors have a key role.
What we found in many of our investigations is that supervisor managers have been aware of minor early transgressions in an employee’s tenure with the organisation and have failed to hold them to account properly for that. Then over time, that has grown and escalated into, in many cases, corrupt conduct.
So our research work that we piece together says that it’s just so important for the supervisors to hold staff to account and deal with any infractions, no matter how small they might be. The fourth area that we’re focussing on, out of the five, is that executive and leadership in the organisations. Whether it be a police station, a council or a public sector agency, the leadership of that organisation is so important in setting the tone.
So, so important that staff when they see the executive, they see people that are dealing with things appropriately. They’re not speaking out of school around material or issues that they’re dealing with and they’re not compromising the integrity of the information holdings of that organisation.
Again, setting the tone at the top for the employees, in many respects across the organisation and functions, is important but particularly around information. We’ve seen many examples of leaders of organisations that have been talking about issues either in a private or a social environment that has compromised the organisation’s integrity. So tone at the top is critically important.
The fifth and the final focus area that we think is essential in terms of this issue is around the governance area and the importance of governance within an organisation. So by that, I mean making sure that the policies are up to date. That they’re well circulated and understood. That staff have the appropriate tools and resources to be able to do their work but also to make sure that their work is maintained confidential.
Also making sure that there’s a proper audit trail and IT systems that (1) can detect and raise red flags when there’s unauthorised access and (2) that if there is unauthorised access, there is a trail to determine the people that have accessed that information and have potentially released it.
So if you think about those five key points for an organisation and you look at focussing on those and strengthening those, organisations go a very long way to mitigating any risks of the information misuse.
Interviewer: That’s great, David. Thank you. You’ve certainly made a passionate case for why leaders need to take this issue more seriously. Thank you so much for talking with us today.
David Wolf: My pleasure, fantastic.
Interviewer: That was IBAC Deputy Commissioner, David Wolf, urging all leaders across State Government, local council and Victoria Police to take action to stop information misuse from happening.