Privacy and Confidentiality (Kathryn Dalziel)

Page 1

Privacy and Confidentiality???

Kathryn Dalziel

Page 2

I’m going to talk about …

• A legal framework:
  • Confidentiality
  • Privacy
• Privacy Breach
• Policy & Procedures
• Trust and Confidence

Page 3

Issues….

You tell me!

Page 4

‘Whatever, in connection with my professional practice or not in connection with it, I see or hear in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.’  

Confidentiality

Inroads:

• reporting requirements of funders
• the increasing size of medical practices
• patient’s rights of support
• sharing of health information between health care professionals
• ease of access to health records on electronic databases
• insurers’ insistence on full access to patient records

Page 5

Privacy v Confidentiality

• Privacy
  – Principles to guide the amount of control which an individual can exercise over his or her personal data
  – Collection, storage, use and disclosure of personal information and the right of access and correction

• Confidentiality
  – akin to secrecy
  – fundamental to trust relationship/promotes full disclosure
  – ability to disclose information received in confidence is limited to authorisation or public interest.

Page 6

Privacy Act v Health Information Privacy Code

• Privacy Act
  – Data protection
  – 12 privacy principles: collection, storage, use and disclosure of personal information and the right of access and correction

• Health Information Privacy Code
  – Health Information & Health Agency
  – 12 rules: collection, storage, use and disclosure of personal information and the right of access and correction

Page 7

Health Information Privacy Rules…

1. Only collect health information if you really need it.

2. Get it straight from the people concerned.

3. Tell them what you’re going to do with it.

4. Be considerate when you’re getting it.

5. Take care of it once you’ve got it.

6. People can see their health information if they want to.

Page 8

Health Information Privacy Rules…

7. They can correct it if it’s wrong.

8. Make sure health information is correct before you use it.

9. Get rid of it when you’re done with it.

10. Use it for the purpose you got it.

11. Only disclose it if you have a good reason.

12. Only assign unique identifiers where permitted.

Page 9

Rules 1 - 4 COLLECTION

• Purposes: lawful and necessary
• From person concerned: unless an exception applies
• Transparency: fact of collection, purposes, who sees the information, where it is held, compulsory/optional questions, right to access and request correction
• Lawful and fair collection

Page 10

Storage & Security

An agency that holds personal/health information must take reasonable security safeguards to protect against:

• loss
• unauthorised access, use, modification, disclosure
• other misuse

Rule 5

Page 11

Access

If information is readily retrievable people have a right to:

• confirmation whether the agency holds* information about them; AND
• have access to the information.

* holds includes info received from other agencies

Rule 6

Page 12

Correction

Individuals have a right to request correction, or to have a statement of correction added.

Agency must either:

• make the change; or
• attach the statement

and inform the individual and any recipients of the information.

Rule 7

Page 13

Accuracy

Before using personal or health information, an agency must take reasonable steps* to ensure it is:

• accurate
• up to date
• complete
• relevant
• not misleading

*what is reasonable will depend on the proposed use

Rule 8

Page 14

Retention

Personal/Health information must not be retained for longer than is required for the purposes for which it may lawfully be used.

Note: Health (Retention of Health Information) Regulations 1996

• Health Information to be retained for at least 10 years from last date of treatment or care
• Does not prevent agencies from transferring information to individual or to personal representative where individual is deceased

Rule 9

Page 15

Limits on the use

Personal/Health information obtained for one purpose must not be used for another purpose unless the agency believes, on reasonable grounds:

• Other use authorised by individual or their representative

• Other purpose is directly related to the purpose for which the information was collected initially

*many exceptions mirror principle/rule 11

Rule 10

Page 16

Legal Framework

• Statute
• Common Law/Equity
• Contract/Agreements/policies & procedures
• Personal decision making

Page 17

Health Information: s22F Health Act

(Slide diagram, flattened.) On request, must disclose to:

• Individual: treat as a Rule 6 request
• Representative: may refuse in some circumstances
  – disclosure contrary to individual’s interests
  – individual does not want information disclosed
  – Privacy Act withholding grounds apply (see Rule 6)
• Health Provider: may refuse where the individual does not want the information disclosed

May also refuse for a lawful excuse, which does not include non payment, prejudice to commercial position, or disclosure not allowed by the Privacy Act.

Page 18

Health Information

Who is a representative?

• where individual is dead: personal representative
• where individual is under the age of 16 years: parent or guardian
• where individual is not in above categories & is unable to give consent or authority or exercise his/her rights: a person appearing to be lawfully acting on the individual’s behalf or in his/her interests

Parents / guardians DO NOT have automatic right of access to children’s information; consider requests under section 22F or OIA.

People can appoint agents, eg. lawyer, friend, parent (written authority, properly authorised).

Page 19

Disclosure of health information

A health agency must not disclose health information, unless it believes, on reasonable grounds, that disclosure is:

• to the individual/representative
• authorised by individual/representative
• purpose
• of publicly available info
• general information: presence, location, condition, progress of patient (not contrary to express request)
• fact of death by registered health professional or by auth person to specified people
• advice to principal caregiver of individ’s release under Mental Health [Compulsory Assessment and Treatment] Act

Rule 11

Page 20

Disclosure of health information rule 11

When it is not desirable or practicable to obtain the individual’s authorisation, a health agency may disclose where the disclosure is:

• Directly related purpose
• By registered health professional to specified people (not contrary to express request)
• Statistical (no id)
• to prevent/lessen serious & imminent threat to public or individual health and/or safety
• Necessary to facilitate sale of business
• Of brief description of nature of injuries in accident & individual’s id
• by auth person in hosp to media (not contrary to express request)
• To id individuals for health education related to accreditation, quality assurance or risk management (no id)
• To avoid prejudice to law/drug dependency
• authorised by PC.

Rule 11

Page 21

Unique Identifiers

What is it? A code or number that is assigned to a person by an agency which uniquely identifies the person in relation to the agency.

An agency may only assign one if:

• Necessary to carry out its functions
• Person’s identity is clearly established

* Must not use identifier assigned by another agency.
* The NHI number is an exception – see HIPC

Rule 12

Page 22

“But most people had probably sent an email or text message in error”

Prime Minister John Key says the big privacy breach at EQC was "distressing" but most people had probably sent an email or text message in error. "We do live in a world where these things are possible." The Christchurch Press: March 2013

Page 23

staff interest in health information

• CDHB staff interest in the health records of the New Zealand cricket player Jesse Ryder.

• ADHB staff interest in the health records of a man with an eel ….

Page 24

Setting the Standard: Independent Review of ACC’s Privacy and Security of Information

• Clear policies creating a positive mindset as part of building customer trust & establishing a “firm but also seen as fair” image in public minds
• Coherent strategy & process to mitigate privacy risks
• Monitor performance for compliance
• Ensure adequate resources & capacity to respond to incidents

Page 25

Setting the Standard: Independent Review of ACC’s Privacy and Security of Information

• Importance of privacy and protection of personal data at Board governance level
• Privacy vision, strategy and programme
• Role of privacy officer and use of privacy champions
• Education and Training
• Culture
• Reporting
• Audit, review and evaluation

Retrospective or prospective?