Helios Salinger
Mind the gap: when legal permission is not enough to ensure compliance

October 15, 2025, Anna Johnston

A recent NSW case illustrates the complexity of obtaining lawful authority to disclose personal information – and the equal importance of on-going vigilance, to ensure compliance.

Rather than privacy compliance being determined with a single assessment about lawful authority to proceed, I often think that project initiation should involve a set of four cascading assessments:

  • Can we? A legal assessment asks: Can we lawfully collect, use or disclose this data?
  • Should we? An ethical assessment asks: Do we have a social licence to collect, use or disclose this data?
  • Is it suitable? A quality assessment asks: Is this data, and this methodology, fit for our purpose, such that this project will meet its objectives?
  • How should we? A safety assessment asks: What else must we consider in relation to data security, accountability, transparency, and other compliance obligations?

Yet too often we see only the first question being asked of a project.

This creates a significant compliance risk: if a project is not managed in a holistic fashion, once the project gets the legal green light, all other obligations may be forgotten.

A recent case illustrates the dangers of failing to shore up compliance with the obligations that continue throughout the life of a project, and the loss of stakeholder trust that can ensue.

The case: sharing a child patient’s medical information for research

A multi-year, multi-site medical research project was operating under the benefit of a Human Research Ethics Committee (HREC) approval. The research project included the secondary use of historic health information, without patient involvement or consent. The study protocol submitted to the HREC stated:

“Recruitment and consent: Consent will not be sought for this retrospective review of patient records. All collected data will be de-identified and patient confidentiality respected. Therefore, no risks to patients are anticipated.

Data storage and analysis: The abovementioned patient data will be extracted from the medical record of existing hospital systems or diagnostic laboratories… the data will be de-identified and stored within the secure [name] database or other suitable site-specific database where security standards are met (password-protected computer, limited to approved investigators)…”

Melbourne Health HREC was approved under the national mutual recognition scheme to issue a waiver of consent, which could be relied upon by disclosing entities in other Australian jurisdictions. Health information was being collected by MCRI (a medical research institute in Victoria) from multiple hospitals, including a public hospital in Sydney which was a member of the Sydney Children’s Hospitals Network (SCHN).

All parties agreed to a Multi-Institutional Agreement (as required by the National Health and Medical Research Council), in which each party agreed to comply with the federal Privacy Act and any applicable State or Territory laws.

Over the course of conducting the research project, a doctor who was a principal investigator at MCRI was seeking to verify and update information collected about patients for the study. The doctor at MCRI emailed two doctors at the respondent’s hospital in Sydney, attaching a spreadsheet with details about some 300 patients. The patients’ names, sex, dates of birth, postcodes and other information were included in the spreadsheet. Three columns were blank, regarding whether each patient was alive or deceased, the date of their last follow-up with the hospital, and the clinical manifestation. The information was not de-identified. The spreadsheet was not encrypted or password-protected.

One of the doctors in Sydney completed the blank fields in the spreadsheet and emailed it back. Again, the spreadsheet was not de-identified, encrypted or password-protected.

Some years later, one of the people in this research cohort learned about this conduct, and made a privacy complaint. The complainant, given the pseudonym FZP by the Tribunal, had been a patient of the respondent’s hospital when he was a child.

The complaint related to alleged breaches of multiple privacy principles, but the most consequential were disclosure and data security. While ultimately the disclosure itself was lawful, the way it was conducted was found to be in breach, and compensation was payable as a result.

The complexity of determining if the disclosure was lawful

The Tribunal found that there had been a ‘disclosure’ of health information for the purposes of Health Privacy Principle (HPP) 11 in the Health Records and Information Privacy Act 2002 (NSW). However, the disclosure was authorised under HPP 11(1)(f), and the NSW Privacy Commissioner’s statutory guidelines on research issued thereunder, which together create a research exemption. This exemption requires the involvement of an HREC to conduct an assessment, so the Tribunal was effectively reviewing the conduct not only of the NSW respondent agency which made the disclosure, but also the decision-making of the Victorian HREC.

In some detail, the Tribunal stepped through all the layered requirements of HPP 11(1)(f) and the NSW Privacy Commissioner’s statutory guidelines on research, necessary to authorise the disclosure. These required confirmation that:

  • The project was “research”
  • The research was in the public interest
  • The disclosure by SCHN of the complainant’s health information was reasonably necessary for that research in the public interest
  • The research purpose could not be served by using de-identified (or unidentified) information
  • It was impracticable to obtain consent from the patients to be included in the study
  • The information was not published in a generally available publication, and
  • The disclosure was in accordance with the Research Guidelines.

Having satisfied all the elements of HPP 11(1)(f) and the related statutory guidelines, the Tribunal found that the disclosure without consent was authorised, and thus there was no breach of HPP 11.

But data security was still at issue

By contrast, the Tribunal found that the NSW public sector agency breached the Data Security principle HPP 5(1)(c) because:

“by sending the email:

  • with an unencrypted spreadsheet with no password protection;
  • without identifying the research project, and
  • without any other warnings as to the sensitive nature of the information or limitations on its use

it did not ensure that the information was protected by taking such security safeguards as were reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure or against all other misuse”.

In particular, the Tribunal noted that:

“despite the existence of the security safeguards presented by SCHN, little thought was given to them or how they should have been applied. I therefore can only conclude that there was a breakdown in their observation through either a lack of knowledge, a lack of concern, or both. (There was a) failure to comply with SCHN’s own written instructions in the Privacy Leaflet for Staff (SCHN) advising against sending health information outside NSW Health unless password-protected or encrypted, and suggesting secure file transfer systems be used”.

Research vs privacy: a matter of dignity

Privacy is not an absolute right; our laws seek to codify when other public interests may prevail, such as the public interest in medical research that could benefit humanity. For example, the NSW legislation delicately balances those competing public interests, by setting out multiple ethical tests which must be met before a research project can proceed without the knowledge or consent of the relevant individuals, as well as further safety obligations to minimise the risk of harm to those individuals.

In this case, the complainant made an eloquent and heartfelt statement which illustrated that tension between the importance of individual privacy and the importance of medical research:

“I.. am living with a debilitating genetic illness resulting in multiple disabilities and have witnessed the passing of my [sibling] from the same genetic illness. I agree that the sharing of information for research purposes can aid our understanding of illnesses (where de-identification is normal practice): it can help seek better management strategies, improve quality of life and potentially find a cure (and there is nothing I want more than all these things).

HOWEVER: There are numerous legal and ethical requirements in place at all levels of medical research governance that provide protection for patients’ privacy. The message should be clear and understood by researchers, that while participants’ medical information is valuable to them, so is the participant’s basic human right to respect and privacy valuable to us, and for many, this constitutes our remaining dignity”.

A cautionary tale

Getting the privacy settings right in the design of data-related projects is critical, but so is ongoing vigilance about compliance. This case demonstrates how securing lawful authority to share personal information is not the full story; you must also ensure that data security protocols are in place and adhered to, by using additional privacy controls and vigilance, throughout the life of a project.

However, this case also serves as a reminder not only of the importance of meeting all legal obligations when using data about humans, but also of the reason why we have privacy rules in the first place: to protect humans from harm, including any diminution of respect, autonomy or dignity.

Please reach out to our team if we can be of assistance.
