We all start our lives as zygotes. At times over the last three months I’ve felt a little zygotic in my new life as Privacy Commissioner, but the magic of cell-multiplication is working for me. I’ve listened to all the wise advice to keep my head down and my mouth shut, and, largely, ignored it. In line with this, there are three things I want to say to my thoughtful audience of GPs.
First thing is: ‘this is who I am’. I’ve worked in health for a long time; back in the 1990s, I lawyered for the Ministry of Health before striking out in a field called information law. I sued a DHB on behalf of ex-patients who suffered terrible abuse at Lake Alice. I advised the Royal College on a variety of matters. I trained bright-eyed clinicians and public servants on the intricacies of the Official Information and Privacy Acts. I worked as a District Inspector of Mental Health for 15 years, trying to make lives of patients, if not better, at least not any worse. I also wrote a lot of privacy impact assessments reviewing health IT projects, like the first big National Health Index revamp, and leaning on the horn when I saw privacy snarl-ups down the road.
Second thing: ‘this is what I care about’. Privacy isn’t an obscure topic for pointy-heads. It’s integral to the way we live our lives, and the way our children will live theirs; you only need to look at the proliferation of privacy-focused apps like Snapchat, Whisper and Secret to see how important it is to them. Growing up in the 21st century information soup means it will also probably be easy for them. I want to make privacy easy for everyone.
By that I mean that I want to make privacy easy for clinicians and DHBs and PHOs to comply with; make sure they make privacy an easy option for health consumers to choose; and make it easy for people to access effective remedies when their privacy is breached.
Because privacy isn’t just about keeping things secret. In health, particularly, information needs to flow or people might die. Health information needs to be used in support of good professional practice or people won’t get the care they need. And there’s a sense that the public are ready for a much more direct engagement with their own information by way of health portals and the like; if it’s okay to look at your bank records over the internet, the argument goes, why not your health information too?
This argument has some merit, though it skips over one crucial detail. A bank is an organisation, Kiwibank or ANZ or whatever. By contrast the health sector is vast and multifarious, with NGOs and DHBs and PHOs. Based on our surveys people trust it, but that might just be because they don’t understand how extensive and complex it really is.
And that’s a real risk, in these post-Snowden, post-ACC, times of heightened public and media concern about privacy. Health IT people have been beavering away and building log-dams to catch the cold, clear mountain streams of health information – shared care records, regional results, repositories, Manage My Health, Testsafe – and to make it available for the sector. There’s every chance that, soon, the public are going to look at all the tree stumps and wonder where their privacy went.
In fact it will be where it’s always been – in the law, and in the trust they place in you, as GPs and as the custodians of their health information. I’ve worked in health for long enough to know that this trust is nearly always justified, but that doesn’t mean you’re not going to have to make some changes.
For instance, the law says you need to know where the information you collect is going and that you have to tell your patients. Do you know where the information you collect is going?
It says you need to ask your patients before you look at their shared care record, unless there’s a good reason. Do you do that?
It says you can nearly always say ‘no’ when you get a request from someone who isn’t a patient for information you’re not comfortable with providing. Did you know that?
You can always come to my office when you want to know more. Call our enquiry line, visit our website, drop us an email, write us a letter.
That leads me to the third thing, which is to ask you, ‘what else do I need to know?’ We’re a small office and can’t be everywhere. If you see something that you think needs our attention then I hope you’ll tell us.
Some of the issues that are already on my radar are multi-agency information sharing to improve child safety (done properly it shouldn’t present problems), OPC guidance on shared care records (coming out soon) and overall health sector governance (working on it with the National Health IT Board). That’s a list that covers plenty of ground, but I can always do with some pointers on where to look next.
Looking forward, the next lot of columns will be written by my senior health policy advisor, Sebastian Morgan-Lynch. Sebastian has been working with the sector since 2006 and claims it is all starting to make sense to him now. Drop him a line at firstname.lastname@example.org if you think there’s something he needs to know or if there’s something he can help you with.
As for me: beginnings are delicate times, but I’m not going to let that stop me doing the right thing, working hard to make privacy easy.