What is it about South Australia, land of problematical restrictions on free speech and association? (I'm assured by several South Australians that the water - undrinkable though it is - is
not to blame)
Today's news involves furore over the failure of Medvet ("Vetting your staff and workplace to reduce your risk"), the state government enterprise that is dominant in the workplace drug and alcohol testing industry, to quickly respond to a major data breach.
On Friday Medvet pledged that it was doing everything possible to deal with access via Google to information regarding the paternity, drug and alcohol tests. Conduct a fairly cursory search and you could discern the identities of Medvet test subjects (names, home addresses, phone numbers), the nature of the test and the price.
It is reported that Google deleted the cached information after "a concerned industry figure, unrelated to Medvet" alerted Google that confidential data was online. Google provides scope for removing confidential data (including cached pages). It
notes for example that its "URL removal tool is intended for pages that urgently need to be removed - for example, if they contain confidential data that was accidentally exposed". Use of the tool prevents public access to Google's cached pages and takes those pages out of Google's search results (although does not, of course, delete screenshots or other copies that Google's competitors and users have made of the pages). In principle, by acting responsible, Medvet could have deleted all the offending material on Friday.
Medvet's indifference is of concern and raises questions about its overall handling of data.
The South Australian government has announced it will "push for an independent review" into the data exposure and reportedly denies any prior knowledge of Medvet's security problems.
SA Health Department chief executive David Swan reportedly spoke to Medvet chair Terry Evans "several times over the weekend" and confirmed that Medvet will allow external auditors to examine its systems in identifying how the privacy breaches happened, "who saw the data" and when company staff learnt of the problem.
Commonwealth Privacy Commissioner Timothy Pilgrim, acting more quickly than in the past, has reportedly announced that he will investigate both Medvet's original security breach and its subsequent failure to immediately contact Google - and presumably other search engines - about remove information that should not have gone public. (There is, as yet, no announcement on the OAIC or former Privacy Commission site.)
Medvet will reportedly be asked to explain what actions it took when it first became aware in April [!] of a security lapse. It will also be asked to explain what steps were taken last Friday after
The Weekend Australian alerted Medvet's managing director that information was online.
Interesting, Medvet apparently still has not contacted people whose information went feral.
Its statement of 2:30pm this afternoon indicates that -
Medvet Laboratories deeply regrets that its web store security has been compromised, as a result of which some clients' delivery addresses and product order details have become available on the internet. No client bank account details or results of any tests have been disclosed.
On becoming aware of this Medvet Laboratories immediately closed the web store and we have initiated the necessary steps to have the information removed from the internet.
All client information has now been removed and is no longer available on the internet.
The Medvet Laboratories board has instructed that an independent investigation is undertaken immediately into how this has occurred, who is affected and what can be done to address it.
Once we have all the facts we will contact the clients whose details have been published to the internet.
We sincerely apologise for this occurring and for any embarrassment this may have caused to our clients.
A more positive stance would involve contacting everyone now, so that they don't have to discover the bad news by reading the newspapers.
Medvet's online Privacy Policy states that -
Medvet Science Pty Ltd (Medvet) ABN 15 008 089 745 is committed to observing the National Privacy Principles as set out in the Privacy Amendment (Private Sector) Act 2000.
Medvet has adopted all principles set forth in the National Privacy Principles that govern the collection, use, disclosure, quality, security, access and correction of information that personally identifies an individual ("personal information"). This Policy Statement applies to all personal information that Medvet may collect, use and disclose, whether that information is manually or digitally processed.
The meaningfulness of Medvet's adoption of the NPP is thrown into question by exposure of the data.
The statement continues -
2. Personal Information
Medvet collects personal information when we provide our services to you. Generally Medvet will tell you why we are collecting information, when we collect it and how we plan to use it or this will be obvious at the time of collection.
Medvet usually collects personal information directly from you although sometimes we may use agents or service providers to do this for us. Medvet may also acquire lists from other sources, both from other companies and from public documents.
3. Use of Information
Medvet usually collects personal information such as your name, address and telephone number. In some instances it may include your date of birth and medical records. When you are online, Medvet collect information regarding the pages within our network which you visit and what you click on. As a general rule Medvet does not collect sensitive information. However, if we do, it will usually be for the purposes of providing our goods or services and if the law requires us to, Medvet will seek your consent to collect it.
Medvet use your information to provide our services to you, to fulfil administrative functions associated with these services, for example billing, to enter into contracts with you or third parties and for marketing and client relationship purposes.
4. Other Disclosure of Personal Information
Medvet does not disclose personal information that it holds about Clients or Recipients to third parties without their consent, unless permitted under the National Privacy Principles or unless otherwise required by law. Medvet respects the privacy of users visiting our website and does not share any personally identifiable information with any third parties. ...
6. Data Integrity
Medvet only uses personal information necessary to perform the Services requested. Occasionally, Clients provide more personal information than is necessary for that purpose (for example, providing us with a name, street address and e-mail address, when only the name and e-mail address are necessary). In such cases, Medvet identifies and utilises the required data. The rest of the data remains secure and unused until it is destroyed or returned to the Client, upon request. Medvet only stores personal information when specifically requested to do so by the Client, or as part of standard back-up/archiving process.
All archived files are stored in a secure facility.
7. Data Security
Medvet utilises reasonable and appropriate protections to ensure that personal information in its care is not misused or lost or accessed without proper authorisation. Access to personal information stored on Medvet servers is restricted to those employees or contractors who require such access to perform a legitimate business purpose relating to the Services, maintenance, internal security or other related issues. All Medvet employees and contractors, as a prerequisite for employment, are required to sign a strict and detailed confidentiality agreement in relation to the personal information that they will have access to.
It's perhaps time to reconsider industry practice regarding "reasonable and appropriate" practice in handling data and responding to instances where information has wandered out of the "secure facility" or where "reasonable and appropriate" demonstrably is not adequate.
The statement continues -
8. Correction of Personal Information
Medvet takes reasonable steps to ensure that all personal information it holds is accurate, complete and up to date. Clients and other individuals should also promptly notify Medvet if any personal information that Medvet hold about them is incorrect or out of date.
9. Access to Personal Information
Individual Recipients seeking access to their personal information that Medvet has received from its Clients should contact the Client directly. Medvet is happy to provide access to such personal information, to any interested Recipient upon request, providing appropriate identification is made available and the Client consents to the release of the information.
12. Review of Compliance
Medvet will review its compliance with the National Privacy Principles on a regular basis and may amend this Privacy Policy Statement from time to time.
Time, obviously, to do that review and to do it properly.