The Office of the Victorian Information Commissioner (OVIC) has welcomed the Victorian Ombudsman’s report on a youth worker’s unauthorised access to private information about children.
Information Commissioner Sven Bluemmel said the Ombudsman’s investigation followed an earlier investigation completed by OVIC in March 2021 that examined aspects arising from the same incident.
Mr Bluemmel said OVIC’s investigation resulted in a compliance notice which required the Department of Families, Fairness and Housing to make substantial improvements to how it protected personal information.
“The Department told me during my investigation that it was voluntarily notifying all the children whose information was accessed,” Mr Bluemmel said.
“The Ombudsman found that this did not occur,” he said.
“While I am disappointed the Department provided incorrect information to me, I note the Ombudsman’s finding that this was not intentional.”
Mr Bluemmel said the Department’s failure to notify all the children whose information was involved highlighted the need for data breach notification laws in Victoria that required Government Agencies to notify individuals if their personal information had been subject to a data breach.
He said that currently, Agencies must notify OVIC of certain data breaches under the Victorian Protective Data Security Standards (VPDSS), and his Office encouraged organisations to voluntarily notify individuals who had been impacted by privacy breaches.
“However, a mandatory data breach notification scheme like that which applies to companies and the Australian Government does not apply to Victorian Government Agencies,” the Commissioner said.
“This means Victorian Agencies are not legally obliged to notify individuals when their information has been compromised in a data breach,” he said.
“Laws that require notification would provide greater certainty to Agencies about what they need to do when a data breach occurs and give confidence to members of the community that they will be informed if their information has been compromised.”
OVIC’s 36-page March 2021 investigation report, Unauthorised access to client information held in the CRISSP database, can be accessed at this PS News link.
