
Review of information security practices and procedures in relation to the home based care and family violence operations of the Department of Health and Human Services (DHHS)

Research and analysis prepared by Lucinda Nolan

January 2017

Unclassified

Published by the Commissioner for Privacy and Data Protection, PO Box 24014, Melbourne Victoria 3001

January 2017

Also published on: http://www.cpdp.vic.gov.au

ISBN 978-0-9946370-7-9


DOCUMENT DETAILS

Security Classification: UNCLASSIFIED

Dissemination Limiting Marker: Nil

Dissemination Instructions: For public release

Issue Date: January 2017

Document Status: Final

Authority: Office of the Commissioner for Privacy and Data Protection


Contents

Executive summary

Background

Methodology

Previous reviews of DHHS information privacy and security

  Internal audit – Information Security and Management

    Implementation status

  Internal audit – Application of Information Privacy Principles

    Implementation status

  External audit – Victorian Auditor General’s Office

  External audit – The Leatherland review

The family violence landscape

Review findings and recommendations

  Areas of strength

  Areas requiring improvement

    Provision of the necessary knowledge and training to frontline workers

    Document classification

    Appropriate oversight of CSPs’ information privacy and security

    Enhancing stakeholder relationships

Further considerations

  The impact of workload on privacy breaches

  Continuing lack of clarity

  Sharing of better practice across the sector

Attachment A – Summary of recommendations

Attachment B – Interviews and consultations

Attachment C – Family violence case study


GLOSSARY

BIL Business Impact Level

BTIM Business, Technology, Information Management Executive Board (DHHS)

CPDP Commissioner for Privacy and Data Protection

CPU Complaints and Privacy Unit (DHHS)

CSP Contracted Service Provider

DHHS Department of Health and Human Services

IPP Information Privacy Principle

PDPA Privacy and Data Protection Act 2014

PIA Privacy Impact Assessment

VPDSF Victorian Protective Data Security Framework

VPDSS Victorian Protective Data Security Standards


Executive summary

The Department of Health and Human Services (DHHS) is a large government department that operates in a complex legislative environment. The nature of home based care,[1] child protection and family violence is such that the work is frequently emotionally charged and deals with often very sensitive personal information. The difficulties frequently posed by these areas and the important work done by DHHS and its contracted service providers (CSPs) are acknowledged by this review.

That said, there is room for improvement, particularly with regard to:

• providing clarity across the sector around information sharing practices

• providing clarity to carers and CSPs with regard to their roles and responsibilities and good privacy and security practices

• taking steps to minimise the possibility of human error in the handling of personal information by addressing systems interfaces and work ‘overload’ on front-line staff.

[1] Refers to foster care and kinship care


Background

In July 2016, The Age of Melbourne ran a series of articles highlighting seeming weaknesses in DHHS’ information security practices. The specific matter was an incident involving a serious breach of a foster carer’s privacy. The articles included critical commentary on the lack of a speedy resolution, similar previous incidents, and the fact that the system was perceived as being ‘overloaded’.

The articles brought to a head ongoing concerns by CPDP with regard to the adequacy of DHHS’s information security practices in relation to the handling of personal information.

Over a period of months, CPDP had received a number of serious self-reported privacy breaches concerning DHHS and its CSPs, many of which involved confusion around which party was liable and possible remedies.

CPDP had also received in 2016 a large number of enquiries/complaints from members of the public concerning the alleged mishandling of personal information by DHHS and its CSPs with specific regard to foster care, kinship care and family violence operations. The Foster Care Association of Victoria conveyed to CPDP its own concerns about the handling of personal information by DHHS in matters of foster care, child protection and relevant court proceedings.

