Access to Public Sector Information

Tabled: 10 December 2015

Overview

Public sector information (PSI) is a powerful resource that could be better used to drive open government, innovation, commerce, and community engagement for the benefit of Victorians.

In responding to the 2009 parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data, government committed to transform the way the public sector provides access to its PSI by adopting an ‘open by default’ approach.

However, the agencies we examined are not providing the public with full and open access to the information to which they are entitled. This is largely because the critical foundation of comprehensive and sound information management practices has been neglected.

Ineffective whole-of-government leadership and governance of information management has failed to drive the significant cultural and operational changes needed to achieve open access to PSI.

Consequently, access to PSI has not significantly improved, falling well short of the government’s original intentions.

Back to top

Access to Public Sector Information: Message

Ordered to be published

VICTORIAN GOVERNMENT PRINTER December 2015

PP No 110, Session 2014-15 

The Hon. Bruce Atkinson MLC

President

Legislative Council

Parliament House

Melbourne
 
The Hon. Telmo Languiller MP

Speaker

Legislative Assembly

Parliament House

Melbourne
 

Dear Presiding Officers

Under the provisions of section 16AB of the Audit Act 1994, I transmit my report on the audit Access to Public Sector Information.

The audit assessed whether selected agencies are effectively facilitating access to public sector information (PSI) and whether whole-of-government leadership and oversight has supported improved performance.

I found that the agencies we examined are not providing the public with the full and open access to the information to which they are entitled. While I identified areas that had been progressed, the foundation of comprehensive and sound information management (IM) practices have been neglected. This is crucial because agencies need to first understand and properly manage the information they hold before they can effectively facilitate public access.

Critical to explaining this outcome is the partial and compromised implementation of the IM framework government committed to in early 2010 and the subsequent ineffective whole-of-government leadership and governance of information management. As a consequence access to PSI has not significantly improved, falling well short of government's original intentions.

I have made seven recommendations. Five of these target improving IM for the agencies examined in the audit. The remaining recommendations call for the Department of Premier & Cabinet to take the lead in creating a whole-of-government framework that will effectively support and oversee significantly improved performance.

Yours faithfully

Signature of Dr Peter Frost (Acting Auditor-General)

Dr Peter Frost

Acting Auditor-General

10 December 2015

Back to top

Auditor-General's comments



Dr Peter Frost

Acting Auditor-General

Audit team

Ray Winn—Engagement Leader

Michelle Tolliday—Team Leader

Celinda Estallo—Analyst

Engagement Quality Control Reviewer

Dallas Mischkulnig

The government's response to the 2009 Parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data (PSI Inquiry) recognised:

  • the significance of the potential benefits from improving community access to public sector information (PSI) in terms of greater innovation, economic growth and improved transparency, accountability and public trust
  • the need to develop, and for public sector agencies to apply, a whole-of-government information management (IM) framework so they can effectively manage and provide access to PSI
  • the importance of establishing an online directory, where the public can search for and obtain information about the PSI held by government.

The response concluded that open access to PSI would foster creative, innovative and often unanticipated entrepreneurial activities when businesses and citizens are allowed to use PSI to create products and services. Open access also enhances engagement between citizens and government on critical policy issues leading to broad economic and social benefits.

The current government's policy platform is strongly aligned with using PSI more effectively to deliver economic growth, improved services and greater transparency. This is evident in the appointment of a Special Minister of State to oversee government transparency, integrity, accountability and public sector administration and reform.

Realising these significant and widely acknowledged benefits requires strong whole-of-government leadership to help public sector agencies reshape and transform their practices. Unless public sector agencies effectively manage the PSI they hold and create comprehensive directories to allow the public to search for and obtain it, this resource will remain largely inaccessible and underused.

The audit assessed whether, selected agencies are effectively facilitating access to PSI and whether whole-of-government leadership and oversight supports improved performance.

I found that ineffective whole‑of‑government leadership and governance has failed to drive the significant cultural and operational changes needed to achieve open access to PSI. The partial and compromised application of the government's IM framework is evidence of this deficiency.

In the context of these weaknesses it is not surprising that the three agencies examined in detail are not providing the public with full and open access to the information to which they are entitled. While none of these agencies had reached a level of maturity that fully facilitates access to PSI, I am encouraged by the progress of the Department of Health & Human Services and the State Revenue Office, and can see the potential for these agencies to reach maturity in the short term.

In light of the whole-of-government weaknesses, my conclusions and recommendations are likely to apply across the public sector beyond the selected agencies included in this audit.

Two recommendations for the Department of Premier & Cabinet (DPC) highlight its critical role in leading and overseeing the development and application of a whole-of-government IM Framework and improving compliance with the Freedom of Information Act 1982. The remaining five recommendations are designed to improve the practices of the three agencies in complying with current legislation and applying better practice IM principles and standards.

If acted upon effectively, these recommendations will provide the essential foundation for public sector agencies to give open access to PSI.

There is little prospect of delivering the significant benefits of open access if government's track record of a partial, siloed and compromised application is repeated. In practice, this means that Victorians are unlikely to experience the economic benefits and the enhanced, more transparent and accountable decision-making that open access to PSI can deliver.

I do not underestimate the challenges to develop and effectively apply the comprehensive IM framework that is needed. Our performance audits over the past 10 years have repeatedly found weaknesses with whole-of-government programs that were not adequately authorised, planned or coordinated.

This puts the onus on DPC to effectively oversee a comprehensive and rigorous approach to implementing the IM framework described in the government's response to the PSI Inquiry and in this report.

Signature of Dr Peter Frost (Acting Auditor-General)

Dr Peter Frost

Acting Auditor-General

December 2015

Audit summary

Background

All the information generated, collected, and funded by, or produced for government is known as public sector information (PSI). This includes structured data—traditional datasets that sit within databases—and unstructured data, or information, which includes all government records, emails, reports, briefings, photographs and more.

Governments around the world have committed to improving access to PSI to:

  • improve service outcomes—by providing relevant agencies with the quality and scope of information needed to effectively and efficiently deliver services
  • achieve greater accountability, transparency and engagement—by giving the community access to information to better understand agencies' performance
  • achieve greater levels of innovation and economic growth—by allowing businesses and citizens to use this information to create products and services.

In responding to the 2009 Parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data (PSI Inquiry), government committed to transform the way the public sector provides access to its PSI by adopting an 'open by default' approach.

Critical to this approach was the development of a whole-of-government information management (IM) framework to help public sector agencies:

  • adopt the default position of open access to all PSI available
  • establish and apply systematic and consistent practices for categorising, storing and managing PSI, because agencies cannot effectively provide access to information that is not effectively catalogued, stored and managed
  • only restrict access to PSI through the application of clearly defined criteria where this is required by law, contractual obligations, or national or state security
  • promote and facilitate increased access to, and re-use of, Victorian PSI
  • make information available at no or marginal cost using the least restrictive licensing arrangements.

Government also committed to develop a whole-of-government PSI directory so the public could know what information it held and how to access it.

Progress was dependent on a clear mandate to improve IM strong governance, and accountability through timely and comprehensive progress reporting to senior government representatives.

Successive governments have committed to improve access to PSI and transparency by improving freedom of information (FOI) legislation and practices, publishing government datasets, and publicly committing to open up government to greater scrutiny. Since the PSI Inquiry, providing open access to PSI—except where this would breach criteria showing that it would not be in the public interest—has remained a clear policy goal.

Government created a project sponsors' board to implement its response to the PSI Inquiry. By late 2011 the board developed the Public Sector Information Release Framework (PSIRF) covering government's commitment to implement a holistic whole-of-government IM framework.

By early 2012, the Department of Treasury & Finance (DTF) assumed responsibility for implementing PSIRF. However, instead of proposing the framework for government endorsement, it advised government to proceed with only a partial application of PSIRF. The proposed policy—the DataVic access policy—mandated the release of data held by public sector agencies through a centralised data portal. Government endorsed the proposed policy and did not mandate that agencies establish and apply systematic and consistent practices for categorising, storing and managing PSI.

Over 2011 and 2012, the Victorian Government Chief Information Officers' Council (CIOC) endorsed and released a set of better practice IM principles and standards. While not mandatory, nor applicable to Victoria's entire public sector, they closely match those proposed under PSIRF.

Audit objective

We examined the IM maturity and approach to providing public access to PSI of the State Revenue Office (SRO), the Department of Health & Human Services (DHHS) and the Department of Environment, Land, Water & Planning (DELWP).

We examined their progress in facilitating access to PSI and whether whole-of-government leadership and oversight has supported improved performance in this area, specifically by DTF, the Department of Premier & Cabinet (DPC), the Public Record Office Victoria and the Department of Justice & Regulation.

Conclusions

The agencies we examined are not providing the public with full and open access to the information to which they are entitled.

While progress has been made in some areas, the critical foundation of comprehensive and sound IM practices has been neglected. Agencies need to first understand and properly manage the PSI they hold before they can effectively facilitate public access to that information.

This outcome is explained by the partial and compromised implementation of the IM framework originally envisioned by government. This left agencies without consistent practices for categorising, storing and managing PSI, which are essential for effectively facilitating access to it. Ineffective whole-of-government leadership and governance of IM has failed to drive the significant cultural and operational changes needed to achieve open access to PSI.

Consequently, access to PSI has not significantly improved, and falls well short of the government's original intentions.

Findings

Facilitating public access to PSI

The agencies we examined are not adequately facilitating access to their PSI. None of the agencies examined have implemented consistent agency-wide approaches to identifying the PSI that should be proactively released.

While comprehensive information asset registers are an essential tool for facilitating public access to their PSI, none of the sampled agencies publish these. DHHS is, however, close to publishing its newly created information asset register. It follows that government's clear commitment to a whole-of-government PSI register remains unfulfilled.

Agencies also fall well short of fully complying with their obligations under Part II of the Freedom of Information Act 1982, to publish registers of the information they hold.

The guidance issued in 2012 to improve this situation allowed for agencies to adopt a minimalist approach to publishing information indexes, and is unlikely to have improved agencies' performance.

DTF and contributing agencies cannot demonstrate that the expected benefits of the DataVic access policy have been achieved. These benefits were:

  • stimulating economic activity through new, innovative services
  • increasing productivity through better decision-making
  • improving research outcomes
  • delivering services more effectively and efficiently.

