Page 205 - Week 01 - Thursday, 10 February 2022
On 24 December 2021, the OAIC responded to Procurement ACT’s request for advice. The OAIC has indicated that a referral from an ACT government agency is not sufficient for it to initiate an investigation, and that it is not inclined to do so unless it receives a complaint by an affected individual in relation to the incident. I propose to table a copy of that correspondence from the OAIC for the Assembly’s review.
The response from the OAIC provided advice regarding factors that should be taken into consideration when de-identifying information, along with a copy of processes outlined in the Notifiable Data Breach Scheme under part IIIC of the Privacy Act 1988. While the ACT government is not subject to that scheme, except in cases where tax file number information has been disclosed, we have closely considered the steps required under the scheme in relation to this matter.
Under the Notifiable Data Breach Scheme, there are a number of factors which must be taken into account when considering whether a breach has occurred. These are: there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds; this is likely to result in serious harm to one or more individuals; and the organisation or agency has not been able to prevent the likely risk of serious harm with remedial action.
Where the workers compensation claims data can be linked back to the individual claimant, it should be considered personal information. Although it is unlikely in the vast majority of cases, due to both the de-identification undertaken and the span of age of matters included within the spreadsheet, we cannot categorically conclude that an individual would not be identifiable within the spreadsheet. Therefore, the ACT government is treating this release as an unauthorised disclosure of personal information.
However, the unauthorised disclosure of this information on the Tenders ACT platform is not likely to result in serious harm to one or more individuals. This is because of the de-identification undertaken on the data and the government’s swift action to remediate its release by removing it from public access as soon as Procurement ACT was notified of its publication. This event, therefore, does not meet the further two criteria necessary to trigger the provisions of the data breach notification scheme set out in the commonwealth’s Privacy Act 1988, if it applied in this case.
I note that the information contained in the spreadsheet related to tens of thousands of matters spanning some 30 years, back to the commencement of self-government in the ACT. The government has considered whether it would be possible to locate and contact all individuals whose matters were included in this spreadsheet and concluded that it would not be possible to do so with rigour or consistency.
Because it is not feasible to contact individuals, clear information has now been posted to the ACT government’s employment portal about this issue. This statement includes the details of the OAIC and how to make a complaint if individuals have concerns. This site is externally facing and will allow previous ACT government employees whose information may be contained in the spreadsheet to access relevant advice and information.