
Privacy Related Articles

Because Centrelink holds a huge amount of personal information on most of the population of Australia, it has to take great care to keep that information secure. Generally, Centrelink is able to do so.

Unfortunately for Centrelink and its clients this is not always the case. In the past (and more than likely in the future) there have been many occasions when Centrelink staff have breached clients' privacy (both accidentally and deliberately). For this reason I have started to collect articles about Centrelink, privacy concerns and privacy breaches.


Centrelink DEWR & Others Hacking!


On February the 1st 2008 Centrelink and its fellow counterparts hacked into this web site, Centreflunk.com and CentreChat.com. It was morning, about 8:00am; they were detected and then did the bolt!

It’s pathetic that a web site sharing information publicly available and a web site sharing the truth should be targeted by this Australian Government Organisation. To stoop so low, we know what we share is not what they want us to share however we stand for the freedom we have.

We made complaints with just about everyone, and should be seeing the progress of the investigation come along soon.

Centrelink, DEWR, AFP, NSW GOVT, TASSIE GOVT, WA GOVT & a few others have been making daily visits on our sites, what they do is another thing, sometimes they look, sometimes they try and login with incorrect passwords and one time they even registered an account?

Let’s hope next time they try a move like this they encounter the skills of US and we will fight back directly while they hack.

Cheers

Clink

Ex-Centrelink worker slammed over Corby leak

By Greg Stolz
October 10, 2007 02:45am

A FORMER Centrelink employee who leaked twisted information about jailed Bali drug runner Schapelle Corby to a television current affairs show was branded "a disgrace" yesterday by a Gold Coast magistrate.

Magistrate Terry Duroux said the Corbys had already been through enough "without this sort of thing".

He was sentencing Natalie Pearson, 24, who pleaded guilty in the Southport Magistrate's Court to unlawfully communicating private information about a pension application by Corby a month before she was arrested in Bali in October 2004 with 4.1kg of marijuana in her bodyboard bag.

The court was told Pearson leaked the details to Channel 7's Today Tonight, which ran a story alleging Corby had applied for the pension for drug-related psychological problems.

But Pearson was only repeating office gossip, as Corby's pension claim was for post-traumatic stress believed to be related to her cancer-stricken father, Michael.

Defence lawyer Debbie Marinov said Pearson had been pressured into doing the Today Tonight interview, even though she "knew it was the wrong thing to do".

Mr Duroux said while Pearson might have been pressured, she simply should have refused to do the interview.
"This was a trying time for Ms Corby and her family," he said. "They had already gone through enough and didn't need this sort of thing being aired nationally throughout Australia."

The charge carries a maximum penalty of one year's jail and a $6600 fine but Mr Duroux released Pearson on a $1000, three-year good behaviour bond. He recorded a conviction.

An emotional Rosleigh Rose, Corby's mother, confronted Pearson after the hearing, telling her: "You shouldn't have done that."

Outside court, Ms Rose said: "She's just a naughty, terrible girl who you'll never be able to trust."

One privacy breach a day at Centrelink

Denis Peters | September 25, 2007
CENTRELINK says its staff breached privacy regulations 367 times in the past financial year, but only two employees were sacked.

The federal welfare support agency's checks also identified 289 conflict of interest cases, general manager Hank Jongen said.

He said 24 employees resigned and two had been sacked because of the breaches.

Mr Jongen said a privacy breach occurred when an employee accessed personal information when it was not part of their duty, commonly referred to as browsing.

"Last financial year, there were 367 proven privacy breaches," he said.

"It's important to note more than 40 per cent of these privacy breaches related to misdirected mail resulting from human error, and not employees browsing customer records.

"Our checks also identified 289 conflict of interest cases, which are breaches of the Australian Public Service code of conduct, rather than a breach of privacy."

An example of this was where an employee was not authorised to access their own customer record, or records of family members, ex-partners, neighbours or close personal friends, even if the individual asked them to do so.

"Of the proven privacy and code of conduct breaches, 24 employees resigned and two had their employment terminated," he said.

"Another 296 employees received a written warning, 13 were reprimanded and 44 were fined or had their salary reduced."

