Investigation into a former youth worker’s unauthorised access to private information about children
Date posted:Letter to the Legislative Council and the Legislative Assembly
To
The Honourable the President of the Legislative Council
and
The Honourable the Speaker of the Legislative Assembly
Pursuant to sections 25 and 25AA of the Ombudsman Act 1973 (Vic), I present to Parliament my Investigation into a former youth worker’s unauthorised access to private information about children.
Deborah Glass OBE
Ombudsman
14 September 2022
Foreword
I wanted information. I wanted to know everything. What information could be seen? How worried should we be that [Alexander Jones] was able to make good on the threats to my son ... We were walking on eggshells, and my son didn’t want to leave me in the house by myself either for fear I could be hurt.
Zack's mother
The sexual assault of a child by a former youth worker, a person once placed in a position of trust, is inherently shocking. But the impact on one family went far beyond the assault.
In February 2021, a former youth worker, Alexander Jones, was convicted of sexually assaulting a child we refer to as ‘Zack’. After his conviction, the media reported that Jones had misused credentials provided by his former employer, Melbourne City Mission, to access sensitive information about children, including Zack.
The media also reported that the Department of Health and Human Services misled Victoria’s Information Commissioner about the extent to which it had noticed those affected by the data breach, and that management at Melbourne City Mission were aware of concerns about Jones.
Following these reports, I decided to investigate how Jones came to be employed to work with children and young people; what information he actually accessed; and whether authorities did enough to identify and support those affected by his conduct – including whether they gave proper consideration to human rights.
The impact on the family was huge. Zack’s mother was not only dealing with the aftermath of a sexual assault on her child but was also concerned about Jones’s access to Zack’s information.
She sought answers from official sources and was provided inaccurate and contradictory information. She was told Jones was able to access all of Zack’s details and case notes – as well as information about other family members.This was incorrect and significantly contributed to her safety concerns.
As a result, she moved her family at considerable inconvenience and emotional cost. More contradictory information followed, by which time Zack’s mother did not know what to believe.
Ultimately, I found that Jones did not access Zack’s information. Yet the family’s longstanding suspicion was entirely understandable, and the Department’s poor communication plainly undermined its commitment to transparency following the data breach, not to mention its responsibility to support a victim-survivor.
But how did Jones get a job working with children in the first place? When he applied for a job in Victoria he was already the subject of multiple serious interstate child protection concerns and Apprehended Violence Orders. But because he was never charged with a crime, these did not appear in his national police check, nor were they disclosed to Working with Children Check Victoria.
Even more remarkably, the inadequacies in Victoria’s child safety screening legislation mean that these prior investigations would not have been grounds to refuse Jones a Working with Children clearance, even if the screening authority had been aware of them.
Jones was never qualified to work with children.He deceived Melbourne City Mission about his employment history and qualifications. Red flags emerged early in his employment but did not result in further scrutiny of his background – even when his behaviour was clearly at odds with the standards expected of a qualified and experienced case worker.
Jones’s access to confidential client information should have been revoked when he moved to another job in July 2017. But his account remained active until October 2018, when the data breach was identified. In that time, the Department received multiple child protection reports about Jones, who, it turned out, was regularly using his former credentials to access information about vulnerable young people.
Also in that time, Jones sexually assaulted Zack. Zack recalled Jones claimed to be a formerMarine who knew all about him, proving this by reciting private information about another young person known to Zack.
All the while, Jones had a Working with Children clearance. His clearance was not revoked until May 2019.
So what went wrong? This case has exposed serious flaws in our Working with Children Check scheme. The screening authority was unable to use police and child protection intelligence, even where it indicated serious child-safety concerns.
But just as significantly, Working with Children Check Victoria initially had no statutory basis for revoking Jones’s clearance, despite escalating concerns about him and the obvious frustration of officials.
Melbourne City Mission failed to deactivateJones’s access to the information system, unintentionally providing him continued access to sensitive information about vulnerable young people. They have apologised both publicly and privately and taken meaningful action to address all the risks highlighted in this case, which I commend.
Several authorities also breached human rights, following the data breach by failing to provide accurate and timely information to Zack’s mother.
We found good intentions by many, but a lack of meaningful collaboration between agencies meant authorities failed to identify Jones’s earlier misuse of the system – and the existence of many more young people potentially affected by his actions. Reassuringly, these failings appear to have been rectified, with systems and processes significantly overhauled.
The biggest remaining gap is the need to amend the Worker Screening Act 2020 (Vic). Working with Children Check Victoria should be able to act on information that indicates someone poses an unjustifiable risk to the safety of children, regardless of whether criminal charges are brought.
This is imperative: The powers of Victoria’s screening authority are among the most limited in Australia. Reforms to the legislation are needed to bring Victoria in line with other states and territories, and to promote the rights of children and families enshrined in Victoria’s Human Rights Charter.
Some painful lessons have been learnt. For the safety of our children, more needs to be done.
Deborah Glass
Ombudsman
Glossary
Term | Meaning | ||
---|---|---|---|
360 Degree Search | Search function in CRISSP used to find clients from a user’s | ||
360 Degree View | Page in CRISSP displaying a client’s case history, information and case | ||
Apprehended Violence | Order made by a New South Wales court for the protection of | ||
Centrelink Confirmation | Information system used by organisations to con rm a person’s | ||
Charter of Rights Act | Charter of Human Rights and Responsibilities Act 2006 (Vic) – | ||
Child Protection | Victorian Child Protection Service – business unit of the Department | ||
Common Client Layer | Function in CRISSP accessed via 360 Degree Search – displays limited information about clients currently receiving services from | ||
Concern Australia | Victorian not-for-pro t community service organisation providing | ||
CRIS | Client Relationship Information System – information system | ||
CRISSP | Client Relationship Information System for Service Providers – | ||
Department | Department of Health and Human Services – former Victorian | ||
Finding Solutions | Victorian Government-funded program supporting young people to | ||
Frontyard | Melbourne City Mission service based in the CBD providing assistance | ||
Inside Out | Victorian Government-funded program providing accommodation | ||
Melbourne City Mission | Not-for-pro t organisation and registered charity providing | ||
Privacy and Data | Privacy and Data Protection Act 2014 (Vic) – legislation providing for | ||
Reconnect | Australia-wide program supporting children and young people at risk | ||
Reportable Conduct | Scheme established by the Child Wellbeing and Safety Act 2005 (Vic) | ||
Sexual Exploitation | Register of children and young people deemed at risk of sexual | ||
Victorian Information | Person appointed under the Freedom of Information Act 1982 (Vic) | ||
Worker Screening Act | Worker Screening Act 2020 (Vic) – Victorian legislation establishing | ||
Working with Children | Screening scheme intended to assist in protecting children and young | ||
WWCC Victoria | Business unit of the Department of Justice and Community Safety | ||
Youth Justice | Business unit of the Department of Justice and Community Safety |
Timeline of key events
Time period | Key event |
---|---|
19 Jul 2016 - 13 Sep 2017 | Alexander Jones accesses 64 CRISSP client files – many without authorisation |
14 Sep 2017 - 18 OCT 2018 | Alexander Jones conducts 186 CRISSP searches and accesses about 25 client files without authorisation |
2008 - 2009 | Alexander Jones is identified as a ‘person of interest’ for alleged sexual offences in NSW but is not charged |
Jan 2016 | Alexander Jones begins volunteering at Concern Australia |
18 Apr 2016 | Alexander Jones begins working at Melbourne City Mission & is granted a Working with Children clearance |
19 Jul 2016 | Alexander Jones is assigned to the Finding Solutions program and given CRISSP access |
4 Jul 2017 | Alexander Jones is transferred to Melbourne City Mission’s Frontyard service; his CRISSPaccess is not revoked due to an oversight |
13 Sep 2017 | Alexander Jones resigns from Melbourne City Mission |
Nov 2017 | Child Protection investigates Alexander Jones’s contact with a former Melbourne City Mission client |
1 Feb 2018 | Victoria Police arrests but does not charge Alexander Jones for alleged possession of child exploitation material |
Apr - Sep 2018 | Child Protection investigates two further reports about Alexander Jones’s contact with young people |
5 May 2018 | Alexander Jones meets Zack at Flinders Street Station; shortly afterwards, he attempts to access Zack’s information in CRISSP |
27 May 2018 | Alexander Jones sexually assaults Zack |
18 Oct 2018 | The Department of Health and Human Services is notified of Alexander Jones’s unauthorised access to CRISSP; it subsequently deactivates his account & commences investigation |
22 Oct 2018 | Working with Children Check Victoria is first notified of concerns about Alexander Jones’s contact with young people |
10 Jan 2019 | Child Protection begins notifying individuals affected by the data breach |
5 Feb 2019 | Zack discloses details of the sexual assault to Child Protection; Alexander Jones is subsequently arrested and charged |
3 May 2019 | Alexander Jones’s Working with Children clearance is revoked |
14 May 2019 | Victorian Information Commissioner concludes investigation into the data breach |
29 July 2019 | Ombudsman investigation begins |
Executive summary
Why we investigated (summary)
On 18 April 2021, ABC News published a report about a significant data breach by a former youth worker, Alexander Jones.
The ABC News report revealed Alexander Jones misused credentials provided to him by his former employer, Melbourne City Mission, to access sensitive information about children and young people stored in CRISSP. CRISSP, the Client Relationship Information System for Service Providers, is owned by the former Department of Health and Human Services.
At the time, Alexander Jones was awaiting sentencing for sexually assaulting a child, referred to in media reports by the pseudonym ‘Zack’. The report by ABC News alleged that before and after the sexual assault, Alexander Jones used CRISSP to access private information about Zack.
On 8 June 2021, ABC News published a follow-up report about the data breach by Alexander Jones. This included new allegations that:
- the Department of Health and Human Services misled Victoria’s Information Commissioner about the extent to which it had notified children and other people affected by the data breach by Alexander Jones
- management at Melbourne City Mission had previously been notified of concerns about Alexander Jones indicating he did not ‘fit the profile’ of a credentialed youth worker.
On 9 June 2021, the Ombudsman commenced enquiries into these issues under section 13A of the Ombudsman Act 1973 (Vic). As part of this process, the Ombudsman reviewed relevant records from Victoria Police and the Magistrates’ and County Courts relating to the investigation and prosecution of Alexander Jones.
Through these materials, the Ombudsman learned that the Department of Health and Human Services had received reports raising concerns about Alexander Jones’s contact with children and young people.
Through these materials, the Ombudsman learned that the Department of Health and Human Services had received reports raising concerns about Alexander Jones’s contact with children and young people before October 2018 when the data breach was identified.
The Ombudsman also consulted with the Office of the Victorian Information Commissioner, the Commission for Children and Young People and Zack’s mother. Zack’s mother told the Ombudsman she received conflicting information about Alexander Jones’s level of access to Zack’s private information and supported an investigation into the matter.
I would definitely like to see it investigated properly … I still have no idea what happened … I’m hoping for closure – I know it’s not going to take back what happened.
Zack's mother
On 1 February 2021, the relevant functions of the Department of Health and Human Services were transferred to the newly created Department of Families, Fairness and Housing.
On 29 July 2021, the Ombudsman notified the Secretary to the Department of Families, Fairness and Housing, the Minister for Child Protection and the Chief Executive Officer of Melbourne City Mission of her intention to conduct an ‘own motion’ investigation into the circumstances surrounding the data breach.
Authority to investigate
Section 16A of the Ombudsman Act provides that the Ombudsman may conduct an own motion investigation into any administrative action taken by or in an ‘authority’.
The Department
Prior to 1 February 2021, the former Department of Health and Human Services was responsible for registering and funding community services to support at-risk children, young people and their families. The Department of Health and Human Services also administered the Finding Solutions program and maintained CRISSP which was used by service providers such as Melbourne City Mission.
The Department of Health and Human Services also administered the Victorian Child Protection Service (‘Child Protection’), which is responsible for receiving and investigating reports relating to children and young people who may be at risk of harm or abuse.
The definition of ‘authority’ in the Ombudsman Act includes a department such as the Department of Health and Human Services.
In this report, the term ‘the Department’ is used to refer to both the Department of Health and Human Services and the Department of Families, Fairness and Housing, depending on the relevant period.
Melbourne City Mission
Melbourne City Mission is a not-for-profit organisation and registered charity that has provided community services to vulnerable Victorians for more than 150 years.
Melbourne City Mission receives funding from the Department to deliver several initiatives, including the Finding Solutions program in which Alexander Jones was employed.
The definition of ‘authority’ in the Ombudsman Act includes:
- a registered community service carrying out any duty or function or exercising any power under the Children, Youth and Families Act 2005 (Vic)
- a body performing a public function on behalf of the State of Victoria or another authority.
Melbourne City Mission receives funding from the Department to deliver several initiatives, including the Finding Solutions program in which Alexander Jones was employed.
Under section 22 of the Children, Youth and Families Act, such organisations are expected to:
- receive referrals about vulnerable children and families where there are significant concerns about their wellbeing
- undertake assessments of needs and risks in relation to children and families
- make referrals to other relevant agencies if this is necessary to assist vulnerable children and families
- provide ongoing services to support vulnerable children and young people.
In delivering the Finding Solutions program, Melbourne City Mission performed these public functions.
Terms of Reference
The investigation examined the circumstances surrounding Alexander Jones’s access to Victorian Government information about children and young people. It specifically considered:
- the circumstances in which Alexander Jones was engaged to provide services to children and young people
- the nature and extent of Alexander Jones’s access to confidential information maintained by the Department about children and young people
- how Alexander Jones’s unauthorised access to information was identified and addressed
- whether authorities took appropriate action to identify and support children and young people affected by Alexander Jones’s conduct
- whether authorities acted compatibly with, and gave proper consideration to, human rights identified in the Charter of Rights and Responsibilities Act 2006 (Vic) (‘Charter of Rights Act’).
