Showing posts with label data retention. Show all posts

Tuesday 19 December 2017

Turnbull Government's data retention privacy blunder just rolls on and on...


“If data can be re-identified with no more than SQL, there's no "if" about a leak, and the "when" is history.” [Journalist Richard Chirgwin, Twitter 18 December 2017]

“But why are medical records so attractive? Well, it turns out that there’s a metaphorical holiday feast of enticing data served up in your average health record. Family history, demographic data, insurance information, medications, etc. means there’s enough information to completely steal an individual’s identity and commit medication fraud, financial fraud, insurance fraud and a wide array of other crimes. When this very private, unchangeable information gets into the wrong hands, devastation can ensue.” [Robert Lord writing in Forbes, 15 December 2017]

First the Australian general public were told that patient data was well protected and data breaches wouldn't happen as a result of government's drive to collect, cross-match and retain as much information about each and every Australian citizen/permanent resident as possible.

Then when the inevitable day came where poor data security was laid bare - as the personal histories of 550,000 blood donors were placed on an insecure computer and accessed, as Medicare details began to be offered for sale on the Internet's dark web and Medicare itself became careless with its encryption - the public was told in the first instance that misuse was unlikely, in the second instance that personal medical information couldn't be accessed, and in the third instance, where a billion line encrypted data set was publicly released, that patients couldn't really be individually identified.

After that the Turnbull Government assured the population that it would create legislation which would make it illegal for anyone to de-encrypt anonymised data and create a Notifiable Data Breaches scheme.

We were all going to be safe once more in the arms of the Turnbull Government.

Now the cat is out of the bag, because that billion-line, 30 years' worth of personal health information about an est. 3 million people just won't stay in the back of the ministerial cupboard where Greg Hunt shoved it.

[Fairfax journalist Ben Grubb, Twitter 18 December 2017]

The Sydney Morning Herald, 18 December 2017:

One in ten Australians' private health records have been unwittingly exposed by the Department of Health in an embarrassing blunder that includes potentially exposing if someone is on HIV medication, whether mothers have had terminations, or if mentally unwell people are seeing psychologists.

A report, published on Monday by Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague from the University of Melbourne's School of Computing and Information Systems, outlines how de-identified historical health data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS) released to the public in August 2016 can be re-identified using known information about the person to find their record.

The study reveals unique patient records matching the online public information of seven prominent Australians, including three (former or current) MPs and an AFL footballer. While a unique match may not always be accurate, Dr Rubinstein said there was the possibility to improve confidence by cross-referencing other data.

"Because only 10 per cent of Australians are included in the sample data, there can be a coincidental resemblance to someone who isn't included," he said.

"We can improve confidence by cross-referencing with a second dataset of population-wide billing frequencies. We can also examine uniqueness according to the characteristics of commercial datasets we know of, such as bank billing data."…….

Privacy analyst and Lockstep consultant Stephen Wilson said the breach damaged public confidence in health policy makers and data custodians.

"It's a huge breach of trust," he said.

"Promises of 'de-identification' and 'anonymisation' made by health officials, and ABS too in connection with census data releases, have been shown to be erroneous.

"The ability to re-identify patients from this sort of public release is frankly, in my view, catastrophic. Real dangers are posed to patients with socially difficult conditions.

"It beggars belief that any official would promise 'anonymity' any more. These promises cannot be kept."

Computer security researcher Troy Hunt said re-identification of anonymised records was attractive to researchers and nefarious parties alike.

"In this case, clearly more work needs to be done to protect individuals' identities," he said. "My hope is that the government embraces responsible research like this and strives to improve confidentiality rather than penalise those seeking to report deficiencies such as this."

The federal Department of Health was notified about the issue December last year.

"The Department of Health takes this matter very seriously and had already referred this to the Privacy Commissioner," a Department of Health spokesperson told Fairfax Media......

Meanwhile, the Office of the Australian Information Commissioner, which houses Australia's privacy commissioner, said it was investigating the publication of the datasets.

"The investigation was opened under section 40(2) of the Australian Privacy Act 1988 (Privacy Act) in late September 2016 when the Department of Health notified the OAIC that the datasets were potentially vulnerable to re-identification," a spokesperson said.

"Given the investigation into the Medicare Benefits Scheme (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets is ongoing, we are unable to comment on it further at this time.

However, the commissioner will make a public statement at the conclusion of the investigation."

The OAIC said it continued to work with Australian government agencies to enhance privacy protection in published datasets.....

Tuesday 28 November 2017

Australians to own their own banking, energy, phone and internet data? How wonderful! Except.....


Read the news coming out of Canberra…..

Assistant Minister for Cities and Digital Transformation and Liberal MP for Hume Angus Taylor, media release, 26 November 2017:

Australians to own their own banking, energy, phone and internet data

The Turnbull Government will legislate a national Consumer Data Right, allowing customers open access to their banking, energy, phone and internet transactions.

Australians will be able to compare offers, get access to cheaper products and plans to help them ‘make the switch’ and get greater value for money.

Assistant Minister for Cities and Digital Transformation Angus Taylor said it was the biggest reform to consumer law in a generation.

“Government is pursuing the very simple idea that the customer should own their own data. It is a powerful idea and a very important one,” Assistant Minister Taylor said.

“Australians have been missing out because it’s too hard to switch to something better. You may be able to access your recent banking transactions, or compare this quarter’s energy bill to the last, but it sure isn’t quick or easy to work out if you can get a better deal elsewhere.”

The Consumer Data Right was one of 41 recommendations from the Productivity Commission’s Data Availability and Use Inquiry, tabled in parliament in May this year.