In response to the articles in The Age, the Minister for Families and Children announced an independent review of a sample of child protection privacy incidents over a five-year period to examine the extent to which DHHS’s policies and practices contributed to the reported privacy incidents. Mr John Leatherland undertook this review and produced a final report (the Leatherland review) on 26 August 2016.[2]

On 15 July 2016, pursuant to section 103(1)(d) of the Privacy and Data Protection Act 2014 (PDPA), CPDP announced its own reviews as regulator of DHHS’ information security practices in order to understand the fundamental causes of any systemic security shortcomings. These consisted of a broad review of DHHS’ information governance, conducted for CPDP by PricewaterhouseCoopers, and targeted reviews of home based care and family violence operations, conducted by Ms Lucinda Nolan.

The reviews were conducted concurrently. Both reviewers worked in tandem to minimise any negative impact on DHHS resources. Working in collaboration also ensured a complementary understanding of DHHS’s approach to information management, from both a high-level policy position and practical implementation.

Key recommendations from all these reviews can be found in the broad information governance report. The current report contains further supporting recommendations.

[2] Leatherland, John. Review of Child Protection Privacy Incidents and Carer and Client Safety for Department of Health and Human Services. Final Report. 26 August 2016.


Methodology

The reviewer was tasked to:

1. Review current practices and procedures regarding the collection and handling of personal and sensitive information by DHHS and its CSPs with respect to home based care and family violence operations, having regard to any relevant legislation (including the Children, Youth and Families Act 2005 and the Privacy and Data Protection Act 2014)

2. Review a sample of contracts (up to five) with CSPs to ascertain the extent to which DHHS oversees and enforces its security obligations

3. Review the way in which other government agencies, including the Children’s Court of Victoria, collect and handle personal information with respect to out of home care operations.[3]

4. Make recommendations for improvements to comply with Information Privacy Principle 4.1 (data security) and the Victorian Protective Data Security Standards.

The review included:

• an assessment of previous DHHS/CSP privacy complaints and breach notifications received by CPDP

• a desktop review of DHHS/CSP frameworks, policies, procedures and practices in place to inform the collection and handling of personal information

• a desktop review of the findings, recommendations and implementation status of internal and external audits and reviews of DHHS information privacy and security, including the Leatherland review

• interviews with key DHHS staff, out of home care advocacy bodies and both out of home care and family violence CSPs.

[3] This task could not be completed because a meeting with the Children’s Court registrar and staff could not be scheduled. The task was considered to be of secondary importance given the legislative exemption from the IPPs given to the Court under the PDPA, and given that the unauthorised disclosures were attributable to human error rather than to failings in DHHS systems and processes.


Previous reviews of DHHS information privacy and security

A number of internal and external reviews of DHHS information privacy and security have been previously conducted. They include reviews of the Department of Health and Department of Human Services before their amalgamation to form DHHS.

Internal audit – Information Security and Management

In April 2015, an internal audit, Information Security and Management,[4] reviewed DHHS policies and procedures for protecting the security of client information when it travels between the then DHS and metropolitan and rural Children’s Courts.

The findings and recommendations were:

1. Unauthorised access to confidential information

• Recommendation – the Department reinforce the requirement to encrypt and password-protect information when sharing it electronically, and implement controls to mitigate the risk of confidential documentation being compromised in transit.

2. Inconsistent physical security of confidential information

• Recommendation – the secure printing function be used when printing confidential documents, and all confidential documents be locked in cabinets at the end of the working day. Spot audits should also be conducted by management to ensure clean desk policies are complied with.

3. Inadequate controls over copies of client information

• Recommendation – controls be implemented to ensure each copy is individually identifiable and an audit trail is recorded for the distribution of those copies, clearly identifying the parties that received the documents.

4. TRIM (the electronic document system) not updated in a timely manner

• Recommendation – Child Protection reinforce the current policy and procedure to ensure that TRIM is updated in a timely manner to accurately reflect the location of client files.

Implementation status

On 1 December 2015 DHHS published a revised child protection practice advice, Information Security, to include specific references to lock printing and secure emails and facsimiles. This was supported by a memorandum to divisional Child Protection Directors on 12 February 2016 requesting that they reinforce information security and management requirements with child protection practitioners, including that:

• emails sent to external parties are encrypted and password protected

• secure ‘follow me’ printing, clear screens and clear desk practices are adhered to

• the movement of paper files is kept up to date in TRIM to ensure their location is known at all times

• secure containers such as satchels or brief cases are used when transporting documents outside the office.

