Thursday, October 13, 2016

It Rather Looks That The Government Needs To Fundamentally Re-Think The Open- Data Release Program.

Last week we heard all about this issue which was covered superbly in the Saturday Paper a few days ago:
Oct 8, 2016

Millions of Australians caught in health records breach

The government’s negotiations with doctors over the Medicare rebate is not helped by a breach of privacy on apparently anonymised health data.
When she addressed the annual conference of the Royal Australian College of General Practitioners in Perth last week, Health Minister Sussan Ley was already in a hostile environment.
Doctors are angry at cost-saving measures that are putting pressure on their fees. They believe the government has broken promises, used them as a collective cash cow and left them to pass on higher costs to their patients.
Standing at the podium, Ley surprised the GPs by apologising for something else entirely.
Ley revealed that the health department had inadvertently committed a potentially serious breach of the Privacy Act by deliberately publishing supposedly anonymous Medicare and pharmaceutical claims data involving GPs and three million of their patients.
To help health researchers provide better analysis and contribute to health policy, the department had made public “de-identified” records of claims under the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme for a randomly selected sample of 10 per cent of the Australian population.
But it had also included just enough information about its encryption algorithms to enable a competent code-breaker to unravel the jumbled numbers that replaced doctors’ provider numbers and potentially identify them.
Ley did not explain why, when doctors who discover a privacy breach are obliged to alert those affected immediately, the government waited 16 days. 
It took analysts at the University of Melbourne’s Department of Computing and Information Systems just a few days to do it.
“Yes, there will always be risks, no matter how slight, around the release of any de-identified data,” Ley told the conference last Thursday morning, as she segued to a nothing-to-see-here confession, five minutes into a half-hour speech. “It’s how we manage these risks when they arise that is important.”
Her department’s risk management is now the subject of considerable discussion across government about how the release of information on the Department of Prime Minister and Cabinet’s data.gov.au website could have been so badly handled.
Ley revealed that the University of Melbourne researchers had notified her department of “a vulnerability” in the encrypted data on September 8 – the researchers say it was actually September 12 – and “that individual healthcare providers could possibly be re-identified”.
Ley assured doctors there were “no provider names in the dataset” and no patient information had been “compromised”.
Lots more here:
No sooner did we think this has settled down than this news appeared.

Privacy fears over public service data release

Australian Public Service Commission reviews employee census data set
Rohan Pearce (Computerworld)  06 October, 2016 08:49
The Australian Public Service Commission is reviewing a data set it released through the government’s open data portal to ensure that it can’t be used to identify individual government employees.
Fairfax Media yesterday revealed the privacy concerns over the public service employee census data set.
“The APS employee census collects attitudinal data, it is not administrative data and does not collect names or contact details,” an APSC spokesperson said in a statement.
“De-identified and significantly aggregated APS employee census data is published annually on data.gov.au. Respondents are advised of this before completing the survey.”
……
In response to the discovery of the vulnerativlity in the health data sets, Attorney-General George Brandis announced Privacy Act changes that will make it a crime to reidentify ostensibly deidentified government data. His announcement has raised concerns that it could have an impact on cyber security research.
More here:

Govt pulls dataset that jeopardised 96,000 employees

By Allie Coyne on Oct 6, 2016 7:17AM

Downloaded 58 times before being removed.

A second data breach within the federal government in a week has seen a dataset involving 96,000 public servants pulled from public view over privacy concerns.
Fairfax Media reported yesterday that the Australian Public Service Commission had decided to pull the dataset from the government's open data portal data.gov.au over concerns the information could be used to identify individual officers.
The APSC performs a massive yearly employee census to collect attitudinal data that tracks the views of staffers about management and workplace conditions.
While the data collected from the 96,000 public servants does not involve names or contact details, the APSC told iTnews that tweaks to this year's dataset had raised privacy concerns.
For the first time since it started collecting the census in 2003, the APSC this year added a numeric code for each government agency to an individual's responses.
It said agencies were not named and "at no time did the APSC publish individual identifiable information in the public domain".
But it decided to pull the dataset and review the information over concerns matching agency codes to individual responses would make it relatively easy to identify the public service worker who filled out the census.
Lots more here:
As well as here:
  • October 5 2016 - 9:24AM

96,000 public servants in new data breach

Noel Towell
The federal government is caught up in a second data privacy scare, this time involving a massive data-set on more than 96,000 of its public servants amid fears their confidential information might not be secure.
In the second potentially serious Commonwealth data breach to become public in less than a week, the public service's workplace authority has confirmed that it has withdrawn the data gathered in its massive annual employee census from public view.
It is feared that identification codes for departments and agencies could be used to identify the individual public servants who filled in the census, the largest workplace survey undertaken in Australia, on condition of anonymity.
The data has been taken down from official websites to be washed of any features that could be used to breach the privacy of government officials.
But the Australian Public Service Commission has confirmed the data-set was downloaded nearly 60 times before the take-down, meaning the raw information is in circulation with no way to control how it is used or distributed further.
Much more here:
One really wonders what is going on here and how many other IT academics are working to access more of the information the government is / has released.
What is needed here is for the Government to close all the releases down and then publish a proper draft framework for how it is going to move forward and have it fully critiqued by experts here and overseas.
If they don’t I suspect the drip, drip of mistakes will just grow.
David.

No comments: