
Introduction

1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the General practice data and electronic clinical decision support - Consultation Regulation Impact Statement (CRIS) released by the Department of Health and Aged Care (Department) on 28 November 2022. The Department seeks stakeholder feedback on potential regulatory options for the sharing of general practice (GP) data and the use of the electronic clinical decision support (eCDS) systems.

2 The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act)), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).

3 The Privacy Act applies to most Australian Government agencies, any organisation with an annual turnover of more than $3 million and some other organisations. Regardless of turnover, the Privacy Act applies to all private sector organisations that provide a health service or hold health information. These organisations are considered to be health service providers, even if providing a health service is not their primary activity, and they have obligations under the Privacy Act for all their activities.

4 The OAIC is also the independent regulator of the privacy aspects of the My Health Records (MHR) system. The privacy framework for the MHR system is currently set out in the My Health Records Act 2012 (Cth) (MHR Act) and the Privacy Act. The OAIC has a range of regulatory functions and enforcement powers under both the Privacy Act and MHR Act to ensure compliance with these privacy requirements. In addition to the exercise of its regulatory responsibilities, the OAIC proactively develops digital health guidance for various stakeholders.

5 The OAIC notes that the CRIS raises a number of evolving risks surrounding the existing approach to GP data and eCDS use in a rapidly shifting technology environment. These risks are a concern and the CRIS provides the opportunity to address them through recommending strong regulatory requirements to govern the handling of GP data.

6 The OAIC recognises that the use and sharing of GP data has the potential to improve health outcomes for Australians, including by informing government policy and public health research. However, as this will often involve the collection and management of large amounts of sensitive health information, privacy must be a central consideration. For a large portion of the community, health information is particularly sensitive and there is a greater reluctance to share it – even in a de-identified form. The protection and security of GP data and health information more generally is essential to public confidence and trust in general practitioners and other health service providers.

7 We are broadly supportive of the policy objectives identified in the CRIS to mitigate risks and improve the way that GP data is collected, shared and used. Developing a consistent approach to the access, collection and management of this data, and ensuring that data sharing is safe, secure, timely and accessible, is crucial to realising the public benefits which can flow from the use of data provided to GPs.

8 Of the options canvassed by the CRIS, we consider that Option 4 is the most appropriate to enhance the ongoing, appropriate and secure sharing of general practice data and support the uptake of eCDS. Noting the gravity of the problem areas highlighted by the CRIS, it is important that the collection and use of GP data is subject to clear, mandatory requirements in relation to matters including consent, de-identification and secure handling and storage.

9 At the same time, any regulatory scheme must be workable and not impose a disproportionate compliance burden on GPs and other health service providers. Where appropriate, such a scheme should leverage, rather than duplicate, existing regulatory requirements, including those in the Privacy Act.

10 The purpose of this submission is to provide further information about how the regulatory scheme proposed by Option 4 might interact with Australia’s existing privacy framework, key proposals arising from the Attorney-General’s Department’s review of the Privacy Act (Privacy Act Review), and other regulatory requirements which apply to health information.[1] The submission seeks to assist the Department in further developing its regulatory response, to ensure that this is consistent with community expectations and concerns regarding the collection, handling and sharing of GP data.

Privacy as the foundation of trust

11 Public trust is crucial to the success of data sharing initiatives. As the CRIS acknowledges, a lack of trust can inhibit data sharing, while greater transparency can increase the trust and involvement of consumers in the sharing of GP data and its impacts on their care.[2] The CRIS notes that currently, consumers have little clarity as to how their information is being used and how their health information is being kept confidential and secure.[3] It recognises that the lack of existing guidance regarding consumer consent and privacy presents a significant reputational risk for GPs, particularly if consumer data is disclosed to and used by third parties.[4]

12 The COVID-19 pandemic has increased rates of digitisation. Organisations have needed to consider new ways of handling personal information and this need continues. Society has embraced technology in the delivery of health services and Australians are more engaged than ever before with their health data. This change has required organisations to collaborate quickly and at a deeper level to provide consumers with key services and to create a seamless, convenient experience with choice and control over how their data is used. What has become clear over the past few years is the fundamental role that upholding privacy plays in building, and maintaining, trust.

13 Privacy issues that are not properly addressed can impact the community’s trust and undermine the success of new data initiatives. The OAIC’s Australian Community Attitudes to Privacy Survey 2020 (ACAPS) report demonstrates that privacy is fundamental to building and maintaining public trust. The report shows that privacy is a major concern for the majority of Australians (around 70%), particularly as the digital environment and data practices evolve rapidly.[5] The report also showed that 87% of Australians want more control and choice over the collection and use of their personal information, and that only 34% currently feel in control of their privacy.

