ABS responds to Australian Financial Review enquiry regarding arrest of ABS staff member on 12 May 2014
The Australian Bureau of Statistics issued the following statement on 12 May 2014 in response to questions received from the Australian Financial Review:
1. What is the ABS doing to review your internal processes?
2. How is access to sensitive data/reports being handled? Are there changes to the levels of staff that have access? What measures are being taken to tighten access?
3. How is the ABS reviewing its staff risk management processes? Are new systems of monitoring or evaluating staff behaviour being considered?
4. What are the current staff screening processes? How are potential staff assessed, and granted access to sensitive information?
5. What assurances can the ABS give in regards the security of its information and systems?
1. What is the ABS doing to review your internal processes?
ABS internal processes comply with the Australian Government’s Protective Security Policy Framework, and our security policies and practices are regularly reviewed and continually reinforced with ABS staff.
However, the ABS will conduct a review of the incident that resulted in the arrest of an ABS staff member for disclosing sensitive, embargoed statistics. An external expert will be engaged to undertake the review.
The staff member who is alleged to have leaked the embargoed statistics had trusted access to sensitive information. The review will assess what was leaked and the extent to which the staff member’s access to information was consistent with his duties. The review will ensure that the ABS is best positioned to maintain the security of the information that it holds.
2. How is access to sensitive data/reports being handled? Are there changes to the levels of staff that have access? What measures are being taken to tighten access?
There is no evidence that any other ABS staff are involved in leaking sensitive information. The AFP believes no other staff are involved in this case.
Sensitive data/reports can only be accessed by ABS staff if they have a genuine 'need to know' that information – that is they could not perform their ABS work without the information. ABS staff are only provided with the minimum amount of information they 'need to know'.
3. How is the ABS reviewing its staff risk management processes? Are new systems of monitoring or evaluating staff behaviour being considered?
These matters will be considered in the review into this incident.
4. What are the current staff screening processes? How are potential staff assessed, and granted access to sensitive information?
ABS staff screening processes are consistent with the requirements of the Australian Government’s Protective Security Policy Framework.
The ABS conducts criminal history checks on potential employees. All ABS staff sign an Undertaking of Fidelity and Secrecy in relation to the secrecy of information collected under the Census and Statistics Act 1905 and sign an Employee Declaration to Confidentiality and Secrecy under the Public Service Act 1999 and Crimes Act.
ABS staff are highly aware of embargo, privacy and confidentiality policies and their obligations relating to the collection, production and dissemination of statistics. As part of his induction process, the staff member involved in allegedly leaking sensitive information undertook education and training on handling sensitive data and his obligations under legislation and the APS code of conduct.
5. What assurances can the ABS give in regards the security of its information and systems?
This is the first time in our history of more than 100 years that a staff member has been arrested for leaking statistics. There is no evidence that the unauthorised disclosure included details about an individual person or business.
We can reassure the public that they can participate in ABS surveys with confidence and the information collected and stored by the ABS is secure and strictly confidential. We have a long-standing reputation for preserving the confidentiality of information provided.
The ABS protects the security of its information using access, record and other technical controls, complying with Australian Government policy, building a culture of trust reinforced through education and training, and making data available to staff on a ‘need to know’ basis.
This incident is a serious breach of trust and does not reflect the professionalism or values of ABS staff. Our values are underpinned by the legislation governing the ABS and under which ABS staff operate, including the Census and Statistics Act 1905, the Privacy Act 1988, the Public Service Act 1999 and the Crimes Act. Any suspected breaches are investigated thoroughly.
ABS responds to Australian Financial Review enquiry regarding arrest of ABS staff member on 12 May 2014