Procedural fairness and privacy
This report contains adverse comments about the Department and Melbourne City Mission. The report also contains information that could be considered adverse to some individuals. In accordance with section 25A(2) of the Ombudsman Act, the Ombudsman provided these parties a reasonable opportunity to respond to the material in this report. The report fairly sets out each party’s response.
In accordance with section 25A(3) of the Ombudsman Act, any other persons who are or may be identifiable in this report are not the subject of any adverse comment or opinion. They are identified because the Ombudsman is satisfied:
- it is necessary or desirable to do so in the public interest
- identifying those persons will not cause unreasonable damage to their reputation, safety or wellbeing.
Alexander Jones’s response to the investigation is summarised in Appendix 2 of this report.
About this report
This report is divided into two chapters. The first examines the circumstances surrounding the data breach by Alexander Jones. The second discusses Victoria’s Working with Children Check scheme, including proposed amendments to the Worker Screening Act 2020 (Vic).
Alexander Jones’s unauthorised access to CRISSP
Alexander Jones’s recruitment to Melbourne City Mission
AAlexander Jones commenced employment at Melbourne City Mission on 18 April 2016 as a Case Worker assigned to the Western Reconnect program.
Alexander Jones was then appointed to the Finding Solutions program three months later, on 19 July 2016. He was first provided with access to CRISSP in his role as a Case Worker on this program.
He worked as a Case Worker on both programs until his contract expired on 4 July 2017.
Alexander Jones was then briefly employed as an Initial Assessment and Planning Worker at Melbourne City Mission’s Frontyard youth homelessness service on a casual basis until his resignation from the organisation on 13 September 2017.
The essential criteria for Case Workers assigned to Western Reconnect and Finding Solutions are substantially the same. Melbourne City Mission relied on previous background and screening procedures undertaken during Alexander Jones’s recruitment to the Western Reconnect role when it appointed him to the Finding Solutions program.
Selection process
Alexander Jones applied for a fixed- term Case Worker role on the Western Reconnect program on 28 February 2016.
According to the position description, applicants were required to have:
- tertiary qualifications in social work, youth work or family work
- direct experience working with young people and families experiencing conflict and at risk of homelessness
- experience working with school and youth service provider networks.
In his application and resume, Alexander Jones stated that he was self-employed as a ‘Youth and Family Counsellor’ and had previously held several child-related positions within the youth services sector. These included:
- a Community Facilitator role at a national youth advocacy service between March 2007 and February 2011
- a Youth Homelessness Project Manager role at a Queensland youth service between July 2011 and October 2012
- an Intake, Assessment and Referral Worker role at a Victorian homelessness support service between October 2012 and May 2014
- a Community Engagement Consultant role at a registered training organisation between May 2014 and February 2015.
Alexander Jones stated that he held the following tertiary qualifications:
- a Dual Diploma in Community Service Work and Counselling from a Queensland TAFE
- a Certificate III in Disability and Home and Community Care from a Victorian registered training organisation
- a Certificate III in Community Welfare from a New South Wales TAFE.
Melbourne City Mission’s former Team Leader Early Intervention Services – who oversaw the hiring process and later supervised Alexander Jones in the Western Reconnect and Finding Solutions roles – recalled the selection panel’s first impressions of him:
He was nervous, but he was young. And he was very eager. You could tell he was really trying to impress us because he really wanted a job … It was almost like – how can I explain it – I don’t want to say he was begging for the job because that sounds really pathetic, but it was almost like he was saying, you know, ‘Please give me a go’ … And I think, if anything, we felt sorry for him.
Melbourne City Mission’s former Team Leader Early Intervention Services
Records from the selection panel indicate Alexander Jones related his interest in the role to his own personal experiences of the child protection system as a young person. The former Team Leader recalled:
He was in the system himself at some stage. I know he had a troubled upbringing. And I feel like that was what led him to want to go into this field of work, which is very common for a lot of people … I felt like he came out the other side, and he really wanted to help other people and had a sense of empathy.
Former team leader
Despite some misgivings about his performance at interview, records indicate the selection panel considered Alexander Jones generally met or exceeded the requirements for the position.
The former Team Leader recalled Alexander Jones out-performed other candidates and was ultimately recommended for the role:
If someone was better, we would have employed them. Because it's not just about feeling like, ‘Oh, you know, [let’s] give someone a go’. It's about someone who can fulfil the role. We need to make sure someone can do this job … He obviously got the job because he met the criteria.
Former team leader
Background and safety screening
In January 2016, the Minister for Families and Children issued the Child Safe Standards under section 17 of the Child Wellbeing and Safety Act 2005 (Vic). These standards required organisations such as Melbourne City Mission to adopt ‘screening, training and other human resources practices that reduce the risk of child abuse by new and existing personnel’.
Melbourne City Mission recognised this requirement in its Safety of Children and Young Persons Policy, which required that safety screening processes be undertaken for all staff prior to commencement at the organisation.
Melbourne City Mission’s Recruitment Procedure required that Managers and Team Leaders undertaking recruitment activities:
- thoroughly check candidates’ references
- inspect and copy qualifications identified by candidates
- arrange for a criminal history check
- ensure candidates had a current Working with Children clearance.
AlexanderJones supplied Melbourne City Mission with details of two referees in support of his application, identified as his former Team Leader at the Victorian homelessness support service and former Manager at the registered training organisation. These individuals were contacted by the selection panel and purported to confirm details of their past employment relationship with Alexander Jones. Both references were overwhelmingly positive.
Melbourne City Mission required Alexander Jones to undergo a national police history check. This check returned disclosable outcomes relating to minor shoplifting and dishonesty offences committed between 2008 and 2009.
In accordance with its Recruitment Procedure, Melbourne City Mission interviewed Alexander Jones about the disclosable outcomes. According to interview notes, Alexander Jones acknowledged the offences and affirmed he had since improved his circumstances and outlook. This information was assessed by a safety screening panel, which ultimately recommended the application be progressed to an offer of employment.
In accordance with the Working with Children Act 2005 (Vic), Melbourne City Mission required Alexander Jones to produce a current Working with Children Check card. This card was photocopied and placed in Alexander Jones’s personnel file.
Evidence of deception by Alexander Jones
The investigation established the information in Alexander Jones’s resume and cover letter was overwhelmingly false.
Contrary to the documents and representations made during the recruitment process, Alexander Jones had never had any paid child-related employment before he joined Melbourne City Mission.
Alexander Jones also did not hold the tertiary qualifications identified in his resume and accordingly was not qualified to be employed as a Case Worker on the Western Reconnect or Finding Solutions programs.
Previous Employment
The three community service organisations identified in Alexander Jones’s resume each advised the investigation they had no records of employing a person with that name. The Victorian homelessness support service informed the Ombudsman it also had no record of employing the person who purported to provide a reference on behalf of the organisation.
Alexander Jones did not hold a Victorian Working with Children clearance prior to April 2016. Child-safe screening authorities in Queensland and New South Wales advised the Ombudsman they had no records of Alexander Jones holding an equivalent clearance in those jurisdictions.
Records obtained from Westpac indicate Alexander Jones received Commonwealth income support benefits throughout the periods he claimed to have been employed in child-related work.
The registered training organisation confirmed it did employ Alexander Jones as a Community Engagement Consultant on a commission basis between May and December 2014. The role was administrative in nature and did not involve contact with children. This appeared to be Alexander Jones’s only remunerated employment in the five years preceding his application to Melbourne City Mission.
Alexander Jones was engaged as a volunteer with community service organisation Concern Australia between January 2016 and February 2018. However, he did not provide services to children in this role until after his recruitment to Melbourne City Mission.
Qualifications
The education providers identified in Alexander Jones’s resume each advised they had no record of awarding a tertiary qualification to Alexander Jones. The Queensland TAFE informed the Ombudsman it did not offer a Dual Diploma in Community Services and Counselling.
Evidence indicates staff at Melbourne City Mission did not take a copy of Alexander Jones’s purported qualifications during the background screening process. While a ‘New Employee Induction Checklist’ completed by Alexander Jones’s Team Leader claimed these documents were sent to the People and Culture team, copies were not located in Alexander Jones’s personnel file.
During interview with the investigation, the former Team Leader said they believed they would have taken copies of Alexander Jones’s qualifications but could not specifically remember doing so.
Melbourne City Mission’s omission to confirm details of Alexander Jones’s purported tertiary qualifications appeared contrary to its Service Agreement with the State of Victoria. Under the Department’s Safety Screening for Funded Organisations Policy, Melbourne City Mission should have taken certified copies of Alexander Jones’s tertiary qualifications before it assigned him to the Finding Solutions program.
Prior child protection concerns
Alexander Jones was the subject of serious interstate child protection concerns at the time he joined Melbourne City Mission.
NSW Police Force records indicate that between 2008 and 2009, Alexander Jones was investigated as a ‘person of interest’ in relation to several alleged offences. Most significantly, these included:
- an allegation he sexually exploited a child
- an alleged rape
- an allegation he posed as a young person to access supported youth accommodation.
While Alexander Jones was arrested and interviewed on one occasion, he was not charged with any offences relating to the above allegations.
The investigation also identified evidence that Alexander Jones was:
- flagged by New South Wales child protection authorities in 2009 as a person suspected of sexually abusing a child
- subject to multiple Apprehended Violence Orders in New South Wales, including an order restricting his interactions with a young person deemed at risk of sexual exploitation.
National police certificates available to organisations such as Melbourne City Mission identify ‘disclosable court outcomes’ and generally do not include information concerning uncharged allegations and Intervention Orders (including Apprehended Violence Orders). As Alexander Jones was not charged by police in relation to any of the above allegations, this information was not disclosed in the national police certificate obtained by Melbourne City Mission.
There is no evidence that Alexander Jones volunteered information about the allegations during the recruitment process or while employed at Melbourne City Mission.
Information about the above allegations was also not available to Working with Children Check Victoria when it granted Alexander Jones a Working with Children clearance. This is discussed further in the next chapter.
In response to a draft version of this report, Alexander Jones denied being investigated for alleged sexual offences in New South Wales. He said he was not interviewed in relation to these allegations and was never served with an Apprehended Violence Order in the jurisdiction.
Alexander Jones’s role on Finding Solutions
As a Case Worker assigned to the Finding Solutions program, Alexander Jones was responsible for providing support and advocacy to vulnerable young people and their families referred to Melbourne City Mission by organisations such as Child Protection.
According to the position description, Case Workers assigned to Finding Solutions were expected to:
- maintain a caseload of 10 clients
- participate in a duty system receiving referrals from Child Protection and other services
- deliver a ‘short term holistic response’ to young people and their parents to address relationship conflicts and underlying issues
- provide outreach to young people and their families at home and in other familiar settings.
While funding and referral pathways differed between programs, Alexander Jones held substantially similar responsibilities in his role on the Western Reconnect program.
According to Melbourne City Mission’s General Manager Homelessness and Family Services, support provided by Case Workers under both programs involved regular, unaccompanied off-site client outreach.
Records supplied by Melbourne City Mission and the Department indicate that while employed on the Finding Solutions program, Alexander Jones also:
- scheduled and attended case planning meetings with carers, the Department and other community service organisations
- delivered ‘motivational interviewing’ training to co-workers
- purported to conduct ‘intensive psychosocial assessments’ and deliver safe sex education to clients.
Conduct and performance
The investigation did not identify evidence of any complaints made to Melbourne City Mission about Alexander Jones’s contact with children and young people either during or following his time at Melbourne City Mission.
Yet evidence indicates co-workers and management recognised problems with his presentation and behaviour throughout his employment on the Finding Solutions program.
These concerns were mostly managed in accordance with standard disciplinary processes. However, they were not recognised by managers as ‘red flags’ pointing to Alexander Jones’s lack of qualifications or general unsuitability to work with vulnerable young people.
Presentation and behaviour concerns
Managers and co-workers at Melbourne City Mission identified several concerns about Alexander Jones, including:
- an ongoing failure to maintain basic standards of personal hygiene
- unprofessional standards of dress
- incidents of inappropriate remarks, aggression and conflict with co-workers.
Two former co-workers interviewed by the investigation said they generally felt uncomfortable working in the vicinity of Alexander Jones. One witness said there was immediately ‘something not quite right’ about him:
[I said to the Team Leader], ‘This isn’t quite right, this isn’t the standard that you would expect from an experienced worker.’ … [They said], ‘Well, this is the [employment] experience that he’s got.’ And that was it, basically, that [they] would deal with [the concerns] by [their] way of managing it, and then carrying on with the job. So it wasn’t really addressed as far as saying, ‘I will investigate these concerns’: like why he’s not showering or why he’s dressed inappropriately for work; why he’s saying inappropriate things.
Alexander Jones co-worker
One former co-worker told investigators the Team Leader seemed ‘obsessed with … fixing’ Alexander Jones and that management treated the latter ‘like a client’ rather than a credentialed case worker. In response to a draft version of this report, the former Team Leader strongly disagreed with both observations.
During interview with the investigation, the former Team Leader acknowledged there were issues with Alexander Jones’s presentation and interactions with some co-workers. They gave evidence that they had attempted to address these problems through verbal directions and informal mediation and ultimately escalated some concerns to People and Culture.
The former Team Leader said there was ‘a lot of game playing’ in the Braybrook office at the time, and that some co-workers who were initially hostile to Alexander Jones eventually came to enjoy his company:
If you change your perception, the whole situation can change. … I remember when we gave Alex a farewell … His whole team was there, and they all sang and sort of wished him well … I remember thinking by that point everyone was on the same page and everyone was good with each other.
Alexander Jones co-worker
In response to a draft version of this report, the former Team Leader observed that not all co-workers were initially hostile to Alexander Jones. They said the issues with his presentation were limited to isolated periods and were addressed at the time.
The former Team Leader noted privacy considerations limited the information they could share with staff who raised concerns about Alexander Jones. They accepted there may have been incidents where Alexander Jones displayed aggressive behaviour towards co-workers but said this was not reported to them at the time.
