Publication date: 23 November 2018

Privacy Act 1988

Undertaking to the Australian Information Commissioner

under section 33E of the Privacy Act 1988

by

Department of Health ABN 83 605 426 759

Person giving the Undertaking

1 This Undertaking is given to the Australian Information Commissioner (Commissioner) by the Department of Health ABN 83 606 426 759 (Department), an “Agency” within the meaning of the Public Service Act 1999 and the Privacy Act 1988, under section 33E of the Privacy Act.

Background

2 On 1 August 2016 the Department published on data.gov.au (a portal designed to provide an easy way to find, access and reuse public data) a collection of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) related data. The data consisted of claims information for a 10% sample of individuals ie patients who had made a claim for payment of Medicare Benefits since 1984 or for payment of Pharmaceutical Benefits since 2003 (10% datasets).

3 The Department considered that use of the 10% datasets by health researchers, consumer interests and participants in the health system would deliver significant benefits to the health system, including:

  1. better access to evidence to inform the Government’s decisions about which health policies and programs to invest in
  2. a better understanding of what works, how well, for what cost, and in what circumstances; and
  3. a more efficient health system, by supporting the most cost-effective treatments, strategies and interventions on broad-based independent evidence

4 The Department took a range of steps to de-identify the 10% datasets before their public release. These steps included:

  1. encryption (through the use of a pseudo-random number generator) and expansion of digits of patient identifier numbers and provider numbers
  2. removal of rare events
  3. including only the year of birth of a patient, rather than the full date of birth
  4. removal of patients over the age of 100; and
  5. perturbation of dates of service (+ or – up to 14 days)

5 On 8 September 2016:

  1. three academics from the School of Computing and Information Systems at the University of Melbourne contacted the Australian Bureau of Statistics (ABS) in writing to inform the ABS of deficiencies they had identified in relation to the manner of encryption of the provider numbers in the 10% datasets which they considered enabled them to convert the encrypted provider numbers into provider numbers assigned to health practitioners for the purposes of the Health Insurance Act 1973 (Medicare provider numbers) (the Discovered Vulnerability)
  2. the ABS passed the written communication received from the academics to the Department; and
  3. the Department removed the 10% datasets from the data.gov.au portal, contacted the lead researcher from the University of Melbourne and received an assurance that the academics had no intention to publish any decrypted information or the Discovered Vulnerability

6 On 9 September 2016:

  1. the Department voluntarily notified the Commissioner of the Discovered Vulnerability; and
  2. the Commissioner commenced an investigation on his own initiative under section 40(2) of the Privacy Act into the publication by the Department of the 10% datasets

7 On 12 September 2016, the Department commissioned an independent review of the events that led to the publication of the 10% datasets with the Discovered Vulnerability (Independent Review). The Department received the results of the Independent Review on 29 September 2016, and on the same date, made a public announcement in relation to the Discovered Vulnerability in the 10% datasets.

8 Recommendations were made by the Independent Review. Those recommendations have been accepted and implemented by the Department and were as follows:

  1. Data release policies for the Department should include a requirement for specific testing of confidentialisation measures for all public releases of unit-level or patient level data to confirm that they are appropriate to meet the Department’s risk appetite for data release. Such testing should be undertaken by qualified personnel with relevant skills including (as required) cryptography and data analysis.
  2. The Department should continue and accelerate its implementation of centralisation of certain aspects of data governance in order to increase consistency of approach and decision making for data access. Further, the central governance body should develop a comprehensive set of guidance for line areas that hold data to ensure consistent approaches.
  3. Data release policies for the Department should include a requirement for all public releases of unit-level or patient-level data to be reviewed and approved by the responsible Deputy Secretary.
  4. Data release policies for the Department should include a requirement for all public releases of unit-level or patient-level data to apply departmental project management disciplines and risk assessment and management disciplines consistent with those applied for data integration projects.

9 On 7 December 2016, the Department of the Prime Minister and Cabinet published a process setting out a method that Australian Government agencies need to follow to release sensitive unit record datasets as open data (Whole of Government Sensitive Unit Record Open Data Process).[1]

10 The Commissioner has acknowledged that once the Department became aware of the Discovered Vulnerability, the Department’s response was quick and comprehensive. It acted to rapidly remove the 10% datasets from public access and enhanced its processes to ensure that such an error would not be repeated.

11 The term ‘personal information’ in the Privacy Act is defined in section 6(1) to mean:

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not

12 In the course of conducting his investigation under s 40(2) of the Privacy Act, the Commissioner has considered, amongst other things, analysis of the 10% datasets as published on the data.gov.au portal performed by:

  1. the three academics from the University of Melbourne who alerted the ABS to the Discovered Vulnerability
  2. Data61 (a division of CSIRO described as “world leaders in data science research”[2]); and
  3. the Australian Signals Directorate

13 The Commissioner has noted that at the time of the investigation there was not sufficient evidence before the Commissioner to conclude that patients who made claims for Medicare benefits or PBS benefits (details of which were included in the 10% datasets) were ‘reasonably identifiable’ for the purposes of the Privacy Act.

