Consultation Paper: National Health (Privacy) Rules 2018 review
4 June 2021
About this review
In this section you can find:
- Information about the scope and purpose of this review
- Directions on how to provide comments.
The Office of the Australian Information Commissioner (OAIC) is reviewing the National Health Privacy Rules 2018 (Rules) to decide whether and how they need to be updated. This Consultation Paper is aimed at eliciting feedback on the Rules to find out what is working well and what can be improved.
The Rules are a legislative instrument issued by the Information Commissioner under section 135AA of the National Health Act 1953. They apply to Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) claims information. People make claims under the MBS and PBS for health services in Australia. To enable this, Services Australia and the Department of Health process and store information about MBS and PBS claims.
The Rules apply to Australian Government agencies that handle MBS and PBS information with particular focus on Services Australia and the Department of Health. In brief, the Rules:
- Require that information obtained from the MBS and PBS not be stored in the same database
- Specify when claims information from the two programs may be linked
- Prohibit claims information over five years old (i.e., old information) from including information that could identify an individual, and
- Specify the circumstances in which old information may be re-linked with identifiers.
Why have a review?
The Rules are due to sunset on 1 April 2022. The OAIC is therefore consulting stakeholders on the Rules to enable revision and remaking of the Rules before that date. Other factors that indicate that a review is timely include:
- Developments in information technology since 2008, which is when the contents of the Rules were last examined in depth
- The introduction of the Australian Privacy Principles (APPs) which may have changed baseline regulatory protections otherwise afforded to claims information
- The regularity and increased scale of use of information technology in the planning and provision of health services
- Public policy approaches favouring data use and re-use in research, evidence-based decision-making and the provision of government services generally
- Community attitudes and expectations regarding the handling of their personal information; in particular, certain health information.
Submissions to the review will help the Commissioner to assess the need for revisions or amendments to the Rules.
Scope of the review
The review is a general review of all the provisions of the Rules. As with previous reviews, the Commissioner’s purpose is to ensure that the Rules, in their current form, achieve the intent of section 135AA of the National Health Act and are easy to read, understand and apply in practice.
This Paper sets out information about the review process, including:
- How to provide comments
- Information about the Rules and relevant recent developments
- General questions and issues for consideration
- Specific questions about each of the main provisions contained in the Rules.
The OAIC invites comment from interested individuals, agencies and organisations on all elements and aspects of the Rules, including but not limited to their effect on individuals, the operation of MBS and PBS processes, public sector operations and policy development, open data and associated research initiatives.
Questions have been included in the Consultation Paper to help guide your feedback. It is not necessary to respond to every topic or question raised in the Paper. Nor should you feel restricted to the topics or questions we have raised. When commenting, we encourage you to provide evidence to support your feedback, including examples, case studies, statistics or other information.
While submissions may include perspectives and commentary on the Rules, the Commissioner will not consider comments on unrelated areas of the Privacy Act 1988 or other legislation. It is also relevant to note that this is a review of the Rules and not of section 135AA of the National Health Act. It is not within the scope of this review or the Commissioner’s functions to canvas amendments to the National Health Act. Any such review would occur as a separate process led by the Department of Health.
How to provide comments
Submissions can be made by:
GPO Box 5218
The closing date for comments is 5pm Friday 4 June 2021.
We intend to make all submissions publicly available. Please indicate when making your submission if it contains confidential information you don’t want made public and why it should not be published. Requests for access to confidential comments will be determined in accordance with the FOI Act.
Although you may lodge submissions by email or post, email is preferred. To help us meet our accessibility obligations, we would appreciate you providing your submission in a web accessible format or, alternatively, in a format that will allow us to easily convert it to HTML code — for example Rich Text Format (.rtf) or Microsoft Word (.doc or .docx) format.
Privacy collection statement
The OAIC will only use the personal information it collects during this consultation for the purpose of considering the issues raised in the discussion paper. This will include sharing submissions with Information Integrity Solutions – a privacy consultancy that is assisting OAIC with this review.
About the Rules
In this section you can find:
- Explanatory information about the Rules
Including their purpose, the activities they cover and their main provisions.
- Contextual information
Including other relevant reviews, government policies and legislative reform.
The National Health (Privacy) Rules
The Rules are a legislative instrument issued by the Australian Information Commissioner. They are binding which means the public sector agencies covered by the Rules must follow them.