In 2017 the Business Information Technology Management Team will include spot audits of information security management in its review of the electronic document system, which is also intended to ensure familiarity with TRIM.

[4] RSM Bird Cameron, Department of Health and Human Services – Internal Audit Report – Information Security and Management, April 2015


Internal audit – Application of Information Privacy Principles

In July 2015, an internal audit, Application of Information Privacy Principles,[5] was conducted. Its findings and recommendations were:

1. Lack of department-wide oversight of compliance with the Information Privacy Principles

• Recommendation – the Board formally assign responsibility for privacy governance and oversight to an existing Board committee, and that privacy compliance be formally reported to the Department’s Board.

2. Lack of consistency in ongoing general privacy training for the department

• Recommendation – the Complaints, Integrity and Privacy Unit (CIPU), in collaboration with Divisions, implement a formal ongoing privacy training regime that has monitoring mechanisms in place to record attendance and identify staff that require further training.

3. Lack of formal program-specific privacy training

• Recommendation – CIPU ensure that a role-based training regime is established, which should also have a formal mechanism to monitor and report on staff attendance, or lack thereof.

4. Lack of awareness regarding privacy impact assessments

• Recommendation – CIPU, in collaboration with Divisions, ensure formal guidelines are implemented and communicated to raise awareness of when a privacy impact assessment (PIA) needs to be completed. This includes ensuring that all projects and activities complete a set of threshold questions to determine if a detailed PIA is required.

Implementation status

Implementation of the recommendations is nearing completion. An overarching Privacy Improvement Plan is being drafted to embed Privacy by Design principles across the department and to articulate an approach to improving privacy maturity in the short to medium term.

Recommendation 1 has been implemented through the creation of the Privacy & Information Security and Information and Records Management Reference Groups that report to the Business Technology and Information Management (BTIM) Executive Board Subcommittee. These arrangements will be reviewed following the completion of the review currently being undertaken by CPDP.

Recommendations 2-4 are being implemented through:

• the recent release of a refreshed Privacy Policy (on 20 September 2016), which will be supplemented by various fact sheets

• a refreshed generic Privacy and Confidentiality eLearning program, with scenarios, that is currently being re-assessed following the release of the Leatherland review report

• a whole of department Training Strategy that is under development, with program-specific eLearning modules to be developed to complement the strategy

• the development of a guide and tools for undertaking PIAs (being revised following consultation) and the establishment of a panel of providers for specialist advice on complex PIAs

• the development of a guide to managing privacy incidents and an enhanced privacy breach checklist, currently being reviewed following the release of the Leatherland review report.

• additionally, the CIPU (now CPU) has been delivering divisional training to Child Protection and other departmental staff in relation to information security and management. This training is intended to be delivered on an ongoing basis as part of the departmental training calendar, and Child Protection practitioners are encouraged to attend.

[5] RSM Bird Cameron, Department of Health and Human Services – Internal Audit Report – Application of Information Privacy Principles, July 2015


External audit – Victorian Auditor General’s Office

In December 2015 an audit on Access to Public Sector Information was conducted by the Victorian Auditor General’s Office (VAGO). The audit recognised that DHHS was progressing well towards better practice, with strong information management governance structures, clear senior level support, and a comprehensive information management strategy that is integrated with its corporate objectives and planning. There was recognition by VAGO, however, that due to the machinery of government changes, the Sustainable Government Initiative, and the need to incorporate the less mature DHS intelligence holdings into the new DHHS, there had been repeated delays in achieving the progress anticipated and required.

