Tuesday, September 13, 2016

The Office Of The Australian Information Commissioner Has Reviewed The myHR And Found A Potential Information Leak.

This appeared a little while ago:

National Repositories Service: Implementation of recommendations — My Health Record System Operator

Assessment undertaken: November 2015
Draft report issued: April 2016
Final report issued: September 2016
…

Part 1: Summary

1.1 This report sets out the findings of a follow up assessment by the Office of the Australian Information Commissioner (OAIC) on the System Operator of the My Health Record system (Department of Health).[1] The assessment considered how the System Operator has addressed recommendations from the OAIC’s previous audit on the security of personal information held on the National Repositories Service, undertaken in January 2014.
1.2 The fieldwork component of the assessment was conducted from 11 to 12 November 2015 at the System Operator offices in Canberra.
1.3 The OAIC has made three recommendations that, if put in place by the System Operator, will, in the opinion of the OAIC, minimise the risks identified around how the security of personal information is managed. These are set out in the report and summarised at Part 5.
…

Part 5: Summary of recommendations

Recommendation 1

5.1 It is recommended that the role and operation of the PSWG is reviewed to ensure that it has an effective role as a focal point for strategic and significant privacy advice and solutions for issues affecting the My Health Record system.

Assessee Response

5.2 Agreed. The role of the internal PSWG will be reviewed to give the group a more strategic focus in an operational context. The review will also consider the role of the PSWG following the establishment of a Privacy and Security Advisory Committee as part of the governance structure for the Australian Digital Health Agency.

Recommendation 2

5.3 Subject to the following paragraph, it is recommended that the System Operator undertake a PIA (and, if necessary, a TRA) into the use of the IMS with particular reference to its adequacy in the My Health Record system incident management context and the effectiveness of its access controls.
5.4 A PIA may not be necessary if the System Operator is satisfied that the end to end security review and the external security review of the IMS adequately set out the privacy impacts from using the IMS to share incident information.

Assessee Response

5.5 Agreed. The Australian Digital Health Agency will undertake a PIA on the IMS following consideration of the findings of the My Health Record end to end security review and its adequacy in addressing information sharing in the IMS.

Recommendation 3

5.6 It is recommended that the System Operator consider measures to assist with identifying where personal information is stored on the IMS. The System Operator should also consider how to secure older IMS tickets which may contain personal information with appropriate access controls. Where personal information is identified, consideration should be given to whether it needs to be retained in accordance with the Archives Act 1983 (Cth).

Assessee Response

5.7 Agreed. The System Operator will develop a written policy which outlines the System Operator's obligation for the management of personal information under the My Health Records Act 2012 and the Archives Act 1983. This will include periodic reviews of information contained in the IMS to identify, manage and dispose of such information in accordance with these obligations.

Here is the link:

It seems that the myHR IMS (Incident Management System) collects a lot of data directly from the live system and that this information is widely shared with people outside the System Operator.

Clearly there need to be procedures to ensure that the shared information is not sensitive for any client of the myHR, and this seems not to be the case at present.

The System Operator says they will fix the issue.

We look forward to the next review to confirm that this has been the case!

David.

1 comment:

Bernard Robertson-Dunn said...

Maybe they'll get round to fixing that just after they sort out call centres. But don't hold your breath.

In 2010/11 the government commissioned a Privacy Impact Assessment from Minter Ellison, a firm of lawyers.[PIA]

Their report included these statements:
5.1.13 Privacy Risks - Access to personal information by Call Centre

a) It has not yet been determined the extent to which staff of the System Operator's Call Centre will be able to 'view' data held in a consumer's PCEHR.

5.1.14 Recommendation - Access to personal information by Call Centre staff

5.11 That regulations under the PCEHR Bill set controls over the System Operator's Call Centre, including requirements for staff security screening, the monitoring of calls, and how much of a consumer's data can be 'viewed' in what circumstances.

Reference:
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/faq-security-410/$file/Personally%20Controlled%20Electronic%20Health%20Record%20PCEHR%20Privacy%20Impact%20Assessment%20Report.pdf

Paragraph 5.14 is recommending that the Minister for Health creates regulations that define controls over what Call Centre operators can and cannot do.

Regulations are part of the legislative process that allow a minister to "fine tune" a parliamentary act, without having to present a bill to parliament. This is a normal parliamentary process.

The Department of Health's response to paragraph 5.11 of the Privacy Impact Assessment, above, was this:

The Department agrees that a clear and robust framework is required for the operation of the PCEHR system Call Centre. The Department considers that this would be achieved in a flexible and responsive way through the use of regulations or rules. This is provided for in the legislation (s109(2) and (3)).

Did the Department develop that framework? Not that we know of, six years later.