Information Commissioner publishes report on investigation into a data breach involving Department of Health and Human Services
Victorian public sector organisations must take steps to ensure the personal information they hold is protected from unauthorised access. This includes when information is being handled by contracted service providers on their behalf.
Information Commissioner Sven Bluemmel has published a report on an investigation into a data breach involving the former Department of Health and Human Services (DHHS), now known as the Department of Fairness, Families and Housing (DFFH).
The investigation found that DHHS failed to take reasonable steps to protect personal information held by a contracted service provider (CSP) it had engaged to deliver services, as required by Information Privacy Principle (IPP) 4.1.
In 2018, OVIC was notified by DHHS of a data breach involving a former employee of a CSP it had engaged to deliver services. The former employee had accessed information about clients without authorisation after having left employment at the CSP. The information accessed during the data breach included personal information and some sensitive information.
On 25 February 2019, the Privacy and Data Protection Deputy Commissioner commenced an investigation under section 8C(2)(e) of the Privacy and Data Protection Act 2014 (PDP Act) to examine whether DHHS or the CSP had breached the PDP Act.
The investigation considered whether the CSP and DHHS took reasonable steps to protect personal information held in their information systems as required by IPP 4.1.
On 14 May 2020, the Privacy and Data Protection Deputy Commissioner concluded the investigation.
The investigation found that the data breach had two main causes. The first cause was a failure by a supervisor to initiate the process to terminate access to the information system when the former employee no longer needed access to the system. The second cause was the absence of any effective secondary procedure or system for when the primary mechanism for terminating a user’s access to the information system failed.
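The two causes above describe a single-point-of-failure off-boarding design: if the supervisor's deprovisioning request is never raised, nothing else notices. The following is an added illustration, not code from the report or from either agency's systems, of the kind of secondary control the finding calls for: a scheduled reconciliation of active accounts against HR separation records, plus a check of access logs for any use of an account after its owner's last day. All employee IDs, account names, record IDs and log lines are constructed sample data.

```python
"""Secondary off-boarding control: reconcile accounts against HR separations.

Added example (hypothetical data, not from the OVIC report). Two checks:
  1. stale_accounts: accounts still active after the owner's separation date
     (catches a primary deprovisioning request that was never raised).
  2. post_separation_access: access events by such accounts after the last day
     (turns the reconciliation into a detection, not just a cleanup).
"""
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data: HR system's record of last day of employment.
HR_SEPARATIONS = {
    "E1001": date(2024, 3, 15),
    "E1002": date(2024, 4, 2),
}
# Constructed sample data: (account, employee id, status) from the client system.
SYSTEM_ACCOUNTS = [
    ("jdoe", "E1001", "active"),     # left 15 Mar, account never disabled
    ("asmith", "E1002", "disabled"), # correctly off-boarded
    ("bwong", "E1003", "active"),    # still employed, no separation record
]
# Constructed sample access log lines: "<ISO timestamp> key=value ...".
ACCESS_LOG = [
    "2024-03-20T09:12:01 user=jdoe action=view record=C-5521",
    "2024-03-14T16:40:33 user=jdoe action=view record=C-5521",
    "2024-03-21T11:05:10 user=bwong action=view record=C-7710",
]


@dataclass(frozen=True)
class StaleAccount:
    account: str
    employee: str
    separated: date
    days_open: int


@dataclass(frozen=True)
class SuspectAccess:
    when: datetime
    account: str
    record: str


def stale_accounts(accounts, separations, today, grace_days=0):
    """Active accounts whose owner separated more than grace_days ago."""
    findings = []
    for account, employee, status in accounts:
        last_day = separations.get(employee)
        if last_day is None or status != "active":
            continue
        days_open = (today - last_day).days
        if days_open > grace_days:
            findings.append(StaleAccount(account, employee, last_day, days_open))
    return findings


_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_log_line(line):
    """Return (timestamp, fields) for a well-formed line, else None."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = dict(t.split("=", 1) for t in m.group("kv").split() if "=" in t)
    return ts, fields


def post_separation_access(log_lines, accounts, separations):
    """Access events made by an account after its owner's last day."""
    owner = {acct: emp for acct, emp, _ in accounts}
    hits = []
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the check
        ts, fields = parsed
        user = fields.get("user")
        last_day = separations.get(owner.get(user))
        if last_day is not None and ts.date() > last_day:
            hits.append(SuspectAccess(ts, user, fields.get("record", "")))
    return hits


def daily_check(today_iso):
    """Run both checks for a given date; returns the findings for review."""
    today = date.fromisoformat(today_iso)
    return {
        "stale": stale_accounts(SYSTEM_ACCOUNTS, HR_SEPARATIONS, today),
        "alerts": post_separation_access(ACCESS_LOG, SYSTEM_ACCOUNTS, HR_SEPARATIONS),
    }


if __name__ == "__main__":
    result = daily_check("2024-04-10")
    for f in result["stale"]:
        print(f"disable {f.account}: owner {f.employee} left {f.separated}, open {f.days_open} days")
    for h in result["alerts"]:
        print(f"ALERT {h.when.isoformat()} {h.account} viewed {h.record} after separation")
```

The reconciliation relies on the HR system as the authoritative source, so it works even when nobody at the CSP raised a request; running it daily, with a short grace period, bounds how long a missed deprovisioning can persist. The log check is independent of the reconciliation and would have produced an alert on the first post-separation access, which is the event the investigation describes.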
The Deputy Commissioner found that both DHHS and the CSP had contravened the PDP Act. The Deputy Commissioner made recommendations to both agencies and imposed a compliance notice on DHHS.
OVIC recognises and thanks DHHS and the CSP for their cooperation and willingness to respond constructively throughout this investigation. The CSP acted promptly in response to this investigation and has already implemented the recommendations in this report, including new processes and training on off-boarding staff. OVIC recognises that DHHS is implementing the recommendations from the report, in accordance with the schedule of the compliance notice.
OVIC has published the investigation report to highlight the need for systems and controls to protect against unauthorised access to personal information, and to provide guidance to organisations about securing information when delivering services through contracted service providers.
The investigation also contains lessons for Victorian public sector organisations on managing personnel security risks by maintaining robust off-boarding processes.
Government can outsource the delivery of services, but not its responsibility to protect the information it holds.
Questions and answers
What kind of information was accessed in this data breach?
The information accessed during the data breach included personal information and some sensitive information, as detailed in the report. The PDP Act defines personal information as:
information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
The PDP Act also defines sensitive information. Sensitive information is a subset of personal information that is afforded additional protections by the IPPs and includes, for example, information about sexual preferences or practices, and criminal record information.
What is a compliance notice?
For a compliance notice to be issued, the Deputy Commissioner must be satisfied that a serious, repeated, or flagrant contravention of the IPPs has occurred. A compliance notice requires an organisation to take specified action within a specified period for the purpose of ensuring compliance with the IPPs. If an organisation does not comply with a compliance notice, OVIC can prosecute and seek penalties.
What can I do if I am worried that my personal information was impacted in this data breach?
DHHS has checked system logs to confirm whose information was accessed and has contacted all individuals whose information was accessed as part of the data breach. If an individual has not been told by DHHS already that they were affected by the breach, then their personal information was not accessed.
If you are concerned that your personal information may have been compromised, contact the Department of Families, Fairness and Health in the first instance.
OVIC has published guidance for members of the public on what to do if you have been impacted by a data breach.
What can I do if I am worried about my personal information held by government agencies?
In Victoria, you have privacy rights under the PDP Act. The PDP Act contains 10 Information Privacy Principles that outline how Victorian public sector organisations must handle your personal information. Read more about your privacy rights in Victoria.
If you have concerns about the way your personal information has been handled by a specific Victorian government agency, we encourage you to contact that agency in the first instance. If this does not resolve the issue, you can make a privacy complaint to OVIC by post or emailing us at email@example.com.
What services can I access if this incident has caused me distress?
1800 RESPECT: 1800 737 732 or 1800respect.org.au
Lifeline: 13 11 14 or lifeline.org.au
For media enquiries contact:
t: (03) 8684 7585
For enquiries about privacy in Victoria contact:
Office of the Victorian Information Commissioner (OVIC)
t: 1300 006 842