Scholars and other commentators widely assert that enforcement of contractual and other limitations on labor mobility deters innovation. Based on this view, federal and state legislators have taken, and continue to consider, actions to limit the enforcement of covenants not-to-compete in employment agreements. These actions would discard the centuries-old reasonableness standard that governs the enforcement of these provisions, often termed ‘noncompetes’, in all but four states (notably, California). We argue that this zero-enforcement position lacks a sound basis in theory or empirics. As a matter of theory, it overlooks the complex effects of contractual limitations on labor mobility in innovation markets. While it is frequently asserted that noncompetes may impede knowledge spillovers that foster innovation, it is frequently overlooked that noncompetes may encourage firms to invest in cultivating intellectual and human capital. As a matter of empirics, we show that two commonly referenced bodies of evidence fail to support zero enforcement. First, we revisit the conventional account of the rise of Silicon Valley and the purported fall of the Boston area as innovation centers, showing that this divergence cannot suitably be explained by differences in state law regarding noncompetes. Second, we show that widely cited empirical studies fail to support a causal relationship between noncompetes, reduced labor mobility, and reduced innovation. Given these theoretical and empirical complexities, we propose an error-cost approach that provides an economic rationale for the common law’s reasonableness approach toward contractual constraints on the circulation of human capital.
23 July 2020
Noncompetes
'The Case for Noncompetes' by Jonathan Barnett and Ted M Sichelman in (2020) 86 University of Chicago Law Review 953 comments
Australian Designs Regime
IP Australia has released an exposure draft of the Designs Amendment (Advisory Council on Intellectual Property Response) Bill 2020 (Cth) and Designs Amendment (Advisory Council on Intellectual Property Response) Regulations, 'intended to provide early benefits to designers ahead of further initiatives in development'.
Apart from technical improvements the legislation would amend the Designs Act to benefit designers by:
- introducing a 12 month grace period to help protect designers from losing their rights through inadvertent disclosures made prior to filing
- expanding the existing limited prior use defence to protect third parties who started preparations to make a design before someone else tried to register it
- simplifying the design registration process by removing the publication option and making registration automatic six months after filing
- aligning with the other IP rights by giving exclusive licensees legal standing to sue for infringement.
- Australian designers contribute more than $67 billion to the economy each year, making up 3.5% of GDP on average, with a strong presence in manufacturing and global value chains. Fewer than 0.5% of Australian businesses have held a design right in the last 16 years.
- the design rights system in Australia is currently a niche IP right serving a niche set of industries.
- Evidence of the economic value of design rights is positive but limited.
- the system is difficult to understand; 'Even experienced users can find it difficult to register and use design rights successfully'.
- Economic analysis shows having a design right predicts some productivity gains for a narrow segment of the economy (businesses in a limited set of ‘design rights-intensive’ industries, primarily in manufacturing and some in wholesale trade)
- Not all businesses can expect an economic benefit from having design rights.
- Design rights provide value as part of a broader business strategy. A broader strategy that includes design rights often also includes being a part of global value chains, having strong competitive strategies, and using informal design protection methods. Design rights work in tandem with patents and trade marks.
- Australian businesses with an IP portfolio that combines design rights with patents and/or trade marks are seen to live longer, have more employees, and have a higher average profit per employee than businesses who just have design rights on their own.
22 July 2020
FOI resourcing
In Farrell; Chief Executive Officer, Services Australia and (Freedom of information) [2020] AATA 2390 AAT Senior Member Damien O'Donovan has offered a robust critique of resistance by Services Australia to access by journalist Paul Farrell to information under the Freedom of Information Act 1982 (Cth).
The Department of Human Services (now Services Australia) refused access on 21 December 2017, on the basis that a practical refusal reason exists in relation to the request, ie processing the request would substantially and unreasonably divert the resources of the agency from its other operations. Farrell sought a review by the Australian Information Commissioner on 4 January 2018. The Commissioner set aside the decision on 5 June 2019, having decided that ‘a practical refusal reason does not exist’. Onwards to the AAT!
On 1 December 2017 the Department had written to Farrell indicating that it intended to refuse his request unless he revised and narrowed the request, claiming that there were over 750 AVTOP decision letters and an estimated 195 plus hours would be needed to process the request in full. On appeal the Information Commissioner determined that a practical refusal reason did not exist, estimating that the overall processing time would be approximately 61.25 hours in part because redaction would be straightforward and repetitive given the general uniformity between each of the documents.
The Tribunal states
The applicant is a substantial agency. According to the Services Australia 2018-2019 Annual Report, the agency was responsible in 2018-2019 for payments totalling $184 billion; more than 3.5 million social security and welfare claims; and more than 429 million Medicare services. It is a large and well-resourced agency. It has more than 28,000 employees.