The Commissioner issues the Rules under section 135AA of the National Health Act. Section 135AA says that the Commissioner must issue privacy rules about how public sector agencies handle MBS and PBS claims information. Section 135AA also lists matters that the rules must cover. When revising the Rules, the Commissioner can change requirements in the Rules but cannot change the matters that section 135AA says the rules must cover.
Section 135AA was added to the National Health Act in 1991 in recognition of the special sensitivity of MBS and PBS claims information. Over the years, the Rules have been revised a number of times. The last time was in 2018.
The Rules set out requirements for how public sector agencies handle MBS and PBS claims information. MBS means Medicare Benefits Schedule and PBS means Pharmaceutical Benefits Schedule. This is information that government agencies collect and use to enable payment of benefits for medical care and medicines. It is sensitive because it reveals health information about individuals and covers most of the Australian population.
The main provisions in the Rules
The Rules explain how agencies may use, store, disclose and link MBS and PBS claims information. Although some provisions in the Rules apply to all agencies, most of the Rules just apply to Services Australia and the Department of Health as they are the two main agencies that handle MBS and PBS claims information.
Key provisions in the Rules include:
- Separate storage – MBS and PBS claims information must be stored in separate databases.
- Storage without identifiers – MBS and PBS claims information must be stored without personal identification components  and must be stored separately from enrolment and entitlements information.
- Disclosure to the Department of Health – Services Australia may disclose claims information to the Department of Health to enable Medicare to perform ‘health provider compliance functions’. Services Australia may disclose claims information to the Department of Health in other circumstances but generally such information must not include ‘personal identification components’.
- Linkage of claims information – Services Australia and the Department of Health may link claims information held in the MBS and PBS databases but only in limited circumstances.
- Retention of linked claims information – Services Australia and the Department of Health must destroy linked claims information as soon as practicable after meeting the purpose for which it was linked.
- Old information – Claims information that is five or more years old must be stored separately from other claims information and with personal identification components removed. Old information may only be re-linked with personal identification components in certain circumstances.
- Disclosure of claims information for medical research – Services Australia may disclose identifiable claims information to researchers for the purpose of medical research if the subjects of the information consent or the research follows the NHMRC guidelines.
- Use of claims information by the Department of Health – The Department may store claims information indefinitely as long as personal identification components are removed. The Secretary of the Department may authorise other uses of MBS and PBS information but a use involving linkage is subject to certain conditions.
- Name linkage – The Department of Health may obtain the personal identification components that belong to a particular Medicare PIN from Services Australia in certain limited circumstances specified in the Rules.
Key agencies regulated by the Rules
The Rules address, in the main, Services Australia and the Department of Health. However, other government agencies are also captured in the context of holding MBS and PBS information.
In 2019, a machinery of government change saw the creation of Services Australia (formerly, the Department of Human Services under the Rules). Services Australia is responsible for the delivery of advice and a range of health, social and welfare payments and services. Services Australia delivers Medicare and related programs on behalf of the Department of Health, including the PBS, Australian Immunisation Register and Australian Organ Donor Register.
Services Australia uses MBS and PBS claims information to administer the respective programs (such as paying benefits), as well as for internal operational and reporting purposes.
Department of Health
The functions of the Department of Health include providing health services and, following machinery of government changes in 2015, undertaking compliance functions in accordance with various portfolio legislation. Officers of the Department are, for example, responsible for compliance functions in accordance with the Human Services (Medicare) Act 1973. Administratively, a practical arrangement exists whereby officers employed by the Department perform health provider compliance functions under delegated powers of the Chief Executive of Medicare (Services Australia).
The Department of Health uses MBS and PBS claims information for a wide range of purposes including program administration, compliance and audit, policy development and review, statistical analysis, and reporting.
Australian government agencies
In addition to specifying Services Australia and the Department of Health, the Rules pertain to any Australian government agency covered by the Privacy Act holding information that was obtained in connection with a claim for payment or benefit under the MBS or PBS.
A number of developments provide relevant background context to this review, such as significant changes to public policy in relation to data sharing for public purposes, changes to privacy regulation and, significantly, the burgeoning digital and data economies.
Recent amendments to the National Health Act
In 2019, the National Health Act was amended by the Health Legislation Amendment (Data‑matching and Other Matters) Act 2019. The primary intention was to enable the Chief Executive Medicare to conduct data matching of listed kinds of information – including MBS and PBS claims information – for compliance-related permitted purposes (i.e., to prevent, identify and take action against fraud and other inappropriate practice by health providers).
