Official information is a valuable commodity. As a result, unauthorised access to, disclosure and modification of information is a key enabler of corrupt conduct. This corruption vulnerability is one of the most prevalent of the matters brought to ACLEI’s attention through our investigations.
Misuse of information or systems is an ongoing corruption vulnerability affecting all agencies within ACLEI’s jurisdiction. Misuse of information is not a risk unique to law enforcement agencies. Information is a key commodity for organised criminal groups, corporate entities, foreign actors and others who may seek to exploit it for personal gain.
Inappropriate or unlawful access to or disclosure of this information could cause serious harm:
- to the ongoing efficacy of the agency’s (and other law enforcement agencies’) operations, through the disclosure of law enforcement methodologies
- to the personal safety, privacy and reputation of individuals about whom the agency holds information
- to fair and open market competition, when confidential tender, project or commercial information is disclosed to individuals or corporate entities seeking to gain an advantage
- to the community in circumstances where sensitive information is provided to criminal entities to facilitate further criminality, avoiding law enforcement detection and/or defeating law enforcement agency investigations
It is essential that staff members understand the value of the information they have access to and their decision-making role and avoid ‘self-managing’ risk. If someone does approach you for information, act early and report it.
Agencies should regularly assess the information they hold and review information security controls to ensure they remain fit for purpose. This includes:
- maintaining appropriate oversight and audit controls over information and communications systems
- ensuring officer training and awareness programs regarding information management obligations and responsibilities are relevant and targeted.
- considering the appropriateness of the use of personal electronic devices in the workplace, particularly where employees regularly access sensitive information as part of their duties
- regular auditing of accesses to those systems or databases to identify any instances of access that is not for a legitimate purpose.
Accessing or modifying restricted data without authorisation may constitute a criminal offence. The Protective Security Policy Framework (PSPF) requires all non-corporate Commonwealth entities to implement information security measures. This includes maintaining the confidentiality, integrity and availability of all official information and assets owned by the Australian Government, or those entrusted to the Australian Government by third parties or through international agreements within Australia.
The risk of unauthorised access is also heightened in a COVID-19 context with increased numbers of the workforce working remotely on personal or portable devices. Access to information systems may not be able to be audited in the same way on portable devices and individuals are not subject to the usual in-person oversight that occurs in the workplace.
An unauthorised disclosure occurs when a Commonwealth officer, whether deliberately or inadvertently, makes information (including documents and other things) available or accessible to others without having the authority to do so. Unauthorised disclosure may sometimes be referred to as ‘a leak’ and may constitute corrupt conduct.
ACLEI investigations have identified the unauthorised disclosure of information – to criminal entities, the media, family and friends, and other parties – as a key corruption risk for law enforcement agencies. Serious and organised criminal entities place a high value on law enforcement information.
It is an offence for a Commonwealth officer (or persons performing services for or on behalf of the Commonwealth) to communicate any information or publish any document which comes into their knowledge or possession (except when authorised to do so).
The Australian Public Service (APS) Code of Conduct provides that APS employees ‘must not improperly use inside information or the employee’s duties, status, power or authority to gain a benefit or cause a detriment’.
It is essential that staff members understand the value of the information they have access to, and if approached by someone in their social network for favours or information, act early and report it to their agency or ACLEI.