With 28,000 bodies alongside a budget and responsibilities on that scale you might expect enough people to handle FOI requests.
The Tribunal notes
In the financial year 2018-2019 it devoted the equivalent of 66.66 full time staff to the processing of Freedom of Information (FOI) requests. On average the agency took 2.86 days (approximately 21.5 hours) to process each request. Of the 6210 FOI access requests the agency processed, 5955 were requests for personal information. This makes it one of the largest FOI processors in the Commonwealth.
For the purposes of these proceedings it was agreed that it would take 61.25 hours for the Department to process the request. It was accepted by the applicant that much of that time would be time spent by members of the FOI team. However, it would be necessary for the FOI team to involve employees from the Emergency Management Team. The Emergency Management Team would be required to undertake the search and retrieval exercise as a consequence of the filing system used in relation to the program and advise on the sensitivities within each document.
In addition to administering the AVTOP program, the Emergency Management Team is responsible for the agency’s preparation, coordination and operational responses to disasters, emergencies and ad hoc government relief. The team often has to allocate all of its resources to facilitate responses to emergencies. There was, however, no evidence to suggest that the processing of this FOI application would involve diversion of resources during any emergency situation.
Information is already in the public domain about the AVTOP program. It is a statutory program. The amount which can be paid to an applicant is capped by the Social Security Act 1991 at $75,000. The amount payable is calculated in accordance with prescriptive payment principles which are set out in a legislative instrument.
A substantial amount of information relating to the AVTOP is publicly available on the Department’s website describing the nature and purpose of the scheme, eligibility criteria and application processes. The Department has published data on the number of claims paid each financial year and the total amount paid. For some financial years, the Department has published further data that identifies the number of claims received, the number of payments made to primary and secondary victims, and the events in respect of which payments were made. For example, it is possible to work out that the average amount paid to successful primary claimants in 2015-2016 was $57,270 and 12 claims were declined.
Services Australia however accepts that
the statistical information which is publicly available does not include all of the information which can be derived from the information in the AVTOP decision notices [and] accepts that more will be known about the program if the FOI request is processed although it disputes the value of that additional information particularly given that the reasons for each individual decision will not be revealed.
The Tribunal notes guidelines that
There may be circumstances where the processing of an applicant’s request would have a substantial effect on an agency or minister but may not necessarily be unreasonable in the circumstances. For example, an agency that is particularly large may not necessarily find that the processing of a request to be unreasonable, despite the fact that processing the request would have a substantial effect on the agency. Such agencies are likely to have dedicated resources to ensure that it can appropriately handle requests and reduce the impact of the requests on other business areas of the agency through the establishment of a permanent FOI team, as well as assigning additional temporary resources to handle a peak in the number or complexity of requests. ...
Whether a practical refusal reason exists will be a question of fact in the individual case. Bearing in mind the range of matters that must and can be considered, it is not possible to specify an indicative number of hours of processing time that would constitute a practical refusal reason. Agencies should not adopt a ‘ceiling’ in relation to processing times; for example, deciding that a practical refusal reason exists once the estimated processing time exceeds 40 hours. Rather, each case should be assessed on its own merits, and the findings in individual AAT and IC review decisions which discuss estimated processing times should be viewed in that light.
Services Australia argued that '61.25 hours (or 8.1 days) of processing time is sufficient to establish a substantial diversion of resources particularly in a context where the average amount of time normally spent on an FOI request by the agency is 2.8 days', claiming that diversion would be unreasonable because:
(a) There is no significant public interest in the documents requested when regard is had to how much information is already in the public domain about the program.
(b) What little additional information that the release of the sought-after material will reveal does not generate a sufficient public interest to justify the diversion of resources.
(c) Disclosure carries with it a real risk of identification of the claimant, and, where the claimant is a secondary victim, the primary victim.
(d) The goal of promoting the effective oversight of public expenditure is best met by looking at the operation of the AVTOP scheme as a whole and the data already published is sufficient for that purpose.
(e) The public interest in revealing the reasons for individual government decisions is not advanced by the disclosure of the decision letters because they do not contain reasons for the decision to grant or reject individual claims.
(f) Release of the decision notices will not increase public participation in government processes or inform the community of the policies, rules, guidelines, practices and codes of conduct followed by the government. Information about the program published elsewhere does that.
(g) The amount of work required is disproportionate to the value which can be extracted from the documents.
(h) The letters were sent to a highly sensitive customer cohort who have experienced significant trauma. While personal information will have been redacted there is nevertheless a risk, depending on the redactions applied, that a customer would recognise the letter sent to them (if published) and be further traumatised by its release to a third-party journalist. It would not be in the public interest for such outcomes to occur.
