The Department of Health recently announced that Telstra had won a A$220 million contract to manage the register for the National Bowel Cancer and Cervical Screening Programs.
Telstra Health – the company’s health arm – will aggregate and manage data currently held by various state registries into one national database. There is potential that other cancer screening registries, such as breast screening, might also be contracted to Telstra Health in the future.
The registries not only contain personally identifying information, such as names and addresses, but also the results of pap smears that allow inferences about a person’s sexual status.
When Telstra Health’s venture into the market place was first foreshadowed in late October 2014, commentators highlighted potential issues around the privacy of Australians’ personal information. So it was no surprise that this first Australian outsourcing provoked consumer advocates to highlight similar concerns.
Why outsource?
In 1993, two American management gurus, David Osborne and Ted Gaebler, proposed a magic pudding recipe for what they termed as Reinventing Government. In their model, government could set its objectives and use market-based approaches – including contracting out functions to private companies – to provide services to achieve them.
More than 20 years later, the waters of government contracting out are lapping at the gates of Medicare. The 2014 federal budget proposed outsourcing, or “market testing”, the processing of Medicare payments. And while we wait, the Telstra contract has become the first such outsourcing in Australia.
Private registry operators have been established in the United States for a number of years and have won contracts to run cancer registries in some states. So far, no data security breaches have been reported in these. But this doesn’t stop Australian health experts from worrying.
Privacy concerns
The Department of Health has taken the unusual step of issuing a media release in the middle of an election campaign to assuage concerns. It confirmed that Commonwealth privacy legislation will apply to the cancer registry data managed by Telstra Health and that “any misuse of data could be an offence under the Criminal Code”.
Although that language sounds strong, criminal prosecutions usually require proof of malicious intent, recklessness or negligence – a high standard that isn’t always likely to be obtained.
What is more likely is that well-meaning staff might not be scrupulous in rejecting data requests from those who, on first glance, appear to have a legitimate reason for knowing personal details. They might, for instance, release an address to a police officer hunting for a missing person who sought the information without a warrant. Or they might release data by mistake.