Mr Jongen was responding to a Seven Network report which said about 140 employees had been sacked over the past couple of years and that Centrelink was investigating 547 privacy breaches by staff inappropriately accessing clients' personal details.

He said Centrelink had a robust monitoring system which used advanced data-matching analysis capabilities to continually monitor employees' access to customer records.

"The information released under Freedom of Information was based on the results of a raw data-matching exercise in 2005 that was broadly cast to identify all potential breaches of privacy and conflict of interest," he said.

"Further analysis showed most of these data matches didn't disclose any breach of privacy or other misconduct.

"The overwhelming majority of our 26,500 employees perform their duties in a highly ethical and responsible manner.

"However, we're constantly monitoring our customer records to make sure we quickly identify employees who aren't upholding these values."

Australia 'must overhaul data disclosure mess'


Liam Tung, ZDNet Australia

12 September 2007 11:35 AM


The Australian Law Reform Commission (ALRC) has given the thumbs up to the introduction of data breach disclosure laws in Australia, which would put it in line with current US and European legislation.

The ALRC has proposed a major shake-up of current privacy laws, including data breach disclosure laws, which it hopes will simplify complex and overlapping state and Commonwealth privacy legislation, including the Commonwealth Privacy Act 1988, which has not been reviewed for 20 years.

Professor David Weisbrot, ALRC President, said: "That's not normal. When you think about sedition laws, that took three to four [hundred], 500 years to review. [However] when Michael Kirby and the other commissioners were doing this work in the 1980s … no one had heard of e-mail, or mobile phones and no-one had digital cameras. All files were paper based … There was no Internet, no Amazon, no Myspace, no YouTube, no spam, no phishing, no biometrics, no DNA testing, and no e-tags. And there was no offshore data processing centres where Australians' personal information was routinely sent or accessed from."

The discussion paper contains 301 proposals; however, recommendations will only be submitted to the government of the day in March 2008 after a further round of community and stakeholder feedback.

The commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said current arrangements have caused confusion for those attempting to navigate the current "piecemeal" Commonwealth Privacy Act and overlapping state privacy legislation.

The ALRC will propose that the Commonwealth Privacy Act apply to both the Commonwealth public sector and the private sector, removing state-based privacy legislation from the latter. The ALRC has not proposed that the Commonwealth Act applies to state government agencies, but it will however propose the Act adopts common understandings of definitions such as what constitutes "personal information" and a "record".

Data breach laws

If data breach disclosure laws are introduced in the way the ALRC has proposed, organisations and businesses will be obliged to notify the individuals concerned as well as the Privacy Commissioner when personal information has been compromised under the custodian's care.

The Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said: "Businesses are concerned that if we go down this road of data breach notification, what is it going to cost? The cost, particularly if you look at some of the US examples, can be substantial. Wherever there is unauthorised access to information you must notify, even if there's no serious threat of harm to the individual whose information has been breached. That can result in a very great cost of compliance for business."

However McCrimmon said the ALRC's proposals have been tempered so that only certain breaches qualify for notification status.

"What we propose is that there should be a data breach notification provision. What we've also proposed however is that there be certain thresholds that are set," he said.

Those thresholds are that there is a real risk of serious harm to affected individuals, and in instances where the information was not adequately encrypted or redacted.

If there has been a breach but no harm caused, McCrimmon said -- such as instances where an employee accesses a document that he does not have rights to by mistake but immediately leaves the document and does so with it unaltered -- that would not necessitate a notification. "In some US states, it would. The one we're proposing, it wouldn't," he added.

He said the Centrelink and Medicare examples, where records were inappropriately accessed, and instances where a laptop is left at the airport, would trigger notification rules.

Despite the increased attention given to the issue of data breaches by the ALRC's discussion paper, David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of New South Wales, said it will be a long time before real changes are made.

Referring to the Democrats introducing a Private Members Bill on amending the Privacy Act to include data disclosure laws last month, Vaile said: "The fact it's been introduced is only a tiny step forward. Private members bills are often ignored."

ATO staff fired for viewing confidential data

Even though this article is not specifically Centrelink related, it is privacy related. It shows that privacy breaches occur widely, in many Government departments and that "stamping out unauthorised access is impossible".