Formal complaints pathway
Melbourne City Mission’s Staff Grievance Resolution Procedure provided a mechanism for staff to formally report and escalate grievances about co-workers to their line manager, Director and ultimately the Chief Executive Officer.
During interview with the investigation, the former Team Leader acknowledged concerns from co-workers about Alexander Jones were not treated as formal complaints under this procedure.
Yet the investigation received evidence that staff were not given clear information about how to formally escalate concerns about Alexander Jones’s presentation and behaviour.
One former co-worker gave evidence that information about making a complaint was not offered to them. The other former co-worker said they believed they had actually made a formal complaint about a particular incident. Yet the investigation could not identify evidence the matter was reported to Melbourne City Mission’s People and Culture team.
‘We thought we were complaining about him.’
Alexander Jones co-worker
Performance management
Alexander Jones’s former Team Leader gave evidence they had no ‘major’ concerns about his performance on the Finding Solutions program:
"He said all the right things, you know? And it’s almost like now, on reflection I’m thinking, did he know what the right things were to say? … I feel like he played us all … He was very smart in his role … always kind and appreciative … He had the gift of the gab. He knew how to say things so that he seemed caring and empathetic."
‘He said all the right things… I feel like he played us all.’
Former team leader
One former co-worker interviewed by the investigation similarly observed:
"He knew everything about the [Children, Youth and Families] Act, the law around Child Protection. I thought he was very smart … Did he say he worked for Child Protection? I can’t remember. He knew everything about Child Protection here and in New South Wales and Queensland… He knew a lot of stuff."
The former Team Leader said they couldn’t recall receiving any specific complaints about Alexander Jones’s performance, although opportunities for others to witness his work would have been limited. The former Team Leader noted Alexander Jones was initially accompanied by a more experienced co-worker during home visits who did not identify any concerns. However, the Team Leader acknowledged the role subsequently involved ‘predominantly … solo outreach’:
"[After the initial induction period] no one [else] would’ve seen his work. Solo outreach work is really difficult. Once you’ve been doing it for a while, you trust that they know what they’re doing and that they’re acting professionally."
The former Team Leader nevertheless identified issues with Alexander Jones’s written output and capacity to meet deadlines. They said efforts to address the performance issues were complicated by the need to make reasonable adjustments for his reported learning disability.
‘There’s a fine line about being fair to people … I certainly would not let it go on for that long (again).'
Former team leader
Alexander Jones was ultimately made subject to an ‘Employee Performance Improvement Plan’ on 31 October 2016. Among other things, this document instructed him to think before speaking to others, clean and trim his fingernails, wear age-appropriate clothing and ensure his shoelaces were tied ‘to avoid a tripping hazard’.
During interview with the investigation, the former Team Leader accepted these instructions should not have been necessary for somebody with Alexander Jones’s claimed credentials and employment experience. They acknowledged that the underlying behaviours should have been investigated:
"I think it [the Performance Improvement Plan] came down to me being open to the possibility that he was going through a very rough time and trying not to be judgmental … In hindsight of course it would’ve been a much more appropriate approach to look at it from a different angle. I guess my downfall is that I’m trying to be fair to everybody and not think the worst, but yeah, unfortunately that was probably not the right thing in this situation."
The former Team Leader observed that managing Alexander Jones proved ‘a bit exhausting in the end’ and they would not have re-employed him after his contract expired in July 2017. They told investigators they would take a different approach to the situation today:
"I wouldn't say he was the best Case Worker. I would say he was exhausting. I would say he was a lot of work … There's a fine line about being fair to people. At the end of the day, I learnt a lot from the experience of employing Alex. I wouldn't do that again. I certainly would not let it go on for that long. And, yeah, I guess I've changed as a person. This is where we change as people based on our experiences."
Attempted resignation
The investigation received evidence that Alexander Jones attempted to resign from his position on the Western Reconnect program on 11 July 2016. In his letter of resignation, Alexander Jones stated it had ‘become clear’ during probation that he was ‘ill-suited’ for the role.
Yet one week later, on 18 July 2016, the former Team Leader completed an end of probation assessment recommending Alexander Jones’s appointment be confirmed. In this assessment, the former Team Leader indicated Alexander Jones was ‘meeting expectations’ in relation to all criteria, including ‘professionalism’ and ‘teamwork’. Alexander Jones was assigned to the Finding Solutions program the following day.
During interview with the investigation, the former Team Leader said they couldn’t recall Alexander Jones’s attempt to resign in July 2016 and acknowledged the end of probation assessment seemed ‘odd’ in light of the contents of his resignation letter. The former Team Leader observed it was possible they encouraged Alexander Jones to withdraw his resignation:
"We would have had [a] conversation. ‘Remember at your interview, “Give me a go”? Well if you leave now, what is that going to mean for you?’ Because I guess my role has two parts. My role has a duty of care for our clients, absolutely – we have to make sure we appoint the most appropriate skilled people in the role – and the other part is also about staff wellbeing."
The former Team Leader nevertheless emphasised they would not have endorsed Alexander Jones’s progression from probation if they had significant concerns about his performance or conduct.
Evidence of further deception
The investigation identified evidence of further dishonesty by Alexander Jones during his employment on the Finding Solutions program.
Some of this evidence was apparently not recognised by management at Melbourne City Mission, even when highlighted by co- workers.
Further misrepresentation of qualifications
At interview, one former co-worker gave evidence that Alexander Jones sometimes claimed to hold a Social Work qualification:
"I said to, to him, ‘Where did you study?’ He [identified a university in Queensland]… He was really young … and he had all this experience, had done a four-year degree in Queensland and it just didn’t add up. It made no sense … I even said to [the Team Leader], ‘How do you know that he has a degree?’ And [they] said, ‘HR does checks.’"
The investigation received evidence that Alexander Jones made similar claims to other parties. Yet records from the Queensland university indicate he was not awarded a degree by the institution.
The former Team Leader told investigators they couldn’t recall anyone approaching them with doubts about Alexander Jones’s credentials. They acknowledged his Performance Improvement Plan included a reference to attending university and that this claim appeared inconsistent with the qualifications identified in his resume.
The Team Leader gave evidence that they didn’t recognise the discrepancy at the time and did not necessarily accept it was evidence of deception:
"I don’t have a photographic memory … If he passed the recruitment round then I [would] sort of file that away. I wouldn’t have remembered whether he went to university or not … It could have been one of those situations where he’s talking about ‘uni’ but actually talking about TAFE. He wouldn’t be the first person that’s done that."
Misrepresentations to external parties
Email records reviewed by the investigation indicate Alexander Jones used his Melbourne City Mission credentials to apply for child-related work at other organisations while employed on the Finding Solutions program.
In some applications, he claimed to hold a Bachelor of Community and Health Services from a Queensland university and a Diploma of Counselling from the Chisholm Institute of TAFE. Records obtained from both institutions indicate these claims were false.
The investigation identified evidence that in email correspondence with external parties, Alexander Jones sometimes also:
- embellished his official title and qualifications
- falsely suggested he was employed by the Department.
Alexander Jones did not include these claims in internal correspondence with co-workers, and there is no evidence they were reported to or identified by Melbourne City Mission during his time at the organisation.
Client Record Keeping Incident
The investigation received evidence of an incident where, following a routine enquiry from the Department, the former Team Leader identified that Alexander Jones had possibly provided services to a client without creating a case file or corresponding records.
During interview with the investigation, the former Team Leader recalled contacting Alexander Jones after his transfer to Frontyard to query the issue:
"I couldn’t find anything anywhere. It was a bit of mystery and he didn’t answer my questions, so I don’t know what happened in the end … I would have had another conversation with [the Department] about it because I wouldn’t have just ignored it. I remember, but I just do not for the life of me know how it was resolved."
The former Team Leader accepted that providing services to a client without creating corresponding records ‘absolutely’ raised client safety issues. They said they couldn’t recall creating an incident report but believed one would have been made to the Department as the referring body.
However, the investigation was unable to identify evidence of an incident report being submitted to the Department. Melbourne City Mission also advised the Ombudsman it had no record of an internal incident report relating to the issue.
One former co-worker gave evidence that supervision and record keeping practices at the Braybrook office were updated following the incident. This witness recalled the matter was primarily treated as a record keeping failure, rather than an indication Alexander Jones had possibly concealed contact with a client.
The client in question was later interviewed by Child Protection following the CRISSP data breach. Child Protection did not identify any concerns about Alexander Jones’s interactions with them, but noted they appeared connected to another young person known to associate with Alexander Jones.
Failure to deactivate CRISSP access
Alexander Jones’s contract as a Case Worker expired on 4 July 2017. The following day, he was transferred to a new role at Melbourne City Mission’s Frontyard service. Staff assigned to the Frontyard service are not required or authorised to use CRISSP.
At the time, the Department’s CRISSP Privacy Policy required Melbourne City Mission to review access to CRISSP when a staff member changed roles or left the organisation.
According to established practice, Team Leaders and other supervisors were expected to reallocate a departing worker’s clients, deactivate the worker’s CRISSP account and then submit a corresponding ‘Remove User Access’ form to the Department.
Alexander Jones’s access to CRISSP should have been revoked at the time of his transfer.
Records supplied by the Department indicate his CRISSP account was not deactivated at this time and remained active until October 2018, when the data breach was identified.
The evidence indicates staff at Melbourne City Mission did not submit a Remove User Access form to the Department confirming deactivation of his CRISSP account.
According to a privacy review commissioned by Melbourne City Mission following the data breach, these steps were neglected due to the change in supervisors associated with Alexander Jones’s transfer to Frontyard.
During interview with the investigation, the former Team Leader acknowledged it was possible they overlooked the need to deactivate Alexander Jones’s CRISSP access at the time he left the Finding Solutions program.
Frontyard role and resignation
Alexander Jones commenced as a casual Initial Assessment and Planning Worker at Melbourne City Mission’s Frontyard service on 5 July 2017.
According to Melbourne City Mission’s General Manager Homelessness and Family Services, Alexander Jones’s responsibilities in this role involved meeting new clients and undertaking initial assessments to connect them with appropriate services.
Unlike his prior roles on Western Reconnect and Finding Solutions, Alexander Jones’s position at Frontyard did not involve offsite client outreach and all interactions with clients were subject to direct supervision.
On 13 September 2017, Alexander Jones resigned from his Frontyard position without providing notice, citing health reasons.
Immediately prior to this, Melbourne City Mission notified him that it was preparing to investigate an allegation that he had discussed his past intravenous drug use with a client. The internal investigation did not proceed due to Alexander Jones’s resignation and further enquiries into his background were not made at the time.
The investigation did not identify evidence of any other complaints or concerns relating to Alexander Jones’s conduct at Frontyard.
Subsequent child protection concerns
Alexander Jones was the subject of several child protection notifications between November 2017 and September 2018, shortly before the data breach was detected.
The first of these was received by the Department in November 2017, in the months following his departure from Melbourne City Mission.
The investigation did not identify evidence of any child protection reports made about Alexander Jones during his time at Melbourne City Mission or concerning his activities during this period.
First child protection notification
In late November 2017, the Department was notified of concerns that Alexander Jones was maintaining personal contact with a former Melbourne City Mission client. The Department was told he was allegedly visiting the family, had purchased gifts for the young person and was taking them for drives.
Child Protection interviewed the young person and their carer about the allegation in December 2017 but did not receive information allowing it to intervene. The investigation was nevertheless kept open.
Child Protection and Victoria Police re-interviewed the young person and their carer after Alexander Jones was
stood down from his volunteer position at Concern Australia (discussed below) and following identification of the data breach and his related offending. These interviews did not identify evidence of sexual abuse.
Melbourne City Mission was not notified of the Child Protection investigation at the time. Nor was Concern Australia, where Alexander Jones was still volunteering. In response to a draft version of this report, the Department said there was not enough evidence of sexual exploitation to justify notifying these bodies.
Reportable conduct investigation
On 1 February 2018, Victoria Police arrested Alexander Jones after child exploitation material was found on his laptop. Alexander Jones had previously reported the laptop as stolen from a Concern Australia property where he was volunteering as a Lead Tenant.
Victoria Police notified Child Protection of the arrest, and Child Protection in turn notified Concern Australia.
Concern Australia immediately suspended Alexander Jones and directed him to vacate the organisation’s property. Concern Australia also reported the allegation to the Commission for Children and Young People in accordance with Victoria’s Reportable Conduct Scheme.
Child Protection and Concern Australia worked collaboratively to investigate and respond to the reportable conduct allegation. This included joint interviews with Alexander Jones’s former clients at
Concern Australia and other young people he appeared to be associating with. These interviews did not identify any additional child protection concerns.
Alexander Jones was himself interviewed by Victoria Police but denied accessing the child exploitation material. Victoria Police were ultimately unable to establish who was in possession of the laptop when the material was downloaded, and Alexander Jones was not charged in relation to the matter.
Owing to substantially the same considerations, Concern Australia subsequently closed its reportable conduct investigation as ‘unsubstantiated’. Concern Australia nevertheless terminated Alexander Jones’s volunteer position at the organisation.
During this period, the Department notified Melbourne City Mission that Alexander Jones was the subject of a Victoria Police sexual exploitation and child abuse investigation. Melbourne City Mission was not provided with details of the alleged offending.
Further child protection concerns
Throughout 2018, the Department continued to receive Child Protection reports about Alexander Jones’s interactions with young people.
These included:
- a report in April 2018 alleging that he was associating with and purchasing gifts for two young people
- a report in September 2018 alleging that he was arrested for dishonesty offences following a motor vehicle collision involving other young people.
Child Protection investigated these allegations and interviewed the young people involved. Although Child Protection did not receive information allowing it to intervene, Alexander Jones was added
to the Department’s Sexual Exploitation Register as a ‘person of interest’. Child Protection also directed him to cease contact with two young people deemed at risk of exploitation.
