
Guidelines sidelined: The cost of human error

03 Mar 2025

Cases

As we entered the new year, Privacy Commissioner, Carly Kind, got to work on a privacy complaint made against Services Australia. 

In an unfortunate turn of events, the Commissioner found that the agency had violated several key Australian Privacy Principles (APPs). 

What happened?

The case stemmed from a complaint filed by an individual whose personal records were mistakenly intertwined with those of other individuals due to processing errors made by Services Australia’s staff. 

The breaches in question were:

  • APP 11.1: Failure to take reasonable steps to protect personal information from unauthorised disclosure.
  • APP 10.2: Failure to take reasonable steps to ensure the quality of personal information before using or disclosing it.
  • APP 6.1: Unauthorised disclosure of personal information.

It seems that the complainant’s personal information, including sensitive data, was accidentally merged with records belonging to other customers. This mix-up likely occurred because multiple individuals shared similar names and dates of birth.  [After years of withstanding school yard taunts, the author’s unique name finally pays off!]

These errors resulted in the unauthorised disclosure of private information. A breach of the APPs – and trust.

The author acknowledges that Services Australia delivers crucial services to millions of Australians; the very nature of Services Australia requires it to collect and handle sensitive information relating to customers’ health and welfare, financial situation, disabilities, citizenship status and family circumstances.  

What went wrong? 

At the heart of the issue were processing errors made by Services Australia staff. Despite having safeguards in place, such as “caution flags” designed to alert staff to potential data integrity issues, the agency’s internal protocols were found to be insufficient, because they did not prevent the complainant’s personal information from being inadvertently disclosed.

The processing errors included:

  1. incorrectly updating the complainant’s Medicare records with the address of another customer;
  2. assigning the complainant’s complete COVID and influenza vaccination history to the record of another Medicare customer;
  3. sending the complainant’s new Medicare card to a third party…twice;
  4. sending the complainant a Medicare Safety Net Threshold notice relating to a third party and the third party’s children; and 
  5. assigning the complainant’s COVID vaccination history to another customer’s record due to a manual error.

Services Australia had established guidelines for managing instances of intertwined Medicare records, including the use of “caution flags” to alert staff of potential data integrity issues.  The guidelines stipulated the following procedures for Services Australia staff when managing intertwined Medicare records:

  1. If an intertwined record is identified or suspected, staff are required to search the Consumer Directory Maintenance System to determine whether an intertwined flag has been set on a customer record.
  2. If a record has an intertwined flag, a caution or suspend flag message will display on the customer’s records.
  3. Where no intertwined flag has been set, the Medicare Customer Data Integrity Unit is to be notified to put a caution flag on the Medicare customer records and investigate.
  4. Once the Medicare customer records have been corrected, a resolved flag is placed on each of the affected records.
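The four-step guideline above is, in effect, a gate: a record that is flagged (or that looks like another record) must not be updated or used for outbound correspondence until the integrity unit has cleared it. The sketch below is an added example written for this article to show what that gate looks like when the system, not the operator, enforces it; it is not Services Australia’s Consumer Directory Maintenance System, and every class, field and function name in it is invented. The sample customers are constructed: two records that share a name and date of birth, which is exactly the collision the case turned on.

```python
# Added example: a toy model of the "caution flag" workflow described above.
# Illustrative only; not Services Australia code. All names are invented.
from dataclasses import dataclass, field
from enum import Enum


class Flag(Enum):
    NONE = "none"          # no known integrity issue
    CAUTION = "caution"    # suspected intertwined record, referred for investigation
    SUSPEND = "suspend"    # record frozen by the integrity unit
    RESOLVED = "resolved"  # records corrected and confirmed distinct


@dataclass
class MedicareRecord:
    customer_id: str
    name: str
    dob: str                      # ISO date, e.g. "1980-04-02"
    address: str
    flag: Flag = Flag.NONE
    vaccinations: list = field(default_factory=list)


class IntegrityHold(Exception):
    """Raised when an operation is blocked by an intertwined-record flag."""


class Directory:
    def __init__(self):
        self.records = {}
        self.integrity_queue = []  # referrals to the (hypothetical) data integrity unit

    def add(self, rec):
        self.records[rec.customer_id] = rec

    @staticmethod
    def _key(rec):
        # Names differing only in case or spacing are the classic source of mix-ups.
        return (" ".join(rec.name.casefold().split()), rec.dob)

    def lookalikes(self, rec):
        return [r for r in self.records.values()
                if r is not rec and self._key(r) == self._key(rec)]

    def gate(self, customer_id):
        """Steps 1-3 of the guidelines: refuse to touch a record while a caution or
        suspend flag is set, and flag + refer any record with an uncleared lookalike."""
        rec = self.records[customer_id]
        if rec.flag in (Flag.CAUTION, Flag.SUSPEND):
            raise IntegrityHold(f"{customer_id}: {rec.flag.value} flag set, refer to integrity unit")
        suspects = [r for r in self.lookalikes(rec)
                    if not (rec.flag is Flag.RESOLVED and r.flag is Flag.RESOLVED)]
        if suspects:
            group = [rec, *suspects]
            for r in group:
                r.flag = Flag.CAUTION
            self.integrity_queue.append(tuple(sorted(r.customer_id for r in group)))
            raise IntegrityHold(f"{customer_id}: possible intertwined record, caution flag set")
        return rec

    # Every write to a record, and every operation that sends something out of the
    # agency, passes through the gate, so a mix-up cannot silently become a disclosure.
    def update_address(self, customer_id, new_address):
        self.gate(customer_id).address = new_address

    def assign_vaccination(self, customer_id, event):
        self.gate(customer_id).vaccinations.append(event)

    def issue_card(self, customer_id):
        rec = self.gate(customer_id)
        return (rec.name, rec.address)  # what would be printed on the mailed card

    def resolve(self, customer_ids):
        """Step 4: once the integrity unit has corrected the records, mark them resolved."""
        for cid in customer_ids:
            self.records[cid].flag = Flag.RESOLVED


def demo():
    """Constructed sample data: two customers who share a name and date of birth."""
    d = Directory()
    d.add(MedicareRecord("A1", "Jane Citizen", "1980-04-02", "1 First St"))
    d.add(MedicareRecord("B2", "jane  citizen", "1980-04-02", "9 Ninth Ave"))
    try:
        d.update_address("A1", "9 Ninth Ave")  # the address mix-up in error 1 above
    except IntegrityHold as e:
        print("blocked:", e)
    d.resolve(["A1", "B2"])        # integrity unit has investigated and corrected
    d.update_address("A1", "2 Second St")
    return d


if __name__ == "__main__":
    d = demo()
    print(d.integrity_queue, d.issue_card("A1"))
```

The design point is where the check lives. In the guidelines, step 1 relies on a staff member deciding to search for a flag; in the sketch, `gate` runs on every address change, vaccination assignment and card issue, so the first mixed-up update is refused and referred rather than discovered after the card has gone to the wrong household. The lookalike check also fires before any flag exists, which is the “suspected” branch of step 1 that a busy operator is most likely to skip.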

The Outcome: 

Despite these guidelines, the Privacy Commissioner found that the steps taken by Services Australia during the relevant period were not reasonable because they failed to protect the complainant’s personal information from unauthorised disclosure on multiple separate occasions over an extended period. The repetition of incidents suggested that the measures were inadequate and ineffective in appropriately protecting the complainant’s personal information.

In response to the breach, the Privacy Commissioner ordered several corrective actions:

  1. A written apology to the complainant for the mishandling of their personal information.
  2. A review of Services Australia’s guidelines related to intertwined records to ensure more effective safeguards are in place.
  3. $10,000 in compensation for the complainant, compensating for the non-economic loss caused by the privacy violation.

Key Takeaways: 

Our four takeaways from the Services Australia case:

  1. Regular auditing and correction of data: Internal practices, procedures and systems must be in place to audit, monitor, identify and correct poor quality personal information.
  2. Regular training for staff: No policy, guideline, or system can be effective without the people behind it being properly trained. Staff must be made aware of potential risks, best practices, and the consequences of mishandling sensitive data.
  3. System alerts and escalation processes: Systems must be equipped with clear alerts and escalation processes to catch errors before they snowball into breaches.
  4. Checks and balances for both human and automated procedures: It’s not enough to have automated data integrity measures in place. Human error is inevitable, but the damage can be minimised by ensuring strong checks and balances are in place. 

As privacy breaches continue to make headlines around the world, this is but another decision which underscores the need for ongoing vigilance and improvements in data protection practices. 

Article written by Ariel Bastian and Anna Kosterich.
