<?xml version="1.0"?>
<rss version="2.0">
	<channel>
		<title></title>
		<link>http://www.privacy.org.nz./commissioner-inquiries/</link>
		<description></description>

		
		<item>
			<title>Kai Tiaki inquiry report</title>
			<link>http://www.privacy.org.nz./kai-tiaki-inquiry-report/</link>
			<description>&lt;h3&gt;Background of inquiry&lt;/h3&gt;
&lt;p&gt;&lt;br /&gt;
In May 2006 “Kai Tiaki Nursing New Zealand”, the New Zealand Nurses Organisation’s journal, published a photographic essay “Who Cares”. The five-page essay encompassed 39 images. The images portrayed the daily routine of carers looking after the elderly in an institutional setting and depicted both carers and residents, along with quotations from the subjects in the photographs. Some photographs showed carers and apparently vulnerable residents who were near naked and engaged in intimate daily routines such as showering and toileting. The purpose of the essay was to highlight the work of the carers and the people for whom they care in an effort to improve work conditions. &lt;/p&gt;
&lt;p&gt;Download the full inquiry report below (PDF 11 pages)&lt;/p&gt;</description>
			<pubDate>Fri, 23 Mar 2007 12:08:55 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./kai-tiaki-inquiry-report/</guid>
		</item>
		
		<item>
			<title>Guthrie Tests</title>
			<link>http://www.privacy.org.nz./guthrie-tests/</link>
			<description>&lt;p&gt;A report by the Privacy Commissioner following his inquiry into the collection, retention, use and release of newborn metabolic screening test samples, pursuant to section 13(1)(m) of the Privacy Act 1993. &lt;/p&gt;
&lt;p&gt;You can download the full, 14-page report from the bottom of this page. &lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Introduction &lt;/h3&gt;
&lt;p&gt;In May 1999 an application was made to the High Court for a direction that Auckland Healthcare Services Ltd produce a blood sample of a child which was the subject of proceedings before the Court. At issue was a Guthrie blood test sample taken from the child and held by the National Testing Centre, a division of Auckland Healthcare Services Ltd. The Court ordered Auckland Healthcare Services Ltd to produce the blood sample card for inspection by the court and/or for the purpose of making any experiment thereon. The blood sample was tested and the father of the child subsequently made an application to the High Court in August 1999 for a declaration of paternity. &lt;br /&gt;
 &lt;br /&gt;
I considered there were information privacy issues as well as other issues of public policy involved in making blood samples available for genetic identification. The judgments of Justices Salmon and Morris did not traverse in detail the public policy issues. I accordingly commenced an inquiry into the collection, retention, use and disclosure of the samples to see if there appeared to be any changes which ought to be made in the law, information supplied to parents, retention of the samples and to consider the implications of the use and disclosure in civil and criminal cases of the samples or the information obtained from them. &lt;br /&gt;
 &lt;br /&gt;
Following is a report of that inquiry. It is my recommendation that legislation be introduced to control the storage and use of Guthrie Blood Test Sample Cards. &lt;br /&gt;
 &lt;br /&gt;
I was assisted in my inquiry and the writing of this report by Kristin Langdon BA LL.B NZRN and Robert Stevens, Barrister.&lt;/p&gt;</description>
			<pubDate>Fri, 12 May 2006 15:05:37 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./guthrie-tests/</guid>
		</item>
		
		<item>
			<title>Canterbury District Health Board patient notes inquiry</title>
			<link>http://www.privacy.org.nz./canterbury-district-health-board-patient-notes-inquiry/</link>
			<description>&lt;h4&gt;Inquiry Initiated by the Privacy Commissioner&lt;/h4&gt;
&lt;p&gt;Canterbury District Health Board&lt;br /&gt;
Discovery of patient notes in an abandoned hospital building&lt;br /&gt;
Final report&lt;br /&gt;
July 2003&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Background to the Inquiry&lt;/h3&gt;
&lt;p&gt;On 18 May 2002, the Christchurch Press reported that confidential psychiatric records had been found in an abandoned Sunnyside Hospital building in Christchurch. As a result, the newspaper reported, an internal hospital inquiry had begun and the Privacy Commissioner and the Health and Disability Commissioner had been informed.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;The Facts&lt;/h3&gt;
&lt;p&gt;The Privacy Commissioner was advised that, in November 2001, an amateur photographer had broken into the abandoned building and had found records pertaining to patients at the old Sunnyside Hospital.&lt;/p&gt;
&lt;p&gt;The woman found a 1989 duty diary which detailed events in the hospital, including deaths, suicides, assaults, escapes and treatment of patients. The diary named more than 100 patients from a large number of wards. The woman also found a number of patient information sheets which listed bank account numbers, social security numbers and next of kin. Typical excerpts from the diary include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt; (Patient) left ward via window. After a search was found on Wrights Rd overbridge about to jump. With difficulty was restrained and returned.&lt;/li&gt;
&lt;li&gt; (Patient) rocking, ruminating and remained resolved about her intentions to end her children's lives until 0200 hours when she fell asleep with assistance of medication.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;br /&gt;
The hospital demanded that the (stolen) files be returned.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Action Taken by Canterbury District Health Board&lt;/h3&gt;
&lt;p&gt;Vince Barry, General Manager of Mental Health Services advised that the building was supposed to have been cleared of documents when it closed in 2000. All other buildings were checked and no other documents were found.&lt;/p&gt;
