Data (R)Evolution: Consumer welfare and growth in the digital economy

Take a look at what ACCC Chair Rod Sims had to say at the Consumer Policy Research Centre 2019 conference about the challenges consumers are facing with the growing digital economy: Data (R)Evolution: Consumer welfare and growth in the digital economy address | ACCC

Some key points:

Vague, long and complex data policies contribute to this substantial disconnect between how consumers think their data should be treated and how it is actually treated.

The fact digital platform users are not well informed about the collection and use of their data affects competition and consumer welfare.

The proliferation of data and the advancement of data analytics has led to a growth in scams and identity theft, as well as growing risks of consumer harm arising from reduced competition and potential for discrimination and exclusion.

For example, data could be used to target individuals to buy goods at inflated prices; or can provide sellers and advertisers with information that allows discrimination between buyers based on income, geographic location or health issues.

We are concerned that protections for consumers need to match the new digital age as the existing regulatory frameworks for the collection and use of data has not held up well to the challenges of digitalisation.

Please feel free to add your own thoughts below.

Much of what concerned me regarding the T&Cs in my topic on CHOICE testing, privacy Privacy, Smart Devices, their T&Cs, CHOICE testing & reviews of them.

For the normal user the interest is to use the device and not spend hours with a law firm deciphering the code that these days are termed T&Cs. CHOICE however has vast experience with the way things are written to obscure intent.

Rod Sims even presses on that issue “Vague, long and complex data policies contribute to this substantial disconnect between how consumers think their data should be treated and how it is actually treated.
The fact digital platform users are not well informed about the collection and use of their data affects competition and consumer welfare.”

So not only is it the protections we need but we also need to first know what we need protecting against. I really do see a strong role for CHOICE in this area. As an example if during a product review some item/s in the T&Cs is/are too broad a capture of user data or even where the data may be used and or stored I think CHOICE could advise of those issues in the review. If needed even reduce the result based on those problems. Marking a product down because of these issues would hopefully send a strong message to the producers and would also warn potential users of the problems they may expose themselves to by using the product. Both are principles behind CHOICE reviews.

My partner phoned into Centrelink today and was asked to provide a voice print as an option for part of future identity verification.

It is something the ATO had some time previously instigated for corporate clients, and recently our internet provider.

Interestingly with Centrelink, aside from suggesting it would be used across the MyGov platform, we were advised for this purpose the voice print would be recorded and stored with Telstra. Did we hear right?

Hopefully they were able to reject this ‘option’! Biometrics held by a private company on behalf of government - sounds fantastical (using the old-fashioned meaning).

What we think, and what the majority conform to may be very different realities. With the ATO and our ISP there was not an optional to press 1 to skip.

With Centrelink there is a follow up one on one to verify your ID and accept the method. It is at this second human stage you have the option to opt in or out while talking with a real person. Your voice print has already been solicited and recorded.

Don’t be surprised. This is the new norm. No politician took this to an election asking for a mandate. It has been happening for some time in the instance of the ATO, and many months for our ISP. For Centrelink who knows when it became the norm?

Personally it may not be a bad thing, although a voice can be captured and re used just as a pin can be stolen.

The ownership of personal data of all sorts needs to reside with the individual, not with data aggregators, marketters, banks, doctors, RSPs, utilities, etc., etc.

Individuals should have the legal right to on demand ‘withdraw’ all their personal data from anyone who holds it.

If only this had been addressed before the collection of personal data in a digital form had commenced?

The trouble is that it’s impossible to know whether your personal data has actually been ‘removed’ or simply ‘put into archive storage’.

Another difficulty is that removing all personal data would make tracking a transaction almost impossible, this could affect a person’s ability to get an ACL problem addressed. If you have dealt with a business and they have obtained name, address, contact numbers, and payment details to ensure the authenticity of a transaction and to have them for Taxation and audit requirements, then removing that data may even be a breach of law. This may have consequences even after the person has ceased to do business with the Business/es, until at least a person’s ACL rights have expired but could also be for at least 7 years. As an example LG’s 10 year warranty on some Front Loader motors might require the business to hold those details for at least 10 years.

