MedicineInsight: Privacy, security and governance

NPS MedicineWise takes its role as data custodian of primary healthcare data seriously. We extract non-identifiable, unit-level data from participating general practice systems. Non-identifiable data is the output of the de-identification process, which involves the removal or alteration of information that identifies a person, or is reasonably likely to identify them, as well as the application of any additional protections to prevent identification; including re-identification risks.

While the unit-level data we collect is quite detailed, and capable of being matched longitudinally and/or with other data sets, it has been appropriately de-identified at a participating general practice prior to extraction. This means that the unit-level data we collect, use and store in MedicineInsight does not constitute as personal information under the Privacy Act, as it is no longer about an identifiable individual or an individual who is reasonably identifiable.

Although, NPS MedicineWise appreciate the sensitivities that exist toward the secondary use of data, and together with its concern to adopt best practice standards where possible, have chosen to treat de-identified patient-level data as if it were subject to the Privacy Act. This position is a choice by NPS MedicineWise and not a legal obligation. It takes a strong stance on privacy and security protection for non-identifiable unit-level data, and has been initiated in the interests of MedicineInsight maintaining a robust social license to operate among consumers. A similar position has been extended to the consumer opt out approach that underpins the program.

Under the Privacy Act, there is no requirement for NPS MedicineWise to obtain patient consent to collect the data for the MedicineInsight program. This is because the program does not handle personal or sensitive (including health) information that identifies a person, or is reasonably likely to identify them.

However, in the interests of taking an open and transparent position on the handing of data for secondary use ³ and to respect the privacy of consumers, NPS MedicineWise have chosen to employ an opt out approach to the MedicineInsight program.

It is important to note that NPS MedicineWise does not intend for the opt out approach to be taken as a consent process, nor is it endorsed by a waiver of consent. Rather, the opt out approach has been initiated as a matter of good practice and respect for a individuals’ privacy, as opposed to an expectation of NPS MedicineWise having to meet a standard of consent for MedicineInsight.

The opt out approach is intended to be an important mechanism to provide consumers with as much choice and control over their data as possible by providing transparency of data flows and giving individuals the option not to participate. We operate the opt out approach in accordance with the specific requirements of the National Statement on Ethical Conduct in Human Research, 2007 (updated 2018). For example, by ensuring:

• Involvement in the program is low risk for consumers.
• The public interest in the proposed activity substantially outweighs the public interest in the protection of privacy.
• Reasonable attempts are made to provide consumers with appropriate information about the MedicineInsight program via their general practice.

The opt out approach relies on general practices (as the data owners) implementing the model, by displaying the MedicineInsight poster and making information sheets and out-out forms available to consumers in the practice. This obligation is set out in the practice agreement a practice signs when joining the MedicineInsight program. Practices are also encouraged to include information about MedicineInsight in their local privacy policies or privacy statements to appropriately notify consumers about their involvement in the program.

The position to protect a consumers’ rights and privacy is also a broader requirement of the Royal Australian College General Practitioners (RACGP). The RACGP’s guiding principles document for practices managing requests for the secondary use of de-identified general practice data, requires patients to be made aware if their practice provides de-identified data to third parties.

The MedicineInsight program uses a ‘five safes’⁴ assessment approach for the safe sharing of data. This framework provides multiple layers of controls to ensure:

• safe data; that is protected from inappropriate access
• safe outputs; that safeguard the privacy of individuals who contribute data
• safe projects; that ensure data is released only where this is in the public benefit
• safe people; who are trusted and qualified data users
• safe settings; that data is securely stored and accessed

The choice of NPS MedicineWise to extend the five safes assessment to the MedicineInsight program takes an approach that balances risk and data utility to ensure data is shared in a way that delivers public benefit, supports integrity, protects privacy, and maintains confidentiality.

We invite practices to participate in the MedicineInsight program, and respect their choice not to participate. Our privacy controls (listed below) ensure that information about GPs and patients is not gathered covertly, or without their knowledge.

• The owner of the practice is provided with a comprehensive Practice Kit that includes information for them to make an informed decision to participate in the program
• GPs are informed by the owner of the practice about the practice’s participation in the program, and are given the opportunity to provide informed consent to receiving individual tailored reports and
• Patients are made aware of the program through promotional material that is displayed within the waiting room of all participating practices.
• The MedicineInsight program has received ethics approval via the Royal Australian College of General Practitioners National Research Evaluation Ethics Committee, and operates in accordance with the requirements of this approval.
• Where MedicineInsight data is used for research purposes, all research projects and outcomes are made publicly available, and provided only with approval and oversight from NHMRC certified Human Research Ethics Committees.
  

We take robust precautions to protect data we hold from misuse and loss, and from unauthorised access, modification and disclosure. We have a range of processes and policies in place to ensure MedicineInsight data is only stored in secure environments and is transferred securely.

• Data extracted from practices are encrypted to government standards, and this ensures that unauthorised parties are not able to interrogate or ‘translate’ the data for their own use;
• Data are stored only in Australia;
• Robust and effective security controls are in place to protect the data; and
• Data are only accessible by authorised staff.
• A data-sharing agreement must be in place which outlines the responsibilities and obligations of researchers that access MedicineInsight data.
  

Third parties may express an interest in the data collected through MedicineInsight. The provision of data in these instances undergoes a rigorous and formal approval process, and is guided by the independent external MedicineInsight Data Governance Committee. This Committee includes GPs, consumer advocates, privacy experts and researchers and reports all approvals and studies to the Royal Australian College of General Practitioners National Research and Evaluation Ethics Committee.

Third-party use of MedicineInsight data must be aligned with our overall mission and be for public good. Data shared with third parties is done in a secure manner and all individual general practice, healthcare professionals, practice staff, and patient details are always deidentified.

Find out more about the application process