Comments on the second draft of the fifth edition Standards for general practices — submission to the Royal Australian College of General Practitioners (RACGP)

Date: 7 October 2016

Our reference: D2016/006751

Chair
RACGP Expert Committee – Standards for General Practices
Royal Australian College of General Practitioners
100 Wellington Parade
East Melbourne
Victoria 3002

Via email: standards@racgp.org.au

Dear Chair

Comments on the second draft of the fifth edition Standards for general practices

Thank you for the opportunity to comment on the Royal Australian College of General Practitioners’ (RACGP) second draft of the fifth edition Standards for general practices (the Standards) and the Second Draft Resource Guide for the RACGP Standards for General Practices 5th Edition (Resource Guide).

The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency. The OAIC was established by the Australian Parliament to bring together three functions:

  • privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Privacy Act), and other Acts)
  • freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (FOI Act)), and
  • information management functions (as set out in the Information Commissioner Act 2010).

The integration of these three interrelated functions into one agency has made the OAIC well placed to strike an appropriate balance between promoting the right to privacy and broader information policy goals.

The Privacy Act contains thirteen Australian Privacy Principles (APPs) which outline how Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses must handle, use and manage personal information. Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act provides extra protections around its handling. This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual.

The OAIC supports initiatives that provide clarity around privacy obligations for specific sectors which regularly handle sensitive information, such as the healthcare sector. My comments below relate only to the Standards’ requirements for the handling of health information and their explanation of general practices’ privacy obligations. I have not commented on broader issues related to general practices.

Criterion C3.5 – Research

Criterion C3.5 requires general practices to ensure that all research is approved by an ethics committee and is indemnified. The criterion explains that general practice staff must be familiar with the National Health and Medical Research Council (NHMRC) Code for the Responsible Conduct of Research.

In addition to the Code for the Responsible Conduct of Research, the NHMRC has also issued two sets of guidelines for researchers to follow in the conduct of their research. These are:

  • the Guidelines under Section 95 of the Privacy Act (s 95 Guidelines), which apply to agencies and provide an exception for acts that would otherwise breach the APPs where those acts are done in the course of medical research (and in accordance with the s 95 Guidelines)
  • the Guidelines approved under Section 95A of the Privacy Act (s 95A Guidelines) which apply to private sector organisations, and deal with the disclosure of health information that is necessary for the secondary purpose of research relevant to public health or public safety.

These guidelines, issued by the NHMRC and approved by the Information Commissioner, provide a framework for Human Research Ethics Committees to approve researchers’ proposals to handle identified information without consent. This framework acknowledges both the need to protect health information from unexpected uses beyond individual healthcare, and the important role of research in advancing public health.

The s 95A guidelines apply to organisations – such as general practices – that collect, use and disclose health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or safety, or that collect health information the purpose of health service management activities where it is impracticable to obtain individuals’ consent and where the purpose cannot be served by collecting de-identified information.

Considering that the s 95A guidelines are an important legislative requirement I recommend that the s 95A guidelines are referred to in the Standards. For example, the indicator for criterion C3.5 could be amended to read:

Our practice ensures that all research is approved by an ethics committee, complies with the NHMRC’s guidelines issued under s 95A of the Privacy Act where necessary and is indemnified.

A brief overview of the s 95A guidelines could then be provided in the ‘Meeting this Criterion’ section to ensure that general practices understand the purpose of the s 95A guidelines and the circumstances in which they apply.

Criterion C7.3 – Confidentiality and privacy of health information

Criterion C7.3 outlines requirements that general practices are required to comply with in order to safeguard patient privacy. The Standards explain that general practices must collect personal health information and safeguard its confidentiality and privacy in accordance with the APPs. However, the APPs apply not only to the collection of personal information, but also to how the information is then used and disclosed. For completeness and accuracy, I therefore suggest explaining that general practices must collect, use and disclose health information in accordance with the APPs.

In addition, the description for complying with Criterion C7.3 sets out a list of issues which must be addressed in the general practice’s privacy policy. These issues are useful and largely reflect the requirements of APP 1. However, considering that a number of APP 1 requirements are not included in the Standards’ list of issues – such as the requirement to set out how an individual may access their own personal information – I recommend amending the sentence under the bullet points, to read:

For further information, including an explanation of all the information that must be included in a privacy policy, refer to the RACGP’s Privacy Policy template and visit www.oaic.gov.au.

Emphasising that there are additional requirements under APP 1, will help ensure that readers of the Standards understand that the information provided under Criterion C7.3 is a set of examples and not the comprehensive set of requirements under APP 1.

Criterion C8.1 – Patient health records

Criterion 8.1 relates to patient health records and sets out requirements for general practices to follow when, for example, collecting and retaining information. However, there is no mention of the My Health Record system and the distinct legislative requirements of the My Health Records Act 2012.

I recommend that Criterion 8.1 include a reference to the My Health Record system so that a distinction is drawn between the Standards’ requirements when retaining local patient health records and the information handling obligations of the My Health Records system.

In addition, there are references in the Standards which refer to ‘eHealth system training’. It is unclear whether this refers to the My Health Record system or to broader digital health systems. The Department of Health has produced a number of training resources specifically for health service providers using the My Health Record system, and as such I recommend clarifying the ‘eHealth’ reference.

Mandatory requirements for meeting criteria C7.3. C7.4 and C8.1

Criteria C7.3, C7.4 and C8.1 outline lists of issues that general practices are required to comply with in relation to confidentiality and privacy of health information, information security and handling of patient health records. These lists include mandatory and optional items to meet each criterion.

I understand that compliance with the mandatory items found in these Standards will be part of the accreditation process for general practices. However, from a Privacy Act perspective (in particular APP 11 which relates to information security) the optional items listed may be just as relevant or even more so than the mandatory items. For example, a practice that does not ensure it provides appropriate access to each role, based on position descriptions (an optional item under C7.4C) may not be seen to be taking reasonable steps to protect personal information under APP 11.

Noting such matters as ‘optional’ may raise a risk that general practices will not give proper weight to them. I recommend that you include text that notes to the effect that, while some of the items may be optional for accreditation purposes, they will need to be considered by practices to meet their obligations under the Privacy Act.

The Resource Guide for the RACGP Standards for general practices (5th edition)

The Resource Guide provides a useful list of further resources to assist general practices better understand the requirements of the Standards. Under the Information Management section, links are provided to the OAIC’s guidance, Chapter 11: APP 11 – Security of personal information, and the OAIC’s Data breach notification – A guide to handling personal information security breaches. The OAIC has subsequently released the Guide to securing personal information,[1] which could also be added to the list of resources. This resource provides guidance on the reasonable steps that entities are required to take under the Privacy Act to protect the personal information they hold from misuse, interference, loss and from unauthorised access, modification or disclosure.

Further information

I hope the above information is useful to you. If you have any questions, please do not hesitate to contact Melanie Drayton, Director, Regulation and Strategy Branch on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Privacy Commissioner
Acting Australian Information Commissioner

7 October 2016

Footnotes

[1] https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au