Security and Privacy

Data for Decisions uses University of Melbourne software to ethically and safely extract data from general practice computer systems

GRHANITE software

GRHANITE is University of Melbourne developed computer software that works in any environment where data is routinely collected. Its first prototype was developed by Associate Professor Douglas Boyle in 2007 and has been used extensively in the primary care arena; it is currently installed in many GP clinics throughout Australia.

GRHANITE addresses many complex legal, ethical, organisational and technical barriers that can hinder the use of sensitive, routinely collected data. It can interface with many GP practice management computer software systems, including Medical Director, Best Practice, GENIE, Zedmed, Communicare, MedTech32 and others. GRHANITE provides GPs or practice managers with easy access to a patient ‘opt-out’ checkbox and has the capability to provide privacy-protecting record linkage. For more about record linkage click here.


GRHANITE optimises patient and health provider privacy by ensuring person-identifying information (i.e. patients, practitioners or other staff) is not included in the data extracted. If necessary, the data originating from a GP practice can be re-identified by sending it back to that practice and using a re-identification ‘key’. Such re-identification might be done if a practice agrees to participate in a clinical trial (pending appropriate data and ethical approvals) where the practice may contact patients with certain characteristics to determine their interest in participating. (N.B. Involvement in clinical trials may include financial incentives and benefits to GPs and patients through access to new treatments.)

Data for Decisions adheres to the University of Melbourne Privacy Policy which outlines our obligation to comply with the relevant Australian regulations and legislations. Researchers that use information sourced from the Patron database are legally required to take all measures to protect privacy and they must not take any steps to attempt to re-identify any data that is provided to them.

Data storage

The Patron data repository is physically housed within the University of Melbourne environment. Nectar Cloud eResearch infrastructure facilitate secure storage of the large Patron dataset. The University of Melbourne is Nectar’s lead agent. No data within the Patron dataset is stored within an off-shore server or outside of the University controlled server environment.

Data security

Our team at HaBIC R2 Health Informatics Unit, within the Department of General Practice, are experts in cross-sectoral data capture, consent management and privacy-protecting record management. We employ international best practice policies and procedures in our data warehousing and curation to ‘future proof’ against risk, and we adhere to all national legislation around privacy and data security. Our active risk mitigation strategies are regularly reviewed.

No Patron datasets will ever be publicly accessible, but findings from the research, using aggregate data, will be made available through publications and reports. Every researcher that accesses the datasets can do so only after showing that they will meet strict ethical, legal and data governance standards. It is a legal requirement that any notifiable data breaches are reported to the Australian Information Commissioner within three days.

Anonymous record linkage

GRHANITE has a mechanism for supporting anonymous record linkage. This mechanism ensures names or other person-identifying information of patients never leave the general practice. This is done using a technique known as cryptographic hashing. This mechanism generates ‘signatures’ that are derived from identifiable information but do not contain it. Because the signature does not contain identifying information, the signature can never be reversed. .

The Australian data use context

Making more effective use of existing data is widely considered integral to enhance consumer and business outcomes, better inform decision-making and policy development, and facilitate greater efficiency and innovation.

The following links provide detailed material about the ethical, legal and regulatory provisions of data sharing in the Australian context.

  1. Productivity Commission, Data Availability and Use: Productivity Commission Inquiry Report - Overview & recommendations Report No.82. 2017, Canberra.
  2. Menzies Foundation, Public support for data-based research to improve health: A discussion paper based on the proceedings of a Menzies Foundation Workshop 16th August, 2013. 2013, Melbourne
  3. The University of Melbourne, Privacy Policy (MPF1104)