Speeches, presentations, articles - Office of the Privacy Commissioner

"Privacy and Society" The Experience in New Zealand, June 2010

Thu, 22 Jul 2010 11:14:16 +1200

View the Privacy Commissioner's speech to the 33rd APPA forum held in Darwin, Australia on 3-4 June 2010 entitled "Privacy and Society" The Experience in New Zealand.

NZ Doctor Series - Privacy Matters (# 19)

Wed, 30 Jun 2010 09:11:45 +1200

March 2010

American lawyers do pretty well for themselves, by all accounts. Scalded by a coffee at McDonalds? Sue. Drop some olive oil in a supermarket, then bruise yourself falling over? Sue! Drink yourself to cirrhosis on Jack Daniels? SUE!

Whether true or not, these well-worn tales typify the States' litigation-happy culture. In 2004, costs associated with this kind of claim amounted to a quarter of a trillion dollars.

In New Zealand, by contrast, fall off a ladder and hit your head and ACC should pick up the tab. Since the scheme's inception in the 1970s there is no longer a right to sue for personal injury, in exchange for not needing to take a spin on the legal roulette wheel. In effect we all have compulsory accident insurance, but with levies instead of premiums. Naturally there are a few wrinkles.

For instance, claimants must allow the treating clinician (generally either a GP like you or a physiotherapist) to give ACC any information relevant to the claim.

On one level this requirement is a little unusual because it requires a claimant to give permission. You might wonder - if you have to give "permission", is it really permission? It makes more sense when you think of it as a compulsory insurance policy - if you sign up for a private insurance policy, it's accepted that the insurance company will need some information.

However, with ACC just as with a private insurance company, the information provided needs to be relevant to the claim. Also, claimants need to know that they're allowing you to pass on information about them.

In the past, this has been done by way of the ubiquitous ACC45 form. Fill out the front, read the privacy statement on the back. But these days, electronic communication is the norm. Paper forms are used much less frequently than before - and information typed into a GP's PMS doesn't have a ‘back' on which to put the privacy statement. So how are patients to know what they're agreeing to when they fill out the form? Do they understand that they are authorising you to disclose relevant information about them to ACC?

There is a wider issue here, and it comes back to openness. GPs collecting patient information need to be open about how it's going to be used. The number of possible uses for information is constantly on the rise - how to make sure people know about it? In the past that openness has been conveyed by statements on forms, but there's a limit - call it ‘information bandwidth' to the amount of text people can meaningfully take in.

I'm talking with ACC about how to make sure people know what they're agreeing to. I'd be interested in GP experiences in this area - contact my staff on submissions@privacy.org.nz if you'd like to make a comment.

NZ Doctor Series - Privacy Matters (# 20)

Wed, 30 Jun 2010 09:16:46 +1200

April 2010

Information kept where no-one can get it is a bit like a miser's gold buried at the end of his garden. Just as with money, information's value isn't intrinsic - what really matters is how you use it, disclose it or dispose of it.

In general you can treat information in line with the purpose you obtained it for, so day to day uses and disclosures will present no problem.

But what about when you shut up shop, or your practice or PHO joins with another agency? PHOs and DHBs are merging and closing down all over the place these days so the latter, in particular, is much in the news. So what do you need to know?

First, remember that under the law you must keep hold of health records for at least ten years from the last appointment. In fact the Medical Council recommends holding onto certain records for even longer[1].

This can sometimes be problematic for mundane reasons (such as space) but the law is the law - and you can always convert old records into electronic form if physical space is an issue.

Other dilemmas can arise when a fellow doctor unexpectedly dies, leaves the country or ceases practice. Most of the time matters can be arranged ahead of time, but if there is not the time or opportunity to do so, then you or your practice may be left with a pile of unwanted medical records.

Unfortunately your legal obligation remains. Unless you transfer the records to another practitioner, or to the patient themselves, you will have to hold onto them in some form for the full ten years.

