Privacy has come out of the shadows and into the mainstream in Australia. The level of reporting has not been seen in the media since the original Australia Card which led to the introduction of Australia’s Privacy legislation 30 years ago. Cambridge Analytica and re-identification of health information versus the productivity gains and excitement around digital innovation have all sectors considering the vital but fragile balance between improving services and crossing the line over to what privacy experts Cukier and Viktor Von Shoenberger have famously termed “creepy.”
Nowhere is the potential of data sharing more tantalising than in health where globally budgets are being stretched by unprecedented chronic disease and the need for improved aged care. So, what’s it to be? Privacy and autonomy or the public good and efficiency? Can we have it all?
Firstly we need to ask, what does privacy mean?
Privacy isn’t easily defined. Variously called the right to be left alone, a basic human right, the right to live free from surveillance or dataveillance, privacy is not defined in our Privacy Act. Privacy is a fluid concept meaning different things to everyone, in various circumstances and stages of their lives. It is also cultural so that in Scandinavian countries the sharing of health information is viewed differently.
Privacy, as distinct from confidentiality or secrecy, is essential to a person’s autonomy. It allows individuals to control how they share information about themselves which defines people’s place in the world. Professor Luciano Floridi says information about you – such as your genetic code, memories, and beliefs – is just as much a part of you as say, your left arm.
Yet the value of damage to your arm is quantifiable under personal injury laws, whereas the value of information about you doesn’t rank on balance sheets under our accounting standards, and the tort of privacy, and funding a claim for damages, have some way to go in Australia. Whichever way privacy is defined, the right to control information is crucial and harm caused by privacy breaches is irrefutable.
Health data breaches are particularly sensitive and are further complicated by the way health information needs to be shared, requiring a nuanced approach where it is fully or partially shared with some, or all, of a person’s care team, at various times. The stakes are high – not only are decisions made in split seconds in high pressure environments, once health information becomes public, it cannot become “unknown”. Unlike privacy breaches resulting in financial loss, where reparation can put the injured party back in the same position, health data breaches affect reputation and may mean information on physical, mental or sexual conditions is released. Reputations, like china, are easily cracked, and never well mended.
Naturally privacy protection and the free flow of information are not mutually exclusive, the trick being to get the legal and trust frameworks in place. Australia has a principles-based law to help translate privacy, a human right, into reality but earning and retaining trust in respect of the custodianship of health information will determine the success of our opt out national health record system.
What does an OPT OUT Health Record mean and how did we get here?
The possibilities of digital health for care, research and efficiencies appear endless. Billions of dollars of savings, better deployment of resources and significant improvements in the care of individuals are just some of the benefits espoused. From a privacy perspective in Australia to date, there have been relatively few public privacy breaches despite the thousands of digital health transactions processed every hour by thousands of different private and public systems. The huge amount of media and public concern surrounding the non-malicious reidentification of Medicare data last year, and the recent breaches by an online medical booking service indicates that the trust is strong and that this apparent breach is a novelty rather than “the last straw”. So far so good. The question is whether the national health record is able to realise these benefits and be seen as a trusted platform by us all.
Starting today (16 July), Australians can choose to “opt out” from having an electronic health record, called the MyHealth Record. Under this program a record will be created for each of us and automatically populated by two years of Medicare and PBS data. This will be accessible to us and our health providers who can upload new information to our record. This is not the result of a hasty or stealthy act by government, but results from a series of events since 2005. A record of these events is essential to put context around this complex area of privacy and digital health where the government is responsible for the most effective allocation of the health budget.
In 2005, the National Electronic Health Transition Authority (NEHTA) was formed. This entity was tasked with implementing the Deloitte eHealth Strategy which had bi-partisan political support and recommended a “middle market approach.” This meant the government would provide the critical infrastructure, like authentication and identification, and industry led solutions would do the rest in a decentralised approach with federated data models, enabling interoperability in a health ecosystem, much the way our telephones currently operate. The Deloitte Report was supported by the National Health & Hospital Commission, which noted the reform “…should not require government involvement with designing, buying or operating IT systems.”
