The federal Health department has no plan outlining how its supplier Telstra will manage the privacy and security of the new national cancer screening register, one year on from the contract being signed, the national auditor has found.
The Australian National Audit Office undertook an audit into Health's procurement of services for the operation of the register, which was last May awarded to Telstra for $220 million over five years.
It found that while Health had broadly complied with its obligations under Commonwealth and internal department procurement rules, additional costs as well as security and privacy concerns have resulted from key objectives not being met.
The department revealed in February that the register would not go live as planned in March, and was more likely to become operational in December due to a complex data migration process.
The ANAO today revealed this missed deadline - attributed to the "complexity of assimilating and migrating data from eight state and territory cancer registers into one register" - had resulted in extra costs for the Health department.
It has been forced to pay pathology providers an extra $16.5 million to continue providing pap smear testing until the new human papillomavirus (HPV) test for cervical cancer - which the new register will facilitate - can begin, the audit office reported.
The savings the national cancer screening register was meant to provide will therefore "be delayed", the ANAO wrote.
"Ongoing monitoring of progress and strong proactive management of the contract will be required if value for money is to be achieved in the establishment of the [register]," it said.
However, more concerningly, the audit office found that - a year after the contract between Health and Telstra was signed - the department still has no official documents outlining how data and privacy issues will be managed.
The $220 million contract required Telstra to submit a data protection plan within 40 days of signing it; a privacy policy or security risk management plan be submitted; that a deed of confidentiality and privacy be signed with subcontractors; and that Telstra staff with direct access to the register have appropriate security clearance.
The ANAO found that none of those requirements had been met as of March this year.
A data protection plan - a "key document to manage issues relating to privacy of data" - was submitted by Telstra within the 40-day timeframe and later revised, the audit office said, but it was formally rejected in December last year on the grounds that it didn't fully comply with the contract requirements.
The Health department has still not accepted a data protection plan from Telstra, it said.
Health is uncertain whether Telstra has signed deed of confidentiality and privacy documents with its subcontractors, because a register that monitors this compliance is incomplete, the audit office said.
A privacy policy or security risk management plan outlining how data and privacy will be managed has still not been delivered, despite being due in November last year.
And a list detailing security clearances for Telstra staff with access to the register is "incomplete", the auditor reported.
In its response to the ANAO's findings, Telstra acknowledged that the documents were "still being finalised", but pointed out that it is compliant with the Commonwealth protective security policy framework (PSPF) and the information security manual (ISM).
The telco said it had "continued to implement the project in accordance with its overarching privacy and security obligations under the contract".
"By way of example, Telstra had built a secure ISM certified environment to receive the required data by 1 December 2016," it said.
The company claimed the submission dates for the privacy and security documents that the auditor was reviewing had been changed since the original contract was signed and "do not accurately reflect" new agreed deadlines.
"Telstra takes its obligations to securely manage data seriously and has progressed a range of actions necessary for implementation of the register and restricting acess to sensitive information," the telco told the auditor.
An independent IRAP (ASD's information security registered assessors program) assessment will be undertaken before the register goes live, it said, and it already has "processes and controls" in place to restrict access to sensitive information.
Privacy and security had been a key concern for Labor and Greens MPs following the signing of the contract; they had claimed the data contained in the system was too sensitive to be managed by a private sector operator.
.png&h=141&w=208&c=1&s=1)