Liam Tung, ZDNet Australia

28 August 2007 02:18 PM


A dozen employees have either been sacked or resigned after internal audits of logs by the Australian Tax Office (ATO) showed employees had been abusing their access privileges.

According to the ATO, employees were sent on a training program aimed at educating staff how to handle taxpayer information after investigations showed that 27 staff had gained unauthorised access to personal tax records in 2006.

Access to personal tax records outside the normal course of business is prohibited under current privacy laws. Staff caught accessing records illegally face heavy fines or jail terms.

However, the ATO claims stamping out unauthorised access is impossible.

"While no level of unauthorised access is acceptable, in an organisation of about 22,000 people it is inevitable that a very small number of people will be tempted to do the wrong thing," an ATO spokeswoman told The Australian.

Last year federal Treasurer Peter Costello was unsure whether the actions of these staff meant the tax office had a "cultural problem" in relation to the handling of taxpayer information.

Rob Mackinnon, an access management consultant for analyst firm IBRS, told ZDNet Australia that rather than being a cultural problem it was a problem with human nature and affects all large organisations dealing with sensitive information.

Privacy breaches in an organisation like the ATO are inevitable and would likely require internal intelligence to be identified since constant monitoring would be too onerous from a technology point of view, he said.

"[Privacy breaches] will always tend to happen because in some respects, by having stringent privacy guidelines, it's like hiding candy from the kids," said MacKinnon.

Other security problems faced by the ATO related to unauthorised access to tax information by external taxation agents via its Web portal.

The Audit Office found that in 2006, the ATO did "not have the capability for the timely production of a clear and meaningful end-to-end view of a user's actions within the Portals" used by tax agents.

To alleviate some of these problems the ATO deployed a centralised audit logging system using Tier-3's Huntsman security product.

At time of writing, the ATO was unavailable for comment.

Smart card fears as public servant snoops revealed

By Tanya Giles and Peter Mickelburough
October 14, 2006 12:00am

HUNDREDS of public servants have been caught spying on the private information of citizens in federal and state government agencies.

Most of the 1000-plus victims were never told details of their private lives, including personal, financial, health, police and emergency records, had been invaded.

A Herald Sun survey of 15 key federal and state departments and agencies, which hold up to 100 million secret files on individuals, found 650 public servants were sacked or sanctioned for snooping on their clients in the past year.

The revelation comes as Canberra pushes ahead with controversial plans to replace 17 health and welfare cards with a single smart card.

The Herald Sun found confidential files were breached at VicRoads, Victoria Police, Corrections Victoria, Centrelink, Medicare, the tax office and the Emergency Services Telecommunications Authority.

The breaches occurred despite strict policies designed to protect private information.

The Herald Sun investigation found Medicare investigated 23 breaches in 2005-06, referring one case of alleged fraud and theft to federal police.

Thirteen Medicare workers remain under investigation, four have been sacked, five have resigned and one has been counselled.

Medicare spokesman Peter Sexton said Medicare was beefing up security, including audits and tighter controls on access to records.

Other new privacy intrusion cases included VicRoads, which holds 7.5 million files.

VicRoads probed 21 complaints in 2005-06, leading to two resignations and two reprimands.

VicRoads spokeswoman Kara O'Dwyer said all staff were warned not to use, release, disclose or study people's files for unofficial reasons.

Victoria Police has acted against 19 staff after high-profile leaks of more than 800 files from its LEAP database.

Fourteen police were fined, three were put on good behaviour bonds, three were demoted and one was reprimanded.

Other privacy breaches last year included:

FIVE staff at the Department of Human Services counselled over "inadvertent" breaches.

THREE corrections staff who looked at records of inmates and a prison officer whistleblower.

ONE allegation against a WorkCover employee that could not be substantiated.

The tax office last month sanctioned 24 staff for privacy breaches. Four were sacked, 12 resigned, two were fined and six had their pay cut or were demoted.

Two were prosecuted under the Tax Act, with one sentenced to community service and the other fined.

The worst offender was Centrelink, which last month admitted 111 staff were sacked or had resigned for looking at welfare recipients' files.

Centrelink has disciplined 585 staff for wrongly accessing customer records on 790 occasions since 2004.