Then there is metadata retention as required by Federal Law, and other long term need to hold data Laws. I think it is probably a better option that a person is notified about who has data held about them, then they should be able to access that data and have any errors amended, any non essential data scrubbed, or in the case of a non essential data record to have the record expunged.

This is part of the problem. We have a government that sees short term benefits and ignores long term costs.

Hadn’t thought about that. I suspect that it may be more relevant to criminal investigations than ATO though.

As it is not necessary to register a product one purchases to have statutory rights under the ACL, keeping data for this reason is unnecessary.

That would be held by carriers, ISPs, & RSPs; and be totally independent of whether or not you withdraw your data from a business.

Agreed!

Perhaps it does not need to be kept for that reason. A business still needs to be able to account for it’s income, it’s sales and any receipts and accounts issued. These are hardly anonymous records. And for a business keeping their thermally printed copy of each transaction and manually recording it is a cost.

Digitally recording and keeping the details of each customer transaction is so much simpler. We are in their systems no matter how much we might protest. Minor value cash sales excepted. GST reconciliation essential.

In the olden days their were large ledgers maintained by pen and ink or a pencil for similar purpose. Sales tax anyone?

P.s.
50% of any concern might be not knowing all of the places you have a digital footprint?

In the pen and ink days it was just recording a sale, and very basic information.

True, but they don’t need collect all the information that they do now seemingly as a matter of course, and only basic information is needed for a sale unless it is needed by legislation (for example buying a vehicle or home) .

Welcome to the nightmare of an ATO audit.
Guilty until you can prove otherwise. Life is not always as we imagine. An absence of detail is not a good place for defence.

Never had one, but know people with wrinkles who did. Sometimes it was audit after audit after audit, even though the ATO found nothing untoward.

PS They didn’t have wrinkles beforehand.

Much of the pen and ink days was Cash business with no names attached but still often involving a Bill of Sale to prove ownership of the goods. Even then loans often existed and proof of those were kept that contained signatures, names, and even occupations and addresses if needed. Nowadays we also have ongoing credit via Credit Cards, we have Consumer Warranties for which records do need to be kept and if the consumer loses their record they often go to the retailer to see if they can be traced that may use the CC detail or the Debit Card transaction. When a retailer buys goods they have records and when they sell or dispose of stock they have records. The need to keep increasing amounts of data is because of all those data interconnects that now occur. Every car a VIN number not only to identify what the car was assembled from but what date. Then the VIN is linked to rego, to loans, to recalls and as an example you can imagine the data records that then link the purchaser and any subsequent owner to that VIN number and parts used in the car.

It reminds me of how in my G-father’s small town business ran. Many customers had credit accounts up to a certain value. The community as a whole like most of the day were close knit. The majority of the towns folk and nearby were stable long term residents.

Those with more or less means would be known to all. Doubtless most store keepers kept a finely tuned digital record in the old grey computer. What colours, styles, fashions, needs does Mrs A or Mr J prefer. Customer profiling, data retention systems, and subliminal marketing at the church fete might predate the days of geranium and silicon.

The local CWA or Mechanics Institute meetings likely provided a similar service to ‘Faceplant’ and ‘Tinder’. While the local ‘fetes’ and shows were much the same as eBay.

Doubtless discrimination in favour of or against individual consumers was an issue back then too.

An aside:
Never to be forgotten. It’s harder than we might imagine.
Even back into the 19th century being officially forgotten seems an unlikely outcome. I have one relative who passed in the 1880’s in a notable NSW township. The NSW system has nil records or any registration of the death. However there was a church service, funeral procession and lengthy obits in two local news papers. Trove perpetuates the event.

Returning to the root trigger of the discussions - ACCC

HEALTH and AUSTRALIAN GP’s SHARING PATIENT DATA?

