Photo credit:  Alanna Autler

A recent spate of significant data breaches continues to demonstrate the huge problems of the relentless accumulation of information on all of us both by corporations and governments. Just in recent weeks, we’ve had:

  • the Commonwealth Bank’s major data breach, which we only learnt about from Buzzfeed;
  • the continuing fall-out from the PageUp data breach, affecting thousands of Australians and dozens of major commercial and government users;
  • a Ticketmaster data breach that may have affected Australian customers;
  • a breach at controversial health booking service HealthEngine;
  • a hack of Family Planning NSW;
  • a breach at Aviation ID Australia affecting Aviation Security Identity Cards, used to access restricted areas of airports.

At least we’re now being notified more consistently about breaches, after the government finally stopped dragging its feet and a data breach notification scheme commenced.

Earlier this week, IT News reported that the four major political parties would be given $75,000 each to strengthen the security of their voter information systems. Online rights watchdog Digital Rights Watch welcomed the move, given what is known about the poor state of cybersecurity in the systems of political parties; at least one major party is known to use a system that sends user names and passwords in clear text.

The potential for a large-scale data breach of the most serious kind will increase in coming months as the so-called “My Health Record” e-health system is rolled out. From Monday, citizens will be able to opt-out of having an electronic health record created by the government for them. Those that don’t, face the risk that their health records could be accessed via a data breach, particularly of any third party service providers involved — it is a recurring pattern of data breaches involving governments that often government agencies themselves are not breached, but they have outsourced a service to a private contractor (like PageUp) to save money and it is the latter who are breached. In the case of My Health records, there is also a risk that health professionals other than your own might also access it.

This is all prior to the grimmer scenarios around what a government agency or minister could do with your health information. These are of course no hypothetical visions of an Australian dystopia: we know that Alan Tudge and his bureaucrats used a critic’s private information to publicly attack her, and did so with the subsequent approval of the so-called Privacy Commissioner. Health information is even more sensitive than the sort of information collected by welfare authorities, but there is literally nothing to stop the government from using that information against someone who has embarrassed it. The government that leaked information about Andi Fox, that is prosecuting Witness K and Bernard Collaery, that sent AFP officers into Parliament House to pursue emails between Labor staff and journalists, that set up two royal commissions to pursue its political opponents, and that is currently criminalising even the mere reading of leaked information online, cannot be trusted with any kind of personal data. Its security is too poor, and it has demonstrated it will use private information for political purposes against citizens.

The best security is to prevent it from accumulating information on you in the first place. Then there’s none to steal or to misuse. Opting out of My Health Record is the only sensible option.