The Office of the Victorian Information Commissioner (OVIC) recently found the Victorian Department of Health (Department) failed to take reasonable steps to secure personal information in its call centres during the pandemic, and identified a lack of personnel screening processes as a key factor.
In the case, a contractor was able to access personal information and then harassed and engaged in an offence against the individual whose personal information had been accessed.
OVIC found that the Department allowed contractors to commence work before checks were complete, and this was a factor in the breach. This happened at the height of COVID, when there was immense pressure to staff the call centre without delay.
Many not-for-profit organisations which receive Victorian government funding or provide health, care or education services are contracted service providers (CSPs), and are therefore bound by the Privacy and Data Protection Act 2014 (Vic) (PDP Act) by virtue of funding agreements.
The takeaway: Check your funding agreement to see if your organisation must comply with the PDP Act. If it must, your first step should be to refer to OVIC’s website.
OVIC found that the Department did not ensure there was sufficient pre-employment screening of external staff (i.e., contractors) to determine their suitability to handle personal information that had been entrusted to the Department by the public.[1] This was a breach of IPP 4.1, which states:
IPP 4.1: An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.[2]
For organisations bound instead by the Privacy Act 1988 (Cth), APP 11.1 is extremely similar, and OVIC’s findings regarding IPP 4.1 support interpretation of obligations under the Australian Privacy Principles (APPs):
APP 11.1: An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.[3]
The takeaway: Information security is not just about software protections, phishing training and securing your cloud storage systems. Think bigger. Personnel screening is also relevant to information security.
Key lessons
We recommend you consider:
- Are your volunteers and contractors suitable to access your databases?
- Do your personnel know how they are expected to handle personal information?
- What if a data breach were to impact one of the contractors you work with? For example, a camp provider or a software provider?
- What protections or security measures do you have in place regarding your work with other organisations that involve sharing information about your clients, stakeholders, staff and/or students?
This investigation highlights the risks associated with allowing third-party contractors to access information and systems: contractors engaged by the Department of Health failed to take reasonable steps to perform security checks, and a subcontractor misused personal information.
How we can help
We can help you identify the right questions to ask about your information handling operations and processes. We can also help you answer them and manage the change process to align your organisation’s operations with your risk appetite. It is commonly said in the cyber security industry that “It’s not a matter of if you are faced with a breach, but when.” Moores can help you prepare.
Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to your organisation.
[1] Office of the Victorian Information Commissioner, Misuse of Department of Health information by third party employees during pandemic response (July 2023) page 5 https://ovic.vic.gov.au/wp-content/uploads/2023/07/DOH-INV-20230628-Report-v1-1.pdf.
[2] Privacy and Data Protection Act 2014 (Vic) Sch 1, IPP 4.1.
[3] Privacy Act 1988 (Cth) Sch 1, APP 11.1.