Protecting Information Rights – Advancing Information Policy

Phone iconCONTACT US: 1300 363 992
 
We're now a part of the Office of the Information Commissioner. Go to www.oaic.gov.au to find out more.

Site Changes

Types

Topic(s): Health
 

135AA Review Report

document icon pdf (441.07 KB)


Report of the Privacy Commissioner's Review of the Privacy Guidelines for the Handling of Medicare and PBS claims information

August 2006

Skip to content

Table of Contents

FOREWORD

This report presents the findings of a major review of the Privacy Guidelines issued for the handling of Medicare and PBS claims information by Australian Government agencies.

This review has been a significant project for my Office since being announced in November 2004, and has included an extensive consultative process.

The report has drawn on information from a variety of sources including individuals, businesses, health sector professional bodies, interest groups, and government agencies across all jurisdictions.

The issue of how health information should be handled elicits a diverse range of views, and my Office has benefited from the thoughts and expertise provided during the consultations and through the submissions.

I also thank those who contributed to the Consultative Group and to the members of my Office's Health Privacy Forum.

I am grateful to my staff for their contribution to this review. I particularly acknowledge the major contributions of Andrew Solomon, Andrew Hayne, Robyn Longhurst, Nicholas Burrage and Douglas Barry to this review.

My Office will now proceed to write guidelines that reflect the findings detailed in this review.

Karen Curtis Privacy Commissioner July 2006

SUMMARY OF FINDINGS

This report makes 25 findings on matters related to the Guidelines. Some of these findings will require new Guidelines to be made, while others describe the Office's interpretation of matters relevant to the Guidelines.

The key findings are:

An additional permitted linkage for claims information should be for the purpose of an individual accessing their record (see Finding 2)

A number of stakeholders advocated for a expansion in the purposes for which claims information may be linked. In some cases, some of these purposes can already be met under the Guidelines. Generally, the review found that a wide expansion in the permitted purposes would be inconsistent with the intent of the enabling legislation.

The review did find merit in linkages being permitted for the purpose of providing an individual with a single report of the Medicare and PBS claims history.

The prohibition against storing Medicare and PBS claims information should apply to all agencies. (see Finding 23)

It is fundamental to meet the requirements of the enabling legislation that the Guidelines must prohibit Australian Government agencies from storing Medicare and PBS claims information on the one database. The current Guidelines do not adequately ensure this and one or more further guidelines will be needed to meet this requirement.

Changes should be made to the periods for which Medicare Australia may retain claims information in linked and unlinked form (see Finding 6, 7 & 8)

A number of findings have been made concerning how Medicare Australia may handle claims information. The period of time for which it may retain linked datasets will not be prescribed as a set period. Rather, these datasets should be retained for as long as is necessary to meet the purpose for which they are made. Such an arrangement is only acceptable to the extent that Medicare Australia remains restricted in regard to the reasons for which it may link claims information.

It has also been found that the existing 5 year retention period for which Medicare Australia may retain claims information imposes an unnecessary administrative burden, without affording commensurate additional privacy protections. The review has found that this arrangement should be changed so that Medicare Australia may retain claims information permanently, but in a form in which individuals cannot routinely be identified.

In regard to these changes, Medicare Australia should have additional reporting obligations to the Privacy Commissioner.

Some changes are required in regard to how the Department of Health and Ageing may handle claims information (see Findings 14-21)

The review has found that the Guidelines should make clear that the Department of Health and Ageing, as an agency, is prohibited from storing claims information from both programs on the one database.

The review has also made findings intended to clarify other aspects of how the Guidelines apply to the Department, including in regard to the exercise of discretionary powers by the Secretary.

The full findings of this review are provided below.

1. It is a statutory requirement that the Privacy Commissioner make a Guideline requiring the separation of Medicare and PBS claims information and the Guidelines cannot be amended to allow claims information to be stored in a combined form.

2. Guideline 1.4 is to be changed to permit an individual to consent to the linkage of their own claims information by Medicare Australia for the purpose of providing access to that information.

3. Guideline 1.4(b) is to be changed to delete reference to the Coordinated Care Trials.

4. Guideline 1.4 is to be changed to better reflect the wording of the enabling section by deleting the expression "compare or combine".

5. Guideline 1.4 is to be changed and clarified by the addition of the word "only" after the word "may" in the sentence "Medicare Australia may link records of information….".

6. Guideline 3.1(a) is to be changed so that Medicare Australia may retain linked datasets for as long as is required to meet the primary purpose for which the linkage was authorised under these Guidelines.

7. A new Guideline is to be made requiring Medicare Australia to report annually to the Privacy Commissioner in regard to its datalinkage activities, including the number of records that are linked (by class) and the periods for which they are retained.

8. The current retention Guidelines will be deleted and new Guidelines will made specifying how Medicare Australia is to handle old information by requiring that:

  1. Old information be stored in separate databases to other claims information

  2. Old information can only be re-linked with personal identification components in limited and prescribed circumstances

  3. Medicare Australia is to report annually to the Privacy Commissioner on its handling of claims information as outlined in (a) and (b).

9. Guideline 4A can not impose obligations on researchers that are not agencies.

10. Guideline 4A.1 is to be retained in its present form, with the addition of a third clause requiring that Medicare Australia establish agreements with researchers requiring that information is destroyed after its use for the purpose of medical research.

11. Guideline 4A.2 is to be deleted.

12.To promote regulatory certainty, the Guidelines will not include reference to "de-identified information" but will draw on terminology consistent with the enabling legislation.

13. Section 135AA requires the Privacy Commissioner to make Guidelines for the handling of Medicare and PBS claims information relating to individuals and held by agencies regardless of whether or not that information identifies an individual.

14. Guideline 5.2(a) is to be deleted to reflect the requirement that the Privacy Commissioner must make Guidelines prohibiting the storage of Medicare and PBS claims information on the same database.

15. A Guideline prohibiting the storage of Medicare and PBS claims information on the same database is to be applied to the Department of Health and Ageing.

16. For the Department of Health and Ageing, linked datasets that include the PIN should continue to be retained for no more than 1 month.

17. For the Department of Health and Ageing, linked datasets that do not include the PIN may be retained for as long as necessary to meet the purpose for which they were established.

18. For the Department of Health and Ageing, linked datasets that do not include the PIN must not be used as a way to circumvent the absolute prohibition against the storage of claims information on the one database.

19. The Guidelines will reflect the potential distinctions in meaning between the verbs "authorise" and "permit".

20. The Guidelines should allow for the Secretary to define classes of use and disclosures provided such classes are sufficiently well defined and limited to ensure regulatory certainty.

21. Powers currently available under the Guideline to the Secretary of the Department of Health and Ageing should be able to be delegated to appropriate senior officers, for example to the level of Deputy Secretary or to the Australian Government Chief Medical Officer.

22. It is practicable to make a guideline meeting the requirement of section 135AA(5)(d) to prohibit any agency from storing Medicare and PBS claims information on the same database.

23. A guideline similar to Guideline 1.1 is to be made having effect for all agencies, thus prohibiting Medicare and PBS claims information from being stored on a single database by any agency.

24. It is not practicable to make guidelines meeting the requirements of any other clause of section 135AA(5) other than (d).

25. The Office will continue to monitor any wider use of Medicare and PBS claims information by other agencies to determine whether further guidelines become practicable.

1. OVERVIEW

Background to the Review

On 8 November 2004, the Privacy Commissioner announced that the Office of the Privacy Commissioner ('the Office') would conduct a Review of the Medicare and Pharmaceutical Benefits Programs Privacy Guidelines1 ('the Guidelines'). These Guidelines are issued by the Privacy Commissioner under section 135AA2 of the National Health Act 1953 ('National Health Act'). Issuing the Guidelines is a function of the Privacy Commissioner under section 27(1)(pa) of the Privacy Act 1988 (Privacy Act).3 The Guidelines and text of section 135AA are at Appendices A and B respectively.

The Guidelines were first issued by the Privacy Commissioner on 24 November 1993 and came into effect on 15 April 1994. The last comprehensive review of the Guidelines took place in 1995, and the last amendment to the Guidelines was made in 2000.

A number of factors point to the timeliness of this review, including:

  • developments in information technology which may have bearing on the handling of health information when stored electronically
  • suggestions that the information covered by the Guidelines could be more usefully utilised by researchers than is currently the case
  • evidence of increasing use of information technology in the planning and provision of health services
  • suggestions that community attitudes and expectations regarding the handling of personal information, and in particular sensitive health information, may have changed since the Guidelines were introduced
  • a request from the Australian Government Department of Health and Ageing (DoHA) that the Review be conducted in light of changes to the health environment and
  • principles of good regulatory practice suggest that regulatory instruments should be reviewed at intervals of no more than 10 years.4

Terms of reference

The Review is a general review of all the provisions of the Guidelines.

The Office's purpose in reviewing the Guidelines is to ensure that the Guidelines, in their current form, achieve the intent of section 135AA of the National Health Act and are user-friendly in language, style and format.

Matters not included in the review

The Review has been limited to the Guidelines and is not a review of section 135AA of the National Health Act. It is not within the scope of the Review to make findings regarding this legislation.

If stakeholders have views on the enabling legislation for the Guidelines, then an appropriate forum may be the Australian Law Reform Commission's (ALRC) current inquiry into the Privacy Act and related laws.

Further information on the ALRC's inquiry can be obtained from the ALRC at www.alrc.gov.au, or by phone (02) 8238 6333 or TTY (02) 8238 6379.

Conduct of the review

The Privacy Commissioner encouraged agencies, organisations and the general public to participate in the Review in a number of ways, including:

  • a media and web announcement5 in November 2004
  • advertisements placed in national and local papers, health sector journals and other publications including:
    • the Health ICT News/Health ICT Headlines email bulletin,11 November 2004
    • Medical Observer 12 November 2004
    • the Australasian Epidemiological Association email bulletin,12 November 2004
    • the Weekend Australian, 13 November 2004
    • the Privacy Law Bulletin, 17 November 2004
    • the Brisbane Courier Mail, 18 November 2004
    • the Northern Territory News, 18 November 2004
  • directly inviting potential stakeholders to make submissions.

Issues Paper

To assist stakeholders in contributing to the review, the Privacy Commissioner released an Issues Paper on 8 November 2004.6

The Issues Paper raised a number of topics concerning the Guidelines. These included the health environment, information linkage and secondary uses of health information, the retention of claims information, as well as issues surrounding consent and access, community attitudes and the ease of use of the Guidelines.

Those matters raised in the Issues Paper were not intended to be exhaustive, but were intended to encourage submissions on a broad range of issues which it was felt may help to inform the Office's considerations.

Open forums

The Office conducted a series of open forums in all states and territories except Western Australia.7 Forums were held in 2004 in Brisbane (22 November), Darwin (25 November), Adelaide (29 November), Melbourne (7 December), Hobart (9 December), Canberra (14 December) and Sydney (15 December).

These forums were attended by representatives of the Australian, State and Territory governments, the private sector and individuals from the health sector, including, general practitioners, researchers, consumer advocates and members of the public.

Written submissions

The Privacy Commissioner received 35 written submissions to this review. Of these, three submitters requested that their names and or submission be treated confidentially. The remaining 32 submissions can be found on the Office's website.8 A list of submitters is at Appendix C.

Consultation group

At the end of the public consultation process, the Privacy Commissioner formed a consultative group to assist in considering issues raised in the review. This group consisted of the:

  • Australian Government Attorney-General's Department (AGD)
  • Australian Government Department of Health and Ageing (DoHA)
  • Australian Institute of Health and Welfare (AIHW)
  • Australian Medical Association (AMA)
  • Australian Privacy Foundation (APF)
  • Health Consumer's Council (WA) (HCC)
  • Health Insurance Commission (HIC) and
  • Caroline Chisholm Centre for Health Ethics (CCHE).

About this report

This report brings together the views of stakeholders expressed in submissions and public forums. The report's findings are drawn from an analysis of these views and from the Office's experience with the Guidelines.

Amendments to the Guidelines subsequent to this review would be given effect by way of an instrument lodged with the Federal Register of Legislative Instruments (FRLI). This Report does not alter the Guidelines as reviewed.

The Office will now proceed to write Guidelines that reflect the findings of this report. The Office will consult with Medicare Australia and the Department of Health and Ageing, which hold the information the Guidelines relate to, to ensure that there are no unintended consequences and to allow for any transitional arrangements.

Structure of this report

This report is structured around those Guidelines identified as being of key concern to stakeholders during the review. These are:

  • the separation of claims information collected under each benefit program (Chapter 3)
  • the circumstances under which claims information from each benefit program may be linked (Chapter 4)
  • the periods for which claims information may be retained (Chapter 5)
  • the use of claims information for medical and other research purposes (Chapter 6)
  • the handling of claims information by the Department of Health and Ageing that does not identify individuals (Chapter 7) and
  • the application of the Guidelines to agencies other than Medicare Australia and the Department of Health and Ageing (Chapter 8).

2. ABOUT THE GUIDELINES: PURPOSE AND LEGISLATIVE INTENT

Purpose of the Guidelines

The purpose of the Guidelines is to give effect to section 135AA of the National Health Act. The Guidelines provide specific standards and safeguards for the way individuals' Medicare and Pharmaceutical Benefits Scheme (PBS) claims information, when stored in computer databases, is handled by Australian Government agencies. These standards are in addition to any requirements that may be imposed by the Information Privacy Principles (IPPs) contained in section 14 of the Privacy Act.

The primary objectives met by the Guidelines concern ensuring the separation of claims information made under each of the Medicare and PBS benefits programs, as well as establishing the circumstances under which this information may be linked. The Guidelines also prescribe periods of time for which claims information may be retained in various forms.

Information covered by the Guidelines

Section 135AA(1) prescribes that the Guidelines apply to information that:

  1. is information relating to an individual; and
  2. is held by an agency (whether or not the information was obtained by that agency or any other agency after the commencement of this section); and
  3. was obtained by that agency or any other agency in connection with a claim for payment of a benefit under the Medicare Benefits Program or the Pharmaceutical Benefits Program.

Significantly, the Guidelines apply to Medicare and PBS claims information whether or not an individual's identity is apparent or can be readily ascertained. This is discussed further under 'Meaning of claims information' at page 65.

Obligations imposed by the Guidelines

The Guidelines prohibit the claims information from each of the Medicare and PBS benefits programs being stored on the same database. However, the Guidelines do not require that the Medicare and PBS claims information must be kept on separate computers.

The Guidelines are legally binding.

At the time they were made, the only relevant agencies to which the Guidelines applied were the Health Insurance Commission (HIC) (now Medicare Australia) and the Department of Health, Housing, Local Government and Community Services (now, the Department of Health and Ageing (DoHA)).

Applications of the Guidelines to Medicare Australia

In 2005, the HIC became Medicare Australia. This was given effect by the Human Services Legislation Amendment Act 2005, which established Medicare Australia and amended other legislation accordingly. Section 717(1) of the Amendment Act provides that if an instrument is in force immediately before the commencement time and the instrument refers to the HIC, then the instrument continues to have effect from the commencement time as if the reference to the HIC is a reference to the Medicare CEO.

In its discussion of issues and in its findings, this report uses the agency's new nomenclature, Medicare Australia. However, when directly citing from the current Guidelines or quoting submissions, "HIC" is used.

Part A of the Guidelines regulates certain acts and practices regarding the handling of claims information by Medicare Australia.

Medicare Australia is a statutory authority responsible for administering many health programs, including Medicare, and for the processing, payment and recording of information associated with claims under the PBS and Medicare Programs (see, www.medicareaustralia.gov.au). Medicare Australia describes its functions as including monitoring possible fraud and over servicing practices.

Medicare Australia provides copies of Medicare and PBS claims information to DoHA on a daily basis. Importantly, this information does not contain information that would allow the identification of the individual about whom the information relates. This is sometimes referred to as 'de-identified' data (the meaning of 'de-identified' is discussed further at page 63).

The Office understands that Medicare claims information held by Medicare Australia includes:

  • the name and address of the individual
  • the name of the provider (for example, the doctor or hospital) and the provider's Medicare Australia number and ABN number
  • the item number, that being the number that identifies the type of service provided (this can also include a general description of the service, such as "Level B surgery consultation")
  • the cost of the service
  • the date the service was provided and
  • whether the service has been paid for.

PBS claims information held by Medicare Australia includes:

  • the name and address of the individual
  • Medicare number
  • information about the prescription, including the date it was written and issued, the item number, the type of script, quantity, dosage and any repeats
  • the prescribing doctor
  • the pharmacy supplier and
  • the patient contribution to the cost of the script.

Medicare claims information is not stored by the individual's name or Medicare card number, but by a Medicare PIN (Personal Information Number) generated internally by Medicare Australia. The creation of this PIN is permitted by the Guidelines for the purpose of handling claims information. Under the Guidelines, the PIN is a unique number for each individual, and is not generated from the individual's Medicare card number, address or date of birth.

Key Guidelines that apply to Medicare Australia include:

  • Guidelines 1.1 and 1.2 - require Medicare and PBS claims information to be stored in different databases (although the Guidelines do not prevent them from being stored on the same computer)
  • Guideline 1.4 - sets down the exceptional circumstances in which Medicare Australia may 'link, compare or combine' claims information from the two databases
  • Guideline 1.5 - prohibits data-matching between the two databases
  • Guidelines 1.6, 2.1, 2.3 & 2.4 - regulate the creation, use and disclosure of an internal PIN which Medicare Australia uses to identify claimants under the two programs
  • Guideline 3.1(a) - requires Medicare Australia to destroy any linked information sets within 3 months (subject to prescribed exceptions)
  • Guideline 3.1(b) - requires Medicare Australia to destroy its claims information after five years except in limited circumstances
  • Guideline 4.1 - permits Medicare Australia to obtain from DoHA, for specified purposes, 'old' claims information (that is, older than five years) and
  • Guideline 4A - permits the disclosure of identified claims information for medical research where the individual has given free and informed consent, or where the disclosure is done in accordance with the guidelines issued under s.95 of the Privacy Act.9 In both cases, the disclosure must conform with the relevant secrecy provisions of Medicare Australia's own legislation.10

Guidelines applying to the Department of Health and Ageing (DoHA)

Part B of the Guidelines apply to DoHA, which holds copies of Medicare and the PBS claims information that has been stripped of "personal identification components".11 This information includes, for example, the type of consultation service and the provider's name, as well as an encrypted form of the Medicare Australia PIN.

Medicare Australia provides regular updates of this information to DoHA. This information is described as "de-identified" in the Guidelines, a term not defined in either the Guidelines or section 135AA.

DoHA uses the claims information to assist with policy development, to review programs, for research purposes, to report on health system performances and to survey health trends.

DoHA discloses this claims information in aggregated form (the combined statistics about many individuals brought together for a particular purpose but which do not identify any particular individual) unless otherwise authorised by the secrecy provisions of the National Health Act, including where disclosure is considered "necessary in the public interest".12

DoHA's practices in regard to claims information stored without Personal Identification Components are not covered by the IPPs. This is because such information would not fall within the definition of 'personal information' provided in section 6 of the Privacy Act. However, for reasons explained later in this report, the handling of claims information held by DoHA is regulated by the Guidelines.13

Key Guidelines that apply to DoHA are:

  • Guideline 5.1 - allows DoHA to use claims information stripped of its "personal identification components" (referred to as "de-identified" in the Guidelines), in ways permitted by the Secretary of DoHA
  • Guideline 5.2(b) - prevents DoHA from permanently combining information from each database, with a PIN, on the same database. (This is a further means of ensuring the separation of the Medicare and PBS claims information databases) and
  • Guideline 6 - provides that DoHA may get the combination of name and PIN from Medicare Australia, thus allowing DoHA to re-identify the de-identified Medicare and PBS information that it holds in certain limited circumstances, and sets out the rules which apply when DoHA undertakes this activity.

What the Guidelines do not cover

Section 135AA(2) expressly excludes from the Guidelines, information that:

  • identifies providers of services (for example, information about a particular doctor or private hospital is not covered by the Guidelines) or
  • is part of the "eligibility" or "entitlement" databases or
  • is information which is not stored in a computer database.14

Legislative intent underpinning the Guidelines

Guidelines issued under section 135AA must give effect to the provisions of section 135AA.

As part of this review, it has been necessary to reflect on the legislative intention of section135AA that underpin the Guidelines and the policy objectives of that section.

History of the Legislation

1989 Proposal for HIC on-line concession eligibility checking

In 1989, HIC set out a "Strategy Proposal for the Management of the Pharmaceutical Benefits Program". The strategy proposed that all pharmacists be connected on-line to the Medicare Australia computer system and that Pharmacists' claims for reimbursement be assessed at the time of dispensing. Some patient identification would be necessary to permit checking of a patient's eligibility for a full or part concessional payment. This meant that a person applying for concessional benefit would need to produce the entitlement card issued by the Department of Social Security (as it was at that time).

Privacy concerns surrounding the proposal

Amongst other issues, a number of privacy concerns were raised by health providers, the Privacy Commissioner and the public. These concerns included:

  • the routine bulk transfer of information between several different departments
  • the sensitive nature of the information collected in the Medicare and Pharmaceutical Benefits programs and the fact that the same agency administers both programs and so has control of two databases of sensitive information which contain information about almost all Australians
  • pharmacists not being subject to the strict confidentially laws that apply to public servants
  • the possibility of pharmacists and staff sighting irrelevant personal information held by government
  • tension and conflict that would inevitably arise between pharmacists and patients and the essentially public nature of pharmacies leading to exchanges about personal circumstances which could be overheard by others
  • concern that alternative methods of achieving the estimated savings (such as improving the integrity of eligibility cards) had not been investigated as an alternative solution
  • the proposed system being seen as unworkable and insensitive to community needs (for example if medication is needed urgently but the patient was unable to produce a card)
  • concern about the impact of widespread eligibility checking by computer, on the relationship between health professionals, pharmacists and patients and the associated encroachment of bureaucracy into that relationship
  • concern about a computer link between the HIC and all pharmacists; and
  • the amount of data stored by the HIC.15

In light of these and other concerns, the Government decided that the proposal would not proceed and that privacy concerns would be considered before re-visiting any similar proposal.

