Site navigation
 
Department of Transport and Main Roads

Robust management standards

Information management

Information underpins the Department of Transport and Main Roads' (TMR) service delivery, supports informed decision making, and provides evidence and transparency for customers. Good information management is also fundamental to TMR fulfilling its compliance obligations, such as under the Public Records Act 2023.

Through the Information Management Program, TMR continues to make significant strides on its five-year Information Management Strategy (2021–26), with strong foundations for its next chapter now established.

In 2024–25 TMR has:

  • implemented best practice information governance frameworks to support a resilient, whole-of-agency information ecosystem
  • completed process mapping in readiness to uplift and innovate information management business practices
  • developed targeted education campaigns to improve information management literacy and culture across the agency ahead of upcoming technologies
  • migrated TMR's intranet content, forms, and workflows from TMR's legacy on-premise intranet to SharePoint Online, enabling faster, accessible, and easily discoverable trusted information in one authoritative source.

Building on these cornerstones, TMR continues towards the adoption of a new fit-for-purpose enterprise content management solution for information and correspondence.

Milestones achieved included:

  • considerable data cleansing and disposal activities in readiness for data migration
  • selection of a solution and prime supplier
  • progression towards a final business case for internal and external government approval.

Information privacy

Queensland's information privacy laws establish a compliance framework for the lawful management and handling of personal information. The Information Privacy Act 2009 governs the collection, storage, use, and disclosure of personal information by all Queensland Government agencies and their contracted service providers. TMR is dedicated to safeguarding the personal information it collects and manages, in line with its responsibilities under the Act.

Throughout 2024–25, TMR prepared new privacy guidelines and policies, and a training course in readiness for legislative changes to the Act, which will commence from 1 July 2025. The newly developed privacy resources will ensure that TMR is able to incorporate its new responsibilities efficiently, which will assist in maintaining close adherence to compliance obligations in the effective management of personal information.

TMR provides employees with awareness on information privacy through face-to-face training, in addition to a mandatory online course undertaken at induction and then on an annual basis. TMR's privacy culture is further supported through regular internal communications, including animated case studies, Viva Engage publications, and screensavers. These regular communications provide employees with comprehensive awareness of how the Queensland privacy principles apply to an employee's day-to-day responsibilities.

Information relating to privacy on TMR's website explains how TMR meets its obligations under the Act to members of the public. This information demonstrates TMR's commitment to respecting the privacy rights of employees and members of the public.

TMR continues to adopt emerging technologies to perform its functions, shape policies, and deliver services. To comply with the Information Privacy Act and Queensland Privacy Principles, TMR proactively conducts Privacy Impact Assessments, ensuring privacy protections are integrated into the planning and execution of projects and programs that handle personal information.

During the 2024–25 period, TMR was notified of 43 confirmed instances where information privacy had been compromised. These breaches involved 7 instances of unauthorised use of information, 32 instances of improper disclosure of information, and 4 instances of lapses in data security. The prevalent cause of these breaches stemmed from misdirected emails, attributed to a failure to verify recipient details and the accuracy of information prior to distribution.

As TMR's dedicated Privacy Champion, the Director-General offers ongoing support for privacy awareness campaigns and resources prepared for TMR staff. Continued support from the Director-General aids in fostering a culture that respects and safeguards the personal information of both staff and customers.

For more information: https://www.tmr.qld.gov.au/Help/Privacy

Information Security Management System

Given TMR's reliance on digital technologies for transport services across Queensland, maintaining an effective Information Security Management System (ISMS) is crucial to address and manage the escalating cyber threat landscape. TMR's effective ISMS ensures TMR governs, controls, and protects its information and systems maintaining confidentiality, integrity, and availability.

TMR adheres to the Queensland Government Information Security Policy (IS18), ensuring a consistent, risk-based approach to managing and safeguarding information and critical assets. A key requirement of IS18 is undergoing external and independent annual assurance. The latest ISMS Annual Assurance Report highlighted TMR's continuous improvement and significant investment in compulsory annual security awareness training for all staff, consistently achieving exceptional completion rates of over 90 per cent across the organisation.

The report commended TMR's proactive approach to addressing the evolving cyber threat landscape, exemplified by the successful execution of the Cyber Security Accelerated Hardening Project, which enhanced key security controls. It noted TMR fosters a culture of continuous improvement in their ISMS, which strengthens security posture against sophisticated threats.

TMR is dedicated to advancing its ISMS maturity through robust governance and a cyber-aware workforce, alongside deploying enhanced tools and resources to respond to security incidents. Continued security enhancements and maturity are critical to the successful implementation of the TMR Cyber Security Strategy 2023–26, utilising contemporary technologies, including Artificial Intelligence, to detect and respond to security threats efficiently.

During the mandatory annual Information Security reporting process, the Director-General attested to the appropriateness of the information security risk management within TMR to the Queensland Government Chief Information Security Officer, noting that appropriate assurance activities have been undertaken to inform this opinion and TMR's information security risk position.

Last updated
29 September 2025