In November 2022, new mandatory data breach notification regulations came into effect across NSW, including for local government. This legislative change has important implications for how councils must respond to and report data breaches going forward. The NSW Data Breach Notification Scheme creates prescriptive roles, responsibilities and actions that must be taken in the event of a suspected or confirmed data breach. At the core is the principle of promptly mitigating any potential harm. Heads of councils and other organisations covered by the legislation are now directly responsible for immediately notifying the Privacy Commissioner in the case of an "eligible data breach."
Under the Scheme, any council employee who has reasonable grounds to suspect a breach has occurred must report it to their agency head without delay. From there, heads of the agency or organisation must make every reasonable effort to contain the breach and conduct a thorough investigation within 30 days to determine if it meets the definition of an "eligible data breach." This includes assessing the types of information involved, the risk of harm to affected individuals, and whether remedial action is needed, such as notifying those impacted. Non-compliance can result in penalties, including fines, as well as significant reputational damage.
This stringent regulation underscores the growing emphasis on data security and accountability and urges organisations to fortify their defences against potential breaches. This includes people, process, and technology controls and should extend to streamlining their response processes to uphold data confidentiality and integrity. It is good practice for organisations to test their processes at least annually to ensure that all decision-makers are practised in their roles and aware of the end-to-end process for detecting and notifying suspected or actual data breaches.
Data breaches are not just the result of the failure of technical controls but are commonly the result of human error, such as emailing a file of personally identifiable or health identifiable information to the wrong recipients or losing a mobile phone or computer holding such data.
Click the link below to find out how Centium can keep you informed, help you stay vigilant, and prioritise compliance to safeguard your data and uphold the trust of stakeholders. This advice was prepared by Scott Thomson, Centium’s Director of Cyber &IM, who is a Certified by ISACA as a Data Privacy Solution Engineer (CDPSE).
Read more here https://centium.com.au/news/ppip-amendment-act-2022-mandatory-notification/
A recent seminar at the Sydney Law School considered the use of non-disclosure agreements (NDAs) in sexual harassment settlements.
The seminar discussed the Let’s Talk About Confidentiality: NDA Use in Sexual Harassment Settlements Since the Respect@Work Report[i] authored by Regina Featherstone from the Human Rights Law Centre and Sharmilla Bargon from the Redfern Legal Centre. The research was the product of Ms Featherstone and Ms Bargon’s work in the law school as Social Justice Practitioners-in-Residence.
The Let’s Talk About Confidentiality research raises important questions in the context of the ongoing conversation about sexual harassment in Australian workplaces following the publication of the Australian Human Rights Commission’s Respect@Work: Sexual Harassment National Inquiry Report in 2022 (Respect@Work).[ii]
Ms Featherstone and Ms Bargon surveyed 145 legal practitioners across Australia with experience managing sexual harassment matters. They found that:
These findings follow the use of NDAs being considered by the Australian Human Rights Commission (Commission) in Respect@Work. The Commission heard evidence that NDAs can protect the privacy of victim/survivors and help provide ‘closure’ but also ‘protect the reputation of the business or the harasser and contribute to a culture of silence.’
The Commission recommended (in Recommendation 38) that it work with the Workplace Sexual Harassment Council (SHC) to ‘develop a practice note or guideline’ identifying ‘best practice principles for the use of NDAs in workplace sexual harassment matters to inform the development of regulation on NDAs.’
The Commission and the SHC published Guidelines on the Use of Confidentiality Clauses in the Resolution of Workplace Sexual Harassment Complaints in 2022 (Guidelines).[iii] The Guidelines recommend among other things that:
The Guidelines provide practical advice to practitioners about the use and misuse of NDAs and about how settlement negotiations can adopt a best practice approach to balance the needs of victim/survivors and the requests of respondents and achieve a resolution.
Let’s Talk About Confidentiality builds on the practical advice contained in the Guidelines by including model confidentiality clauses that can be adapted to individual circumstances. The report is careful to recognise the potential use of the model confidentiality clauses while stating that they ‘should not automatically be included in a settlement agreement.’
