PDF redaction is hard, NSW Medical Council finds out - the hard way
Actually, it's easy, you just have to pay attention
Australian public sector agencies have a persistent problem trying to redact PDFs: this time, the guilty party is the Medical Council of NSW.
The council breached the privacy of a doctor and her son, the Medical Tribunal found earlier this month, because it mishandled the redaction of their names from a PDF it published on its website.
The document in question was the final decision of the Medical Council relating to hearings and appeals over a doctor's registration, for which the doctor was granted a non-publication order.
Instead of completely removing the names from the document, as this decision explains, someone in the Medical Council drew a black square over the names – which anybody adept with PDF documents will know leaves the names intact.
The names in the document then got indexed by Google, so as well as deleting the document from its own site, the Medical Council's legal director Miranda St Hill had to work through the business of getting the Chocolate Factory to de-index the names.
“Ms St Hill explained that the method used to "redact" the Applicant's name merely placed an opaque "block" over the top of the “redacted” words. While this prevented the human eye from reading the Applicant’s name, it allowed, as was later discovered, Google webcrawlers (also called "Googlebots") to read this information and to link the publication to a search of "Dr [AIN]" (and similar).
“In summary, Ms St Hill’s evidence, in explaining Google searches, was that while there was no identifying information on the face of the decision on the Respondent’s website (such information having been redacted), the fact that a Google search of the Applicant's name resulted in a link to the decision meant it could readily be inferred that the decision related to her.”
The Register hopes that somewhere, a sysadmin at the Medical Council or Internetrix, which hosts its site, is checking other redacted decisions to make sure they're not breaching anyone's privacy.
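A pre-publication check for the failure described above, as an added example (not code from the Medical Council, the tribunal decision or The Register): it pulls the text operators out of a PDF's content streams and reports any supposedly redacted term that is still there, whatever is painted over it. The sample PDF and the name "Jane Example" are constructed, and the extractor assumes literal-string text in uncompressed or FlateDecode streams.

```python
import re
import zlib

def build_sample_pdf(compress: bool = True) -> bytes:
    """Constructed one-page PDF: a name is drawn, then covered by a black box."""
    content = (b"BT /F1 12 Tf 72 700 Td (Decision concerning ) Tj "
               b"[(Dr J) -15 (ane Exam) 10 (ple)] TJ ET\n"
               b"0 g 190 695 110 16 re f\n")  # opaque rectangle painted over the name
    filt = b""
    if compress:
        content, filt = zlib.compress(content), b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(content), filt, content),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"

STREAM_RE = re.compile(rb"obj((?:(?!endobj).)*?)stream\r?\n(.*?)endstream", re.S)
STRING_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")  # PDF literal string: (...)

def extract_text(pdf: bytes) -> str:
    """Text shown by Tj/TJ in every stream, regardless of later drawing operations."""
    chunks = []
    for head, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in head:
            try:  # decompressobj tolerates the EOL left before 'endstream'
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue
        for block in re.findall(rb"BT\s(.*?)\sET", body, re.S):
            # Join the pieces of a TJ array so kerning splits do not hide a name.
            parts = STRING_RE.findall(block)
            chunks.append(b"".join(re.sub(rb"\\([()\\])", rb"\1", p) for p in parts))
    return b"\n".join(chunks).decode("latin-1")

def leaked_terms(pdf: bytes, terms: list[str]) -> list[str]:
    """Return the terms that were meant to be redacted but are still extractable."""
    text = re.sub(r"\s+", " ", extract_text(pdf)).lower()
    return [t for t in terms if re.sub(r"\s+", " ", t).lower() in text]

if __name__ == "__main__":
    print(leaked_terms(build_sample_pdf(), ["Jane Example", "John Other"]))
```

An empty result from this check covers only the text encodings it parses; hex strings, CID fonts, metadata and embedded files need a full PDF text extractor before a document is cleared for publication.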
The Medical Tribunal has the case set down for hearings in April about remedies.
A couple of years ago, the former Department of Immigration – reshaped into the quasi-military Border Force, complete with a bigger budget for medals than the country's army, navy and air force put together – mishandled data redaction and published 10,000 refugees' names and addresses. ®