The work in developing the DataVic access policy and populating the centralised DataVic portal deals with a subset of PSI and is at a low level of maturity. The use of dataset quotas has resulted in the release of easy to access, often low value data and the splitting of some datasets to achieve quotas. One exception to this finding is DELWP's freely available spatial datasets—data that identifies the geographic location, size and shape of objects on planet Earth, which is usually stored as coordinates and topology. These are published in their entirety and include valuable information.

Agency information management

We assessed agencies' maturity with respect to CIOC's better practice principles and standards and rated them as being:

  • 'formative'—the lowest level of achievement
  • 'in development'
  • 'progressing'
  • or 'established'—operating in line with better practice.

The three sampled agencies have not reached a level of maturity where they effectively manage the PSI they hold. Progress has been slow, has been disrupted by machinery-of-government changes and a focus on responding to the DataVic access policy, and has not provided the public with quality tools to make the majority of their PSI discoverable.

We found that none of the sampled agencies had fully established practices consistent with CIOC's principles and standards, and that performance varied.

Department of Health & Human Services

DHHS is 'progressing' to better practice, with strong IM governance structures, clear senior level support and a comprehensive IM strategy that is integrated with its corporate objectives and planning.

However, it has experienced repeated delays in implementing many of its improvement initiatives due to machinery-of‑government changes, the Sustainable Government Initiative—which aimed to reduce the number of public sector staff across all departments—and more recently, the need to incorporate the former Department of Human Services' information holdings, which were substantially less mature.

This means that many of these initiatives have only just commenced or are in their early stages, and DHHS needs to maintain its current momentum to achieve a fully mature IM environment.

State Revenue Office

SRO is 'in development', having made positive progress toward a more open approach to sharing its information with the public. In 2012, SRO began making multiple changes to how it manages its PSI to better facilitate access to it. These included establishing essential IM governance arrangements and implementing an information custodianship model.

However, a number of initiatives still need to be fully implemented to effect the necessary improvements. We are confident that this is likely with continued effort and senior level support.

Department of Environment, Land, Water & Planning

DELWP's approach to managing PSI is 'formative'. Like DHHS, DELWP has also been impacted by machinery-of-government changes and the Sustainable Government Initiative. However, it lacks even the foundational governance and oversight requirements needed to ensure effective public access to more than just its spatial data.

DELWP's spatial data has long been recognised for its high quality, and efforts to ensure that it is supported by mature and robust governance and management processes have made it one of Victoria's most valuable and highly used data sources. However, this is only a portion of DELWP's total PSI holdings, and it has not applied the same level of effort to other valuable PSI such as research documents, outsourcing service agreements, and risk and performance reports.

Whole-of-government leadership and oversight

There is an absence of whole-of-government leadership and oversight for implementing a comprehensive framework to enable access to PSI.

Changes in the leadership arrangements and the scope of the implementation of the government's response to the PSI Inquiry have been critical in shaping the failure to establish an 'open by default' approach to PSI.

The initial arrangements, with leadership provided by a senior, cross-government project sponsors' board, and the subsequent development of PSIRF, provided a solid foundation for delivering effective public access to PSI.

Following consultation with DPC, DTF informed government in August 2012 that the scope for PSIRF's implementation had been narrowed. This involved excluding the goals of increased transparency and accountability and focusing on innovation, greater productivity and improved service delivery. These goals would be pursued by releasing only datasets, rather than all PSI as intended.

Government signed off on this alternative to PSIRF—the DataVic access policy—however, DTF did not adequately explain the reasons for this change or the clear risks this created for meeting the goals and existing legislative requirements of providing open access to PSI.

Progress toward an 'open by default' approach includes the release of a whole-of-government intellectual property policy and a default form of licensing that allows for the easier re-use of PSI.

DPC also maintains a web portal to which agencies can link their published datasets, providing centralised access to the public <www.data.vic.gov.au>.

Despite this, in mid-2015 we found a fragmented and confused governance framework and a proliferation of numerous unconnected, overlapping and inconsistent plans. This sits in contrast to the advice from DTF and DPC soon after the government's response to the PSI Inquiry, which identified the need for strong oversight to achieve open access to PSI.

Whole-of-government leadership and oversight have been inadequate for developing and implementing a framework to effectively provide public access to PSI because:

  • a single point of accountability for the intended framework was not maintained—IM oversight and leadership had been removed
  • parts of the intended framework essential for achieving open access—such as developing and implementing systematic and consistent practices for categorising, storing and managing PSI—were left without authorisation and oversight
  • advocacy efforts of CIOC to promote improved IM in a small number of agencies lacked authority and were ineffective in driving the necessary changes
  • the implementation of just a portion of the government's commitment meant that only some of the components needed to provide open access have been progressed and reported on.

Recommendations

  1. That the Department of Premier & Cabinet, as the agency responsible for supporting the Freedom of Information Act 1982, provides improved guidance for agency compliance with Part II of the Act, monitors that compliance, and forms and implements a plan to:
  • help agencies improve their compliance with the section 11 requirement to comprehensively list the material that they hold
  • review and advise government on how to modernise the Act to achieve its objectives in a way that is best aligned with a modern information management environment and Victoria's records and information management standards.
  1. That agencies review and improve their compliance with Part II of the Freedom of Information Act 1982 within the current legislative framework.
  2. That agencies develop a proactive public sector information release program, using comprehensive information asset registers as a core tool for release decisions in accordance with the Information Management Governance Standard.
  3. That agencies assess their information management maturity using the Public Record Office Victoria Information Management Maturity Measurement Tool, determine what improvements are needed and implement a plan to achieve these.
  4. That agencies implement better practice information management principles and standards for asset custodianship and governance.
  5. That agency information management governance bodies implement an oversight program that includes management of freedom of information and provides assurance that staff are complying with its information management policies and procedures.
  6. That the Department of Premier & Cabinet works with agencies that have whole-of-government information management responsibilities and in consultation with the wider public sector, to develop a whole-of-government information management framework that:
  • applies to all forms of public sector information
  • includes open access to public sector information as a default position
  • incorporates the data release requirements of the Department of Treasury & Finance's DataVic access policy
  • includes effective implementation, governance and monitoring arrangements
  • is underpinned by appropriate legislation.

Submissions and comments received

Throughout the course of the audit we professionally engaged with the:

  • Department of Premier & Cabinet
  • Department of Treasury & Finance
  • Department of Health & Human Services
  • Department of Environment, Land, Water & Planning
  • Department of Justice & Regulation
  • State Revenue Office
  • Public Record Office Victoria.

In accordance with section 16(3) of the Audit Act 1994 we provided a copy of this report to those agencies and requested their submissions or comments.

We have considered those views in reaching our audit conclusions and have represented them to the extent relevant and warranted. Their full section 16(3) submissions and comments are included in Appendix C.

Back to top

1 Background

1.1 Introduction

1.1.1 Open access to public sector information

The importance of providing access to public sector information (PSI) is being increasingly recognised by government, business, research bodies, and the community at large.

As there are multiple definitions of PSI in Victoria, we have selected the one most consistent with the 2009 Parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data (PSI Inquiry) and the Inquiry committee's intended information management (IM) framework. Accordingly, in this report PSI includes all of the information that is generated, collected and funded by, or produced for government and is stored in all types of digital and physical media.

It is important to understand that the term PSI encompasses structured data—the traditional datasets that sit within databases—as well as unstructured data, or information—that includes all government records, emails, reports, briefings, photographs and more.

Governments across Australia and internationally have committed to improve access to PSI to:

  • improve service outcomes—by providing all relevant agencies with the quality and scope of information they need to effectively and efficiently deliver services
  • achieve greater accountability, transparency and engagement—by giving the community access to information to better understand agencies' performance
  • achieve greater levels of innovation and economic growth—by allowing businesses and citizens to use this information to create products and services.

Critical barriers to providing open access to PSI include agencies failing to:

  • understand and adequately manage their own PSI holdings—without recognising PSI as a valuable asset, assigning clear responsibilities for its management and ensuring that it is easy to discover and use, they cannot fully open it to the public
  • apply an 'open by default' approach, by identifying PSI as accessible to the public unless it meets clearly understood criteria that legitimately prevent its release
  • provide the tools the public need to understand what PSI they hold and how they can go about accessing it.

1.1.2 Victoria's commitment to open PSI

In its response to the PSI Inquiry, government committed to transform how the public sector provides access to the PSI it holds, by adopting an 'open by default' approach.

Government committed to helping public sector agencies:

  • adopt the default position of open access to all PSI
  • establish and apply systematic and consistent practices for categorising, storing and managing PSI
  • only restrict access to PSI through the application of clearly defined criteria where this is required by law, contractual obligations, or national or state security
  • promote and facilitate increased access to, and re-use of, Victorian PSI
  • develop a whole-of-government PSI directory so that the public can know what information is held by government and how to access it
  • make PSI available at no or marginal cost using the least restrictive licensing arrangements.

Government's response recognised two essential components of a successful approach to improving access to PSI—appropriate leadership, governance and accountability, and the implementation of an overarching IM framework.

Leadership, governance and accountability

Government's response recognised the need for a strong, appropriately authorised, whole-of-government governance framework if agencies were to achieve the type of transformation envisaged. The Department of Premier & Cabinet advised government about the scale of change required to achieve open access to PSI. Progress was dependent on a clear mandate to improve IM, strong governance, and accountability through timely and comprehensive progress reporting to senior government representatives.

Information management framework

The PSI Inquiry concluded that 'the best way for government to realise economic and efficiency gains from PSI is through the development and implementation of an overarching government information management framework'.

This framework was to provide government with systematic and consistent practices for categorising, storing and managing PSI. Doing this is essential to open access because agencies cannot effectively facilitate access to information that is not effectively catalogued, stored and managed.

1.2 Tools for facilitating access to PSI

1.2.1 Legislation and government policy

Open access to PSI, except where this would breach criteria showing that it would not be in the public interest, has remained a clear policy goal both before and since the PSI Inquiry. In responding to the Inquiry the government acknowledged the need to take account of legislative requirements in relation to personal information, privacy and confidentiality in developing an open access framework. Figure 1A describes how open access is embedded in legislation and policy.

Figure 1A

Open access requirements in legislation and government policy

Public Records Act 1973 and Records Management Standards

This Act and its standards mandate that access to public records is open, unless there is a justifiable reason for restriction or closure.

Freedom of Information Act 1982 (FOI Act) and the Freedom of Information (FOI) Obligations

The object of the FOI Act is to 'extend as far as possible the right of the community to access information in the possession of the Government of Victoria…'. This includes, 'creating a general right of access to information in documentary form in the possession of Ministers and agencies limited only by [necessary] exceptions and exemptions…'.

