Chapter 4


Chapter 4

Restrictions on linking MBS and PBS data

4.1        The committee is ever mindful of privacy concerns with regard to data, its storage, management, use and security. However, as noted in the previous chapter, many submissions indicated that significant health policy development and medical research could be advanced if linked Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data were more readily accessible.[1] For example Professor Sallie-Anne Pearson told the committee:

The linkage of PBS, MBS and other Commonwealth collections, such as those held by the Department of Social Services, can expand our opportunities to explore value, real-world use and pivotal issues such as equity of access. Despite medicines being tested extensively in clinical trials, when they are PBS subsidised there is significant uncertainty about how they would perform in routine clinical care. When I talk to consumers, they are surprised to learn that comprehensive postmarket surveillance research does not occur routinely in Australia. Why is this the case? Activity of this kind actually requires Commonwealth and state based data holdings to be linked... The currently fragmented data systems in Australia make it difficult, if not impossible, to systematically capture these impacts.[2]

4.2        Professor Pearson also noted the practical problems for researchers in not being able to link MBS and PBS data:

The agencies, I believe, are prevented from linking their MBS and PBS data, but if you actually think about it—if you want to understand something as basic as does a person go to a specialist to get a particular medicine and then how is the medicine continued, is it continued by a specialist or by a general practitioner—we cannot find that out because we do not have the visits linked to the prescription. Very basic things around navigating through that system are really actually important—are people monitored after they are prescribed a medicine? We do not know that because that information cannot be linked. There are some really practical impediments to doing some very basic work in this regard.[3]

4.3        The importance and potential uses of these datasets were also recognised in the Public Sector Data Management Report. According to the report, linked MBS and PBS data is the fourth most requested data from the Australian Government.[4]

Source and content of the prohibition

4.4        Presently there are restrictions in both legislation and subordinate legislation that strictly constrain the linkage of MBS and PBS data.

4.5        The National Health Act 1953 requires the Information Commissioner to make privacy rules.[5] The National Health Act requires that the rules must:

  1. prohibit agencies from storing in the same database:
    1. information that was obtained under the Medicare Benefits Program; and
    2. information that was obtained under the Pharmaceutical Benefits Program; and
  2. prohibit linkage of:
    1. information that is held in a database maintained for the purposes of the Medicare Benefits Program; and
    2. information that is held in a database maintained for the purposes of the Pharmaceutical Benefits Program;
      unless the linkage is authorised in the way specified in the rules;[6]

4.6        The current privacy guidelines were made by the Privacy Commissioner in 2008.[7] These legally binding guidelines provide that data from the PBS and MBS databases may only be linked:

  • if it is necessary to comply with law;
  • to determine eligibility for a benefit under one program, where eligibility depends upon services provided by the other program;
  • where Medicare reasonably believes that doing so would prevent or lessen a serious and imminent threat to life or health; or
  • for release where a person has provided their consent.[8]

4.7        If linkage is undertaken for medical research purposes, the claims data can only be released where an individual has consented to having their data released and where the researcher undertakes to destroy the claims information provided to them at the conclusion of the research.[9]

4.8        These strict limitations came about following a plan by the then Health Insurance Commission (now Medicare) to implement an online system that would allow pharmacists to claim reimbursement and to check whether patients were eligible for concession prices on pharmaceuticals at the time they were being dispensed.[10]

4.9        The scheme ultimately did not go ahead, but an amendment to protect the privacy of individuals given the large amount of data that would be collected under the MBS and PBS schemes was implemented as sections 135AA and 135AB of the National Health Act 1953.[11]

4.10      The provision was last examined by the Parliament in 1993. At that time the aims of the amendment were encapsulated by the then Member for Macarthur, Mr Christopher Haviland MP who argued:

There is a need to ensure that legitimate privacy principles are balanced against the public interest, particularly in relation to the possible misuse of public money. This is the essential aim of this amendment—to clarify privacy provisions to ensure that legitimate privacy concerns of individuals are protected while enabling government agencies, in this case the Health Insurance Commission, to adequately safeguard against fraud and misuse of taxpayers' money.[12]

Changes in technology

4.11      The committee remains committed to that fundamental need to "ensure that legitimate privacy concerns of individuals are protected." It also notes though that while the evolutionary march of technology has both increased the ability to collect sensitive data about individuals it has also produced technology and techniques that can protect that information.