14 The survey results also demonstrated there has been a general downward trend in trust since 2007. Trust in businesses in general is down by 13%, and there has been a 14% decline in trust in how the Australian Government handles personal information. Although 70% of Australians believe health service providers, including doctors, hospitals and pharmacists are either very trustworthy or somewhat trustworthy with the way they use their personal information, 60% of respondents expressed reluctance at providing medical or health information to any organisation. This highlights the sensitivity of health information and the need to ensure that the handling of this information is accompanied by robust safeguards.

15 When it comes to a government agency using the personal information that was provided to them for research or service and policy development, the ACAPS report showed that 40% of Australians are comfortable with this and 27% are not. This result is generally consistent with the 2017 survey (2% more Australians were comfortable and 3% fewer Australians were uncomfortable).

16 Public trust can be quickly lost if consumers are not confident that health providers collecting their personal information are taking reasonable steps to protect it and use it appropriately. Ultimately, people need to see the benefits and value of the use of their personal information and understand the parameters around its handling and protection. When entities provide transparency over personal information handling practices and are accountable it gives consumers the confidence that their privacy is respected, and they are more likely to be supportive of increased data activities.

17 We encourage that consideration be given to the steps that will build trust and ensure public confidence in the use of the data provided to GPs and secondary data users, even where the data will be de-identified or aggregated.

18 Amongst other things, we consider those steps to include clearly and narrowly defining the scope of what data can be shared, who can receive the data and the purposes for which the receiving entity can use the information. It may be appropriate to limit the types of personal information that recipients are permitted to combine with the data provided, or introduce purpose limitations or prohibitions to ensure that the data is being used in a fair and reasonable way. It is also crucial to be transparent and ensure that the public understand how their information may be accessed, by whom and for what purposes and what protective security measures are in place.

19 Conducting a privacy impact assessment (PIA) when developing any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of consumers will assist the Department to identify and assess the potential privacy impacts of its preferred regulatory option.[6] It will also mitigate any risks that may arise from the proposed information handling practices under the scheme.

20 Conducting and publishing a PIA may help to build public trust and confidence in respect of the collection, use and disclosure of GP data, and demonstrates a commitment to accountable and transparent privacy practices. The OAIC has published a suite of guidance materials to assist entities to undertake PIAs and implement a ‘privacy by design’ approach. These include a Guide to undertaking privacy impact assessments, a Privacy Impact Assessment tool and a Privacy Impact Assessment e-Learning course.[7]

Consent and control over data

21 The CRIS highlights various challenges in relation to control over GP data. It notes that with the movement of patient management systems (PMS) to the cloud, control of data access is likely to shift from general practices to PMS companies which would have greater control over who can access data.[8] This raises the potential for PMS companies to limit access to data, both by imposing costs on access and by controlling the data which is extracted, mapped and shared. The CRIS also points to a lack of clarity and consistency regarding ownership of GP data and how it can be used after it has been shared and analysed or modified.[9]

22 It is critical that in developing a regulatory framework to address these challenges, the Department places the individual consumer at the centre of its considerations. Doing so will help the community to continue to trust health service providers with the collection and handling of sensitive health information.

23 In particular, a data sharing framework should be founded on robust notice and consent processes. Careful consideration must be given to how consumers can exercise choice and control over their personal information – particularly, how consumers can be given notice of and exercise meaningful consent to secondary uses.

24 For consent to be meaningful, consumers need to be provided with genuine choices around how their personal information will be handled, and those choices need to be inherently fair. Meaningful consent also requires a consumer to be properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent.

25 It is also important to recognise that people’s concerns about their personal information are often granular. For example, consumers may be apprehensive about specific pieces of health information being shared or particular secondary purposes rather than have a generalised concern. Recognising this, there is value in taking a multi-layered approach to seeking consent. Rather than offering a single choice, consumers should have the option to consent (or withdraw consent) for certain types or categories of their information being used as well as the types or categories of secondary uses.

26 As part of facilitating choice and control, it will be relevant to consider what controls are available to the consumer at the time of consenting to the disclosure of their personal information and after the information has been disclosed. For example, the Consumer Data Right (CDR) scheme enables CDR consumers to provide access to data for limited purposes and time periods, includes mechanisms to withdraw consent, and confers rights to request erasure of their personal information in certain circumstances. The final Privacy Act Review report has made similar proposals that seek to improve the clarity of collection notices and consent, along with the introduction of new individual privacy rights.[10]

27 It should also be recognised that even where the proposed access mechanism is based on strong user consent, this may not provide sufficient protection for high-risk data. This is because consumers are not always able to readily assess the risks and benefits of allowing their data to be accessed and analysed by third parties in more complex circumstances or may not feel that they are able to refuse consent. This risk increases with the sensitivity of the data, vulnerability of the consumer, and where there is a lack of alternate options or pathways available.

