Professional Services Review Agency: Own motion investigation report
On 5 July 2010, the Australian Privacy Commissioner (the Commissioner) commenced an own motion investigation under the Privacy Act 1988 (Cth) (Privacy Act) following the receipt of information which alleged that the Professional Services Review Agency (PSR) holds Medicare Benefits Program (MBP) and Pharmaceutical Benefits Program (PBP) claims information within the same database. It was also alleged that PSR retains individual medical records, collected for its review purposes, for an indeterminate time and in an unsecured manner.
This information raised concerns that PSR may not be complying with its obligations relating to the way MBP and PBP claims information should be handled by Australian Government agencies when stored in computer databases.
On this basis, the Commissioner commenced an investigation into whether PSR had breached the Privacy Guidelines for Medicare Benefits and Pharmaceutical Benefits Programs (the Guidelines) issued under section 135AA of the National Health Act 1953 (Cth) (Health Act). Additionally, the Commissioner investigated whether PSR had breached Information Privacy Principle (IPP) 4 regarding data security issues.
The Commissioner sought information from PSR about how PSR stores the personal information it holds. In particular, the Commissioner asked PSR to provide information on how PSR stores its electronic MBP and PBP information and the steps it has in place to ensure data security.
The purpose of the Guidelines is to give effect to section 135AA of the Health Act. The Guidelines provide specific standards and safeguards for the way that individuals’ claims information is handled by Australian Government agencies when stored in computer databases. The Commissioner’s investigation focused on whether the way in which PSR stored MBP and PBP claims information was consistent with Guideline 1. These standards are in addition to any requirements that may be imposed by the IPPs contained in section 14 of the Privacy Act.
Section 14 of the Privacy Act contains 11 IPPs that regulate the way that agencies handle ‘personal information’ about individuals. The Commissioner’s investigation also looked at whether the way in which PSR stored MBP and PBP claims information was consistent with IPP 4, which requires an agency to take reasonable steps to protect the personal information it holds against loss, unauthorised access, modification or disclosure, and against other misuse.
Information Privacy Principle 4
IPP 4 states that a record-keeper who has possession or control of a record that contains personal information shall ensure:
- that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse
- that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.
IPP 4 obliges an agency to protect the personal information it holds with such safeguards as are reasonable in the circumstances. If it does not, it breaches IPP 4, even if no loss, unauthorised access, use, modification or disclosure actually takes place.
During the investigation PSR provided information about the different measures it has in place to keep information secure. In particular, the Commissioner noted that PSR:
- retains records in accordance with the National Archives of Australia guidelines, Normal Administrative Practice and existing Records Authorities;
- destroys records in accordance with the timeframes set by the National Archives of Australia and mechanisms set by the PSM and ISM guidelines at the “X-IN-CONFIDENCE” level;
- commissioned a review of its information and communication technologies in 2009 to ensure it was achieving best practice standard and a Records Management Program was undertaken as a result of this review;
- undertook a Protective Security Assessment of its practices and undertakes an annual Strategic Risk Assessment as part of its wider audit and compliance regime.
Based on the information that PSR provided, the Commissioner was satisfied that PSR has reasonable security safeguards in place to protect the information it holds from unauthorised access, use, modification or disclosure. In that regard, the Commissioner was satisfied that PSR’s practices are consistent with its obligations under IPP 4.
Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Program
Section 135AA(3) of the Health Act prescribes that the Information Commissioner must issue guidelines that specify the limited purposes for which information is linked and used in particular circumstances and how that information is stored.
The information to which the Guidelines apply is defined in section 135AA(1) as information relating to an individual, held or obtained by an agency, that was obtained by that agency or any other agency in connection with a claim for payment of a benefit under the MBP or the PBP. By virtue of section 135AA(2), the Guidelines do not apply to the information insofar as it identifies the person who provided a service, or the information is stored in a database identifying individuals who are eligible under those programs and does not include claims information relating to those individuals or is not stored in a database.
The current Guidelines were issued under section 135AA of the Health Act on 6 March 2008 and took effect on 1 July 2008. As the Guidelines are a legislative instrument, they are subject to Parliamentary scrutiny and disallowance. Legislative instruments are subordinate to primary legislation passed by Parliament and so where a legislative instrument is inconsistent with any provision in the enabling legislation, the latter will prevail to the extent of any inconsistency. This means that the prescriptive terms of section 135AA dictate the content of the Guidelines.