4.12      Data linkage technology has transformed significantly in the last forty years. Emeritus Professor D'Arcy Holman of the University of Western Australia told an audience in July 2014 that:

My first employment, as a Public Health Medical Student Resident during the Christmas of 1972, was to tabulate figures...of intestinal parasite infections found in the patients of Swanbourne Hospital.

The information technology available to me wasn’t of the digital electronic form, but consisted of a mechanical dinosaur known as the Hollerith card sorter. The point is that what we could do with health statistics, even as recent as the 1970s, was severely constrained by the technical infrastructure available to us.[13]

4.13      Emeritus Professor Holman later returned to the subject of data linkage and privacy in his lecture with the following exposition:

...one might query if this [data linkage] represents a significant invasion of privacy. To the contrary, the effects of data linkage on privacy have been exactly the opposite, with a profound privacy benefit compared with the way we did research before.

Here’s what real medical records look like, courtesy of a patient who’s given permission for them to be displayed. Lots of documents, and now computer screens, liberally plastered with the patient’s name and address. During the first 20 years of my career, I waded through countless thousands of records like this. It was tedious and inefficient work, especially because often one had to pour through reams of paper to find just the one or two important facts to answer the research question. Data linkage has turned this approach on its head...so that during the last 20 years, what I’ve worked with has looked like this: No names and addresses, age rather than date of birth, contains only the information needed to answer the research question, and just a number is used to represent each person, although for any two research projects that system is different, so the patients don’t even have a unique number. Nevertheless, use of the same number for the same anonymous person in each project, illuminates the crucial connections within and between different data collections, so that the outcomes can be measured.[14]

4.14      In his evidence, Mr Timothy Pilgrim, who is the Acting Australian Information Commissioner and currently performs the functions of the Privacy Commissioner, reminded the committee that sometimes legislation needs to be revisited in light of technological changes:

Something that we find with a number of the laws that I deal with is that there is a need to review some of those because the situations change quite dramatically in terms of technologies you can use to bring together information sets and how they can be dispersed.[15]

4.15      The protection of sensitive personal information remains a key focus of both researchers and governments.

Calls for review

4.16      In the 23 years since the provision was last debated, the technologies available to protect privacy have increased dramatically. As technology has increased and researchers have become able to conduct more complex analysis of combined datasets, the demand for linked data has also grown.

4.17      This in turn has led to a number of prominent reports that have recommended that the National Health Act and the Privacy Guidelines be reviewed.

4.18      For example in 2009, the National Health and Hospitals Reform Commission wrote:

To better understand people’s use of health services and health outcomes across different caresettings, we recommend that public and private hospital episode data should be collected nationally and linked to MBS and PBS data using a patient’s Medicare card number.[16]

4.19      In 2013, the Productivity Commission similarly suggested that the Privacy Guidelines be amended noting that in the present environment:

Protecting confidentiality is warranted but the current approach is too cautious and complex with the restrictions creating unnecessary downsides and delays for evidence-based policy formulation.[17]

4.20      In December 2015, the Public Sector Data Management Report called the current privacy arrangements 'over-cautious and cumbersome'.[18]

4.21      Days after this report was released, departmental witnesses who appeared before the committee were given the opportunity to explain how the current restrictions came to be in place and why they continue to be necessary. The answer provided by representatives of the Department of Health acknowledged the 'very strong concerns about privacy' which historically dominated departmental assessments of data requests from researchers.[19] However officials noted the paradigm shift that has occurred:

...what has happened fairly recently is that there has been a significant cultural shift in the way data is regarded. It is regarded as an asset; it is regarded as a key tool in informing policy development and research. I think we are shifting from a culture of protecting data at all costs to one of protecting data but also identifying ways we can use it.[20]