In response to a draft version of this report, Alexander Jones denied engaging in inappropriate contact with children.
Detection of Centrelink eBusiness account
In July 2018, a manager at Melbourne City Mission’s Frontyard service identified that a Centrelink eBusiness account assigned to Alexander Jones was still active and had not been deprovisioned when he left the organisation.
Melbourne City Mission promptly deactivated Alexander Jones’s Centrelink eBusiness account when the mistake was identified, but did not investigate whether he still had access to other client information systems.
When interviewed, Melbourne City Mission’s General Manager Homelessness and Family Services acknowledged this was a missed opportunity to identify Alexander Jones’s unauthorised access to CRISSP.
Service providers such as Melbourne City Mission do not have direct access to Centrelink eBusiness user access logs. On 31 October 2018, after the CRISSP data breach was identified, Melbourne City Mission wrote to the Australian Government Department of Social Services to request records of Alexander Jones’s user activity. Melbourne City Mission did not receive a response and subsequently reported the incident to the Office of the Australian Information Commissioner, which said it would make further enquiries.
According to Melbourne City Mission’s General Manager Homelessness and Family Services, the organisation is still unsure whether Alexander Jones accessed Centrelink Confirmation e-Services following his departure from Frontyard.
Alexander Jones’s unauthorised access to CRISSP
Alexander Jones continued to use the CRISSP information system following his departure from Melbourne City Mission until his access to the system was identified by the Department and Melbourne City Mission in October 2018.
CRISSP
CRISSP is an electronic client information system owned by the Department and made available to organisations funded to provide child, youth and disability services, such as Melbourne City Mission.
CRISSP can be used to record detailed case notes, as well as information about a client’s issues, activities (such as types of support or referrals provided), accommodation and allocated funds.
Under the Finding Solutions Program Guidelines, service providers delivering the Finding Solutions program are required
to use CRISSP to report their work with clients. Case Workers assigned to Finding Solutions are instructed to make case notes of all client interactions in this system.
Registered users can access CRISSP through a work or private device. CRISSP users do not have to be connected to an organisation’s network to log in.
CRISSP integrates with the Client Relationship Information System (‘CRIS’), which is the system used by Child Protection and Youth Justice workers. This integration allows service providers to refer clients between organisations and share some information.
Case Workers assigned to Finding Solutions at Melbourne City Mission are not provided access to CRIS.
360 Degree Search and 360 Degree View
CRISSP includes a search function known as ‘360 Degree Search’. Users can search for clients by entering specific criteria such as a person’s first or last name, date of birth or address.
Depending on the circumstances, 360 Degree Search may display clients assigned to:
- the user’s organisation
- other organisations funded by the Department, via the ‘Common Client Layer’.
Users can view the ‘360 Degree View’ page to access more information about active clients assigned to their organisation. This allows the user to see the client’s case history, information and case notes.
The 360 Degree View page only displays cases assigned to the user’s organisation. For example, when accessing a client’s 360 Degree View page, a Finding Solutions Case Worker at Melbourne City Mission:
- can view a list of the client’s Finding Solutions cases allocated to Melbourne City Mission
- can access, create and delete case notes and other records within these cases
- cannot see cases or associated records created by other service providers.
The 360 Degree Search function is shown in Figure 3. Figure 4 shows an example of the search returns page. In the example, the search has returned two matching clients from the user’s organisation and 142 matching clients from the Common Client Layer. Figure 5 shows an example of a client’s 360 Degree View page.
Common client layer
CRISSP and CRIS interface through the Common Client Layer. The Common Client Layer is intended to improve coordination between service providers and the Department by helping workers identify clients receiving services from multiple organisations.
Search returns from the Common Client Layer initially display only basic details such as the person’s name, date of birth, contact number and address. This is referred to as ‘pre-match’ information and is intended to help the user identify if their client has an existing entry in CRISSP.
CRISSP then allows the user to ‘match’ an entry from the Common Client Layer to indicate they are providing services to the relevant client. Matching a client creates a client record assigned tothe user’s organisation and displays additional information. This includes other organisations (including Child Protection) that are currently working with the client, as well as details of the client’s lead worker.
Search returns from the Common Client Layer do not include a link to the client’s 360 Degree View page, meaning users cannot access that client’s case history or case notes.
According to the Department’s CRISSP Privacy Guidelines, the ‘fundamental rule’ governing access to information in the Common Client Layer is that a user must be about to enter a new client in CRISSP. One witness interviewed by the investigation described the process of accessing the Common Client Layer in the following terms:
"If [my organisation] had a referral for a young person, say their name was John Smith, and I went to add them to
CRISSP, I would type ‘John Smith’ … [If] he had worked with another program funded in the same way his name would come up and it would have his name, his date of birth and possibly an address.
You could [answer], ‘Is this the same person?’ and click ‘Yes’, so all of John Smith’s information was together. But you couldn’t see the case notes."
While Child Protection clients may appear in search returns from the Common Client Layer, CRISSP does not allow a user to view Child Protection case records.
Detection of the CRISSP data breach
Alexander Jones’s unauthorised access to CRISSP was first detected on 18 October 2018 by an employee of the Youth Justice division of the former Department of Justice and Regulation.
This followed a routine consultation between the Youth Justice worker and a Child Protection practitioner, in which the former was notified that Child Protection was investigating a report about Alexander Jones’s interactions with a shared client.
At the time, the Youth Justice worker recalled that a CRISSP user account belonging to a person named Alexander Jones had created an ‘information sharing link’ between the client’s Melbourne City Mission entry in CRISSP and their Youth Justice entry in CRIS.
The Youth Justice worker immediately notified Child Protection of the information sharing link created by Alexander Jones and contacted the Department’s Service Implementation and Support team to request an audit of his CRISSP account and user activity.
This audit determined the account was:
- linked to Alexander Jones’s former role at Melbourne City Mission
- currently active
- last used on 6 October 2018.
Subsequent checks by the Department confirmed Alexander Jones was no longer employed by a funded service provider and had no allocated clients in CRISSP.
Further audits of CRISSP identified that the user account allocated to Alexander Jones had been used following his departure from Melbourne City Mission to:
- conduct 186 searches using the 360 Degree Search function
- access case information relating to about 25 Melbourne City Mission clients.1
The Department deactivated Alexander Jones’s CRISSP user account on 29 October 2018. The Department subsequently contacted Melbourne City Mission to inform it of the incident.
During this period, and in the weeks that followed, the Department also notified the following bodies of the data breach:
- Victoria Police
- the Office of the Victorian Information Commissioner
- the Commission for Children and Young People.
Detection by Melbourne City Mission
On about 25 October 2018, by apparent coincidence, an employee of Melbourne City Mission separately queried the inclusion of Alexander Jones’s name in a list of the organisation’s Finding Solutions team members in CRISSP.
According to Melbourne City Mission’s General Manager Homelessness and Family Services, staff promptly deactivated Alexander Jones’s CRISSP user account at the local level and were preparing a formal notification when the organisation was itself contacted by the Department on 31 October 2018.
Melbourne City Mission subsequently reviewed all user access to CRISSP within the organisation. Melbourne City Mission also voluntarily reported the data breach to the Commission for Children and Young People under the Reportable Conduct Scheme.
In response to a draft version of this report, the Commission for Children and Young People said the data breach was not subsequently investigated under the Reportable Conduct Scheme because accessing CRISSP without authorisation was not a ‘reportable allegation’ under the Child Wellbeing and Safety Act.
Internal investigation of the data breach
In early November 2018, the Department formed a privacy incident working group to investigate and respond to the data breach by Alexander Jones. This body comprised senior staff, Child Protection practitioners and other relevant officers from across the Department’s regional divisions.
The working group liaised closely with Victoria Police and met weekly until March 2019. According to records supplied to the investigation, the Department’s early response to the data breach was guided by four key priorities:
- protection of children, including through containment of the incident
- assisting the police investigation into Alexander Jones’s activities
- identifying any systemic issues and security flaws
- managing the Department’s relationship with Melbourne City Mission and other service providers.
Among other things, during this period, the Department:
- audited the IP addresses used by Alexander Jones to access CRISSP
- obtained a list of Alexander Jones’s clients from his Western Reconnect and Frontyard roles
- investigated Alexander Jones’s access to other client information systems
- looked into Alexander Jones’s past child-related employment
- liaised with interstate authorities to obtain child protection and police intelligence relating to Alexander Jones
- assisted Victoria Police to identify any child protection clients in Alexander Jones’s phone records
- contacted Working with Children Check Victoria to request suspension of Alexander Jones’s Working with Children clearance.
The Department also commenced a Child Protection investigation into Alexander Jones’s possible contact with children and young people affected by the data breach, the details and progress of which were reported back to the internal working group.
Although the Department liaised with Melbourne City Mission to ensure relevant information was supplied to the internal investigation and Victoria Police, Melbourne City Mission was not
invited to meaningfully participate in the Department’s response to the data breach.
During this period, the Department also declined requests from Melbourne City Mission to clarify which of the
organisation’s clients had been affected by the incident.
During interview with the investigation, Melbourne City Mission’s General Manager Homelessness and Family Services commented on the level of coordination between the two bodies:
"I don’t feel like it was a coordinated approach. [The Department] didn’t bring us along for that piece of work to ensure we were all on the same page at each and every step. We were well and truly a long arm’s length away from what was going on and were only asked for little bits and pieces of information with no context."
[Melbourne City Mission was] well and truly a long arm’s length away from what was going on
General Manager Homelessness and Family Services
In response to a draft version of this report, the Department said its ability to involve Melbourne City Mission in the response
to the data breach was limited due to the Victoria Police investigation and the fact that some affected parties were not Melbourne City Mission clients.
Notifications to affected parties
At the request of Victoria Police, the Department refrained from notifying or interviewing individuals whose details were accessed by Alexander Jones while police investigated the incident.
While Victoria Police investigated, Child Protection reviewed its records relating to the affected children and young people and, in consultation with the privacy incident working group, developed a list of individuals to be interviewed.
With the consent of Victoria Police, Child Protection practitioners began notifying and interviewing affected young people and their carers on 10 January 2019. Most planned interviews were completed by 30 March 2019.
The Department’s Practice Leader Sexual Exploitation told investigators the interview process had two primary objectives:
"It was about informing the families of the privacy breach, letting them know that this had occurred, and then trying to ascertain whether or not the parents had any sort of understanding of this guy [Alexander Jones]; in terms of [whether he was] in their world or in their child’s world, and to see if potentially the contact had been inappropriate, or was ongoing."
Those interviewed were provided general information about the data breach and were encouraged to contact a senior Child Protection practitioner to obtain further information and support. Carers were also provided with a factsheet and letter containing details about how to make a complaint to the Office of the Victorian Information Commissioner.
In total, Child Protection notified and interviewed about 33 affected children and young people or their carers during this period. Practitioners also interviewed a further six individuals who were not affected by the data breach but were reported to have been in contact with Alexander Jones.
196. Through these interviews Child Protection identified several young people who had previously associated with Alexander Jones. However, with the exception of Zack’s disclosure (discussed in the next section of this report), the interviews did not identify actionable evidence of sexual exploitation.
Subsequent notifications
Records supplied by the Department indicate eleven affected parties were not approached by Child Protection or notified of the data breach until several years later, in mid-2021.
These comprised:
- eight individuals who were over the age of 17 years when their details were accessed
- one young person who was mistakenly excluded because Child Protection believed them to be over 17
- two individuals who lacked CRIS or CRISSP files at the time of the data breach, but whose names were searched by Alexander Jones. 2
These affected parties were not selected for interview because, owing to their age or other factors, they were not considered to be at risk of sexual exploitation by Alexander Jones and therefore did not fall within Child Protection’s protective remit.
Records supplied by the Department indicate it began interviewing and notifying the remaining affected parties in April 2021, following media reports about the data breach.
Over the following months, the Department managed to notify nine of these individuals. Despite robust efforts, the Department was ultimately unable to locate two affected parties, both of whom were adults at the time Alexander Jones attempted to access their information.
Reports to the Information Commissioner
The Department formally notified the Office of the Victorian Information Commissioner of the data breach on 7 January 2019. In its notification, the Department stated that Child Protection would interview ‘impacted young people and their carers’, without providing further detail.
The Information Commissioner subsequently commenced an investigation into the data breach on 25 February
2019. About one year later, on 11 February 2020, a representative of the Information Commissioner wrote to the Department to confirm whether it had successfully notified all affected parties. In response, the Department accurately reported that some individuals had been excluded due to child protection considerations. The Department stated it would ‘now work with [Melbourne City Mission] to notify those clients.’
In fact, the Department did not attempt to notify the remaining affected parties until April 2021, following the first ABC News report about the data breach.
Records reviewed by the investigation do not suggest the Department intentionally misled the Information Commissioner. Instead, the failure to make the remaining notifications appeared be the result of poor internal coordination.
Further unauthorised access identified by the investigation
The Department’s response to the data breach focused on Alexander Jones’s unauthorised access to CRISSP following his departure from Melbourne City Mission.
However, audit logs reviewed by the investigation indicate Alexander Jones likely began misusing CRISSP significantly earlier, and within weeks of being provided access to the system.
These records show he used CRISSP to access Melbourne City Mission client files relating to about 64 individuals during his time at the organisation, including after his transfer to Frontyard.
Yet records supplied by Melbourne City Mission indicate he was allocated a total of just 13 clients in his role on the Finding Solutions program.
In accordance with section 26FB(1) of the Ombudsman Act, the Deputy Ombudsman wrote to the Secretary to the Department on 12 October 2021 to disclose evidence of Alexander Jones’s possible earlier misuse of CRISSP.
Following consultation with the Department and a review of its records, Melbourne City Mission subsequently confirmed some files viewed by Alexander Jones during his employment were likely accessed without authorisation.
