Data protection and management

Definition of `health data'

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

Health data includes:

  • information or an opinion about an individual’s health or any health services provided, or to be provided, to the individual;

  • any personal information collected to provide or in providing a ‘health service’ to an individual (including organ donation); and

  • genetic information about an individual that is in a form that could be predictive about the health of an individual (or relative of the individual).

 

The concept of ‘providing health services’ is very broad and can capture a range of services that may not be front of mind when thinking about health – for example, information collected by a gym on an individual in connection with a gym class, or Medicare billing information held by an insurance provider or debt collector.

Anonymised health data is not defined, although the Australian Privacy Principles (APP) Guidelines state that ‘anonymity’ means that an individual dealing with an entity cannot be identified. Critically, health data that may be anonymous in the hands of one entity may not be anonymous in the hands of another. The ability of an entity to link a data set with other information is relevant to whether data is truly anonymised.

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

Given the sensitivity of health information, its collection, use and management is regulated by the Privacy Act.

Health data is treated more strictly than personal information under the Privacy Act. Health data is a subset of ‘sensitive information’ and consent is required for its collection.

Generally, an organisation can collect health data from a person if:

  • the person provides their consent (express or implied); and

  • the information is reasonably necessary for the organisation’s activities.

 

Implied consent arises when consent can be inferred from the circumstances and conduct of the person providing the health information. This is a higher test than that imposed on other personal information.

APP 11 requires entities to take reasonable steps to protect personal information (including sensitive information, such as health information) it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. According to the Office of the Australian Information Commissioner (OAIC)’s APP Guidelines, ‘reasonable steps’ will depend on the circumstances in each particular case and may include governance, culture and training, internal practices, procedures and systems, ICT security, access security, and destruction and de-identification.

In addition, the handling of health information is also subject to certain state-based legislation, which differs from the Privacy Act in some aspects, but the differences are relatively minor.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

APP 2 provides that individuals must have the option of dealing anonymously or by pseudonym with entities subject to the Privacy Act. However, entities are not required to provide these options if the entity is required or authorised by law to deal with identified individuals or it is impracticable for the entity to deal with individuals who have not identified themselves. There may also be practical consequences for patients who do not wish to identify themselves, as their ongoing healthcare may be difficult for organisations to manage and they are unlikely to be able to claim a Medicare or health fund rebate.

De-identification may be one way to protect the privacy of individuals. De-identification involves removing personal identifiers (such as name, address, date of birth, etc) and removing or altering other information that could identify an individual (such as unique characteristics). However, with the increasing capability of technology and the sophistication of cyber attacks, it is becoming more and more difficult to de-identify data effectively.

Types of de-identified health data include Medicare numbers and healthcare identifiers. Medicare numbers are primarily used by individuals to claim benefits under the Medicare Benefits Scheme. APP 9 restricts the use or disclosure of a patient’s government related identifier to specific circumstances (eg, it is reasonably necessary to verify the patient’s identity for an organisation’s activities).

Healthcare identifiers are unique 16-digit numbers that identify individual healthcare providers, healthcare provider organisations (such as digital health organisations) and individuals receiving healthcare. Healthcare identifiers help to reduce the potential for mix-ups with health data and are the foundation for government initiatives such as the My Health Record system, in which individuals’ health information can be viewed securely online. They are not health records, but are limited to identifying information such as name, date of birth and sex to uniquely identify patients. Use of healthcare identifiers are regulated by the Healthcare Identifiers Act 2010 (Cth) and Healthcare Identifiers Regulations 2020 (Cth), which provide that healthcare identifiers may only be collected, accessed, used and disclosed for limited purposes (such as providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient). In circumstances where a healthcare identifier is used or disclosed for purposes not permitted by the legislation, criminal and civil penalties may apply.

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

The Privacy Act gives the Privacy Commissioner a range of privacy regulatory powers, including powers that allow the OAIC to work with entities to facilitate best privacy practices, as well as investigative and enforcement powers to use in response to privacy breaches.

