20 July 2012


Overseas action regarding data breaches provides a perspective on Australian practice.

The UK Information Commissioner has penalised St George’s Healthcare NHS Trust £60,000 for sending a "vulnerable individual’s sensitive medical details" to the wrong address.

The Information Commissioner indicates that -
The information was contained in two letters that were sent out by the Trust in May 2011. While the letters were addressed to the correct recipient, they were sent to an old address, despite the person not having lived in the property for nearly five years. The ICO's investigation found that the individual's current address had been provided to the Trust's staff before the medical examination took place. Additionally, the correct address had been logged on the national care records service, known as NHS SPINE, in June 2006. The mistake was made after the Trust's staff failed to use the address supplied before the examination, or check that the individual's recorded address on their local patient database matched the data on the SPINE. The Trust had set up a prompt to remind staff about the need to check and update patient information against SPINE; however the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late.
The ICO’s Head of Enforcement commented that -
It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it. This breach was clearly preventable and is the result of the Trust’s failure to make sure the contact details they have for their patients are accurate and up to date. 
This is the fourth monetary penalty we have issued to the NHS in the past two months. It is vital that these organisations make sure they have the necessary measures in place to keep patients’ details secure.
The NHS Trust has reportedly taken action to make sure that the personal information is kept secure, including "making sure adequate checks are in place to ensure that local information the trust has for patients is correct, by cross checking that information against SPINE and other relevant sources". The Australian legal framework is different, with the national Privacy Commissioner having neither the power to impose financial penalties nor apparently (until a succession of promo items, replete with snaps of the Commissioner himself) much interest in shaming errant bodies.

Yesterday the Canberra Times - only slightly less provincial than the Bungendore Mirror - reported that "A defence agency emailed the personal details of almost 2500 former military personnel to hundreds of people, even though its software had warned it not to". The information apparently included each former ADF member's name, ID number, unit name, date and reason for leaving the service and personal email address.

The Defence Department - like Telstra, Sydney University, Vodafone, First State Super and other organisations that have been criticised regarding a breach - offered the usual response: it is "treating this matter with the utmost seriousness". They would say that, wouldn't they. "An external consultant is undertaking a formal investigation and Defence has conducted an immediate review of its processes and procedures pending the outcome of this investigation".
The Defence Community Organisation, which helps families that are struggling to adjust to military life, has since acknowledged the error was a "serious breach of privacy and … also a breach of trust".
Last month, one of its new employees accidentally attached the database to a survey, which was then sent to about 400 people who had recently left the Australian Defence Force.
The computer initially blocked the email, warning that it contained an "unauthorised security clearance". However, after seeking advice, the employee was then told to "just send the email again". ... the email contained personal information of more than 2400 former personnel, "including members who were now deceased".
The Times reports that staff members involved in the incident have been counselled and directed to undertake privacy training. We might wonder about the meaningfulness of that training.
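Both incidents turn on the same engineering point: a control that merely reminds staff, or that can be cleared by sending the same thing again, is not a control. What follows is an added illustration, not code from the NHS Trust, the ICO, Defence or the Canberra Times, of a fail-closed version of the two checks the stories describe: the local address must agree with the authoritative record before a letter is printed, and a bulk mail-out is refused, on its content, when the attachment carries personal records. The record layouts, sample addresses, the seven-digit ID format and the attachment format are constructed for the example; the real SPINE lookup and Defence's "unauthorised security clearance" check are assumed to sit behind equivalent interfaces.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    line1: str
    postcode: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed sample records for this example (not real patient or ADF data).
# The local patient database still holds an address the patient left years
# ago; the authoritative record (SPINE, in the ICO case) has the current one.
LOCAL_PATIENT_DB = {"P001": Address("12 Old Road", "SW17 0QT")}
AUTHORITATIVE_DB = {"P001": Address("7 New Street", "SW17 0RE")}


def reconcile_address(patient_id, local_db, authoritative_db):
    """Decide whether a letter may be printed for patient_id.

    The local and authoritative copies must agree. A mismatch, or a missing
    authoritative record, is a refusal rather than a reminder that staff can
    click past: nothing is posted until the local record has been corrected.
    """
    local = local_db.get(patient_id)
    current = authoritative_db.get(patient_id)
    if current is None:
        return Decision(False, f"{patient_id}: no authoritative address on record")
    if local != current:
        return Decision(False, f"{patient_id}: local address {local} differs from authoritative {current}")
    return Decision(True, f"{patient_id}: address verified against authoritative record")


# Constructed attachment format: one personal record per line as
# "<7-digit ID>,<name>,<reason for leaving>,<email>". A survey mail-out has
# no business carrying even one such row.
RECORD_ROW = re.compile(r"^\d{7},[^,\n]+,[^,\n]+,[^@\s,]+@[^@\s,]+$", re.MULTILINE)


def count_personal_records(attachment_text):
    return len(RECORD_ROW.findall(attachment_text))


def gate_bulk_email(attachment_text, recipient_count, max_records=0):
    """Decide whether a bulk e-mail may leave with this attachment.

    The decision depends only on the content, so "just send it again" gets
    the same refusal; the only way past is to change the attachment.
    """
    n = count_personal_records(attachment_text)
    if n > max_records:
        return Decision(False, f"attachment holds {n} personal records; refused for {recipient_count} recipients")
    return Decision(True, f"attachment holds {n} personal records; cleared for {recipient_count} recipients")


# Constructed survey text, once clean and once with a database pasted in.
SURVEY = "Q1. How was your transition to civilian life?\nQ2. Which services did you use?\n"
SURVEY_WITH_DATABASE = SURVEY + (
    "8712345,J Citizen,End of engagement,j.citizen@example.com\n"
    "8712346,A Person,Medical discharge,a.person@example.com\n"
)

if __name__ == "__main__":
    print(reconcile_address("P001", LOCAL_PATIENT_DB, AUTHORITATIVE_DB))
    print(gate_bulk_email(SURVEY, 400))
    print(gate_bulk_email(SURVEY_WITH_DATABASE, 400))
    # A second attempt with the same attachment is refused identically.
    print(gate_bulk_email(SURVEY_WITH_DATABASE, 400))
```

The design choice worth noting is that neither function has an "override" argument. The NHS prompt failed because it could be dismissed, and the Defence block failed because a retry was accepted; a gate that returns the same refusal for the same input, and whose only escape is correcting the data, removes both paths. Any genuine exception process belongs outside the gate, with a named approver and a log entry, not as a flag on the send call.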

The Organisation's site says nothing about the data breach, which is apparently less important than the announcement that "The Defence Child Care Centres have successfully transitioned to a new service provider, Mission Australia Early Learning Services (MAELS) from 1 July 2012".