The amendment specifically introduced new provisions to the National Health Act that would enable data matching, notwithstanding restrictions to disclosure, matching or storage of information prescribed in the Rules issued under s 135AA.
Review of the Privacy Act
The Attorney-General’s Department is currently conducting a review of the federal Privacy Act, to ensure that ‘privacy settings empower consumers, protect their data and best serve the Australian economy.’ The review will examine, among other things, the scope and application of the Privacy Act as well as its interaction with other Commonwealth regulatory frameworks.
The Issues Paper highlighted the digital economy, the ability to communicate and transact with individuals online, and new and emerging technologies as developments that should be kept in mind when determining whether the Privacy Act is fit for purpose.
Data Availability and Transparency Bill
The Data Availability and Transparency Bill 2020 (the Bill) was introduced to the Australian Parliament on 9 December 2020. If enacted, the Bill would create a national scheme for organisations to request access to Australian Government data in a controlled manner for prescribed purposes, namely: (i) improving government service delivery, (ii) informing government policy and programs, and (iii) research and development.
The Bill represents the most significant step taken by the Australian Government to reform the way public sector data is accessed and used. It comes in response to the Productivity Commission’s Data Availability and Use inquiry, which identified the benefits of data in improving efficiency and productivity, as well as allowing governments and businesses to offer new kinds of products and services. The Bill is relevant to the Rules because, if enacted into law, it may enable sharing and use of MBS and PBS claims information in prescribed circumstances.
Royal Commission into Aged Care Quality and Safety
The Royal Commission into Aged Care Quality and Safety was established on 8 October 2018. One of its findings was that there is inadequate sharing of health information about older people as they move between the health and aged care systems.
Recommendation 67 of the final report specifically addresses improving data on the interaction between the health and aged care systems. This includes:
- The Australian Government should implement an aged care identifier by no later than 1 July 2022 in the MBS and PBS datasets for regular public reporting purposes
- All governments should implement a legislative framework by no later than 1 July 2023 for health and aged care data to be directly linked, shared and analysed to understand the burden of disease of current and prospective people receiving aged care and their current and future health needs.
Senate Select Committee report
The Senate Select Committee on Health (SSC on Health) was established to inquire into and report on health policy, administration and expenditure. In compiling its 2016 Sixth Interim Report, ‘Big health data: Australia’s big potential’, the SSC on Health received a significant number of stakeholder submissions in relation to improving access to and linkage between health data sets. The 2016 Report itself dedicated chapter four to the issue of MBS and PBS data linkage, and said at Recommendation 4:
“The committee recommends that given the changes in technology, and mindful of the capacity and moral obligation for governments to hold and strongly secure personal data and privacy, the government review the operation of section 135AA of the National Health Act 1953, with the aim of improving access to de‑identified MBS and PBS data for the purpose of health policy evaluation and development as well as research undertaken in the public interest.”
While this review does not canvas the appropriateness of section 135AA of the National Health Act, the recommendation highlights the tension associated with operation of the Rules in a climate where insights derived from MBS and PBS data are highly desirable.
Changes in technology
The movement of the Australian government to an e-gov model, such as the co-located services accessible via a MyGov account, reflects the government’s continued progress in the realms of digitally enabled services and technology uptake. The government has focused on making interactions between the community and agencies more seamless, as well as leveraging data from those interactions to deliver better, faster, more equitable and more intuitive services in the future.
The technologies supporting government service are also advancing, with data storage modalities no longer taking the form of a physical location (or ‘database’) on a computer within an office or building; rather, agencies are increasingly exploring the use of virtual locations, where information is stored in off-site data centres, transmitted via the internet (‘the cloud’), with access managed locally through various administrative and technical controls. The government’s Secure Cloud Strategy, which replaces the Australian Government Cloud Computing Policy of 2014, considers that ‘common shared platforms’ will continue to be explored by government through the auspices of the Digital Transformation Agency, to:
- Reduce information enclaves in agencies by providing an ability to efficiently manage information across agencies and classifications (e.g., protected, unclassified, etc), and
- Enable agencies to manage multi-provider services.
