Data privacy, secrecy and security policy

Administrator of the National Health Funding Pool: Data privacy, secrecy and security policy
11 March 2014, v2.0

Document Control Sheet

Document Information
Document Name: Administrator of the National Health Funding Pool: Data privacy, secrecy and security policy

Change History
Author | Date | Description | Version
NHFB | 29/07/2013 | Working draft for jurisdictional consideration. | V0.1
NHFB | 26/11/2013 | Final version reflecting feedback | V1.0
NHFB | 11/03/2014 | Updated for the Privacy Amendment (Enhancing Privacy Protection) Act 2012 | V2.0

Approval
Title: Administrator of the National Health Funding Pool
Name: Bob Sendt
Date: 11 March 2014

Title: NHFB Chief Executive Officer
Name: Lynton Norris
Date: 11 March 2014

This document is Unclassified and for Official Use Only.

Contents

ACRONYMS AND ABBREVIATIONS
PREFACE
1 INTRODUCTION
  Purpose
  Data privacy and secrecy
  Data security
  Physical security
  Data protocols
  Related documents
  Document updates
2 COLLECTION AND USE OF PERSONAL INFORMATION - LEGAL CONSIDERATIONS
  Collection of personal information under APP
  Use or disclosure of personal information under APP
  Security of personal information under APP
  Data protocol to ensure prudent management of personal information
3 EDW DATA SECURITY FEATURES UTILISED BY THE ADMINISTRATOR
  About the EDW
  Granting and revoking user access to data via data stewards
  User permissions
  Shared workspaces
  Data separation
  Access logs and audit trails
  Technical implementation
  Annual attestation
4 PROTOCOLS FOR DATA COLLECTION
  Administrator's Three Year Data Plan
  Data protocol 01: State and territory provision of hospital service estimates
  Protocols for reconciliation requirements
  Data protocol 02: State and territory provision of hospital services data to Administrator by accessing data provided to IHPA
  Data protocol 03: (interim) State and territory provision of hospital services data directly to the Administrator
  Data protocol 04: Provision of de-identified Medicare number for hospital services to Administrator
5 PROTOCOLS FOR USE AND STORAGE OF DATA
  Determining hospital services eligible for Commonwealth funding
  Data protocol 05: Determine reconciliation adjustments to Commonwealth ABF funding
  Data Retention and Disposal Protocol
6 PROTOCOL FOR RELEASE OF DATA
  Data protocol 06: Protocol for the release of data
  Data protocol for the release of matched services to states and territories for review
7 PROTOCOL FOR TREATMENT OF IDENTIFIED DATA
  Non-disclosure agreement
  Data protocol 07: Protocol for an incident of identification of a patient from de-identified or identifiable patient data
APPENDIX A: DATA PROTOCOL DIAGRAMS
APPENDIX B: MATRIX OF DATA TYPE TO RELEVANT PRIVACY AND SECRECY PROVISIONS
APPENDIX C: MATRIX OF DATA TO RELEVANT DATA TYPE
APPENDIX D: PROCEDURE FOR DATA STEWARD TO GRANT AND REVOKE ACCESS TO DATA
APPENDIX E: GLOSSARY

Acronyms and abbreviations

The following acronyms and abbreviations are used throughout this document.

Term: Description
ABF: Activity Based Funding
ADS: Analytical Data Store
Administrator: Administrator of the National Health Funding Pool
COAG: Council of Australian Governments
DHS: Commonwealth Department of Human Services
DoH: Commonwealth Department of Health
IHPA: Independent Hospital Pricing Authority
LHN: Local Hospital Network
MBS: Medical Benefits Schedule
NEP: National Efficient Price
NHFB: National Health Funding Body
NHPA: National Health Performance Authority
NHRA: National Health Reform Agreement
EDW: Enterprise Data Warehouse
NMDS: National Minimum Data Sets
NWAU: National Weighted Activity Unit
ODS: Operational Data Store
PBS: Pharmaceutical Benefits Scheme
PIN: Personal Identification Number
RDS: Reference Data Store
SCoH: Standing Council on Health
SPP: Specific Purpose Payment

Preface

I am pleased to present my data privacy, secrecy and security policy for dealing with the collection, use, storage, disclosure and destruction of the data involved in my role as Administrator of the National Health Funding Pool. This policy has been informed by discussions with stakeholders.

This policy document is of particular relevance to my work in reconciling actual hospital service levels to pre-existing estimates and in matching hospital services data to Medical Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) claims data using a common Medicare PIN. The document outlines processes and protocols I employ to ensure appropriate treatment of these data in the context of Commonwealth and state and territory privacy and secrecy requirements as stated in legislation and associated guidelines and principles.

I have set out in this document the data I use, together with my assessment of the sensitivity of the data, the related legislation, guidelines, principles and advice I have used in forming this policy.

The privacy, secrecy and security of all data provided by jurisdictions are of particular importance to me. Systems and processes used for collection, storage and reporting have been designed to ensure security of information. I will update this document as necessary to ensure these arrangements reflect changes in the legislative environment and best practice data and information management.

All data requested by me are either not identified, or are de-identified. As long as these data remain unidentified, they are not deemed to be personal information within the meaning of the Privacy Act 1988 as amended by the Privacy Amendment Act. To cover the possibility that data may become identifiable (and therefore potentially "personal information"), additional measures have been adopted to ensure that their collection and use are in accordance with the Australian Privacy Principles and with the secrecy and patient confidentiality provisions in the National Health Reform Act 2011 and other statutory protections.

All data not already specified under the National Health Reform Agreement (NHRA) or relevant legislation to be in the public domain are considered sensitive information and are treated in line with relevant secrecy provisions.

In this document I outline specific protocols which are in place to ensure identifiable information is not received by me. I also outline protocols which I have put in place for the possibility where de-identified information received by me (or the National Health Funding Body on my behalf) becomes identifiable and therefore caught by relevant privacy provisions. The protocols include advising the data steward of the instance, precluding officers from disclosing information, and disposing of records securely where appropriate.

RJ Sendt
Administrator
National Health Funding Pool

1 Introduction

The Administrator of the National Health Funding Pool (the Administrator) and the National Health Funding Body (NHFB) are established under the National Health Reform Act 2011 (the NHR Act).

The Administrator's primary function is to administer the National Health Funding Pool, which in essence involves making payments to state and territory accounts in exchange for states and territories providing a certain number of public hospital services to patients. The NHFB's function is to assist the Administrator in the performance of his or her functions.

As part of administering the National Health Funding Pool, the Administrator is required to perform a reconciliation of activity in respect of each state and territory. This reconciliation requires the provision of patient level hospital service data and MBS and PBS claims data. The overall policy intention is for this reconciliation to be undertaken by the Administrator using only de-identified data. As part of the requirements for this process, steps have been included to ensure the de-identification of data prior to a reconciliation being done by the Administrator.

The Appendices to this document set out matrices of the types of data the Administrator uses, together with an assessment of privacy, secrecy and security around the data, and the related legislation, guidelines, principles and advice used in forming this policy.

1.1 Purpose

The purpose of this document is to describe the Administrator's data privacy, secrecy and security policies and protocols relating to the collection, use, storage and disclosure of data used to inform the processes involved in his or her role.

1.2 Data privacy and secrecy

The privacy and secrecy of information is of paramount importance. Any personal information will be treated in accordance with the Australian Privacy Principles in the Privacy Act 1988, incorporating the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the secrecy and patient confidentiality provisions in the NHR Act as well as other statutory protections.

The NHR Act provides protections and imposes obligations on the Administrator and NHFB for the handling of personal information and makes provisions to ensure patient confidentiality. All officers of the NHFB - whether staff employed under the Public Service Act 1999 or other persons assisting the NHFB (including contractors engaged by the NHFB Chief Executive Officer) - are subject to the Australian Public Service (APS) Code of Conduct.

Any collection of personal information will only be done for a specified purpose and will be undertaken in strict compliance with the Australian Privacy Principles set out in the Privacy Act 1988 as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

1.3 Data security

The Administrator is committed to the security of all data, and particularly patient level data submitted by states and territories. The Enterprise Data Warehouse (EDW) is being used as a secure facility for the submission, storage and dissemination of data to enable the Administrator's reconciliation processes including National Weighted Activity Unit (NWAU) calculation and determination of activity based funding eligibility.

Where appropriate, security measures and standards employed are consistent with those provided within the Protective Security Policy Framework issued by the Commonwealth Attorney-General's Department and the Australian Government Information Security Manual issued by the Defence Signals Directorate.

1.4 Physical security

The Administrator and the NHFB have physical security arrangements in place to ensure the security of data. These arrangements are consistent with the Protective Security Policy Framework and Australian Government Information Security Manual. Where appropriate the Administrator and NHFB use secure rooms, isolated (secure) printers, secure network connections, stand-alone computers, lockable filing cabinets and encrypted USB drives and compact discs. Access to the facilities and materials is restricted and monitored.

1.5 Data protocols

This document outlines the data protocols for the collection, use, storage, disclosure and disposal of relevant data. The primary purpose of each protocol is to highlight how data privacy, secrecy and security are handled as the data flow through each of the protocol steps.

Security in these protocols demonstrates the appropriate application of the Australian Government's Protective Security Policy Framework by the Administrator and NHFB, providing the operational environment necessary for the confident and secure conduct of the Administrator's business. Managing security risks proportionately and effectively enables the Administrator and NHFB to provide the necessary protection of the Administrator's and the NHFB's people, information and assets.

1.6 Related documents

The policies in this document should be read in conjunction with the following documents, which collectively detail the Administrator's related policies, processes and data requirements.

1. NHR PHF NHFB Procedures Manual v
2. Methodology for the Calculation of Commonwealth National Health Funding Pool Contributions (provided for each financial year)
3. Determination 03: Provision of actual hospital services data for reconciliation with estimated data
4. Business rules for determining hospital services eligible for Commonwealth funding Volume 2: Extended proof of concept
5. Reconciliation Framework
6. The Administrator's rolling three year Data Plan. This document specifies the data items collected by the Administrator, including de-identified data that would be personal information if re-identified.
7. NHFB Physical Security Policy v
8. NHFB Protective Security Framework v

1.7 Document updates

This document is subject to change and may be updated and reissued by the Administrator. Changes, if any, will be communicated to all stakeholders.

2 Collection and use of personal information - legal considerations

Both the Administrator and the NHFB are entities for the purposes of the Commonwealth Privacy Act 1988 (the Act) as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, and are required to comply with the Australian Privacy Principles (APPs) set out in the Act.

The APPs apply to personal information. While de-identification procedures have been put in place, it is possible that at least some of these data would fall within the definition of personal information.

Any personal information contained in the data provided by states and territories would be collected by the Administrator and the NHFB for the purpose of fulfilling the Administrator's function relating to reconciling the amounts the Commonwealth is required to pay into each State Pool Account with subsequent actual service delivery, and would be both necessary for, and directly related to, that purpose.

Table 1 Relevant Australian Privacy Principles

APP 3: Collection of solicited personal information

3.1 If an APP entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities.

APP 6: Use or disclosure of personal information

6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
  a. the individual has consented to the use or disclosure of the information; or
  b. subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.

6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:
  a. the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
    i. if the information is sensitive information, directly related to the primary purpose; or
    ii. if the information is not sensitive information, related to the primary purpose; or
  b. the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
  c. a permitted general situation exists in relation to the use or disclosure of the information by the APP entity; or
  d. the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
  e. the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

6.3 This subclause applies in relation to the disclosure of personal information about an individual by an APP entity that is an agency if:
  a. the agency is not an enforcement body; and
  b. the information is biometric information or biometric templates; and
  c. the recipient of the information is an enforcement body; and
  d. the disclosure is conducted in accordance with the guidelines made by the Commissioner for the purposes of this paragraph.

6.4 If:
  a. the APP entity is an organisation; and
  b. subsection 16B(2) applied in relation to the collection of the personal information by the entity;
the entity must take such steps as are reasonable in the circumstances to ensure that the information is de-identified before the entity discloses it in accordance with subclause 6.1 or 6.2.

APP 11: Security of personal information

11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
  a. from misuse, interference and loss; and
  b. from unauthorised access, modification or disclosure.

11.2 If:
  a. an APP entity holds personal information about an individual; and
  b. the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
  c. the information is not contained in a Commonwealth record; and
  d. the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

2.1 Collection of personal information under APP 3

Where a patient's identity is 'reasonably ascertainable' from data provided by a jurisdiction (i.e. by combining multiple data fields, or combining it with publicly available data), and thus constitutes personal information, APP 3 (refer Table 1) allows the Administrator and NHFB officers to collect these data if the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities.

As the collection of these data from jurisdictions is a necessary part of, and directly related to, performing the function of reconciling the amounts paid by the Commonwealth into State Pool Accounts with the actual services provided, then even if the data received contain personal information, receipt of such data by the Administrator and the NHFB will not breach APP 3.

2.2 Use or disclosure of personal information under APP 6

APP 6 (refer Table 1) deals with the use or disclosure of personal information by agencies. This is relevant to the Administrator's purpose in using the data provided to:

- reconcile the amounts paid by the Commonwealth into each State Pool Account with the subsequent actual services provided; and
- match with MBS and PBS claims data in order to reconcile the amounts paid by the Commonwealth into each State Pool Account based on actual services provided.

APP 6 allows the data to be used for these purposes.

The Administrator's Data Plan requires only the receipt of de-identified data in the first instance. However, where information may become identified or is considered re-identifiable, steps will be taken to ensure that this information is de-identified prior to any disclosure. This may include separately storing data considered to be personally identifiable, de-identifying data using recognised techniques, aggregating data to a level that eliminates the chance of re-identification or removing the personally identifiable data elements from data sets altogether.

2.3 Security of personal information under APP 11

APP 11 deals with the security of personal information while it is being used for the purpose and also at the completion of the purpose.

Notwithstanding that the Administrator's Data Plan requires only the receipt of de-identified data, the Administrator has measures in place to meet the requirements of APP 11 when using data received from jurisdictions. The Administrator uses the secure facilities of the EDW to receive, manage and store data. Section 3 provides detail on the EDW facilities with respect to security including access.

At the completion of the purpose, and where the information does not form part of a Commonwealth record, the Administrator will destroy or de-identify data that may become re-identifiable before storing or sharing the data.

2.4 Data protocol to ensure prudent management of personal information

In the event that an incident occurs where certain reconciliation data lead to identification of one or more individual patients, data protocol 07 sets out the procedures to be followed by the Administrator and the NHFB.

Whilst an incident of this nature is not in breach of the Privacy Act, protocol 07 demonstrates that the Administrator has a process to ensure prudent management of personal information consistent with Commonwealth legislative requirements.

3 EDW data security features utilised by the Administrator

3.1 About the EDW

The EDW is a high quality, secure, reliable, easy-to-use, shared data storage, analysis and reporting system that supports some of the Administrator's key information management requirements.

The EDW was established in 2010 to provide the information and communication technology capability to enable key roles and agencies - the Administrator, the NHFB, the Independent Hospital Pricing Authority, the National Health Performance Authority, the Australian Commission on Safety and Quality in Health Care and the Commonwealth Department of Health (DoH) - to perform their roles under national health reform.

The EDW includes the following features:

- a secure online system for jurisdictions to submit data to the Administrator
- secure access control management for the sharing of data between the Administrator and the organisations specified in clause B97 of the NHRA
- a facility that allows jurisdictions to securely access approved data products
- a physically secure location with disaster recovery capabilities
- compliance with relevant Australian Government security policies, including the Australian Government Protective Security Policy Framework and the Australian Government Information Security Manual.

3.2 Granting and revoking user access to data via data stewards

For each source data artefact, only the relevant data steward (for example the NHFB CEO as NHFB data steward for the Administrator's data) has the authority to grant and revoke access to those data, and must provide explicit approval before any access to the data artefact by a user or group of users.

For example, an NHFB officer who wishes to access hospital services data that have been provided to the Administrator has to make a request to the NHFB data steward, who then has to determine what access will be granted (if any). Requests for access can also be made in respect of a group of users rather than a single user.

The NHFB data steward has a documented procedure for granting and revoking access to data artefacts to a user or group of users (refer Appendix D).

Once access has been approved by the data steward, the EDW data custodian will then set the access permissions for that user (or group of users) to access it in accordance with the approval by the data steward.

Although a data set may be loaded into the EDW, it can only be accessed by specific users or groups of users where there is explicit approval from the relevant data steward.

3.3 User permissions

Source data sets in the EDW are stored as Teradata database tables. The system enables user permissions to be implemented at the level of individual data elements in a table. So, for example, if a data set includes 10 fields in each line of data in a table which has 400,000 lines, and where one of the fields is the year of collection, it is possible to give a particular user access to, say, only three of those fields, and only for data that was collected in a particular year.

3.4 Shared workspaces

Specified groups of NHFB users have access to shared workspaces that are confidential to the members of the group, in the same way as are folders on shared drives. These are termed Analytical Data Stores (ADSs) as they are intended to enable exploratory analysis of data.

The NHFB, in assisting the Administrator, has been allocated three ADSs, which can be regarded effectively as separate databases:

- An ADS for analysis of hospital activity and related data
- An ADS for analysis of MBS and related data
- An ADS for analysis of PBS and related data

The NHFB data steward grants and revokes access to these ADSs as required, to NHFB users only. This means that the ADSs and all the data sets in them are reserved for the exclusive use of NHFB users.

Any data provided by the Administrator to agencies under the sharing principles of the NHRA (under clause B97) will be provided as a copy only. Each copy will be provided either by secure data transfer directly to each agency, or (in line with arrangements between agencies and the EDW) by provision of the data in shared EDW workspaces provided for specified groups of agency users.

The NHFB data steward mandates that all the Administrator's data for reconciliation requirements, other than data authorised to be in the public domain, is to be stored and analysed in the EDW in the above ADSs to ensure appropriate levels of privacy, secrecy and security.

3.5 Data separation

In the EDW, the shared work spaces, derived data and analytical programs of NHFB officers will be separate and secure from any other organisation. The NHFB data steward will have authority over who has access to NHFB data.

For example, if officers of the NHFB are undertaking analyses of data for reconciliation purposes, those analyses will not be accessible to other users outside the NHFB, nor will any of the working datasets, SAS programs, or any data cubes or reports created.

3.6 Access logs and audit trails

In addition to the overall approach of authorised data stewards granting access to specific source data sets, data elements in those source data sets, reports and/or cubes, to designated users and/or groups of users, the EDW logs all access to data in the managed data space at the level of the user and the individual data elements, reports or cubes accessed, the operations performed on those data, and the time at which the access took place.

For data saved within EDW personal and group shared workspaces, the EDW logs access at the level of individual users and the files they access, but not generally at the level of specific data elements accessed within the files.

Access to these logs is strictly controlled and will generally only be available to authorised EDW officers.

In the event of an apparent anomaly being discovered in access to NHFB source data, reports or cubes, the EDW will bring this to the attention of the NHFB data steward via a manual process. When this occurs, the NHFB data steward will investigate the anomaly, any breaches of protocol, and planned remedial actions. Outcomes will be advised to the relevant jurisdiction.

The access logs will also be available to internal and external auditors, where they wish to review the logs to establish that no inappropriate or unauthorised access has occurred.

The NHFB will receive a copy of those parts of the access logs that detail access to its derived data and to the shared workspaces of its officers, and, if requested, the audit trails for instances of access to its derived data and/or workspaces.

3.7 Technical implementation

This approach to managing data access is implemented in part through an Oracle product called Identity and Access Management (I&AM). I&AM is built into the EDW and maintains a profile for each and every EDW user which sets out their membership of any source data access groups. The permissions for these data access groups are implemented in the relevant part of the EDW - for example in Red Hat Enterprise Linux and in Teradata.

The permissions assigned to a data access group cover the source data sets, reports and data cubes that those users or groups of users are entitled to access and any rules governing their access (for example that it is for a data set pertaining to a particular month or year).

The identification and authentication of each user is done through the NHFB's outsourced network logon process, which is managed by IBM. When a person who has logged on to the NHFB's network seeks to access the EDW - that is, any of the data or software in the EDW - they can only gain access where the information regarding their identity is securely passed from IBM's network security module to Oracle I&AM. I&AM then assigns to that user for that session (i.e. until the person logs off or exits the EDW), the permissions that are associated with the data access group(s) designated for that person in their I&AM profile.

When access to the EDW is extended to third parties that are not users of the NHFB network, those users will have to pass a logon process that uniquely identifies them to the Oracle I&AM.

3.8 Annual attestation

The NHFB Data Steward will make an annual attestation to the Administrator, as at 30 June each year, detailing a list of officers authorised to access NHFB data, together with a statement of any breaches of data security over the year. The Administrator will share the statement with jurisdictions accordingly.
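The element-level scoping described in section 3.3 and the element-level access logging described in section 3.6 can be reconciled against each other, as in this added example, which is not part of the policy or of the EDW. The record layouts and the dataset, field, user and group names are constructed for illustration; the check flags log entries that fall outside what a data steward approved.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One data-steward approval for a user or group (hypothetical layout)."""
    principal: str        # user id or data access group name
    dataset: str
    fields: frozenset     # data elements the steward approved
    years: frozenset      # collection years the approval covers
    granted: datetime
    revoked: Optional[datetime] = None


@dataclass(frozen=True)
class AccessEvent:
    """One element-level log entry: who, what, which operation, when."""
    user: str
    dataset: str
    fields: frozenset
    year: int
    operation: str
    at: datetime


def audit(events, grants, groups):
    """Return (event, reason) for every access outside steward approval."""
    findings = []
    for ev in events:
        # A user acts under their own id and under any group they belong to.
        principals = {ev.user} | {g for g, m in groups.items() if ev.user in m}
        relevant = [g for g in grants
                    if g.principal in principals and g.dataset == ev.dataset]
        active = [g for g in relevant
                  if g.granted <= ev.at and (g.revoked is None or ev.at < g.revoked)]
        in_year = [g for g in active if ev.year in g.years]
        if not relevant:
            findings.append((ev, "no steward approval"))
        elif not active:
            findings.append((ev, "outside approval period"))
        elif not in_year:
            findings.append((ev, f"year {ev.year} not approved"))
        else:
            allowed = frozenset().union(*(g.fields for g in in_year))
            extra = sorted(ev.fields - allowed)
            if extra:
                findings.append((ev, "fields not approved: " + ", ".join(extra)))
    return findings


# Constructed sample data: three of the fields, one collection year (as in 3.3).
DS = "hospital_activity"
GRANTS = [
    Grant("officer_a", DS, frozenset({"collection_year", "lhn_code", "nwau"}),
          frozenset({2013}), datetime(2014, 1, 10)),
    Grant("recon_team", DS, frozenset({"episode_id", "nwau"}),
          frozenset({2012, 2013}), datetime(2014, 1, 10),
          revoked=datetime(2014, 3, 1)),
]
GROUPS = {"recon_team": {"officer_b"}}
EVENTS = [
    AccessEvent("officer_a", DS, frozenset({"nwau", "lhn_code"}), 2013,
                "SELECT", datetime(2014, 2, 1)),
    AccessEvent("officer_a", DS, frozenset({"nwau", "medicare_pin_hash"}), 2013,
                "SELECT", datetime(2014, 2, 2)),
    AccessEvent("officer_a", DS, frozenset({"nwau"}), 2012,
                "SELECT", datetime(2014, 2, 3)),
    AccessEvent("officer_b", DS, frozenset({"episode_id"}), 2012,
                "SELECT", datetime(2014, 2, 15)),
    AccessEvent("officer_b", DS, frozenset({"episode_id"}), 2012,
                "SELECT", datetime(2014, 3, 5)),
    AccessEvent("officer_c", DS, frozenset({"nwau"}), 2013,
                "SELECT", datetime(2014, 2, 20)),
]

if __name__ == "__main__":
    for event, reason in audit(EVENTS, GRANTS, GROUPS):
        print(event.at.date(), event.user, event.dataset, reason)
```
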

4 Protocols for data collection

The Administrator seeks to provide a secure data exchange mechanism for the provision of all data.

4.1 Administrator's Three Year Data Plan

The Administrator's Three Year Data Plan (Data Plan) is the Administrator's determination of the minimum level of data required from jurisdictions in order to calculate the Commonwealth's contribution, conduct reconciliation activities and ensure national comparability (clause B88, NHRA). The Data Plan is revised and re-issued annually, following endorsement by the Standing Council on Health.

Supply of the data outlined in the Data Plan is required to enable the Administrator to undertake the functions set out in legislation and in the NHRA.

The objectives of the Data Plan are to:

- communicate the Administrator's data requirements over the three years to jurisdictions in accordance with clause B85 of the NHRA
- describe the mechanisms, including timelines, that the Administrator will use to collect data from jurisdictions
- advise how data will be used by the Administrator in undertaking the duties required by the Act and the NHRA.

Refer to the relevant Data Plan for data submission requirements relating to the reconciliation process.

4.2 Data protocol 01: State and territory provision of hospital service estimates

This data protocol is followed when states and territories provide the Administrator with NWAU estimates (or updates to NWAU estimates) for hospital services. Estimates are required to be provided for the coming financial year in aggregate by 31 March each year, and then by confirmed aggregate and each Local Hospital Network (LHN) by 31 May each year. States and territories are then able to revise estimates using this protocol as the financial year progresses. Refer to the Data Plan for details on submission requirements. Refer to Appendix A for a data protocol 01 process diagram.

Table 2 Data protocol 01 for state and territory provision of hospital service estimates to the Administrator

Step 1
Participant and Action: State or territory: Sends service estimates to the Administrator.
Description: A state or territory emails original or revised service estimates in spreadsheet form directly to the Administrator at nhfa.administrator@nhfa.gov.au according to formats and timeframes as specified in the Data Plan and associated technical specifications.
Privacy: There are no privacy concerns with these data as the data contain no personal information.
Secrecy: The service estimate data are received into a securely managed server where only the Administrator, or NHFB officers specifically authorised by the Administrator, may view the email to access the data.
Security: The service estimate data are received into a securely managed server.

Step 2
Participant and Action: Administrator and NHFB: receive estimates.
Description: The NHFB stores the estimates in the NHFB secure document management system.
Secrecy: Only specified NHFB officers as authorised by the NHFB CEO have access to the Administrator's email to receive estimates. Only specified NHFB officers as authorised by the NHFB data steward have access to the NHFB secure document management system to store and retrieve estimates.
Security: The service estimate data are received into a securely managed server and a secure document management system.

Step 3
Participant and Action: NHFB: Utilises estimates provided to derive Commonwealth National Health Funding Pool contributions.
Description: The NHFB, acting on Administrator instructions as documented in the relevant year's Methodology for the Calculation of Commonwealth National Health Funding Pool Contributions, utilises estimates provided, including cross border estimates, along with SPP, NEP, NEC and other information as required to calculate Commonwealth National Health Funding Pool contributions.
Secrecy: Only specified NHFB officers as authorised by the NHFB CEO have access to the Administrator's email to receive estimates. Only specified NHFB officers as authorised by the NHFB data steward have access to the NHFB secure document management system to store and retrieve estimates and contribution results.
Security: The service estimate data and derived Commonwealth National Health Funding Pool contributions are managed in a secure server and secure document management system.

Step 4
Participant and Action: Administrator: Approves calculation of Commonwealth National Health Funding Pool contributions and advises jurisdictional ministers and Commonwealth Treasurer.

Step 5
Participant and Action: Commonwealth Treasurer: Receives advice of Commonwealth National Health Funding Pool contributions.

Step 6
Participant and Action: Jurisdictional Ministers: Receive advice of Commonwealth National Health Funding Pool contributions.

Step 7
Participant and Action: NHFB: Enters Commonwealth National Health Funding Pool contributions into the NHFA Payments System.
Secrecy: Only specified NHFB officers as authorised by the NHFB data steward have access to the NHFA Payments System to enter, validate and approve contributions.
Security: A three stage entry, validation and approval process, by three separate NHFB users (who are authorised to enter, validate or approve as appropriate) ensures appropriate security around the entry of contributions.

4.3 Protocols for reconciliation requirements

4.3.1 Data protocol 02: State and territory provision of hospital services data to Administrator by accessing data provided to IHPA

This data protocol is followed when states and territories request the Administrator to use the data already being supplied to the Independent Hospital Pricing Authority (IHPA), through the AIHW/IHPA data submissions portal (AIHW/IHPA Portal) for Submission A. The AIHW/IHPA Portal is a secure facility for the submission of data. Refer to Appendix A for a data protocol 02 process diagram.

Table 3 Data protocol 02 for state and territory provision of hospital services data to the Administrator

Step 1
Participant and Action: State or territory: Submits hospital service data via the AIHW/IHPA Portal.
Description: States and territories request the Administrator to use quarter two and quarter four data already being supplied to the IHPA, through the AIHW/IHPA Portal.
Privacy: The data contain no identifiable personal information.
Secrecy: IHPA portal data can only be viewed by authorised IHPA officers.
Security: The IHPA portal utilises the secure facilities of the EDW for the receipt of data.

Step 2
Participant and Action: IHPA: Validates data according to IHPA rules (agreed with NHFB).
Description: The Administrator utilises the IHPA validation process for consistency between IHPA and Administrator data.
Security: The IHPA utilises secure IHPA data facilities for the validation of data.

Step 3
Participant and Action: IHPA: Provides validated data to the Administrator and NHFB.
Description: IHPA provides the data to the Administrator through the EDW.
Security: IHPA utilises the secure facilities of the EDW for the sharing of data with the Administrator.

Step 4
Participant and Action: NHFB: receives data on behalf of Administrator (Submission A as referred to in the Administrator's Data Plan).
Description: The data are received into the Administrator's ADS within the EDW.
Privacy: The data contain no identifiable personal information. In the event of a patient who had a hospital service being identified by NHFB officers from the specified data, then data protocol 07 must be followed.
Secrecy: Once the data are received from IHPA by the Administrator, they can only be viewed by authorised NHFB officers granted access to hospital services as required for assisting with the Administrator's functions.
Security: The Administrator utilises the secure facilities of the EDW for the receipt of data. All data are stored in the EDW's Teradata platform.

4.3.2 Data protocol 03: (interim) State and territory provision of hospital services data directly to the Administrator

This protocol is followed when states and territories submit password protected Submission A patient services data directly to the Administrator. Any data provided via this means will be subject to the same data validation rules as data provided to IHPA.

Note: Data protocol 03 is interim, and is expected to be retired in December When data protocol 03 is retired, data protocol 02 will become the only protocol for use in the provision of hospital service data to the Administrator.

Refer to Appendix A for a data protocol 03 process diagram.

Table 4 Data protocol 03 for state and territory provision of hospital services data to Administrator

Step 1
Participant and Action: State or territory: Posts six monthly and annual hospital services data directly to the Administrator (Submission A as referred to in the Administrator's Data Plan).
Description: States and territories must submit password protected patient services data directly to the Administrator on a CD via Australia Post registered mail. The CD must be mailed to the post office box as advised to states and territories by the Administrator. States and territories must format the data as outlined in the Administrator's Technical Specifications. For consistency purposes, any data provided via this means will be subject to the same data validation rules as data provided to IHPA. The password for the data must be emailed to the Administrator at nhfa.administrator@nhfa.gov.au.
Privacy: The data contain no identifiable personal information.
Secrecy: If the CD is intercepted by an unauthorised third party, then the data are encrypted and will be unreadable without the password, as the password is delivered to the recipient by a separate mechanism.
Security: The CD submitted carries password protection, and the password is delivered to the recipient by a separate mechanism.

Step 2
Participant and Action: NHFB: receives data on behalf of Administrator and applies password to allow access to the data.
Privacy: The data contain no identifiable personal information. In the event of a patient who had a hospital service being identified by NHFB officers from the specified data, then data protocol 07 will be followed.
Secrecy: The unencrypted CD data (once password is applied) can only be viewed by authorised NHFB officers granted access to hospital services as required for assisting with the Administrator's functions.
Security: The CD submitted carries password protection, and the password is delivered to the recipient by a separate mechanism.

Step 3
Participant and Action: NHFB: loads data into the Administrator's work area (ADS) in the EDW ready for use.
Secrecy: Once the data are loaded into the EDW, they can only be viewed by authorised NHFB officers granted access to hospital services as required for assisting with the Administrator's functions.
Security: All data are stored in the EDW's Teradata platform.

4.3.3 Data protocol 04: Provision of de-identified Medicare number for hospital services to Administrator

This protocol is followed when states and territories submit password protected Submission B Medicare number data for those patient services submitted in Submission A to the Commonwealth Department of Human Services (DHS) on a CD via Australia Post registered mail. The interim arrangement of posting CDs is expected to be replaced by the use of a data submission portal. DHS holds the status of an integrating authority and undertakes this work as a service to the Administrator as required under the NHRA. Refer to Appendix A for a data protocol 04 process diagram.

Table 5 Data protocol 04 for provision of de-identified Medicare number for hospital services

Step 1
Participant and Action: State or territory: Submits six monthly and annual hospital patient services Medicare number data to DHS (Submission B as referred to in the Administrator's Data Plan).
Description: Each state and territory must submit password protected patient services Medicare number data directly to DHS on a CD via Australia Post registered mail. The CD must be mailed to the DHS officer and address as advised by the Administrator. States and territories must format the data as outlined in Appendix B of the Administrator's Technical Specifications. The password for the data must be emailed to the authorised DHS officer at the address advised by the Administrator.
Privacy: The Medicare number is identifiable information which could be used fraudulently or used to identify a patient who had a hospital service. In the unlikely event of the state or territory Medicare number data being sent to the Administrator in error, then it must be returned immediately to the provider jurisdiction.
Secrecy: If the CD is intercepted by an unauthorised third party, then the data are encrypted and will be unreadable without the password, as the password is delivered to the recipient by a separate mechanism.
Security: The CD submitted carries password protection, and the password is delivered to the recipient by a separate mechanism.

Step 2
Participant and Action: DHS business area: receives data as an arranged service for the Administrator, and notes the password.
Description: On receipt of the data CD, DHS log the data disc details, including State/territory, date received, relevant password, and date the CD is uploaded to the DHS system for processing.
Privacy: The data contain identifiable information in the form of a Medicare number. DHS has existing established practices for handling Medicare number data in accordance with privacy requirements.
Secrecy: The unencrypted CD data (once the password is applied) can only be viewed by appropriately accredited DHS officers granted access as required for processing the data.
Security: The CD submitted carries password protection, and the password is delivered to the recipient by a separate mechanism.

Step 3
Participant and Action: DHS business area: loads data into a secure DHS production mainframe environment ready for de-identification of data.
Description: The data are uploaded to the DHS mainframe environment, where the data are kept until the batch is run.
Privacy: The data contain identifiable information in the form of a Medicare number.
Secrecy: Once the data are loaded into the secure DHS production mainframe input data area, they can only be viewed by appropriately accredited DHS officers granted access as required for carrying out the DHS function of de-identifying the data.
Security: DHS utilises the secure facilities of the DHS production mainframe input data area for the validation of data.

Step 4
Participant and Action: DHS business area: Submits a request to run the data in the production environment.
Description: The DHS business area requests the DHS IT service desk to run the data in the production environment. The batch is scheduled to run on a nominated day.
Security: DHS utilises the secure facilities of the DHS production mainframe.

Step 5
Participant and Action: DHS IT: de-identifies the data by using each input Medicare number to look up the Medicare PIN associated with the Medicare number on the DHS Consumer Directory database.
Description: The production batch is run on the scheduled day. Three files are produced from this process:
  1. A response file for the submitting state or territory, with an indication of a successful or unsuccessful look up for the Medicare number for each record on the file. The response file contains the Medicare number and does not contain the Medicare PIN.
  2. A de-identified output file for the Administrator. When a look up is successful the process will replace the Medicare number with the associated PIN for the patient. When a look up is not successful the Medicare number will be replaced with zero.
  3. A summary report file indicating the total number of records received, the total number of successful look ups and the total number of invalid Medicare numbers.
Privacy: The response file contains the Medicare number and does not contain the Medicare PIN. The output file does not contain the Medicare number but contains the Medicare PIN. DHS officers involved in the process have existing permissions to access both the Medicare Number and the Medicare PIN.
Secrecy: Once the data are loaded into the secure DHS production mainframe input data area, they can only be viewed by appropriately accredited DHS officers granted access as required for carrying out the DHS function of de-identifying the data.
Security: DHS utilises the secure facilities of the DHS production mainframe.

Step 6
Participant and Action: DHS business area: prepares the response, output, and summary report files for forwarding to the relevant stakeholders.
Description: The DHS business area receives an automated report from DHS IT showing the results of the de-identification process. The data are downloaded from the DHS mainframe environment. This process involves the DHS business area retrieving the data from mainframe, saving the output, response and summary report files to a designated folder where they are renamed appropriately and copied to CD using encrypted WinZip software.
Privacy: The response file contains the Medicare number and does not contain the Medicare PIN. The output file does not contain the Medicare number but contains the Medicare PIN. DHS officers involved in the process have existing permissions to access both the Medicare Number and the Medicare PIN.
Secrecy: Data can only be viewed by appropriately accredited DHS officers granted access as required for carrying out the DHS function of de-identifying the data.
Security: DHS utilises the secure facilities of the DHS production mainframe.

Step 7
Participant and Action: DHS business area: mails the response file and summary report to the submitting state or territory.
Description: DHS submits the password protected response data CD indicating the results of the Medicare number look up process by registered mail to the nominated contact officer for the state or territory, with an associated email indicating the password. The summary report is also included on the CD indicating the total number of records received, the total number of valid and invalid Medicare numbers.
Privacy: The response file contains the Medicare number and does not contain the Medicare PIN. The response file is provided back to the provider jurisdiction that already has access to the Medicare Numbers and is bound by existing local privacy requirements.
Secrecy: The jurisdiction receiving the response file has obligations under existing local secrecy provisions.
Security: The CD provided carries password protection, and the password is delivered to the recipient by a separate mechanism.

Step 8
Participant and Action: State or territory: Receives the response file and summary report.
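The de-identification batch described in step 5 of data protocol 04, as an added example (not DHS's or the Administrator's code). The record layout, the `record_id` field, the in-memory directory standing in for the Consumer Directory, and all sample values are assumptions constructed for illustration.

```python
"""Look-up based de-identification producing the three files of step 5.

Everything here is illustrative: field names, the dict used as the
directory, and the sample identifiers are constructed, not real formats.
"""
from dataclasses import dataclass

UNMATCHED_PIN = 0  # the protocol replaces a failed look up with zero


@dataclass(frozen=True)
class BatchResult:
    response: list  # returned to the submitting state or territory
    output: list    # de-identified file for the Administrator
    summary: dict   # counts only, no identifiers


def deidentify_batch(records, directory):
    """Split one input batch into response, output and summary data.

    records:   list of dicts with 'record_id' and 'medicare_number'
    directory: mapping of Medicare number -> PIN (hypothetical stand-in)
    """
    if UNMATCHED_PIN in directory.values():
        # A real PIN equal to the sentinel would be indistinguishable
        # from a failed look up in the output file.
        raise ValueError("directory contains the unmatched sentinel as a PIN")

    response, output = [], []
    successful = 0
    for rec in records:
        number = rec["medicare_number"]
        pin = directory.get(number)
        found = pin is not None
        successful += found
        # Response file: Medicare number and look-up flag, never the PIN.
        response.append({"record_id": rec["record_id"],
                         "medicare_number": number,
                         "lookup_ok": found})
        # Output file: PIN (or zero), never the Medicare number.
        # Note: every unmatched record carries the same value, so those
        # records cannot be linked to one another by this field.
        output.append({"record_id": rec["record_id"],
                       "pin": pin if found else UNMATCHED_PIN})

    summary = {"received": len(records),
               "successful": successful,
               "invalid": len(records) - successful}
    return BatchResult(response, output, summary)


def separation_problems(batch, records, directory):
    """Return a list of violations of the file-separation rule:
    no Medicare number in the output file, no PIN in the response file."""
    numbers = {r["medicare_number"] for r in records}
    pins = set(directory.values())
    problems = []
    for row in batch.output:
        if "medicare_number" in row or any(v in numbers for v in row.values()):
            problems.append(("output", row["record_id"]))
    for row in batch.response:
        # Skip booleans: True == 1 in Python and could match a PIN of 1.
        leaked = any(v in pins for v in row.values()
                     if not isinstance(v, bool))
        if "pin" in row or leaked:
            problems.append(("response", row["record_id"]))
    return problems


# Constructed sample data (not real Medicare numbers or PINs).
SAMPLE_DIRECTORY = {"TEST-0001": 900001, "TEST-0002": 900002}
SAMPLE_RECORDS = [
    {"record_id": "A-001", "medicare_number": "TEST-0001"},
    {"record_id": "A-002", "medicare_number": "TEST-9999"},  # not in directory
    {"record_id": "A-003", "medicare_number": "TEST-0002"},
    {"record_id": "A-004", "medicare_number": "TEST-0001"},  # same patient again
]

if __name__ == "__main__":
    result = deidentify_batch(SAMPLE_RECORDS, SAMPLE_DIRECTORY)
    print(result.summary)
    print(separation_problems(result, SAMPLE_RECORDS, SAMPLE_DIRECTORY))
```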

Business rules for determining 2012-13 hospital services eligible for Commonwealth funding

Business rules for determining 2012-13 hospital services eligible for Commonwealth funding A Business rules for determining 2012-13 hospital services eligible for Commonwealth funding Volume 2 Extended proof of concept 17 December 2013 Document Control Sheet Document Information Document Name

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

Determination 02: Adjustments to Commonwealth funding under the National Health Reform Agreement Growth period

Determination 02: Adjustments to Commonwealth funding under the National Health Reform Agreement Growth period Office of the Administrator PO Box 3139 Manuka ACT 2603 Telephone: 1300 930 522 Email: nhfa.administrator@nhfa.gov.au Determination 02: Adjustments to Commonwealth funding under the National Health Reform

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

PRINCIPLES FOR ACCESSING AND USING PUBLICLY-FUNDED DATA FOR HEALTH RESEARCH

PRINCIPLES FOR ACCESSING AND USING PUBLICLY-FUNDED DATA FOR HEALTH RESEARCH TARGETED CONSULTATION DRAFT National Health and Medical Research Council PRINCIPLES FOR ACCESSING AND USING PUBLICLY-FUNDED DATA FOR HEALTH RESEARCH Developed by NHMRC s Prevention and Community Health

More information

How To Ensure Health Information Is Protected

How To Ensure Health Information Is Protected pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

Zinc Recruitment Pty Ltd Privacy Policy

Zinc Recruitment Pty Ltd Privacy Policy 1. Introduction Zinc Recruitment Pty Ltd Privacy Policy We manage personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles. This policy applies to information collected

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information: Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

Privacy fact sheet 17

Privacy fact sheet 17 Privacy fact sheet 17 Australian Privacy Principles January 2014 From 12 March 2014, the Australian Privacy Principles (APPs) will replace the National Privacy Principles Information Privacy Principles

More information

Administrator National Health Funding Pool Annual Report 2012-13

Administrator National Health Funding Pool Annual Report 2012-13 Administrator National Health Funding Pool Annual Report 2012-13 Design Voodoo Creative Printing Paragon Printers Australasia Paper-based publications Commonwealth of Australia 2013 This work is copyright.

More information

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That

More information

STRATEGIC PLAN 2013-16

STRATEGIC PLAN 2013-16 STRATEGIC PLAN 2013-16 CONTACT INFORMATION If you require further information or have any queries in relation to this Strategic Plan, please contact: National Health Funding Body PO Box 3139, Manuka ACT

More information

Information Sheet: Cloud Computing

Information Sheet: Cloud Computing info sheet 03.11 Information Sheet: Cloud Computing Info Sheet 03.11 May 2011 This Information Sheet gives a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies.

More information

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH Council of Australian Governments An agreement between the Commonwealth of Australia and the States and Territories, being: The State of New South Wales The State

More information

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS 1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal

More information

PRIVACY POLICY. Privacy Statement

PRIVACY POLICY. Privacy Statement PRIVACY POLICY Privacy Statement Blue Care is one of Australia's leading providers of retirement living, community health, help at home services and aged care homes, caring for more than 12,500 people

More information

PRIVACY POLICY. This document is our privacy policy and it tells you how we collect and manage your personal information.

PRIVACY POLICY. This document is our privacy policy and it tells you how we collect and manage your personal information. PRIVACY POLICY Introduction iproximity Pty Ltd (we, our, us) recognise the importance of protecting the privacy and the rights of individuals in relation to their personal information this includes existing

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Belmont 16 Foot Sailing Club. Privacy Policy

Belmont 16 Foot Sailing Club. Privacy Policy Belmont 16 Foot Sailing Club Privacy Policy APRIL 2014 1 P age Belmont 16 Foot Sailing Club Ltd (the 16s ) respects your right to privacy and is committed to protecting your personal information. This

More information

OPERATIONAL DIRECTIVE. Data Stewardship and Custodianship Policy. Superseded By:

OPERATIONAL DIRECTIVE. Data Stewardship and Custodianship Policy. Superseded By: OPERATIONAL DIRECTIVE Enquiries to: Ruth Alberts OD number: OD0321/11 Performance Directorate Phone number: 9222 4218 Date: February 2011 Supersedes: OD 0107/08 File No: F-AA-00673 Subject: Data Stewardship

More information

Pacific Smiles Group Privacy Policy

Pacific Smiles Group Privacy Policy Pacific Smiles Group Privacy Policy Pacific Smiles Group Limited and its related bodies corporate (PSG, we, our, us) recognise the importance of protecting the privacy and the rights of individuals in

More information

POLICY STATEMENT 5.17

POLICY STATEMENT 5.17 POLICY STATEMENT 5.17 DENTAL RECORDS 1 (Including ADA Guidelines for Dental Records) 1. Introduction 1.1 Dentists have a professional and a legal obligation to maintain clinically relevant, accurate and

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Information Privacy Policy

Information Privacy Policy Information Privacy Policy pol-032 Version: 2.01 Last amendment: Oct 2014 Next Review: Aug 2017 Approved By: Council Date: 04 May 2005 Contact Officer: Director, Strategic Services and Governance INTRODUCTION

More information

Mandatory data breach notification in the ehealth record system

Mandatory data breach notification in the ehealth record system Mandatory data breach notification in the ehealth record system Draft September 2012 A guide to mandatory data breach notification under the personally controlled electronic health record system Contents

More information

POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES

POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES January 2003 CONTENTS Page 1. POLICY FRAMEWORK 1.1 Introduction 1 1.2 Policy Statement 1 1.3 Aims of the Policy 1 1.4 Principles

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Market Research in the Field v.1

Market Research in the Field v.1 PRIVACY IMPACT ASSESSMENT DECEMBER 10, 2014 Market Research in the Field v.1 Does the CFPB use the information to benefit or make a determination about an individual? No. What is the purpose? Conduct research

More information

USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY

USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY CONDITIONS OF USE FOR ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY Between: the Commonwealth of Australia, acting

More information

Personally controlled electronic health record (ehealth record) system

Personally controlled electronic health record (ehealth record) system Personally controlled electronic health record (ehealth record) system ehealth record System Operator Audit report Information Privacy Principles audit Section 27(1)(h) Privacy Act 1988 Audit undertaken:

More information

Data Governance in-brief

Data Governance in-brief Data Governance in-brief What is data governance? Data governance is the system of decision rights and accountabilities surrounding data and the use of data. It can involve legislation, organisational

More information

Privacy Policy Draft

Privacy Policy Draft Introduction Privacy Policy Draft Please note this is a draft policy pending final approval Alzheimer s Australia values your privacy and takes reasonable steps to protect your personal information (that

More information

FISHER & PAYKEL PRIVACY POLICY

FISHER & PAYKEL PRIVACY POLICY FISHER & PAYKEL PRIVACY POLICY 1. About this Policy Fisher & Paykel Australia Pty Limited (ABN 71 000 042 080) and its related companies ('we', 'us', 'our') understands the importance of, and is committed

More information

Overview of the Impact of the Privacy Reforms on Credit Reporting

Overview of the Impact of the Privacy Reforms on Credit Reporting Overview of the Impact of the Privacy Reforms on Credit Reporting June 2012 Andrew Galvin, Partner 1 OVERVIEW 1.1 Credit Reporting Reform - Background When initially passed, the Privacy Act 1988 essentially

More information

Information Handling Policy

Information Handling Policy Information Handling Policy 10 December 2015 Information Handling Policy 1. Who We Are 1.1 In this Information Handling Policy, references to we, our, us and ClearView are to ClearView Wealth Limited and

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

NASH PKI Certificate for Healthcare Provider Organisations renewal confirmation

NASH PKI Certificate for Healthcare Provider Organisations renewal confirmation NASH PKI Certificate for Healthcare Provider Organisations renewal confirmation Please send your completed renewal confirmation to: Department of Human Services Fax number: 1800 890 698 Number of pages

More information

1.4 For information about our management of your other personal information, please see our Privacy Policy available at www.iba.gov.au.

Indigenous Business Australia Credit Information Policy 1 Purpose and application of this policy 1.1 This credit reporting policy (Credit Information Policy) describes and establishes how Indigenous Business

Direct Recruitment Privacy Policy

Direct Recruitment manages personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles (APP). This policy applies to information collected

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

Privacy Policy Statement

Our Commitment While information is the foundation for providing you with superior service, protecting the privacy of your personal information is of the highest importance to

Council Policy. Records & Information Management

Council Policy Records & Information Management COUNCIL POLICY RECORDS AND INFORMATION MANAGEMENT Policy Number: GOV-13 Responsible Department(s): Information Systems Relevant Delegations: None Other Relevant

Scotland's Commissioner for Children and Young People Records Management Policy

1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

005ASubmission to the Serious Data Breach Notification Consultation

(Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

Cloud Computing and Records Management

GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

Submission in Response to the Personally Controlled Electronic Health Record System: Legislation Issues Paper

August 2011 About National Seniors Australia With a quarter of a million individual members

ISO27001 Controls and Objectives

Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

Newcastle University Information Security Procedures Version 3

A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

Electronic business conditions of use

This document provides Water Corporation's Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

QUESTIONS AND ANSWERS HEALTHCARE IDENTIFIERS BILL 2010

About Healthcare Identifiers QUESTIONS AND ANSWERS HEALTHCARE IDENTIFIERS BILL 2010 Q1. What is the Healthcare Identifiers Service? The Healthcare Identifiers (HI) Service will implement and maintain a

Corporate Information Security Policy

Corporate Information Security Policy. A guide to the Council's approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

Guidelines approved under Section 95A of the Privacy Act 1988. December 2001

Guidelines approved under Section 95A of the Privacy Act 1988 December 2001 i Commonwealth of Australia 2001 ISBN Print: 1864961074 Online: 1864961139 This work is copyright. Apart from any use as permitted

Administrative Procedures Memorandum A1452

Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal

HSCIC Audit of Data Sharing Activities:

Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 26/10/2015 HSCIC Audit of Data Sharing

Privacy Policy Australian Construction Products Pty Limited

What is this privacy policy about? This Privacy Policy describes how Australian Construction Products 63 091 618 781 (we or us) will treat the

Information Governance Policy

UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY

1. About this Policy Corporate Travel Management Group Pty Ltd (ABN 52 005 000 895) (CTM) ('we', 'us', 'our') understands the importance of, and is committed

De-identification of Data using Pseudonyms (Pseudonymisation) Policy

Version: 2.0 Page 1 of 7 Partners in Care This is a controlled document. It should not be altered in any way without the express permission

NSW Government Digital Information Security Policy

Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES

DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

Cloud Computing in a Government Context

Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important

RTO Delegations Guidelines

ISBN 0 7594 0389 9 Victorian Qualifications Authority 2004 Published by the Victorian Qualifications Authority This publication is copyright. Apart from any use permitted under

National Health Reform Enterprise Data Warehouse (NHR EDW) Program. RFT Industry Brief

National Health Reform Enterprise Data Warehouse (NHR EDW) Program RFT Industry Brief 11 August 2011 11 August 2011 1 1. Introduction Rob Wilkinson NHR EDW Program Manager 11 August 2011 2 Agenda Topic

INFORMATION GOVERNANCE POLICY & FRAMEWORK

Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

University of Sunderland Business Assurance Information Security Policy

Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

that it has no right to have access to the Software in source code form;

Attachment 2: TERMS & CONDITIONS SECTION 1: CAT CS Pty Ltd CAT Plus Software Distribution Agreement things to know: For the Practice 1. The Practice acknowledges that all Intellectual Property Rights in

Commonwealth Department of Family and Community Services. Submission to the Joint Committee of Public Accounts and Audit (JCPAA)

Commonwealth Department of Family and Community Services Submission to the Joint Committee of Public Accounts and Audit (JCPAA) Inquiry into the Management and Integrity of Electronic Information in the

Entrepreneurs Programme - Business Evaluation. Version: 3

Entrepreneurs Programme - Business Evaluation Version: 3 20 October 2015 Contents 1 Purpose of this guide... 4 2 Programme overview... 4 2.1 Business Management overview... 4 3 Business Evaluations...

NORTHERN TERRITORY OF AUSTRALIA HEALTH SERVICES ACT 2014. As in force at 1 July 2014. Table of provisions

NORTHERN TERRITORY OF AUSTRALIA HEALTH SERVICES ACT 2014 As in force at 1 July 2014 Table of provisions Part 1 Preliminary matters 1 Short title... 1 2 Commencement... 1 3 Principles and objectives of

AASA Online Privacy Policy CRP.020

Introduction Alzheimer's Australia SA Inc values your privacy and takes reasonable steps to protect your personal information (that is, information which identifies or may reasonably be used to identify

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

University of Liverpool

University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

Auditing data protection a guide to ICO data protection audits

Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit

Recommendations for companies planning to use Cloud computing services

From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

16 Electronic health information management systems

Section 16: Electronic information management systems The continued expansion and growth in global technologies is aiding the development of many new

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

Life Cycle of Records

Discard Create Inactive Life Cycle of Records Current Retain Use Semi-current Records Management Policy April 2014 Document title Records Management Policy April 2014 Document author and department Responsible

NSW Government Digital Information Security Policy

Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

Ausgrid Privacy Policy

Ausgrid is responsible for the safe and reliable supply of electricity to homes and businesses throughout Sydney, the Hunter and the Central Coast. Its network is made up of more

Information security controls. Briefing for clients on Experian information security controls

Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian's operations. The vast majority of modern organisations face

Table of Contents. Introduction 3 What is Title Insurance? What are mortgage processing and loan servicing services? 3 This Privacy Policy 3

Privacy Policy First American Title Insurance Company of Australia Pty Ltd First Mortgage Services Pty Ltd First Mortgage Services Australia Pty Ltd 1 P a g e Table of Contents Page Introduction 3 What

CUA Group APP Privacy & Credit information Policy

For more information: Call 133 282 Visit www.cua.com.au Drop into your local branch CUA Group APP Privacy & Credit information Policy 1 August 2015 Credit Union Australia Limited ABN 44 087 650 959 AFSL

Records and Information Management. General Manager Corporate Services

Title: Records and Information Management Policy No: 057 Adopted By: Chief Officers Group Next Review Date: 08/06/2014 Responsibility: General Manager Corporate Services Document Number: 2120044 Version

The Manitowoc Company, Inc.

DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

Cloud Computing: Legal Risks and Best Practices

A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

Information Governance Management Framework

Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

APPOMENSE HOPE FOR AFRICA PRIVACY POLICY

Appomense Hope for Africa respects your privacy Appomense Hope for Africa understands the importance of protecting personal information we receive from supporters

Entrepreneurs Programme - Business Growth Grants

Version: 15 July 2015 Contents 1 Purpose of this guide... 4 2 Programme overview... 4 2.1 Business Management overview... 4 3 Business Growth Grant... 5

ZEN Telecom Pty. Ltd. Privacy Policy

ZEN Telecom provides broadband internet, mobile voice & data, and PSTN fixed landline telephone, products and services, to residential and small to medium business

HSCIC Audit of Data Sharing Activities:

Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 21/09/2015 HSCIC Audit of Data Sharing

Privacy Policy. Approved by: College Board, 01/12/2005 Principal from 14/02/2014

Privacy Policy Approved by: College Board, 01/12/2005 Principal from 14/02/2014 Revised Date: 11/01/2008 26/08/2011 19/03/2013 14/02/2014 Review Date: 14/02/2016 PLEASE NOTE: Version control for this document