&lt;p&gt;Mr Barry apologised for what had occurred and reassured patients and their families that no patient files were among the documents returned to the hospital by the newspaper.&lt;/p&gt;
&lt;p&gt;The DHB began an internal inquiry into the matter.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Canterbury DHB's Internal Inquiry&lt;/h3&gt;
&lt;p&gt;The documents had apparently been held by the finder for some months. The identity of the finder was not disclosed to the DHB so it was not possible to confirm where the diary had been found and, in particular, whether it had been found in the old Sunnyside hospital building. The DHB noted that there are numerous buildings on the Sunnyside (now Hillmorton) hospital site that have been decommissioned over the last few years.&lt;/p&gt;
&lt;p&gt;The focus of the DHB's report was the process by which the building was decommissioned. This revealed that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt; The main Sunnyside building was vacated in October 2000.&lt;/li&gt;
&lt;li&gt; It previously housed a number of services which had been moved to more appropriate accommodation as the site was redeveloped.&lt;/li&gt;
&lt;li&gt; Large parts of the building were vacant at this time.&lt;/li&gt;
&lt;li&gt; A Project Manager supervised the move of the Administration department. Papers, documents and old furniture left in the building were cleared.&lt;/li&gt;
&lt;li&gt; The Facility Service Manager of Hillmorton Hospital reviewed any documents found.&lt;/li&gt;
&lt;li&gt; Documents not required for clinical purposes were disposed of via secure document destruction.&lt;/li&gt;
&lt;li&gt; The building was locked, windows were boarded and the perimeter was fenced.&lt;/li&gt;
&lt;li&gt; The site was signed to clearly indicate that persons entering would be trespassing.&lt;/li&gt;
&lt;li&gt; The buildings were maintained by building and maintenance services with frequent patrols being conducted by a contracted security company.&lt;/li&gt;
&lt;li&gt; Since then, there have been occasions when the old buildings have been broken into.&lt;/li&gt;
&lt;li&gt; As much of the building is regarded as unsafe, neither the police nor security patrols have entered the building.&lt;/li&gt;
&lt;li&gt; In each case where entry has been detected, Building and Maintenance Services have re-secured the access points.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Following the individual going to the newspaper, the General Manager, Mental Health Services requested a further search of the building. This search was conducted on 17 May 2002 and did not reveal any further sensitive documents remaining in the former Sunnyside hospital building.&lt;/p&gt;
&lt;p&gt;The former hospital buildings are currently in the process of being demolished and it is anticipated that demolition work will be completed by February 2003.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Compliance Issues&lt;/h3&gt;
&lt;p&gt;Canterbury DHB has acknowledged that the incident has highlighted the need to ensure that reasonable safeguards are in place for the protection of health information. It has submitted that when the building was vacated, documents were removed and the building was then secured. Any information which was disclosed was as a result of illegal entry to the building and the theft of some documents. Canterbury DHB accepts that all patient information should have been removed.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;The Privacy Act&lt;/h3&gt;
&lt;p&gt;The incident raises issues under Rule 5 of the Health Information Privacy Code. Rule 5 provides:&lt;/p&gt;
&lt;p&gt;    (1) A health agency that holds health information must ensure:&lt;/p&gt;
&lt;p&gt;    (a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:&lt;br /&gt;
    (i) loss;&lt;br /&gt;
    (ii) access, use, modification, or disclosure, except with the authority of the agency; and&lt;br /&gt;
    (iii) other misuse;&lt;br /&gt;
    (b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the health agency, including any storing, processing, or destruction of the information, everything reasonably within the power of the health agency is done to prevent unauthorised use or unauthorised disclosure of the information; and&lt;br /&gt;
    (c) that, where a document containing health information is not to be kept, the document is disposed of in a manner that preserves the privacy of the individual.&lt;/p&gt;
&lt;p&gt;    (2) This rule applies to health information obtained before or after the commencement of this code.&lt;/p&gt;
&lt;p&gt;Under this rule, an agency is obliged to have in place systems to ensure that reasonable security safeguards are in place to protect information that it holds.&lt;/p&gt;
&lt;p&gt;Notwithstanding that a search of the building was conducted when it was vacated, the building was secured and documents were removed, it appears that the process was not adequate to ensure the protection of health information. Indeed, it appears that some documents remained in the building, and it was not sufficiently secured to prevent illegal entry and theft of some sensitive information.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Decommissioning Process&lt;/h3&gt;
&lt;p&gt;In order to avoid the repetition of such an incident, the following decommissioning process will be implemented by the DHB:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt; When vacating premises, all documentation, irrespective of source or content, should be removed;&lt;/li&gt;
&lt;li&gt; The relevant Service Manager should sign off that this has been done;&lt;/li&gt;
&lt;li&gt; Following the move, a person should be designated responsibility by the Site Redevelopment Manager via the relevant Project Manager for physically checking that clearance has occurred;&lt;/li&gt;