1990 Pharmaceutical Benefits Scheme on-line proposal

In 1990, the Government announced new proposals for changes to the Pharmaceutical Benefits Scheme (PBS) including a system of on-line interactive checking of eligibility for pharmaceutical benefits, changes to the safety net threshold, the use of the Medicare card as a primary means of identifying entitlement, and the introduction of electronic lodgement for Pharmaceutical Benefits claims by pharmacists.

Introduction of section 135AA

The Health Legislation (Pharmaceutical Benefits) Amendment Bill 1991 was introduced to Parliament to implement the Government's 1990 PBS on-line proposal.

Following debate, the Bill was amended during parliamentary consideration to provide that:

  • the interactive eligibility scheme could not come into effect until after the Auditor-General and the Department of Finance had reported to Parliament on the savings estimates of the changes;
  • the savings identified by the Auditor-General and Department of Finance could not be obtained through other similarly or less intrusive eligibility checking systems; and
  • the amendments could only come into effect after the Privacy Commissioner had issued privacy guidelines for the conduct of the Medicare and PBS programs.

The last of these amendments led to the enactment of sections 135AA and 135AB of the National Health Act.

In his second reading speech for this bill, the then Minister for Aged, Family and Health Services noted that it was the right of the Government to protect taxpayers' money by "providing that only those eligible to receive benefits do in fact receive them".16

The Minister went on to respond to privacy concerns raised by the proposals:

"This Government is committed to ensuring that Australians are protected from misuse of personal data collected in the course of the administration of Government programs."

The report produced by the Auditor-General and the Department of Finance17 concluded that the original cost savings estimates for the online checking proposal were significantly overstated and the review could not identify an alternative means of making those savings. The proposals surrounding the PBS and entitlement checking did not proceed.

However, in recognition of the inherently sensitive nature of the Medicare and PBS claims information, the provisions for the Medicare and PBS Guidelines remained.18 While the online checking system did not proceed, sections 135AA and 135AB were enacted in recognition of the need to protect the large quantity of sensitive information held in the two databases of PBS and Medicare claims information.

The intent of these sections was to ensure that Government did not retain complete and identified Medicare and PBS claims histories in a single database and that any linkage of that information was very restricted.

1993 amendments to section 135AA

Once enabling legislation was enacted, the issuing of the Guidelines was delayed pending amendments to section 135AA.19

These amendments were made in response to a 1992 report to Parliament from the then Privacy Commissioner, Kevin O'Connor, which noted that section 135AA (as enacted in 1991) may have had the unintended consequence of requiring the permanent "de-identification" of claims information in a way which made it impossible to later establish the identity of any particular person to whom the information related.20 Commissioner O'Connor specifically argued that permanent de-identification may unreasonably:

  • hinder patient follow-up when side effects of a drug become known
  • mean some information would not be available to Parliamentary committees of inquiry, Royal Commissions and coronial inquests
  • hinder research into long term effects of drugs.

Accordingly, the Commissioner explained that he was "…persuaded by the argument that a capacity to re-identify data can be valuable in undertaking a variety of inquiries and public health projects".

In response to the Commissioner's report, the National Health Amendment Act 1993 (No. 28) was enacted to:

"…to clarify doubts concerning the interpretation of the existing provision identified by the Privacy Commissioner in his report to Parliament dated 28 May 1992."21

One aim of the Act was also to restrict the scope of the Guidelines to information held in databases, as it was determined that the privacy concerns were primarily related to information held electronically, and to exclude information concerning providers of health services.

Legislative intent of section 135AA

In the second reading speech for the National Health Amendment Bill 1993, Dr Andrew Theophanous (then Parliamentary Secretary to the Minister for Health) explained that the function of the section is to require:

"…that information obtained from claims for medical benefits must be stored in a separate database from information obtained from claims for pharmaceutical benefits, and prohibits linkage of such information except in the way specified in the guidelines."22

Mr Christopher Haviland, the former member for Macarthur, during debate on the same bill, pointed to the need:

"…to ensure that legitimate privacy principles are balanced against the public interest, particularly in relation to the possible misuse of public money".

Mr Haviland went on to argue that the purpose of the amendment was:

"…to clarify privacy provisions to ensure that legitimate privacy concerns of individuals are protected while enabling government agencies, in this case, the Health Insurance Commission, to adequately safeguard against fraud and misuse of taxpayers' money".23

It is noteworthy this bill generally received bipartisan support, with members from both the Government and opposition speaking to the importance of ensuring the privacy of this information.24

Balancing privacy and the protection of public funds against fraud

Any amendments to the Guidelines must comply with the requirements of the legislation and be consistent with Parliament's underlying intention.

Accordingly, to be consistent with this intent, the Guidelines must ensure a functional separation of the two databases, with linkages of the data permitted only in exceptional circumstances. This principle is codified in Guideline 1.1, which establishes that:

Medicare claims information and Pharmaceutical Benefits claims information must not be held on the same database. Procedures must not be established which permit claims information from either of these programs to be linked, merged or combined, other than in the exceptional circumstances listed in Guideline 1.4.

It is notable that debates and the second reading speech point to a narrow range of purposes for which it was envisaged the information would be used, primarily to do with reducing fraudulent claims and other forms of overpayment against the Medicare and PBS programs. Uses beyond this would require clear and compelling justifications.

The fact that it is the Privacy Commissioner who issues statutory guidelines underlines a Parliamentary concern to ensure the protection of the privacy of individuals who make claims under the Medicare or PBS programs.

Other legislation relevant to the handling of Medicare and PBS claims information

The Privacy Act

The Privacy Act regulates the handling of personal information by most Australian government agencies including the personal information collected by Medicare Australia and DoHA.25 Personal information is defined in section 6 of the Privacy Act as meaning:

"…information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."

Regulation of agencies' personal information handling practices is primarily provided by 11 Information Privacy Principles (IPPs) in section 14 of the Privacy Act. The IPPs regulate the way Australian government agencies collect, use and disclose personal information, as well as how records containing personal information are stored and secured. The IPPs also provide individuals with rights to access and, where necessary, correct personal information held about them by agencies.26

The IPPs co-exist with the Guidelines, with the Guidelines providing additional, specific rules for the handling of Medicare and PBS data. For example, unlike the Guidelines, the IPPs do not expressly regulate the linking, comparing or combining of records or information from databases, nor do they prescribe the length of time personal information can be retained by agencies.

In addition, as discussed at page 65, the meaning of information for the purposes of the Guidelines is broader than the meaning of "personal information" under the Privacy Act. Accordingly, in certain circumstances, the Guidelines regulate acts and practices that cannot be regulated by the IPPs.

Where Parliament requires additional privacy regulation, such as statutory guidelines, to address specific privacy concerns, such regulation will almost invariably be more restrictive than the general Information Privacy Principles that apply to all personal information held by most Australian Government agencies.

Statutory secrecy provisions

As well as the obligations under the Privacy Act and the Guidelines, Medicare and PBS claims information is subject to other legislative provisions which limit how they may be handled.

The secrecy provisions of the Health Insurance Act 1973 (Health Insurance Act) and the National Health Act prescribe the handling of personal information collected in the course of the activities of both Medicare Australia and DOHA.

Under these provisions, section 130 of the Health Insurance Act and section 135A of the National Health Act, staff of the two agencies are generally prohibited from disclosing personal information to a third party, except under prescribed circumstances and with the permission of a delegated person who has the authority to release the information. Such circumstances include where the release of personal information is deemed as being necessary in the public interest.

The Guidelines act to limit the scope of the disclosures that are permitted under the secrecy provisions. Section 130 of the Health Insurance Act and section 135A of the National Health Act permit specific disclosures of information subject to certain exceptions. The Guidelines can limit the permissible disclosures under the secrecy provisions, however the Guidelines do not act as a source of power to permit disclosures that would not be permitted under the secrecy provisions.

Alignment with National Privacy Principles and proposed National Health Privacy Code

This Review has also considered the evolution of regulatory standards around health information privacy and disclosures. In particular, the National Privacy Principles (NPPs) in the Privacy Act and to a lesser extent, the provisions of the proposed National Health Privacy Code (NHPC).27 These developments address the special issues that arise when personal health information is collected and used in various ways. While it may be desirable in some respects, to better align the protections afforded to claims data with other law, such as the NPPs, or potential law, such as the proposed NHPC; it is important to note that the intent of the Guidelines is to provide specific protections to information held in a particular context. Principle-based regulation, such as under the proposed NHPC may not achieve this. It is also important to note that the proposed NHPC has not been implemented by jurisdictions.

The issue of alignment is considered in greater detail on page 34.

3. GUIDELINE 1.1 CONCERNING THE SEPARATION OF THE CLAIMS DATABASES

Law & Policy

It is an express requirement of section 135AA of the National Health Act that the Guidelines be made to ensure the separation of the Medicare and PBS claims databases.

Sections 135AA(5)(d) states:

(5) So far as practicable, the Guidelines must

…

(d) prohibit agencies from storing in the same database:

  1. information that was obtained under the Medicare Benefits Program; and
  2. information that was obtained under the Pharmaceutical Benefits Program;

…

Guideline 1.1 gives effect to this legislative direction by providing that:

Medicare claims information and Pharmaceutical Benefits claims information must not be held on the same database. Procedures must not be established which permit claims information from either of these programs to be linked, merged or combined, other than in the exceptional circumstances listed in Guideline 1.4.

Guideline 1.1 only applies to Medicare Australia. The Review has considered whether a guideline should be made giving general effect to section 135AA(5)(d) to all agencies, and this is discussed later in this report at page .

Meaning of "so far as practicable"

In its submissions, the Department of Health and Ageing (DoHA) recognises that the Review is not intended to examine the enabling legislation. It submits that consideration, nonetheless, could be given to whether the expression "so far as practicable" in section 135AA(5) allows scope for the Guidelines to widen the present circumstances under which Medicare and PBS claims information can be held on the one database. For example, DoHA has offered the view that the linking of claims information could be adequately and practicably dealt with by simply incorporating the requirements of the Privacy Act into the Guidelines.

The Office is of the view that the term "so far as practicable" refers to the feasibility of using the Guidelines to achieve the objectives set out by the legislation, rather than what "is practicable" for any party affected by the Guidelines. For example, it may not be practicable to draft Guidelines that prescriptively regulate the minutiae of various processes that occur when claims information is linked.

In regard to Guideline 1.1, however, it is practicable for the Guideline to give effect to the clear and express requirement of section 135AA(5)(d). Further, as the provision is drafted without allowance for any exceptions, there would appear to be no discretion to alter the requirement that claims information be kept on separate databases.

Distinguishing between primary and secondary databases

Medicare Australia has sought to distinguish between forms of databases by submitting that the Privacy Commissioner clarify that the Guidelines "do not apply to subsidiary databases that are used to protect privacy and security". The clarification, suggests Medicare Australia, "…would have the effect of limiting the operation of the section to the claims database (that contains the patient history) but still allow essential administrative functions (some of which are aimed at ensuring information security anyway) to be performed using transactional information in log files and payment files that record e-business transactions."

Section 135AA(11) of the National Health Act defines database as "a discrete body of information stored by means of a computer". It does not seem possible to draw a distinction between 'primary' and 'subsidiary' databases.

Options for reform

As the separation of the databases is a legislative requirement, this Guideline cannot be amended to change its effect.

Submissions on datalinking are discussed in subsequent chapters.

Findings

1. It is a statutory requirement that the Privacy Commissioner make a Guideline requiring the separation of Medicare and PBS claims information and the Guidelines cannot be amended to allow claims information to be stored in a combined form.

4. GUIDELINE 1.4 CONCERNING MEDICARE AUSTRALIA LINKAGES OF CLAIMS INFORMATION

Law and Policy

It is a requirement of section 135AA that the Privacy Commissioner make Guidelines that prohibit the linkage of Medicare and PBS claims information.

Section 135AA(5)(e) says:

(5) So far as practicable, the guidelines must:

…

(e) prohibit linkage of:

  1. information that is held in a database maintained for the purposes of the Medicare Benefits Program; and
  2. information that is held in a database maintained for the purposes of the Pharmaceutical Benefits Program;

unless the linkage is authorised in the way specified in the guidelines.

Section 135AA(5)(e) should be read in context with section 135AA(5)(d) which prohibits agencies from storing Medicare and PBS claims information in the same database.

The distinction between 'linking' information and 'storing' information in a single database is significant. The Office interprets the concept of linkage, for the purposes of section 135AA, as being the creation of a relationship between information on an episodic and impermanent basis. In contrast, to combine information for a long or permanent period of time can be seen as storage of information in a single source, something that section 135AA requires to be proscribed.

Guideline 1.4 specifies the ways in which the Medicare and PBS claims information can be linked by Medicare Australia:

1.4 The HIC may link, compare or combine records or information from either database relating, or expected to relate, to the same patient in the following circumstances:

  1. for internal use where that use is:

    authorised or required by law, and is reasonably necessary, in a specific case or in a specific set of circumstances, for the discharge of HIC's statutory responsibilities in relation to the enforcement of the criminal law or of a law imposing a pecuniary penalty or for the protection of the public revenue; or

  2. for the purpose of external disclosure:

    in a specific case or specific set of circumstances where that disclosure is required by law; or

    in the specific circumstance of Coordinated Care Trials conducted by the Department between October 2000 and April 2004, where the individual who is the subject of the information has given his/her express and informed consent in writing; or

  3. for the purpose of determining an individual's eligibility for a benefit under one program, where eligibility for that benefit is dependent upon services provided under the other program; or

  4. where the HIC believes on reasonable grounds that the linkage is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

Submissions on extending permitted information linkages

A number of submissions cited examples of linkage activities that could benefit either individuals or the community in general. Such submissions point to the potential value of linked claims information, while also recognising the need for the protection of the privacy of personal information (including, the Australian Institute of Health and Welfare (AIHW) (28) and National Prescribing Service Ltd (NPS) (21)).

NPS (21) submits that the linking of claims information, and other datasets, could facilitate the creation of a large pharmaco-epidemiological database and that "[t]his type of surveillance has important public health and safety consequences for the community".

The South Australian Department of Health (3) argues for the importance of using de-identified health information for research and evaluation, though also submits that the community may have concerns about such uses. It says that community awareness and education campaigns may have value in addressing such concerns. This is a view shared by others, including the Australasian Epidemiology Association (AEA) (8).

GlaxoSmithKline (4) agrees that the linkage of de-identified information would be of considerable use to researchers and industry, which, it argues, have the same interest in improving health outcomes as Government health departments.

The Council for Pharmacy Registering Authorities (COPRA) (10) argues that the linkage of information from the Medicare and PBS claims databases "…potentially provides a uniquely powerful database for statistical research linking the incidence of medical treatment with changes in medicine and supply". It further argues that this research would benefit public health and Government expenditure on pharmaceuticals and the health system.

It is not always clear from submissions whether it is the Guidelines, or some other factor or combination of factors, which is responsible for inhibiting various proposed linkages. It is not always clear whether Guideline 1.4 alone is an obstacle to realising possible benefits to the community.

Submissions on limiting information linkage

Consumer groups such as the Australian Federation of AIDS Organisations (AFAO) (12) and the HIV/AIDS Peer Advisory Network (HAPAN) (33) have submitted that it is necessary to strengthen the protections afforded to sensitive health information, including by limiting the uses to which it may be put.

Submissions which saw no need for change included those from the Australian Attorney-General's Department (AGD) (16), which submits:

"If the number of circumstances in which linkages are authorised by the Guidelines increased, it may render paragraph 135AA(5)(d) ineffective. The purpose of paragraph 135AA(5), to minimise the chances of data being cross-matched, would be nullified if the Guidelines allowed linkages to be made in an expanded number of situations."

The Australian Medical Association (AMA) (11) questions whether claims information is fit for many of the proposed purposes. For example, it submits that claims information would not provide adequate or reliable information for the purposes of assessing the effectiveness of a particular drug, or for monitoring treatment or equipment. This view is supported by the Caroline Chisholm Centre for Health Ethics (CCCHE) (2) and the Australian Nursing Federation (ANF) (12).

The AMA (11) also submits that the information is not required for adverse drug monitoring, which is currently the responsibility of the Adverse Drug Reactions Monitoring Advisory Committee, an argument also offered by the CCCHE (2), which submits that Medicare and PBS claims information "…would lack detail to make causal claims".

The ANF (12) expresses similar doubts regarding a range of secondary uses:

"It is difficult to see how the Medicare data would contribute meaningfully (even with linkage to the PBS data) to the secondary uses suggested in the discussion paper. In addition to the concerns above, the Medicare data is not qualitative, contains no diagnostic information, and has limited clinical value. In some instances eg adverse drug reactions and drug effectiveness, other, more accurate means are available to collect the data in a more timely manner."

Both the AMA (11) and the APF (29) submit that many of the proposed uses or linkages are currently achievable under the Guidelines, including the disclosure of identified claims information under Guideline 4A for medical research, and the disclosure of de-identified information under Guideline 5. The ANF concurs with this view, arguing:

"It is also apparent that the Guidelines in their current form do allow for the use of linked data for specific purposes."

Consent to link for access

A number of submissions responded to the Issues Paper in discussing whether an individual should be able to consent to the linking of their own claims information. Under the current Guidelines, an individual cannot consent to their Medicare and PBS information being linked and provided to them in a single report. Rather, when an individual requests information from the databases, it is provided in two separate reports.

Medicare Australia (7), DoHA (35), Australian Divisions of General Practice (ADGP) (26), and the AMA (11) submitted that the individual may benefit from having access to their claims information by means of a single report or printout from the PBS and Medicare databases. The South Australian Department of Health (3) provided qualified support to the individual being able to consent to the linking of their own claims information for the purpose of their own access.

The AFAO (12) says that it would be desirable if the Guidelines could be altered to enable consumers to consent to the linking of their own information so that they could receive a single summary. AFAO says this should occur with the fully informed consent of the consumer and the summary information should not be stored or distributed to third parties except as agreed to by the consumer.

In contrast to these views, the Australian Privacy Foundation (APF) (29) considers that the suggestion that an individual cannot consent to their Medicare and PBS information being linked and provided to them in a single report and that this hinders their ability to easily and conveniently access their full claims information "a complete furphy". There is no reason, says the APF, why Medicare Australia cannot design its processes for responding to access requests to give the "results" of the two enquires in one combined response.

This is considered further at Option 2.

Consent to link for provision of a health service

An individual may benefit in terms of their treatment, if their health service provider has access to their linked data. For example, Pharmaceutical Health and Rational Use of Medicines (PHARM) (6) has strongly advocated the value of linked datasets for the individual's treatment, arguing that in a clinical context, separating "…medical and prescription databases is like separating treatment notes from diagnostic information within a hospital record". According to PHARM (6), this would enable the health service provider to gain an accurate picture of the individual's treatment and prescription history. It could also ensure that quality health outcomes were not denied to people with disabilities.

This is considered further at Option 3.

Risks surrounding broad-based consent for health service provision

Giving consent to the way personal health information is handled is one way in which individuals maintain a degree of control over their privacy. The key elements to consent are that it must be voluntary, the individual giving consent must be adequately informed and they must have the capacity to understand, provide and communicate their consent.28

In 2000, the Office considered the implications of the Guidelines incorporating a consent mechanism when reviewing Guideline 1.4 for the purpose of the Coordinated Care Trials. A broad consent mechanism may create a heightened risk that individuals may not be fully informed as to what it is they are consenting to. Alternatively, such a model may introduce a risk of "bundled consent", that is the bundling together of consent to a wide range of uses and disclosures of personal information without giving the individual an opportunity to choose which uses and disclosures they agree to and which they do not. Accordingly, the Office declined such a consent mechanism.

Coordinated Care Trials

Guideline 1.4(b) was amended in 2000 to insert a second exception for Coordinated Care Trials. This exception permitted Medicare Australia to disclose linked information from the Medicare and PBS databases with the individual's "express and informed consent". The exception was limited to "the specific circumstance of Coordinated Care Trials conducted by the Department between October 2000 and April 2004".

The disclosures of linked information were necessary to obtain an individual's complete health picture for the purposes of testing a new system of managing health care for people with multiple or complex care needs.

The AMA (11) submitted that as the Trials were to be completed by the end of 2005, this Guideline should be deleted.

The views of the Consultation Group were sought to obtain further information about the Trials and any further need for the second exception to Guideline 1.4(b). Both Medicare Australia and DoHA advised that the Trials were to conclude in 2005, but that for evaluation purposes and for contractual reasons the linked participant information would be retained for a further two years.

This matter is discussed further at Option 4.

Medicare Australia submission regarding information linkage and disclosures

Medicare Australia submits that, in the interests of ensuring privacy protection, 'clear principles' should be used which require either the provision of consent or the use of 'unidentifiable data wherever possible'.

Medicare Australia (7) recommends that:

"Linkage, comparison or combination of Medicare and PBS claims data should be allowed in accordance with principles similar to those incorporated in proposed National Health Privacy Principle 2 (NHPP2) of the proposed National Health Privacy Code and the National Privacy Principles included in the Privacy Act. These allow for the secondary use of information:

  • with the individual's consent;
  • if the output from the linkage is reliably de-identified; or
  • in other cases only when the use of identifiable information is necessary, restricted to a minimum, and justified in public safety terms, or when specifically sanctioned by other law; and
  • with the approval of an appropriate governance process."

This proposal is considered as Option 5.

DoHA submission regarding information linkage and disclosures

In regard to the linking of claims information, DoHA (35) supports linkage by Medicare Australia for the purpose of facilitating an individual's access to claims information. Further, DoHA submits that Medicare Australia should be permitted to use and disclose identified Medicare and PBS claims information for secondary purposes "in accordance with arrangements agreed with DoHA" and only undertaken with:

  1. consent and an independent review process or
  2. compliance with Guidelines under section 95 or 95A of the Privacy Act.

In the course of its discussion on the secondary uses of the Medicare and PBS claims data, DoHA refers to the information sets held by Australian, State and Territory governments and to the potential richness of the information that would emerge if these sets are linked. DoHA envisages the creation of a "…longitudinal whole of treatment view …of the health services received by each individual, available for productive analysis by researchers."

