Privacy protectionism and health information: Is there ...

Nov 27, 2012 - Health information collected by governments can be a valuable ..... Public Health Act 2005 (Qld), s 217; Public Health Act 2010 (NSW), s 54.
Privacy protectionism and health information: Is there any redress for harms to health?

Judy Allen, C D’Arcy J Holman, Eric M Meslin and Fiona Stanley*

Health information collected by governments can be a valuable resource for researchers seeking to improve diagnostics, treatments and public health outcomes. Responsible use requires close attention to privacy concerns and to the ethical acceptability of using personal health information without explicit consent. Less well appreciated are the legal and ethical issues that are implicated when privacy protection is extended to the point where the potential benefits to the public from research are lost. Balancing these issues is a delicate matter for data custodians. This article examines the legal, ethical and structural context in which data custodians make decisions about the release of data for research. It considers the impact of those decisions on individuals. While there is strong protection against risks to privacy and multiple avenues of redress, there is no redress where harms result from a failure to release data for research.

* Judy Allen, B Juris, LLB, LLM, Assistant Professor, School of Law, The University of Western Australia; C D’Arcy J Holman, MBBS, LLB (Hons), MPH, PhD, Winthrop Professor, School of Population Health, The University of Western Australia; Eric M Meslin, PhD, Indiana University Center for Bioethics, Indiana University Center for Law, Ethics and Applied Research (CLEAR) in Health Information; Fiona Stanley AC, MSc, MD, FAFPHM, Distinguished Research Fellow, The University of Western Australia, Patron of the Telethon Institute for Child Health Research and Vice-Chancellor’s Fellow at the University of Melbourne. Judy Allen is a consultant to the Population Health Research Network. Eric Meslin was previously supported by the University of Western Australia Institute of Advance Study Professor-at-Large program; currently supported by NIH grant # UL1RR025761-01; Department of Health and Human Services, Office of the National Coordinator, award # 90HT0054/01; and the Pierre de Fermat Chaire d’Excellence Program, Region Midi-Pyrenees/ Inserm, Universite Paul Sabatier, France.

Correspondence to: Judy Allen, University of Western Australia, M253, 35 Stirling Hwy, Crawley, WA 6009, Australia; email: [email protected].

(2013) 21 JLM 473

© 2013 Thomson Reuters (Professional) Australia Limited for further information visit www.thomsonreuters.com.au or send an email to [email protected]

Please note that this article is being provided for research purposes and is not to be reproduced in any way. If you refer to the article, please ensure you acknowledge both the publication and publisher appropriately. The citation for the journal is available in the footline of each page.

Should you wish to reproduce this article, either in part or in its entirety, in any medium, please ensure you seek permission from our permissions officer. Please email any queries to [email protected]

INTRODUCTION

There is widespread acceptance that the privacy[1] interests of individuals in the use and disclosure of their personal health information should be protected. These interests should be balanced against the public interest in beneficial health research using information obtained from individual records. The familiar dialogue addressing this balance has included strong voices on the need to take privacy seriously and persuasive advocacy on the importance and benefits of research, particularly health research. This dialogue has now shifted, with increasing emphasis on the ethical obligation of governments to use data for the public good. The responsibility of government agencies to maximise the beneficial use of the data they collect has been recognised in Australia in the Principles on Open Public Sector Information published by the Australian Information Commissioner, which state that “Information held by Australian Government agencies is a valuable national resource. If there is no legal need to protect the information it should be open to public access.”[2]

Researchers, particularly in the health arena, have responded to privacy concerns over many years by developing protocols that protect privacy and improve the security of research data. At the forefront of this trend has been the emergence of data linkage systems that have enabled research to be performed using anonymous[3] health data in situations where researchers previously had no practicable option but to access patients’ personal identities without consent. The security of data is being enhanced by the development of secure access facilities such as the Secure Unified Research Environment (SURE).[4]

In Australia and elsewhere, from North America to Europe, legislatures have been active in passing a proliferation of statutes governing the use and disclosure of personal information. Research governance has developed a sharper focus on privacy issues. Research ethics committees play a pivotal role in assessing the balance between protecting privacy and the public benefit in research using health records. Data custodians have responded with the development of governing principles,[5] more rigorous approval processes, tighter security requirements, imposing personal contractual obligations on researchers and restricting data to the minimum required for each research project. These responses to privacy concerns have significantly reduced the risk that the use of information in research will cause harm to individuals or to the public interest.

These advances in privacy conservation are recognised by many data custodians, who are now working with researchers to facilitate important research. Some data custodians, however, are still reluctant to allow the data, even anonymous data, to be used for research despite the legality of its use, high standards of security and approval by ethics committees.[6] The refusal has taken the form of outright denial of access or, more often, intractable delays in approval or release. This has worried researchers who have expressed fears that increased regulation and defensive decision-making is hampering valuable research.[7]

Protection from physical harm is a positive concept globally endorsed in the governance of research involving human subjects. Preventing or at least reducing the risk of physical harm is among the most important responsibilities of research ethics committees. However, taken too far, protectionism has a negative connotation because of its close association with paternalism.[8] Strong protectionism, in particular, is associated with regulatory regimes that result in greater harm than the risk they seek to address.

[1] The term “privacy” is used here to refer to informational privacy and the general interest in controlling information about oneself. Although the term “confidentiality” is sometimes regarded as a synonym for privacy, it is confined in this article to its legal use in the context of a legal duty of confidentiality. This is a duty that protects a number of different interests, including individual informational privacy. The term “confidential information” is used to indicate information protected by a duty of confidentiality.

[2] Office of the Australian Information Commissioner, Principles on Open Public Sector Information: Report on Review and Development of Principles (May 2011), Principle 1, http://www.oaic.gov.au/news/consultations.html#info_policy_paper viewed 25 February 2012.