The Government’s formal response to the inquiry will be published in coming weeks.

“It won’t be far down the track when you can simply tap your smartphone to switch from one bank to another, to a cheaper internet plan, or between energy companies.

Government is lifting the lid on competition in consumer services and technology is the enabler,” Assistant Minister Taylor said.

Following on from the Prime Minister’s recent agreement with electricity retailers, and the Treasurer’s open banking initiative, the Consumer Data Right will be established sector-by-sector, beginning in the banking, energy and telecommunications sectors.

Utilities will be required to provide standard, comparable, easy-to-read digital information, that third parties can readily access. New Commonwealth legislation to give effect to these reforms will be brought forward in 2018. [my yellow highlighting]

Take a minute to feel good about this.

Then realise that not all the publicly or privately held digital data retained about you will actually be ‘owned’ by you.

If anything it appears that individuals will have a limited joint right to certain data and what access to data they have will probably attract a fee to view and/or download.

It is also likely that data held about you by the banking, energy, phone and internet sectors will be transferred to third parties even when you prefer this didn't happen. It may become a condition of changing service providers as it will likely give the new provider a wealth of information about you and your credit rating.

It is also highly likely that the new legislation will allow third parties to access, disclose and trade in data sets and/or consumer data - without consumers necessarily being made aware this is occurring.

Eventually the Turnbull Government's consumer data rights along with those third party rights will apply to all sectors, including the insurance industry.

If you are interested in some background reading start with the Australian Productivity Commission’s March 2017 report here.

Thursday 14 September 2017

Are banks and insurance companies misusing personal health information and medical files?


“After an insured has made a claim against their policy, the insurer obtains access to and reviews the insured’s medical records. PIAC has seen instances of insurers obtaining an insured’s complete medical history, including from doctors that treated the insured during childhood, before deciding a claim.

PIAC has found that insurers often rely on matters ‘discovered’ during the review of the insured’s medical records to allege that the insured has breached their duty of disclosure.

Often the conclusions drawn by the insurer from the insured’s medical record about their experiences of mental health are inconsistent with the insured’s medical record and the opinions of their treating medical practitioners.

PIAC has represented individuals who have had a policy avoided because the insurer has relied on medical records to impute a medical condition that either did not exist or that the insured did not know existed at the time of applying for insurance.

In PIAC’s experience, it appears that consumers are being disadvantaged by the reforms to the remedies available to insurers (as set out above), or at the very least, are not seeing any benefits flowing from the increased flexibility.” [Public Interest Advocacy Centre, 18 November 2016]

Parliament of Australia, Inquiry into the life insurance industry:

On 14 September 2016, the Senate referred an inquiry into the life insurance industry to the Joint Parliamentary Committee on Corporations and Financial Services for report by 30 June 2017.
The committee welcomes individual stories that may identify widespread issues and recommendations for reform. The committee is not able to investigate or resolve individual disputes.
If you make adverse comment about people in your submission, the committee may reject such evidence or offer a right of reply.
Submissions close on 18 November 2016.
On 29 March 2017, the Senate extended the reporting date from 30 June 2017 to 31 October 2017.

Submissions received by the Committee can be found here.

ABC News, 8 September 2017:

Doctors are pushing back against insurance companies asking them to send them their patients' entire health records as they make decisions about life insurance.

"I am very alarmed that there might be tens of thousands of people's entire health record across the country now stored with insurance companies," Labor Senator Deborah O'Neil told Parliament's joint committee on corporations and financial services.

Edwin Kruys from the Royal Australian College of General Practitioners told the committee doctors do not believe it is appropriate to send entire files to insurance companies.

"It contains information that is often not relevant to the claim, it is all sorts of information that patients have shared with their doctor over the years and they may not even remember what they have shared," Dr Kruys said.

Anne Trimmer from the Australian Medical Association (AMA) told the committee it is challenging for a doctor to determine which parts of a file are relevant.

"And you overlay that with doctors who are time poor with busy practices, it is really hard to make the determination of what is really relevant," she said.

Helen Troup, who is managing director of the Commonwealth Bank's Life Insurance arm, CommInsure, told the committee their insurance customers agreed to let doctors provide the files.

"We do get a full authority," Ms Troup said.

She said the company keeps the files but could not say how many it had.

"Our claims principle is to ask for information that is relevant to the claim assessment," she said.

But she said it sometimes meant the company received the full file.

"We of course take due care with that information," Ms Troup said.

But Dr Kruys said he did not take a tick in a box on a form as true consent from his patients to hand over their records, so he contacted them and checked.

He told the committee that they often then withdrew that consent and he would instead send a much more specific report.

Associate Professor Stephen Bradshaw of the Medical Board of Australia told the committee that the request for medical records could come months or years after the doctor had seen the patient.