The Department subsequently decided to notify a further 27 people whose files were accessed by Alexander Jones during his employment. On 6 May 2022, it wrote to the Office of the Victorian Information Commissioner to confirm it had managed to contact most of these individuals, including three assessed as ‘high risk’.
Prior to the investigation, Melbourne City Mission was not provided with copies of the audit logs showing Alexander Jones’s CRISSP access, and would not have been able to identify this issue earlier.
Zack’s disclosure
Child Protection practitioners first interviewed Zack and his mother about the data breach by Alexander Jones in February 2019. Zack was 13 years old at the time of the interview.
At the time, the Department was aware that Alexander Jones had searched for Zack’s information in CRISSP following his departure from Melbourne City Mission.
When interviewed about the data breach, Zack told Child Protection he was first approached by Alexander Jones at Flinders Street Station in early 2018. He said they traded social media details and subsequently arranged to meet again.
Zack disclosed that Alexander Jones later took him to a hotel room and raped him.
Zack said Alexander Jones threatened him not to tell anybody about the sexual assault. He recalled Alexander Jones claimed to be a former Marine who had ‘done background checks’ and knew all about him. Zack said to prove this, Alexander Jones looked up and recited private information about another young person known to Zack.
Child Protection encouraged Zack to immediately make a statement to Victoria Police. During interview with
the investigation, Zack’s mother recalled feeling pressured and worrying about the family’s safety:
"[I remember] saying, ‘I don't know what information this guy has on me. I don't know what to do.’ I was worried about our safety, you know, making a statement if it's not guaranteed that they're going to get locked up straight away. And then I was worried that they've typed in notes to say that [Zack]’s now disclosed this, and is he [Alexander Jones] looking at that; able to see that?"
Child Protection subsequently developed a Case Plan for Zack and assisted the family to connect with a number of support organisations. After Zack’s mother expressed safety concerns, the Department also helped the family relocate to another property.
In a personal statement to the Ombudsman, Zack’s mother explained:
"The Department moved us, [because we felt] worried and scared and our home didn’t feel like a safe place. We were walking on eggshells, and my son didn’t want to leave me in the house by myself either for fear I could be hurt. [We were concerned that Alexander Jones] had been able to see things like my workplace, our address.
All the children suffered – we had gone from a home with a lot of space to one child living in the loungeroom until other accommodation was sorted about six months later. The kids had to leave all their friends, not being able to just walk to see the friendship [groups] they had had for eight years. They hated it. They didn’t know what had happened, and I had made them disconnect from those groups of friends by moving."
During interview with the investigation, Zack’s mother said she appreciated some of the Department’s assistance, but contrasted it with the level of support previously offered to her when she sought help with Zack’s behaviours around the time of the sexual assault:
"I guess I really had no understanding of how their system worked. I called them several times trying to get … help, because I felt like everything I was doing was not working. And each time I called, I just got, ‘You're doing everything we can, and you're doing the right things. You're being a protective parent; we don't need to get involved.’
…
"Then they've contacted me about the data breach, and [Zack] disclosed [the connection between the data breach and the sexual assault]. And then, all of a sudden, they were reengaging … They were involved, and very heavily involved with everything, with his school, with his workers, setting up meetings."
Zack made a recorded statement to Victoria Police in April 2019. Zack’s mother told investigators that contact from
the Department ‘pretty much’ stopped after this. She observed that many of the services offered to Zack also later
‘dropped off’ due to funding limitations or staff turnover.
At interview, Zack’s mother and advocate each said they felt this lack of continuity in support was a critical issue hampering Zack’s recovery as a survivor of sexual abuse.
In response to a draft version of this report, the Department said it believed Child Protection had supported Zack before
and after his disclosure. The Department also said it connected Zack with several ongoing support services following his disclosure. The Department said it believed it had ‘provided appropriate services’ to Zack, but ‘acknowledge[d] Zack’s mother’s experience’.
Zack’s mother told investigators the family continued to struggle with the impacts of the sexual assault:
"I don't think I can even put into words how very, very, very much it has impacted us with every aspect of our lives … It
was just horrible. I've always been very forthcoming with DHHS, you know, I've got nothing to hide – ‘This is exactly what's going on’. And it just really hasn't been like that from their end. I've just felt it's more about saving them than actually protecting my children."
Meeting with Melbourne City Mission
Zack’s mother recalled meeting with representatives of Melbourne City Mission with the Department’s assistance in March 2019, following Zack’s disclosure.
She said those attending from Melbourne City Mission ‘couldn’t understand why [she] was there’ and didn’t seem to be aware of the sexual assault:
"They didn't seem to know a lot of what was going on. They specifically said to me in the meeting, ‘We're just so glad that nothing's come out of it.’ At that point, I was trying to be smart, and not say what had happened, because I wanted some information … I was trying to play it smart, as hard as it was to sit there and hear them say, you know, ‘We’re just so glad…’
Zack’s mother recalled Melbourne City Mission wasn’t able to clarify details of the data breach, and ultimately reneged on an undertaking to get back in touch with her with further information:
"They were going to get me a timeline of what they had. They were going to be calling me the next day. [The General Manager Homelessness and Family Services] was going to be calling [the Department’s senior manager].
My assumption is he did call [the senior manager], and [the senior manager] disclosed what had happened to [Zack], because after that I did not get a call back. I called, I left messages … I got nothing ever after that meeting."
During interview, Melbourne City Mission’s General Manager Homelessness and Family Services confirmed the organisation was not briefed by the Department about Zack’s disclosure prior to the meeting. The General Manager explained:
"I had a phone call randomly from [the Department] asking if I’d be happy to talk to any [individuals who] were Melbourne City Mission [clients] who had been affected or had some interaction with Alex Jones, that came to them. I said ‘Absolutely, [although] I’m not sure what I can tell them because all I know is that there was a breach,’ and that was all I really knew at that point in time.
The General Manager said they weren’t familiar with CRISSP’s Common Client Layer function at the time and were a ‘bit in the dark’ about the purpose of the meeting and Zack’s possible connection to the data breach, given he was not a Melbourne City Mission client. They recalled they attempted to obtain further information about Zack’s situation from the Department but did not receive a response by the time the meeting began.
In response to a draft version of this report, the General Manager commented:
"It is important to make clear that Zack was not a client of Melbourne City Mission, which is the main reason neither I nor, so far as I could tell, [Zack’s mother or advocate] had a clear understanding of why DHHS had requested us to meet, what information they were seeking or what could be provided to them by Melbourne City Mission."
The General Manager acknowledged the organisation undertook to provide further information to Zack’s mother after the meeting. The General Manager said they subsequently recognised Melbourne City Mission was not in a position to provide the information Zack’s mother was seeking. The General Manager said they instead contacted somebody at the Department, who confirmed they would clarify the circumstances of the data breach directly with the family.
The General Manager observed Melbourne City Mission should have ‘closed the loop’ with Zack’s mother at the time and acknowledged the family would be justified in feeling upset with the organisation.
In response to a draft version of this report, the General Manager commented:
"I regret that this meeting contributed to Zack and [his mother’s] confusion about Melbourne City Mission’s role in the occurrence and resolution of [Alexander] Jones’s actions and that Melbourne City Mission didn’t directly contact [Zack’s mother] again to provide the information she had requested, despite my understanding that the Department would do that."
In response to a draft version of this report, the Department denied facilitating the meeting between Zack’s mother and Melbourne City Mission.
After receiving a draft version of this report, Melbourne City Mission’s Chief Executive Officer and Chair met with Zack’s mother and provided an apology on behalf of the organisation.
Information provided to Zack’s family
The investigation found that Zack’s mother was provided inaccurate and contradictory information about Alexander Jones’s access to Zack’s information in CRISSP.
According to Zack’s mother, the family was initially provided only very general information about the data breach:
"[The Child Protection practitioner] didn't say a lot, it was very general: ‘He's been able to access some files, he's accessed quite a few children's files.’ … I guess her main thing was trying to see whether there had been any inappropriate contact."
Zack’s mother told investigators she subsequently contacted Child Protection to request further information and spoke with a senior practitioner. This person consulted with the Department’s legal team and informed her Alexander Jones had been able to view all of Zack’s case information in CRISSP, as well as details about Zack’s siblings. This was incorrect.
The Department’s Practice Leader Sexual Exploitation acknowledged providing this information to Zack’s mother. This was based on confusion within the Department at the time about the different levels of access to case information in CRISSP:
"I’d got a bit confused about the situation as well. … Initially the information was that [Alexander Jones] could see [information in the Common Client Layer]. If it was discussed at any level with a parent, that’s what was discussed.
…
I had a phone call with someone from Central division, and in that conversation they had said, ‘No, he could see [case] notes and docs’. … And then I followed it up with [Zack]’s mother and said that he could see all notes and docs. And then afterwards [they’ve] come back and said, ‘No, he could only see the [Common Client Layer information]’. … At that point I’m like, ‘Look, we’ve actually just given this lady mixed information.’
Zack’s mother said she was later contacted by a senior manager within the Department, who took back the previous advice and purported to clarify that Alexander Jones was only able to access limited information about Zack through CRISSP’s Common Client Layer function.
Zack’s mother recalled the Department later wrote to her to confirm this position. In the letter, the Department stated that Alexander Jones ‘was able to see [Zack]’s name and address and no other information’. This was also incorrect.
At the time of her interview with the investigation, Zack’s mother said this was still the most recent advice she had received from the Department. She said she was later dismayed when, during a sentencing hearing, prosecutors told the County Court of Victoria that Zack’s information was ‘not successfully accessed’ by Alexander Jones. Zack’s mother told investigators she was still seeking confirmation of what information Alexander Jones actually accessed about Zack in CRISSP.
What information did Alexander Jones see about Zack?
CRISSP 360 Degree Search logs supplied to the investigation indicate Alexander Jones first searched for Zack’s information in CRISSP on 5 May 2018, corresponding with the evening he approached Zack at Flinders Street Station.
Alexander Jones conducted five further searches for variations of Zack’s details between 5 May and 9 June 2018. This included one search on the afternoon of the sexual assault.
These searches are depicted in chronological order in Figure 14.
While the 360 Degree Search logs confirm Alexander Jones searched for Zack’s information in CRISSP, they do not specify what client information was returned through these searches or clarify whether this included a client entry corresponding to Zack.
In response to a summons from the Ombudsman, the Department said it no longer considered Zack’s information was displayed in any of the search returns accessed by Alexander Jones.
The Department clarified that Zack did not have a client entry in CRISSP because he had not previously received services from a funded program using this system.
The Department advised that although Zack did have a client entry in CRIS arising from past Child Protection involvement, this would not have been displayed in search returns from the Common Client Layer because Zack was not an ‘active’ client at the time of Alexander Jones’s searches.
The Department’s Manager Client System Support explained that not all clients in CRISSP and CRIS are ‘visible’ in the Common Client Layer, and that a client’s visibility can change with time.
For a client to be visible to all CRISSP users and therefore appear in search returns from the Common Client Layer, they must be both:
- classified as ‘unrestricted’ (CRIS and CRISSP allow organisations to identify ‘restricted’ and ‘confidential’ clients
to prevent them appearing in the Common Client Layer, but by default, all clients are initially classified as unrestricted) - currently ‘active’, meaning they must have an open case recorded in CRIS or CRISSP (Child Protection and service providers are expected to close cases when they finish providing services to a client).
The Manager Client System Support explained that each CRISSP search is a ‘point in time’ event, meaning search
returns can differ depending on when a search is conducted.
For example, the same search conducted in January 2021 may return substantially different search results if conducted a year later, because:
- new client entries matching the search terms may have been created
- clients that were previously ‘visible’ in the Common Client Layer may no longer be visible (i.e. if they are updated to the ‘restricted’ status or no longer have an open case), and vice versa.
According to the Manager Client System Support, identifying whether a particular unrestricted client entry was displayed in the Common Client Layer involves manually checking whether the client was active in CRIS or CRISSP when the search was conducted.
This can be determined by reviewing the client’s 360 Degree View page to determine what cases, if any, would have been open at the time. If no cases were open, the client would not have appeared in search returns.
At the request of the investigation, the Department provided a demonstration of the CRISSP system and the methodology used to determine whether Alexander Jones accessed Zack’s information.
This demonstration showed Zack did not have an open Child Protection case at the time Alexander Jones searched for his information.
The Department’s position was supported by separate audit logs supplied to the investigation showing Alexander Jones’s access to CRISSP case information.
These indicate Alexander Jones only ever accessed case information relating to clients of Melbourne City Mission. They do not suggest Alexander Jones viewed Zack’s 360 Degree View page or associated case records or purported to ‘match’ Zack’s information in the Common Client Layer, as these actions would have each created an audit trail.
Based on this evidence, and considering other information supplied by the Department, the investigation was ultimately satisfied that Alexander Jones did not use CRISSP to access information about Zack.
The evidence indicates the Department first identified Alexander Jones did not successfully access Zack’s information on 31 October 2018. In an internal email to senior officers, the Department’s Manager Client System Support reported that searches relating to Zack would have returned ‘no results’.
This was three months before the Department first notified Zack’s mother that Zack’s information was accessed in the data breach.
During interview with the investigation, the Manager Client System Support said they couldn’t explain why this occurred or why their previous advice concerning the issue wasn’t heeded.
In July 2021, when the Ombudsman commenced her investigation, the Department still hadn’t advised the family that it no longer considered Zack’s information was accessed by Alexander Jones.
Lawyers for the Department notified Zack’s mother of this issue in February 2022, towards the end of the investigation.
In a personal statement to the investigation, Zack’s mother reflected:
"It has now been three years since this all started, and the emotional toll of fighting for information [about what Alexander Jones accessed] has been exhausting and draining. We have been misled, spoken
to by people who did not have the right information, lied to, or just refused answers. …
"It has taken time away from my kids, both physically and emotionally – me trying to get answers. Time [where] I should have only been focused on what happened [to Zack] and dealing with the repercussions of the assault on my son, dealing with all of our feelings – being sad and angry about what had happened [and] comforting my son with nothing
else weighing in. Instead I was left fighting for answers.
