Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy, research and e-health

Speech by Timothy Pilgrim, Deputy Privacy Commissioner, to Australian Institute of Health and Welfare Conference, Canberra, 23 June 2010

pdfPrivacy, research and e-health

Introduction

Good afternoon. I'd like thank the Australian Institute of Health and Welfare for this opportunity to speak today.

Today, I'm talking to you about privacy in the health research and e-health arena. The key messages I want to give you are:

  • The Privacy Act is flexible principle-based law which provides appropriate protections for health information
  • It enables privacy to be balanced with other important interests such as health research
  • E-health initiatives should be underpinned by a comprehensive privacy framework.

Privacy plays an important role in regulating how information is handled in health and research contexts. There are a couple of reason for this. Firstly, personal information collected in a health context will be health information and as such is subject to stricter privacy rules.

Secondly, health information can often relate to very private matters like a person's sexual or mental health and their personal relationships, so they may be more reluctant to share that information, if they are not clear about how that information is going to be used or confident that it will be adequately protected.

That said, the Privacy Act recognises that privacy interests need to be balanced against other important interests such as research and the free flow of information. So while the Act sets out general rules about how information can be used, it also provides exceptions that allow personal information to be used, without consent, for research purposes. Also, while the Privacy Act has strict rules about how organisations can use identifiers, it also allows that Regulations can be made to prescribe others uses.

Even where privacy must, to some extent, give way to other interests, it still plays an important role in ensuring that appropriate privacy protections will apply to how information is used. Our Office advocates for proposals that involve the handling of personal information, that these proposals be underpinned by a comprehensive privacy framework. The four key elements in this framework: the system design, the technology measures, legislative measures and oversight mechanisms provide a solid foundation for such proposals and ensure that the privacy of personal information is protected to the maximum extent possible. This has been our consistent message to the Australian Government about its proposal to introduce a national e-health record and most recently, in relation to proposals for the healthcare identifier. 

The Privacy Act

Many of you have a good knowledge of the Privacy Act. However a quick privacy recap might be helpful in case some of you are not familiar with it. The Privacy Act regulates how personal information is handled through Privacy Principles contained in the Act. It defines personal information as:

information or an opinion whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.

The significance of this definition is that, even if information does not include a person's name, if their identity can be determined from that information - it will be personal information and will be covered by the Privacy Act.

Sensitive information is a category of personal information and includes health information. The Privacy Act imposes stricter rules about when sensitive information can be collected and how it should be handled.

Health information in the Privacy Act has quite a long definition; however, in simple terms it can be understood as relating to information or an opinion about the health or disability of an individual or information collected as part of providing a health service to that individual. It also includes genetic information about an individual. Health information is not limited to physical health so it could include information, for example, that relates to a person's psychological health.

The Principles in the Privacy Act set out general rules about how personal information should be handled. For example, generally information can only be collected if it necessary for a particular purpose and should only be used and disclosed for that purpose. However, there are exceptions to these general rules which allow privacy to be balanced with other interests. In a health context, personal information can be used and disclosed, without consent, where there is a serious and imminent threat to an individual and also for research purposes subject to certain conditions being met.

The handling of personal information for health research and statistical purposes

In particular, NPP 2.1 (d) allows for health information to be used for research purposes or for the compilation or analysis of statistics, without consent, where the research activities are related to public health or safety. However, health information can only be used or disclosed without consent under NPP 2.1(d) if:

  • the activities are related to public health and safety and cannot be undertaken with de-identified information
  • seeking consent is impracticable
  • the activities are carried out in accordance with the guidelines that have been developed by the National Health and Medical Research Council (NHMRC) and approved by the Privacy Commissioner.

Further guidance about complying with NPP 2.1 (d) can be found in our Private Health Sector Guidelines and in Information Sheet 9 entitled ‘Handling Health Information for Research and Management'. Both of these can be found on our website. Specifically, the Guidelines say that where using de-identified information would suffice, NPP 2.1(d) will not apply.The Guidelines also say that incurring some expense or effort to seek consent will not make getting consent impracticable. Some examples of where consent might be impractical are in blind trials or where longitudinal research using old records is undertaken.

The NHMRC has also developed guidelines under sections 95 and 95A of the Privacy Act which set out additional rules regarding the handling of personal information for research purposes. In particular, these guidelines require that approval must be obtained from a Human Research Ethics Committee (HREC) where health information will be used for research or compilation or analysis of statistics, without consent.

The exception in NPP 2.1(d) illustrates how the Privacy Act balances the need to protect an individual's personal information with the potential benefits to be gained through research.

ALRC review

Having given you a quick snapshot about some of the health and research provisions in the Privacy Act - I need to tell you that there are also some significant changes proposed for the Privacy Act, flowing from the Australian Law Reform Commission's (ALRC) Report 108 ‘For Your Information: Australian Privacy Law and Practice'. The ALRC's recommendations about the privacy principles and health and research were considered in the Australian Government's first stage response to this review. Some of the key changes agreed to by the Government were that:

  • a single set of privacy principles replace the NPPs and IPPs
  • the section 95 and 95A Guidelines should be harmonised
  • slight changes be made to the definitions of health information and health service in the Act, to clarify their meaning
  • the research arrangements in the Privacy Act be extended to human research more generally.

