Information Commissioner finds department responsible for failing to protect citizens’ data during COVID-19 pandemic
Investigation recommends VPS agencies review emergency management procedures to enhance personal privacy protection measures
Today, the Victorian Information Commissioner published an investigation report into the misuse of personal information by third-party call centre staff contracted to carry out work for the Department of Health (the Department) in responding to the COVID-19 pandemic.
The investigation found the Department contravened the Privacy and Data Protection Act 2014 (Vic) by failing to take reasonable steps to protect against the misuse of citizens’ personal information as required by Information Privacy Principle (IPP) 4.1.
While acknowledging the unprecedented circumstances due to the COVID-19 public health response – including responding to changing health directions and massive demands on its call centre operations – Information Commissioner Sven Bluemmel found the Department failed to ensure there was adequate pre-employment screening of third-party contractors.
In one instance of misuse of personal information, a call centre staff member – who had a criminal history and was on bail at the time – used a Department system to access the personal information of a young woman isolating at home. He impersonated a COVID-19 Authorised Official to gain unlawful entry into the woman’s home and attempted to pressure her into performing sexual acts.
The report found that the Department did not have adequate pre-employment screening processes of its own. It also found that its contract with the external staffing provider was unclear about responsibility for other staff screening processes and performing police checks, and failed to specify measures to review whether the contractual obligations were being met. This led to the Department not submitting any police check applications for processing for a period of eight months.
“I understand the unique pressures that the Department was under in managing the sudden increase in demand for its services and acknowledge that aspects of the situation it encountered were unprecedented,” said Mr Bluemmel.
“But it remains the case that government agencies are rightly held to a high standard, and the failure to protect personal information resulted in serious and life-altering crimes being committed against a young woman.”
The investigation made four recommendations about preparedness for future emergency situations requiring contractual arrangements with third parties and surge workforces that handle personal information.
The Department responded to the Commissioner’s findings, accepting that it contravened IPP 4.1 and that the contraventions were serious. It expressed deep regret about the misuse of personal information and acknowledged the profound impact of this. Importantly, the Department welcomed OVIC’s recommendations and will provide an update on its progress on implementing them by March 2024.
Commissioner Bluemmel welcomed the Department’s constructive response to the investigation and stressed that the lessons from this case should be considered by all public sector organisations.
“We know that there will be future health and other emergencies requiring rapid responses that place government agencies under pressure,” said Mr Bluemmel.
“What we can learn from the events of this case is that it is extremely difficult to make large-scale adjustments to an emergency public health response when you are in the middle of it. Agencies must consider risks and be prepared.”
“That is why the Department and indeed all government agencies should think now about emergency management planning that considers privacy implications and contract arrangements at the design stage.”
For media enquiries contact:
t: 0466 097 816
For enquiries about privacy data breaches and contracting third-party agencies in Victoria contact:
Office of the Victorian Information Commissioner (OVIC)
t: 1300 006 842