This proposal is considered as Option 6.

Australian Bureau of Statistics submission regarding increased secondary uses

The submission from the Australian Bureau of Statistics (ABS) (32) limits itself to "…issues covered by the ABS role, namely the use of the data for statistical purposes."

The ABS describes two examples of how Medicare and/or PBS claims information can be linked with ABS survey unit record data. It goes on to argue:

"The opportunity for richer datasets and statistical output of increased analytical value without imposing additional reporting workload on the community is the key driver for such change."

The ABS submits that the Guidelines prevent it from obtaining identified claims information in either unit or linked form. The ABS notes that Guideline 1.4(b) does not include a provision that would permit Medicare Australia to provide it with linked claims information. Further, Guideline 4A limits the release of identified information to medical research, whereas the ABS may seek to the use the claims information for social and other forms of research.

As an alternative to legislation, the ABS recommends the extension of Guidelines 1.4(b) and 4A to include statistical research, subject to the general constraints that underpin the Guidelines. These would include a reference group to determine the public interest in disclosures for statistical research, legislative secrecy constraints and an emphasis upon transparency.

This is considered further at Option 7.

Options for review of Guideline 1.4

Option 1: No change

The intent of Parliament in enacting section 135AA was that claims information should not be linked by agencies other than in exceptional circumstances. There is a lack of consensus in the submissions regarding whether the Guideline should permit greater information linkage for uses other than the reason the information is collected and stored. While there may be useful purposes for which claims information could be linked, it is not clear that permitting these linkages would be consistent with the intent of the section to maintain the functional separation of the Medicare and PBS data.

The Office also notes that at least some of the suggested linkages could be performed under the current Guidelines. However, the Office sees merit in some amendments being made as discussed in the options below.

Option 2: Individual consent to link claims information for access

The Office recognises possible merit in the Guidelines allowing an individual to obtain a copy of their linked Medicare and PBS claims information from Medicare Australia, even though individuals currently have a right of access to this information in unlinked form. While submissions do not provide strong evidence of the benefits of this, it may be convenient for the consumer to receive a single consolidated record.

Overall, this option has received support during the review. The only concern has been whether the option could be abused. The AMA points to a risk of insurance companies requiring individuals to supply copies of their linked claims information as a condition of providing the individuals with insurance cover.29 However, the risk would be marginal, as insurance companies (or any party) could equally require the individual to supply copies of Medicare and PBS records in unlinked form.

While the benefits to the individual are marginal (that is, individuals can already access their information separately), the risks of such a provision do not appear to be significant. The Office sees merit in this Option.

Option 3: Individual consent to link information for the provision of a health service

The Office recognises that there may be merit in the individual being able to give express consent to the linking of their claims information for purposes which are directly related to the provision of specific health services. However, it is not clear whether, on balance, such a provision is warranted or necessary given the risks that such an option may entail and given a health service provider may already access health information and perform such linkage themselves if it is required.

The Office was informed by a number of submissions that pointed to the risks of a broad-based consent mechanism. In general, allowing an individual to consent to linkage for a wide range of purposes could promote routine linkages in a way which departs from the legislative intention to limit linkages to exceptional circumstances. Further, there are potential risks surrounding limited consent options, in that it is possible that an individual may be subject to "bundled consent" or other pressures which could be inconsistent with giving voluntary consent.

As individuals already have access to claims information, on balance, the benefits of being able to consent to linkage for provision of a health service, do not appear to outweigh the risks that a broad consent mechanism could be misused in the ways suggested above and would depart from the legislative intention to limit linkages.

Option 4: Coordinated Care Trials

DoHA has advised the Office that this Guideline has not been drawn upon, as any linkage has been done by private sector providers, rather than by an agency. In the Office's view, a guideline should only be made where it serves a clear regulatory function either by imposing additional regulation or by clarifying or consolidating obligations established elsewhere.

As the Guideline has not been necessary, its retention is not required. Therefore, the second exception to Guideline 1.4(b) will be deleted.

Option 5 Medicare Australia submission regarding aligning the Guidelines with the protections of the NPPs and proposed National Health Privacy Code

It has been submitted that the linkage of Medicare and PBS claims information by Medicare Australia should be allowed in accordance with principles similar to those incorporated in National Health Privacy Principle 2 (NHPP 2) of the proposed National Health Privacy Code (NHPC) and the National Privacy Principles included in the Privacy Act. It is noticeable that both the NPPs and proposed NHPPs provide for a wider range of uses and disclosures than the current guidelines.

In considering this view, it should also be noted that the proposed NHPC has not been implemented.30 In this regard, it would be inappropriate for the Office to give legal effect to the proposed NHPC before it has been implemented in either the Commonwealth or any state or territory jurisdiction.

More significantly, the Office notes that the purposes for which health information may be used or disclosed under the proposed NHPP 2 include:

  1. disclosure to a health service provider, without consent, for the purpose of providing health services
  2. disclosure to a health service provider, without consent, for the funding, management, planning, monitoring, improvement or evaluation of health services
  3. disclosure to a health service provider, without consent, for training purposes and
  4. use or disclosure where required or authorised, whether expressly or impliedly, by law.

The relevant equivalent principle in the Privacy Act is National Privacy Principle (NPP) 2, which is similar, though not identical, to proposed NHPP 2.

An alignment between the Guidelines and either the NHPPs or NPPs would increase the permitted uses and disclosures of linked claims information beyond what is currently permitted. For example, provision d) above would seem to impose a lower test than that in Guideline 1.4(b) (where a disclosure must be required by law), or Guideline 1.4(a) where a use may be authorised by law, though not impliedly.

Section 135AA(1)(e) prohibits linkage of the claims information unless it is authorised in the way specified in the Guidelines. Medicare Australia is proposing that the Privacy Commissioner's discretion be exercised so as to authorise a much broader range of permitted linkages than currently exists.

The range of linkages envisaged by this option does not sit comfortably with the intent of section 135AA, including that the information in question should be afforded protections in addition to those offered in the Privacy Act.

Further, the scope of the discretion available under section 135AA(5)(e) to permit information to be linked, should be read in conjunction with the express (though not absolute) prohibition against linkages contained in that paragraph and with the clear legislative intent to keep separate the databases, as required by section 135AA(5)(d). As to the appropriate standard of protection to be observed when authorising information linkages under the Guidelines, there is no reason to depart from the reasoning provided by a previous Privacy Commissioner in a report made to Parliament on the implementation of section 135AA.31

"[The Guidelines] will almost invariably be more restrictive than the general Information Privacy Principles that apply to all personal information held by Federal agencies".

It is reasonable to infer then, that linkages of claims information for purposes not directly related to the purpose of collection ('secondary purposes') should be authorised under the Guidelines only in special or exceptional circumstances.

Further, it should be noted that section 29 of the Privacy Act requires the Privacy Commissioner, in the performance of his or her functions, and the exercise of his or her powers, to amongst other things:

(d) ensure that his or her directions and guidelines are consistent with whichever of the following (if any) are relevant:

  1. the Information Privacy Principles;
  2. the National Privacy Principles;
  3. the Code of Conduct and Part IIIA.

As the handling of personal information by agencies is regulated by the Information Privacy Principles, it is arguable that making Guidelines that regulate agencies in a manner less restrictive than the IPPs (for example, by importing the provisions of the NPPs or proposed NHPC) would result in an inconsistency with section 29. As such, the Office is not inclined to pursue this Option.

Option 6: DoHA submission regarding information linkage and disclosures

DoHA has submitted that Medicare Australia should be permitted to use and disclose linked identified Medicare and PBS claims information for secondary purposes "in accordance with arrangements agreed with DoHA" and only undertaken with:

  • consent and an independent review process or
  • compliance with Guidelines under section 95 or 95A of the Privacy Act.

This option could provide a framework for broader secondary uses of linked claims information which would be in the public interest, while also respecting the individual's interest and providing a form of supervision of the release of the data. It could also allow greater regulatory flexibility.

However, this option involves consideration of the legislative restrictions that exist regarding incorporating other matters (in this case, the proposed "arrangements agreed with DoHA") into legislative instruments, such as the Guidelines, that are imposed by section 14 of the Legislative Instruments Act 2003 (Cth). Section 14 would appear to preclude the Guidelines from incorporating or adopting arrangements entered into from time to time between DoHA and Medicare Australia.

In considering this option, the Office believes that it would not be lawful to make statutory Guidelines which purport to allow the exercise of authority on the grounds of an independent review process, unless that process itself has some basis in law. Similarly, it does not seem that the Guidelines which the Privacy Commissioner must make may incorporate "agreements with DoHA" that may exist from time to time and in an unspecified form.

Such an arrangement seems unlikely to promote regulatory stability, predictability and transparency, in that the process of forming such agreements would not be subject to the same scrutiny (most significantly, by Parliament) as the Guidelines. Further, such an approach would be inconsistent with section 14(2) of the Legislative Instruments Act 2003 (Cth), which prescribes when one instrument may refer to, and incorporate, another.32

The Office's understanding is that section 95A of the Privacy Act, which applies to private sector organisations, does not apply to an Australian Government agency, to which section 95 ordinarily applies.

More generally though, this Option would seem to envisage a range of uses and disclosures inconsistent with the Parliamentary intent underlying section 135AA, and therefore the Office does not support this option.

The question of applying the section 95A guidelines to agencies is discussed further at page .

Option 7: ABS submission regarding amending the guidelines to allow for disclosure of linked claims data for statistical research

The option suggested by the ABS is to extend Guideline 1.4 and Guideline 4A.1 to include statistical research, in addition to medical research.

Section 29 of the Privacy Act requires the Privacy Commissioner to ensure that his or her guidelines are consistent with the relevant principles of the Privacy Act, which in this case are the IPPs. In the absence of an authorising law or the individual's consent, such linking and disclosure would be inconsistent with the IPPs, which do not permit use or disclosure for the purpose of statistical research. Further, such disclosure is not provided for by the section 95 Guidelines, the application of which is limited to medical research.

The Office notes, however, that linkage for external disclosures is authorised under Guideline 1.4(b) where it is required by law for a specific case or specific set of circumstances. Accordingly, access to linked or identified claims information by the ABS could be realised through legislative mechanisms.

See Chapter 6, Option 3 for further discussion on amending Guideline 4A.1.

Option 8: Drafting change

The Office notes that the introductory words of Guideline 1.4 are:

"The HIC may link, compare or combine records of information…".

Only the word "link" (or "linkage") is used in section 135AA. In the interests of clarity, there is merit in using terminology that is consistent with the enabling legislation and, accordingly, "compare or combine" will be deleted from Guideline 1.4.

Option 9: Drafting change

DoHA (35) questions whether the usage of the word "may" in various places in the Guidelines, including in the introductory words of Guideline 1.4 is "permissive or restrictive".

Consistent with the legislative intention of section 135AA, a narrow interpretation of section 135AA(5) should generally be adopted. Accordingly, the Office takes the view that a clarifying amendment to Guideline 1.4 could usefully be made by the appropriate insertion of the word "only".

The introductory words of Guideline 1.4 would read as follows (with the adoption of Option 8 above):

"1.4 Medicare Australia may only link records or information from…".

Findings

2. Guideline 1.4 is to be changed to permit an individual to consent to the linkage of their own claims information by Medicare Australia for the purpose of providing access to that information.

3. Guideline 1.4(b) is to be changed to delete reference to the Coordinated Care Trials.

4. Guideline 1.4 is to be changed to better reflect the wording of the enabling section by deleting the expression "compare or combine".

5. Guideline 1.4 is to be changed and clarified by the addition of the word "only" after the word "may" in the sentence "Medicare Australia may link records of information….".

5. GUIDELINE 3 ON MEDICARE AUSTRALIA DATA RETENTION PERIODS

Law and policy

Guideline 3.1 requires Medicare Australia to destroy Medicare and PBS claims information:

  1. in the case of data that is the product of the linking, comparing or combining of records or information in accordance with Guideline 1.4 - within 3 months of the data being brought into existence; or
  2. in any other case - within 5 years of the date of initial processing of the information; ….

Guidelines 3.1(c) and (d) provide limited exceptions to this destruction requirement, including where there is an unresolved investigation, prosecution, compensation matter or action for recovery of debt, or where the information affects an individual's entitlement to a related service which could be rendered after the expiry of the time limit in either 3.1(a) or (b).

Guideline 3.1(a)

Guideline 3.1(a) gives effect to sections 135AA(5)(a) (specifying the ways information may be stored) and 135AA(5)(e) (specifying the ways in which datalinking must occur to be authorised). This Guideline is intended to ensure that the policy intent of maintaining separate databases is not undermined through the creation and indefinite retention of linked information sets, the effect of which, overtime, would be the de facto merging of the databases.

Guidelines 3.1(b)

Guideline 3.1(b) gives effect to section 135AA(5)(a) and section 135AA(5)(f)(ii). Section 135AA(5)(f) states in its entirety that 'so far as practicable', the Guidelines must:

(f) specify the requirements with which agencies must comply in relation to old information, in particular requirements that:

  1. require the information to be stored in such a way that the personal identification components of the information are not linked with the rest of the information; and
  2. provide for the longer term storage and retrieval of the information; and
  3. specify the circumstances in which, and the conditions subject to which, the personal identification components of the information may later be re-linked with the rest of the information.

Section 135AA(11) defines 'old information' as:

Information to which this section applies that has been held by one or more agencies for at least the preceding 5 years.

The effect of Guideline 3.1(b) is to prevent Medicare Australia from retaining claims information in an identified form for longer than five years (that is, once the information becomes "old information"). Medicare Australia is able to retrieve this old information from DoHA for purposes specified in Guideline 4.1, including where requested by the individual.

Consideration of the three month retention period for Medicare Australia linked information under Guideline 3.1(a)

History of Guideline 3.1(a)

In 1995, Medicare Australia informed the Office that a retention period of three months applied to linked datasets. During the 1994/95 review of the Guidelines, the matter was raised by the Consumers' Health Forum (CHF) which noted that Guideline 1.4 "…does not clarify the nature of holding/storage/life of linked or combined records". The Australian Medical Association (AMA) also raised this issue and proposed that the 3 month period be codified. Medicare Australia advised the Office that the AMA's proposed amendment would not unreasonably impact on the efficient operation of its services. Subsequently, a Guideline codifying this three month period was made in 1996.

Submissions regarding Guidelines 3.1(a)

A number of submissions discussed Guideline 3.1(a) and whether the three month period should be amended. Almost all these submissions cast their discussion in regard to the needs of medical research, noting that three months may be inadequate for research implementation or thorough analysis. In this regard, it is essential to clarify the application of the Guideline.

Guideline 3.1(a) applies to linked claims information held by Medicare Australia. It does not apply to linked claims information held by other parties. The only linkages that Medicare Australia may establish are prescribed in Guideline 1.4. There is no provision for Medicare Australia to link claims information for the purpose of medical research.

Any disclosure by Medicare Australia of identified Medicare or PBS information for medical research would be made according to Guideline 4A. This Guideline permits for the disclosure of claims information, though not for its linkage. The linkage may then be done by the data recipient.

Accordingly, it is important to clarify that the three month retention period only applies to Medicare Australia's authorised linkages under Guideline 1.4, these being:

  • for Medicare Australia's internal use where required by law for the discharge of Medicare Australia's statutory responsibilities in relation to the enforcement of criminal law or for the protection of public revenue or
  • disclosure by Medicare Australia where required by law or
  • disclosure by Medicare Australia for the purpose of determining an individual's eligibility for a benefit under one program, where eligibility is dependent upon services provided under the other program or
  • disclosure by Medicare Australia where it believes on reasonable grounds that the linkage is necessary to prevent or lessen a serious imminent threat to the life or health of any individual.

Both Medicare Australia (7) and DoHA (35) submit that Medicare Australia should be able to retain linked information sets for as long as necessary to fulfil administrative functions.

However, the Office notes that Guideline 3.1(c) provides that where a linked information set relates to an "investigation, prosecution, unresolved compensation matter or action for recovery of debt pending", then this linked claims information may be retained until that matter is concluded.

Medicare Australia submits that:

"The requirement to destroy data sets made up of linked Medicare and PBS data after three months will also need review if greater use were made of linked data in the public interest. It is proper to ensure that such data sets and, indeed, any subsets of data prepared for secondary uses by HIC, were destroyed once their purpose has been met."

Options for Reform of Guideline 3.1(a)

Option 1 No amendment

It is arguable that extending the retention periods for linked datasets runs against the intention that the two claims databases be kept separate. The retention of linked datasets for long periods of time could be viewed as a de facto method of combining the databases. Given the clear prohibition in the National Health Act against combining the databases (section 135AA(5)(d)), any practice which is inconsistent with this would require clear and compelling support.

In absence of there being a clear and compelling argument to extend the period, it could be a sound regulatory response to maintain the 3 month period. The Office notes that the Guidelines already provide for linked information to be retained for longer periods if it is necessary to resolve an incomplete matter. However, as there is evidence to support a change in the retention period (see discussion below), the Office believes some amendment is necessary

Option 2 Reduce the retention period to one month

One submission advocates a reduction in retention periods. Caroline Chisholm Centre for Health Ethics (CCCHE) (2) argued that:

"The arbitrary nature of this period of time is questionable. It should certainly not be extended. It should be substantially reduced and preferably, not maintained beyond allowing initial linking and extracting of information."

In supporting its view, CCCHE pointed to the NHMRC Human Research Ethics Handbook: Commentary on the National Statement on Ethical Conduct in Research Involving Humans, which states that:

"In research based on linkages between records, an HREC may permit personal information to be used to enable the record linkage without consent it if is satisfied that:

the identity of participants is not disclosed except for the purposes of record linkage and is not retained once record linkage has been completed; [italics added]"

The Office notes that if the period were reduced, Medicare Australia would still be permitted under Guideline 3.1(c) to retain prescribed linked datasets until incomplete matters have been resolved. Accordingly, a reduced retention period promotes the principle that the databases not be combined, while still allowing certain necessary administrative functions to be undertaken.

However, it is questionable whether there is sufficient evidence available to support reducing the default retention period. While CCCHE's argument is not without merit, it should be kept in mind that the datalinkages currently performed by Medicare Australia are not for research purposes, hence the provision may not be directly analogous. The Office does not favour this Option, particularly insomuch as it may impose a greater administrative burden, without significantly improving the privacy of individuals.

Option 3 Retention "for purpose"

This option would allow Medicare Australia to retain linked datasets for as long as it is necessary to meet the purpose for which it is linked. Such linkages would be limited to those prescribed in Guideline 1.4. This may benefit Medicare Australia significantly by providing flexibility as to the creation and handling of linked datasets for the purpose of its statutory functions.

This option would likely result in different datasets having different retention periods, potentially resulting in a more complex regulatory environment, where it may be difficult to assess compliance. However, provided that the permitted purposes for which claims information is linked are kept clearly prescribed, then it should be possible where necessary to determine whether a specific purpose has been met.

This option raises the prospect of function creep, whereby information is linked and then used for a range of purposes increasingly more distantly related to why it was collected. However, this risk is mitigated by the permitted linkages being clearly and narrowly prescribed. Such an approach should ensure that all linked datasets have a clearly defined purpose and that it can be objectively determined when that purpose has been fulfilled.

So long as the permitted purposes for which information may be linked are kept relatively narrow, a "for purpose" approach is not inconsistent with the current Guidelines, which allow, in particular, for linked information sets to be retained until an outstanding "investigation, prosecution, unresolved compensation matter or action for recovery of debt" is resolved.

It should also be noted that under such an approach the purpose for some linkages may be shorter than the current three month period. For example, linkages for disclosure should be deleted as soon as the disclosure has been effected.

The Office recognises that, notwithstanding the assurances offered by retaining a narrow range of permitted linkages, some stakeholders may have concerns that Medicare Australia will be able to retain linked data for longer periods than is currently the case, and without appropriate justification. Left unaddressed, concerns of this type may undermine community trust and confidence in how Medicare Australia handles claims information.

To meet such concerns, a "retention for purpose" regime for linked claims information should be accompanied by a reporting obligation that provides appropriate transparency in regard to Medicare Australia's datalinking activities. Such reporting could include the number of records linked under each authority established by Guideline 1.4 and the average period for which each class of linkage is retained.

The Office sees merit in this Option as an effective way to balance the necessary functions of the agency and the protection of individuals' privacy.

Option 4 Extend the three month retention period

The Office notes that most submissions calling for an extension to the fixed period were for the purpose of retention for research. However, the Guideline does not allow for Medicare Australia to link for the purposes of research, nor does the Guideline apply to researchers retaining information. As such, the office does not see merit in extending the retention period for these reasons. Any such extension would have been somewhat arbitrary and may not satisfy the matters raised in submissions.

On balance, Option 3 is seen as the preferred regulatory intervention, offering flexibility to the regulated agency, while maintaining appropriate privacy safeguards.

Findings

6. Guideline 3.1(a) is to be changed so that Medicare Australia may retain linked datasets for as long as is required to meet the primary purpose for which the linkage was authorised under these Guidelines.

7. A new Guideline is to be made requiring Medicare Australia to report annually to the Privacy Commissioner in regard to its datalinkage activities, including the number of records that are linked (by class) and the periods for which they are retained.

Consideration of the five year retention period for claims information held by Medicare Australia under Guideline 3.1(b)

History and purpose of the five year retention period

When first introduced in 1991, section 135AA included a provision (then subsection 6(c)) that all claims information be permanently and irreversibly 'de-identified' after five years. The intention underlying section 135AA(6)(c) was to ensure that Medicare Australia did not become a central repository of health information on almost all Australians.

In the initial 1992 draft Guidelines, section 135AA(6)(c) was given effect by Guideline 3.1, which required that Medicare Australia destroy claims information within five years of receipt. An explanatory note prepared at the time explained that the draft Guideline sought "… to ensure that the long-term retention of information in identified form is avoided" and goes on to confirm that "This Guideline addresses the requirement under section 135AA(6)(c)…".

