Restrictions on linking MBS and PBS data
The committee is ever mindful of privacy concerns with regard to data,
its storage, management, use and security. However, as noted in the previous
chapter, many submissions indicated that significant health policy development
and medical research could be advanced if linked Medicare Benefits Schedule (MBS)
and Pharmaceutical Benefits Scheme (PBS) data were more readily accessible.
For example Professor Sallie-Anne Pearson told the committee:
The linkage of PBS, MBS and other Commonwealth collections,
such as those held by the Department of Social Services, can expand our
opportunities to explore value, real-world use and pivotal issues such as
equity of access. Despite medicines being tested extensively in clinical
trials, when they are PBS subsidised there is significant uncertainty about how
they would perform in routine clinical care. When I talk to consumers, they are
surprised to learn that comprehensive postmarket surveillance research does not
occur routinely in Australia. Why is this the case? Activity of this kind
actually requires Commonwealth and state based data holdings to be linked... The
currently fragmented data systems in Australia make it difficult, if not
impossible, to systematically capture these impacts.
Professor Pearson also noted the practical problems for researchers in
not being able to link MBS and PBS data:
The agencies, I believe, are prevented from linking their MBS
and PBS data, but if you actually think about it—if you want to understand
something as basic as does a person go to a specialist to get a particular
medicine and then how is the medicine continued, is it continued by a
specialist or by a general practitioner—we cannot find that out because we do
not have the visits linked to the prescription. Very basic things around
navigating through that system are really actually important—are people
monitored after they are prescribed a medicine? We do not know that because
that information cannot be linked. There are some really practical impediments
to doing some very basic work in this regard.
The importance and potential uses of these datasets were also recognised
in the Public Sector Data Management Report. According to the report,
linked MBS and PBS data is the fourth most requested data from the Australian
Source and content of the
Presently there are restrictions in both legislation and subordinate
legislation that strictly constrain the linkage of MBS and PBS data.
The National Health Act 1953 requires the Information
Commissioner to make privacy rules.
The National Health Act requires that the rules must:
- prohibit agencies from storing in the same database:
- information that was obtained
under the Medicare Benefits Program; and
- information that was obtained
under the Pharmaceutical Benefits Program; and
- prohibit linkage of:
- information that is held in a
database maintained for the purposes of the Medicare Benefits Program; and
- information that is held in a
database maintained for the purposes of the Pharmaceutical Benefits Program;
unless the linkage is authorised in the way specified in the
The current privacy guidelines were made by the Privacy Commissioner in
These legally binding guidelines provide that data from the PBS and MBS
databases may only be linked:
- if it is necessary to comply with law;
- to determine eligibility for a benefit under one program, where
eligibility depends upon services provided by the other program;
- where Medicare reasonably believes that doing so would prevent or
lessen a serious and imminent threat to life or health; or
- for release where a person has provided their consent.
If linkage is undertaken for medical research purposes, the claims data
can only be released where an individual has consented to having their data
released and where the researcher undertakes to destroy the claims information
provided to them at the conclusion of the research.
These strict limitations came about following a plan by the then Health
Insurance Commission (now Medicare) to implement an online system that would
allow pharmacists to claim reimbursement and to check whether patients were
eligible for concession prices on pharmaceuticals at the time they were being
The scheme ultimately did not go ahead, but an amendment to protect the
privacy of individuals given the large amount of data that would be collected
under the MBS and PBS schemes was implemented as sections 135AA and 135AB of
the National Health Act 1953.
The provision was last examined by the Parliament in 1993. At that time
the aims of the amendment were encapsulated by the then Member for Macarthur,
Mr Christopher Haviland MP who argued:
There is a need to ensure that legitimate privacy principles
are balanced against the public interest, particularly in relation to the
possible misuse of public money. This is the essential aim of this amendment—to
clarify privacy provisions to ensure that legitimate privacy concerns of
individuals are protected while enabling government agencies, in this case the
Health Insurance Commission, to adequately safeguard against fraud and misuse
of taxpayers' money.