Labor's human services spokesman, Kelvin Thomson, said the breaches should ring alarm bells for Australians.

Mr Thomson said Human Services Minister Joe Hockey, who is responsible for Centrelink and the smart card, must show how he would protect privacy.

Mr Hockey said rigorous controls to ensure maximum privacy were being developed for the smart card.

Eyeing Big Brother


Paul Malone
Saturday, 26 August 2006



The latest privacy breaches of government records raise new questions about plans for a national smart card for 2008. PAUL MALONE reports

LIKE THE universe, the government's share of our information is exploding: birth dates, income and tax records, health information, the census, criminal records, marriage and family details, unemployment benefits, traffic infringements, disabilities, death records. The list of some of our most intimate data gathering on official files gets bigger by the day.

Public servants, bound by codes of conduct and threatened with the Crimes Act and secrecy provisions, are the keepers of the files. Tens of thousands of public servants have access to databases with information about you and me. In the Defence Department alone there are more than 10,000 staff who are certified users of the personnel-management system that held the records of all Defence staff.

But it is in agencies such as Centrelink, the Australian Taxation Office and Medicare Australia - where records on the vast majority of Australians are held - that there is the potential for abuse that could affect any one of us.

The revelation this week that 585 Centrelink staff had been sanctioned for privacy violations, that 19 had been dismissed and 92 had resigned as a result brought the issue to the public's attention.

But the Centrelink cases are not unique. Earlier this year it was revealed that the Child Support Agency had discovered 405 breaches of privacy, including 69 cases where sensitive information was given to former spouses.

In Medicare Australia, where 5400 staff are employed, over the past three years a total of 21 cases of privacy breaches, unauthorised access or fraud have been identified. Five staff were formally counselled, two demoted, eight resigned and six were terminated.

A further 13 cases are under investigation.

And in November last year an Immigration Department employee was convicted in the ACT Magistrates Court on 16 charges of unauthorised access to client records.

The agencies with the biggest potential for invasion of privacy are the tax office and the big two in the Human Services portfolio, Centrelink and Medicare.

In confirming the breaches of privacy at Centrelink, the chief executive, Jeff Whalan, presented the best possible spin, saying his organisation had boosted privacy protection. The general manager of Centrelink, Hank Jongen, was keen to emphasise that Centrelink had initiated the investigation.

But the chief executive of Civil Liberties Australia, Bill Rowlings, observed that if they had caught one or two people you would say, "OK, somebody's done the wrong thing."

But close to 600 was another matter altogether.

Whalan made the point that Centrelink has 25,000 staff and the overwhelming majority performed their duties in a highly ethical and responsible manner. But he could hardly be proud of the fact that one in 50 broke the rules.

One of the explanations for the relatively high incidence of breaches in Centrelink is that it is only in the past two years that the agency has employed spyware technology to track staff transactions and browsing. Medicare is understood to have had such systems in place for years.

The Child Support Agency breaches - relatively as high as Centrelink's - are even more disturbing, with the possibility that a leak could enable a former spouse to physically harm a former partner.

Privacy Commissioner Karen Curtis says it is unacceptable to have any breach. But it is good news that Centrelink has caught the violators.

"It is good that they've found these and they've done serious things like [having staff] demoted and dismissed," she says.

"It's really hard. You're always going to find there are some bad eggs and you have to put in place processes to stop those bad eggs."

Since taking the job as Privacy Commissioner she has been impressed with the amount of resources Centrelink has directed towards privacy. Centrelink had been monitoring operations for over a year and had warned staff that it was doing the audit.

Interest in the Commonwealth Government's protection of people's records is at a peak at present because of the proposed introduction of the smart card, or access card. Potentially the card could be issued to 17 million Australians. Some see it as an identity card, or the revival of the aborted Australia Card.

It is proposed that the card - to be introduced in phases from 2008 - will replace 17 health and social-service cards, including the Medicare card and the veterans' card.

The Government believes it will improve delivery of services to many Australians. Carriage for the card rests with the Department of Human Services, which also has responsibility for Centrelink, the Child Support Agency and Medicare.