Section 16 notes that access to documents should be timely and inexpensive, and can occur outside the FOI Act:

  • Ministers and agencies shall administer this Act with a view to making the maximum amount of government information promptly and inexpensively available to the public.
  • Nothing in the FOI Act is intended to prevent or discourage Ministers and agencies from publishing or giving access to documents (including exempt documents), otherwise than as required by the FOI Act, where they can properly do so or are required by law to do so.
  • This is reinforced in the Attorney General's 2009 FOI Guidelines on the responsibilities and obligations of principal officers and agencies: 'freedom of information applications should be a means of last resort to gain access to information on the policies and activities of government'.

Ensuring Openness and Probity in Victorian Government Contracts Policy Statement (2000)

This policy requires agencies to publish, through a central register, details of contracts for the procurement of goods and services, and for the transfer of assets to the private sector. Contracts over $100 000 must be disclosed in summary and contracts over $10 million must be published.

Whole of Government Intellectual Property Policy (2012) and Guidelines (2015)

The policy is consistent with an open access approach, with the intent of granting rights to the state's intellectual property in a manner that maximises its impact, value, and accessibility consistent with the public interest. The guidelines stipulate how public sector agencies should identify, record, value and manage intellectual property so they can achieve the policy intent.

DataVic access policy Standards and Guidelines (2013)

The intent of this policy is to make public sector datasets freely available with minimum restrictions, and this includes proactively removing cost as a barrier to access.

The guidelines emphasise the need to implement the IM framework's standards for creating an information asset register and putting in place governance arrangements to ensure the effective management of, and accountability for, the datasets they hold.

Financial Reporting Directions—FRD22F: Standard Disclosures in the Report of Operations (2015)

The directions require agencies to disclose certain information in annual reports, including organisational charts, key initiatives and projects, consultancy expenditure, and government advertising expenditure.

Source: Victorian Auditor-General's Office summary of legislation, standing directions and government policies.

1.2.2 Information asset registers and metadata profiles

The PSI Inquiry report and government's response highlight that the failure to adequately identify and describe information critically undermines public access. In particular, the PSI Inquiry stated that 'one of the most critical issues to consider when improving access to PSI is the means by which information and data owned by government can be identified'.

Government accepted the PSI Inquiry's recommendation that metadata be a key aspect of the government's open access policy and IM framework. It also accepted recommendations that agencies create information asset registers and apply metadata to agency PSI.

1.2.3 Part II of the Freedom of Information Act 1982

Part II of the FOI Act has been in place since 1982 and requires agencies to publish material so the public can understand what PSI they hold and how to access it.

Part II requires agencies to publish statements—also called indexes—that specify their PSI, such as policies and procedures, documents used in making decisions affecting persons and in enforcing Acts and schemes that they administer, together with reports, advice and recommendations created in or for the agency. Figure 1B summarises the requirements.

Figure 1B

Summary of FOI Act Part II requirements

Part II of the FOI Act is designed to assist the public by providing information about what the agency does, how it acts, what information it holds and how to access the information. Specifically, agencies are required to publish and annually update statements—also called indexes—describing:

  • under sections 7 and 8, their functions, how they are organised, procedures for requesting access to documents, a list of internal bodies whose meetings are open to the public and of documents available for inspection and purchase
  • under section 11:
    • documents containing advice or recommendations from prescribed bodies, committees or organisations set up by the agency or interdepartmental committees involving the agency
    • reports prepared for the agency by internal staff or external consultants and experts
    • reports on the performance or efficiency of the agency, plans or proposals for reorganising the agency or establishing new or modifying existing policies, programs and projects
    • drafting instructions for legislation and submissions prepared within the agency for Cabinet—except for those made by the responsible minister.

In addition, under section 10, the Premier is required to publish on a continuing basis a register containing details of the terms of all Cabinet decisions made, as well as the reference number assigned to each such decision and the date on which the decision was made. This information shall be entered on the register at the discretion of the Premier.

Source: Victorian Auditor‑General's Office based on the FOI Act.

1.2.4 Data portals and PSI directories

Data portals—also known as data directories—allow users to search for, locate, download and re-use data for commercial or non-commercial purposes, through common metadata profiles. A whole-of-government data portal enables users to access data stored on the websites of public sector bodies.

Where the portal provides access to both structured and unstructured data—i.e. information—they are also referred to as PSI directories.

Government's response to the PSI Inquiry committed to establishing a whole-of-government PSI directory.

1.3 Government PSI initiatives

1.3.1 The Public Sector Information Release Framework

Government created a project sponsors' board to implement its response to the PSI Inquiry. By late 2011 the board had developed the Public Sector Information Release Framework (PSIRF) that addressed government's commitment.

By early 2012 the Department of Treasury & Finance assumed responsibility for PSIRF's implementation. However, instead of proposing the framework for government endorsement, it advised government to proceed with only a partial application of PSIRF. The proposed policy—the DataVic access policy—mandated the release of data held by public sector agencies through a centralised data portal. Government endorsed the policy, without mandating that agencies implement the underpinning actions of establishing and applying systematic and consistent practices for categorising, storing and managing PSI.

1.3.2 Victorian information management principles and standards

In 2011 and 2012, Victoria's Chief Information Officers' Council (CIOC) released a non-mandatory set of IM principles and standards that applied to government departments, VicRoads, Victoria Police and the State Revenue Office. Figure 1C summarises the high-level principles guiding IM, and the two standards that partially cover the application of these principles.

These principles closely match those proposed under PSIRF for the effective management of PSI. While the standards released by CIOC largely mirror PSIRF's intentions relating to agency information governance and custodianship, a number of additional intended PSIRF standards—in particular, those relating to metadata, information release, and charging for PSI—were not developed.

Figure 1C

CIOC IM principles and standards

IM principles

1. Information is recognised as a valuable asset—agencies develop an information asset register, integrate IM into their organisational planning and educate and encourage staff to exploit information to the full.

2. Significant information assets are managed by an accountable custodian—agencies manage significant information assets through their life cycle in line with their security risk profile, privacy, confidentiality and other statutory requirements. Agencies define roles and responsibilities in the management of these assets (custodianship model) and educate staff on their responsibilities.

3. Information meets business needs—custodians work with users to determine business needs and to manage, maintain and communicate information quality. Information use should be considered as it is being collected or developed and data quality statements are developed for significant information assets. Agencies put processes in place to improve data quality and work towards a single point of truth for key information assets.

4. Information is easy to discover—agencies describe information using appropriate metadata, appropriately restrict access on the basis of security, privacy, confidentiality or commercial risks and work towards a common, cross-government information directory and other mechanisms for facilitating information discovery.

5. Information is easy to use—agencies adopt and work towards using common standards across government for collecting, defining, storing and sharing information. Custodians work with users to define appropriate standards and sufficient metadata is provided to potential users so they know how to use information.

6. Information is shared to the maximum extent possible—agencies manage information with sharing, collaboration and interoperability in mind, and facilitate and actively promote sharing in accordance with security and statutory requirements. Agencies seek to re-use and build on existing information, release information to the public where appropriate while applying licences to promote reuse.

IM standards

  • Standard 1 Information Asset Custodianship—significant information assets must be registered and assigned an accountable custodian in accordance with this standard.
  • Standard 2 Agency Information Management Governance—agencies must establish and maintain an Information Management Governance Committee to lead, monitor and report on IM activities in accordance with this standard.

Source: Victorian Auditor-General's Office based on three Victorian Government CIOC documents—Whole of Government Principles: Information Management Principles (September 2011), Victorian Government Standard: Agency IM Governance (July 2012), Victorian Government Standard: Information Asset Custodianship (June 2012).

In 2013, the Public Record Office Victoria released an Information Management Maturity Measurement Tool—also referred to as the IM3. The tool is designed to assess agency IM practices and their alignment with the standards of the Public Records Act 1973 and CIOC.

While a 2012 guideline released by CIOC states that compliance against their standards would be measured through a coordinated survey, this never occurred.

1.3.3 DataVic access policy

The DataVic portal was first established in 2010, the accompanying policy was released in August 2012, and the standards for releasing datasets in February 2013.

The government's DataVic access policy mandated the use of the DataVic portal. The former government's information and communications technology strategy set quotas for the number of datasets that agencies were required to make available through the DataVic portal.

1.4 Audit objectives and scope

This audit examined agencies' progress in facilitating access to PSI and whether:

  • whole-of-government leadership and oversight has supported improved performance in this area
  • sampled agencies have effectively implemented the better practice IM essential to facilitating open access to PSI
  • sampled agencies are effectively facilitating access to the PSI they own and hold
  • sampled agencies and the Department of Treasury & Finance, in its oversight role, are achieving the DataVic access policy objectives.

The agencies with whole-of-government responsibilities included in this audit are the Department of Treasury & Finance, the Department of Premier & Cabinet, the Public Record Office Victoria and the Department of Justice & Regulation.

The sampled agencies, where we examined the application of open access were the State Revenue Office, the Department of Health & Human Services and the Department of Environment, Land, Water & Planning.

1.5 Audit method and cost

The audit was conducted in accordance with the Australian Auditing and Assurance Standards. Pursuant to section 20(3) of the Audit Act 1994, unless otherwise indicated any persons named in this report are not the subject of adverse comment or opinion.

The cost of the audit was $420 000.

1.6 Structure of this report

This report has three further parts:

  • Part 2 examines how well sampled agencies have facilitated access to their PSI
  • Part 3 examines the quality of the IM that underpins the sampled agencies' access to PSI
  • Part 4 examines whole-of-government leadership and oversight.

Back to top

2 Facilitating public access to public sector information

At a glance

Background

A critical component of providing the public with access to the public sector information (PSI) that agencies hold is communicating what PSI is held and if and how a member of the public can access this information. This Part discusses how well agencies facilitate public access to PSI.

Conclusion

The agencies we examined are not adequately facilitating access to their PSI and are not fully meeting the requirements of Part II of the Freedom of Information Act 1982 (FOI Act). Agencies have complied with the DataVic access policy's dataset release quotas, but there is no evidence to demonstrate that this has resulted in its intended benefits.

Findings

  • Agencies do not publish comprehensive information asset registers, which are an essential tool for facilitating public access to their PSI.
  • Agencies have not implemented consistent agency-wide approaches to identifying PSI for proactive release.
  • Agencies do not fully comply with the FOI Act's Part II requirements.
  • Agencies have largely achieved targets for the number of datasets posted on the DataVic site. However a quota-driven approach has not encouraged agencies to prioritise posting datasets that are likely to best deliver on the policy's intended benefits. This, combined with the basic functionality of the DataVic portal, means the policy is falling well short of its potential.