(i) It would not be in the public interest to divert staff from the Emergency Management Team which has important responsibilities to search for and retrieve documents in response to an FOI request that will ultimately add little to what is already publicly available.
The Tribunal raised with the Department the question of whether, in the phrase ‘divert the resources of the agency from its other operations’, ‘other operations’ included the processing of other FOI requests. The Department submitted that it did.
Farrell argued that there would not be an unreasonable diversion of agency resources: whether disclosure would be ‘unreasonable’ is a question of fact and degree which calls for a balancing of all the legitimate interests involved.
He submitted that
in line with section 3(2) of the FOI Act, the increased amount of information that would become available would increase the scrutiny of this government program.
... this was important at a level of principle because it was rare that governments would publish information about a failing program. Information about programs which are damaging to an agency’s ‘political masters’ is not likely to be widely published.
... if the information it was hoping to obtain about the program were summarised in a ministerial brief, there would be no argument that they should get access. The fact that the information is stored in a large number of letters rather than summarised in one place should not affect whether the respondent gets access to the documents.
... there was a significant public interest in the release of information about the number of claims and payments in respect of each individual terrorist acts and that additional information could be gleaned about a number of aspects of the program.
Farrell urged the AAT to reject the proposition that what was already published was sufficient. An agency deciding for itself what was the best way for oversight to occur was not in the public interest. Release of the documents would
also allow some assessment and analysis about the parity of treatment of claimants under the scheme. The work required to process the claim is not disproportionate to the value which can be extracted from the documents and the failure of the applicant to store documents at a central location cannot be used to justify claims of a substantial and unreasonable diversion of resources.
The AAT stated
The diversion of 61.25 staff hours, while significant if measured against the amount of resources the applicant usually devotes to an average FOI request, are tiny relative to the resources available to the agency. Accordingly, it is important to have a proper frame of reference when considering the threshold set by the term ‘substantially’. It has long been recognised that the use of the word ‘substantial’ is both susceptible to ambiguity and is a word ‘calculated to conceal a lack of precision’. It is also a term whose meaning can range, depending on context, from requiring that something be ‘large weighty or big’ or merely indicate that something needs to be ‘real or of substance’. Accordingly, a constructional choice needs to be made in relation to the meaning of the word ‘substantially’ in the context in which it appears. ...
Before an agency can avail itself of the practical refusal reason for failing to process a request, it must establish that doing so would substantially and unreasonably divert resources. These terms should not be interpreted in isolation from each other. To succeed with the exclusion, an agency must establish both. Accordingly, even if an application would involve the unreasonable diversion of the resources of an agency, if the diversion is not substantial then it is not possible to refuse the request for practical refusal reasons. Parliament has, in effect, set a resource-diversion threshold below which even requests that unreasonably divert resources must be processed.
The constructional choice in this case is between an option which forces an agency to process an unreasonable request up to the point at which the resource diversion could be described as large, or, only forcing an agency to process unreasonable requests in circumstances where there is a material diversion of resources even if, in the context of that agency, or objectively, the resources diverted are quite small. It is unlikely that Parliament was intending to create a regime under which resources which were significant but could not be described as large (either relative to the size of the agency or in absolute terms) were being diverted to the processing of FOI requests which unreasonably diverted public resources.
A ‘material’ test is open on the language of the text and consistent with the purpose of the provision and the FOI Act as a whole – keeping in mind that one of the objects of the Act is to facilitate and promote public access to information, promptly and at the lowest reasonable cost. If citizens were able to force the processing of unreasonable FOI requests because the resource diversion threshold was set high, then it eliminates incentives to negotiate reasonable outcomes which meet the disclosure objectives of the FOI Act but at a reasonable cost. Accordingly, I am satisfied that in the context in which it appears in section 24AA, the word ‘substantially’ refers not to a large diversion of resources but merely to one of substance. 61.25 hours of Departmental employee’s time is a diversion of substance and, therefore, meets the threshold for a substantial diversion of resources.
I note for completeness that if I had concluded the term substantially conveyed a requirement for a ‘large’ diversion of resources, I would not have been satisfied that 61.25 hours met that requirement in the context of the resources available to Services Australia. ...
As noted above, the diversion of agency resources at 61.25 hours, is not insignificant. However, in the context of an agency which according to its 2018/2019 Annual Report has more than 28,000 employees and has devoted the equivalent of 66 full time employees to the processing of FOI requests, the diversion is less significant than it would be for a smaller agency. Processing the claim is well within the capacity of the agency with the resources it has available to it.
