Our reference: D2017/009100
Via email: MyHealthRecorddata@healthconsult.com.au
Development of the Framework for the Secondary Use of My Health Record Data
I welcome the opportunity to provide comment on the Public Consultation Paper (Consultation Paper) for the Development of a Framework for Secondary Use of My Health Record Data (Framework).
The Consultation Paper outlines the context and background for considering the circumstances in which secondary use of My Health Record data should be allowed and the development of an appropriate framework. I acknowledge the consideration that has been given to the privacy issues associated with the secondary uses of My Health Record data and the role that privacy protections will play in ensuring the long term success of the Framework.
By way of an overall comment, I am supportive of initiatives which seek to maximise the use of data in the public interest and agree that secondary use of data in this way has the power to improve outcomes for all Australians. Given that the My Health Record system has the potential to become one of the richest sources of health information in Australia, the benefits that may be derived from use of the data beyond primary care are significant. At the same time, I am also mindful that when considering how the use of sensitive health information can be enhanced, it is crucial that privacy remain a central consideration. For a large portion of the community, health information is particularly sensitive and there is a greater reluctance to share it – even in a de-identified form.
Public support for projects that aim to maximise the value of data, such as the Framework, depend on the level of choice and control afforded to individuals. That is, the extent to which individuals have the ability to decide who has access to their information, and how that information will be used. In addition, having robust accountability and oversight mechanisms in place to ensure its protection is essential. When privacy considerations are embedded in policies and frameworks from the outset, it is more likely that public expectations are being met, allowing for greater public support. If community expectations are not met in relation to the handling of My Health Record system data for secondary uses, there is a risk that consumers will choose not to engage with the My Health Record system at all.
In order to assist with the development of the Framework, I have set out some relevant considerations that centre on providing transparency and choice to consumers about how their personal information is handled. As the Framework is further developed, I would welcome the opportunity to provide additional input.
Role of the Office of the Australian Information Commissioner
The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency established by the Australian Parliament to bring together three functions:
The integration of these three functions in one agency, gives the OAIC a unique perspective that comes from balancing the right to privacy with broader information policy goals. This includes promoting the privacy protection of health information, while ensuring its availability and use for research and clinical decision-making.
Additionally, and as set out in the Consultation Paper, the OAIC is the independent regulator for privacy aspects of the My Health Record system, providing a range of compliance and guidance functions regarding the handling of personal information. As part of this role, the OAIC has worked with the Department of Health and the Australian Digital Health Agency (ADHA) to promote and ensure that privacy considerations are prioritised and form an integral part of Australia’s digital health policy.
Principles to guide secondary use of My Health Record data
Building informed confidence within the community
Determining whether there is public acceptance of data use for secondary purposes, and building this acceptance, is a significant challenge. My Office’s most recent Community Attitudes to Privacy Survey revealed that a large portion of the public (86%) consider the use of their personal information for a secondary purpose as “misuse”.  The concepts of increased data use or sharing make people cautious, but the research also shows that individuals are more likely to allow their data to be used for secondary purposes when they know it is working for a public benefit. Nearly half of Australians (46%) said they supported government agencies using their personal details for research, service development or policy development purposes, with 30% that were not comfortable with the proposition entirely. However, 21% of Australians were found to be neither comfortable nor uncomfortable with the proposal. This suggests that there is an opportunity to build support for secondary use of My Health Record data by demonstrating the benefits and value of its use to the broader community.
As noted in the Consultation Paper, social licence is vital to facilitating the legitimate secondary use of My Health Record data. Community trust can be quickly lost if individuals are not confident that the public service respects their personal information and is doing all it can to protect it and use it appropriately. Ultimately, people need to see the benefits and value of the use of their personal information and understand the parameters around its handling and protection. When entities provide transparency over personal information handling practices and are accountable it gives individuals the confidence that their privacy is respected, and they are more likely to be supportive of increased data activities.
