Menu lock

Technology

Aug 7, 2017

5 comments

The government is planning to give every Australian a digital health record by the end of 2018. With that goal in mind, the Council of Australian Governments (COAG) Health Council has approved Australia’s National Digital Health Strategy, drafted by the Australian Digital Health Agency (ADHA.) So how much data will a digital health record — known officially as a My Health Record (MHR) — contain?

Lots.

The MHR was previously known as the Personally Controlled E-Health Record (PCEHR.) But after patients and healthcare providers avoided signing up to the PCEHR in droves, ADHA renamed the project and changed patients’ sign-up option from opt-in, to opt-out only. Yes, that’s right: you all get an MHR, whether you like it or not. Want to opt-out? Too bad.

The government won’t delete your e-health record: people who opt-out will still have a shadow-file — a shell account the ADHA will retain, void of healthcare data from the date patients opt-out. And how well do opt-outs work anyway? Well, before the UK scrapped its equivalent digital health data project — known as care.data — it was discovered the National Health Service was disregarding patient requests and still populating patient files with information, even after patients opted-out.

The National Digital Health Strategy claims the MHR will allow all Aussies to access their health info “at any time online and through mobile apps”. And what could go wrong, considering the Australian government has left a trail of failed data governance projects in its wake in recent years? “Early app developers are already taking advantage of new interfaces on top of the MHR system which allow people to see the medications they have taken, or to view clinical documents on their mobile devices,” according to the strategy.

[Sure you can opt out of giving govt your info — by giving govt your info]

While the Digital Health Agency website states “vendors have to ‘self-declare’ conformance to My Health Record system specifications under a new ‘Conformance, Compliance and Declaration (CCD) process’”, what security measures the government is actually taking to ensure app developers have appropriate clearance to access a firehose of national health data isn’t specifically addressed in the strategy document. The strategy points out a key challenge is “establishing confidence in the reliability of secure messaging. (Of course, the concept of “establishing [public] confidence” — usually by process of spin and PR — is very different from the process of actually ensuring security.)

While the Digital Health Agency has established a technical working group to “co-design solutions” for secure messaging, the names of the members of the technical working group haven’t been made public, and details of ADHA’s process for appointments to the group are not available via the department’s website. Despite the MHR going live in 2018, ADHA doesn’t plan to undertake a “public consultation on draft interoperability standards” until the end of that year, which seems all kind of arse-backwards. One wonders, wouldn’t it perhaps be better if the government completed the public consultations first, and then set up digital accounts for every last damn person, based on feedback?

It’s all rather concerning, particularly as the National Digital Health Strategy is proposing some fairly ambitious projects, including the “development of a mental health portal which will provide support in accessing quality endorsed mental health apps and mental health services” and allow services to “support tailored individual care for people with severe and complex mental illness”. Which raises the question: is the government planning to make a great big old list of people with mental health issues? What happens when the mental health portal gets breached, and incredibly sensitive data leaks?

The strategy notes lots of privacy concerns, but it doesn’t seem to be particularly interested in road-mapping a resolution to those particular issues — at least not within the report. The strategy deals with security concerns with an instant fix: the creation of a “Digital Health Cyber Security Centre (Digital Health CSC)”, which plans to develop a “range of guidance materials” over time. It’s also uncertain from the strategy how the Cyber Security Centre will adequately train thousands of GPs, pharmacists and app developers involved in the My Health Record project to protect the security of Australian medical data.

[Govt’s electronic health record plan is a data breach waiting to happen]

The National Digital Health Strategy is nothing but an ode to positive thinking: “Greater utility will be realised through pushing information (e.g. notifications for patients) and pulling information,” chirps the strategy merrily. Coincidentally, insurance agency BUPA is quoted twice in the National Digital Health Strategy. Yes, the very same BUPA that only recently experienced a serious data breach involving customer details of 20,000 Australians.