28 In our submission to the Privacy Act Review,[11] the OAIC submitted that the burden of understanding and consenting to complicated information handling practices should not fall on individuals. The OAIC recommended establishing a positive obligation on organisations to handle personal information fairly and reasonably and to require regulated entities to take a proactive approach to meeting their obligations as the parties best equipped to understand their complex information handling flows and practices.[12] This perspective is reflected in the Privacy Act Review final report, which proposes establishing a requirement that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances. The final report proposes that this requirement apply irrespective of whether consent has been obtained.[13] This would prevent consent being used to legitimise handling of personal information in a manner that, objectively, is unfair or unreasonable.

29 Robust notice, consent and handling requirements will allow consumers to have confidence when they provide consent that—like a safety standard—privacy protection, of the highest standard, is a given.

Use of de-identified or aggregate patient data

30 As the CRIS acknowledges, while there is no legal obligation to obtain consent to use de-identified data, the sharing of such data without the informed consent of a patient risks damaging GP relationships with their patients and may give rise to GP liability if the data is ultimately misused.[14]

31 De-identification can be a valuable tool in the context of health research, allowing the utility of data to be maximised while preserving consumer privacy. Information that has undergone an appropriate and robust de-identification process is not personal information and is not currently subject to the Privacy Act.[15] This requires there to be no reasonable likelihood of re-identification occurring in the context that the data will be made available.

32 However, appropriate de-identification may be complex, especially in relation to detailed datasets that may be disclosed widely and combined with other data sets. In this context, de-identification will generally require more than removing personal identifiers such as names and addresses. Additional techniques and controls are likely to be required to remove, obscure, aggregate, alter and/or protect data in some way so that it is no longer about an identifiable (or reasonably identifiable) individual.

33 In addition, de-identification is not a fixed or end state. Data may become personal information as the context changes. Managing this risk will require regular re‑assessment, particularly if an entity receives and assimilates additional data, even at an aggregate level, through other proposed data access mechanisms.

34 It is critical that there is a robust process in place to ensure that de-identification is carried out effectively in the context of regulatory reforms to GP data sharing and handling. We caution against adopting a one-size-fits-all solution to de-identifying data, particularly health information. Each data release must be considered on its own merits, particularly given the rich and sensitive nature of the personal information collected and handled by health service providers.

35 The CRIS notes that the MHR Act has an existing legislative framework for managing consent to use de-identified data and health information from the MHR system for research and public good purposes.[16] One of the functions of the System Operator under the MHR Act is to prepare and provide de-identified data for research or public health purposes.[17] The Minister may make My Health Records Rules (MHR Rules) relating to research or public health purposes and prescribe a framework to guide the collection, use and disclosure of de-identified data and, with the consent of healthcare recipients, health information, for research or public health purposes.[18]

36 The aim of the framework is to help build public trust in the process through transparent decision making and wide sharing of the results of the secondary use of MHR data.[19] Although we note that MHR data is not yet available for research and public health purposes, the guiding principles set out in the framework are useful to guide implementation of Option 4. These include:

  1. Consumer control of data in the My Health Record system
  2. Risk mitigation strategies and imposed penalties
  3. Preparing and making data available, and data quality
  4. Monitoring and assurance processes.[20]

37 We also note that the Department is reviewing the framework and creating Rules to guide the use of My Health Record system data for research and public health purposes and suggest that these are considered when they become available.

38 The OAIC further suggests that where measures are introduced to expand or change the sharing of anonymised data sets, the relevant parties be prohibited from re-identifying the data sets as a way to manage the re-identification risk that can emerge over time. Similar protections have been contemplated by the Privacy Act Review Report, which proposed that APP entities be prohibited from re-identifying de-identified information obtained from a source other than the individual to whom the information relates, with appropriate exceptions.[21]

39 The OAIC also recommends that the Department have regard to the OAIC’s guidance on de-identification as well as the De-Identification Decision-Making Framework, produced jointly by the OAIC and CSIRO-Data61.[22]

Data security

40 The OAIC is supportive of measures canvassed in the CRIS to improve the secure handling and storage of GP data. As the CRIS acknowledges, improved security will help to create trust among GPs and consumers that their data is being used in a way that protects privacy.

41 It is important that any regulatory reforms to address the security of GP data consider leveraging existing mechanisms to counter cyber security and privacy threats. The relationship between information security and privacy is codified in the Privacy Act under well-established security obligations, particularly through Australian Privacy Principles (APPs) 1 and 11 and the Notifiable Data Breaches (NDB) scheme.

