Who’s reading your health information now?
There can be benefits from sharing health and other personal information among health care professionals and researchers. But any such sharing must be based on an understanding of potential risks.
It must occur only within an effective legal framework, with controls appropriate for those risks. A ‘Trust me, I’m from the government’ approach is a recipe for disaster. So is the sharing of sensitive data with government without full openness, transparency and a legal framework that prevents it from being misused out of the public eye.
Australia’s current health data privacy framework is utterly inadequate. There is inadequate risk assessment, inadequate law, and inadequate enforcement.
This was demonstrated recently by a major independent study from Chris Culnane, Benjamin Rubinstein and Vanessa Teague at Melbourne University, released in the last days of 2017. Their report is here.
In 2016 the Australian government released a large-scale data set relating to the health of many Australians, under the fashionable rubric of ‘open data’. This 10 percent sample included all publicly reimbursed medical and pharmaceutical bills for selected patients, spanning the thirty years from 1984 to 2014.
The data as released was meant to be ‘de-identified’, meaning that it supposedly could not be linked to a particular individual. That was meant to mean that there would be no privacy issues, and the data could be released ‘into the wild’ without controls.
Unfortunately, the government got it wrong. This weak protection was able to be breached. IT security researchers demonstrated that this sensitive health data could be ‘re-identified’. With minimal effort it was possible to get a picture of the health of prominent Australians, or of you and your neighbours.
The research follows similar studies in the US and Europe which have demonstrated the unreliability of existing de-identification techniques in the face of rapidly-evolving artificial intelligence, machine learning, and big data tools. It must be taken seriously.
In response to that earlier study, the Office of the Australian Information Commissioner (OAIC), the national privacy watchdog formerly known as the Privacy Commissioner, announced that it is “investigating the publication of the Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets.”
OAIC has been investigating since September 2016, after the same researchers initially revealed problems with the data by demonstrating it was possible to re-identify practitioner records. More than a year later, in early 2018, the OAIC is still investigating. Meanwhile:
- There has been no public report, nor any warning about the bug in open data – the ability to re-identify it.
- There is no indication of when the report will be released.
- There has been no indication of whether the report will be released in full rather than in the usual redacted version.
- There has been no requirement to reconsider the misplaced trust in the de-identified open data in the face of evidence of its unreliability.
We should be able to trust governments to care for sensitive personal data about ourselves and our families. Clearly some of those who are handling this data either lack expertise or are careless: open data protections can be breached.
The Health Department and its Minister should be held to account. Overseas governments have responded effectively to similar problems: for example, the major Caldicott reports in the UK saw the end of the Care.Data plan to sell the health records of most people in Britain. (The architect of that plan is now the CEO of the Australian Digital Health Agency.)
The OAIC needs to be held to account. The delay of more than a year is unacceptable. So is the fact that there is no end in sight, and that the fundamental, controversial flaw in the rhetoric about the claimed safety of open data remains unrecognised.
It may be that the OAIC lacks expertise and other resources. That is no excuse. Extensive research work done by NICTA, and by independent university researchers like those at Melbourne and other institutions internationally, has identified the growing risks to de-identification as a safe basis for the release of data derived from personal information into a hostile global environment.
Efforts by proponents of open data to promote the safety of de-identification must be met with a more skeptical view.
New Attorney General Christian Porter should provide adequate resources for the national privacy watchdog, so Australians can expect them to investigate the fundamental risks in open data properly, independently, and promptly.
The OAIC should act like a watchdog, not like a timid snail.
Bernard Robertson-Dunn is Australian Privacy Foundation (APF) health committee chair. David Vaile is APF chair. Kat Lane is APF vice chair.