Information Commissioner’s Report
29 March 2018
The Department of Health welcomes the Information Commissioner’s final report following his investigation into the department’s release of a sample of data from the Medicare Benefits Scheme (MBS) and Pharmaceutical Benefits Scheme (PBS).
This action was taken by the department with the intention of supporting medical research and policy development, and with the belief that the privacy of individuals had been protected.
The Commissioner has found the department:
- did not breach APP6 of the Privacy Act 1988 regarding the personal information of patients;
- was in breach of APP 6 of the Privacy Act in relation to the personal information of medical providers; and
- did not comply with APP 1 or APP 11 of the Privacy Act in the course of preparing the dataset for publication.
To ensure the department continued to comply with the Australian Privacy Principles as well as other requirements, it offered to the Commissioner an Enforceable Undertaking under section 33E of the Privacy Act. The Commissioner considered the Enforceable Undertaking was an appropriate regulatory outcome for his investigation, and this Undertaking is now in place.
It is important to note that the Department is not aware of any individual or provider having been identified through this release of data.
By Esther Han
p.s. In the spirit of preventing this happening again I provide the following link(s) from the OAIC.
De-identification and the Privacy Act
I am sure the DOH will find some useful reading here. As I am sure they will find this interesting!
Guide to Data Analytics and the Australian Privacy Principles