The Victorian health department has been criticised for multiple breaches of privacy during the COVID-19 pandemic, leading to life-changing consequences for a young woman.

In a damning report published on Tuesday, the Victorian Information Commissioner said the department failed to ensure adequate pre-employment screening of third-party contractors.

The most high-profile failure involved a call centre worker with a criminal history using a department system to look up the details of a 31-year-old who was isolating at a Burwood share house in July 2021.

Abdulfatah Awow impersonated a health department official to gain entry into the home and tried to pressure the woman into performing sexual acts by telling her she was breaching her isolation requirements and could be deported to Taiwan.

He was later sentenced to three and a half years in prison, while the victim relocated interstate over fears he had her personal details.

The Department of Health hired third-party call centres during the global health crisis to help with contact tracing for people infected with COVID-19.

The commissioner’s investigation concluded it breached privacy and data protection laws by failing to take reasonable steps to protect against the misuse of people’s personal information.

While acknowledging the unprecedented circumstances, Commissioner Sven Bluemmel said government agencies were rightly held to a high standard.

“The failure to protect personal information resulted in serious and life-altering crimes being committed against a young woman,” he said.

Contracts with recruiting companies were unclear about the responsibility of performing police checks and did not specify measures to review whether the obligations were being met.

“The department did not submit any police check applications for processing for a period of eight months,” the 65-page report said.

Four recommendations were made to bolster the department’s preparedness for recruiting surge workforces with access to personal information and to assign a senior department figure to oversee contract creation and management with service providers.

“We know that there will be future health and other emergencies requiring rapid responses that place government agencies under pressure,” Mr Bluemmel said.

“What we can learn from the events of this case is that it is extremely difficult to make large-scale adjustments to an emergency public health response when you are in the middle of it.

“Agencies must consider risks and be prepared.”

In its official response, the health department expressed regret about the misuse of personal information, and accepted more could have been done to protect Victorians’ privacy.

It committed to consider the recommendations and provide an update on the action it has taken or plans to take to the Information Commissioner by March 2024.

– AAP