There can be benefits from the ‘sharing’ (distribution) of health and other personal information among health care professionals and researchers. Any such ‘sharing’ must, however, be based on an understanding of potential risks. It must only occur within an effective legal framework, with controls appropriate for those risks. A ‘Trust me, I’m from the government!’ approach is a recipe for pain. So is sharing such sensitive data with government without full openness, transparency and a legal framework that prevents them from misusing it out of the public eye.
The inadequacy of Australia’s current health data privacy framework – inadequate risk assessment, inadequate law, inadequate enforcement – was demonstrated recently by a major independent study from Chris Culnane, Benjamin Rubinstein and Vanessa Teague at Melbourne University, released in the last days of 2017. [1]
In 2016 the Australian government released a large-scale data set relating to the health of many Australians, under the fashionable rubric of ‘Open Data’. [2] This 10% sample included all publicly reimbursed medical and pharmaceutical bills for selected patients spanning the thirty years from 1984 to 2014. The data as released was meant to be ‘de-identified’, meaning that it supposedly could not be linked to a particular individual: and since it would thus raise no privacy issues, it could be released ‘into the wild’, without controls.
Unfortunately, the government got it wrong: this weak protection can be breached. The IT security researchers demonstrated that this sensitive health data can be reidentified: with minimal effort it may be possible to get a picture of the health of prominent Australians, or of you and your neighbours. The research follows similar studies in the United States and Europe demonstrating the unreliability of existing ‘de-identification’ techniques in the face of rapidly evolving artificial intelligence, ‘machine learning’ and Big Data tools. It must be taken seriously.
In response to that earlier study, the Office of the Australian Information Commissioner (OAIC), the national privacy watchdog formerly known as the Privacy Commissioner, announced that it is “investigating the publication of the Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets”. OAIC has been investigating since September 2016, after the same researchers initially revealed problems with the data by demonstrating it was possible to re-identify practitioner records. [3]
More than a year later, in 2018, the OAIC is still investigating.
- There has been no public report, nor warning about the bug in ‘Open Data’.
- There is no indication of when the report will be released.
- There has been no indication of whether the report will be released in full rather than in the usual redacted version.
- There has been no requirement to reconsider the misplaced trust in ‘de-identification’ of ‘Open Data’ in the face of evidence of its unreliability.
You should be able to trust governments to care for sensitive personal data about yourself and your family. Clearly some of those who are handling this data either lack expertise, or are careless: it appears that ‘Open Data’ protections can be breached.
The Health Department and its Minister should be held to account. Overseas governments have responded effectively to similar problems: for example, the major Caldicott reports in the UK saw the end of the ‘Care.Data’ plan to sell the health records of most people in Britain. (The architect of that plan is now the CEO of the Australian Digital Health Agency.)
The OAIC should also be held to account. The delay of more than a year is unacceptable. So is the fact that there is no end in sight, and that the fundamental, controversial flaw in the rhetoric about the claimed safety of ‘Open Data’ remains unrecognised.
It may be that the OAIC lacks expertise and other resources. That is no excuse. (Extensive research work done by NICTA, and by independent university researchers like those at Melbourne and other institutions internationally, identifies the growing risks to ‘de-identification’ as a safe basis for the release of data derived from personal information into a hostile global environment. Efforts by proponents of ‘Open Data’ to promote the safety of de-identification must be met with a more sceptical view.)
It is time for the new Attorney General to provide adequate resources for the national privacy watchdog, so Australians can expect them to investigate the fundamental risks in ‘Open Data’ properly, independently, and promptly.
The OAIC should act like a watchdog, not like a rather timid snail.
Media contacts:
- Bernard Robertson-Dunn, APF health committee chair, 0411157113
- David Vaile, APF chair, 0414731249
- Kat Lane, APF vice chair, 0447620694
Sources:
[1] Detailed report: Chris Culnane, Benjamin Rubinstein and Vanessa Teague, ‘Health Data in an Open World’, arXiv ‘Computers and Society’ pre-print, December 2017 <https://arxiv.org/abs/1712.05627>. Explanation: ‘The simple process of re-identifying patients in public health records’, <https://pursuit.unimelb.edu.au/articles/the-simple-process-of-re-identifying-patients-in-publichealth-records>
[2] See the Australian government Open Data web site: <http://data.gov.au/>
[3] OAIC <https://www.oaic.gov.au/media-and-speeches/statements/australian-privacycommissioner-s-investigation-into-published-mbs-and-pbs-data-sets>