&lt;li&gt; The responsible person should retrieve any items that could be regarded as health or otherwise sensitive information; and&lt;/li&gt;
&lt;li&gt; The process should be signed off as being completed.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;Having considered the information provided to me by the DHB, I am satisfied that the incident which is the subject of my Inquiry is an isolated one and that the DHB has taken appropriate steps to avoid its recurrence. In particular I note it has formalised a Decommissioning Process which it will use in the future when a site is vacated and records and documents need to be relocated. I consider it essential that such a process is followed.&lt;/p&gt;
&lt;p&gt;I have brought this report to the attention of all District Health Boards and to the Private Hospitals Association so that they may adopt appropriate procedures for decommissioning of hospitals. I do not consider any further action on my part is necessary.&lt;/p&gt;
&lt;p&gt;B H Slane&lt;br /&gt;
Privacy Commissioner&lt;/p&gt;</description>
			<pubDate>Sat, 13 May 2006 16:06:24 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./canterbury-district-health-board-patient-notes-inquiry/</guid>
		</item>
		
		<item>
			<title>Rawhiti Trust Hospital Board inquiry</title>
			<link>http://www.privacy.org.nz./rawhiti-trust-hospital-board-inquiry/</link>
			<description>&lt;h4&gt;Rawhiti Trust Hospital Board&lt;/h4&gt;
&lt;p&gt;Discovery of patient notes in a former private hospital building&lt;br /&gt;
Final report&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Background to the inquiry&lt;/h3&gt;
&lt;p&gt;Following reports to the media in December 2000 that patient files had been located at the former premises of a private hospital in Auckland (Rawhiti Trust Hospital), I initiated an inquiry into the circumstances in which these files had come to be left on those premises.&lt;/p&gt;
&lt;p&gt;I was concerned that the circumstances involved here raised issues relating to health records and what becomes of them when a hospital ceases business.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Terms of Reference&lt;/h3&gt;
&lt;p&gt;I sought to establish:&lt;/p&gt;
&lt;p&gt;1. Whether records relating to terminations conducted at the Rawhiti Trust Hospital (&quot;the Hospital&quot;) had been left on the former premises of the Hospital;&lt;/p&gt;
&lt;p&gt;2. If so, what those records comprised, and how they came to have been left after the Hospital sold the premises;&lt;/p&gt;
&lt;p&gt;3. Who (which agency) was responsible for ensuring the Hospital's records had been properly secured after it had ceased functioning as a hospital.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Background on the Rawhiti Trust Hospital&lt;/h3&gt;
&lt;p&gt;The Hospital was formed under a Deed of Trust, dated 18 May 1971, and was registered under the Charitable Trusts Act 1957. The Hospital was under the direction of the Rawhiti Trust Hospital Board of Trustees (&quot;the Board&quot;), which met monthly, and had a General Manager employed (responsible to the Board) for the efficient running of the Hospital. The Board consisted of seven medical practitioners and one lawyer, none of whom received remuneration. The Hospital also had a Director of Nursing, who was responsible for the day to day running of the Hospital, in particular with matters to do with the Hospital's licence.&lt;/p&gt;
&lt;p&gt;The Board Secretary, John Hetherington, advised that during its period of operation the Hospital had held three main kinds of records - patient medical records, patient administrative records and staff employment records. During the Hospital's operation, patient medical records were stored at Nurse's stations (in the case of current in/out patient medical records), whilst administrative records (billing etc) were held in the Support Services Manager's Office. Once patients were discharged, their medical and administrative records were combined and kept in the Support Services Manager's Office for twelve months, after which they were taken to a locked storage area in the basement. In addition to these records the Hospital also held the usual records relating to its employees.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;The Facts&lt;/h3&gt;
&lt;p&gt;I was advised in early December 2000 that a member of the public had come across the confidential files of women who had had terminations. The allegation was that those records had been found in an unsecured room attached to the Mt Eden premises of the former Hospital.&lt;/p&gt;
&lt;p&gt;The files were alleged to include the names and addresses of women who had had terminations at the Hospital from 1995, termination authorisation forms, as well as general administration papers. Information on a number of terminations carried out each month at the Hospital had also been found.&lt;/p&gt;
&lt;p&gt;The premises were subsequently secured by the Police and these files removed to secure storage under the direction of the Ministry of Health. The Hospital had closed approximately three months prior to the discovery.&lt;/p&gt;
&lt;p&gt;A spokesman for the Board, John Hetherington, advised that the Board had been unaware that the files had been left at the Hospital's former premises when it had vacated them. Mr Hetherington initially said that he did not know why the files had been left behind. According to a spokesman for the security firm looking after these premises for the new owner the building had been padlocked, but had been broken into.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Privacy Commissioner's Inquiry&lt;/h3&gt;
&lt;p&gt;As a result of my inquiry I have been able to establish that the Hospital had closed on Friday 19 March 1999, and that prior to this the Director of Nursing had contacted the Ministry of Health and the Abortion Supervisory Committee advising of the impending closure and surrendering the Hospital's licence and the licence to conduct terminations. A further purpose of that contact was to arrange delivery of the Hospital's records to the Ministry, as required under the Hospitals Act 1957.&lt;/p&gt;