14 As at the date the Department offers this undertaking, no individual, be they a provider or a patient, has complained to the Department that the publication of the 10% datasets by the Department interfered with the privacy of that individual .

Commissioner’s investigation

15 The Commissioner has indicated (based on the evidence available from his investigation) to the Department that he considers that, although the Department acted in good faith, had no intention of disclosing personal information and took measures to de-identify the data before releasing it, the Department:

  1. disclosed personal information about providers on that basis that they were reasonably identifiable, in contravention of Australian Privacy Principle (APP) 6, by publishing the 10% datasets on the data.gov.au portal with the Discovered Vulnerability
  2. for the purpose of preparing for publishing the 10% datasets, failed to take reasonable steps to protect personal information it held, in contravention of APP 11; and
  3. failed to take steps that were reasonable in the circumstances to implement practices, procedures and systems to ensure that the Department complied with the APPs when publishing the 10% datasets, in contravention of APP 1

Acknowledgements

16 The Department acknowledges that:

  1. it could have employed a more robust encryption methodology to prevent the decryption of the provider number field when selecting the method of encryption to be used in respect of certain fields in the 10% datasets; and
  2. the information included in the 10% data sets potentially enabled persons who were highly skilled and committed to identify some providers. The Department acknowledges that the three academics from the University of Melbourne did decrypt the provider numbers in the MBS dataset. The Department is not aware of any providers actually being identified as such

Duration of Undertaking

17 This Undertaking comes into effect when:

  1. it is executed by the Department; and
  2. this undertaking, so executed, is accepted by the Commissioner (the Commencement Date)

18 Upon the Commencement Date, the Department undertakes to assume the obligations set out in paragraphs 20 and 21 below for the purposes of section 33E of the Privacy Act.

19 This undertaking ceases to have effect two (2) years from the Commencement Date, or 2 years from completion of the items listed in paragraph 20 a-d, whichever is later.

Undertaking

20 The Department undertakes:

  1. to engage, after consultation with the Commissioner, a suitably qualified independent external person to conduct a review and report to the Secretary of the Department within six months of the Commencement Date as to compliance of the Department’s policies and procedures for the release of data based on personal information, with APP 1 and APP 11, including in particular, whether the Department has satisfactorily implemented the recommendations made by the Independent Review and to report on the effectiveness of the Data Governance and Release Framework and adherence to it by the Department (the First Report)
  2. to provide a copy of the First Report to the Commissioner
  3. after six months and within 12 months after the First Report is provided to the Secretary of the Department, to engage a suitably qualified independent external person (which may be the same qualified independent external person as in 20 a above) to audit and report on the adequacy of the Department’s implementation of and response to, any recommendations made in the First Report (the Second Report)
  4. to provide a copy of the Second Report to the Commissioner; and
  5. that if the Department proposes to release sensitive unit record datasets[3] as open data, it will:
    • treat the proposal as a ‘high privacy risk project’ for the purposes of the Privacy (Australian Government Agencies — Governance) APP Code 2017; and
    • follow the Whole of Government Sensitive Unit Record Open Data Process as in existence from time to time including considering alternatives to public release of such datasets, such as release to trusted recipients and release in secure environments

Provision of information to the Commissioner

21 The Department will provide all relevant documents and information requested by the Commissioner from time to time for the purpose of assessing the Department’s progress against the terms of this undertaking.

Recognitions

22 The Department recognizes that the Commissioner:

  1. may issue a media release, media interview or social media posts on execution of this undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking
  2. may from time to time publicly refer to this undertaking, including any breach of this undertaking by the Department; and
  3. will publish this undertaking on the Commissioner’s website

23 The Department recognizes that:

  1. this undertaking in no way derogates from the rights and remedies available to any individual arising from the publication of the 10% datasets on data.gov.au; and
  2. if the Commissioner considers that the Department has breached the undertaking, the Commissioner may apply to the Federal Court of Australia or the Federal Circuit Court of Australia for an order under section 33F(2) of the Privacy Act

Executed as an undertaking by

Mark Cormack, Deputy Secretary Health Financing on behalf of the Department of Health ABN 83 605 426 759

Date: 21/03/2018

Accepted by the Australian Information Commissioner pursuant to section 33E of the Privacy Act:

Date: 23/03/2018

Variation of Enforceable Undertaking (October 2018)

Privacy Act 1988

Enforceable Undertaking to the Australian Information Commissioner

under section 33E of the Privacy Act 1988

by Department of Health ABN 83 605 426 759

Definitions

1 Defined terms used in this variation of the enforceable undertaking executed by the Department of Health (Department) on 21 March 2018, which the Australian Information Commissioner (Commissioner) accepted on 23 March 2018, pursuant to section 33E of the Privacy Act 1988 (Privacy Act) (Undertaking), have the same meaning as in the Undertaking.