In developing the Framework, I would encourage consideration to be given to the steps that will need to be taken to demonstrate trustworthiness and ensure public confidence in the Framework. Amongst other things, this will include ensuring that:
- the range of permitted secondary uses under the Framework is limited, ethical and secure and that the broader public value of these secondary uses is clearly communicated
- individuals understand how their information is accessed, by whom, and for what purposes and what protective security measures are in place.
Consent for secondary use of My Health Record data
I strongly consider that any Framework for the secondary use of My Health Record data should be founded on robust notice and consent processes. In providing personal information for the purposes of receiving healthcare, individuals cannot be expected to know or anticipate all the other secondary uses to which the information could be put and how this will occur. In this context and to build public trust in the Framework, careful consideration must be given to how individuals can exercise choice and control over their personal information – particularly, how individuals can be given notice of, and exercise meaningful consent to secondary uses.
When individuals feel a sense of personal control over the uses of their data, they are more likely to be supportive and confident about those uses. The Framework should therefore clearly describe when information will be used and when individuals will be able to exercise a degree of choice about these uses. Unless there is a mandatory legal requirement, individuals should be asked for consent or be able to opt-out of secondary uses.
It is also important to recognise that people’s concerns about their personal information are often granular. For example, individuals may be apprehensive about specific pieces of health information being shared or particular secondary purposes rather than have a blanket concern. Recognising this there is value in taking a multi-layer approach to seeking consent. Rather than offering a single choice, individuals should have the option to consent (or withdraw consent) for certain types or categories of their information being used as well as the types or categories of secondary uses.
Requiring an individual’s consent before collecting health information and handling personal information is a key privacy protection in the Privacy Act. My Office has published advisory guidelines (known as the APP guidelines) which address some of the key challenges and issues in seeking consent that may be of assistance in developing the Framework. For example, the APP guidelines discuss:
- the four key elements of consent (paragraph B.35)
- the limited circumstances in which use of an opt-out mechanism to infer consent may be appropriate (paragraph B.40)
- the potential for the practice of bundled consent to undermine the voluntary nature of consent (paragraphs B.45 – B.46)
- the assessment of whether an individual has capacity to consent (paragraph B.52 – B.58).
Process for requesting and accessing data
Privacy enhancing governance arrangements and processes
Collecting and sharing personal information are essential aspects of health research and health innovation. However, these uses of personal information do not come without risk. A strong governance framework can help ensure the processes involved in handling information for these purposes minimise the privacy and security risks. The governance arrangements set out in the Framework should ensure that potential privacy challenges are considered and monitored.
The OAIC would support a governance model that included the establishment of a governing body to oversee and implement the principles set out in the Framework. Any such body should have a role in privacy governance, ensuring that good privacy practices are incorporated at the outset of any project proposing to use My Health Record data for a secondary purpose are granted. This approach is generally referred to as ‘privacy by design’, and can assist in finding the balance between maximising usefulness and value of data with the protection of an individual’s personal information.
As part of taking a privacy-by-design approach to the establishment of the governance arrangements for the Framework, I recommend that a privacy impact assessment (PIA) be conducted. A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. This process will help to identify any impacts on the privacy of individuals, and allow for privacy safeguards to be built into the preferred model.
Conducting a PIA at an early stage is the best way to ensure that appropriate privacy safeguards are included in new policy proposals. For more information on conducting a PIA, see the OAIC’s Guide to undertaking privacy impact assessments.
De-identification can be a valuable tool in the context of health research, allowing the utility of data to be maximised while preserving individual privacy.
In developing the Framework, it is important to remember that unless affected individuals provide consent to use information for a specific secondary purpose, any information used for such purposes must be in a de-identified form. More broadly, as the Consultation Paper acknowledges, before any My Health Record data is released, the governing body will want to ensure that privacy is protected, and therefore that any de-identification methods used render the information ‘not individually identifiable’. In light of this, I strongly agree that there must be a robust process in place to ensure that de-identification is carried out effectively in the context of the Framework. Getting this process right will be crucial to ensuring that community trust can be built in these new uses of data.