&lt;p&gt;It seems that the Ministry advised the Director of Nursing to herself make suitable arrangements for the confidential storage of those records, as it did not have room to receive them. This was done, with arrangements being made for confidential storage with a storage company in Penrose (Recall Total Information Management). The transfer of records was commenced prior to the Hospital's closure, but was not concluded until after the Hospital had closed, at a time when many of the staff who had been responsible for the records were no longer employed.&lt;/p&gt;
&lt;p&gt;The Hospital premises were not completely vacated until the end of April/beginning of May 1999, and sale of the premises was not concluded until the end of May 1999. Settlement was completed on 18 July 2000.&lt;br /&gt;
&lt;/p&gt;
&lt;h4&gt;The First Issue: Were records left on the premises?&lt;/h4&gt;
&lt;p&gt;It appears that during the operation of the Hospital some records and files had been transferred from the main storage area to a room under a fire exit stairway, normally used to house redundant equipment. Although the bulk of the records held by the Hospital were successfully relocated to storage with Recall, these records remained on the premises.&lt;br /&gt;
&lt;/p&gt;
&lt;h4&gt;The Second Issue: What did these records consist of, and how did they come to be left?&lt;/h4&gt;
&lt;p&gt;The records, which related to both staff and patients, were contained in six boxes and comprised: a ring binder (containing confidential patient information), files of creditors' invoices, theatre supplies lists, patient bulletins and staff wage lists. They related to the period 1990-1994. The ring binder of patient information contained 198 certificates from certifying consultants for the termination of pregnancies. The wage records consisted of a binder containing the print-outs of the calculations of employees' fortnightly wages.&lt;/p&gt;
&lt;p&gt;It appears that the six boxes had been temporarily stored in a room some distance from the main storage area, and in a place not routinely accessed by staff. The room had been locked during the time the Hospital functioned, with the key being kept in the Support Manager's Office. According to the security firm whose responsibility it was to secure the premises after the property had been sold, the room had been padlocked and had remained so until it was broken into. Contrary to some claims in the media, the files had not been abandoned in an unsecured room, nor were the Hospital buildings themselves unsecured: alarms had been installed in the main Hospital buildings after the purchaser had taken possession of it.&lt;/p&gt;
&lt;p&gt;It appears that an oversight occurred in the handling and removal of these records, in that the temporary location of the files was not one generally used for the storage of records and therefore was not thought to contain such records. This was compounded by the fact that, by the time of the final closure of the Hospital and the removal of the last records to secure storage with Recall, the staff remaining were unaware that records had been taken from the main storage area to that location. As a result these files were overlooked.&lt;/p&gt;
&lt;p&gt;The Board considers that the failure to remove these files from the room was an oversight, which it regrets. In its view, the physical location of the room contributed to that oversight. The Board has drawn my attention to the successful relocation of the bulk of the files held by the Hospital to secure storage.&lt;br /&gt;
&lt;/p&gt;
&lt;h4&gt;The Third Issue: Which agency was responsible for these records?&lt;/h4&gt;
&lt;p&gt;The major issue of concern to me during the course of my inquiry was which agency had been legally responsible for the secure storage of these records upon the closure of the Hospital.&lt;/p&gt;
&lt;p&gt;In my view, a strict interpretation of the governing legislation and regulations confers responsibility for ensuring secure storage of patient registers and records of the kind involved here on the Director-General of Health.&lt;/p&gt;
&lt;p&gt;Under the Hospitals Act 1957 and the subordinate Hospitals Regulations, health information is divided into registers of patients (specified under section 137 of the Hospitals Act and Regulation 5 of the Hospitals Regulations) and patient charts (provided for under section 138 of the Hospitals Act and Regulation 7(1) of the Hospitals Regulations).&lt;/p&gt;
&lt;p&gt;With respect to responsibility for this information, regulation 6(2) of the Hospitals Regulations provides:&lt;br /&gt;
&lt;/p&gt;
&lt;blockquote&gt;If a licence is revoked or otherwise terminated, the licensee shall forthwith forward all registers in his or her hands to the Director-General of Health.&lt;/blockquote&gt;
&lt;p&gt;&lt;br /&gt;
Similarly, Regulation 8(2) of those Regulations provides that if a licence is revoked or otherwise terminated, the licensee shall forthwith deliver all patient charts in the licensee's hands to the Director-General of Health.&lt;/p&gt;
&lt;p&gt;The Hospital's understanding was therefore that upon termination of its licence it was obliged to return all patient charts and registers to the Ministry of Health. Thus when the Director of Nursing for the Hospital approached the Ministry of Health to advise that the licence was terminating, and asking the Ministry to take the patient records and registers, she did so in compliance with the Regulations governing this circumstance.&lt;/p&gt;
&lt;p&gt;Advice to my office from the Ministry of Health was that the volume of information that the Ministry could potentially be required to retain and store as a result of compliance by hospitals with these Regulations is such that it is unable to receive the information. Accordingly, the Ministry advises these agencies to make provision for the secure storage of the records they hold.&lt;/p&gt;
