This article was first published in the Privacy Law Bulletin Volume 18 No 3.

Digital transformation of healthcare is supposed to be the big positive outcome of the COVID-19 pandemic. Yet despite Australia’s relatively formidableThis article was originally written in March 2021 before the outbreak of the Delta variant. COVID-19 response, our public sector has had few ground-breaking digital health initiatives. While telehealth was clearly a valuable response, the use of a video or telephone call between doctor and patient is at the lower end of the scale of digital technology.

In contrast over in the commercial space, thanks to our smartphones, tablets and (even) watches, the quality, reliability and accessibility of our own personal digital health data have never been so outstanding.

Data will self-evidently be at the core of any transformative digital health applications. Why do governments face systemic problems with digital health data compared to the global tech providers? As we have a mixed private sector-public sector health delivery model in Australia, what will health data management look like in the future? And what does this mean for lawyers advising clients in this area?

Key takeaways for lawyers

  1. Data and privacy issues are becoming increasingly critical in healthcare. COVID-19 and the rapid adoption of novel health technologies have only amplified this. Understanding privacy regulation both at a federal and individual state and territory levels will be essential when advising on health data matters.
  2. Robust regulatory frameworks are important to ensure that personal information is protected, while still enabling the patient to benefit from their data’s use. In the health sector, legal frameworks for managing data security also need to acknowledge the often time-critical nature of what clinicians and their patients are dealing with.
  3. Centralised health data collection and storage models, such as My Health Record, have failed to overcome public disquiet and distrust, especially around data collected by government. With the variety and range of organisations within Australia’s health sector, a centralised model is also complex and clunky to build and implement uniformly. We are more likely to see a “federated” world in which data is exchanged between different organisations and data providers, with a combination of Application Programming Interfaces (APIs) and data standards facilitating data exchange. This more decentralised model may help overcome public concern by giving patients a higher level of control over their data.
  4. However, the ability to draw connections across different datasets within and outside organisations remains a challenge for many health institutions and between private and public sector health organisations. Yet this kind of data sharing is exactly what can most help Australia’s healthcare sector thrive. Legal advice that addresses the privacy compliance issues in 1 and the framework challenges in 2 and 3, while still facilitating data sharing, will be the most valuable assistance lawyers can give to these organisations.

What is digital health data?

Historically, “health data” was limited in nature to the information manually collected during private interactions with medical professionals. Its use was confined to the institution’s four walls, meaning that access to data by another individual or institution was complicated.

Technology, of course, has allowed us to easily collect, store and share data. Digital health apps capture data in real-time in innovative ways: think AI, robotics, nanotech and “always on” devices.

And it’s not just about the data collected from an individual. Data can be mass aggregated about countless people, AI can analyse it to find trends we could never see, and health services can be provided based on comparing patient data from AI’s learnings across states, if not countries.

Digital health data = better healthcare

The benefits of a rich, readily available pool of digital health data are easily seen as follows:

While the opportunities facilitated by digital health are promising, as the Health Informatics Society Australia cautions, “digital health is not how we do health”, but “what we do … with regard to health”.

Governments and data: a socially distant relationship

A government’s collection and use of its citizens’ data and privacy concerns are seemingly always at loggerheads. A criticism of the My Health Record is that, while the data was being harvested from patients, the My Health Record system appears more suited to supply data for government agencies and researchers than it is suited to healthcare.

Enter the COVIDSafe App; the sunscreen for COVID-19.

In theory, the App was the government’s golden ticket to conquering COVID-19. Once downloaded to a smartphone it would run in the background, silently identifying whether users were within close contact of a positive case. Clusters would be seamlessly identified, individuals would be notified, and community spreading would be avoided.

However the App received considerable community backlash over its clunky technology and scepticism about its effectiveness when measured against the mildly irritable admin of running it every time the user left the house. The results? Data recorded in August 2020 found a locked iPhone only detected another locked iPhone at most 50% of the time.

Even more problematic was the general scepticism about how the government would use the data, fuelled by lack of transparency around that use. For example the government has refused to release information in response to freedom of information requests about how many of the initial 7 million users continue to use the App. Concerningly, it has been alleged that one or more Australian intelligence agencies have “incidentally” collected data relating to the App, albeit within the scope of the Privacy Act 1988 (Cth).

But I use my Apple Watch to record the same data … ?

Apple Health allows users to monitor their own health through data collection and digital connectivity. Through partnership apps, users can record anything from their daily step counter and blood oxygen levels to the exact time it takes to run a kilometre on a given route.

Big, foreign corporations collecting this data have the capacity to exploit your information by selling it to other big, foreign corporations for profit. Yet, we voluntarily supply this information. Over and over again.