This explanatory note remains in the current Guidelines, though the section cited has been amended to135AA(5)(f), which imposes obligations that differ from the original and repealed section 135AA(6)(c).

In regard to section 135AA(6)(c), former Commissioner Kevin O'Connor reported to Parliament in 1992 that permanent de-identification may unreasonably:

  • hinder patient follow-up when side effects of a drug become known
  • mean some information would not be available to Parliamentary committees of inquiry, Royal Commissions and coronial inquests
  • hinder research into long term effects of drugs.

In response to this 1992 report, Parliament enacted the National Health Amendment Act 1993 to address this and other perceived problems with the operation of section 135AA. This amendment Act repealed section 135AA(6)(c) and enacted the current section 135AA(5)(f).

The effect of the existing section 135AA(5)(f) is twofold:

  • first, information older than five years (defined as "old information") must be stripped of its "personal identification components"- this requirement reflects the effect of former section 135AA(6)(c) and imports the notion that Medicare Australia should not be permitted to retain identified claims information for longer than five years. This provision is currently given effect by Guideline 3.1(b); and
  • secondly, the question of re-identifying this "old information" (as raised in O'Connor's 1992 report) is addressed by ensuring that there be Guidelines which provide for the re-linking of this information with the personal identification components in limited circumstances. This is given effect by Guidelines 4 and 5.

Thus, it can be seen that the existing five year period reflects the original Parliamentary intent of ensuring that identified claims information should not general be available to agencies after five years. The current Guidelines, in Guideline 3.1(b), provide a method of giving effect to this intent.

Views provided in submissions

Submissions on maintaining the five year retention period

The Australian Privacy Foundation (APF) (29) submits that there is a lack of argument to support any change to the Guidelines. The argument submitted by DoHA and Medicare Australia that an extended retention period would expedite the processing of requests for records is described by the APF as a "mere furphy".33 The APF states that Medicare Australia and DoHA should be able to "…devise procedures for responding to such requests that do not involve unacceptable delays."34

The National Network of Private Psychiatric Sector Consumers and Carers (NNPPSCC) (5) submits that there is value in retaining information for longer than five years because of the nature of the therapeutic relationship in psychiatric care. Significantly though, in its views, as this information is already stored by DoHA, it does not believe that Medicare Australia need retain the information for longer than five years.

This is considered further at Option 1.

Submissions on extending the 5 year retention period

The issue of whether Medicare Australia should be permitted to retain claims information for longer than five years is discussed in a number of submissions (including Pharmaceutical Health and Rational Use of Medicines (PHARM) (6), WYETH (22), and Health Evaluation, Research and Outcomes Network (HERON) (23)). Generally, these submissions call on the period to be extended either for administrative purposes internal to Medicare Australia or for research purposes.

Medicare Australia has submitted that it has a need to retain claims information for longer than five years to conduct some of its functions efficiently. Medicare Australia is currently required to retrieve from the DoHA information that is older than five years.

Such retrievals, according to Medicare Australia, may be to:

  1. process request for information from individuals, law enforcement agencies, coroners' offices, medical practitioner and pharmacist registration authorities and other third parties who have the individual consents (Medicare Australia advises there are around 10,500 such request, per year)
  2. seek reimbursement for compensation matters where that matter is settled more than five years after the information was collected (Medicare Australia advises that it currently requires records for around 1,300 cases, per month) and
  3. ensure duplicate or ineligible claims are not paid (that is, where a procedure cannot be claimed more than once in any period beyond five years - for example, cleft palate (fifteen years) and certain eye treatments (thrirty-five years). Medicare Australia advises that there are around 113,000 such procedures claimed on the benefits programs each year.

Medicare Australia argues that extending the retention period for an arbitrary number of years will not address its concerns. One example given is that there is an incompatibility between the requirements of the Guidelines and some items under the Medicare Schedule (point 3, above). Further, Medicare Australia suggests that it cannot efficiently administer the Medicare program without breaching the Guidelines.

DoHA (35) submits that the current arrangement is burdensome on it. For example, it notes that for each retrieval request from Medicare Australia, DoHA is required to consider whether it is legally possible to disclose the information to Medicare Australia, that is, in accordance with its secrecy provisions, the Privacy Act, and Guideline 4.1. (The Office notes, however, that as the information held by DoHA is not identified, the Privacy Act would likely not apply.)35

The Australian Medical Association (AMA) (11) suggests that an extended retention period may be of assistance to consumers for a range of reasons, but should only be changed on the basis of supporting evidence or consumer demand.

Likewise, the Australian Federation of AIDS Organisations (AFAO) (12) agrees that consideration should be given to allowing Medicare Australia to retain claims information for longer than five years, such as ten years, if the retention period is clearly stated and stringent privacy safeguards remain.

The submission from the Victorian Health Services Commissioner (20) says that, if it can be shown that the current arrangements are unnecessarily burdensome, it may be appropriate to extend the five year retention period.

Extending the retention period is discussed further at Options 2 and 4.

Research and the 5 year retention period

In reviewing the Guidelines, the Office has considered a range of important social interests that may compete with privacy, including the efficient administration of government services and the handling of claims information for medical and other research. A number of submissions discuss Medicare Australia's 5 year retention period in the context of the needs of researchers.

PHARM (6) submits that:

"[l]ongitudinal studies provide very important information about a population's health, and indeed, health care changes can often take more than ten years to be reflected in improved patient outcomes."36

It suggests an extension in the order of 20 years may be more appropriate.

Similarly, Wyeth (22) argues that a 10-year timeframe is more appropriate in order to assess long-term changes in population-based health outcomes due to technological advances. Also, it is submitted that this would allow for government agencies to have efficient access to information in order to comply with individual patient information requests in addition to information linkage projects. The National Prescribing Service Ltd (NPS) (21) also considers that five years of information will be insufficient to monitor trends for some interventions

HERON (23) claims that researchers need information that goes back beyond 5 years for reasons such as examining the relationship between a disease occurring now and medication taken in the past.37 This submission argues that while the information can currently be accessed from DoHA, in its experience, the process results in delays for research. Access would be enhanced, it submits, if Medicare Australia could retain information for 10 years.

As an alternative to Medicare Australia retaining this information for a longer period of time, PHARM (6) suggests that consideration could be given to Medicare Australia publishing information sets or passing the information sets to another agency in order to assist longitudinal study of the quality of use of medicines beyond the five year retention period.

Variable retention periods

Medicare Australia (7) and DoHA (35) suggest a flexible approach to retention periods, where the period is determined based on the purpose for which the information is used.

Medicare Australia recommends that the current five year retention period should be replaced with a "requirement that HIC retains records for at least as long as they are likely to have further use and only destroy records in accordance with a pre-determined destruction schedule."38

DoHA agrees that the restriction on Medicare Australia retaining old claims information should be deleted, and substituted with "so far as this is necessary for it to undertake administrative functions relating to claims."39

The Australian Institute of Health and Welfare (AIHW) (28) believes that with the benefit to be derived from longitudinal studies, a more appropriate time limit would be in line with NHMRC/AVCC Guidelines40 to ensure optimum use of this valuable information source. This view is similar to DoHA and Medicare Australia as it advocates a flexible approach to retention depending on the specific project and purpose.

This is discussed further at Option 3.

Submissions on reducing the 5 year retention period

The Australian Medical Association submitted that:

"Should any change to the current Guidelines that alters current arrangements that separate PBS and MBS data occur, AMA would not support an expanded retention period, and in fact would consider a reduced retention period appropriate."

This is canvassed further at Option 5.

Options for Reform of Guideline 3.1(b)

Option 1 No amendment

As explained above, the 5 year period currently in place has been imported from the original form of section 135AA. While the section has been amended, the amendment was not due to any change in Parliament's intention that the long term retention of identified information be avoided. There is some support for retaining the 5 year retention limit, while other submissions including from research bodies, advocate extending it. Medicare Australia and DoHA argue that it creates an unnecessary administrative burden on their respective agencies. The Office sees some merit in this option, however as discussed below, there is greater evidence to support some change.

Option 2 Extend the prescribed retention period

As there is a demand for access to information older than five years, it would be more convenient for recipients, and would also reduce the administrative burden on both Medicare Australia and DoHA, if Medicare Australia could supply the old information directly.

The Office has noted that any extension will be somewhat arbitrary. During the review, the Office has sought data from Medicare Australia to illustrate what the "request curve" may look like, that is, what percentage of requests for old information could be met by the agency if the retention period were extended by various periods of time. While Medicare Australia was unable to quantify a request curve, it submits that, "based on the experience of the delegate who signs off on these requests every day…", 95% of requests for claims information are for an individual's entire record. Accordingly, regardless of any extension to the retention period (short of a period that extended to cover all claims), Medicare Australia would still be required to seek data from DoHA in an estimated 95% of cases.

If Guideline 3.1(b) were amended to permit Medicare Australia to retain claims information for longer than 5 years, an additional Guideline will be required to comply with section 135AA(5)(f). Under this section, information held by agencies for 5 years becomes "old information". Section 135AA(5)(f) requires that the Privacy Commissioner makes a Guideline which deals with agencies' handling of "old information", including requiring that it be stripped of its "personal identification components".

In addition, further Guidelines would be needed specifying when Medicare Australia may re-assign the personal identification components to the old information.

As any extension for a prescribed period would be arbitrary and also not seem to address Medicare Australia's concerns, the Office does not support this option.

Option 3 Retain for as long as required 'for purpose'

The third option is to replace a prescriptive retention period with a flexible Guideline that allows Medicare Australia to destroy information in accordance with an internal destruction schedule. The schedule would reflect the purposes for which each piece of claims information has been collected.

Medicare Australia has argued that it be permitted by the Guidelines to retain records for "at least as long as they are likely to have further use and only destroy records in accordance with a pre-determined destruction schedule." This would reduce the administrative burden created by having to seek data from DoHA.

However, such a proposal may create regulatory uncertainty and be administratively difficult. In effect, each piece of claims information held by Medicare Australia may have a different retention period attributed to it.

Further, this option may not be consistent with the specificity required of the Guidelines. Section 135AA(f) requires the Guidelines themselves to "specify the requirements with which agencies must comply in relation to old information".

The Office notes that, as with Option 2, this option would require a new guideline specifying that Medicare Australia must strip claims information of its personal identification components after 5 years, as well as a guideline prescribing when the two elements may be re-linked.

Given the lack of specificity and potential regulatory uncertainty that would accompany this option, the Office is not inclined to support it.

Option 4 Unlimited retention subject to additional protections

While acknowledging the argument in some submissions that the "burden" suggested by Medicare Australia and DoHA and could be overcome by improved processes, the Office also recognises that the Guidelines do impose administrative costs on both agencies. Whether these costs are reasonable depends on such factors as whether the privacy protections afforded are commensurate to the burden imposed, or whether similar or more robust protections could be provided through other mechanisms.

On balance, the Office is of the view that privacy protections at least equal to those currently available are possible without the need for imposing the current administrative burden.

In seeking ways of addressing this issue, the Office has noted the difficulty and inherent arbitrariness of extending the retention period to another fixed period. Further, the Office accepts Medicare Australia's submission that any extended fixed term may not assist in addressing the question of administrative efficiency.

The Office has also noted that a variable retention period, as suggested by Medicare Australia and canvassed by Option 3, is not suitable for the retention of unlinked claims information.

Accordingly, the Office believes that alternative measures can be taken that reduce the administrative costs of handling information, while ensuring that the legislative requirements and policy intent of section 135AA are met.

The Office considers one such measure is to remove the time limit for which claims information may be retained, while making new Guidelines that afford alternative forms of privacy protection consistent with that required by section 135AA. In particular, Guidelines would be required to:

  • ensure that claims information is stripped of its personal identification components after 5 years (that is, once it becomes 'old information')
  • require the old information is stored on a separate database to other claims information and
  • narrowly prescribe the circumstances when personal identification components and old information may be re-linked.

In addition, a further Guideline will be made requiring Medicare Australia to report to the Privacy Commissioner, for publication, on its handing of old claims information, including the number of times old information is re-linked with personal identification components and for what purposes. The Office support this option as a reasonable measure to reduce the administrative burden imposed on Medicare Australia and DoHA, while at the same time providing privacy protections around when re-linkage with identifying information may occur and greater public transparency concerning the frequency and purposes of such re-linkage.

Option 5 Reducing the retention period to less than 5 years

While this option may offer some privacy benefits by increasing the structural barriers to the linking of personal information, it would, at the same time, magnify the administrative burdens on the two agencies by increasing the need for data retrieval. The Office has also noted that the this option has not been strongly canvassed in submissions. On balance, the Office has preferred Option 4.

Findings

8. The current retention Guidelines will be deleted and new Guidelines will made specifying how Medicare Australia is to handle old information by requiring that:

  1. Old information be stored in separate databases to other claims information

  2. Old information can only be re-linked with personal identification components in limited and prescribed circumstances

  3. Medicare Australia is to report annually to the Privacy Commissioner on its handling of claims information as outlined in (a) and (b).

6. GUIDELINE 4A ON THE DISCLOSURE OF IDENTIFIED CLAIMS INFORMATION FOR MEDICAL RESEARCH BY MEDICARE AUSTRALIA

Law and Policy

Section 135AA(5) (c) says:

(5) So far as practicable, the Guidelines must:

…

(c) specify the circumstances in which agencies may disclose information.

Guideline 4A says:

4A.1) Disclosure of Medicare and Pharmaceutical Benefits claims information for medical research must conform to the secrecy provisions in the Health Insurance Act 1973 and the National Health Act 1953. In addition identified claims information may only be disclosed for research if:

  1. Medicare Australia is satisfied that the individuals who are the subject of that information have given their free and informed consent to the use of that information in the research project; or
  2. the disclosure is made for the purposes of medical research to be conducted in accordance with the Medical Research Guidelines issued by the National Health and Medical Research Council under section 95 of the Privacy Act 1988.
4A.2) These Guidelines do not prevent a researcher to whom information has been disclosed in accordance with guideline 4A.1 from retaining that information once it becomes old information provided that at the conclusion of the research project the researcher either returns the information to Medicare Australia for destruction or securely destroys the information.

This Guideline can be viewed as a restatement of the agency's obligations under other instruments in relation to unlinked information and does not impose any additional obligations. The Guideline does not permit the information to be linked and disclosed for any purpose. However, it does not prevent the recipient from performing the linkage.

Guideline 4A.2 permits a researcher to retain 'old information' (as defined in section 135AA(11)) provided that, at the end of the project, the researcher either returns the information to Medicare Australia for destruction or securely destroys the data.

The application of the section 95 Guidelines to Guideline 4A

The IPPs do not include a specific provision to permit Australian government agencies to use or disclose personal information for medical research. However, such uses and disclosures would be permitted under the IPPs if either the individual's consent were obtained (IPP 10.1(a), 11.1(b)) or if a specific law requires or authorises use or disclosure for that purpose(IPP 10.1(c) or 11.1(d)).

Guideline 4A refers to the Guidelines that are issued by the National Health and Medical Research Council (NHMRC) with the approval of the Privacy Commissioner under section 95 of the Privacy Act (the Section 95 Guidelines). Section 95 of the Privacy Act is at Appendix D.

The Section 95 Guidelines provides a mechanism to permit agencies to use or disclose personal information for the purpose of medical research, where such a practice would otherwise be a breach of the IPPs. That is, the disclosure may occur without obtaining the individual's consent, and in the absence of any other authorising law.

In particular, section 95(4) provides that an act done by an agency which would ordinarily breach the IPPs, shall not constitute a breach where that act is done:

  • for the purpose of medical research and
  • in accordance with the NHMRC guidelines issued for the purposes of the section.41

The essential element of the section 95 guidelines is that an agency may disclose personal information to a medical researcher if it is satisfied that the medical research proposal has been subject to appropriate scrutiny and approved by a Human Research Ethics Committee (HREC). The HREC should, in deciding whether to approve the research, weigh the public interest in privacy against the public interest in the proposed medical research.

Use of claims information for medical research

There is general consensus amongst the submissions acknowledging the fundamental importance of individuals retaining control over their personal health data.42 While usually not distinguishing between 'medical research'43 and 'non-medical research', a large number of submissions support the disclosure of claims information for 'research purposes'.

The Australasian Epidemiology Association (AEA) (8) supports the existing Guideline 4A and submits the importance of research being able to be conducted, without consent, subject to appropriate protections. Similarly, Health Evaluation, Research and Outcomes Network (HERON) (23) submits that:

"Access by researchers to data on the Medicare services and procedures received by and PBS claims for prescription medicines for study subjects included in specific research projects can greatly enhance the scope of research and its capacity to answer important questions about health and health care."

Submissions on consent and medical research

The degree to which researchers should, in general, seek individuals' consent prior to using health information for medical research is a complicated question, the resolution of which is beyond the scope of this review. However, it is clear from submissions that a wide range of strongly held and cogently argued views exist.

Bodies such as the Consumers' Health Forum (CHF) (30) and the Australian Nursing Federation (ANF) (31) see any secondary use of claims information as requiring consent. Caroline Chisholm Centre for Health Ethics (CCCHE) (2) considers identified information should never be provided to aid research unless with the express consent of the individual.

The National Network of Private Psychiatric Sector Consumers and Carers (NNPPSCC) (5) is of the view that obtaining properly informed consent from individuals with mental illnesses may be impossible, particularly during an acute episode, as individuals in these circumstances do not have the capacity to understand the implications of what they are consenting to.

The Breast Cancer Network Australia (BCNA) (24) submits the view that individuals are, in general, happy for their personal health information to be used for research in the public interest provided they are asked for their consent. As a consequence, the BCNA submits that any specific plan to change the Guidelines so that Medicare and PBS information may be made available for additional secondary uses should be preceded by significant public consultation and communication.

Pharmaceutical Health and Rational Use of Medicines (PHARM) (6) submits that individuals need to be able to consent to the use of their information and that there is a lack of knowledge and understanding on the part of individuals about what information is collected about them.

A confidential submission suggests that many linkages are small and routine and, if at all possible, individuals should not be asked to consent to linkage of their own information as it would be impractical and disruptive to them. This submission argues that individuals should be aware at the time their personal information is collected that large-scale databases exist.

The Health Consumers' Council (HCC) (13) believes there needs to be ongoing public engagement about the ethical, social and legal matters which health research on datasets without consent, brings to the fore. The HCC submits that further community engagement is required to gain a clear understanding of what the community expects regarding consent and the use of claims information, particularly:

"…when university researchers and state government utilise data from Medicare and PBS yet are governed by different and possibly less stringent privacy requirements than the Medicare and PBS Guidelines."

The CHF (30) submits that the use of claims information held by Medicare Australia and how this is shared with third parties has been a key consent issue for consumers and cites Medicare Australia's Prescription Shopping project44 as an example. CHF says that the primary reason consumers access Medicare or PBS claims information is to determine their entitlement to the safety net.

The ANF (31) strongly supports the need for consent to the use of personal information for the purposes of research. The ANF raises three issues of concern:

  • the potential risk to privacy through information linkage and improved technological access
  • the degree to which the information is sufficiently 'clean' and fit for the purpose of research (a doubt also raised by the Australian Medical Association (AMA) (11)) and
  • community attitudes to the trustworthiness of those who collect and retain their personal health data, particularly whether such trust may be undermined by wider uses of this information without individuals consent.

HIV/AIDS Peer Advisory Network (HAPAN) (33) submits that rather than a relaxing the existing protections, a tightening of the protocols, requiring the consent of the patient in each circumstance, is warranted.

The NNPPSCC (5) express their support for consensual disclosures in these terms:

"We support the basic privacy principle that personal and sensitive information should only be used for the purpose for which it was obtained. If the secondary purpose is to track the efficacy of particular treatments, or monitor adverse side effects of medications detailed in the PBS data, or for any other purposes, then the consumer's written informed consent must be obtained prior to this occurring. We believe that the Guidelines could be amended to specify secondary uses of the information with this written informed consent as the security for such purposes."

The Australian Divisions of General Practice (ADGP) (26) supports individuals having a "greater prospective discretion" to share their information for research purposes, with individual consent to be sought at the point of collection.

The Australian Institute of Health and Welfare (AIHW) (28) considers the Section 95 Guidelines, which require ethics committee consideration, have proven to be effective. While supporting diligent efforts to obtain consent from an individual for the linking of personal information, the AIHW says it would be concerned at the possible negative effect on information quality should such consent be mandatory before linkage could occur.

The Australian Bureau of Statistics (ABS) (32) has noted that it currently cannot obtain claims information from Medicare Australia for its own research purposes. This is because Guideline 1.4 does not permit any information linking for research purposes, while Guideline 4A only allows disclosure of identified information for medical research purposes. Amendment to either of these Guidelines would be one method of permitting the ABS to obtain this information.

On the issue of how effectively the Guidelines meet the community's expectations surrounding individuals' control of health information, Medicare Australia (7) submits that health service providers and researchers are often surprised to find how difficult it is for them to obtain information from Medicare Australia. Medicare Australia says it:

"…cannot comment on public opinion generally, since HIC has not consulted publicly on this specific question. HIC believes that information should only be divulged with express consent, when reliably de-identified, or in other very specific circumstances. The principles applied to other circumstances should include a requirement that the known wishes of the consumer must be respected."

Community attitudes regarding consent and medical research

The Issues Paper noted research released by the National Health and Medical Research Council (NHMRC)45 which shows that 53% of health consumers would not mind if their names were given to a researcher in order to invite them to participate in health research. Most people who had not participated in a medical research study previously, indicated that they would do so if asked. These results are similar to those reported from UK and New Zealand research, which suggest that many individuals would be willing to consent to their personal health information being used for research in the public interest, though would expect to be offered the choice.46

Alternatively, health researchers have given reasons why consent-based access to health information can be less than ideal. For example, in the case of population health research, the expense involved in contacting and seeking consent from large numbers of individuals may be prohibitive. The findings from such research may be less useful, particularly if many people do not consent. Certain groups (such as the marginalised or socio-economically disadvantaged) may be particularly under-represented in consent based research.47

The NHMRC (19) also notes responses to a quantitative survey it conducted in 2004, in which 66% of the general public and 64% of respondents in the "health consumer" category reported that it was acceptable or very acceptable for approved researchers to match information from different databases.

