Professional Services Review Agency by Privacy Commissioner
December 18, 2011
The Privacy Commissioner commenced an own motion investigation into the Professional Services Review Agency over allegations that information from two separate and distinct bodies was stored on the same database. It found there was a breach of the Act. The report is found here.
FACTS
The Privacy Commissioner received a complaint that the Professional Services Review Agency (“PSR”) was holding Medicare benefits program (MBP) material and pharmaceutical benefits program (PBP) data on the same database. This would potentially be a breach of the guidelines issued under section 135AA of the National Health Act 1953. There was also the question of whether there was a breach of IPP 4.
DECISION
The Commissioner found there was no breach of IPP 4. The PSR satisfied the Commissioner that it had satisfactory measures in place to safeguard data. In particular, the PSR:
- retains records in accordance with the National Archives of Australia guidelines, Normal Administrative Practice and existing Records Authorities;
- destroys records in accordance with the timeframes set by the National Archives of Australia and mechanisms set by the PSM and ISM guidelines at the “X-IN-CONFIDENCE” level;
- commissioned a review of its information and communication technologies in 2009 to ensure it was achieving best practice standard and a Records Management Program was undertaken as a result of this review;
- undertook a Protective Security Assessment of its practices and undertakes an annual Strategic Risk Assessment as part of its wider audit and compliance regime.
The Commissioner found, however, that there was a breach of the guidelines, as the PSR maintained MBP and PBP data on the same database. This offended against the primary purpose of the guidelines, which was:
“…to ensure the separation of claims information collected under the MBP and the PBP, as well as establishing the circumstances under which this information may be linked and retained in linked form.”
The guidelines require de-identification, limited retention and the avoidance of linkage that may result in a de facto combination of databases.
The PSR stored its electronic MBP and PBP data on a server which uses a file management system, TRIM, which could allow both sets of data to be searched and accessed simultaneously through a single search process. As such, for the purpose of the guidelines, the data was stored in the same database. While the PSR complained that separating the data was onerous and complicated, the guidelines allowed no discretion.
The PSR proposed amending its operation to install the following features:
- PBP information can only be saved on the PBP server due to a fixed naming convention
- Only a limited number of PSR staff have the ‘Case Managers’ profile which gives access to MBP and PBP information
- While a PSR staff member with the appropriate level of access can see that both MBP and PBP information is held, the actual viewing of PBP information is restricted in TRIM. In particular, TRIM will not allow the user to open the documents containing MBP and then PBP in the same window
- Audit trails monitor and report all read/write access to TRIM and triggers exist to detect anomalies in user behaviour.
Requests for information now have to be made by separate requests, and the information is returned in separate documents and stored on separate virtual servers.
While the Commissioner found there was a breach of the Privacy Act, he was satisfied that the remedial steps were sufficient to adequately address the issues.
ISSUES
When looking at database breaches there are often key technical issues that need to be considered. In this matter the fact that the server enabled simultaneous searches of both sets of data meant there was a breach of the guidelines. The breadth of the regulations is also a critical consideration. Here the guidelines offered no discretion.