Thursday, 8 February 2007
Page: 8


Mr Kelvin Thomson asked the Minister for Health and Ageing, in writing, on 14 September 2006:

(1)   For each financial year since 1 July 2000, on how many occasions have departmental employees accessed files or records without proper authorisation.

(2)   In each instance identified in Part (1), (a) what action was taken against the employee and (b) if the unauthorised access involved customer records, in how many instances was the customer notified.

(3)   Are employees able to access personal or customer files without (a) being detected, or (b) leaving a record of their access.

(4)   What auditing procedures exist to monitor employee access to files and records.


Mr Abbott (Minister for Health and Ageing) —The answer to the honourable member’s question is as follows:

(1)   During this period the Department has identified one employee who accessed a record without proper authorisation.

(2)  

(a)   The employee was formally reprimanded and was provided counseling about the incident.

(b)   The customer whose record was accessed was deceased.

(3)   The Department has a range of controls in place to protect its customer files and information assets.

(a)   Departmental information is stored (electronically and physically) in such a way that access is limited to those employees that require access for the performance of their duties.

(b)   Departmental systems and applications require password access and authentication to enable access to electronic information, and have the capacity to log and record the time and date that an employee has logged on and off a system.

(4)   There are controls and processes in place to audit and continually review employees' level of authorisation to access Departmental systems and information. Controls and processes are also in place to enable and ensure that all instances or suspected instances of non-compliance and/or inappropriate access to departmental systems or information are documented and reported to the IT Security Advisor and Agency Security Advisor.