Watchdog calls for mandatory data breach notification laws in Victoria
Watchdog calls for mandatory data breach notification laws in Victoria
Joseph Brookes
Senior Reporter
15 September 2022
Share
Victoria’s privacy watchdog has called for data breach notification laws in the state after a government department failed to tell people their data had been exposed in a serious breach by a man convicted of sexually assaulting a child.
The former case worker, Alexander Jones, is currently serving a six-year prison sentence for sexually assaulting a 13-year-old boy, whose information he attempted to access through the government database.
He had unauthorised access to the system because it was not revoked by the government department when he left one of its service providers in 2017, despite serious concerns about his behaviour at the time.
When the data breach was investigated by the Office of the Victorian Information Commissioner (OVIC) in 2020, the department said it was voluntarily notifying the children whose data had been accessed by Jones.
This did not occur, according to a subsequent, wider investigation of the incident by the state’s Ombudsman released this week, prompting the call for a mandatory data breach notification scheme.
Spring Street
Parliament of Victoria, Spring Street
OVIC’s data breach inquiry revealed Jones had unauthorised access to the personal information of dozens of vulnerable people for more than a year through the state’s Client Relationship Information System for Service Providers or CRISSP system.
Published last year, the watchdog’s investigation was highly critical of Victoria’s Department of Health and Human Services, which contracted the service provider that employed Jones.
The Commissioner issued a compliance notice for the department to improve how it protects personal information and received assurances that it was voluntarily notifying all the children whose information was accessed.
A second investigation by Victorian Ombudsman published its findings on Wednesday, confirming this notification did not happen
It found the department had “provided inaccurate and ultimately misleading information to Victoria’s Information Commissioner”. All affected individuals were eventually notified but only after the oversight had been identified, a process that took years.
“While I am disappointed the department provided incorrect information to me, I note the Ombudsman’s finding that this was not intentional,” Victoria’s Information Commissioner Sven Bluemmel said in a statement.
“The department’s failure to notify all the children whose information was involved highlights the need for data breach notification laws in Victoria, which would require government agencies to tell individuals whose personal information is subject to a data breach that this has occurred.”
Victorian agencies are not subject to the notifiable data breach scheme that applies to federal agencies and is being progressed in New South Wales and Queensland.
“This means Victorian agencies are not legally obliged to notify individuals when their information has been compromised in a data breach,” Mr Bluemmel said.
“Laws that require notification would provide greater certainty to agencies about what they need to do when a data breach occurs and give confidence to members of the community that they will be informed if their information has been compromised. It would also allow individuals to take steps to protect themselves if their personal information has been impacted by a data breach.”
The Victorian Ombudsman’s investigation also found the department had managed some aspects of the data breach poorly. The breach was “facilitated by inadequate privacy measures” of the department which also failed to regularly audit access to the information system, despite multiple warnings about the need to improve privacy.
The poor handling of the breach included notifying the mother of Jones’ victim, referred to in the inquiries as ‘Zack’. She was told by the department Jones had accessed information about the child and his family.
While Jones had attempted to access information about Zack, he was unsuccessful, according to data logs examined in the investigations.
“The impact on the family was huge,” the Ombudsman, Deborah Glass said.
“Zack’s mother was not only dealing with the aftermath of a sexual assault on her child but was also concerned about Jones’s access to Zack’s information. She was given inaccurate and contradictory information about Jones’s access to her son’s information, which resulted in significant safety concerns and upheaval for her family.”
Joseph Brookes
Senior Reporter
15 September 2022
Share
Victoria’s privacy watchdog has called for data breach notification laws in the state after a government department failed to tell people their data had been exposed in a serious breach by a man convicted of sexually assaulting a child.
The former case worker, Alexander Jones, is currently serving a six-year prison sentence for sexually assaulting a 13-year-old boy, whose information he attempted to access through the government database.
He had unauthorised access to the system because it was not revoked by the government department when he left one of its service providers in 2017, despite serious concerns about his behaviour at the time.
When the data breach was investigated by the Office of the Victorian Information Commissioner (OVIC) in 2020, the department said it was voluntarily notifying the children whose data had been accessed by Jones.
This did not occur, according to a subsequent, wider investigation of the incident by the state’s Ombudsman released this week, prompting the call for a mandatory data breach notification scheme.
Spring Street
Parliament of Victoria, Spring Street
OVIC’s data breach inquiry revealed Jones had unauthorised access to the personal information of dozens of vulnerable people for more than a year through the state’s Client Relationship Information System for Service Providers or CRISSP system.
Published last year, the watchdog’s investigation was highly critical of Victoria’s Department of Health and Human Services, which contracted the service provider that employed Jones.
The Commissioner issued a compliance notice for the department to improve how it protects personal information and received assurances that it was voluntarily notifying all the children whose information was accessed.
A second investigation by Victorian Ombudsman published its findings on Wednesday, confirming this notification did not happen
It found the department had “provided inaccurate and ultimately misleading information to Victoria’s Information Commissioner”. All affected individuals were eventually notified but only after the oversight had been identified, a process that took years.
“While I am disappointed the department provided incorrect information to me, I note the Ombudsman’s finding that this was not intentional,” Victoria’s Information Commissioner Sven Bluemmel said in a statement.
“The department’s failure to notify all the children whose information was involved highlights the need for data breach notification laws in Victoria, which would require government agencies to tell individuals whose personal information is subject to a data breach that this has occurred.”
Victorian agencies are not subject to the notifiable data breach scheme that applies to federal agencies and is being progressed in New South Wales and Queensland.
“This means Victorian agencies are not legally obliged to notify individuals when their information has been compromised in a data breach,” Mr Bluemmel said.
“Laws that require notification would provide greater certainty to agencies about what they need to do when a data breach occurs and give confidence to members of the community that they will be informed if their information has been compromised. It would also allow individuals to take steps to protect themselves if their personal information has been impacted by a data breach.”
The Victorian Ombudsman’s investigation also found the department had managed some aspects of the data breach poorly. The breach was “facilitated by inadequate privacy measures” of the department which also failed to regularly audit access to the information system, despite multiple warnings about the need to improve privacy.
The poor handling of the breach included notifying the mother of Jones’ victim, referred to in the inquiries as ‘Zack’. She was told by the department Jones had accessed information about the child and his family.
While Jones had attempted to access information about Zack, he was unsuccessful, according to data logs examined in the investigations.
“The impact on the family was huge,” the Ombudsman, Deborah Glass said.
“Zack’s mother was not only dealing with the aftermath of a sexual assault on her child but was also concerned about Jones’s access to Zack’s information. She was given inaccurate and contradictory information about Jones’s access to her son’s information, which resulted in significant safety concerns and upheaval for her family.”