Privacy health check: Diagnosing for law reform
PMAANZ Conference, 10 September 2016
Daimhin Warner, Director (Auckland), Simply Privacy Ltd

Law reform is coming: Time to get your house in order
What is privacy and why is it important?
What is coming in the law reform?
Privacy health check: What is your prognosis?
Protecting health information
Sharing health information
Consequences of a privacy breach
Health case studies
Privacy is about:
preserving individual control
protecting autonomy and dignity
giving people meaningful choices
The Privacy Act and the Health Information Privacy Code
Promote and protect individual privacy
12 Health Information Privacy Rules (a roadmap for compliance)
Health agencies have obligations (purpose and openness)
Patients have rights (access and correction)
Privacy law focuses on awareness rather than consent
It is all about reasonableness

What information does it cover?
Health information is information about a patient's:
medical history
disabilities
health services used
administrative dealings with a health agency
So, it is really everything you hold about a patient
Why does privacy matter?
Health information is a key asset and a key risk
High public (and media) interest in privacy: the public cares
Recent high-profile privacy breaches are driving change
Privacy is becoming a point of difference for agencies
Getting it wrong will impact:
patient trust
reputation
your ability to collect the health information you need
staff loyalty and morale

And don't forget:
You are liable for the actions of your employees
You are liable for the actions of third-party contractors and service providers
The Privacy Act applies to information you hold overseas
You cannot contract this liability out!
Personal and domestic affairs are excluded (but note the Harmful Digital Communications Act)
Health Information Privacy Rules
1. Only collect the information you need
2. Get it from the person concerned
3. Tell them what you're doing
4. Be ethical when you're doing it
5. Take care of the information once you've got it
6. They can see it if they want to
7. They can correct it if it's wrong
8. Make sure it's accurate before you use it
9. Get rid of it when you're done with it
10. Only use it for the purpose you got it for
11. Only disclose it if that's why you got it
12. Be careful with unique identifiers
The Privacy Act is growing some teeth
Privacy law reform
Mandatory breach notification:
material breaches = notify the OPC
serious breaches (real risk of harm) = notify the OPC and affected customers
offence for failure to notify = fine of up to $10,000
Increased powers for the Privacy Commissioner:
enhanced own-motion inquiry powers
power to issue compliance notices (cease and desist!)
power to make access determinations

Privacy law reform
New cloud computing accountability provisions:
will make explicit that agencies are responsible for information held in the cloud
will require more openness with customers about use of third parties
Harmful Digital Communications Act:
creates a new avenue of complaint about social media activities
limits the "publicly available" exceptions to principles 10 and 11 where disclosure would be unfair or unreasonable
should inform any social media policy for agencies and staff
Privacy Health Check
Who is your Privacy Officer?
What personal information do you collect and hold?
How is information being used, and who is it being disclosed to?
What are patients and whanau told about this?
Where is information stored, and is a third party involved?
How long is information retained for?
Do you have a breach management plan?
Do all staff know what is expected of them?

Privacy is everyone's responsibility
Information security
You must take reasonable steps to protect personal information against:
loss;
unauthorised access, use, modification or disclosure; or
other misuse.
What is reasonable depends on the context.

Information security
Remember: privacy is everyone's responsibility
Training and awareness
System access and protection (employee browsing risk)
Responsible transmission of information
Precautions when dealing with the public
Clear desks
Sound BYOD and work-from-home policies

Retention
Health information must not be retained for longer than it is needed
Think about:
lawful purposes
statutory requirements (Health (Retention of Health Information) Regulations 1996): a minimum of 10 years from the last date of care for the patient

Everyone makes mistakes. It is how you manage them that counts
Privacy breach management
Contain
What has happened?
Is there anything you can do to retrieve or secure the information?
Evaluate
What harm could result from the breach?
Is there anything you can do to minimise this?

Privacy breach management
Notify
Should the affected people be made aware of the breach?
How will you notify them? (Be personal.)
Should the Privacy Commissioner be notified?
Prevent
How did the breach occur?
What lessons can be learned from it?
Are there steps that can be taken to prevent a repeat?
Every patient has the Right to Know
Access: The Right to Know
Patients have a strong right to know
Remember section 22F of the Health Act: requests can come from:
the patient
the patient's representative
where the patient is dead, a personal representative
where the patient is under 16, a parent or guardian
where the patient is unable to consent, a person acting lawfully on their behalf or in their interests
the patient's new health provider

Access: The Right to Know
Records can be owned; information cannot
Precautions must be taken to verify identity
Requests don't have to be in writing
You can provide assistance to the requester
You should transfer the request if you don't hold the information or feel uncomfortable releasing it
The patient can veto representative access

Access: The Right to Know
A decision must be made as soon as possible, and no later than 20 working days after the request is received
Information must then be released without undue delay
You cannot charge, unless:
the information was already released within the last 12 months
the information is expensive to reproduce
There can be good reasons for refusing a request

Access: The Right to Know
You can withhold information from patients, but only for certain reasons, such as:
it is mixed information and releasing it would breach someone else's privacy (section 29(1)(a))
releasing the information would endanger safety (section 27(1)(d))
releasing the information would be contrary to an under-16's interests (section 29(1)(d))
the information is not readily retrievable or does not exist (section 29(2))
The Privacy Act is an enabler, not a barrier
Disclosure of information: When you must
Some laws require disclosure (these override the Privacy Act):
Land Transport Act 1998
Cancer Registry Act 1993
Court order (search warrant)

Disclosure of information: When you're asked
Some laws require disclosure on request (these override the Privacy Act):
Official Information Act 1982 (but only if you're public sector)
Rule 6 of the Health Information Privacy Code
Sections 22F or 22C of the Health Act 1956

Disclosure of information: When you want to
Some laws permit disclosure (these override the Privacy Act):
Children, Young Persons, and Their Families Act 1989
Medicines Act 1981 and Misuse of Drugs Act 1975
Protected Disclosures Act 2000

Disclosure of information: When you want to
Does rule 11 of the HIPC permit disclosure?
authorised by the patient or their representative
purpose for collection (check your privacy statement)
fact of death
Or where authorisation is not possible:
directly related purpose
statistical or research purposes
to prevent or lessen a serious threat
maintenance of the law or conduct of court proceedings

Disclosure of information: Things to consider
Ethical obligations
Privacy outlasts death
Patient veto
The patient's best interests
Requests from family
Your privacy statement
Trust is harder to regain than it is to lose
What if it all goes wrong?
Complaint to the health agency from the patient
Privacy complaint to the OPC
Referral to the Director of Human Rights Proceedings
Human Rights Review Tribunal and beyond
Naming
Potential for media interest

Health case studies
The nosey employee: employee browsing of records. Settled $$
The stamp on the envelope: mental health stamp visible on the envelope. Settled $$
A promotional photo: online photo linked to the name of a patient. Settled $$

Stay in touch!
simplyprivacy.co.nz
@Simply_Privacy
info@simplyprivacy.co.nz
Practical advice
Privacy impact assessments
Privacy health checks
Training
Breach investigations
Privacy Officer services