Australian Government - Office of the Australian Information Commissioner - Home

Australian Information Commissioner and Privacy Commissioner’s investigation into published MBS / PBS dataset finalised

29 March 2018

The Australian Information Commissioner and Privacy Commissioner, Timothy Pilgrim, concluded his investigation into the Department of Health’s publication of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) data on 23 March 2018. The investigation concluded by way of an enforceable undertaking offered by the Department, and accepted by the Commissioner.

The Commissioner considered that the risk of re-identifying medical providers whose information was in the dataset was not sufficiently low, and that the Department’s processes for assessing the risks associated with publication were inadequate. The Commissioner’s view was that, in the course of publishing the dataset, the Department breached the Privacy Act 1988 (Cth).

In accepting an enforceable undertaking, the Commissioner acknowledged that the breaches were unintentional, and that the Department’s decision to publish the dataset was made on the understanding that the privacy interests of all relevant individuals were protected. The Commissioner noted the cooperative manner in which the Department approached the investigation, the quick and comprehensive steps it took to minimise the privacy impact of the incident once it was alerted to the risk of re-identification, and the improvements it has since put in place to enhance its data governance and release processes.

The Commissioner considered that the enforceable undertaking, which will require the Department to continue to review and enhance its data governance and release processes with oversight from the OAIC, was an appropriate regulatory outcome for his investigation.

This incident holds important lessons for custodians of valuable datasets containing personal information. Determining whether information has been appropriately de-identified requires careful, expert, and likely independent evaluation. Who the information is released to must also be considered.

Appropriate processes should sit behind any decision to release de-identified personal information. This incident offers an opportunity for Australian Government agencies to strengthen their approach to publishing data derived from personal information. Since this incident, the Australian Government has developed a Process for Publishing Sensitive Unit Record Level Public Data as Open Data, providing guidance on releasing datasets related to personal information.

In July 2018, the Privacy (Australian Government Agencies – Governance) APP Code 2017 will take effect, and will provide additional privacy protection standards for Australian Government agencies.

Realising the value of public data to the benefit of the community is dependent on the public’s confidence that privacy is protected. The OAIC continues to work with Australian Government agencies to enhance privacy protection in published datasets. Recently the OAIC and CSIRO’s Data61 jointly published the De-identification Decision-Making Framework (DDF). This provides guidance to Australian organisations that handle personal information on meeting their ethical responsibilities and legal obligations (such as those under the Privacy Act) when considering how datasets may be shared or released. The OAIC has also recently released an updated guide on De-identification and the Privacy Act, and a Guide to Data Analytics and the Australian Privacy Principles.

Australian Information and Privacy Commissioner’s investigation into published MBS and PBS datasets

18 December 2017

The Australian Information and Privacy Commissioner is currently investigating the publication of the Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets on data.gov.au. The investigation was opened under section 40(2) of the Australian Privacy Act 1988 (Privacy Act) in late September 2016 when the Department of Health notified the OAIC that the datasets were potentially vulnerable to re-identification.

Given the investigation into the MBS and PBS datasets is ongoing, we are unable to comment on it further at this time. However, the Commissioner will make a public statement at the conclusion of the investigation.

Realising the value of public data to innovations that benefit the community at large is dependent on the public’s confidence that privacy is protected. The OAIC continues to work with Australian Government agencies to enhance privacy protection in published datasets. A recent example is the De-identification Decision-Making Framework developed by CSIRO’s Data61 and the OAIC. This provides guidance to Australian organisations that handle personal information on meeting their ethical responsibilities and legal obligations (such as those under the Privacy Act) when considering how datasets may be shared or released.

Australian Privacy Commissioner’s investigation into published MBS and PBS data sets

29 September 2016

The Department of Health has notified me of a potential vulnerability within the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme datasets, published on data.gov.au.

Based on the information provided, I have opened an investigation under section 40(2) of the Australian Privacy Act 1988.

The primary purpose of the investigation is to assess whether any personal information has been compromised or is at risk of compromise, and to assess the adequacy of the Department of Health’s processes for de-identifying information for publication.

I welcome the decision of the Department of Health to immediately suspend access to the data set.

The results of my investigation will be published at its conclusion.

Timothy Pilgrim PSM
Australian Privacy Commissioner 
Acting Australian Information Commissioner
