This appeared a few days ago.
ADHA sees 'inconsequential' My Health Record data breach notices eroding trust
By Ry Crozier on Jan 8, 2021 7:08AM
Calls for lesser need to disclose.
The Australian Digital Health Agency, overseer of the My Health Record, has expressed concern at the number and type of "potential" data breaches it is being forced to disclose.
In a submission to the Privacy Act review [pdf], the agency (ADHA) asks for changes to the My Health Records Act under which it operates, and for “harmonisation” of data breach rules with those in the Privacy Act.
ADHA said the Act under which it operates requires both “actual and potential breaches” to be reported, a “first of its kind in national legislation”.
“The My Health Record data breach scheme was intended to provide transparency for consumers and the public about the safety and reliability of the My Health Record system,” ADHA said in its submission.
“However, the definition of a breach under section 75 of the My Health Records Act 2012 is very broad and substantially differs from what the community may reasonably consider to be a ‘breach’.
“It also differs substantially from the notifiable data breach scheme requirements under the Privacy Act.
“One key difference is that mandatory reporting of data breaches under the My Health Records Act are required even where there may be no adverse impact or likely to result in harm to a consumer. This may also require notification to individuals if they are affected by the notifiable breach – even where there is no risk of harm.”
Under the current law, ADHA and its health partners that interact with My Health Records must disclose even unsuccessful access attempts and false positives.
That has meant that in years past ADHA has had to report - and declare - dozens of “breaches”.
The agency said in the Privacy Act review submission that it “would support some harmonisation of the My Health Record data breach requirements with those under the Privacy Act.”
ADHA said later in the same submission that while “it is appropriate that the privacy protections in the My Health Records Act continue alongside the broader protections set out in the Privacy Act, nevertheless [it] considers that some changes to the My Health Records Act should be canvassed, including further alignment with Privacy Act concepts.”
Some changes may already be in train, with the Department of Health raising similar arguments in a review of the My Health Records legislation that ran for about a month late last year.
A report stemming from that review is already with the Health Minister, according to the department's website.
In a consultation paper [pdf] released for the review, Health said that one of the “criticisms” of the health record scheme “is that the MHR Act requirements are more demanding and indeterminate than the Privacy Act requirements.”
…..
Privacy watchdog's opposition
The OAIC is largely against ADHA's proposal, and believes My Health Record should remain subject to the more stringent data breach reporting standards.
"The OAIC is concerned that the lower data breach notification threshold required for information held in the MHR system was designed as a privacy enhancing measure, given that the MHR system is a searchable network of connected registered repositories storing sensitive personal information," it said in a submission [pdf] to the Department of Health review.
The full article is here:
The ADHA leadership are really an arrogant mob!
The regulations for Breach Reporting were put in place to reassure the public and now they want to wind their transparency back as it is inconvenient. They handle sensitive information and need to fully report any potential risks to the data. Interesting that the privacy watchdog does not agree with the ADHA, and I certainly agree with them and not the ADHA!
They got rid of Board Minutes and now this. They really are a piece of work!
What do you think?
David.
If I wasn’t suspicious of this ragtag mob before, I sure am suspicious now. There must be more to this than the burden of filling out a form or two?
No good will come of this in the medium to long term. EHealth failures can be traced back in a large part to exactly this sort of thinking. Pressure from lazy people and organisations. Please relax this, can we not have to meet that requirement, park it for future implementation - this is what happened to standards and compliance, happened to the HI service, happened to secure messaging.
Not a great start for the newly demoted CEO.
An odd strategy. Would have thought a better option would be to see the marketing opportunities in transparency rather than create yet more negative noise by being all secretive. I am guessing this is a result of a series of unfortunate excuses. Thanks David, will watch this unfold, especially as it goes against the grain of the current privacy policy drive.
An odd strategy? More like a slap in the face and a middle finger to citizen rights.
"EHealth failures can be traced back in a large part to exactly this sort of thinking. Pressure from lazy people and organisations"
Exactly! By employing generic management to run the show they somehow think they can fudge the outcomes. Computers don't work like that; if it's not right it doesn't work! We need to try and get the base level functionality right, not "sort of reasonable". Trying to build on crappy untested implementations is pouring money down the drain, which describes the last 20 years of eHealth.
I think Sarah Conner has highlighted something very relevant. The ADHA's inability to manage the messaging around breach notifications and its own specific legislation should be of great concern. Obviously the CEO has no faith in the Agency's privacy, policy, and legal teams.
If only the troubles with the MyHR and national digital health efforts were that simple. It is a bit like - if a database is breached and no one is there to hear it, was it really breached?
It seems myGov is getting worse.
Services Australia have created a two factor authentication Code Generator app
https://www.servicesaustralia.gov.au/individuals/online-help/set-mygov-code-generator-app
Some people think that it (to put it mildly) has not been thought through or tested properly.
https://www.reddit.com/r/australia/comments/kw3rqc/my_latest_review_of_the_mygov_code_generator_app/
There are over 3,400 reviews, most negative.
That same mindset and incompetence that delivered the MyGov 2FA (to fail again) now directs the My Health Record and national eHealth infrastructure.
Not that two factor authentication is the answer anyway.
Cloud Attacks Are Bypassing MFA, Feds Warn
https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/
And we know how diligent users are when it comes to security, etc.
One third of Australian users have not updated Covidsafe app
https://www.theguardian.com/technology/2021/jan/14/one-third-of-australian-users-have-not-updated-covidsafe-app