Recommendations

  • That the Department of Premier & Cabinet provides improved guidance for agency compliance with Part II of the FOI Act, monitors that compliance, and advises government on how the Act should be modernised.
  • That agencies review and improve compliance with Part II of the FOI Act.
  • That agencies develop a proactive PSI release program.

2.1 Introduction

A critical component of providing the public with access to the public sector information (PSI) agencies hold is communicating what PSI is held and if and how a member of the public can access it. This Part discusses how well agencies facilitate public access to PSI by examining whether they:

  • provide tools that enable the public to fully understand what PSI they hold and how to go about obtaining it, including a published information asset register and clear approach to the proactive release of PSI
  • more specifically meet their long-standing obligations under Part II of the Freedom of Information Act 1982 (FOI Act) to publish indexes that help the public understand what PSI they hold and how to access it
  • apply the DataVic access policy in a way that achieves government's intended objectives of innovation, improved productivity and improved services through providing access to the datasets they hold.

2.2 Conclusion

The agencies we examined are not providing the public with full and open access to the information to which they are entitled.

Sampled agencies do not publish comprehensive registers, which are an essential tool for facilitating public access to their PSI. Nor have they implemented consistent agency-wide approaches to identifying the PSI that should be proactively released. The Department of Health & Human Services (DHHS) is, however, close to publishing its newly created register.

These agencies have not fully met the requirements of Part II of the FOI Act. The guidance issued to improve this situation in 2012 was inadequate and is unlikely to have improved agencies' performance.

Along with the Department of Treasury & Finance (DTF), the sampled agencies cannot demonstrate that their application of the DataVic access policy has resulted in the intended benefits of stimulating economic activity through new, innovative services, increasing productivity through better decision-making, improving research outcomes and delivering services more effectively and efficiently. While agencies have largely achieved targets for the number of datasets posted, the quota-driven approach has not encouraged agencies to prioritise posting datasets that are likely to best deliver on the policy's intended benefits. This, combined with the DataVic portal's basic functionality, means the policy is falling well short of its potential.

2.3 Tools critical for public access to PSI

Part 1 of this report identifies a number of tools that can be used to effectively facilitate access to PSI. The most critical is a comprehensive, accessible information asset register, supported by a consistent approach to the proactive release of PSI. The agencies we examined currently do not publish this type of register and have not applied a consistent cross-agency approach to the proactive release of the PSI that they hold.

2.3.1 Information asset registers

The agencies we examined do not publish information asset registers, and the Department of Environment, Land, Water & Planning's (DELWP) does not have an information asset register, as required by the Information Management Governance Standard. Consequently, the public has no way to understand the agencies' full PSI holdings, limiting—and in some cases, even removing—their ability to access the PSI that they hold.

Agencies often point to their websites as the repository of information of relevance and value to the public. However, this approach to information disclosure and providing access is inadequate. Discovery of information depends on the search skills of the person examining the website, what agencies have placed there, and the way in which they have stored and described information within the site.

There are specific weaknesses in relying on users' research skills as a substitute for a public information asset register:

  • Information assets may not be published on the website—or at all—and are therefore not able to be located this way. Examples include agency contracts and unpublished internal reports, datasets, and performance information.
  • A range of information assets might be considered exempt from open access and excluded from website publication listings. However the 2009 Parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data considered that a register should be comprehensive in identifying all PSI and clearly showing where access to particular information assets has been restricted.
  • Those seeking a specific information asset may not know its title or how the agency has categorised it, rendering discovery through a website or publication search difficult, if not impossible.
  • Websites are becoming increasingly complex and multi‑layered and this is likely to make finding information more challenging and time consuming.

Information asset registers have the potential to address these weaknesses. We note that DHHS is close to publishing its recently created information asset register.

2.3.2 A consistent approach to the proactive release of PSI

The absence of a coordinated approach to identifying PSI for release can result in decisions being subjective, and being made without a full understanding of the different legislative considerations. For example, under the Public Records Act 1973, access to a record is open unless there is a justifiable reason for restriction or closure. Under the FOI Act, where access is open the record is expected to be made available.

None of the agencies we examined applied a consistent, cross-agency approach to the proactive release of PSI. We also found no evidence of agency FOI staff working with information management (IM) staff to identify PSI for release.

Instead, decisions about proactive release were being made at the business unit level on a case-by-case basis. This may or may not include consultation with FOI staff, who have no authority to require business units to release their information outside of applications made under the FOI Act.

There appears to be a general perception that if information is required to be restricted from general public access, there is no obligation for agencies to make the public aware that such information exists.

Figure 2A illustrates how a recent DELWP initiative—the upcoming Know Your Council website—while being a positive and important step in facilitating public access to government information, is not fully consistent with an open access approach to PSI.

Figure 2A

DELWP's approach to proactive release

The premise of open access to PSI is that it is made freely available for everyone to use, re-use and distribute with, at most, the requirement to attribute and share-alike(a).

As part of the upcoming 'Know Your Council' website, citizens will have unrestricted access to a dataset of all 66 performance measures of all 79 councils. This is a very positive first step toward improving public access to PSI, and a welcome innovation that enables the public to better understand council performance.

However, while this represents improved access to PSI, it falls short of being open access.

To fully understand a performance measure, it is also necessary to understand the data that sits underneath it (the 'raw data'). This data will not be publicly accessible.

DELWP advised us that councils commented that there was a possibility that a portion of the raw data underpinning the performance measures could be commercial‑in‑confidence—as a result of individual councils having entered into contracts with private providers.

DELWP did not seek to identify the specific measures for which the councils' raw data was commercial-in-confidence, with a view to opening up the data as much as possible by:

  • obtaining permission to publish the data, or
  • developing an acceptable 'work-around' so that the only restricted data would be that which was clearly restricted by law.

In response to the advice it received from councils, DELWP decided that it would not publish any of the raw data.

(a) Share-alike is a copyright licensing requirement for copies or adaptations of works to be released under the same or similar licence as the original work.

Source: Victorian Auditor-General's Office adapted from documentation provided by DELWP.

2.4 The FOI Act—Part II compliance

The agencies examined do not fully comply with the Part II requirements of the FOI Act to publish registers of the documents that they own or hold.

Agencies often provide a wide range of PSI through their websites, easily meeting the requirements of sections 7 and 8 of the Act. However, they fail to meet section 11 requirements to specify the particular documents and reports generated each year. Instead, agencies provided a general statement and, at best, a snapshot of the kinds of documents they hold.

Agencies may very well be making some or all of the relevant information available to the public through their websites and other publications. However, without such registers, it is unlikely that the public will understand what is available and therefore access to it is impeded.

It is important to understand that the FOI Act was passed in a predominantly paper-based environment and is now a significantly outdated piece of legislation. Agencies argued that the 'digital age' renders such registers unnecessary as they now simply publish straight to their websites. Section 4.3.1 of this report describes the weaknesses and flaws in this approach.

On the contrary, the 'digital age' means the use of registers is essential. The number of potential places where PSI may be held within a website's many pages means that discovering the exact information wanted is more difficult, making the register a key navigational tool.

We have seen no evidence that the agencies examined maintain an internal, comprehensive list of their documents and we conclude that they are not currently in a position to comply with this requirement. This shortfall was identified by the Ombudsman's 2006 report Review of the Freedom of Information Act 1982, but no meaningful action has been taken.

We also established that the Department of Premier & Cabinet has never published a register of Cabinet decisions. While the content of such a register is at the discretion of the Premier, its existence is mandated by law.

2.4.1 Explaining FOI Act Part II compliance shortfalls

The Ombudsman's 2006 report concluded that:

  • '…few Victorian agencies fully comply with the publication requirements of Part II statements' …'This affects applicants' knowledge of the documents available and their ability to clearly frame requests.'
  • 'It is not acceptable for departments and other agencies to ignore statutory provisions or to choose to implement those provisions as they see fit and not in accordance with the statute.'

The 2006 report recommended that government agencies review their compliance with Part II, that government review, as a matter of urgency, Part II with a view to modernising and improving the publication scheme, and that the former Department of Justice (DOJ)—the agency responsible for the Act at that time—should monitor agencies' compliance with Part II.

DOJ prepared proposed legislative amendments to the FOI Act in 2008, including:

  • the kind of information to be published on the agency's own website or another agency or government website
  • how frequently the information is to be published, reviewed and updated
  • the form in which the information is to be published
  • the circumstances in which an agency may publish information on behalf of another agency.

However, these amendments were not passed.

VAGO's 2012 report, Freedom of Information, recognised the challenges of meeting obligations that were crafted in a different technological age, but recommended that DOJ provide guidelines to help agencies meet their obligations.

We found that no meaningful progress has been made towards improving agencies' compliance with Part II of the FOI Act and better using Part II statements to communicate what information agencies hold.

DOJ's efforts to better guide agencies about their Part II responsibilities were inadequate. Practice Note 14, issued in response to our Freedom of Information audit, infers that agencies can acquit their requirements through a statement describing what the agency does, how a person can access information, and through a 'snapshot of the types of documents held'. This creates the potential for agencies to use compliance with this instruction as a mechanism to avoid listing the specific documents they hold.

DOJ's more detailed guidance relating to Section 11 states only that the agency must make a wide range of materials available. It fails to explain that agencies must specify the documents in a register or index.

The nature of this guidance helps to explain the inadequacy of the statements produced by the agencies examined in this audit.

DOJ published the guideline before it handed over its FOI responsibilities to the FOI Commissioner. DOJ has not provided any evidence describing how it implemented and evaluated the impact of these guidelines or that it had assessed and managed the risks to improving compliance prior to handing over responsibility.

We found that agencies used this guidance to justify their clear lack of compliance with the Part II requirements. For example DHHS stated that 'The department acknowledges Part II statements could be more detailed. The department took the reasonable approach of following the guidance issued by DOJ, the agency previously responsible for the FOI Act'. DELWP also advised us that the content of its Part II statements were framed to meet the requirements as set out in DOJ's guidance.

2.4.2 Implications of the lack of compliance with Part II of the FOI Act

Providing a comprehensive listing of information held by agencies is critical to effectively facilitating public access to PSI. The current system is in a state of disarray where we are not confident agencies understand what PSI they hold and we are certain that they are not providing the public with the means to request this information.

Currently the absence of a rigorous approach to managing information and publishing comprehensive registers has significant implications for public access and the sharing of information across government.