The seminar included a panel discussion.
Mia Pantechis, a Principal Lawyer at Maurice Blackburn, and Amanda Lyras, a partner at Clayton Utz, provided the perspectives of practitioners experienced in representing applicants and respondents. Ms Pantechis and Ms Lyras agreed that NDAs may play a role in settling sexual harassment complaints and that an individualised approach sensitive to the needs of victim/survivors is necessary.
Key take home messages
Regina Featherstone and Sharmilla Bargon have published contemporary, relevant and thought-provoking research and practical guidance to assist those who are involved in sexual harassment complaints.
The research adds to growing recognition that workplace sexual harassment is common and that employers have obligations to respond in protect the interests of victim/survivors.
One size rarely fits all. This is true of resolving sexual harassment complaints.
Approaching the settlement of sexual harassment complaints from a victim-centric perspective that considers if a non-disclosure agreement is used, and if used in what terms, is one means of further ensuring the progress that Respect@Work called for.
Get in touch
Centium’s Principal Investigator Scott Fanker attended the Let’s Talk About Confidentiality seminar.
Scott is experienced in managing sexual harassment from the perspectives of an employer, mental health clinician, and an investigator. He is leading Centium’s work to implement our sexual harassment policy and other actions to meet the new positive duty to eliminate sexual harassment and discrimination contained in section 47 of the Sex Discrimination Act 1984 (Cth).
Scott can be contacted on 0499 187 804 or at Scott.Fanker@centium.com.au
References
[i] Regina Featherstone and Shamilla Bargon, Let’s Talk About Confidentiality: NDA Use in Sexual Harassment Since the Respect@Work Report (2024, University of Sydney Law School) <https://rlc.org.au/sites/default/files/202403/Let%27s%20talk%20about%20confidentiality%20final_0.pdf>.
[ii] Australian Human Rights Commission, Respect@Work: Sexual Harassment National Inquiry Report (2020, AHRC) <https://humanrights.gov.au/our-work/sex discrimination/publications/respectwork-sexual-harassment-national-inquiry-report-2020>.
[iii] Australian Human Rights Commission, Respect@Work, Guidelines on the Use of Confidentiality Clauses in the Resolution of Workplace Sexual Harassment Complaints (2022, AHRC) < https://www.respectatwork.gov.au/sites/default/files/202212/Guidelines%20on%20the%20Use%20of%20Confidentiality%20Clauses%20in%20the%20Resolution%20of%20Workplace%20Sexual%20Harassment%20Complaints.pdf>
Audit Office Report: On 26 March 2024 the NSW Audit Office tabled an audit on Cyber Security in Local Government, which reinforces the risks of not having an effective cyber security plan in place and calls on all councils to take urgent action [1].
The report highlighted that Councils should improve governance over cyber security risks, assess against the OLG Cyber Security Guidelines (developed by Cyber NSW), take a risk-based approach to improvement plans, and conduct regular testing of their cyber incident response plan.
Cyber Security Risks: Cyber security is a key set of risks that all organisations are facing across the nation. The Australian Cyber Security Center (ACSC) has quantified the cost of a cyber incident for a medium-sized organisation at nearly $100,000 per incident in 2022-23 [2].
Recently, the ACSC provided a series of alerts regarding vulnerabilities in specific technology widely used in Councils and the urgent need to remediate the vulnerability. Such vulnerabilities are being used by attackers at an accelerating rate and, in some cases, within 24 hours of the announcement being made.
The top three cybercrimes reported in 2022-23 were email compromise, business email compromise fraud and online banking fraud, with social engineering a key strategy that criminals use to gain access or manipulate a staff member [3]. These focus on the humans and less on the technology, reinforcing the need to ensure that the cyber security plan includes people, processes and technology.
Cyber Security in Councils: Cyber security is not just an IT problem where technical controls can mitigate the risks. To address the cyber security threats faced daily, a whole-of-organisation response is required. Effective governance, cyber risk management, staff training and awareness, monitoring and incident response, and reporting all need to work in a coordinated framework. The OLG Cyber Security Guideline spans all of these elements and provides a holistic assessment for Councils.