[3] In this article the descriptor “anonymous” means that the individual’s identity is not apparent and cannot be reasonably ascertained by the holder of the information. Therefore, “anonymous information” is the opposite of “personal information” as it is defined in Australian privacy legislation. The classification of the information as “anonymous” under this definition requires an examination of the variables received by the researcher to assess whether they can reasonably ascertain the identity of individuals. The authors recognise that this definition may be different from that proposed by others, but note that consensus on terminology in this area has been difficult to achieve. See eg Lowrance WW and Collins FS, “Identifiability in Genomic Research” (2007) 317 Science 600; Knoppers BM and Saginur M, “The Babel of Genetic Data Terminology” (2005) 23 Nat Biotechnol 925 at 927; Schmidt H and Callier S, “How Anonymous is ‘Anonymous’? Some Suggestions Towards a Coherent Universal Coding System for Genetic Samples” (2012) 38(5) J Med Ethics 304.

[4] Secure Unified Research Environment (SURE), Sax Institute, https://www.sure.org.au viewed 2 October 2012.

[5] Australian Government, High Level Principles for Data Integration Involving Commonwealth Data for Statistical and Research Purposes (3 February 2010).

[6] This is in sharp contrast to the approach recommended by the Office of the Australian Information Commissioner. “The OAIC encourages agencies to take the view, ‘that the beneficial use of government information should be maximised’ and be prepared to work with researchers with approved projects to access information that may not be suitable for general release.” See Australian Government, Office of the Australian Information Commissioner, n 2, p 6.

[7] Detmer DE, “Your Privacy or Your Health: Will Medical Privacy Legislation Stop Quality Health Care?” (2000) 12 Int J Qual Health Care 1; Al-Shahi R and Warlow C, “Using Patient-identifiable Data for Observational Research and Audit” (2000) 321 BMJ 1031; Grulich AE and Kaldor JM, “Individual Privacy and Observational Health Research: Violating an Individual’s Privacy to Benefit the Health of Others” (2001) 24 UNSWLJ 298; Upshur R, Morin B and Goel V, “The Privacy Paradox: Laying Orwell’s Ghost to Rest” (2001) 165 CMAJ 307; Kalra D et al, “Confidentiality of Personal Health Information Used for Research” (2006) 333 BMJ 196; Anderson R, “Undermining Data Privacy in Health Information: New Powers to Control Patient Information Contribute Nothing to Health” (2001) 322 BMJ 442; Davies C and Collins R, “Balancing Potential Risks and Benefits of Using Confidential Data” (2006) 333 BMJ 349.

[8] Dworkin G, “Paternalism” (1972) 56(1) The Monist 64; Feinberg J, The Moral Limits of the Criminal Law, Volume 3: Harm to Self (Oxford University Press, New York, 1989); Arnerson R, “Joel Feinberg and the Justification of Hard Paternalism” (2005) 11 Legal Theory 259.


The history of research involving human subjects can be seen as one in which these regimes have tended to wax and wane between strong and moderate protectionism.[9] Whereas the Nuremberg Code was an example of a strong protectionist guideline, eg by limiting research only to those who could consent, guidelines relaxed over time as researchers became more familiar with ethical requirements, and patients became more insistent about access to research.[10] Applying this same protectionist analysis to non-physical risks, such as release of personal information from administrative data sets, raises important questions, not the least of which is whether overly restrictive policies hamper research.[11]

This article adopts this notion of “privacy protectionism” and explores its significance in the context of health research using administrative data sets. Description and analysis is based on the Australian context, but the issues raised have widespread significance internationally. A hypothetical example is used to illustrate the dangers of privacy protectionism, with the focus on the potential harms to individuals from the denial or delay in access to administrative data for research. The regulatory framework in Australia in which these decisions about the use of health data for research are being made is described and the risks to individuals of using their health information in health research and the risks to individuals of not doing the research at all are compared. The authors also note the difficulty in comparing the risks and potential benefits to individuals against the risks and potential benefits to groups or society at large. They compare the legal redress open to individuals who suffer harm if these risks eventuate. The conclusion discusses the socio-political environment and the causes of defensive decision-making and suggests ways in which privacy protectionism can be avoided.

A HYPOTHETICAL ILLUSTRATION

This illustration is fictitious; however, it mirrors relevant real-life facts and the collective experiences of the authors. It illustrates that the dangers of privacy protectionism are not abstract, but can cause real harm to individuals.

“Maleveril” is a new and therapeutically valuable drug approved under the Therapeutic Goods Act 1989 (Cth) for use in pregnancy. It has become a favoured drug in Australia because, unlike the more expensive alternative, it does not require a special authority script. There are now anecdotal reports that it increases the risk of certain birth defects (as happened with thalidomide in the 1970s) so there is an urgent need for post-marketing adverse event analysis in pregnant women and their babies. Australia is the ideal place for such research due to the high utilisation of the drug and because it has total population collections of birth defects in almost every State. These birth defect data collections were established in Australia (and many other countries) after the thalidomide disaster when inadequate records hampered investigative studies. One of the stated aims of establishing the population registers of birth defects was to detect another thalidomide disaster more rapidly.

An Australian research team from a child health research institute run by a charitable trust applies for anonymous linked data[12] from the Pharmaceutical Benefits Scheme and from statutory registers covering birth defects, obstetric care, hospital inpatient episodes and death data sets to evaluate the hypothesis that Maleveril increases birth defects. They have approval from their local university human research ethics committee and the local health department’s ethics committee. The research conforms to the strict guidelines for human research and has the strong support of the institute’s consumer and community advisory group. The researchers obtain approval for the release of data from some of the data custodians; however, the researchers are frustrated because they are unable to obtain the approval of one of the data custodians. Barriers and delays are raised in the name of privacy. Eventually, after five years of delay, the funding for the project expires and the project is abandoned.

Meanwhile, researchers in Canada, with their own linked data, have demonstrated clearly that Maleveril causes a rare combination of cardiac and facial defects and they sound the alarm. The drug is withdrawn from use in pregnant women in Australia and elsewhere.

Angry Australian parents, who suspect that their children have been adversely affected by the drug, organise themselves into an action group to lobby the government to permit the Australian research to proceed. They want to use the results as potential local evidence that they have been victims of the drug, but they understand that anonymous data about them alone (for which they would willingly give consent) is useless. The researchers need the anonymous data on everyone exposed to the drug, regardless of whether they have an affected baby or not to accurately ascertain the risk. Eventually, the researchers are given “special” access to the data as they originally proposed. The retrospective results confirm that the problems found with the drug in Canada apply equally in Australia.