Changes in technology
The committee remains committed to that fundamental need to "ensure
that legitimate privacy concerns of individuals are protected." It also
notes though that while the evolutionary march of technology has both increased
the ability to collect sensitive data about individuals it has also produced
technology and techniques that can protect that information.
Data linkage technology has transformed significantly in the last forty
years. Emeritus Professor D'Arcy Holman of the University of Western Australia told
an audience in July 2014 that:
My first employment, as a Public Health Medical Student Resident
during the Christmas of 1972, was to tabulate figures...of intestinal parasite
infections found in the patients of Swanbourne Hospital.
The information technology available to me wasn’t of the
digital electronic form, but consisted of a mechanical dinosaur known as the
Hollerith card sorter. The point is that what we could do with health
statistics, even as recent as the 1970s, was severely constrained by the
technical infrastructure available to us.
Emeritus Professor Holman later returned to the subject of data linkage
and privacy in his lecture with the following exposition:
...one might query if this [data linkage] represents a
significant invasion of privacy. To the contrary, the effects of data linkage
on privacy have been exactly the opposite, with a profound privacy benefit
compared with the way we did research before.
Here’s what real medical records look like, courtesy of a
patient who’s given permission for them to be displayed. Lots of documents, and
now computer screens, liberally plastered with the patient’s name and address.
During the first 20 years of my career, I waded through countless thousands of
records like this. It was tedious and inefficient work, especially because
often one had to pour through reams of paper to find just the one or two
important facts to answer the research question. Data linkage has turned this
approach on its head...so that during the last 20 years, what I’ve worked with
has looked like this: No names and addresses, age rather than date of birth,
contains only the information needed to answer the research question, and just
a number is used to represent each person, although for any two research
projects that system is different, so the patients don’t even have a unique
number. Nevertheless, use of the same number for the same anonymous person in
each project, illuminates the crucial connections within and between different
data collections, so that the outcomes can be measured.
In his evidence, Mr Timothy Pilgrim, who is the Acting Australian
Information Commissioner and currently performs the functions of the Privacy
Commissioner, reminded the committee that sometimes legislation needs to be
revisited in light of technological changes:
Something that we find with a number of the laws that I deal
with is that there is a need to review some of those because the situations
change quite dramatically in terms of technologies you can use to bring
together information sets and how they can be dispersed.
The protection of sensitive personal information remains a key focus of
both researchers and governments.
Calls for review
In the 23 years since the provision was last debated, the technologies
available to protect privacy have increased dramatically. As technology has
increased and researchers have become able to conduct more complex analysis of
combined datasets, the demand for linked data has also grown.
This in turn has led to a number of prominent reports that have
recommended that the National Health Act and the Privacy Guidelines be
For example in 2009, the National Health and Hospitals Reform Commission
To better understand people’s use of health services and
health outcomes across different caresettings, we recommend that public and
private hospital episode data should be collected nationally and linked to MBS
and PBS data using a patient’s Medicare card number.
In 2013, the Productivity Commission similarly suggested that the Privacy
Guidelines be amended noting that in the present environment:
Protecting confidentiality is warranted but the current
approach is too cautious and complex with the restrictions creating unnecessary
downsides and delays for evidence-based policy formulation.
In December 2015, the Public Sector Data Management Report called
the current privacy arrangements 'over-cautious and cumbersome'.
Days after this report was released, departmental witnesses who appeared
before the committee were given the opportunity to explain how the current
restrictions came to be in place and why they continue to be necessary. The
answer provided by representatives of the Department of Health acknowledged the
'very strong concerns about privacy' which historically dominated departmental
assessments of data requests from researchers.
However officials noted the paradigm shift that has occurred:
...what has happened fairly recently is that there has been a
significant cultural shift in the way data is regarded. It is regarded as an
asset; it is regarded as a key tool in informing policy development and
research. I think we are shifting from a culture of protecting data at all
costs to one of protecting data but also identifying ways we can use it.