Following an assessment against the OLG Guideline, Councils need to establish a long-term cyber security plan to ensure that all elements are addressed and that maturity across the organisation increases year on year.
Centium and Cyber Security: A number of local councils have engaged Centium to undertake an independent assessment of their cyber security posture against the NSW Office of Local Government Cyber Security Guideline. These assessments, which are a critical first step in a longer journey for Councils in managing their cyber security risks, gave those councils clarity over what cyber security controls are in place and what they still need to implement.
Centium strongly recommends all organisations assess their current cyber security posture, evaluate the effectiveness of current controls and build a comprehensive plan to address gaps and weaknesses. We can undertake an independent assessment and give you a baseline of where you are today https://centium.com.au/contact-us/
1. https://www.audit.nsw.gov.au/our-work/reports/cyber-security-in-local-government
2. Australian Cyber Security Centre. ASD Cyber Threat Report 2022-2023 | Cyber.gov.au. 2023 14/11/23 [cited 2023 29/12/23]; Available from: https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023
3. Voce I & Morgan A 2023. Cybercrime in Australia 2023. Statistical Report no. 43. Canberra: Australian Institute of Criminology. https://doi.org/10.52922/sr77031
The integration of artificial intelligence (AI) technologies in government funded agencies has garnered considerable attention, with a growing body of work dedicated to safely realising the benefits AI offers. Early initiatives such as Australia’s voluntary AI ethics principles, draw upon the development of Australia’s AI ethics framework consisting of eight principles that organisations can use to:
This effort will be further supported and expanded through the Australian Government’s recently announced AI expert group, which will provide guidance on testing, transparency, and accountability measures for AI in legitimate yet high risk contexts. The group comprises expertise in Indigenous Cultural and Intellectual Property, Law, technology and ethics.
The Australian Government is behind a push to reach 1.2 million tech related jobs by 2030 and is offering a new free course in AI 101 to small and medium business owners. The program covers topics including challenges and risks, common misconceptions, real world applications, and advice from industry experts to start your career in AI.
The 2023 Report from the Australian Government Department of Prime Minister and Cabinet, titled "How might artificial intelligence affect the trustworthiness of public service delivery?" offers valuable insights. Citizens increasingly demand higher standards of care, personalised services, and greater efficiency when interacting with government services. AI holds the potential to revolutionise public service delivery, offering enhanced experiences and outcomes for the community. Current AI applications in the public sector include chatbots, virtual assistants, document and image recognition for border control, fraud detection and data mapping.
AI has the potential to transform how local councils deliver services, enhancing efficiency in areas such as planning applications, rate collection, and aiding in data analysis and cost-preventative maintenance. Data-driven decision-making can assist local councils in making well-informed choices regarding resource distribution, financial planning, and policy development. Advanced sensors and AI-driven algorithms can anticipate maintenance or repair needs for infrastructure components such as roads, bridges, and utility systems.
Emerging evidence suggests that unregulated AI can exacerbate societal disparities. Studies, like a recent examination of AI bias in America, reveal prejudices against marginalised groups, potentially influencing practices and perpetuating endemic biases in employment, education, insurance, and housing sectors. Furthermore, using AI for data collection and analysis raises privacy and security concerns that must be effectively managed. Without proper controls, AI systems may rely on flawed algorithms, making it difficult to track or explain decisions, akin to the issues seen with Robodebt.
In response to these challenges, public agencies must adopt a framework that ensures trustworthy stewardship of AI systems by:
As AI capabilities advance rapidly, public organisations in Australia must position themselves to maximise opportunities for improving government service provision. By adopting a framework for trustworthy stewardship, agencies can mitigate risks and harness the full potential of AI in serving the community.
Centium is an independent assurance and audit firm that focuses on helping clients manage their risks. We partner with Australian state and local government, not-for-profit organisations and private sector clients to provide a complete solution to managing organisational risk, enhancing governance and improving operational performance. We believe that the principles of effective governance and risk management apply to all aspects of managing an organisation, from procurement, to probity to technology and business transformation.
