Qld Justice accidentally discloses sensitive data
Posted by Karen Cowan, on 5 Nov 2013, in IT Magazine.
Originally published: http://www.itnews.com.au/News/362941,qld-justice-accidentally-discloses-sensitive-data.aspx
Second law enforcement agency caught out by metadata.
Queensland’s Department of Justice and Attorney General (DJAG) has pulled nearly 15,000 items of metadata out of the public domain after they were discovered to contain sensitive information.
The metadata, which was publicly viewable prior to April this year, includes the names of people who have come into contact with the agency as well as investigations before the courts.
It described thousands of confidential files to be held on the department’s behalf by the Queensland State Archives until a predetermined period of secrecy has lapsed.
An agency-by-agency review of the QSA index tabled in parliament this week shows that while the records themselves remain under wraps, their descriptive titles expose a worrying level of detail about the individuals and investigations contained within.
In the course of reviewing the public index of its own 80,556 confidential records, DJAG discovered 14,850 item descriptions which contained “the names of individuals” or which “relate to recent and confidential matters”, according to the review.
DJAG refused to provide any more detail about the nature of the metadata and declined to comment on whether it held concerns about the welfare of anyone mentioned in the listings.
The QSA stated in the tabled report that “through the review process, no specific concerns regarding the release of ‘inappropriate’ metadata have been raised by agencies”.
Every agency with closed files listed in the QSA stores has been asked to comb through the associated metadata to make sure it can’t be interpreted or correlated into meaningful data. The tabled documents show that, so far, the vast majority of agencies have opted to reinstate listings in full.
A handful of agencies, including the DJAG, have redacted some of the previously available listings.
The Queensland Police withdrew 183 items of an undisclosed nature, the Department of Natural Resources and Mines withdrew information on a series of mine incidents, and the Department of Premier and Cabinet pulled several listings with descriptions containing the names of former employees.
Queensland parliament’s crime and misconduct committee demanded the review in April following revelations that “untested” and “scandalous” allegations against high profile Queenslanders were inadvertently made public when the Crime and Misconduct Commission gave a cache of secret files and associated metadata related to the 1980s Fitzgerald Inquiry to the QSA in 2012.
The committee said it was “shocked” the information had made it through both the CMC and QSA’s normal procedures and onto the public index without anyone sounding the alarm.
“Even a cursory glance at the information which can be gleaned from this descriptive data provides enough detail about the sensitive content of some documents to raise a reasonable suspicion that a mistake has been made,” the report stated.
Adhering to a request from the Minister for Science, IT, Innovation and the Arts, the QSA has now reversed its stance on publishing by default.
“In contrast to the practice of the past several decades of releasing the metadata unless instructed otherwise, QSA now requires agencies to explicitly authorise whether or not the metadata for closed records is to be released in the public catalogue,” it said in the progress report.
But the QSA maintains that assessing the suitability of metadata for release is the responsibility of agencies, and that it had no statutory obligation to offer them guidance on this matter.