20 – Anna Johnston, Sallinger Privacy

20 – Anna Johnston, Sallinger Privacy

If you work in the healthcare industry you have a huge responsibility when it comes to managing sensitive patient information, whether you’re a big software vendor or a single physiotherapist, everyone needs to follow the same rules, and there are some pretty serious consequences for not doing it properly.  Do you know what your obligations are and if you’re doing a good job? Check this episode out to find out!

Who is Anna Johnston

Anna Johnston is one of Australia’s most respected experts in privacy law and practice.

She has qualifications in law, public policy and management, and 26 years’ experience in legal, policy and research roles.  Anna has a breadth of perspectives and a wealth of experience to dealing with privacy and data governance issues.

She is the former Deputy Privacy Commissioner for NSW, so she knows the regulator’s perspective and since 2004 is the Director for consulting firm “Salinger Privacy”.

Anna has been called upon to provide expert testimony before various Parliamentary inquiries and the Productivity Commission, spoken at numerous conferences, and is regularly asked to comment on privacy issues in the media.  

Anna holds a first class honours degree in Law, a Masters of Public Policy with honours, a Graduate Certificate in Management, a Graduate Diploma of Legal Practice, and a Bachelor of Arts, plus a number of other relevant and well regarded certificates and industry associations. 

In this Episode you’ll learn

2:08 – About Salinger Privacy

4:55 – Privacy Concerns in Data (with a focus on health tech)

8:15 – All about, privacy reviews, data flows, data governance, and privacy design

14:28 -AI – How does it fit ethically, legally and is policy keeping up with innovation 

16:40 – AI – GDPR, challenges for AI with diagnostic decisions  

20:10 – AI – Transparency, Accountability and Consent

26:00 – Legal Obligations with Data Privacy

Key TakeAways

1. When it comes to privacy law in Australia, the same laws and consequences apply to everyone dealing with healthcare information – whether they are a big institution of a single doctor.
2. While Data Privacy breaches do happen they are often the result of lack of education and or the best intentions in mind, not so much because of malicious intent
3. Often AI is trained on data that was collected not for the intention of training the machine, so the concept of informed consent is a tricky one 
4. The simple “tick this box to agree” actually isn’t enough and more emphasis needs to be put on clearly communicating clearly with the person who’s data is being collected
5. The expectations of patients data privacy holds the health and medical industries to the highest levels of scrutiny meaning that breaches are to be reported to the Price  Commissioners office and the patients whose privacy has been breached

Links

Anna Johnston Twitter – @SalingerPrivacy 

Anna Johnston LinkedIn – https://www.linkedin.com/in/anna-johnston-ba188410a/

Notifiable Data Breaches Scheme – https://www.oaic.gov.au/ndb 

GDPR – https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation/ 

MSIA – https://msia.com.au/ 

Salinger Privacy – https://www.salingerprivacy.com.au/ 

My Health Record (Formerly PCEHR) – https://www.myhealthrecord.gov.au/ 

NDIS – https://www.ndis.gov.au/ 

National Health and Medical Research Council – https://www.nhmrc.gov.au/ 

Transcript

[00:00:00] Pete: With me today is Anna Johnson. Anna is one of Australia’s most respected experts in Privacy Law and practice.

She has qualifications in law, public policy and management and 26 years experience in legal policy and research roles. Anna has a breadth of perspectives and a wealth of experience in dealing with privacy and data governance issues. She’s the former deputy privacy commissioner for New South Wales.So she really knows regulatory perspective well, and since 2004 is the director for consulting firm Salinger Privacy Anna holds a first-class honours degree in law, a masters of public policy and honors a graduate certificate in management a graduate diploma of legal practice Anna Bachelor of Arts plus a number of other relevant and well-regarded certificates and Industry associations, Anna no longer practices as a solicitor so I am allowed to tell the occasional lawyer joke apparently which is great because that’s what I’ll probably do Anna thanks so much for joining.

[00:01:06] Anna: Thanks Peter great to be here.

[00:01:07] Pete: I think we came across each other because you were doing some stuff with MSIA a before the Medical Software Industry Association.

[00:01:15] Anna: Yes, I presented at their annual conference recently and then also ran a workshop about privacy by Design so for anyone in that space of Designing health-related technology how to understand the kind of the skills and strategies that will help you build privacy compliance into the design upfront rather than trying to retrofit later.

 [00:01:39] Pete: Love to get into more of that detail a bit later on in the conversation too. So, you know you’re well well primed for the health Tech space and it’s kind of cool to have someone on the show that you know is involved in many different Industries. You’re not a vendor you’re another player in this kind of big space in an area that’s super important these days in our area of Health Tech being data privacy and security and whatnot.So I’m super excited about this conversation. So tell me a little bit more about Salinger Privacy what you guys do and where your clients operate?