And what about mergers? As part of a merger of two health agencies, you'll probably need to share patient information in bulk. You may not know that much ahead of time that a merger is afoot, so getting patients' permission for the disclosure is likely to be impractical if not impossible.

However the law allows disclosure of information to another agency where necessary for the "sale or disposition of a business as a going concern". This should cover the transfer of records from one organisation to another, where the same business is being carried on.

That's not the end of the story, though - notifying patients as soon as possible of what is to happen with their information is absolutely crucial. Privacy is often about making information flows transparent. For instance when my GP retired a few years back he contacted all his patients to tell us to whom he'd be transferring our records.

For this kind of anticipated transaction, and assuming you've been open to your patients about why you hold their information and what you plan to do with it, privacy law shouldn't be much of a constraint.

But when you step outside the normal course of business, things can get tricky. Remember that there are constraints around how you hold onto and dispose of patient information, and think ahead to what might go wrong. Because the one thing that a doctor cannot be is a miser when it comes to his or her patient's information.

[1] The Medical Council guidelines on retention are available at http://tinyurl.com/y8g5f5h

NZ Doctor Series - Privacy Matters (# 21)

Wed, 30 Jun 2010 09:22:52 +1200

May 2010

Vox populi, vox dei ("the voice of the people is the voice of God") is a phrase with an impressive pedigree. Its first known mention is in a letter to Charlemagne in 798 AD. While many medieval concepts have not stood the test of time (witch burning, the sale of indulgences) this is one that still has a lot of value.

As Privacy Commissioner, my responsibility is to help protect New Zealanders' information. Naturally I can't do that properly without listening to the "vox populi" from time to time.

My most recent UMR survey , which I announced in Privacy Awareness Week (3-9 May), gives some interesting insights into what people think about the use of their health information.

A little over 60% of respondents were concerned about insurance companies getting full medical records from GPs. This was a new question and I will be interested in seeing how public opinion develops over time.

Moving to the unabashedly positive news, at least for my readers in this magazine, 94% of New Zealanders think the health sector - defined in the survey as doctors, hospitals and pharmacists - are trustworthy custodians of health information. This is a testament to the high ethical standards in the medical profession, particularly as that figure constitutes a slight rise since the last survey.

Possibly as a result of this high level of trust, only 32% of people are concerned about doctors sharing their health information with other health providers.

However these results shouldn't lead to complacency. There is widespread (80-90%) concern about personal information on the internet, particularly when it relates to children. And there is a high level of worry (79%) about information being held by overseas businesses.

There is also a steady increase in overall concern about privacy - 59% of people have a high concern about the privacy of their information, up from only 47% back in 2001. I suspect this is at least partly because of the rise of the Internet as a vital part of daily life, a suspicion that is borne out by other parts of the survey.

With the inevitable rise of Internet health portals, cloud computing and shared electronic health records this has some interesting implications for health practitioners. Already vast quantities of personal information are held in web-based systems like Google's Gmail. Practically this means data is being stored overseas, in vast data warehouses.

If, as seems likely, this approach extends to health information then doctors may find themselves in the position of relying on an overseas company to protect their own patients information - not necessarily a comfortable place to be!

The voice of the people, as expressed in the 2010 UMR survey, is pretty clear about how much trust is vested in doctors' handling of patient information. In my view, though, we must continue to be careful. These sky-high levels of trust are a treasure to be preserved rather than a resource to be spent.

Protecting Biometric Data: Privacy By Design

Fri, 26 Mar 2010 10:29:20 +1300

2010 Biometrics Institute of New Zealand Conference

Privacy Commissioner, Marie Shroff
26 March 2010
Holiday Inn Hotel, Wellington

Good morning and thank you very much for the opportunity to speak to you today.
I remember that the last time I addressed this conference was one of my first speaking engagements in my then-new role of Privacy Commissioner, back in October 2004. Five and a half years has passed quickly, and I'm aware that you have been dealing with many developments in the biometrics field over this period. There have also been changes in the way that biometric technology is viewed by the general public .

