• Privacy is not secrecy or confidentiality
• Privacy is wider than security
• Privacy is about control
What is Privacy?
• Tool for preserving people's control over their information…
• in the face of technology that tends to lessen that control
What is Privacy?
Health Information Privacy Code 1994: What is it?
• Code of practice issued by the Privacy Commissioner
• Focus is on purpose not consent
• Modifies 12 information privacy principles into 12 rules
• Purpose and openness
Who and what is covered
• Health information about identifiable individuals
– Medical history, services provided, results, incidentals
– Some exceptions around the Cervical Screening Programme
• Health agencies
– People and organisations who provide health and disability services, insurers
• Limits
– Health Code does not override any other law that authorises or requires collection, use or disclosure of information
Health Information Privacy Code 1994: Summary
1) Only collect the information you need
2) Get it from the person concerned
3) Tell them what you're doing
4) Be nice when you're doing it
5) Take care of the information once you've got it
6) They can see it if they want to
7) They can correct it if it's wrong
8) Make sure it's accurate before you use it
9) Get rid of it when you're done with it
10) Only use it for the purpose you got it for
11) Only disclose it if that's why you got it
12) Be careful with unique identifiers
Health Information Privacy Code: rule 11(1)
Rule 11: Health information must not be disclosed unless one of the exceptions applies.
Disclosure is allowable if it is:
• To the individual or their representative, or authorised by them
• One of the purposes for which it was obtained
• Originally from a publicly available source
• General information about presence, location, condition of patient in hospital
some exceptions rule 11(2)
An agency may also disclose, if it believes on reasonable grounds that disclosure is:
• for a directly related purpose, or statistical or research purposes
• necessary to prevent or lessen a serious and imminent threat to public health or safety or the life or health of the individual or another
• necessary to avoid prejudice to maintenance of law or conduct of proceedings
Section 22F Health Act 1956
requires disclosure unless withholding grounds apply, eg. Rule 11(4) HIPC, ss27-29 Privacy Act.
Who can make request under 22F
• Person/agency who is providing or is to provide health or disability services to individual
• The individual’s representative
Section 22F Health Act 1956
Upon request the holder of health information must disclose to:
Individual
Representative
Healthcare Provider
Treat as Rule 6, ss27-29 of Privacy Act apply
Agency may refuse if: individual doesn’t want disclosure or there is a lawful excuse not to disclose
Rule 11(4)(b) agency may refuse if: contrary to individual’s interests or patient veto, or ss27-29 Privacy Act apply
Representatives
• Where a person is dead – their personal representative (executor or administrator)
• Where a person is under 16, dead or alive – a parent or guardian
• Where a person cannot give consent or exercise rights – a person lawfully acting on their behalf or in their best interests
Access & Correction Rules 6 and 7
If health information is readily retrievable people have a right to:
• confirmation whether the agency holds information about them
• have access to the information
• ask for it to be corrected
Withholding Grounds Rule 6
Good reasons to withhold information from an individual; ss 27-29 of the Privacy Act
• 27(1)(c) - prejudice maintenance of law
• 27(1)(d) - endanger safety
• 29(1)(a) - unwarranted disclosure
• 29(1)(c) - prejudice physical / mental health
• 29(2) - not readily retrievable / cannot be found / does not exist
Correction Rule 7
Individuals have a right to request correction; or have a statement of correction added.
Agency must either:
• make the change
• attach statement
inform the individual and any recipients of the information
Policy and Privacy in Health
• Privacy isn’t just the Privacy Act
• Complexities arise from relationship between:
– Ethical confidentiality and privacy
– Biological material and health information
– Electronic records and physical records
– “Opt-in” vs “Opt-out”
– Informed consent vs notification
Function Creep
Collection some implications
• Collection is where you find the key legal obligation of transparency
• Falls on agency initially collecting data
• In health context, places heavy weight on primary care
• Practical need for ‘upstream’ users of data to take some of that load
• Benefits in trust, openness and willingness of health consumers to have their information used
• Also benefit of increased trust from ‘downstream’ health agencies
Wider context
• Records can be owned, information cannot
• Agencies have obligations (purpose and openness)
• Individuals have rights (access and correction)
• Also, privacy law focuses on awareness rather than consent
• However both consumers and clinicians can have a valuable sense of ownership over information about them – don’t want it misused
• Trust is harder to regain than it is to lose
Competing interests
“The Commissioner shall have due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way”
Competing Interests
Can be quite compelling:
– Patient wellbeing
– Research
– New uses for information
– Profit
– Easier better processes
How are these managed?
• Complaints and enquiries process in Privacy Act
– Relies on people making complaints
– Requires ‘harm’
– Legalistic
• Ethics committees for research
– Circular definitions
• Privacy Commissioner comment on new laws and proposed schemes
– Limited resources
• Public and practitioner outrage
– Potent but unreliable!
• Patients come to their doctors because they trust them.
• Good privacy is good business
• Our role is not to prevent change, but to make sure people know what they’re getting into
• “Road maps, not road blocks”
Ultimately…
Don’t blame the Privacy Act! Act!
enquiries hotline 0800 803 909
www.privacy.org.nz