Support Careflight save lives
view counter

Private Protections

A decade ago, Malcolm Crompton was Australia’s Privacy Commissioner, overseeing the implementation of significant change to Australia’s privacy laws so that the Privacy Act applied to the private sector more generally for the first time, including all health service providers. He was also instrumental in the inclusion of a review process as part of the reform package.

The review was carried out by his successor, Karen Curtis,  which led to terms of reference being issued to the Australian Law Reform Commission which in turn completed the review in 2008. Draft legislation was introduced in 2010, and finally passed in Parliament in 2012.

Meantime technology has skipped ahead, Crompton says, and thousands of commercial entities have sprung up to focus on collecting and using private data. “At the moment, we are playing catch-up still,” he says. 

“The importance of digital information in our lives has changed greatly over the last ten years,” he says, adding that smartphones, location tracking and social networks were in their infancy a decade ago.

“Now, the importance of sharing digital information in the right circumstance has never been greater and the importance of being able to restrict its use in the right circumstance has never been greater.”

He says that  the extent of the change to date and the change ahead of us all point to the need to have an ever stronger physical governance and accountability framework in the future which has international applicability – and until that’s in place, individual privacy remains at risk.

The Australian Privacy Principles (APPs) came into law on 12 March 2014, replacing the National Privacy Principles and Information Privacy Principles and focusing on transparency, compliance and governance of personal information.

APPs apply to organisations and government agencies in Australia and include key points such as making the collection and management of personal information ‘open and transparent,’ not collecting, sharing or disclosing sensitive information without an individual’s consent, keeping it secure, allowing individuals to correct information and not using information for direct marketing.

Crompton says that the most useful updates include the strengthening of the powers of the Commissioner, and mandating organisations to have a privacy program in place – though he admits that the Privacy Commissioner is hugely under-resourced for the task.

The Privacy Commissioner falls under the Office of the Australian Information Commissioner, which shares 80 staff who perform information, privacy and Freedom of Information functions.

“The new privacy principles  reaffirm the right people have had since 2001 to access their records in hospitals,” he says.

These days, Crompton heads privacy consultancy Information Integrity Solutions (IIS) and is also a Director of the International Association of Privacy Professionals Australia New Zealand (iappANZ), with clients including APEC, the OECD and a wide range of industry clients including Microsoft and government agencies.

He says that health organisations around the world are facing similar issues with privacy and digital patient and clinical data.

“Anything that is in digital form can be shared easily,” Crompton says.

While this ability to share information between health professionals and organisations is mostly seen as a boon, he warns, “The question then becomes:  what are the ethics of when you share what, with whom, for what purpose,” he says.

Crompton will be speaking at CHIK'sHealth-e-Nation Summit in Sydney next week about the responsibility and accountability in governance of health information.

Hospitals are some of the most complex organisations in the world, he says, partly because of the always-blurry delineation between employee clinicians and private practitioners, and around the ownership of devices and the information created and stored on them.

In the past, doctors were considered beyond reproach and had the full trust of their patients, Crompton says.

“Today, I’m a health consumer, not a patient, I expect my medical professional like any other professional to give me reasonable explanations about what they're doing and what information they are collecting and sharing and whenever possible, to give me choices,” he says.

He points out that complexity is introduced when someone is unconscious or unable to make decisions and trust is again transferred completely.

“One of the basic tenets of privacy is that the individual should be informed and be able to make decisions about what's happening to the information about them,” he says.

“We delegate to doctors a whole lot of decision making about our lives, in terms of what they will do with the data, but a doctor has to earn that trust, it's not automatic.”The Privacy Act obligates doctors to keep their patient records private – but many practices don’t have basic protections in place including backups and data security and may therefore potentially breach these basic requirements.

However, while data security will impact data privacy, the concept of security needs to be separated from the concept of privacy, he says.

“Security is about ensuring that an entity is in control of the data that it holds – it knows what it's got, where it is, and what it's going to do with it. Whereas privacy, from an entity’s  perspective, is what an organisation is going to do in exercising that control. Will it share that data? How will it analyse it, how will it act on the conclusion that it draws from the analysis of the data?”

The advent of Big Data and the remarkable medical advances that can be made by collating large datasets of patient information are indeed positive, but run the risk of blinding professionals to the need for governance, he adds.

Privacy regulations allow individuals to trust organisations, Crompton says, but there are still breaches that occur where regulations fail.

He cites the example of the sale of government records in the UK, where NHS data covering 47 million patients over 13 years was sold to an actuarial organisation and used to set prices for insurance cover.

“The NHS claimed that the data had been de-identified, so individual patients’ information could not be sourced. But there are some companies which have as a business model, the re-identification of data.”

These sorts of issues can be avoided if there’s effective regulations, a capable well-resourced regulator in place, he says, along with high quality technology – and there needs to be ways to make this work internationally.

Cost and ‘red tape’ are often cited as obstacles to implementing privacy regulations, Crompton says – but workable governance does not have to be wholly taxpayer-funded.

“Listed companies, for example, are not allowed to conduct business unless they have a current audit certificate in place. The company pays for that audit, as it is part of the cost of doing business. Were the same obligations applied to personal information governance, the cost of participating in this system would be a regularly-refreshed audit certificate that shows that you have got appropriate security and privacy practices in place.”

Crompton says that the introduction of the PCEHR with all its attendant security and privacy has been a huge advantage for Australians.

“The nation is probably five years ahead of where it would be without that, in terms of trying to get in place the appropriate interoperability to allow for information sharing even if we are now pausing to make sure we have everything right,” he says.

Malcolm Crompton is speaking at CHIK's Health-e-Nation 2014 Leadership Summit Executive Breakfast on 26 March, Sydney, speaking on "Governing information - responsibility & accountability".  eHealthspace.org is a Media Sponsor for the Summit.