Primary Health Networks (PHNs) are legally accountable for the controlled management and use of data through legislative and policy obligations.
These obligations are acted upon by PHNs through:
compliance with Australian privacy legislation, including the Australian Privacy Principles, and with the terms and conditions of Data Sharing Agreements held with general practices
using de-identified general practice data for approved purposes only, e.g., PIP QI, and utilisation of the best tools and technologies available to avoid the possibility of data re-identification
securely storing the shared data received from the general practices
disclosing any data breaches in accordance with the requirements of the Office of the Australian Information Commission (OAIC)
never seeking to re-identify anonymous patient data, sell or seek any commercial benefit from general practice patient and practice data
never sharing patient data outside of the terms of Data Sharing Agreements held with general practices
establishing and maintaining safeguards against the misuse, damage, or disclosure of the shared data in its possession or control that comply with all legislation.
Together the PHNs’ National Data Governance Framework and the Data Sharing Agreements provide stakeholders with the assurance that patients’ and practitioners’ privacy is protected.
The National Data Governance Framework
The National Data Governance Framework was developed by the PHN Cooperative’s National Data Governance Committee and applies to all PHNs nationally.
For those PHNS participating in Primary Health Insights, it is implemented through the structures, technologies, processes and procedures used on the platform. All PHNs are subject to a governance audit before onboarding.
PHNs’ approach to data governance may be described as:
The Framework features:
1. Risk identification
A risks register is maintained by the National Data Governance Committee, identifying risks that may impact on the lifecycle of data within the primary health sector.
2. National and local data management responsibilities
The appointment of a Primary Health Insights Data Governance Manager and nominated PHN data stewards, custodians and sponsors provides a robust management structure and accountabilities for governance.
3. Comprehensive policy statements
Expressed as “must do” or “must have” statements, policies range from what to do when data is created and how data can be shared, through to how to strive for better data quality, management of data security and privacy and data ethics.
4. Processes and procedures
Detailed processes and procedures provide operational guidance on the implementation of policies and support consistency of performance among PHNs. The key Data Set Privacy Impact Assessment is mandated for every new data set uploaded to Primary Health Insights. Based on OAIC guidelines, this toolset:
provides a decision making framework for de-identification of datasets
determines if data can be shared and under what circumstances
supports PHNs in identifying any risk of re-identification
formalises the procedure for the event of a data breach.
5. Tools and technologies
Tools and technologies assist in the management of good data governance.
6. Governance controls
Governance controls establish measures for monitoring data governance performance within all PHNs. Incorporation of data governance into PHNs ongoing internal audit process is required to ensure ongoing monitoring of data governance compliance.
The PHNs National Data Framework Policy is available here.
Data Sharing Agreements
PHNs hold Data Sharing Agreements with many of the general practices within their regions. These Agreements vary between PHNs and any PHN may hold a number of different Agreements within their region, however there are important factors common to all.
The key factors are:
Protecting privacy
Patient data is de-identified and does not contain specific patient and clinician names, Medicare numbers or other identifying data. PHNs do not seek to re-identify data.
Both general practices and PHNs agree to treat personal or sensitive information, as defined by the Privacy Act 1988 (Cth) including the Australian Privacy Principles, in accordance with all applicable privacy legislation.
Use of data to benefit health service provision
PHNs will only use data for permitted purposes including making insight driven decisions to support the provision of health services in the right place at the right time, health planning and assessment needs, quality improvement at general practices, reporting trends and insights to practices and improving health strategy and policies.
PHNs do not use data to accredit, certify or publicly evaluate general practices. Data cannot be used for any commercial purpose or supplied for any commercial purpose.
Use of data to improve health outcomes
De-identified data may be shared by PHNs, and disclosed to third parties, for the purposes of statistical reporting, population health planning, development and enhancement of community health promotion and prevention strategies, to aid in comparisons with health trends, research (in accordance with required ethics approvals) and commissioning services in line with Australian Government Department of Health’s Commissioning Framework.
PHNs also manage data sharing for national reporting or research purposes in line with existing agreements, rules and policies.
Patient consent
It is the responsibility of general practices to obtain and manage patients’ consent for their de-identified data to be shared beyond the practice information system.
Protecting the security and integrity of the data
PHNs are responsible for maintaining safeguards against the misuse, damage or disclosure of data, secure storage, notification of unauthorised disclosure and compliance with the relevant data governance framework.