I think possibly the most significant change is the increased visibility and general use of biometric technologies. In certain every-day contexts, such as in airports, people know that biometrics could well be part of the immigration and security processes. Some of you will have been involved in the roll-out of the new New Zealand passports containing a biometric chip, and the recent installation of ‘SmartGate' in our airports. I have used the SmartGate system during recent trips to Australia, and mostly found it convenient and easy to use.

But there has been an increase in public awareness of the potential privacy implications associated with the use of some of these technologies, provoked in no small part by the imagination of Hollywood. As a result of the increased interaction between biometric technology and the public, The Biometrics Institute developed a Privacy Code for institute members in 2006, which has recently been reviewed. I acknowledge the proactive approach you have taken towards encouraging consideration of privacy issues within your industry.

One of the functions of my role as Privacy Commissioner is to promote an understanding of good information handling and to encourage agencies to follow best privacy practice. In general I much prefer and believe in a "carrot rather than stick" approach.

‘Privacy' is a subjective notion, and can mean different things to different people; but it is often expressed as "the right to be left alone" or "the right to control one's personal information." This subjectivity means it is difficult to draw specific limits around what is privacy intrusive. It depends very much on the circumstances at the time. I was recently travelling in America and Canada, and was required to undergo full fingerprinting and iris scanning as I passed through immigration. Being from New Zealand, this wasn't something I was used to, but I was aware it would happen and it was within my comfort zone. However, when I was queuing to go up the Toronto Tower, I was required to go through an air gate that sucked the air from around me to test it for potential explosives. The people before me seemed comfortable with the procedure, but this was unfamiliar for me. I really didn't enjoy the experience at all.

Regardless of a person's own comfort zone, privacy is not an absolute right; it must be balanced against competing interests such as national security or personal safety. In New Zealand, this balancing exercise is facilitated by the Privacy Act 1993, the core of which is a series of twelve information privacy principles covering collection, access to, correction, storage and disclosure of personal information.

Biometric information is personal information.
At this point I would like to emphasise that technologies, including biometric technologies are neutral; the mere fact that biometric technologies work by collecting and using biological information does not make them "anti-privacy", and therefore on my hit list.

But, because they collect and use personal information, they are of interest to my office, and thought needs to be applied to how they are designed and used.

This need not impact adversely on the effectiveness of the technology. It is quite possible to develop and implement technology which incorporates good information-handling strategies. In New Zealand we would call this a win-win solution, where both the need for efficiencies created by new technologies and the protection of personal information can be satisfied.

Now, I am not a technical expert, and I am not in a position to recommend specific technologies to you. What I am interested in is the principles that go into the development of the technology; and how, from its earliest moment of conception, it collects and uses personal biometric information in the most privacy-protective way possible.

So, I want to talk to you about Privacy By Design.

This is not a new concept; it was Ontario Information and Privacy Commissioner Dr Ann Cavoukian who first coined the phrase "Privacy by Design", back in the 1990s.

"Privacy by Design" talks about privacy as the first thought; not as an afterthought.
Why is this? It is more difficult, more costly and far less effective to try to retrofit privacy on to a system or policy. It is also more difficult to get people to change the way they do things - far better to make privacy the default from the outset. It is far harder to recover from a privacy disaster - such as a major data breach - than it is to prevent it happening.

Achieving Privacy By Design

Biometrics is an evolving field. What is possible today could be obsolete in a very short period of time. I read not too long ago that researchers in Germany and the UK are making inroads into brain-reading technology - actually being able to read a person's intentions before they act by scanning their brain. Unsurprisingly, comparisons are being made between this and the Steven Spielberg film "Minority Report", where potential murderers are arrested before they commit the act on the basis of an incriminating brain scan. I am not suggesting that this is the likely future of law and order, but it is enough to have motivated scientists in this field to call for an ethical debate into the development of this technology before it has gone so far we are overwhelmed by the implications.

