19 December 2017


Presumably in response to yesterday's report on the reidentification of health data noted here, the Office of the Australian Information Commissioner (OAIC) has released a statement that it is still investigating the 2016 health data breaches but is - of course - mindful of the importance of trust.

The delay is symptomatic of the OAIC's bureaucratic incapacity (regulatory capture exacerbated by under-resourcing after the year when Attorney-General George Brandis recurrently announced that the OAIC would be abolished but failed to get his legislation through the national legislature).

It adds weight to the UNSWLJ article by Burdon and Siganto on OAIC Own Motion Investigations.

That article - 'The Privacy Commissioner and Own-Motion Investigations into Serious Data Breaches: A Case of Going through the Motions?' in (2015) 38(3) University of New South Wales Law Journal 1145 - commented:
If the OAIC does not have the technical knowledge or skills to analyse the causes or methods for prevention of security breaches, or to assess technical details about how security breaches occurred, then it is not clear how the OAIC is able to conduct these investigations or assure itself that third-party expert reports are accurate, complete and based on the use of an appropriate standard of care. It is therefore difficult to determine how the OAIC can adequately say whether there has been any failure to properly protect personal information. 
Our investigation of the six OMIs suggests that the OAIC’s decisions to commence the investigations were in response to media and were perhaps motivated by an interest in raising the profile of data breaches in Australia to support the introduction of a mandatory notification scheme. Whether this is in fact correct or not, there are clearly issues with the process followed in each investigation. In all of the OMIs, an ‘on the papers’ approach was used, based on written responses to largely generic requests for information. There was virtually no second-round questioning, independent evidence gathering or confirmation of the facts as asserted by the respondents, whether directly or via third-party investigation reports commissioned by the respondents. The decision-making process used is also not clear. The change in the outcome of the Medvet investigation, after the initial outcome was communicated to the respondent, in particular raises issues as to the basis for the OAIC’s decision-making in these cases. 
We assert that these issues arise, in part, as a consequence of the limited powers, skills and resources available to the OAIC at the time. Given the OAIC’s new powers and increased accountability, these issues may be addressed in future Commissioner-initiated investigations. However, without the allocation of significant additional resources, it seems unlikely that there would be any significant change in process. Reliance on third-party investigation reports commissioned by the respondent in a future investigation may not be an appropriate resolution. 
The OAIC is right to emphasise that the problem of data breaches is likely to remain. However, the examination of the six OMIs reveals that the investigatory approach adopted can lead to the situation where the OAIC investigators are simply going through the motions. On that note, given the issues we highlight in this article, the OAIC’s data breach investigations as a body of work are unlikely to be of assistance in regulatory efforts to prevent data breaches, unless significant changes are undertaken. Such changes would herald a major policy shift regarding the role of the OAIC, characterised by the need for a supported, adequately resourced and thus proactive Australian privacy regulator. In that regard, our examination of six relatively recent OMIs sounds a warning not just as to what has happened, but also for the future.
Alas, what was past is present. The OAIC's statement yesterday reads:
The Australian Information and Privacy Commissioner is currently investigating the publication of the Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets on data.gov.au. The investigation was opened under section 40(2) of the Australian Privacy Act 1988 (Privacy Act) in late September 2016 when the Department of Health notified the OAIC that the datasets were potentially vulnerable to re-identification. 
Given the investigation into the MBS and PBS datasets is ongoing, we are unable to comment on it further at this time. However, the Commissioner will make a public statement at the conclusion of the investigation. 
Realising the value of public data to innovations that benefit the community at large is dependent on the public’s confidence that privacy is protected. The OAIC continues to work with Australian Government agencies to enhance privacy protection in published datasets.