Second, the identity of the persons who will undertake the processing of the claim and the impact on the other work of the agency. I am satisfied that the bulk of the work in processing the claim will be done by the agency’s specialised FOI team. Some time will be spent by the line area, the Emergency Management Team, in locating the documents and in assisting the FOI team in relation to appropriate redactions to be made, but there is no evidence to suggest that the nature of the request is such that specific staff will be diverted from important work at critical times. These first two factors do not support the conclusion that the diversion of resources will be unreasonable.
Saliently, the Department conceded that
additional information about the program will become publicly available as a consequence of the release of information in the form sought by the respondent. In circumstances where no less burdensome alternative that would yield the same information has been identified, I am not willing to cast upon the respondent any obligation to be more accommodating. One of the benefits of the FOI Act is that it allows citizens to get access to information that they want, not only information that agencies want them to access. It is not legitimate to characterise a person as unco-operative merely because they failed to explore or agree to a process which was less burdensome but also less revealing. The approach taken by the respondent does not support a conclusion that the diversion of resources is unreasonable.
Fourth, whether there is a significant public interest in the documents requested. In circumstances where I am satisfied that this FOI request can be processed using the existing resources of the agency and without significant diversion from the non-FOI work of the agency, I am not willing to assess stringently the public interest served by the release of the specific information which the applicant concedes will be brought to light by the release of the decision letters.
The release of the information will increase scrutiny and review of Government activities at least in the sense that more will be known about it. That serves the public interest in and of itself. In the present context I do not consider it appropriate for me to make a judgment about whether the particular information revealed about the AVTOP program has more general utility. In this circumstance, and I am sure in many other circumstances, that is not the kind of analysis which should be attempted. Once it is accepted that new information will come to light about a Government spending program, a public interest is served and that counts against a finding that the diversion of resources is unreasonable.
Fifth, other steps taken to publish information about the program. I accept that there is already a significant amount of information available in the public arena about AVTOP that has been willingly put there by the agency. Further, the amounts paid under the program are paid in accordance with quite specific legislative requirements. These matters diminish the extent to which the material produced in response to the FOI request can increase scrutiny, discussion, comment and review of the Government’s activities.
However, as [Farrell] rightly points out, there are dangers in allowing those who administer programs to control what information is released in relation to a program. It would be unfortunate if the more thorough scrutiny which the FOI Act provides for, could be avoided or diminished by an agency choosing to release material in a form that painted a favourable but not entirely representative picture of a program. Even though a considerable amount is known publicly about the AVTOP program, what is known has been chosen by the agency. Scrutiny is enhanced when a citizen can obtain ready access to information which the agency has not chosen to release. Once it is conceded that, as a result of the FOI request, more information will be available to the public, it would be a rare case where disclosure of other information about the same program would aid in establishing that the consequent diversion of resources was unreasonable.
Medical Devices Regulatory Failure
The UK First Do No Harm: The report of the Independent Medicines and Medical Devices Safety Review (Cumberlege Report) is an important point of reference for regulatory failure in Australia regarding pelvic mesh and other implants. It also highlights the salience of listening to patients and their families.
Cumberlege comments that the Review
has been about people who have suffered avoidable harm. Our report is entitled “First Do No Harm”. Having spent two years listening to heart wrenching stories of acute suffering, families fractured, children harmed and much else, I and my team thought it an appropriate title. It is a phrase that should serve as a guiding principle, and the starting point, not only for doctors but for all the other component parts of our healthcare system. Too often, we believe it has not. ... We have found that the healthcare system – in which I include the NHS, private providers, the regulators and professional bodies, pharmaceutical and device manufacturers, and policymakers – is disjointed, siloed, unresponsive and defensive. It does not adequately recognise that patients are its raison d’etre. It has failed to listen to their concerns and when, belatedly, it has decided to act it has too often moved glacially. Indeed, over these two years we have found ourselves in the position of recommending, encouraging and urging the system to take action that should have been taken long ago. The system is not good enough at spotting trends in practice and outcomes that give rise to safety concerns. Listening to patients is pivotal to that. This is why one of our principal recommendations is the appointment of an independent Patient Safety Commissioner, a person of standing who sits outside the healthcare system, accountable to Parliament through the Health and Social Care Select Committee. The Commissioner would be the patients’ port of call, listener and advocate, who holds the system to account, monitors trends, encourages and requires the system to act. This person would be the golden thread, tying the disjointed system together in the interests of those who matter most. Secretary of State, we are entering a new world, in which innovation and technology will bring exciting change. 
There is potential to do so much good, but we must ensure the risks of increasingly complex healthcare are understood and where the system is not sure of the risks it must say so. Had it done so in the case of our three interventions, I have no doubt that much anguish, suffering and many ruined lives could have been avoided.