2.5 Application of the DataVic access policy

The application of the DataVic access policy is at a relatively low level of maturity and needs to be improved. In this section we examine:

  • the limitations inherent in the approach to making datasets available, describing the weaknesses of a quota-driven approach and limited functionality in the way these data are presented to the public
  • the absence of a structured approach to assessing the achievement of the policy's intended outcomes.

2.5.1 Meeting data release quotas

In January 2015, DTF reported to government on the negative impacts of the quota-driven approach to dataset publication. Specifically, the report confirmed that this approach resulted in agencies quickly releasing large volumes of data. However, it also encouraged them to reach their quotas by releasing their low-value data and splitting their large datasets into many smaller ones.

We observed several examples of this type of dataset splitting during the audit as shown in Figure 2B.

Figure 2B

'Split' datasets observed in the DataVic portal

  • DHHS provides on its website, and in one EXCEL workbook, comparative health data for 79 local government areas. DHHS posted these profiles on the DataVic portal as 79 separate datasets—one EXCEL workbook for each council area. More recently it added the single, comparative workbook while retaining the individual council datasets. This approach inflates the number of datasets posted while potentially confusing a member of the public examining this information.
  • DTF publishes quarterly expenditure against approximately 44 of its State Purchasing Contracts for 2010–11 and 2011–12 as individual datasets. Data for 2012–13, 2013–14 and 2014–15 is not available via the portal.
  • The State Revenue Office appears to take a similar approach and posted several individual rather than combined datasets on the portal for:
    • Insurance Duty from 2000–01
    • Land Tax from 2000–01
    • Land Transfer Duty from 2000–01
    • Motor Vehicle Duty from 2000–01
    • Payroll Tax from 2000–01
    • Total revenue collected by the State Revenue Office from 2000–01
    • Congestion Levy from 2005–06
    • Growth Areas Infrastructure Contribution from 2011–12
    • Fire Services Property Levy from 2013–14

Source: Victorian Auditor‑General's Office based on DataVic portal.

Setting dataset release quotas has made the portal more difficult to navigate and, in some cases, made it more complicated to collate and analyse data. Combining datasets where appropriate allows public users to compare data more efficiently and effectively. In the DTF example cited in Figure 2B, instead of there being one dataset with all contract expenditure data, there are 44, and for the DHHS example, instead of one dataset, there are 80.

Functionality and ease of use of the DataVic portal

Our examination of the DataVic portal shows it to be at a low level of maturity.

The portal has recently been improved to provide 15 categorised 'sub‑portals' to help a user find the information of interest. However, this has only marginally improved the site's functionality and ease of use.

There are several weaknesses in the DataVic portal:

  • Data ownership—the number of datasets shown in the organisational listing and the number shown by searching using the organisation's name often differ.
  • Links to datasets—we found multiple instances of links being broken for extended periods. In these cases, the portal simply refers the user to the agency website. This degrades the user experience and defeats the portal's purpose.
  • Metadata profiles—little beyond the dataset's title and a few words of description are accessible without drilling down into the record. The exception to this is DELWP's spatial datasets. Providing a consolidated view of the basic metadata profiles of each dataset would increase users' ability to access the data that they are seeking without needing to guess its owner, title, assigned category, and other attributes.
  • Data quality—currently, including this information is optional and we found very few examples where agencies had elected to provide a data quality statement for its datasets. Again, the clear exception to this is DELWP, whose spatial data includes a rich metadata profile for each of its datasets that enables a full understanding of the data being made available.

2.5.2 Demonstrating the achievement of policy objectives and managing the risks

There is no framework in place to measure the achievement of the DataVic access policy's intended outcomes and agencies have no clear idea about the extent to which the policy has been a success.

Performance reporting to government is confined to the number of datasets being released. We found no assessment of their contribution to the government's intended outcomes of:

  • economic stimulation
  • improved productivity
  • better access for researchers to critical and useful data
  • improvements to the efficiency and effectiveness of government through improved management practices and the better use of data.

DTF has demonstrated an understanding of the current weaknesses in the application, evaluation and oversight of the policy that are constraining its potential. We have seen evidence of recent activity by DTF to change the focus from data release quotas to value-adding releases. The approach includes consulting with data providers and likely data user groups to raise awareness of the benefits of information sharing, enhance government's understanding of user demand for PSI, and increase that demand.

DTF has also commenced a project to encourage the adoption of creative commons licensing by agencies for appropriate documents and websites.

However, many of the actions to address the policy's weaknesses are still in the planning phase and need to be progressed. They also lack consideration of the importance of agencies first implementing the whole-of-government IM principles and standards to achieve the policy's intended outcomes.

The success of any efforts to increase demand for PSI depends on users first being able to understand what exists in agencies' information holdings. This requires agencies to publish comprehensive and well-structured information asset registers.

DTF needs to revise its approach to implementing the DataVic access policy by:

  • helping agencies move from a quota focus to prioritising the publication of high-value data collections
  • developing and applying an evaluation framework to better understand the potential and realised benefits, as the basis for better using resources to deliver on the intended benefits
  • integrating the policy into a more comprehensive whole-of-government IM framework.

Agencies also need to adopt a methodical, fully informed approach to dataset release based on an assessment of the costs and policy benefits.

Recommendations

  1. That the Department of Premier & Cabinet, as the agency responsible for supporting the Freedom of Information Act 1982, provides improved guidance for agency compliance with Part II of the Act, monitors that compliance, and forms and implements a plan to:
  • help agencies improve their compliance with the section 11 requirement to comprehensively list the material that they hold
  • review and advise government on how to modernise the Act to achieve its objectives in a way that is best aligned with a modern information management environment and Victoria's records and information management standards.
  1. That agencies review and improve their compliance with Part II of the Freedom of Information Act 1982 within the current legislative framework.
  2. That agencies develop a proactive public sector information release program, using comprehensive information asset registers as a core tool for release decisions in accordance with the Information Management Governance Standard.

Back to top

3 Agency information management

At a glance

Background

This part examines information management (IM) practices in a sample of agencies and rates agencies' maturity using the Victorian IM better practice principles and standards.

Conclusion

None of the sampled agencies had fully established practices consistent with the better practice principles and standards.

Findings

  • The Department of Health & Human Services (DHHS) is progressing to better practice, with strong IM governance, clear senior level support and a comprehensive IM strategy. However, many initiatives are still in their early stages.
  • The State Revenue Office (SRO) has established good foundations, and is refining its IM approach, with many plans in development.
  • The Department of Environment, Land, Water & Planning has formative IM practices and has not yet established the minimum framework needed to effectively manage all of its public sector information (PSI).
  • While none of the agencies have reached a level of maturity that fully facilitates access to their PSI, there is evidence that all are working towards this and that DHHS and SRO can potentially achieve this in the short term (one to two years).

Recommendations

That agencies:

  • assess their IM maturity using the Public Record Office Victoria's Information Management Maturity Measurement Tool and address any deficiencies
  • implement better practice IM principles and standards for asset custodianship and governance
  • implement an oversight program that provides assurance that staff are complying with IM policies and procedures.

3.1 Introduction

This part examines information management (IM) practices in a sample of agencies as these practices critically determine how easily the public can access their public sector information (PSI).

Section 1.3 discussed the Victorian IM principles and standards including:

  • establishing appropriate IM governance and custodianship arrangements
  • developing and maintaining an information asset register for significant information assets and assigning responsibility for the assets to custodians
  • establishing policies and processes to ensure that information assets are fit for purpose as they are being created or received, including information quality management and access mechanisms
  • ensuring information is easy to discover by applying appropriate metadata
  • adopting common IM standards, and contributing to a cross-government PSI directory and other information access mechanisms
  • devising systems and encouraging behaviours for sharing information to the maximum extent possible.

The 2009 Parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data also recognised that one of the biggest barriers to improving access to PSI is agencies not cataloguing information in a way that it can be identified or discovered. Hence the importance in creating comprehensive and accurate information asset registers that are populated with metadata describing the information held, its location, content, how it has or could be used, and its quality.

We assessed the IM maturity of the:

  • Department of Health & Human Services (DHHS)
  • State Revenue Office (SRO)
  • Department of Environment, Land, Water & Planning (DELWP).

3.2 Conclusion

None of the sampled agencies had fully established practices consistent with the Victorian IM principles and standards and their performance varied:

  • DHHS is progressing to better practice, with strong IM governance, clear senior level support and a comprehensive IM strategy. However, many initiatives are still in their early stages.
  • SRO has established good foundations, and is refining its IM approach, with many essential plans and projects in development.
  • DELWP only has formative IM practices and has not yet established the minimum framework needed to effectively manage all of its PSI.

While none of the agencies has reached a level of maturity that fully facilitates access to their PSI, we saw evidence that all are working towards this and that DHHS and SRO have the potential to achieve this in the short term.

A key reason for the slow progress in improving PSI practices is the absence of a coherent and appropriately authorised whole-of-government governance framework to help agencies. It is therefore likely that the problems seen at DHHS, SRO and DELWP will be replicated at the vast majority of public sector agencies.

Where agencies are not effectively managing their PSI, there is little confidence that they are able to effectively facilitate access to it. Agencies that are not facilitating access to their PSI are failing to uphold one of the fundamental tenets of a democratic government.

3.3 Public sector information management

3.3.1 Agency information management

We assessed agencies' maturity with respect to the Victorian Government IM principles and standards and rated them as either:

  • formative (~) where there is no agency-wide IM strategy, senior level support or adequate governance, and improvements are generally reactive
  • in development (✔) where good IM structures are in place, but gaps remain where they are not being effectively applied
  • progressing (✔✔) where the approach to IM is structurally sound, but not yet fully applied to all PSI
  • established (✔✔✔) where agencies can demonstrate that they are effectively applying the better practice principles and standards in managing their entire information holdings and can provide assurance about information quality.

A comprehensive description of these ratings can be found in Appendix A.

Figure 3A shows the overall ratings for the three sampled agencies as:

  • 'progressing' to better practice for DHHS
  • 'in development' for SRO because it is refining its IM structures and processes
  • 'formative' for DELWP because it had not yet established the minimum framework needed to effectively manage its entire PSI holdings.

Figure 3A

Information management maturity assessment

Criteria

Ratings

DHHS

SRO

DELWP

1. Information is recognised as a valuable asset

✔✔

✔✔

~

2. Significant information assets are managed by an accountable custodian

✔✔

~

3. Information meets business needs

~

4. Information is easy to discover

✔✔

5. Information is easy to use

~

6. Information is shared to the maximum extent possible

~

~

~

Overall assessment

✔✔

~

Source: Victorian Auditor‑General's Office.