But the movie does illustrate an important point: trust. The public has to have trust in their governments, businesses and other institutions so that our society keeps functioning well. Modern life requires the citizens of most countries to part with personal and identity information to travel, obtain healthcare, or open a bank account. According to a survey conducted by Unisys in October last year, 60 percent of people in New Zealand are willing to use biometrics which includes fingerprinting and eye scans, to prove their identity. In America, more than 70 percent of survey respondents will trust banks and government agencies to ask them for biometric data for identity verification.

To maintain customer confidence, and to remain the customer's choice, it is important to protect this information. Good privacy practices are good business.

This is exactly what Privacy by Design advocates. Considering and assessing and the privacy implications of a technology or practice before it is deployed, and building safeguards in to the system itself. Privacy, therefore, becomes an essential component of the solution being delivered: it anticipates and prevents privacy invasive events before they can happen. This in turn helps maximise the take-up of the technology by ensuring that people trust that their information is being properly managed. So you're more likely to achieve your project objectives and the return on investment can be maximised. This is the win/win factor.

So what, exactly, do you as technology developers, and as agencies and institutions implementing biometric systems need to consider, from a privacy perspective, when designing and using biometric technologies? How do you build it in, rather than bolting it on?

I thought it would be most useful if I could develop a short mnemonic which would assist you to remember the most important points.

So the mnemonic I have come up with is PADLOCK. Let me run you through it:
The P in Padlock stands for purpose.
Both developer and client need to start with a clear idea about what has to be achieved, so consideration can be given to whether Biometric technology is the right solution to achieve this outcome. If it is, knowing exactly what you are going to use the biometric system for enables you to develop the most suitable and privacy-appropriate design.

The methods you use to collect, store or analyse biometric data should be a proportional solution your problem. This will raise questions such as: should the collection be optional or mandatory?

Proportionality and purpose also extend to the nature of the people who will be participating. A primary school in Hong Kong was ordered to stop using fingerprint matching to register school attendance, lunch provision and access to library services by the Privacy Commissioner in Hong Kong, who said that this basic record-keeping function could be achieved by less privacy-intrusive methods, and that these young students were not yet sufficiently mature enough to appreciate the permanence and nature of the information they were giving away.

There is always pressure in tough economic times to do more with less, and there is a great temptation to access and use stored information for a new or additional purposes. If you find yourself in this situation, I would advise you to resist the temptation to go ahead without first getting sound legal advice, as you could potentially breach the privacy principles.

The A in Padlock is for accuracy
Contrary to public belief, you and I are aware that no biometric system can ever be 100 percent accurate in recording or matching the right biometric template with the right sample. Obviously you need to give careful consideration to the accuracy of the particular system you are implementing. This will be influenced by many things, including the number of people who are going to use the system, and the consequences of a false rejection or a false acceptance. For example, with entry to a secure building, where there are also security guards on the door who are able to visually check and process entering staff, it may be more important to have a low false acceptance rate than a low rejection rate, as security guards may be able to process the people whom the system fails to recognise.

Of course as you scale your system up to potentially thousands or millions of people, even small error rates will cause an increasing number of people to be incorrectly rejected or accepted by the system, meaning you may not achieve your original purpose; or you may have that ‘privacy disaster' I mentioned earlier which damages your credibility and therefore your effectiveness.

Sometimes the personal element can be overlooked here. The privacy principles require you to allow individuals to access any personal information you have about them and allow them the chance to correct it if they think it is wrong. This can be tricky when it comes to biometrics, because a stored template is unlikely to mean anything to an individual. But, if a person has been incorrectly matched or rejected they may request that any record of that match be corrected.

The D in Padlock is for Data Minimisation
The more data that is collected from an individual, the higher the risk that person's identity information could be compromised. The very element of biometrics which makes them so popular for accurate identification, also poses problems to the person if they are compromised. There is no changing your fingerprints or your iris pattern. The more data held, the more that is at risk of theft, so only collect or keep information that is essential to achieve your purpose.

And while I know biometric technology has advanced to the point of including all sorts of safeguards against fraud, there will always be the brazen criminal who can thwart the system using a packet of gummy bears and a MacGyver mentality.

