Submissions to the Australian Law Reform Commission (ALRC) review of the Commonwealth Privacy Act are due by Friday 7 December, 2007.
The Health Informatics Society of Australia (HISA) has reviewed the suggestions from the ALRC and formed a view regarding the suggestions made by the ALRC in the Health Information Domain.
This review was conducted by a special interest group, HISA's Health Information Privacy and Security group (HIPS), which looks at the issues of privacy and security in the area of health information. HIPS holds seminars, conducts surveys and develops position papers for government consideration. HIPS is chaired by Prof. Peter Croll of the University of Queensland.
Its most recent activity has been the HISA submission to the Australian Law Reform Commission relating to the commission’s review of the Australian privacy laws.
Following a seminar in November a position paper has been developed.
The key points are as follows (to quote the web site):
The view of the Health Information Privacy and Security Group is that
- We seek national consistency with the proposed privacy laws across State/Federal Public/Private sectors. The current proposals do not go far enough to resolve this by allowing state exceptions and complex rules regarding when those exceptions apply. Furthermore, a well resourced nationally consistent process for managing privacy complaints (i.e. not delegated to state/territory as proposed in 56-1) would be more appropriate considering today's ubiquitous technology.
- Greater reliance on referral to the Human Research Ethics Committees (HREC) is being proposed for interpreting research, quality assurance, audit etc. Will there be sufficient consistency across the various HRECs and do they have the necessary skills and resources to carry out the proposed functions? Concern has been raised about how to avoid the inevitable bureaucratic backlog associated with HRECs unless these issues are adequately addressed?
- In health we have witnessed changes in people's (clients) expectations and behaviour brought about by the advances in technology. That is their ability to access health knowledge and to take greater personal control over their health to include user controlled internet content (e.g. Web 2.0). Furthermore, personal access to medical devices, assistive technologies and ‘smart home' environments are causing a shift towards data being held by non traditional healthcare providers. Although the proposed privacy law changes intend to be ‘technology-neutral' they need to recognize this shift in behaviour brought about by technology. Current proposals focus on ‘health service' and ‘health service providers' and not the individuals.
- Technology changes rapidly and hence any ‘technology neutral' proposal must therefore rely on the basic principles (UPPs) set down in the Act. Are sufficient provisions being made to accommodate how any technology changes need to be interpreted as being compliant with the UPPs in the Act? Too much damage can be done if we have to wait for case law hence, more regular periodic risk assessments of new technologies and interpretive guidelines would greatly assist in maintaining people's trust with technology.
- There is a proposal to develop guidelines that relate to the "handling of health information under the Privacy Act" (56-4). The stakeholders involved will be at the discretion of the Office of the Privacy Commissioner with only DoHA being specifically mentioned. The range and types of stakeholders need to be specified to ensure industry and professional society representation.
- National guidelines on obtaining individual's consent are crucial. This would permit unified approach to recording client's preferences and ensure technological compatibility for sharing and linking health information.
- Common platforms for the application of privacy to take into account cross border data flows. Many of our industry partners are requesting a ‘global' approach to ensure a baseline standard across the industry and organizations.
I have provided some commentary on the web site to some of the points raised.
HREC
On December 1st, 2007 DGM says:
HRECs have been around for many years and there is considerable concern about the mode of interaction between lay advisers, clinical professionals and non clinical professionals. Expertise of a high level is vital if 'group think' and power dynamics are not to distort outcomes and adequately protect patients and subjects.
Adequate and skilled resources are crucial as researchers livelihoods depend on efficient and reliable responses
Technology Neutrality
On December 1st, 2007 DGM says:
There needs to be a careful distinction drawn between privacy principles - which must be technologically agnostic - and just serve the need for privacy - and the implementation of privacy - be it in paper, technical or organisations and their systems. Each implementation has different issues to be addressed to ensure the principles are met.
Consent
On December 1st, 2007 DGM says:
The suggestions made do not to my mind come near addressing the complexity of how consent should be obtained, managed, refreshed and how the legion of different types of primary, secondary and even tertiary information should be treated. As soon as you move from the individual rational and competent individual freely giving informed consent for a specific act or treatment you move into areas where judgment and balance are required - e.g. all secondary data use etc etc.
The differential sensitivity of varieties of health information adds an additional layer of complexity that needs consideration as well.
General
On December 1st, 2007 DGM says:
Obviously there needs to be full stakeholder consultation and consensus building with item 5 and there must be appropriate protections with cross border flows of sensitive information (I suggest must have as good a regime or better before data moves OS)
Others have also provided some commentary and a few corrections.
If you have any interest in the area it would be invaluable if you were to go to the site, review all the information provided and maybe leave a comment or two.
Access the site here.
This needs to be done by close of business Wed 5 December, 2007 to give the team time to consider the suggestions.
I hope some extra input if forthcoming. This is important stuff!
David.
The news summary will appear later in the week!
D.