External audit – The Leatherland review

The Review into Child Protection Privacy Incidents by John Leatherland analysed 58 substantiated breaches of privacy by DHHS and noted that while the contributing factors were many and varied, ‘the common denominator in all but one of the incidents was human error which caused the inadvertent release of information or loss of information’.[6]

Breaches of privacy were generally attributed to inexperienced case practitioners, a lack of appropriate management oversight and assurance, a small number of errors by administration or support staff, and a small number of incidents where Community Service Organisations failed to use secure transmission methods. The Leatherland review further noted that, ‘it appears that busy people under pressure to meet deadlines appear to have been working too quickly and not undertaking appropriate checks’.[7]

The review made seven recommendations, principally addressing:

• the development and support needs of child protection practitioners and senior child protection staff

• the needs of carers

• Court related documents

• the need to strengthen the privacy framework as it relates to child protection

• specific pressure points of the interface of child practitioners with the Children’s Court

• the need to ensure privacy issues are appropriately reflected in program documentation.

All recommendations made in the Leatherland review were accepted by DHHS and are currently being progressed, with four of the seven recommendations finalised. All recommendations have been assigned to a single point of accountability.

[6] Leatherland, John. Review of Child Protection Privacy Incidents and Carer and Client Safety for Department of Health and Human Services. Final Report. 26 August 2016.

[7] Ibid.


The family violence landscape

DHHS has outsourced all front-line family violence services to CSPs. The effectiveness with which DHHS passes on its information privacy and security obligations (for it cannot outsource its ultimate accountability) under its contracts with CSPs is therefore of prime importance to the Department’s family violence operations.

All CSPs interviewed with regard to family violence operations identified the possibility of a privacy breach as a key risk to their organisation and claimed to have appropriate policy, procedures, controls, monitoring and reporting mechanisms in place. However, while DHHS has an audit program in place, it has not performed any information privacy or security specific audits of CSPs that could substantiate these claims. It should be noted that CSPs working in family violence operate in a less complex legislative environment than those in home based care and have a lower attrition rate.

A further issue with regard to privacy and security in the family violence sphere was the extreme difficulty the reviewer had in isolating any ‘pure’ family violence privacy breaches.[8] The lack of such breaches meant it was nearly impossible to identify any common cause for breaches other than human error.

Finally, implementation of the recommendations from the Royal Commission into Family Violence (Victoria) should radically change the environment for handling family violence in Victoria, including with regard to the sharing of personal information. Any family violence specific recommendations made by CPDP may well address issues that are superseded in the near future. Our broader recommendations regarding contractual arrangements, monitoring and training made with regard to home based care should therefore also be seen as applicable to family violence.

That said, we have included in this report a case study that highlights issues around information sharing within the highly charged areas of family violence and child protection. CPDP is not judging or endorsing the positions taken by either side in this matter. However the case study does indicate the need for greater clarity around information sharing and around the roles and responsibilities of DHHS, CSPs and their staff, which are dealt with more broadly below.

[8] As family violence frequently appears within or as a root cause of a related matter, say child protection or out of home care, it may not be reported separately.


Review findings and recommendations

Areas of strength

Although progress has been delayed on a number of occasions, and often by forces beyond DHHS’s control, there has been a significant commitment to embracing best practice in information privacy and security by departmental executives. This has clearly been displayed in the setting of strategic direction, the proliferation of supporting policy and practice guides, multifactorial communication plans, and commitment to the progress of audit and review recommendations.

There has also been recognition by the DHHS of the ongoing risk of human error, particularly given the complex legislative and regulatory environment, the high-risk nature of the work and the ever-increasing workload of frontline practitioners. DHHS is endeavouring to mitigate remaining risk by introducing technical and process remedies where possible.

The successful implementation of the recommendations made in both the internal and external reviews will go a long way to strengthen DHHS’s information privacy and security practices and specifically compliance with IPP 4.1 (data security) and the VPDSS.

Areas requiring improvement

Provision of the necessary knowledge and training to frontline workers

The internal audit of the Application of Information Privacy Principles found that ‘the Department places a high degree of reliance on staff ‘doing the right thing’ when it comes to complying with IPPs’.[9]

It is therefore vital that the key controls and mitigation strategies in place be robust, clear and consistently monitored.

