Draft Report - ‘Caring for Older Australians’
Submission to the Productivity Commission (March 2011)
- The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the Productivity Commission on the draft Report, ‘Caring for Older Australians’ (draft Report). The draft Report is of interest to the OAIC in its capacity as the national privacy regulator.
- In summary, the OAIC makes the following comments and recommendations:
- The OAIC considers that there may be privacy issues associated with proposals to:
- link older Australians’ care assessment information to their e-health records, and make this information available to all approved and relevant health professionals and care providers (Chapter 8)
- establish centralised repositories of de-identified information which may be accessed by policymakers, researchers, industry and the wider community (Chapter 13).
- The OAIC welcomes reference in the draft Report to the importance of preserving individuals’ privacy, including by de-identifying personal information before it is made available to the wider community.
- The OAIC suggests that the Productivity Commission recommend, in its final report to government, that a comprehensive framework for privacy protection be established at an early stage of developing proposals in Chapters 8 and 13 of the draft Report, which may impact the privacy of older Australians and their carers.
Office of the Australian Information Commissioner
- The OAIC is an independent statutory agency established by the Australian Information Commissioner Act 2010 (AIC Act). The OAIC commenced operation on 1 November 2010 and is headed by the Australian Information Commissioner, supported by two other statutory office holders, the Freedom of Information Commissioner and the Privacy Commissioner. Staff of the former Office of the Privacy Commissioner are now part of the OAIC.
- Together the Commissioners of the OAIC exercise three broad functions:
- the freedom of information functions set out in s 8 of the AIC Act
- the privacy functions set out in s 9 of the AIC Act
- the Information Commissioner functions set out in s 7 of the AIC Act.
- As the national privacy regulator the OAIC can provide general advice on privacy issues and the application of the Privacy Act 1988 (Privacy Act).
- The Privacy Act applies to ‘personal information’, which is defined in s 6(1) as information or an opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained from that information. The Privacy Act contains eleven Information Privacy Principles (IPPs) which apply to Australian and ACT Government agencies. It also includes ten National Privacy Principles (NPPs) which generally apply to all businesses with an annual turnover of more than $3 million, but which do not apply to certain exempt organisations including small businesses.
- The OAIC understands that the Productivity Commission is conducting an inquiry into Australia's aged care arrangements and will provide a final report to government later this year. As part of this inquiry, the Commission has published a draft Report for public comment, ‘Caring for Older Australians’ (draft Report), together with an independent report prepared by Applied Aged Care Solutions Pty Ltd, ‘New Aged Care Model Options’ (AACS Report). The OAIC welcomes the opportunity to provide comments on these reports.
- The OAIC’s comments focus on two suggested options for reform, which may have an impact on individuals’ privacy:
- link aged care records with e-health records and make these available to all approved and relevant health care providers and care providers 
- establish a central clearinghouse to co-ordinate, store and distribute data and provide the necessary contact point for data and information for policymakers, researchers, industry and the wider community.
- In this submission the OAIC outlines some key privacy issues which may arise in developing these policy options. While the draft Report and the AACS report canvass these options at a high level, the OAIC recommends that these options be further developed within a comprehensive framework for privacy protection.
Specific comments on the draft bill
Chapter 8 - Care and Support
- The draft Report proposes that older Australians’ care assessment information be linked to their e-health record and that this information be made available to all approved and relevant health professionals and care providers (subject to agreement from the client).
(a) Choice and control
- The OAIC welcomes the assurance that older Australians would be asked to consent before their aged care and health information is linked and provided to health care professionals and care providers. In the OAIC’s view, individuals should maintain an appropriate amount of choice and control over their personal and sensitive information (including health information). This includes obtaining genuine and informed consent from an older Australian before using and disclosing their personal information. In the OAIC’s opinion, promoting choice and control will ensure that older Australians are comfortable with how their personal information is being used, and will engender trust in the health and aged care systems.
