Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, December 04, 2019

Do You Think We Actually Know If The #myHealthRecord Has Already Been Used For Nefarious Purposes?

This popped up last week:

'Serious misjudgment': policeman fined for giving friend intelligence

By Georgina Mitchell
November 25, 2019 — 6.16pm
A NSW highway patrol officer has been convicted and fined $3080 after he met a long-term friend at a cafe this year and gave him restricted information from the police computer system, in an interaction witnessed by an undercover operative.
Phillip Edward Parker, 53, told his friend of 30 years that Strike Force Raptor – a police taskforce targeting bikies and criminal activity – had written two intelligence reports about him in police database COPS.
Parker told his friend the dates the reports were put into the system and said they concerned his friend's presence at an incident, as well as information about a stolen tow truck from 2008.

The details were divulged after a police officer pulled the friend over on April 8, 2019 and said to him: "Have you been in trouble before ... a couple of intels are coming up on you".
"I said 'excuse me?'" the friend told Parker, in a call intercepted by police. "He goes 'yeah'. I said 'f---ing hell, I don't know what intels are coming up on me. Mate, I've done nothing."
Parker asked for the registration number of his friend's tow truck. Later that day, the friend asked if he'd had time to look into it.
"Nah I haven't had time yet," Parker responded.
"I can't believe he said that," the man said. "I just played the tape back. He clearly said it. That blew me away, f---. Unless he was bluffing, but you can't say shit like that. Like it's f---ing upset me."
The next morning, Parker met the friend at a cafe at Penshurst in Sydney's south, bringing with him his police "Mobipol" data terminal.
According to agreed facts, "an undercover operative in the cafe" overheard Parker relay information from the police system to the man. The man then said he would speak to his solicitor and make an application to access the intelligence reports.
"The offender then put the Mobipol device away before the two left the cafe," the facts said.
More here:
What this shows is that, with a co-operative ‘friend’, it is possible, using legitimate access, to look up all sorts of private information, and this has to include the #myHR. Sure, there may be an audit trail of the access, but how many have their account set up to alert them when unexpected access happens, or have blocked some / all access to all but a few users? Is the ADHA regularly reviewing each and every audit trail? I suspect not! The risk of getting caught seems pretty low.
From the Auditor General’s Report we have this: (p37)
“3.39 As at 30 June 2019, a Record Access Code had been set for 27,215 records – 0.1 per cent of all records – and a Limited Document Access Code had been set for 3,862 documents in the system.”
So basically no-one has secured their record – and details were not provided on the number who have set SMS alerts on access – but presumably it is again not many.
What we thus learn is that any properly authorised user can pretty much look at any record they know the details of and is pretty unlikely to trip any security alert about unauthorised access.
I am not sure the public would describe this as a secure and well-regulated system where the users are sufficiently well informed about possible access to be properly in control of what happens to their data.
Has such access already happened and no one has noticed?
Who knows?
David.

2 comments:

Nice but Dim said...

I agree David, the ADHA has questionable standards when it comes to honesty and transparency. A major breach could take place and the public would be none the wiser.

This erosion of trust with ADHA and the Minister is perhaps the saddest outcome to date.

Bernard Robertson-Dunn said...

The culpability of ADHA and the minister are different. The ADHA and its CEO make untruthful statements, e.g. Tim Kelsey is reported to have said on 21 Feb 2019:

“A GP will have the most up-to-date information currently available on the patient and in that way, we will reduce the number of accidental misdiagnoses”

[We need to get the digital basics right and quickly: Tim Kelsey
https://www.healthcareit.com.au/article/we-need-get-digital-basics-right-and-quickly-tim-kelsey]

The reality is very different. A patient's myhr will start off empty of clinical information and historical data cannot be uploaded. The system was supposed to "help overcome the fragmentation of health information" but does nothing of the sort.

I can find no statement from the minister, inside or outside parliament where he has made any claims as to the capability of myhr. There is a quote from him in the ANAO review describing what the myhr was supposed to do, but he seems to have been very careful not to claim what it does.

But he is the minister responsible for his portfolio, which includes the ADHA.

These days ministers appear to be able to hide behind plausible deniability - he was not the minister responsible for the thing and he relies on expert advisers.