Published at The Conversation, Monday 30 May

Telstra Health – the company’s health arm – will aggregate and manage data currently held by various state registries into one national database. There is potential that other cancer screening registries, such as breast screening, might also be contracted to Telstra Health in the future.

The registries not only contain personally identifying information, such as names and addresses, but also the results of pap smears that allow inferences about a person’s sexual status.

When Telstra Health’s venture into the marketplace was first foreshadowed in late October 2014, commentators highlighted potential issues around the privacy of Australians’ personal information. So it was no surprise that this first Australian outsourcing provoked consumer advocates to highlight similar concerns.

Why outsource?

In 1993, two American management gurus, David Osborne and Ted Gaebler, proposed a magic pudding recipe for what they termed Reinventing Government. In their model, government could set its objectives and use market-based approaches – including contracting out functions to private companies – to provide services to achieve them.

More than 20 years later, the waters of government contracting out are lapping at the gates of Medicare. The 2014 federal budget proposed outsourcing, or “market testing”, the processing of Medicare payments. And while we wait, the Telstra contract has become the first such outsourcing in Australia.

Private registry operators have been established in the United States for a number of years and have won contracts to run cancer registries in some states. So far, no data security breaches have been reported in these. But this doesn’t stop Australian health experts from worrying.

Privacy concerns

The Department of Health has taken the unusual step of issuing a media release in the middle of an election campaign to assuage concerns. It confirmed that Commonwealth privacy legislation will apply to the cancer registry data managed by Telstra Health and that “any misuse of data could be an offence under the Criminal Code”.

Although that language sounds strong, criminal prosecutions usually require proof of malicious intent, recklessness or negligence – a high standard that isn’t always likely to be met.

What is more likely is that well-meaning staff might not be scrupulous in rejecting data requests from those who, on first glance, appear to have a legitimate reason for knowing personal details. They might, for instance, release an address to a police officer hunting for a missing person who sought the information without a warrant. Or they might release data by mistake.

Concerns about privacy are exacerbated by the fact that Telstra has breached its customers’ privacy before. In 2011, around 60,000 BigPond users’ passwords were temporarily displayed on the internet, leading to an investigation by the Privacy Commissioner for security breaches.

And in January this year, personal voicemails of one Telstra user were mistakenly sent to another. This may be a small example of a data breach, but everyone is entitled to their privacy.

Contractual protections

Beyond legislative threats, privacy concerns can only be assuaged through contractual provisions, whether in the cancer registry contract or with the processing of Medicare payments. Unfortunately, we don’t know how strong the provisions are in the proposed contract and what the renewal provisions are.

Unauthorised release of data potentially costs registries in terms of investigations and regulatory compliance, but these costs should be increased to ensure managers have even greater incentives to take strong action to protect patient privacy.

The automatic consequences of release of data – inadvertent or not – must be made so great that any risk-management matrix will ensure the organisation and its managers always have patient privacy at the forefront of their mind. It will not be good enough to do the standard dance after the data is released, or inappropriately used, where the contracting organisation (in this case, the Department of Health) tut-tuts, and the contractee (in this case Telstra Health) issues a mea culpa.

The contract should prescribe tough financial penalties that have automatic effect after any data release, allowing little discretion for the penalties to be lobbied away with promises of future good behaviour. The contractual penalties need to be strong enough (A$1 million per person identified or data element used, for instance) so management ensures that patients’ rights and privacy are protected.

Consumers might also be given a right to sue for breach of their privacy to further focus management’s mind.

Clearly, the cancer screening registry contract is only the first of the potential outsourcing of health programs. It creates a precedent that needs to be right.