From a health sector research perspective, data linkage and privacy enhancing technologies have seen significant advancement in the years the Rules (and the preceding guidelines) have been in operation. It is now possible for very large human service datasets from multiple different sources to be linked together to produce insights while preserving the privacy of individual subjects.
This enabling technology has been matched by a growing appetite from researchers and policymakers for data linkage projects. For example, the Australian Institute of Health and Welfare (AIHW) and the Australian Bureau of Statistics (ABS) – two of the foremost accredited integrating authorities in Australia – have been increasingly involved in data linkage for policy analysis, research and statistical purposes, often involving MBS and PBS claims information.
Key issues and general questions
In this section you can find:
- Key questions for this review
To enable us to gauge how the Rules are operating and areas for improvement.
- Other general questions and issues
Including in relation to the form and function of the Rules and how they operate in practice.
Key questions for this review
This review is aimed at understanding how the Rules are currently operating, whether their provisions remain fit-for-purpose and what revision or updates may be needed.
- What provisions in the Rules work well and should remain as they are or with minimal changes?
- What provisions in the Rules are no longer fit for purpose? Why?
- Do the Rules get the balance right between protection of privacy on the one hand and use of claims information on the other? Why or why not?
Form and function of the Rules
Prescriptive versus principles-based
The Rules are relatively prescriptive in form. They give specific instructions on how specific agencies must store and handle claims information and the limited circumstances in which claims information may be linked, retained or rendered identifiable. This contrasts with the APPs, for example, which take a principles-based approach to regulating personal information, allowing entities greater discretion in interpreting the application of the legislation to their own circumstances.
Generally, subordinate legislation – like the Rules – would be expected to be more prescriptive than primary legislation. It adds detail and specificity to the framework established by legislation. Specificity is encouraged because subordinate legislation can be revised and updated more easily than primary legislation – it does not have to be passed by parliament. A prescriptive approach can have the positive effect of eliminating known privacy risks that would otherwise confront an officer when, for example, making decisions about claims data linkage. On the other hand, an overly prescriptive approach can inadvertently block reasonable activities or be complex to apply in practice.
- Which provisions in the Rules are too prescriptive / not prescriptive enough?
- Would any parts of the Rules benefit from being made more principles-based? Why?
Technological specificity versus technological neutrality
A side-effect of more prescriptive regulations is that they may struggle to accommodate rapidly changing information technology. In the context of these Rules, this can have two effects:
- The Rules contain requirements that have been overtaken by changes to technology and are therefore difficult to apply in practice or require inefficient workarounds to enable compliance.
- The Rules obstruct or limit reasonable use cases for claims information that have been enabled by changes to technology and digitisation of government operations.
While the Rules minimise the use of technologically specific language, there are some provisions where this is unavoidable. For example, the National Health Act says that the Rules must prohibit the storage of MBS and PBS information in the same ‘database.’ Therefore, the Rules refer to separation of ‘databases’. Other provisions, while not necessarily being technologically specific, impose requirements that may operate counter to modern data practices. For example, very short retention times for linked claims information may make use of the information difficult or discourage legitimate linkage activities.
- How could the Rules be updated to better accommodate current information technologies and modern data practices in a way that continues to protect privacy?
- Which parts of the Rules are no longer fit for purpose due to technological change or need adjustment?
Interaction with the APPs
In 2012 the Privacy Act 1988 was significantly amended with the introduction of the Australian Privacy Principles (APPs). The APPs regulate the handling of personal information, including health information, and establish requirements for each stage of the information lifecycle from collection of personal information through to use, storage, disclosure and disposal. The APPs replaced the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs), which applied to Australian government agencies and the private sector respectively.
To the extent that the Rules impose more specific obligations than the APPs, the Rules prevail. In all other cases, the APPs apply as normal to personal information handling.
The Rules have not been significantly revised or updated since the introduction of the APPs. In practice, this means that the way the Rules interact with the APPs – and any gaps or overlap in this regard – has not yet been formally canvassed. For example, the Rules contain strict disposal provisions for claims information (particularly linked claims information). This made sense prior to the introduction of the APPs because the earlier IPPs did not contain any information disposal requirements so the Rules filled a gap. However, that changed with the APPs which now impose data disposal requirements. Therefore, a question arises as to whether certain APPs should ‘cover the field’ for health information (including MBS and PBS information) or whether the nature of MBS and PBS information demands additional controls set down in the Rules.