What is not widely understood about the card is that its introduction will not mean the consolidation of the databases of the various agencies. Nor will it mean that an officer working with the unemployed in Centrelink will be able to trawl the Medicare data.

In this public-service area, everyone, it seems, is proud to proclaim that "data silos" will be maintained. (Even under present arrangements agency silos are not totally sealed. Under the strictest controls and with legislative approval, Centrelink officers can and do check information on income and tax with the tax office.)

The card will in effect provide users with a key to get into each and every agency. Rather than have a number of cards - Medicare and veterans, for example - the staff at Medicare, or at the Department of Veterans' Affairs, will recognise the access card.

The card will have standard information - the user's name, photograph, digital signature, address, and the access to benefits. To allay fears about privacy, the Government has established the Access Card Consumer and Privacy Task Force, chaired by former Australian Consumer and Competition Commission head Professor Allan Fels.

This week Fels said the Centrelink scandal highlighted why data on the card should be kept to a minimum.

He said the Centrelink revelations were disturbing but he took some comfort from the fact that the Government had caught the breaches.

An expert in the field, the former head of the access-card taskforce, James Kelaher, agrees with Fels that the minimum amount of information should be on the card. But he notes that there are some large groups, seniors, for example, who need, or may want, more information on their card. There was a trade-off. "No information detracts from the card use," he says. "Too much information creates too many problems. There's a spectrum and you've got to be down the end of the spectrum which is not very much on the card."

In her submission to the taskforce, Curtis questions whether the card has to have a photograph. She says a photograph should be printed on the card only if the individual wants it.

"A card with near-universal adult population coverage and having a printed photograph on its face would be close in appearance to a national identity card," she says.

A photograph of the face is not necessary for the card to interact with an electronic reader and for the person's identity to be established when he or she visits a government agency. Curtis wants legislation to limit the use of the card, to prevent unauthorised access or disclosure and prevent routine data matching.

Kelaher says the card is part of a whole new system.

It will replace an antiquated paper-based system with something that will be easier for people to use and easier for people to keep their own information up to date. When it was in place the system would be more secure than that used by the banks for internet banking.

Curtis distinguishes between different levels of improper activity. At the lowest level there is browsing - unacceptable but without the impact on the individual that other actions might have. Then there is getting information to use for non-sanctioned purposes.

At the highest end there are criminal acts such as altering records and fraudulent activities punishable by dismissal and charges.

Curtis notes that the culture in an organisation is an important factor in discouraging breaches of privacy. Staff had to be educated and made aware of their obligations and the limitations on their authority.

If the complaints to the Privacy Commission are a measure, Commonwealth Government activities are not a major privacy area of concern. Curtis says she receives between 1200 and 1300 complaints a year and only 10 to 13 per cent of them relate to the way Commonwealth departments and agencies operate. But complaints go to the commission only if they are not resolved internally. The relatively low number of complaints about government activity might therefore indicate that agencies are better at resolving complaints themselves.

While having staff who do the right thing is the best security, building the technology properly and putting in place systems that can track and monitor transactions increases the chances that staff will do the right thing. A year ago the audit office reported that the Defence personnel-management system, which holds the records of 100,000 people, could be accessed by 10,000 staff. Yesterday the department told The Canberra Times it was 12,000 - but insisted multiple layers of security existed to prevent open access.

At that time the system, known as PMKeyS, did not automatically log a record of those who viewed staff details. The free access could enable identity theft. This week a Defence spokesman said all PMKeyS operators were warned every time they accessed the system that they were subject to the provisions of the Privacy Act and Defence Security Protocols.

Access to personal information was controlled by profiles such as "supervisor" or "personnel officer". These profiles provided the restrictions on transaction and access. The system created audit records for transactions where data was created or changed, including identifying who did the change, the date and what was changed.

The system was independently audited in 2006 and the auditors had stated that the PMKeyS access-management system gave appropriate protection to data.

Curtis said she understood that since last year Defence had introduced better procedures to audit and monitor conduct. But to get a browsing audit trail would require a rebuild of the system. She understood Defence had undertaken to do that.

The card system has yet to be built. Keeping data in silos, giving users tight profiles and having a high-tech monitoring system will provide the basic security. But any system that can be built can be cracked. In the end, an honest staff committed to privacy is the only guarantee of security.

