health information privacy and cloud computing

Document Sample
health information privacy and cloud computing Powered By Docstoc
					        Records in the Mist
Health Information Privacy and Cloud Computing
                   Health IT Cluster
                     20 May 2009

                                                 Sebastian Morgan-Lynch
                                                   Policy Adviser (Health)
                                       Office of the Privacy Commissioner
What is Cloud Computing?

    Useful analogy?

 Or metaphor gone mad?
  What is Cloud Computing?

“The creation of large data
 centres that can be
 dynamically provisioned,
 configured and reconfigured to
 deliver services in a scalable
  What is Cloud Computing?

 Term  suggests dispersion
 Actually represents
  centralisation of information
  and resources in data centres
 Raises issues of corporate or
  government control over
 How could Cloud Computing be
      Useful in Health IT?
 Cheap

 Scalable

 Convenient

 Single access point for patients’
 Transfers requirement to keep
  technology up-to-date to specialist
            Privacy Law
 Law  effectively tech-neutral
 No legal distinction between
  privacy of health information
  stored on paper and electronically
 Practical issues around purpose
  and openness with electronic
  information – “gatekeepers”
 How many people know how their
  information is actually going to be
 Whose job is it to tell them?
               The Privacy Act
10 Application of principles to information held
(1) For the purposes of principle 5 and principles 8 to 11,
   information held by an agency includes information that is
   held outside New Zealand by that agency, where that
   information has been transferred out of New Zealand by
   that agency or any other agency.
(2) For the purposes of principles 6 and 7, information held
   by an agency includes information held outside New
   Zealand by that agency.
(3) Nothing in this section shall apply to render an agency in
   breach of any of the information privacy principles in
   respect of any action that the agency is required to take
   by or under the law of any place outside New Zealand.
Health Information Privacy Code 1994:
1)Only collect the information you need
2)Get it from the person concerned
3)Tell them what you're doing
4)Be nice when you're doing it
5)Take care of the information once you've got it
6)They can see it if they want to
7)They can correct it if it's wrong
8)Make sure it's accurate before you use it
9)Get rid of it when you're done with it
10)Only use it for the purpose you got it for
11)Only disclose it if that's why you got it
12)Be careful with unique identifiers
Health Information Privacy Code 1994:

   Summary of the Summary


    Collection: Some Implications
   Collection is where you find the key legal
    obligation of transparency
   Falls on agency initially collecting data
   In health context, places heavy weight on
    primary care
   Practical need for ‘upstream’ users of data to take
    some of that load
   Benefits in trust, openness and willingness of
    health consumers to have their information used
   Also benefit of increased trust from ‘downstream’
    health agencies
                   Legal Environment
While no major changes on the horizon, there is some

Privacy Act Amendment
– Gives Privacy Commissioner power to restrict transfer of data to a
  territory of weak privacy protection or where Privacy Act might be
– Privacy request not restricted to New Zealander, permanent resident
  or currently in New Zealand (as it currently is)
– Facilitates referral of complaint to overseas privacy enforcement

Public Health Bill
– Modifies medical practitioner powers to disclose where necessary for
  care or safety
– Currently being revised

Law Commission Review
– Law Commission reviewing Privacy Act, as final element of four part
       User Expectations





     But who is the User?

General  Practitioner?
Primary Health
District Health Board?

Ministry of Health?
      Trust and Confidence
 Health  agencies need to make sure
  their patients know why their
  information is being collected and
  who is going to see it
 Therefore, they need to know
  where the information they collect
  is going to go, and why
 Currently this is not always the
    Benefits, Risks, Opportunities
   Benefits
    – International access by patients and clinicians to health
      information – servicing increasingly transient population
    – Potentially more efficient use of resources
    – Lessen medical errors from transmission, transcription, lost
      referrals, incorrect medication etc
   Risks
    – More potential for large scale data breaches
    – Loss of consumer trust if improperly managed
    – Large collections of identified clinical data very tempting for
      secondary uses – commercial, clinical, employment
    – Security of information dependent on legal regime of country
      where data centre is based
   Opportunities
    – Ensuring good information management practices generally
      good clinical sense
    – GPs in position to play key role as advocates for their patients’
    One Solution to Jurisdictional
   Google has proposed (and patented) the idea of a ‘google
    navy’ of floating datacentres
                Useful Resources
   “Government Use of Offshore ICT Service Providers” – State
    Services Commission, April 2009
    – Notes risks around loss of control, loss of privacy/security and
      jurisdictional issues
    – Suggests carrying out risk assessment, outlines some avenues
      to consider
   “Where is the cloud? Geography, economics, environment
    and jurisdiction in cloud computing” – Jaeger, Lin, Grimes
    and Simmons, May 2009
    – Outlines practical considerations around cloud computing, with
      particular focus on jurisdictional issues
    – Useful summary of recent writing

Telephone:           Wellington (04) 474 7590
                     Auckland (09) 302 8680
Enquiries hotline:   0800 803 909
Internet address:

Shared By: