MGMatt Gilchrist

technology · Healthy Business for Doctors · 10 May 2016

Privacy Commissioner review of GP Privacy Policies

The Office of the Australian Information Commissioner last week released a report about their recent review of Privacy Policies in Australian GP practices. The report is here >> https://www.oaic.gov.au/privacy-law/assessments/general-practice-clinics-app-1-privacy-policy-assessment Let's look at the summary

Part 2 — Summary statistics regarding findings

2.1  The OAIC found that 36 GP Clinics had a privacy policy, but four out of the 40 GP clinics did not have a privacy policy that was capable of assessment against APP 1. Findings in the rest of this report refer to the 36 GP clinics assessed.

2.2  20 of 36 privacy policies covered or explicitly referred to the APPs.

2.3  Using the Flesch-Kincaid Reading Ease test, 28 of 36 policies assessed required an education of above Grade 12 to easily read and understand the policy.

2.4  Only four of the 36 privacy policies contained appropriate contact information for individuals to submit access or correction requests or make complaints to the practice.

2.5  The lack of appropriate contact details also affected whether polices had appropriate access, correction and complaint handling provisions. As a result of this, and due to other issues identified by the assessors:

  • only two of the 36 policies appropriately advised patients how to make a complaint about possible breaches of their privacy
  • only two of the 36 policies appropriately advised patients how they could request a correction to their personal information
  • only one of the 36 privacy polices appropriately advised patients how they could request access to their personal information.

2.6  The OAIC found the policies did not contain some of the content required by APP 1.4. Our findings included:

  • 18 of 36 privacy policies stated the kinds of personal information they collected and held in a manner considered to meet the requirements of APP1.4
  • 23 of 36 GP clinics stated how they generally collect personal information
  • 24 of 36 GP clinics stated how they generally hold personal information
  • only seven GP clinics stated how they collected and held personal information in a manner considered to meet the requirements of APP 1.4
  • 20 of 36 privacy policies stated the purposes as to why they collected, held, used and disclosed personal information in a manner considered to meet the requirements of APP 1.4
  • 25 of 36 privacy policies described the reasonable steps the practice took to protect patients’ personal information
  • 6 of 36 privacy policies advised patients how the clinic generally would deal with a privacy complaint they received
  • 31 of 36 GP clinics have signed a PCEHR Participation Agreement. Only one of the GP clinics specifically referred to the collection, use or disclosure of personal information by GPs through the use of the My Health Record system
  • 33 of 36 GP clinics stated that they held IHIs. 12 privacy policies specifically referred to the collection, use or disclosure of IHIs
  • No privacy policy specifically referred to the collection, use or disclosure of personal information using an electronic transfer of prescriptions service, which are systems commonly used by GPs.

2.7  19 of the 36 privacy policies did not make any statement relating to overseas disclosures. The majority of those that did refer to overseas disclosures noted that any such disclosure would only be made with the consent of the patient.

2.8  28 GP clinics had a web presence. Of these, 17 published their privacy policy online.

2.9  GP clinics provided access to privacy policies in different ways:

  • 35 of 36 GP clinics provided a hard copy of their privacy policy to patients on request
  • 30 of 36 GP clinics displayed information about the privacy policy in their practice
  • 20 of 36 GP clinics provided a copy of their privacy policy to all new patients who attend their clinic.
My response 2.1 Some 10 % of GP practices surveyed didn't have a Privacy Policy = 10% FAIL 2.2 Some 40% didn't mention the APPs in their policy = 40% FAIL 2.3 Flesch-Kincaid Reading Ease scale is new to me, so I googled it. It turns out that it is EASLIY implemented in Microsoft word, and you can get a 'Flesch-Kincaid reading ease score' when you do a spelling and punctuation check once this feature is turned on. (Just for fun I ran the APPs through this test and got a score of 14.7, ie the reader needs a university degree to be able to understand the APPs). The OIAC says that 28 of 36 policies required above a grade 12 education to read and understand the policy. I'd like some interaction between this result and the one above before I pass judgement on this. It seems hard to me to reduce a document from university graduate level to sub high-school reading level. 2.4 only 10% contained contact information for patients to submit requests = 90% FAIL 2.5 only 5% stated how patients could request changes, or make a complaint, and only ONE Practice advised how patients could request access to the information held about them. 2.6  A whole range of different FAILs here, the last one is interesting as most GP practices would be required to use an eScript solution as part of the eHealth PIP component = 100% FAIL 2.7 No mention of oversea's data storage = 50% FAIL 2.8 Showing the Privacy Policy on the surgery website was a recommendation contained in the APPs = 40% FAIL for those with a web site 2.9 I'd expect that all clinics should provide a hard copy upon request as a minimum. The OIAC doesn't detail what is expected.