BUPA’s submission to the National Digital Health Strategy argues “the strategy should specifically recognise that the role of government is to facilitate private sector development of innovative digital products and services”. Errrrm, what? Perhaps it’s an old-fashioned notion, but traditionally the role of government is to serve its citizens first, as opposed to insurance agencies. So it’s odd that a government department should have seen fit to include such a corporately aligned quote in it’s national strategy.

Of course, the Digital Health Strategy is eager to talk up positive cases of Australian scientific advancements, mentioning robotic medical operating systems and Aussie development of wi-fi. The Digital Health Strategy doesn’t manage to mention any negative case studies, such as the recent discovery that Medicare data was up for sale on the dark web, or that the Department of Health and Ageing had to pull a public dataset after discovering the information was re-identifiable.

Towards the end of the report, it’s suddenly pointed out that “strong privacy, security and risk management frameworks to protect sensitive information, while also enabling the safe and efficient sharing of information are vital” is a “critical success factors for the national digital health strategy”. So, will privacy, security and patient consent in the MHR turn out to be anything more than just lip service? The MHR opt-out process will begin in early 2018 — just in case you’re not willing to take the gamble on the safety of your own medical records.

Federal

Jun 26, 2017

5 comments

Complaints to the privacy watchdog alleging the misuse of personal information by government agencies have soared 50% amid a flurry of privacy-related controversies including the robo-debt debacle and the AFP’s illegal access of a journalist’s phone records, data obtained exclusively by Crikey reveals.

The Office of the Australian Information Commissioner (OAIC) received 123 complaints against state bodies over the use or disclosure of personal information in the first 11 months of this financial year, compared to 82 for all of 2014-15, data released under freedom of information shows.

By far the largest number of complaints, 38, were directed at the Department of Human Services, the agency under fire in recent months for imposing thousands of false Centrelink debt notices based on faulty data-matching — although the department also accounted for the most complaints in 2015-16 (43) and 2014-15 (38).

The Australian Taxation Office had the second-most complaints, with 12, followed by the Department of Immigration and Border Protection with 11.

[TV journo Steve Barrett implicated in ATO sting]

The Australian Bureau of Statistics, Department of Defence, National Disability Insurance Agency, Administrative Appeals Tribunal, AFP and Comcare each had four to seven complaints against them. Twenty-three other bodies, including the Department of the Prime Minister and Cabinet and the Fair Work Commission, were hit with three or fewer claims each.

The figures refer to alleged privacy breaches that may or may not be ultimately upheld by the OAIC, which is dealing with a backlog of more than 2000 privacy cases awaiting a determination for a year or longer.

So far this year, the commissioner’s office has made just one determination under principle six of the Privacy Act 1988, which refers to use or disclosure of personal data.  

The sharp rise in complaints comes at a time of heightened scrutiny of privacy issues in Australia, and as the government argues for greater access to sensitive personal information.

Earlier this month, following a series of Islamic terror attacks in the UK, Prime Minister Malcolm Turnbull flagged plans to force tech companies to decode encrypted electronic communications, telling Parliament the “privacy of a terrorist can never be more important than public safety”.

In April, the AFP admitted to accessing an unnamed journalist’s metadata without a warrant, breaching safeguards included in contentious data-retention laws passed by the Abbot government in 2015.

[AFP’s metadata breach shows just how ‘trustworthy’ the agency is]

Last year’s census, meanwhile, drew heavy criticism from privacy advocates after the ABS announced it would hold onto names and addresses it collected instead of destroying the information as it had in the past.

David Vaile, chair of the Australian Privacy Foundation, told Crikey that the rising number of complaints was “not surprising” given the blase attitude of successive governments. He noted that the previous Office of the Privacy Commissioner was subsumed into the current broadly defined agency and that Australia was one of the few developed countries without an established tort of privacy.

“I think that awareness has brought to people’s attention that they can no longer reasonably trust anyone who says, ‘trust us, we can keep your information secure and we will keep it secure,” Vaile said.

The new figures probably underestimated the extent of the privacy breaches out there, Vaile added.

“I think it is quite concerning, I think it’s probably the tip of the iceberg because of the underfunding and the attacks on the regulator’s office and the attempts to bury them in another entity and the establishment,” he said.

