
Consultation on the Privacy Blueprint - Unique Health Identifiers (Version 1.0); Submission to the National E-Health Transition Authority (March 2007)

Submission to the National E-Health Transition Authority

March 2007

About the Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

2. The Office welcomes the release of the Privacy Blueprint for Unique Health Identifiers - Version 1.0 ('the Blueprint').[1] In particular, the National E-Health Transition Authority's (NEHTA) early and comprehensive approach to incorporating good privacy practice into the Unique Healthcare Identifiers ('UHI') Service, and its consultation on this issue, may provide a solid basis for establishing consumer confidence in the handling of their personal information under this scheme.

3. The Office understands that the principal policy objective underpinning the UHI Service is to enable accurate identification of both healthcare providers and consumers in healthcare settings.

4. The Office has previously acknowledged the potentially important role of a unique identifier specifically for the health sector while noting privacy issues. For example, in its recent submission to the Australian Law Reform Commission's Review of Privacy ('the ALRC Inquiry'), the Office specifically noted that health care may be one context in which a unique identifier could offer important benefits. [2]

5. After discussing a number of overarching privacy issues, the balance of this submission follows the structure of the Blueprint.

Overarching privacy issues

6. The Unique Health Identifiers framework appears to raise two overarching privacy issues. These relate to each of the proposed UHI for individuals (termed the Individual Healthcare Identifier (IHI)) and to the data repository held by the UHI Organisation.

Privacy risks of unique identifiers

7. The Office has noted previously that any unique personal identifier, especially where widely held in the community, raises significant privacy risks regarding data-linking and data-matching.

8. In its recent submission to the ALRC Inquiry, the Office has discussed these risks at length.[3] The Office noted that, in most cases, data-matching or linking is extremely labour intensive, time consuming and costly. It requires specialist skills to undertake large-scale data-matching of disparate data sets not designed to be interlinked. Issuing each individual a unique identifier or number common across the range of systems is often the most efficient way to facilitate the linking of two databases.

9. However, enabling such easy and accurate data-linking could create an environment in which linking might be done excessively and without justification. Such linkages may combine personal information that has been collected for very different purposes and create rich datasets about individuals' interactions in society.

10. Given the possibility that a unique health identifier may be issued for all individuals in Australia, it becomes important to ensure that this risk is mitigated.

11. In its submission to the ALRC Inquiry, the Office commented on this issue in the context of an Individual Health Identifier. While noting the potentially important role of a unique identifier in the health context, the Office submitted that:

"…the challenge is to ensure that such a highly reliable identifier is not usurped for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined." [4]

12. A Canadian Parliamentary Inquiry provides a cautionary description of the function creep experienced by that nation's Social Insurance Number:

"Mistakenly, the private sector began to look upon the SIN as a piece of identification and property owners asked for it on apartment rental applications, video stores required it as security for movie rentals, universities and colleges requested it on their application forms and pizza places even used it as a customer number for their delivery system." [5]

13. It is to address such risks that Parliament enacted restrictions on the use of individuals' Tax File Numbers. Similarly, the policy intent of the restrictions placed on any Australian Government identifier by National Privacy Principle 7 is to respond to the risk of such identifiers becoming widely adopted.

14. This submission discusses below, at paragraphs 54-60, possible legislative measures that may be needed to appropriately limit the handling of a UHI.

Central databases - privacy issues

15. In addition to the three proposed UHIs (one for each of individuals, individual health care providers and individual healthcare organisations), the second key element of the proposal is for a single UHI Organisation to be established that will generate the unique numbers and "…collect the identification and demographic information to populate the record from a range of data sources". [6]

16. The Blueprint notes this would result in a database of personal information on all individuals in Australia, though the Office suggests that this may be somewhat less exhaustive if, as discussed below in relation to consent, individuals are given the choice as to whether or not they participate.

17. Regardless of the final consent mechanism, it would seem that the UHI Organisation could potentially hold a very large database on most, if not all, Australians and foreign residents who obtain healthcare. Among other things, it is envisaged that this database will contain names, dates of birth and current and past addresses. The Office notes that the UHI Organisation will not hold clinical information.

18. While other similarly large databases exist in Australia, such as those maintained by Medicare Australia and the Australian Taxation Office, what would seem to make this repository unique is the potential for it to be accessible to a large number of users who work in the health sector. In regard to privacy protections, users will interact with the database in different jurisdictions, some of which may have no privacy legislation.

19. This would appear to create a privacy risk should access to the database be misused or abused, particularly to locate the address of an individual for purposes unrelated to health care. Any such misuse could harm the interests of healthcare consumers, and ultimately risk undermining trust and confidence both in the UHI System and the health system more generally.

20. Given the potential for misuse, the Office welcomes NEHTA's detailed measures, outlined in the Blueprint, directed at protecting the personal information of individuals, though in some areas there may be merit in further examination as to whether the protections are fully commensurate with the risk of misuse.

21. The Office also notes that the Blueprint appears to specify only Medicare Australia as a data source, at least for the initial Individual Health Identifier (IHI) dataset. The Office would welcome further information on what other data sources may be relied upon by the UHI Organisation in the future.

Chapter 1: Introduction

22. The Office supports NEHTA's view that "privacy perceptions of the Australian community… play a major role in ensuring the success of e-health systems" and that "NEHTA's initiatives will only be successful if they meet community expectations regarding privacy".[7] The Office has, for example, expressed similar views on related areas in its previous submissions to the Australian Government Department of Health and Ageing regarding the former HealthConnect initiative. [8]

23. The Office welcomes the Blueprint's multi-faceted approach to the consideration of privacy in the UHI Service, which incorporates analysis in the areas of law, technology, governance and accountability, safety net processes and culture.[9] This approach is similar to the Office's four-part privacy framework, comprising system design, technological measures, legislation and oversight mechanisms.[10]

24. A primary distinction between the Office's framework and that proposed in the Blueprint is that the former highlights the important role of ensuring that system design gives adequate regard to good information privacy practices, including in regard to such fundamental matters as what information is collected and why. The Office notes that while this is not prescribed in the Blueprint's framework, the importance of good system design is recognised elsewhere in the Blueprint, such as at section 4.4.

25. The Office is also encouraged by the emphasis on addressing privacy, both at the earliest stages of the project, and progressively throughout the project, including through a full Privacy Impact Assessment (PIA) which the Office understands is scheduled to commence in the first half of 2007. [11] The Office has developed a Privacy Impact Assessment Guide, which is available from the Office's website, part of which is reproduced in Appendix B of the Blueprint. [12]

Chapter 2: Unique healthcare identifiers

26. The Office notes the description of the proposed UHI Service provided in Chapter 2 of the Blueprint.

Chapter 3: Mapping information flows against privacy principles

27. The Blueprint notes the absence of uniform national privacy regulation and states that, at this stage, it has not been decided whether the UHI Organisation will be a public or private sector organisation. [13] Given this, NEHTA takes the approach of assessing the UHI Service against a generic set of privacy principles intended to reflect the "shared sources of most Australian privacy laws". The Office welcomes this mapping exercise as an effective way to identify potential privacy issues, both in regard to legal compliance and in the context of good privacy practice, though it notes the limitations that apply in the absence of a decision on the legal basis of the UHI Organisation.

28. Where appropriate, the Office provides comment below on elements of the mapping exercise.

Collection

29. The Blueprint states, at page 16, that:

"Clear purpose statement and collection notices contribute to discharging collection obligations by establishing that such information is necessary for an organisation to carry out its functions and activities."[14]

30. The Office would advise some caution in terms of this statement, as it could lead to a situation where an organisation may collect information for any purpose, so long as it is specified in the collection notice.

31. Collection notices provide individuals with information, and may establish expectations, regarding the uses and intended handling practices which will apply to their information. However, it seems less arguable that, in the absence of an objective basis, they establish that a given collection is 'necessary' within the meaning of the Privacy Act.

32. In addition, the question of what is a valid function or activity of an organisation is also important. The Office addressed this issue in its recent submission to the ALRC Inquiry, noting that currently, both the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs), contained in the Privacy Act, require that collection be necessary for a purpose, though each leaves open the degree to which the purpose itself is legitimate. [15] The Office concurred with the ALRC's issues paper that neither set of principles requires the legitimacy of the purpose of collection of personal information to be determined objectively. Generally, this is less problematic in the case of agencies, which have purposes defined in their enabling law.

33. The Office has suggested that "the legitimacy of the purpose of collection might be strengthened by the introduction of a 'reasonable person test' to the collection principle. In this way the collection principle might specify that an organisation may only collect personal information for purposes that are reasonable where 'reasonable' means 'what a reasonable person would consider appropriate under the circumstances'". [16]

Use and Disclosure

34. The Blueprint describes a number of purposes for which personal information collected by the UHI Organisation may be used or disclosed. These are:

  • for the primary purpose of accurate identification of individuals and providers across all health settings;
  • for a directly related secondary purpose that is within the reasonable expectations of the community, such as "…administrative (or quasi-clinical) processes, such as sending vaccination reminder letters or organising home visits"; or
  • in accordance with a lawful authority or an individual's consent. [17]

35. As the primary purpose of collection by the UHI Organisation would be "the accurate identification of individuals across all healthcare settings",[18] the Office suggests that it may be helpful to further consider the question of directly related secondary purposes to ensure that possible secondary uses would be likely to meet the "directly related" test. This issue could be usefully progressed in future Privacy Impact Assessments.

36. The Office has previously provided guidance on the meaning of "directly related purpose". For example, the Guidelines to the National Privacy Principles explain that:

"To be related, the secondary purpose must be something that arises in the context of the primary purpose. If personal information is sensitive information the use or disclosure must be directly related to the primary purpose of collection. This means that there must be a stronger connection between the use or disclosure and the primary purpose for collection." [19]

37. In addition, the Office's Guidelines to Information Privacy Principles 8-11 explain that:

"'Directly' means that there needs to be a close relationship between the purpose of the use and the purpose for which the personal information is obtained in the first place. A directly related purpose is one which is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. If the related purpose is administrative, it must be one that people would reasonably expect to be associated with the original purpose." [20]

Data Quality

38. The Blueprint envisages that IHI records will be created by transferring data from Medicare Australia's databases.[21] The Office notes the findings of a 2004 audit of one Medicare Australia database, the Medicare enrolment database, which found that "…the database is sufficiently complete, accurate and current to support the effective administration of Medicare".[22] However, this same audit also noted that there were some inaccuracies, which, while not significant enough to hamper the administration of the benefits program, may have implications for UHIs.

39. The Office suggests that data cleansing of the migrated data may need to be a significant, though currently unstated, element of the data quality framework described in section 3.6. The Office would need more information on whether data cleansing will occur before being able to comment further.

Anonymity

40. The Office welcomes the recognition that anonymity in healthcare will, in some circumstances, facilitate improved healthcare outcomes for individuals and in terms of public health. The Blueprint acknowledges that some health services, such as sexual health and drug and alcohol treatment, may be conducted without the need for individuals to identify themselves. The Office welcomes the statement in the Blueprint that such health services would not use the IHI in their dealings with clients.

41. The Office suggests, however, that the option for an individual to seek treatment without identifying themselves through the provision of their IHI could extend to other health services. Individuals may consider other health services to be particularly sensitive, and should be able to choose when they use their IHI.

Identifiers

42. National Privacy Principle (NPP) 7 limits the adoption, use or disclosure of identifiers issued by the Australian Government. For example, an Australian Government identifier may not be adopted as an identifier by private sector health service providers.

43. As noted in the Executive Summary of the Blueprint, whether the UHI Organisation is a public or private sector entity will have significant bearing on which, if any, privacy regulation applies. If the UHI Organisation is not a Commonwealth agency, then it would seem likely that NPP 7 may not apply to any unique identifiers issued by it.

44. Alternatively, the Office notes that if the issuing body is an Australian Government entity, then NPP 7 would likely apply to how the IHI is handled by private sector health service providers. However, such regulation would not apply to state and territory governments given their exemption from the Privacy Act. Given the significant role of state and territory governments in delivering health care in Australia, the identifier could be widely adopted without being subject to appropriate regulation.

45. The Office has noted above (see paragraphs 7-14) the significant privacy risks of unique identifiers. These risks, together with the jurisdictional uncertainties described above, highlight the potential value of providing specific legislative protections for any IHI, which would apply to all potential users and uses.

Governance and Legislation

Complaint Handling

46. The Blueprint notes that an internal complaints process would be integrated with the governance of the UHI Service.[23] The Office supports the creation of an internal complaint handling mechanism as a precursor to seeking redress from a Privacy Commissioner or other appropriate regulator.

47. However, the Office notes that there may be tensions that arise from the same oversight body setting the rules for matters such as access and consent arrangements, and fulfilling its role as an 'independent complaints handling body'. NEHTA may wish to consider whether the separation of these functions will result in greater confidence in the complaint handler's independence.

48. A particular issue may emerge where an alleged breach occurs in an entity outside of the Privacy Act's jurisdiction, such as in a state government health service. This would be additionally problematic if the breach occurred in a jurisdiction without privacy regulation. While administrative measures by the UHI Organisation may offer some remedy to affected individuals, it would be unclear whether such remedies would be able to be enforced by the individual in the absence of a privacy or similar regulator.

49. In regard to the application of the Privacy Act and other existing regulatory regimes, it is the Office's view that existing external regulatory and complaint handling bodies should be mandated to investigate complaints to the extent that their jurisdiction provides.

50. The Office maintains its previously expressed view that it was the Parliament's intent when enacting the Privacy Act 1988, and subsequent amendments, that to the degree permitted by the legislation there should be consistency in the regulation of privacy in the Australian Government public sector and the private sector including by making this Office the regulatory body for privacy issues.

51. Accordingly, the Office should retain jurisdiction for privacy complaints and audits emerging from the UHI Service to the extent such matters fall within its jurisdiction. To do otherwise would increase regulatory complexity, in that privacy complaints may be investigated by different regulators (or by none) depending on the type of body that is alleged to have committed the breach.

52. The Office also notes that the creation of an additional regulatory body would not be consistent with Australian Government policy advocating the non-proliferation of regulatory agencies and the promotion of less-complex, stable and predictable regulatory environments. [24]

53. Finally, in the Office's view it would be more efficient and effective for existing bodies to use their existing regulatory functions rather than for government to establish a new body. Such an approach would ensure that existing expertise is effectively leveraged while avoiding unnecessary duplication.

Legislation

54. The Office welcomes NEHTA's intention to introduce legislation containing specific provisions, including sanctions and remedies, governing the UHI Service. [25]

55. Dedicated legislation will address the need for consistency of privacy protections. As the Blueprint states, Australia currently has an array of health privacy regulation across several jurisdictions.[26] Many State or Territory jurisdictions have their own legislation or administrative policy arrangements applying to their public sectors and, in some cases, health privacy regulation applying in the private sector alongside the Privacy Act. Some States have no privacy regulation in relation to their public sector.

56. The lack of uniform privacy regulation means that it is important that nation-wide projects, particularly those which involve personal information, or potentially sensitive information of a large number of Australians, such as the UHI Service, benefit from dedicated, project-specific legislation ensuring that consistent privacy protections apply regardless of jurisdiction.

57. While the Privacy Act gives a sound foundation, the protections it affords are principle based and technology neutral, rather than drafted prescriptively to meet privacy risks posed by specific projects such as the UHI Service.

58. The protections that apply to tax file numbers provide a good example of more prescriptive privacy protections that apply to a widely held identifier, in recognition of the heightened privacy risks.[27] These protections add to those provided in the IPPs, which apply to Commonwealth government agencies, and the NPPs, which apply to most private sector organisations.

59. As the Office has previously stated in relation to the HealthConnect initiative, specific legislation would merit containing:

  • Provisions setting out primary uses of data;
  • A designated authority and process for approval of secondary uses of data;
  • Consent processes;
  • Audit and mandatory reporting requirements; and
  • Sanctions and complaint mechanisms (including a right of recourse to the Privacy Commissioner). [51]

60. The Office would welcome the opportunity to comment upon draft legislation.

Chapter 4: Key issues

61. In addition to analysis against generic principles, the Blueprint also sets out a broad policy approach to privacy for the UHI Service.

62. The Office has some concerns about issues raised in section 4.1 of this Chapter.

63. The Office notes that in some instances the Blueprint appears to assume that gains in organisational objectives are invariably offset by compromises in privacy.

For example, the first paragraph of section 4.1 states:

"NEHTA's privacy analysis must balance the improved practice and security that a more systematic approach to healthcare identification brings, against the potential privacy risks that arise from the UHI approach." [28]

64. The Office believes that the provision of healthcare (including associated identity management functions, such as proposed by the UHI Service) and the protection of privacy need not be mutually exclusive and opposed. When appropriately implemented, good privacy practice can underpin effective healthcare, including by ensuring that information is accurate and that the right information about the right individual is provided only to those who need to know. The Office believes that the implication that there must always be a trade-off between privacy and achieving efficient outcomes misstates the relationship between the two.

65. The second paragraph of section 4.1 (beginning, "A number of privacy risks…") points to existing privacy risks in the Australian health services system. This and the following paragraphs explain that a unique identifier could assist in mitigating these existing risks. While this may be accurate, the Office notes, as discussed in paragraphs 7-14 above, that unique identifiers raise particular privacy risks of their own regarding the degree to which they may facilitate the linkage of disparate data sources. These risks do not appear to be reflected in section 4.1, or elsewhere in the Blueprint.

66. The Office notes that paragraph 6 of section 4.1 appears to envisage a generic public interest test for interpreting key compliance concepts such as reasonableness and practicability:

"Just as for managing other legal compliance issues, complying with privacy law can prompt the application of tests of reasonableness or practicality. Decisions on what is reasonable or practical in relation to a particular e-health initiative are essentially threshold decisions. These decisions may use a test of balancing an individual's right to privacy against competing public interests in the free flow of information." [29]

67. The Office has previously taken the view that, in the handling of sensitive information in the health context, tests of reasonableness and practicability should be applied in such a way as to afford strong protections to this type of personal information. For example, in regard to data security, the Office has held that the "reasonable steps" required by organisations to secure health information should entail robust protections that may be in excess of those that are reasonable for less sensitive forms of personal information.

68. Finally, the Office notes that page 22 of the Blueprint states:

"The privacy principles are intended to provide a framework for the responsible collection and handling of personal information, rather than a prescriptive set of rules to be obeyed." [30]

69. While the Privacy Act does provide broad, principle-based regulation, the Office is concerned that describing the principles in this way may give an incorrect impression that organisations do not have obligations to comply with the Privacy Act.

Consent and notification

Key Questions

  1. How best to manage consent requirements around the initial use of Medicare Australia's information systems?
  2. Whether certainty around the legitimacy of that use is best achieved through seeking to meet current consent requirements or whether legislative support is preferred?
  3. How should individual consent be managed when enrolling people in the UHI Service? NEHTA presents three options, discussed in more detail below:

    1. An "opt in" system whereby each individual provides express consent to participate in the IHI.
    2. An "opt out" system whereby each individual is presumed to participate in the IHI but is given an opportunity to opt out.
    3. "Lawful authority and notice", whereby specific legislation is developed to support the IHI, enabling the creation and distribution of the identifiers in accordance with the requirements of that law.

    The Blueprint seeks comment on the models outlined above.

  4. Are there any other issues NEHTA should take into account in relation to this topic? [31]

70. The Blueprint states that the UHI Service is based on the premise that the initial collection of data will be obtained through Medicare Australia, which will be assigned the task of meeting consent and notification obligations. [32]

71. In regard to consent generally, the Office has consistently held the view that the decision to permit personal information to be handled in an electronic health context should be subject to the individual's express consent. That is, consent should not be implied by the failure of an individual to act to 'opt-out' of an engagement. [33]

Option 1 - Express consent through 'opt-in' mechanisms

Communication strategies for seeking express consent

72. In regard to option 1 (express consent or 'opt-in'), the Office notes that the Blueprint envisages that an opt-in model requires direct communication with each individual:

"Medicare Australia would need to contact every individual concerned and explain the IHI in sufficient detail…" [34]

73. The Office is of the view that this is not necessarily the case. An alternative express consent model may be based on community education and promotion, essentially inviting individuals to enrol in the UHI Service either directly, or via a healthcare provider. Provided that this publication contained detail sufficient to inform individuals about the proposal, it may be possible to meet consent requirements through this means.

Using Medicare Australia enrolment data to seek consent

74. Medicare Australia, as an Australian government agency, is bound by the IPPs. IPP 10 provides that agencies must not use the personal information that they hold for purposes other than the purpose for collection, unless:

  • the individual concerned has consented;
  • the use of the information is required or authorised by or under law; or
  • the purpose for which the information is used is directly related to the purpose for which the information was obtained.

75. The Blueprint acknowledges that the purpose of creating a national identification service is not the purpose for which the information was collected by Medicare Australia. [35]

76. The Office has not put forward a view as to whether Medicare Australia could use personal information it has collected for the purpose of processing Medicare benefits claims, for the secondary purpose of contacting individuals to seek their consent to participate. The Office would welcome the opportunity to discuss this matter further with NEHTA and Medicare Australia if this approach were to be pursued.

Elements of consent

77. In discussing an express consent model, the Blueprint states that "…responsibility for meeting informed consent requirements would lie with individual Australians rather than Medicare Australia…" In contrast, the Blueprint suggests that:

"under an opt-out model… responsibility for meeting the informed consent requirements lies with the organisation (i.e. Medicare Australia) rather than the individuals themselves." [36]

78. The Office is unsure of the validity of this characterisation. The Office's Guidelines on Information Privacy Principles 8-11 [37] explain that if an agency wants to rely on consent provisions to use or disclose personal information, then the agency must be able to show that the person the information is about:

  • is accurately informed of what they are consenting to; or
  • can reasonably be assumed to understand what they are consenting to, at the time they consent; and
  • the person the information is about must freely consent to the use or disclosure.

79. Accordingly, regardless of whether an express or implied model of consent is pursued, an agency would be required to establish that it had taken reasonable measures to ensure that the consent was valid.

80. The Office reiterates its view that requiring an active and informed decision by an individual, by providing a clear expression of consent, is the most appropriate model for the handling of personal information in the health context. The Office suggests an opt-in model for enrolments in the UHI Service merits further consideration. The Office recognises the potential benefits of the UHI Service in terms of improved communication, but it is not clear that these benefits justify taking steps to avoid having to obtain consent to participate in the UHI Service.

Option 2 - Implied consent through 'opt-out' mechanisms

81. As suggested above, the Office would be less inclined to support an 'opt-out' mechanism for individual inclusion in the UHI Service, whereby consent was implied by the absence of an individual taking some step to express an objection.

82. The Office reiterates its comments above concerning the responsibility of agencies to ensure that consent is fully informed and freely given (see paragraphs 77-79).

Option 3 - Enabling legislation for the creation of IHIs

83. The Blueprint discusses options regarding express and implied consent, but then appears to favour the certainty offered by legislative authorisation for the disclosure of the information by Medicare Australia, and the subsequent creation of IHIs. [38]

84. The Office considers that the better privacy practice involves ensuring that individuals are informed and agree to their participation in the UHI Service. Where individuals are empowered to make fully informed choices about the handling of their personal information, they will have greater confidence in the protection of their information, and are more likely to participate in the UHI Service.

85. If the UHI Service proceeds on the basis of legislative authorisation, the Office suggests that it would be important for there to be compensatory privacy measures implemented. For example, if all Australians will have an IHI, then the use of the IHI should be based on express consent. As NEHTA recognises, consent is crucial in ensuring that individuals "feel that they exercise a degree of control over the collection and handling of their personal information and that there is transparency about proposed uses and disclosures of that information." If an individual is denied control over whether an IHI is created for them, they should have control over whether the IHI is ever used to identify them, as well as whether the associated information can be accessed by other parties.[39]

Voluntary participation

86. The Office welcomes the Blueprint's statement that participation in the UHI Service is voluntary and not a prerequisite for receiving healthcare. [40] Further, individuals should be free to decide whether they wish to use the IHI in any particular interaction with healthcare service providers, or in relation to any particular episode of treatment.

87. The policy intent that use of the IHI is not a precondition for health care services could be supported by measures such as specific legislation enshrining individual choice, as well as education programs for the healthcare providers and individuals, which explain that the IHI is underpinned by voluntary participation.

88. The Office also suggests that care needs to be taken in system design to ensure that healthcare administration continues to function effectively for individuals who do not participate in the UHI Service.

Ongoing enrolments

89. After the initial enrolment phase, it is envisaged that the UHI Service will commence directly enrolling individuals (for example, people born after the initial transfer from Medicare Australia).[41] The Office would welcome further detail on the intended consent arrangements regarding the collection of information for enrolment in the UHI Service and creation of an IHI in these circumstances.

Authorised access

Key Questions

1. Are the Blueprint's policies and strategies with regard to access arrangements adequate?
2. NEHTA is specifically seeking feedback on the appropriate balance to be struck for the breadth of HPI-O access rights for healthcare activities.
3. Other issues requiring consideration for non-healthcare provider access policies include:
  • Certification processes for the HPI-O, requiring an authentication mechanism to enable audit function for access by healthcare administrators. It should be noted that administrators must meet the same authentication requirements as will be required for providers.
  • Clear allocation of liability and responsibility for the acts of administrators and the development of a privacy protective culture in provider organisations that wish to take part in the UHI Service.
4. Are there any other issues that NEHTA should take into account in relation to this topic?

90. The Blueprint notes that members of treating teams and administrative staff are likely to make use of the UHI Service as part of their employment.[42] The Office recognises that providing high-quality health services increasingly involves sharing information across care-teams. For detailed comment on the privacy implications of this activity, please refer to the Guidelines on Privacy in the Private Health Sector.

91. A key privacy concern here is the risk of function-creep, whereby access to IHI records may be incrementally expanded for purposes increasingly unrelated to the provision of health care. The primary purpose of the UHI Service is accurate identification of individuals and health service providers, which contributes to efficiency of both coordinated care and health service administration.

Non-healthcare provider access

92. The Office is particularly concerned about access to individuals' contact information, especially address details. As discussed in paragraphs 15-21, there is potential for the repository retained by the UHI Organisation to be a near whole of population database of names and contact details, made widely available through the health sector.

93. The Office also notes that non-healthcare providers will not be issued identifiers, but rather will gain access through the Health Provider Identifier for their employing organisation. This may reduce the deterrent effect of being able to specifically identify an individual who may inappropriately access the repository.

94. The Blueprint invites views on appropriate role-based controls for non-health care providers.

95. In the Office's view, this issue requires careful consideration of the primary function of the UHI Service. As the Office understands it, for individuals, the UHI Service is primarily intended to ensure that clinical information can, subject to meeting any privacy obligations, be shared between health service providers for the purpose of providing health care.

96. The Office is less convinced that administrative functions are of sufficient importance to justify access to individuals' address details through the UHI Service. The benefits of such a facility may not be proportionate to the privacy risks it entails. Accordingly, the Office suggests that further consideration could be given to whether address details should be made available in circumstances where the user may not be able to be held accountable for their handling, and where they may not be required for the delivery of a health service to the individual.

97. As discussed below, given the risks of making such information widely available through a disparate system, the Office is unsure whether address details should be collected at all by the UHI Organisation.

98. If address details are required for the purpose of identifying an individual, then access to such information by non-healthcare providers should be limited to those individuals who can satisfy the UHI Organisation that they have a compelling reason for requiring that information. The Office suggests that an additional category of UHI could be established for those non-healthcare providers who may demonstrate a need to access address details. Such a mechanism would allow access to be monitored and for individuals to be personally held accountable for their handling of address information.

99. The Office welcomes NEHTA's identification of the importance of privacy protective culture,[44] and would welcome further detail on what measures will be taken to establish and maintain the culture of the participants and users of the UHI Service.

UHI data fields

Key Questions

1. Will the proposed data fields be capable of meeting privacy requirements around necessity and proportionality?
2. Do any of the proposed data fields raise specific privacy problems that will not be mitigated by NEHTA's approach as outlined above?
3. Are the proposed mitigation strategies sufficient? Are there any other positive steps that could be taken to enable access to information while ensuring that 'sensitive' information is protected?
4. Are there any other issues NEHTA should take into account in relation to this topic?

100. The Blueprint states that the proposed data fields for the IHI record are: first name, surname, date of birth, sex, home address, home telephone number, mother's original surname, birth plurality, birth order, date of death, and three entries of home address history. The Blueprint states that the above level of detail is consistent with international and Australian standards. [45]

101. The Office notes that the relevant standard is AS 5017-2006: Health Care Client Identification (the Standard). Significantly, the Standard purports to prescribe "only the minimum dataset required for unambiguous identification." [46]

102. It appears that the Standard does not prescribe or require the collection of all of the items of personal information listed above; rather, it provides those categories of information as options to be used where appropriate, and in particular where a primary identifier (eg, name) is not sufficient. The Standard states: [47]

"This section describes nine additional data elements… that may be used, where relevant, to maximize the likelihood of positive identification of health care clients... These data should only be collected where required for the identification of the client."

103. As discussed above, the Office is unsure, given the privacy concerns, whether address details should be collected by the UHI Organisation, unless strict access restrictions are imposed. In this regard, the Office would welcome further information as to whether other data items, such as name and date of birth, would be sufficient to reliably identify an individual. This would leave health service providers free to collect address details directly from individuals for inclusion in local clinical information systems for their own administrative purposes.

104. If address details are deemed a necessary field for identifying an individual and retrieving an individual's IHI, the Office submits that individuals should be permitted to withhold it, or make it available to only selected health service providers.

105. The Office notes that NEHTA has engaged an independent healthcare standards expert to analyse the proposed data fields, and looks forward to seeing the recommendations that follow this analysis and the decisions regarding what information is considered necessary for the UHI Service.

Masking Information

106. The Office notes that there are specific privacy issues surrounding some types of personal information. The Blueprint acknowledges that individuals with protection or restraining orders in force merit special consideration in relation to masking their record. These concerns are also likely to impact on the individual's willingness to have their home address and telephone number included in their IHI record.[48]

107. As suggested above in paragraph 104, given the possible privacy risks of making individuals' addresses widely available, there may be merit in broadening the masking facility to permit individuals to choose to mask their home addresses in any circumstances, without the necessity of having a protection or restraining order.

Structure of the IHI Record

108. The Office notes that the Blueprint envisages a tiered structure for the IHI and HPI-I, whereby the unique identifier number will be associated with:

  • A summary record: identifier, name, date of birth;
  • An identification record: summary record information, plus further identifying information such as address; and
  • A demographic record: identification record information, plus additional data fields such as mobile phone number.

109. The Office welcomes the tiered structure as an integral privacy protection built into the design process and releasing "the minimum amount of information required for matching purposes."[49]

110. The Blueprint states that the three tiered structure provides functional limitation, and segregates parts of the record holding different, and more detailed, personal information. However, it goes on to say that this structure will not prevent providers accessing the full record should it be required. It is not immediately clear how this enhances the privacy of the record if there are no limitations on access to the additional layers of information.
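The following is an added illustration of the design point in paragraphs 108 to 110, and is not code from the Blueprint, NEHTA or the Office. It models the three-tier record as nested field sets, makes the tier a role may receive a matter of policy rather than a per-request choice (so there is no "full record if required" path), honours an individual's decision to mask a field (paragraph 107), and writes every access attempt, granted or refused, to an audit trail that names the individual staff member and not only their organisation (paragraphs 93 and 113). The field names, roles, the role-to-tier table and the sample record are assumptions made for the example.

```python
"""Tiered release of an identifier record under role-based access, with an audit trail.

Added illustration only; not code from the Blueprint, NEHTA or the Office. Field names,
roles, the role-to-tier policy and the sample record are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Tiers in increasing order of detail; each is a superset of the one before it (para 108).
TIER_ORDER = ["summary", "identification", "demographic"]
TIER_FIELDS: Dict[str, Set[str]] = {
    "summary": {"ihi", "name", "date_of_birth"},
    "identification": {"ihi", "name", "date_of_birth", "address"},
    "demographic": {"ihi", "name", "date_of_birth", "address", "mobile_phone"},
}

# Hypothetical policy: the most detailed tier each role may receive (None: no access).
# Widening a role's access is a policy change here, not a per-query option (para 110).
ROLE_MAX_TIER: Dict[str, Optional[str]] = {
    "treating_clinician": "demographic",
    "practice_admin": "summary",
    "external_researcher": None,
}


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user_id: str   # the individual staff member, not only their HPI-O (para 93)
    hpi_o: str
    role: str
    ihi: str
    tier: str
    outcome: str   # "released", "denied:role" or "denied:unknown_ihi"


class IhiRepository:
    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        self._records = records                 # ihi -> full record
        self._masked: Dict[str, Set[str]] = {}  # ihi -> fields the individual has masked
        self.audit: List[AuditEntry] = []

    def mask(self, ihi: str, fields: Set[str]) -> None:
        """Record the individual's choice to withhold fields (para 107); the ihi itself stays."""
        self._masked.setdefault(ihi, set()).update(fields - {"ihi"})

    def release(self, ihi: str, user_id: str, hpi_o: str, role: str,
                tier: str) -> Optional[Dict[str, str]]:
        """Return the requested tier if the role permits it, else None. Every attempt is logged."""
        if tier not in TIER_ORDER:
            raise ValueError(f"unknown tier: {tier!r}")

        def log(outcome: str) -> None:
            self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         user_id, hpi_o, role, ihi, tier, outcome))

        max_tier = ROLE_MAX_TIER.get(role)
        if max_tier is None or TIER_ORDER.index(tier) > TIER_ORDER.index(max_tier):
            log("denied:role")
            return None
        record = self._records.get(ihi)
        if record is None:
            log("denied:unknown_ihi")
            return None
        allowed = TIER_FIELDS[tier] - self._masked.get(ihi, set())
        log("released")
        return {k: v for k, v in record.items() if k in allowed}

    def access_history(self, ihi: str) -> List[AuditEntry]:
        """What the individual sees when reviewing access to their own record (para 113)."""
        return [e for e in self.audit if e.ihi == ihi]


# Constructed sample record; the identifier and every detail are made up.
SAMPLE_RECORDS = {
    "IHI-0001": {"ihi": "IHI-0001", "name": "Jane Citizen", "date_of_birth": "1970-01-01",
                 "address": "1 Example Street, Sampletown", "mobile_phone": "0400 000 000"},
}


def demo() -> List[str]:
    """Run a few accesses against the sample record and return the audit outcomes in order."""
    repo = IhiRepository(SAMPLE_RECORDS)
    repo.mask("IHI-0001", {"address"})
    repo.release("IHI-0001", "staff-17", "HPIO-42", "treating_clinician", "demographic")
    repo.release("IHI-0001", "admin-3", "HPIO-42", "practice_admin", "identification")
    repo.release("IHI-0001", "admin-3", "HPIO-42", "practice_admin", "summary")
    repo.release("IHI-0001", "res-9", "HPIO-77", "external_researcher", "summary")
    return [e.outcome for e in repo.access_history("IHI-0001")]


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the privacy argument: the policy table, not the requester, decides how much of the record is released, so the tiers actually limit disclosure; and the refusals are logged alongside the releases, so a pattern of over-reaching requests from one user is visible to the individual and to the UHI Organisation even though no information left the system.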

111. As noted above, the information contained in the demographic record is described as that which "may not have been essential to accurately identify an individual, but are required to provide safe and high quality healthcare."[50] This objective appears different to the stated primary purpose of the UHI Service, that being to identify individuals in healthcare settings. As suggested above in paragraphs 95-98, it is unclear from the Blueprint whether the collection and availability of address details for purposes other than the direct care of the individual offers benefits that are proportionate to the privacy risks.

Audit functions

Key Questions

1. Clear business rules and privacy policies will be critical to the management of the UHI Service's audit and search functionality. Is this sufficient?
2. Would it help promote confidence and trust in the UHI Service if Audit & Accountability Checklists were published, clearly outlining the UHI Organisation's approach to auditing?
3. Are there any technical solutions available to mitigate the potential privacy risk associated with auditing individuals' use of the audit function?
4. Are there any other issues NEHTA should take into account in relation to this topic?[51]

Forms of audit functionality

112. The Blueprint identifies two forms of audit functionality which may be employed for the UHI Service:

  • auditing access to individuals' IHI records by health service provider staff ('auditing staff access'); and
  • auditing individuals' access to their own IHI records ('auditing individuals' access'). [52]

113. As the Blueprint acknowledges, auditing staff access is a key accountability measure, but it should not be the primary accountability measure. This form of transaction record can confer significant privacy benefits, and engender confidence in the integrity of the UHI Service, and the information held within it, by allowing individuals to monitor access to their personal information. [53] Auditing the provider may also serve to detect and deter inappropriate access.

114. The Office reiterates its concern that the inability to specifically identify individual non-healthcare providers may reduce the value of auditing as an oversight mechanism.

115. The Office welcomes NEHTA's recognition of the privacy risks attending auditing individuals' access. This activity may allow monitoring of an individual's behaviour, and may result in judgements being made regarding the individual's pattern of access.

116. At the same time, there may be value in such audit trails being available, particularly where an individual makes changes to their own record. Accordingly, the Office suggests that it may be more useful to focus on the purpose for which individuals' audit trails may be used, and by whom, rather than simply proscribe their creation.

Privacy solutions

117. While technical measures may mitigate some of the above risks, the Office is concerned that preventative design features may be circumvented. For example, it may be possible to bypass audit trails if there are no technical or organisational protections to prevent printouts of IHI records being used or disclosed for unauthorised purposes, or to prevent electronic copies being created and distributed in an unauthorised manner. It may be effective and appropriate to address the risk of this behaviour in legislation.

118. In the interests of transparency, the Office sees merit in publishing Audit and Accountability Checklists.[54] Such measures are consistent with an organisation's obligations under NPP 5 (Openness), which requires organisations to communicate their policies and practices for handling personal information.

119. Additionally, the Office notes that audit is a post-facto form of oversight. While it may provide a useful deterrent effect, and may hold individuals accountable for the misuse of personal information, auditing needs to be undertaken in conjunction with proactive privacy protection measures.

Masking and pseudonymity

Key Questions

1. NEHTA is examining current approaches to masking and pseudonymity in settings such as government administration of personal information databases and also the banking and finance sector to determine best practice approaches for the UHI Organisation to adopt. What model would best suit the requirements of the UHI Service?
2. Requirements to manage sensitive circumstances for unique identifiers are interrelated with privacy management for any future Shared EHR services. It should be noted that the IHI will act as a key to an individual's Shared EHR and as such, will be directly associated with it. Does the relationship to a potential future Shared EHR service warrant additional consideration at this point?
3. Are there any other issues NEHTA should take into account in relation to this topic?

Policy settings

120. The Blueprint expresses that the development of the architecture of the UHI Service allows for the consideration of various models for masking and pseudonymity. The Office welcomes the consideration of these privacy-enhancing measures.

121. The Blueprint states that anonymity is inconsistent with the objectives of the UHI Service.[55] While identification is clearly fundamental to the UHI Service, individuals should be able to seek healthcare anonymously if they choose. As recognised in the Blueprint, an individual may not wish to disclose their identity when seeking treatment for certain types of condition, such as sexual health matters. However, it is possible that this treatment, or other, similarly sensitive treatments, may be sought from a General Practitioner. The Office recommends that individuals have the option as to whether they choose to utilise the UHI Service for a particular matter (see paragraph 86).

122. There may be other individuals who wish to interact through the UHI Service, but who do not wish their identity to be widely known.

123. The Office understands that masking entails attaching access restrictions to sections of an individual's record.[56] Alternatively, pseudonymity allows an individual to operate under an assumed identity, while the link with their true identity remains protected information.[57]

124. The policy intent of pseudonyms may be frustrated if there is a record attached to the pseudonym which allows for the individual's identity to be discovered. If, for example, the pseudonym record contains an individual's biographical information (such as postal address), it may be easy to match the pseudonym with the individual's true identity. This may be particularly the case in small or regional communities, where biographical information such as postcode, combined with known details of the health condition, may be sufficient to re-identify that individual. Issues associated with re-identification are discussed below at paragraph 164.

125. These risks further emphasise the need to limit the biographical information contained in the data fields.
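The re-identification risk in paragraphs 124 and 125 can be measured rather than asserted. The block below is an added illustration, not code from the Blueprint, NEHTA or the Office: for a chosen set of quasi-identifying fields it counts how many pseudonymous records share each combination of values (the "k" of k-anonymity) and lists the pseudonyms that are unique on those fields, then shows that coarsening the postcode, or dropping it from the stored fields, removes the uniquely identifiable records. The records, postcodes and field names are constructed for the example.

```python
"""How re-identifiable a set of pseudonymous records is from its biographical fields.

Added illustration only; not code from the Blueprint, NEHTA or the Office. All records,
postcodes and field names are constructed for the example.
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed pseudonymous records: four people in one metropolitan postcode, and two in
# different small towns whose postcodes share their leading digits.
SAMPLE_RECORDS: List[Record] = [
    {"pseudonym": "P1", "postcode": "2000", "birth_year": "1970", "sex": "F"},
    {"pseudonym": "P2", "postcode": "2000", "birth_year": "1970", "sex": "F"},
    {"pseudonym": "P3", "postcode": "2000", "birth_year": "1985", "sex": "M"},
    {"pseudonym": "P4", "postcode": "2000", "birth_year": "1985", "sex": "M"},
    {"pseudonym": "P5", "postcode": "2877", "birth_year": "1962", "sex": "M"},
    {"pseudonym": "P6", "postcode": "2880", "birth_year": "1962", "sex": "M"},
]


def _key(record: Record, quasi_ids: Sequence[str]) -> Tuple[str, ...]:
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records: Iterable[Record], quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_ids) for r in records)


def min_k(records: List[Record], quasi_ids: Sequence[str]) -> int:
    """Size of the smallest equivalence class. Someone who knows one person's values for
    these fields can narrow them down to at least this many records; 1 means a unique match."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_pseudonyms(records: List[Record], quasi_ids: Sequence[str]) -> List[str]:
    """Pseudonyms whose quasi-identifier combination occurs exactly once (re-identifiable)."""
    classes = equivalence_classes(records, quasi_ids)
    return [r["pseudonym"] for r in records if classes[_key(r, quasi_ids)] == 1]


def generalise_postcode(records: List[Record], keep_digits: int = 2) -> List[Record]:
    """Coarsen each postcode to its leading digits: one simple generalisation step."""
    out = []
    for r in records:
        pc = r["postcode"]
        out.append({**r, "postcode": pc[:keep_digits] + "*" * (len(pc) - keep_digits)})
    return out


if __name__ == "__main__":
    fields = ["postcode", "birth_year", "sex"]
    print("full postcode:   k =", min_k(SAMPLE_RECORDS, fields),
          "unique:", unique_pseudonyms(SAMPLE_RECORDS, fields))
    coarse = generalise_postcode(SAMPLE_RECORDS)
    print("2-digit postcode: k =", min_k(coarse, fields), "unique:", unique_pseudonyms(coarse, fields))
    print("no postcode:     k =", min_k(SAMPLE_RECORDS, ["birth_year", "sex"]))
```

With the full postcode the two regional records are each unique on postcode, year of birth and sex, which is exactly the small-community case the paragraph describes; either generalising the postcode or not holding it at all raises the smallest class to two. A k of two is still weak, and the check says nothing about attributes an adversary may know from outside the record, so it is a lower bound on risk, not an assurance of safety.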

126. The Office would also welcome further information on how pseudonymous and masked records are allocated and controlled, including:

  • Whether these features will be available to any person enrolled in the UHI Service?
  • What criteria would determine entitlement, and what process would individuals have to complete in order to use these features?
  • Whether access to the closed or masked section of masked records would be determined by the individual, or by protocols determined by the UHI Service?

127. The Office suggests that individuals should be given opportunities to specify the particular role-based access privileges that will apply to their record. An individual may prefer that access to certain information, such as contact details, be restricted to their treating General Practitioner.

Interaction with a shared electronic health record

128. The Office welcomes NEHTA's recognition of the inter-relationship between possible future shared electronic health records and the IHI. This relationship could be usefully explored as part of a full PIA.

129. In particular, the Office would draw attention to the importance of distinguishing between each type of record. While the IHI record may contain personal information that many individuals will expect to be handled carefully (such as address details), the SEHR is likely to hold even more intimate details that individuals will expect to be treated privately. A key concern, for example, would be to ensure that an individual who may have justification to obtain an IHI for administrative purposes (notwithstanding the Office's concerns about such access), could not then also access the relevant SEHR.

Framework for authorised representatives

Key Questions

1. What processes and evidence could be reasonably required to support an application to be an authorised representative?
2. Do current policies in place in similar healthcare settings manage requirements for authorised representatives adequately? If not, what are some of the issues associated with these policies?
3. Should the level of access and permissions allowed distinguish between the type of authorised representative and the circumstances in which they seek to act? For example, should a higher level of proof be required to make changes to an IHI record compared to simply accessing an IHI record? Should a parent's level of access be the same regardless of the circumstances?
4. Is there a need for the UHI Organisation to be able to manage associates in addition to authorised representatives?
5. Is parental consent an issue dealt with adequately by healthcare providers in the course of professional judgement used in provider decision-making?
6. Are there any other issues NEHTA should take into account in relation to this topic?

130. The Office has discussed privacy issues regarding children and adults with impaired decision-making capacity in its recent submission to the ALRC Inquiry.[58] The Office has noted the complexities and challenges inherent in attempting to balance the privacy rights of individuals who are not able to exercise decision-making on their own, with the need to provide such individuals with access to services.

131. Each group presents comparable but different challenges for implementing a UHI Service, which balances community, representative and individual expectations across a range of circumstances.

132. The NPPs make specific provision for dealing with individuals who do not have capacity to exercise decision making (including children who have not attained common law capacity). NPP 2.4 creates a legislative framework for disclosing health information to representatives in particular circumstances. This principle states that a health service provider may (though notably not 'must') disclose an individual's health information to a 'responsible person' where the individual is incapable of giving consent, and certain other conditions are satisfied.[59] These conditions include that the disclosure:

  • is necessary for the provision of appropriate care, or for compassionate reasons
  • is not contrary to the individual's known wishes, and
  • is limited to the extent reasonable and necessary to satisfy the purpose of the disclosure.

133. The disclosures to representatives permitted by the Privacy Act could be usefully reflected in the design and implementation of the UHI Service. Such a measure may require legislation to ensure that such practices are not inconsistent with the existing provisions of the Privacy Act, particularly if the UHI Service is designed in such a way that the UHI Organisation is the disclosing body. In such a case, NPP 2.4 would be unlikely to apply, as it would not appear that the UHI Organisation is providing a health service to the individual. Similarly, if the UHI Organisation were an Australian Government agency, then NPP 2.4 would not apply.

134. NEHTA may also consider addressing this issue through organisational culture, including promoting the development of awareness among healthcare providers (including their staff) regarding permissible disclosures to representatives. The Office will be preparing additional guidance regarding the application of NPP 2.4, which may assist in this objective.

Impaired decision-making capacity

135. In the Office's view, a framework for dealing with individuals in the groups outlined above should be responsive to the individual's particular circumstance and individuals should be able to make decisions about their personal information to the extent that they are able to do so. Moreover, even if an individual lacks legal capacity, they should still be involved as far as is practical in decision-making processes.

136. The Blueprint states that:

"Individuals with reduced decision-making capacity will need to compromise a reasonable level of their health information privacy in order to receive the most effective health services but this should be carried out in a way that respects their right to privacy and where possible, promotes their individual human dignity and autonomy."[60]

137. This passage could be interpreted to mean that compromises regarding the rights of vulnerable individuals are unavoidable.

138. The Office suggests that the following approach, drawn from its Guidelines on Privacy in the Private Health Sector, conveys a more positive message regarding how privacy applies to individuals with impaired decision-making capacity:

"A lack of decision-making capacity and privacy-related consent issues should not mean that individuals miss out on getting necessary health care, support and other services. Yet, neither should an individual's privacy rights be undermined unnecessarily by virtue of their inability to give consent." [61]

139. Within this group, there is considerable diversity in the capacity to make decisions. A decision-making disability may be a permanent or a temporary condition. In some cases, it may only affect an individual's decision-making ability some of the time, such as where an individual has a particular mental illness which may be episodic in nature. Further, it may be that the individual can make decisions about the handling of their information if they are provided with the necessary support. The UHI Service should ensure that privacy protections are able to be tailored to these sorts of scenarios.

140. The Office has no view on question 1 and would encourage NEHTA to consult with relevant government bodies (such as Guardianship Boards) and consumer interest groups.

141. In regard to question 2, in its submission to the ALRC Inquiry, the Office has recommended that there may be a need to make some amendments to the Privacy Act in order to better protect the privacy of adults with a decision-making disability.[62] There are also some situations where the better option appears to be non-legislative, such as the provision of further and more detailed guidance material.

142. In regard to question 3 above, the Office notes that allowing an informal representative to take action on an individual's behalf may have greater risks than where a representative only has access to information. The Office recognises that facilitating an authorised representative's access to information (for example, finding out whether an address has been changed) could assist the representative in their efforts to advise the individual. Where a representative seeks to take action on an individual's record, for the certainty and convenience of all parties, it may be appropriate to establish a formal relationship (for example, a guardianship order).

143. The Blueprint states that associates, or informal representatives, will not have a role in the UHI Service. While the Office generally supports limiting which third-party individuals may access information in the IHI record, the Office is unsure as to whether this may be inconsistent with the policy intent of NPP 2.4. This principle permits an organisation to disclose personal information to a "responsible person". In turn, NPP 2.5 defines "responsible person" to include individuals who may not be a formal representative of the individual, such as "…a person who has an intimate personal relationship with the individual" (NPP 2.5(g)).

Minors and Consent

144. The Blueprint accurately identifies the basic privacy issues in this area, in particular the preference of many young people to keep health information private, and the important role played by healthcare providers in assessing the capacity of children and young people.[63]

145. The Office notes the Blueprint's statement that no clinical information will be collected as a part of the IHI record. The information to be collected is limited to what is necessary to identify the individual in a healthcare context.

146. The Privacy Act applies a common law approach to assessing a child's capacity. As explained in the Office's Guidelines on Privacy in the Private Health Care Sector:

"Judgements about a young person's competence could involve consideration of their ability to understand the current issues and circumstances, their maturity and degree of autonomy, and the type and sensitivity of the information to be disclosed."

147. In practice, this means that wherever possible, capacity should be assessed on an individual basis, rather than upon attaining a prescribed age. This ensures that mature young people are entitled to make decisions about their personal information as soon as they are able, rather than being constrained by an imposed age of capacity.

148. The Office considers it appropriate that consent provided by a parent (or other representative) on behalf of a child who lacks capacity, is taken to be provided by the child themselves. However, the UHI Service should allow for the possibility that, when the child attains capacity, they will not agree with the decisions that have been made on their behalf. The creation of an IHI, and potentially, the participation in a Shared EHR system, presents a significant example of where, once participation has been initiated, information is likely to be stored in the system, even if a participant (including a young person) later chooses to opt out.[64]

149. The Office suggests that NEHTA consider how the UHI Service would respond to a range of family situations, particularly with regard to parental access to the child's UHI record. Potential issues that could be examined, perhaps by a Privacy Impact Assessment, include:

  • where access to a record is sought, or action on a child or young person's record is taken by a non-custodial parent;
  • where the young person attains capacity and does not wish a parent to have access to their IHI record; and
  • where the child or young person does not reside with their parents (for example, where the child is placed in foster care).

150. The UHI Service may need to make provision for a young person to establish their own capacity. Health service providers such as General Practitioners may be of assistance in certifying capacity.

151. The Office suggests that NEHTA consult with consumer representatives on this matter.

Future uses and research

Key Questions

1. What relationship should there be between the UHI Organisation and external researchers?
2. Is NEHTA's preliminary position on de-identifying data appropriate?
3. Should consideration be given to new models aiming to facilitate secondary uses such as the National Data Network?
4. Are there any other issues NEHTA should take into account in relation to this topic? [65]

Policy framework for assessing future uses

152. The Office welcomes the Blueprint's statement that use of the UHI Service is to be restricted to the Australian healthcare sector.

153. The Blueprint requests feedback on what types of other uses the UHI Service should support, and how best to manage these uses.

154. The key privacy issue raised by possible future uses of the UHI Service is the risk of function creep. Function creep involves incremental expansion in the purpose for which a system or object is used, so that it is employed for purposes that were not initially agreed to or envisaged.

155. Individuals may not expect these incremental uses nor consider them appropriate. Accordingly, significant expansion in the purposes for which the UHI data repository is used may in the future risk undermining community trust.

156. Function creep could be avoided by ensuring that the system design limits future expansions in scope, thus reducing pressures that may otherwise emerge for the system or personal information it holds to be used for other purposes.

157. Additionally, to maximise community confidence in the UHI Service, a process could be established to manage the uses of the UHI Service that is transparent, widely consultative and supported by legislation. The degree to which the community can be engaged in this process will determine whether an expansion of use is regarded as a useful and deliberate innovation, or uncontrolled function creep.

158. To mitigate the risk of function creep, regulatory instruments changing or expanding secondary uses could be subject to consultation with key stakeholders, including the Privacy Commissioner, and ultimately, require parliamentary scrutiny and oversight.

The UHI Service and research bodies

159. The Blueprint requests comment on the appropriate nature of the UHI Service's relationship with particular researchers, and with mechanisms created to facilitate research, such as the National Data Network (NDN).

160. The Office notes the Blueprint's statement that no clinical information will be collected for inclusion in the IHI record.[66] Accordingly, the UHI Service's utility for research purposes would appear to be restricted to circumstances where the identifier is used in conjunction with other data. For example, the IHI number may be used to link records of health treatment.

161. The Office would welcome the opportunity to provide comment as the interaction of the IHI with health record systems is further developed and clarified.

162. The Blueprint also notes that secondary use policies must comply with existing obligations such as guidelines issued by the National Health and Medical Research Council under sections 95 and 95A of the Privacy Act ('the Guidelines').[67]

163. The role of the Guidelines in relation to the UHI Service is not immediately apparent. The Guidelines apply to research applications involving the use and disclosure of identifying health information without the individual's consent. The Blueprint indicates, however, that only de-identified information would be disclosed to research bodies. The Office would welcome the opportunity to provide comment on this matter as it is further developed.

The Blueprint's approach to de-identified information

164. The Blueprint states that personal information collected for the UHI Service will be de-identified before it is released to third parties. This commitment reflects the Privacy Act's requirements regarding the disclosures of health information.

165. Section 6 of the Privacy Act defines personal information as "information… about an individual whose identity is apparent, or can reasonably be ascertained".

166. This means that merely removing an individual's name from a record may not de-identify information if it is still possible to determine the identity of the person to whom the information relates from other information stored in the record. For example, in the case of some illnesses, it is possible that health information grouped by geographical data (for example, information about a particular condition by postcode) could be identifiable where there is only one individual with the particular condition within a postcode area.

167. The Office believes that NEHTA should ensure that any access to UHI Service records which purports to be de-identified does not allow information to be re-identified.
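The postcode-by-condition risk described in paragraph 166, as an added example that is not part of the submission or the Blueprint: a small-cell suppression check in Python over constructed (postcode, condition) records, extended with complementary suppression so that published postcode totals do not let a suppressed count be recovered by subtraction. The threshold k, the postcodes and the condition names are assumptions chosen for illustration.

```python
# Added example, not from the Blueprint or the Office's submission.
# Records are constructed: names already stripped, (postcode, condition) kept.
from collections import Counter

RECORDS = (
    [("2000", "asthma")] * 3 + [("2000", "rare_condition_x")] * 1   # singleton cell
    + [("2001", "asthma")] * 2 + [("2001", "rare_condition_x")] * 3
    + [("2001", "diabetes")] * 5
)


def aggregate(records):
    """Count individuals per (postcode, condition) cell, as a naive release would."""
    return Counter(records)


def small_cells(records, k):
    """Cells with fewer than k individuals: anyone known to live in that postcode
    and have that condition is singled out by such a cell."""
    return {cell: n for cell, n in aggregate(records).items() if n < k}


def release(records, k):
    """Table a custodian could publish together with per-postcode totals.
    Cells below k are suppressed (None). If a postcode has exactly one suppressed
    cell, its value equals the total minus the published cells, so the smallest
    remaining cell in that postcode is suppressed too (complementary suppression)."""
    counts = aggregate(records)
    table = {cell: (n if n >= k else None) for cell, n in counts.items()}
    totals = Counter()
    for (postcode, _), n in counts.items():
        totals[postcode] += n
    for postcode in totals:
        row = [cell for cell in counts if cell[0] == postcode]
        hidden = [cell for cell in row if table[cell] is None]
        shown = [cell for cell in row if table[cell] is not None]
        if len(hidden) == 1 and shown:
            table[min(shown, key=lambda c: counts[c])] = None
    return table, dict(totals)


if __name__ == "__main__":
    print("naive release exposes:", small_cells(RECORDS, 3))
    print(release(RECORDS, 3))
```

Suppression thresholds alone do not address linkage with other data sets that share the identifier, which is the scenario paragraph 160 raises; they only remove the within-table singling out discussed here.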

168. The Blueprint states that:

"Wherever possible, personal information should be de-identified prior to its release to a third party..."[68]

169. The Office assumes that this is a statement of good privacy practice, that is, even where the legal authority to disclose identified information exists, such information would still be released in de-identified form wherever possible.

1 National E-Health Transition Authority, 'Privacy Blueprint - Unique Healthcare Identifiers.' Available at http://www.nehta.gov.au/index.php?option=com_docman&task=doc_view&gid=148&Itemid=139. Accessed 27 February 2007 ('The Blueprint').

2 See, for example, "Benefits of unique identifiers" in Chapter 12 of the Office's ALRC Inquiry submission, available at http://www.privacy.gov.au/publications/submissions/alrc/c12.html#Benefits1.

3 See, Chapter 12 concerning "Unique Multipurpose identifiers" available at http://www.privacy.gov.au/publications/submissions/alrc/c12.html#Privacy6. Similar themes were discussed in the Office's submission to the Access Card Consumer and Privacy Taskforce on Discussion Paper Number 1 available at http://www.privacy.gov.au/materials/types/submissions/view/6453#mozTocId957306.

4 See paragraphs 15 and 16 of the Office's submission to the ALRC Inquiry, available at http://www.privacy.gov.au/publications/submissions/alrc/c12.html#Privacy6.

5 Report of the Standing Committee on Human Resources Development and the Status of Persons with Disabilities, Beyond the numbers: the future of the social insurance number system in Canada (May 1999), available at http://www.parl.gc.ca/InfoComDoc/36/1/HRPD/Studies/Reports/hrpdrp04/09-part1-e.htm.

6 Section 2.2.1 of the Blueprint, p 7.

7 Section 1.3 of the Blueprint, p 2.

8 See, for example, the Office's submission on the HealthConnect Business Architecture Version 1.9, available at http://www.privacy.gov.au/materials/types/download/8680/6520.

9 The Blueprint, p 3

10 Office of the Privacy Commissioner, Submission to the Department of Human Services: Access Card Consumer and Privacy Taskforce, Available at http://www.privacy.gov.au/materials/types/submissions/view/6453.

11 The Blueprint, p 36

12 Office of the Privacy Commissioner, Privacy Impact Assessment Guide, available at http://www.privacy.gov.au/publications/pia06/index.html.

13 The Blueprint, p 14-15

14 The Blueprint, p 16

15 See paragraph 99 of Chapter 11 of the Office's submission to the ALRC Inquiry, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#Collection5.

16 Ibid, p 100

17 The Blueprint, p 16

18 See, for example, p 11 of the Blueprint

19 Available at http://www.privacy.gov.au/materials/types/guidelines/view/6582#npp21a.

20 See page 50, available at http://www.privacy.gov.au/materials/types/download/8700/6538.

21 The Blueprint, p 23

22 See paragraph 23, page 15, ANAO Audit Report No.24 2004-05 Integrity of Medicare Enrolment Data available at http://www.anao.gov.au/uploads/documents/2004-05_Audit_Report_24.pdf.

23 The Blueprint, p 20

24 The Hon John Howard, Prime Minister, Media Release "Government Response to the Report of the Taskforce on Reducing the Regulatory Burdens on Business" 7 April 2006. Available at http://www.pm.gov.au/news/media_releases/media_Release1869.html.

25 The Blueprint, p 20

26 The Blueprint, p 14

27 Under section 17 of the Privacy Act, the Privacy Commissioner has responsibility to issue statutory guidelines concerning the handling of Tax File Numbers (TFNs). Further privacy protections over TFNs are provided by the Data-matching Program (Assistance and Tax) Act 1990, which requires the Privacy Commissioner to issues binding guidelines on the matching of records which contain the TFN. The Taxation Administration Act 1953 provides penalties for the mishandling of TFNs, including up to two years imprisonment.

28 The Blueprint, p 22

29 The Blueprint, p 22

30 The Blueprint, p 22

31 The Blueprint, p 24.

32 The Blueprint, p 23

33 See, for example, paragraphs 36-62 of the Office's submission on the former HealthConnect business architecture, available at http://www.privacy.gov.au/materials/types/download/8680/6520.

34 The Blueprint, p 24

35 The Blueprint, p 23

36 The Blueprint, p 24

37 Available at http://www.privacy.gov.au/materials/types/download/8700/6538.

38 The Blueprint, p 24

39 The Blueprint, p 23

40 The Blueprint, p 8

41 The Blueprint, p 23

42 The Blueprint, p 26

43 The Blueprint, p 16

44 The Blueprint, p 26

45 The Blueprint, p 27

46 Standards Australia, 'AS 5017-2006: Healthcare Client Identification.' Available at http://www.nehta.gov.au/index.php?option=com_standardscatalogue&m=resource&cid=9&id=30&Itemid=424. Accessed 27 February 2006 ('the Standard'), page 6.

47 The Standard, p 55.

48 The Blueprint, p 29.

49 The Blueprint, p 10

50 The Blueprint, p 10

51 The Blueprint, p 29

52 The Blueprint, p 28

53 The Blueprint, p 29

54 The Blueprint, p 29

55 The Blueprint, p 29

56 The Blueprint, p 29

57 The Blueprint, p 30

58 See Chapter 9 on "Children, young people and adults with a decision-making disability" available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html.

59 The meaning of 'responsible person' is defined in NPP 2.5.

60 The Blueprint, p 30-31

61 The Office of the Privacy Commissioner, 'Guidelines on Privacy in the Private Health Sector'. Available at http://www.privacy.gov.au/materials/types/guidelines/view/6517.

62 See the Office's response to Question 9-3 of the ALRC's Discussion Paper, available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#L23305.

63 The Blueprint, p 31

64 See the Office's response to Question 9-1 of the ALRC's Discussion Paper, available at http://www.privacy.gov.au/publications/submissions/alrc/c9.html#Consent2

65 The Blueprint, p 33

66 The Blueprint, p 32

67 The Blueprint, p 33. These Guidelines are available from the Office of the Privacy Commissioner's website at http://www.privacy.gov.au/act/guidelines/#3.4.

68 The Blueprint, p 32