ACS urges action as AI disruption looms | Information Age
Artificial Intelligence Ethics Policy | Digital.NSW and
Mandatory Ethical Principles for the use of AI - Digital.NSW
Following a review of submissions, on 29 February 2024 the Parliament of Australia's Joint Committee of Public Accounts and Audit (JCPAA) expanded its terms of reference. Initially tasked with examining the Department of Home Affairs' failed visa privatisation process, JCPAA has now broadened its scope to encompass at least eight additional IT procurement processes across the public sector. This decision reflects mounting concerns regarding IT procurement spending within the Australian Government and issues surrounding the ethical use of resources and behavior. It marks the latest in a series of inquiries by the JCPAA into probity and ethics within the Australian Public Service (APS), including scrutiny of systemic factors contributing to unethical behaviour, and other procurement activities including those within Services Australia, the National Disability Insurance Agency, and Defence.
In the last few weeks, we’ve also seen the NSW Auditor General issue a number of reports that underscore the need for robust probity and governance frameworks to safeguard public resources and maintain public trust. Adverse findings were made in relation to the design of the WestInvest program, where a lack of documentation relating to program design and allocation of funding has called into question the basis on which $5 billion in public money was given to Western Sydney recipients. Safework NSW was called out for a range of governance failures and was referred to the Independent Commission Against Corruption for one of its procurement activities. Transport for NSW’s management of the Driver vehicle System (DRIVES) to support its regulatory functions was also reported on, highlighting deficiencies in strategic planning (including waste of funds), cyber security measures, and service management.
In his recent address to The Mandarin’s Rebuilding Trust and Integrity in the APS conference, Commissioner Paul Brereton highlighted that thousands of referrals had been made to the National Anti-Corruption Commission less than a year since its establishment. He stated “[t]he nature [of the issues being referred to the Commission] illustrates the point that we’re no longer dealing with cash in brown paper bags, but the misuse of information and access, or lapses in ethical decision-making”. Amongst the issues referred to the Commission, procurement, recruitment and promotion feature prominently. The Commissioner noted it’s not just about training and personal responsibility, but also about creating structures that encourage integrity.
Probity serves as a safeguard against corruption, ensuring that decision-making processes are fair, impartial, and in the public interest. It encompasses a range of principles and practices aimed at promoting honesty, integrity and ethical behaviour within organisations and institutions. From procurement to contracting, to recruitment, regulatory compliance and decision-making, probity standards play a vital role in maintaining the trust and confidence of citizens in the public service.
In Australia, where democratic principles and the rule of law are fundamental, upholding probity is not just a matter of good governance, it is a moral imperative. The public expects their elected representatives and public officials to act with integrity and accountability, safeguarding public resources and the interests of the community above all else.
Effective probity frameworks can help prevent ethical lapses by establishing clear guidelines, procedures and oversight mechanisms to detect and address misconduct. This includes clear conflict of interest policies, robust documentation, whistleblower protections, independent auditing and monitoring processes, and regular training and awareness programs.
Moreover, investing in probity strengthens the resilience of institutions against external pressures and undue influence, ensuring that decisions are made based on merit and evidence rather than personal gain or vested interests. It promotes a culture of transparency and accountability, where public officials are held to the highest ethical standards and accountable.
By implementing transparent processes guided by probity principles, organisations can enhance trust, integrity and accountability in their activities. This not only reduces the risk of corruption or unethical behaviour, it also fosters confidence among stakeholders and strengthens public trust.
Centium is an independent assurance advisory firm that focuses on helping clients manage their risks. We partner with Australian state and local government, not-for-profit organisations and private sector clients to provide a complete solution to managing organisational risk, enhancing governance and improving operational performance. We believe that the principles of effective governance and risk management apply to all aspects of managing an organisation, from procurement, to probity to technology and business transformation.
Parliament of Australia, Joint Committee of Public Accounts and Audit, Inquiry into he failed visa privatisation process and the implementation of other public sector IT procurements and projects, https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/IT_procurement_and_projects.