The Report states
1.1 This Review was announced in the House of Commons on 21st February 2018 by Jeremy Hunt, the then Secretary of State for Health and Social Care. Its purpose is to examine how the healthcare system in England responds to reports about harmful side effects from medicines and medical devices and to consider how to respond to them more quickly and effectively in the future.
1.2 Under my chairmanship the Review was asked to investigate what had happened in respect of two medications and one medical device:
- hormone pregnancy tests (HPTs) – tests, such as Primodos, which were withdrawn from the market in the late 1970s and which are thought to be associated with birth defects and miscarriages;
- sodium valproate – an effective anti-epileptic drug which causes physical malformations, autism and developmental delay in many children when it is taken by their mothers during pregnancy; and
- pelvic mesh implants – used in the surgical repair of pelvic organ prolapse and to manage stress urinary incontinence. Its use has been linked to crippling, life-changing, complications; and to make recommendations for the future.
1.3 The Review was prompted by patient-led campaigns that have run for years and, in the cases of valproate and Primodos over decades, drawing active support from their respective All-Party Parliamentary Groups and the media. As the Secretary of State commented: ‘We must acknowledge that the response to these issues from those in positions of authority has not always been good enough. Sometimes the reaction has felt too focussed on defending the status quo, rather than addressing the needs of patients and, as a result, patients and their families have spent too long feeling that they were not being listened to...’
1.5 The Review was asked to consider how to strengthen the patient voice in order to help build a ‘system that listens, hears and acts – with speed, compassion and proportionality.’
1.6 On the face of it we were being asked to investigate three disparate interventions governed by two different product regulatory frameworks in the one Review. It soon became apparent, however, that far more binds these interventions than separates them:
- they all are taken or used by women and, in the cases of valproate and hormone pregnancy tests, usage is during pregnancy;
- patients affected by each tell similar and compelling stories of their battles to be listened to when things go wrong;
- patients turning to each other for help and mutual support;
- patients campaigning for years, if not decades, to achieve acknowledgement, resorting to the media and politicians to take up their cause because the healthcare system did not.
1.7 The Review looks not just at what happened in the three individual cases but how the healthcare system reacted as a whole, and how that response can be made more robust, speedy and appropriate. It is in this sense a system-wide review.
1.8 Finally, as complex and wide-ranging as our Review proved to be, we know that there are many who contacted us during the course of our work and who were disappointed that we could not also consider their concerns about other medications and devices on the market. The list is long – Essure (a contraceptive device), Roaccutane (a treatment for severe acne that can cause birth defects if used in pregnancy), Poly Implant Prostheses (PIP) breast implants, cervical cancer vaccination, in utero exposure to hormones, valproate use in children. We are aware of the similarities between pelvic mesh and mesh used for hernia procedures and we have heard from a number of people adversely affected following hernia mesh procedures. With regards to mesh, the scope of this Review relates only to pelvic mesh, which following insertion resides in the pelvis to support pelvic organs. So, neither hernia mesh nor the other medications and devices listed above were within our remit. Concerns about these taken together, however, point to a healthcare system that cannot be relied upon to identify and respond promptly to safety concerns. We believe that what we have to say and recommend for the future will have an important read-across to these and other interventions and the manner in which they are approved, delivered, regulated and monitored.
1.9 What follows is a summary of what we heard, and then a summary of our observations and recommendations and the reasoning behind them. These recommendations cover England only, though we know the devolved administrations are following our work closely. We hope those governments will consider the recommendations we have made for England.
What we heard
1.10 Patients were at the heart of our Review. Although our focus was on England, we travelled to the four corners of the UK to listen and learn. We met with hundreds of affected patients and their families and heard by email, phone and letter from many more. It became all too clear that those who have been affected have been dismissed, overlooked, and ignored for far too long. The issue here is not one of a single or a few rogue medical practitioners, or differences in regional practice. It is system-wide.
1.11 We took evidence from a wide range of stakeholders, from clinicians and the Royal Colleges, from the pharmaceutical industry and manufacturers of devices, from the full range of NHS and private sector providers and arms-length bodies including the regulators, professional and disciplinary bodies and finally from the Department of Health and Social Care. Collectively we refer to this group of stakeholders as the healthcare system.