The L in Padlock is for lifecycle
It is important to think about everything you do with personal information - from collection through to the use of the information, to its safe and complete destruction. This is called the information lifecycle, and at every stage there are choices you can make about how you handle information, and opportunities to be more careful with people's data.

The best time to make these choices is when you are designing your system. A Privacy Impact Assessment is a useful tool to help you to work through the lifecycle of information and identify the choices that you have. It will also get you thinking about why you've got the information and how long you need to keep it to achieve its purpose.

Ideally, developer and client should jointly prepare the PIA as part of the briefing part of implementing a new biometric system, so that all bases are covered.

Lifecycle is an often undervalued concept in information system design. Yet while it may appear complex, if it is accurately mapped at the beginning, you will have the basic information you need to effectively manage your information.

Think about even the simplest information system, such as names and phone numbers collected for a school raffle. Personal information is given to the organiser in exchange for the chance to win a prize. Even here, the information transitions through collection, use and eventual destruction. Raffle organisers can make good choices at each stage, such as designating responsibility for keeping sign up sheets secure, and making sure they are shredded at the close of the raffle.

There is some good guidance material around on mapping information lifecycles and developing PIAs which is on the OPC website (www.privacy.org.nz) and also on the Australian Privacy Commissioner's website. You also have an excellent resource list on the Biometrics Institute website.

The O in Padlock is for Ongoing Responsibility
As technology developers, you will have the need to discuss implementation and technology use with your clients. This is a great opportunity to encourage pro-privacy use of your technology, as this will ultimately aid your reputation as a safe and reliable consumer choice in the future. Some banks, for example, are already using this good privacy practice as a selling point and a market advantage.

The C in Padlock is for Control
Maintenance of control over the information being collected is vitally important.
Security of data overlaps with privacy here and you can use that to advantage inside many organisations which may be more focussed on security rather than privacy.

In some cases biometric data collected will form part of a centralised data base. These large central databases, accessible over networks in real time, present significant operational and security concerns, and are a target for hackers and for inside abuse.

When transmitting data, encrypt it. Never leave data vulnerable. On the other hand, do not suppose that data repositories are ever totally safe from hackers.

Take, for example, recently released ID cards for foreign nationals working or studying in Britain, part of the National Identity Scheme. Embedded inside is a microchip containing information such as name, date of birth, physical characteristics and fingerprints; as well as information relating to immigration status and eligibility for State benefits. The Government confidently asserted that the identity cards were "unforgeable". However, a certain British newspaper acquired the services of a hacker to attempt to create a clone of the card, and programme it with false data. He achieved this in 12 minutes, using a basic Nokia mobile phone.

The K in Padlock is for Knowledge
The person from whom you are collecting any personal information should be aware that the data has been collected, and also for what purpose. This is not only a requirement of the Privacy Act, but can also improve the public's trust and confidence as they are more likely to use your system if they understand what is going on and how it affects them. It also means that they can choose to use another method if they want to; for example SmartGate is an optional system for new New Zealand passport holders to use. Travellers also have the option of queuing up to pass through immigration by presenting their passport to an officer.

Conclusion
Last time I addressed you I hinted that this may be an industry which sees some specific privacy regulation in the future. Regulation, such as a code, is something I can impose for a specific activity if it becomes necessary. So it's never off the table. But I prefer to see industries take responsibility for the privacy implications of their activities, and self regulate. You know best how biometric technology and its applications are developing, and are well placed to deduce what the impacts on privacy are likely to be.

You have made a good start implementing a voluntary privacy code. However, I urge you to continue to be proactive. If you consistently follow the principles I have outlined today, further regulation may not needed. It really is up to you.

Biometrics is a changing field, but integrating basic privacy concepts at its core will ensure that future innovations are effective, efficient, and respectful of the people from whom biometric data is collected. Build it in, don't bolt it on.