In 2010 at the Revolutionising Australia’s Healthcare eHealth launch, Minister Roxon promoted digital health but also alluded to the risks to privacy and security: “I can confirm that the Government is not going to build a massive data repository. We don’t believe it would deliver any additional benefits to clinicians or patients – and it creates unnecessary risks.”
In 2011 the government contracted international consulting firm Accenture to build a massive data repository and not the system proposed in the Deloitte Report. Minister Roxon confirmed that in the interests of privacy, the national health record would be opt in.
“I want to make sure we bring consumers with us in the eHealth journey by adopting an “opt in” model…allowing them to choose when to sign on. I believe the benefits of giving the Australian public the choice as to whether they participate will be key to the successful implementation. I think moving to an opt out position would be a serious mistake.”
“Opt-in” requires specific consent which is fully informed and freely given (except where otherwise permitted by law). Opt in is one of the 7 foundational principles of Privacy by Design for the implementation of fair information practices originating from former Information and Privacy Commissioner of Canada, Ann Cavoukian, and supported by the Australian Privacy Commissioner as best practice to balance the benefits of innovation and efficiencies whilst protecting personal choice over data flows. There was never any question that health services would be withheld if people determined not to opt in; it was not a binary choice of either opt in and be treated – or go without. Opt out is sometimes criticised for catching the unwary, vulnerable or less engaged elements of society or for being a method of implementing otherwise unpopular or unpalatable policies and practices.
The national record, then called the Personally Controlled Electronic Health Record (PCEHR) was launched and ready for use by mid-2012. The costs exceeded the original budget of $466.7M, and are estimated between $1-2B. Similar cost blow outs and disappointments were experienced internationally. Canada had Health Infoway and the NHS in UK spent £10B on a failed national health record. A pattern of massive international IT projects failing in all areas, including health, is evidenced by the 2015 Standish CHAOS Report which conveniently lists 10 critical factors for success, which were arguably absent at the launch of the PCEHR.
In 2013 the new health Minister Dutton criticised the cost of the PCEHR, claiming it was equivalent to a spend of $100K for each person registered, a significant gap from the $6 billion of savings promised by previous health Minister Plibersek. The PCEHR Review (later named the “Royle Review” after its Chair) was called and resulted in 38 recommendations. It recommended the renaming of the PCEHR to the MY Health Record (MyHR) and conversion of it from an opt in system to opt out. This had support from the peak health bodies and the Consumer Health Forum, constituents of which are essential for the system to operate. The Royle Review also demonstrated support for decentralised digital health, as recommended by the 2012 National Health and Hospital Reform Commission Report. To date this has not been pursued, quite possibly due to focus on the roll out of the national MyHR, but with the advent of SMART-on-FHIR technology, this may change.
In 2016 NEHTA was disbanded, the Australian Digital Health Agency created, and the 2017 Budget allocated $375M for MyHR opt-out implementation. Opt out trials were conducted in the regions of the Blue Mountains and Far North Queensland with the result being 1.9% opted out. The same trend is evident in New Zealand where less than 0.2% of South Islanders are reported to have opted out of their shared care record view since 2012.
This brings us to 2018, 6 years since the launch of the MyHR and some 4 years since I last considered the question of opt in and opt out for the national health record for the International Association of Privacy Professionals ANZ Journal. During this time, there have been annual reviews by the OAIC of the system and Senate reviews following the Medicare card number breach last year. A draft framework for secondary use was released for comment prior to its finalisation, and a report has indicated that 91% of Australians would be willing to share their de-identified medical data if it went towards research purposes. The Australian Institute of Health and Welfare (AIHW) was appointed custodian of secondary use data from MyHR, and the announcement of $30M for that purpose in the 2018 Budget has passed without public response.
The recent Data Sharing and Release Bill resulting from the Productivity Commission’s Data Access and Use Report shows times have changed. There is general acknowledgement that consumers need access to their information to help correct the current “information asymmetries”, and that productivity will be improved by greater use of data. Trust in data transactions is recognised as a critical component through the adoption of the “5 safes” international privacy and security settings which are proposed and also reflected in our Australian Privacy Principles.
Rather than marches on the streets, or extreme spikes of public concern through mainstream or industry media, there seems to be public acceptance and even enthusiasm for the national record. The CEO of ADHA, Tim Kelsey, even refers to a public gathering in Berrigan where a MyHR cake was baked to celebrate its adoption in that town. There has also been increased focus on possible dangers of avoidable death where health practice is not digitised, with at least one Coroner’s report of a death where communications were inadequate. Questions have been raised by the Shadow Minister Catherine King about the government’s ability to roll out the MyHR. On the flip side the OAIC has cleared the government of the privacy breach underlying that claim. It would not be unreasonable however, to include “government” in former FBI Director Robert Mueller’s famous statement that:
I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.
Public acceptance of the opt out national record appears diametrically opposed to the reaction over the Australia Card 30 years ago. Yet concern about privacy infringements generally is high, as illustrated by the class action 300,000 Australians are mounting against Facebook. Publicity around breaches is also prevalent – including a chilling report this week from the UK where an NHS software error resulted in the data of 150,000 patients being shared, despite their explicit request for it to remain confidential. The reasons for lack of concern may include a belief that benefits outweigh the risk, satisfaction with our privacy framework and the penalties for breaching the MyHR Act, or perhaps just not much interest – something we tragically see in respect of opt in organ donation in Australia. It could also be a consequence of the great trust which Australians have in health care professionals, whose work is based on the concept of “abstain from doing harm” and whom consumers rightly expect will look after their best interests.
The 2017 OAIC survey on community attitudes to privacy found that 79% believed health service providers were the most trustworthy. Incidentally, financial institutions trailed at 59% and state and federal governments at 58%. It will be interesting to review these following the Banking Royal Commission, and loss of trust in that sector and its political risk. The value of trust manifests in many ways.
Inappropriate sharing of information can have unintended consequences. These include loss of employment, depression or even death. But the stakes of not sharing health information are also high. We live in a data driven society and it is incumbent on us to learn the rules and protect the vulnerable. In the UK lack of understanding of privacy by health professionals and other agencies meant they erred on the side of not sharing. This resulted in the massive reforms resulting from the Caldicott Report. In Australia the data release and access framework proposed by the Productivity Commission is aimed at addressing this danger.
The national MyHR program is no secret. Over $50M was spent promoting the MyHR in 2012, and there has been significant promotion since. Arguments about the quality and specific purpose of the MyHR abound, as do the arguments about whether GPs should be paid for their involvement. In 2018, in a country with one of the highest digital uptake records in the world, Australians must be given the benefit of the doubt about their ability to weigh up the benefits and risks of whether they opt out of access to MyHR.
We know consumers want access to their health information. The MyHR is a large repository of just some of the information they may wish to access. We also know that productivity and efficiency are important. Yet despite the statement that “productivity isn’t everything, but in the long run it’s nearly everything”, by Nobel prize winning economist Paul Krugman, the success of MyHR will almost certainly depend on that something not measured by the GDP. And that is trust.
The privacy dynamics between individuals, clinicians and the government will be closely watched under the spotlight of media over the coming months. It remains to be seen whether our health professionals and government are worthy of the high level of trust they now appear to enjoy from their fellow Australians.
Emma Hossack is CEO of healthcare software and technology company Extensia, President of Medical Software Industry Association and a Former President of the International Association of Privacy Professionals ANZ
1. Professor of Philosophy and Ethics of Information at the University of Oxford, Oxford Internet Institute. Also chosen by Google for the Advisory Panel to assist it with its work in respect of the right to be forgotten following the Court of Justice of the European Union ruling 13 May 2014, see http://www.theguardian.com/technology/2014/nov/11/right-to-be-forgotten-more-questions-than-answers-google
From extreme embarrassment, Ashley Madison http://www.smh.com.au/lifestyle/life/ashley-madison-hack-what-if-you-find-out-your-colleagues-on-the-list-20150820-gj3i4y.html to suicide – Tyler Clementi http://topics.nytimes.com/top/reference/timestopics/people/c/tyler_clementi/index.html
The Hon Nicola Roxon MP, Address to the Consumer Health Forum, Canberra, 14 September 2011
The PCEHR Act 2012 Cth