Centrelink breach worries Smartcard boss


August 23, 2006 - 10:19AM

Serious concerns have been raised about the federal government's planned Smartcard after more than 100 Centrelink staff lost their jobs for inappropriately accessing client records.

Labor has called for the privacy commissioner to investigate the breaches, in which 600 Centrelink staff browsed the welfare records of friends, family, neighbours and ex-lovers without authorisation.

And the man heading a privacy taskforce looking into the proposed Smartcard says he is deeply concerned by the breaches.

A total of 19 staff were sacked and 92 resigned after 790 cases of inappropriate access were uncovered.

In the most serious cases, staff members changed client details without authorisation as they spied on sensitive information.

Smartcard Privacy Taskforce head Allan Fels said the breaches highlighted why data on the proposed new card should be kept to a minimum.

The Smartcard will link welfare and other personal details of at least 17 million Australians.

"The Centrelink revelations are deeply disturbing," Prof Fels told ABC radio.

"I take some comfort from the fact that the government has caught them and punished them but there is still a huge weight now on the government to provide full proper legal and technical protection of privacy with the access card."

Prime Minister John Howard said Centrelink had dealt appropriately with employees who abused their positions of trust.

But opposition human services spokesman Kelvin Thomson said Privacy Commissioner Karen Curtis had to investigate.

Mr Thomson said the news came on top of revelations in June that the Child Support Agency had 405 privacy breaches in nine months - two of which required mothers and their children to be relocated at taxpayers' expense.

He said the breaches raised serious concerns about the Smartcard.

"The government cannot expect Australians to accept the Smartcard proposal until it satisfies them that it has resolved their legitimate privacy concerns," he said.

Centrelink spokesman Hank Jongen said five cases had been referred to the Australian Federal Police for investigation, while more than 300 staff faced salary deductions or fines, another 46 were reprimanded, and the remainder were demoted or warned.

The staff were caught using sophisticated "spyware" software monitoring access to client records.

Mr Jongen described the dragnet as a "mopping up exercise", saying the number of staff involved was small considering Centrelink handled 80 million transactions every week for more than six million customers.

"So you've got to keep these incidents in context," Mr Jongen told ABC radio.

"The overwhelming majority of our staff have not been involved in these activities.

"Often these activities have simply involved one of our staff, for example, surfing the details of family and friends or taking a peek at their neighbour's records.

"The number of serious offences that have occurred is only a small proportion of the total number."

Community and Public Sector Union deputy national president Lisa Newman said the job losses were regrettable but the union had long warned Centrelink members about the dangers of inappropriate data access.

Opposition Leader Kim Beazley said the breaches demonstrated the government's administrative incompetence.

© 2006 AAP

Police probe Centrelink fraud claim


Kate Hagan

August 23, 2006 - 2:03PM


Police have confirmed they are investigating staff at a government agency amid allegations public servants may be involved in identity fraud.

A spokesman for the Australian Federal Police confirmed it had received five referrals from Centrelink in relation to breaches of Commonwealth legislation but declined to comment further.

It is believed at least one of the cases could include the establishment of fake identities to receive payments.

"These referrals are currently being investigated . . . it is inappropriate for (us) to comment further," he said.

'Inappropriate access'

Centrelink has uncovered 790 cases of its staff's "inappropriate access" to client records — including details such as income, current relationships, and criminal records — after installing spyware to monitor staff.

A two-year investigation has caught 585 Centrelink employees accessing the private information of welfare recipients.

Centrelink workers are allocated clients' cases but are forbidden from accessing records of those outside their case load. Curiosity — or more sinister motives such as checking an ex-partner's relationship status — can lead them to do so.

Six million Australians are Centrelink clients.

Staff 'warned of consequences'

Community and Public Sector Union national secretary Stephen Jones said staff had received multiple warnings about the consequences of "browsing" via bulletins, meetings and brochures.

"The integrity and privacy of information held by the public service needs to be maintained," Mr Jones said. "People need to have faith in the public service and unfortunate incidents like this can undermine that."

Mr Jones said the union was providing advice and support to members caught up in the investigation.

