Use of both de-identified data and, in some circumstances, identifiable data will be permitted under a new government framework for so-called “secondary use” of data derived from the national eHealth record system. Linking data from the My Health Record system to other datasets is also allowed under some circumstances.
The Department of Health last year commissioned the development of the framework for using My Health Record data for purposes other than its primary purpose of providing healthcare to an individual.
Secondary use can include research, policy analysis and work on improving health services.
Under the new framework, individuals who don’t want their data used for secondary purposes will be required to opt-out. The opt-out process is separate from the procedure necessary for individuals who don’t want an eHealth record automatically created for them (the government last year decided to shift to an opt-out approach for My Health Record).
Down the track, individuals may be able to offer or withdraw consent for specific secondary uses of their data. For projects that involve identifiable data, there will be a consent process involved.
“It is acknowledged that Australian consumers have different levels of health literacy and health system usage,” the framework states. “This will be considered when implementing processes to convey consent.”
Access to the data will be overseen by an MHR Secondary Use of Data Governance Board, which will approve applications to access the system.
Any Australian-based entity with the exception of insurance agencies will be permitted to apply for access the MHR data. Overseas-based applicants “must be working in collaboration with an Australian applicant” for a project and will not have direct access to MHR data.
The data drawn from the records may not leave Australia, but under the framework there is scope for data analyses and reports produced using the data to be shared internationally.
The board may permit linking of MHR data with other data sources “once the applicant’s use is assessed to be of public benefit”.
Commercial organisations may apply to use the data “so long as it can be demonstrated that the use is consistent with ‘research and public health purposes’ and is likely to generate public health benefits and/or be in the public interest,” the framework states.
The Department of Health came under fire in 2016 after it released for download supposedly anonymised health data. Melbourne University researchers were able to successfully re-identify a range of data.
Last month the Office of the Australian Information Commissioner revealed that health service providers accounted for almost a quarter of the breaches reported in the first six weeks of operation of the Notifiable Data Breach (NDB) scheme.