Privacy

The primary objective of the PHRN and its Data Linkage Units is to provide approved access to reliable health and health related information for research projects that will benefit the Australian community and are conducted in a way that maximises the protection of people's privacy.

The continued protection of personal information, the preservation and respect of individual privacy and the implementation of a secure data management system are all critical to the success of the PHRN and its operating nodes and data linkage units.

The PHRN has implemented a number of procedures to ensure the best possible privacy and security practices are in place:

  • a range of privacy, security, communication and information management policies;
  • ongoing privacy impact assessments;
  • a legal consultant specialising in privacy issues to advise and guide on policy and practice;
  • consumer representatives to provide advice and training;
  • leading edge technology to ensure information technology, software and data management systems meet the highest security standards;
  • a public website to educate and inform, including a 'Frequently Asked Questions' section; and
  • an extensive governance and management system in place to ensure accountability.

The PHRN data linkage process is subject to a wide range of legislation and laws aimed at protecting the data used and people's privacy. The work carried out by the PHRN is governed and controlled by a number of legal, contractual, criminal and confidentiality laws and regulations. Due to the national makeup of the PHRN, the linkage units and project participants must satisfy many regulations to ensure safe and secure handling of data.

Data collections used for health research are generally covered by specific legislation. The legislation authorises the collection and use of information in these statutory data collections without the consent of individuals due to the strong public interest and value in the use of the data for the health and well-being of all Australians.

In addition, the PHRN is involved in ongoing consultation with consumer and community representatives so that its management understands and responds effectively to public views and queries.

Best Practice Privacy-Preserving Protocol

Prior to the introduction of data linkage it was common practice to provide researchers with complete data sets or collections containing both the content information (health information such as diagnosis and treatment) and personal information (eg name, address, date of birth). The major reason for the release of personal information to researchers in the past was to enable them to find and manually link records.

A strength of the PHRN data linkage process is that it enables population level research to be conducted under a secure system aimed at protecting a person's identity. One of the main tools used by the PHRN to minimise the risk to the privacy of individuals is the separation principle.

The separation principle was developed by Prof Bass in 2000/2001 and involves the separation of personal information from content information. Under this process the data custodian remains the only party with access to both the personal information and the content information.

This is done through linkage keys, which replace personal information in health records and allow records belonging to the same person to be extracted from different data collections while protecting that person's identity. This protocol is regarded by many as the best practice approach in data linkage because its application addresses privacy issues in the research design itself. As a result, all PHRN data linkage units and researchers using PHRN infrastructure are required to comply with the separation principle.

The protocol has been shown to balance the protection of individual privacy and confidentiality with the advancement of medical and scientific knowledge. This balance is accomplished in two main ways and is described below.

Through the separation of linkage data from content data

The data used for linkage (personal information) is restricted to the specific data items needed for accurate matching, such as full name, date of birth, sex and address. Authorised data linkers in the Data Linkage Units use only these items to create the linkage IDs.

The content information remains with the original data collection and the data custodians of each collection remain the only people who have access to the complete data set. Within the model, data linkers do not have access to content information about individuals and researchers do not have access to personal information about individuals and are therefore unable to connect a person to any clinical or health care-related information (Kelman et al., 2002).

Through the separation of functions and responsibilities

This method involves the separation of the data linkage process from the custodianship of data and the extraction of data for researchers.

The individuals undertaking data linkage (and having access to name-identified data) are different to (and kept separate from) researchers who may be involved in the analysis of linked content information (which does not include personal information).

In this model, those who are responsible for creating linkage IDs are not allowed to be involved in the analysis of the linked content data, or to discuss the data at the unit record level with the researchers (Kelman, 2002).

The separation of the personal information from the content data and the separation of people's roles in the process serve as the basis for a robust privacy preserving 'best practice' protocol. Data linkage following this approach increases the ability of researchers and service providers to conduct research and monitoring without the need to access identifiable data. Moreover, it facilitates the use of data for monitoring and evaluation of health services and for health research and minimises the intrusions on individuals' privacy.
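The two separations described above can be read as a small data-flow protocol between three roles. The following is an added worked example, not code from the PHRN or its data linkage units: a custodian splits each record into an identifier half and a content half, a linkage unit sees only the identifier halves and issues project-specific linkage IDs, and the researcher receives only content keyed by those IDs. The sample collections, the exact-match rule and the use of an HMAC under a per-project secret to derive the linkage ID are all assumptions made for the example (real linkage units use probabilistic matching and their own key-generation methods).

```python
"""Toy model of the separation principle in a three-party linkage flow.

Roles and what each is allowed to see:
  - data custodian: the complete collection (identifiers + content);
  - data linkage unit: identifiers and record ids only, never content;
  - researcher: content and linkage IDs only, never identifiers.
All records below are constructed for this example.
"""
import hashlib
import hmac
import unicodedata

IDENTIFIER_FIELDS = ("name", "dob", "sex", "postcode")

# Constructed sample collections; "rid" is the custodian's internal record id.
HOSPITAL = [
    {"rid": "H1", "name": "Jane Smith", "dob": "1980-02-14", "sex": "F",
     "postcode": "6000", "diagnosis": "I21"},
    {"rid": "H2", "name": "JANE  SMITH", "dob": "1980-02-14", "sex": "F",
     "postcode": "6000", "diagnosis": "I50"},
    {"rid": "H3", "name": "Bob Lee", "dob": "1975-07-01", "sex": "M",
     "postcode": "3000", "diagnosis": "E11"},
]
CANCER_REGISTRY = [
    {"rid": "C1", "name": "Jane Smith", "dob": "1980-02-14", "sex": "F",
     "postcode": "6001", "site": "C50"},
    {"rid": "C2", "name": "Alice Wong", "dob": "1990-11-30", "sex": "F",
     "postcode": "2000", "site": "C18"},
]


def custodian_split(records):
    """Custodian: split each record into an identifier extract (for the
    linkage unit) and a content extract (for later release). Both halves
    carry only the internal record id, so neither recipient alone can
    rebuild the full record."""
    linkage_extract = [{"rid": r["rid"], **{f: r[f] for f in IDENTIFIER_FIELDS}}
                       for r in records]
    content_extract = [{k: v for k, v in r.items() if k not in IDENTIFIER_FIELDS}
                       for r in records]
    return linkage_extract, content_extract


def _match_key(rec):
    """Exact-match key (assumption for the example): whitespace- and
    case-normalised name plus date of birth and sex. Postcode is left out
    because it changes when people move."""
    name = " ".join(unicodedata.normalize("NFKC", rec["name"]).upper().split())
    return f"{name}|{rec['dob']}|{rec['sex']}"


def linkage_unit_link(extracts, project_secret):
    """Linkage unit: refuse anything that is not an identifier field, then
    map every record id to a project-specific linkage ID. The ID is an HMAC
    of the match key under the project secret (assumption), so the same
    person gets the same ID within a project, the ID cannot be reversed to
    identifiers, and IDs from two projects cannot be joined."""
    keys = {}
    for coll, recs in extracts.items():
        for rec in recs:
            extra = set(rec) - {"rid", *IDENTIFIER_FIELDS}
            if extra:
                raise ValueError(f"content fields sent to linkage unit: {extra}")
            tag = hmac.new(project_secret, _match_key(rec).encode(), hashlib.sha256)
            keys.setdefault(coll, {})[rec["rid"]] = tag.hexdigest()[:16]
    return keys


def custodian_release(content_extract, key_map):
    """Custodian: attach the linkage ID to each content record and drop the
    internal record id before release to the researcher."""
    released = []
    for rec in content_extract:
        out = {k: v for k, v in rec.items() if k != "rid"}
        out["linkage_id"] = key_map[rec["rid"]]
        released.append(out)
    return released


def researcher_join(released):
    """Researcher: join collections on linkage_id only. Any identifier field
    in the extract is a protocol violation and stops processing."""
    persons = {}
    for coll, recs in released.items():
        for rec in recs:
            leaked = set(rec) & set(IDENTIFIER_FIELDS)
            if leaked:
                raise ValueError(f"identifiers present in research extract: {leaked}")
            content = {k: v for k, v in rec.items() if k != "linkage_id"}
            persons.setdefault(rec["linkage_id"], {}).setdefault(coll, []).append(content)
    return persons


def run_project(project_secret=b"project-42-secret"):
    """End-to-end flow for one approved project; returns the researcher's
    linked view keyed by linkage ID."""
    collections = {"hospital": HOSPITAL, "cancer": CANCER_REGISTRY}
    linkage_extracts, content_extracts = {}, {}
    for name, recs in collections.items():
        linkage_extracts[name], content_extracts[name] = custodian_split(recs)
    key_maps = linkage_unit_link(linkage_extracts, project_secret)
    released = {name: custodian_release(content_extracts[name], key_maps[name])
                for name in collections}
    return researcher_join(released)


if __name__ == "__main__":
    for linkage_id, by_collection in run_project().items():
        print(linkage_id, by_collection)
```

Running it shows three linkage IDs: one person with two hospital episodes and a cancer registration (matched despite the differently cased name and changed postcode), and two people with a single record each. Changing the project secret changes every ID, which is what stops linked extracts from two projects being joined outside the approved scope.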

Managing access to information

Applications for access to data are carefully scrutinised. Applications must be reviewed by the data custodian in charge of the records and by a Human Research Ethics Committee (HREC) to ensure that only the information absolutely necessary for the fulfilment of the research project is provided.

The use, disclosure and retention of information is also limited. For example:

  • researchers are only permitted to use the information for the particular project for which they have received approval, and in the precise way that has been approved;
  • each researcher working on a project must be identified and approved, and the information may not be given to another person; and
  • the information may only be kept for the period of time approved for the research project and must then be returned to the data custodian or destroyed. This condition is managed by the contract the researcher has with the data custodian, by their HREC approval conditions or by arrangement with the data linkage unit.

Both the HREC and the data custodians have the right to audit and monitor whether the researchers are adhering to the agreed security and data disposal plans. Researchers who do not follow the agreed plans are in breach of both their contracts with the data custodians and their HREC approval.

Potential consequences of non-compliance include:

  • HREC approval suspended or withdrawn (this would stop the researchers completing the project or publishing the results)
  • Data custodians refusing to provide data to the researcher in the future
  • Data custodians refusing to provide data to the researcher's institution in the future
  • Legal action over the breach of contract.

In addition, the PHRN is supporting the effective implementation of its privacy policies by designing and organising appropriate training for researchers using the PHRN infrastructure to access national data. Training will also be offered to members of Human Research Ethics Committees to improve understanding of data linkage and the protection of privacy within it.

Privacy Impact Assessments

Privacy Impact Assessments (PIAs) are an important tool in understanding and addressing the privacy impacts of the work of the PHRN. PIAs provide a point-of-time assessment of privacy matters including perceived risks relating to legal compliance, security and the meeting of community expectations. The PHRN is commissioning PIAs at a number of stages in the development of the Network to ensure privacy requirements continue to be met.