ARIEL BASTIAN
Senior Associate | Corporate Commercial
As we entered the new year, Privacy Commissioner Carly Kind got to work on a privacy complaint made against Services Australia.
In an unfortunate turn of events, the Commissioner found that the agency had violated several key Australian Privacy Principles (APPs).
The case stemmed from a complaint filed by an individual whose personal records were mistakenly intertwined with those of other individuals due to processing errors made by Services Australia’s staff.
The breaches in question were:
It seems that the complainant’s personal information, including sensitive data, was accidentally merged with records belonging to other customers. This mix-up likely occurred because multiple individuals shared similar names and dates of birth. [After years of withstanding school yard taunts, the author’s unique name finally pays off!]
These errors resulted in the unauthorised disclosure of private information. A breach of the APPs – and trust.
The author acknowledges that Services Australia delivers crucial services to millions of Australians; the very nature of Services Australia requires it to collect and handle sensitive information relating to customers’ health and welfare, financial situation, disabilities, citizenship status and family circumstances.
At the heart of the issue were processing errors made by Services Australia staff. Despite having safeguards in place, such as “caution flags” designed to alert staff to potential data integrity issues, the agency’s internal protocols were deemed insufficient, as they led to personal information being inadvertently disclosed.
The processing errors included:
Services Australia had established guidelines for managing instances of intertwined Medicare records, including the use of “caution flags” to alert staff to potential data integrity issues. The guidelines stipulated the following procedures for Services Australia staff when managing intertwined Medicare records:
Despite these guidelines, the Privacy Commissioner found that the steps taken by Services Australia during the relevant period were not reasonable because they failed to protect the complainant’s personal information from unauthorised disclosure on multiple separate occasions over an extended period. The repetition of incidents suggested that the measures were inadequate and ineffective in appropriately protecting the complainant’s personal information.
In response to the breach, the Privacy Commissioner ordered several corrective actions:
Our four takeaways from the Services Australia case:
As privacy breaches continue to make headlines around the world, this is but another decision which underscores the need for ongoing vigilance and improvements in data protection practices.
Article written by Ariel Bastian and Anna Kosterich.