3.3.2 Department of Health & Human Services

We rated DHHS as progressing in its IM maturity.

In terms of positive IM attributes, DHHS has:

  • a strong IM governance framework with clear senior level support
  • a comprehensive IM strategy that is integrated with its corporate objectives and planning
  • frequently assessed its maturity and acted to continuously improve it.

These positive attributes have to be balanced against the need to:

  • fully implement its IM strategy's objectives and actions
  • fully populate its asset register to cover all of its information holdings
  • ensure that the register includes metadata that fully describes each information asset
  • implement its agreed IM training program
  • publish its information register to appropriately facilitate public access to its PSI and to comply with Part II of the Freedom of Information Act 1982 (FOI Act)
  • develop and implement a program for proactive PSI release—with clear and structured processes and criteria for assessing and authorising restrictions to an 'open by default' approach.

DHHS is now clearly on a pathway to improving its IM. However, progress towards applying the whole-of-government principles and standards has been slow and inconsistent. It is essential that DHHS maintains its current momentum and fully applies its IM framework to its PSI.

For DHHS, machinery-of-government changes since 2009 and job cuts made through the Sustainable Government Initiative (SGI), which aimed to reduce the number of public sector staff across all departments, between 2011 and 2013 impeded the application of these principles and standards. Figure 3B shows how the changes disrupted progress towards better practice IM.

Figure 3B

The impact of machinery-of-government changes and SGI cuts on DHHS IM

Event

Impact

August 2009 machinery-of-government change:

DHHS split into Department of Health (DH) and Department of Human Services (DHS)

  • Departmental information asset register—consisting almost entirely of health data—not maintained after October 2010
  • Disrupted human services IM reform project

Between 2011 and 2013—SGI cuts(a)

DHS loses 659 staff—IM staff reduced from 10 to 0.5

  • Critically slowed DHS' progress in improving its IM

December 2014 machinery-of-government change:

Re-amalgamated DH and DHS into DHHS

  • Slowed application of DH reform program because of need to realign the framework and incorporate less advanced DHS practices in the process

(a) From <http://www.afr.com/news/policy/industrial-relations/victoria-cuts-4000-public-service-jobs-to-save-surplus-20131021-jgvgd>.

Source: Victorian Auditor‑General's Office based on information provided by DHHS.

We do not want to understate the scale of the challenge DHHS faces in fully applying the IM framework that it has built. The former DHS has a significantly larger amount of unmanaged information in its holdings than the former DH, and its IM practices have been criticised by VAGO in the 2012 audit report on Freedom of Information, and the Ombudsman in the 2012 report on its Own motion investigation into the management and storage of ward records by the Department of Human Services.

Figure 3C illustrates this by describing the challenges presented in effectively managing the large volume of records for former wards of the state. It illustrates the scale of the tasks, what DHHS has and is doing, and the significant risks that remain.

Figure 3C

Ward of the state records

In 2012, the Victorian Ombudsman found that DHS was holding around 80 linear kilometres of historical records in boxes, a 'considerable portion' of which had not been inspected or indexed. These boxes included collections relating to former wards of the state and the institutions responsible for their care, as well as those relating to child migrants and aboriginal children removed from the care of their families and placed in institutional care.

The former DHS' failure to index these critical records over the years significantly compromised its ability to effectively respond to FOI requests. As a result, DHS would not have been able to give any applicant any assurance that they were being given all the existing records about themselves.

The former DHS commenced implementation of a Ward Records Plan in 2012 and has now indexed a large number of ward records. However, more records are yet to be indexed—such as its mental health records collection. DHHS advised us that it will complete the indexing of all DHHS ward, disability and mental health files by September 2016 and is reporting progress quarterly to the Ombudsman.

DHS—now DHHS—was required to notify the Royal Commission into Institutional Responses to Child Sexual Abuse that there was an inherent risk of it being unable to provide certainty over the completeness of records provided in response to a summons.

This risk, of course, also extends to former wards currently or previously seeking access to information about themselves and their time in care. This risk will continue as long as DHHS holds records that could potentially hold evidence of abuse of wards of the state and where the contents of those records is unclear.

Further, while this risk may decrease with the decrease in records still to be indexed, this must be weighed against the value that they hold to an abuse survivor who is required to demonstrate evidence of abuse in order to access redress opportunities.

The 2012 Ombudsman report estimated that from 1960 to 1986, there were at least 50 000 wards of the state and that approximately 21 per cent of searches for records relating to FOI requests by former wards resulted in no documents being found.

Source: Victorian Auditor‑General's Office.

3.3.3 State Revenue Office

We rated SRO as 'in development' with respect to its IM maturity.

In terms of positive IM attributes, SRO has:

  • a strong IM governance framework with clear senior level support
  • assessed its IM maturity and used the findings to develop improvement plans
  • developed and implemented an information asset register and PSI custodianship arrangements.

These positive attributes have to be balanced against the need to:

  • implement its IM strategy
  • focus on using its information asset register for information assets, rather than repositories and software, and include metadata that fully describes each information asset
  • improve custodianship arrangements so that their responsibilities include ensuring information assets are discoverable, easy to use and shared to the maximum extent possible
  • implement an IM training program
  • implement IM performance monitoring
  • publish its information register to facilitate public access to PSI and to comply with Part II of the FOI Act
  • develop and implement a program for proactive PSI release—with clear and structured processes and criteria for assessing and authorising restrictions to an 'open by default' approach.

Unlike DHHS and DELWP, SRO is a largely process-oriented organisation. It has historically prioritised the security of its highly sensitive data over achieving broader IM effectiveness.

After the 2009 Inquiry into Improving Access to Victorian Public Sector Information and Data, SRO resolved to examine how to align its predominantly non-disclosure environment with an 'open by default' approach to PSI. SRO's executive also recognised the opportunity to improve its information release framework.

SRO commissioned an internal review in 2012 that found that SRO did not have an overall policy or procedures on information release, or a coordinated approach to IM and information release. It found that each branch of the organisation had developed its own procedures for managing information release and there was no consistency.

This review triggered a large-scale change in SRO's approach to managing PSI and it has worked diligently since that time to implement the changes necessary to achieve a higher level of IM maturity. SRO has made positive progress and is currently implementing a number of IM initiatives designed over the past two years. It needs to continue down this path to improve information discoverability, ease of access and re-use.

3.3.4 Department of Environment, Land, Water & Planning

We rated DELWP as 'formative' with respect to IM maturity.

In terms of positive IM attributes, DELWP has:

  • committed to the development of an IM strategy and governance arrangements covering the whole department, including standards, frameworks, training and reporting requirements
  • areas of practice that manage information in a sophisticated way—for example the spatial information coordinated by DELWP's Information Services Division.

However, these positives have to be balanced against some significant weaknesses and the need to:

  • develop and implement the governance, standards, frameworks, training and reporting requirements needed to consistently and adequately manage information across the department—DELWP does not have a departmental strategy or consistent cross-departmental IM governance arrangements
  • develop and implement an agency-wide information asset register, custodianship arrangements, and metadata management program for all PSI—currently these only exists for the department's spatial data
  • develop and publish an information register to appropriately facilitate public access to its PSI and to comply with Part II of the FOI Act
  • develop and implement a program for proactive PSI release—with clear and structured processes and criteria for assessing and authorising restrictions to an 'open by default' approach.

DELWP can show that in the specific area of spatial information it has highly developed management practices. However, DELWP's whole-of-department governance structures and practices fall well short of the IM standards and principles to the point where, outside of spatial information, we cannot see how it has adequately identified and managed its significant information assets.

Like DHHS, DELWP has been impacted by machinery-of-government changes and SGI cuts since 2009. Functions and divisions were added and subtracted as it transitioned from the former Department of Sustainability and Environment to the former Department of Primary Industries to the former Department of Environment and Primary Industries and then to DELWP.

Our review of evidence showed that the department—over the course of its many past iterations—made multiple attempts to build the infrastructure critical to improving IM. This included efforts to convey the need for improvement to its senior executive, establish appropriate governance structures, develop and implement an IM strategy, and educate staff.

DELWP advised, however, that the frequently changing executive environment and a series of temporary and unfilled IM roles created an unstable operating environment that impeded progress towards a mature approach to whole-of-department IM.

The negative impacts of different whole-of-government decisions were also discussed in the 2014 Chief Information Officers' Council IM working group review of agency IM. The report noted that actions such as the SGI—including the resulting fast-tracked natural attrition—and budget reductions had resulted in a loss of IM specialist staff. It concluded that the effect of such losses was that agencies were only able to deal with urgent matters and tended to operate more reactively.

3.3.5 The impact of weak governance across government

The partial implementation of the IM framework defined under the Public Sector Information Release Framework (PSIRF) undermined government's commitments to a unified, better practice approach to managing information. The varied performance of the agencies we examined verifies this.

Without a common approach to categorising information assets, assigning metadata to them, and establishing information asset registers, agencies have had to determine for themselves how to achieve this, and in some cases, whether to even make the attempt. Specifically, there is a stark contrast between the maturity levels of:

  • DHHS—although PSIRF was never released, it elected to implement the whole-of-government IM principles and standards as if they had been mandated
  • DELWP—focused specifically on meeting the requirements of the DataVic access policy, which did not include effective IM. As a result, it lacks the systems and processes needed to achieve a true open access approach.

Without registers at the agency level, a common information classification approach and standardised metadata profiles, there is no possibility that a whole-of-government PSI directory can exist.

These weaknesses are likely to exist more broadly across the public sector, and were highlighted in the 2014 IM working group review of IM across Victoria's departments and agencies. The review pointed out that organisations have a great many different, inefficient, and manual processes, cannot manage or mine the large amounts of information that they collect, and often do not know how much of their information holdings are inaccurate or redundant.

Recommendations

  1. That agencies assess their level of information management maturity using the Public Record Office Victoria Information Management Maturity Measurement Tool, determine what improvements are needed and implement a plan to achieve these.
  2. That agencies implement better practice information management principles and standards for asset custodianship and governance.
  3. That agency information management governance bodies implement an oversight program that includes management of freedom of information and provides assurance that staff are complying with its information management policies and procedures.

Back to top

4 Governance

At a glance

Background

Government's response to the 2009 parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data recognised the need for a strong, appropriately authorised, whole-of-government governance approach if agencies were to achieve the type of transformation envisaged.

This Part examines how well whole-of-government leadership and oversight have supported improvements in providing public access to public sector information (PSI).