In order to mitigate the risk of privacy breaches, home based care practitioners within DHHS require:

• clear, consistent and simply documented policy hierarchies, showing the flow and interconnectedness of all relevant instructional documents, down to and including those for specific functional areas

• consistency in the naming of documents (e.g.: Framework; Policy; Principles; Guidelines)

• consistency in the protective marking of documents, following the VPDSF Business Impact Level table

• clear and consistent departmental communication strategies to ensure awareness, understanding and application of relevant new and existing instructional documents

• tailored, targeted and operationally based e-learning and other training packages to ensure information provided is fit for purpose

• audit and monitoring programs appropriate to the risk, likelihood and impact of breaches

• rigorous monitoring of the take-up and successful completion of relevant training programs, including timely intervention for non-compliance

• scheduled work programs to ensure documentation is reviewed and updated regularly.

It is acknowledged that significant work has been done to develop fit for purpose and risk-based training. However, more robust and targeted, practitioner focused information privacy and security training and awareness-raising is needed. Some current training modules still refer to the now repealed Information Privacy Act 2000 and have out of date content. While a targeted e-learning package is being developed for Child Protection staff, other earlier e-learning packages have not always been fit for purpose or targeted to key functional areas and activities.

[9] RSM Bird Cameron, Department of Health and Human Services – Internal Audit Report – Application of Information Privacy Principles, July 2015

DHHS has limited capacity to develop and deliver training to all priority areas, and delivery of training is currently prioritised on a risk or request basis. Given an annual attrition rate among child protection practitioners of 13.5 to 15.5%, training takes on added importance as a risk mitigation strategy.

The broad information governance review conducted by PwC makes recommendations with regard to privacy and security training (recommendations 5.1 and 5.2). The training requirements of home based care practitioners should be taken into account when implementing those recommendations.

There also needs to be a strong assurance framework for the monitoring of compliance with and the successful completion of training by all staff and managers. Previous results for the completion of important training programs have been very poor, with no clear indication that non-compliance is followed up as a matter of priority.

Recommendation 1

Develop an assurance program around take-up and successful completion of information privacy and security training.

Document classification

Following the merger of the Department of Health and the Department of Human Services, work has been undertaken to standardise documentation. This includes a revamped document classification policy, which is currently in draft form and is yet to be formally adopted. Under the VPDSF, Business Impact Levels (BILs) are used to assess official information in order to apply appropriate protective markings. By adopting a consistent assessment tool, Victorian public sector organisations will enable the sharing of information across the public sector without the need to undertake complex mapping exercises. The review noted some confusion among DHHS staff as to the applicability and appropriateness of the VPDSF BILs and protective markings, which was reflected in the proposed draft policy.

Recommendation 2

Modify the current draft policy around document classification to ensure that it aligns with the VPDSF Business Impact Level table and the protective markings.

Appropriate oversight of CSPs’ information privacy and security

Section 13 of the PDPA sets out the types of organisation that have information privacy obligations under that Act. DHHS, and CSPs that are providing services to it under a State contract, have direct obligations. Section 17(4) of the PDPA states that a CSP will be directly liable for a breach of privacy where:

• it is providing services under a current State contract

• the contract binds the CSP to the PDPA and IPPs

• the IPPs are capable of being enforced against the CSP.


DHHS contracts with CSPs very clearly set out the CSP’s information privacy and security obligations. However, there still seems to be some confusion among CSPs as to responsibility and accountability when a breach occurs. On occasion, CPDP has been contacted by CSPs for advice in relation to roles, responsibilities and how to effectively deal with privacy and security obligations. This indicates that contractual requirements have not translated into practice on the ground.

As accountable officer, the Secretary of DHHS needs to be assured that CSPs meet their information management and security obligations. To achieve this DHHS should include powers of review and audit within CSP contracts and enact those powers throughout the lifetime of the contract. The review understands that to date DHHS has not exercised its right to audit or review CSPs with specific regard to their information handling practices.

Residual responsibility (and proper reputational management) in the case of an information privacy breach may still rest with the outsourcing organisation (DHHS) irrespective of any contract with a CSP.