"[I was] playing detective at a time when the Department and Melbourne City Mission should have just been
forthcoming with information. … It should have been about [Zack’s] welfare, his needs, his safety! To date we have never received an apology from the Department … [about] how [the data breach] was all handled. … As recently as this year,
[the Department] informed me they only [became] aware [Alexander Jones did not access Zack’s information] once the Ombudsman started this investigation. Also, not true. This has impacted our family so very, very much, at a time that was already [so] traumatic."
Response to the data breach
Based on Zack’s evidence, Alexander Jones was charged and ultimately pleaded guilty in the County Court of Victoria to sexually penetrating a child under the age of 16 years.
Alexander Jones was also separately prosecuted in the Magistrates’ Court of Victoria for accessing CRISSP without authorisation. In total, he was sentenced to an effective period of six years’ imprisonment for both offences.
The investigation received evidence of several reforms implemented by Melbourne City Mission and the Department following identification of the data breach by Alexander Jones.
These appeared to largely address the most significant privacy risks and other vulnerabilities highlighted by the incident.
Reforms implemented by Melbourne City Mission
Following identification of the data breach, Melbourne City Mission engaged a former Victorian Privacy Commissioner to conduct a broad review of the organisation’s privacy practices.
This review found Melbourne City Mission’s policies and procedures appeared ‘ad hoc’ and did not result in a ‘coherent, overarching [or] consistent organisation- wide approach to privacy compliance’.
The review made nine recommendations to Melbourne City Mission, including that it:
- revise each of its policies and procedures to better integrate privacy considerations
- implement a ‘double-lock’ system for deactivating CRISSP user accounts
- conduct quarterly audits of employee CRISSP access
- review each its service delivery arrangements to identify and ensure compliance with all contractual privacy obligations.
Melbourne City Mission accepted and implemented all recommendations from the review. As part of this process, the organisation recruited a fulltime Privacy Officer, responsible for coordinating privacy education and compliance activities and undertaking secondary consultations with staff.
Melbourne City Mission also engaged a consultancy firm to review its recruitment, onboarding and offboarding practices. The review assessed these practices as ‘developing’ and made six recommendations for improvement, including that the organisation clarify the specific safety screening checks required for each position. Melbourne City Mission subsequently accepted and implemented all recommendations.
According to Melbourne City Mission’s General Manager Homelessness and Family Services, the organisation
has also implemented a new Human Resources information system to centralise onboarding, offboarding and training processes. Senior Managers and Operations Managers are now also required to submit monthly reports confirming their onboarding and offboarding activities.
During interview with the investigation, Melbourne City Mission’s General Manager Corporate Services gave evidence that the organisation is also in the process of introducing an integrated client information system for use across its Homelessness, Youth, Justice and Family Services programs. This system, which Melbourne City Mission is seeking to integrate with CRISSP, will allow managers to directly monitor user access to client information.
Reforms implemented by the Department
In December 2018, the Department undertook a ‘root cause analysis’ into the circumstances of the data breach. This review found the incident resulted from a combination of local process failures, inadequate compliance monitoring of
contracted service providers and a failure to regularly audit CRISSP user access.
The Department subsequently developed a process for CRISSP user information to be regularly shared with funded service providers. Under a new attestation process, organisations are required to conduct quarterly self-audits of this information and declare its accuracy or risk having their CRISSP access disabled.
In response to a recommendation from the Information Commissioner, the Department also developed proposed amendments to the contractual framework governing CRISSP access to clarify the respective obligations of the Department and funded service providers.
In a March 2021 report to the Information Commissioner, the Department confirmed it was also:
- developing a risk-tiering approach to identify funded service providers requiring greater oversight
- delivering new training sessions to service providers about their privacy obligations.
Victoria’s Working with Children Check scheme
Victoria’s Working with Children Check scheme is intended to assist in protecting children and young people from harm
by ensuring that people who work with or care for children are screened by the Victorian Government.
Under the scheme, individuals seeking to work with children must first apply to Working with Children Check Victoria (‘WWCC Victoria’), a business unit within the Department of Justice and Community Safety, for a Working with Children clearance. It is an offence for a person to knowingly or recklessly engage in child- related work without a current clearance.
Alexander Jones was first granted a Working with Children clearance in April 2016, when he commenced working at Melbourne City Mission. This clearance was later revoked by WWCC Victoria in May 2019, after the data breach and his related sexual assault of Zack was identified.
The investigation did not identify any concerns about the actions of WWCC Victoria in assessing and later revoking Alexander Jones’s Working with Children clearance. This was because they appeared entirely compliant with the requirements of the Working with Children Act, which was in force at the time.
Yet the decision to grant Alexander Jones's clearance highlights legislative constraints that undermine the effectiveness of the Working with Children Check scheme. These include:
- limitations on the type of information that can be considered when assessing an application for clearance to work with children
- significant restrictions on the power to reassess and revoke a person’s clearance to work with children, once concerns are identified.
Why Alexander Jones was permitted to work with children
Alexander Jones was already the subject of serious child protection concerns at the time he applied for a Working with Children clearance to work at Melbourne City Mission.
This included evidence he was:
- investigated by interstate police as a ‘person of interest’ in relation to several serious offences, including an alleged rape and the alleged sexual exploitation of a child
- flagged by interstate child protection authorities as a person suspected of sexually abusing a child
- subject to multiple Apprehended Violence Orders, including an order restricting his interactions with a young person deemed at risk of sexual exploitation.
Information about the above matters was not disclosed or available to WWCC Victoria when it assessed Alexander Jones’s Working with Children Check application.
Concerningly, this information, on its own, would not have provided statutory grounds to refuse Alexander Jones a Working with Children clearance, had it been disclosed to WWCC Victoria.
WWC assessment process
The Worker Screening Act 2020 (Vic) establishes the processes WWCC Victoria must use to assess applications for Working with Children Checks.3 According to section 11 of the Worker Screening Act, the ‘paramount consideration’ of all decisions made under the scheme must be ‘the protection of children from sexual or physical harm’.
Once a Working with Children Check application is made, WWCC Victoria:
- must generally arrange for a police record check on the applicant
- must seek information about any interstate working with children applications or clearances relating to the applicant
- may make enquiries with and consider information from other bodies such as the Director of Public Prosecutions
- may seek further information from the applicant themselves.
Depending on the applicant’s criminal history and other factors, WWCC Victoria is then required to determine what category the application fits into. Based on the category and the information available, WWCC Victoria must then either grant or refuse the application.
Clearance provided to Alexander Jones
Alexander Jones first applied to WWCC Victoria for a Working with Children Check on 17 March 2016.
WWCC Victoria undertook a police record check in accordance with section 58(1) of the Worker Screening Act. This disclosed only minor dishonesty offences committed in New South Wales and Queensland. Alexander Jones’s application was accordingly assessed as a Category C application and granted in April 2016.
The police record check undertaken by WWCC Victoria did not identify evidence of the serious interstate child protection concerns relating to Alexander Jones, including the fact he was previously investigated by NSW Police Force for two alleged Category A offences.
During interview with the investigation, the Director of WWCC Victoria explained that information disclosed in police record checks is generally limited to criminal charges that have been laid by police. Information about police investigations or Intervention Orders that do not result in criminal charges is not disclosed.
But even if WWCC Victoria had received this information, it would not have formed a basis to refuse an application for a Working with Children Check under section 68(1) of the Worker Screening Act. In practice, this means WWCC Victoria must grant clearances to applicants who have been investigated but not charged in relation to serious criminal allegations, unless other grounds exist to refuse them.
The Director of WWCC Victoria observed that the unit’s ‘hands are tied’ in circumstances where these grounds do not exist:
"We get information that’s quite concerning sometimes, but we can’t do anything with it. There has to be a trigger and it has to either be a criminal history or it has to be a prescribed [disciplinary or regulatory] finding. Outside of that, our hands are tied."
In the present case, the Director of WWCC Victoria confirmed the prior interstate investigations into Alexander Jones’s activities would not have constituted grounds to refuse him a Working with Children clearance, even if this information had been voluntarily disclosed to the screening authority.
Why Alexander Jones’s clearance was not revoked until May 2019
Alexander Jones’s Working with Children clearance was first revoked by WWCC Victoria in May 2019, about six months after the data breach involving CRISSP was identified.
In that six-month period, WWCC Victoria was notified Alexander Jones was continuing to apply for child-related work with organisations engaging with vulnerable young people.
WWCC Victoria was also notified that:
- there were interstate child protection concerns relating to him, including the previous New South Wales Police investigations into alleged sexual offences
- there were multiple reports made to Child Protection alleging he was grooming vulnerable young people
- there was a reportable conduct investigation into child exploitation material allegedly found on his laptop
- he was flagged by Child Protection as a ‘person of interest’ on the Sexual Exploitation Register
- Zack had disclosed to Child Protection that he was raped by Alexander Jones.
Yet WWCC Victoria was unable to reassess Alexander Jones’s suitability to hold a Working with Children clearance based on any of this information.
Instead, his clearance was ultimately revoked on procedural grounds, after he failed to provide information requested by WWCC Victoria about largely unrelated dishonesty offences.
WWC reassessment powers
Section 78(1) of the Worker Screening Act requires WWCC Victoria to reassess a person’s eligibility to hold a Working with Children in certain circumstances.
These include where WWCC Victoria is notified the person has, since receiving a clearance, been:
- charged with, convicted or found guilty of a Category A or Category B offence
- subject to a relevant disciplinary or regulatory finding, including a substantiated finding of reportable
conduct under Victoria’s Reportable Conduct Scheme - excluded from child-related work by an interstate child-safety screening authority.
- When reassessing a person’s suitability to hold a Working with Children clearance, WWCC Victoria is permitted to:
• consider any notices given to it by disciplinary or regulatory entities, and make further enquiries with such bodies
• make enquiries with and seek information from other sources such as the Director of Public Prosecutions
• require the person to provide further information within a specified period of time.
When reassessing a person’s suitability to hold a Working with Children clearance, WWCC Victoria is permitted to:
- consider any notices given to it by disciplinary or regulatory entities, and make further enquiries with such bodies
- make enquiries with and seek information from other sources such as the Director of Public Prosecutions
- require the person to provide further information within a specified period of time.
WWCC Victoria classifies reassessments within either Category A, Category B or Category C, using the same criteria as the assessment process.
WWCC Victoria is generally required to revoke a person’s clearance if they fall within Category A or B. Category C clearances must not be revoked unless WWCC Victoria is satisfied there is a risk to the safety of children, having regard to specific legislative criteria.
WWCC Victoria must give written notice to the person before determining to revoke a Working with Children clearance. WWCC Victoria must consider any response from the person before making a decision and can revoke a person’s clearance if they fail to respond within a specified period of time.
WWCC Victoria is required to suspend a person’s Working with Children clearance pending a reassessment in circumstances where they have been made subject to sex offender reporting obligations or charged with, convicted or found guilty of certain Category A or Category B offences. The Worker Screening Act does not otherwise allow WWCC Victoria to suspend a person’s clearance pending a reassessment.
Reassessment of Alexander Jones’s clearance
WWCC Victoria was first notified of concerns relating to Alexander Jones’s contact with children on 22 October 2018, immediately after the data breach was detected.
The Department subsequently wrote to WWCC Victoria on 3 December 2018 to request it urgently suspend Alexander Jones’s Working with Children clearance while Victoria Police and Child Protection investigated the incident.
In the letter, the Department provided an overview of the data breach and child protection concerns relating to Alexander Jones at the time, including information obtained from New South Wales child protection authorities.
Under the Working with Children Act (which was in force at the time), the information provided by the Department did not constitute grounds to suspend or reassess Alexander Jones’s Working with Children clearance. This was because Alexander Jones had not been charged with, convicted or found guilty of a criminal offence or made subject to a relevant disciplinary or regulatory finding.
WWCC Victoria nevertheless promptly contacted the Department and Victoria Police to seek further information about the various investigations relating to Alexander Jones.
The Director of WWCC Victoria recalled the purpose of these enquiries:
"I said, ‘Give me what you’ve got.’ The theory being that [we would] look through it and see, ‘Have we got anything – that hook that will trigger a reassessment?'
Following enquiries, on 14 February 2019, the Department supplied WWCC Victoria with detailed intelligence reports from Child Protection, Victoria Police and NSW Police Force.
These reports included additional information about the Victorian Child Protection reports concerning Alexander Jones, including Zack’s recent disclosure. They also summarised the various law enforcement investigations into his alleged conduct, including the interstate Apprehended Violence Orders and alleged sexual offences investigated by NSW Police Force.
The Department also notified WWCC Victoria that Alexander Jones had allegedly recently provided false information to a prospective employer in an effort to obtain further child-related work.
All the information supplied by the Department still did not provide WWCC Victoria with legislative grounds to reassess Alexander Jones’s Working with Children clearance.
The Director of WWCC Victoria observed:
"[It was] frustrating and concerning. … [I remember saying], ‘This guy is desperate. He wants to get access to children. We have to do something here.’ We had no other trigger [to reassess his clearance]."
According to the Director of WWCC Victoria, the screening authority was subsequently informed of Victoria Police’s intention to charge Alexander Jones with dishonesty offences arising from his failure to return a rental vehicle. The Director described this event as a ‘light bulb moment’:
"We saw he was in the car with children. And that was like, ‘Oh hang on, we can ask him a question about that’ … We wouldn’t normally receive those pending charges as part of ongoing monitoring because it’s not normally an indication of risk to children, but once we were aware of it, we did ask Victoria Police from memory to send us the charges."
On 20 February 2019, WWCC Victoria wrote to Alexander Jones to provide notice of its intention to reassess his Working with Children clearance. Alexander Jones was asked to respond to a summary of the dishonesty charges and provide information about his relationship with a young person allegedly in his company at the time of the alleged offences.
