Victorian government agencies were breached 83 times last year

Data breach reports up 28 percent as state privacy watchdog hammers home security messages with executives

Victorian government agencies reported 83 data breaches to the state’s peak privacy overseer last year as privacy complaints surged 59 percent amidst data breaches at the state’s hospitals and a massive release of public-transport data that required regulatory intervention.

The volume of data breaches – nearly seven per month – represented a 28 percent increase on the previous year and was more than double the 35 breaches reported in 2016-17, according to the recently released 2018-19 annual report of the Office of the Victorian Information Commissioner (OVIC).

Voluntary reporting helps the agency understand the magnitude of the growing level of cybercrime within the state’s public service, and also assists its responses to complaints and enquiries from the community, the report said.

That level of engagement “demonstrates public sector commitment to transparent and accountable privacy practices,” it continued, noting that OVIC’s involvement “can provide affected individuals with a degree of independent assurance that the breach is being handled appropriately.”

The figures are a wake-up call for the nascent organisation, which was founded in 2017 with a remit to help Victoria’s public service improve information-security practices in the wake of years of problematic non-compliance.

Improving the situation had required wholesale awareness of both the prevalence and importance of personal information, information commissioner Sven Bluemmel wrote in introducing the report.

“In almost every interaction, information is created or collected,” he said. “Government agencies must think of themselves not as owners, but as custodians of information.”

“As custodians, we have a responsibility to ensure that the right information is available to the right people, at the right time and through the right channels. Upholding these responsibilities is essential to a fair, inclusive and democratic society.”

Awareness of best practice had grown thanks to the Victorian Protective Data Security Framework (VPDSF), which was published by Victoria’s Information Security Unit (ISU) and required of the state’s approximately 2500 public-sector organisations.

Fully 96 percent had submitted their Protective Data Security Plans – and formal attestations signifying executive understanding of security’s importance – on time.

Yet this wasn’t enough to prevent the massive release of a data set containing 1.8 billion historical records about the use of Myki travel cards on the state’s public-transport network.

That data set, which was de-identified and provided by Public Transport Victoria (PTV) for use in the Melbourne Datathon, became a prima facie example of privacy’s complexity as observers demonstrated that even the anonymised data could be correlated with other information to derive individual users’ identities and travel patterns.

Despite its good intentions, OVIC concluded in its recent review of the incident, PTV breached the state’s Information Privacy Principles “by disclosing personal information for a purpose other than that for which it was collected”. PTV had also failed to “take reasonable steps to protect the personal information contained in the dataset from disclosure,” OVIC ruled.
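One "reasonable step" of the kind OVIC's finding implies is to test, before release, whether a single trip known from outside the dataset pins a card down to one token. The script below is an added illustration, not code from OVIC, PTV or the Datathon; the tap records are constructed and the k threshold of 2 is an assumption:

```python
from collections import defaultdict

# Constructed tap-on records (card_token, date, hour, stop); the tokens
# stand in for the hashed card ids of a de-identified release.
TAPS = [
    ("c1", "2018-03-05", 7, "Flinders St"),
    ("c1", "2018-03-06", 7, "Flinders St"),
    ("c1", "2018-03-08", 19, "Richmond"),
    ("c2", "2018-03-05", 7, "Flinders St"),
    ("c2", "2018-03-06", 7, "Flinders St"),
    ("c3", "2018-03-05", 22, "Sunbury"),
    ("c3", "2018-03-06", 22, "Sunbury"),
    ("c4", "2018-03-05", 7, "Flinders St"),
    ("c4", "2018-03-06", 7, "Flinders St"),
]

def cards_per_cell(taps):
    """Map each (date, hour, stop) cell to the set of card tokens seen there."""
    cells = defaultdict(set)
    for card, date, hour, stop in taps:
        cells[(date, hour, stop)].add(card)
    return cells

def cards_exposed_by_one_trip(taps, k=2):
    """Tokens that one known trip narrows to fewer than k candidates.

    This is the weakest linkage model (one outside fact per person); it is a
    floor for the check, not a guarantee, so k should be set conservatively.
    """
    exposed = set()
    for cards in cards_per_cell(taps).values():
        if len(cards) < k:
            exposed |= cards
    return exposed

def exposure_rate(taps, k=2):
    """Fraction of tokens in the extract that fail the k-candidates test."""
    all_cards = {row[0] for row in taps}
    if not all_cards:
        return 0.0
    return len(cards_exposed_by_one_trip(taps, k)) / len(all_cards)

def suppress_sparse_cells(taps, k=2):
    """Drop rows whose cell holds fewer than k tokens: the remedy when
    coarsening time or place alone cannot reach k."""
    cells = cards_per_cell(taps)
    return [row for row in taps if len(cells[(row[1], row[2], row[3])]) >= k]

if __name__ == "__main__":
    print(sorted(cards_exposed_by_one_trip(TAPS)), exposure_rate(TAPS))
    print(exposure_rate(suppress_sparse_cells(TAPS)))
```

On the constructed data two of the four tokens are exposed by one trip each; after suppression the extract passes the test, at the cost of losing those rows.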

The need for privacy consistency

Such incidents highlight the ongoing risk to personal data and the importance of a continuing, coherent information-management policy for state agencies.

“Principally, this matter demonstrates the challenges in identifying privacy risks in large, complex datasets and the need for the Victorian public sector, which possesses many large and sensitive data holdings, to have a high level of data literacy.”

OVIC has positioned the VPDSF as the key driver for this improved literacy. The agency has been reviewing the VPDSF and will update the framework before year’s end, but strong overall feedback about the framework has supported the agency’s regulatory approach, the value of components such as the Information Asset Register, and the effectiveness of mandatory attestations in garnering ongoing executive support.

“Without the process, many VPS organisations would either have not undertaken the required activities or not to the same level of rigor,” the report notes. “It also improved stakeholder visibility within the VPS organisation.”

OVIC had also undertaken extensive educational outreach during the year, publishing a formal guide for handling privacy issues during a data-breach response, as well as updating its Privacy Impact Assessment (PIA) framework and authoring a guide exploring the technical, social, and legal aspects of artificial intelligence.

Greater citizen awareness of privacy and information rights also saw a surge in Freedom of Information (FOI) requests over the course of the year.

OVIC completed 1282 FOI reviews and complaints during the fiscal year, up 51 percent on the previous year – driving increasing demand for FOI training and the delivery of 109 education and training sessions to more than 700 Victorian government staff.

A concerted focus on finalising complaints – rather than passing unresolvable cases to the Victorian Civil and Administrative Tribunal (VCAT) for resolution – saw just 25 percent of complaints end up going to VCAT, down substantially from 53 percent the previous year.

OVIC provides free FOI and privacy training to Victorian Government staff, and has been working on stakeholder engagement to “embed a culture of fair public access to information” across the state’s public service.
