The Northern Territory information commissioner says he offered only "brief advice" to the government regarding a privacy breach of medical records before the incident was "managed in-house" and subsequently kept secret.
The ABC revealed on Thursday that more than 50,000 patients had their health files sent between two NT government departments in 2018 and 2019 as part of a software system upgrade.
More than 3,000 identifiable records were then transferred to global software vendor Intersystems, which has offices in 27 countries including in Europe, South America and China.
Some patient items were classed as having very-high or high clinical risk, such as psychology reports and psychiatric facility visits, termination of pregnancy or stillbirth records, and electroconvulsive therapy — also known as electric shock therapy — records.
Chief Minister Natasha Fyles, who was health minister at the time, never made the privacy breach public.
"I was advised in a flash brief and also at the chief executive meetings, but I had no role … around decisions [not to tell the public]," she said.
When asked why she didn't notify the public, Ms Fyles said the information commissioner had been notified.
Responding to questions from the ABC, Information Commissioner Peter Shoyer said he was first contacted in October 2019 by the Department of Digital and Corporate Development and NT Health "in relation to disclosure of patient information to a third-party IT contractor".
Mr Shoyer said he "provided brief advice on further potential steps" after being given "a substantial number" of de-identified files.
"While there were a substantial number of files, it does not appear to coincide with the numbers referred to in [the ABC] report," he said.
"The difference may be due to the early stage of the investigation at that time.
"We provided brief advice to the departments on potential further steps including … a requirement for both departments to be satisfied that the relevant personal information had been sufficiently contained."
Mr Shoyer said other advice included a need to evaluate the information in more detail to consider whether there were patients who should be told about the breach.
He offered to assist both departments further but was told "the privacy breach was being managed in-house".
"There was no further request for assistance," he said.
'Process scrutinised thoroughly'
Chief executive of NT Health Marco Briceno said his department "consulted extensively at the time with the information commissioner".
"Because this information was not used against what it was intended to, and it did not leave the security of the system, then we didn't think that we were actually in breach of the law," he said.
"However, the process was scrutinised thoroughly by the commissioner and we're still working with the information commissioner now to ensure that we are not in breach of legislation."
Mr Briceno said the decision not to notify the public was "made by NT Health, by the chief executive of the time, and the senior executive team of the time, based on our obligations in the [NT Information Act]".
"The commissioner of information confirmed what our obligations were."
Mr Shoyer said current NT legislation did not require agencies to notify individuals subject to a data breach.
"My office has worked with NT government officers over time to advance development of a whole-of-government approach to data breach reporting but there is as yet no mandated system," he said.