Monday 10 July 2017

Would you trust these men with your personal health information? Part Two


Left to Right: Minister for Human Services and Liberal MP for Aston, Alan Tudge
Minister for Health and Liberal MP for Flinders, Greg Hunt

The Guardian, 8 July 2017:
The government found itself facing heavy criticism this week over how it handles Australians’ personal information, after a Guardian investigation revealed a darknet trader was illegally selling the details of any Medicare card holder on request by “exploiting a vulnerability” in a government system.
The data had been for sale since at least October 2016, and the seller appears to have sold the Medicare details of at least 75 Australians…..
“What’s happening is the community is wrapping these attacks together and seeing them as a threat, and it adds to a perception that their data is not safe,” said Australia’s privacy commissioner, Timothy Pilgrim. “All the players need to work out a way to build up that trust.”
But why do these breaches keep happening? And is the government doing everything it can to stop them, and reassure the public when they do happen?
After being alerted by the Guardian to the Medicare breach, the minister took swift action, referring it to the Australian federal police for investigation. Pilgrim welcomed this as an appropriate response…..
The most critical risk to Australians from the misuse of Medicare card data is one of identity fraud. A fake Medicare card with legitimate details can get a criminal a quarter of the way to an entire fake ID. This could then be used by organised crime groups in any number of ways, for example by leasing property or equipment. It could also be used to fraudulently obtain services from Medicare itself.
In this case, the darknet was the vehicle for this particular identity fraud scam. But it didn’t need to be, and it is likely similar, less-sophisticated scams are taking place right now.
Tudge has used an unusual line to explain the breach. He has said it was not a hack or cyber attack, but “traditional criminal activity”. What he’s edging around is that his department believe this was a case of an individual using a legitimate method to access Medicare data – but for an unauthorised and illegal purpose.
But contrary to Tudge’s assertion, access control is very much a matter of cybersecurity. And there are a lot of problems with the way Medicare card details can be obtained.
For instance more than 200,000 individual users can potentially look up Medicare card details through the department’s system. The department has declined to answer whether each access is logged, which could allow it to trace when a particular card was looked up. If those controls aren’t there, it’s unlikely the darkweb vendor selling this data will be found.
It doesn’t mean someone sitting in a doctor’s clinic has been supplying the data. A prospective patient could show up at a GP’s reception, pretending to be someone else, and just ask for that person’s Medicare card details. Guardian Australia has spoken with one employee at a medical practice who said people regularly asked for their card details to be supplied.
Identity fraud using Medicare cards is coming to be seen as a big problem in the government. The human services department acknowledged in February 2016 that there had been 1,500 “probable” cases of Medicare fraud, a jump from 269. The Australian reported that in 2014 the justice minister, Michael Keenan, set out to quantify the scale of Medicare card fraud taking place. A study found Medicare cards and driving licences were the most commonly used forms of ID for fraudsters.
The problem appears to be growing worse as those given credentials to access Medicare card details legitimately has increased – jumping 25% in the last financial year – and as organised crime groups grow more sophisticated in their methods.
All of this contributes to the loss of trust….


Friday 12 May 2017

You're not on Facebook? Why not?!


One of the many reasons some people are closing their Facebook accounts and walking away – excessive, obsessive data collection and the uses to which it is put.

News.com.au, 1 May 2017:

FACEBOOK has come under fire over revelations it is targeting potentially vulnerable youths who “need a confidence boost” to facilitate predatory advertising practices.

The allegation was revealed this morning by The Australian which obtained internal documents from the social media giant which reportedly show how Facebook can exploit the moods and insecurities of teenagers using the platform for the potential benefit of advertisers.

The confidential document dated this year detailed how by monitoring posts, comments and interactions on the site, Facebook can figure out when people as young as 14 feel “defeated”, “overwhelmed”, “stressed”, “anxious”, “nervous”, “stupid”, “silly”, “useless”, and a “failure”.

Such information gathered through a system dubbed sentiment analysis could be used by advertisers to target young Facebook users when they are potentially more vulnerable.

While Google is the king of the online advertising world, Facebook is the other major player which dominates the industry worth about $80 billion last year.

But Facebook is not one to rest on its laurels. The leaked document shows it has been honing the covert tools it uses to gain useful psychological insights on young Australian and New Zealanders in high school and tertiary education.

The social media services we use can derive immense insight and personal information about us and our moods from the way we use them, and arguably none is more fastidious in that regard than Facebook which harvests immense data on its users.

The secret document was put together by two Australian Facebook execs and includes information about when young people are likely to feel excited, reflective, as well as other emotions related to overcoming fears.

The Guardian, 3 May 2017:

For two years I was charged with turning Facebook data into money, by any legal means. If you browse the internet or buy items in physical stores, and then see ads related to those purchases on Facebook, blame me. I helped create the first versions of that, way back in 2012.

The ethics of Facebook’s micro-targeted advertising was thrust into the spotlight this week by a report out of Australia. The article, based on a leaked presentation, said that Facebook was able to identify teenagers at their most vulnerable, including when they feel “insecure”, “worthless”, “defeated” and “stressed”.

Facebook claimed the report was misleading, assuring the public that the company does not “offer tools to target people based on their emotional state”. If the intention of Facebook’s public relations spin is to give the impression that such targeting is not even possible on their platform, I’m here to tell you I believe they’re lying through their teeth.

Just as Mark Zuckerberg was being disingenuous (to put it mildly) when, in the wake of Donald Trump’s unexpected victory, he expressed doubt that Facebook could have flipped the presidential election.

Facebook deploys a political advertising sales team, specialized by political party, and charged with convincing deep-pocketed politicians that they do have the kind of influence needed to alter the outcome of elections. 

I was at Facebook in 2012, during the previous presidential race. The fact that Facebook could easily throw the election by selectively showing a Get Out the Vote reminder in certain counties of a swing state, for example, was a running joke.

Express online, 6 January 2017:

FACEBOOK siphons an enormous amount of data from its users – whether it's monitoring your mouse movements, tracking the amount of time you spend on any given post, or the subject of your photographs……

The US social network is constantly tracking information about its users – however, most users will not be aware of just how much data it can siphon from a single photograph.

Facebook hints at how much data it is able to detect when it suggests people who might be in the photograph, prompting you to tag their faces.