Due to the delays, Maleveril has remained on the market for seven years longer than it would have if the research had gone ahead when it was first proposed. In that time it is estimated that 210 severely malformed babies have been born in Australia as a result of the use of Maleveril. One family has two severely disabled children following in utero exposure to the drug over the last three years and they believe that the government’s policies have caused their children’s disabilities. They ask why the anonymous data, which were available and could have been used legally, were not used to prevent this disaster and to avoid the severe malformations in their children. They want to know who is responsible and whether there is any redress for the harm suffered by their children.

[9] Moreno JD, “Goodbye to All That: The End of Moderate Protectionism in Human Subjects Research” (2001) 31(3) Hastings Center Report 9.

[10] Kahn JP, Mastroianni AC and Sugarman J (eds), Beyond Consent: Seeking Justice in Research (Oxford University Press, New York, 1998).

[11] Gates GW, “How Uncertainty about Privacy and Confidentiality is Hampering Efforts to More Effectively Use Administrative Records in Producing US National Statistics” (2011) 3(2) Journal of Privacy and Confidentiality 3.

[12] The protocol used for linkage of administrative health data in Australia enables data custodians to provide researchers with data which have had names, addresses and other identifiers removed. The data for a project from different sources are merged using an alphanumeric key created for that particular research project only.

THE REGULATORY CONTEXT

The data sought by the researchers in this hypothetical case study are administrative data regularly collected by government departments for public purposes, which include monitoring disease and planning and funding health care services. These statutory data sets, such as those in the hypothetical example, usually contain identifiable information relating to individuals. Importantly, however, it is only summary information and should be clearly distinguished from the much more detailed patient health records that are used for patient care. Typically, the information is collected from health care providers without patient consent under mandatory reporting requirements.[13]

One of the strongest justifications for restricting an individual’s control over their health information is the public benefit flowing from the collection and use of statistical information about health and health services.[14] Community acceptance of this justification relies, first, on minimising the risks to the individual and the intrusion on their privacy; and, secondly, on using the information well in order to maximise the public benefits. An appropriate regulatory framework is needed to protect people from harm caused by the disclosure of health information and to protect individual interests in controlling their personal information. The regulatory system for administrative data should, however, also facilitate the beneficial use of the data.

The statutory data collections in the hypothetical scenario are established by legislation that authorises the collection, use and disclosure of the information.[15] The privacy of patient information is protected by legal duties of confidentiality from three sources:

• First, information collected under statutory powers can only be used or disclosed for the purposes authorised by the statute and must be treated as confidential.[16] Government bodies holding statutory data collections come under this duty which Brennan J of the High Court of Australia has described as “closely analogous to a duty imposed by equity”.[17]
• Secondly, the general duty of confidentiality in equity will apply to everyone receiving personal health information, including researchers.[18]
• Thirdly, the authorising statutes often expressly impose statutory duties of confidentiality on the data custodian and its employees and sometimes on all recipients of the information.[19]

Exceptions to these express statutory duties of confidentiality typically include a research exception and give the minister or the chief executive of the relevant government department discretion to authorise the release of the data for research judged to be in the public interest.[20] These provisions authorise the release of information and provide an exception to both the statutory and the equitable duty of confidentiality.[21]

The privacy of personal information in administrative data sets is also protected by the network of information privacy legislation in Australia.[22] These statutes limit the lawful use and disclosure of information[23] and apply to information where the identity of the individual is apparent or reasonably ascertainable.[24] This includes information in administrative data sets, where it is held in a form that identifies individual patients. The information privacy statutes, however, do not apply to the information sought by the researchers in the hypothetical example since it is not personal information. Data linkage protocols adopted in Australia enable data custodians to provide information from multiple data sets, which can then be merged for a particular research project without disclosing any identifiable information.[25] The initial creation of linkage maps uses identifiable demographics; however, once the linkages have been made, data custodians can extract anonymous data for analysis. In the illustration above, the researchers would not reasonably be able to ascertain the identity of individuals from the information they would receive.[26]

If a research project does require personal information, the information privacy statutes apply and the disclosure of the information will be limited by the terms of the applicable statutes. All the relevant statutes provide for the use and disclosure of personal information for research without the individual’s consent where it is impracticable to obtain consent.[27] The terms of the exception in the various statutes vary, but all of them require that the research is approved by an authorised Human Research Ethics Committee (HREC) applying the National Health and Medical Research Council Guidelines.[28] The HREC must be satisfied that the public interest in the research significantly outweighs the public interest in privacy. The public interest in privacy is in ensuring that patients continue to entrust confidential information to health care professionals and communicate frankly. Relevant factors include the sensitivity and the degree of identifiability of the information, the security measures to protect the information, and the scientific merit and importance of the research (often referred to as the “validity and value” proposition).[29] Where the HREC has approved the research, the disclosure of information will not be in breach of the privacy principles.

Despite its complexity, the legal framework does demonstrate a clear intention to balance the public interests in research with the protection of privacy. In the hypothetical example, there are no legal obstacles to the release of the data for the research project. The necessary approvals have been obtained. The HREC has made the judgment that the greater public interest is with the conduct of the research; however, the ultimate authority to release the data remains with the data custodian.

[13] For example, Health Act 1911 (WA), s 335; Hospital and Health Services Act 1927 (WA), s 26S; Cancer Act 1958 (Vic), s 60; Public Health Act 2005 (Qld), s 217; Public Health Act 2010 (NSW), s 54.

[14] President’s Council of Advisors on Science and Technology (PCAST), Report to the President Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: A Path Forward (Executive Office of the President, PCAST, Washington DC, December 2010) p 108, http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-itreport.pdf viewed 15 February 2012.

[15] The PBS data are collected under the National Health Act 1953 (Cth), s 99AAA(8). The data in the other collections are collected under State legislation governing each collection. For example, in Western Australia the relevant legislation is the Health Act 1911 (WA), s 335; the Hospital and Health Services Act 1927 (WA), s 26S; and the Births Deaths and Marriages Registration Act 1998 (WA), ss 12, 40.

[16] Johns v Australian Securities Commission (1993) 178 CLR 408.

[17] Johns v Australian Securities Commission (1993) 178 CLR 408 at 424.

