Collecting and publishing datasets is an important Government function that benefits the community. Sharing datasets enables policy makers, researchers and other interested parties to distil the information and inform policy decisions. However, just two months after the Census “Cyber Attack” scare, the Government is yet again caught up in a data breach. Below, we explain the recent breach, the Government's response, and key lessons for businesses about controlling and preventing breaches.

What Happened?

The government has a strict de-identification procedure for all government-published data; however, advances in technology have rendered current de-identification methods insufficient. The Australian Public Service Commission (APSC) made available for public viewing the data collected in an annual employee census of 96,000 public servants. Following fears that the data was compromised, the Public Service’s workplace authority has since withdrawn the data from official websites along with any information that could be used to identify individuals. Before removing the data, the APSC confirmed that it had already been downloaded 60 times. This raw information is currently not in the government’s control and could be used to identify personal information.

The employee census for federal public servants has been collected annually since 2003, and personal information is collected and stored in accordance with the Privacy Act 1988 (Cth). The data records important information about management and workplace conditions so as to improve employee conditions. This was the first year that the private information collected was attached to agency identifiers. Supposedly, the agency ID would make the personal information collected identifiable when some basic information about a person was known.
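The re-identification risk described above is easy to measure before a dataset is released. The following is an added illustration, not code from the article or from the APSC: it builds a small constructed set of census-style rows and computes the smallest group of records sharing the same "basic" attributes (the k-anonymity of the release), with and without the agency identifier.

```python
from collections import Counter

# Constructed sample rows in the style of an employee census (not real data).
# "Basic" attributes are things a colleague or manager would plausibly know.
ROWS = [
    {"agency": "A01", "age_band": "40-49", "gender": "F", "level": "EL2"},
    {"agency": "B02", "age_band": "40-49", "gender": "F", "level": "EL2"},
    {"agency": "A01", "age_band": "30-39", "gender": "M", "level": "APS6"},
    {"agency": "B02", "age_band": "30-39", "gender": "M", "level": "APS6"},
    {"agency": "A01", "age_band": "50-59", "gender": "M", "level": "SES1"},
    {"agency": "B02", "age_band": "50-59", "gender": "M", "level": "SES1"},
    {"agency": "A01", "age_band": "20-29", "gender": "F", "level": "APS4"},
    {"agency": "A01", "age_band": "20-29", "gender": "F", "level": "APS4"},
]

BASIC = ["age_band", "gender", "level"]          # quasi-identifiers without agency
WITH_AGENCY = BASIC + ["agency"]                # quasi-identifiers once agency ID is attached


def equivalence_classes(rows, quasi_ids):
    """Group records by their values on the chosen quasi-identifier columns."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids):
    """Size of the smallest group. k == 1 means at least one record is unique,
    i.e. someone who knows those attributes can single out that person."""
    return min(equivalence_classes(rows, quasi_ids).values())


def unique_records(rows, quasi_ids):
    """Count records that are the only member of their group (fully re-identifiable)."""
    return sum(1 for n in equivalence_classes(rows, quasi_ids).values() if n == 1)


def safe_to_publish(rows, quasi_ids, k_min=2):
    """Release gate: every group must contain at least k_min people."""
    return k_anonymity(rows, quasi_ids) >= k_min


if __name__ == "__main__":
    for name, qids in (("basic attributes only", BASIC), ("basic + agency ID", WITH_AGENCY)):
        print(f"{name}: k={k_anonymity(ROWS, qids)}, "
              f"unique={unique_records(ROWS, qids)}, "
              f"publish={safe_to_publish(ROWS, qids)}")
```

Run on this sample, the basic attributes alone give k=2 with no unique rows, while attaching the agency ID drops k to 1 and leaves six of the eight rows uniquely identifiable.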

Are Breaches More Common Today?

Data breaches in 2016 seem to occur with increased frequency, whether it’s the census hack or, more recently, the Medicare dataset published on data.gov.au. The Department of Health has removed the dataset based on Medicare and the Pharmaceutical Benefits Scheme after academics using the data discovered that some practitioner details could be identified from their provider ID numbers. No patient information was compromised in the published dataset, which offered a snapshot of Medicare claims between 1984 and 2014.

The Department is undertaking a full, independent audit of the process of reviewing, compiling and publishing datasets so as to remove potential future vulnerabilities. The Office of the Australian Information Commissioner is also independently investigating the breach. So, is the Federal Government using best practice algorithms to encrypt data? How can we be sure our data is safe in the digital age?

Criminalisation of Data Re-identification

The government has responded to the increase in breaches this year with a plan to criminalise the re-identification of de-identified datasets as an amendment to the Privacy Act. Attorney-General George Brandis announced that the changes to the act would also make it an offence to “counsel, procure, facilitate or encourage anyone” to re-identify anonymised data.

What is a Data Breach?

A data breach is an incident where sensitive, protected or confidential data is re-identified, viewed, stolen or used by an unauthorised individual. Personal data may include client information such as names, images, contact details, date of birth, demographic details and health information.

Preventing a Data Breach

Your organisation might conduct a Privacy Impact Assessment (PIA) as a means to control data breaches. A PIA is a process that determines whether a project meets privacy requirements by considering and analysing both technical compliance with privacy legislation and the privacy principles of a project, product or proposal. If your organisation deals with private information, you should, as best organisational practice, conduct a PIA. Understanding how to prevent and mitigate potential data breaches is the best form of prevention.

Controlling a Data Breach

As privacy breaches are on the rise, it is important to remember that should a serious data breach occur, your organisation should comply with the mandatory breach notification requirements set out by the Privacy Act. The Australian Privacy Principles outline four key steps to managing a privacy breach. The ABS will also look to these steps should a breach of Federal Government data occur:

  • Step 1 – Contain the breach: Once notified of a breach, containment may involve closing or shutting down the compromised system to prevent further records from being misused.
  • Step 2 – Determine the risk of the breach: Assessing the risk is important. What information has been compromised? Who is affected by this breach?
  • Step 3 – Notify: Determine whether notification of the breach is required, whether to individuals or the relevant authority.
  • Step 4 – Prevent future breaches: Following a breach, there should be a review of policies and procedures and a security audit of data. It is important to learn from breaches and prevent them from recurring. It may also help inform future privacy impact assessments.

***

Sharing de-identified data informs the private and public sectors’ approaches to policy. It’s important to learn from these government data breaches over the recent months so as to mitigate the impact of future data breaches. If you have any questions about preventing and controlling data breaches or need assistance drafting your organisation’s privacy policy, get in touch on 1300 544 755.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Sophie Glover