But in reality, the California-based social network is tracking much more than just faces.

When you upload a photo on Facebook, the social network scans the image and detects how many people are in the photograph, and whether it was taken indoors or outside.

Facebook is also able to identify humans, animals and inanimate objects.

It is not always accurate, but the social network is able to differentiate between people who are standing, or sitting down.

To find out exactly what Facebook is reading into your photos, software developer Adam Geitgey has created a useful Chrome browser extension that reveals the data Facebook is collecting from your images.

Show Facebook Computer Vision Tags reveals data that Facebook usually keeps hidden from its users.

The free Google Chrome extension can be downloaded from the Chrome extension store.

Facebook has implemented object recognition technology since April 2016, a spokesperson for the company told Metro.co.uk.

The Verge, 27 May 2016:

Facebook will now display ads to web users who are not members of its social network, the company announced Thursday, in a bid to significantly expand its online ad network. As The Wall Street Journal reports, Facebook will use cookies, "like" buttons, and other plug-ins embedded on third-party sites to track members and non-members alike. The company says it will be able to better target non-Facebook users and serve relevant ads to them…

Some of the data Facebook collects to facilitate ad placements, according to The Washington Post on 19 August 2016:

1. Location
2. Age
3. Generation
4. Gender
5. Language
6. Education level
7. Field of study
8. School
9. Ethnic affinity
10. Income and net worth
11. Home ownership and type
12. Home value
13. Property size
14. Square footage of home
15. Year home was built
16. Household composition

As explained on that shiny new portal, Facebook keeps ads “useful and relevant” in four distinct ways. It tracks your on-site activity, such as the pages you like and the ads you click, and your device and location settings, such as the brand of phone you use and your type of Internet connection. Most users recognize these things impact ad targeting: Facebook has repeatedly said as much. But slightly more surprising is the extent of Facebook’s web-tracking efforts and its collaborations with major data brokers.

While you’re logged onto Facebook, for instance, the network can see virtually every other website you visit. Even when you’re logged off, Facebook knows much of your browsing: It’s alerted every time you load a page with a “Like” or “share” button, or an advertisement sourced from its Atlas network. Facebook also provides publishers with a piece of code, called Facebook Pixel, that they (and by extension, Facebook) can use to log their Facebook-using visitors.

17. Users who have an anniversary within 30 days
18. Users who are away from family or hometown
19. Users who are friends with someone who has an anniversary, is newly married or engaged, recently moved, or has an upcoming birthday
20. Users in long-distance relationships
21. Users in new relationships
22. Users who have new jobs
23. Users who are newly engaged
24. Users who are newly married
25. Users who have recently moved
26. Users who have birthdays soon
27. Parents
28. Expectant parents
29. Mothers, divided by “type” (soccer, trendy, etc.)
30. Users who are likely to engage in politics
31. Conservatives and liberals
32. Relationship status

On top of that, Facebook offers marketers the option to target ads according to data compiled by firms like Experian, Acxiom and Epsilon, which have historically fueled mailing lists and other sorts of offline efforts. These firms build their profiles over a period of years, gathering data from government and public records, consumer contests, warranties and surveys, and private commercial sources — like loyalty card purchase histories or magazine subscription lists. Whatever they gather from those searches can also be fed into a model to draw further conclusions, like whether you’re likely to be an investor or buy organic for your kids.

Wired, 28 December 2012:

In 2010, while researching his thesis, he asked Facebook if it could send him all of the user data the company had relating to his own account. Amazingly, he got a response.

Facebook was, in Schrems' words, "dumb enough" to send him all his data in a 1,200-page PDF. It showed that Facebook kept records of every person who had ever poked him, all the IP addresses of machines he had used to access the site (as well as which other Facebook users had logged in on that machine), a full history of messages and chats and even his "last location", which appeared to use a combination of check-ins, data gathered from apps, IP addresses and geo-tagged uploads to work out where he was.

As Schrems went through the document, he found items he thought he had deleted, such as messages, status updates and wall posts. He also found personal information he says he never supplied, including email addresses that had been culled from his friends' address books. European law is worded vaguely, but says that personal data must be processed "fairly"; people should be given comprehensive information on how it will be used; the data processed should not be "excessive" in relation to the purpose for which it was collected; it should be held securely and deleted when no longer needed. And each person should have the right to access all of their personal data.

Thursday 13 April 2017

Australian Dept. of Human Services and Centrelink sink to a new low


An automated Dept. of Human Services-Centrelink debt recovery system launched an est. 230,000 investigations into client welfare payments in 2016-17, then used an error-prone “income averaging” method to decide that more than 133,000 clients had incurred a debt owed to Centrelink and sent them a bill which included a recovery fee.


During this entire debacle spokespersons for the Turnbull Government, the Department and Centrelink have attempted to mislead and misinform welfare clients, mainstream media and the general public.

Now we have been told that for months, perhaps years, the software program being used by Centrelink to run its access to online services portal left users vulnerable to phishing attacks which can steal their credentials including names, addresses, bank account details.

If this is yet another example of the innovative and agile government information technology Liberal and National Party MPs boast about - then gawd help us all!

Comment on office of the Minister for Human Services, Mr Alan Tudge

By an IT consultant.......


That Victorian Legal Aid saw it necessary to update its advice to clients to warn them that their personal information is no longer safe with the Department is an extraordinary situation. This is not advice from tinfoil-hat-wearing conspiracy theorists. This is sober advice from legal professionals that a major part of the Australian Government cannot be trusted. I cannot stress enough how bad this is.