4.22      Even the Acting Australian Information Commissioner supported the need to review the current legislative restrictions on linking MBS-PBS data:

...section 135 of the Health Act...came into force, I think, over 20 years ago. I would be the first to say that legislation should be reviewed regularly and, in fact, some years ago I actually proposed that when there were some challenges identified with the guidelines when the office [Office of the Australian Information Commissioner] was developing it at the time. We acknowledged that there seemed to be some challenges about data retention; being able to bring the two sets of data together into one database was another issue. At that stage—I think that that was in 2011—I said that we were certainly open to having that particular piece of legislation looked at because it was, for want of a better description, an old piece of legislation that was developed at a different time when there were different community expectations and different mechanisms to simply store the information.

So what I am saying is yes—I think it is entirely appropriate to have that piece of legislation reviewed, to look for other mechanisms which may be able to make more efficient use of that information in terms of...freeing up data for good social policy purposes. But at the same time I would then say that if we are going to do that, what can we build in to ensure there is the right level of protection about that information in a newer environment of how it is going to be used? That could be through mechanisms such as building up protections around security, giving it stronger protections where it is going to be held. Those sorts of issues are things we would want to look at.[21]

4.23      The Public Sector Data Management Report released by the Department of the Prime Minister and Cabinet in December 2015 recommended that:

Legislation should be reviewed to identify whether privacy and secrecy laws can be streamlined and modernised to enable data to be better used for policy and research...[22]

Australian Information Commissioner's view

4.24      The Office of the Privacy Commissioner sits within the Office of the Australian Information Commissioner. The post of Privacy Commissioner is currently vacant and instead those functions are fulfilled by the Acting Australian Information Commissioner.[23]

4.25      The Office of the Information Commissioner recognised that there are significant social benefits that can be obtained by using de-identified health data for policy development and research purposes. The Acting Australian Information Commissioner, Mr Timothy Pilgrim, wrote in his submission:

Taking into consideration the Committee's focus on improving access to and linkage between health data sets for policy development, I appreciate that personal information held by government can be, when it is handled appropriately, a valuable resource for policy, planning, research, innovation and providing better services.

If legislative and policy changes are made to facilitate or extend access to, and the use of, personal information in research and policy planning, it is important that an integrated approach to privacy management is taken from the beginning. This includes, for example:

  • implementing legislative safeguards to limit the possibility of function creep
  • considering whether any restriction on an individual's right to privacy that arises from changes to how health data sets are used is reasonable, necessary and proportionate to the expected benefits
  • considering whether personal information is in fact required, or whether de‑identified or anonymised information will suffice
  • undertaking a Privacy Impact Assessment (PIA) for each project that uses personal or de-identified information.[24]

4.26      In his testimony, Mr Pilgrim described a 'recurring theme' amongst certain government organisations that 'the Privacy Act was blocking the use of data' instead of them actively looking for ways to comply with the legislation and achieve the goals that researchers or others might be looking for.[25]

4.27      Mr Pilgrim also pointed out that there were options that were available under the existing privacy arrangements:

One of the security provisions in Australian privacy principle 11, which deals with securing that information and keeping it safe, says that personal information that is no longer required should either be destroyed or de‑identified. It does not set a time frame around that in particular to general personal information, so one of the mechanisms there which could allow that information to continue on is if it can be de-identified. Once information is de-identified it falls out of the definition of personal information—as you would understand, if you cannot tell who the individual is, then it is not personal information—so there are mechanisms by which quite a bit of data, I would suggest, could be kept.[26]

Proposed privatisation of Medicare payment systems

4.28      One week after the committee's final data linkage public hearing, the West Australian published an article about the government's 'secret' proposal to privatise Medicare's payments system:

The West Australian has learnt that planning for the ambitious but politically risky outsourcing of government payments is well-advanced, with a view to making it a key feature of Treasurer Scott Morrison’s first Budget in May...

