MEDIA RELEASE
Tuesday, 27 October 2009
Sorting out ACC information security
Conflicting and out-of-date internal information policies, multiple databases with varying
degrees of security and low staff morale increased the risk of confidential Australian
Crime Commission (ACC) intelligence falling into the wrong hands, according to
Commonwealth Ombudsman Professor John McMillan.
The Ombudsman today released the findings of a review of the ACC's policies, practices
and procedures for information collection, storage and dissemination. The review was
prompted by a request from the ACC's Chief Executive, following a leak to the media in
September 2008 of an ACC document detailing conversations at a Ministerial dinner.
"The review established that the Australian Crime Commission performs its intelligence
gathering role in accordance with its legislation and that it does not appear to hold
improper or unauthorised records," Professor McMillan said. The creation of the
document in question was entirely inappropriate, but seems to have been an anomaly.
However, the ACC does need to improve the way it handles sensitive information.
Professor McMillan said that central to the issue were the conflicting policies,
procedures, guidelines and other documents, such as all staff emails from senior
management, that the ACC had in place.
"Staff can be confused about whether the organisation endorses a need-to-share or a
need-to-know policy," he said.
This problem is compounded by a lack of clarity in the ACC's definition of what
constitutes unauthorised access to information, while a lack of transparency in censuring
officers found to have breached policy has led to resentment and threatens staff morale.
The ACC's main record keeping database has a default that allows anybody to look at
any record, unless the creator has remembered to change the setting to restrict access.
Professor McMillan acknowledged the ACC's recent efforts to build a culture of integrity
and improve information handling and made six recommendations to assist, including
that the ACC should:
• develop an overarching information governance policy as a matter of high priority
• review the guidance given to consultants in relation to the use of ACC information
• develop a definition for unauthorised information access and enforce it
• consider improving audit and incident reporting systems.
The ACC has accepted the recommendations.
The Ombudsman's report, Australian Crime Commission - Review of collection, storage
and dissemination of information, is attached. It is also available from
__________________________________
Media contact:
Fiona Skivington, Director Public Affairs
0408 861 803