Medicare scare just tip of the data iceberg

Our social services are organised by massive databases. Health, welfare, education and the pension all require reams of information about identity, social needs, eligibility, and entitlement. Our infrastructure is managed by massive databases holding information about traffic flows, public transport usage, communications networks and population flows. Our security is maintained by complex information systems managing defence assets, intelligence data, and capabilities and deployment information.

We should be thinking about these enormous data holdings when we read the news that thieves have been selling Medicare numbers linked to identities on the “dark web” – a mostly untraceable anonymous corner of the internet.

That last detail is what has made this such a scandal for the government, as Human Services Minister Alan Tudge and the AFP have scrambled to identify the systems’ weaknesses. But the fact that the Medicare numbers are being sold is the only thing that makes this an unusual data security breach. Australian government databases are constantly being accessed by people who are not authorised to do so.

Here's just a taste. Last year, the Queensland Crime and Corruption Commission revealed it had laid 81 criminal charges and 11 disciplinary recommendations in the space of 12 months for unauthorised access to confidential information by police. The Victorian government's police database was wrongly accessed 214 times between 2008 and 2013, by “hundreds” of officers. Earlier this year, 12 staff were fired from the Australian Taxation Office for accessing tax data on celebrities and people they knew.

We could go on. These of course are the instances we know about because they have been detected and reported on. There are undoubtedly others.

Governments manage a lot of data because we ask them to do a lot, and to do what they do well. They run thousands of complex systems. Many of these systems have been jerry-rigged and adapted from earlier systems, a series of politicised, over-budget and under-delivering IT projects stacked on top of each other over decades.

But these repeated episodes of unauthorised access show that these complex systems are in dire need of reform. It is clear that the “permission” structures on these government databases are deeply broken.

In the debate over mandatory data retention one of the big questions was whether law enforcement and regulatory agencies should have to obtain a warrant before accessing stored data. In the end the government decided no warrant was necessary – because warrants could only slow down investigations. This is exactly the sort of loose permission structure that leads to abuse. Last week's Medicare breach has been made possible because thousands and thousands of people – bureaucrats, health professionals, and so on – can access the Medicare database. 

Rather than leaving data access up to the discretion of thousands of people, we need stricter codified rules on data access. Government databases need to be restructured to prevent, not simply penalise, employees from going on fishing expeditions.

In the past, economic reform was targeted at big sectors like banking, telecommunications, and trade. As Australian governments evolve inevitably into complex information brokers, the next wave of reform will have to focus on data management.

Chris Berg is a postdoctoral fellow at RMIT University and Senior Fellow at the Institute of Public Affairs.