Centrelink management has sanctioned 585 of its 25,000 staff for violating its code of conduct, resulting in 19 dismissals, 92 resignations, and more than 300 salary reductions or fines. Other staff were demoted, reprimanded and warned.

"Our role has been to make sure there's been a fair process," Mr Jones said.

"In a lot of cases, it is pretty clear-cut though; if someone has signed a bit of paper saying they're aware of the policy and have breached it, there's not a lot that can be done."

'Zero tolerance'

Centrelink chief executive Jeff Whalan said clients could be assured that Centrelink was committed to protecting their privacy.

"Customer records should only be accessed for business reasons and we do not tolerate staff surfing the details of family and friends or peeking at records of neighbours," Mr Whalan said.

"As a result we revamped our techniques to assist us to keep improper conduct in check, and we are committed to maintaining that process.

"The privacy of individuals' records is our major priority."

"What this demonstrates is that we exercise zero tolerance in this area," Centrelink general manager Hank Jongen told ABC Radio.

"It shows our staff that we are absolutely serious about maintaining the privacy of our customers."

theage.com.au, with AAP

ID in the News

This entry was posted by andrew on Saturday, August 26th, 2006 at 11:45 pm and is filed under Foreign Articles, (In)security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

The latest on Identity Cards and Databases in the UK

Eyeing Big Brother

Paul Malone, writing in the Canberra Times, catalogues recent abuses of personal data in government databases in Australia:

Tens of thousands of public servants have access to databases with information about you and me. In the Defence Department alone there are more than 10,000 staff who are certified users of the personnel-management system that held the records of all Defence staff.

But it is in agencies such as Centrelink, the Australian Taxation Office and Medicare Australia - where records on the vast majority of Australians are held - that there is the potential for abuse that could affect any one of us.

The revelation this week that 585 Centrelink staff had been sanctioned for privacy violations, that 19 had been dismissed and 92 had resigned as a result brought the issue to the public’s attention.

But the Centrelink cases are not unique. Earlier this year it was revealed that the Child Support Agency had discovered 405 breaches of privacy, including 69 cases where sensitive information was given to former spouses.

In Medicare Australia, where 5400 staff are employed, over the past three years a total of 21 cases of privacy breaches, unauthorised access or fraud have been identified. Five staff were formally counselled, two demoted, eight resigned and six were terminated.

A further 13 cases are under investigation.

One Response to “Eyeing Big Brother”

1. andrew Says: August 29th, 2006 at 9:10 am

The Sydney Morning Herald refers to “revelations in June that the Child Support Agency had 405 privacy breaches in nine months - two of which required mothers and their children to be relocated at taxpayers’ expense.” So it seems that the scenario in NO2ID’s “Take Jane” advertisement has actually happened in Australia:

http://www.no2id.net/downloads/TakeJane.pdf

The SMH article is here:

http://www.smh.com.au/news/NATIONAL/Centrelink-breach-worries-Smartcard-boss/2006/08/23/1156012581260.html

Centrelink puts open source commitment in writing

David Braue, ZDNet Australia

06 September 2004 12:26 PM

Centrelink is authoring a formal open-source policy document and investing heavily in open-source systems to anchor an improved identity management regime that’s hoped to help recover up to AU$50 million in losses to fraud annually, infrastructure planner David Oram told attendees at the AUUG 2004 conference in Melbourne.

The draft document, whose development has been put on hold during the six-week election period, follows on from recommendations from the CIO Council that government organisations increasingly look to open-source solutions to improve the reusability and flexibility of their information solutions. Formalising a policy favouring open source within Centrelink will make the organisation a crucial ally in the open source community’s efforts to raise their profile within government organisations.

Centrelink has relied on Linux and open-source tools for years, with the MRTG (Multi Router Traffic Grapher) network monitoring tool the "first of many" major production open source tools to go live within Centrelink.

Centrelink’s open source commitment will be progressively extended as other projects seek to squeeze costs out of Centrelink’s monstrous IT budget. A migration of Centrelink’s Lotus Domino environment to Linux is on the cards, as is a midrange server refresh that’s hoped to shave AU$17 million in operating costs by moving applications from over 1700 Windows, NetWare and Solaris servers to virtual machines hosted on IBM zSeries mainframe-class servers running SuSE Linux Enterprise Server 8.

