Brandis re-identification law proposal slammed

While Health Minister Sussan Ley has apologised for the breach in de-identified medical data, Australia's Attorney-General has come under fire for 'rushing' through legislation.
Written by Asha Barbaschow, Contributor

The Royal Australian College of General Practitioners (RACGP) has said retrospective legislative changes to the Privacy Act, announced by Australian Attorney-General George Brandis on Wednesday, will do nothing to retrieve sensitive information already made public.

Speaking at the RACGP annual conference in Perth, Dr Nathan Pinskier, chair of the RACGP's expert committee of e-health, expressed his concern about the potential for medical data to be decoded and exposed.

Pinskier's comments come after the Department of Health said it had pulled a public dataset from data.gov.au after it was revealed that certain information regarding the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme was not encrypted properly.

Health said in a statement that the decision to remove the dataset containing de-identified medical data it released in August came after the department was alerted by a team of researchers at Melbourne University that it was possible to decrypt some service provider identification numbers from the data openly available to them.

"If you can reaggregate it, even though it's illegal to do so, somebody probably will," Pinskier said. "There is a possibility individual consumers could be identified -- it could be potentially devastating."

According to the department, the dataset did not include names or addresses of service providers and no patient information was identified.

Pinskier said, however, that the data release by the department last month was a knee-jerk reaction to the government's funding cuts to primary care research.

"This was rushed, they didn't do a proper evaluation, and if they'd done their proper threat risk assessment they probably would have not released information in that form," he added.

Also speaking at the RACGP event on Thursday, Health Minister Sussan Ley apologised for the breach, reaffirming that no patient information had been compromised in the process.

Ley had insisted the government had worked swiftly to tighten privacy laws, with Brandis moving on Wednesday to amend legislation making it illegal to re-identify de-identified government data.

Claiming that the "privacy of citizens is of paramount importance" to the government, Brandis said the amendment, which will be introduced in the coming months during the spring sittings of Parliament, will criminalise the re-identification of de-identified data.

"However, with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future," he said in a statement.

"The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.

"The legislative change ... will provide that these offences will take effect from today's announcement."

The Media, Entertainment & Arts Alliance (MEAA) has also said it is concerned by the Privacy Act amendments, and that such a move would undermine legitimate research, scrutiny, and security testing of anonymised data.

Of particular concern to the journalist and artist union is the proposed change that would make it an offence to "counsel, procure, facilitate, or encourage" anyone to re-identify data as well as to publish or communicate a re-identified dataset. MEAA CEO Paul Murphy believes journalists should be able to scrutinise and report on flaws in government security measures.

"Legitimate public interest journalism and genuinely well-intentioned innocent activities could be caught up by these proposed changes," Murphy said.

"Journalists working with experts in data security would all be caught up by these changes simply for seeking to determine if there are flaws in the security of government datasets. Government should be subject to legitimate scrutiny and the Privacy Act should not be used to prevent legitimate investigations in the public interest."

The Attorney-General's Department confirmed there will be provision in the legislation for legitimate research to continue.

With AAP