1.12 The patients’ stories were harrowing. Our two-year journey took its toll on all of us but that paled into insignificance in the face of so much adversity borne with such resilience and bravery by those we met and heard from. They told their stories with dignity and eloquence, but also with sadness and anger, to highlight common and compelling themes:
- the lack of information to make informed choices;
- lack of awareness of who to complain to and how to report adverse events;
- the struggle to be heard;
- not being believed;
- dismissive and unhelpful attitudes on the part of some clinicians;
- a sense of abandonment;
- life-changing consequences, not only for those directly affected, but for their families and friends too;
- breakdown of family life;
- loss of jobs, financial support and sometimes housing;
- loss of identity and self-worth;
- a persistent feeling of guilt;
- children becoming their mothers’ and siblings’ carers;
- clinicians untutored in the skills they need to make a proper diagnosis;
- clinicians not knowing how to learn from patients;
- inaccurate or altered patient records;
- a lack of interest in, and an inability to deliver, the monitoring of adverse outcomes and long-term follow-up across the healthcare system.
1.13 These testimonies provided the background to our own diligent inquiry into the roles played by those whose job it is to ‘listen, hear and act with compassion, speed and proportionality’.
What we learnt
1.14 What follows will not make comfortable reading for many who have dedicated their lives with the best of intentions to delivering high-quality and compassionate treatment and care. We recognise that most people do excellent work most of the time in the health service. They work hard, they work long hours and they came into the healthcare professions to help sick people get better, never more so than during the Covid-19 pandemic. We recognise too that the constituent parts of the healthcare system do for the most part what each is asked to do. But what they have been asked to do is not the solution to the problem as we see it.
1.15 Innovation in medical care has done wonderful things and saved many lives. But innovation without comprehensive pre-market testing and post-marketing surveillance and long-term monitoring of outcomes is, quite simply, dangerous. Crucial opportunities are lost to learn about what works well, what does not, what needs special measures put around its use, and what should be withdrawn because the risks over time outweigh the benefits. Without such information it is not possible for doctors and patients to understand the risks, and patients cannot make informed choices. This applies both to medications and to medical devices.
1.16 The lack of such vigilant, long-term monitoring has been a predominant thread throughout our work. Its absence means that the system does not know the scale of the problems we were asked to investigate:
i. The system does not know, so neither do we, just how many women have been treated for stress urinary incontinence and the repair of pelvic organ prolapse using polypropylene mesh. The system does not know, so neither do we, how many women have been cured of their incontinence, or been successfully treated for their prolapse – only then to experience a long list of life-changing conditions that include loss of sex life, chronic pain, infection, difficulty voiding, recurrent urinary incontinence, permanent nerve damage or damage to surrounding organs, haemorrhage, autoimmune disease and psychiatric injury. We met so many women with limited mobility having to rely on a wheelchair or crutches to move around, unable to sit for periods at a time, unable to play with their children or carry their grandchildren. Living daily with the consequences of the operations and procedures they thought would cure them. The effects of these procedures have caused fractured relationships for some and placed some women and their families in dire financial straits. In short, the system does not know the true long-term complication rate for pelvic mesh procedures. In the absence of such information, it is impossible to know how many women would have chosen a different form of treatment – a different care pathway – if only they had been given the information they needed to make a fully-informed choice;
ii. The system does not know, so neither do we, just how many women over four decades took sodium valproate, a highly effective treatment for managing epilepsy but a known teratogenic medication, who then went on to become pregnant because they had not been properly informed as to the risk they were taking and the options open to them. The system does not know, so neither do we, how many of those children were subsequently born with either significant malformations, developmental delay or autism (now termed Foetal Valproate Spectrum Disorder or FVSD). The research tells us that 10% of unborn children exposed to the medication are likely to suffer physical birth defects such as spina bifida, hare lip and cleft palate, heart problems and limb defects, and 40% will have a developmental delay or autism. The system still does not know where all these valproate-affected children, now adults in many cases, are, or how to contact them to secure the proper diagnosis and assessment of their care needs. The system does not know how to ensure every woman of childbearing age on sodium valproate is continuously monitored, advised of the risks and aware of the Pregnancy Prevention Programme. How then can the system minimise the risk of future babies being damaged by valproate taken in pregnancy?
iii. The system does not know, so neither do we, just how many women took a Hormone Pregnancy Test, such as Primodos, between the 1950s and 1978 when it was withdrawn. The system does not know, so neither do we, how many miscarriages may have occurred after taking this medication, how many of the children born to mothers who took Primodos may have suffered physical malformations or died before reaching adulthood, or how many of those children, now adults, may still be alive and in need of extensive care and support.
1.17 The healthcare system collects a huge amount of information. But it cannot answer these fundamental questions. How then can it spot trends and complications and act swiftly and coherently to protect patients and prevent harm? How then can it design and provide the services that those affected need to lead as full a life as possible? How then can the healthcare system be considered a system for all?
1.18 We heard about the failure of the system to acknowledge when things go wrong for fear of blame and litigation. There is an institutional and professional resistance to changing practice even in the face of mounting safety concerns. There can be a culture of dismissive and arrogant attitudes that only serve to intimidate and confuse. For women there is an added dimension – the widespread and wholly unacceptable labelling of so many symptoms as ‘normal’ and attributable to ‘women’s problems’.
