Care don’t share: what Medvet breach says about Australian privacy laws

Why isn’t more being done to keep our sensitive information from prying eyes?

Participation in Australian society involves providing information about yourself to both public and private sector organisations.

Such information may be sensitive, which raises important questions:

  • Can you expect those organisations to safeguard your information?
  • What happens if they don’t? Can you take legal action?
  • Will a government watchdog be persuasive or merely whip the offender with a limp lettuce leaf?

Last month’s data breach at Medvet – the South Australian state government enterprise that dominates the workplace drug and alcohol testing industry – suggests your expectations of information privacy are misplaced.

The incident shows we need stronger privacy law and meaningful enforcement. We also need a cultural change, whereby institutions regard themselves as data custodians rather than data owners and therefore take their responsibilities more seriously.

In the digital environment there are times where sharing is most certainly not caring.

The tagline on Medvet’s website reads: “Vetting your staff and workplace to reduce your risk”. Unfortunately its own risk management appears poor.

The company’s executives and IT staff allowed customer data – including names, home addresses, phone numbers and the type of drug or paternity test ordered – to be publicly accessible online.

That data was thus crawled and cached by Google and other search engines, potentially remaining accessible to any searcher through those caches even after the original pages were taken down.

Company representatives then failed to respond quickly by using Google’s facility for removing that data from its cache and search results.
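As an added illustration of the technical point above (this is not code from the article or from Medvet), the following Python audit checks whether pages that serve personal data carry the `noindex` and `noarchive` directives that tell Google and other crawlers not to index or cache them, and flags the robots.txt trap that hides those directives from crawlers. The sample responses, the path prefixes and the robots.txt are constructed for the example and are assumptions, not anything found on Medvet’s site.

```python
"""Audit HTTP responses for search-engine indexing and caching directives.
Added example, not Medvet's code and not from the article: the sample
responses, path prefixes and robots.txt below are constructed."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Assumption: paths under these prefixes serve per-customer test results.
SENSITIVE_PREFIXES = ("/results/", "/reports/")

_DIRECTIVE_RE = re.compile(r"\b(noindex|noarchive|nosnippet|nofollow|noimageindex|none)\b")


def _directives(value):
    """Extract robots directives from a header or meta value; 'none' expands."""
    found = set(_DIRECTIVE_RE.findall(value.lower()))
    if "none" in found:
        found.discard("none")
        found.update({"noindex", "nofollow"})
    return found


class _RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots"> and <meta name="googlebot">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= _directives(a.get("content", ""))


def robots_directives(headers, body):
    """Union of directives from X-Robots-Tag headers and robots meta tags."""
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            found |= _directives(value)  # covers "noindex, noarchive" and "googlebot: noindex"
    parser = _RobotsMetaParser()
    parser.feed(body)
    return found | parser.directives


def robots_txt_blocks(robots_txt, path):
    """Simplified robots.txt check: Disallow rules in the 'User-agent: *' group only."""
    in_star = False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "user-agent":
            in_star = val == "*"
        elif key == "disallow" and in_star and val and path.startswith(val):
            return True
    return False


@dataclass
class Finding:
    path: str
    status: str  # "ok", "exposed" or "blocked"
    detail: str


def audit_response(path, headers, body, robots_txt=""):
    """Classify one response: sensitive pages must carry both noindex and noarchive."""
    if not path.startswith(SENSITIVE_PREFIXES):
        return Finding(path, "ok", "not a sensitive path")
    if robots_txt_blocks(robots_txt, path):
        # Crawlers never fetch the page, so they never see noindex; any copy
        # already cached stays cached until a removal request is made.
        return Finding(path, "blocked", "robots.txt hides directives; cached copies persist")
    missing = [d for d in ("noindex", "noarchive") if d not in robots_directives(headers, body)]
    if missing:
        return Finding(path, "exposed", "missing " + ", ".join(missing))
    return Finding(path, "ok", "noindex and noarchive present")


def audit_all(responses, robots_txt=""):
    return [audit_response(p, h, b, robots_txt) for p, h, b in responses]


# Constructed sample responses: (path, headers, body). Names are placeholders.
SAMPLE_RESPONSES = [
    ("/results/12345", [("Content-Type", "text/html")],
     "<html><body><h1>Drug screen result</h1><p>Name: Example Person</p></body></html>"),
    ("/results/12346", [("Content-Type", "text/html"), ("X-Robots-Tag", "noindex, noarchive")],
     "<html><body><h1>Drug screen result</h1></body></html>"),
    ("/results/12347", [("Content-Type", "text/html")],
     '<html><head><meta name="robots" content="noindex"></head><body>result</body></html>'),
    ("/about", [("Content-Type", "text/html")], "<html><body>Public page</body></html>"),
    ("/reports/7", [("X-Robots-Tag", "noindex, noarchive")], "<html><body>report</body></html>"),
]
SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /reports/\n"

if __name__ == "__main__":
    for f in audit_all(SAMPLE_RESPONSES, SAMPLE_ROBOTS_TXT):
        print(f"{f.status:8} {f.path:16} {f.detail}")
```

The `blocked` finding is the trap worth knowing: disallowing a path in robots.txt stops crawlers fetching it, so they never see a `noindex` header, and it does nothing about copies already cached; those still need a removal request through the search engine’s own tooling, which is the facility the article says Medvet was slow to use. For data that should never be public at all, these directives are a second line of defence behind access control, not a substitute for it.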

The company’s executives and communication staff weren’t quick to individually alert customers that their data had gone feral.

Some customers presumably encountered the bad news in newspapers the following day.

The Medvet incident is interesting for two reasons.

The first is that it happened at all. Data breaches are not unusual – they are a recurrent feature of reporting in the mass media.

Journalists and commentators will often express incredulity or outrage when a leading government agency, corporation or university has been hacked, has failed to purge a server or personal computer before it goes on sale, or has lost unencrypted disks, tapes and laptops containing the personal information of thousands of customers or employees.

Such incidents are also a regular feature of technical literature.

Medvet’s executives and IT staff surely should have recognised that unauthorised access to the data in their custody was a risk – a clear, and therefore worrying, possibility.

They do not appear to have managed that risk very well.

The second reason the incident is interesting is that people at Medvet appear to have been slow to respond.

Rather than executing a properly considered response that immediately addressed the breach and went on to alert customers, they appear – from the outside – to have sat on their hands.

Google apparently deleted the cached information after being alerted by “a concerned industry figure, unrelated to Medvet”.

We don’t know what went on in the Medvet executive suite and may not find out for some time; but the dilatory nature of the response is disturbing.

The Medvet data breach tells us something about how organisations treat privacy and how it is enforced.

Medvet’s online Privacy Policy states the organisation is committed to observing the National Privacy Principles in the national Privacy Act.

The policy states that Medvet “does not share any personally identifiable information with any third parties” and that “data remains secure”.

The organisation “utilises reasonable and appropriate protections to ensure that personal information in its care is not misused or lost or accessed without proper authorisation”.

Perhaps it’s time to reconsider what counts as “reasonable and appropriate” industry practice in handling data, and in responding when information has wandered out of the “secure facility”.

The same privacy statement indicates that “Medvet will review its compliance with the National Privacy Principles on a regular basis and may amend this Privacy Policy Statement from time to time”.

It’s time, obviously, to do that review and to do it properly.

Medvet has been unfortunate but there is no reason to believe that such a breach is exceptional.

Other organisations – including universities, government agencies and multinational corporations with the very best information technology money can buy – have experienced unwanted exposure of “their” data, i.e. information about you, me and the people next door.

Sony, for example, had hackers walk off with the details of more than 70 million customer accounts.

Australia needs a privacy watchdog that is quick to act, a watchdog that, like its overseas counterparts in the UK and US, is equipped with the sort of financial penalties that get the attention of executives.

Shaming is not enough: where there is improper sharing we need real punishment to stop future problems.