Information Commissioner welcomes Victorian Ombudsman’s investigation into youth worker’s unauthorised access to private information about children
Investigation shows data breach notification laws needed in Victoria
Today the Victorian Ombudsman published a report of an investigation into a former youth worker’s unauthorised access to sensitive information about vulnerable children.
The Ombudsman’s investigation follows an earlier investigation completed by my office in March 2021 that examined aspects arising from the same incident. OVIC’s investigation resulted in a compliance notice requiring the Department of Families, Fairness and Housing to make substantial improvements to how it protects personal information.
I welcome the Ombudsman’s investigation, which examined a wider range of issues, including the adequacy of recruitment processes and working with children checks.
The department told me during my investigation that it was voluntarily notifying all the children whose information was accessed. The Ombudsman found that this did not occur. While I am disappointed the department provided incorrect information to me, I note the Ombudsman’s finding that this was not intentional.
The department’s failure to notify all the children whose information was involved highlights the need for data breach notification laws in Victoria, which would require government agencies to tell individuals whose personal information is subject to a data breach that this has occurred.
Currently, agencies must notify OVIC of certain data breaches under the Victorian Protective Data Security Standards (VPDSS). OVIC also encourages organisations to voluntarily notify individuals that have been impacted by privacy breaches.
However, a mandatory data breach notification scheme like that which applies to companies and the Australian Government does not apply to Victorian government agencies. This means Victorian agencies are not legally obliged to notify individuals when their information has been compromised in a data breach.
Laws that require notification would provide greater certainty to agencies about what they need to do when a data breach occurs and give confidence to members of the community that they will be informed if their information has been compromised. It would also allow individuals to take steps to protect themselves if their personal information has been impacted by a data breach.
I welcome the Victorian Ombudsman’s investigation and subsequent report.
For more information, refer to:
- Victorian Ombudsman investigation report – Investigation into a former youth worker’s unauthorised access to private information about children
- OVIC investigation report – Unauthorised access to client information held in the CRISSP database
For media enquiries contact