Even the Acting Australian Information Commissioner supported the need
to review the current legislative restrictions on linking MBS-PBS data:
...section 135 of the Health Act...came into force, I think, over
20 years ago. I would be the first to say that legislation should be reviewed
regularly and, in fact, some years ago I actually proposed that when there were
some challenges identified with the guidelines when the office [Office of the
Australian Information Commissioner] was developing it at the time. We
acknowledged that there seemed to be some challenges about data retention;
being able to bring the two sets of data together into one database was another
issue. At that stage—I think that that was in 2011—I said that we were
certainly open to having that particular piece of legislation looked at because
it was, for want of a better description, an old piece of legislation that was
developed at a different time when there were different community expectations
and different mechanisms to simply store the information.
So what I am saying is yes—I think it is entirely appropriate
to have that piece of legislation reviewed, to look for other mechanisms which
may be able to make more efficient use of that information in terms of...freeing
up data for good social policy purposes. But at the same time I would then say
that if we are going to do that, what can we build in to ensure there is the
right level of protection about that information in a newer environment of how
it is going to be used? That could be through mechanisms such as building up
protections around security, giving it stronger protections where it is going
to be held. Those sorts of issues are things we would want to look at.
The Public Sector Data Management Report released by the
Department of the Prime Minister and Cabinet in December 2015 recommended that:
Legislation should be reviewed to identify whether privacy
and secrecy laws can be streamlined and modernised to enable data to be better
used for policy and research...
Australian Information Commissioner's view
The Office of the Privacy Commissioner sits within the Office of the Australian
Information Commissioner. The post of Privacy Commissioner is currently vacant
and instead those functions are fulfilled by the Acting Australian Information
The Office of the Information Commissioner recognised that there are
significant social benefits that can be obtained by using de-identified health
data for policy development and research purposes. The Acting Australian
Information Commissioner, Mr Timothy Pilgrim, wrote in his submission:
Taking into consideration the Committee's focus on improving
access to and linkage between health data sets for policy development, I
appreciate that personal information held by government can be, when it is
handled appropriately, a valuable resource for policy, planning, research,
innovation and providing better services.
If legislative and policy changes are made to facilitate or
extend access to, and the use of, personal information in research and policy
planning, it is important that an integrated approach to privacy management is
taken from the beginning. This includes, for example:
- implementing legislative
safeguards to limit the possibility of function creep
- considering whether any
restriction on an individual's right to privacy that arises from changes to how
health data sets are used is reasonable, necessary and proportionate to the
- considering whether personal
information is in fact required, or whether de‑identified or anonymised
information will suffice
- undertaking a Privacy Impact
Assessment (PIA) for each project that uses personal or de-identified
In his testimony, Mr Pilgrim described a 'recurring theme' amongst
certain government organisations that 'the Privacy Act was blocking the use of
data' instead of them actively looking for ways to comply with the legislation
and achieve the goals that researchers or others might be looking for.
Mr Pilgrim also pointed out that there were options that were available
under the existing privacy arrangements:
One of the security provisions in Australian privacy
principle 11, which deals with securing that information and keeping it safe,
says that personal information that is no longer required should either be
destroyed or de‑identified. It does not set a time frame around that in
particular to general personal information, so one of the mechanisms there
which could allow that information to continue on is if it can be
de-identified. Once information is de-identified it falls out of the definition
of personal information—as you would understand, if you cannot tell who the individual
is, then it is not personal information—so there are mechanisms by which quite
a bit of data, I would suggest, could be kept.
Proposed privatisation of Medicare payment systems
One week after the committee's final data linkage public hearing, the West
Australian published an article about the government's 'secret' proposal to
privatise Medicare's payments system:
The West Australian has learnt that planning for the
ambitious but politically risky outsourcing of government payments is
well-advanced, with a view to making it a key feature of Treasurer Scott
Morrison’s first Budget in May...