[18] The equitable duty of confidentiality is imposed on a person who receives information of a confidential nature in circumstances importing a duty of confidence: Coco v AN Clark (Engineers) Ltd [1969] RPC 41; Moorgate Tobacco Co Ltd v Philip Morris Ltd (No 2) (1984) 156 CLR 414; Stephens v Avery [1988] 2 WLR 1280; Smith Kline & French Laboratories (Aust) Ltd v Department of Community Services and Health (1991) 28 FCR 291. This includes personal health information collected in the course of providing health care. Use or disclosure will not be a breach of confidentiality, however, where the information has been anonymised: R v Department of Health; Ex parte Source Informatics Ltd [2001] QB 424.

[19] For example, National Health Act 1953 (Cth), s 135A(1); Health Services Act 1991 (Qld), s 62A; Public Health Act 2010 (NSW), s 130; Public Health Act 2005 (Qld), s 220; Health (Western Australia Cancer Register) Regulations 2011 (WA), reg 11.

[20] For example, National Health Act 1953 (Cth), s 135A(3); Public Health Act 2005 (Qld), ss 223, 281, 282; Cancer Act 1958 (Vic), s 61A; Public Health Act 2010 (NSW), s 130(d); Health (Western Australia Cancer Register) Regulations 2011 (WA), reg 12.

[21] Parry-Jones v Law Society [1969] 1 Ch 1; Hunter v Mann [1974] QB 767.

[22] Privacy Act 1988 (Cth); Information Privacy Act 2009 (Qld); Health Records and Information Privacy Act 2002 (NSW); Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2000 (Vic); Health Records Act 2001 (Vic); Personal Information Protection Act 2004 (Tas); Health Records (Privacy and Access) Act 1997 (ACT); Information Act 2002 (NT).

[23] Privacy Act 1988 (Cth), s 14, IPP 10 and 11, NPP 2; Information Privacy Act 2009 (Qld), IPP 2; Health Records and Information Privacy Act 2002 (NSW), HPP 10 and 11; Privacy and Personal Information Protection Act 1998 (NSW), ss 17, 18; Information Privacy Act 2000 (Vic), IPP 2; Health Records Act 2001 (Vic), HPP 2; Personal Information Protection Act 2004 (Tas), PIPP 2; Health Records (Privacy and Access) Act 1997 (ACT), PP 9 and 10; Information Act 2002 (NT), IPP 2.

[24] Privacy Act 1988 (Cth), s 6; Information Privacy Act 2009 (Qld), s 12; Health Records and Information Privacy Act 2002 (NSW), s 5; Privacy and Personal Information Protection Act 1998 (NSW), s 4; Information Privacy Act 2000 (Vic), s 3; Health Records Act 2001 (Vic), s 3; Personal Information Protection Act 2004 (Tas), s 3; Health Records (Privacy and Access) Act 1997 (ACT), s 4; Information Act 2002 (NT), s 4.

[25] Kelman CW, Bass AJ and Holman CDJ, “Research Use of Linked Health Data: A ‘Best Practice’ Protocol” (2002) 26 Australian and New Zealand Journal of Public Health 251.

[26] In WL v La Trobe University (General) (2005) 24 VAR 23; [2005] VCAT 2592 at [42] Coghlan DP held that identity was not reasonably ascertainable where “more than moderate steps” were required.

[27] Privacy Act 1988 (Cth), s 95, NPP 2.1(d); Information Privacy Act 2009 (Qld), IPP 2.1(c); Health Records and Information Privacy Act 2002 (NSW), HPP 10(f) and 11(f); New South Wales Privacy Commissioner, Direction on Disclosure of Information by Public Sector Agencies for Research Purposes (23 December 2011); Information Privacy Act 2002 (Vic), IPP 2.1(c); Health Records Act 2001 (Vic), HPP 2.2(g); Personal Information Protection Act 2004 (Tas), PPIP 2.1(c); Health Records (Privacy and Access) Act 1997 (ACT), PP 10.3; Information Act 2002 (NT), IPP 2.1(ca).

[28] Australian Government, National Health and Medical Research Council (NHMRC), National Statement on Ethical Conduct in Human Research (2007); NHMRC, Guidelines Under s 95 of the Privacy Act 1988 (2000); NHMRC, Guidelines Approved under s 95A of the Privacy Act 1988 (2001).

[29] Freedman B, “Scientific Value and Validity as Ethical Requirements for Research: A Proposed Explication” (1987) 9(6) IRB: Ethics and Human Research 7.

[30] Feinberg, n 8.

BALANCING THE RISKS AND POTENTIAL BENEFITS

The study described in the hypothetical example involves the use of information collected from thousands of mothers and children in statutory data sets. On its face, such a study necessarily raises concerns about whether the privacy of the mothers and children can be adequately protected and whether privacy breaches (accidental or intentional) may result in psychological or economic harms as damaging as a physical injury. The risk of defaming someone’s reputation (or that of their family), or of discrimination in employment and insurance, are non-trivial consequences that can affect a person’s long-term wellbeing. When the information is about children, considered vulnerable because they are unable to protect their own interests by consenting or declining to participate, imputed harms may be greater.

How, then, to evaluate risk in the hypothetical example and how to compare the risks to participants against the potential benefits? Accepted governance approaches understand risk as the probability and magnitude of a possible future harm to an identified individual, taking into consideration various factors including the potential harm’s duration, reversibility, and impact on one’s capacity and interests.[30] This accounts for the accepted distinction in many guidance documents between different levels or degrees of risk.[31] This model works well for traditional medical research involving clinical trials where the protectionist justification focuses primarily on risk reduction and less on benefit production, but in the hypothetical example a complexity arises: the risks are borne by individuals, but the potential benefits are enjoyed by the public in the form of improved public health strategies. This situation has been described as an incommensurability problem, where risks and potential benefits from the conduct of research are unevenly experienced.[32]

A further complication, applicable to research generally, is the incommensurable impact on individuals and groups from the failure to conduct research. The hypothetical example illustrates that administrative decisions restricting or delaying access to data for research can result not only in a generalised loss of benefit from the research but can have a direct and catastrophic impact on the health of particular individuals. The focus on the risks of information disclosure should not obscure the harms that can be caused by failing to conduct research. Indeed, it may be unethical not to conduct research with such collected data.[33]