These machines have been acquired as part of an open source partnership with IBM that’s seen Centrelink install nearly AU$1 million of hardware specifically for Linux-based services. "We have every conceivable database and four operating systems, and would like to simplify" the environment, Oram said. "Today we’re starting with a small project and making everyone feel comfortable [with open source], but the idea is to expand rapidly".

Identity management is a key part of Centrelink’s expansion into the world of Linux and open source. Novell’s eDirectory, for example, already helps manage and track the access of Centrelink’s 24,500 employees, and will increasingly be leveraged to support changes to Centrelink’s identity management policies relating to the organisation’s 6.3 million customers.

Current 100-point identification requirements for the Safety Net program, for example, mean pensioners must front up to Centrelink offices for confirmation of their eligibility for discounts. An expanded identity management core, however, would let utility companies, for example, verify pensioner discount eligibility using an online service. This would save customers the bother of an additional trip to Centrelink – and save Centrelink the cost of handling the enquiry.

"That’s one less face-to-face transaction for us," Oram explained. "We are trying to improve our operations by shifting a number of things to electronic services, and it’s all around identity. There is a whole range of things we need to know, and if it means up to AU$50 million of money doesn’t get misappropriated, that’s the sort of money Centrelink is willing to spend to ensure we have good identity mechanisms".

Centrelink has requested information from my organisation about an individual ...

Question: Centrelink has requested information from my organisation about an individual. Will I breach the Privacy Act if I give out this information?

Answer: If Centrelink sends you a formal, written notice requesting certain information, and the notice states that you are required to provide the information by law (the law should be named in the notice), then you will need to comply. You will not breach the Privacy Act by providing the information.

Explanation: The Privacy Act 1988 limits when you can disclose personal information that you hold about an individual. Generally, you can only disclose personal information for the purpose for which it was originally collected, or for a closely related purpose that the person would reasonably expect.

There are, however, some exceptions to this general rule, including where a disclosure is required or authorised by or under law (NPP 2.1(g)). This means:

• Required by law: where a law explicitly states that (if asked) you must give certain information to a government department or authority, then you must comply with the request and you will not breach the Privacy Act by doing so;

• Authorised by law: where a law says that you may give out certain personal information, then you can make a decision about whether or not to disclose it. If you decide to disclose the information, you will not breach the Privacy Act.

Centrelink, acting under the Social Security (Administration) Act 1999, has the power to require information from others in the course of determining certain matters, including social security payments and the issue of concession cards. Sections 192 to 197 of the Social Security (Administration) Act set out Centrelink's powers to require this information. They also set out the legal obligations relating to a notice requiring information, and the penalty for not complying with such a notice.

Requirements to disclose information may arise from time to time with other Commonwealth or State/Territory agencies or authorities. Again, where a law is specified in a formal, written notice and it requires you to disclose information, you will need to do so.

If you are unsure whether a requested disclosure is required by law, it is very important that you speak with the department or authority that is seeking the information from you. They must be able to explain to you which law requires you to meet their request.

For more information on how the NPPs apply in the private sector, see the Guidelines to the National Privacy Principles. The advice in the guidelines is generic, but offers some guidance about how to comply with the principles.

Here you can find the full text of the Privacy Act 1988.

Centrelink plans high-tech welfare cheat hunt

Posted Wed Mar 24, 2004 11:53am AEDT

Centrelink has joined with the country's financial intelligence agency to use high-tech methods to hunt out professional welfare cheats.

Information from Centrelink and the financial intelligence agency AUSTRAC will be cross-referenced to find welfare recipients who also deal with large sums of money.

It will detect professional welfare cheats and crime syndicates using fake identities to fund illegal operations.

The Minister responsible for Centrelink, Larry Anthony, says the new approach sends a clear message to criminals.

"We're able to link into bank accounts or offshore transactions, then we're in a much better position not only to detect but to deter," Mr Anthony said.

The new strategy will target large payments as well as smaller but regular payments.

It is expected to stop about $5 million of illegal welfare a year.