This behaviour from the Department has had a chilling effect, as I believe it was intended to. This chilling effect is not theoretical. I have personally spoken to individuals who have been reluctant to speak out against the Department, either to the media or to this Inquiry, because they fear repercussions from the Department as they are dependent in some way on income support.

At one point I discussed these matters with the office of the Minister for Human Services, Mr Alan Tudge, and was alarmed to discover that his office did not share my view that the Department has an asymmetric power advantage over individuals. They were of the view that if an individual is critical of the Department in the media, they become fair game.

The attitude from Mr Tudge’s office appeared to be one of a siege mentality where they were at a substantial disadvantage despite the vast array of resources at their disposal, particularly when compared to an individual reliant on income support. They felt that there had been a lot of false information being reported in the media and that it was time for them to “start fighting back.” This adversarial attitude, coupled with the astounding levels of secrecy from the Department, indicates major cultural issues in the Department and in the responsible Minister’s office.

The Department of Human Services exists to serve the humans in our society. The clue is in the name of the department. If individuals within the Department are unhappy with their role, then they should be encouraged to seek employment elsewhere.

By a Queen's Counsel.......

ABC News, 3 April 2017:

One of Australia's leading criminal barristers believes Human Services Minister Alan Tudge — or one of his staff — may have broken the law by supplying a journalist with a Centrelink client's personal information.

Robert Richter, a Queen's Counsel and former chairman of the Criminal Bar Association, believes the disclosure could lead to a prison sentence if it is tested beyond reasonable doubt in a criminal court.

Mr Tudge has dismissed the legal advice, saying the disclosure was approved by his department's lawyers and was necessary to correct misleading public statements.

"I received clearance to release the information from the Chief Legal Counsel of the Department of Human Services, who is intimately across the details of the case and the relevant laws."

Mr Richter's advice was commissioned by Labor MP Linda Burney and his findings were based on public information, rather than inquiries with Mr Tudge's office.

In his opinion, it is "reasonably clear that either the Minister or one of his office's staff had committed an offence".

"We cannot presently put it higher without knowing precisely the content of the information that was disclosed and by whom it was disclosed," Mr Richter said……

Thursday 30 March 2017

No Australia Card? Yes, Assistant Minister. Of course you are 100% believable


Hoping against hope I don’t have to eventually file this one under “How can you tell when Government is lying”.

However, I suspect that the Assistant Minister for Cities and Digital Transformation is actually lying like the proverbial trooper, given the bare bones of the federated identity service and its attendant privacy & safety risks are on display at the Digital Transformation Agency.

The Register, 19 March 2017:

Australia's federal government is sticking with its plans for a federated identity service, but disruption minister Angus Taylor has moved to quell fears of a revived “Australia Card”*.

What first emerged last year looking like a “single identity” for all citizens across all Australian governments – before being dumped – isn't coming back.

Speaking at the Tech Leaders conference in the Blue Mountains on Sunday, Taylor – full title Assistant Minister for Cities and Digital Transformation – said the Digital Transformation Agency's (DTA's) identity project is now about setting standards rather than creating a single whole-of-government identity provider.

He also said the government considers it a citizen's right to have multiple digital identities for their interactions with government, if that's what they want.

Considering that last year, the then-DTA was trying to recruit state governments to its “federated identity” alpha (only getting the NSW government's support), the new direction looks like a considerable departure from the project's original ambitions.

Taylor said: “We don't see ourselves as creating a centralised solution that we'll roll out and everybody else has to come and play – that's not the answer. But we do need to agree on standards, and we do need to agree on principles as to how this will work.”

He also emphasised that the system had to be user-driven rather than top-down, and that citizens' consent is crucial to the model.

“It must be user-driven. If I want to have 45 identities across the Internet and across my applications, it should be my choice. If I want to have one, that's my choice too.”

He added that the “user-driven approach” has to extend to the citizen having a “genuine consent” about how they interact with a digital identity.

“That, to me, is essential to any solution, and the federal government won't endorse or be part of any solution that doesn't do exactly that.”

A formal announcement about the future of the federated identity project is coming “in the very, very near future.”......

*Comment: For readers unfamiliar with 1980s Australian politics – the “Australia Card” was proposed as a single ID for citizens in 1985.

Offered as an efficiency measure, it landed when “ID cards” in Nazi Germany and the Eastern Bloc were still fresh in many citizens' minds, especially for those who had arrived in Australia's first inrush of non-British immigration.

The uproar killed off the Australia Card after a two-year political battle, but not the concept: public service managers have never lost their love of tracking and identifying citizens.

From that point of view, Paul Shetler's DTO nearly achieved a huge social change by disguising it as “technological disruption”.

Friday 3 March 2017

#NotMyDebt: it has spite writ large all over it


Despite any current or future ministerial or departmental denials, ‘explanations’ or excuses, I find it hard to believe that this 22 February 2017 end of business day release of a Centrelink client’s personal, sensitive, protected information to a journalist was accidental.

Particularly as this act was clearly repeated.

It has spite writ large all over it.

The Guardian, 2 March 2017:

The office of human services minister, Alan Tudge, mistakenly sent a journalist internal departmental briefings about a welfare recipient’s personal circumstances, which included additional detail on her relationship and tax history.

Senior departmental figures were grilled at Senate estimates on Thursday about the release of welfare recipient Andie Fox’s personal information last month.

Fox had written an opinion piece critical of Centrelink and its handling of her debt, which ran in Fairfax Media in February. The government released her personal details to Fairfax journalist Paul Malone, who subsequently published a piece attacking Fox and questioning the veracity of her claims.