The presence of such incommensurabilities may not be fatal to data linkage research so long as steps to reduce risk can be implemented. Chief among these are the high standards of physical and administrative security to prevent any unauthorised disclosures. One of the most important privacy-protecting advances has been the development of data linkage. The hypothetical example illustrates how data linkage enables research to be undertaken without giving researchers access to any identifiable information. Where researchers are only given anonymous information and the security standards required are rigorous, the possibility of any individual suffering a privacy-related harm from the disclosure of this information is minimised.
However, the small risk to individuals can be overshadowed in practice by more generalised concerns. The accidental loss or misuse of even anonymous information could damage public confidence in data custodians or in researchers generally. The regulation of the use of health information for research must find an appropriate balance between the risks to individual privacy and the benefits of research. Denying access to health data held in administrative collections may be an attractive, though simplistic, response to protect privacy, but this means that the potential benefits are denied, with real consequences for individual health and for the quality, efficiency and equity of health service delivery.

DOES THE LAW PROVIDE REDRESS FOR THESE HARMS?

This section of the article considers the legal redress that would be available to individuals if they were harmed by breaches of privacy as a result of a decision to permit the use of the data for the research. It is then compared to the redress available to individuals who are harmed by decisions that prevent the conduct of research.

Legal redress for accidental or deliberate misuse of information

In the hypothetical scenario the data are anonymous, so the probability of privacy harms from the identification of individuals is very low.34 Suppose, however, that there had been accidental or deliberate misuse of the information by the researchers that resulted in such an injury. What legal redress would a person who suffered a privacy injury have against the researchers or the data custodians?

Misconduct by researchers attracts criminal, civil and professional penalties. Statutes that impose a duty of confidentiality usually impose a criminal penalty for its breach35 and some of these penalties extend to a researcher. For example, if a researcher improperly disclosed information collected under the National Health Act 1953 (Cth), they would commit an offence punishable by up to two years imprisonment or a fine of $5,000 or both.36 These penalties are attracted irrespective of any harm suffered by individuals. They rightly reflect the grave harm to the public interest in privacy and confidentiality resulting from the wrongful disclosure of health information.

An individual who has suffered harm from a breach of a duty of confidentiality may also seek civil redress in the courts against the researcher or the research institution. Equity will provide a remedy where there is an unconscionable use or disclosure of confidential information.37 Where the confidential information is of a personal and intimate nature, then the humiliation and indignity of disclosure or misuse is sufficient harm without further proof of detriment to the patient.38 Where, however, the identity of the individual is protected by anonymisation, personal integrity is not undermined and there will be no unconscionable use or disclosure and no breach of confidence.39 If, however, the person has suffered an injury such as a recognised psychiatric illness or financial harm as a result of the misuse of the information or a negligent breach of security, then there may also be an action in negligence against the individual researcher or the research institution.40 If the conduct is deliberate, then aggravated41 or exemplary damages,42 as well as compensatory damages, would be available in a negligence action in some jurisdictions.43

Complaints about misconduct in health research can be made under information privacy legislation and under health ombudsman legislation.44 In the hypothetical example, the research is being conducted by an independent research institute, an organisation governed by the Privacy Act 1988 (Cth), so an aggrieved person could complain to the Office of the Australian Privacy Commissioner if there was a breach of the principles in the handling of personal health information by the researchers.45 If the research is conducted in a State entity, such as a university, then a complaint could be made under the relevant State and Territory Information Privacy Acts46 or in Western Australia and South Australia to the health ombudsman.47 Powers held by these bodies include investigation, conciliation and determination of complaints, and the outcomes include apologies, change of practices and compensation for financial and non-financial loss. Where the researcher is a registered health practitioner, complaints can also be made or referred to the relevant professional registration board and the researcher risks de-registration.

Researchers will also be subject to contractual obligations. Data custodians generally require that each researcher enter into a contract that includes confidentiality terms.48 A researcher who breaches this agreement would be subject to contractual penalties. There would also be significant professional consequences. Breaches are likely to result in the withdrawal of the data and the cancellation of approvals for the project.49 A researcher who has engaged in misconduct is unlikely to be given data in the future and applications from other researchers at the research institution will be subjected to greater scrutiny. A researcher who breaches confidentiality terms may also be subject to misconduct proceedings under their contract of employment and may risk dismissal.

Thus, individual researchers face strong disincentives to the unlawful disclosure of information, including significant criminal penalties, the award of compensation against them and severe professional consequences. The consequences for research institutes are also potentially grave and include loss of public trust, loss of reputation and loss of financial support from community and government sources. While litigation is expensive, there would be strong incentives for defendants to settle.

A person who suffers a privacy injury may also have legal redress against the relevant data custodians. Breach of the statutory duties of confidentiality is generally a criminal offence under the empowering statutes.50 Public service data custodians are also subject to criminal penalties for misconduct in the course of their work.51 A civil action for breach of the duty of confidentiality, as discussed above, may also be available against a data custodian. These options will only be available, however, if the data custodian acts outside the terms of the statutory authorisation for the release of data. A civil action for breach of statutory duty may be arguable but once again only if there has, in fact, been a breach of the statutory duty of confidentiality.52 In addition, the plaintiff would have to establish a legislative intention to create a private right of action. The courts will take into account positive indicators in these circumstances, such as the fixed standard of conduct,53 the existence of a duty of care under the general law,54 and the intention to benefit the particular class of individuals55 whose personal information is held in the data collection; and negative indicators, such as the existence of a criminal sanction.56 In most jurisdictions in Australia, public authorities would have the protection of a statutory defence which excludes liability for breach of statutory duty unless the act or omission is so unreasonable that no authority would consider it a reasonable exercise of its functions.57

Data custodians could also be held accountable for privacy injuries caused by the accidental or deliberate release of data by researchers in the conduct of the research. In an action in negligence the plaintiff would have to establish that the data custodian had failed to take reasonable care to ensure that the researchers properly secured the information. It is unlikely that this would succeed, however, where the data custodian has acceptable procedures that require researchers to adopt appropriate levels of security.58 Contractual arrangements are used to ensure that the research institution indemnifies the data custodian for any liability arising from the research use of the data. Therefore the weight of the legal risk for breaches of privacy lies on the research institution.

