Privacy Law and Policy Reporter
Implementing privacy laws in the Australian Red Cross Blood Service
Ping-Yee Wong AUSTRALIAN RED CROSS BLOOD SERVICE
How do complex organisations adjust to new privacy laws? This case study looks at how one Australia-wide organisation has dealt with a new regulatory environment — General Editor.
The Federal Privacy Act 1988 (the Act) was enacted to cover privacy issues in the public sector. The Australian Red Cross Blood Service (ARCBS), being a non-government organisation, was not required to comply with the Act. In December 2000, the Privacy Amendment (Private Sector) Act 2000 (Cth) (the Amendment) extended its application to most private sector organisations. Most businesses were given 12 months to comply, while small business operators (with annual turnovers of less than $3 million) were given 24 months to comply.
In April 2001, the ARCBS put a team together to work out the logistics of complying with the new legislation. What follows are details of the preparations, discussions and changes made to ensure that the organisation was compliant with the law by the deadline.
Australian Red Cross Blood Service
The Australian Red Cross has been responsible for blood collection from volunteer donors for the benefit of patients since 1929. In 1996, a national body called the ARCBS was formed to combine the services offered by eight semi-autonomous State based blood banks. Headquartered in Melbourne, the ARCBS employs 2000 staff supported by 2500 volunteers, and has an annual operating budget of about $200 million, largely derived from State and Federal governments and administered through the National Blood Authority.
ARCBS response to the new legislation
In the second half of 2000, a number of workshops on the new privacy law were organised and the ARCBS sent representatives to these workshops. Queries were raised with the Attorney-General’s office and a reply was obtained from its information law branch that the ARCBS was considered part of the private sector and therefore was not given any exemption from the Bill.
A working party was formed in April 2001 to facilitate implementation of the Act throughout the organisation. Membership of the working party was drawn from all State and Territory branches and represented key functional areas such as risk management, medical, nursing, human resources, laboratories, information services, quality assurance, public affairs, and processing/distribution.
Elements of the Privacy Amendment (Private Sector) Act 2000
The Amendment received royal assent on 20 December 2000 and the ARCBS had to comply fully with it from 21 December 2001. The Act is administered through 10 National Privacy Principles (NPPs) which are very similar to the Information Privacy Principles (IPPs) for government organisations.
In essence, the law requires that we must:
(1) collect personal information by fair, lawful and non-intrusive means;
(2) use and disclose the information collected only for a defined primary purpose of collection, otherwise we must obtain consent to use or disclose it;
(3) ensure that the information so collected is accurate, complete and up to date;
(4) ensure that the information so collected is kept completely secure;
(6) provide an individual access to their own personal information and correct it on request;
(7) not use a government identifier such as the tax file number;
(8) allow individuals the choice of anonymity if it is lawful and practical;
(9) not transfer information to a foreign country unless that country has the same privacy standards as our NPPs; and
(10) not collect sensitive information unless consent is obtained.
The working party began by collecting publicly available information. Apart from attending information forums organised by the Privacy Commissioner’s Office, we made full use of some guidance documents released progressively by the Office.
• Guidelines to the National Privacy Principles: in September 2001, formal guidelines were produced to assist organisations in interpreting the Privacy Act.
• Guidelines on Privacy Code Development: in the same month, a document was introduced to provide guidance to private organisations on developing their own privacy codes and forwarding them to the Privacy Commissioner for approval.
• Guidelines on Privacy in the Private Health Sector: in October 2001, a third guideline was produced to allay concerns that health information was not adequately addressed in the NPPs.
• Guidelines under s 95 of the Privacy Act 1988: in conjunction with the National Health and Medical Research Council (NHMRC), the guidelines on research were revised by the Privacy Commissioner’s Office in March 2000.
• Information sheets: the Privacy Commissioner’s Office also produced a number of publicly available information sheets on individual privacy topics. Up to December 2001, a total of 14 sheets were produced. By mid-2003, there were 18.
Members of the working party studied the documents and assessed their implications for the ARCBS. We joined the Privacy Connections Network, an email network organised by the Privacy Commissioner to disseminate the latest information. We elected not to develop our own privacy code but to use the NPPs as our blueprint.
The first task the working party undertook was to conduct a privacy audit. A questionnaire was designed with questions relating to the main issues in the new law such as how departments collect, use, secure, or allow access to personal information on blood donors. It was administered through representatives on the working party with help from key people in each jurisdiction.
Through this process a number of issues were identified. Most were minor and could be addressed through the guidelines and information sheets issued by the Privacy Commissioner’s office. It was pleasing to note that the ARCBS had a culture of respecting the privacy of its blood donors, and indeed a lot of personal information obtained from donors was extremely sensitive in nature. The ARCBS had always resisted attempts from third parties to access any blood donor information.
A few more important issues were identified and resolved as follows.
Privacy statement on information collection forms
A generic statement was designed by the working party to inform blood donors why we were collecting personal information from them. The statement was modified according to the situation, but by the end of December 2001 all forms on which we collect information from blood donors had a clear statement on the reason for collection.