The Mandarin, Anti-corruption commissioner recaps the first months of the NACC, 23 February 2024, https://www.themandarin.com.au/240053-paul-brereton-first-six-months-of-nacc/.
NSW Audit Office, Design and administration of the WestInvest program, 28 February 2024, https://www.audit.nsw.gov.au/our-work/reports/design-and-administration-of-the-westinvest-program.
NSW Audit Office, Effectiveness of SafeWork NSW in exercising its compliance functions, 27 February 2024, https://www.audit.nsw.gov.au/our-work/reports/design-and-administration-of-the-westinvest-program.
NSW Audit Office, Driver vehicle system, 20 February 2024, https://www.audit.nsw.gov.au/our-work/reports/driver-vehicle-system.
Lisa Braid recently joined Centium to enhance and lead our Probity and Governance practice. With a background in senior executive roles within various government sectors and not-for-profit organisations, Lisa brings a wealth of experience in governance, procurement, and fostering an ethics-driven environment.
Lisa has a proven track record in developing operational policies, implementing systems and controls, and prioritising risk management. Throughout her career, she has successfully led workplace change initiatives, managed audit and compliance functions, spearheaded policy reforms, and championed culture change efforts. Committed to public and community service, Lisa is excited to contribute to Centium's legacy of excellence by assisting organisations in managing risk, improving governance, and enhancing operational performance.
At Centium, we assist government agencies in ensuring integrity and safeguarding the welfare of the public across such activities as procurement, divestment, planning and development, contract discussions and variations, grant distribution and management, award ceremonies, as well as executive recruitment and Board appointments. We assist clients with ensuring effective, transparent and robust decision-making, especially in relation to complex, high value and sensitive matters.
We achieve this via our proven Probity Methodology, extensive suite of Ethical Conduct training packages and tailored advisory services, which are all based on Collaboration, Knowledge Transfer and Empowerment.
Centium welcomes Lisa to the Centium executive leadership team and invites you to learn more about her and Centium’s suite of Probity and Governance services by visiting our website at www.centium.com.au.
Centium offers a comprehensive evaluation of your asset management controls that can help you accomplish your business goals.
Our assessment model, based on the Strategic Asset Management Framework: Public Sector, measures the maturity of a variety of controls, including strategic, tactical, and operational planning; information and support systems; performance improvement; and outcomes realisation. The model also incorporates relevant asset management standards and inputs from the Asset Institute’s Public Asset Collaborative Group to enhance accuracy and effectiveness.
Using our expertise, we can conduct a thorough review of your organisation's internal controls and benchmark your organisation using our asset management maturity model. Our reviews are also customisable to address specific asset classes and elements, catering to your unique needs and risk profile.
See also our previous insights regarding the development of a procurement and contract management maturity model https://centium.com.au/news/procurement-contract-management-maturity-model/
If you are interested in hearing more about either model, or in engaging Centium to review your asset management controls, contact Penny Corkill:
Centium recently gave a presentation to the Local Government Internal Auditors Network (LGIAN) meeting on the recently regulated Office of Local Government (OLG) Risk Management and Internal Audit Guidelines and what those changes mean to Council. These Guidelines have been in the pipeline for several years and are issued under section 23 A of the Local Government Act.
The Guidelines now give statutory force to three crucial elements that will help to strengthen governance in NSW Local Government:
Councils have until 1 July 2024 to comply, noting that there are some criteria whereby Councils may seek exemptions from the OLG. Annual attestation requirements from ARICs and the General Manager will be required from 2024-2025.
If you haven’t already started to consider all or some of these elements, now is the time to complete a gap analysis to determine how your Council complies and/or identify components that may need an uplift before July 2024.
Please see our presentation for a suggested approach or call Penny Corkill, Director Risk & Assurance on 1300 237 810.
Advice from Scott Thomson Director Cyber & IM at Centium.
Many of us are careful in all our online activities, including finding a bargain when shopping online, but many of our family and friends may not be as informed or careful when undertaking these activities. This risk increases when they are motivated to find the ‘best deal’ or get the ‘best present’ for the holiday season.
