Submissions to the Australian Law Reform Commission (ALRC) review of the Commonwealth Privacy Act are due by Friday 7 December, 2007.
The Health Informatics Society of Australia (HISA) has reviewed the ALRC's suggestions in the health information domain and formed a view on them.
This review was conducted by a special interest group, HISA's Health Information Privacy and Security group (HIPS), which looks at the issues of privacy and security in the area of health information. HIPS holds seminars, conducts surveys and develops position papers for government consideration. HIPS is chaired by Prof. Peter Croll of the University of Queensland.
Its most recent activity has been the HISA submission to the Australian Law Reform Commission relating to the commission’s review of the Australian privacy laws.
Following a seminar in November, a position paper has been developed.
The key points are as follows (to quote the web site):
The view of the Health Information Privacy and Security Group is that
- We seek national consistency with the proposed privacy laws across State/Federal Public/Private sectors. The current proposals do not go far enough to resolve this by allowing state exceptions and complex rules regarding when those exceptions apply. Furthermore, a well resourced nationally consistent process for managing privacy complaints (i.e. not delegated to state/territory as proposed in 56-1) would be more appropriate considering today's ubiquitous technology.
- Greater reliance on referral to the Human Research Ethics Committees (HREC) is being proposed for interpreting research, quality assurance, audit etc. Will there be sufficient consistency across the various HRECs and do they have the necessary skills and resources to carry out the proposed functions? Concern has been raised about how to avoid the inevitable bureaucratic backlog associated with HRECs unless these issues are adequately addressed?
- In health we have witnessed changes in people's (clients) expectations and behaviour brought about by the advances in technology. That is their ability to access health knowledge and to take greater personal control over their health to include user controlled internet content (e.g. Web 2.0). Furthermore, personal access to medical devices, assistive technologies and ‘smart home' environments are causing a shift towards data being held by non traditional healthcare providers. Although the proposed privacy law changes intend to be ‘technology-neutral' they need to recognize this shift in behaviour brought about by technology. Current proposals focus on ‘health service' and ‘health service providers' and not the individuals.
- Technology changes rapidly and hence any ‘technology neutral' proposal must therefore rely on the basic principles (UPPs) set down in the Act. Are sufficient provisions being made to accommodate how any technology changes need to be interpreted as being compliant with the UPPs in the Act? Too much damage can be done if we have to wait for case law hence, more regular periodic risk assessments of new technologies and interpretive guidelines would greatly assist in maintaining people's trust with technology.
- There is a proposal to develop guidelines that relate to the "handling of health information under the Privacy Act" (56-4). The stakeholders involved will be at the discretion of the Office of the Privacy Commissioner with only DoHA being specifically mentioned. The range and types of stakeholders need to be specified to ensure industry and professional society representation.
- National guidelines on obtaining individual's consent are crucial. This would permit unified approach to recording client's preferences and ensure technological compatibility for sharing and linking health information.
- Common platforms for the application of privacy to take into account cross border data flows. Many of our industry partners are requesting a ‘global' approach to ensure a baseline standard across the industry and organizations.
I have provided some commentary on the web site to some of the points raised.
HREC
On December 1st, 2007 DGM says:
HRECs have been around for many years and there is considerable concern about the mode of interaction between lay advisers, clinical professionals and non clinical professionals. Expertise of a high level is vital if 'group think' and power dynamics are not to distort outcomes and adequately protect patients and subjects.
Adequate and skilled resources are crucial as researchers' livelihoods depend on efficient and reliable responses.
Technology Neutrality
On December 1st, 2007 DGM says:
There needs to be a careful distinction drawn between privacy principles - which must be technologically agnostic - and just serve the need for privacy - and the implementation of privacy - be it in paper, technical or organisations and their systems. Each implementation has different issues to be addressed to ensure the principles are met.
Consent
On December 1st, 2007 DGM says:
The suggestions made do not to my mind come near addressing the complexity of how consent should be obtained, managed, refreshed and how the legion of different types of primary, secondary and even tertiary information should be treated. As soon as you move from the individual rational and competent individual freely giving informed consent for a specific act or treatment you move into areas where judgment and balance are required - e.g. all secondary data use etc etc.
The differential sensitivity of varieties of health information adds an additional layer of complexity that needs consideration as well.
General
On December 1st, 2007 DGM says:
Obviously there needs to be full stakeholder consultation and consensus building with item 5 and there must be appropriate protections with cross border flows of sensitive information (I suggest must have as good a regime or better before data moves OS)
Others have also provided some commentary and a few corrections.
If you have any interest in the area it would be invaluable if you were to go to the site, review all the information provided and maybe leave a comment or two.
Access the site here.
This needs to be done by close of business Wed 5 December, 2007 to give the team time to consider the suggestions.
I hope some extra input is forthcoming. This is important stuff!
David.
The news summary will appear later in the week!
D.
Thanks, David, for featuring this very important issue. In the interests of consistency, I am cross posting the comment I entered on the HIPS Submission site.
I would be happy to review any comments made here and pass them on to the HISA volunteers responsible for the submission.
Jon Hilton
Original posting on HIPS Submission website:
We must confront the need for change head on
On December 1st, 2007 JHilton says:
I could not agree more with the comments above regarding consent and consensus building. While in an ideal world, the legislation should be "implementation neutral", we ignore practical implementation issues at our peril. Avoiding the problem by leaving the resolution of some of the more pressing practical issues to case law is likely to lead to further uncertainty and delay.
I agree that once we move beyond the straightforward cases, there is often no "right" answer, and the legislation and regulatory framework should recognise this from the outset.
There is no substitute for well informed people when seeking judgement and balance. Achieving and maintaining the right balance between public good, practicality and individual preferences will require ongoing effort from people committed to the task.
At the same time, I think there is a growing recognition that for health information the current balance is not right, that there is a need for change. In exploring this, we should consider a broad range of topics such as the notion of ownership of information, practical limitations on personal control of information, currently available technical solutions and their limitations, changing expectations of consumers, transition issues, and so on. Some of these issues will be best dealt with through provisions in the legislation, others will be better managed through regulation and governance.
The situation is crying out for an individual or small committee with a mandate to lead the consultations and once a solid consensus has been established, push through the required changes. The entire process needs to be very well resourced, starting with significant and wide ranging stakeholder consultation. Following this, there will be a need to support people - both health care providers and consumers - through the required changes in practice that will, I believe, emerge from the consultations.
With all due respect for their abilities, I don't think that Human Research Ethics Committees are the right bodies to take a prominent role in such a broad based process of change, although they are clearly a valuable resource. Devolution of complaints management to the individual State jurisdictions runs the risk of dissipating responsibility and would make it harder to provide effective leadership.
I would prefer to see a more integrated approach to the operational and practical issues in finding and maintaining the right balance. Such an approach would, I think, have to be implemented by a single national body, that would either take advice from or subsume the functions of the various Committees and Commissioners that currently exist.
I cannot describe the exact nature of the body I think should be responsible for this, but I'm sure there are experienced people out there who can make some very practical and positive suggestions along these lines.