&lt;p&gt;Upon being advised that it should make alternative arrangements for the secure storage of those registers and records, the Hospital arranged for them to be securely stored with Recall, and for access to those records and registers to be provided to patients and staff through Ascot Hospital. As noted above, some of the records that it had intended to provide for in this manner were left on its former premises and were subsequently located there. They have since been returned to the Ministry, which holds them under the terms of the Hospitals Regulations and the Health (Retention of Health Information) Regulations.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;I have reached the conclusion that at the point that its licence to operate as a hospital terminated the Hospital held these records as the Ministry's agent, and that in terms of Rule 5 of the Health Information Privacy Code, the Hospital took reasonable steps to ensure the security of the records and registers which it held. In reaching this view I have noted that the Hospital had attempted to comply with the relevant Regulations, that when directed to do so by the Ministry it had made appropriate arrangements for the secure storage of the files, and had transferred responsibility for their continuing future secure storage (as well as for providing access to them) to Ascot Hospital, its successor in function. That arrangement was agreed to by the Ministry. Unfortunately, as a result of an oversight, the Hospital failed to secure all of the records it held at the time it closed.&lt;/p&gt;
&lt;p&gt;Although I consider such an oversight to be serious, I am also of the view that it was a one-off failure on its part, and as such it would not appear to be amenable to further security safeguards being enacted. Moreover, because of its one-off nature I am not persuaded that it constitutes a &quot;practice&quot; on the part of the Hospital. I therefore do not consider any further action on my part is necessary.&lt;/p&gt;
&lt;p&gt;I have written to the Ministry regarding the anomaly that appears to exist with respect to responsibility for the storage and handling of patient registers and records from hospitals whose licences terminate or are revoked. The Ministry advises that it is currently reviewing how record retention can best be managed in the circumstances of hospitals such as Rawhiti. This is in parallel to a review of the issue in relation to record retention in public hospitals where facilities close.&lt;/p&gt;
&lt;p&gt;B H Slane&lt;br /&gt;
Privacy Commissioner&lt;/p&gt;</description>
			<pubDate>Sun, 14 May 2006 16:36:05 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./rawhiti-trust-hospital-board-inquiry/</guid>
		</item>
		
		<item>
			<title>Cervical Cancer Inquiry</title>
			<link>http://www.privacy.org.nz./cervical-cancer-inquiry/</link>
			<description>&lt;p&gt;Statement/Submission&lt;br /&gt;
Bruce Slane&lt;br /&gt;
Privacy Commissioner&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Introduction/ background to Privacy Act&lt;/h3&gt;
&lt;p&gt;1. 	On 27 July I was approached on behalf of the Inquiry to assist the Inquiry in relation to research and privacy issues.&lt;/p&gt;
&lt;p&gt;2. 	The Privacy Act was passed in 1993. Its purpose, as set out in the long title, is &quot;to promote and protect individual privacy in general accordance with the Recommendation of the Council of the Organisation for Economic Cooperation and Development Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data…&quot;&lt;/p&gt;
&lt;p&gt;3. 	The way in which the Act seeks to achieve this general aim is by 12 information privacy principles (set out in section 6), which regulate the ways in which &quot;agencies&quot; collect, use, store, disclose, and provide for individuals' access to and correction of, &quot;personal information&quot;. These 12 information privacy principles are based on the guidelines issued by the OECD in 1980.&lt;/p&gt;
&lt;p&gt;4. 	It is important to understand the breadth of coverage of the Act. It applies to all agencies. This term is defined very broadly. With certain specific exceptions, the term applies to &quot;any person or body of persons, whether corporate or unincorporate and whether in the public sector or the private sector.&quot;&lt;/p&gt;
&lt;p&gt;5. 	It is agencies that are required to comply with the information privacy principles in their dealings with personal information. The term encompasses organisations and individuals that one would expect would hold quite sensitive information (such as hospitals and doctors), and those that would not be expected to hold personal information of any special consequence, like dairies and shoemakers.&lt;/p&gt;
&lt;p&gt;6. 	The term &quot;personal information&quot; is equally broad. It means &quot;information about an identifiable individual&quot;. There is no qualitative threshold limiting the application of the term to &quot;private&quot; or &quot;intimate&quot; information. The Act applies to all information about an identifiable individual, whether sensitive or mundane.&lt;/p&gt;
&lt;p&gt;7. 	This breadth of coverage has several features. First, the information privacy principles are written in a way which must apply in all circumstances. They require agencies to apply tests of &quot;reasonableness&quot;. For example, information privacy principle 8 sets out agencies' obligations to ensure that information is accurate and up to date before it is used. That principle says;&lt;/p&gt;
&lt;blockquote&gt;&quot;An agency which holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant and not misleading.&quot;&lt;/blockquote&gt;
&lt;p&gt;&lt;br /&gt;
