The following is a very draft discussion paper I and a few colleagues have been working on for the Privacy Assessment of the proposed Commonwealth Access Card. All the views have been developed by me and are NOT ACHI policy at this point in any way at all. I would be interested in any comments any reader may have.
David.
Privacy Issues and Facts Related to the Proposed Access Card.
Discussion Draft – October 1, 2006
Background to the Submission.
The Commonwealth Government is planning to introduce a smartcard-based Access Card which will be used as proof of identity for all adult individuals who wish to access services provided by the Commonwealth Department of Human Services. Among other things, use of the card will be necessary to obtain payments from both Medicare and Centrelink.
The card is intended to replace 17 health and social services cards, including the Medicare card, health care cards and veteran cards.
Because of concerns regarding the possible impact on individuals’ privacy, Professor Alan Fels AO has been asked by the Minister for Human Services, Mr Joe Hockey, to chair the Access Card Consumer and Privacy Task Force to address consumer and privacy issues related to development of the health and social services access card.
The Australian College of Health Informatics (ACHI)
The Australian College of Health Informatics is Australia's peak health informatics professional body. As such the College is concerned that information technology be effectively and successfully implemented in support of healthcare service delivery.
Because of this core interest, and ACHI’s recognition that lack of trust in the ability of information technology to manage private information correctly and securely on the part of the populace could risk successful Health IT implementations, ACHI has an interest in ensuring that the implementation of the Access Card addresses patient privacy appropriately.
ACHI’s View on the Overall Access Card Proposal.
ACHI has no firm view on the policy correctness of the introduction of the Access Card (and the large and complex technology infrastructure needed to support it) as it is presently proposed.
ACHI does, however, note that a project of this scale carries very significant implementation risks, due to both its scale and complexity, which will need to be very carefully managed if the current estimates of costs, benefits and timelines are to be met.
Additionally, ACHI is concerned that the Access Card is not as voluntary, in a practical sense, as Government has stated. The inability to access Medicare, Centrelink and similar benefits would place significant cost on most citizens who choose not to have the Access Card. For those with major medical expenses or those on Centrelink income support it is essentially compulsory in all but name. This point is raised because the virtually compulsory nature of the Access Card has significant privacy implications, as will be explored below.
Note: This submission assumes that only identification data will be held on the Access Card. The issues that arise if the card functionality extends beyond this (i.e. the card becomes a partial electronic health record) are very complex and would require more detailed review (covering data segmentation on the smartcard, currency of information, primary and secondary data use, emergency, de-identification, pseudonymisation and so on) and are beyond the scope of the Access Card as we presently understand it.
Comments on Privacy Aspects of the proposed Access Card
The Australian College of Health Informatics (ACHI) would like to offer the following for consideration in regard to possible privacy issues surrounding the proposed access card.
1. ACHI is a strong supporter of the Australian National Privacy Principles as a framework for consideration of privacy issues but also believes that Identifiable Personal Health Information requires protection and handling beyond what is offered in the NPP because of the potential sensitivity of such information.
This point has been recognised by the existence of specific legislation in both the Commonwealth and a number of State Jurisdictions specially focussed on preservation of Health Information Privacy and Confidentiality.
The complexity and sensitivity of the issue can be appreciated by recognising that the National Health Privacy Code, whose development was begun by Health Ministers in 2000, has yet (in October 2006) to be finalised, and that the only evidence of this work being undertaken is now not on the DoHA web site but in the National Archive.
The lack of agreement on this code would argue for care in the storage of Health Information on the Access Card or its attendant backup repository systems until this code is finalised.
2. ACHI is of the view that unless the possible privacy issues surrounding the proposed Access Card are carefully and rigorously framed and developed, and public opinion is satisfied with the privacy management outcomes developed, there will be substantial public resistance to the adoption and use of the Card.
3. ACHI believes that the threats to personal privacy from electronic records and paper based records are sufficiently different as to require separate consideration, despite the similarity of the objectives to be met with each type of record. As an example, 10000 paper records require a major logistic effort to steal, whereas 10000 complete electronic patient records could easily be stolen on a 25gm USB key.
ACHI also recognises that there are efficiency and process advantages possible with well designed identity management systems. It would be of great value to the health sector if a trusted and privacy enhancing identifier were available to support Electronic Health Record initiatives.
4. ACHI understands the importance of accurate identification of individuals for both patient safety and fraud control, and is concerned that any system that is devised has sufficient safeguards and protections to ensure extremely low risk of mis-identification. ACHI also recognises that any identification system is only as robust and reliable as its weakest link and that the processes around enrolling, maintaining and securing the identity information held must be very reliable indeed. This means that any temptation to cut cost corners in ways that lead to compromise of the integrity of the system needs to be strenuously resisted.