An individual aggrieved by a breach of privacy during research has an array of administrative procedures and complaints processes that are cheap and easily accessible. In addition, a number of promising causes of action are available if they choose to litigate. While some litigation avenues are open against data custodians, they will not be available if the data custodian has complied with statutory requirements and has appropriate procedures in place to ensure that researchers adopt good data security practices. The principal legal risk is borne by the individual researchers and the institutions that employ them.

31

See eg in Australia, the NHMRC, n 28 (2007), Ch 2.1, which distinguishes between “low” and “negligible”; and, in the United States of America, the Department of Health and Human Services, Code of Federal Regulations, 45 CFR 46.102(i) where the regulatory term is “minimal risk”.

32

Martin DK, Kohut N, Meslin EM et al, “The Incommensurability of Research Risks and Benefits: Practical Help for Research Ethics Committees” (1995) 17(2) IRB: A Review of Human Subjects Research 8.

33

Stanley FJ and Meslin EM, “Australia Needs a Better System for Health Care Evaluation” (2007) 186 MJA 220.

34

Although the information is anonymous, and hence the identity of individuals is not “reasonably ascertainable” by the researchers who receive it, this does not completely exclude re-identification by coincidence or extraordinary effort. Concern has recently been expressed about the sufficiency of de-identification for privacy protection in other areas of health research: see Rothstein MA, “Is Deidentification Sufficient to Protect Health Privacy in Research?” (2010) 10(9) Am J Bioeth 3. In the field of genomic analysis it is theoretically possible to re-identify previously de-identified data. See eg Homer N, Szelinger S, Redman M et al, “Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High Density SNP Genotyping Microarrays” (2008) 4(8) PLoS Genetics 1. In addition, the data in the hypothetical example are re-identifiable by the data custodians who hold the identifying keys.

35

For example, National Health Act 1953 (Cth), s 135A(1); Health Services Act 1991 (Qld), s 62A; Public Health Act 2010 (NSW), s 130; Public Health Act 2005 (Qld), s 220; Health (Western Australia Cancer Register) Regulations 2011 (WA), reg 11.

36

National Health Act 1953 (Cth), s 135A(1).

37

Coco v AN Clark (Engineers) Ltd [1969] RPC 41 at 47-48 (Megarry J); R v Department of Health; Ex parte Source Informatics Ltd [2001] QB 424.

38

Duchess of Argyll v Duke of Argyll [1967] Ch 302.

39

R v Department of Health; Ex parte Source Informatics Ltd [2001] QB 424 at [34]-[35].

40

Furniss v Fitchett [1958] NZLR 396.

41

New South Wales v Ibbett (2006) 229 CLR 638.

42

Lamb v Cotogno (1987) 164 CLR 1.

43

Aggravated and exemplary damages have been prohibited in negligence actions for personal injury in New South Wales (Civil Liability Act 2002 (NSW), s 21); Queensland (Civil Liability Act 2003 (Qld), s 52); and the Northern Territory (Personal Injuries (Liability and Damages) Act 2003 (NT), s 19) but remain available in other jurisdictions.

44

As far as the authors are aware, there have been no such complaints made against researchers using data linkage in more than 30 years of using such methods in Western Australia and there have been no instances of data being inappropriately identified or misused.

45

Privacy Act 1988 (Cth), s 36.

46

Information Privacy Act 2009 (Qld), s 165; Health Records and Information Privacy Act 2002 (NSW), s 42; Health Records Act 2001 (Vic), s 45; Personal Information Protection Act 2004 (Tas), s 18; Health Records (Privacy and Access) Act 1997 (ACT), s 18; Information Act 2002 (NT), s 104.

47

Health and Disability Services (Complaints) Act 1995 (WA), ss 19, 25(1)(e); Health and Community Services Complaints Act 2004 (SA), ss 24, s 25(f), (i).

48

For example, the Department of Health WA, Confidentiality Agreement (January 2009), http://www.health.wa.gov.au/healthdata/HREC/index.cfm viewed 15 December 2012.

49

For example the Department of Health WA, HREC Standard Operating Procedure, Reporting and Handling of Adverse Events and Breaches in the Conduct of a Project (19 July 2012), http://www.health.wa.gov.au/healthdata/HREC/index.cfm viewed 15 December 2012.

50

For example, National Health Act 1953 (Cth), s 135A(1); Health Services Act 1991 (Qld), s 62A; Public Health Act 2010 (NSW), s 130; Public Health Act 2005 (Qld), s 220; Health (Western Australia Cancer Register) Regulations 2011 (WA), reg 11.

51

Independent Commission Against Corruption Act 1988 (NSW), s 8(1)(d); Criminal Code Act 1913 (WA), s 81; Crimes Act 1958 (Vic), s 464ZGK; Criminal Code Act 1899 (Qld), s 85; Criminal Code Act 1924 (Tas), s 110; Crimes Act 1900 (ACT), s 153; Criminal Code Act 1983 (NT), s 76; Criminal Law Consolidation Act 1935 (SA), s 238; Crimes Act 1914 (Cth), s 70.

52

Slivak v Lurgi (Aust) Pty Ltd (2001) 205 CLR 304; Galashiels Gas Co Ltd v O’Donnell [1949] AC 275.

53

O’Connor v SP Bray Ltd (1937) 56 CLR 464.

54

O’Connor v SP Bray Ltd (1937) 56 CLR 464.

55

Sovar v Henry Lane Pty Ltd (1967) 116 CLR 397; Read v Croydon Corp [1938] 4 All ER 631.

56

Kirvek Management and Consultancy Services Ltd v Attorney-General of Trinidad and Tobago [2002] 1 WLR 2792.

Legal redress for injury where access to information is denied

In comparison, individuals harmed by a refusal to permit the use of information for research, such as the children in the hypothetical example, would have little or no possibility of legal redress against the data custodian. The law is generally reluctant to impose liability for a failure to protect someone from harm.