Alexander Jones did not respond to the notice of reassessment within the specified timeframe. After providing further statutory notice of its intention to do so, WWCC Victoria revoked his Working with Children clearance on 3 May 2019.
Owing to his subsequent conviction for sexual penetration of Zack and status as a registrable sex offender, Alexander Jones is now prohibited from applying for a further Working with Children Check under section 129(a) of the Worker Screening Act.
Information considered by interstate screening authorities
Assessable information
Unlike in Victoria, most other Australian child-safety screening authorities are permitted to consider evidence of conduct that does not result in criminal charges or disciplinary findings when assessing a person’s suitability to work with children and young people.
Depending on the jurisdiction, this evidence can include police intelligence, child protection reports, Intervention Orders and related court orders concerning the applicant.
For example, New South Wales’s screening authority has discretion to scrutinise any applicant’s suitability to work with children, regardless of their criminal or disciplinary history. When conducting an assessment, this body is permitted to consider ‘any order of a court or tribunal’ in force in relation to the applicant, as well as ‘any other matters’ considered necessary.
Similar schemes in the Australian Capital Territory and South Australia allow child protection and family violence orders
to be considered. South Australia’s screening authority is also permitted to consider child protection intelligence and is required to conduct more detailed risk assessments for applicants investigated for alleged sexual abuse, even where not substantiated.
Queensland’s screening authority is able to consider ‘investigative information’ identified by police. This can include evidence of alleged sexual offences against children that have not resulted in criminal charges due to the child’s
inability or unwillingness to give evidence, provided other procedural criteria are met. This body is also able to consider other information relating to the applicant’s risk to children and young people, which can be used to refuse a clearance in exceptional circumstances.
Tasmania’s screening authority is similarly empowered to consider ‘criminal intelligence information’ relating to
the applicant obtained from local and interstate law enforcement bodies, which is not necessarily limited to information about charged offences.
Reassessment powers
In contrast to Victoria, interstate screening authorities are generally afforded greater discretion to reassess a person’s suitability to work with children and young people.
New South Wales and South Australia do not limit the circumstances in which screening authorities can reassess a person’s clearance. South Australian legislation expressly provides that a reassessment can be conducted on the screening authority’s ‘own motion’. Once a reassessment is commenced, these screening authorities are empowered to consider the same types of information available during the assessment process.
Other jurisdictions allow or require screening authorities to reassess a person’s clearance when notified of new information.
For example, Queensland’s screening authority is empowered to conduct a reassessment where ‘further information’ is identified about a clearance-holder. This encompasses any additional information relevant to whether it is ‘in the best interests of children’ that the person retain their clearance, as well as any court or tribunal decisions relating to the clearance-holder.
Similarly, Australian Capital Territory and Tasmanian screening authorities are permitted to reassess a person’s suitability to work with children in circumstances where ‘new relevant information’ is identified. Unlike in Victoria, this can include evidence of suspected criminal offences, regardless of whether charges have been issued.
Proposed reforms
The Worker Screening Act should be amended to allow WWCC Victoria to consider and act upon other forms of information likely to be relevant to an applicant’s risk to children and young people.
Noting interstate practice, this could include:
- police and child protection intelligence, including information about suspected offences
- details of Intervention Orders and other similar court orders
- any other relevant information.
WWCC Victoria should also be provided general discretion to refuse an applicant clearance if reasonably satisfied they pose an unjustifiable risk to the safety of children, using the criteria already established for Category C applications. This discretion should be available regardless of the applicant’s criminal or disciplinary history.
Similarly, WWCC Victoria should be empowered to reassess a person’s suitability to work with children of its own initiative, and without the need for notification of a criminal charge or disciplinary outcome. This should include the power to temporarily suspend a person’s clearance in limited circumstances.
Retaining the existing procedural safeguards, WWCC Victoria should also be generally empowered to revoke a person’s clearance following reassessment, if reasonably satisfied they pose an unjustifiable risk to the safety of children.
In response to a draft version of this report, the Department of Justice and Community Safety observed that WWCC Victoria is already able to consider some behaviours that do not result in criminal charges,
when notified of findings made under the Reportable Conduct Scheme. This can include alleged grooming of children and young people by employees.
However, Alexander Jones was not employed by an organisation subject to the Reportable Conduct Scheme when many of the concerns were identified about his alleged conduct. Additionally, some behaviours, such as his misuse of CRISSP, were unlikely to satisfy the high threshold for ‘reportable conduct’ under the Child Wellbeing and Safety Act.
Conclusions
Alexander Jones’s appointment to Finding Solutions
Alexander Jones was already the subject of serious child protection concerns at the time of his appointment to the Department-funded Finding Solutions program.
New South Wales law enforcement had investigated him as a ‘person of interest’ in relation to two alleged sexual offences, including, most disturbingly, the alleged sexual abuse of a child. New South Wales child protection authorities had also flagged him as a suspected perpetrator of abuse and he had been made subject to multiple Apprehended Violence Orders. This included an order restricting his contact with a young person deemed at risk of sexual exploitation.
Yet criminal charges were not issued in relation to any of these matters, and they were therefore not disclosed in a
criminal history check conducted at the time of Alexander Jones’s recruitment to Melbourne City Mission.
Alexander Jones was also not qualified to work with vulnerable children and young people: at the time he joined Melbourne City Mission, he had no child-related employment history or relevant tertiary qualifications. This means he did not satisfy the essential requirements for employment as a Case Worker on the Finding Solutions program.
This fact was concealed from Melbourne City Mission during the recruitment process. Alexander Jones’s application substantially misrepresented his employment history and qualifications, and routine background checks did not identify the deception.
Melbourne City Mission’s recruitment of Alexander Jones largely adhered to standard employment screening
procedures, and the organisation could not have uncovered the past criminal and child protection investigations into his conduct.
Yet the failure to check Alexander Jones’s purported tertiary qualifications was a missed opportunity to detect his apparent deception and also appeared contrary to Melbourne City Mission’s Service Agreement with the Department.
Conduct and performance issues
Melbourne City Mission did not receive any complaints or concerns about Alexander Jones’s interactions with children and young people during his period as a Case Worker on the Finding Solutions program.
Yet problems with his presentation and behaviour were identified and reported internally. Former co-workers recalled he often attended work unwashed, smelled ‘really bad’ and dressed below the standard expected for the role. These witnesses also described incidents of inappropriate remarks and aggression towards colleagues, stating they generally felt uncomfortable working alongside him.
Although these issues were largely managed in accordance with established disciplinary processes, they did not result in further scrutiny of Alexander Jones’s background – even when clearly at odds with the standards expected of an experienced and well-credentialed case worker.
One former co-worker’s observation that management ‘treated him like a client’ appeared reinforced by the contents of a performance management plan, which went so far as to instruct Alexander Jones to regularly trim his nails and tie his shoelaces to avoid tripping.
When interviewed by the investigation, a former supervisor observed there was sometimes a ‘fine line’ between treating employees fairly and maintaining a child safe workplace. The former supervisor acknowledged that in this case misplaced empathy may have resulted in too much emphasis on the former.
Similarly, clear discrepancies in Alexander Jones’s claimed academic achievements were not recognised and investigated, even when apparently highlighted by sceptical colleagues.
The lack of timely information about formal complaints pathways meant some co-workers were unsure about how to properly escalate concerns within the organisation, or mistakenly believed they had done so.
The investigation did not identify evidence that client safety was directly compromised during Alexander Jones’s period on the Finding Solutions program. However, the nature of the Case Worker role – which involved substantial offsite client outreach – largely prevented managers and co-workers from directly observing Alexander Jones’s contact with clients.
Professional boundaries were later crossed with at least one young person following his departure from the organisation. In this regard, the omission to interview most of Alexander Jones’s former clients following identification of his sexual offending appeared ill-advised, although this was based on an apparent misunderstanding between Melbourne City Mission and the Department.
Subsequent child protection concerns
Alexander Jones was subject to several child protection reports about his alleged contact with young people following his departure from Melbourne City Mission.
For the most part, Melbourne City Mission was not notified of these concerns – despite, in one case, a clear connection with his former role at the organisation.
For its part, the Department otherwise appeared to respond conscientiously to the allegations. Child Protection appropriately notified and collaborated with community service organisation Concern Australia where Alexander Jones volunteered. Joint efforts to interview his former clients appeared to contrast favourably with the Department’s more limited collaboration with Melbourne City Mission.
Information obtained through interviews with young people and their carers did not provide a basis for Child Protection to intervene. The Department nevertheless appropriately revisited these allegations after the data breach was identified.
CRISSP data breach
Melbourne City Mission failed to deactivate Alexander Jones’s access to CRISSP when he left the Finding Solutions program, unintentionally providing him continued access to sensitive information about vulnerable children and young people.
Although serious in its privacy impacts, the error arose from a simple oversight during Alexander Jones’s transfer to
Melbourne City Mission’s Frontyard service. At the time, deprovisioning measures implemented by Melbourne City Mission did not adequately address this risk.
The data breach was subsequently detected by both Melbourne City Mission and the Department by chance. Both authorities appeared to take appropriate action to promptly restrict Alexander Jones’s further access to the system.
While primarily caused by an oversight by Melbourne City Mission, the fact and extent of the data breach was also facilitated by inadequate compliance measures implemented by the Department.
Prior to the incident, the Department failed to regularly audit CRISSP user access. Repeated warnings about the need to further scrutinise privacy compliance within funded service providers also went apparently unheeded.
In contrast, the Department’s efforts to disrupt and investigate Alexander Jones’s activities following identification of the data breach were thorough and appropriately child focused.
Regrettably, however, the lack of meaningful collaboration with Melbourne City Mission undermined an otherwise holistic response.
This was best demonstrated by the Department’s decision not to share details of Alexander Jones’s CRISSP access with Melbourne City Mission. Consequently, authorities failed to identify his earlier misuse of the system – and the existence of potentially many more affected children and young people – until this was detected by Ombudsman investigators.
Notifications to affected parties
CRISSP’s Common Client Layer function – which allows access to limited information about clients actively engaged with a number of services – posed a practical challenge to the Department’s efforts to identify individuals affected by the data breach. The Department nevertheless appeared to take a pragmatic approach to this issue, triangulating audit records with existing Child Protection intelligence.
Initial delays in notifying and interviewing affected parties also appeared reasonable, given specific requests made by Victoria Police.
Reassuringly, efforts were made to speak with young people who were not affected by the data breach but were identified through the interview process as having been in contact with Alexander Jones.
In contrast, the Department’s decision to apply a ‘child protection lens’ to planning interviews meant some, predominantly older people were not notified that he had inappropriately accessed their information until years after the fact, following media scrutiny.
Once again, the Department appeared to have disregarded prior warnings from oversight bodies – in this case, about the need to develop policy and guidance clarifying how and when to notify people affected by a data breach. While the
Department was not expressly obligated to notify all affected parties, doing so would have better promoted the right to privacy identified in the Charter of Rights Act.
Regrettably, the investigation also substantiated allegations that the Department provided inaccurate and ultimately misleading information to Victoria’s Information Commissioner about its plans to notify some individuals affected by the data breach.
While there was clearly no intention to deceive the privacy watchdog, the error pointed to a lack of internal coordination. Reassuringly, the Department appeared to make robust efforts to locate and notify the remaining affected parties, once the oversight was identified.
Engagement with Zack’s family
Poor communication with the family of Alexander Jones’s victim-survivor undermined the Department’s
commitment to transparency following the data breach.
Over a succession of months, Zack’s mother was provided inaccurate and contradictory information about Alexander Jones’s access to the family’s private information, significantly contributing to her safety concerns.
The information was initially limited. Later advice was provided that Alexander Jones was able to access all of Zack’s details and case notes – as well as information about other family members. This was incorrect.
In a letter to the family, the Department then purported to correct the record: Alexander Jones was only able to see Zack’s name and address. This advice too proved incorrect and was later contradicted in open court proceedings, much to the dismay of Zack’s mother.
In fact, by the time the investigation commenced, the Department no longer considered Alexander Jones had accessed any of Zack’s information in CRISSP. Yet this had not been communicated to Zack’s family.
Worse, the investigation found that this conclusion – that Zack’s information was never visible to Alexander Jones – was first reached and internally reported to senior staff within weeks of the data breach being discovered, and more than three months before the Department first approached Zack and his mother.
Regrettably, the Department also appeared insensitive to the family’s distress when it failed to appropriately brief Melbourne City Mission about the sexual assault prior to facilitating a meeting between Zack’s mother and the organisation.
While lacking critical information and context, Melbourne City Mission also acknowledged letting the family down when it abruptly ceased engaging with Zack’s mother, following the meeting.
The investigation was ultimately satisfied that Alexander Jones did not access Zack’s information in CRISSP. Yet the family’s longstanding suspicion he accessed confidential information about another young person when threatening Zack appeared vindicated by audit records.
Zack’s courage in disclosing details of the sexual assault ultimately proved critical to disrupting Alexander Jones’s activities. In turn, the Department appeared initially receptive to Zack’s needs – opening a Child Protection case, assisting the family to move homes and coordinating with relevant support services
Yet it is easy to empathise with sentiments expressed by Zack’s mother and advocate, who queried why similar supports weren’t available when the family first contacted Child Protection for help, in the immediate aftermath of the sexual assault.
Unsurprisingly, the investigation heard Zack continues to struggle with trauma arising from the incident. Zack’s mother and advocate each observed that funding limitations and a lack of constancy in services have undermined Zack’s recovery. The investigation was disappointed to observe the Department was no longer actively engaged with or supporting the family.
While acknowledging the Department’s uncertain legal responsibility for the incident, it appears further steps could still be taken to assist Zack and his mother to address the long-term consequences of Alexander Jones’s offending. This would be consistent with the principles underpinning the Children, Youth and Families Act and the right to protection under the Charter of Rights Act.