Two responses were given to the journalist, one from the department of human services and the other from Tudge.

The department said its response – three dot points containing only minimal detail on Fox’s personal history – was cleared by lawyers and was lawful. The minister’s office then added two quotes from Tudge and sent its own response to Malone.

Guardian Australia can now reveal that the minister’s office also accidentally sent the journalist two internal briefing documents, marked “for official use only”, which had been prepared by the department.

Those documents contained additional information on Fox and her personal circumstances, which went beyond the dot points prepared by the department. They included further detail of her relationship history, including when she separated from her partner.

Those documents were then sent to Malone. The documents were also mistakenly sent to Guardian Australia when it raised questions about the disclosure of Fox’s personal information.

No mention of those documents was made in Senate estimates on Thursday, despite repeated questioning of what the minister had disclosed to Malone. Tudge’s office has now conceded the documents were sent to Malone in error. But the office says it was of no consequence, because all of their contents had been legally cleared by the department.

A welfare recipient’s personal details are considered protected information under social security law, and any unlawful disclosure is considered a criminal offence. Earlier, the department told estimates that social security law only allowed it to disclose the minimal amount of information needed to correct the public record. [my highlighting]

On 2 March 2017 Labor MP for Barton and Shadow Minister for Human Services, Linda Burney, wrote to the Australian Federal Police Commissioner requesting an investigation into the personal/sensitive information release by the minister and/or his staff:


BACKGROUND



http://northcoastvoices.blogspot.com.au/search?q=centrelink
Protection of personal information



Our obligations under the Privacy Act 
This policy sets out how we comply with our obligations under the Privacy Act 1988 and the Australian Privacy Principles which are set out in a Schedule to that Act. 

The Australian Privacy Principles (APPs) regulate how the department, as an APP entity, must collect, use, disclose and store personal information. The APP

What personal information and sensitive information is

The terms 'personal information' and ‘sensitive information’ come from section 6 of the Privacy Act.

References to personal information throughout the Privacy Policy include sensitive information unless otherwise indicated.

‘Personal information’ means: 
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) whether the information or opinion is true or not; and 
b) whether the information or opinion is recorded in a material form or not.

‘Sensitive information’ means: 
a) information or an opinion about an individual’s:
i. racial or ethnic origin
ii. political opinions
iii. membership of a political association
iv. religious beliefs or affiliations
v. philosophical beliefs
vi. membership of a professional or trade association
vii. membership of a trade union
viii. sexual orientation or practices
ix. criminal record. 
b) health information about an individual
c) genetic information about an individual that is not otherwise health information

d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification
e) biometric templates


Sky News, 2 March 2017:

It was also confirmed Centrelink staff trawl social media for complaints about the welfare agency and may refer serious gripes to the responsible minister.

Senior bureaucrats responsible for Centrelink say their workers sift through print, broadcast and social media for individual complaints.

Deciding on whether to report grievances to the human services minister depended on the circumstances of each case.

Tuesday 3 January 2017

Singing the Centrelink Blues - with lyrics straight from Looney Tunes


After more than three years of an Abbott-Turnbull federal government there appears to be only a handful of ministerial portfolios which can be thought of as well managed and the Dept. of Human Services (operating Centrelink) is not amongst them......

AS IT UNFOLDED…..

Financial Review, 31 July 2016:

The Turnbull government will this week release a request for tender for one of the most significant spends on the machinery of government in years: the job of integrating the massive welfare and Australian Tax Office IT systems, as part of a $1 billion overhaul of ageing infrastructure.
The upgrading of the government's IT systems might not normally attract much wide interest, except that the question of who would run another massive payments system – for Medicare – became such a matter of political controversy in the recent federal election campaign.
But the welfare upgrade also holds the key to clearing the way for other major welfare reforms – from implementing the McClure Report recommendations to simplify the welfare system through to data matching that will produce big administration and compliance costs for both the government and its customers.

Australian Department of Human Services:


20 December 2016
If you do, we can ask you to pay off your Centrelink debts at any time.

If you don’t have a payment arrangement set up, from 1 January 2017 you could be charged interest and stopped from travelling overseas.

To pay back the money, use Money You Owe service in your Centrelink online account through myGov, or talk to us about setting up a payment arrangement.

If you set up a payment arrangement and make your repayments, you won’t be charged interest or stopped from travelling overseas.

To help you pay off your debt faster, we will ask the Australian Taxation Office to send us your tax refund to pay your debt. This will happen even if you have a payment arrangement in place.

To avoid a debt, tell us straight away if your circumstances change, or if you think you’ve been overpaid.

Next steps
Read more:
about how your payments could be affected when you owe us money

Guide to Social Security Law Version 1.227 - Released 7 November 2016:

6.7.1.45 Ten per cent Recovery Fee on Debts from False or Non-declaration of Income from Personal Exertion
Overview
A 10% recovery fee will be imposed on a debt incurred when a person has:
refused or failed, without reasonable excuse, to provide information, or
knowingly or recklessly provided false information,
when required under a provision of the social security law, to provide information in relation to the person's income from personal exertion.
The 10% debt recovery applies only to persons of working age on a social security benefit, DSP, WP, WidB or PPS at the time the debt occurred.
The fee is only applicable to that part of the debt that arose because the person refused or failed to provide information, or knowingly or recklessly provided false or misleading information about their income from personal exertion.
Act reference: SSAct section 23(1)-'social security payment'
Factors to consider
The decision to impose a 10% recovery fee is separate from the decision to raise a debt, and must be considered discretely. However, the decision to apply the recovery fee must be made at the same time the debt is raised and cannot be applied retrospectively……
Income from personal exertion includes any income received as an employee or for any services rendered. This includes income from earnings, salaries, wages, commissions, fees, bonuses, superannuation allowances, retiring allowances and retiring gratuities, allowances and gratuities.
It also includes proceeds of any business activity carried on by the person either alone or as a partner with any other person or profit received from holding an office or from any profit making undertaking or scheme.

