Save articles for later
Add articles to your saved list and come back to them any time.
The Department of Health contravened privacy laws at COVID-19 call centres by failing to stop contracted staff from misusing personal information, allowing a third-party employee to visit a woman and attempt to coerce her into sex acts while she isolated at home.
The Office of the Victorian Information Commissioner published its report on the misuse of personal information at COVID-19 call centres on Tuesday, finding the Department failed to take reasonable steps to stop breaches.
The Health Department accepted it had breached the law through serious contraventions, and expressed regret.Credit: Jason South
In one instance in 2021, a casual employee hired by external provider Acquire, took down a woman’s address while she self-isolated at home.
Abdulfatah Omar Awow later posed as a COVID-19 compliance inspector to con his way into her home and tried to coerce her into sex acts. He falsely told the international student she was not complying with isolation requirements and “could get into a lot of trouble”, implying she could be deported.
Awow, who had a criminal history including for using a carriage service to menace and was on bail at the time, pleaded guilty to aggravated burglary and attempting to procure a sexual act by threat and was jailed last year. Awow was not named in the report.
He had provided a completed police check, as required, but it was never processed. Awow had also signed a statutory declaration that he did not have any criminal charges or convictions and a confidentiality agreement stating he would not disclose information to outside sources.
Because of the rapid recruitment process, it was intended that staff would begin work while police checks were processed. Acquire had uploaded completed forms to a Dropbox link created by the department, but no police checks were processed for eight months.
“There was confusion and inconsistency within the department about which party was, in fact, responsible for submitting police check applications,” the office’s report said.
Awow would have been precluded from working at the call centre had the police check been done, “and from carrying out the criminal conduct which eventuated”.
The office found that there was insufficient pre-employment screening, and that the department did not sufficiently plan for or mitigate risks that staff at external providers could misuse personal information they were given access to, in contravention of the Privacy and Data Protection Act.
Minimal training was provided due to the urgency, but the office found that did not breach privacy laws because the misuse of personal information was so clearly inappropriate and unauthorised.
In a second breach, another casual employee at the Acquire call centre in 2021 was arrested on multiple criminal charges including armed robbery. A search of their mobile phone revealed he had taken a photo of the department’s data management system that included an address, but there was no evidence the address was used for criminal activity.
The report made four recommendations about preparedness for future emergencies requiring contractual arrangements with third parties, and surge workforces that handle personal information.
The department accepted it breached the law through serious contraventions, and expressed regret. The department and Acquire have already taken steps to improve onboarding processes.
In its response to the office’s report, the Department of Health accepted more could have been done to protect the privacy of Victorians.
However, it said the office’s recommendation to have a better surge workforce model, “respectfully, does not sufficiently appreciate and recognise the magnitude of the challenges in pre-planning a surge workforce nor the limitations on advance pre-screening where it is not known when those resources will be required”.
“The urgency for getting third-party surge workforces in place at that time cannot be underestimated,” the department said.
“So, while the department accepts that more should have been done to protect the privacy of Victorians and deeply regrets that the system was able to be misused by a third-party employee, I would hope that you appreciate and accept that, at that time, efforts had to be focused on disease transmission containment and protecting the lives of Victorians.”
Information Commissioner Sven Bluemmel, who will leave OVIC next month to become the state’s next Electoral Commissioner, said he understood the unique pressures the department faced.
“But it remains the case that government agencies are rightly held to a high standard, and the failure to protect personal information resulted in serious and life-altering crimes being committed against a young woman,” Bluemmel said.
“We know that there will be future health and other emergencies requiring rapid responses that place government agencies under pressure.
“That is why the department, and indeed all government agencies, should think now about emergency management planning that considers privacy implications and contract arrangements at the design stage.”
Get the day’s breaking news, entertainment ideas and a long read to enjoy. Sign up to receive our Evening Edition newsletter here.
Most Viewed in Politics
From our partners
Source: Read Full Article