3 December 2015

Anonymous GP data can be cracked: warning

Informatics Medicolegal


The Privacy Commissioner has sounded a warning shot that companies dealing in “anonymous” prescribing data may nevertheless be revealing doctors’ and patients’ identities.

Commissioner Timothy Pilgrim has acknowledged that sophisticated technology is now capable of re-identifying anonymous data, by means such as cross-referencing anonymous data with other data sets.

Previously, trading in de-identified data was thought to be relatively safe, as it was not covered by the Privacy Act so could not attract financial penalties.

But the new stance has the potential to disrupt the market for patient and prescription data, with the Commissioner signalling there may be future crackdowns on companies that do not protect against re-identification.

“The face of privacy, personal information, and data protection is changing,” Mr Pilgrim told a privacy conference in Melbourne late last month.

“Data sets of ‘anonymous data’ are fast becoming identifiable. And personal information is not just that which does identify you, but that which may.”

The uncertainty now is how much de-identification is required to protect privacy – an issue that has already unsettled large industry players.

Practice software company MedicalDirector confirmed last week that it was seeking updated legal advice on how it treated GPs’ data, such as for research purposes.

“We’re currently investigating and reviewing those comments. I do think there are repercussions into the health area,” chief executive Phil Offer said.

An industry source, who had bought prescribing data from GPs in the past to supply to pharmaceutical companies, said restricting the trade of de-identified data trade would also impact legitimate medical research.

“This isn’t for flogging a can of baked beans for Woolworths, this is valuable information.”

He also said re-identifying data had always been possible, but that it had required a “phenomenal” amount of effort.

That would not be worthwhile to uncover patients’ identities, where the value was in big-picture trends, the source said.

But he admitted matching doctors’ identities to prescribing data was commercially valuable.

The commissioner has a history of going after companies that sell prescription data that is clearly linked to doctors’ identities.

In 2013, Mr Pilgrim warned IMS Health that its plan to buy doctors’ personalised prescribing data from pharmacies would breach the Privacy Act.

IMS Health’s plan to buy the data and sell it on – unless doctors opted out of the scheme – sparked a fierce backlash from the profession.

An increased burden on GPs

GPs should be “extremely” careful when supplying de-identified data, medical defence organisations warn.

MDA National medicolegal manager Dr Sara Bird said GPs had always needed to be “extremely careful”, but the burden was now even greater.

This was especially so given the commissioner had also stepped up efforts recently to investigate privacy breaches, she said.

“The reputational and financial risks are significant if there is any breach of privacy,” she said.

But the complexity came when deciding how much information to remove to sufficiently de-identify the data, Dr Bird said.

She recommended GPs seek professional advice, because seemingly bare information might still be re-identified.

“There may be another dataset, or other information could be matched with the de-identified information to make it re-identifiable,” she said.

“De-identification is complex and much more than just removing the patient’s name, date of birth and contact details.”

It was hard to tell how widespread the trade was in general practice. MDA National had not recently received any requests for advice, but Avant confirmed some of its GP members supplied de-identified data for research purposes.

“The Privacy Commissioner is pointing to a potentially new issue, which we think will need careful consideration,” Head of Advocacy Georgie Haysom said.