White SW Computer Law
Intellectual Property, Information Technology & Telecommunications Lawyers
Melbourne Office - PO Box 452, COLLINS STREET WEST Victoria 8007 Australia
Sydney Office - GPO Box 2506, SYDNEY New South Wales 2001 Australia
Telephone: Melbourne Office - +61 3 9629 3709 Sydney Office - +61 2 9233 2600
Facsimile: Melbourne Office - +61 3 9629 3217 Sydney Office - +61 2 9233 3044
Email: wcl@computerlaw.com.au Internet: http://www.computerlaw.com.au


Privacy and Information Technology - A contradiction in terms?

Abstract

Technology provides unlimited opportunities for the collection and processing of data with efficiencies that have not been seen before. Consideration must be given to the limits to the collection and use of such information in the Health Care Industry and the legal implications of a breach of the law in relation to medical information.

Introduction

You have just been told that your job application for a senior managerial position has been unsuccessful - your potential employer has determined that due to your medical history which includes heart disease, they would not be able to rely on you to cope with the often stressful position.

You have just been told that the bank has rejected your loan application - your medical records show evidence of psychiatric illness and your bank manager is doubtful about your ability to continue to earn a living.

You are being pestered day and night by pharmaceutical salespeople - they have a complete list of all your medical disorders and a product to sell you for each one.

Perhaps these situations are rather extreme, but they are all possible in the event that access to medical records is made easy and legal.

There are arguments for and against having medical records available over a national or international network. Many people are more mobile, both for business and pleasure. As you are lying unconscious in a hospital after an accident on the other side of the planet, would you like your treating doctor to have a list of your known allergies, your current medication and your blood type before you undergo medical treatment? There are obvious advantages to having your medical records available electronically. The use of a “family GP” is often replaced by the use of a number of different clinics and doctors in the age of the 24 hour medical centre.

Medical professionals often object, with good reason, to making their records available to their patients, although a number of Australian court cases have found in favour of the patient.

Often patients' records are seen as the personal notes of the medical professional and not suitable for release to the patient. So, not only do we need to consider the consequences of third party access to our electronic records, but the medical professional also needs to take records in a way that is intended to be reviewed by their patient and third parties without opening themselves to the danger of professional negligence claims.

There are currently many proposed changes to privacy legislation at both the State and Commonwealth level. Many of these changes are being initiated for commercial reasons arising out of the impending European Union directives regarding data protection and privacy but are equally applicable to the electronic storage of medical records.

Why Computerise Records?

The advantages of computer records are:

  • Ease of access and improved efficiency
  • Comprehensive records
  • Reminders
  • Current technology allows for a user friendly interface delivered via the Internet
  • Aid to medical research
  • Detection of fraud and abuse of insurance and Government benefits
  • Increasing use of technology to identify individuals

Why not Computerise Records?

The disadvantages of computer records are:

  • Difficulty in ensuring security of access
  • The individual's right to privacy
  • Internet
    • Type in “About:Global” in Netscape and every link that has been visited since installation is displayed.
    • Cookies (See Annexure 1)
    • Usenet posts
    • Each time you visit a site you leave details such as your domain.

Common law in Australia does not provide individuals with a right to privacy.

Common law does, however, provide that if a defendant is proved to have used confidential information, directly or indirectly obtained from a plaintiff with the consent, express or implied, of the plaintiff, the defendant will have infringed the plaintiff's rights.

Relevant factors to be considered in determining whether information is confidential in a normal business scenario are:

  • the extent to which the information is known outside the business;
  • the extent to which it is known by employees and others involved in the business;
  • the extent of measures taken to guard the secrecy of the information and the efforts by which it was known as confidential;
  • the value of the information to the employer and its competitors;
  • the amount of skill, effort or money expended in developing the information; and
  • the ease or difficulty with which the information could be properly acquired or duplicated by others.

The position for medical information is much clearer: it clearly falls within the category of confidential information.1)

A breach of the duty to keep confidential information confidential may give rise to the following legal remedies:

  • Injunction to prevent threatened disclosure or use
  • Damages, General and Exemplary
  • Dismissal

Further, a breach may also give rise to a claim in negligence for breach of duty of care.

The Privacy Act 1988 deals with the gathering, processing and dissemination of information about an individual. The Act does not deal with unwanted intrusion into an individual's private life or activities.

Examples

A convicted child rapist working as a technician in a Boston hospital rifled through 1,000 computerised records looking for potential victims (and was caught when the father of a nine-year-old used caller ID to trace the call back to the hospital).2)

In Maryland, a banker on the state health commission pulled up a list of cancer patients, cross-checked it against the names of his bank's customers and revoked the loans of the matches.3)

In Britain a newspaper revealed how easy it is to gain access to the National Health Service records by hiring private investigators to pull the confidential files of a dozen people. The detectives found most of the information for most of the people within three (3) hours.4)

At least a third of America's Fortune 500 companies regularly review health information before making hiring decisions.5)

Avoiding Breaches

  • Passwords to limit access to information
  • Audit Trail monitoring access to information
  • Firewalls to protect against external access
  • Encryption to prevent use by unauthorised users

Conclusion

Technology provides unlimited opportunities for the collection and processing of data with efficiencies that have not been seen before. Consideration must be given to the limits to the collection and use of such information in the Health Care Industry and the legal implications of a breach of the law in relation to medical information.

Annexure 1 - Cookies

Definition
A Cookie is a computer program that is delivered by a web server to the visitor's computer where it is “set”. The web server uses the Cookie when the visitor returns to that web site. A user may be completely unaware that a Cookie is set if they are using the default setting for Microsoft Explorer or Netscape Navigator.