[The successful private sector provider] would administer
claims and payments while overseeing eligibility criteria, meaning they would
require access to people’s sensitive private information.
Doctors would also have to open their books to the provider,
which would be subject to regulatory oversight.
Although details of the government's privatisation process and timing
are unclear, senior Health Department officials have stated that a new Request
for Quote was issued in January 2016 'to start to look at how we might scope
this type of work, stressing that obviously we are in an exploratory stage and
no decisions have been made.'
Nevertheless, the Australian Medical Association has raised concerns
that any move to privatise Medicare payments could 'compromise patient privacy
and further fragment their care.' AMA Vice President Dr Stephen Parnis told ABC
Radio that such a move would raise serious privacy issues:
There are concerns raised about the way that the
administrators of these programs would handle confidential medical data; how
their input may influence or undermine the doctor-patient relationship in terms
of its funding.
The committee notes the real risk to privacy, improved public policy
planning and to the delivery of universal healthcare if the ideological attack
on Medicare expands into the actual privatisation of the Medicare payments
system and associated data.
The committee also notes that the restriction on linking MBS and PBS
data that is embodied in section 135AA of the National Health Act is over 20
years old and is prescriptive given technological progression in protecting
data and other restrictions on accessing data.
The committee agrees with the Acting Australian Information Commissioner
and other witnesses that privacy is always an important consideration in the policy
making process and that it ought to be afforded serious consideration in the
making and altering of access arrangements in this space. The evidence of
witnesses, such as Professor Stanley and Professor Pearson, clearly indicate
that there are significant harms in failing to do so.
The evidence received however, indicates that current legislative
restrictions on linking MBS and PBS data are unnecessarily placing Australian
lives at risk. As Professor Stanley noted (see chapters 2 and 3), there could be
another thalidomide crisis or hundreds of people needlessly dying of heart
attacks and we would be unable to detect it because we currently do not have
the evidence‑based data available.
These significant health care imperatives must be weighed against competing
public policy priorities. Privacy is and must continue to be a key
consideration in the formation of public policy. However, the evidence
presented to this committee, drawing on the long history of data linkage both
domestically and internationally, demonstrates that data linkage is undertaken
securely with successful containment of risk to the privacy of individuals while
leading to significant improvements in health outcomes.
While the committee is confident about the thoroughly tested processes
underpinning the use of de-identified health datasets in data linkage projects,
the government's proposed privatisation of the Medicare payment system raises
real privacy concerns. The committee is concerned that the government's
privatisation plans risk an unintended disclosure of highly sensitive MBS and
PBS data. In the committee's view it is important to maintain a clear
distinction between the linkage of de-identified health datasets and the
wholesale privatisation the Medicare payment systems.
The committee is heartened that there seems to be such strong public
support to utilise de-identified data that is already routinely collected to
improve the health of the populace.
Time and again, as demonstrated above, the committee heard that
consumers were surprised that government did not already use administrative
data for these purposes.
There is now a renewed focus on data in the public service. Given the
significant opportunities to improve Australia's healthcare outcomes, the
committee urges the government to adopt the following recommendations:
The committee recommends that given the changes in technology, and mindful
of the capacity and moral obligation for governments to hold and strongly
secure personal data and privacy, the government review the operation of section
135AA of the National Health Act 1953, with the aim of improving access
to de‑identified MBS and PBS data for the purpose of health policy
evaluation and development as well as research undertaken in the public
The committee recommends that the Australian Information Commissioner,
in consultation with privacy advocates, data custodians, academics and healthcare
consumers, review the Privacy Guidelines for the Medicare Benefits and Pharmaceutical
Benefits Programs in order to ensure that the government:
- retains ownership and management of Australian MBS and PBS data and
improves technological capacity to ensure the privacy of all Australians health
- develops a strategy to improve access to de-identified MBS and
PBS data for the purpose of health policy evaluation and development as well as
research undertaken in the public interest, in ways that don't decrease privacy.
Navigation: Previous Page | Contents | Next Page