Key developments
- National Health (Privacy) Rules 2018 review
- Injury insurance arrangements for food delivery riders in the gig economy
- Building Business Back Better – proposed changes to state environmental planning policy codes
- Stage 2 review of the Model Defamation Provisions
- Varying development standards
- Draft guidance for ASIC breach reporting
- Education Legislation Amendment (Parental Rights) Bill 2020 – response to questions on notice
National Health (Privacy) Rules 2018 review
The Privacy and Data Law Committee contributed to a submission to the Office of the Australian Information Commissioner (‘OAIC’) on its review of the National Health (Privacy) Rules 2018 (‘the Rules’).
The submission responded to various questions posed in the OAIC’s consultation paper as part of the review. Primarily, the submission focused on recommendations to ensure that the Rules remain prescriptive, and clearly define how Medicare Benefits Schedule (‘MBS’) and Pharmaceutical Benefits Schedule (‘PBS’) claims information should be collected, handled and stored by all agencies with access to that data.
The submission noted that the Law Society recognises the benefits of appropriately controlled and safeguarded use and sharing of data, particularly where such use and sharing enables the better delivery of government services and benefits to citizens. However, initiatives that rely on the provision and use of data largely depend on high levels of citizen trust that governments will ensure that uses of data about them are fair, proportionate and consistent with expectations about how that data will be used and shared. This is particularly relevant in the context of the limited role that an affected individual’s consent can play in relation to the collection, use and sharing by governments of data about them.
We noted that there are currently deficiencies in the existing combination of data privacy laws and administrative law remedies, both in NSW and Commonwealth legislation, in relation to potential outcomes enabled by data outputs from data sharing. Many forms of data sharing (such as through data linkage of disparate data sets using a pseudonymised transactor key) are not closely regulated by data privacy law, yet may still enable the creation of outputs that can be used to impose individuated (differentiated) outcomes upon individuals or small cohorts of individuals. That outcome might be the denial of an offer of a service, a different price for a service, withdrawal of a service, a demand for payment or reimbursement, or an investigation or enforcement action.