- by: Karen Dearne
- From: The Australian
- December 14, 2011
Tuesday, December 20, 2011
Just Why Have Medicare Not Got The Abuse Of Their Systems Under Control? Firm Penalties Are Vital.
The inadequacy of the present legislation protecting personal information held by Government agencies is made very clear in the following report.
A CENTRELINK employee was sacked after accessing records belonging to customers and co-workers on 124 separate occasions, and misusing the agency's IT systems to benefit the people concerned.
The 26-year Centrelink veteran was terminated in early 2010, after an investigation into the many "unauthorised accesses” between January 2007 and January 2010.
The outcome is one of 14 cases of suspected breaches of the Australian Public Service code of conduct investigated by Centrelink over recent years; the heavily redacted findings have been published under Freedom of Information laws.
The staff member accessed one customer’s records on 61 occasions, and also a co-worker’s customer record on 61 occasions.
An investigation revealed that on three further occasions, unauthorised accesses to a former co-worker’s records resulted in alterations awarding benefits the individual was not entitled to receive.
The investigating professional standards officer dismissed the employee, saying "Centrelink takes these types of situations seriously".
Detecting and disciplining data snoops is a key priority for federal government agencies, with a number of high-profile data sensitive projects in train, including the merger of Medicare, Centrelink and Child Support and the creation of a national Healthcare Identifier database for the upcoming personally controlled e-health record system.
In the published sample cases, nine other Centrelink employees were found to be searching customer records of family members and acquaintances through the Income Support Information System or OnLine Search facility, incurring penalties of an average $50 to $100 per breach.
More examples of bad behaviour are found here:
With the Government planning to hold all our health records in data-bases managed by either Medicare Australia or a contract partner it seems clear the penalties are simply not adequate at present.
For me proven deliberate access without a proper reason should result in a no questions asked instant dismissal and if there has been any harm caused by the breach there should be serious fines of $20,000+. For breaches for profit etc. jail time should be a serious option.
It is only with dis-incentives of this level, clearly communicated to staff, will the problem be substantially addressed.
The Explanatory Memorandum for the PCEHR Bills (page 35 on) makes it clear that civil penalties for abuse of the PCEHR information (with some more draconian Crimes Act provisions available for serious criminal activities) will be enacted and this is a good thing - as long as all involved know how seriously such offenses will be taken and that the penalties handed out are really substantial to act as a proper incentive to do the right thing.
The first time a $110 fine is handed out will be the last time the penalty regime is taken seriously.
You can access the Explanatory Memorandum here:
We really need very powerful dis-incentives and comprehensive education to make this work - given the Medicare experience among others.
Posted by Dr David More MB PhD FACHI at Tuesday, December 20, 2011