In September 2016, the Office of the Australian Information Commissioner (“OAIC”) was notified of vulnerabilities in the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme datasets published online. The datasets were based on personal information held by the Department of Health (“Department”). Following the notification, the OAIC opened an investigation to assess whether personal information had been compromised and the adequacy of the Department’s processes.
Timothy Pilgrim, the Australian Information Commissioner and Privacy Commissioner (“Commissioner”), concluded his investigation on 23 March 2018. He concluded that the Department’s processes for assessing risks were inadequate with the Department offering to enter into an enforceable undertaking to review and enhance its data governance with oversight from the OAIC.
The Commissioner also noted that this situation is an important reminder for all Australian Government agencies to strengthen their approach to publishing data derived from personal information.