Background

2 Under subparagraph 20.a. of the Undertaking the Department undertook to engage, after consultation with the Commissioner, a suitably qualified independent external person to conduct a review and report to the Secretary of the Department within six months of the Commencement Date as to compliance of the Department’s policies and procedures for the release of data based on personal information, with APP 1 and APP 11, including in particular, whether the Department has satisfactorily implemented the recommendations made by the Independent Review and to report on the effectiveness of the Data Governance and Release Framework and adherence to it by the Department (the First Report).

3 The Department has engaged a suitably qualified independent external person to conduct a review but has sought an additional 8 weeks within which to provide the First Report to the Secretary of the Department.

4 The Commissioner considers it fair and reasonable in all the circumstances to grant an additional 8 weeks within which to provide the First Report and offers this variation of the Undertaking accordingly.

Variation of Undertaking

5 Under subsection 33(3) of the Privacy Act the Department varies the Undertaking and the Commissioner consents to the variation as follows:

  1. In subparagraph 20.a. delete “within 6 months of the Commencement Date” and replace with “on or before 19 November 2018”.

Acknowledgements

6 The Department acknowledges that the Commissioner:

  1. may issue a media release, media interview or social media posts on execution of this variation referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the variation
  2. may from time to time publicly refer to this variation, including any breach by the Department of the Undertaking as varied; and
  3. will publish this variation on the Commissioner’s website

Executed as a variation to the Undertaking by

Shane Porter, Assistant Secretary on behalf of the Department of Health ABN 83 605 426 759

Date: 18/10/2018

Accepted by the Australian information Commissioner pursuant to section 33E of Privacy Act

Date: 19/10/2018

Variation of Enforceable Undertaking (November 2018)

Privacy Act 1988

Enforceable Undertaking to the Australian Information Commissioner

under section 33E of the Privacy Act 1988

by Department of Health ABN 83 605 426 759

Definitions

1 Defined terms used in this variation of the enforceable undertaking executed by the Department of Health (Department) on 21 March 2018, which the Australian Information Commissioner (Commissioner) accepted on 23 March 2018, pursuant to section 33E of the Privacy Act 1988 (Privacy Act) (Undertaking), have the same meaning as in the Undertaking.

Background

2 Under subparagraph 20.a. of the Undertaking the Department undertook to engage, after consultation with the Commissioner, a suitably qualified independent external person to conduct a review and report to the Secretary of the Department within six months of the Commencement Date as to compliance of the Department’s policies and procedures for the release of data based on personal information, with APP 1 and APP 11, including in particular, whether the Department has satisfactorily implemented the recommendations made by the Independent Review and to report on the effectiveness of the Data Governance and Release Framework and adherence to it by the Department (the First Report).

3 The Department has engaged a suitably qualified independent external person to conduct a review.

4 The Department initially sought an additional 8 weeks within which to provide the First Report to the Secretary of the Department. The Commissioner granted an extension of time and the First Report was due to be provided to the Commissioner by 19 November 2018 (the First Variation)

5 The Department has requested a further extension in order to clarify a number of points raised by the external person in the course of finalising the First Report.

6 The Commissioner considers it fair and reasonable in all the circumstances to grant an additional 4 weeks within which to provide the First Report and offers this variation of the Undertaking accordingly.

Variation of Undertaking

7 Under subsection 33E(3) of the Privacy Act the Department varies the Undertaking (including the First Variation) and the Commissioner consents to the variation as follows:

  1. In subparagraph 20.a. delete “on or before 19 November 2018” and replace with “on or before 17 December 2018”.

Acknowledgements

8 The Department acknowledges that the Commissioner:

  1. may issue a media release, media interview or social media posts on execution of this variation referring to its terms and to the circumstances, which led to the Commissioner’s acceptance of the variation
  2. may from time to time publicly refer to this variation, including any breach by the Department of the Undertaking as varied; and
  3. will publish this variation on the Commissioner’s website

Executed as a variation to the Undertaking by

Shane Porter, Assistant Secretary on behalf of the Department of Health ABN 83 605 426 759

Date: 23/11/2018

Accepted by the Australian Information Commissioner pursuant to section 33E of the Privacy Act

Date: 23/11/2018

Footnotes

[1] The process is available at https://blog.data.gov.au/news-media/blog/publishing-sensitive-unit-record-level-public-data as at the date the Department offers this undertaking.

[2] See https://www.data61.csiro.au/en/Who-we-are (accessed as at the date this undertaking is executed by the Department)

[3] For the purposes of this undertaking, sensitive unit record dataset means a dataset that includes unit record level data, such as personal information.