8. 	The second feature is the way in which liability for breach of the principles is incurred. Section 66 sets out the liability for an &quot;interference with privacy&quot;. In summary, that section requires that in order for an alleged breach of privacy to be actionable under the Act, there must have been a breach of an information privacy principle, and some harm, loss, damage, detriment, or adverse effect on a right or benefit, or some significant humiliation, loss of dignity or injury to feelings of that individual. The exception to this harm requirement is where the complaint relates to a request by an individual for access to or correction of personal information.&lt;/p&gt;
&lt;p&gt;9. 	In other words an agency will not be liable to pay damages for a breach of a collection or disclosure principle which produces no adverse outcome for the individual concerned.&lt;/p&gt;
&lt;p&gt;10. 	The third feature is the way in which the Act is enforced. The principles are not enforceable in a court of law (with the exception of the right of access to information held by a public sector agency). Complaints must be made to the Privacy Commissioner, whose function is to investigate them impartially with an obligation to conciliate, and try and settle complaints. Ultimately, civil proceedings based on a complaint may be determined by the Complaints Review Tribunal which can give a ruling on a case. There is a right of appeal to the High Court.&lt;/p&gt;
&lt;p&gt;11. 	Fourthly, by virtue of section 7 of the Act, neither the Act nor the Code overrides other enactments which authorise, require or prohibit particular information collections or disclosures. For example, the information privacy principles in the Act and the rules in the Code do not derogate from such provisions in section 74A of the Health Act, the Cancer Registry Act, or section 4C of the Commissions of Inquiry Act to the extent they constitute legal authority for certain actions.&lt;/p&gt;
&lt;p&gt;12. 	A fifth consequence is the ability of the Privacy Commissioner to issue codes of practice, which can tailor the application of the information privacy principles to particular industries or sectors. The first such Code of Practice I issued was the Health Information Privacy Code (Temporary) 1993 (&quot;the Code&quot;). Compliance with the rules of the Code is deemed compliance with the information privacy principles.&lt;/p&gt;
&lt;p&gt;13. 	In addition to codes of practice, the Privacy Commissioner is able to authorise certain actions that would otherwise be in breach of the principles under section 54 of the Act. Collection, use or disclosure in accordance with an authority granted under section 54 is a stated exception to Rules 2, 10 and 11.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Health Information Privacy Code&lt;/h3&gt;
&lt;p&gt;14. 	The code substitutes the Health Information Privacy Rules for the information privacy principles. I issued the forerunner to the code in 1993 (Health Information Privacy Code (Temporary) 1993) as a temporary code to coincide with the health reforms of that year. I issued the present code one year later, and have reviewed the code and reissued it this year. In the meantime there have been amendments. The process of development and issuance of the Code was inclusive. I publicly notified the intention to issue a code and sought submissions, circulated discussion papers and held publicly advertised workshops around the country. Ethics committees and researchers were included in the consultative process. The document that resulted amended the information privacy principles in several important ways that are of relevance to this inquiry.&lt;/p&gt;
&lt;p&gt;15. 	Three of the information privacy principles and Health Information Privacy Rules may be of particular interest to this Inquiry.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt; Rule 2 says that health information should generally be collected directly from the person concerned.&lt;/li&gt;
&lt;li&gt; Rule 3 requires openness in the collection of health information.&lt;/li&gt;
&lt;li&gt; Rule 11 places some restrictions on the disclosure of health information.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;br /&gt;
16. 	It is an exception to Rule 2 requiring collection of health information directly from the person concerned if the health agency believes, on reasonable grounds…&lt;br /&gt;
  	(2)(g) 	that the information:&lt;br /&gt;
  	  	(i) 	will not be used in a form in which the individual concerned is identified;&lt;br /&gt;
  	  	(ii) 	will be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or&lt;br /&gt;
  	  	(iii) 	will be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the individual concerned…&lt;/p&gt;
&lt;p&gt;17. 	Rule 3 requires a health agency to take such steps as are, in the circumstances, reasonable to ensure that the individual concerned or the representative is aware of the collection and the purposes for which it is being collected, the intended recipients and the consequences (if any) of failing to do so. Compliance with these and other requirements of the Rule has the incidental benefit of permitting such uses and disclosures as are anticipated. There are some exceptions to this Rule.&lt;/p&gt;
&lt;p&gt;18. 	There are exceptions to Rule 11 restricting disclosure of health information where the health agency believes, on reasonable grounds that obtaining the authorisation of the individual concerned is not reasonable or practicable and that…&lt;br /&gt;
  	(2)(a) 	the disclosure of the information is directly related to one of the purposes in connection with which the information was obtained; or&lt;br /&gt;
  	(c) 	that the information:&lt;br /&gt;
  	  	(i) 	is to be used in a form in which the individual concerned is not identified;&lt;br /&gt;
  	  	(ii) 	is to be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or&lt;br /&gt;
  	  	(iii) 	is to be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form which could reasonably be expected to identify the individual concerned…&lt;br /&gt;
