Telstra grilled over security of cancer register data

Telstra fronted a senate committee today to defend its ability to protect a database of highly sensitive medical details under the incoming national cancer screening register, agreeing to adhere to new data breach disclosure rules if required.

The telco won a five-year, $178 million contract to build and maintain the country's new cancer screening register in May this year.

The register will record the cancer screening results for 11 million Australian patients, replacing nine existing systems to provide a single record for each individual. It will interact with My Health Records, Medicare and private health providers.

But the government has come under fire for awarding the contract to operate the sensitive register to a private sector body instead of a not-for-profit or public sector agency.

Labor and the Greens earlier this month combined forces to send legislation that would enable the register to a senate committtee for scrutiny.

The parties want to amend the proposed law to exclude the ability for the register to be operated by a for-profit business.

In its first hearings today, four Telstra Health executives appeared before the committee in an effort to allay concerns about potential disclosure or misuse of the sensitive citizen data.

The executives argued Telstra was not intending to do anything with the data "beyond what we're allowed to do" in the contract, pointing out it is subject to the Privacy Act as well as the Australia government protective security policy framework (PSPF), constant assessments, and "around the clock" audits.

The telco's contract requires it to store the patient data in Australia. Control of permitted uses and disclosures of the data contained in the register lies with the federal government.

"[The PSPF] includes, among other things, ISM certification, which has 1500 different controls that we have to pass. We can't operate the register without that, and there is an independent assessment of that overseen by the Australian Signals Directorate," Telstra Health managing director Shane Solomon said.

"What we are required to do is exactly the same as any other public sector and not-for-profit that stores and manages and transmits patient data."

The telco is also obligated under the Privacy Act to notify the Department of Health in the event of a data breach.

However, Privacy Commissioner Timothy Pilgrim has proposed that new requirements be made specifically for this case to include notification to both himself and affected individuals.

The federal government is currently preparing to introduce mandatory data breach legislation that would apply such requirements to all Australian organisations currently governed by the Privacy Act.

Telstra Health said it would have no issue extending its notification requirements to Pilgrim and affected individuals, but pointed out that its contract states it can only do so if directed to by its client, the Department of Health.

"Part of the contract is we're not permitted independently to make public statements without referring back to the Commonwealth. So if that's a provision put on us philosophically we have no problem with it, but we are bound by the contract," Solomon said.

"We don't own the data, and so we can't do whatever we like. We would need their authorisation to notify individuals.

"[However] our general approach is we are passionate about privacy and security and we will comply with whatever [is required]. It's not in our interest obviously for there to be a privacy or security breach."

The senate committee inquiry is scheduled to report back by October 11.

Telstra warned that any delay to the legislation passing before October 30 would threaten its ability to meet its stipulated 1 May 2017 system go-live.