OVIC publishes audit report on managing personnel security risks during pre-engagement screening for VPS employees
The Victorian Public Sector (VPS) employs thousands of personnel who work across multiple organisations, carrying out a large number of functions. These personnel hold positions of trust as custodians of vast volumes of public sector information, much of which includes high-value information assets.
It is important that these personnel are eligible and suitable to have access to government assets. In instances where unsuitable or ineligible personnel have access to public sector information, there are significant risks to the VPS, including possible fraud and corruption.
Under Standard 10 of the Victorian Protective Data Security Standards (VPDSS), public sector organisations must establish, implement, and maintain personnel security controls addressing all persons’ continuing eligibility and suitability to access public sector information.
During 2023/2024, OVIC conducted an audit of four organisations’ implementation of Standard 10, focusing on the pre-engagement phase of the personnel lifecycle. This phase covers the time between completion of a merit selection process and a new employee commencing at the organisation.
During the audit, OVIC sought to determine whether the four organisations have in place appropriate policies, practices and procedures addressing the pre-engagement phase of personnel security. This includes verifying a person’s identity, and undertaking appropriate screening measures to assess suitability and eligibility of prospective staff.
OVIC today releases its report with its observations, findings, and recommendations from the audit. The report reflects that none of the organisations fully met the criteria for any of the four questions tested in the audit. However, they were all rated as either ‘partially meets’ or ‘substantially meets’ across each of the audit questions – meaning that all audited organisations have the foundations necessary to ensure effective pre-engagement screening.
The report also finds that there is considerable scope for the audited organisations to improve their practices across all tested criteria.
All Victorian government organisations are encouraged to consider the report, reflect on their current approach to personnel screening, and consider scope for better practice improvements.
Key issues from the report that may be relevant to all organisations are:
- Organisations must understand the risk profile across their workforce to inform their approach to pre-engagement screening.
- Pre-engagement screening should not follow a one-size-fits-all approach; controls should be tailored to the risks associated with different roles and organisational contexts.
- It is important that policies and procedures are comprehensive, clear, and user-friendly to ensure the appropriate screening checks are carried out at the appropriate time, and in a consistent and thorough manner.
- When using third-party service providers to conduct pre-engagement screening, organisations must be clear about their requirements and obtain ongoing assurance that these are being met.
For guidance on personnel security during the pre-engagement phase
Audit of Standard 10 of the Victorian Protective Data Security Standards
Victorian Protective Data Security Standards
For media enquiries contact: media@ovic.vic.gov.au