The sensitive health data of nearly 30,000 ACT public servants has remained publicly accessible for more than three years in a privacy breach experts have described as "extremely concerning".
A spreadsheet containing the details of thousands of workers' compensation claims between 1989 and 2018 was uploaded to the territory government's tender site in 2018 and remained there until the government was notified this week, The Canberra Times can reveal.
While the names and birthdates of workers were removed in an effort to de-identify the data, it contains intimate details of their claims, including the injury date and type, location on the body and the financial compensation received.
The spreadsheet, which covers the period since self-government, also includes the person's birth year and gender as well as occupation details, including the directorate they were employed in and their job title.
The Canberra Times has been able to identify individuals from the data contained in the spreadsheet and people familiar with the workers' compensation system in the ACT said they could also easily link information to individuals they knew or had worked with.
The spreadsheet was uploaded as part of information provided to tenderers vying for a contract to manage workers' compensation claims on behalf of the government, following requests for more information by potential suppliers.
The ACT government has defended the release of the information. A spokesperson said it was the government's view that no personal health information had been released.
"In view of the concerns raised today, the ACT will initiate a review to determine whether the spreadsheet inappropriately included private or medical information and will act accordingly," the spokesperson said on Wednesday.
The spokesman said redacted workers' compensation claim data was periodically released, including in response to freedom of information requests, questions in the Legislative Assembly or to consultative industry forums.
"The spreadsheet was heavily redacted prior to release for the purposes of preventing the identity of workers' compensation claimants to be determined ... The tender in question was approved for release by the then head of ACT Treasury, on advice from workers' compensation and procurement officials and the government procurement board," they said.
The spreadsheet was downloaded 110 times, and was required to provide tenderers with the detail of the claims they would manage if awarded the contract, the spokesperson said.
Long-serving public servant Mary, who chose to not be identified for fear of reprisal, said she felt let down by the government for which she worked.
"An apology would be nice and an acknowledgement that they've gone and done this," she said.
"The workers' compensation [claim process] is stressful as it is, and this adds another layer on top knowing this data set is out there.
"They need to acknowledge that they've caused undue stress to their own staff in doing this."
But experts and advocates have warned the breach demonstrated a shortfall in understanding about the importance of personal data, particularly sensitive health data.
Canberra-based law firm Elringtons, which has a number of current and former clients who have been through the workers' compensation process, said it was already "extremely intrusive" and an "enormous invasion of privacy" for claimants.
Firm lawyer Tom Maling said workers were forced to trust that the information would be kept secure and only for the purpose of helping them to recover.
"The disclosure of this type of sensitive information for a purpose other than helping them recover will be extremely concerning to workers who are impacted, as it represents a significant breach of trust," he said.
"It is often a long and difficult road for injured workers to recover from their injuries, and this is often made harder by the claims management process and stigma associated with work injuries.
"Many of my clients will feel the breach just adds further insult on injury."
It comes more than a year after the territory's auditor-general slammed the ACT government for not understanding the risks and requirements of securing sensitive data, adding it was "not well placed" to respond to data breaches.
The government responded in August last year, saying it was a key focus to strengthen data security arrangements and "respond effectively to data security incidents".
Australian Privacy Foundation vice-chair and University of Canberra legal expert Bruce Baer Arnold has called for a rigorous independent review, following the major data breach.
"The government now should be making a major commitment right across the ACT public sector to make sure that nothing like this ever happens again," he said.
"Because once the data is out there, it's not coming back."