For example, if a healthcare company fails to obtain consent to collect the health information of an individual, the company will be in breach of APP 3 regarding the collection of sensitive information.

A breach of an APP is an ‘interference with the privacy of an individual’ under section 13(1) of the Privacy Act and, although it is not a civil penalty provision, it can lead to regulatory action and penalties. The provisions of the Privacy Act are enforceable under Parts 6 and 7 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth), which provide for enforceable undertakings and injunctions to be issued to enforce provisions.

If the breach of an APP were to be regarded as a ‘serious interference with the privacy of an individual’, then civil penalties of up to A$2.1 million per breach may apply. Additionally, in March 2019, it was announced that the government intends to introduce higher penalties for breaches of the Privacy Act (however, these have not yet been implemented). The proposed changes to the Privacy Act include (among other things):

  • an increase in the maximum penalty for serious and repeated interferences with the privacy of an individual under Privacy Act, increasing the current penalty from A$2.1 million (for corporate entities) to the greater of A$10 million, 3 times the value of any benefit obtained through the misuse of the information, and 10 per cent of the company’s annual domestic turnover; and

  • greater enforcement and remedial powers for the OAIC.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

APP 11 imposes a legal obligation on entities to take steps as are reasonable in the circumstances to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Apart from this general obligation, there are no mandated IT security standards for the handling of health data in Australia. Some specific standards have been developed, including the Information security management in health using ISO/IEC 27002 and the National eHealth Security and Access Framework v4.0. However, compliance with these standards is voluntary.

The OAIC has published its Guide to health privacy and the Australian Digital Health Agency has published an Information Security Guide for small healthcare businesses. IT service providers who engage with government health agencies will typically be required to meet certain minimum IT security standards (for example, see the Digital Transformation Agency’s Secure Cloud Strategy).

On 9 November, the Australian government released the Exposure Draft Security Legislation Amendment (Critical Infrastructure) Bill 2020. The draft Bill is set to implement the first initiative of Australia’s Cyber Security Strategy 2020, which is to protect Australia’s critical infrastructure providers from cyber threats by amending the Security of Critical Infrastructure Act 2018 (Cth). Significantly, the amendment will impose security obligations on 11 new sectors, including ‘health care and medical’. Industry will be required to manage risks associated with critical infrastructure of national significance, including enhanced cybersecurity obligations to support the sharing of near-real-time threat information to strengthen organisations’ cyber preparedness and resilience.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

Organisations should consider the following three key questions.

 

Consent – do you have adequate consent to collect, use and disclose health data for this purpose?

Where health data is collected in addition to personal information, additional consent may be required. The Privacy Act distinguishes between the use and disclosure of personal information for ‘primary purposes’ versus ‘secondary purposes’. The ‘primary purpose’ is the specific purpose for which the health information was collected. The context in which the health information was collected is relevant to this concept. A ‘secondary purpose’ is any use or disclosure for reasons other than the primary purpose. Secondary purposes are prohibited, unless the secondary purpose falls within a specific permitted exception.

In the health information context, the most common permitted exceptions are:

  • the individual would reasonably expect the organisation to use the information for the secondary purpose, and the secondary purpose is directly related to the primary purpose;
  • if the use and disclosure is required to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety;
  • if the use and disclosure is in connection with the provision of a health service or research or if the individual is incapable of giving consent (in each case, subject to specific rules); and
  • if required by law or for law enforcement purposes.

 

Data systems – do you have appropriate data management systems in place?

There are differing legal requirements for the handling of health data and personal information; however, these types of information are most often collected together. It is important to understand which data fits into each category, and to establish distinct data management processes for these different types of data.

 

Security – do you have adequate security to protect against unauthorised access and misuse?

Consider security safeguards that are reasonable in the circumstances.

Law stated date

Correct on

Give the date on which the above content is accurate.

20 November 2020.