On 24 August, TaMS originally released its report into the GDE Bridge collapse.
You can review the finalised and fully redacted version of the report here.
Normally, there is a process with releasing government documentation, by which the information which isn’t necessary (mostly personal information like names, phone numbers, etc) or the sensitive parts (like the names of everybody who was onsite and involved with the concrete pour, the order of contacts in an emergency, or the name, qualification, and association of the engineer who signed off on the formwork) is removed before the public ever get to see it.
When the process works correctly, nobody really cares.
However, leaking personal and sensitive information is kind of a big deal, and in this case, one that was overlooked by everyone involved at TaMS.
Weekly NewsletterEvery Thursday afternoon, we package up the most-read and trending RiotACT stories of the past seven days and deliver straight to your inbox..
In this case the redaction method used on the original version of the GDE Report was a spectacular failure, in that TaMS unknowingly released a document which effectively named names, gave away phone numbers, included statements revealing who signed off on the bridge.
When this uncomfortable fact was brought to their attention a day later, TaMS re-released a sanitised version.
I have no idea how many of your read the original during the original 24 hours that it was available, downloaded copies, or distributed links to it to other interested parties.
However, the only way the people responsible learn their lessons is when things get unexpected public attention.
The actual hosting of it is administered by Mediafire under a temporary use account, when people stop downloading the files within that, the temporary mediafire account will expire.
Download and distribute how you see fit.
But just as eggs can’t be reassembled, the damage to privacy is done.
I did a relatively honest thing, and told those in authority about the breach of confidentiality when I found out about it.
This unintended (but consequential) release of Government information was brought to the attention of the Chief Minister more than 24 hours after it originally occurred, and in the same email as requesting a response as an enrolled voter, was mentioned as a potential story item for publication by RiotACT.
It received the below reply.
Interestingly, it involves time travel.
Thank you for your letter of 2:56PM yesterday afternoon regarding the method used to blank out personal details included in the SMEC report on the collapse of bridge formwork.
The Government takes its responsibilities to protect the privacy of individuals very seriously and this is why it was careful to ensure details were not published online as a part of the report.
It is unfortunate that the manner adopted to do this was not more robust.
The matter was addressed immediately after it was brought to the attention of Government with more secure documents posted to the server at 2:50 which became live shortly after.
INTACT, the Government’s IT unit, has subsequently been asked to provide advice to agencies on the procedure for undertaking such deletions in more robust manner.
Office of Jon Stanhope MLA
Caroline Le Couteur, Greens Spokesperson for TaMS (and also IT) response is below:
Thank you for your email. By now you have received an email from Mr Stanhope’s senior advisor Mr Shane Breynard about how the government has fixed the issue. I think they acted appropriately once you alerted them to the problem. However I am also the Greens’ IT spokesperson so this is of double interest to me. I will see assurances that it will not happen again.
Caroline Le Couteur MLA
ACT Greens Member for Molonglo
ACT Greens Spokesperson for Planning, Territory and Municipal Services, Business and Economic
Development, Indigenous Affairs, Arts and Heritage
Alistair Coe, Shadow Minister for Transport and Urban Services, was also informed, and responded within half an hour of the email to ask how it was done.
It really was astoundingly simple, whichever work experience candidate was at TaMS that day performed the original ‘redaction’ by putting white boxes over the parts they didn’t want you to see, and the current version of Adobe Acrobat 9 reveals these layers as big red rectangles.
This is the equivalent of putting a yellow post-it note on a sheet of paper, with “Please, don’t look under this” written on it.
With a bit of effort, you can either delete the big rectangles, or if that is too hard, just copy a page and paste it into any document editing software (such as Microsoft Word).
Others have been caught out by such computer voodoo before.
Law.com special article, “Sloppy Redaction: To Err Is Automated”
“…Associated Press was able to uncover some of the confidential details of the settlement between Facebook and ConnectU…”
PDF Redacting Failure by the US Government
Both of the emails quoted above came with the footer “This email, and any attachments, may be confidential and also privileged. If you are not the intended recipient, please notify the sender and delete all copies of this transmission along with any attachments immediately. You should not copy or use it for any purpose, nor disclose its contents to any other person”, but I suggest the same legal footing for that statement relies on similar legal grounds as the various statement’s relating to TaMS’ Privacy Policies.
Quoted from various places on the TaMS website:
Use of personal information collected
“Any personal information you choose to provide will only be used for the purpose for which it was provided and will not be disclosed to other persons or organisations without your prior consent or if required by law.”
Source: TaMS Privacy Statement
“The ACT Government recognises the importance of personal privacy and has implemented measures to ensure personal details are not disclosed to other parties. Please familiarise yourself with our privacy statement if you have any concerns.”
Also, the ACT Government’s Full Privacy Statement is over here.
And according to the Federal Privacy Commission, the ACT Government is bound by the Federal Privacy Act.
If you are in fact, one of the persons named within the documentation, I would suggest that:
1) You find out more about your rights, and what the ACT Government has done.
2) Contact the Privacy Commissioner and file a complaint if you feel you have been wronged.
(For reference, Adobe actually put together a How-to Guide for situations like this, which goes through how to do it correctly step-by-step.)