1.19 We heard about a system that does not work in a joined-up fashion, and that lacks the leadership to deliver coherent and fully integrated patient safety policy directives and standards. Mistakes are perpetuated through a culture of denial, a resistance to no-blame learning, and an absence of overall effective accountability. This culture has to change, starting at ground level while being encouraged and supported from the top. Witness Professor Ted Baker, the Care Quality Commission’s (CQC) Chief Inspector of Hospitals, speaking at a recent Patient Safety Learning Conference at The King’s Fund, referring to an ‘insidious culture of defensiveness and blame.’
1.20 We heard about a system that cannot be relied upon to identify promptly significant adverse outcomes arising from a medication or device because it lacks the means to do so. For decades there has been something known as the ‘Yellow Card’ system through which clinicians, and indeed patients, can report suspected adverse reactions to treatment. But it is clear that there is gross under-reporting, and our complaints systems are both too complex and too diffuse to allow early signal detection.
1.21 We heard much said about manufacturers being motivated by sales, speed to market and returns to shareholders; manufacturers who contest their liability to contribute towards help for these patient groups. Those suffering from mesh complications around the world have had to resort to litigation to have the wrongs done to them acknowledged. Valproate-affected families have also failed in their group litigation attempt in the UK. In France it is a government-backed scheme that will pay compensation to those who have suffered one or more complications attributable to Fetal Valproate Spectrum Disorder. HPT-affected families in the UK have one failed litigation behind them although we understand that solicitors are now preparing to file a second group action in the UK in relation to HPTs.
1.22 We heard about the gaps in knowledge and evidence gathering that have already been identified by the National Institute for Health and Care Excellence (NICE), and by others who set the standards for best clinical practice. Crucial research evidence that should help shine a light on what are safe and effective interventions is neither prioritised nor funded. And we heard about research that is funded by manufacturers that never sees the light of day because it is negative or inconclusive for the product in question, or is less than transparent in its declaration of conflicts of interest when positive findings are reported.
1.23 All that we have heard leads us to conclude the system is not safe enough for those taking medications in pregnancy or being treated using new devices and techniques. Patients are being exposed to a risk of harm when they do not need to be. And, while we have looked in detail at only three interventions, we have heard nothing that would lead us to believe that things are different for other surgical procedures and devices or other medications.
1.24 It has taken this Review to shine a light on systemic failings. That the healthcare system itself failed to do so suggests that it has either lost sight of the interests of all those it was set up to serve or does not know how best to do this. The NHS is funded by the taxpayer for the benefit of all of society – current and future. Patients have been affected adversely by poor or indifferent care, have suffered at the hands of clinicians who do not, or who chose not to listen, and have been abandoned by a system that fails to recognise and then correct its mistakes at the earliest opportunity. At times patients have been denied their fundamental right to have the information they need to make fully informed choices. These patients should not have to campaign for years or even decades for their voices to be heard. Patients should not have to find the evidence to say whether the treatments they are being offered are safe and will leave them better off than before. They should not have to join the dots of patient safety. But when they do just that, they deserve to be listened to with respect.
1.25 Medicine has made great strides in what it has been able to do to prolong life and treat the previously untreatable. But along that journey of scientific progress it has also become complex and potentially too dangerous to be left solely in the hands of clinicians. The influence of patients within the NHS and the overall delivery of healthcare needs to be increased to balance the authority both directly and indirectly of those we call stakeholders in the healthcare system – the professionals certainly, but others too, including big pharma. Patients are unable to make decisions that concern what happens to them because of a widespread lack of truly informed consent and a reluctance or inability by those charged with patient care and treatment to listen and, having listened, to act and where necessary remedy mistakes or misjudgements made. We have much more to say about this throughout our report.
1.26 In the following chapters we catalogue a list of missed opportunities. These are moments when something could or should have been done to minimise continuing patient harm in respect of each of the three interventions. We also set out our recommendations below and the justification for them.
1.27 Many will have benefited from pelvic mesh implants. Likewise, sodium valproate will have been an effective treatment for many. But this cannot justify the damage done to those who have suffered without prior knowledge of the dangers they faced – which could take years to present. While the title of our report may not be original, it was chosen with care. ‘FIRST DO NO HARM’ is a fundamental maxim of medical practice – and that has not been the case here. After ‘first do no harm’ comes, of course, ‘NEXT DO SOME GOOD’. We do not want to stifle the medical progress which has enabled many of us to live longer and in better health over the last fifty years. The task for the healthcare system is to get the balance right. It can and must do both.