There needs to be broader thinking to identify the type of assurance model that will enable DHHS to be confident of the information management and security practices of its external home based care and family violence providers. The need for a risk based approach to CSPs is established in the PwC review of DHHS’ information governance. Recommendations 1.2 and 1.3 regarding improved monitoring and auditing of CSPs address the issues raised in the current report.

Enhancing stakeholder relationships

The understanding and expectations of home based carers and their advocacy bodies in particular do not always align with those of DHHS and the legislative and privacy environment in which it operates. This appears to have caused some angst in the past, impacting on the reputation of DHHS and the perception of its commitment to carers. This review considers that to be a perception, not a reality.

Uncertainty remains among stakeholders as to when and under what circumstances personal information may be disclosed to third parties. The legislative right of parents to know the whereabouts of their children and legal requirements for certain information in reports made to a Court may conflict with the belief by a number of carers and staff of domestic violence related CSPs that their personal details will at all times be withheld and protected. This perception may be exacerbated by departmental documentation not providing the clarity required (e.g. Commitment to Carers and their families – Be protected from dangerous behaviours from children or their families and as far as possible, have their privacy protected).

IPP 3 states that an organisation ‘must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date’. Carer advocacy bodies believe that procedures for information collection, handling and security are not standardised across DHHS divisions. They also expressed the belief that the quality of information captured is often poor and inaccurate. A number of examples of this were provided to the reviewer. Senior managers within DHHS acknowledged that practices differ across the five entities (HQ and the four divisions) which impacts on information quality assurance.

To strengthen relationships, DHHS could consider:

• developing and implementing an annual review process allowing stakeholders, notably key advocacy groups, to provide formal feedback to DHHS regarding concerns, emerging issues, risks and trends over time

• expanding the Foster Care Charter to include Kinship Carers

• ensuring that the intent of the Charter is applied consistently across DHHS divisions and CSPs

• improving practitioners’ and carers’ understanding of information privacy, including considerations around sharing personal information and the rights of parents to know the location of their children in most circumstances

• creating a more open, independent and understandable review process for carers regarding complaints made to the Department.

Recommendation 3

Take active steps to engage home based care stakeholders, providing clear guidance on information privacy and security.

Further considerations

Some issues were identified that did not fall within the official scope of the review. In the hope of assisting DHHS to continuously improve, these issues have been included for further consideration.

The impact of workload on privacy breaches

The workload of frontline child protection practitioners continues to rise, as does the complexity of the environment and the risks involved. Anecdotally, there seems to be a direct link between the workload of child protection workers and the number of inadvertent privacy breaches. The risk of error is compounded by a reliance on manual data entry and on re-keying that data into a myriad of systems without common interfaces. To mitigate the risk of human error, and cognisant of resource implications, serious consideration needs to be given to providing relief at the child protection practitioner level or the support/administrative level in order to reduce administrative burden. Consideration might also be given to a whole-of-system technology solution.

Continuing lack of clarity

Child protection practitioners and their managers expressed ongoing difficulty in understanding the complex legislative framework within which they operate and which generates uncertainty around information sharing. Practitioners are committed to acting in the best interests of the child, and to balancing those interests with the right to privacy. There is a need for greater clarity around the range of circumstances in which information may need to be, and can be, shared, in order to provide a solid reference point for practitioners. DHHS should consider developing a set of information sharing protocols with the input of practitioners in order to ensure that they are fit for purpose.

Sharing of better practice across the sector

Representatives of the CSPs interviewed said they would like to improve their understanding of best practice in information management and security, outside of an audit or compliance framework. They believed that there was a lack of shared understanding and practice across agencies in the sector. Clear direction regarding better practice and the encouragement of an environment of sharing and discussion amongst agencies would be extremely beneficial for CSPs to continue to improve and ensure their information management and security obligations are met.


Attachment A – Summary of recommendations

Recommendation 1

Develop an assurance program around take-up and successful completion of information privacy and security training.