- What additional requirements should apply to MBS and PBS information over and above the APPs? Why?
- Which provisions in the Rules (if any) should be removed or adjusted in light of the APPs?
The Rules in practice
Modernisation and trends in government information policy
The Commissioner cannot create rules that ignore or weaken the application of section 135AA of the National Health Act. Section 135AA prescribes certain matters that must be contained in the Rules. However, there may be opportunities within the Rules and the parameters of section 135AA to retain privacy safeguards while acknowledging Australia’s maturing approach to data use and the government’s ongoing digital transformation. For example, some now believe that the Rules get the balance wrong between privacy and data use. A chief criticism of the Rules in a recent Senate Committee report was that the heavy weighting of information privacy considerations denied legitimate opportunities to access MBS and PBS datasets for research in the public interest. The Rules were characterised in some submissions to the Senate Committee as over-cautious, cumbersome and, according to the Productivity Commission, ‘complex with the restrictions creating unnecessary downsides and delays for evidence-based policy formulation’.
Recent developments outlined above illustrate opportunities for alignment of the Rules with new currents in government information policy.
10.How can the Rules be modernised or made more effective, while remaining within the parameters of the primary legislation?
11.How might the Rules better align with current government policies pertaining to information use, re-use and sharing while still protecting privacy?
Specific questions about the Rules
In this section you can find:
- More detailed information about what the Rules say
- Specific questions
About each of the main provisions contained in the Rules.
The Rules apply to Australian government agencies covered by the Privacy Act, though most provisions apply specifically to Services Australia and the Department of Health. The Rules refer to the ‘Department of Human Services’ – in this paper, we refer to that department by its current name – ‘Services Australia.’
Storing claims information in separate databases
What the Rules say
The Rules require agencies to store MBS claims information in a separate database to PBS claims information. The National Health Act itself requires the Rules to prohibit storage of this information in the same database and the Information Commissioner has no discretion to alter or moderate this requirement. The Commissioner explains the policy intent of the Rules in the Explanatory Statement – that the Rules ‘recognise the sensitivity of health information and restrict the linkage of claims information. Such linkages may reveal detailed information on the health status and history of the majority of Australians, beyond what is necessary for the administration of the respective programs.’
The requirement to store data in ‘separate databases’ may no longer be meaningful in the current digital environment. However, until the National Health Act is changed, this requirement will have to remain a feature of the Rules.
Management of claims information by Services Australia
What the Rules say
The Rules specify how Services Australia must manage claims information. This includes requirements that:
- The MBS claims database and PBS claims database be kept separate from enrolment and entitlement databases.
- The MBS claims database must not include personal identification components other than the Medicare card number.
- The PBS claims database must not include personal identification components other than the pharmaceutical entitlement number.
The Rules ensure that claims information in the MBS and PBS databases is stripped of personal identification components, such as name and address information, apart from a Medicare card number, or a pharmaceutical entitlements number.
These requirements apply to claims information that is not ‘old information’. Information that is more than five years old is considered ‘old information’, and this information must not be stored with any personal identification components at all, including the Medicare card number or the Pharmaceutical entitlements number.
The effect of these requirements is to lessen the privacy impact of these databases and reduce privacy risks. This could include risks that the claims information is inappropriately accessed or disclosed, or risks of function creep such as where claims information is used for unintended or unauthorised secondary uses.
12.Should these requirements (about separation of claims information from enrolments and entitlements and exclusion of personal identification components) stay the same or be changed? Why?
Requirement for Services Australia to maintain technical standards
What the Rules say
The Rules require Services Australia to establish and maintain detailed technical standards in relation to the MBS claims database and PBS claims database which cover matters including:
- Access controls
- Security measures, including measures to prevent unauthorised linkages
- Measures to enable tracing of authorised linkages
- Destruction schedules for authorised linkages.
The Rules require Services Australia to establish standards to ensure a range of technical matters are adequately dealt with in designing a computer system to store claims information. If Services Australia changes the standards, it must inform the OAIC.
Services Australia is subject to other security obligations in relation to MBS and PBS claims information. These include information security requirements under APP 11 in the Privacy Act, the Australian Government’s Protective Security Policy Framework, and the Information Security Manual. This could raise a question as to whether dedicated technical standards for MBS and PBS information is necessary in view of those other security obligations. On the other hand, dedicated technical standards enable more specific requirements particularly in managing data linkage and safeguarding the data from unauthorised linking.