The ADGP (26) submits that some researchers have pointed out that individualised consent processes are time-consuming, expensive and extremely difficult to undertake with large information samples, which could potentially hinder useful research that would contribute to the delivery of better health care. However, the ADGP (26) also notes that consumer focus group research conducted as part of a project on chronic illness care in 2003, found that consumers held a strong view consent was required for the use of identified or de-identified information.

HERON (23) suggests that the vast majority of Australians support health and medical research. It refers to Research Australia's Health and Medical Research Opinion Poll 2004, which reported that 76% of Australians were interested in health and medical research and that 72% believed it had made a difference to their life.48

DoHA refers to unpublished research conducted by it which has found "… that the use of health information for research that could improve population health was widely endorsed by health consumers." This submission goes on to state "…This same research found that greater privacy concerns exist amongst health consumers in the use of identified health information for research purposes."

The Office's understanding of the application of Guideline 4A

It should be noted that Guideline 4A allows disclosures by Medicare Australia of claims information for the purposes of medical research. The Guideline permits Medicare Australia to disclose, but does not require the agency to disclose the information. Among the conditions that need to be met are obtaining the individual's consent or approval under the Section 95 Guidelines (including approval by an HREC).

It is not clear that the submissions demonstrate that the public interest in using claims information to conduct medical research cannot be significantly met by relying on Guideline 4A (for identified information) and/or Guideline 5 (for de-identified information). While Guideline 4A limits this research to medical research, no such limit applies to the use of de-identified information for non-medical research under Guideline 5.

Accordingly, it does not seem necessary to amend Guideline 4A significantly to allow greater use of claims information for medical research purposes. In some cases, there may be uncertainty surrounding the effect of these Guidelines on research. If there is a failure around understanding, it remains open to the Office, in consultation with stakeholders, to provide the necessary guidance on the application of the Guidelines to medical research.

Guideline 4A.2 appears to impose obligations beyond the Privacy Commissioner's powers

Guideline 4A.2 purports to impose an obligation on researchers to whom information has been disclosed to either return information to Medicare Australia or destroy it at the conclusion of the research.

However, it is noted that section 135AA limits the authority of the Guidelines to agencies. Researchers external to Medicare Australia are not regulated by this Guideline.

The Office also notes that this obligation seems inconsistent with the approach taken under Guideline 5.4, whereby an obligation is imposed on DoHA (rather than a third-party) to ensure that a recipient of claims information handled claims information in a certain manner.

Accordingly, the Office is inclined to amend Guideline 4A.2 such that it will be an obligation on Medicare Australia to seek assurances from a researcher to which it discloses claims information that the information will be securely destroyed or returned for destruction when the research project has concluded.

Question concerning whether Guideline 4A is redundant

DoHA (35) has submitted that other legislation, such as the secrecy provisions of the National Health Act and the Health Insurance Act, as well as the relevant Privacy Act provisions render the provisions of Guideline 4A.1 superfluous. If true, one option for reform may be to delete this Guideline.

This is discussed further under Option 1.

Application of Section 95A of the Privacy Act to Guideline 4A

Since the Guidelines were last reviewed, the private sector provisions of the Privacy Act have come into operation. From 21 December 2001, ten National Privacy Principles (the NPPs) regulate the handling of personal information.

Under NPP 10, an organisation may not collect "sensitive" personal information (which includes health information) unless one of a number of prescribed exemptions applies. NPP 10.3 provides that an organisation may collect personal health information without the individual's consent for a range of research-related purposes where the collection meets certain criteria.

One of the exceptions on which organisations may rely is provided in NPP 10.3(d)(iii). This provision allows, subject to other criteria being met, for organisations to collect health information without consent where that collection is in accordance with guidelines issued by the NHRMC and approved by the Privacy Commissioner under section 95A of the Privacy Act ('the Section 95A Guidelines'). The Section 95A Guidelines apply to the private sector. The text of sections 95A and 95 of the Privacy Act are at Appendix D.

The section 95A guidelines provide a framework for private sector researchers to follow when preparing a proposal to be submitted to an HREC for approval to collect, use or disclose personal health information without consent. They do not impose obligations on how agencies handle personal health information.

It is important to note that the Section 95A Guidelines encompass a broader range of purposes than the Section 95 Guidelines applying to agencies. In particular, while the latter relates to the purpose of "medical research", the section 95A guidelines deal with the wider purposes of:

  • research, or the compilation or analysis of statistics, relevant to public health or public safety; or
  • the management funding or monitoring of a health service.

In addition, NPP2.1(d) permits organisations, though not agencies, to disclose health information for a broader range of purposes than are available to agencies, provided that the research is conducted in accordance with the Section 95A Guidelines (that is, for research or statistics "relevant to public health and safety").

However, it is significant that agencies may only disclose personal information in accordance with either the IPPs or in accordance with the section 95 guidelines, which are narrower in scope than the section 95A guidelines.

Accordingly, organisations can collect health information under the section 95A Guidelines for wider purposes than agencies may disclose under the section 95 Guidelines and Guideline 4A.1.

Submissions regarding applicability of the section 95A guidelines

DoHA (35) notes that there is no reference in Guideline 4A to the section 95A guidelines, and argues that "[u]se of identified information should not be prohibited under the Guidelines where this would be permitted under the s95 or 95A guidelines". The Victorian Health Services Commissioner (20) recommends that Guideline 4A.1(b) be amended to include the section 95A guidelines.

As discussed above, section 95 of Privacy Act provides that agencies may disclose personal information for medical research where the medical research is in accordance with the relevant NHMRC guidelines. There is no provision in the Privacy Act for agencies to choose to apply the section 95A guidelines, rather than the section 95 guidelines.

Permitting agencies to disclose personal information without consent in accordance with the section 95A guidelines would have the effect of imposing a privacy standard that differs from that provided for agencies under the Privacy Act. Such a guideline, if made, would seem to be inconsistent with the Privacy Commissioner's obligations under section 29(d) of the Privacy Act requiring consistency with the relevant obligations of the Privacy Act.

It should be noted that the Privacy Commissioner's review of the private sector provisions of the Privacy Act has noted the possible challenges raised by inconsistencies between public and private sector privacy regulation, including in a research context and has made recommendations in this regard.49

Question on the duration of valid consent

The Australasian Epidemiology Association (AEA) (8) submits that consent given at the commencement of the research is required to be refreshed after five years and that this often proves problematic as research subjects are not always available to renew their consent. In subsequent discussions with the AEA, the Office understands that this 5 year period is established by Medicare Australia as a condition of disclosure to researchers.

While this issue may pose barriers to researchers, the obligation referred to is not one created by the Guidelines.

Human Research Ethics Committees (HRECs) and collection without consent

The AEA (8) submits that researchers are finding that HRECs are adopting an increasingly conservative approach to approving research proposals.

Further, the AEA says that Australasian ethics review panels should feel confident that a decision to allow access to recorded information for epidemiological research without individual consent will not lead to breaches of individual confidentiality or privacy.

The approach taken by HRECs to privacy considerations is a far broader matter and beyond the remit of the Guidelines or this review. The broader question of research and HRECs is a matter discussed in the Privacy Commissioner's review of the private sector provisions of the Privacy Act.50

Options for reform

Option 1: Guideline 4A could be deleted as it restates obligations from other instruments

The Office has considered whether this Guideline is redundant on the grounds that it may simply restate obligations imposed by the secrecy provisions of either the National Health Act or Health Insurances Act, as well as the Privacy Act.

Medicare Australia would be required to conform with secrecy provisions in making disclosures of personal information regardless of the Guideline.

Similarly, Medicare Australia's obligations under the Privacy Act would require that, before disclosing personal information for medical research, Medicare Australia either gain the individual's consent, or make the disclosure in accordance with the Section 95 Guidelines.

Accordingly, the obligations imposed by Guideline 4A restate existing obligations and the Guideline may serve no further regulatory function.

However, the Office believes that there is value in these obligations being highlighted in a consolidated form in the Guidelines, and therefore does not support the option to delete these Guidelines.

Option 2: Guideline 4A could be changed to remove the requirement that research be "medical"

This option would expand the purposes for which identified claims information may be disclosed by permitting disclosure for research purposes beyond medical research.

It is not clear that the potentially valuable benefits to the community which could be achieved by this expansion of allowable research in the Guidelines would not outweigh the public interest in maintaining the privacy protections currently afforded to claims information. On balance, it would seem to be significantly broadening the range of permitted disclosures if identified claims information could be disclosed for non-medical research.

Such an amendment would also go beyond the disclosures that agencies can make under the section 95 mechanism (which limits disclosures to "medical research").

It is also noted that the ABS submits that affording it access to Medicare and PBS claims information for the purpose of statistical research:

"…would seem more appropriate to legislative change rather than amendment to the Guidelines".

Such legislative measures, if drafted adequately, may permit it to obtain linked claims information under Guideline 1.4(b) ('required by law').

However, an amendment such as this would allow disclosures that are inconsistent with the IPPs and accordingly the Office does not support this Option.

Option 3: Guideline 4A.2 be changed to make consistent with statutory powers

Currently, this Guideline purports to impose an obligation on a "researcher". As the jurisdiction of the Guidelines is limited to agencies, the Guidelines do not seem to have a legal basis to exercise authority over researchers, unless that researcher is also an agency and it is practicable to make guidelines applying to them.51

Accordingly, this provision should be redrafted so that it is a requirement on Medicare Australia that it may only disclose information under section 4A if it obtains agreement from the researcher that the information will be destroyed at the conclusion of the research project.

As this obligation would be an additional criteria that Medicare Australia must meet prior to releasing identified claims information, it could comfortably sit as a new clause to Guideline 4A.1, rather than as a separate Guideline 4A.2. The Office supports this Option.

Findings

9. Guideline 4A can not impose obligations on researchers that are not agencies.

10. Guideline 4A.1 is to be retained in its present form, with the addition of a third clause requiring that Medicare Australia establish agreements with researchers requiring that information is destroyed after its use for the purpose of medical research.

11. Guideline 4A.2 is to be deleted.

7. GUIDELINES 5 and 6 CONCERNING CLAIMS INFORMATION THAT DOES NOT CONTAIN PERSONAL IDENTIFICATION COMPONENTS

Law and policy

Section 135AA (1)(a) says that section 135AA "applies to information that is information relating to an individual".

Section 135AA(5)(d), regarding the content of the Guidelines, says that:

So far as practicable, the Guidelines must:

(d) prohibit agencies from storing in the same database [ Medicare and PBS claims data].

Relevantly, Guideline 5.1 says:

5.2 The Secretary must not permit the establishment of a system which maintains the de-identified records from both programs in a combined form on a permanent basis in conjunction with the internal personal identification number.

  1. Nothing in this Guideline prevents the retention of de-identified records from both programs in a combined form in conjunction with an encrypted form of the internal personal identification number or a new and unrelated number.
  2. This Guideline does not prevent Pharmaceutical Benefits and Medicare claims information concerning particular individuals from being temporarily linked by the PIN where:
    1. the linkage is necessary for a use permitted by the Secretary; and
    2. claims information identified by the PIN or any personal identification components (defined in section 135AA(11) of the National Health Act) is used solely as a necessary intermediate step to obtain aggregate or de-identified information; and
    3. claims information temporarily linked in conjunction with the personal identification number is destroyed within 1 month of its creation.
    Claims information from the two databases shall only be linked in this temporary manner in conjunction with the internal personal identification number where there is no practical alternative.

Meaning of "de-identified" information

The Office notes that Guideline 5 is concerned with the handling of what is termed "de-identified information". While this may be a commonly used expression, it cannot be said that there is consensus on a definition of the term. It is not defined, for example, in either the Privacy Act or the National Health Act. In particular, there is a lack of consensus on whether or not the term only applies to information in a permanent state (that is, the information cannot be "re-identified").

A reference to the term "de-identified" in the Privacy Act occurs in NPP 10.4, which states that:

If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it. [emphasis added]

The only other reference to the term is in NPP 4.2, which similarly uses the expression "permanently de''identify". In both cases, the qualification of "permanently" makes it at least arguable that, absent the qualifier, "de-identify" may be taken as constituting an impermanent state.

Alternatively, the NHMRC, in its National Statement on Ethical Conduct in Research Involving Humans (the 'National Statement' is currently under review) has attempted to resolve this by introducing a third category of information, "potentially re-identifiable". This categorisation suggests that the term "de-identified" may be taken as referring to a permanent state. This is an interpretation supported by, for example, the World Medical Association.52

In its submission, the Australian Medical Association (AMA)(11) addresses the uncertainty raised by the term. This submission:

"… acknowledges the value of linking de-identified data but is not satisfied that there is a national standard or definition as to what constitutes de-identified data."

The Department of Health and Ageing (DoHA)(35) notes in its submission that "The crucial term "de-identified" is not defined."

The Office also recognises that the meaning of "de-identification" may be unclear in practice. Advancements in information technology and associated processes can mean that information that was once not capable of being re-identified, may now be able to be linked with other data to create identified information. In some cases, an individual's identity can be reasonably ascertained by the linking together of datasets that, by themselves, may not identify an individual.53

This definitional uncertainty is unhelpful in a regulatory context, where certainty and clarity are essential. Further, the existing use of the term in the Guidelines is inconsistent with the view taken by the Office in conducting this Review that terms used in the Guidelines should, where appropriate, mirror those used in the enabling legislation.

Accordingly, the Office will amend the Guidelines to remove references to "de-identified information" and replace them with expressions that better match those used in section 135AA and which offer greater certainty of meaning.

In this regard, section 135AA provides a definition of "personal identification components" of claims information.54 Section 135AA(5)(f) requires that the Privacy Commissioner make Guidelines for the long term storage of claims information, and requires that such storage be premised on claims information being stripped of personal identification components. The new Guidelines will adopt this terminology.

Issues raised during consultation

Views on the handling of "de-identified" information

A number of submissions support the use and disclosure of information that does not identify individuals, including without consent, for research purposes. GlaxoSmithKline (4) submits that researchers, health consumers and industry all have an interest in the improved use of health resources and maximisation of health outcomes and should be given access to anonymous datasets. MBF (14) concurs with this view, submitting that "By sharing de-identified, aggregate data, both public and private will have the opportunity to analyse experience across the industry".

Proposals for linkage of anonymous claims information for specific activities included the improvement of quality assurance activities around prescribing practices, the evaluation of public health strategies and policies (National Prescribing Service (21)) and for population health studies (Heron (23) Australian Divisions of General Practice) (26)).

The Breast Cancer Network (BCNA) (24) sees epidemiological studies using anonymous linked information as assisting clinical trials, provided that these were accompanied by privacy safeguards and protections such as ethics committee supervision.

The Australian Institute of Health and Welfare (AIHW) (28) submits that it has used de-identified information for worthwhile research, and has afforded strict privacy protections to it.

However, not all submissions are comfortable about the secondary use of claims information, even when that information does not identify individuals. The National Network of Private Psychiatric Sector Consumers and Carers (NNPPSCC) (5) expresses the strong view that the consumer's written informed consent must be obtained prior to their personal health information being used for secondary purposes.

The Australian Privacy Foundation (APF) (29) says that "it is not clear how the Guidelines currently obstruct the use of de-identified information for statistical research" (29). The Australian Medical Association (AMA) (11) notes that the range of existing permissible uses of de-identified information available under the Guidelines.

The Health Consumer's Council (HCC)(13) submits that it

"…is aware of grave community concerns in WA about data linkage and the potential for re-identification of an individuals personal details as a result of the data linkage process."

The Privacy Commissioner's authority to make Guideline 5

DoHA submits that:

"…s135AA only applies to information relating to an individual (s135AA (1) (a)). There is an issue as to whether the power under s135AA extends to permit guidelines to be made that cover de-identified information. If the information held by the Department does not relate to an individual (because it is de-identified) then it should not be addressed in the Guidelines."

Meaning of "claims information"

In response to DoHA's submission, the Office is satisfied that the Privacy Commissioner does have the authority under section 135AA to make guidelines concerning the handling of claims information, including where that information does not identify an individual.

In reaching this view, the Office notes that section 135AA applies to information that, amongst other things, is information relating to an individual.55 This definition does not mirror that provided in section 6 of the Privacy Act for "personal information" as being:

… information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Further, it appears significant that section 135AA(5)(f) expressly requires the Privacy Commissioner to make guidelines concerning the handling of information which has been stripped of its personal identification components. Such information would not generally meet the definitional thresholds of "personal information" and, it follows, this section cannot be given effect unless the meaning of "information" is read as being distinct from "personal information".

The Office is satisfied that section 135AA requires the Privacy Commissioner to make Guidelines for the handling of Medicare and PBS claims information relating to individuals and held by agencies regardless of whether that information identifies an individual or not.

Guideline 5.2 and section 135AA

The Office's understanding of the meaning of "information" has implications for Guideline 5.2.

Guideline 5.2 says:

"The secretary must not permit the establishment of a system which maintains the de-identified records from both programs in a combined form on a permanent basis in conjunction with the internal personal identification number."

Guideline 5.2(a) then provides:

"Nothing in this Guideline prevents the retention of de-identified records from both programs in a combined form in conjunction with an encrypted form of the internal personal identification number or a new and unrelated number"

Section 135AA(5) requires that guidelines be made establishing an absolute prohibition against agencies storing information that was obtained under the Medicare and PBS programs in the same database. As discussed above, this provision applies to information regardless of whether it also contains personal identification components. Accordingly, when Guideline 5.2(a) is read in conjunction with section 135AA(5), it can be seen that the current clause does not reflect the requirements of the legislation, in that it purports to permit an act or practice that is required to be prohibited.

Accordingly, it is necessary to omit Guideline 5.2(a) from any revised Guidelines to reflect the requirement that DoHA be prohibited from storing any information that has been collected under the Medicare or PBS programs in the same database. To ensure clarity in this matter, a Guideline similar to existing Guideline 1.1 (which applies to Medicare Australia), should be adopted for DoHA.

Encryption and the retention of linked claims information

DoHA has raises a number of other issues relating to its handling of claims information. In particular, DoHA:

  • queries the necessity for claims information to be stored in conjunction with an encrypted PIN (Guideline 5.2(a)), submitting that this encryption "…does not appear to provide any added protection" because "…the Department does not routinely have access to the Medicare Enrolment File".
  • submits that the one-month retention period for claims information that is linked in association with an unencrypted PIN (Guideline 5.2(b)(iii)) is unnecessary given "..the level of other protection that is available" and that the Guidelines should allow "…the timeframe under which linked data is to held to be determined individually for each project".

The first matter is partly addressed by the finding that Guideline 5.2(a) should be omitted, however, the question of under what circumstances the PIN should be encrypted remains relevant. While these obligations are separate, as they are complementary elements to an overall regulatory framework, there is merit in considering them together.

It is a broad policy objective of section 135AA and the Guidelines that DoHA should be permitted to link claims information for specific policy and research purposes in the public interest, albeit that such linkages should not create datasets that risk identifying individuals.

If a PIN-name linkage is known, then the individual to which a dataset pertains could be identified if that dataset includes the PIN. For this reason, there is an arguable case for requiring DoHA to encrypt the PIN that it associates with a linked dataset so that it is less likely the individual can be identified in the future.

At the same time, DoHA has submitted that:

Given that the Department does not routinely have access to the Medicare Enrolment File (it can only gain access to name-PIN links under guideline 6.1), and thus cannot put patient names to PINs, means that the need to encrypt the PIN does not appear to provide any added protection.

PIN-name linkages under Guideline 6

In this regard, Guideline 6.1 provides that an officer of DoHA may only link the PIN to identifying details held by Medicare Australia where that is authorised by the Secretary and is necessary:

  1. to clarify which information relates to a particular patient where doubt has arisen in the conduct of an activity involving the comparison or linkage of de-identified information; or
  2. for the purpose of disclosing personal information in a specific case or in a specific set of circumstances as expressly authorised or required by law.

In turn, Guideline 6.2 provides that:

The Secretary of the Department must establish procedures which ensure that where information is obtained under paragraph (a) of Guideline 6.1 that information is not retained once the doubt has been clarified.

Accordingly, the circumstances under which DoHA will be aware of a PIN-name linkage will be relatively restricted. However, it nonetheless remains the case that in these circumstances DoHA will be aware of the individual to which a PIN relates and that this creates a risk that an individual could be associated with a linked set of claims data, if that data includes the PIN.

It is appropriate therefore that where DoHA seeks to link claims information based on the PIN, then that linked dataset should be retained for a short and prescribed period of time. This requirement will assist in minimising the risk to individuals that they may be deliberately or inadvertently identified. The current period of one month seems at the upper-end of such a reasonable period.

At the same time, where DoHA links claims information on an encrypted form of the PIN, or on another number which cannot be associated an individual, then such datasets pose a lesser risk to the privacy of individuals. The retention period for such datasets should appropriately be for the purpose for which the linkage was created.

This 'for purpose' approach to the retention of linked datasets (that do not include the PIN) must not be used as a way to circumvent the absolute prohibition against the storage of claims information on the one database. Linked datasets must be for a clearly defined purpose and for a limited duration. As was discussed earlier in this report, the Office interprets the concept of "linkage", for the purposes of section 135AA, as being the creation of a relationship between information on an episodic and impermanent basis. The retention of linked datasets for long or indeterminate periods of time may have the effect of establishing a de facto common database.

Clarification and delegation of Secretary's powers

There are a number of matters under the Guidelines where acts and practices may be authorised by the Secretary of DoHA, or are required not to be permitted by the Secretary. DoHA has raised a number of issues in this regard, in particular:

  • whether the terms "permit" (Guidelines 5.1, 5.2(b)(ii)) and "authorise" (Guideline 6.1) have different meanings;
  • the exact scope of the authority created by such terms, including whether, for example, it is adequate for the Secretary to "…put in place general principles that the Department must follow in using data or requesting information from HIC, or if the Secretary needs to approve/authorise every single…" use or disclosure
  • whether a mechanism can be made in the Guidelines establishing an authority for the Secretary to delegate the exercise of these powers.