“ Clearly personal health data is an increasingly valuable commodity…recent reports from the US of Google’s ‘Project Nightingale’, which involves the use of health data from a large health care provider….” ACCC Chair Rod Sims

It is strange people look elsewhere for the examples. We have these events in our own back yard!

Since August 2019 the Federal Department of Health through the Primary Health Care Networks has, initiated collecting patients data including weight height blood pressure gender your alcohol habits your sexual orientation, postcode, surgery you attended DOB etc directly from your personal GP’s files. The process is called PIP - QI. Your GP surgery allows PHN to walk in and extract the data from the patient files - including your file. To avoid political alarms the process is often being denied or covered over as “Quality Improvement” . The data shared is indicated in table 1 - https://www1.health.gov.au/internet/main/publishing.nsf/Content/D4FE6997059769B8CA258426000794AF/$File/Practice%20Incentives%20Program%20Eligible%20Data%20Set%20Data%20Governance%20Framework.pdf

To get the data from GP files a private company software has been “decreed” to be the data extractor which must be used on the GP files. There has been no consumer/ patient involvement or notification. Your GP is in effect trapped into selling data to the PHN as if they DO NOT do so they lose existing Govt funding. In an existing large practice this maybe as much as $50K p.a. It is no surprise the AMA & RACGP executives signed off. Money talks.

The GP medical professions havebeen repeatedly reassured by PHN, Govt and RACGP “all is OK”. Your (patient) data is de-identified and encrypted before being shared with others. You, the patient, are “deemed” to have consented indirectly by a very liberal interpretation of a concept known as “secondary data”. Secondary data is a complex issue. Ironically the secondary consent process requires consideration of the ethics and consent from the source of the data - that is your (patient) consent! Is there an ethical consideration about doctors selling your information?

The prestigious respected Royal College of Physicians has noted :

“… Legislative authority for secondary use is inferior to having informed consent from the perspective of patient trust and confidence. …”

The use of “…Vague, long and complex data policies…” Is being used to justify consumer /patient consent for PIP-QI. The response to my complain to the RACGP executive starts with “ Patient or provider consent for sharing de-identified practice data is not a legal requirement. However, general practices should advise individuals they are sharing de-identified data, for example, by including information in their practice privacy policy information….” This seems to me to be hurrying the consent in the fine print.

Government is intimately aware of this situation it has fostered - PIP-QI very deliberately just bypass the public. As a contrast , during the creation of the National MyHealth Record MyHR system, consumers were very clear about owning their data. Multiple millions of dollars were spent to understand the consumers view. Core principals like …the patient never needs to advise their doctor of their choice to opt in or out of MyHR are well documented and understood . YOUR consent for MyHR is entirely patient controlled. No awkward discussions with your doctor about your feelings or position on privacy. The MyHR has multiple opt out levels - opt out all together, make some items restricted as to who can see them AND / OR withdraw consent from all secondary data use. [ https://www1.health.gov.au/internet/main/publishing.nsf/Content/eHealth-framework ] PIP QI by-passes this process - there is no patient notification, you must talk directly to the practice manager and your doctor if you do not consent to PIP-QI

It seems a large slice (not all) of the medical profession is happy to take the money and sell your (their patients”) data onto the PHN. Maybe a better quote for Mr Sims is
“ … Data is increasingly valuable… and as we have seen in recent years …data is SO valuable that it seems to out-strip our [society] capacity for ethics judgement or governance. ”

The backroads of artificial intelligence recorded 30 May 2019 New Professors Talk University of Newcastle. abc.net.au/radionational/programs/bigideas/the-backroads-of-artificial-intelligence/11495506

• List item

I am really interested - how do you feel as a consumer / patient about this?
Why are the established MyHR rules bypassed and the consumer sidelined for PIP-QI?

Next time your GP checks your blood pressure or asks about your alcohol habits - what’s the motivation for process - your health or the practice pay packet? Is this ethical and professional behaviour?