Conclusion

Whole-of-government leadership and oversight are inadequate for developing and implementing a framework to effectively provide public access to PSI.

Findings

  • Victoria's information environment is fragmented and confused, with a proliferation of numerous unconnected, overlapping and inconsistent plans, strategies, standards and guidelines.
  • There is an absence of a single point of accountability for the intended framework with information management oversight and leadership dispersed across multiple, uncoordinated bodies.
  • Essential elements of an effective framework, such as developing and implementing information management better practices, lack effective authorisation and oversight.
  • The framework's scope was narrowed. Only a subset of the changes needed to provide open access have been progressed and reported on.

Recommendation

That the Department of Premier & Cabinet works with agencies that have whole-of-government information management responsibilities and in consultation with the wider public sector, to develop a whole-of-government information management framework.

4.1 Introduction

Government's response to the 2009 parliamentary Inquiry into Improving Access to Victorian Public Sector Information and Data (PSI Inquiry) recognised that implementing a whole-of-government information management (IM) framework would require significant coordination. It acknowledged that substantial investment across government was required, including dedicated project funding, and the cooperation of all Victorian Government departments.

The leadership and oversight arrangements established to enact the government's commitments included a project sponsors' board of deputy secretaries from the Department of Premier & Cabinet (DPC), the Department of Treasury & Finance (DTF) and the former Department of Innovation, Industry and Regional Development. The board was supported by a dedicated project director, interdepartmental working group, and interdepartmental committee.

In 2011, the board developed the Public Sector Information Release Framework (PSIRF) to guide public sector information (PSI) management and release. PSIRF included seven principles that were supported by standards setting out the framework's minimum requirements.

PISRF was intended to be implemented initially across government departments, the Environment Protection Authority, VicRoads, Victoria Police and the State Revenue Office, and later, the wider public sector.

In early 2012, DTF assumed responsibility for delivering PSIRF to government for endorsement. In late 2012, DTF informed government that the objectives of the implementation had been narrowed to exclude improved transparency and accountability, and to focus on the release of datasets, rather than providing access to all PSI. The intended standards, necessary to achieve a consistent approach to managing information so that it can be easily released, accessed and re-used, were not included in the 'new' policy proposal, the DataVic access policy.

The remainder of this Part describes the key evidence underpinning our findings and highlights how DPC has the opportunity to put the delivery of open access to PSI back on track.

4.2 Conclusion

There is a fragmented and confused governance framework and a proliferation of numerous unconnected, overlapping and inconsistent plans. This sits in contrast to the advice from DTF and DPC soon after the government's response to the PSI Inquiry, identifying the need for strong oversight to achieve open access to PSI.

Whole-of-government leadership and oversight have been inadequate for developing and implementing a framework to effectively provide public access to PSI:

  • Information management oversight and leadership had been removed and parts of the intended framework essential for achieving open access—such as developing and implementing systematic and consistent practices for categorising, storing and managing PSI—lacked effective authorisation and oversight. There is now no single point of accountability for implementing the full range of actions needed to provide effective open access to PSI.
  • The advocacy efforts of the Chief Information Officers' Council (CIOC) to promote improved information management in a small number of agencies lacked authority and were ineffective in driving the necessary changes.

4.3 Governance weaknesses

4.3.1 Inadequate leadership and oversight

The governance structures put in place in 2010 in response to the PSI Inquiry had the potential to significantly improve public access to PSI. However, DTF advised government to narrow the scope of the implementation and excluded parts of the framework critical for achieving open access to PSI. These critical aspects were no longer mandated and the governance and leadership of IM became fractured and confused.

The rest of this Section explains how this happened together with our assessment of the quality of advice provided to government in support of these changes.

The project sponsors' board's terms of reference were consistent with government's commitment to develop and implement a holistic framework to facilitate open access to PSI and establish a comprehensive online directory so the public could search for and obtain PSI.

PSIRF broadly addressed the requirements set out in government's response to the PSI Inquiry. Importantly PSIRF recognised that agencies needed to effectively manage their PSI if they were to achieve government's goal of open access.

In early 2012, DTF assumed responsibility for PSIRF and the project sponsors' board ceased to meet shortly after this. The reasons for this are unclear and there are no records explaining these actions.

Following consultation with DPC, DTF informed government in August 2012 that the scope for PSIRF's implementation had been narrowed. This involved excluding the goals of increased transparency and accountability, and focusing on innovation, greater productivity and improved service delivery. These goals were to be pursued by releasing only datasets instead of all PSI.

While government signed off on the DataVic access policy, DTF did not adequately explain the reasons for this change or the clear risks for meeting the policy goals and the existing legislative requirements for providing open access to PSI.

The supporting documentation justifying this change was inadequate given its significance. It refers to a June 2012 discussion between DTF's Secretary and the Assistant Treasurer, noting that the scope of the policy had been narrowed considerably as a result of feedback from DPC. DTF has been unable to provide any further records on the nature of DPC's concerns or the content of the discussion that cemented this major change.

The advice to government was likewise manifestly inadequate. It contained no discussion of the likely consequences of not implementing the IM framework needed to achieve effective open access. Such an approach runs counter to the Public Administration Act 2004 principles of providing frank and impartial advice to government, objectively considering all relevant facts and fair criteria, and being honest, open and transparent in dealings.

As a result, only a small number of the government's commitments were progressed. DTF, already responsible for government's intellectual property policy, took on the responsibility for developing and implementing the DataVic access policy.

4.3.2 CIOC's efforts to improve information management

In 2011 and 2012, CIOC—convened initially under DTF, then under the former Department of State Development, Business and Innovation (DSDBI) and now under DPC—endorsed and released better practice principles and standards for IM mirroring those intended under PSIRF.

However, these lacked the authority to drive government's envisioned compliance with systematic and consistent practices for categorising, storing and managing PSI.

The absence of a coherent approach is also discussed in a 2014 review of IM that was commissioned by CIOC's Information Management Working Group. The review examined IM across departments, the Public Record Office Victoria, VicRoads, Victoria Police, the State Revenue Office and the Environment Protection Authority and found that agencies vary in maturity.

The report, Victorian Government Information Management: Stage 1 Report – Current state review and initial framework assessment, discusses how the absence of a whole-of-government IM framework means that both whole-of-government and individual agencies are unable to approach IM in a coordinated and methodical way.

The report also refers to the effect of poor coordination of IM across government on information and communications technology (ICT) projects. It notes agency concerns around ICT initiatives—particularly large-scale programs—being developed without engaging IM expertise.

The report calls for cultural change around the coordination of both whole-of-government IM and ICT initiatives. It concludes that the government needs to publish an IM strategy, provide agencies with a common IM baseline, and align IM activities across the whole Victorian Government.

4.4 Impact of governance changes

The revised approach weakened and confused oversight and governance by replacing the framework with government-endorsed policies only for intellectual property and dataset release. A set of IM principles and standards then emerged, but these that had no real authority. There was no effective accountability for implementing better practice information management.

This also meant that there was no central point of authority or accountability for IM across the public sector. Despite the clear commitment to a consistent whole‑of‑government approach to managing PSI, Victoria's current IM area is now crowded and confused.

We identified a confused governance environment, with multiple and uncoordinated IM requirements:

  • At least seven different government departments or agencies develop and oversee information management.
  • Various requirements are applied to between 18 departments and inner budget agencies, and over 200 agencies.
  • Agencies use different definitions to describe the information and systems covered.
  • There is no one strategic view of the contributions the various requirements make to government's policy objectives.

Figure 4A illustrates this dispersed and confused IM environment. A wide range of legislation, policies, strategies and guidelines affecting IM are applied to different subsets of the Victorian public sector by up to nine public sector agencies.

We found no overall framework or narrative that connected these diverse requirements into a coherent IM strategy for all public sector agencies.

Figure 4A

Victorian IM requirements mid-2015

  Application

Responsibility

Whole-of-government general legislation affecting IM

FOI Act—community rights to access PSI

Departments, agencies, councils and prescribed authorities

DPC

Public Records Act 1973, Standards and Specifications—standards for agency management of public information (in the form of records)

All Victorian public offices and state-owned enterprises

Public Record Office Victoria

Financial Management Act 1994 and Standing Directions: Information Collection and Management Direction—requires that public sector agencies ensure a prudent approach to information management

Departments, administrative offices and the Victorian Public Sector Commission

DTF

Public Administration Act 2004 and VPS Code of Conduct—public officials should demonstrate accountability by submission to appropriate scrutiny

Departments, administrative offices and the Victorian Public Sector Commission

Victorian Public Sector Commission

IM

FOI Standards, Guideline and Proactive Publication Scheme—non-mandatory requirements for providing access to public sector information

Departments, agencies, councils and prescribed authorities

DPC

Ensuring Openness and Probity in Victorian Government Contracts Policy Statement (2000)—publishing goods and services procurement contracts

Departments, Victoria Police, Chief Commissioner, VAGO, Office of Public Prosecutions, Victorian Ombudsman, Essential Services Commission, Legal Services Commissioner, Victorian Electoral Commission, Commissioner for Environmental Sustainability

Victorian Government Purchasing Board

WoVG Information Management Principles, Standards and Guidelines—describe expected behaviours and best practice information management

Departments, Victorian Police, VicRoads, State Revenue Office, Environment Protection Authority

None assigned

WoVG Discoverability Standard 2004 and AGLS Victoria Metadata Implementation Manual—to ensure agency website information is discoverable

Departments, VicRoads, Victoria Police, Environment Protection Authority and State Revenue Office, CenITex

DPC

VicGovAu Thesaurus 2005—an information classification/metadata application tool

Non-mandatory

DPC

Victorian Data Linkages Initiative—establishing map of population linkable data

N/A

Former DSDBI, Department of Health & Human Services

Information Strategy (in development)—focusing on information sharing between government agencies and services and with the public

Undefined

DPC

Data management

DataVic Access Policy 2012, Standards and Guidelines—requirements for the publication of public sector datasets

All organisations subject to the Annual Financial Report of the State of Victoria

DTF

Data Futures 2013 (status unknown)—vision for data management and use

Undefined

DPC

Intellectual property

Intellectual Property Policy 2012 and Guidelines—framework for the ownership and management of intellectual property

All public bodies

DTF

Cost Recovery Guidelines (2013)—framework for ensuring that cost recovery arrangements are transparent, efficient, effective and consistent with legislation/policy

