The CRIS poses a series of questions to further identify the challenges of and options for the sharing of general practice data and the use of eCDS. The objective is to use general practice data to inform government health policy and for public health research. Rather than answering each specific question posed, the NSW Council for Civil Liberties submission focuses on the privacy implications for patient consumers of general practice services and use of eCDS. The submission covers the four identified problem areas of data sharing and consent; data quality, comparability and linkage; data governance, oversight and coordination; and the increased use of eCDS by GPs.
NSWCCL has concerns over:
- the absence of a consistent and transparent regime surrounding consent, use and purpose of data sharing, and subsequent privacy and security gaps;
- lack of adequate regulation and governance over practice management software (PMS) vendors and other third-party stakeholders extracting and profiting from general practice data (including eCDS proprietors); and,
- the lack of any oversight, rules, or regulations in relation to general practice data, once transferred out of general practice.
NSWCCL strongly endorses the introduction of legislative mechanisms to regulate:
- standards for PMS data storage, interoperability and sharing, including data minimisation and data destruction protocols,
- quality standards and security requirements when data is extracted from PMSs,
- government oversight and reporting by stakeholders on what and how they store and use general practice data, with whom it is shared and its purpose, and
- an eCDS licensing system and mandatory standards including monitoring and imposing ongoing compliance with industry standards. AI in programs such as eCDS should provide for transparency, accountability, responsibility and mitigation of risk.
NSWCCL further recommends that:
- The CRIS cannot consider solutions in isolation from the recommendations made for reform of the Privacy Act. Federal and State legislative jurisdictions need to be consistent and no less rigorous than the PARR recommendations.
- NSWCCL does not support offshore cloud-based storage of general practice data or data flowing outside the Australian public health system.
- NSWCCL supports dynamic consent approaches that move away from static, one-off consent and enable consumers to exercise preferences over time.
- NSWCCL favours deidentification and aggregation of general practice data taking place as close as possible to the source of the data, preferably before leaving the GP clinic.
- Best practice principles should be applied for the appropriate use of health data for research.
- NSWCCL does not agree that data use or handling of sensitive health information, for private interests and financial gain, should be permitted.