ACHI also recognises that healthcare, unlike other industries, must also be flexible in its direct communication with individuals and be able to reflect the name/s by which the individual is comfortable (preferred name). In this context the issues of identification become more complex than in other environments. Accuracy must 'vie' with human requirements as well as the need for identification in an emergency.
5. ACHI is concerned about the proliferating array of individual person identification systems and believes there should be rationalisation of all these different efforts to minimise cost and maximise data quality (i.e. the NEHTA identifier and access control initiatives, Minister Abbott’s Health Smartcard, the Access / Smartcard Initiative, Passport ID, the Document Verification System for Attorney General's and Medicare / Centrelink's current ID systems). The impact of the intersection of these various systems in the future is very hard to predict and may be very damaging to public confidence and trust.
6. ACHI supports the apparent current direction to restrict the information content on the Access Card to just that required for identification to minimise scope creep and the potential abuse of other data which may be held on the card. The scope creep in the uses of the Canadian SIN and the US SSN should be taken as a serious warning as to the risks of permitting unauthorised use of strong individual identifiers and should be specifically legislated against.
7. ACHI believes that it should be recognised that as the Access Card provides access to all Government Benefits (including Medicare and Centrelink Payments) it is, for all practical purposes, a compulsory Identity Card, despite Government claims to the contrary. ACHI would like careful consideration to be given to provision of some granularity in requirement for use of identity in certain circumstances. Simple denial of access without the use of the Access Card may impose unreasonable additional costs on some small segments of the community.
8. ACHI is concerned that there are a significant number of people in the community who, quite legitimately, feel they need multiple “functional” identities to avoid discrimination or persecution and to obtain a degree of peace of mind regarding their access to care. An example of this is the patient with a potentially stigmatising disease (e.g. HIV/AIDS, an STD or mental illness etc) who wishes to preserve their confidentiality regarding that illness while being able to access ordinary care locally.
Unless two “practical” identities are possible, the individual is unable to be confident their very sensitive information will only be disclosed when they want it disclosed. (There is good evidence of significant prejudice and persecution when such material is involuntarily released, which makes these concerns more than reasonable, as does the potential choice individuals may make not to seek necessary care.) ACHI believes development of an approach to meet the needs of such individuals with regard to their avoiding discrimination and prejudice needs to be carefully considered, while recognising the inherent difficulties this poses.
Consultation with the bodies representing those living with HIV / AIDS, Hepatitis C, Mental Illness and Genetic Risk is vital before the operational and privacy frameworks are finalised.
9. ACHI believes that prior to implementation there should be a comprehensive privacy impact assessment, as recommended by the Privacy Commissioner in her office's submission. This will ensure the whole current proposal (including the Access Card, supporting systems and potential uses) gets a fully detailed privacy review. We would also like to see the complete KPMG Business Case for the Access Card released for public scrutiny, review and comment before the Access Card is finally given the go-ahead. Such release would clarify a range of aspects of the Government’s business case for the Access Card which are presently unclear.
10. ACHI believes there must be legislative controls to ensure all forms of record linking and secondary use based on the Access Card identifier(s) are fully transparent and subject to careful privacy review.
11. ACHI believes there must be legislative controls to ensure the production of the Access Card will never be required by any entity other than the appropriate Government Agencies. (Strict prohibition of use of Access Card for video hire etc).
12. ACHI believes, as does the Privacy Commissioner, that there must be very tight controls on the use of the Access Card identifier for data-linkage and data-mining purposes. Given the Access Card database will be a virtual repository of identification for 16 million Australians, it is clear there will be temptations by some agencies to use the Access Card system for linkages which the public would find highly problematic from a privacy perspective. The governance structures set up to manage the overall system must be robust enough to ensure any such use is strictly regulated and in the individual as well as national interest before being approved. (The approach taken to separate Medicare and PBS data is a useful model in this regard).
13. ACHI is concerned that the IT Infrastructure that will be required to support the Access Card will ultimately require a very considerable and quite high-risk project to be undertaken. The quality of the management of the security and privacy controls built into the system will be vital to the overall project success.
14. ACHI understands the importance of identification in the e-Health environment and would be interested to understand whether the Public Health Sector could reasonably leverage the work undertaken with the Access Card to assist the effectiveness of E-Health implementations which are in the interest of both patients and their carers.