Plan for privacy and security absent from national cancer-screening database: ANAO

The ANAO concluded that no official documentation has been found that outlines how Telstra would manage the privacy and security of the national cancer screening register.
Written by Tas Bindi, Contributor

The Australian federal Health department has no plan for how privacy and security of the new national cancer screening register (NCSR) will be handled by Telstra, and "inadequate" planning has led to additional costs, the Australian National Audit Office (ANAO) has found.

A year on from the AU$220 million contract being awarded to Telstra to create a database of cancer records for those who have been screened for bowel and cervical cancer, the national auditor has concluded that the effectiveness of the procurement has been negatively impacted, with key objectives not being met in the agreed timeline due to limited consideration of privacy, security, and conflicts of interest.

The Health department does not have any official documents outlining how Telstra would manage privacy and security, and it rejected the telco's proposed data protection plan in December on the grounds that it did not comply with the requirements of the contract, the ANAO stated in its audit report.

Under the terms of the five-year contract, Telstra was required to submit a data protection plan within 40 days of signing the contract, as well as a privacy policy or security risk management plan following that.

The contract also requires Telstra and its subcontractors to sign a deed of confidentiality and privacy, and for staff members who have direct access to the register to have appropriate security clearance.

As of March, all of these requirements were marked as "incomplete" by the ANAO.

Telstra admitted in its response to ANAO's findings, dated June 1, that the documentation was "still being finalised". The telco added that the submission dates for the privacy and security documents had been updated since the original contract was signed and "do not accurately reflect" the deadlines that were subsequently agreed upon.

The telco also stated in its response that its mechanisms and processes are compliant with the Commonwealth Protective Security Policy Framework, the Commonwealth Information Security Manual, and other privacy and security obligations outlined in the contract.

"Telstra takes its obligations to securely manage data seriously and has progressed a range of actions necessary for the implementation of the Register and restricting access to sensitive information," Telstra stated in its response. "By way of example, Telstra had built a secure ISM certified environment to receive the required data by 1 December 2016."

The Australian Labor Party criticised the government last year for "outsourcing" healthcare-related initiatives after Prime Minister Malcolm Turnbull warned against outsourcing too many government services during his election campaign. Labor pointed out that the data contained in the register was too sensitive to be managed by a private sector vendor.

"Labor will fight the government's plan to hand private and intimate health data that is usually only disclosed between a person and their GP to a for-profit telecommunications corporation," Shadow Minister for Health and Medicare Catherine King said at the time.

"In just another example of Malcolm Turnbull's determination to privatise our health system, the government has put Australians' Medicare numbers and Medicare claims information in the hands of a multinational telecommunications corporation.

"At least 27 times during the election campaign, Malcolm Turnbull said that he would never outsource Medicare -- but that's exactly what he is doing here."

Following the release of the ANAO's report, King called the federal government's handling of the NCSR "disastrous".

"The stuff up is made all the more serious by the fact that some of Australia's most sensitive and deeply personal health data, such as pap smear results and bowel cancer screening, will be housed on this Register," King said in a statement on Thursday.

In February, Health attributed the missed May 1 deadline to the "complexity of assimilating and migrating data from eight state and territory cancer registers into one register", adding that the NCSR would likely become operational in December.

The ANAO said that the missed deadline has resulted in additional costs being incurred and "value for money outcomes [being] compromised". The Health department has had to pay an extra AU$16.5 million to pathology providers to continue providing pap smear tests until the new five-yearly human papillomavirus (HPV) test for cervical screening can begin through the new register, the ANAO report states.

The savings that were projected to come from NCSR operations will, as a result, be "delayed", the ANAO said.

"It is absolutely appalling that the Turnbull government has botched up something so important, and in the process delayed a cervical screening test which literally saves the lives of women around the country," King said in a statement.

The ANAO stated that ongoing monitoring of progress and "proactive management" of the contract will be required moving forward if "value for money is to be achieved" by establishing the NCSR.

The NCSR was intended to deliver a single database with one record per patient, allowing healthcare practitioners and consumers to access records from federal, state, and territory government agencies, My Health Record, and Medicare, as well as private health service providers, pathologists, and general practices at one online location.

The plan is also to provide mail-based reminders for patients whose cancer screening is due, and a contact centre for those needing assistance.