- The OAIC suggests that, to ensure effective choice and control, an older Australian’s decision not to consent to linking or disclosing their records should not adversely affect their access to aged care services. However, the OAIC recognises that in practice, as linking and disclosing records is intended to provide better outcomes, this decision may limit access to optimal aged care outcomes. Perhaps the final report could outline options for managing the records of older Australians in the absence of consent, which ensure that these individuals are not disadvantaged.
- The OAIC also notes that some older Australians may be unable to give genuine and informed consent due to a physical or legal incapacity. The OAIC suggests the final report to government acknowledge the challenge of obtaining consent in these circumstances, so that consideration may be given to appropriate policy responses.
(b) E-health records and privacy attributes
- It is unclear to the OAIC which types of e-health records are proposed to be linked to aged care records, for example whether this is intended to include the Personally Controlled Electronic Health Record (PCEHR). The OAIC notes that different types of e-health records have particular privacy settings and attributes. As such, perhaps the final report to government could recommend further consideration of the impact on different e-health records’ privacy settings and attributes, when linked with aged care records.
- For example, the Personally Controlled Electronic Health Record (PCEHR) which is being developed by the Department of Health and Ageing, is currently intended to be made available to all Australians on an opt in basis, and individuals will be able to control who has access to the information contained in their PCEHR. Any proposals involving PCEHRs should therefore recognise that uptake of the PCEHR may be limited, particularly in the period immediately following its implementation, and that where an individual has a PCEHR, access to it will be contingent on consent. It will be important to develop options for proposals to proceed in the absence of PCEHRs and to ensure that individuals who do not have a PCEHR, or who choose to limit access to their PCEHR, are not disadvantaged.
- Generally speaking, the OAIC suggests that any proposals to link e-health records and aged care information and to increase access to this information should emphasise the importance of designing appropriate privacy safeguards. These may include a legislative scheme which specifies who may access this information, the purposes the information may be used for and appropriate storage and security arrangements. These kinds of privacy safeguards should be considered at an early stage, and their design integrated into the policy development process (see Comprehensive Privacy Framework, on page 7).
Chapter 13 - Aged Care Policy Research and Evaluation
- The draft Report proposes that a new regulatory body, the Australian Aged Care Regulation Commission (AACRC), be established to coordinate the collection, storage and distribution of national data sets on aged care, and to facilitate the linkage to data contained within Medicare and Centrelink. The AACRC would act as an approved clearinghouse and would provide the ‘necessary contact point for data and information for policymakers, researchers, industry and the wider community’.
- In the OAIC’s opinion, there are significant, manageable privacy risks associated with establishing a large, centralised repository of information which is accessible to many users. In particular, without appropriate security and other privacy safeguards, there is a risk of misuse or abuse. This could harm the interests of older Australians and ultimately undermine trust in government information systems. If the repository contains personal information (see paragraph 18), these risks could be managed by establishing strong data security safeguards to limit the risk of unauthorised access, use, modification or disclosure, or other misuse.
- The OAIC supports the requirement that ‘access to data clearly needs to preserve the privacy and confidentiality of individuals and providers’ and agrees that this may be achieved (in part), by de-identifying this data for wider use. However, while the OAIC strongly encourages de-identifying personal information as a way to preserve individuals’ privacy, the nature and extent of de-identification must be carefully considered if it is to provide adequate privacy protection to the information being released. In particular, with the advent of new technologies which facilitate data linkage and re-identification, it is increasingly difficult to conclude that the identity of an individual can never be ascertained from information that superficially appears to be de-identified. Accordingly, when designing and implementing a system for de-identifying information, careful consideration should be given to the potential for third parties to manipulate and link together pieces of information to re-identify individuals.
- The OAIC also suggests clarifying who would de-identify this information and when this would occur. If agencies (or organisations covered by the Privacy Act) provide personal information to the AACRC to be de-identified, they would generally need to obtain the individual’s consent to do so. In the OAIC’s view, better privacy practice would involve the collecting agency (or organisation) de-identifying information before it is provided to the AACRC. Further, even if the collecting agency (or organisation) de-identifies the information, the OAIC would encourage them as a matter of good practice, to notify individuals that this may be disclosed as de-identified information to the AACRC for particular purposes.
