Health highlights challenges with genomic information under current Privacy Act

The Australian Department of Health has asked for the government to provide more guidance on how to get de-identification right, hoping such advice will be provided when the Privacy Act 1988 receives a facelift.

Health, in a submission [PDF] to a review of the Act underway by the Attorney-General's Department, said the de-identification of data, given the risk of re-identification, is a complex area.

"Particularly given the burgeoning demand for access to public sector data at very granular levels, and for linkage with other datasets," it wrote.

The department said that while the Office of the Australian Information Commissioner (OAIC) has published guidance materials on de-identification, data custodians may still need to seek specialist expertise in order to be satisfied that the likelihood of re-identification is low, "particularly in light of advances in data analytic technologies".

"The department is of the view that any changes in the Privacy Act that require additional protections in relation to de-identified, anonymised, and pseudonymised information … will need to be supported by appropriate guidance and expertise in order for implementation to be effective," it said.

See also: Nearly 12-months old COVIDSafe legislation cited as cause of Privacy Act review delays

The department raised these concerns alongside the issue of genomic information.

"Genomic information will only fall within the scope of the Privacy Act if it meets the definition of personal information in s 6(1) of the Privacy Act, which can be challenging particularly in the context of data sharing and linkage activities necessary for genomics," it explained.

"There is uncertainty and inconsistency in the application of the current test as to whether genomic information is 'about' an individual who is 'reasonably identifiable', in which case it falls within scope of Privacy Act."

Health said it is therefore difficult to assess when genomic information may render a person reasonably identifiable, particularly as data moves between different collections with different data linkage possibilities.

"Such lack of clarity is likely to present a barrier to the uptake of clinical genomic research and services, as individuals may be unwilling to share their genomic information," it said.

On the idea of balancing the provision of adequate information to individuals and minimising regulatory burden, Health noted there are currently up to 10 different requirements that could be included in Australian Privacy Principle (APP) 5 -- APP 5 requires an APP entity that collects personal information about an individual to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.

"The department would be broadly supportive of appropriate measures to simplify this process, including additional guidance about the scope of APP 5 notices, the role of overarching privacy notices in making individuals aware of APP 5 matters, and the development of a standard form of words to assist APP entities in complying with APP 5 obligations," it wrote.

"In addition, the department would further support any appropriate measures that assist in clarifying how the primary purpose of collection should be interpreted, particularly where there could be multiple purposes for which personal information is being collected."

The department said it would welcome any appropriate measures aimed at simplifying the notification process relevant to APP 5, in particular the development of a standardised framework of notice.

It also said requirements to obtain more specific and explicit consent in relation to the purposes for which information is collected, used, or disclosed would provide the department with greater immediate clarity around obligations for the handling of personal information.

"The ability to use or disclose personal information for secondary purposes unforeseen at the time of collection provides significant benefit to both government and the Australian public by, for example, facilitating continuous improvement and evaluation of policy implementation and reducing the risk of individuals being disadvantaged in service delivery by not having provided the appropriate consent," it added.

"The department is cognisant of the need to guard against function creep while at the same time offering some measure of flexibility with respect to unforeseen but beneficial secondary purpose uses or disclosures."

MORE FROM THE PRIVACY ACT REVIEW

• Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance
• Facebook and Snap Inc call for a GDPR-aligned Australian Privacy Act
• Attorney-General asked to update 'personal information' definition in Privacy Act
• ACCC calls for Privacy Act changes to protect loyalty scheme customers
• Google says consent over every aspect of data processing would be burdensome
• Optus warns not to punish whole economy for tech giant sins in Privacy Act changes
• Over 4,000 privacy complaints made about Aussie telcos in FY20
• OAIC wants stronger enforcement powers in Australia's revamped Privacy Act