In addition, advice was obtained from our legal counsel to add a statement on the blood donor questionnaire to ensure that consent was obtained from the donor to use the health information we collect from them. We were also advised to insert a standard privacy statement on all outgoing emails from ARCBS computer terminals.
Development of security policy
A new security policy was developed by information services to ensure that unique user identity and passwords were always used when staff logged on to their computer terminals. Various levels of security access were designed to limit access to information to only those who needed to know. Firewalls were installed in relevant pieces of equipment to guard against unauthorised access and/or computer hacking.
Physical security, such as who had the authority or ability to access donor personal information in hardcopy or electronic form, was also reviewed and no deficiency was found.
Appointment of privacy officers
Following the Privacy Commissioner’s recommendations, a privacy officer was appointed in each of the major business units to deal with blood donor privacy enquiries, handle requests for access to their personal information, and collect and report on statistics on donor privacy complaints.
Donor access to personal information
The ARCBS is not subject to freedom of information laws. With the introduction of the Privacy Act, a new procedure to allow blood donors to access their own information was introduced. It consists of a national standard procedure and an information request form. Blood donors are asked to fill in the request form and the ARCBS undertook to provide the information within 14 days.
Communications with blood donors
A training package was prepared to inform all staff of the new legislation and the new procedures put in place. The package contained a self-assessment tool which staff were asked to complete. Managers and workplace trainers in charge of each area were requested to ensure that staff in their area had completed the assessment and were satisfied with the outcome.
Effect of other legislation
Being a national organisation, the ARCBS was affected by a number of State based laws which caused some challenges in implementing the Federal Privacy Act. In particular, see the following.
• Australian Capital Territory: the Health Records Act 1997 (ACT) did not give exemption to employee records. The human resources department in the ACT was asked to take note of this discrepancy when managing its staff there. Their Act also did not allow disclosure to third parties without consent unless the disclosure was for an individual’s benefit. For this reason we added an additional statement on the donor questionnaire as part of the consenting process to giving blood.
• Victoria: the Health Records Act 2001 (Vic) similarly treated employee records as any other record, and did not give the exemption found in the Federal Act. The local human resources department was notified of this difference. In addition, it was noted that the local Act placed special restrictions on the transfer of personal information outside Victoria. It was debated whether these restrictions were constitutional, but to date no final determination has been made.
• New South Wales: the Health Records Act 2002 (NSW) is similar to the ACT law. As implementation was already completed in the ARCBS by the time this local Act was enacted, and as far as we could tell there was no substantial impact on our organisation beyond what was already in place, we did not reactivate the implementation team.
Each State based Act had subtle differences in how health information was to be handled compared to the Federal Privacy Act. This made the process of implementing the Federal Act in a national organisation such as ours more difficult. Towards the end of 2002, a National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council (AHMAC) developed a paper titled National Health Privacy Code (Draft) Consultation Paper, which set out a national approach to this issue; hopefully the confusion will be resolved when the new Code is finally introduced.
Learning from the process
In a short space of eight months, the ARCBS completed the complicated task of implementing a new law in the organisation. This was due to the dedication of a group of experienced individuals in the organisation. We believe we had some inherent strengths which enabled us to finish the job in such a short time, but we found some challenges too.
We had senior management support right from the start. We believe that the support of senior executives, who appointed the members of the group and provided encouragement and funding throughout the process, was vital to its success. We were fortunate in that the organisation had always had a culture of confidentiality regarding information provided by our donors. The willingness of staff to contribute to organisational goals was pleasing too. The presence of a workplace training system enabled us to roll out the staff training package with a minimum of fuss. And finally, the existence of a risk management system, which continued the work of monitoring privacy issues and complaints after the working party completed its work, was also vital.
Apart from the short time span, the interpretation of the legislation was a challenge. Fortunately, the explanatory material produced by the Privacy Commissioner’s Office was very helpful. But we did have to turn to our legal advisers from time to time. One particular difficulty was with some differences between State based legislation on the handling of health information compared to the federal Act, and we had to ask for legal advice to resolve the issue.
After completion of implementation, the privacy officers continued their work in monitoring requests for personal information and complaints from blood donors. To date complaints have been few and have been managed effectively and efficiently. No complaint has been referred to the Privacy Commissioner.
Privacy officers attended annual privacy training sessions as part of the ARCBS risk management forum. Procedures were being put in place to ensure that all new employees were given instructions on the Federal privacy law.
The ARCBS successfully implemented the Federal Privacy Act within an eight month period with the help of a working party and legal advice. All our blood donors were informed and all staff were trained. This was an example of great teamwork within the organisation. The adoption of an open and honest approach to privacy will hopefully improve the confidence our donors have in us.
Dr Ping-Yee Wong is Senior Medical Officer, Australian Red Cross Blood Service, PO Box 354, South Melbourne, 3205.