The primary objectives of the Guidelines are to ensure the separation of claims information collected under the MBP and the PBP, as well as establishing the circumstances under which this information may be linked and retained in linked form.
To that end, the Guidelines prescribe the circumstances in which claims information may be retained in various forms, such as where it is required to be separated from personal identifying components (that is, ‘de-identified’). The establishment of regular reporting requirements and a framework for limited retention periods is intended to ensure that the linkage and retention of claims information does not result in the de facto combination of the two databases.
In particular, the section provides that the Guidelines must, as far as practicable, prohibit the linkage and storage of claims information. Specifically, section 135AA(5)(d) states that the Guidelines must, as far as practicable, prohibit agencies from storing in the same database information that was obtained through the MBP and information that was obtained through the PBP.
A breach of the Guidelines constitutes an interference with privacy under section 13 of the Privacy Act. In turn, an individual may complain to the Commissioner about an alleged interference with their privacy.
For Australian Government agencies, Guideline 1 requires that claims information obtained under the MBP must be stored in a separate database to claims information obtained under the PBP. Guideline 1 gives effect to section 135AA(5)(d) of the Health Act, which prohibits agencies from storing claims information on the one database. The meaning of database is defined in section 135AA as a ‘discrete body of information’.
Guideline 1 is drafted without allowing for any exceptions. Consequently, there would appear to be no discretion to alter the requirement that Australian Government agencies keep claims information on separate databases. Guideline 1 prescribes the general obligations which all agencies must meet.
PSR advised that it stored its electronic MBP and PBP data on its server using a file management system known as TRIM Context v6 (TRIM). Potentially, TRIM could allow both sets of data to be searched and accessed simultaneously through a single search process. For the purpose of the Guidelines this meant that the data was stored in the same database.
PSR advised that reviews of medical records relating to MBP information are performed separately from any review of PBP information. PSR told the Commissioner that Medicare Australia provides it with both the MBP and PBP claims information and the requirement to separate such data would be unreasonably onerous.
PSR further claimed that the information it holds cannot be sorted, rearranged, or linked to build a picture of a patient’s MBP and/or PBP history.
However, the Guidelines make clear that there is no discretion in section 135AA(5) that would allow this information to be stored on one database where the requirement to separate such information would be unreasonably onerous.
On this basis, the Commissioner formed the view that PSR’s practices were in breach of its obligations under the Section 135AA Guidelines. The Commissioner recommended that PSR separate information relating to MBP and PBP into two separate databases to ensure it meets the obligations of the Guidelines and by extension the Health Act.
Action taken following the Commissioner’s recommendation
In light of the Commissioner’s finding that PSR was in breach of the Guidelines, PSR proposed a number of actions to implement functional and access controls to separate the data. The functionality and access controls would include the following features:
- PBP information can only be saved on the PBP server due to a fixed naming convention
- Only a limited number of PSR staff have the ‘Case Managers’ profile which gives access to MBP and PBP information
- While a PSR staff member with the appropriate level of access can see that both MBP and PBP information is held, the actual viewing of PBP information is restricted in TRIM. In particular, TRIM will not allow the user to open the documents containing MBP and then PBP in the same window
- Audit trails monitor and report all read/write access to TRIM and triggers exist to detect anomalies in user behaviour.
PSR outlined that it had developed new operational procedures so that separate requests are lodged with Medicare for MBP information and for PBP information. This ensures that the information is returned as two separate documents and can be saved on separate virtual servers. PSR has also indicated that it would develop further operational procedures and process controls to ensure that MBP and PBP information from Medicare is only accepted in separate documents, including when information is sent to the Committee.
On the basis of the information collected as part of the investigation, the Commissioner concluded that, at the time of the investigation, PSR was storing MBP and PBP claims information in the same database in contravention of the Guidelines. Consequently, PSR was in breach of the Privacy Act.
As a result of the investigation, PSR proposed the implementation of functional and access controls to quarantine MBP information and PBP information sufficiently, so that it would be stored on PSR’s TRIM system as a ‘discrete body of information’ on separate virtual data stores. In that regard, the Commissioner found that this adequately addressed the issues raised during the investigation. On this basis, the Commissioner decided to cease the investigation into the matter.
Under s40(2) of the Privacy Act, the Commissioner may investigate an act or practice if:
- the act or practice may be an interference with the privacy of an individual, and
- the Commissioner thinks it desirable that the act or practice be investigated.