Elder Abuse Discussion Paper — submission to the Australian Law Reform Commission

Date: 3 March 2017

Our reference: D2017/000787
Professor Rosalind Croucher AM
President
Australian Law Reform Commission
GPO Box 3708
Sydney NSW 2001

Via email: elder_abuse@alrc.gov.au

Dear Professor Croucher

OAIC submission on Elder Abuse Discussion Paper (DP 83)

I welcome the opportunity to provide this submission to the Australian Law Reform Commission (ALRC) in relation to the Elder Abuse Discussion Paper (Discussion Paper).

The Discussion Paper focuses on identifying best practice legal frameworks that support older people to participate equally in the community. It proposes a number of initiatives to protect older people from the misuse or advantage taken by individuals who have formal and informal support or representative roles. For example, the Discussion Paper identifies that, in many cases, better – and potentially more extensive – information sharing and coordination is required between government agencies and service providers to more adequately respond to cases of elder abuse.[1]

Sharing information in this context necessarily raises privacy issues and any disclosure needs to be carefully considered. Personal information associated with allegations of elder abuse is highly sensitive and inappropriate disclosure could have significant consequences, for both victims and alleged perpetrators. However, as I highlighted in my earlier submission on the Elder AbuseIssues Paper (Issues Paper (IP 47)), the right to privacy is not absolute and, in some circumstances, privacy rights will necessarily give way where there is a compelling public interest reason to do so. This balance between privacy and other public interest objectives is reflected in the Australian Privacy Principles (APPs) which contain a number of exceptions that can facilitate the collection, use and disclosure of information when responding to elder abuse.

My comments below outline some key privacy considerations for entities when sharing information, particularly regarding the proposal to establish a national register of enduring documents. I also provide comments on the Discussion Paper’s proposals to grant immunity to individuals reporting elder abuse and the uploading of enduring documents to the My Health Record system.

Establishing a national online register

One of the safeguards against elder abuse – in particular financial abuse – which is canvassed in the Discussion Paper, is the creation of a national online register of enduring documents. This proposed register would also include court and tribunal orders for the appointment of guardians and financial administrators and/or managers.[2]

I acknowledge that a national register has the potential to provide an easy-to-use and cost-effective mechanism for solicitors, banks and others to search for and check the authenticity of an instrument. However, as the register will contain a comprehensive amount of sensitive information about individuals (such as financial and health information), it is important to carefully consider the register’s privacy implications and appropriate mitigation strategies.[3]

The Discussion Paper recognises that a national register presents significant privacy and confidentiality issues and refers to the need to restrict access to the register. It states that ‘the principal should be able to decide which individuals (as opposed to organisations) may access the register with respect to their enduring document (e.g. specified family members). More broadly, a level of privacy can be maintained by restricting access to the register to authorised people and organisations.’

Ensuring that access to the register is restricted, tightly controlled and monitored will be fundamental to protecting privacy rights. In particular, providing authorised people with access that is limited only to the information which they need to know, will help ensure that personal information is protected from misuse and only used for the purposes for which it was collected.[4] Applying this in practice will mean, for example, implementing access controls so that different users can only access the specific information that is necessary for them to perform their role or functions and cannot simply browse the register without restriction.[5]

Additionally, there are also a number of other considerations that will need to be taken into account to maintain a high level of privacy. The operator of the register will need to consider how the register will comply with other APPs. This includes, for example, ensuring that information in the register is accurate, up-to-date and complete[6] and that the personal information within the register is handled in an open and transparent manner.[7]

Granting immunity to individuals that report elder abuse

The Discussion Paper proposes that people who report suspected elder abuse to the public advocate or public guardian be given immunity from certain legal obligations that might otherwise prevent them from reporting abuse. This proposal stems from the concern expressed through various submissions to the Issues Paper (IP 47) that suggest healthcare professionals, banks/financial institutions and aged care workers are concerned about reporting or disclosing suspicion of elder abuse for fear of breaching privacy laws (among other concerns). The immunity proposal, therefore, could help to drive the desired cultural change and encourage a more proactive approach to reporting.

