The federal government appears to believe that it has only exposed sensitive, personal data when somebody points it out.
It's the only explanation for its attempt to rush through legislation that will make it illegal to reveal that government agencies have breached individual privacy by publishing poorly de-identified datasets on the public web.
In August this year, the Department of Health published a large research dataset containing Medicare and PBS claim data online.
The dataset contained a billion lines of data relating to three million Australians, and it was supposed to have been ‘de-identified’ in order to protect individuals from having their personal health data exposed to the world.
The trouble is, it wasn’t.
Dr Vanessa Teague of the University of Melbourne and her colleagues were able to determine the unique service provider ID of individual doctors from a mere ten percent of the published data.
The department then hastily removed the dataset from the site, but not before many people had a chance to download the data, myself included.
A bill introduced by the government mere days after the bungle was made public seeks to make it illegal to re-identify datasets like this.
It doesn't try to stop poorly de-identified datasets being published in the first place - just noticing that they can be re-identified.
Parading down the street clad only in what some poorly informed mandarins assured him are the latest in privacy protecting garments, Attorney-General George Brandis seems terribly concerned that someone might point out that, as he suspects, they are not actually protecting his privacy much at all.
How very dare they.
His department's own submission to the senate committee scrutinising the bill admits that de-identification is not without risk, because it's not possible to provide an absolute guarantee that de-identified information could never be re-identified.
It points out that technological advances mean de-identification methods that were once sufficient may not be enough to prevent re-identification in the future.
Despite this, the government seems to think that its legislation is a kind of magic spell that stops technology from working.
As some readers may be aware, the internet is available in places other than Australia. Places that are not subject to Australian law, and that contain people who - like Dr Teague - are capable of re-identifying datasets.
But the legislation does nothing to stop people outside of the country from re-identifying information and publishing it. It doesn’t prevent people from re-identifying information and keeping the knowledge a secret, to use for their own, possibly nefarious, purposes.
The AGD also admits that once personal data has been publicly re-identified, the damage is already done.
And yet nothing in its bill seeks to prevent the government from publishing poorly de-identified information in the first place.
Instead, the AGD relies on the existing Australian Privacy Principles (APPs) contained in the Privacy Act, arguing that agencies that fail to implement robust de-identification processes risk breaching the APPs.
Rather than do the hard work of protecting citizens' privacy, the government is attempting to protect itself by passing legislation that will reduce the chance of anyone publicly calling it out when it gets it wrong.
By its own admission, the government is well aware of the risk to individuals, and the permanent harm they can suffer, when their private information is published without their consent or knowledge.
And yet in response, it chooses to penalise not those who released the badly anonymised data in the first place, but those who notice.
An Attorney-General ashamed of his own nakedness wants to make criminals of those who dare to point out that he is wearing no clothes.