The Guardian, 19 December 2016:

The data-matching system Centrelink is using to detect overpayments has also been experiencing problems, according to some welfare recipients. The new system compares data held by Centrelink with data from other government agencies, including the tax office, to determine whether a person has wrongly claimed welfare.

Last week, independent Andrew Wilkie called on the government to suspend the automated compliance system while reports of errors were investigated. Other welfare recipients have since spoken to Guardian Australia about claims for debts they say have been incorrectly issued.

One man, who asked not to be named, was told he owed $2,200 because the ATO’s information did not match the income he had reported to Centrelink. He said he claimed benefits for only part of the year, and believed the ATO’s information on his annual income had been mistakenly used to suggest he worked the entire year.

“I believe no government department could be so incompetent to not recognise the glaring problems with matching data that is on completely different scales (yearly vs fortnightly),” he said. “To me this means it has been purposely done.”

The department said last week it believed the automated system was working without error. It said there had been no increase in the rate of appeals received.

The Guardian, 23 December 2016:

A Centrelink compliance officer has broken ranks to describe the government’s crackdown on welfare debts as grossly unfair, saying its new automated compliance system is flawed and overly harsh on those on sickness benefits.

The government continues to insist there are no flaws with its compliance system, which is being used to retrieve debts from hundreds of thousands of Australia’s lowest paid and most vulnerable.

The system relies on an automated data-matching process to detect discrepancies between fortnightly income reported to Centrelink and annual pay information held by the tax office, a comparison that has been criticised as too crude.

Once a discrepancy is detected – currently occurring at a rate of about 20,000 cases a week, compared with 20,000 a year previously – welfare recipients must prove they were entitled to the welfare benefit, or pay the debt.

The Centrelink compliance officer, who asked for anonymity, told Guardian Australia the system was error-prone but that most customers were paying debts without checking them first. The source said of the hundreds of cases they had reviewed, only about 20 (at a “generous estimate”) turned out to be genuine debts.

The worker said the system was particularly harsh on those who received Centrelink’s sickness allowance – a benefit for employees who are unable to work temporarily due to serious illness but are not paid by their employer.

“The ATO matched data will show that they worked the entire financial year and will apportion the gross payments over that financial year without taking into account their time off,” the source said. “This means the system raises a debt for the entire sickness allowance they received. For many, that’s a debt of over $1,000.

“Although we may have documented evidence of their medical issues on the system, we as [compliance officers] are not allowed to look in the system to find any of that evidence. Instead customers must obtain all their pay information for that financial year.”

When a discrepancy between Centrelink and ATO data is detected, some individuals are being asked to track down pay slips that may be several years old or obtain letters from their employers. That is particularly difficult where past employers have gone into liquidation or no longer exist.

The Centrelink source said their team was instructed to tell those people to contact the consumer affairs watchdog in their state or territory, which could then help them track down the necessary information. Colleagues had recently learned that those state and territory agencies did not hold such information.

“[We] were told to keep telling customers this false information until another way is found,” the source said.

The Department of Human Services said in a brief statement that it remained “confident in the online compliance system and associated checking process with customers”.

The department said more than 70% of those who had received a compliance letter since September had resolved the matter online and only 2.2% were requested to supply supporting documentation such as payslips.

Frustrations with the debt recovery process have been compounded by errors with Centrelink’s online customer portal, where individuals must go to lodge a dispute. The department said the errors with its online service had affected only a small number of people and had since been resolved.

But the compliance officer said that was untrue. They said they were “stunned” when the department stated the online system was working.

“This is completely false,” the source said. “Not only do customers, especially past customers, have access issues all the time but, since the compliance system was placed online, [compliance officers] have had many access issues.

“For the past two weeks we’ve had to turn customers away because we could not access [the system] and neither could they.”

Guardian Australia and other media, including the ABC and Crikey, continue to receive reports of incorrectly issued debts, which are causing stress and anxiety just before Christmas. 

This week the independent MP Andrew Wilkie asked the commonwealth ombudsman to investigate complaints about the automated system.

The Australian Council of Social Service (Acoss) wrote to the human services minister, Alan Tudge, on Thursday, urging him to investigate complaints about the system.

The Guardian, 30 December 2016:

The government’s automated compliance system, which began in July, has been the subject of repeated complaints, which stem from its comparison of income reported to Centrelink and information held by the Australian Taxation Office.

It has been accompanied by threats of jail for those who do not pay, a joint police-Centrelink campaign targeting geographic areas, the imposition of a 10% debt recovery fee and plans to charge interest on welfare debts and remove the six-year statutory limit on retrieving overpayments.

Legal Aid Victoria, the Australian privacy foundation, the Australian council for social service, and independent Andrew Wilkie have all raised serious concerns, urging the human services minister, Alan Tudge, to intervene. 

IT and data expert Justin Warren – who has worked for IBM, ANZ, Australia Post and Telstra, among others – said Centrelink’s system appeared to rest on the “idiotic” assumption that “big data was magic”.

“It’s not. It’s a messy, complex, statistical system that is wrong a lot,” Warren said. “All models are wrong, but some are useful. It’s the choice of how you deal with when the system is wrong that reveals how you view the world.”