This begs the question, 

why are we more inclined to give our data to private tech companies (and global ones at that) than our very own government?

It all comes down to trust …

Our data relationship with government is built around compliance and consequences. Governments collect data to ensure we are not overclaiming social security or underpaying taxes. We give the information grudgingly and we don’t see much return value, at least to us at an individual level.

Our relationship with a tech provider is more transactional. We understand that the corporation’s utilisation of our data is to make a profit — unlike the government’s use of data being for a public benefit. But what’s important is the individual transactional character of us giving over the data. We get something in return because the corporation provides a service or product that is more curated, better quality, more refined and integrated.

Of course, as the current furore over adtech shows, some tech providers are more open and honest about this transactional relationship than others. However, because their tech offering is usually pretty impressive, we are frequently willing to share our data no matter the providers’ honesty or openness, for better or for worse. And it can often be for better. Recall that if it weren’t for Apple Health’s technological advances, we would not be able to access and monitor our own health data. This connectivity can benefit not only us, but medical institutions too.

Meanwhile government, empowered to make decisions affecting our lives across a broad front, has the capacity to use that information in potentially punitive ways. So we instinctively fear a government that collects our data, particularly when there is strikingly little transparency over how it is used.

A new way forward?

COVID-19 gave the government the opportunity to better use health data and digital connectivity to conquer the virus. However, the pandemic experience does not seem to have conquered our deep-rooted fear of the government exploiting our health information. If government re-ran the introduction of My Health Record today would there really be a different outcome?

When governments get into data collection, they tend to think in terms of a big centralised database under their control which then requires a high level of standardisation in how the data is collected — a sort of “main frame” mindset harking back to a pre-Cloud world. These government-run centralised database projects often go horribly wrong — with big cost and time blow outs. Having so many stakeholders bidding for what data should be collected risks collapsing under their own weight. Also, the information government wants and the format in which it wants it entered is not necessarily suited to the private sector participants collecting and using the data. Consequently, using the centralised database can be more trouble than it is worth.

And of course, it’s the idea of big centralised databases holding personal information controlled by government which scares the public.

Maybe it’s time for government to take a different role in relation to health data. Health data is collected, stored and used by a wide range of health care providers, big and small, public and private. Should we think about the challenge as not “how do we extract this data into a centralised database?” but instead “how do we facilitate all these systems talking to each other?”

Technologies such as Cloud-based applications and new programming methodologies such as APIs are inherently more flexible and enable different systems to interoperate with each other. Although data is stored in different formats between databases, the relevant data can still be extracted and exchanged. While a level of data standardisation is needed, there is more scope for individual providers to build and manage their databases to suit their operating conditions.

Blockchain is another technology that speaks to the centralised government — data privacy challenge. Blockchain was born as a democratic revolt against the government bailouts of financial institutions that brought the global economy to its knees in 2007–08. It is rapidly gaining traction because the network is entirely premised on trust and transparency. Its peer-to-peer nature means changes made to the blockchain — including, for example, those “incidental” intelligence agency data collections — can be publicly scrutinised. While storage capacity and environmental sustainability issues remain unresolved, blockchain could be an immutable, highly secure and “publicly owned” facilitator of data transactions. It may lead to promising solutions for public health data storage.

In Australia’s very heterogenous health market, promoting a “federated” data model may provide a more feasible way forward. On this approach, government would facilitate the development of APIs and interoperability frameworks. This approach would also have the added advantage of potentially supporting a higher level of patient control over the distribution of their data through the federated system.

In contrast to My Health Record’s “mainframe mentality”, Germany implemented its health record using a decentralised approach through eHealthcare smartcards. Data stored on the smartcards includes the insured person’s name, date of birth, address, gender, insurance number and coverage status. There is also an option for the smartcard to store additional personal data with a person’s consent, such as emergency information and medication, allergies or drug intolerance.

Currently, data authorised healthcare providers can access the data on presentation of the eHealthcare card. There is no need for a centralised repository, which could be hacked or used for purposes other than for healthcare. In 2017, 70 million Germans were in possession of the card. In the near future, as the cards are poised to include emergency data, medication plans and patient records, a new generation of cards is expected to increasingly facilitate the exchange of medical information necessary for treatment.

While maximising patient control, the German approach has drawbacks in supporting co-ordinated health responses between providers because the data is held, literally, in the patient’s hands. But a lesson from the German experience is that the place to start in thinking about how to share health data is with the patients themselves. A federated data model may provide a better solution to the centralised government-personal data challenge, that takes a truly patient-centric approach.


Authors: Peter Waters, Anna Belgiorno-Nettis and Lucy Goodlad