I would also draw to your attention that the Law Commission is currently undertaking a review of the Privacy Act, and its technology chapter discusses biometrics. You have an opportunity to make submissions on the content of this chapter, as well as any other matter in the review. I urge you to have your say about the intersection of privacy and biometrics. You can find the discussion documents on the Law Commission website www.lawcom.govt.nz

Finally, I wish you a productive and stimulating conference, and encourage you to keep these principles in mind as you move through today's programme.

NZ Doctor Series - Privacy Matters (# 18)

Wed, 03 Mar 2010 09:25:41 +1300

November 2009

Freedom of the press is one of the planks our democracy stands on. In the abstract this is an undeniable positive. As the saying goes, "sunlight is the best disinfectant". Dealing with press freedom directly, though, can be a little harrowing. What should you say to a reporter on the other end of the phone at 5.00 pm on a Friday?

One answer, of course, is ‘nothing' - but things are rarely that simple. What if you want to get your side of the story across, or to defend a colleague? What if you're being asked for information about a patient you genuinely feel poses a threat to others or who has been mistreated? How about Official Information Act requests - do you have to respond?

In fact, the law will only rarely require you to speak or remain silent when faced with enquiries from the media. Instead, you will generally have a space in which to exercise your discretion, in line with your own ethical obligation of confidentiality. Protecting the confidence of your patients must weigh heavily.

But, as always, there are exceptions. For instance the Health Information Privacy Code allows you to talk about a hospital patient's presence, location, condition and progress unless the patient or their representative has vetoed disclosure.

The answers to the other questions posed above are more equivocal.

Disclosing information about a patient to back up a colleague, or to defend yourself against allegations you think are unfair, will always present problems Unless you have the patient's permission, a polite ‘no comment' may be the best option. Naturally if the information is solely about you rather than your patient you can do as you like with it, and information that cannot identify a person can always be disclosed.

Also, while you can disclose information about a patient to prevent a serious and imminent threat to someone's safety, you need to be talking to someone who can do something about that threat. It's unlikely the media would fit that bill.

The situation is slightly different if you work for a public sector agency like a hospital or District Health Board, though you're also more likely to have a communications officer to help deal with difficult dilemmas. The Official Information Act means that anyone, including a reporter, can ask for access to publicly held information, including patient records. Requests can be refused where disclosure would breach someone's privacy and there is no significant public interest in disclosure. Nearly all the time, this will lead to a refusal of an OIA request for health information, but not always.

The bottom line is ‘don't be hasty', even when faced with a tight news deadline. When talking to the media, first find out who they are, what exactly they're looking for and who else they've spoken to. Then you'll be better placed to respond in a way that respects both the public's right to know and your patients' right to confidentiality.

Twittering your rights away?

Thu, 12 Nov 2009 09:18:05 +1300

A lunchtime presentation by Katrine Evans, Assistant Privacy Commissioner (Legal and Policy), run by the Wellington Community Law Centre in conjunction with Wellington Central Library on 11 November 2009.

See below to download the presentation.

NZ Doctor Series - Privacy Matters (# 16)

Thu, 15 Oct 2009 15:39:44 +1300

July 2009

We have always lived in a world of networks. In the past, these networks were social; of trust, kin and obligation. Nowadays, it is arguably the computer networks surrounding us that have a greater effect on our lives.

However, one of the oddities of ubiquitous technology is that we notice it most when it's not there. For instance, patients going from practice to practice may be surprised that their medical records and health information have not gone with them. Their email correspondence, tax information and banking records are all available to them online - why not their blood test results?

Developing an electronic health records infrastructure is a formidable technical challenge. It is also dependent on producing a system that will retain the trust of the users and people whose data is being stored within it. The best system in the world is of little use if no-one wants to use it!

There are a number of plans afoot to increase the accessibility and ease of transmission of health information in New Zealand. As you might expect, I have some concerns.

One issue is that the larger a store of data becomes, the more tempting it is to use it for additional, unanticipated purposes - ‘function creep'. The Health Information Privacy Code tries to prevent this by requiring agencies to be clear about why they are holding and using health information.