Unfortunately, many of our family and friends are the perfect target for cyber criminals who use the urgency of the ‘sales’ season to get access to bank accounts, credit card details and commit other online crimes.
As we gather together over the upcoming holiday season, it is a good time to help our families and friends understand the threats that are out there, how easy it is to be a victim and provide some steps that they can take to decrease the risk of them becoming the next victim of these criminals.
The Australian Cyber Security Centre has provided the following great advice that we can use to check our own habits against and also share these tips with others to help them be more resilient to cybercrimes through the 2-minute quiz that is available on the ACSC page linked below.
Shop using secure devices
Make sure the devices you use for online shopping have the latest updates installed and are connected to a trusted network. For example, use your home Wi-Fi or (4G/5G) cellular rather than public Wi-Fi.
Protect your payment information and accounts
Be careful saving payment information on an online shopping account. If you do save payment information to an account, you should turn on multi-factor authentication (MFA) to protect it. Where this is not possible, set a long, complex and unique passphrase as the account’s password to help keep cyber criminals out. You could also use a password manager to generate and store passwords for you.
Use trusted sellers
Research online shopping websites before you buy and stick to well-known, trusted businesses.
Know the warning signs
Extremely low prices, payments through direct bank deposits, and online stores that are very new or have limited information about delivery, return and privacy policies can all be signs of a scam.
Use secure payment methods
Never pay by direct bank deposits, money transfers or digital currencies such as Bitcoin, because it is rare to recover money sent this way. You should pay by PayPal or with your credit card. You may want to set up a second card with a low credit limit and keep it specifically for online shopping. This will help minimise financial losses if your card details are compromised after shopping online.
Don’t engage, and report suspicious contact
Be aware of any strange phone calls, messages or emails you get about online orders. It could be someone trying to get you to share your personal or financial details. If someone contacts you about an order you don’t remember placing, it could be a scam. Stop contact and reach out to the store using the details on their official website to check.
Watch out for fake delivery scams
Don’t let your guard down while you’re waiting for your goods to arrive. Cybercriminals can send fake parcel delivery notifications with links that could trick you into downloading malware or giving away your personal details. If you receive such a message, do not click on the link. Delete the message immediately. You can contact the seller or the courier company using the details on their official website. Scamwatch has examples of what these fraudulent text messages may look like.
Some of Centium’s 50 plus Staff and Associates gathered together last Friday 8 December to celebrate our 8th Anniversary. As part of the celebrations Managing Director, Phil O’Toole, presented an overview of our significant client growth and market presence within the State and Local Government sectors, right across the Australian eastern seaboard, as well as our growing presence in working with Australian Government.
In particular, Phil thanked his visionary Directors and diligent teams for their excellent efforts in delivering our core client services over the past year (i.e. Risk & Assurance, Cyber Security, Workplace Investigations and Probity & Ethics).
Phil then provided an overview of the enhanced risk assurance management strategies that we will be providing to support our clients in 2024, including a suite of maturity assessment models, tailored training programs, and governance frameworks that will enable the introduction of Artificial Intelligence initiatives.
We wish to thank all of our clients, stakeholders and team members for contributing to the Centium growth journey over the past eight years and look forward to continuing our partnership with you for many years to come.
The festive season has arrived: end of year celebrations, lunches, dinners, drinks, gifts. Can you have it all?
Navigating professional relationships and managing conflict of interest, particularly in the public sector, is paramount. Receiving and giving gifts and benefits is a common practice at this time of year, and its intersection with probity issues is of relevant importance.
Probity matters that might arise within this context are:
Gifts and benefits policies offer great guidance to staff and stakeholders in relation to the ethical matters to consider in a professional setting, serving as a shield against improper behaviour. The key components of an effective gifts and benefits policy include:
Integrating probity principles into your Gifts & Benefits Policy supports ethical and robust decision making.
Does your organisation have a Gifts & Benefits Policy? Is it customized to your work environment and cover all potential scenarios?
If you would like to explore how Centium can help your organisation enhance its probity posture, please reach out to Joan Cavalieri, Director Probity & Ethics on Email: joan.cavalieri@centium.com.au.
Our Clients