13.Is having dedicated detailed technical standards for MBS and PBS claims databases necessary given the range of other information security requirements applying to Services Australia?
14.Should the technical standards cover any other matters?
15.Should any other agencies be required to have technical standards of this sort? Which agencies and why?
What the Rules say
The Rules allow Services Australia to use Medicare personal identification numbers (PINs) to enable identification of individuals in the MBS and PBS databases. Medicare PINs may be stored in claims databases. However, the Rules require that PINs not be derived from the individual’s personal information and not reveal any personal or health information about the individual from the PIN alone.
The Rules contain provisions on the creation of a Medicare PIN that is unique for each individual, and the purposes for which a Medicare PIN may be used or disclosed. According to the Explanatory Statement, it is intended that any such unique number be kept, as far as possible, within Services Australia and not used as an identifier for other purposes. That said, Services Australia may disclose Medicare PINs in some circumstances, though usually not with the individual’s name.
16.Are the provisions regulating the creation, use and disclosure of Medicare PINs fit for purpose?
17.Should there be more permissive or more restrictive use of Medicare PINs? Why?
Disclosure to the Department of Health
What the Rules say
The Rules allow Services Australia to disclose claims information to the Department of Health to enable Medicare to perform ‘health provider compliance functions.’
Services Australia may disclose claims information to the Department of Health in other circumstances but generally such information must not include personal identification components – though Medicare PINs and encrypted Medicare card numbers are able to be shared.
If lawfully sharing claims information with an agency, organisation or individual other than the Department of Health, Services Australia must not provide both the Medicare PIN and name unless a law requires specifically requires it.
The disclosure provisions in the Rules mostly relate to how Services Australia and the Department of Health interact to enable the Department of Health to carry out delegated Medicare functions and activities. For example, the Department of Health monitors health providers and makes sure they are doing the right thing when they claim MBS and PBS benefits on behalf of their patients or customers. To carry out this function and take enforcement action, the Department of Health needs to collect and use claims information.
Disclosure of claims information to other entities other than the Department of Health must be ‘lawful’. This means that it must not be prohibited by another law and, if the information includes personal information, would need to comply with APP 6.
A later section of the Rules enables disclosure of claims information for medical research.
18.Do disclosure provisions get the balance right between data sharing and protection of privacy? Why or why not?
19.Is APP 6 adequate for regulating disclosure of claims information? What additional requirements, if any, need to be spelt out in the Rules?
Linkage of claims information
What the Rules say
The Rules allow Services Australia and the Department of Health to link claims information held in the MBS and PBS databases but only in prescribed circumstances. These include where the linkage is:
- necessary to enforce a law
- required by law
- for the protection of the public revenue
- necessary to determine an individual’s eligibility for benefits
- necessary to prevent or lessen a serious and imminent threat to the life or health of any individual
to enable disclosure to an individual when that individual has given their consent.
The Rules state that linked claims information must not include the Medicare PIN (unless this is required by law). Historically, the Rules have stopped Services Australia or the Department of Health from establishing a data-matching program between MBS and PBS data. However, this provision has been affected by recent amendments to the National Health Act which allow data-matching involving certain information that is held or has been obtained by the Chief Executive Medicare for compliance-related permitted purposes.
20.Should linkage of MBS and PBS claims information be allowed in other circumstances? What circumstances and why? How could this be done in a way that continues to protect privacy?
Retention and reporting of linked claims information
What the Rules say
The Rules say that Services Australia and the Department of Health must destroy linked claims information as soon as practicable after meeting the purpose for which it was linked. They must also make special arrangements for the security of records of linked claims information.
Services Australia and the Department of Health must also report to the OAIC certain information about their linkage activities including the number of records linked, the purposes of the linkage, number of linked records that were destroyed and so on.
The destruction requirements in the Rules act as a form of protection against function creep and unauthorised secondary use or disclosure of linked claims information. However, the strictness of the destruction requirements may reduce the utility of data linkage and curtail use of the linked information for reasonable and lawful purposes. Data linkage conducted in conjunction with other programs – for example, by the ABS for the Multi-Agency Data Integration Project (MADIP) – is not subject to the same strict destruction requirements.
21.Are the data retention requirements appropriate? Should linked claims information be able to be retained for longer?