Meaning of "authorise" and "permit"

Dealing with these matters in turn, the Office notes the potential regulatory confusion created by the inconsistent use of terms and will seek to ensure that, where appropriate, terms are used consistently in any new guidelines. The Office's understanding is that while the term authorise "…can also mean permit",56 to the extent that there may be any distinction, the word "authorise":

"…connotes a mental element and it could not be inferred that a person had, by mere inactivity, authorised something to be done if he neither knew nor had reason to suspect that the act might be done"

In contrast, the word "permit" can be interpreted in such a way that a permission may "…sometimes even be inferred from an unfettered handing over for use without a knowledge of that particular use".57 Put another way, "permit" could be interpreted as allowing by inference something to occur on the grounds that it is not specifically prohibited.

Accordingly, given that the purpose of the Guidelines is to establish specific rules around the handling of Medicare and PBS claims information, the preferred term in any specific Guideline should be whichever, in that context, is consistent with the policy intent of the Guidelines and affords appropriate privacy protections.

Generally, where the purpose of a Guideline is to allow something that is otherwise not allowed, then the verb "authorise" is preferred as it makes clear that the handling of Medicare and PBS claims information should be subject to an active decision made by an appropriately senior officer after due consideration.

Guideline 5.1 establishes an authority under which the Secretary may "permit" the use of claims information by the DoHA. The enabling legislation requires that the Guidelines "…specify the uses to which agencies may put information" (section 135AA(5)(b)). How agencies may use claims information is an important concern of the Guidelines and the effective regulation of uses is an important way of ensuring adequate privacy protections. It therefore follows that the uses to which DoHA may put claims information should be subject to an active decision on the part of Secretary. Consistent with the policy settings for the Guideline, the verb used in this context should be "authorise", thus making clear that uses can not be inferred.

Similarly, Guideline 6.1 requires the Secretary to "authorise" DoHA officers to obtain personal identification components from Medicare Australia. This is again a highly sensitive matter and is fundamental to the privacy protections established by the Guidelines. A specific authority is appropriate.

Guideline 5.2 provides that the Secretary must not "permit" the establishment of system that maintains information from each program on the same database. A Guideline to this effect is another important requirement of the enabling legislation. In this context, the verb "permit" is appropriate, as it reflects the requirement that the Secretary will not allow this practice either by expressly authorising or by allowing an inference that it is allowed, including by omission.

Scope of discretionary powers

On the second matter, the intent of such powers, as discussed above, is to allow the Secretary to authorise specific information handling acts and practices having regard to the enabling legislation and Guidelines.

The proposed use of the word "authorise" in the Guidelines should inform the decision maker that the use of such discretionary powers will require them to make an active decision as to the acts and practices they are authorising, including the relative merits of such activities.

In regard to the scope of these powers, the Office understands that it would be difficult to draft a series of broad principles that would apply uniformly across a range of circumstances and still meet the intent of the enabling legislation and Guidelines. Such an approach would seem inconsistent with the Guidelines, including by effectively delegating the discretionary powers to staff, permitting them to determine the exact circumstances under which claims information may be used or disclosed.

There may be an ability to draft an authority that covers some classes of use or disclosure. This would require that the parameters of such classes are sufficiently well defined and limited to ensure that there is certainty concerning which information handling practices are allowed.

Delegation of Secretary's powers

On the final matter, the Office accepts that the existing requirement for the Secretary to approve various acts and practices may establish an administrative burden on the efficient processing of requests. In some cases, this may unnecessarily delay any number of activities deemed in the public interest.

At the same time, the manner in which Medicare and PBS claims information should be handled is important, and requires the oversight of senior staff within DoHA. Accordingly, the Office is inclined to support the addition of limited delegation facility such that the Secretary may delegate the exercise of powers under the Guidelines, for example, to the level of Deputy Secretary and to the Australian Government Chief Medical Officer.

Findings

12. To promote regulatory certainty, the Guidelines will not include reference to "de-identified information" but will draw on terminology consistent with the enabling legislation.

13. Section 135AA requires the Privacy Commissioner to make Guidelines for the handling of Medicare and PBS claims information relating to individuals and held by agencies regardless of whether or not that information identifies an individual.

14. Guideline 5.2(a) is to be deleted to reflect the requirement that the Privacy Commissioner must make Guidelines prohibiting the storage of Medicare and PBS claims information on the same database.

15. A Guideline prohibiting the storage of Medicare and PBS claims information on the same database is to be applied to the Department of Health and Ageing.

16. For the Department of Health and Ageing, linked datasets that include the PIN should continue to be retained for no more than 1 month.

17. For the Department of Health and Ageing, linked datasets that do not include the PIN may be retained for as long as necessary to meet the purpose for which they were established.

18. For the Department of Health and Ageing, linked datasets that do not include the PIN must not be used as a way to circumvent the absolute prohibition against the storage of claims information on the one database.

19. The Guidelines will reflect the potential distinctions in meaning between the verbs "authorise" and "permit".

20. The Guidelines should allow for the Secretary to define classes of use and disclosures provided such classes are sufficiently well defined and limited to ensure regulatory certainty.

21. Powers currently available under the Guideline to the Secretary of the Department of Health and Ageing should be able to be delegated to appropriate senior officers, for example to the level of Deputy Secretary or to the Australian Government Chief Medical Officer.

8. APPLICATION OF THE GUIDELINES TO OTHER AGENCIES

Law & Policy

Section 135AA(5) requires the Privacy Commissioner to, 'so far as practicable', make guidelines regulating how agencies use, store and disclose Medicare and PBS claims information. For the purposes of the section, agency has the same meaning as given in section 6 of the Privacy Act as:

  1. a Minister; or
  2. a Department; or
  3. a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth enactment, not being:
    1. an incorporated company, society or association; or
    2. an organisation within the meaning of the Conciliation and Arbitration Act 1904 or a branch of such an organisation; or
  4. a body established or appointed by the Governor''General, or by a Minister, otherwise than by or under a Commonwealth enactment; or
  5. a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth enactment, other than a person who, by virtue of holding that office, is the Secretary of a Department; or
  6. a person holding or performing the duties of an appointment, being an appointment made by the Governor''General, or by a Minister, otherwise than under a Commonwealth enactment; or
  7. a federal court; or
  8. the Australian Federal Police; or
  9. an eligible case manager; or
  10. the nominated AGHS company; or
  11. an eligible hearing service provider.

At the time the Guidelines were drafted, the Office was advised that Medicare Australia and DoHA were the only agencies handling information to which the Guidelines applied. Consequently, the Guidelines are limited in their effect to these two agencies.

During this Review, the Office has considered whether making Guidelines that regulate Medicare Australia and DoHA is sufficient to meet the statutory requirement that the instrument apply to "agencies". If found that such guidelines are not sufficient, then further guidelines may be required to regulate the handling of claims information by all other agencies.

The policy objective in making Guidelines that apply to all agencies would be to ensure that other agencies may not handle Medicare and PBS claims information in a manner that risks the privacy of that information. Specifically, it is a key requirement of the enabling legislation that agencies not be able to create a de facto central database of health information on most Australians, nor be able to use or disclose that information for purposes unrelated to why it was collected, including by linking information from each benefit program.

Establishing regulation for all agencies could be through a range of regulatory models, which may include:

  • a minimalist model that could create obligations on the two primary information holders (Medicare Australia and DoHA) to only disclose claims information to other agencies on the condition that any recipient agency would handle claims information in a manner consistent with the rules applying to Medicare Australia and DoHA. Provisions of this kind already exist in Guidelines 4A.2 and 5.4.
  • a more expansive model could be to make a new Part to the Guidelines that prescriptively codifies how 'other agencies' handle claims information in accordance with the requirements of the enabling legislation.

Section 135AA(5) specifies the requirements the guidelines must address 'so far as practicable'. It was that the expression 'so far as practicable' in s.135AA(5) means the feasibility of using the Guidelines to achieve the objectives set out by the legislation. For example, it may not be practicable to draft Guidelines that prescriptively regulate the minutiae of various processes that occur when claims information is linked.

Additionally, it may not be practicable to make Guidelines that regulate agencies that may only handle claims information on an infrequent or ad hoc basis, or where the purpose of such handling is difficult to anticipate. For example, Guideline 1.4 permits Medicare Australia to disclose claims information where required by law. Accordingly, there may be a large number of laws that permit such disclosures, for a wide range of different purposes. It is arguably not practicable for the Guidelines to regulate how agencies may handle claims information when obtained for a wide variety of different purposes, or for practices that may be episodic and irregular.

It is noted that some of the requirements of section 135AA may lend themselves to wide application more readily than others. For example, the prohibition provided by section 135AA(5)(d) against storing Medicare and PBS claims information is an absolute one for which no exceptions can be made. Accordingly, it is arguable that it is practicable for this to be given a form of "blanket" effect across all agencies by a Guideline proscribing such a practice.

Alternatively, it would seem more difficult and far less practicable to make guidelines that specify the authorisations under which agencies may be permitted to link claims information or how agencies may handle old claims information (sections 135AA(5)(e) and (f) respectively).

In considering the question of extending the regulatory effect of the Guidelines, the Office has also noted that a number of agencies would welcome the opportunity to be able to obtain claims information, including for public health and social research. The pressure to make greater use of claims information appears to be increasing. If other agencies were routinely obtaining and handling claims information, then this may make it more necessary for the Office to consider further regulation of either specific agencies, or agencies generally.

Options for Reform

Option 1 No amendment

The Guidelines could remain restricted to regulating Medicare Australia and DoHA, while fulfilling the Privacy Commissioner's statutory responsibilities regarding making the Guidelines.

Apart from Medicare Australia and DoHA, the Office is not aware of the large-scale collection of claims data by other agencies. As such, it may not be practicable for the Office to make regulation in anticipation of acts and practices that do not actually occur. Such regulation make be speculative and unnecessary.

Significantly, it would not seem practicable to provide the specificity of regulation required by at least some of the requirements of section 135AA, in particular, the requirements to make guidelines for authorised linkages and the handling of old information.

At the same time, there would seem merit in the Office monitoring for any wider use of claims information by other agencies and, if necessary, reconsidering further regulation if more tangible concerns emerge. Until such concerns arise, the Office is inclined not to make any major amendment to address the regulation of other agencies.

It is less clear whether it can be deemed impracticable to make guidelines prohibiting agencies from storing Medicare and PBS claims information on the same database. As this is an absolute prohibition, it is arguable that it can be given effect relatively simply. As the enabling legislation requires such a guideline "so far as it practicable", it may be necessary to make such a guideline to fulfil the Privacy Commissioner's statutory responsibilities.

Option 2 Introduce an additional Part with new Guidelines applying to agencies other than DoHA and Medicare Australia

Additional guidelines could be made in a new Part to the Guidelines. These Guidelines would apply to all agencies other than DoHA and Medicare Australia, thus giving effect, in general terms, to the requirements of 135AA(5) (the matters to which the Guidelines must address) and fulfilling the policy objective of that section. These provisions could include:

  • agencies must use or disclose information only for the purpose it was collected (giving effect to 135AA(5)(a)-(c)
  • agencies must not store information from the two databases in a single database (as required by section 135AA(5)(d)
  • agencies must strip information of personal identification components after 5 years (section 135AA(5)(f).

As with Option 1, it does not seem practicable for the Office to issue a guideline in this detail to regulate other potential agencies, particularly where there is no evidence to demonstrate large-scale collection and use of claims data by other agencies.

The Office does not believe that it is practicable to make such Guidelines and does not support this Option.

Option 3 Make a guideline placing an obligation on DoHA and Medicare Australia to ensure that recipient agencies of claims information handle it in accordance with the requirements of 135AA

This Option could ensure that disclosures must be subject to binding arrangements between Medicare Australia or DoHA, and the recipient agency which requires the recipient agency to adhere to all the matters raised in section 135AA.

Section 135AA was enacted with the requirement that the Privacy Commissioner issue Guidelines that regulate how agencies handle Medicare and PBS claims data. The process of issuing these Guidelines requires consultation, written notice, and parliamentary oversight by disallowance. The Office is reluctant to create a system of sub-regulation of other agencies through agreements with the principal agencies, which does not have the parliamentary oversight that is required of the section.

The Office does not support this Option.

Option 4 Make a guideline giving effect to the absolute prohibition against combining Medicare and PBS claims information

This Option could involve making a guideline similar to Guideline 1.1 (which currently prohibits Medicare Australia from combining claims information on the same database) that applies to all agencies. Such a guideline would be a mechanism to give effect to express requirement of section 135AA(5)(d). As this section requires an absolute prohibition, the guideline required to give it effect would be relatively simple, as it would not be required to provide exceptions. This avoids the impracticable alternatives discussed in Options 1 and 2.

This Option could be adopted as part of any of the other three options, or as a standalone method of addressing a key concern of the Guidelines.

The Office is inclined to support this Option as it gives affect to the primary obligation to prohibit the storage of claims information on one database, to all agencies. As the making of such a guideline is practicable, it is a statutory requirement that it must be made.

Findings

22. It is practicable to make a guideline meeting the requirement of section 135AA(5)(d) to prohibit any agency from storing Medicare and PBS claims information on the same database.

23. A guideline similar to Guideline 1.1 is to be made having effect for all agencies, thus prohibiting Medicare and PBS claims information from being stored on a single database by any agency.

24. It is not practicable to make guidelines meeting the requirements of any other clause of section 135AA(5) other than (d).

25. The Office will continue to monitor any wider use of Medicare and PBS claims information by other agencies to determine whether further guidelines become practicable.

Appendix A: Medicare and Pharmaceutical Benefits Programs privacy guidelines

Issued under section 135AA of the National Health Act 1953, with Privacy Commissioner's notes

May 1997

© Commonwealth of Australia 1997. This work is copyright. It may be reproduced in whole or part for study or training purposes subject to the inclusion of an acknowledgment of the source and no commercial usage or sale. Reproduction for purposes other than those indicated above require the prior written permission from the Privacy Commissioner. Requests and enquiries concerning reproduction rights should be directed to the Manager, Human Rights and Equal Opportunity Commission, GPO Box 5218, Sydney NSW 1042. ISBN 0 642 27022 8

Contents Preface 1 Introduction 1 A Health Insurance Commission 5 B Department 11 C Miscellaneous 15 Meaning of terms 15 Table of amendments 17

Preface

These Guidelines were first issued on 24 November 1993, under section 135AA of the National Health Act 1953. A Table of Amendments since that time appears at the end of the document.

The Guidelines commence with an introduction and then contain a number of specific provisions. The numbered Guidelines lay down rules which are legally binding. A breach of a rule constitutes an interference with the privacy of an individual for the purposes of s.13(bb) of the Privacy Act 1988. (See further s.135AB, National Health Act 1953.)

The Guidelines are accompanied by Commissioner's notes which are in italics. The Commissioner's notes do not form part of the law and provide interpretive assistance only.

Introduction

Legal basis

These Guidelines are issued by the Privacy Commissioner under section 135AA of the National Health Act.

The Guidelines have been developed in consultation with the Health Insurance Commission ("the HIC"), the Department of Health, Housing, Local Government and Community Services ("the Department"), representatives of the pharmacy and medical professions and other relevant organisations.

Commissioner's note

Consultation is required by section 135AA(6) of the National Health Act. Section 4(2) of the National Health Amendment Act 1993 provides that consultations that took place under subsection 135AA(7) of the National Health Act (prior to it being amended by the National Health Amendment Act 1993) are to be taken for consultations under section 135AA(6) as amended.

The Department of Health, Housing, Local Government and Community Services is now called the Department of Health and Family Services.

These Guidelines are disallowable instruments under section 46A of the Acts Interpretation Act 1901. They take effect from 15 April 1994 unless disallowed by Parliament. The Guidelines may be replaced or varied by written notice by the Privacy Commissioner at any time. Any such variation would also be subject to disallowance.

Commissioner's note

See the Table of Amendments at the end of the Guidelines for the date of effect of amendments to the Guidelines.

The Guidelines provide for standards to apply to information about an individual's claims under the Medicare and Pharmaceutical Benefits Programs which is stored in a computer database. The National Health Act (s.135AA(5)) requires that, so far as practicable the Guidelines must:

  1. specify the ways in which information may be stored and, in particular, specify the circumstances in which creating copies of information in paper or similar form is prohibited; and
  2. specify the uses to which agencies may put information; and
  3. specify the circumstances in which agencies may disclose information; and
  4. prohibit agencies from storing in the same database:
    1. information that was obtained under the Medicare Benefits Program; and
    2. information that was obtained under the Pharmaceutical Benefits Program; and
  5. prohibit linkage of:
    1. information that is held in a database maintained for the purposes of the Medicare Benefits Program; and
    2. information that is held in a database maintained for the purposes of the Pharmaceutical Benefits Program;
    unless the linkage is authorised in the way specified in the Guidelines; and
  6. specify the requirements with which agencies must comply in relation to old information, in particular requirements that:
    1. require the information to be stored in such a way that the personal identification components of the information are not linked with the rest of the information; and
    2. provide for the longer term storage and retrieval of the information; and
    3. specify the circumstances in which, and the conditions subject to which, the personal identification components of the information may later be re-linked with the rest of the information.

Section 135AB of the National Health Act provides that a breach of the Guidelines constitutes an interference with privacy under section 13 of the Privacy Act. An individual may complain to the Privacy Commissioner under section 36 of the Privacy Act about a practice that may be a breach of the Guidelines. A complaint concerning a breach of the Guidelines will be dealt with in the same way as a complaint of a breach of an Information Privacy Principle.

Scope

The National Health Act sets out the information to which the Guidelines apply. Paragraphs 135AA(1) and (2) of the National Health Act provide:

  1. Subject to subsection (2), this section applies to information that:
    1. is information relating to an individual; and
    2. is held by an agency (whether or not the information was obtained by that agency or any other agency after the commencement of this section); and
    3. was obtained by that agency or any other agency in connection with a claim for payment of a benefit under the Medicare Benefits Program or the Pharmaceutical Benefits Program.
  2. This section does not apply to such information:
    1. so far as it identifies:
      1. a person who provided the service or goods in connection with which the claim for payment is made; or
      2. a person who, in his or her capacity as the provider of services, made a referral or request to another person to provide the service or goods; or
    2. so far as it is contained in a database that:
      1. is maintained for the purpose of identifying persons who are eligible to be paid benefits under the Medicare Benefits Program or the Pharmaceutical Benefits Program; and
      2. does not contain information relating to claims for payment of such benefits; or
    3. so far as it is not stored in a database."

Commissioner's note

The following outline of the scope of the Guidelines is drawn from subsections 135AA(1) and 135AA(2) of the National Health Act. It attempts to put the requirements of these sections into simpler language but is not intended to alter or vary the meaning of those sections.

These Guidelines seek to provide privacy protection for Medicare and Pharmaceutical Benefits claims information relating to individuals that is held by any agency under the Privacy Act. Agencies under the Privacy Act include federal and ACT departments and bodies (see section 6 of the Privacy Act for a comprehensive definition).

Commissioner's note

The HIC and the Department advise that they are presently the only agencies holding information which satisfies the conditions set out under subsections 135AA(1) and (2) as to the information to be regulated by these Guidelines. Consequently these Guidelines are framed in terms of the HIC and the Department's storage, use etc of that information. If the situation arises in future where other agencies are affected by subsections (1) and (2) the Guidelines will be amended. The National Centre for Epidemiology and Population Health holds on a database some Medicare claims information, which has been disclosed to the Centre with the consent of the individuals concerned for a particular research study. Guideline 4A deals specifically with claims information disclosed or used for research purposes.

The Guidelines do not apply to information which identifies a provider of a service under the Medicare or Pharmaceutical Benefits Programs or a provider who refers an individual for a service under these programs. Nor do the Guidelines apply to databases aimed at identifying people eligible to be paid benefits under the two programs.

The Guidelines apply only to the claims information which is stored on a computer database.

These Guidelines apply to all patient claims information collected under the Pharmaceutical Benefits Program and the Medicare Program, and held on a computer database, which is still in existence.

Commissioner's note

The current position in relation to the retention of claims data is that Pharmaceutical Benefits claims information from November 1986 to date has been retained. Data from the commencement of the Medicare Program on 1 February 1984 is covered by the Guidelines. Medical claims data dating from the period before 1 February 1984 is not covered by the Guidelines. However, the Department has indicated that it would apply the spirit of the Guidelines to data collected prior to 1 February 1984.

These Guidelines do not regulate the disclosure of claims information by the HIC other than:

  • in relation to any linkage between Medicare and Pharmaceutical Benefits claims information; and
  • to the extent that the internal personal identification number (PIN) is involved.

The Guidelines should be read in conjunction with the secrecy provisions of the relevant health legislation (in particular section 130 of the Health Insurance Act and section 135A of the National Health Act) and the Information Privacy Principles (in section 14 of the Privacy Act). In some areas the Guidelines set a higher standard for the protection of claims information than is required by the Information Privacy Principles and deal with issues not covered by the Privacy Act (such as the retention, de-identification and destruction of claims information). In these cases the Guidelines override the Information Privacy Principles. Any disclosures of claims information must conform to the Guidelines and the relevant secrecy provisions in health legislation as well as Information Privacy Principle 11 (which limits disclosure of personal information).

These Guidelines do not cover information collected and held by the HIC and Department in carrying out functions under s.100 of the National Health Act (such as Human Growth Hormone Program and Continuing Medication Program) or the Pharmacy Restructuring Program (under Division 4B and 4C of Part VII of the National Health Act).

Commissioner's note

The Human Growth Hormone and Continuing Medication Programs are small and specific programs administered by the Department rather than the HIC. Payments in the Human Growth Hormone Program are made by the Department to manufacturers who supply the doctors treating patients receiving the Human Growth Hormone. Claims data is not currently stored on a database. Under the Continuing Medication Program the Department refunds the prescription co-payment for displaced persons accommodated in shelters. Copies of the prescriptions are held by the Department but claims information is not currently stored on a database. Data held in relation to the Pharmacy Restructuring Program does not include patient claims data and therefore does not come within the scope of these Guidelines.

A. Health Insurance Commission

The following standards must be observed by the Health Insurance Commission in managing patient claims information in the conduct of the Medicare and Pharmaceutical Benefits Programs.

