Third party service providers: It’s so much more than the contract
Victoria’s privacy watchdog, the Office of the Victorian Information Commissioner (OVIC), released a report into how the Victorian of Health and Human Services Victoria protected Victorian’s data during the COVID-19 pandemic. And it’s not good news for the Department of Health …
We discuss some of the findings and recommendations from the report bellow.
Findings in report
In a report released in July 2023, OVIC examined how the Department of Health managed the access of third-party call centre staff to personal information as the Department responded to the COVID-19 pandemic. In particular, OVIC’s investigation considered whether the Department took reasonable steps to protect personal information it holds from misuse, as required by the Privacy and Data Protection Act 2014 (Vic) and Information Privacy Principle (IPP) 4.1.
OVIC found the Department failed to protect against the misuse of personal information during the COVID pandemic. In particular, OVIC found that the use of third-party call centres to meet the increased demand for staff during COVID led to the misuse of personal information, covering a range of different issues that contributed to some very serious cases of misuse.
What went wrong?
The report outlines a series of issues with the engagement of the service provider, Acquire, to provide customer support services, including:
- Failure to properly vet service provider staff
- Lack of clarity around responsibilities
- A flawed implementation of MFA requiring access to personal devices (introducing additional risk of misuse of personal information)
Failure to vet service provider staff
There was at least one instance of an Acquire staff member with a criminal record taking photographs of the database, although there was also no evidence that the details were subsequently used for criminal purposes.
A separate and more serious incident involved a member of staff of Acquire with a criminal history misusing the personal information obtained from the Department to visit the home of an international student. “He pretended to be an inspector from the Department and falsely told the woman that she was breaching her isolation requirements and could get into a lot of trouble, including being deported,” the OVIC report says.
The staffer, who was on bail at the time, was charged and later convicted of aggravated burglary and attempting to procure a sexual act by threat.
The report held that the Department “failed to take steps to ensure that all external staff who had access to that information could be trusted with it”. In particular, the investigation found “that the Department did not ensure there was sufficient pre-employment screening of external staff to determine their suitability to handle personal information that had been entrusted to the Department by the public.”
Lack of clarity around service provider responsibilities
Part of the vetting failure could be attributed to the manner of the initial engagement.
The initial retention of the service provider, Acquire, by the Department was informal and the initial process of assigning responsibility for submitting police check applications was also informal.
Although a formal standard form contract was later entered into, there were unclear lines of responsibility in relation to these checks, and nobody seemed quite sure of who was doing what. Suffice to say that the Department did not check to ensure that staff hired by Acquire were checked to make sure they could be trusted with personal information that was disclosed to them.
Use of MFA by service provider staff
The multi-factor authentication system deployed by the Department over the relevant databases that could be accessed under the outsourcing arrangement meant that Acquire’s ill-vetted staff actually needed their mobile phones in order to access the system. That meant that a ‘no phones’ policy was impractical to mandate (if able to be implemented, it would have meant that the outsourced service providers couldn’t take digital images of the database outputs).
Issues with outsourcing
This is not the first time the Department of Health and Human Services Victoria has run foul of OVIC in relation to outsourcing problems. In 2020, OVIC investigated that department in relation to an outsourcing arrangement which allowed third party employed caseworkers to access personal information relating to vulnerable people, including children, through what was called the Client Relationship Information System for Service Providers or CRISSP system.
A case worker, stood down from the service provider on suspicion of accessing child pornography was not shut out of the CRISSP for some months after he was stood down. OVIC’s consequent data breach inquiry was scathing of the Department’s handling of the issue and issued a compliance notice requiring the Department to improve its data handling practices.
Recommendations made in the report include that the Department of Health reviews its emergency management planning policies and procedures to ensure they adequately address the following:
1. Preparedness for the recruitment of surge workforces which adequately considers and mitigates associated privacy risks including:
a. the risk of ineligible or unsuitable externally contracted staff gaining access to personal information held by the Department (this may include, for example,
contingency planning for expedited police checks, and the development of minimum recruitment and character standards to be adhered to by contracted
service providers); and
b. the need to review appropriateness of access controls to Department systems for externally contracted staff.
2. Assignment of responsibility to a senior department employee (reporting directly to the Secretary) to ensure that, for contracts executed with contracted service providers associated with emergency management response, there is appropriate:
c. contract creation – responsibility for obligations relating to the protection of personal information is clearly and appropriately assigned between the
Department and the contracted service provider; and
d. contract management – adherence by both parties to obligations relating to the protection of personal information, which is systematically reviewed and verified.
More than just the contract
The report into the earlier incident includes the following pithy quote from Sven Bluemmel, the Victorian Information Commissioner:
“Outsourcing arrangements cannot be ‘set and forget’. When a government agency shares personal information and system access with its contractors, the agency retains both a legal and a moral duty to protect the personal information it collects, uses, holds, and discloses. Government organisations can outsource the management of a program, but they cannot outsource this responsibility.”
Privacy legislation of the Australian Commonwealth, States and Territories regulate contracted service provider arrangements in various ways. Many of them mandate provisions that need to be included into outsourcing arrangements that involve personal information, and there is usually a great deal of attention that goes into ensuring compliance with those requirements.
Both of these Victorian examples demonstrate that what the contract says is one thing, but attention needs to be given to the entire data processing operation, as if it were occurring in-house and each step of the activity needs to be carefully considered in order to protect the privacy (and safety) of the relevant data subjects.
How can we help?
Privacy 108 are expert in assisting with managing third party supplier risk including:
- establishing policies and procedures
- developing security and privacy questionnaires
- reviewing third parties and reporting on risk
- drafting appropriate contractual provisions
- conducting on-gong monitoring and surveillance reviews.
We have also published the following blog post that might be of interest:
Contact us for more information on how we can support your team.