I therefore appreciate the consideration given in the Consultation Paper to the de-identification methods that could be adopted prior to the release of My Health Record data for secondary use. However, I would caution against adopting a one-size-fits-all solution to de-identifying data, particularly health information. Each data release must be considered on its own merits, particularly given the rich and sensitive nature of the personal information handled under this Framework.
It is important to note that de-identification is not the panacea to privacy protection – it is an exercise in risk management, not an exact science. This is because whether information is personal or de-identified will depend on the context. Information will be de-identified where the risk of an individual being re-identified in the data is very low in the relevant release context. This means that re-identification risk must be assessed contextually. To de-identify effectively, entities must consider not only the data itself, but also the environment the data will be released into. Both factors must be considered in order to effectively determine which techniques and controls are necessary to de-identify the data, while ensuring it remains appropriate for its intended use.
The OAIC has produced various resources in the area of de-identification which may be useful to refer to, including the De-identification Decision-making Framework, which provides detailed guidance on the factors that should be considered to ensure de-identification is carried out effectively and in compliance with the Privacy Act, as well as a guidance sheet on the De-identification of data and information.
Supporting legislation and policies
As noted in the Consultation Paper, while Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses have responsibilities under the Privacy Act, not all entities requesting My Health Record data will have privacy obligations. Additionally, once My Health Record data is released from the system for secondary use, the My Health Records Act will also not apply.
As such, I strongly recommend that the Framework consider requiring entities seeking My Health Record data for secondary use, that are not covered by the Privacy Act or an equivalent privacy law of the State or Territory, to be brought under the coverage of the Privacy Act via sections 6E, 6EA or 6F of the Privacy Act. Operating under the Privacy Act (or equivalent State or Territory laws) will not only help to ensure trust and confidence in the data activities of entities using My Health Record data but will also provide regulatory oversight and enforceable rights for individuals should data be mishandled.
I would be pleased for my staff to meet with you to discuss these matters further, and to offer any other assistance that may be useful in the development of the Framework.
The OAIC contact for this matter is Sarah Ghali, Director, Regulation & Strategy Branch. Ms Ghali can be contacted on [contact details removed].
Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner
21 November 2017
 The OAIC is currently finalising a Memorandum of Understanding (MOU) relationship with the ADHA to provide dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010. The MOU sets out a program of work including compliance and enforcement activities, providing privacy-related advice and developing guidance and training materials for internal and external stakeholders.
 See the Community Attitudes to Privacy survey, a longitudinal survey into community attitudes to privacy run by the OAIC, with the most recent survey conducted in 2017. For more information about the OAIC Community Attitudes to Privacy survey 2017, see the Launch of Community Attitudes to Privacy report, available on the OAIC’s website at: https://www.oaic.gov.au/engage-with-us/community-attitudes/australian-community-attitudes-to-privacy-survey-2017.
 See page 15 of the Consultation Paper.
 The OAIC’s APP guidelines have been published to assist in interpreting the APPs and key concepts in the Privacy Act. They are available at www.oaic.gov.au
 I note that the OAIC has recently developed a Privacy Code, which applies to all agencies covered by the Privacy Act. This Code will come into force in July 2018. One requirement of the Code is that PIAs must be conducted for all high privacy risk projects. See www.oaic.gov.au for more information on the requirements of the Privacy Code.
 The My Health Records Act 2012 (Cth) permits secondary uses of data only with consent, or when the information is in a de-identified form: ss 15(ma), 66(2) and 109(7A).
 See page 13 of the Consultation Paper.
 See page 24 the De-identification Decision-Making Framework.
 For these reasons, it is important to be aware that open data environments are really only appropriate for information that is either not derived from personal information, or information that has been through an extremely robust de-identification process that ensures - with a very high degree of confidence - that no individuals are reasonably identifiable, and that no re-identification could occur.
Was this page helpful?
If you would like to provide more feedback, please email us at firstname.lastname@example.org