Government departments and agencies

DTF

Information security

Victorian Cyber Security Strategy

Cabinet in Confidence

DPC

Victorian Information Management Security Policy (and framework) 2012, standards and guidelines—for the security of PSI

Departments, VicRoads, Victoria Police, Environment Protection Authority and State Revenue Office

DPC

Privacy and Data Protection Act 2014 and Framework—establishes a protective data security regime and the handling of personal information in the public sector

All of the public sector, with some exceptions

Commissioner for Privacy and Data Protection

ICT

Victorian Government ICT Governance Framework 2013—description of ICT roles and responsibilities at the whole of government and agency levels, as well as guiding principles for establishing ICT governance within agencies

All Victorian Government staff who are involved in government ICT

DPC

Data Interoperability Policy 2006—enable IT systems to exchange information

Departments and agencies

DTF

Identity and Access Management Policy 2013 and standards—for consistent identity and access management across its departments and agencies

Departments, Victoria Police, Chief Commissioner, VAGO, Office of Public Prosecutions, Victorian Ombudsman, Essential Services Commission, Legal Services Commissioner, Victorian Electoral Commission, Commissioner for Environmental Sustainability

DPC

Victorian Government Digital Strategy 2013 (status unknown)—principles and actions required to ensure that Victorian Government services and information are accessible online to all Victorian citizens, businesses and communities

Undefined

Former DSDBI

Victorian Government ICT Strategy 2012–14 (status unknown)—direction on the design and use of ICT to deliver better government services

Undefined

Former DSDBI

Sector-specific legislation

Health Records Act 2001

Councils, departments and agencies, courts, Victoria Police, hospitals and health services

Department of Health & Human Services

Source: Victorian Auditor-General's Office based on legislation, policies and plans.

4.5 Next steps

The current government's 2014 election platform demonstrates its commitment to greater transparency and public sector accountability, through the appointment of the Special Minister of State—whose role is to oversee government transparency, integrity and accountability, public sector administration and reform, and the consolidation of cross-government IM responsibilities in DPC.

DPC is now responsible for:

  • leading whole-of-government policy and responses to significant issues
  • public sector governance, accountability and reform including:
    • direct portfolio management of the Public Record Office Victoria and the state's archives
    • public administration advice and support through the Victorian Public Sector Commission
    • public sector integrity, including the oversight of Victoria's protective data security regime, freedom of information and responsibility for enhancing the government's transparency and openness and providing advice, education and guidance to public sector agencies
  • public sector ICT and digital government by supporting more effective investment, procurement and management of ICT in government, encouraging the innovative use of ICT to improve service delivery and business processes, and providing information and services to Victorian citizens and businesses through digital and other channels—functions transferred from the former DSDBI.

Helping agencies reach a level of maturity where they effectively manage their entire information holdings is fundamental to enabling open access to PSI.

Harmonising the many different sets of standards and guidelines that dictate how Victoria's PSI should be managed is a critical step in delivering an IM framework that agencies can easily follow, understand, implement, and measure and report against. PSIRF is a good starting point for developing a strategic framework to do this.

As we have found in many past audits, the release of policies, standards and guidelines without supporting legislation and appropriate centralised oversight and accountability, carries the high risk of slow and ineffective implementation. Accordingly, DPC needs to ensure that efforts to reset Victoria's IM landscape are underpinned by appropriate legislation and by defined and authorised governance arrangements.

Our review of the documents describing DPC's Public Sector Reform Agenda shows that it includes improving information management and acknowledges that 'information is at the heart of everything government's do'. The agenda describes a clear commitment to improved and centralised and coordinated PSI governance structures, and recognises that effective PSI access must be underpinned by clear governance and monitoring arrangements, coordinated whole-of-government approaches, and the support, further development, and authorisation of existing standards.

Our key recommendation is for DPC to develop a holistic and comprehensive whole-of-government approach to information management.

Recommendation

  1. That the Department of Premier & Cabinet works with agencies that have whole-of-government information management responsibilities and in consultation with the wider public sector, to develop a whole-of‑government information management framework that:
  • applies to all forms of public sector information
  • includes open access to public sector information as a default position
  • incorporates the data release requirements of the Department of Treasury & Finance's DataVic access policy
  • includes effective implementation, governance and monitoring arrangements
  • is underpinned by appropriate legislation.

Back to top

Appendix A. Agency information management maturity ratings

Formative (~) Information management is reactive.

There is an absence of an agency-wide information management strategy, senior level support and adequate governance structures. Policies and procedures are incomplete with decisions being made locally and improvements are generally driven by reactions to adverse events.

In development (✔) Information management is basic and partial.

Good governance structures, strategies, frameworks, policies and procedures are in place. However, gaps remain where the strategy and governance framework are not being effectively applied. For example, the inadequate application of the custodianship model and metadata means that any asset registers falls short of the minimum standards needed to effectively facilitate information access.

Progressing (✔✔) Information management is structurally sound but not fully applied.

A well-structured and comprehensive strategy is supported by strong governance structures coordinating activities across the agency. Active senior-level support drives improvement and maturity is regularly and thoroughly assessed. The information asset register is underpinned by robust custodianship and an appropriate metadata scheme. Education and training materials are accessible. However, these attributes are not yet fully applied to all public sector information.

Established (✔✔✔) Information management is comprehensive, integrated and proactive.

Agencies can demonstrate that they are effectively applying the better practice principles and standards in managing their entire information holdings and can provide assurance about information quality. A robust information asset register and mature governance arrangements are used as the critical mechanism to facilitate decision-making about access to information for agency staff, other public sector agencies and the wider community. The agency regularly assesses and takes appropriate action to address issues that threaten performance. Education and training is regular and well-tailored.

Back to top

Appendix B. Agency information management assessment criteria

Information is recognised as a valuable asset:

  • Information is included in and linked to organisational strategic planning.
  • The agency complies with the government's Agency Information Management Governance Standard.
  • A governance framework has been established with appropriate policies, strategies, procedures, etc.
  • The agency has a register of significant information assets based on an appropriate definition of a significant asset.

Significant information assets are managed by an accountable custodian:

  • The agency complies with the government's Information Asset Custodianship Standard.

Information meets business needs:

  • Custodians work with users to determine information needs.
  • Information use is considered as the information is being collected or developed.
  • Custodians manage, maintain and communicate information quality.
  • Quality statements are developed for significant information assets.
  • Agencies put in place processes to improve information quality where needed.
  • Agencies are working towards having a single point of truth for key information assets.
  • Agencies have identified what information is required to meet business needs.

Information is easy to discover:

  • Information is described by appropriate metadata.
  • The agency is working towards a common cross-government information directory and other mechanisms for facilitating information discovery.
  • The agency's information is publicly accessed through a single or limited number of portals.
  • Agency staff can easily find information when required to.
  • There are clear lines of authority and processes for decisions on information publication and release.

Information is easy to use:

  • Custodians work with users to determine appropriate standards.
  • Sufficient metadata is provided to users so they know how to use the information.
  • The agency is adopting and working towards using common standard across government.

Information is being shared to the maximum extent possible:

  • Information is collected, developed, stored and maintained with sharing, collaboration and interoperability in mind.
  • Information sharing is facilitated and actively promoted.
  • Where appropriate, information is released to the public.
  • Information is shared in accordance with security and statutory requirements.
  • Staff seek to re-use and build on existing information rather than re‐collecting or recreating information.
  • Agencies apply appropriate licences to information to promote re-use.
  • The agency has an adequate and accessible information asset register that:
    • is accessible to the public
    • allows the public to gain a full and accurate appreciation of its information holdings
    • is clear about the access status of information assets
    • is regularly updated and republished so the register remains current.
  • The approach for classifying public sector information in terms of its public use is:
    • based on clear, endorsed and documented criteria consistent with Victorian legislation and standards
    • applied as intended to information assets
    • publicly available—criteria are published so the public can understand the reasons for restrictions
    • regularly reviewed together with the regular review of restricted assets to determine if it is appropriate to revise their status in line with the commitment to open access to public sector information by default.
  • The agency facilitates adequate access to assets classified as open by providing:
    • information on how to access the asset and, where practical, direct access to assets—through Part II of the Freedom of Information Act 1982 and a public information asset register
    • clear directions about access and re-use conditions—through Creative Commons licensing requirements and metadata on the public information asset register
    • assets in a format that promotes re-use—machine-readable, re-usable, open format.
  • For public sector information assets that are closed, the agency—through freedom of information indexes and its information asset register:
    • adequately explains why and this explanation is published
    • identifies the source of authorisation for the closure.

Back to top

Appendix C. Audit Act 1994 section 16—submissions and comments

Introduction

In accordance with section 16(3) of the Audit Act 1994, a copy of this report, or part of this report, was provided to the Department of Premier & Cabinet, the Department of Treasury & Finance, the Department of Health & Human Services, the Department of Environment, Land, Water & Planning, the Department of Justice & Regulation, the State Revenue Office and the Public Record Office Victoria.

The submissions and comments provided are not subject to audit nor the evidentiary standards required to reach an audit conclusion. Responsibility for the accuracy, fairness and balance of those comments rests solely with the agency head.

Responses were received as follows:

RESPONSE provided by the Secretary, Department of Premier & Cabinet

Response provided by the Secretary, Department of Premier & Cabinet, pg1.

Response provided by the Secretary, Department of Premier & Cabinet, pg2.

RESPONSE provided by the Secretary, Department of Treasury & Finance

Response provided by the Secretary, Department of Treasury & Finance, pg1.

RESPONSE provided by the Secretary, Department of Health & Human Services

Response provided by the Secretary, Department of Health & Human Services, pg1.

Response provided by the Secretary, Department of Health & Human Services, pg2.

Response provided by the Secretary, Department of Health & Human Services, pg3.

RESPONSE provided by the Secretary, Department of Environment, Land, Water & Planning

Response provided by the Secretary, Department of Environment, Land, Water & Planning, pg1.

RESPONSE provided by the Secretary, Department of Justice & Regulation

Response provided by the Secretary, Department of Justice & Regulation, pg1.

Response provided by the Secretary, Department of Justice & Regulation, pg2.

Response provided by the Secretary, Department of Justice & Regulation, pg3.

RESPONSE provided by the Commissioner of State Revenue, State Revenue Office

Response provided by the Commissioner of State Revenue, State Revenue Office, pg1.

Response provided by the Commissioner of State Revenue, State Revenue Office, pg2.

RESPONSE provided by the Director and Keeper of Public Records, Public Record Office Victoria

Response provided by theDirector and Keeper of Public Records, Public Record Office Victoria , pg1.

Back to top