Services Australia's 988 privacy incidents mostly from 'human error'

Of the 988 'substantiated' privacy incidents experienced in 2017-18, Services Australia said there were some instances of documents containing personal information being released incorrectly.
Written by Asha Barbaschow, Contributor

Newly formed Services Australia has offered further information on the 988 privacy incidents that then-Department of Human Services (DHS) suffered in 2017-18.

Initially revealed in the department's 2018-19 Annual Report, further information was made available in response to questions on notice from Senate Estimates in October.

Of the 988 "substantiated" privacy incidents experienced in 2017-18, Services Australia said there were some instances of documents containing personal information being released incorrectly.

"Where possible, Services Australia undertook steps to recover such documents upon identification of the incident," it wrote.

See also: Services Australia claims 'mature' incident response process following outages

Services Australia said there were a number of causes of the 988 substantiated privacy incidents in 2017-18. It said the majority resulted from human error, such as incorrect updating of records and mail handling errors.

"The 988 substantiated privacy incidents in 2017-18 are incidents that occurred across the entire department," Services Australia said, noting it was not limited to the department's controversial debt collection activities.

"The department does not keep data specific to the number of substantiated privacy incidents arising as a consequence of duplicate Centrelink Reference Numbers."

Touching on the privacy implications for individuals affected, the department said the impact "varied" and was dependent upon the personal circumstances of the individuals affected; and the nature of the privacy incidents.

"The privacy implications for individuals affected ranged from (the majority of cases) where the privacy incident was promptly identified and remediated before there was any impact on the customer, to incidents where the department worked with the impacted customer to reduce the impact of the privacy incident," it said.

Also probed during Senate Estimates in October was the Digital Transformation Agency (DTA), which was asked if its responsible minister -- currently Stuart Robert, who in October last year was found to have spent 20 times more than other MPs on his home internet, clocking up more than AU$2,000 a month and blaming "connectivity issues" for the high costs -- had been briefed on cybersecurity vulnerabilities in the department networks since 1 July 2013.

The DTA, nearly two months later, responded with "yes".

The DTA was also asked how many times it has conducted a self-assessment of its compliance with the Protected Security Policy Framework Essential Eight mitigation strategies and cyber resilience since 1 July 2013.

"Since the establishment of the Digital Transformation Agency in 2017, eight self-assessments have been conducted," it said.

The DTA in early 2017 was charged with looking into the structure of existing Australian government technology projects over AU$10 million. The DTA "monitors, verifies, and engages" with the programs and labels them as at one of those three stages.

It used to provide status updates on the various projects, but that information is no longer released.

Instead, the DTA said its Digital Investment Division has met with all 21 departments or agencies that "currently have an in-flight project in the digital and ICT investment portfolio".

"As part of its oversight role, the Digital Investment Division initiates these meetings and the agenda will include discussion on strategies to support project delivery," the DTA added.

The Digital Investment Division this year met with the Australian Bureau of Statistics, Australian Criminal Intelligence Commission, Australian Federal Police, Australian Securities and Investments Commission, Australian Tax Office, Australian Transaction Reports Analysis Centre, Bureau of Meteorology, Department of Agriculture, Department of Defence, Department of Education, Department of Finance, Department of Health, Department of Home Affairs, Department of the Prime Minister and Cabinet, Department of Veterans' Affairs, Federal Court of Australia, IP Australia, National Health and Medical Research Council, Services Australia, and the Clean Energy Regulator, as well as itself.


Editorial standards