Thursday 27 April 2017

Of course, certainly, we keep your personal information safe from prying eyes!


Anyone who is certain that all information a state/federal government department/agency or civil corporation holds about their social, financial, genealogical or health status is strictly protected from prying eyes needs to seriously question why they appear to hold that unsafe assumption.

The Sydney Morning Herald, 21 April 2017:

More than 700 public patients have had their privacy breached and potential delays in their follow up care after more than 1600 medical letters were found dumped in a Sydney bin.

NSW Health is investigating the incident involving a sub-contractor for a company tasked with transcribing medical letters sent from specialists to general practitioners.

On Tuesday, April 11, a man found piles of follow-up letters containing patient details stuffed into a garbage bin at an apartment block in Ashfield. It is understood there were more than 1600 documents in total. Some of the letters were duplicates. 

The man called in his neighbour, a female health worker, who recognised the documents were out-patient letters and contacted Ashfield police. 

A sub-contractor for Global Transcription Services (GTS) was supposed to take the letters home to post but instead stuffed them into the bin. The young woman had been dealing with personal upheaval and health issues, Health Minister Brad Hazzard said on Thursday, adding it was inappropriate to comment further.

The letters related to 768 public hospital patients from Royal North Shore, Gosford Hospital outpatients and Cancer Centre and Dubbo Hospital Cancer Centre.

There were also 700 letters relating to patients from six private providers: Chris O'Brien Lifehouse, providing services to Dubbo Cancer Clinic, Northern Cancer Institute (Frenchs Forest and St Leonards), Sharp Neurology, Southside Cancer Care Centre, Strathfield Retina Clinic and the Woolcock Institute.

Newcastle Herald, 17 April 2017:

The NSW privacy commissioner has called for a thorough investigation after thousands of photo ID cards, including gun licences, were mistakenly sent to the wrong people in a "significant" security breach.

A total of 2693 cards were sent to the wrong people earlier this month.

Among the documents mailed out were 2000 driver's licences, 104 firearm licences, 318 permits to use disabled parking, 242 proof of age cards, 26 security licences and 3 commercial and private investigator licences.

It is understood people affected went to Service NSW to apply for their licence on April 5, with the licences printed at the agency's card operations centre on April 7.

The error was discovered four days later. Service NSW informed police, Roads and Maritime Services and the privacy commissioner.

Shortly afterwards, gun shops were contacted by police and told to be "extra vigilant" in checking licences until all licences sent to the wrong address were retrieved, News Corp reported.

Those affected have been advised to "be alert to activities that may indicate their identity is being misused by others".

Acting NSW Privacy Commissioner Elizabeth Coombs said the breach was significant as it involves the identity of members of the public.

"These cards contain personal information that can identify individuals. Health information, which is even more sensitive, appears to have also been affected (eg on disability status)," Dr Coombs said.

"This breach is of particular concern as it occurs at a time when the NSW Government is increasing its digital interaction and service provision with the NSW community.

Education HQ Australia, 12 April 2017:

The traumatic, sensitive details of a Victorian mother's life lingered online for days after the education department thought it had dealt with a privacy breach.

The woman was one of 120 people affected when the Victorian education department inadvertently published personal details of parents online after receiving 558 submissions on proposed new regulations for state education.

The department thought it had taken the documents offline, but they were still publicly available five days after the breach, with several still listed on Google's search engine on Wednesday afternoon.

The Australian, 7 April 2017:

A Senate committee which investigated secret Defence training that teaches soldiers how to deal with being taken prisoners of war accidentally disclosed the confidential evidence of witnesses to each other.

On March 7, the Senate Foreign Affairs, Defence and Trade references committee took evidence from witnesses in-camera, which means it wasn't a public hearing, as part of an inquiry into training procedures for resistance to interrogation and conduct after capture.

Witnesses were posted copies of their transcripts to check over by registered mail, but the committee accidentally sent witnesses all transcripts rather than just individual ones.

Crickey.com.au, 4 April 2017:

Qantas customers’ personal data has been compromised after a data breach revealed the names, seat numbers and frequent flyer numbers of eight passengers to another passenger looking at the Qantas check-in app on Thursday. The app, which was used to check in for a flight between Newman, Western Australia, and Perth, showed the length of the flight and that a snack or brunch would be available, but the Qantas passenger was shocked to be able to see details for other passengers…..

It is not the first time Qantas customer details have been shared with others. In January, an email sent to customers flying out of Melbourne warned of traffic delays on the Tullamarine Freeway included surnames and booking references of other passengers

The Age, 26 March 2017:

A hospital is being investigated for breaching the privacy of dozens of patients after medical records revealing a "swollen penis" and mental illnesses among other things, were found in a Coburg street.
The Australian Information and Privacy Commissioner Timothy Pilgrim is investigating how the records of 31 patients were removed from the John Fawkner Private Hospital in Melbourne's north last month.

Determination
1. I find that the respondent, Comcare, interfered with the complainant’s privacy in breach of Part III of the Privacy Act 1988 (Cth) (Privacy Act) by:
a. disclosing the complainant’s personal information, including sensitive health information on a publicly available website contrary to Information Privacy Principle (IPP) 11; and
b. failing to take such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse contrary to IPP 4.


Findings
1. Commonwealth Bank of Australia Limited (the CBA) interfered with the complainant’s privacy by:
* disclosing her personal information to the principal of a Commonwealth Bank Mortgage Innovation agency (MIA) for a purpose other than the primary purpose of collection, in breach of National Privacy Principle (NPP) 2.1 of the Privacy Act 1988 (Cth) (Privacy Act), and
* failing to take reasonable steps under NPP 4.1 to protect her personal information from misuse and loss and from unauthorised access, modification or disclosure.

No comments: