Feature Story

Privacy: A priority

An interview with David Batch, Principal Privacy Officer NEHTA

How would you describe your role at NEHTA?

I lead the privacy team who are responsible for overseeing and managing the development, implementation and maintenance of a privacy framework that will support NEHTA’s business objectives. We also develop and manage the strategies for our internal and external approach to privacy.

What experience do you bring to this position?

Most recently I was Director of Safety and Trust for the social networking website MySpace.com. A significant part of my job was to make sure the website was operating to protect a user’s privacy and would not allow access to information that had been restricted by a user, particularly that of minors.

How does the work you did at MySpace relate to your role at NEHTA?

Amongst the more reputable social networking sites like MySpace, it is considered essential that the underpinning technology enables the protection of privacy when privacy has been requested, or where the law or policy requires it.  It is also critical in social networking that you go beyond ‘compliance’ and gain the trust of the user community through engagement and response to privacy and safety concerns. This approach is critical to the success of Australia’s e-health system. When you give information to doctors or other healthcare professionals, you expect it will be treated with confidentiality. It is the role of the privacy team to make sure that the systems NEHTA designs are compliant with privacy laws as well as community expectations, so as to build trust in Australia’s national e-health system.

NEHTA is building the foundations for a national e-health system, but privacy laws currently differ from jurisdiction to jurisdiction. How easy is it to navigate this ‘patchwork’ of legislation?

It is true that the laws differ but there are many principles that apply across the states and territories and under federal law, however differences can arise in the application of these principles. The Federal Government has released its response to the Australian Law Reform Commission’s review of Australian privacy laws. As part of this, the Federal Government is examining a set of uniform privacy principles which will make managing privacy much easier. The Commonwealth has also indicated its intention to work with the State and Territory Governments to progress national consistency in privacy regulation. This is good news for the Australian public and it confirms NEHTA’s approach to privacy.

Is e-health driving the need for uniform privacy principles?

Health has definitely been one of the drivers for streamlining of the privacy laws in Australia. Commerce and technology, in particular the internet, has also allowed information to travel across borders in quantities and at speeds never previously anticipated.  

How would you describe NEHTA’s approach to privacy?

Confidentiality and privacy are the crux of a successful health system, so NEHTA is approaching each of its work areas from the angle of protecting information where it needs to be protected and allowing access to information to trusted people in trusted circumstances. Privacy Impact Assessments (PIAs) are being undertaken for different areas of our work program and have already informed a number of changes.

Can you give an example that illustrates how a PIA has led to change?

Through the Healthcare Identifier Service (HIS) – which is to be the backbone of any future electronic health record – every Australian seeking healthcare is to be issued with a unique Individual Health Identifier (IHI) which will be used to identify you in certain healthcare communications. Through the PIA process we have determined that some information that was originally to be assigned to this IHI was actually unnecessary and as a result the IHI will now have only four identifying fields; your name, date of birth, address and gender. This is a good outcome which satisfies the universal privacy principle of only collecting information that is necessary to execute your function.

Has NEHTA undertaken community consultation on the issue of privacy?

Yes. NEHTA consults on every area of its work program with a range of parties, including privacy advocacy groups, the State and Federal Privacy Commissioners, clinicians, representatives of patient groups and consumers of healthcare. We are developing e-health systems that will return safety, clinical and convenience benefits to the healthcare consumers and healthcare professionals, whilst improving information protection and enhancing privacy, so to deliver this it is critical we have an understanding of the community’s expectations.

What do you see as your greatest challenge?

The privacy team’s greatest challenge is overcoming fear of change, and assuring the Australian community that the proposed e-health systems are designed to enhance information protection and benefit them from a privacy point of view. Right now we have a system that is a mixture of paper and electronic, with no national security standards or accountabilities for access to systems in place. In the absence of a national scheme, health professionals and practices will increasingly adopt varying electronic means to store patient information – systems that may have limited interoperability and unverified security. A national e-health system will deliver clinical, safety and convenience benefits that incompatible systems can’t, whilst also providing greater information and privacy protections through a mix of legislative protections and national operational standards. These will ensure nationally consistent access restrictions, audit logs and accountabilities for the use of and access to personal health information.

Which areas of NEHTA’s work program will you work on in the future?

The privacy team will continue working with the various programs such as e-referrals, e-medicine management, e-diagnostics and e-discharge summaries to make sure the operational delivery is privacy compliant – both from a legal and community expectation point of view.