[00:02:13] Anna: Sure. So well basically we do all things privacy, so we do consulting, training, and we offer resources and one of the things I love about working in the Privacy space is It’s just a fascinating intersection between law ethics and Technology. There’s you know, there’s always something new. There’s always a new technology you coming around the corner that we have to get our heads around and help our clients manage that intersection between their Legal obligations ethics customer expectations and then you know what the technology can and what the technology should be allowed to do so, we work across as I said Consulting, training, and resources and we are an Australian business, we’ve got clients across Australia occasionally we dip our toe into the waters of New Zealand as well. But our clients come from their quite the mix. So, quite a lot of government clients but also businesses from the big end of town, to the nonprofits and also the small and very much Tech startup space.So we have clients everywhere from the kind of you know top ASX companies down to you know, one person’s got a great new tech idea with working out of their spare bedroom at the moment kind of space.

[00:03:28] Pete: Nice as to how much of it do you reckon is in that Health space?

[00:03:34] Anna: Yeah health is really common as probably the second biggest sector after government. Although of course, you know often government is also in the health sector. So sometimes our clients will be the health service provider. So someone directly in that Health Service provision space and they just want to make sure they’re dotting their I’s crossing their T’s in the way that they’re collecting and using their patients data, but more typically where, not so much that direct service provision, but all the organizations that use and collect and hold and store health information. So sometimes that’s insurance companies for example, sometimes it’s governments working in public policy organizations getting into the data analytics space so focusing particularly on you know health and disability data for example, and then there’s been some really big-ticket kind of projects we’ve worked on. So we worked on the Privacy impact assessment on the original design for My Health Record, back when it was originally called the Personally Controlled Electronic Health Record the original setup of the National Disability Insurance Scheme. So we’ve been involved in privacy impact assessments very early on in those very very big-ticket government projects which touch on health and disability data in particular.

[00:04:55] Pete: So in health in particular then what are some of the biggest privacy concerns you see today that the pop-up.

[00:05:02] Anna: So what I think is quite interesting about the health sector and it makes it different to other sectors is the health sector is a standout but in a bad way, unfortunately, so the health sector consistently tops the list of sectors reporting notifiable data breaches in Australia.So and when we talk about a notifiable data breach we’re talking about when personal information has either been lost. Subject to unauthorized access or subject to an unauthorized disclosure

[00:05:33] Pete: because it was those relatively recently wasn’t it that want kind of recently that was something change that meant that companies needed to be more transparent with that kind of thing.

[00:05:43] Anna: Yeah absolutely so the law was changed in February 2018. To make notification of it. So if you have this kind of data breach and if it’s likely to result in serious harm to one or more individuals. It’s now the law in Australia that you need to notify both price commissioner’s office and those affected individuals, so your patient.

[00:06:03] Pete: It’s not just big companies or small companies.

[00:06:05] Anna: So in the health sector at covers any health service provider regardless of their size.

So you might be a one-person physiotherapy business, you know or an independent Locum you uncovered by the federal privacy act. So regardless of your size all Health Service Providers are covered. Outside the health sector, there is an exemption for small businesses. But that exemption does not apply to health service providers.

So the health sector is already called out for I guess expectations of a high level of privacy protection for businesses no matter their size in the health sector just because of you know, patient’s expectations. And so I think one of the things that makes the health sector different is patient expectations, so it’s not that the type of privacy risks or privacy issues are different for health technology, for example, technology design as for any other type of Technology design, but the difference is that patients expectations about the protection of their Health Data are much higher. There’s just this sort of intuitive if it’s my health information. It must be kept absolutely private, but also the consequences of privacy breaches tend to be higher when you’re talking about health information compared with say, you know, The Accidental disclosure of someone’s credit card details. Yeah, there are some financial risks. But those risks can be resolved, you know relatively straightforward way. I don’t want to minimize those risks, but it’s quite a different story in terms of the repercussions individuals can face if their health information is disclosed without Authority. So that might be it could be discrimination embarrassment implications for their employment implications for insurance and all the rest.

That’s what makes the challenges for people working in technology into the health sector and technology so much higher not that as I said, not that. The nature of the Privacy risks themselves are terribly different. It’s just that the expectations are higher and the consequences are worse if you have a data breach.

[00:08:17] Pete: So you mentioned that you guys do privacy reviews. What is a privacy review exactly?

[00:08:24] Anna: So we did two different kinds so one is called a privacy impact assessment and the other is generally called a privacy audit or a privacy compliance review and the difference really is where you’re at in the design process for what we’re reviewing. So if you are at the design stage of a new project new technology project, for example, we get in at the design stage and do what’s called a privacy impact assessment. If you want us to review something that’s already up and running.

So your business as usual. We basically call that a privacy audit but regardless of which one of those we doing. We ask the same kind of questions and regardless of whether its the design of the software. It might be the design of a business process. It might be the design of a paper form. It doesn’t have to be, you know, a high-tech project to need this kind of review.

