Public sector agencies collect, hold and disseminate a range of confidential and sensitive information which should only be used for legitimate purposes. Unfortunately this is not always the case as illustrated in the Commission report tabled today in Parliament, ‘Report into unauthorised release of confidential information of the Public Transport Authority’.
Mr Andrew Forrester was employed as a Senior Catenary Maintainer from May 2012 until he resigned in December 2017. During this period, the Public Transport Authority (PTA) was involved in negotiations with the Australian Rail Tram and Bus Industry Union (RTBU) in relation to the industrial agreement that covered the Network and Infrastructure Division, which covers catenary maintainers. Mr Forrester was a member of the RTBU, and was aware of the acrimonious state of those negotiations.
The investigation concluded that Mr Forrester accessed the personal details of 1,750 PTA employees on the PTA’s computer systems and saved those details on a USB – this included annual leave details, rates of pay and dates of birth. Furthermore, Mr Forrester then disclosed that information to the RTBU, downloading it onto a union organiser’s computer.
The information provided to the RTBU was subsequently used by the union organiser at a negotiation meeting between RTBU and PTA. The information disclosed was used as leverage by the union organiser to highlight the differences between the ways annual leave was being dealt with amongst PTA employees.
While the Commission acknowledges that Mr Forrester has denied saving and disclosing these details to the RTBU, evidence from various witnesses aligns with the Commission's digital forensic examination of data from the PTA and RTBU. Based on the weight of this evidence, the Commission has formed an opinion of serious misconduct in respect of Mr Forrester’s conduct in disclosing the personal details of PTA employees to RTBU in circumstances where he was not authorised to do so.
The report includes two recommendations to the PTA. Firstly, that it tightens access controls over confidential information, including individual logins; and that it reinforces the seriousness of accessing confidential information to all staff.
It also serves as a reminder to all public sector agencies of the importance of IT security measures, particularly when it comes to accessing confidential information; and to the public officers accessing this information the need to ensure it is managed appropriately.