Saturday, June 07, 2008

Data matching and privacy concerns

In March, reports surfaced of the Australian Sports Anti-Doping Authority providing Medicare with a list of athletes’ names and asking Medicare to search through its files in order to identify possible users of steroids and human growth hormones. A worthy objective, maybe, but there was a flurry of concern at the time about whether proper consideration had been given to the privacy issues concerning health information held by Medicare.

The issue surfaced last week in Senate Estimates (Finance and Public Administration, 28 May, pp. 114-115) when the Privacy Commissioner confirmed that no one had raised the matter with her office before the media reports. Three days later, on 17 March, she commenced an investigation. It's an interesting (half) case study about data matching within government, but not a great confidence builder for those concerned about the handling of health information by Federal government agencies.

Things have moved slowly since:
"Senator MASON—Have you completed that report?
Ms K Curtis—No, we have not completed that report. In the usual process, we wrote to both ASADA and Medicare, making what we call a preliminary inquiry of them, and, as a result of some information they provided back to us, we have then asked them further questions to be answered. We have not received all those responses to date.
Senator MASON—So the investigation is ongoing?
Ms K Curtis—Yes, the investigation is ongoing.
Senator MASON—Are your preliminary inquiries published anywhere, or is that simply internal?
Ms K Curtis—No, our usual process for handling a complaint or an own motion investigation is that we do it in accordance with the principles of natural justice, and we do those things in private.
Senator MASON—How long do you think you will take before that inquiry is finished?
Ms K Curtis—Once we have received the information back from both bodies, we will be able to make an assessment of where we go from there."

There is not much the Commissioner can do about the matter anyway.
"Senator MASON—What sorts of sanctions are you able to take on agencies?
Ms K Curtis—Own motion investigations are different to the powers relating to complaints. With own motion investigations, we essentially really would only have a ‘name and shame’ sanction. Also, we would ask parties...to reconsider their processes and to change their systems and implement new practices and procedures. But, in terms of formal sanctions, there is no formal sanction that I can impose."

Those potentially affected are apparently still in the dark.
"Senator MASON—When you say there were no complaints by any individuals, would any particular individual have known that their privacy may have been breached?
Ms K Curtis—Once it was in the media, perhaps it may have come to the attention of some individuals.
Senator MASON—But would a particular individual necessarily have known that their privacy may have been breached? A group of individuals may—that is, the athletes—but would any particular individual?
Ms K Curtis—I cannot really comment about—
Senator MASON—You are not certain?
Ms K Curtis—what an individual would know or not know about whether they were possibly in a list of people that ASADA had provided to Medicare.
Senator MASON—So you could not be certain that any particular person would know that their privacy had been breached?
Ms K Curtis—Not at this stage, no."

Guidelines about data matching in many areas of the Federal Government are "voluntary":
"Senator MASON—When agencies seek to data match from different Commonwealth databases, there is a law and protocols that look at that situation, that accrue to that situation. What are they? What is the law?
Ms K Curtis—Essentially, there are two guidelines. One set of guidelines is mandatory and one set of guidelines is voluntary. The first set, which is mandatory, is those that relate to a data-matching act, which covers the way the tax office, Centrelink and the Department of Veterans’ Affairs match information using the tax file number. There are also voluntary guidelines that have been issued by a previous Privacy Commissioner in 1998 that cover the way other agencies data match, including the way, say, ATO would also data match when they do not use the tax file number.
Senator MASON—For example, ASADA and Medicare?
Ms K Curtis—Exactly.
Senator MASON—So there are protocols—
Ms K Curtis—Yes.
Senator MASON—that should have been followed?
Ms K Curtis—They are voluntary guidelines, though. Yes, that is correct."

The Guidelines suggest agencies run things past the Commissioner, but this doesn't always happen:
"Senator MASON—Generally, do agencies that are engaging or seek to engage in data matching of Commonwealth databases seek your advice? Should they seek your advice?
Ms K Curtis—The guidelines suggest that agencies should provide their protocol on the data matching to our office, and we report that in our annual report every year. They are also available on our website.
Senator MASON—Do agencies generally do that?
Ms K Curtis—To the best of my knowledge, the ones that we are provided with—that I know about—yes, they do.
Senator MASON—Is it common that agencies do not?
Ms K Curtis—I do not think ‘common’ would be an appropriate word, but I cannot be certain that all agencies do.
Mr Pilgrim—When it comes to the voluntary guidelines, we would be relying on individual agencies who are using them to provide us with the information. We do not have a process by which we are in a position to go around and randomly check every agency to see whether they have been undertaking those sorts of matching activities in accordance with them. We rely on them to, if you like, voluntarily provide us with that information each year."

Twenty years on, could some in government still be unaware of the Privacy Act?
"Senator MASON—Mr Pilgrim and Ms Curtis, would you be surprised if a CEO of a Commonwealth agency was not aware of the Privacy Commissioner and privacy issues?
Ms K Curtis—I would be surprised if they were not aware. The Privacy Act has been in place since it was passed in 1988.
Senator MASON—Twenty years now!
Ms K Curtis—Effective 1 January 1989. I would be surprised if senior people were not aware.
Senator MASON—Is it fair to say that health records in particular are privacy sensitive?
Ms K Curtis—Yes. Under the private sector provisions of our act, health records are actually specifically accorded a higher status, sensitive information, and given higher levels of protection. Under the information privacy principles which cover the way government agencies and departments operate, it is not the same sort of definition, but generally speaking—and it is borne out by our community attitudes survey, which we have undertaken every three years for the last three cycles of that—people think that their health information really ought to be carefully regarded.
Senator MASON—So, when you have the data matching of any individual and their Medicare records, that is potentially highly privacy intrusive—correct? And you would be surprised if a CEO of a Commonwealth agency was not aware of that?
Ms K Curtis—I would be surprised. The Privacy Act is well known, and it is a key act. It is part of the accountability framework of government."