22.Are reporting arrangements appropriate? Should reporting categories be changed in any way?
What the Rules say
‘Old information’ (meaning claims information that is five or more years old) is treated differently under the Rules. It must be stored separately from other claims information and with personal identification components removed. Old information may only be linked with personal identification components in certain circumstances prescribed in the Rules.
As with other forms of linkage, old information linked to personal identification components must be subject to additional security requirements, destroyed as soon as practicable after it has achieved its purpose, and be reported to the OAIC.
The National Health Act states that the Rules must regulate the handling of ‘old information’. In particular, they must require old information to be stored without personal identification components and specify the circumstances in which old information may be re-linked with those components. Therefore, the OAIC cannot revise the Rules to change this storage requirement for old information. However, the OAIC can vary the circumstances in which old information may be re-linked.
23.Are the provisions applying to old information appropriate?
24.In what circumstances (if any) should old information be able to be re-linked with personal identification components? How could this be done in a way that continues to protect privacy?
Disclosure of claims information for medical research
What the Rules say
The Rules permit Services Australia to disclose claims information to researchers for the purpose of medical research in certain circumstances. Claims information that identifies an individual may only be disclosed with that individual’s consent or in compliance with the guidelines issued by the National Health and Medical Research Council (NHMRC) under section 95 of the Privacy Act.
These arrangements reflect obligations that would apply under the Privacy Act and related laws regardless. However, the inclusion of this provision relating to medical research is to clarify and provide certainty regarding how claims information may be used for medical research purposes.
25.Is this provision necessary given it already applies under the Privacy Act? If yes, does it need to be modified in any way? Should claims information be able to be used for other forms of research? If yes, should there be any limitation on this use?
Use of claims information
What the Rules say
The Rules say that the Department of Health may store claims information indefinitely as long as personal identification components are removed. The Secretary to the Department may authorise other uses of MBS and PBS information but a use involving linkage is subject to certain conditions. For example, the linkage (other than linkage permitted in other parts of the Rules) using the Medicare PIN may only occur where:
- claims information (identified by the PIN or any personal identification components) is used solely as a necessary intermediate step to obtain aggregate or de-identified information; and
- such linked records are destroyed within one month of their creation.
The Department of Health may only disclose claims information if the recipient cannot identify the subjects of the information (unless an exception in the Rules applies).
The Rules enable linkage by the Department of Health but only in a temporary manner with a short retention period. Moreover, MBS and PBS claims information may only be linked in this temporary manner in conjunction with the Medicare PIN where there is no practical alternative.
26.Should the Department of Health be able to link claims information in a wider range of circumstances? What circumstances?
27.Are provisions enabling disclosure of claims information by the Department of Health appropriate?
What the Rules say
The Department of Health may obtain the personal identification components that belong to a particular Medicare PIN from Services Australia where it is authorised by the Secretary of the Department of Health and is necessary:
- to clarify which information relates to a particular individual where doubt has arisen in the conduct of an activity involving the linkage of de-identified information or
- for the purpose of disclosing personal information in a specific case or in a specific set of circumstances as expressly authorised or required by or under law.
There are circumstances in which it may be necessary for the Department of Health to have access to identified claims information. The Rules enable this and set restrictions on how this may occur.
28.Are name linkage provisions appropriate? Should name linkage be allowed in any other circumstances?
Other matters including management of paper copies
What the Rules say
The Rules say that while paper copies of information may be made of MBS and PBS information, paper copies may not be made of the complete or a major proportion of either the MBS or the PBS claims databases.
Services Australia and the Department of Health must make staff aware of the need to protect privacy in relation to claims information. They must also tell the OAIC of what delegations and authorisations they have in place under the Rules.
29.Are provisions relating to paper copies of claims information appropriate? Why or why not?
 Personal identification components includes any of the following: (a) the name of the person to whom the information relates; (b) the person’s address; (c) the person’s Medicare card number; (d) the person’s Pharmaceutical entitlements number – see National Health Act, s 135AA(11).
 See National Health (Privacy) Rules 2018, cl 15(4).
 See National Health (Privacy) Rules 2018, cl 7.
 See National Health Act 1953, s 135AA(5)(d).
 National Health (Privacy) Rules 2018, cl 8(5).
 See National Health (Privacy) Rules 2018, cl 9(1).
 See National Health (Privacy) Rules 2018, Explanatory Statement.