Comprehensive privacy framework
- In this submission, the OAIC has outlined privacy risks associated with proposals in chapters 8 and 13 of the draft Report. In the OAIC’s view, these proposals should be developed within a comprehensive framework for privacy protection. This framework should be based on four key elements:
- These elements can be explained as:
- Fundamental system design, including system architecture and the parameters governing what information is collected, information flows and consent mechanisms
- Technological measures, including but not limited to, data security initiatives
- Legislative measures, including defining who may access aged care information, the purposes the information may be used for, and introducing sanctions for misusing the information, and
- Oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.
- The OAIC also generally recommends that agencies (and organisations) undertake privacy impact assessments (PIAs) when planning new initiatives that may involve the handling of personal information. The OAIC views a PIA as an iterative process during the life of a project from initial conception to implementation and review.
- The process assists agencies and organisations to manage privacy impacts by providing a thorough analysis of the effect of the project on individual privacy and helping to find potential solutions. The elements that make up a PIA (including identification, analysis and management of privacy impacts) help to drive good privacy practice and underpin good public policy in projects. In many cases, a PIA can help to make a significant difference to the privacy impact of a project while still achieving the project’s goals.
- The OAIC encourages the Productivity Commission to endorse the importance of conducting PIAs in its final report. In the OAIC’s opinion, this, together with the adoption of a comprehensive privacy framework, would help to address the privacy risks associated with proposals in chapters 8 and 13 of the draft Report.
 Productivity Commission, ‘Caring for Older Australians’, p. 235.
 Productivity Commission, ‘Caring for Older Australians’, p. 435.
 Productivity Commission, ‘Caring for Older Australians’, p. 244. The OAIC also notes a similar proposal in the AACS Report, that an appropriate care assessment model include an information platform that can bring together information from various systems and sources and builds a single client record (care recipient and carer) that is accessible as appropriate to agencies and relevant service providers (p. 8).
 This approach is consistent with draft recommendation 4.1, which states that ‘to guide future policy change, the aged care system should aim to be consumer-directed, allowing older Australians to have choice and control over their lives’ (see Productivity Commission, ‘Caring for Older Australians’, p. XLV).
 See IPPs 10 and 11 in section 14 of the Privacy Act. IPP 10 generally states that an agency which has obtained personal information for a particular purpose, must not use the information for another purpose unless the individual consents to that use (subject to certain exceptions). IPP 11.1 generally requires agencies to obtain an individual’s consent before disclosing their personal information where the individual is unlikely to be aware the information is usually disclosed in this way (subject to certain exceptions).
 Media release by the Hon Nicola Roxon MP, Minister for Health, 11 May 2010 at http://www.health.gov.au/internet/budget/publishing.nsf/Content/budget2010-hmedia09.htm
 Productivity Commission, ‘Caring for Older Australians’, p. 431.
 Productivity Commission, ‘Caring for Older Australians’, p. 435.
 See IPP 4, section 14 of the Privacy Act.
 Productivity Commission, ‘Caring for Older Australians’, p. 434.
 Office of the Privacy Commissioner, Submissions to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 31, p. 83 at http://www.privacy.gov.au/materials/types/research?sortby=64
 For agencies, see IPP 11.1, section 14 of the Privacy Act 1988. For organisations, see NPP 2.1, Schedule 3 of the Privacy Act.
 This would be consistent with responses to the former Office of the Privacy Commissioner’s Community Attitudes Survey, in which 51% of respondents considered that their permission should be sought before releasing de-identified health information for research purposes (Office of the Privacy Commissioner, ‘Community Attitudes to Privacy 2007’, p. 46 at http://www.privacy.gov.au/materials/types/research?sortby=64).
 OAIC, Privacy Impact Assessment Guide at http://www.privacy.gov.au/materials/types/guidelines