NSW government mulls HIV-status database
Can barely build a system, let alone secure it
A state with a poor record for protecting private data, in a country that has no mandatory breach disclosure, wants to add names to a health database containing peoples' HIV status: what could possibly go wrong?
The NSW state government is currently considering a regulatory report suggesting the change. The NSW Health discussion paper describes the de-identification of HIV patient records in the state's database of notifiable diseases as an anachronism.
Unsurprisingly, gay activists are furious, and I'm inclined to agree with them.
For example: it's five days since the NSW TrainLink Website was compromised and customer data stolen. In that time, only the bare minimum of information has been released, and at the time of writing the state's transport body hasn't been able to get the booking system back online.
The same state government is overseeing a train-wreck IT implementation in its education department, and there's a police culture of misusing data access. Most recently, a magistrate slapped down an “assault police” charge and awarded all costs to the accused, because the police demanded her telephone and (as Fairfax reports) deleted photographs of an officer groping her breasts.
The state's auditor-general isn't happy with state government IT security in critical infrastructure, and worryingly for the body that reviews security, its own clue falls between a gram and a teaspoonful.
The gay community's concern is that discrimination on the basis of someone's HIV status still exists in Australia, no matter what the health department believes.
As it's put in the Sydney Star Observer:
“Those who have been failed by the state are more likely to be suspicious of it, and to be handed to the same state as a named and observed individual will lead to a reduction in testing rates and ultimately do the opposite of what this new measure is attempting – retention of PLHIV [ed: people living with HIV] in care.”
Vulture South would add that with the combined risk of a breach or malicious access, the idea should be abandoned.
A final point: the PDF of the report is dated April, and submissions close tomorrow. As you will see in the image below, NSW Health somehow neglected to issue a media release soliciting submissions.
Poor form. ®