As acknowledged in the Discussion Paper, there are a range of exceptions to the use or disclosure principle (APP 6) that would facilitate the disclosure of personal information for the purposes of reporting suspected elder abuse to the relevant public advocate or public guardian. However, I can appreciate that the immunity proposal may address other legal barriers (such as duties of confidentiality) and provide certainty to those making disclosures in this area.

In implementing the immunity proposal, a broader framework that provides clear and specific circumstances in which disclosures can be made and immunity applies, will need to be established. This will include, for example, ensuring that staff are equipped with good decision-making frameworks when it comes to information sharing and reporting. This type of broader approach will ensure that those individuals using or disclosing information have a clear understanding of when they may be able to rely on the immunity provision.

Uploading enduring documents to the My Health Record system

The Discussion Paper refers to a suggestion, raised by a response to the Issues Paper (IP 47), that there may be an opportunity to upload enduring documents to an individual’s My Health Record.[8]

Similar to the ALRC, it is my view that these documents be kept separate from medical records and advance care directives. The My Health Record system is an online summary of an individual’s key health information which can be accessed digitally by individuals and by healthcare providers, within the specific and tightly-regulated parameters of the My Health Records Act 2012. On the other hand, enduring documents are not solely related to an individual’s health or medical treatment and are used by a wider group than healthcare providers, such as banks and financial institutions. Considering the sensitivity of the health information within the My Health Record system and its specific purpose in facilitating healthcare, it would not be appropriate to expand the system’s scope and purpose.[9]

The My Health Record system also provides for the use of authorised representatives, such as individuals with a power of attorney, to apply for and manage a My Health Record on behalf of another person. In this regard, the My Health Record system already has processes and systems in place to identify representatives and permit their use and disclosure of an individual’s health information within the parameters of the My Health Record system.

Further information

I trust that these comments are useful to the ALRC and welcome any further engagement with the ALRC. If you have any questions or would like to discuss our submission further, please contact Sarah Ghali, Acting Director, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

3 March 2017

Footnotes

[1] For example, the Discussion Paper outlines the ALRC’s view that public advocates/guardians are well-placed to play a crisis case management and coordination role but that this would require extensive information sharing and coordination between different entities (paragraph 3.49). In addition, the ALRC has proposed an aged care model that includes further information sharing provisions (paragraph 11.132).

[2] This recommendation is outlined in Proposal 5-1.

[3] One tool which will help map out the privacy impacts of a proposal, such as the creation of a register, is a privacy impact assessment (PIA). A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. For further information on conducting a PIA, see the OAIC’s Guide to undertaking privacy impact assessments: https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments

[4] Under APP 6, organisations and government agencies covered by the Privacy Act 1988 (Privacy Act) can only use or disclose personal information for a purpose for which it was collected, or for a secondary purpose if an exception applies.

[5] Under APP 11, organisations and government agencies covered by the Privacy Act, must take reasonable steps to protect personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Implementing safeguards, such as access controls, may be one of the ‘reasonable steps’ taken to help ensure compliance with APP 11. Another privacy enhancing feature may be, for example, an audit trail functionality that allows access to the register to be logged and tracked so that there is additional oversight around who has accessed the information.

[6] This requirement is regulated by APP 10 – quality of personal information. For further information, see Chapter 10 of the APP Guidelines: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-10-app-10-quality-of-personal-information

[7] This requirement is regulated by APP 1 – open and transparent management of personal information. For further information, see Chapter 1 of the APP Guidelines: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information

[8] This is outlined in paragraph 5.54 of the Discussion Paper.

[9] The OAIC is the independent regulator of the privacy aspects of the My Health Record system. Under a Memorandum of Understanding with the Australian Digital Health Agency, my Office undertakes a program of work related to the My Health Record system including compliance and enforcement activities, providing privacy-related advice and developing My Health Record guidance and training materials for internal and external stakeholders.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au