Collecting and publishing datasets is an important Government function that benefits the community. Sharing datasets enables policy makers, researchers and other interested parties to distill the information and inform policy decisions. However, just two months after the Census “Cyber Attack” scare, the Government is yet again caught up in a data breach. Below, we explain the recent breach, the Government’s response, and key lessons for businesses about controlling and preventing breaches.
The government has a strict de-identification procedure for all government published data; however, advancements in technology have rendered current de-identification methods insufficient. The Australian Public Service Commission (APSC) made available for public viewing the data collected in an annual employee census of 96,000 public servants. Following fears that the data was compromised, the Public Service’s workplace authority has since withdrawn the data from official websites along with any information that could be used to identify individuals. Before removing the data, the APSC confirmed that it had already been downloaded 60 times. This raw information is currently not in the government’s control and could be used to identify personal information.
The employee census for federal public servants has been collected annually since 2003 and personal information is collected and stored in accordance with the Privacy Act 1988 (Cth). The data records important information about management and workplace conditions so as to improve employee conditions. This was the first year that the private information collected was attached to agency identifiers. Supposedly, the agency ID would make the personal information collected identifiable when some basic information was known.
Are Breaches More Common Today?
Data breaches in 2016 seem to occur with increased frequency – whether it’s the census hack or more recently, the Medicare dataset published on data.gov.au. The Department of Health has removed the dataset based on Medicare and the Pharmaceutical Benefits Scheme after academics using the data discovered that some practitioner details could be identified based on their provider ID numbers. No patient information was compromised in the published dataset that offered a snapshot of Medicare claims between 1984 and 2014.
The Department is undertaking a full, independent audit of the process of reviewing, compiling and publishing datasets so as to remove potential future vulnerabilities. The Office of the Australian Information Commissioner is also independently investigating the breach. So, is the Federal Government using best practice algorithms to encrypt data? How can we be sure our data is safe in the digital age?
Criminalisation of Data Re-identification
The government has responded to the increase in breaches this year with a plan to criminalise the re-identification of de-identified datasets as an amendment to the Privacy Act. Attorney-General George Brandis announced that the changes to the Act would also make it an offence to “counsel, procure, facilitate or encourage anyone” to re-identify anonymised data.
What is a Data Breach?
A data breach is an incident where sensitive, protected or confidential data is re-identified, viewed, stolen or used by an unauthorised individual. Personal data may include personal client information such as names, images, contact details, date of birth, demographic details and health information.
Preventing a Data Breach
Your organisation might conduct a Privacy Impact Assessment (PIA) as a means to control data breaches. A PIA is a process that determines if a project meets privacy requirements by considering and analysing both technical compliance with privacy legislation and the privacy principles of a project, product or proposal. If your organisation deals with private information, conducting a PIA is best organisational practice. Understanding how to prevent and mitigate potential data breaches is the best form of prevention.
Controlling a Data Breach
As privacy breaches are on the rise, it is important to remember that, should a serious data breach occur, your organisation should comply with the mandatory breach notification requirements set out by the Privacy Act. The Australian Privacy Principles outline four key steps to managing a privacy breach. The ABS will also look to these steps should a breach of Federal Government data occur:
- Step 1 – Contain the breach: Once notified of a breach, containment may involve closing or shutting down the compromised system to prevent further records from being misused.
- Step 2 – Determine the risk of the breach: Assessing the risk is important. What information has been compromised? Who is affected by this breach?
- Step 3 – Notify: Determine whether notification of the breach is required, whether to individuals or the relevant authority.
- Step 4 – Prevent future breaches: As a result of a direct breach, there should be a review of policies and procedures and a security audit of data. It is important to learn from breaches and prevent them from recurring. It may also help inform future privacy impact assessments.