Legislative Assembly for the ACT: 2021 Week 12 Hansard (Thursday, 25 November 2021) . . Page.. 3700 ..
at whether this has met all ACT government policy requirements and obligations under the privacy acts, both in the ACT and federally. We look forward to that review being undertaken and any recommendations that may come out of that review about whether there has in fact been a breach of privacy in this particular case and whether there are any further measures we can put in place to protect the privacy of individuals in procurements going forward.
MR HANSON: Minister, will you be notifying as many of the 30,000 people as possible about how you will compensate them for this breach of privacy?
MR STEEL: The actions that will be undertaken will be performed by the review that will be undertaken by CMTEDD into this matter. As I have stated before, there was a range of de-identified data that provided, where information that would have provided the claimant’s name, date and month of birth, address and contact details was not part of the spreadsheet as part of that procurement. The fields that were listed in the spreadsheet included information like Comcare ID, gender, the directorate each individual was employed by, the duration of the claim, the dollar value associated with it, and the mechanism and location of the injury.
Once we have undertaken that review, there will be, no doubt, recommendations and findings about whether there has been a breach and any actions that may be required in order to address that. That may include potentially reaching out to anyone who may have been involved.
MR HANSON: My question is to the Special Minister of State. When releasing report No 3 in 2020 on data security the Auditor-General said:
ACT Government agencies have not clearly understood the risks and requirements of securing sensitive data, and are not well placed to respond to a data breach.
Knowing that the Auditor-General raised these significant concerns over cyber security in 2020, today’s story in the Canberra Times, where it was revealed the government has deliberately released the personal information of 30,000 ACT public servants online, makes it clear that this government has totally failed to mitigate the data breach risks. As the minister responsible for cyber security, how have you allowed this data breach to persist for three years, including for over a year on your watch?
MR STEEL: I thank the member for his question. We have only just become aware in relation to this particular procurement. While typically the information on tender documents for procurements goes up on Tenders ACT and is removed after a period of time, it just so happens that a system change in 2020 resulted in these documents becoming visible again without the knowledge of Procurement ACT. That will no doubt be part of the review.