[The successful private sector provider] would administer claims and payments while overseeing eligibility criteria, meaning they would require access to people’s sensitive private information.

Doctors would also have to open their books to the provider, which would be subject to regulatory oversight.[27]

4.29      Although details of the government's privatisation process and timing are unclear, senior Health Department officials have stated that a new Request for Quote was issued in January 2016 'to start to look at how we might scope this type of work, stressing that obviously we are in an exploratory stage and no decisions have been made.'[28]

4.30      Nevertheless, the Australian Medical Association has raised concerns that any move to privatise Medicare payments could 'compromise patient privacy and further fragment their care.' AMA Vice President Dr Stephen Parnis told ABC Radio that such a move would raise serious privacy issues:

There are concerns raised about the way that the administrators of these programs would handle confidential medical data; how their input may influence or undermine the doctor-patient relationship in terms of its funding.[29]

Committee view

4.31      The committee notes the real risk to privacy, improved public policy planning and to the delivery of universal healthcare if the ideological attack on Medicare expands into the actual privatisation of the Medicare payments system and associated data.

4.32      The committee also notes that the restriction on linking MBS and PBS data that is embodied in section 135AA of the National Health Act is over 20 years old and is prescriptive given technological progression in protecting data and other restrictions on accessing data.

4.33      The committee agrees with the Acting Australian Information Commissioner and other witnesses that privacy is always an important consideration in the policy making process and that it ought to be afforded serious consideration in the making and altering of access arrangements in this space. The evidence of witnesses, such as Professor Stanley and Professor Pearson, clearly indicate that there are significant harms in failing to do so.

4.34      The evidence received however, indicates that current legislative restrictions on linking MBS and PBS data are unnecessarily placing Australian lives at risk. As Professor Stanley noted (see chapters 2 and 3), there could be another thalidomide crisis or hundreds of people needlessly dying of heart attacks and we would be unable to detect it because we currently do not have the evidence‑based data available.

4.35      These significant health care imperatives must be weighed against competing public policy priorities. Privacy is and must continue to be a key consideration in the formation of public policy. However, the evidence presented to this committee, drawing on the long history of data linkage both domestically and internationally, demonstrates that data linkage is undertaken securely with successful containment of risk to the privacy of individuals while leading to significant improvements in health outcomes.

4.36      While the committee is confident about the thoroughly tested processes underpinning the use of de-identified health datasets in data linkage projects, the government's proposed privatisation of the Medicare payment system raises real privacy concerns. The committee is concerned that the government's privatisation plans risk an unintended disclosure of highly sensitive MBS and PBS data. In the committee's view it is important to maintain a clear distinction between the linkage of de-identified health datasets and the wholesale privatisation the Medicare payment systems. 

4.37      The committee is heartened that there seems to be such strong public support to utilise de-identified data that is already routinely collected to improve the health of the populace. 

4.38      Time and again, as demonstrated above, the committee heard that consumers were surprised that government did not already use administrative data for these purposes.

4.39      There is now a renewed focus on data in the public service. Given the significant opportunities to improve Australia's healthcare outcomes, the committee urges the government to adopt the following recommendations:

Recommendation 4

4.40        The committee recommends that given the changes in technology, and mindful of the capacity and moral obligation for governments to hold and strongly secure personal data and privacy, the government review the operation of section 135AA of the National Health Act 1953, with the aim of improving access to de‑identified MBS and PBS data for the purpose of health policy evaluation and development as well as research undertaken in the public interest.

Recommendation 5

4.41      The committee recommends that the Australian Information Commissioner, in consultation with privacy advocates, data custodians, academics and healthcare consumers, review the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs in order to ensure that the government:

  • retains ownership and management of Australian MBS and PBS data and improves technological capacity to ensure the privacy of all Australians health data; and
  • develops a strategy to improve access to de-identified MBS and PBS data for the purpose of health policy evaluation and development as well as research undertaken in the public interest, in ways that don't decrease privacy.

Navigation: Previous Page | Contents | Next Page