Another blunder by a large-scale organisation is providing a loud reminder that digital security is not taken seriously enough in Australia.
With the upcoming legislation amendments, Australian businesses and the public need to be well informed about data security, and work towards two important changes: a refresh of security systems, and a shift in the mindset surrounding digital security.
The Department of Health blunder
The Department of Health is facing ongoing investigations by the OAIC after unintentionally exposing the health records of 1 in 10 Australians. The sensitive information included that of prominent Australians such as MPs and sportspeople. The information was anonymised through de-identification and released to the public, as is common practice. Unfortunately for that 10% of the Australian population, a study conducted by the University of Melbourne’s School of Computing and Information found that individuals could be re-identified.
The University of Melbourne study found that these unique patient records can be matched against publicly available information, such as past medical procedures and year of birth, allowing identities to be inferred with some confidence. This potentially exposes socially sensitive records such as prescribed medications, terminations of pregnancy, and information on personal mental health.
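The linkage the study describes works because a patient's year of birth plus their service history is often unique within the release. The pre-release check below is an added example, not code from the Department or the Melbourne study: it measures how many patients are unique on those quasi-identifiers (k-anonymity) and also shows the effect of coarsening year of birth to a decade band. The claim rows, service codes and band sizes are constructed for illustration.

```python
from collections import Counter

# Constructed sample of de-identified claim rows in the shape of a linkable MBS/PBS
# extract: (patient_id, year_of_birth, service_code). patient_id is the opaque token
# that replaced the Medicare number; year_of_birth and service history are the
# quasi-identifiers an outsider could match against other sources.
SAMPLE_ROWS = [
    ("p01", 1961, "A"), ("p01", 1961, "B"),
    ("p02", 1961, "A"), ("p02", 1961, "B"),
    ("p03", 1964, "A"), ("p03", 1964, "B"),
    ("p04", 1964, "A"), ("p04", 1964, "B"),
    ("p05", 1958, "A"), ("p05", 1958, "C"),
    ("p06", 1955, "A"), ("p06", 1955, "C"),
    ("p07", 1961, "A"), ("p07", 1961, "B"), ("p07", 1961, "D"),
]

def quasi_identifiers(rows, year_band=1):
    """One key per patient: (banded year of birth, frozenset of service codes).
    year_band=1 keeps the exact year; year_band=10 coarsens it to a decade."""
    per_patient = {}
    for pid, yob, code in rows:
        banded = (yob // year_band) * year_band
        per_patient.setdefault(pid, [banded, set()])[1].add(code)
    return {pid: (yob, frozenset(codes)) for pid, (yob, codes) in per_patient.items()}

def k_anonymity_report(rows, year_band=1):
    """Count how many patients share each quasi-identifier combination. A patient
    whose combination occurs once is unique in the release and can be singled out
    by anyone who knows that year of birth and procedure history from elsewhere."""
    keys = quasi_identifiers(rows, year_band)
    counts = Counter(keys.values())
    unique = sorted(pid for pid, key in keys.items() if counts[key] == 1)
    return {
        "patients": len(keys),
        "k": min(counts.values()) if counts else 0,  # smallest equivalence class
        "unique": unique,
    }

def safe_to_release(rows, k_required, year_band=1):
    """Release gate: allow only if every quasi-identifier class has k_required members."""
    return k_anonymity_report(rows, year_band)["k"] >= k_required

if __name__ == "__main__":
    for band in (1, 10):
        print(f"year band {band}:", k_anonymity_report(SAMPLE_ROWS, band))
    print("release allowed at k>=2:", safe_to_release(SAMPLE_ROWS, 2))
```

Even with decade banding one patient stays unique because of an unusual service history, which is why a real release gate must look at the whole quasi-identifier combination rather than at each column in isolation.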
The information, released in 2016, includes data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS). A department spokesperson informed the media that the project has been halted and the dataset removed, and offered assurance that measures are being taken to protect and manage data.
The problem (now more than ever)
This is a perfect demonstration that Australian organisations both within and outside the government remain unprepared for the changes to the Privacy Act 1988 becoming effective in February next year. The Privacy Amendment (Notifiable Data Breaches) Act 2017 is bound to catch many businesses off guard.
Sloppy security measures constitute a huge breach of trust for the Australian public. When we work with organisations that collect sensitive personal data, we trust in the confidentiality offered by the organisation. When we work with an organisation that releases datasets publicly, we do so with faith in anonymity. Australians trust in the strength of the protections in place. Incidents like this recent security lapse prove to us that our trust is often misplaced. We’re led to question the strength of organisations’ security measures and, perhaps more importantly, to question whether they take our personal security seriously.
The core problem is not that the records can potentially be re-identified. The problem is that sufficient attention was not paid to security risks before the dataset release. It’s an issue of carelessness. Security was not given priority, and as such was compromised.
Personal security is rarely as straightforward as ‘to share or not to share’. For the purposes of research and transparency, it is essential that some de-identified datasets are released, especially when it comes to government entities. What needs to be considered is the nature of the release — how and to whom information is accessible, whether it is secured with technology that keeps pace with technological advances, how effective the de-identification procedures are, and whether or not data are eventually removed or destroyed.
Introducing additional legislation against the re-identification of data may patch some parts of the issue, but it is a temporary and ultimately ineffective fix. It will do little in the light of the Privacy Amendment next year. The new amendment will see organisations penalised heavily for allowing data breaches to occur. In that way, it’s a step in the right direction when it comes to ensuring we all take digital security more seriously.
The lesson to be learnt here is not one unique to the digital age. Security always needs to keep pace with threats. When the enemy makes stronger battering rams, we must see that and build a stronger door. If the enemy can sneak up through the sewers, we must know that and guard the manholes. Businesses must know intimately the nature and severity of shifting digital security threats, and never let down their guard.
Here’s the crux: digital security must be given more weight. Simply by tightening security measures and keeping digital security at the very forefront of company consciousness, organisations will avoid the embarrassment, reputation damage, and financial burden of a security breach, ensuring the continued trust of all Australians.
With the new legislation fast approaching and public awareness rising, it’s time for companies to address digital security with the gravity it deserves.