1. Functional separation of programs

1.1 Medicare claims information and Pharmaceutical Benefits claims information must not be held on the same database. Procedures must not be established which permit claims information from either of these programs to be linked, merged or combined, other than in the exceptional circumstances listed in Guideline 1.4.

Commissioner's note

This Guideline seeks to ensure that functional separation is maintained between the two databases, so as to accord with the individual patient's expectation that sensitive health information given in a particular context is used and managed by the recipient in a way that is consistent and in accordance with that context. It gives a practical expression, in the context of information storage systems, to the privacy principle that information should generally only be used for the purpose for which it was collected.

1.2 To ensure that functional separation is maintained between the two programs:

  1. The claims information relevant to each program must be held in a separate database. This requirement does not prevent the HIC from locating each database within the same computer system.
  2. Detailed technical standards must be established by the HIC which:
    1. specify access controls applying to each database;
    2. limit access to each database to those officers or contractors who have a reasonable need for access in order to ensure the effective administration of the particular program; and
    3. specify the security procedures and controls which have been included in each database or in the system to prevent unauthorised comparison or merging of records held in either database about the same patient.

1.3 These matters must be dealt with in a Technical Standards Report to be held by the HIC and filed with the Privacy Commissioner. Any variations to the technical standards should be the subject of a Variation Report also filed with the Privacy Commissioner.

1.4 The HIC may link, compare or combine records or information from either database relating, or expected to relate, to the same patient in the following circumstances:

  1. for internal use where that use is:
  • authorised or required by law, and is reasonably necessary, in a specific case or in a specific set of circumstances, for the discharge of the HIC's statutory responsibilities in relation to the enforcement of the criminal law or of a law imposing a pecuniary penalty or for the protection of the public revenue; or
  • for the purpose of external disclosure:
    • in a specific case or specific set of circumstances where that disclosure is required by law; or
    • in the specific circumstance of Coordinated Care Trials conducted by the Department between October 2000 and April 2004, where the individual who is the subject of the information has given his/her express and informed consent in writing; or…
  • for the purpose of determining an individual's eligibility for a benefit under one program, where eligibility for that benefit is dependent upon services provided under the other program; or
  • where the HIC believes on reasonable grounds that the linkage is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

Commissioner's note

This Guideline varies Information Privacy Principle 10 in relation to internal use and Information Privacy Principle 11 in relation to external disclosure in the specific circumstances referred to in the Guideline, that is linkage, comparison or combination of records from either of the regulated databases. These variations reflect the special sensitivity attaching to linkage or comparison of records from the two claims databases.

Under section 1.4 (b) amendment 2000 No 1 inserted a second exception for Coordinated Care Trials, under which the HIC may disclose linked data from the Medicare and PBS databases to obtain a person's complete health picture for the purpose of testing a new system of managing health care for people with multiple or complex care needs.

An illustration of where exception (c) may be used is where specific pharmaceutical benefits may be supplied to a person participating in assisted reproduction programs (including in vitro fertilisation).

1.5 The discretion referred to in Guideline 1.4 may not be used to establish a data matching program between the two databases.

Commissioner's note

A data matching program in this context is intended to refer to the routine comparison of large numbers of records held in each database, using a computer, with a view to identifying matters of interest.

1.6 Where records or information are compared or combined for the purpose of disclosure as permitted by Guideline 1.4(b), the internal personal identification number must not be included in any information to be disclosed unless it is expressly required by law.

Commissioner's note

A key feature of these Guidelines is to ensure that there is no linkage of both name and internal personal identification number in any disclosure to third parties by either the HIC or the Department, unless expressly required by law. Later Guidelines, in particular Guideline 2, deal with the extent to which these two data items may be made available by the HIC to the Department. The object is to restrict to the HIC, as far as possible, knowledge of the name-internal personal identification number link. An example of where the internal personal identification number may be expressly required by law to be disclosed is where there is a warrant or subpoena for the information.

1.7 Where records or information relating to the same patient in either database are compared or combined in conformity with Guideline 1.4(b), (c) and (d) the HIC shall keep a note of that action. The HIC must identify, in the Technical Standards Report, how the action can be traced.

Commissioner's note

This requirement is supplementary to the obligation under Information Privacy Principle 10.2, to maintain a log of use where personal information is used for the enforcement of the criminal law, a law imposing a pecuniary penalty or for protection of the public revenue. Amendment 1996 No 1 amended this Guideline so that the HIC must specify in a technical report how it will keep an auditable record of instances where records or information relating to the same patient are linked, compared, or combined under Guideline 1.4. The previous requirement to include a flag on the database was amended as the HIC advised that it could not comply with it, and that it would have drawn attention to the fact that the subject of a record has had their records matched or combined to the HIC operators.

1.8 Enrolment and entitlement databases must be kept separate from the claims databases. Personal Identification Numbers referred to in Guideline 2 may be included in claims databases. Personal identification components must not be included in claims databases except as follows: in the case of Medicare claims database, the Medicare number; and in the case of the Pharmaceutical Benefits claims database, the Pharmaceutical entitlements number.

Commissioner's note

This Guideline seeks to reinforce the existing practice of maintaining the enrolment and entitlement databases separately from the claims databases. This is seen as valuable in ensuring that the more detailed personal particulars (such as name and address) kept on the enrolment and entitlement databases are not duplicated in the more active claims processing databases.Previously no personal identification details other than the personal identification numbers referred to in Guideline 2 could be included in the claims database.Amendment 1996 No 1 permitted the use of the Medicare card number on the Medicare claims database, and the Pharmaceutical entitlements number on the Pharmaceutical Benefits claims database. These numbers are integral to the processing of claims and their inclusion on the relevant database does not undermine the policy objective of functional separation of the claims database. Since the Personal Identification Number (PIN) referred to in Guideline 2 is not defined as a 'personal identification component', it will continue to be able to be included in the claims database.

2. Maintenance and disclosure of personal identification number (pin) information

Commissioner's note

The HIC holds unique internal personal identification numbers in relation to all persons listed in the two databases. The internal operation of these databases is conducted by reference to those numbers. The object of these Guidelines is to restrict to the HIC, as far as possible, knowledge of the link between the name and internal personal identification number.

2.1 The HIC may maintain an internal personal identification number to the extent necessary to assist it in clearly identifying each patient included in either program.

Commissioner's note

This Guideline accords with existing practice.

2.2 In assigning an internal personal identification number to a patient the HIC shall ensure that it is not based on or derived from a person's name, date of birth, address, telephone number or Medicare card number or that it enables an individual's identity to be determined from the internal personal identification number alone. The internal personal identification number must not reveal any health related or other personal information of the patient.

Commissioner's note

This Guideline seeks to ensure that the internal personal identification number is not designed so as to convey, through codes, information about an individual. This accords with international statements on desirable practice in relation to the use of personal identification numbers in administration.

2.3 A person's Medicare card number in an encrypted form and the internal personal identification number may be provided to the Department in conjunction with de''identified details of claims for payment under the Medicare Benefits Program or the Pharmaceutical Benefits Program. No other official patient identifying number shall be provided except as permitted by Guideline 2.7. Any algorithm enabling the encrypted Medicare card number or the internal personal identification number to be decoded so as to reveal the identity of a patient shall not be provided to the Department in any circumstances although a business algorithm enabling the encrypted Medicare card number or the internal personal identification number to be validated may be provided to the Department.

Commissioner's note

It is routine for the HIC to provide de-identified (i.e anonymised) claims data to the Department. The Department uses the de-identified data for a range of public policy purposes for some of which it is necessary to link records relating to the same (unidentified) individual.

Amendment 1996 No 1 permitted the inclusion of the Medicare card number in encrypted form allowing the HIC to identify card level activities, when it obtains old claims information from the Department, while not enabling the Department to decode the number.

The reference to other official patient identifying numbers not being provided (except as provided in Guideline 2.7) is chiefly a reference to the Department of Social Security or Department of Veterans' Affairs concessional entitlement numbers, but applies equally to any official identifying number.

The Guideline seeks to ensure that any decoding algorithm in use in the HIC is not revealed to the Department.

2.4 The patient name corresponding to an internal personal identification number may only be provided to the Department where the HIC has received a request from the Department conforming to Guideline 6.

Commissioner's note

This Guideline gives the HIC a discretion to provide the name-internal personal identification number link to the Department. This Guideline must be read in conjunction with Guideline 6 which specifies the limited circumstances where that is permissible.

2.5 Where the HIC has given the Department a name or number to enable it to re-identify information in accordance with Guideline 6 the HIC shall keep a note of that action.

Commissioner's note

This Guideline seeks to ensure that any exercise of a discretion under Guideline 2.4 is logged, so as to assist the Privacy Commissioner in monitoring compliance.

2.6 Where the HIC lawfully discloses information to an agency, organisation or individual other than the Department it must not provide both the name and the internal personal identification number unless it is expressly required by law (for example under warrant or subpoena).

Commissioner's note

This Guideline must be read in conjunction with Information Privacy Principle 11 and the relevant secrecy provisions in legislation. It seeks to ensure that in circumstances where the HIC makes a lawful disclosure, it only discloses either name information or internal personal identification number information, but not both unless this is expressly required by law.

2.7 The HIC may also supply the Department with information as to whether the records attaching to a particular personal identification number relate to an individual who is or was a participant in special schemes such as safety net arrangements under the Medicare and Pharmaceutical Benefits Programs. That additional information shall not be in a form which reveals the identity of the individual.

Commissioner's note

The Department has advised that anonymity of the individual would normally be achieved by the HIC encrypting the relevant entitlement numbers.

3. Destruction

Commissioner's note

The following Guideline seeks to ensure that long-term retention of data in identified form is avoided. This Guideline addresses the requirement under subsection 135AA(5)(f)(i) of the National Health Act that data over five years old is stored so that personal identification components are not linked with claims information.

3.1 The HIC shall destroy Medicare and Pharmaceutical Benefits claims information:

  1. in the case of data that is the product of the linking, comparing or combining of records or information in accordance with Guideline 1.4 - within 3 months of the data being brought into existence; or
  2. in any other case - within 5 years of the date of initial processing of the information;

unless:

  1. there is an investigation, prosecution, unresolved compensation matter or action for recovery of debt pending which requires that the information be retained beyond whichever of the limits in paragraph (a) or (b) applies; or
  2. the information affects an individual's entitlement to a related service which could be rendered after the expiry of whichever of the time limits in paragraph (a) or (b) applies.

Commissioner's note

This Guideline does not prevent the HIC from retaining a summary or sample file of claims which have been stripped of all patient identifiers.

3.2 The HIC must make special arrangements for the security of records which have been retained under Guideline 3.1(c). These arrangements are to be included in the Technical Standards Report.

Commissioner's note

The amount of information which would need to be retained after five years is likely to be very small. The Guideline ensures that the data retained by the HIC is given special protection and is not exposed in the ordinary operating system.

3.3 The HIC shall destroy any information that is retained beyond whichever of the time limits in Guideline 3.1(a) or (b) applies:

    1. within 14 months of the completion of the relevant investigation, prosecution, unresolved compensation matter or action for recovery of debt referred to in Guideline 3.1(c); or
    2. as soon as practicable after the circumstances referred to in Guideline 3.1(d) no longer apply;

    as the case requires, and the HIC must satisfy the Privacy Commissioner, upon request, that it has adhered to its obligations under this guideline.

    Commissioner's note

    Records Disposal Authority 1233, under the Archives Act, establishes a mandatory minimum retention period for records. Amendment 1996 No 1 strengthened this Guideline to require the HIC to destroy information rather than merely establishing procedures to do so; and that it must satisfy the Privacy Commissioner of its adherence to its obligations rather than merely being required to keep the Privacy Commissioner informed of the relevant procedures.

    4. Obtaining old claims information

    4.1 The HIC may, after supplying the relevant personal identification number or provider number, obtain from the Department, old claims information held by the Department and related to the number supplied where the HIC needs that information to enable it to:

    • take action on an unresolved compensation matter
    • take action on an investigation or prosecution
    • take action for recovery of a debt
    • determine entitlement on a late lodged claim
    • determine entitlement for a related service rendered more than five years after the service which is the subject of the old claims information
    • fulfil a request for that information from the individual concerned or from a person acting on behalf of that individual
    • lawfully disclose identified information in accordance with the secrecy provisions of the relevant legislation and these guidelines.

    Commissioner's note

    This Guideline regulates the circumstances in which the HIC may obtain from the Department claims information more than five years old.

    4.2 Any record of any information obtained under Guideline 4.1 shall be deleted from any database on which it is held as soon as practicable after the action referred to in Guideline 4.1 has been completed; and in any case shall only be retained on any database for a maximum period of 3 months.

    4.3 The HIC must make special arrangements for the security of records obtained in accordance with Guideline 4.1. These arrangements are to be described in a Technical Standards Report.

    4.4 Where information is obtained in accordance with Guideline 4.1 the HIC shall keep a note of the action.

    Commissioner's note

    This Guideline aims to provide a record of the transaction in the event of an individual complaint.

    4a. Use of identified claims information for research purposes

    4A.1 Disclosure of Medicare and Pharmaceutical Benefits claims information for medical research must conform to the secrecy provisions in the Health Insurance Act 1973 and the National Health Act 1953. In addition identified claims information may only be disclosed for research if:

    1. the HIC is satisfied that the individuals who are the subject of that information have given their free and informed consent to the use of that information in the research project; or
    2. the disclosure is made for the purposes of medical research to be conducted in accordance with the Medical Research Guidelines issued by the National Health and Medical Research Council under section 95 of the Privacy Act 1988.

    Commissioner's note

    Reference to the Medical Research Guidelines is limited to the MRG in force on 1 January 1997, when Guideline 4A came into effect. It cannot refer to the MRG as in force from time to time in the future.

    4A.2 These Guidelines do not prevent a researcher to whom information has been disclosed in accordance with guideline 4A.1 from retaining that information once it becomes old information provided that at the conclusion of the research project the researcher either returns the information to the HIC for destruction or securely destroys the information.

    Commissioner's note

    This Guideline replaces the previous Guideline 7 to make it clear that disclosures for research purposes must conform to the secrecy provisions and to make it clear that the Guidelines permit disclosures that are made with the consent of the individual or in accordance with the NH&MRC Medical Research Guidelines.

    B. Department

    The following standards must be observed by the Department in using claims information received from the HIC.

    5. Use of de-identified claims information

    5.1 Claims information in computer form provided to the Department by the HIC in de-identified form may be used by the Department as permitted by the Secretary to the Department.

    Commissioner's note

    This Guideline seeks to recognise that the Department usually holds claims data in de-identified form. Provided there are adequate controls over the possibility of name linkage, the Department's practices in relation to de-identified data are not affected by the Privacy Act. Guideline 6 seeks to ensure that adequate controls over the possibility of name linkage exist.

    5.2 The Secretary must not permit the establishment of a system which maintains the de-identified records from both programs in a combined form on a permanent basis in conjunction with the internal personal identification number.

    1. Nothing in this Guideline prevents the retention of de-identified records from both programs in a combined form in conjunction with an encrypted form of the internal personal identification number or a new and unrelated number.
    2. This Guideline does not prevent Pharmaceutical Benefits and Medicare claims information concerning particular individuals from being temporarily linked by the PIN where:
      1. the linkage is necessary for a use permitted by the Secretary; and
      2. claims information identified by the PIN or any personal identification components (defined in section 135AA(11) of the National Health Act) is used solely as a necessary intermediate step to obtain aggregate or de-identified information; and
      3. claims information temporarily linked in conjunction with the personal identification number is destroyed within 1 month of its creation.

      Claims information from the two databases shall only be linked in this temporary manner in conjunction with the internal personal identification number where there is no practical alternative.

    Commissioner's note

    This Guideline is seeking to provide a further means of ensuring that the principle of functional separation of Pharmaceutical Benefits and Medicare claims data is maintained. It is recognised that it may be desirable for health policy purposes for de-identified records to be compared. By preventing this being done permanently in conjunction with the internal personal identification number, the possibility of a link back to the name or identity of a patient is reduced. Amendment 1996 No 1 clarified the Guideline and also provided that it does not prevent the retention of de-identified records in a combined form in conjunction with an encrypted form of the PIN or a new and unrelated number. Before the amendment, this could only be done using a new and unrelated number. While the Department may encrypt the PIN, it will not have the ability to determine who the PIN relates to.

    5.3 De-identified claims information may be held indefinitely for policy and research purposes.

    Commissioner's note

    This Guideline accords with current practice. The Department is developing a policy on the retention of de-identified data beyond ten years.

    5.4 Where the Department discloses claims information relating to patients in a de-identified form (other than in accordance with Guideline 4 or 6), the Department must be reasonably satisfied that the recipient is not in a position to re-identify the information unless the de-identified information has been released under section 130 of the Health Insurance Act 1973 or section 135A of the National Health Act 1953.

    Commissioner's note

    This Guideline seeks to ensure that the Department does not disclose de-identified data without having considered the possibility of whether it can be re-identified in the hands of the recipient. Amendment 1996 No 1 amended this Guideline to make an exception where the de-identified information has been released under secrecy provisions in the Department's own Acts.

    Any disclosures must also accord with the Information Privacy Principles in the Privacy Act and the relevant secrecy provisions in health legislation.

    6. Name linkage

    6.1 An officer of the Department may obtain from the HIC the name and other personal identification components corresponding to the internal personal identification number where that is authorised by the Secretary and is necessary:

    1. to clarify which information relates to a particular patient where doubt has arisen in the conduct of an activity involving the comparison or linkage of de-identified information; or
    2. for the purpose of disclosing personal information in a specific case or in a specific set of circumstances as expressly authorised or required by law.

    Commissioner's note

    This Guideline recognises that there are limited circumstances in which it is necessary for the Department to have access to name information.

    • Exception (a) is addressed to circumstances where technical difficulties arise in the conduct of policy and research activity which mean that data from two databases cannot accurately be compared without temporary re-identification of the data. The need to check the name is invariably transient, and identified data is not retained as a result.
    • Exception (b) is necessary to deal with situations where the Department holds information which is the subject of a formal legal demand or in relation to which it has an express discretion to lawfully disclose information and where it is not practical for the request to be handled by the HIC. Guideline 6.4 provides that the Department should usually consider transferring requests for identified information to the HIC for action.

    6.2 The Secretary of the Department must establish procedures which ensure that where information is obtained under paragraph (a) of Guideline 6.1 that information is not retained once the doubt has been clarified.

    Commissioner's note

    This Guideline seeks to ensure that procedures are implemented which limit the checking of name information to as few officers as possible and to ensure that the existence of name information is transient.

    6.3 The Department must maintain and make publicly available a policy statement outlining its usual practices of disclosure in relation to paragraph (b) of Guideline 6.1.

    Commissioner's note

    This Guideline ensures that where personal information is disclosed in circumstances as expressly authorised or required by law, the normal practices of disclosure be available for public scrutiny.

    6.4 The Secretary of the Department must establish procedures which ensure that a request to disclose identified patient information is usually referred to the HIC and is only handled by the Department where it is not practical for the request to be referred to the HIC for action.

    Commissioner's note

    This Guideline aims to ensure that the principal record keeper of identified information, the HIC, retains control of requests for identified information. If the request is for claims information over five years old the Department should adopt the usual practice of disclosing the relevant claims information (with PIN) to the HIC for the HIC to re-identify. This Guideline recognises that there may be some cases where it is not practicable for this to occur, for example where this may cause unacceptable delays.

    This Guideline should be read in conjunction with Guidelines 4 and 6.7 which set out the circumstances and controls on the disclosure by the Department to the HIC of claims information identified by PIN.

    6.5 In cases where information is obtained under paragraph (b) of Guideline 6.1, the Secretary of the Department must establish procedures which ensure that

    1. a central record of those transactions is retained by the Department, and
    2. the central record is held under strict security by a designated officer.

    Commissioner's note

    Due to the sensitivity of the Department re-identifying data for the purposes of external disclosure, Guidelines 6.4 and 6.5 introduce a number of measures: first, to establish procedures for the HIC to be the agency that deals with requests for identified data; second, where the Department considers it is necessary to depart from these procedures and deal with the request itself, to ensure that a secure, single and central log is kept. The log will enable monitoring by the Privacy Commissioner of the scale of any practice, as well as providing a record of the transaction in the event of individual complaint.

    6.6 The Secretary must keep the Privacy Commissioner informed of the procedures developed under Guidelines 6.2, 6.4 and 6.5.

    6.7 Where the Department has given the HIC Medicare claims information or Pharmaceutical Benefits claims information identified by the personal identification number in accordance with a request under Guideline 4, the Department shall keep a central record for each program of that action.

    Commissioner's note

    This Guideline was amended by Amendment 1996 No 1 to clarify that each program should have a separate central record.

    Amendment 1996 No 1 removed Part C, comprising Guideline 7, which dealt with research, consequential upon the insertion of new Guideline 4A.

    C. Miscellaneous

    8. Paper copies, or copies in a similar form, of information contained in either database may be made where it is useful for the purpose at hand. However paper copies, or copies in a similar form, may not be made of the complete or a major proportion of a single database or all relevant databases. Paper copies of information must not be made for the purpose of circumventing the requirements of these Guidelines.

    The HIC and the Secretary of the Department must keep the Privacy Commissioner informed of any arrangements that the HIC or the Department make in relation to any delegation or authorisations given that are associated with the implementation of these Guidelines.

    Commissioner's note

    Under general legislation the HIC and the Secretary of the Department have wide powers of delegation. This Guideline provides a mechanism for enabling the Privacy Commissioner to monitor the scope and extent of any delegations and authorisations that relate to claims information and these Guidelines.

    10. The HIC and Department shall take such steps as are reasonable in the circumstances to make all staff aware of the need to protect the privacy of individuals in relation to claims information and of the content of these Guidelines.

    Commissioner's note

    The HIC and the Department should also take reasonable steps to make all staff aware of the secrecy obligations imposed by the legislation administered by the HIC and the Department and the privacy obligations imposed by the Information Privacy Principles and the Privacy Act. The Information Privacy Principles in the Privacy Act apply to all personal information held.

