Data breach by the Victorian Department of Health and Human Services

July 12, 2016 |

Control of data and the consequential protection of privacy, is to a large degree dependent on staff receiving the proper training in information management and having an understanding of how the Privacy Principles operate.  The consequences of personal information being misused in being disclosed to someone who was not authorised to receive it can have dramatic consequences.  As has been reported in  Government gives violent father address of his children in foster care  where personal information of children was given to a violent father.  That sort of breach bespeaks a complete breakdown in managing data.  This has prompted the usually heavy handed response of a review in Foster care security breach prompts Victorian child protection system review.   A starting point to any review is the level of understanding of how the Privacy and Data Protection Act operates and how the Information Privacy Principles work.  Proper training goes a long way to resolve that. Unfortunately the standards in this area are poor in both the Department and private agencies used by the Department who have care of children.

The initial article provides:

A father jailed for violently attacking his sons was accidentally handed a confidential court report by Victoria’s child protection agency containing the exact location of the other children removed from his care due to abuse and neglect.

The major security breach has prompted the Department of Health and Human Services to undertake a risk assessment in consultation with police, and it has offered to pay for a sophisticated security system at the carers’ home in country Victoria.

Leaked documents reveal the department’s settlement offer, conditional on the carers signing a confidentiality clause, was for the installation of infrared security cameras and motion detector flood lighting worth more than $4000.

The carers had asked for compensation and financial assistance to move to a new rental property in the event the father came to their home, but the department rejected their request.

“The department does not agree to cover the cost of relocation should you move from your current residential address in the event [the father] attended your home,” a DHHS senior staffer wrote. “In the event [he] attends your current residential address, the department will investigate the matter and take the necessary steps to ensure the safety of the children and yourselves.”

Fairfax Media has confirmed DHHS gave the father a confidential Children’s Court file that included the carers’ home address and phone number as well as the names and mobile numbers for the two traumatised children’s counsellors and doctor.

The children are on an undisclosed placement, meaning the father was not allowed to know where they lived. Undisclosed placements are ordered when a child’s safety is in jeopardy or when caregivers are at risk of violence from parents. Often their mail is redirected through their foster care agency.

The father, who has a number of children who have all been under state care, is described in DHHS documents as a man who relies on physical punishment for discipline. He has not seen the children in question for years but is fighting an application for them to be placed with the foster carers long-term. He has previously been convicted for violent assaults against his children.

Director of Kinship Carers Victoria, Anne McLeish, said the privacy breach put the foster family at “extreme risk” and that a solution had still not being agreed to despite weeks of talks with DHHS.

“We can understand human error and forgive it, especially since the pressures on DHHS staff seems to be building day by day,” she said. “However, this family is now fearful and [they] should be our first concern.”

Ms McLeish called on the state government to reassure all Victorian carers that this was an isolated incident and that procedures were in place to protect them should other breaches occur.

The government said security breaches were rare but legal sources have told Fairfax Media they are becoming more common. Lawyers said there had been a number of compensation claims over DHHS breaches involving foster carers, most settled confidentially, and that recent changes to the child services’ database that caseworkers use to generate court reports left more children exposed.

“It happens all the time,” Children’s Court solicitor Liz Dowling said. “I’ve gone to the department and told them about breaches in their reports. It’s usually a typographical error but it’s a bigger issue than just in this instance. Social workers are told at the last minute to prepare a report in relation to a matter and they press a button which results in all these details coming out.”

The state’s peak body for carers, the Foster Care Association of Victoria, said breaches occurred when caseworkers did not forensically check what was being included in DHHS reports.

“Absolutely, they occur,” chief executive Katie Hooper said. “Carers hope that the system has taken steps to avoid this. But I think that’s a big hope.”

Another Children’s Court lawyer said there had been “several occasions” when court reports produced by the department contained pre-populated “confidential and highly sensitive information”.

A Department of Health and Human Services spokeswoman said strict policies about the handling and sharing of sensitive information were in place, and that client confidentiality was taken “very seriously, with client safety the utmost priority”.

She said privacy breaches were always investigated and, where appropriate, a forensic security audit undertaken. “In the rare cases where breaches of privacy occur due to human error, the staff involved are counselled and processes are reviewed to identify any opportunities for improvement.”

In the case identified by Fairfax Media, the spokeswoman said the department was investigating and would take action to prevent the breach from happening again.

She said the government was working with the family and police to ensure their safety and to find a solution. She also apologised for the wording in the letter rejecting the carer’s proposal, which she said “does not reflect the department’s approach to this issue”.

A spokeswoman for Families and Children Minister, Jenny Mikakos, said she expects DHHS will review its processes following this breach.

Deb Tsorbaris, chief executive of the Centre for Excellence in Child and Family Welfare, said the department was likely to be watching this case closely.

“I would be very surprised if the department didn’t do everything it could do, even if it was relocating these foster carers if it came to that,” she said.

Fairfax Media approached the foster carers but they declined to comment.

The article regarding the review provides:

The Andrews government has ordered a “full review” of security breaches in Victoria’s child protection system after social workers gave a violent criminal the address of children removed from his care for their own safety.

It comes as other Victorian foster carers come forward to report major privacy breaches at the hands of the beleaguered Department of Health and Human Services, and say they too have been offered expensive security upgrades at their homes.

Fairfax Media revealed on Tuesday that the department mistakenly gave a father a confidential court report revealing where his protected children were living in foster care, raising serious questions about the government’s ability to protect the state’s most vulnerable children.

The children are on an undisclosed placement because of the threat the father poses to them and their foster carers. After the breach was exposed the department met with police and proposed a $4000 security system be installed at the carers’ rental house.

But it rejected their request for financial assistance to move to another rental property in the event the father – who has been jailed for brutal assaults on some of his children – came to their house.

It is understood senior DHHS officials are now planning to meet with the foster carers on Tuesday afternoon.

Earlier, Families and Children Minister Jenny Mikakossaid she had asked DHHS to review the case and identify whether there were systemic problems with the agency’s handling of confidential information.

“What has happened in this case is totally unacceptable,” she said. “I have asked the Secretary of the Department of Health and Human Services for a full independent review and to work with the family to reach a solution.”

Ms Mikakos said she understood the security breach in this case was the result of human error but that the review would identify whether there had been other serious privacy breaches.

Childrens’ Court lawyers and groups representing foster carers have told Fairfax Media that DHHS privacy breaches are not uncommon. They warned overloaded social workers and flawed internal reporting systems will lead to more security breaches in the future.

Opposition spokeswoman for families and children, Georgie Crozier, said carers and children at risk from violent parents needed to be protected following the “disturbing” revelations of privacy breaches in the child protection system. She called for the government’s review to be made public.

“Minister Mikakos and Daniel Andrews need to ensure that we’ve got a system that is workable. Carers need to have faith in the system, and the priority of course should be that children who are most vulnerable … are protected,” she said.

“If the system is overloaded, as indications suggest, then it’s up to Daniel Andrews to fix the system and to ensure that there is additional resources and that those child protection workers and the carers, in particular, have the resources that they need to keep those children safe.”

Fairfax Media has asked the Department of Health and Human Services how many foster carers had been compensated or received security upgrades at their homes following a privacy breach in the past 12 months.

The government said the review would not be made public due to privacy reasons, but the recommendations and the department’s response would be made public.

One Response to “Data breach by the Victorian Department of Health and Human Services”

  1. Data breach by the Victorian Department of Health and Human Services | Australian Law Blogs

    […] Data breach by the Victorian Department of Health and Human Services […]

Leave a Reply

Verified by MonsterInsights