So regardless of the nature of the project we tend to ask the same questions so you know can and should we collect this data can and should we use it for this particular purpose who can we disclose it to? How do we keep it safe? So when we look at a new project, for example, we look at two broad things one is data flows and the other is data governance.

So when what I describe as data flows what we’re looking at is. What personal information is being collected? How is it going to be used? Who will it be disclosed to so those three points collection use and disclosure and for each of those we then ask is this going to be appropriate meaning is it going to be lawful?

So is it going to comply with the Privacy principles that govern collection use and disclosure but not just is it going to be lawful? Is it going to meet your customers? You know your patients expectations. Is it going to be proportionate to a legitimate business need and is there critically, is there a more privacy-protective way you can achieve that business objective? Yeah, so always trying to come up with you know, helping our clients come up with the most privacy-protective design of a technology of a form of whatever it is but in a way that still achieves the businesses objectives.

So once we’ve settled those questions about authorizing the data flows and making sure that there are lawful and appropriate then we look at data governance. So we usually start with looking at transparency. So have you communicated clearly to your customers about those data flows? You know how their personal information is going to be collected used and disclosed so that they actually understand what’s going to happen.

You know, I talk about the no-surprises rule no one likes to be surprised what’s going to happen with their data and if they have if they’re going to have choices is there a really easy way for them to manage those choices? You know, is it as straightforward as a swipe left or right on the app to say yes or no to something and one thing that’s really important is in terms of transparency is for organizations to separate out what we see is three different things but often bundled together. So those three things are your privacy policy a collection notice explaining. At the point of collection what it is you’re doing with the person’s information and a consent mechanism if you’re going to rely on consent, so those three things serve three quite different purposes, but especially online.

The design practices often companies will jumble the three all together into one long legalistic confusing document and then they make users just tick agree

[00:11:55] Pete: Tick a box and you can and you can click the link. Click the link to go read it that you it’s not down the bottom.

[00:12:02] Anna: Yeah, and we know no one ever reads it, I don’t even read them. So we so in terms of data governance. We look importantly transparency. And then finally we look at other data governance questions, like have your staff being trained. Do you have a clear pathway for managing any requests you get for patients to access their data or correct it do you have a clear pathway for managing privacy complaints. Do you have a data breach response plan in place to your staff know what to do in the event of a data breach, so. All of those things that of data flows and data governance form part of whether we’re doing a privacy impact assessment of a new project or a privacy audit of an existing business process and again, whether its software or something else, we look at both data flows and data governance as part of our privacy review.

[00:12:53] Pete: And if I think about it from my experience. Often, you know, if I’m thinking as a health Tech vendor not many of them go out with any kind of massive intention on I don’t know to steal patients information or doing something cynical with the data, but I’ve seen in the past two, it’s not about the intention of what they’re going to do with it, but it’s almost the perception of what’s going to happen or so having that kind of review or someone outside of the business to do that sounds like a pretty sensible thing to do.

[00:13:23] Anna: Yeah, absolutely and certainly my experience having worked in you know, in a regulatory role in the primes Commissioner’s Office the vast majority of privacy complaints and the vast majority of privacy breaches and data breaches are not coming from a point of malicious conduct or deliberately people doing the wrong thing.

It’s accidents and it’s oversights and its people simply not understanding what their obligations are. Understanding that there are alternative ways to design things. So absolutely. Yeah. I very very rarely see privacy breaches arising from deliberate misconduct. Yeah. It’s much more coming from a place of ignorance and sometimes people trying to do the right thing, you know trying to be helpful in trying to help the clients but accidentally doing the wrong thing.

[00:14:20] Pete: Yeah, that can happen in health care too. Can you just send this across to me? I really need it because of this particular situation or something. Yeah.

[00:14:27] Anna: Yeah. Absolutely.

[00:14:28] Pete: It seems to be the right thing to do. It’s a balance. So I’m thinking about that In our world AI artificial intelligence that’s a big point of discussion regarding privacy for me anyway at the moment. How well do you think policies keeping up with the rate of pace of innovation in Australia more broadly as AI is really Innovative space and there are other things going on too, how’s policy keeping up.

[00:14:50] Anna: I think there’s a constant challenge whether it’s AI or any other kind of new technology.

There’s always this challenge of Law and policy keeping up. The first point I’d make is that privacy laws are designed deliberately. They’re drafted deliberately to be technology-neutral and format neutral. So the idea is that they shouldn’t actually be always playing catch-up. We’ve tried to anticipate in the drafting of our privacy laws technologies that haven’t even been thought of yet and our starting point with those laws is Broad framed general kind of principles and it’s all about respecting humans autonomy and dignity. So sort of one answer is the law is keeping up because it’s it was already anticipating new technologies and that those new technologies should be being managed Under the Umbrella of existing laws and policies.

But at the same time obviously the law is constantly being challenged in terms of how workable it…