Federal

Jun 19, 2017

5 comments

What do you get after more than a year of waiting for Border Force to respond to a freedom of information request? Not a lot, it turns out.

In April 2016, Crikey filed an FOI request for footage taken during Border Force’s trial of GoPro cameras. As we reported at the time a “small number” of GoPro cameras were issued for specific situations where Border Force agents board vessels at sea, and a second batch of cameras were bought “to evaluate the capability and to examine associated legislative, technical, training and other issues”.

The agency took over 12 months to respond and last week provided a DVD with just one, 32MB, two-minute video with one minute of footage from the trial:

Another eight videos identified by the department were blocked from release. Four of the videos were of border patrol operations prior to the launch of Operation Sovereign Borders (OSB) but contained “tactics and operational procedures” relevant to OSB. 

[What are they hiding? The widespread denial of FOI requests]

“This pertains to the national security of Australia,” the department said. “The operations of the assets captured on the video footage form part of the maintenance of the security of the Commonwealth… Australia’s national interests are threatened by any unauthorised arrival of people and the Australian Government has responsibility for the lawful and orderly entry of people into Australia, along with ensuring that only those foreign nationals who are appropriately authorised are allowed to enter and remain.”

The release of the footage would compromise the security of the Commonwealth, the department argued. Other reasons for blocking the release of the rest of the footage include that officers could be clearly identified in some of the footage. The full list of reasons can be found here

The delay in the release of the footage is not surprising considering that as one of the most secretive agencies, the Department of Immigration and Border Protection receives more FOI requests than any other government agency, and potentially more than the other agencies combined. In 2014-15, the Office of the Australian Information Commissioner reported that DIBP, Human Services and the Department of Veteran Affairs received more than 75% of the total of FOI requests to Commonwealth agencies. Between October 2013 and February 2017, DIBP received 59,817 FOI requests. The department has just 81 full-time equivalent staff — a plainly inadequate number given the volume of requests — and an annual budget of $6.7 million to deal with all the requests.

[On-water matter or just bureaucracy? Why FOI requests are languishing]

Typical requests for information should take just 30 days, and the department recently told a Senate estimates committee that it did “attempt to meet these legislative timeframes to the extent possible within the limits of our operational and administrative capacity”. In the last financial year, of the 22,913 FOI requests finalised, 15,710 were finalised within the expected timeframe, but as of February this year 3905 of the 4059 active requests with the agency were outside the statutory timeframe for response.

These aren’t considered “overdue” because under FOI law, failure to respond in the timeframe can be treated as a refusal and then escalated for review at a higher level.

The release of the footage under FOI does show that such footage can be requested, meaning footage from other events in Immigration can be requested — such as, say, the Good Friday incident CCTV footage the government and Andrew Bolt claim backs Immigration Minister Peter Dutton’s statements about what sparked the tensions on Manus Island.

The department was still evaluating the use of GoPro cameras on Border Force officers, and said at the time last year that a wider roll-out of cameras that had both audio and video recording could be in breach of state, territory and Commonwealth privacy legislation if used onshore.

Federal

May 24, 2017

5 comments

Companies

May 5, 2017

5 comments

With every app you download, every web search you do and, increasingly, every product you buy, you lose more of your right to privacy and all control over what happens to your information. And no one is doing anything to stop it.

Discussing information security in the digital age at the Wheeler Centre in Melbourne this week, computing and information systems academic Vanessa Teague, lawyer Josh Bornstein and tech security strategist Rachael Falk all agreed that the private sector’s access to and use of our private information was “out of control” and that the government had made little effort to counteract it.

Bornstein said there needed to be far greater regulation, and called for a ban on the sale of private information by companies.

“Why not have a blanket prohibition on service providers on-selling private information to third parties?” asked Bornstein.

“No one signed up for it. This practice did not develop because consumers said ‘I want you to sell my information to some nong to use’.”

Teague agreed: “[This kind of] data sharing just makes everything worse, and I’m yet to hear a single convincing argument it’s in the interest of the consumer.”