  	(h) 	that the disclosure of the information:&lt;br /&gt;
  	  	(i) 	is required for the purpose of a professionally recognised accreditation of a health or disability service;&lt;br /&gt;
  	  	(ii) 	is required for a professionally recognized external quality assurance programme;&lt;br /&gt;
  	  	(iii) 	is required for risk management assessment and the disclosure is solely to a person engaged by an agency for the purpose of assessing the agency's risk;&lt;br /&gt;
  	  	and the information will not be published in a form which could reasonably be expected to identify any individual nor disclosed by the accreditation or quality assurance or risk management organisation to third parties except as required by law…&lt;/p&gt;
&lt;p&gt;19. 	Some of these exceptions were included in the code to take into account particular information needs of the health sector and of health research. In incorporating them into the Code, I have reflected nothing more onerous than the ethical and professional standards for these activities. By this I mean that it is not for me to impose my view about when a research project will require ethics committee approval, or which quality assurance programmes should be able to avail themselves of the relevant exception. Those are matters for the professions and research bodies themselves to determine. I was concerned to build in sufficient flexibility to enable the Code to take into account commonly accepted good practice within the sector and professions. In effect, these exceptions permit a degree of self regulation.&lt;/p&gt;
&lt;p&gt;20. 	I am not able to offer any further detailed guidance to the Inquiry as to how I have interpreted these provisions, because I would only do so in the context of investigating a complaint. In the short time I have had to prepare these submissions I have not been able to locate any cases where I have made a finding that a research or quality assurance activity has resulted in an interference with the privacy of an individual. I can only speculate as to the reasons that these sections have not come up as issues during any complaint investigation, but these may include that no individual has felt that their privacy has been interfered with by any research or quality assurance programme, and that the exceptions have therefore been applied correctly. Conceivably this might occur because there has been a degree of caution, based on risk averse advice tendered by the advisers to institutions, researchers, or ethics committees, on compliance with the Code. It does however seem likely that the emphasis on patient autonomy and informed consent following the Cartwright Inquiry has led to the strong emphasis on consent in the approach of Ethics Committees. The Health Research Guidelines are an example.&lt;/p&gt;
&lt;p&gt;21. 	Research published recently by Charlotte Paul, Associate Professor, Department of Preventive and Social Medicine, University of Otago would tend to suggest the former view is the more accurate. Her article (New Zealand Medical Journal 9 June 2000 p 210) records the findings of a study into health researchers' views of ethics committee functioning in New Zealand. She found that researchers &quot;appeared largely satisfied with the code and its interpretation by ethics committees - except for two people.&quot; The article concluded that &quot;the positive aspects of ethics committee functioning should be recognised, especially … the handling of the Health Information Privacy Code&quot;.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;Ethics Committees&lt;/h3&gt;
&lt;p&gt;22. 	There is likely to be an area of overlap between the Code and matters that are properly the concern of ethics committees. That is to say, there will be occasions when the implications of a particular research proposal have a privacy dimension that the ethics committee will want to consider very closely. However that is not the same as saying that the Privacy Act or Code should be interpreted as directing ethics committees' deliberations.&lt;/p&gt;
&lt;p&gt;23. 	Obtaining ethics committee approval for research is not required by the Code if one of the other provisions allows the intended collection, use or disclosure. If, for instance, a particular disclosure was one of the purposes for which the information was obtained, Rule 11(1)(c) would apply. If it was either not desirable or practicable to obtain authorisation and the disclosure was directly related to one of the purposes for which it was obtained or if it was required for a professionally recognized external quality assurance programme (Rule 11(2)(h)) then no ethics approval is required by the Code. The researcher may, however, feel obliged to seek such approval.&lt;/p&gt;
&lt;p&gt;24. 	I would expect that in approving or declining any given proposal, an ethics committee might have regard to the Health Research Council Guidelines on Ethics in Health Research. The guidelines were prepared by Charlotte Paul, Associate Professor of Epidemiology, Department of Preventive and Social Medicine, University of Otago; Grant Liddell, Senior Lecturer, Faculty of Law, University of Otago; and Peter Skegg, Professor of Law, University of Otago. (refer www.hrc.govt.nz/ethguid9 and Human Rights Law and Practice vol 1 no 4 p 196). Those guidelines explain the provisions of the Code, and set out &quot;Recommended good practice&quot;. One such recommendation is that:&lt;br /&gt;
  	  	&quot;in general health information should not be disclosed without the authorisation of the individual concerned. It may not always be desirable or practicable to obtain individual consent in which case the safeguards set out below are particularly important. The overriding consideration should always be that no harm or distress will ensue for the individual or for the family, and that professional relations (for example doctor-patient) will not be impaired in any way. The &quot;safeguards&quot; referred to include consideration by an accredited ethics committee, consultation with Kaitiaki Committees and strict procedures regarding the maintenance of confidentiality.&quot;&lt;br /&gt;