42 Under APP 1, entities must take steps beyond technical security measures in order to protect and ensure the integrity of personal information throughout the information lifecycle, including by implementing strategies in relation to governance, internal practices, processes and systems, and dealing with third party providers. This ‘privacy by design’ approach under APP 1 supports strong data security amongst regulated entities by establishing measures which prevent the misuse, interference, loss or unauthorised access to, modification or disclosure of personal information. This approach also ensures entities detect privacy breaches promptly and are ready to respond to potential privacy breaches in a timely and appropriate manner.

43 In complying with APP 11, organisations are required to take reasonable steps to protect the personal information they hold, which includes actively monitoring their risk environment for emerging threats and implementing appropriate mitigation strategies. This is a dynamic responsibility which scales proportionately to the volume and sensitivity of personal information held by an entity, the nature and size of the entity and the threat environment in which it operates.

44 The OAIC administers the NDB scheme and is responsible for receiving notifications of eligible data breaches, handling complaints and conducting investigations and providing guidance and information to regulated organisations and the community. The NDB scheme requires entities covered by the Privacy Act to carry out an assessment whenever they suspect that there may have been a loss of, unauthorised access to, or unauthorised disclosure of personal information that they hold. If serious harm is likely to result to an individual, entities must notify the OAIC and also affected individuals so they can take protective action and mitigate the harm from the breach.

45 In recognition of the special sensitivity of health information, the MHR Act makes it mandatory for certain entities to notify the OAIC and the MHR System Operator of a data breach involving the MHR system. The MHR System Operator is the Australian Digital Health Agency. The MHR Act also requires relevant entities to take a number of steps as soon as practicable after becoming aware of a MHR data breach. These steps differ slightly depending on whether the data breach has occurred or may have occurred.

46 While the Privacy Act applies specifically to the handling of personal information, in practice, strong privacy compliance is likely to uplift the data security capability of entities generally. This is because most entities collect and hold some personal information and many are likely to have information handling processes or systems that cover all types of information that they hold.

47 We encourage the Department to consider these existing requirements as it develops a framework for the safeguarding of GP data, to ensure the interoperability and consistency of any new security and reporting obligations. Australians will have greater confidence in disclosing health information to GPs and other health service providers if they know that their data is being handled and stored securely in accordance with clear and consistent data security standards.

48 To support compliance and better practice, the OAIC provides guidance on a range of security-related issues, including data breach preparation and response,[23] data breach action plans for health service providers,[24] and securing personal information.[25]

Regulatory framework

49 The OAIC supports action being taken to mitigate the potential risks raised in the CRIS in respect of governance, oversight and transparency regarding the access and use of GP data. Advances in technology have enabled GP data to be collected, stored, extracted, aggregated and analysed in novel ways that have the potential for public good such as informing government policy and public health research. However, as the CRIS identifies, these advancements, in combination with increasingly complex processes for sharing and accessing GP data, have the potential to increase the risk of data breaches and misuse of data. Additional privacy safeguards supported by clear oversight and reporting mechanisms should be considered to ensure these risks are appropriately managed.

50 Measures proposed under Option 4 of the CRIS, including the proposed introduction of strict security and storage requirements, mandatory reporting requirements, and an independent statutory body to provide oversight, have the potential to improve the consistency, quality and security of GP data, as well as the accountability and transparency of all actors who handle this data. This heightened governance, oversight and transparency will be critical in protecting information in the context of an evolving risk landscape.

51 At the same time, it is important that regulatory reforms are proportionate and avoid unnecessary duplication of requirements. We encourage the Department to consider opportunities to leverage existing regulatory requirements which apply to the handling of data.

52 The Privacy Act provides a well-established framework to minimise the privacy risks associated with personal-information handling activities. One of the objects of the Privacy Act is to provide the basis for nationally consistent regulation of privacy and the handling of personal information. The APPs promote national consistency of regulation by providing a scalable set of standards that are applicable to both Australian Government agencies and private sector organisations covered by the Privacy Act.

53 We note that the OAIC’s existing oversight functions are likely to be engaged by the reforms being considered as part of Option 4 of the CRIS. For example, the OAIC has complaint handling functions in relation to the management and potential misuse of health information, My Health Records and Healthcare Identifiers and receives notifications of eligible data breaches under the Notifiable Data Breaches (NDB) scheme and the My Health Record NDB scheme. Where there is a concern about the management of health information – about misuse or leak of data, access to health records or handling of health records, consumers will have existing avenues through the OAIC to address their concerns.