Another issue is an increased risk of serious security breaches occurring. Electronic information moves so much faster than its paper counterpart that, when things go wrong, they can go very wrong, very fast. The first step to minimising this risk is to take the time to work out how things might go wrong and how to deal with them when they do.

As one example of ‘things going wrong', consider Testsafe, the Auckland Regional Results Repository. As GPs north of the Bombay Hills will know, Testsafe is a DHB-run database of test results. Results go onto the database and are available to treating clinicians. Access to the database is logged and audited, and patients (and GPs) can opt off at any time.

So far so good - except when the opt-off doesn't work. Testsafe was advised in June that the data of 150 patients was accidentally exposed. This is a major concern, both for the risk to the privacy of the patients concerned, and to the integrity of the scheme itself.

I was pleased to see that Testsafe acted responsibly on being told about the breach, taking prompt steps to work out what went wrong, fix it, and to offer patients the opportunity to discover who might have seen their information. Testsafe also contacted us to let us know what had happened and what it was doing to fix the problem.

Time will tell what effect this breach has had on the relationship of trust between Testsafe, GPs and the people whose health information it holds, and therefore how effective the results repository can continue to be. Trust is the oldest network of all. And, in matters of healthcare, possibly the most important.

NZ Doctor Series - Privacy Matters (# 17)

Thu, 15 Oct 2009 15:46:27 +1300

September 2009

Early physicians thought mental illnesses was influenced by the phases of the moon. The term ‘lunatic' is a remnant of this tendency to blame external agencies for the inexplicable.

Of course, we're all much more civilised these days...and yet, in some ways, a similar stigma remains.

This can make treating a patient with a mental health condition more complex than it should be. There is an expectation, perhaps fostered by some kinds of media coverage, that society needs to be kept safe from the mentally unwell and that their privacy should therefore be forfeit.

I do not subscribe to this view. People don't lose all their rights to control their information just because they are physically sick - so why should it be different when their sickness is mental?

That said, there's a balance to be struck. Family or partners are a crucial part of helping mental health consumers recover, and genuine concerns about safety (of the patient or of someone else) can always be communicated.

In fact, the laws regulating health information place considerable discretion in the hands of clinicians.

This can be both good and bad. While the decision to disclose should rest with the person having the ultimate ethical responsibility to his or her patient, this discretion can be a heavy burden.

Clinicians need to be open about what is going to happen with their patients' information and to discuss with their patients ahead of time, if possible, how disclosure is to be managed.

Another complication is where patients give permission for you to talk to family or partners when well, then withdraw it when sick. In general, though, if you collected information for a purpose you can use it for that purpose, so the discretion will remain with you as a GP.

If it is not practical to get permission ahead of time, then exceptions to rule 11 of the HIPC allow disclosure:

• to an individual's ‘representative' when they are unable to exercise their rights (e.g. because of their current mental condition)[1];
• of someone's presence in a hospital, unless they've asked for their presence there to be kept secret[2];
• to a person's principal caregiver of the fact that they have been (or are going to be) released from compulsory status under the Mental Health (Compulsory Assessment and Treatment) Act[3];
• to a patient's relatives where it's not practical to get the patient's consent and the patient hasn't vetoed the disclosure[4].

A practitioner can also be put in a difficult position when external parties want to get access to information he or she holds in confidence. The bottom line is that if you don't want to disclose information, you generally will not have to. It's the GP's responsibility, and it will normally be the GP's decision.

I've developed some guidance notes in this area which will be available in draft form on my website at www.privacy.org.nz shortly. And always remember my enquiries line if you have a difficulty or dilemma - 0800 803 909.

[1] Rule 11(1)(a)(ii)
[2] Rule 11(1)(e)
[3] Rule 11(1)(g)
[4] Rule 11(2)(b)

Credit Reporting and Privacy: Reviewing the Code

Thu, 15 Oct 2009 14:29:24 +1300

See below to download the Privacy Commissioner's speech to the NZ Credit and Finance Institute Conference held in Auckland on 16 October 2009.