Data Mining and Data Matching: Regulatory and Ethical Considerations Relating to Privacy and Confidentiality in Medical Data

• Author: Thilla Rajaretnam
• Pages: 294-310

JICLT

Journal of International Commercial Law and Technology

Vol.9, No.4 (2014)

294

DATA MINING AND DATA MATCHING: REGULATORY

AND ETHICAL CONSIDERATIONS RELATING TO

PRIVACY AND CONFIDENTIALITY

IN MEDICAL DATA

Thilla Rajaretnam*

Associate Lecturer, School of Law,

University of Western Sydney (UWS), NSW Australia,

E-mail: t.rajaretnam@uws.edu.au

Abstract. The application of data mining techniques to health-related data is beneficial to

medical research. However, the use of data mining or knowledge discovery in databases, and data

matching and profiling techniques, raises ethical concerns relating to consent and undermines the

confidentiality of medical data. Data mining and data matching r equires active collaboration

between the medical practitioner and the data miner. This article examines the ethical management

of medical data including personal information and sensitive information in the h ealthcare sector.

It offers some eth ical and legal perspectives on privacy and the confidentiality of medical data. It

examines the international landscape of health information privacy protection, relevant Australian

legislation and recommendations to improve the ethical handling of medical data proposed by the

Australian Law Reform Commission.

Key words: Data mining, data matching, medical data, ethics, privacy, regulation

1 Introduction

Over recent decades concerns about health and the promotion of wellbeing has become of paramount

importance to individuals and governments in al l societies.1 The World Health Organisation defines health as a

‘state of complete physical, mental and social well-being and n ot merely the absence of disease or infirmity’.2

Health has come to mean the attainment of a state of wellbeing and the attainment of physical fitness, and

psychological stability. Protection of the body becomes synonymous with the protection of the self.3 Individuals

can experience feelings of deep violation of the self when the body is under threat, not only from di sease but

also when there is a profound sense of invasion of a sphere of their lives over which they have no control.4 The

principle of autonomy dictates that individuals deserve respect concerning the choices that they make, both

about what happens to their bodies and, in the modern world, to their personal data.5 The autonomy and dignity

of individuals is recognised in the duty of confidentiality.6 In the medical context, patient-related data has

* LLB (Hons) (Lond.), CLP (Malaysia), LLM (UWS), PhD (UWS).

1 Laurie, Graeme (2002) Genetic Privacy: A Challenge to Medical-legal Norms, Cambridge University Press, p. 12.

2 The World Health Organisation, Constitution, adopted by the International Health Conference held in New York from 19

June to 22 July 1946, signed on 22 July 1946 by the representatives of 61 States (Off. Rec. Wld Hlth Org., 2, 100), and

entered into force on 7 April 1948. Amendments adopted by the Twenty-sixth, Twenty-ninth, Thirty-ninth and Fifty-first

World Health Assemblies (resolutions WHA26.37, WHA29.38, WHA39.6 and WHA51.23) came into force on 3 February

1977, 20 January 1984, 11 July 1994 and 15 September 2005 respectively and are incorporated in the present text.

3 Laurie, Graeme (2002) Genetic Privacy: A Challenge to Medical-legal Norms, Cambridge University Press, p. 12.

4 Danish Council of Ethics, (1993) Ethics and Mapping the Human Genome (Copenhagen, Notex) p. 52, as cited in Laurie,

Graeme (2002) Genetic Privacy: A Challenge to Medical-legal Norms, Cambridge University Press, p.12.

5 Laurie, Graeme (2002) Genetic Privacy: A Challenge to Medical-legal Norms, Cambridge University Press, p. 203.

6 McMahon, Marilyn (2006) ‘Re-thinking Confidentiality’ in I Freckelton and K Petersen (eds), Disputes and Dilemmas in

Health Law, Federation Press, p. 563, 579.

JICLT

Journal of International Commercial Law and Technology

Vol.9, No.4 (2014)

295

traditionally been recorded in doctors’ surgeries and hospitals. This meant that patients knew exactly what

information they had confided in their doctors, and doctors and hospitals, being bound by ethical and

professional codes of conduct, maintained the confidentiality of patients’ medical data.7 Today, however,

advances in in formation technology and particularly the use of innovative information-harvesting technologies

mean that data collection generally has become almost indiscriminate. Some of these technologies are also being

used in the medical sphere.

Two methods used by agencies and organisations to collect, process an d analyse information are data

matching and data mining.8 Data matching is ‘the large scale comparison of records or files …collected or h eld

for different purposes, with a view to i dentifying matters of interest’,9 while data mining has been defined as ‘a

set of automated techniques used to extract buried or previously unknown pieces of information from large

databases’ about individuals from a number of unknown sources th at may be un authorised.10 In the medical

context, health service providers such as doctors and hospitals are using data matching and data mining

technologies to monitor their patients’ health. Medical researchers are also using such techniques. A growing e-

health industry har vests medical data using sensing and monitoring technologies such as bio-sensing

technology,11 radio frequency identification (‘RFID’) technology12 and smartphones.

Developments in information processing technologies, its use by healthcare providers and the handling of

sensitive healthcare information by healthcare service pr oviders have heightened patient concerns r egarding

privacy in the medical context.13 For example the use of data mining and profiling techniques has raised

concerns about the ethical collection, use and disclosure of data generally and the privacy and confidentiality of

individuals’ personal information, sensitive information and health information.14 As government agencies and

private sector organisations collect and store vast amounts of information generated by the everyday activities of

individuals—for example, surfing the net or renting a car, using an ATM machine or a debit or credit card for

purchases, using a Medicare card when visiting a doctor or hospital, having a prescription filled at the pharmacy

or purchasing medication over the counter—these concerns arise in an ever wider context.

This article examines the ethical management of data including personal information, sensitive information

and health information in the healthcare sector. It offers some ethical and legal perspectives on the privacy and

confidentiality of medical data. The article then considers guidelines and conventions dealing with the pri vacy

of medical information in the international sphere, the current situation under Australian law, and

recommendations of the Australian Law Reform Commission for pr oposed law reform in relation to the ethical

handling of medical data.

2 Data Matching and Data Mining in the Medical Context

7 Laurie, Graeme (2002) Genetic Privacy: A Challenge to Medical-legal Norms, Cambridge University Press, p. 19.

8 Australian Law Reform Commission, (2008) For Your Information: Australian Privacy Law and Practice (ALRC Report

108), vol 1 p. 402.

9 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (ALRC Report 108)

(2008), vol 1 p. 402-4 [9.48]-[9.54]; Office of the Federal Privacy Commissioner, The Use of Data Matching in

Commonwealth Administration: Guidelines (1998), [14].

10 Information and Privacy Commissioner Ontario, (1998) Data Mining: Staking a Claim on Your Privacy, p. 4.

11 A biosensor is a detection device that combines a biological component with a physicochemical detector component. For

example, the use by miners of a canary in a cage to warn of gas could be considered a biosensor. Many biosensor

applications today similarly use organisms which respond to toxic substances at a much lower concentration than humans

can detect to warn of the presence of the toxins. This technology has application in the healthcare, agri-food, environment

and security sectors: health/Biosensors-What-are-Biosensors.aspx> (accessed 15 November

2013).

12 Radio frequency identification is any method of identifying unique items using radio waves, most usually by means of a

small electronic device consisting of a chip and an antenna.

13 Laurie, Graeme (2002) Genetic Privacy: A Challenge to Medical-legal Norms, Cambridge University Press, p. 19.

14 These terms are defined in s 6(1) of the Privacy Act 1988 (Cth): for definitions see 5.2.1 of this article.