Falk, who had earlier pointed out that a consumer had no bargaining power to challenge the individual sections of terms and conditions, which effectively sign away their right to privacy, agreed that she couldn’t think of a genuine benefit to consumers. When host Damien Carrick expressed surprise at such a sweeping statement, Bornstein countered that this was a sign of how far the argument had gotten out of proportion. 

[Data retention will hurt YOU, not criminals. Here’s how]

And while the private sector is not subject to nearly enough oversight — “they’re so massive, they can do whatever they want,” Bornstein said — Teague said the government was attempting to criminalise legitimate research into privacy issues through amendments to the Privacy Act.  She gave the example of the release of a sample of medical billing records for roughly 2 million people on data.gov.au in August 2016. It was de-identified using encryption, but Teague and a team of researchers were able, fairly easily, to get around the encryption and let the government know. However, under the Re-identification Offence Bill — currently stalled in the Senate after the Greens and Labor vowed to opposed it —  this research would have been a criminal offence. Teague said this was confusing the indication of a problem with the problem itself. 

“I think the law is wrong,” she said. “When someone like me or my research group shows that a data set like that can be re-identified, that should be regarded as a good thing, as showing you the tip of an iceberg, and you should be a lot more worried about the iceberg than trying to stop people explaining to you what the problem is.”

She said if a small group of researchers could so easily re-identify sensitive data, it was worrying to consider what a large corporation with far greater resources and access to more private information could do with such a sample being made public.

The government’s approach to privacy was also criticised in relation to the release of Andie Fox’s private information after she criticised the Department of Human Services. Bornstein said it was “particularly egregious abuse of power.”

“It’s quite a nasty thing to do and it sends a strong message — if you want to criticise the government, you will pay a price,” he said.

[Centrelink reveals private info about client that bad-mouthed the debt-recovery shemozzle]

The evening was peppered with worrying anecdotes of privacy breaches: a group of patients for a therapist in America, who mysteriously started receiving Facebook suggestions that they become friends with one another; cars (the make of which was tantalisingly elided) that store the footage from the front and rear cameras and the audio from the voice command feature “the Cloud”; an employer who accessed the bank information of an employee who was suing for unfair dismissal, to gauge how long they could continue to pursue their case; and more.

While the panellists differed on how best to protect any semblance of privacy in the digital age (while Bornstein argued strongly that it was only possible through stringent government regulation, Falk and Teague both favoured individual consumer push back), they were of an accord on one point: the push back had to begin immediately.  

Federal

May 1, 2017

5 comments

Australia

Apr 28, 2017

5 comments

Australia

Apr 11, 2017

5 comments

Centrelink will make no effort to ensure that money paid to the organisation as a result of robo-debt notices is money actually owed to Centrelink, a Senate inquiry has heard.

In many situations, those who were given incorrect debt notices by Centrelink as part of its automated debt recovery system rolled out last year were encouraged to make repayments even if they were disputing the debt. 

But the Department of Human Services says if a Centrelink recipient begins a payment plan with the agency after receiving a debt notice, the recipient has conceded that the debt calculated by Centrelink is correct. At a hearing of the Senate committee investigating the robo-debt notice system in Melbourne this morning, national manager of DHS’ whole of government division Marc Mowbray-d’Arbela said debts repaid directly through Centrelink or through debt collectors were not reviewed, even though they might be incorrect.

“If they started repaying [the debt] then we accept it at face value,” he said.

“So you’ve never audited the records?” Labor Senator Louise Pratt asked. Mowbray-d’Arbela said he would need to take the question on notice.

He said that it was up to those making the repayments to raise questions about the debt with the department.

The Commonwealth Ombudsman said yesterday in a report into the robo-debt notice system that Centrelink should examine whether it had been over-recovering debts as a result of the new system:

“The risk of over-recovering debts from social security recipients and the potential impact this may have on this relatively vulnerable group of people, warrants further consideration by DHS. We suggest DHS test a sizeable sample of debts raised by the OCI (Online Compliance Intervention). The samples should include people who did not respond to the initial letter, as well as people who went online and people who contacted DHS via other channels. We also suggest DHS re-evaluate where the risk for debts calculated on incomplete information should properly lie and investigate whether there are ways to mitigate this risk.”

