I read this a few days ago with increasing alarm…
Watchdog calls for mandatory data breach notification laws in Victoria
Joseph Brookes
Senior Reporter
The former case worker, Alexander Jones, is currently serving a six-year prison sentence for sexually assaulting a 13-year-old boy, whose information he attempted to access through the government database.
He had unauthorised access to the system because it was not revoked by the government department when he left one of its service providers in 2017, despite serious concerns about his behaviour at the time.
When the data breach was investigated by the Office of the Victorian Information Commissioner (OVIC) in 2020, the department said it was voluntarily notifying the children whose data had been accessed by Jones.
This did not occur, according to a subsequent, wider investigation of the incident by the state’s Ombudsman released this week, prompting the call for a mandatory data breach notification scheme.
OVIC’s data breach inquiry revealed Jones had unauthorised access to the personal information of dozens of vulnerable people for more than a year through the state’s Client Relationship Information System for Service Providers or CRISSP system.
Published last year, the watchdog’s investigation was highly critical of Victoria’s Department of Health and Human Services, which contracted the service provider that employed Jones.
The Commissioner issued a compliance notice for the department to improve how it protects personal information and received assurances that it was voluntarily notifying all the children whose information was accessed.
A second investigation by Victorian Ombudsman published its findings on Wednesday, confirming this notification did not happen
It found the department had “provided inaccurate and ultimately misleading information to Victoria’s Information Commissioner”. All affected individuals were eventually notified but only after the oversight had been identified, a process that took years.
“While I am disappointed the department provided incorrect information to me, I note the Ombudsman’s finding that this was not intentional,” Victoria’s Information Commissioner Sven Bluemmel said in a statement.
Lots more here:
This all deserves a careful read.
That the original data breach happened was problematic enough, it is hard not to draw the conclusion that there was a coverup by the responsible officers for not taking all the steps necessary to protect any other children who were potentially at risk!
The whole thing is a classic example of extended access to information existing long after it should have been revoked and then a series of ‘stuff-ups’ as the initial problem was the subject of multiple failed remediation attempts.
Yet again we see no apparent significant consequences for those involved. We really need to treat this sort of incident more severely so what is done can act as some sort of deterrent.
No wonder confidence in Government handling of private data is so low!
At the very least there needs to be much improved internal system checks to try and prevent the initial problem! Just having a junior staff member managing the exit process without in-depth supervision is begging for accidents!
David.
No comments:
Post a Comment