    11. To the extent that a Guideline is inconsistent with the Information Privacy Principles the Guideline prevails.

    Commissioner's note

    As these Guidelines deal with a particular area of administration they lay down standards which seek to be specific to the privacy issues of that area. To ensure that these Guidelines are used as the primary reference for establishing standards, the aim of this Guideline is to ensure that the relevant Guideline prevails in cases where that Guideline sets a higher standard from that which might flow from the application of an Information Privacy Principle.

    Meaning of terms

    "agency" is defined in section 135AA(11) of the National Health Act 1953 as "having the same meaning as in the Privacy Act 1988";

    "the HIC" means the Health Insurance Commission;

    "database" is defined in section 135AA(11) of the National Health Act 1953 as "a discrete body of information stored by means of a computer";

    "the Department" means the portfolio department responsible for the Medicare and Pharmaceutical Benefits Program;

    Commissioner's note

    The "Department" is currently the Department of Health and Family Services.

    "Medicare Benefits Program" is defined in section 135AA(11) of the National Health Act 1953 as "the program for providing Medicare benefits under the Health Insurance Act 1973";

    "Medicare claims information" refers to the information provided in connection with a claim under the Medicare Benefits Program and includes identification information in respect of the person to whom a service attracting Medicare benefit was provided, the person who provided the service, where appropriate the person who requested the service; and the details of the service provided;

    "National Health Act" refers to the National Health Act 1953;

    "old information" is defined in section 135AA(11) of the National Health Act 1953 as "information to which this section [section 135AA of the National Health Act 1953] applies that has been held by one or more agencies for at least the preceding 5 years". In these Guidelines an alternative term, "old claims information" is sometimes used and has the same meaning;

    "patient" refers to a person who received a service for which a claim under the Medicare Benefits Program or the Pharmaceutical Benefits Program has been made;

    "personal identification components", in relation to information, is defined in section 135AA(11) of the National Health Act 1953 as "so much of the information as includes any of the following:

    1. the name of the person to whom the information relates;
    2. the person's address;
    3. the person's Medicare card number;
    4. the person's Pharmaceutical entitlements number";

    "personal identification number" means the internal identification used by the HIC to identify individuals eligible to receive Pharmaceutical or Medicare Benefits. It is an internal reference number, separate and unrelated to the Medicare card number;

    "Pharmaceutical Benefits claims information" refers to the information provided in connection with a claim for benefit under the Pharmaceutical Benefits Program and includes identification information in respect of the person to whom pharmaceuticals were supplied, the person who prescribed the service, the person who supplied the benefit; and the details of the service provided;

    "Pharmaceutical Benefits Program" is defined in section 135AA(11) of the National Health Act 1953 as "the program for supplying pharmaceutical benefits under Part VII of this [National Health] Act";

    "Privacy Act" means the Privacy Act, 1988;

    Any term used in these Guidelines which is defined in the Privacy Act 1988 has that meaning.

    Table of amendments 

    The Guidelines were issued on 24 November 1993 and were published in the Government Gazette, GN 48, on 8 December 1993. The Guidelines came into effect on 15 April 1994.

    An amendment to the Guidelines was issued on 22 February 1994 and was published in the Government Gazette, GN 9, on 9 March 1994. The amendment came into effect on 13 May 1994.

    Guideline affected How affected
    Guideline 4 inserted by 22.2.94 amendment
    Guideline 5.4 amended by 22.2.94 amendment
    Guideline 6.7 inserted by 22.2.94 amendment
    Meaning of terms "old information" amended by 22.2.94 amendment

    A second amendment to the Guidelines was issued on 30 October 1996 and was published in the Government Gazette, GN03, on 22 January 1996. The amendment came into effect on 1 January 1997.

    Guideline affected How affected
    Guideline 1.7 amended by 30.1.96 amendment
    Guideline 1.8 amended by 30.1.96 amendment
    Guideline 2.3 replaced by 30.1.96 amendment
    Guideline 3.1 replaced by 30.1.96 amendment
    Guideline 3.2 amended by 30.1.96 amendment
    Guideline 3.3 replaced by 30.1.96 amendment
    Guideline 4A inserted by 30.1.96 amendment
    Guideline 5.2 amended by 30.1.96 amendment
    Guideline 5.4 amended by 30.1.96 amendment
    Guideline 6.7 replaced by 30.1.96 amendment
    Part C omitted by 30.1.96 amendment

    A third amendment to the Guidelines was issued on 27 June 2000 and was published in the Government Gazette, GN 44, on 8 November 2000. The amendment came into effect on 10 October 2000.

    Guideline affected How affected
    Guideline 1.4 (b). amended by 27.7.00 amendment

    Appendix B: Sections 135AA and 135AB of the National Health Act 1953

    Privacy guidelines

    Information to which this section applies

    (1) Subject to subsection (2), this section applies to information that:

    1. is information relating to an individual; and
    2. is held by an agency (whether or not the information was obtained by that agency or any other agency after the commencement of this section); and
    3. was obtained by that agency or any other agency in connection with a claim for payment of a benefit under the Medicare Benefits Program or the Pharmaceutical Benefits Program.

    Information to which this section does not apply

    (2) This section does not apply to such information:

    1. so far as it identifies:
      1. a person who provided the service or goods in connection with which the claim for payment is made; or
      2. a person who, in his or her capacity as the provider of services, made a referral or request to another person to provide the service or goods; or
    2. so far as it is contained in a database that:
      1. is maintained for the purpose of identifying persons who are eligible to be paid benefits under the Medicare Benefits Program or the Pharmaceutical Benefits Program; and
      2.  does not contain information relating to claims for payment of such benefits; or
    3. so far as it is not stored in a database.

    Issuing guidelines

    (3) The Privacy Commissioner must, by written notice, issue guidelines relating to information to which this section applies.

    Replacing or varying guidelines

    (4) At any time, the Privacy Commissioner may, by written notice, issue further guidelines that vary the existing guidelines.

    Content of guidelines

    (5) So far as practicable, the guidelines must:

    1. specify the ways in which information may be stored and, in particular, specify the circumstances in which creating copies of information in paper or similar form is prohibited; and
    2. specify the uses to which agencies may put information; and
    3. specify the circumstances in which agencies may disclose information; and
    4. prohibit agencies from storing in the same database:
      1. information that was obtained under the Medicare Benefits Program; and
      2. information that was obtained under the Pharmaceutical Benefits Program; and
    5. prohibit linkage of:
      1. information that is held in a database maintained for the purposes of the Medicare Benefits Program; and
      2. information that is held in a database maintained for the purposes of the Pharmaceutical Benefits Program;
      unless the linkage is authorised in the way specified in the guidelines; and
    6. specify the requirements with which agencies must comply in relation to old information, in particular requirements that:
      1. require the information to be stored in such a way that the personal identification components of the information are not linked with the rest of the information; and
      2. provide for the longer term storage and retrieval of the information; and
      3. specify the circumstances in which, and the conditions subject to which, the personal identification components of the information may later be re-linked with the rest of the information.

    (5A) Nothing in this section, or in the guidelines issued by the Privacy Commissioner, precludes the inclusion, in a database of information held by the Health Insurance Commission and relating to claims for benefits under the Pharmaceutical Benefits Program, of the pharmaceutical entitlements number applicable to the person to whom each such claim relates:

    1. as a person covered by a benefit entitlement card; or
    2. as a person included within a class identified by the Minister in a determination under subsection 86E(1).

    Consultation

    (6) Before issuing guidelines, the Privacy Commissioner must take reasonable steps to consult with organisations (including agencies) whose interests would be affected by the guidelines .

    Disallowance

    (7) Guidelines are disallowable instruments for the purposes of section 46A of the Acts Interpretation Act 1901.

    When guidelines take effect

    (8) Despite section 46A and paragraph 48(1)(b) of the Acts Interpretation Act 1901 , guidelines take effect from:

    1. the first day on which they are no longer liable to be disallowed; or
    2. if the guidelines provide for their commencement after that day—in accordance with that provision.

    Failure to table first guidelines within 6 months

    (9) If guidelines issued under subsection (1) are not laid before each House of the Parliament under paragraph 48(1)(c) of the Acts Interpretation Act 1901 (as applied by section 46A of that Act) within 6 months after the commencement of this section, the Privacy Commissioner must report the failure to issue guidelines within that period to each House of the Parliament within 15 sitting days of that House after the end of the period.

    Tabling first guidelines after 6 months

    (10) Subsection (9) does not render invalid guidelines issued under subsection (3) that are not laid before each House of the Parliament within that period .

    Definitions

    (11) In this section:

    agency has the same meaning as in the Privacy Act 1988 .

    "benefit entitlement card" means:

    1. a medicare card within the meaning of subsection 84(1); and
    2. a card that evidences the person's status as a concessional beneficiary within the meaning of subsection 84(1).

    database means a discrete body of information stored by means of a computer.

    "Medicare Benefits Program" means the program for providing Medicare benefits under the Health Insurance Act 1973 .

    "old information" means information to which this section applies that has been held by one or more agencies for at least the preceding 5 years.

    "personal identification components", in relation to information, means so much of the information as includes any of the following:

    1. the name of the person to whom the information relates;
    2. the person's address;
    3. the person's Medicare card number;
    4. the person's Pharmaceutical entitlements number.

    Pharmaceutical Benefits Program means the program for supplying pharmaceutical benefits and special pharmaceutical products under Part VII of this Act

    "pharmaceutical entitlements number", in relation to a person, means:

    1. if the person is covered by a medicare card—a medicare number within the meaning of subsection 84(1) that is applicable to the person as a person covered by that card; and
    2. if the person is covered by a card that evidences the person's status as a concessional beneficiary within the meaning of subsection 84 (1)—the number applicable to that person as a person covered by that card.

    NATIONAL HEALTH ACT 1953 - SECTION 135AB

    Breaches of the privacy guidelines

    1. A breach of the guidelines issued under section 135AA constitutes an act or practice involving interference with the privacy of an individual for the purposes of section 13 of the Privacy Act 1988 .
    2. An individual may complain to the Privacy Commissioner about an act or practice in relation to the operation of guidelines issued under section 135AA of this Act which may be an interference with the privacy of an individual.
    3. If a complaint is made, Part V of the Privacy Act 1988 applies, with such modifications as the circumstances require, as if the complaint were an IPP complaint (within the meaning of that Act) made under section 36 of that Act.

    Appendix C: List of submitters

    1. Individual - Confidential
    2. Caroline Chisholm Centre for Health Ethics
    3. Department of Health, Government of South Australia
    4. GlaxoSmithKline
    5. National Network of Private Psychiatric Sector Consumers and Carers
    6. Pharmaceutical Health and Rational Use of Medicines (PHARM)
    7. Medicare Australia (as the Health Insurance Commission)
    8. Australasian Epidemiology Association
    9. HIV/Aids Peer Advisory Network (HAPAN)
    10. Council of Pharmacy Registering Authorities (COPRA)
    11. Australian Medical Association (AMA)
    12. Australian Federation of AIDS organisations
    13. Health Consumers' Council
    14. MBF Australia Limited
    15. Department of Health, Western Australia - Confidential
    16. Attorney-General's Department
    17. Australian Association of Pathology Practices
    18. Pharmacy Guild of Australia
    19. National Health and Medical Research Council (NHMRC)
    20. Office of the Health Services Commissioner
    21. National Prescribing Service
    22. Wyeth Australia Pty Limited
    23. Health Evaluation, Research and Outcomes Network (HERON)
    24. Breast Cancer Network
    25. SA Department of Health Information and Communication Technology (ICT) Services
    26. Australian Divisions of General Practice
    27. The Cancer Council of Victoria
    28. Australian Institute of Health and Welfare
    29. Australian Privacy Foundation
    30. Consumers' Health Forum
    31. Australian Nursing Federation
    32. Australian Bureau of Statistics 
    33. HIV/Aids Peer Advisory Network (HAPAN) (Supplementary)
    34. Dr Christine M O'Keefe, CSIRO Mathematical and Information Sciences - Confidential
    35. The Australian Government Department of Health and Ageing

    Appendix D: Section 95 and 95 of the Privacy Act

    95 Medical research guidelines

    1. The CEO of the National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy in the conduct of medical research.
    2. The Commissioner shall not approve the issue of guidelines unless he or she is satisfied that the public interest in the promotion of research of the kind to which the guidelines relate outweighs to a substantial degree the public interest in maintaining adherence to the Information Privacy Principles.
    3. Guidelines shall be issued by being published in the Gazette.
    4. Where:
      1. but for this subsection, an act done by an agency would breach an Information Privacy Principle; and
      2. the act is done in the course of medical research and in accordance with guidelines under subsection (1);
    the act shall be regarded as not breaching that Information Privacy Principle.
    • Where the Commissioner refuses to approve the issue of guidelines under subsection (1), an application may be made to the Administrative Appeals Tribunal for review of the Commissioner's decision.

    95A Guidelines for National Privacy Principles about health information

    Overview

    (1) This section allows the Commissioner to approve for the purposes of the CEO of the National Privacy Principles (the NPPs) guidelines that are issued by the National Health and Medical Research Council or a prescribed authority.

    Approving guidelines for use and disclosure

    (2) For the purposes of subparagraph 2.1(d)(ii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.

    Public interest test

    (3) The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 2.1(d)).

    Approving guidelines for collection

    (4) For the purposes of subparagraph 10.3(d)(iii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the collection of health information for the purposes of:

    1. research, or the compilation or analysis of statistics, relevant to public health or public safety; or
    2. the management, funding or monitoring of a health service.

    Public interest test

    (5) The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 10.3(d)).

    Revocation of approval

    (6) The Commissioner may, by notice in the Gazette, revoke an approval of guidelines under this section if he or she is no longer satisfied of the matter that he or she had to be satisfied of to approve the guidelines.

    Review by AAT

    (7) Application may be made to the Administrative Appeals Tribunal for review of a decision of the Commissioner to refuse to approve guidelines or to revoke an approval of guidelines.

    Endnotes

    1. http://www.privacy.gov.au/materials/types/download/8765/6575
    2. http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgmentattachments/DA1E3AD6F00493CDCA257149001CB9CB
    3. http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgmentattachments/6062D9FB42870B97CA25714C00800F04
    4. Council of Australian Governments (COAG) Principles and Guidelines for National Standard Setting and Regulatory Action by Ministerial Councils and Standard-Setting Bodies (2004) available at http://www.pc.gov.au/orr/reports/external/coag/coag.pdf
    5. http://www.privacy.gov.au/materials/types/media/view/6072
    6. http://www.privacy.gov.au/#c
    7. A meeting was scheduled for Perth, however this was cancelled due to insufficient confirmed attendees.
    8. http://www.privacy.gov.au/materials/types/guidelines
    9. For the section 95 Guidelines, see, http://www.privacy.gov.au/law/other/medical/#2.
    10. Section 130, Health Insurance Act 1973.
    11. This is a term defined in section 135AA(11) to include such information as name, address and Medicare number.
    12. Section 135A (3) National Health Act 1953.
    13. This is discussed further at page 65.
    14. A database is defined in the Guidelines in the same way it is defined in section 135AA(11) of the National Health Act as "a discrete body of information stored by means of a computer".
    15. Privacy Commissioner Medicare and Pharmaceutical Benefits Programs: Privacy Guideline - Draft Guidelines and Background Paper, February 1992.
    16. 30 May 1991 available at http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?id=517158&table=HANSARDR
    17. Joint Review by Auditor-General and The Department of Finance, Pharmaceutical Benefits Scheme - Review of Estimated Savings from Proposed System of Eligibility Checking, presented to the Senate on 5 December 1991
    18. Privacy Commissioner Medicare and Pharmaceutical Benefits Programs Privacy Guidelines: Report to Parliament under section 135AA of the National Health Act 1953 28 May 1992.
    19. National Health Amendment Act 1993 (No. 28) available at http://www.austlii.edu.au/au/legis/cth/num_act/nhaa1993n281993254/index.html
    20. Privacy Commissioner Medicare and Pharmaceutical Benefits Programs Privacy Guidelines: Report to Parliament under section 135AA of the National Health Act 1953 28 May 1992.
    21. Explanatory Memorandum National Health Amendment Bill 1993, The Parliament of the Commonwealth of Australia.
    22. 26 May 1993 available at http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?ID=453858&TABLE=HANSARDR
    23. http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?ID=453866&TABLE=HANSARDR
    24. See, for example, Senator Patterson's speech during debate: "I hope these amendments and the subsequent guidelines will be the culmination of four years of the coalition's efforts to persuade this Government to develop a policy on how it handled the vast array of health information it maintains on individual Australians."
    25. There are a small number of agencies which are exempt from the Privacy Act, such as intelligence agencies (see section 7 of the Privacy Act).
    26. The Office has produced IPP guidelines which are available at http://www.privacy.gov.au/materials/types/guidelines
    27. http://pandora.nla.gov.au/pan/44612/20060314/www7.health.gov.au/pubs/pdf/code.pdf
    28. OFPC (2001) Guidelines on Privacy in the Private Health Sector available at http://www.privacy.gov.au/law/other/medical/#1
    29. This practice is referred to generically as 'bundling consents'. See The Office's Media Release Bundled consents and the Privacy Act. May 2002. Available at http://www.privacy.gov.au/materials/types/media/view/6154
    30. A copy of the proposed National Health Privacy Code is available at http://pandora.nla.gov.au/pan/44612/20060314/www7.health.gov.au/pubs/pdf/code.pdf
    31. Medicare and Pharmaceutical Benefits Programs Privacy Guidelines: Report to Parliament Under Section 135AA of the National Health Act, 1953, May 1992
    32. Legislative Instruments Act 2003 (Cth) at http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/96B99BC30ACCD3E1CA256F810022EB2B/$file/LegislativeInstruments2003_WD02.pdf
    33. Submission 29, p 3
    34. Submission 29, p 3
    35. This is because the Privacy Act applies to 'personal information' - see page.
    36. Submission 6, p 3.
    37. Submission 23, p 2
    38. Submission 7, p 14
    39. Submission 35, para.141
    40. Section 2 of the joint NHMRC/Australian Vice-Chancellors' Committee (AVCC) Statement and Guidelines on Research Practice, "2.3 Data must be held for sufficient time to allow reference. For data that is published this may be for as long as interest and discussion persists following publication. It is recommended that the minimum period of retention is at least 5 years from the data of publication but for specific types of research, such as clinical research, 15 years may be more appropriate".
    41. The "section 95" guidelines are available at http://www.privacy.gov.au/publications/e26.pdf.
    42. This is supported by the Office's 2001 Research into community Business and Government Attitudes towards Privacy in Australia; available at http://www.privacy.gov.au/materials/types/research/view/6614 ; and by the Office's 2004 Community attitudes towards privacy; available at http://www.privacy.gov.au/publications/rcommunity/index.html .
    43. Guideline 4A permits the disclosure of identified claims data only for 'medical research' purposes.
    44. http://www.medicareaustralia.gov.au/providers/programs_services/pbs/prescription_shop.htm#info_services
    45. NHMRC (2004) The impact of privacy regulation on NHMRC stakeholders available at http://www.nhmrc.gov.au/aboutus/privacy.htm
    46. UK National Health Service (2004) Share with care:People's Views on Consent and Confidentiality of Patient Information available at http://www.nhsia.nhs.uk/confidentiality/pages/docs/swc.pdf ; Whiddett, R, Hunter I and Engelbrecht J (2004) 'Patients' attitudes towards sharing their medical information' paper presented at the Australian Psychological Society 39th Annual Conference 29 Sept-3 October.
    47. Stanley F (2003) 'Public good or invasion of privacy?' paper presented at the 25th International Conference of Data Protection and Privacy Commissioners 10-12 September, available at http://www.privacyconference2003.org/program.asp#fiona
    48. http://researchaustralia.republicast.com/PublicOpinionPoll2004/republicast.asp
    49. See, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 available at http://www.privacy.gov.au/materials/types/reports/view/6049#rec_research
    50. See http://www.privacy.gov.au/materials/types/reports/view/6049#7_3
    51. The question of whether it is "practicable" to make guidelines applying to other agencies is discussed further in Chapter 8.
    52. See, for example, the World Medical Association's Declaration On Ethical Considerations Regarding Health Databases, which states at clause 7(3) that: "'De-identified data' are data in which the link between the patient and the information has been broken and cannot be recovered."
    53. Robert Gelman, for example, in Public Record Usage in the United States (available at http://www.cnil.fr/conference2001/eng/contribution/gellman_contrib.html) cites research that reveals: "... the Cambridge, Massachusetts voter registration list has 55,000 voters. Twelve percent of voters have unique birthdates. So if a person of voting age lives in Cambridge, the voter might be identified just from the birthdate on the voter list. With birthdate and gender, 20% of voters are unique. With birthdate and five-digit zip code, 69% are unique. With birthdate and nine-digit zip code, 97% are unique. More broadly, 87% of Americans can be identified just by birthdate, five digit zip code, and gender. Sweeney has also shown that hospital discharge data, available in a form with all overt identifiers removed, can be linked to individual patients. In one example, she identified the hospital record of the Governor of Massachusetts from records that had supposedly been de-identified and released publicly."
    54. "personal identification components" , in relation to information, means so much of the information as includes any of the following:
      1. the name of the person to whom the information relates;
      2. the person's address;
      3. the person's Medicare card number;
      4. the person's Pharmaceutical entitlements number.
    55. Specifically, section 135(1) prescribes the information to which the Guidelines relate in these terms:
      1. is information relating to an individual; and
      2. is held by an agency (whether or not the information was obtained by that agency or any other agency after the commencement of this section); and
      3. was obtained by that agency or any other agency in connection with a claim for payment of a benefit under the Medicare Benefits Program or the Pharmaceutical Benefits Program.
    56. Saunders J (ed.) Words and phrases legally defined Butterworth 1988, p.141. Similarly, in everyday usage, permit and authorise can be synonyms (see, for example, The Macquarie Concise Thesaurus 1992, p.50).
    57. Saunders J (ed.) Words and phrases legally defined Butterworth 1988, pp.355-356.