Why data retention scares me: reason #32

Sep 08

Identities have been changed to protect the innocent. This story came to me from an IT worker (let’s call her Jane) who worked on a database project in the public service some years ago. As is wont to happen in the public service, her project morphed from a set of very clearly defined deliverables into a completely different project, largely driven by political considerations.

While working on this project, she was unnerved one day when she came across her partner’s name in one of the database records. She had that cold, clammy “oh no what have I done?” response after assuming she must’ve added a “dummy” record into the system for testing purposes, and forgot to remove it. But she also had no memory of doing it either.

Trying to jog her memory as to why and when she’d entered that record, she read on. And, based on the details, realised that it wasn’t a dummy record at all; her partner was indeed on the system.

A few years prior, her partner (let’s call him Peter) had made an appointment with his GP to confide that he was starting to be concerned about how well he was (or wasn’t) coping with the recent addition to his family – Peter and Jane had both been going through a toughish patch as new parents. The GP gave him the phone number of a helpline, which he called from his home soon after. The record Jane stumbled on in the database was the record of that phone call, from a time in their lives from which they’d both moved on.

As far as Peter knew, he was calling a “helpline”. He had (until Jane told him) no idea that as a result of that phone call, he had a mental health record with the health department.

Jane’s work included overseeing the movement of that data into a new repository. The Personal Information Protection Act had just come into play, and accordingly Jane took the opportunity to raise the issue with her superiors: here was a case-in-point of the existence of a mental health record regarding someone who didn’t know the record even existed (let alone the other protections conferred by the Act, such as the person’s right to refuse to have a record made, to have the purpose of the record explained, to review the record and to correct it).  Apparently it caused a bit of a flap, but only temporarily – to this day Peter has never been officially advised of the existence of that record nor of his right to access it.

The postscript to the story was equally troubling. A week after Jane’s employment contract expired, i.e. when she was no longer in the public service, she was still able to access that record. No-one within the health department had remembered to revoke her access rights to the system – she was able to access the department’s network, and the database in question. To make a point, she made an appointment with senior management, and took in a copy of the record that she’d made that morning.

That’s apparently the kind of information protection and management we can expect for potentially sensitive, government-managed health data, bound by recently introduced rights-based legislation. And yet the government thinks we should have no qualms about the wholesale retention of everything we do online by third party entities which exist to make money by facilitating communication over global networks.



  1. McJules /

    About four years ago when I last went to a doctor I was really concerned about the computer on his desk and asked him some Qs as to the security he used for it. To my view he used nothing special, which I supposed would have been good enough for anyone who wasn’t a sceptic but, I decided then and there that If I needed treatment for anything that I didn’t want the world to know about I wouldn’t go to the doctor.
    I would have felt more assured about the security of his computer records if he used two machines ie. one always offline for his patient database and their treatment records and the second online for drug info and any other online knowledge items he required. Computers are so inexpensive now that two machines wouldn’t be such a drama. Patient information really is is confidential Just as it was in the handwritten card days.

    • Marshall /

      Hi McJules,

      Thanks for the comment. Assuming you’re in Australia, and your doctor worked as part of a medical practice, it’s more than likely that your records were not on his computer at all, but rather on a server in the practice, or even externally hosted.

      Software developers are typically very responsive to their clients’ security demands, especially in the health-care arena, and this is probably more apparent in the private sector than in the public sector. There are a few ‘big players’ on the GP software front in this country and most of them are well established (at least that was situation when I was last involved) and took security relatively seriously. The story above is an example of the worst types of things that can happen when a government department receives inadequate funding, makes IT decisions for political reasons, and has a splintered approach to IT management – there are just too many opportunities for things to fall between the gaps.

      That said, a lot of security is designed to prevent simple ‘attacks’ or to protect against procedural oversights, rather than preventing targeted and genuinely sophisticated attacks; I have little doubt that the far greater majority of the information we consider to be private, wherever it lives, is in fact wide open to exploitation if anyone cared to do so and had the time/money to invest to do it. For a really chilling example of just how far things can go, check out this article.