Thank you for providing your comments. How individual data is accessed and used by government is of great interest.

To assist us to better understand what arrangements are in place, are you able to explain more fully the following?

Where is this stated by the government in their agreements with medical service providers?

Is there a contract or sale agreement?
How much does each medical practice get paid per patient record provided.

The total payable at maximum is $50,000 for a General Practice for all it’s clients. The rate is $5 per patient per year and divided into quarterly payments.

“Eligible practices can receive a maximum payment of $12,500per quarter, based on $5.00 per Standardised Whole Patient Equivalent, per year. In order to receive a payment general practices must have submitted their quarterly data at least once during the data submission period for that quarter. ACCHS and other IAHP organisations will provide nKPI data within their existing arrangement with the Department of Health.”

&

"3. What is the payment for participating in the PIP QI Incentive?

The PIP QI Incentive provides a payment of $5 per Standardised Whole Patient Equivalent (SWPE) per annum to accredited practices who provide the PIP Eligible Data Set each quarter to their local PHN and participate in continuous quality improvement activities in partnership with their local PHN. Eligible general practices can receive a maximum payment of $12,500 per quarter or $50,000 per annum.

For example, any practice that meets the eligibility requirements each quarter with a SWPE of 10,000 or higher will hit the cap of $50,000 per annum. The Incentive is paid quarterly to a cap of $12,500. If a practice’s SWPE is 7,500 they are eligible for $37,500 per annum, which if their SWPE remains static would be paid at $9,375 per quarter."

"Quality Improvement Measures

The collection of the de-identified Improvement Measures that form the PIP Eligible Data Set are part of a system of quality improvement that includes reflective practice, a common data baseline, and data analysis. The Improvement Measures are not designed to assess individual general practice or general practitioner performance. They do support a regional and national understanding of chronic disease management in areas of high need, and future iterations will respond to emerging evidence on areas of high need.

The Improvement Measures are:
1.Proportion of patients with diabetes with a current HbA1c result
2.Proportion of patients with a smoking status
3.Proportion of patients with a weight classification
4.Proportion of patients aged 65 and over who were immunised against influenza
5.Proportion of patients with diabetes who were immunised against influenza
6.Proportion of patients with COPD who were immunised against influenza
7.Proportion of patients with an alcohol consumption status
8.Proportion of patients with the necessary risk factors assessed to enable CVD assessment
9.Proportion of female patients with an up-to-date cervical screening
10.Proportion of patients with diabetes with a blood pressure result."

Want to read the documents then see:

• PIP QI Guidelines (PDF 545 KB)
• PIP QI Guidelines (Word 110 KB)
• Improvement Measures (PDF 216 KB)
• Improvement Measures (Word 90 KB)
• Improvement Measures – Annotated Specifications (PDF 246 KB)
• Improvement Measures – Annotated Specifications (Word 91 KB)
• PIP Eligible Data Set Data Governance Framework (PDF 502 KB)
• PIP Eligible Data Set Data Governance Framework (Word 98 KB)
• PIP QI Who do I ask (PDF 99 KB)
• PIP QI Who do I ask (Word 93 KB)
• PIP QI FAQs (PDF 150 KB)
• PIP QI FAQs (Word 79 KB)
• PIP QI Fact Sheet - What practices need to know (PDF 186 KB)
• PIP QI Fact Sheet - What practices need to know (Word 80 KB)
• PIP QI Fact Sheet - ACCHS and other IAHP funded organisations (PDF 116 KB)
• PIP QI Fact Sheet - ACCHS and other IAHP funded organisations (Word 73 KB)
• PIP QI Fact Sheet - Exemption (PDF 129 KB)
• PIP QI Fact Sheet - Exemption (Word 77 KB)
• PIP QI Exemption Application Form (PDF 138 KB)
• PIP QI Exemption Application Form (Word 69 KB)
• PIP QI Fact Sheet – Consumer (PDF 38 KB)
• PIP QI Fact Sheet – Consumer (Word 65 KB)