Uses
Uses of Cookies include the surreptitious:

  • gathering of information regarding the frequency of visits to a web site;
  • determining appropriate banner advertising for each visitor;
  • obtaining the visitors' IP address, user name and e-mail address;
  • determining which operating system or other software is being used by the visitor;
  • calculating the visitor's time spent on the Internet; and
  • other information


This information can be exceptionally valuable.

Computer Trespass
Section 9A of the Summary Offences Act 1966 (Vic) provides that:
A person must not gain access to, or enter, a computer system or part of a computer system without lawful authority to do so. Penalty 25 penalty units ($2,500) or imprisonment for six (6) months.
It is my opinion that the setting of a Cookie falls within the definition of “gaining access” or “entering” a computer system without lawful authority. It must be remembered that for many users setting a Cookie is an involuntary act or an act of which the user has no knowledge.

Section 76B of the Crimes Act 1914 (Cth) as amended provides that a person who intentionally and without authority obtains access to data stored in a Commonwealth computer, or data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer, is guilty of an offence. Penalty: Six months imprisonment.
It follows that if a Commonwealth employee visited a Cookie site and data in a Commonwealth Computer is accessed, the site owner may be found to have committed a criminal act.

Other penalties may also be involved, if for instance, financial advantage is obtained by deception. Section 1307 of the Australian Corporations Law imposes remedies in respect of unauthorised dealings in books and records of a company stored on computer.

Whilst there appears to be an abundance of law breaking there appears to be no enforcement.

Commercial Implications and breaches in Australia
If your web site developer has included a Cookie on your web site, technically you would be committing a criminal offence if you access a computer as a result of a visitor accepting your Cookie.

If trade secrets or confidential information, such as medical records, are obtained, breaches of confidential information and copyright infringement may also give rise to civil liability.

Commercial Implications and breaches Overseas
There has been some debate on the question of whether the action of Cookies would be in violation of the EC Directive on the Legal Protection of Databases. The two major objectives of the Directive are to harmonise copyright law applicable to the structure of databases and to create a new right, which protects the database creator against the unauthorised extraction and/or use of the whole or a substantial part of the database. A visitor to a web page may have data stored on his computer in a form that would classify as a database. Violators of the laws, which are passed in accordance with this Directive, will be subject to both civil and criminal remedies as is already provided for by the national copyright laws of the Member States.

Privacy Legislation
The EC Directive on Data Protection relates to the protection of personal data. Personal data is defined as “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

Cookies allow information to be sent back to the web page owner, who can include information about the user in a database. This information is sent back to the web page owner without the user being informed of this action. Under the EC Directive, the customer/user is entitled to know that data is being collected about them. The user has the right to protest the collection of the data, and the collector must act on such protest. The user has the right to inspect the data stored about them and to demand corrections to it.

The action of a Cookie would be in violation of the Directive, if the user was European and/or if the data collector was European. If the web page owner and user are both in Europe:

  • Collection of data about the user, by using cookies, is unlawful
  • The web page owner will be liable for civil damages, or criminal penalties, or both.

Under the UK Data Protection Act 1984, a collector of personal data must be registered and must comply with various data protection principles, one of which is that data must be obtained and processed fairly and lawfully. A data collector should be open and honest about why the data is required, and so should state who he is, what the intended use of the data is, and to whom such data is to be given. Cookie information gathering does not appear to meet this principle. However, this UK Act applies only to personal data. If the information gathered could identify only the user's computer, and not the user, such information will not be regulated by the Act.

There is a possible argument that a web page owner is using the visitor's computer from which data is being collected. If this interpretation is applied, web page owners, although situated outside the EU, may still find themselves subject to the relevant national law of the country in which the visitor is located and obliged to designate a representative established in that country. The Directive is to be implemented by 24 October 1998, so there are a few questions to be answered before then.

USA
In the US, a bill pending in Congress, the Consumer Internet Privacy Protection Act of 1997, would require a person's prior written consent before a computer service could sell or disclose personal information to a third party. This Act may require a person's consent before information collected using Cookies can be sold or disclosed to third parties.

Conclusion
Web site owners who make use of Cookies to collect data about visitors to their site should bear in mind that there is a strong push from various lobby groups around the world to improve privacy legislation. It is recommended that visitors are informed about what personal information is being collected, why it is being collected and to whom it will be released. Most importantly, web site owners should not assume that compliance with their own country's laws ensures their activities are legal in other legal jurisdictions. Australia has not made a definite move towards legislation similar to the European Directives, but in order to protect our international economic ties, new developments should hopefully be on the parliamentary drawing board for implementation in the near future.

Companies and individuals who continue to use cookies, ethically or otherwise, may find themselves at the wrong end of a charge sheet or a writ.

June 1998

1) Furniss v Fitchett [1958] NZLR 396; Slater v Bissett (1986) 69 ACTR 25; W v Edgell 2 WLR 471; A Dix et al, Law for the Medical Profession in Australia, 2nd Ed 1996; P Mfarlane, Health Law Commentary and Materials, 2nd Ed 1995
2), 3), 4), 5) Joshua Quittner, Invasion of Privacy, United States Time, 25 August 1997

  © White SW Computer Law 1994-2019. ABN 94 669 684 644. All Rights Reserved.
  Liability limited by a scheme approved under Professional Standards Legislation
  This website is a guide only and should not be used as a substitute for proper legal advice.
  Readers should make their own enquiries and seek appropriate legal advice.
  For legal advice please email wcl@computerlaw.com.au