54 A strong governance framework can help ensure the processes involved in handling information for public health purposes minimise privacy and security risks. It is important that the governance arrangements in place for the sharing of GP data ensure that potential privacy challenges are considered and monitored.

55 Specific legislation may be used to impose higher or more targeted obligations than those in the Privacy Act and APPs where this is justified for high privacy risk activities. For example, the MHR system is supported by additional legislated privacy obligations in recognition of the highly sensitive nature of the personal information accessible through the system. We consider that GP data, even in de-identified form, requires similar guardrails to protect it from misuse. This is especially important given the volume of data flows and handling by multiple entities that increases privacy and mishandling risks.

56 The MHR system leverages the existing regulatory framework created by the Privacy Act, by making unauthorised collection, use or disclosure of My Health Record information an interference with privacy under the Privacy Act. Option 4 could consider a similar approach by limiting when and how health information included in a PMS can be collected, used and disclosed and making unauthorised collection, use or disclosure an interference with privacy.

57 If the Department pursues a separate legislative scheme as outlined in Option 4, we recommend the Information Commissioner have regulatory oversight of any privacy-specific aspects of the legislation. This will ensure that regulation and enforcement is clear, consistent and effective. Consistency in oversight will also help to reduce regulatory burden, for both regulators and entities captured by the legislation, by ensuring that entities do not face multiple enforcement actions from different regulators under different laws.

Conclusion

58 As noted above, we consider that privacy is integral to ensuring public trust and confidence in use of eCDS and the way GP data is managed in Australia. The handling of GP data must be subject to a robust regulatory framework that includes clear obligations for how data will be used, shared and stored.

59 The measures proposed as part of Option 4 will enhance the existing privacy framework, which will further support the Department’s vision and objectives to help improve patient outcomes, healthcare provider experience and health policy design. In further developing the framework for GP data sharing, we encourage the Department to consider existing regulatory requirements that can be leveraged to ensure that the scheme is interoperable and avoids unnecessary duplication. As we have discussed above, the ongoing Privacy Act Review is likely to have implications for any new regulatory scheme for GP data and eCDS use and should be considered through the reform process.

60 We understand that the CRIS is the beginning of a conversation rather than its conclusion and submissions to this consultation will help inform the Department’s future data activities. The OAIC welcomes ongoing engagement with the Department as it considers submissions and finalises the design of its preferred regulatory model.

Footnotes

[1] For further information about the Privacy Act Review, see Attorney-General’s Department (AGD), Privacy Act Review Report, AGD, February 2023, accessed 20 February 2023. See also, OAIC, Privacy Act Review – Discussion Paper: Submission by the Office of the Australian Information Commissioner, OAIC, December 2021, accessed 12 January 2023.

[5] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, OAIC, 2020, accessed 1 February 2023.

[6] Agencies must conduct a PIA for all high risk projects, see Privacy (Australian Government Agencies — Governance) APP Code 2017 (Cth) s12.

[10] See, AGD, Privacy Act Review Report, AGD, February 2023, accessed 20 February 2023, Chapters 10, 11 and 18.

[13] AGD, Privacy Act Review Report, AGD, February 2023, accessed 20 February 2023, Chapter 12.

[15] Note however that the Privacy Act Review Report has proposed that de-identified information be granted new protections by the Privacy Act, including in relation to security, cross-border disclosures and targeting. See, AGD, Privacy Act Review Report, AGD, February 2023, accessed 20 February 2023, pp 38-39.

[18] My Health Records Act 2012 (Cth) s109 and 109A.

[19] Department of Health and Aged Care, Framework to guide the secondary use of My Health Record system data, May 2018, accessed 10 February 2023, p. 3.

[20] Department of Health and Aged Care, Framework to guide the secondary use of My Health Record system data, May 2018, accessed 10 February 2023, pp. 4-6.

[21] AGD, Privacy Act Review Report, AGD, February 2023, accessed 20 February 2023, pp 40-41.

[22] See OAIC, De-identification and the Privacy Act, OAIC website, 21 March 2018, accessed 1 February 2023; CM O’Keefe, S Otorepec, M Elliot, E Mackey, and K O’Hara, The De-Identification Decision-Making Framework, OAIC and the CSIRO’s Data61, 18 September 2017, accessed 1 February 2023.

[23] Office of the Australian Information Commissioner (July 2019), Data breach preparation and response, accessed 6 February 2023.

[24] Office of the Australian Information Commissioner (February 2020), Data breach action plan for health service providers, accessed 6 February 2023.

[25] Office of the Australian Information Commissioner (June 2018), Guide to securing personal information, accessed 6 February 2023.