These changes will extend the circumstances in which research can be done without consent and simplify the privacy obligations the researchers have, while at the same time maintaining privacy protection for individuals. Thus, the changes balance the need for individuals to have choice and control about how their information is used for health and research purposes with that need to conduct research to develop, implement and monitor the delivery of community services.

Identifiers

As I mentioned earlier, the e-health package includes the healthcare identifier. The Privacy Act provides specific protections around the use of identifiers because identifiers raise particular privacy risks.  National Privacy Principle 7 prevents organisations from adopting identifiers as their own identifiers and strictly limits how organisations can use and disclose them. In effect these limits prevent identifiers being used by organisations for data matching and ensure that any handling of identifiers is limited to purposes that Parliament intended.

Identifiers are not inherently privacy invasive. In fact in some cases, the ability to correctly identify an individual and link them to their personal information may be extremely beneficial, and this is certainly the case for most healthcare interactions.

Despite these potential benefits, the use of identifiers also raises potential risks. Where such identifiers are used for multiple purposes and across different agencies and organisations, there is increased risk of potential privacy breaches for example through ID theft and fraud. There is also a risk that the use of such identifiers could be lead to function creep. Function creep describes a situation where information that is collected for one purpose is then used for other unintended and unexpected purposes often beyond the knowledge of the individual concerned.

For these reasons and because people consider their health information to be more private than other information, our Office has been actively involved in the development of e-health and, more recently, the healthcare identifier.

E-health and the healthcare identifier

As you would be aware, the Government has made a commitment to spend $466 million over the next two years on developing the infrastructure to enable the introduction of electronic health records.  The final details of how a national electronic health record will look are not yet available. However, in simple terms, an e-health record will identify the individual it relates to and hold some clinical information about them. Healthcare providers will able to access an individual's e-health record as part of providing the individual with healthcare.

The first stage of the Government's e-health package is the healthcare identifier and is a fundamental building block of the e-health system. It will uniquely identify and assign a healthcare identifier for all Australians receiving healthcare and all healthcare providers. The healthcare identifier will not hold any clinical information about an individual. Again in simple terms, its purpose will be to link health records accurately to the individual they belong to and to enable information to be sent securely and electronically between healthcare providers.

Despite the fact that the healthcare identifier will not hold any clinical information about an individual - there are still privacy risks that could arise if the identifier was used for unintended purposes or by unauthorised people. For that reason we recommended that a comprehensive privacy framework should underpin the introduction of the healthcare identifier.

A comprehensive privacy framework includes four key elements:

  • Fundamental system design involves setting out the essential components of the proposal. This includes clearly setting out why personal information is being collected and how it will be used and disclosed, and any consent mechanisms involved.
  • Technology measures includes determining the appropriate data accuracy and security measures required to protect the personal information that is collected.
  • Legislative measures includes having enabling legislation which prescribes the purposes for which information can be used and introduces sanctions where those provisions are breached.
  • Oversight mechanisms that provide strong accountability measures, including audit and reporting requirements and a complaint mechanism for individuals.

Privacy is not about taking a ‘one size fits all' approach. It is about assessing the privacy obligations and risks that could arise from a particular proposal in order to determine what privacy protections are appropriate for managing those risks and it is always better to build privacy into a project's design rather than to tack it on at the end.

Using the Office's Privacy Impact Assessment (PIA) Guide, you can identify the privacy risks of a proposal and develop controls to manage those risks. A PIA is also a very useful tool to use when working through the four key elements required to develop a comprehensive privacy framework for a proposal.

Now how does this model work in relation to the healthcare identifier?

  • There is enabling legislation that will establish the healthcare identifiers service and the framework that sets out how they will be assigned, and how they can be handled. This will ensure that healthcare identifiers cannot be used for expanded purposes without further consultation and Parliamentary scrutiny.
  • The purposes for which healthcare identifiers can be used or disclosed are limited, primarily to the provisions of healthcare, and clearly prescribed. However, one of the prescribed uses of healthcare identifiers is for the conduct of research that has ethics committee approval.
  • Obligations are imposed on the HI Service Operator and healthcare providers regarding accuracy and security of data.
  • There are sanctions and compliance mechanisms in place to redress the misuse of healthcare identifiers.

In particular, our Office will be able to investigate privacy complaints about the handling of healthcare identifiers, even where those relate to state government entities. As it stands, we are pleased with the privacy framework that underpins the healthcare identifiers service and we will continue to work with the Government as the e-health system develops.

Our Office has been engaging with the Government over a number of years about privacy in the e-health system, including providing a detailed submission on the E-Health Privacy Blueprint. As the e-health system expands, the privacy framework will need to evolve along with it, because different privacy risks mean different privacy responses are necessary.For example, while we accept that healthcare identifiers will be automatically issued, we believe that individuals should be able to choose whether they have an e-health record. And where an e-health record is established, access to the information held on it should be controlled by the individual, except in limited circumstances, say where there is an emergency. These and other important issues will need to be considered within the wider lens of the comprehensive privacy framework that should support the e-health system.

In Closing

In closing, the Privacy Act is about balancing privacy interests with other important community aims, such as the efficient flow of health information. In our view, it is always possible to achieve such aims in a privacy enhancing, rather than privacy intrusive, way.

Thank you.