17 March 2008

How private is our personal information?

According to the ‘beeb, hospital staff in Los Angeles are likely to be sacked for looking at Britney Spears’ hospital records. This isn’t terribly surprising to me (either that they looked, or are subsequently being sacked for doing so), but it does bring up an interesting point about the privacy of things like medical records, and who has access to them.

In Victoria over the past couple of years there were a number of cases where police were alleged to have improperly accessed records about people for matters unrelated to a police investigation. This sort of access is different to something like a criminal history check (which you might authorise your employer to have access to). The police databases contain information about every encounter you have with police, whether as a suspect or a complainant, regardless of whether you are charged. As far as I’m aware, they’re never purged, and they’re not always accurate. Such files may contain a lot of incriminating information — stuff that you wouldn’t necessarily want an enemy to have access to. But there was a suggestion, for a while, that if your enemies had mates ‘on the job’, they may have access to some of this information.

To their credit, the police are aware of the sensitivity of their data. The systems require a login to access any information, and some require the user to state why they are accessing it before any data can be retrieved. I don’t know how often access is audited, but it’s certainly pretty trivial for them to do. So only a pretty dumb copper is going to access this information and think they can easily get away with it.

Access to hospital data, on the other hand, is probably not as tightly regulated for internal staff. I don’t know anything really about medical data systems, so I don’t know what sort of access rules they have. But I wouldn’t be surprised, for example, if a doctor who had never treated you could easily read your computer file and find out you had been treated for an STD. Evidently, in the Spears case, something like this had happened (the article mentions that none of the staff who were disciplined were doctors, so evidently it wasn’t just doctors who had unfettered access to the information).

I once worked in a place where we had access to similar medical files, and although you needed a password to get into the system, once you were in you could read pretty much anything. At one point information of the sort we had access to about some famous person made it into the media, and we all received a very stern email from the boss about our ethical responsibilities (it turns out that it wasn’t us who had leaked — it was the police!). I’m not aware of any misuses of this information, but the way the system was set up, it would have been pretty easy. And it should have been difficult, if not impossible.
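The controls the post contrasts above (a login, a stated reason before any data is returned, an audit trail that can be checked, versus "once you were in you could read pretty much anything") can be sketched in a few dozen lines. The following is an added illustration, not code from the post or from any real hospital or police system; the gateway class, the treatment-relationship check, the "break-glass" emergency path and the audit queries are all my own constructions, and the patients and staff in the usage section are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    """One line of the audit trail: who tried to read what, why, and the result."""
    when: str
    staff_id: str
    patient_id: str
    purpose: str
    outcome: str  # "allowed", "break-glass" or "denied"


class RecordsGateway:
    """Mediates every read of a patient record (hypothetical design).

    A read is returned only if the caller is logged in under an individual
    account, states a purpose, and either has a recorded treatment
    relationship with the patient or invokes emergency 'break-glass' access,
    which is granted but flagged for later review. Every attempt, granted or
    not, is appended to the audit trail.
    """

    def __init__(self, records, treatment_relationships):
        self._records = dict(records)                       # patient_id -> record
        self._relationships = set(treatment_relationships)  # (staff_id, patient_id)
        self._logged_in = set()
        self.audit = []

    def login(self, staff_id):
        # Stand-in for real authentication: one account per person, never a shared one.
        self._logged_in.add(staff_id)

    def read(self, staff_id, patient_id, purpose, break_glass=False):
        if staff_id not in self._logged_in:
            return self._log(staff_id, patient_id, purpose, "denied")
        if not purpose.strip():  # no stated reason, no data
            return self._log(staff_id, patient_id, purpose, "denied")
        if (staff_id, patient_id) in self._relationships:
            outcome = "allowed"
        elif break_glass:
            outcome = "break-glass"
        else:
            return self._log(staff_id, patient_id, purpose, "denied")
        self._log(staff_id, patient_id, purpose, outcome)
        return self._records.get(patient_id)

    def _log(self, staff_id, patient_id, purpose, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AccessEvent(stamp, staff_id, patient_id, purpose, outcome))
        return None


def flagged_events(audit):
    """Entries a reviewer should look at: denied attempts and break-glass reads."""
    return [e for e in audit if e.outcome != "allowed"]


def patients_with_unusual_interest(audit, max_distinct_readers):
    """Patients whose chart was read by more distinct staff than expected.

    A sudden crowd of readers on one chart is the pattern behind the incident
    the post describes, and it is visible only because every read is logged.
    """
    readers = defaultdict(set)
    for e in audit:
        if e.outcome != "denied":
            readers[e.patient_id].add(e.staff_id)
    return sorted(p for p, s in readers.items() if len(s) > max_distinct_readers)


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    gw = RecordsGateway(
        {"patient-1": {"note": "routine follow-up"}, "patient-2": {"note": "admitted overnight"}},
        {("dr-a", "patient-1")},
    )
    for staff in ("dr-a", "clerk-b", "clerk-c"):
        gw.login(staff)
    gw.read("dr-a", "patient-1", "follow-up appointment")
    gw.read("clerk-b", "patient-1", "curious")                         # denied: no relationship
    gw.read("clerk-b", "patient-2", "emergency cover", break_glass=True)
    gw.read("clerk-c", "patient-2", "emergency cover", break_glass=True)
    for event in flagged_events(gw.audit):
        print(event)
    print("unusual interest:", patients_with_unusual_interest(gw.audit, 1))
```

The point of the design is that the gateway, not the user's good conduct, decides what is returned, and that the audit trail is written even for refused attempts, so the "pretty trivial" audit the post mentions is possible at all. A shared username and password would defeat it entirely, because every line would name the same person.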

I’m sure that under the federal privacy legislation there are all sorts of guidelines and penalties for organisations leaking information. Whenever I call my insurance agency or bank I have to give them pretty much my entire life story so they can determine it is, in fact, me. But I suspect that the internal safeguards on the information are significantly weaker. And I suspect that the first time we’ll find out about the failure of these safeguards is when someone misuses the information.

This news report states that it’s not the first time the hospital in question has had issues with staff inappropriately accessing data.

“We feel horrible that it happened again,” Simpson said, adding that UCLA treats celebrities “all the time and you never hear about this”.

This suggests that there was not just a failure of the professionalism of the staff, but that there is a fundamental flaw with the way in which the data is stored and accessed. It’s the processes which aren’t up to the task of keeping the data safe. It also suggests that they haven’t learned from previous incidents and improved those processes.

One can only hope our local institutions would do better.

1 comment:

Dave Bath said...

I /have/ been involved in managing medical data IT systems. In general, the maturity scores for management of medical data by IT are MUCH better than the management of data by banks, government and general business (from various surveys by ISACA).

That's not to say that passwords are used appropriately in hospitals to access medical records (too commonly there is one username/password combo that everyone knows).

BTW: The appropriate technical standard for discovery of and access to medical records is COAS (Clinical Observations Access Service) from the OMG Healthcare Domain Task Force.