A youth case worker stood down from a Victorian health department service provider on suspicion of accessing child pornography continued to access sensitive information about clients for months afterwards, according to a data breach inquiry into the incident.
Failings in the department’s privacy protections meant the man – who was also subject to a separate investigation into an alleged child sex offence – had unauthorised access to the personal information of dozens of vulnerable people for more than a year, according to the report, which found “serious” contraventions of Victorian privacy principles by the department.
Details of the incident, which occurred between 2017 and 2018, have been revealed in a report into the data breach by the Victorian Information Commissioner, which held back the report due to separate police investigations and a trial of the former case worker.
The man, named as ‘XYZ’ in the report, was employed by a service provider contracted by Victoria’s Department of Health and Human Services (DHHS), now known as Department of Fairness, Families and Housing.
XYZ worked for over a year for the service provider, which was administering the DHHS’s Finding Solutions program, a Victorian government early intervention initiative to keep young people and families out of the child protection and out-of-home care systems.
In that role XYZ had access to the DHHS-maintained Client Relationship Information System for Service Providers (CRISSP). Records held in CRISSP include names, addresses, dates of birth, relationships, case notes, and any history of sexual abuse or exploitation.
The man ceased working for the service provider around September 2017, but his access to CRISSP was not revoked despite formal procedures requiring it.
About five months later police found child pornography on a laptop owned by XYZ but could not prove it belonged to him because of multiple user accounts on the computer. Police told the DHHS that they had “serious concerns about B’s access to vulnerable and at-risk children”, according to the report into the data breach.
By then XYZ was working for another youth service provider, also managed by the DHHS but via a separate division. The DHHS notified the provider of XYZ’s suspected access to child pornography and he was stood down.
However, the DHHS did not discuss XYZ’s access to the CRISSP system, as he had not required it in the new role. He was able to continue accessing the records until October 2018, when staff members from two service providers noticed XYZ had accessed their clients’ files.
When notified, the DHHS revoked XYZ’s access, more than a year after it should have been revoked when he left the original service provider. By then, though, XYZ had accessed CRISSP 260 times, involving 27 clients. XYZ also conducted 150 searches of the client record system, on each occasion accessing the personal and sometimes sensitive information of vulnerable people.
On Thursday Victoria’s information commissioner released his report into the data breach, finding both the DHHS and the service provider that initially provided XYZ access to the CRISSP had failed to take reasonable steps to protect personal information in the records system.
“The [Privacy and Data] Deputy Commissioner found that both DHHS and the [contracted service provider] contravened the [Information Privacy Principles] and issued a compliance notice against DHHS,” Victorian Information Commissioner Sven Bluemmel wrote in the report.
The service provider has already implemented the privacy watchdog’s recommendations while the DHHS is on schedule to complete all the specified actions required by the compliance notice.
Under the compliance notice the DHHS must:
• Implement a risk tiering framework for contracted service providers delivering the Finding Solutions program
• Update and simplify its contractual framework and guidance material for CRISSP
• Develop training that is specifically directed at the information security and privacy obligations of systems administrators and organisation authorities
• Implement a procedure to periodically check the currency of user lists for CRISSP
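The last item in the compliance notice, a periodic check that the CRISSP user list is current, is the control whose absence let the account survive for a year. The script below is an added illustration of what such a reconciliation looks like; it is not code from the report, DHHS or any service provider, and the user IDs, dates and client IDs are constructed sample data. It assumes three inputs an agency would already hold: the system's account list, each provider's record of who is currently engaged, and the access audit log. It reports three things: active accounts with no open engagement (the failure in this case), record access dated after the holder's engagement ended, and access to clients outside a worker's caseload (the signal the two providers' staff eventually noticed by hand).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    provider: str    # contracted provider that requested the account
    active: bool     # whether the account can still log in


@dataclass(frozen=True)
class Engagement:
    user_id: str
    provider: str
    end_date: Optional[date]   # None means the worker is still engaged


@dataclass(frozen=True)
class AccessEvent:
    user_id: str
    client_id: str
    when: date


# Constructed sample data (hypothetical; not taken from the OVIC report).
ACCOUNTS = [
    Account("u100", "providerA", True),
    Account("u200", "providerA", True),    # left providerA but never deprovisioned
    Account("u300", "providerB", False),   # left providerB and was correctly disabled
    Account("u400", "providerB", True),    # no engagement record at all
]
ENGAGEMENTS = [
    Engagement("u100", "providerA", None),
    Engagement("u200", "providerA", date(2017, 9, 30)),
    Engagement("u300", "providerB", date(2018, 1, 15)),
]
# Which clients each worker is assigned to; a departed worker has no caseload.
CASELOAD: Dict[str, Set[str]] = {"u100": {"c1", "c2"}}
ACCESS_LOG = [
    AccessEvent("u100", "c1", date(2018, 3, 1)),
    AccessEvent("u200", "c5", date(2018, 2, 10)),
    AccessEvent("u200", "c6", date(2018, 8, 20)),
    AccessEvent("u100", "c9", date(2018, 5, 5)),
]
AS_OF = date(2018, 10, 1)   # date the periodic review is run


def _latest_end(engagements: List[Engagement], user_id: str) -> Tuple[bool, Optional[date]]:
    """Return (has_record, effective_end); effective_end None means still engaged."""
    ends = [e.end_date for e in engagements if e.user_id == user_id]
    if not ends:
        return False, None
    if any(d is None for d in ends):
        return True, None
    return True, max(ends)


def stale_accounts(accounts: List[Account], engagements: List[Engagement], as_of: date) -> Dict[str, str]:
    """Active accounts whose holder has no open engagement as at `as_of`."""
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not acct.active:
            continue
        has_record, end = _latest_end(engagements, acct.user_id)
        if not has_record:
            findings[acct.user_id] = "no engagement record"
        elif end is not None and end < as_of:
            findings[acct.user_id] = f"engagement ended {end.isoformat()}"
    return findings


def access_after_offboarding(log: List[AccessEvent], engagements: List[Engagement]) -> List[AccessEvent]:
    """Access events dated after the user's last engagement ended."""
    hits: List[AccessEvent] = []
    for ev in log:
        _, end = _latest_end(engagements, ev.user_id)
        if end is not None and ev.when > end:
            hits.append(ev)
    return hits


def out_of_caseload_access(log: List[AccessEvent], caseload: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Client records opened by users who are not assigned to those clients."""
    hits: Dict[str, Set[str]] = {}
    for ev in log:
        if ev.client_id not in caseload.get(ev.user_id, set()):
            hits.setdefault(ev.user_id, set()).add(ev.client_id)
    return hits


if __name__ == "__main__":
    print("stale accounts:", stale_accounts(ACCOUNTS, ENGAGEMENTS, AS_OF))
    print("post-offboarding access:", access_after_offboarding(ACCESS_LOG, ENGAGEMENTS))
    print("out-of-caseload access:", out_of_caseload_access(ACCESS_LOG, CASELOAD))
```

The three checks are deliberately independent of each other. The first only needs the provider's engagement list and can run on a schedule without any audit log, which is why it is the cheapest control to put in place; the second and third need the access log but would have surfaced this incident on the first review after September 2017 rather than thirteen months later.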
Commissioner Bluemmel said the finding shows public sector organisations can’t outsource their privacy responsibilities.
“Outsourcing arrangements cannot be ‘set and forget’.”
“When a government agency shares personal information and system access with its contractors, the agency retains both a legal and a moral duty to protect the personal information it collects, uses, holds, and discloses. Government organisations can outsource the management of a program, but they cannot outsource this responsibility.”