  	&lt;br /&gt;
These guidelines go further than the Health Information Privacy Code requires. I understand prior evidence to this Inquiry indicates that committees may have been stricter than the guidelines suggest.&lt;/p&gt;
&lt;p&gt;25. 	It seems to me that there is considerable latitude in the Code for the use of health information for research, audit, or quality assurance activities. I note that Professor David Skegg did not express any dissatisfaction with the terms of the Health Information Privacy Code.&lt;/p&gt;
&lt;p&gt;26. 	My office frequently gives advice as to how the code operates, although I cannot give rulings in advance. To do so might prejudice my ability to investigate a complaint in an impartial way, without predetermination. If a researcher approached my office for advice, I would point to the provisions of the Code and invite the person to consider whether their proposal required an ethical approval, and if so, to make an application. I do not have a detailed understanding of how the ethics committees go about their considerations, but I would imagine that they would assess the application against the guidelines, and that any approval would contain an implicit or explicit condition that the researcher complied with all legal obligations (including the Code) in carrying out their research.&lt;/p&gt;
&lt;p&gt;27. 	Where the proposal involves the trial of a drug or participants undergoing some medical procedure, the ethics committee would no doubt require participants' &quot;informed consent&quot; as a condition of its approval.&lt;/p&gt;
&lt;p&gt;28. 	In my experience there has been a tendency among some health professionals to confuse, and to regard as equivalent, the concepts of &quot;informed consent&quot; and privacy because of the provisions in the Privacy Act about individual authorisation to carry out some action. From what I have seen or know of the matters raised with the Inquiry, concern has been expressed about the requirement for informed consent from the individual subjects. This would seem to derive from the concept of informed consent rather than the need to protect individual information privacy, although the effect might be to protect privacy somewhat more than is provided in the Code.&lt;br /&gt;
&lt;/p&gt;
&lt;h3&gt;General comments&lt;/h3&gt;
&lt;p&gt;29. 	The concept of confidentiality of medical information is a venerable one. Underpinning the concept is the need to protect the special relationship between doctor and patient. However the concept of confidentiality is not and has never been regarded as absolute. Certain other information flows are required in order to best serve the patient, and in some cases, society as a whole.&lt;/p&gt;
&lt;p&gt;30. 	Professor Skegg in his evidence noted that the concepts of privacy and confidentiality are not identical. Privacy interests as expressed in the Privacy Act are concerned not just with maintaining confidentiality, but with openness as to the purposes of collection of information, and the expectations to which individuals are entitled in respect of information transactions affecting them.&lt;/p&gt;
&lt;p&gt;31. 	There is a risk in establishing health information databases, or inviting public participation in public health programmes without forethought as to the subsequent information needs of the project. Instead, public participation may be enlisted on the basis of absolute promises of confidentiality. These undertakings might have been seen as critical in terms of ensuring public trust in the project, but may ultimately be counterproductive if they prove to limit the use to which the information obtained can be used to such an extent as to limit the integrity of the project. There will be a temptation later to want to cast aside the promises for undoubtedly good purposes. Enthusiasm for the clear benefits of good research may lead to overriding the wishes of some patients to the detriment of confidence in health databases and thus jeopardise future research and treatment. On the other hand reasonable advance statements about intended quality assurance programmes, audits or research to benefit the project and thus its participants may well also build confidence.&lt;/p&gt;
&lt;p&gt;32. 	The emphasis in the Privacy Act is on openness and transparency when information is collected. If, when a database is established, all the purposes for collecting the health information are certain and made clear to participants, there are likely to be no surprises due to a subsequent failure to meet legitimate expectations of participants. Hence the importance of compliance with Rule 3. It may be that this openness has ultimately an effect which underscores the confidentiality interest in the Hippocratic Oath, in that it enhances the relationship between practitioner and patient, and improves the trust and confidence that exists between them.&lt;/p&gt;
&lt;p&gt;33. 	Information privacy is never a value which in our society may be maintained without regard to competing social interests. The balance is not always easy but perhaps the most difficult is to respect what others consider as important to their privacy when we do not share their concern or when we feel the overwhelming public good should cause them to concede some of that privacy. In respect of health information research I do not consider there is a natural dissonance between the objectives of research and the interests of patients, including privacy.&lt;/p&gt;
&lt;p&gt;B H Slane, CBE LL.B&lt;br /&gt;
Privacy Commissioner&lt;/p&gt;
&lt;p&gt;1 August 2000&lt;/p&gt;</description>
			<pubDate>Fri, 12 May 2006 13:53:07 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz./cervical-cancer-inquiry/</guid>
		</item>
		

	</channel>
</rss>