The Australian government has published guidelines on the third-party use of data from its contentious My Health Record, with the Secondary Use of Data Governance Board charged with making many of the decisions on who and why data can be used, on a case-by-case basis.
My Health Record is Australia's electronic health records system, given the green light in August 2017 from the Council of Australian Governments Health Council (COAG) to begin automatically signing up Australians.
By 2018, all Australians will have a My Health Record, and by 2022, all healthcare providers will be able to contribute to and use health information stored in My Health Record on behalf of their patients. They will also be able to communicate with other healthcare providers on the clinical status of joint patients via the digital platform.
Australians will be able to opt out of a My Health Record if they choose, and they similarly can opt out of having their data available for secondary use.
Where a health record has been cancelled, the data also becomes unavailable for secondary use.
The Framework to guide the secondary use of My Health Record system data [PDF], released on Friday, aims to define how data contained within the system can be used for research and public health purposes, while preserving privacy and security of data in the system.
33 items comprise the framework, with many requiring the Secondary Use of Data Governance Board to make the final decision on whether a third party can use the data.
The board will comprise representatives from the Australian Institute of Health and Welfare (AIHW), which is the data custodian for the purposes of the framework; the Australian Digital Health Agency, which will act as the system operator; and representatives from population health/epidemiology, research, health services delivery, technology, data science, data governance and privacy, and consumer advocacy.
There are 18 steps an entity wishing to access the information contained within the My Health Record must follow, including gaining "ethics approval" from the AIHW Ethics Committee.
The board will oversee development and operation of all secondary use infrastructure, the framework explains.
For example, the board will use a "case and precedent" approach to determine what is "solely commercial use" of data.
The board will assess applications primarily based on the use of data, not the user, with the framework explaining the "safe people" principle will be applied when reviewing requests for data with respect to the applicant, probing their knowledge, skills, and incentives to store and use the data appropriately.
In order to be granted access to the data, overseas-based applicants must be working in "collaboration" with an Australian applicant in respect to the proposed project. They must also demonstrate that the proposed data usage will generate public health benefits for Australians
Direct access to or release of My Health Record data is only to the Australian entity, and data released for secondary use is to be stored in a facility within Australia.
The applicant must also be responsible for ensuring they comply with all relevant Australian legislation.
The framework restricts access to de-identified data, noting it cannot be used solely for commercial and non-health-related purposes.
The provision of My Health Record data to insurance agencies will also not be permitted at this stage, while the use of My Health Record data for clinical trials recruitment will not be considered until an explicit consent option is available in the My Health Record access controls.
"There is a need to balance support for the use of the data for beneficial research and public health purposes against the policy of not using the data for solely commercial purposes," the framework reads. "Commercial organisations may propose uses that could be approved so long as it can be demonstrated that the use is consistent with 'research and public health purposes' and is likely to generate public health benefits and/or be in the public interest."
With health the highest breached sector in Australia since the country's Notifiable Data Breaches (NDB) scheme came into effect earlier this year, the framework has included a contractual requirement that the entity using the My Health Record data report any data breaches or data loss to the Office of the Australian Information Commissioner, including advice on remedial actions to be taken under the NDB scheme.
Where an applicant seeks access to data from another repository such as the Medicare Benefits Schedule or Pharmaceutical Benefits Schedule data, they will be referred to the data custodian for those systems.
The framework will be reviewed after two years of operation.
The revelation that supposedly anonymous medical data can be re-identified tops off a year of data governance incompetence by the Australian government. But will there even be a response, let alone a fix?
The Australian Privacy Foundation wants the federal government to act swiftly in ensuring the health information of citizens is safe from suffering the same fate as Equifax clients.
Australia has performed an amazing act of self-leakage, selling a pair of locked filing cabinets of its own secret Cabinet documents.
The Australian Privacy Foundation wants the government to develop security controls around sharing open data and provide the agency charged with investigating data misuse with 'adequate' resources.
Australia is charging headlong into a privacy disaster as government open data initiatives come online without considering how to properly implement privacy safeguards and data anonymity.