Government will refer potential privacy breach to independent watchdog

The ACT Government will refer a potential privacy breach in which the details of almost 30,000 workers compensation claims were posted online to the independent watchdog to determine whether or not it constituted a breach.

But the government is also asking all members of the Assembly to reveal whether or not they or their offices accessed the data or passed it on to any third parties.

It was revealed last week that a spreadsheet containing details of claimants such as birth year, gender, occupation, types and dates of injuries, and the directorate where a person worked, was uploaded to the ACT’s tender website in 2018.

Last week, the government committed to an internal review of the matter, although Special Minister of State Chris Steel has now said the government will cooperate fully with the Office of the Australian Information Commissioner (OIAC) and will take any further actions or recommendations suggested by the review.

Opposition Leader Elizabeth Lee had called for the ACT Government to establish an independent review into the matter, saying “alarm bells should be ringing in the highest levels of government”.

“This incident has led to an enormous breach of trust and faith,” she told the Assembly on Tuesday (30 November).

But the government amended Ms Lee’s initial motion to also call on all members of the ACT Legislative Assembly to reveal whether or not they, or their offices, had accessed the data or provided copies or links to it to third parties.

Members were also called on to delete any copies they held.

“For future reference, in the event that members in this place become aware of publicly available information which they believe is not consistent with privacy legislation principles, the appropriate course of action will be to immediately draw this to the attention of the government and privacy regulators,” Mr Steel said.

“Further disseminating this information in question will not be consistent with the objective of protecting privacy.”

Mr Steel said the “redacted, identified” spreadsheet had not, in fact, been available since it was uploaded in 2018.

According to a timeline provided by the government, the spreadsheet was removed from the TendersACT website in May 2018 but became available again in February 2020 when a systems upgrade took place.

The government attributed this to a “communications breakdown” between procurement officials.

Eight unique users downloaded the spreadsheet 16 times between 6 September and 24 November 2021 before the story broke in the media.

Mr Steel said the information available had been deidentified and redacted.

Minister for Health Rachel Stephen-Smith said she’d been advised the data would not be considered “health records”.

Ms Stephen-Smith also noted that “the way it had been talked about in the media and reported on in some sections of the media” had only served to induce stress and anxiety for those who believed they were affected.

An update will be provided to the Assembly within three months of Mr Steel receiving advice from the OAIC, he said.

The government has yet to describe the incident as a data breach, although Ms Lee said if this was the case, the spreadsheet never should have been deleted.

“You can’t have it both ways. You can’t, on the one hand, say, ‘there’s no privacy breach here’, and on the other hand, demand that everyone delete it.

“Why? If it’s not private, if it’s not confidential, if it’s not a breach, what’s he asking for? Ms Lee questioned.