The family could consider an action in negligence against the data custodian for a failure to release the data for the research. The two children with physical disabilities suffered in utero would have standing to sue for any negligence committed before they were born;59 however, establishing duty, breach and causation against the data custodian would all be difficult. The data custodians in the hypothetical scenario have a discretionary power to provide the information for research. A failure to exercise a discretionary statutory power can, in some circumstances, give rise to a common law duty of care,60 but none of the relevant indicators would be present in this case. It is arguable that the data custodians ought to be aware of a risk of harm to unborn children whose mothers took Maleveril in light of the information on the research proposal provided with the application for data, but it is unlikely that this would be enough to found a duty of care. Although the children are highly vulnerable, this power is vested for the benefit of the public generally, not for a specific class to which they belong.61 It is not a case where the statutory authority is aware of a particular risk to a particular individual.62 There is another regulatory scheme directed to preventing this harm – the drug registration regime – so it would be difficult to persuade the court that the data custodian was exercising control over the situation that caused the harm.63 Recognition of a duty could result in inconsistency between the different bodies of law.64 If the decision to refuse data is based on policy considerations, such as the impact on other health initiatives, then the court is unlikely to recognise a duty.65

If the plaintiffs are able to persuade the court to recognise a duty of care, there are further challenging hurdles. The defendant would rely on “compliance with the general procedures and applicable standards”,66 as well as the “social utility” of protecting privacy in order to deny breach.67 To establish causation, the plaintiffs would have to prove that the failure to release data for the research was a necessary condition of their disability.68 The statistical evidence from the subsequent studies would provide some evidence of this, but the plaintiffs will have to persuade a court of all the elements in the causal chain: that the research would have been conducted immediately, that it would have produced the same result and that Maleveril would have been withdrawn in time to prevent the injury. There may also be other risk factors for the disability present, which could provide an alternative causal explanation.69 In Australia the plaintiffs would be unable to rely on the loss of a chance of a better outcome and would have to prove on the balance of probabilities that the physical disability would not have occurred.70

Similarly, an action for breach of statutory duty by the injured children is unlikely to have any traction. None of the legislation empowering the collection of data in Australia imposes a duty on data custodians to use or provide the data for research. Rather, the various statutes focus on the risks to privacy and impose duties of confidentiality. The statutory exceptions permitting the release of data for research merely give data custodians a discretionary power. There will be no breach of statutory duty if this power is not exercised.

It is clear that while the legal redress available to individuals who are harmed by breaches of privacy is well developed, there is no similar protection provided to individuals harmed by administrative decisions to refuse access to data for health research. There are no legal incentives to consider the potential harm to individuals from a refusal to grant access to data.

57

Civil Law (Wrongs) Act 2002 (ACT), s 111; Civil Liability Act 2002 (NSW), s 43; Civil Liability Act 2003 (Qld), s 36; Civil Liability Act 2002 (Tas), s 40; Wrongs Act 1958 (Vic), s 84(2); Civil Liability Act 2002 (WA), s 5Y.

58

Civil Liability Act 2002 (NSW), s 42; Civil Liability Act 2002 (WA), s 5W; Civil Liability Act 2003 (Qld), s 35; Civil Liability Act 2002 (Tas), s 38; Wrongs Act 1958 (Vic), s 83; Civil Law (Wrongs) Act 2002 (ACT), s 110.

59

Watt v Rama [1972] VR 353; X v Pal (1991) 23 NSWLR 26.

60

Sutherland Shire Council v Heyman (1985) 157 CLR 424.

61

Graham Barclay Oysters Pty Ltd v Ryan (2002) 211 CLR 540.

62

Pyrenees Shire Council v Day (1998) 192 CLR 330.

63

Graham Barclay Oysters Pty Ltd v Ryan (2002) 211 CLR 540.

DEFENSIVE DECISION-MAKING

Where a project involves identifiable information, provided the data custodians have well-developed procedures to bind the researchers to appropriate security arrangements, the legal risk is carried by the research institution. So, although concerns about liability for breaches of privacy are often cited as justification for refusal or delays, those concerns appear to be misplaced. These concerns may be the product of confusion resulting from the complexity of the law and uncertainty as to when data are identifiable.71 The hypothetical example describes a typical data linkage research project where anonymous information is lawfully provided to researchers. There is no legal risk at all to data custodians in these circumstances. If this is understood by data custodians, then the underlying causes of conservative decision-making must lie elsewhere. This section of the article speculates about other causes of defensive decision-making.

64

Sullivan v Moody (2001) 207 CLR 562.

65

Sutherland Shire Council v Heyman (1985) 157 CLR 424; Civil Liability Act 2002 (WA), s 5X.

66

Civil Liability Act 2002 (NSW), s 42; Civil Liability Act 2002 (WA), s 5W; Civil Liability Act 2003 (Qld), s 35; Civil Liability Act 2002 (Tas), s 38; Wrongs Act 1958 (Vic), s 83; Civil Law (Wrongs) Act 2002 (ACT), s 110.

67

Civil Liability Act 2002 (NSW), s 5B; Civil Liability Act 2002 (WA), s 5B; Civil Liability Act 2003 (Qld), s 9; Civil Liability Act 2002 (Tas), s 11; Wrongs Act 1958 (Vic), s 48; Civil Law (Wrongs) Act 2002 (ACT), s 43; Civil Liability Act 1936 (SA), s 32.

68

Civil Liability Act 2002 (NSW), s 5D; Civil Liability Act 2002 (WA), s 5C; Civil Liability Act 2003 (Qld), s 11; Civil Liability Act 2002 (Tas), s 13; Wrongs Act 1958 (Vic), s 51; Civil Law (Wrongs) Act 2002 (ACT), s 45; Civil Liability Act 1936 (SA), s 34.

69

Wilsher v Essex Area Health Authority [1987] QB 730.

70

Tabet v Gett (2010) 240 CLR 537.

71

National Health and Medical Research Council, The Impact of Privacy Legislation on NHMRC Stakeholders (2004) p 17.


