A new report by the government’s privacy authority has found that the Department of Health breached the Privacy Act a number of times as part of a bungled release of medical data in 2016, but the department will not face any sanctions or punishment.
The report, completed by Australian Information Commissioner Timothy Pilgrim prior to his retirement last week, found the department’s processes for assessing risks around releasing health data was “inadequate”, and that the office broke privacy laws in publishing the information.
But the department has escaped any sanctions, instead entering into an enforceable undertaking that requires it to “review and enhance its data governance and release processes” with oversight from the Office of the Australian Information Commissioner (OAIC).
The issues stem from the department publishing a collection of Medicare Benefits and Pharmaceutical Benefits scheme data in 2016. The data covered claims information for 10 per cent of people that had made claims since 1984 – nearly 3 million people.
The data was anonymised, and the OAIC report found that the department believed adequate steps had been taken to keep the information private, and it had been done in “good faith”.
But a month after it was published, researchers from the University of Melbourne found the Medicare service providers could be re-identified from the data.
The department quickly removed the dataset as part of its “quick and comprehensive response”, the OAIC report found, but the process leading up to the release of the data was “flawed”.
“There were flaws in the process followed by the Department in de-identifying the dataset, assessing the risk of re-identification and deciding to publish it,” Mr Pilgrim said in his report.
While the Department of Health took steps to de-identify the personal information of Medicare service providers, these measures were ultimately not sufficient,” he said.
“The encryption method for provider numbers was flawed, allowing Medicare service providers to potentially be re-identified from the information.”
This mistakes led to the Department of Health breaching the Australian Privacy Act multiple times.
Further research late last year by the academics that discovered the original issue found that when combined with other readily available information, such as dates of birth and gender, the data released by the department could be connected to an individual.
Their report claimed that because of this, the medical data of one in ten Australians had been potentially exposed.
Prominent individuals who have medical information widely published were more at risk, but the researchers found that every day Australians could also be identified, especially by banks and insurance agencies.
But in his report, the privacy commissioner said the risk of this happening was “extremely low”.
“Patients could only be identified by relying on unusual features of those patients, or a very full knowledge of their medical history, sufficient to distinguish them from everyone else in the dataset. While there is some risk of re-identification of patients by a sufficiently informed and skilled person, this risk is extremely low,” Mr Pilgrim said.
“The Commissioner’s view is that the processes or steps for achieving re-identification are so extensive, and the risk of identification for any given patient so low, that the patients in the dataset are not reasonably identifiable for the purposes of the Privacy Act.”