The Australian Law Reform Commission Releases a Few Important Suggestions!

The following press release appeared a few days ago.

http://www.alrc.gov.au/media/2007/mr1207_privacy.html

Media release

Australian Law Reform Commission

Wednesday 12 September 2007

ALRC proposes overhaul of ‘complex and costly’ privacy laws

The Australian Law Reform Commission (ALRC) today released a blueprint with 301 proposals for overhauling Australia’s complex and costly privacy laws and practices.

Releasing Discussion Paper 72, Review of Australian Privacy Law, ALRC President Prof David Weisbrot said it was the product of the largest public consultation process in ALRC history: “We have received over 300 submissions and held over 170 meetings to date, including with business, consumers, young people, health officials, technology experts and privacy advocates and regulators.

“The clearest message from the community is that we must streamline our unnecessarily complex system. The federal Privacy Act sets out different principles for private organisations and for government agencies. On top of that, each state and territory has its own privacy laws or guidelines and some also have separate laws on health privacy.

“The ALRC is proposing there be a single set of privacy principles for information-handling across all sectors, and all levels of government. This will make it easier and less expensive for organisations to comply, and much more simple for people to understand their rights.

“The protection of personal information stored or processed overseas, as is now routine, is another serious concern. The ALRC wants to ensure that such information has at least the same level of protection as is provided domestically. We propose that a government agency or company that transfers personal information overseas without consent should remain accountable for any breach of privacy that occurs as a result of the transfer”, Prof Weisbrot said.

Commissioner in charge of the Inquiry, Prof Les McCrimmon, said that the ALRC also is proposing a new system of data breach notification: “There is currently no requirement to notify individuals when there has been unauthorised access to their information, such as when lists of credit card details are inadvertently published. Where there is a real risk of serious harm to individuals, we say they must be notified.”

Professor McCrimmon said that the ALRC also proposes the removal of the exemption for political parties from the Privacy Act. “Political parties and MPs should be required to take the same level of care when handling personal information as any other agency or organisation.”

Other key proposals include:
• introducing a new statutory cause of action where an individual’s reasonable expectation of privacy has been breached;
• abolishing the fee for ‘silent’ telephone numbers;
• expanding the enforcement powers of the Privacy Commissioner;
• imposing civil penalties for serious breaches of the Act; and
• introducing a more comprehensive system of credit reporting.

Review of Australian Privacy Law is available at no cost from the ALRC website, www.alrc.gov.au. The ALRC is seeking community feedback on these proposals before a final report and recommendations are completed in March 2008. Submissions close on 7 December 2007.

---- End Release.

An overview of the recommendations can be found at the following URL:

http://www.austlii.edu.au/au/other/alrc/publications/dp/72/overview.pdf

The full document is available as a series of .pdf files and can be accessed here.

Of interest specifically to the readers of the blog is the health section. This is to be found at the following URL:

http://www.austlii.edu.au/au/other/alrc/publications/dp/72/73.pdf

The conclusions and proposals make for an interesting read.

-----

ALRC’s view

56.106 In the ALRC’s view, the collection of health information into electronic health information systems does not require specific legislative control if the Privacy Act is updated and amended as proposed in this Discussion Paper. The collection of health information into electronic records and the use of electronic systems to share health information among health service providers treating an individual do not raise new or unique issues. The proposed UPPs and the Privacy (Health Information) Regulations are intended to be technology neutral and would satisfactorily regulate the handling of electronic health information.

56.107 However, the establishment of a national UHI scheme or a national SEHR scheme would require specific enabling legislation. The ALRC recognises the significant potential benefits to healthcare quality and safety that the establishment of such schemes may deliver. The schemes will work effectively, however, only if there is a sufficient degree of public trust and public confidence in the schemes and their administration. Further, national developments of such importance involving the establishment and use of unique identifiers for all Australians and the development of a national approach to SEHRs should be subject to public debate and parliamentary scrutiny.

56.108 The ALRC agrees with NEHTA that enabling legislation should deal with those issues that fall outside existing privacy regulation. Such enabling legislation should nominate or establish an agency or organisation with clear responsibility for managing the systems, including the personal information in the systems. There should be clear lines of accountability. The legislation should set out the permitted and prohibited uses of UHIs and sanctions for misuse. Moreover, the legislation should make absolutely clear that certain safeguards are fundamental; for example, that it is not necessary to use a UHI to access health care.

56.109 The systems should remain subject to the Privacy Act and the proposed UPPs as amended by the proposed Privacy (Health Information) Regulations. For example, health information generally should only be collected for inclusion in an SEHR with consent. That information should only be used or disclosed for the purpose it was collected or a directly related secondary purpose where the individual would reasonably expect the agency or organisation to use or disclose the information for that purpose.

56.110 Under the proposed ‘Identifiers’ principle, it would be necessary to set out in regulations those agencies and organisations allowed to adopt, use and disclose UHIs, and the circumstances in which it was lawful for those agencies and organisations to adopt, use or disclose a UHI.

56.111 Exceptions in the UPPs and the regulations would apply so that, for example, it would be possible to use or disclose an individual’s health information held in an SEHR if the agency or organisation reasonably believed that the use or disclosure was necessary to lessen or prevent a serious threat to an individual’s life, health or safety or public health or public safety.

56.112 The proposals in Chapter 4 are aimed at achieving national consistency in privacy regulation and, in particular, one set of privacy principles applying across the private sector, and the federal, state and territory public sectors. Any legislation establishing the UHI and SEHR schemes also should apply nationally to ensure consistency between the public and private sectors and across all jurisdictions.

Proposal 56–5 The national Unique Healthcare Identifiers (UHIs) scheme and the national Shared Electronic Health Records (SEHR) scheme should be established under specific enabling legislation. The legislation should address information privacy issues, such as:

(a) the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems;

(b) the eligibility criteria, rights and requirements for participation in the UHI scheme and the SEHR scheme by health consumers and health service providers, including consent requirements;

(c) permitted and prohibited uses and linkages of the personal information held in the systems;

(d) permitted and prohibited uses of UHIs and sanctions in relation to misuse; and

(e) safeguards in relation to the use of UHIs; for example, that it is not necessary to use a UHI in order to access health services.

I have to say that the discussion and proposal look very sound to me – especially the part suggesting that common principles apply fully across both the private and public sectors.

I also agree that new identity services of the type proposed by NEHTA need to be protected by specific and robust legislation.

All in all an excellent start.

David.
