Victoria's Independent Broad-based Anti-corruption Commission (IBAC) special report on Operation Turton, identified 'a problematic workplace culture at the then Metropolitan Fire Brigade (MFB) that led to repeated instances where employees misused sensitive information to advance personal and industrial interests'.
IBAC states
Operation Turton investigated allegations of unauthorised access and disclosure of information by employees of the MFB. The investigation was prompted by allegations that an MFB network administrator had accessed the email accounts of MFB executives without authorisation. The investigation commenced in January 2019 and concluded in June 2021. The fire services are an essential part of Victoria’s emergency response and management sector and, with its firefighters, perform a crucial role in keeping the community safe. To do this, these agencies must operate efficiently, effectively, and free from undue influence. Over the past two decades, issues within Victorian fire services have been documented in several reports, inquiries, and investigations. These issues have included instances of misconduct as well as more systemic cultural and workplace issues identified across the former Metropolitan Fire Brigade (MFB), the Country Fire Authority (CFA), their boards of management and the respective workforces.
In June 2018, MFB notified the Independent Broad-based Anti-corruption Commission (IBAC) of allegations that an MFB Network Administrator, Stephan Trakas, had accessed the email accounts of MFB executives without authority. IBAC conducted preliminary inquiries and in January 2019, determined to progress this matter to an investigation, Operation Turton, under section 60(1)(b) of the Independent Broad-based Anti-corruption Commission Act 2011 (Vic) (IBAC Act).
IBAC concluded Operation Turton in June 2021. Operation Turton investigated allegations of unauthorised access and disclosure of information by some employees of the then MFB. IBAC found deficiencies in information and data security practices and processes and instances of individual employees who were motivated by personal and industrial interests.
IBAC identified five separate incidents where MFB information was accessed or disclosed without authorisation, with three incidents involving MFB employees from the Information and Communications Services business area (ICS). The impact of the conduct varied but included breaches of privacy, risks to the integrity of investigations and impeding the efficient operation of MFB.
It appears these incidents were largely driven by a desire to further the interests of the Victorian Branch of the United Firefighters Union (UFU) or its Secretary, Peter Marshall. It was clear these incidents were facilitated by a workplace culture where employees did not trust management and did not believe them to be acting in the best interests of the organisation or its employees.
In relation to these specific incidents, IBAC heard evidence that some employees were sharing MFB information directly with the Union without authority or the awareness of MFB management. One factor in the unauthorised disclosures to the Union was some employees’ belief that eventually the Union would be able to access this information through legitimate means.
Employees have the right to be unionised and have access to union representation, and unions have rights to lawfully enter workplaces and to organise and represent employees.4However, IBAC found that a particular clause in the industrial agreement between MFB and the UFU, often referred to as ‘consult and agree’, gave the UFU a significant level of influence over the operations of MFB. The clause impaired MFB’s governance and ability to operate effectively and efficiently, giving rise to a misconduct and corruption vulnerability within the organisation.
The incidents of unauthorised information disclosure and the broader industrial environment suggest a culture where MFB could not operate effectively and independently of the Union. ...
Operation Turton highlights how a problematic culture within MFB, information security vulnerabilities and an industrial environment that impaired MFB’s ability to address these issues contributed to an environment where information misuse appeared commonplace.
Over the years IBAC has routinely highlighted corruption risks associated with unauthorised information access and disclosure.
Operation Turton highlights how misuse of information can enable further misconduct and can be used to advance personal and industrial interests. The investigation emphasises the importance of a positive information security culture, where governance, information security, personnel security, information communications technology security and physical security are appropriately designed to protect against information misuse. On 1 July 2020, MFB employees and approximately 1400 career firefighters from the CFA were merged into a new agency, Fire Rescue Victoria (FRV). In addition to its employees, MFB’s systems, policies and procedures were transitioned into FRV, creating a risk that the deficiencies identified by IBAC through Operation Turton would continue.
While FRV provided an opportunity for a fresh start, it employs the same workforce as MFB, albeit with an altered executive and oversight structure. Therefore, the risks identified in Operation Turton continue. Accordingly, IBAC is making recommendations (detailed in section 6.2) to FRV to address long-standing and systemic corruption risks to improve workplace culture and information security. It is hoped the management of FRV will continue to work with its workforce to strengthen its ICT systems and processes and to address the structural and cultural issues identified in Operation Turton. ...
Section 159 recommendations IBAC makes the following recommendations (pursuant to section 159(1) of the IBAC Act):
Recommendation 1
Fire Rescue Victoria develops clear policies and procedures regarding the matters that may be the subject of consultation with employees and their representatives at the Consultation Committee, and in what circumstances Fire Rescue Victoria information may be disclosed to employees and their representatives to inform that consultation.
Recommendation 2
Fire Rescue Victoria addresses the information and communication technology security vulnerabilities and risks identified in Operation Turton by: (a) actioning the consolidated findings of the audit and reviews conducted in this area since 2018 (b) engaging an appropriately qualified independent person to review information security infrastructure, policy and procedures to identify any remaining deficiencies against the Victorian Protective Data Security Standards and Framework or any other issues (c) consulting with the Office of the Victorian Information Commissioner on the adequacy of its information security in line with the Privacy and Data Protection Act 2014 (Vic), including how it is addressing any shortfalls identified in the review recommended above. To support and inform this consultation, FRV must provide the Office of the Victorian Information Commissioner with the full final report of the independent person referred to in Recommendation 2(b).
Recommendation 3
Fire Rescue Victoria reviews and strengthens its policies and procedures for employees on how to appropriately share information with their unions in line with the enterprise bargaining agreements, the Privacy and Data Protection Act 2014 (Vic) and the Victorian public sector Code of Conduct. Alongside these policies being appropriately enforced, they should also clearly state that non- compliance could lead to disciplinary action being taken, termination of employment or constitute a criminal offence.
Recommendation 4
Fire Rescue Victoria conducts a review of its internal complaint processes, including an anonymous survey of employees on these processes and employees’ willingness to report improper conduct, and implements any recommendations arising from that review to ensure: (a) Fire Rescue Victoria employees understand the importance of reporting suspected corrupt or improper conduct and how they can report such matters (b) Fire Rescue Victoria employees understand how they will be supported and protected if they make a report.
IBAC requests that Fire Rescue Victoria provide a progress report on the action taken in response to Recommendations 1 to 4 in six months and a full report on its outcomes within 12 months. (b) engaging an appropriately qualified independent person to review information security infrastructure, policy and procedures to identify any remaining deficiencies against the Victorian Protective Data Security Standards and Framework or any other issues (c) consulting with the Office of the Victorian Information Commissioner on the adequacy of its information security in line with the Privacy and Data Protection Act 2014 (Vic), including how it is addressing any shortfalls identified in the review recommended above. To support and inform this consultation, FRV must provide the Office of the Victorian Information Commissioner with the full final report of the independent person referred to in Recommendation 2(b). .