May 4th, 2020

Peter ("the Guru") Hernandez

General Manager - Technology

Australian Physiotherapy Council


Data, Data, data.  No word has ever elicited such joy…well, for me anyway.  But just like everything delightful, there is always a downside.  Data without the most stringent of safeguards is akin to teeing up a 2 billion person zoom conference and inadvertently sharing your screen… with all your passwords on it.

However, here’s a tip…not all data is born equal.

Each organisation is different and categorises its data depending on a whole host of factors.  Here at the Council, we have four primary data classifications, namely:

  1. Unimportant
  2. Confidential to the organisation
  3. Personal
  4. Health

Data deemed “unimportant” is such because there would be no adverse impact  (i.e. no harm would/could be done to the owner of the data, or to stakeholders, customers and third parties) should that information become known to others. This type of information is that which typically appears on an organisation’s website or social media. No protection is required or as I like to call it SFPC (Safe for Public Consumption).

Data that is “confidential to an organisation” needs to be secured against making its way to unintended recipients. There are technical ways to protect access to this information, but protocols and policies must be in place to govern the use and dissemination of this type of information. Typically, these include things like contracts, procedures, intellectual property, processes…

The third is “personal” data, which includes names, contact details, addresses, Dates of Birth, financial details, Tax File Numbers.  The list is infinite.  Blind Freddy knows that if this information becomes public knowledge, appreciable harm could be done.

Our final category is “health” information such as doctor’s details, immunisation records, scripts, reports, tests, medical histories etc.  This is the kind of data, also known as Personal Health Information or PHI, that one voluntarily shares with medical practitioners, hospitals and health insurers.  In the sobering words of Morris Panner, the CEO of DICOM Grid – an American internet-based solutions company for digital medical imaging:

“Health information has a strange paradox.  You want it to be private from most people, yet when you require care, you want a lot of people to see it, really fast. You just want it to be the right people at the right time”.

Ironically, despite the substantial risk of this information being misappropriated, there’s far less spend on security measures of PHI data in the health sector as there are in other industries with data deemed to be highly sensitive.

Fortunately, the laws in Australia governing the treatment of private data / information (i.e. personal and health) are rigorous, making it mandatory for organisations to notify stakeholders who would be adversely impacted if a data breach occurs, as well as requiring it to remediate the breach and take steps to prevent further contraventions.

Here we are… working from home (for those of us lucky enough to still be working), accessing data in the cloud, sending emails from the cloud.  Hold up a minute I hear you ask.  How did we protect data before we used meteorological terminology to describe servers accessed over the internet?  First, we had firewalls and they were invented to protect our files from the outside world. Then, we realised we wanted to access files from that outside world, so we invented the Virtual Private Network (VPN). Then we said, let’s not do any of that anymore.  Instead, let’s move those files in a place beyond the office called the cloud.  Makes sense right? Anywhere, anyplace, anytime access is the expectation of a generation.

But what’s protecting the data that we now place in the cloud? Reassuringly, there are some incredibly complex designs, tools and systems in place doing their job seamlessly to secure our most personal information.  Here are the just a few of them:


  • Data segmentation: this is a design principle that implements separation between the networks that access the data and the networks that store the data. The same separation principle is applied to separate confidential data from privacy data and unclassified data.


  • Firewalls: these are devices which can allow access or deny access to networks depending on your location (i.e. inside a network like the office, outside that network or even specific network identifiers).


  • Authentication providers: this is usually a directory of usernames and stored passwords, or identities which can access the network, or parts of the network. Modern directories are things like Azure Active Directory, Google Accounts, Apple ID…, even Facebook and LinkedIn.


  • Encryption: this done through the use of public and private pairs of keys which allow authorised people to decrypt an encrypted transmission. By carefully distributing the keys to approved parties, an application owner will control who and which computers can access what information.


  • Application Gateways: these are intelligent systems which scan traffic that flows through them to identify anomalies that indicate a threat or an attack.

So where does that leave us? 

Privacy is paramount.  No two ways about it.  Personal information must be safeguarded and secured.  But that’s an all too often disingenuous platitude offered by many and delivered by few – which might go some way to explaining the jittery uptake of the Government’s COVIDsafe app.

At the Council, rest assured however that we apply the most rigorous protection to all information because to have your information is a privilege; a privilege we will never take for granted.

Whilst a big chunk of my time and budget is devoted to streamlining processes and ensuring we’re a user-friendly, customer obsessed organisation.  Hands down, the principal IT spend and time allocation is dedicated to guaranteeing data protection and security.  So whether you’re an overseas qualified physiotherapist, Education Provider, Director, Contractor or Villager, please rest easy tonight knowing… your secrets are safe with us.


#secretsaresafewithus; #privacyisparamount; #techequalsbridge;  #lifedisrupted;  #covid19;    #letssticktogetherremotely; #techtotherescue



Recent News

Share via
Copy link