Sunday, March 03, 2019

FOI Request Response On The MyHR Deletion Mechanism Raises Some Very Interesting Questions!

Here is the response page:
Australian Digital Health Agency
March 01, 2019

FOI.190218 Signed decision letter.pdf
242K

Dear Mr Warren,
Good afternoon. Please see the attached signed decision letter in response
to your FOI request.
Regards,
Cecilia
FOI Officer 
FOI Officer, FOI Team 
Strategic Service Design and Delivery
Australian Digital Health Agency 
Scarborough House, Level 6, 1 Atlantic Street, Woden ACT 2606
Phone +61 22230780
Mobile +61
Email [ADHA request email]
Web www.digitalhealth.gov.au
The Australian Digital Health Agency acknowledges the traditional owners
of country throughout Australia, and their continuing connection to land,
sea and community. We pay our respects to them and their cultures, and to
Elders both past and present.
Important: This transmission is intended only for the use of the addressee
and may contain confidential or legally privileged information. If you are
not the intended recipient, you are notified that any use or dissemination
of this communication is strictly prohibited. If you receive this
transmission in error please notify the author immediately and delete all
copies of this transmission.
Here is the link:
Setting aside the verbiage, the guts of the decision in the .pdf is:
----- Begin Extract

Decision

The schedule indicates the document to which access is refused. My reasons for refusing access are given below.

Exemptions

Conditional exemptions
Documents to which section 47E applies
I have decided that document 1 contains material that is fully exempt from disclosure under section 47E of the FOI Act as set out in the attached schedule.
Sub section 47E(d) of the FOI Act concerns documents that may affect certain operations of agencies and it provides:
A document is conditionally exempt if its disclosure under this Act would, or could reasonably be expected to, do any of the following:
….
(d) have a substantial adverse effect on the proper and efficient conduct of the operations of an agency.
I note that paragraph 6.123 of the OAIC Guidelines state that any predicted substantial adverse effect must ‘bear on the agency’s proper and efficient operations, that is the agency is undertaking its expected activities in an expected manner’.
I have found that the Agency’s operations would be substantially affected if the information in the above document was disclosed. The information regarding the technical operation system for the deletion processes contained in this document is such that, if it were released, the Agency’s My Health Record (MHR) and ICT systems would be vulnerable to potential exploitation and other cyber security risks.
To divulge that level of technical information, would compromise the security and integrity of the MHR system. It would undermine the Agency’s ICT systems control, operations and processes for the management of the MHR and potentially weaken the Agency’s ICT capability into the future. Authors of operational information may limit the detail included in this material to reveal less about the system and the way it operates in case the information is made publicly available.
I am satisfied that the document identified above attracts the subsection 47E(d) exemption because the Agency’s operations would be compromised.
After determining that the documents are conditionally exempt in accordance with subsection 47E(d), I am required to consider the Public Interest test (section 11A(5)).

Public interest considerations

Disclosure of the deliberative material would facilitate the objects of the FOI Act, by providing the applicant with access to information held by the Commonwealth Government (the Government) and increasing scrutiny of the Government’s activities. However, I consider that release of this information could reasonably obstruct the future development of ICT operational systems from being honestly expressed and recorded. It is also of equal importance that a level of integrity and confidence is maintained for the continued free flow of ideas and that operational platforms are protected. It is important that officers are able to give full and uncensored consideration to opinions, advice and outcomes when engaging in operational functionalities. The ability and willingness of officers to thoroughly consider all options would be adversely affected if the document could then be disclosed to the public for debate and comment outside of official operational processes.
Therefore, it is reasonably foreseeable that allowing public access to documents concerning the operations of the Agency would undermine the functioning of the Agency, its ICT systems and its conduct in discharging Commonwealth business.
I consider that, on balance, the public interest factors against disclosure outweigh the factors for disclosure of the exempt material contained in the documents. Therefore, I have decided that it would be contrary to the public interest to release the information considered exempt under section 47E(d) of the FOI Act.
In accordance with section 11B(4) of the FOI Act, I have not taken any irrelevant factors into account when making my decision.

Additional information

In relation to your request, there is legislation and publicly available information that explains the technical dimensions of the record destruction of MHRs.

A MHR that was cancelled in the past (and archived) will be permanently deleted. If you cancel a record at any time it will be permanently deleted. See: https://www.myhealthrecord.gov.au/about/legislation-and-governance/summary-privacy-protections
The Australian Parliament passed the My Health Records Amendment (Strengthening Privacy) Act 2018 on the 26 November 2018. See: https://www.aph.gov.au/Parliamentary_Business/Bills_LEGislation/Bills_Search_Results/Result?bId=r6169
As at 1 February 2018 consumers cancelling records were archived in the MHR System. The MHR website holds information on permanently deleting your record, permanent deletion of a cancelled My Health Record, recent changes now allow permanent deletion of a MHR and previously cancelled records. Please see https://www.myhealthrecord.gov.au/for-you-your-family/howtos/cancel-your-record.
Please note: Any MHR that has previously been cancelled will also be permanently deleted from the system.
The process to permanently delete these records started on 23 January 2019 and is expected to take up to 90 days. There is no archived or back up of these deletions and that information will not be able to be recovered.
----- End Extract
The bottom line here is, as Justin Warren, who requested the document, has pointed out (and big thanks for the effort), that it is hard to see how a vulnerability could be introduced by knowing how the deletion process works, and that it seems incredible there is only one document on the topic. A deletion process whose security depends on its description staying secret is a poorly designed one; a sound process can be described in full without giving an attacker anything useful.
Surely the ADHA could have produced a two page technical document explaining how it worked with no compromise – but as usual they obfuscate.
Without details no-one would trust that they actually do it! And saying that public knowledge of how things work would discourage discussion internally is bunkum.
What do you think?
David.