Acting Ombudsman Richard Glenn recommended that DHS reassess whether debts were accurate where a 10% recovery fee was applied automatically. In response, department secretary Kathryn Campbell said the department agreed to all of the recommendations made in the report, but said the 10% fee was only applied “in limited circumstances,” where there was no contact from the recipient. Problems with debt notices going to old addresses of recipients have been well-documented in media reports.

Campbell said that the department had written to everyone who had a debt levied on them that they had review rights, placing the onus back again on the recipient, rather than having debt reassessed by the department itself.

The Ombudsman also found that the letters sent before January 20 this year did not include a phone number to call for help about a debt notice, and they did not explain how recipients could ask for an extension of time on the repayment or for a reassessment to be made. Senators on the committee today said that much of the evidence received from people who had been sent the original letters said that they had been fishing in the dark, and recipients had not known how to begin disputing the assessment. 

A sample debt notice letter

Human Services has argued that the new notice letters offer much more information and make it clear they aren’t debt notices. The new letter includes employment information from the ATO and is sent via registered mail, meaning that it must be signed for before Centrelink can progress to the next notice stage.

The letter sent to Centrelink recipients now

It was also not fair on Centrelink recipients to be forced to obtain pay slips and other evidence from employers to prove they didn’t owe the debt claimed when those recipients didn’t have the same information-gathering powers that DHS has under law, the Ombudsman said:

“In the OCI context, it may be reasonable for customers to retain their employment and payroll records for a similar period, but not for six or seven years, particularly where they have not been forewarned about this requirement. Some customers may face challenges collecting this information where their employer no longer exists, is being unco-operative or has not retained payroll records.”

The Ombudsman slammed the department over its project planning for the compliance system before the system was rolled out in September last year. Key stakeholders were not effectively consulted during the planning stages, or when the full roll-out happened in September. This resulted in confusion and inaccuracy in public statements made by NGOs, journalists and individuals, the Ombudsman said. Usability was also not properly tested, and should have been rolled out slower with the assistance of the Digital Transformation Agency, the Ombudsman said.

Federal

Apr 4, 2017

5 comments

The legal advice relied upon by Human Services Minister Alan Tudge to support his release of blogger and Centrelink recipient Andie Fox’s personal information to a journalist appears to be missing, despite several attempts to obtain it.

In late February, Fox published a comment on The Canberra Times detailing some of her experiences with with Centrelink’s robo-debt notice debacle. Tudge’s office then gave Canberra Times journalist Paul Malone personal information about Fox’s history with Centrelink and the Tax Office, which formed the basis of an article denying Fox’s original claims. 

Questions remain over whether Tudge’s office acted within the law in disclosing Fox’s private information without her consent. 

[Alan Tudge and DHS think it’s legal to leak private citizens’ details to the press. It isn’t.]

In Parliament in late February, Tudge appeared to quote from legal advice that suggested he was able to disclose the information to correct the record:

“In cases where people have gone to the media, with statements that are incorrect or misleading … we are able to, under the Social Services Act, release information about the person for the purpose of, as I quote, ‘correcting a mistake of fact, a misleading perception or impression, or a misleading statement’.  That is what the law allows.”

But what Tudge quotes does not appear in the Social Services Act. The language appears in 2015 guidelines around section 208 of the Social Security Act, which allows the secretary of the department to issue public interest certificates for the disclosure of private information to correct the record. The department said in Senate estimates, however, that no public interest certificate had been issued, and instead the department was relying on section 202 of the act to release the information. There is nothing in that section of the act to suggest that the government could release Fox’s information.

In media interviews in March, Tudge claimed the chief legal officer of his department had formally cleared him to release the information. But the secretary of his department, Kathryn Campbell, told an estimates hearing that legal advice had not been provided to Tudge:

“I am not sure we would say ‘informal’. I think we would say that the legal advice per se was not provided but that for the policy advice we had legal advice.”