The Guardian, 30 December 2016:

This week, Guardian Australia has continued to receive complaints about Centrelink’s new method of retrieving welfare debts, which relies on an automated data matching process criticised as crude and unfair.

Now, a handful of the thousands of Australians caught up in the government’s crackdown share their experience of being unfairly targeted.

Sally, Brisbane
I am the single mum of five and three year olds. I work part time and receive partial parenting payment and family tax benefits. This finances our simple lifestyle. I was shocked and dismayed to receive a letter from Centrelink Compliance department with a debt of $24,215.81 (including $2,110 debt recovery fee) to be paid by 9 January. I was able to talk with Centrelink Compliance and it appears the automated system “duplicated” my employer, so it appears I had a second undeclared job. Although this is Centrelink’s error, I need to provide two years of payslips and apply for a “manual reassessment” of my case. To stave off debt collectors, I had to start repaying my “debt” at a reduced rate.

Ryan, Melbourne
As a long-term full-time employed professional, tax payer and small business entrepreneur, I contribute to our economy in many positive and financial ways.
Centrelink have incorrectly alleged they overpaid me the government benefit Youth Allowance which financially assisted me to successfully complete a professional tertiary qualification in 2010-2011. This qualification is now used daily in my profession. This issue has been raised six years in retrospect, which appears now due to an erroneous automated computer “data match”.
Centrelink have repeatedly refused to provide written evidence of how the overpayment occurred. In addition to this, they have falsified my fortnightly income statement since I reported it in the 2010-2011 financial year. They have also requested I supply documented financial records I am not obliged to keep under ATO law. Centrelink has been grossly wasteful of my time and that of tax-funded government employed staff. My time is valuable and productive, both within full-time employment and small business development.
Throughout this ordeal, I’ve been subjected to personal distress, confusion and dismay and at a time of family grieving, my 66-year-old father passing away concurrently with receiving presumptive Centrelink letters of debt. The current data match regime appears to have a clear objective and obvious demographic: disrupt the disadvantaged, defenceless and vulnerable.
I now feel nothing more than inspired to stand up, fight for change and the protection of our basic civil liberties. We may feel small as individuals, but collectively we can stand tall and safeguard those around us, who deserve respect, dignity, equality and compassion in our free and democratic society.

James, Wollongong
A debt collector rang me on a Saturday morning and it ruined my weekend. I thought I was being scammed: they were asking for my personal details and demanding I identify myself. I had to wait until Monday to get an answer out of Centrelink, which was: I owed them $1,000 because their automated tax matching said so.
They wanted letters and payslips from employers proving I wasn’t a liar. When I did get the information, there has been no way to provide the Department of Human Services with it even after four weeks of trying. I feel as though I’ll have no choice but to pay when leaving for an overseas trip – extorted for the money I “owe” at the customs desk or miss my flight.

Dave, Sydney
I reported correctly while on youth allowance but was sent a letter from Centrelink demanding payment of a $2,500 “debt” based on alleged under reporting. The demand caused me stress and anxiety. I spent at least five hours contacting Centrelink and gathering my payslips to prove that I did not under report and that I did not owe a debt.
After phone calls and emails to and from Centrelink and a journalist from the ABC, Centrelink acknowledged that I did not owe any debt. There was no apology for the false accusation or the stress caused. I am concerned that most people would simply pay the “debt” on the assumption that Centrelink had a valid basis to their demand.





EXCERPT FROM A CENTRELINK LETTER……


REPLY TO CENTRELINK…..


WHO IS MAKING MONEY FROM THESE FALSE DEBTS?

Following a pilot in 1994, the Department of Social Security received funding in the 1995–96 Budget for a Flexible Debt Recovery measure, which would: 'refer certain social security debts owed by noncurrent customers to mercantile agents for recovery action'.  ECAs, acting as mercantile agents, have been contracted since 1996 to recover social security payment debts owing by noncurrent customers. The ECAs are paid a commission on the amount recovered for each debt.
DHS currently contracts two private sector ECAs to undertake debt recovery for Centrelink payment debts: Dun & Bradstreet and Recoveries Corporation. The current arrangement is a standing offer for debt recovery services from both suppliers for the period February 2011–February 2014.

Two external debt collection agencies received over $13 million in commissions for recovering Centrelink debts last financial year. The debt recovery bonanza follows a previous Audit office investigation which found private debt collection agencies recovered 10 per cent of Centrelink debts, but were the subject of more than a quarter of all complaints about debt recovery practices…..

[National Welfare Rights Network, Welfare Rights Review Vol 1 No 2]



WHAT NOW?

Now the Minister for Human Services and Liberal MP for Aston Alan Tudge would like to deliver all Centrelink services online in the future via software programs – including acceptance or denial of applications for pensions, benefits and allowances – without any human contact between the person applying and Centrelink. 
Probably with user access only allowed via a registered national digital identity.

What could possibly go wrong?

WANT TO TELL THE MINISTER AND SENIOR PUBLIC SERVANT RESPONSIBLE FOR THIS MESS EXACTLY HOW YOU FEEL?

Hon. Alan Tudge MP, Minister for Human Services, can be contacted at https://www.aph.gov.au/Senators_and_Members/Contact_Senator_or_Member?MPID=M2Y

Hank Jongen, Department of Human Services General Manager, can be contacted at hank@humanservices.gov.au

* A hat tip to those mainstream journalists, social media activists, statisticians and IT people who have been covering this issue, a shout out to the whistleblowers and a big thank you to those Centrelink clients who have been telling their stories online.

UPDATE