Australian Privacy Charter Council
Version of 16 July 2001
© Australian Privacy Charter Council, 2001
This document is at http://www.privacy.org.au/apcc/Submns/HlthBMMS0107.html
While the emphasis on consent and on voluntary participation is welcome, we are fearful that individuals will come under increasing pressure to participate. The scale of the investment in establishing the infrastructure will only be justified on a cost-benefit basis if there are substantial levels of participation. We cannot assess the likely pressures without access to cost-benefit assumptions which do not appear to be readily available. It is essential that estimates of the number of participants required to justify the investment are made available to assist debate. We are very concerned that the opt-in basis of the scheme - put forward as a major re-assurance - is not viable operationally or financially and that pressure will inevitably grow for change, firstly to an opt-out basis, and ultimately to compulsion.
We are also concerned that the architecture of the system is not `privacy friendly'. It is not clear why a centralised database has been preferred to a decentralised system which only links records held locally as and when required. The vast majority of `interactions' will occur within a limited geographical area and within a local grouping of health service providers. Centralised databases inevitably lead to suspicions, whether justified or not, about function creep, as well as an increased risk of unauthorised access to and misuse of records. History shows that such databases become irresistible targets for other agencies, all of whom can mount public interest arguments for access. The best defence against function creep and misuse alike is to avoid the creation of a centralised database in the first place.
The approach to access controls seems muddled and briefings have apparently failed to re-assure consumer representatives that the scheme promoters really understand the limitations of public key infrastructure, or its significant privacy implications (see the Privacy Commissioner's draft PKI Privacy Guidelines). It is not clear why the PKI is considered potentially adequate as an authentication mechanism for health professionals and pharmacists but not for individuals (digital certificates need to be made a lot more user friendly before they will be accessible to most people, whether professionals or patients).
There is also an unresolved issue of data quality, which also goes to the viability of the scheme. If different participants are going to be allowed to keep different versions of a patient's record - which may be partly at the individual's request but may also be due to the doctor's or pharmacist's approach - isn't there a possibility of confusion, and of treatment or prescription on the basis of incomplete information? While this may be no more so than at present (and is indeed the rationale for the scheme), once there are records in a `scheme' which purports to be national and multi-user, key questions of liability will arise.
The lack of participation by the State public hospital systems must also throw into doubt much of the justification for, and value of, the BMMS. The system only really makes sense for an individual if a very high proportion of the health service providers with whom they have contact are participating. Having only (some) GPs and pharmacists involved, but not hospitals, must severely diminish the value of the system, and could even be dangerous if it gives an incomplete picture of an individual's treatment and medication. This is particularly the case for the relatively small proportion of the population for whom interactions are likely to be a potential problem. The design of the system appears to be a classic case of collecting information about a very large population to address an issue or problem which is in fact very limited, to a relatively few `high intensity' patients.
The BMMS model appears to us to be an example of a top-down approach - an over-designed system in search of users, rather than a demand-driven response to the needs of either individuals or health professionals.
We therefore support the position of the Australian Consumers Association - that specific BMMS legislation is premature, and that the ideas and concepts involved should be tested in limited field trials, alongside less technologically sophisticated alternatives. From 21 December, any personal information involved will be protected by the Privacy Act if it is not already covered by one of the public sector regimes. In the meantime, participants in the trials should be required to commit to observe privacy principles by contract.
If, notwithstanding our preference, the legislation proceeds, we support the suggestions of the Consumers Health Forum for stronger consumer safeguards. In particular, the controls applying to personal information while it is held in the BMMS should extend to any information downloaded from it by participants. This should include very strict limits on what downloaded information could be used for and to whom it could be disclosed, as well as a requirement for a high standard of security after download. BMMS management should not escape responsibility for the data just because it has been downloaded - except that they should not, of course, be held liable for others' wanton disregard of legal or contractual safeguards. Paragraph 40 of the Summary does not address this key requirement, although paragraph 52 implies that privacy requirements will be included in the conditions of participation.
The role of identifiers needs to be further explained - in particular, the way in which the Medicare number will be used. Will it become the BMMS identifier, or only be used for the proposed linkages to other HIC systems?
We would be concerned at any commercial involvement in the scheme - because of its sensitivity, it should in our view remain clearly a public sector initiative, subject to the full range of accountability measures.
Other privacy issues that need to be resolved include the age of consent, not only for participation but also for access to records and for authorising suppression; the life of the data (i.e. the retention period); the ability of individuals to change their mind and have any records deleted (and withdrawn from participants who have downloaded them); and the range of options that participants will have for selective suppression. It is not clear why the BMMS Board needs to retain a right of access to identifiable information overriding an individual's suppression request (paragraph 31 of the Summary is not convincing) - many people may wish their treating doctor and/or pharmacist to have access but deny it to health bureaucrats, and if the interests of the patient are indeed paramount, this should be allowed.
There would also need to be a major public education campaign which, as well as selling the benefits, gives a fair and balanced account of the risks and clearly explains the privacy safeguards and options. Paragraph 10 of the Summary provides for some useful specific steps.
We welcome the strong offence provisions in the draft legislation. These appear sound, but their relevance is contingent on the other issues which need to be resolved - as outlined above.
Created: 30 July 2001
Last Amended: 30 July 2001