Tuesday, May 01, 2018

It Seems That ASIC Is Not The Only Rather Limp Wristed Government Regulator. OAIC May Need To Toughen Up Too!

This appeared last week:

Data debacle earns health department a slap on the wrist

One of the odder privacy sagas seems to have run its course
24th April 2018
It had all the hallmarks of a major blunder.
It was 2016 and the Federal Department of Health had just made public the MBS and PBS claims of some 2.5 million Australians, dating back 30 years.
The ostensibly de-identified dataset was supposed to be used for academic research.
But it wasn't long before three University of Melbourne boffins reported a potential flaw: using a few simple computer tricks, it was possible not only to identify the Medicare services provided by every GP in the data set, but also to identify patients and a significant amount of their medical history.
The academics even claimed that it was possible to extract the records of seven well-known Australians, including three politicians and an AFL star.
The story made national headlines about being potentially the biggest single data breach in Australian history and prompted an apology by then-health minister Sussan Ley at the RACGP conference. 
-----Lots omitted.

The celebrity angle
When the story broke, the researchers had also claimed there was another privacy hole which allowed them, in theory, to target celebrities.
They argued that if you knew the date a well-known patient had a particular service, such as a politician giving birth or a sportsperson undergoing surgery for an ACL injury, then if only one person had that service performed on that particular day, you could rummage through the MBS dataset and identify patients that way, along with all the other Medicare services they had received over the past 30 years.
Somewhat to the surprise of the researchers themselves, the commissioner dismissed this.
He said this was because the department had the foresight to randomly alter the dates of every MBS service, putting them up to 14 days forward or backwards before the data was put online.
This would have helped foil any underhanded plot.
The department also received a tick for removing rarely-claimed MBS items from the dataset for similar reasons.
In conclusion, the privacy commissioner said the idea of publishing the MBS and PBS data of 2.5 million patients for researchers to use was sensible enough, but the department should have done more to make sure the data could not be decrypted.
Some GP academics have questioned whether publishing slabs of data on the internet was a cost-cutting exercise — an alternative to funding proper research programs such as BEACH based at the University of Sydney.
The commission did not seem to consider this explicitly, but it did say more care was necessary before posting medical data on the open net.
Due to this lack of thought, the department was found guilty of breaching the Privacy Act.
The punishment? No, not mass fines. An "enforceable undertaking" to "continue to review and enhance its data governance and release processes, with oversight from the OAIC".
In other words, a slap on the wrist.
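The two mitigations the commissioner credited the department with, and the uniqueness risk they address, are easier to see in a small model than in prose. The following is an added example written for this post; it is not code from the article, the department or the OAIC. The record layout (patient id, item code, service date), the sample records, the item codes and the three-patient threshold for "rarely claimed" are my constructions; only the random shift of up to 14 days either way and the removal of rarely claimed items come from the article. The check it runs is the release-side one: does any (item, date) cell belong to exactly one patient, and how many patients share an item once the lookup has to be widened to the shift window?

```python
import random
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample release: (patient_id, MBS-style item code, service date).
# Item "ACL" is claimed by one patient only (a rarely claimed item);
# "GP" is claimed by everyone. None of this is real data.
SAMPLE = [
    ("p1", "GP",  date(2016, 3, 1)),
    ("p1", "ACL", date(2016, 3, 10)),   # only ACL claim: unique on its date
    ("p1", "GP",  date(2016, 5, 2)),
    ("p2", "GP",  date(2016, 3, 1)),
    ("p2", "GP",  date(2016, 3, 10)),
    ("p3", "GP",  date(2016, 3, 1)),
    ("p3", "GP",  date(2016, 3, 10)),
    ("p4", "GP",  date(2016, 3, 10)),
    ("p5", "GP",  date(2016, 3, 11)),
]


def singleton_cells(records):
    """(item, date) cells held by exactly one patient. Each is a point where
    knowing an event date would single out one person and, through the
    patient id, every other record of theirs in the release."""
    holders = defaultdict(set)
    for pid, item, d in records:
        holders[(item, d)].add(pid)
    return sorted(cell for cell, pids in holders.items() if len(pids) == 1)


def drop_rare_items(records, min_patients=3):
    """Mitigation 1 from the article: remove items claimed by fewer than
    min_patients distinct patients (the threshold value is an assumption)."""
    by_item = defaultdict(set)
    for pid, item, _ in records:
        by_item[item].add(pid)
    keep = {item for item, pids in by_item.items() if len(pids) >= min_patients}
    return [r for r in records if r[1] in keep]


def perturb_dates(records, max_shift_days=14, seed=0):
    """Mitigation 2 from the article: shift every service date by a random
    whole number of days in [-max_shift_days, +max_shift_days]."""
    rng = random.Random(seed)
    out = []
    for pid, item, d in records:
        shift = rng.randint(-max_shift_days, max_shift_days)
        out.append((pid, item, d + timedelta(days=shift)))
    return out


def patients_near(records, item, known_date, window_days):
    """Distinct patients with `item` within +/-window_days of known_date.
    Release-side risk check: a result of size 1 means a date known exactly
    (window 0) or to within the shift range still isolates one patient."""
    lo = known_date - timedelta(days=window_days)
    hi = known_date + timedelta(days=window_days)
    return {pid for pid, it, d in records if it == item and lo <= d <= hi}


def harden(records, min_patients=3, max_shift_days=14, seed=0):
    """Apply both mitigations in the order a release pipeline would."""
    return perturb_dates(drop_rare_items(records, min_patients), max_shift_days, seed)


if __name__ == "__main__":
    print("exposed cells before release:", singleton_cells(SAMPLE))
    released = harden(SAMPLE)
    print("exposed cells in perturbed data:", singleton_cells(released))
    # An exactly known date no longer indexes the release reliably; a date
    # known to within the shift range has to be widened to the full window,
    # which pulls in every other patient with that item in that window.
    print("GP on 2016-03-10, exact:", patients_near(released, "GP", date(2016, 3, 10), 0))
    print("GP on 2016-03-10, +/-14d:", patients_near(released, "GP", date(2016, 3, 10), 14))
```

Two things the model makes plain. First, date shifting does not remove singleton cells (a shifted date can still be held by one patient); what it does is break the link between a date known from outside the dataset and the row it is stored against, so the lookup has to be widened to the whole shift window and returns a crowd instead of a person. Second, removing rarely claimed items and shifting dates address different parts of the same risk, which is why the commissioner gave the department credit for both while still finding that more should have been done.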
Many more details:
With the Financial Services Royal Commission revealing just how few serious penalties have been imposed on those who were badly errant in the financial sector – and the Government in the last few weeks belatedly really ramping up potential penalties – we just note the efforts of the Office of the Australian Information Commissioner (OAIC) in bringing to book errant and clearly careless bureaucrats in the Health Department.
It seems just a stern talking to is all that is required. I am sure the AMP Chairman would hope her penalty would be as gentle. I suspect both criminal penalties and the loss of her job are more likely, and something similar, given the scale of the stuff-up, should have followed for the relevant leaders in the Health Department, don't you think?
As Justice Hayne was reported as noting:
“Banking royal commissioner Kenneth Hayne has questioned the attitude of the financial services industry to obedience to the law.
Acknowledging that the industry was large and things were bound to go wrong from time to time, Mr Hayne went on to say:
“One thing I might have to look at is what is the attitude of the industry … to obedience to the law.
“Obedience to the law that governs their affairs.
“There may be a difference between a breakdown in controls and an acknowledgment of a breach of laws.
“I don’t want people ignoring the fact that these are ideas at least on the table.”
See here:
Clearly the law similarly governs what Health Department bureaucrats may reasonably do and they need to take careful note – after all they too did break the law! The days of a slap with a wet lettuce leaf may be ending all over.
I sense public tolerance of bureaucrats ignoring laws may be on the turn.
David.

1 comment:

  1. I'm not holding my breath; this royal commission is certainly exposing a cancer in our nation's institutes.

    https://www.gizmodo.com/major-bank-loses-12-million-customers-data-in-the-most-1825711247/amp

    1. OAIC appeared rather relaxed about the whole affair - why? The revelations that key banking personnel were advising ministers right to the top show there were opportunities for interference and conflicts of interest; was there lobbying done to brush over this?

    2. My Health Record is based on banking-strength security practices. That sounds less and less like a trust-building claim, much like the fax protocols are the tyranny of our age.

    3. Can we be comfortable that all breaches have been made public? How long until the MYHR lot lose a container in cyber space?
