The Department of Health has admitted it breached privacy laws after contracted staff at COVID-19 call centres were able to access and misuse citizen’s personal information.

While Victorians experienced some of the world’s longest lockdown periods during the global pandemic, citizens relied heavily on COVID-19 call centres for information and support regarding vaccination bookings and rapidly changing health directions.

Now, Victoria’s privacy watchdog has found the Department of Health contravened privacy laws

by failing to protect citizen’s personal information against misuse by contracted third-party staff.

In a report released Tuesday, The Office of the Victorian Information Commissioner (OVIC) found that while outsourcing call centre operations to an external provider to help with increased call volumes, the department “failed to take steps” to ensure all external staff could be trusted with access to department-held information.

“Public trust was a necessary foundation for the Department’s pandemic response,” said OVIC.

“Asking so much of the public comes with an expectation that the information will be treated with great care.”

An OVIC investigation found the department did not ensure sufficient pre-employment screening of external staff – particularly when it came to handling police checks.

One instance in 2021 saw a casual employee at external provider Acquire access and misuse a woman’s address while she was self-isolating at home.

The employee – who had a relevant criminal history for using a carriage service to menace and unauthorised use of information, and who was also on bail at the time – attended the woman’s home under false pretence of being a COVID-19 compliance inspector.

He told the woman she was breaching isolation requirements and “could get into a lot of trouble” before attempting to coerce her into participating in sexual acts.

The employee did provide a completed police check application when they began work at Acquire. However, over a period of eight months the Department of Health did not submit any police check applications for processing for Acquire staff.

“There was confusion and inconsistency within the Department about which party was, in fact,

responsible for submitting police check applications,” said OVIC.

After “limited training”, the employee was allowed access to departmental information systems required for his job in the COVID-19 response call centre, and continued to have access for over 59 days.

The department said it “deeply regrets that the private information was able to be misused by a third-party employee, and that it “acknowledges the profound impact of this.”

Information Age spoke with an anonymous source who worked in response call centres during 2021 – firstly with an external provider before later becoming directly employed with the Department of Health.

“Things were hasty back then,” they said.

“Recruiting was really quick because of the nature of the pandemic and how quickly things were changing and moving.”

When asked about the lack of processing on police check applications, they said they were unaware this was the case.

“It was never processed? See, that's the biggest issue here then,” they said.

“We needed to apply with criminal record checks – I’m not sure how criminal record checks slipped by them.

“If this cowboy activity has happened… it’s pretty straightforward: it was through the engagements with external providers.”

As part of its report, OVIC’s deputy commissioner provided recommendations for the Department of Health to review its emergency management planning policies and procedures, particularly regarding its readiness for surge workforce recruitment and associated privacy risk mitigation.

The commissioner noted contingency planning for expedited police checks as an example of risk mitigation, and pointed out a need to “review the appropriateness” of access controls for externally contracted staff.

It also recommended assigning a senior department employee to manage contracts with external providers, placing an emphasis on the protection of personal information.

The department said it accepted “more could have been done to protect the privacy of Victorians” and would "carefully consider the recommendations to determine the specific practicable action to implement consistent with their intent".

The Department of Health said it would provide OVIC with an update regarding its progress on the recommendations by 1 March next year.