Dated September 1998
This document is at http://www.privacy.org.au/Papers/SubmnPharm9809.html
The Australian Privacy Charter Council was formed in 1992 to promote observance of best practice privacy standards throughout the Australian Community. Under the chairmanship of Justice Michael Kirby, then of the NSW Court of Appeal, the Council brought together privacy, consumer and civil liberties experts with representatives of the business community.
In 1994, the Charter Council launched the Australian Privacy Charter, which is attached to this submission. The Charter sets out 18 principles, reflecting international best practice, which provide a benchmark against which specific proposals for privacy laws and guidelines can be measured. The Charter and its principles are appended to this submission.
The Charter Council continues in existence to promote the Charter and its principles, to comment on privacy initiatives, or the lack of them, in particular sectors and jurisdictions, and to provide a forum for discussion of privacy which brings together representatives from a wide range of interests - non-government organisations, business and government.
The Charter Council's main concern is to ensure that internationally recognised privacy principles, and fair information practices, are applied to the handling of personal information in all jurisdictions and sectors in Australia. Because of the absence in Australia of comprehensive privacy law applying to the private sector, there is currently inadequate protection for consumers against the misuse of their personal information. This is a particular concern in relation to electronic transactions, including the use of the public Internet and private networks or Intranets.
It is important to recognise that privacy concerns extend well beyond confidentiality and security. People are also increasingly wanting to know how organisations they are dealing with propose to use any personal information they obtain from them, and demanding some control over those uses. This is especially true of health related information which most people perceive as particularly sensitive. People also want a right of access to personal information held about them and an ability to challenge its quality, and have corrections made where necessary.
It has been widely recognised by expert opinion both in Australia and overseas that a comprehensive and consistent framework of privacy or data protection law is an essential pre-condition for consumer confidence in electronic transactions. This in turn makes such a framework a pre-condition for business investment in new technology and services, and for acceptance of electronic delivery of government services.
Australia does not currently have such a framework, and governments seem reluctant to provide one, although the Victorian government has announced its intention to legislate, and we hope that other jurisdictions follow suit.
In the meantime, the Charter Council supports the efforts by specific organisations or sectors to provide privacy protection in voluntary codes of practice and guidelines, preferably with effective compliance and enforcement mechanisms.
The Charter Council welcomes this thoughtful and well presented paper. It has laid out the privacy issues clearly, and correctly identified informed consent, and the opt-in vs opt-out debate, as the main area to be resolved. We also welcome the involvement of the Privacy Commissioner's office, and of various health consumer groups, in the consultative group, and hope that this continues into the implementation phase.
We agree that a Pharmacy Intranet should operate in accordance with internationally recognised best practice data protection rules. The Privacy Commissioner's National Principles (NPs) are a good starting point in most respects. While the Council has some reservations about parts of the February 1998 version of the NPs, these reservations would only affect the Intranet proposals to the extent that commercial marketing uses were being considered. You will be aware that the Privacy Commissioner is currently reviewing the NPs, and we assume that you will adopt any new version that she issues as your starting point.
The NPs recognise health information as particularly sensitive - a category which generally requires express consent or express authorisation by law for secondary uses or disclosures. However, Principle 10.2 provides for this strict control to be replaced, in the case of health information, by rules established by competent bodies dealing with obligations of professional confidentiality.
While we are broadly confident that participants in health care services are well aware of the importance of confidentiality and informed consent as the basis for use and disclosure, we are concerned about the potential confusion of objectives inherent in the Intranet proposal. This confusion arises from the competing interests of health care on the one hand and efficient administration on the other, in an environment where administration is increasingly focussing on such issues as prevention of abuse, overservicing, and value for money. Put in these words, as they usually are, these objectives are unobjectionable. But they can all too easily become a dominant consideration which overrides important concepts of patient autonomy, privacy and confidentiality.
It cannot be assumed that what health care administrators, or even health care professionals, think is in a patient's interests is necessarily what the patient him or herself agrees, or will be willing to consent to. Administrators in particular will often be driven by a utilitarian view of what is best for the overall population of patients, even if this means that individuals' preferences are overridden.
In addition, it is rarely clear what is meant by terms such as abuse or overservicing - these are subjective concepts which will be applied differently depending on the perspective or objective. The extent to which patient privacy can legitimately be compromised will be different if 'abuse' means fraudulent, than if it means 'inappropriate'. Fraud is a relatively objective matter, but if the objective is to detect or prevent inappropriate behaviour, the questions arise 'in whose opinion?' and 'on what criteria?'
The Charter Council's main concern about the Intranet proposal comes down to a fear about its potential to provide the infrastructure for a system of routine surveillance of health care events at the level of the individual, with a wide range of professionals and administrators outside the immediate treatment team having access to sensitive personal data, even on a controlled basis. The new ACT health privacy law makes this useful distinction between treatment team and others, but is in our view too permissive (as are the National Principles) when it comes to health care administration and management as an exception to the general controls on secondary uses.
There are all sorts of legitimate reasons why individuals might be wary about their prescription histories being held in a database which is potentially widely available, even within the health care community. This caution would be based not only on concern about who might gain authorised access, but also about the unavoidable risk (however tight the security) of unauthorised access.
We recognise the undoubted benefits that would flow from the various functions that a Pharmacy Intranet could assist. But we urge that the design of the system should be such that these benefits are offered to individuals rather than imposed on them. In other words, individuals should be given choices, wherever possible. For instance, the compilation and storage of a comprehensive medication record should be an option, but not a requirement, and individuals should not be denied treatment or service because of their unwillingness to consent to secondary uses which are neither necessary, nor required by law.
The Charter Council understands that many of our concerns are outside the immediate control of this Project, and depend on decisions made elsewhere about eligibility criteria, enforcement powers etc. But an Intranet will make exchanges of information and surveillance easier, and for this reason the design of the system cannot set these concerns aside.
At the very least, the Intranet should operate under rules equivalent to those in the ACT Health Records (Privacy and Access) Act 1997, with a supervisory authority, a complaints scheme, and enforceable remedies for breaches of the rules. Some participants will be subject to such rules in the ACT law or Commonwealth Privacy Act, or before long in Victoria and New South Wales. In the absence of legislation in other jurisdictions, there will need to be some form of self-regulatory mechanism established.
We request that we be kept informed of the progress of the Project, and given the opportunity to comment further as the design and functions become clearer.
Attachment: Australian Privacy Charter
Nigel Waters
Convenor
Australian Privacy Charter Council
Created: 7 February 2003
Last Amended: 7 February 2003