An audit of WA Health’s system for protecting sensitive information about patient’s private and sensitive information relating to the COVID pandemic has found it to be loose and lacking and not in control.
In her report COVID-19 Contact Tracing System – Application Audit Auditor General Caroline Spencer said the agency’s information contained some of the most sensitive and consequential data the health system had collected over the past two years.
Ms Spencer said that in doing this, WA Health’s Public Health COVID-19 Unified System (PHOCUS) collated highly sensitive personal and medical information of affected positive individuals and their close and casual contacts from multiple sources for contact tracing purposes.
“I expected to find robust access controls for this system given the sensitive nature of information it contains and the consequences to people’s privacy, freedom of movement and public health measures,” Ms Spencer said.
“However, our audit found a number of significant weaknesses.”
The Auditor General said she was concerned that the security and privacy of peoples’ highly sensitive medical and personal information had not been protected to the extent the community has a right to expect.
“WA Health does not adequately log and monitor who has accessed information to detect inappropriate changes or snooping, and has provided an external vendor with inappropriate access to personal and medical information,” she said.
“In the absence of comprehensive privacy legislation in our State, WA Health must ensure their privacy practices protect the confidentiality of information stored in PHOCUS and are consistent with the Commonwealth Privacy Act 1988.”
She said similar concerns had been raised in her SafeWA –Application Audit report.
The Auditor General made four recommendations, including that WA Health protect the confidentiality, integrity and availability of people’s’ personal and medical information as well as improve its data quality processes.
Ms Spencer’s 18-page Report can be accessed at this PS News link and the Audit Team was Aloha Morrissey, Kamran Aslam, Michael Chumak, Paul Tilbrook, Jacqueline Richards and Karen Telford.
