Depts must take care with data
As more and more private information about individuals is collected by government departments, and retained and shared between them, many people have rightly become concerned about how it is handled and what is done with it. As the wholesale accidental release of information from such departments as the Accident Compensation Commission, the Earthquake Commission and the Internal Revenue Department have shown, their track record in keeping private information and data systems secure has hardly been a sparkling one. Concerns about the security of private information and how that private data is handled can only be expected to grow as increasingly sensitive information, such as health records, goes online.
As the collection of information by government departments has increased exponentially, so has the sharing and matching of it. Oversight of data sharing and data matching is provided by the office of Privacy Commissioner Marie Shroff. Reports from her office suggest that not all departments have developed systems to ensure the information they receive is dealt with appropriately.
Regulations and protocols developed for information exchange provide that the information should be used only for specific purposes and in some cases must be destroyed once used for that purpose. This reflects a provision in the Privacy Act that agencies may only collect information for a lawful purpose connected with the function of the agency and that the information is necessary for that purpose. Over the course of last year, the Privacy Commissioner found that a number of agencies do not have sufficiently robust processes for destroying data and some had used it for purposes other than those for which it had been provided. Others did not store it properly.
The exchange of information between departments has many benefits in tracking down those who one way or another are defaulting on their obligations to the Government. The value of it is obvious when it is seen that the Justice Department alone was able to use it to recover $80 million in unpaid fines.
The breaches found by the Privacy Commissioner are being fixed. But it is crucial for public confidence that departments have systems that comply with the rules automatically rather than having to repair them after they've been found to have fallen short. As Shroff notes, this is a highly complex environment with huge amounts of citizens' data being handled. That is all the more reason for vigilance.
That vigilance appears to be being practised by the Canterbury District Health Board as tens of thousands of patient medical records go online. Such records, it goes without saying, can contain extremely sensitive information.
In the first two months of the system's operation, audits designed to safeguard the information raised red flags in 70 instances of what appeared to be unauthorised access to the files. So far, none of them has been found to be improper. That may suggest the system is perhaps over-alert but that is far preferable to it being too loose.