10 comments:

  1. Well, it seems like they only have one technical document about deleting records, written by Accenture (their contracted system provider), and they are worried about having to be too guarded about how they write technical documents in case the public or cyber security criminals get to read them.

    But I agree, surely there is an overview available that explains how a record delete works, to a sufficient level that provides some assurance to those that are users of the system – i.e. consumers and healthcare providers. Why so secretive?

    Here are the things I would like to know if I choose to delete my record:

    What will happen if a hospital or a GP tries to access my (now deleted) record – e.g. to upload a shared summary or a discharge summary – or to correct one that may have been in error? Will the my health record system tell them ‘this record has been deleted’ or ‘no such record exists’. Confusing for the healthcare provider, especially if they have previously accessed/ uploaded to this record. If the message is ‘no such record exists’, then the uploading provider might then waste time in determining if they have the wrong patient details (e.g. wrong IHI).
    What if the record was previously accessed, and used to make a clinical decision (e.g. using allergy information), and now there is a medico-legal case that needs to ascertain what was in the record at that time? If the local system has not kept a record of what was downloaded at that point in time, and the central system has deleted everything, then there is no evidence, and perhaps some loss of trust in using the system altogether.

    As a consumer, I would like to know a little more than the high level ‘sound bites’ on the public website.

  2. A document is conditionally exempt if its disclosure under this Act would, or could reasonably be expected to, do any of the following:
    ….
    (d) have a substantial adverse effect on the proper and efficient conduct of the operations of an agency.

    This refers to the operation of the agency, not My Health Record

    You don't suppose that's code for "the delete function doesn't actually fully delete and if this was generally known, it would embarrass the agency"?

    just asking.

  3. As a digital health innovation platform (as spewed forth by Timothy Kelsey), how will that work if you cannot obtain details of the platform? As for cyber risk, they are simply playing the terrorism card and they know it. That in itself is a shameful act by employees of the federal government. Perhaps they should classify it ‘top secret’ and then get every one of the punters who wants to access it a top level security clearance!!

  4. Well then we are all doomed based on ADHA logic - https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-sharepoint-online-data-deletion

    Seems either the ADHA is talking through their ass or their ICT systems are so crap that something like the requested information creates a vulnerability? A system holding this sort of information and supported by a world leading cyber security centre, as Tom likes to boast, would surely have ongoing blue team - red team design and build practices?

    The ADHA has a very real Fawlty Towers feel about it.

  5. @4.30 PM "Will the my health record system tell them ‘this record has been deleted’ or ‘no such record exists’." Not a problem - the system will clearly indicate that as from nn pm on dd/mm/yyyy the record and all prior information held has been permanently deleted at the request of (person name and IHI).

    As for the rest of your comment - you are tilting at windmills and wasting everyone's time.

  6. @6:03 PM you wish.

  7. Having read and tried to understand what this ADHA person is trying to say, I come to the conclusion that what ADHA have said here (intentionally or otherwise) seems to indicate that the delete mechanism has introduced a systemic vulnerability into the GovHR system that the ADHA and Department know about, but don't want to disclose. Am I reading this right or is there another angle I am missing?

    I am not sure what the value was in all that legislative and policy narrative? Was it to distract? Was it to prevent people reading it? Or a simple case of what happens when non-qualified people try to mimic subject matter experts?

  8. March 03 8:14 PM. Perhaps someone very clever has advised the ADHA into unwittingly publishing an admission that the system is a very dangerous place for a nation’s medical information to be stored.

  9. I always thought that ADHA was reading from the 'Yes, Minister' playbook as this might explain why it behaves as it does. I have always viewed ADHA activity through the lens of 'What would Sir Humphrey do?' and predictability has been very high so far. However, I was disappointed that they didn't use terms such as "cause confusion" and "unduly excite public controversy" in responding to the FOI request.

    Perhaps ADHA could review the 'Yes, Minister' historical record for inspiration.

    Sir Humphrey: There is a well-established Government procedure for suppress… deciding not to publish reports.
    Jim Hacker: Really?
    Sir Humphrey: You simply discredit them.
    Jim Hacker: Good heavens... how?
    Sir Humphrey: Stage one, you give your reasons in terms of the public interest. You hint at security considerations – the report could be used to put pressure on government and could be misinterpreted.
    Jim Hacker: Anything could be misinterpreted. The Sermon on the Mount could be misinterpreted!
    Sir Humphrey: Indeed – it could be argued that the Sermon on the Mount, had it been a government report, would almost certainly not have been published. A most irresponsible document. All that stuff about the meek inheriting the earth could do irreparable damage to the defence budget.

    Classic.

  10. Comparing Timmy with Sir Humphrey is an insult to Sir Humphrey.

    Timmy is more like George W Bush. The real power lies with the people behind the smiling, but ineffectual face. Bush had the neocons, Timmy's puppet masters are less obvious. They will survive, Timmy won't.