So what advice was the minister relying on? Crikey filed a freedom of information request with the Department of Human Services requesting the document that Tudge quoted from in Parliament. An officer within the Department of Human Services indicated last week the department might refuse the request because the department had no way of knowing exactly what advice the minister was quoting from:

“I am not able to reasonably identify whether or not the Minister was referring to any specific document. The Minister could have been referring to any document, briefing, minutes or notes. In order to identify the document in scope of your request, the department would be required to review every document that has been provided to the Minister or his Office by the department since he commenced in office in February 2016 and determine whether any of those documents contain material quoted by the Minister during the Parliamentary debate on 28 February 2017.”

[Australia, 2017: bureaucrats who see citizens as enemies]

Crikey asked for the department to ask the minister’s office what document exactly he was quoting from, but we have yet to receive a response.

Yesterday, Labor human services spokeswoman Linda Burney released legal advice from prominent Melbourne barrister Robert Richter QC on the matter. Richter said that Fox’s information was protected information, and that it was “reasonably clear” that the minister or one of his staffers “has committed an offence” punishable by up to two years in jail.

“The disclosure of Centrelink clients’ information to ‘set the record straight’ is not permitted under the Act,” Richter said in his advice.

Burney yesterday called on the minister to release the advice he received:

“He keeps talking about some sort of legal advice that gave him the OK to leak this information. No one has ever seen that advice, and in fact his department claims that that advice does not exist.”

The Australian Federal Police also received a referral from Burney to investigate whether Tudge or his office had broken the law in releasing Fox’s personal information. Burney says she understands the AFP is investigating the matter.

Federal

Mar 15, 2017

5 comments

Unchastened by the census debacle and unbowed by the government’s use of personal information to pursue its critics, the Australian Bureau of Statistics is again demanding Australians hand over their most private information under the threat of prosecution.

Earlier this month, Andrew Henderson of the ABS wrote to 35,000 households demanding that they participate in “an Important Household Survey” (yes, with the capitalisation) and register online for the process. “You are obliged to provide the information being requested,” the chosen recipients were told. Anyone who refused to be registered would be visited by the ABS and required to comply under the Census and Statistics Act 1905. Currently, anyone refusing to co-operate with the ABS can be fined $180 (plus court costs).

How the ABS chooses its targets isn’t clear: in the 1980s it infamously targeted journalist Shirley Stott-Despoja and lost the subsequent court case — and then had Parliament change the law to remove the possibility of losing again.

[Why you should boycott the census]

The survey comes in the wake of both the 2016 census debacle and the subsequent inquiry, which revealed that the ABS had a poor understanding of and lacked capacity to manage its IT contracts. It also comes after revelations the Department of Human Services, which promises “we are bound by strict confidentiality and secrecy provisions in social security, families, health, child support and disability services law” and that it will not use personal information “for any purpose other than why it was collected”, handed private information to journalists in order to smear Centrelink clients for publicly criticising it. The government also plans similar laws to enable the Department of Veterans’ Affairs to do the same.

Information obtained from the survey will be added to census data, other survey data and other information on individuals and addresses held by other government agencies to create a joined-up, lifelong file of personal information on every citizen — protected, the ABS says, by an encrypted identity key.

[You’ve decided to boycott the census. Now what?]

The Centrelink attacks on its critics demonstrate how government will always find ways to justify exploiting personal information despite assurances it will be kept confidential — the Department of Human Services insisted its was right to release private details about writer Andie Fox to journalist Paul Malone, in order to address the “concerns” of “other individuals … so that people knew it was important to file their tax returns and tell us about changes in their circumstances”.

Citizens concerned to protect their privacy and prevent future abuse of their information by the government are best advised to take whatever steps they can to avoid ABS surveys, since the ABS can offer no guarantees that the information will not be stolen or misused by the government. If they must co-operate, victims are advised to film the entire interview with the ABS representative to create their own record of what information has been provided — you are perfectly entitled to film in your own home, and ABS employees have no basis for refusing to be filmed.