Reforms following the data breach
More encouragingly, the investigation found Melbourne City Mission and the Department had each taken meaningful action to investigate and address privacy risks highlighted by the CRISSP data breach.
Reforms implemented by Melbourne City Mission were particularly impressive. Following identification of the data breach, the organisation commissioned separate, comprehensive reviews of its internal privacy and recruitment practices, ultimately acting on all recommendations.
Local procedures for deactivating CRISSP user access were overhauled to identify and eliminate potential single points
of failure. Staff are now responsible for auditing CRISSP user access on a monthly basis, exceeding requirements imposed by the Department.
Further, Melbourne City Mission now employs a dedicated Privacy Officer to oversee and promote privacy compliance within the organisation. It is also investing in technology solutions to integrate the multiple information systems required under its funding arrangements. This will allow for increased monitoring of staff access to client records, among other things.
For its part, the Department promptly undertook a root cause analysis of the data breach, which recognised the need for significantly greater compliance monitoring of contracted service providers. In accordance with a compliance notice from the Information Commissioner, it has since engaged with these organisations
to regularly audit the accuracy of CRISSP user lists.
Further, the Department has revised contractual documents underpinning the use of the CRISSP system to include clearer obligations about deactivating user accounts and keeping accurate user records.
Noting the recent discovery that Alexander Jones was misusing CRISSP while employed on Finding Solutions, the investigation considered that further measures are needed to detect irregular and unauthorised use of the system by active case workers.
Comment on the Worker Screening Act
The fact that Alexander Jones was able to obtain and subsequently keep a Working with Children clearance highlights clear legislative shortcomings limiting the effectiveness of Victoria’s Working with Children Check scheme.
Under the Worker Screening Act, Victoria’s screening authority is generally prevented from using police and child protection intelligence about matters that do not result in criminal charges or disciplinary findings, even where potentially indicative of serious child-safety concerns.
This meant Alexander Jones was able to readily obtain clearance to work with vulnerable children and young people, despite multiple, serious prior interstate law enforcement and child protection
investigations into his alleged interactions with children, as well as other ‘red flags’.
Just as significantly, the investigation found authorities were hamstrung from reassessing and revoking Alexander Jones’s clearance, although notified of escalating concerns about his background and contact with vulnerable children and young people.
Absurdly, it was dishonesty charges, rather than the multiple reports about his
alleged sexual exploitation of children, that ultimately provided the statutory basis to reassess Alexander Jones’s Working with Children clearance.
The investigation considered the Worker Screening Act should be amended. Working with Children Check Victoria should be able to consider and act upon information indicating an applicant or clearance-holder poses an unjustifiable risk to the safety of children, regardless of whether criminal charges are issued.
Although concerned about the scheme itself, the investigation did not identify any errors by Working with Children Check Victoria – noting it made great efforts to address concerns about Alexander Jones’s contact with children while scrupulously adhering to its legislation.
Compliance with human rights
Under section 38(1) of the Charter of Rights Act, it is generally unlawful for public authorities such as the Department to:
- act in a way that is incompatible with a human right (including by failing to act in a particular way)
- fail to give proper consideration to a human right when making a decision.
Non-government organisations such as Melbourne City Mission are also required to comply with these obligations when exercising public functions on behalf of the State.
Section 13(a) of the Charter of Rights Act recognises that people in Victoria have the right not to have their privacy, family, home or correspondence unlawfully or arbitrarily interfered with.
Sections 17 recognises that families are ‘the fundamental group unit of society’ and are entitled to be protected by society and the State. This section also recognises that every child has the right to be protected in a way that is in their best interests and consistent with their particular needs.
Despite some errors in execution, the investigation was generally satisfied Melbourne City Mission and the Department gave proper consideration to the right to privacy and the obligation to protect families and children when responding to the CRISSP data breach.
This was evidenced by the extent to which both authorities sought to prioritise the safety of families and young people potentially affected by Alexander Jones’s conduct, as well as the action taken to significantly improve privacy compliance measures relating to the CRISSP system.
The investigation nevertheless considered Melbourne City Mission appeared to act incompatibly with these rights when it:
- failed to revoke Alexander Jones’s access to the CRISSP system at the time of his transfer from the Finding Solutions program, allowing him continued access to sensitive client information
- omitted to implement measures that adequately addressed privacy risks associated with CRISSP.
Likewise, the Department’s previous failure as system administrator to implement appropriate compliance measures to address the risk of unauthorised CRISSP user access appeared incompatible with the right to privacy and obligation to protect families and children.
In both cases, this was due to:
- the sensitivity of the information often recorded in CRISSP, including its relevance to vulnerable children and young people and the reasonable expectations concerning its use
- the largely foreseeable risks to children and young people and their families arising from unauthorised user access to the system
- the availability of simple measures to address these risks.
The Department’s poor communication with Zack’s mother about the data breach also appeared incompatible with Zack’s best interests and his right to protection. This is demonstrated by:
- the lack of a reasonable justification for the misleading and contradictory information provided to the family
- the way the Department’s communication unreasonably limited Zack’s mother’s ability to make decisions in Zack’s best interests
- the Department’s significant delay in setting the record straight about what information Alexander Jones accessed about Zack.
Opinion
In light of the above and pursuant to section 23(1)(a) of the Ombudsman Act:
1. Melbourne City Mission’s omissions to:
(a) revoke Alexander Jones’s access to the CRISSP system at the time of his transfer from the Finding Solutions program
(b) implement adequate measures to address privacy risks associated with the CRISSP deprovisioning process appear to have been contrary to section 38(1) of the Charter of Human Rights and Responsibilities Act 2006 (Vic), as these actions were incompatible with the right to privacy and the protection of families and children.
2. The Department of Health and Human Services’ previous omission to implement appropriate compliance measures to address the risk of unauthorised CRISSP user access appears to have been contrary to section 38(1) of the Charter of Human Rights and Responsibilities Act 2006 (Vic), as it was incompatible with the right to privacy and the protection of families and children.
3. The Department of Health and Human Services and Department of Families, Fairness and Housing’s omission to provide accurate and timely information to Zack’s mother about the CRISSP data breach by Alexander Jones appears to have been contrary to section 38(1) of the Charter of Human Rights and Responsibilities Act 2006 (Vic), as it was incompatible with Zack’s right to protection.
Further, pursuant to section 23(1)(g) of the Ombudsman Act:
4. The Department of Health and Human Services’ omission to identify and address Alexander Jones’s earlier misuse of CRISSP, following identification of the data breach, was wrong.
5. The Department of Health and Human Services’ omission to make timely efforts to notify remaining individuals affected by the data breach, contrary to representations made to the Office of the Victorian Information Commissioner on 21 February 2020, was wrong.
Recommendations
To the Victorian Government
Recommendation 1
Amend the Worker Screening Act 2020 (Vic) to allow the Secretary to the Department of Justice and Community Safety to:
a. obtain and consider any information that may be relevant to an applicant’s suitability to work with children
b. refuse an application for a Working with Children Check if reasonably satisfied the applicant poses an unjustifiable risk to the safety of children (including where no criminal or disciplinary history exists)
c. reassess a person’s suitability to hold a Working with Children clearance on the Secretary’s own initiative,
and without need for notification of a criminal charge or disciplinary outcome
d. pending determination of a reassessment, suspend a person’s Working with Children clearance where the Secretary reasonably suspects the person poses an unjustifiable risk to the safety of children
e. revoke a person’s Working with Children clearance following reassessment, where reasonably satisfied the person poses an unjustifiable risk to the safety of children (including where no criminal or disciplinary history exists).
To Melbourne City Mission
Recommendation 2
Review staff grievance procedures in light of the contents of this report and consider further opportunities to integrate and give effect to the Child Safe Standards.
Melbourne City Mission response: Accepted.
To the Department of Families, Fairness and Housing
Recommendation 3
Develop and implement a Data Breach Response Plan in accordance with the Office of the Information Commissioner’s 2019 publication, Managing the Privacy Impacts of a Data Breach.
Department of Families, Fairness and Housing response: Accepted.
Recommendation 4
Investigate opportunities to further improve CRISSP (Client Relationship Information System for Service Providers) information security, including through implementation of User and Entity Behavioural Analytics tools.
Department of Families, Fairness and Housing response: Accepted.
Appendix 1: the investigation
How we investigated
The investigation involved:
reviewing primary documents held by the Department and Melbourne City Mission, including records relating to:
- Alexander Jones’s recruitment to and supervision as a Case Worker on the Finding Solutions program
- Alexander Jones’s unauthorised access to CRISSP
- the identification of the data breach and how it was addressed
- other child protection reports about Alexander Jones
- Working with Children Act 2005
obtaining information and records from other Victorian Government authorities, interstate bodies and organisations concerning Alexander Jones’s background, child-related employment history and qualifications
reviewing relevant legislation, including the:
- Charter of Human Rights and Responsibilities Act 2006 (Vic)
- Children, Youth and Families Act 2005 (Vic)
- Child Wellbeing and Safety Act 2005 (Vic)
- Working with Children Act 2005 (Vic)
- Worker Screening Act 2020 (Vic)
- Privacy and Data Protection Act 2014 (Vic)
Reviewing interstate child-safety screening legislation, including the:
- Child Protection (Working with Children) Act 2012 (NSW)
- Working with Vulnerable People (Background Checking) Act 2011 (ACT)
- Child Safety (Prohibited Persons) Act 2016 (SA)
- Working with Children (Risk Management and Screening) Act 2000 (Qld)
- Registration to Work with Vulnerable People Act 2013 (Tas)
Considering materials relating to the CRISSP system, including:
- the Agreement for the Access to and Use of Information on the CRIS and CRISSP systems between the former Department of Human Services and Melbourne City Mission dated 9 April 2008
- the Department’s CRISSP Privacy Guidelines dated March 2006
- the Department’s CRISSP Business Practice Guidelines for Finding Solutions dated January 2009
Considering other relevant contractual and policy materials, such as:
- the Service Agreements between the State of Victoria and Melbourne City Mission for the period between February 2016 and October 2018
- the Department’s Service Agreement Information Kit, revisions dated 9 February 2016
- the Department’s Finding Solutions Program Guidelines, dated February 2012
Taking sworn evidence from officers of the Department, Melbourne City Mission and other witnesses
Attending a demonstration of the CRISSP system presented by the Department
Preparing this report.
The Ombudsman also engaged two law student interns from Melbourne University to research domestic and international child-safety screening schemes.
Summonsed materials
The Ombudsman obtained documents from the following bodies by witness summons issued under section 18 of the Ombudsman Act:
- the Department
- Melbourne City Mission
- the Department of Justice and Community Safety
- Concern Australia
- Melbourne University
- Chisholm Institute of TAFE
- Westpac Banking Corporation.
These bodies fully complied with each summons.
Sworn evidence
Ombudsman officers took sworn evidence from the following witnesses by voluntary appearance:
- Zack’s mother
- Zack’s advocate
- two former co-workers of Alexander Jones from Melbourne City Mission
- Melbourne City Mission’s former Team Leader Early Intervention Services
- Melbourne City Mission’s General Manager Homelessness and Family Services
- Melbourne City Mission’s General Manager Corporate Services
- Alexander Jones’s former supervisor at Concern Australia
- the employee of the Department of Justice and Community Safety who identified the data breach by Alexander Jones
- the Director of Working with Children Check Victoria.
The investigation also interviewed the following witnesses by compulsory appearance:
- the Department’s Manager Client System Support, the officer in charge of the team overseeing the CRISSP system
- the Department’s Practice Leader Sexual Exploitation, West Division
These witnesses were issued a summons to allow them to disclose information that would ordinarily be subject to the strict confidentiality obligations identified in the Children, Youth and Families Act.
Witness interviews were conducted online due to public health requirements associated with the COVID-19 pandemic. All witnesses fully cooperated with the investigation.
Appendix 2: Responses to the investigation
Alexanders Jones's response
In accordance with section 25A(2) of the Ombudsman Act, Alexander Jones was provided an opportunity to respond to the investigation’s preliminary conclusions. His response is summarised below.
Alexander Jones submitted:
- concerns about his workplace conduct at Melbourne City Mission were directed by one co-worker, and were not shared by most colleagues
- he resigned from Melbourne City Mission for health reasons – this was not connected to his disclosure of past drug use to a client
- he did not access Zack’s information in CRISSP and never made contact with a family or young person using information from this system.
Alexander Jones denied being investigated for alleged sexual offences in New South Wales. He said he was not interviewed in relation to these allegations and was never served with an Apprehended Violence Order in the jurisdiction.
Alexander Jones denied engaging in inappropriate contact with children in Victoria.
Despite his guilty plea and subsequent conviction, Alexander Jones continued to deny sexually assaulting Zack.
Melbourne City Mission's response
The Department of Families, Fairness and Housing’s response
The Department takes its privacy responsibilities seriously and is sorry for the distress this has caused.
The Department notified the Office of the Victorian Information Commissioner of the data breach relating to unauthorised CRISSP access and acknowledged in this instance more should have been done to ensure client information was protected.
The Department accepted the recommendations made by the Victorian Information Commissioner relating to the Department and has implemented them.
The Department acknowledges and accepts the Victorian Ombudsman’s recommendations and has already taken action to improve data security.
- 1. The audits showed that Alexander Jones’s account also created two client entries allocated to Melbourne City Mission. During interview with the investigation, the Department’s Manager Client System Support explained these entries would have been created automatically when Alexander Jones purported to ‘match’ the relevant clients in search returns from the Common Client Layer.
- 2. Several other possible affected parties were not notified by Child Protection because their identities could not be established from the search terms used by Alexander Jones.
- 3. At the time of Alexander Jones’s application, these processes were established by the former Working with Children Act. Changes introduced to the Working with Children Check scheme by the Worker Screening Act are not materially relevant to the present investigation.