Data custodians may fear becoming a scapegoat if things go wrong, risking consequences such as a reprimand, loss of position in the next departmental reorganisation or loss of prospects for career advancement. Government data custodians working in highly structured hierarchies are particularly likely to be exposed to personal interests that will be best served by adopting a conservative approach to approval for data access by researchers. “Things going wrong” need not be limited to improper conduct by researchers. New research results may cause political problems for the minister or senior department officials. Researchers sometimes voice suspicions that projects that could expose deficiencies in health system operations, policies or past decisions will not be supported. Research results are sometimes capable of conflicting with the interests of powerful lobby groups in the health system, including the pharmaceutical industry and various sections of the health workforce, who may defend their interests by criticising the department for releasing the data in the hope of getting the research shut down. Although far less likely since the introduction of anonymous linkage, fears may persist that a disgruntled member of the public might object to the release of de-identified data arising from their health care, and may be framed as a whistle blower on front-page media, causing problems for the minister and department. These disincentives to release data are not offset by much in the way of incentives. Government health data custodians work in agencies that generally do not regard health research as a primary component of their mission. Although, historically, research was the primary purpose in the establishment of data collections, this is not always explicit in the supporting legislation. 
There is a danger that the predominant purpose will be seen as administrative and that priority will be given to the management of health services funding rather than the research use of the data. Performance indicators are unlikely to include knowledge creation through research or other research-related outputs, and criteria for appointment or promotion will rarely include any reference to a track record of supporting research. There would be little wonder, therefore, if data custodians working in thinly stretched government departments saw their priorities elsewhere. The potential commercial value of public sector health data may be another incentive to deny researchers ready access to data. In the United Kingdom, there is speculation that the National Health Service may have a growing commercial interest in selling linked public sector health data to pharmaceutical and other business interests based in the United States.72 United Kingdom university researchers may have reason to fear effective exclusion from access to the same data because of the high prices commanded from industry or other commercial restrictions. Pressures for government agencies to recover costs or make profits from data release activities may provide agency incentives to establish restrictive arrangements that amount to a profitable data access monopoly.

CONCLUSION

Patrick Devlin once famously asked in The Enforcement of Morals: “To what extent should society use the law to enforce its moral judgments?”73 Devlin’s reflections come from a long tradition of 17th and 18th century social contract theorists who debated whether government’s role in the lives of citizens should be limited to protecting them from harm and enforcing contracts, or should extend to more active ways of ensuring and promoting the general social welfare. This same debate extends to health research generally,74 and to data linkage research in particular. To what extent ought the emphasis on protection from harm common in clinical medical research, where risks of harm are physical, painful and sometimes irreversible, extend to data linkage studies, where risks are usually much lower and where the research is intended to promote public health and the general welfare? And in particular, what role should society play when it comes to protecting patients and citizens against the risk of particular non-physical harms, such as breaches of privacy or non-authorised access by third parties to confidential information? A policy of strong protectionism would ensure that no harm would be actively caused to citizens, but the cost would be a dramatic reduction in the quality and quantity of research undertaken to enhance public benefit and resulting harm to individuals who could have been protected. There is evidence that different publics, when asked, are able to accept less privacy protection in exchange for greater access to other benefits.75 But this evidence alone will not resolve the legal and policy debate as public opinion may wax and wane. Nor will a simplistic appeal to a hypothetical toting up of all harms and all benefits from data linkage studies. The ethical challenge of incommensurability – where harms and benefits are experienced by different people – was noted above, and is emphasised again here. Moreover, the case of data linkage research also illustrates a temporal conundrum: how to assess risks to known individuals today (eg a data breach from a lost laptop) against the potential benefits to future generations from improved public health practices. Harder still is to assess the harms to future generations of not conducting this research. It is this type of challenge that calls for more creative thinking from ethics and law. Ethics may be called upon to help fashion a new social contract for research, one that asks society to permit the use of administrative data for research that offers the potential for benefit in exchange for pragmatic protections. It will also require a multilateral trust relationship between citizens, scientists and society that does not yet exist. One cannot simply ask the public to trust researchers with health data unless there is evidence that they are trustworthy. Fortunately, such examples exist that may be models from which to develop these approaches.76 But without an equally creative legal regime that can move beyond strong protectionism, the potential benefits from these studies will be lost.

The legal and regulatory regime may need to be refocused to ensure that there is balanced consideration of both privacy protection and the beneficial use of government-held data. Although the current regulatory regime indicates recognition of the need to balance the protection of individual privacy against the public benefit in using personal information for research, the legal and structural incentives are heavily weighted towards a strong protectionist approach. Stronger incentives are needed to ensure that data release decisions are timely, transparent and reviewable. Advances in protecting individual privacy through data linkage, identity protection and rigorous security expectations mean that individual privacy need not be sacrificed in order to maximise the beneficial use of government data.

72 Anderson R, “The Privacy of Our Medical Records is Being Sold Off”, The Guardian (UK) (29 August 2012) p 30.

73 Devlin P, The Enforcement of Morals (Oxford University Press, Oxford, 1957).

74 Meslin EM and Cho MK, “Research Ethics in the Era of Personalized Medicine: Updating Science’s Contract with Society” (2010) 13 Public Health Genomics 378.

75 See eg Madams JH, “Use of Administrative Records and the Privacy-Confidentiality Trade-off” (2011) 3(2) Journal of Privacy and Confidentiality 53; Taylor H, Most People Are “Privacy Pragmatists” Who, While Concerned about Privacy, Will Sometimes Trade It Off for Other Benefits (Harris Interactive Poll, 19 March 2003), http://www.harrisinteractive.com/vault/Harris-Interactive-Poll-Research-Most-People-Are-Privacy-Pragmatists-Who-While-Conc-2003-03.pdf viewed 27 November 2012.

76 Stanley FJ, Croft ML, Gibbins J et al, “A Population Database for Maternal and Child Health Research in Western Australia Using Record Linkage” (1994) 8 Paediatr Perinat Epidemiol 433; Holman CD, Bass AJ, Rosman D et al, “A Decade of Data Linkage in Western Australia: Strategic Design, Applications and Benefits of the WA Data Linkage System” (2008) 32 Aust Health Rev 766; Brook EL, Rosman DL and Holman CDJ, “Public Good Through Data Linkage: Measuring Research Outputs from the Western Australia Data Linkage System” (2008) 32 ANZ J Public Health 19.

(2013) 21 JLM 473

© 2013 Thomson Reuters (Professional) Australia Limited. For further information visit www.thomsonreuters.com.au.