Recommendation 2

Modify the current draft policy around document classification to ensure that it aligns with the VPDSF Business Impact Level table and the protective markings.

Recommendation 3

Take active steps to engage home based care stakeholders, providing clear guidance on information privacy and security.

Attachment B – Interviews and consultations

Representatives from the following external agencies were formally interviewed:

• Foster Care Association of Victoria

• Kinship Carers Victoria

• Berry Street

• Anglicare

• WRISC Family Violence Support

• Family Life.

Representatives from the following DHHS functional areas were also interviewed:

• Executive Services and Oversight

• Complaints and Privacy Unit

• Business Technology and Information Management

• Safeguarding and Community Services

• Client Outcomes and Service Improvement (North Division)

• Local Connections (West and North Divisions)

• Quality South Division

• Child Protection practitioners (South, West and North divisions)

• Corporate Services

• Procurement and Contract Management

• Statutory and Forensic Services

• General Counsel, Melbourne Children’s Court

• Child Protection Liaison Officers.

Attachment C – Family violence case study

In 2016, a confidential court report was prepared by a child protection practitioner for a regional Children’s Court hearing. The hearing concerned the breach of a supervision order and a recommendation for the court to place the children concerned on a supervised custody order to the Secretary for a 12-month period.

Part of the report detailed breaches of an intervention order and described injuries sustained by the mother that were highly likely to have been inflicted by her partner and father of the children. Four FV support workers (all female) from a CSP were named in full in this part of the report.

This report was then provided to the solicitors acting for both the father and mother of the children and subsequently handed to each of the parents.

The father had five outstanding warrants in relation to assault charges. Three of the warrants were related to incidents interstate, while two had occurred where the father currently resided and the FV service was located. The warrants allegedly related to assault charges both within the family and outside of the family and were all against women.

One of the FV workers was working with three of the four children involved when one of the children stated that ‘I dreamt that my dad wants to kill you. Where do you live?’

The FV worker was distressed by this comment, given the age of the child, the violent propensity of the father and his knowledge of her personal details. She subsequently reported the issue to police and sought counselling over the matter. She also made a formal complaint via her managers about the release of her confidential information without her knowledge and/or consent.

A few months later, another of the children stated to her ‘My Dad wants to kill you’ during a further counselling session. This threat was also reported to police. She also formally wrote to DHHS outlining her concerns and the outcomes she sought.

DHHS responded in writing to her concerns and outlined three key areas that supported the release of this information:

1. When Child Protection provide a report to the Courts, they are required to not only gather and supply relevant information but to also include the source of that information so that the court and parties can test the evidence and weight it appropriately.

2. In addition, the Children, Youth and Families Act 2005 does provide for Child Protection workers to ask the court to restrict a party’s access to some or all the report if information in the report may be prejudicial to the physical or mental health of the child or parent of the child. Unfortunately, this protection does not extend to professionals who are working with the family.

3. The PDPA 2014 sets out when an organisation like the department may share personal information. The department considered the personal information of the FV worker to be highly relevant in the proceedings, therefore not a breach of their obligations under the act.

Meetings have been held with DHHS representatives to resolve the FV worker’s concerns; however, they have not been addressed to her satisfaction. Her outstanding concerns are as follows:

• Lack of communication and documentation by DHHS around what information shared by CSPs to other related workers in the field is collected, supplied or reported in other matters (e.g. not informed that information passed to child protection workers could be shared with other parties, without the knowledge or permission of the FV worker).

• Lack of visibility or clarity around DHHS’ position in regards to the confidentiality of front line practitioners’ personal details.

• No attempt to overlay a risk management or harm minimisation approach to such information provision, for individual cases where there is an increased risk to those involved.

• Lack of formal guidelines or directions to staff around the inclusion or exclusion of practitioners’ personal information in reports – left to individuals to assess and decide.

• A gap in the service level agreements between DHHS and CSPs around responsibility and accountability for risks to staff. It should be clearly articulated that any risk to staff is the responsibility of the relevant organisation and not DHHS.