Our Recommendations
1.28 Our Terms of Reference required us to investigate whether the response of the healthcare system was sufficiently robust, speedy and appropriate. In the following chapters we will show that it was not, resulting in avoidable harm. The passage of time between the concerns being raised and the effectiveness of actions taken to address those concerns and then to investigate and learn the lessons – decades in the case of sodium valproate and Primodos – demonstrably added to the suffering and pain of those affected. The system, and those that oversee it, need to acknowledge what has gone so badly wrong.
Recommendation 1:
The Government should immediately issue a fulsome apology on behalf of the healthcare system to the families affected by Primodos, sodium valproate and pelvic mesh.
1.29 The patient voice and influence within the NHS and the overall delivery of health care needs to be strengthened. The failure of the healthcare system to respond to patient concerns is a recurrent theme, most recently raised by the Paterson Inquiry. Patients often know when something has gone wrong with their treatment. All too often they are the first to know. Their experience must no longer be considered anecdotal and weighted least in the hierarchy of evidence-based medicine.
1.30 We do not need another re-organisation of the NHS to get this right; we do not need another regulatory body in an already crowded field. But we do need a new voice, with statutory powers, to talk and act from the perspective of the patient, to encourage the system to do what needs to be done and hold it to account. We need a person of standing who sits outside the healthcare system and who is accountable to Parliament through the Health and Social Care Select Committee. This new voice, which we are calling the Patient Safety Commissioner, would continue the work this Review has started, in pressing the system to take timely action where action is called for to minimise harm.
1.31 This new Commissioner would champion the patient voice and from this unique perspective would support and encourage the efforts of the healthcare system to improve patient safety around the use of medicines and medical devices. The Commissioner would lead, with full patient group engagement and involvement, on developing a set of principles of Better Patient Safety that would govern the way the Commissioner fulfilled her or his remit.
1.32 Where there are areas of concern related to the use of medicines and devices, the healthcare system will need to satisfy the Patient Safety Commissioner on the outcomes required for change, who is responsible for delivery and who will take the lead on co-ordination. The Patient Safety Commissioner will wish to monitor the effectiveness of the outcomes.
Recommendation 2:
The appointment of a Patient Safety Commissioner who would be an independent public leader with a statutory responsibility. The Commissioner would champion the value of listening to patients and promoting users’ perspectives in seeking improvements to patient safety around the use of medicines and medical devices.
1.33 Litigation has, so far, not served our patient groups well. We would not wish to remove the option to litigate, but for the future we propose a Redress Agency. This agency would supplement the current systems for resolution of disputes between patients and the healthcare system. This Redress Agency is not about addressing the needs of those already affected by the three interventions considered by this Review - these are addressed by Recommendation 4. It is about creating a new way of delivering redress in the future. There are precedents for this both in the UK and abroad, see Appendix 3.
1.34 The Redress Agency will provide a standing structure which is easy for patients to access and use. Rather than blaming individuals, decisions will be based on avoidable harm looking at systemic failings. This will encourage reporting by clinicians and so provide faster resolution for claimants. The Redress Agency will administer decisions using a non-adversarial process. The support or redress offered could be both financial and non-monetary.
1.35 To enable flexibility to adapt and respond to situations as they arise, different injury types would have separate schemes. Each scheme would have its own eligibility criteria and its own funding. A levy for pharmaceuticals could be paid into a pharmaceuticals scheme and separately a levy for medical devices could be paid into a medical devices scheme. Placing such products on the UK market should be made conditional upon contributing to a scheme. The Redress Agency would administer these schemes.
1.36 The costs of running the Redress Agency could be met by contributions from manufacturers and the state, but it must be situated outside the current organisations and the exercise of its functions must be entirely independent.
1.37 Those responsible for the Redress Agency will have an important role to play in harm prevention as adverse event reports would be centralised, so enabling data to be provided that will help regulators detect signals earlier.
Recommendation 3:
A new independent Redress Agency for those harmed by medicines and medical devices should be created based on models operating effectively in other countries. The Redress Agency will administer decisions using a non-adversarial process with determinations based on avoidable harm looking at systemic failings, rather than blaming individuals.
1.38 In our view all three of the interventions have caused avoidable psychological harm in some patients. It is clear that mesh has caused significant physical harm and valproate has caused physical and neurodevelopmental harm. We believe that the state and manufacturers have an ethical responsibility to provide ex gratia payments to those who have experienced avoidable damage from the interventions we have reviewed. We recommend these schemes provide discretionary payments. Each of the three interventions should have its own scheme with tailored eligibility criteria. These payments are not intended to cover the costs of services which are available free of charge, such as health care and social security payments, but rather for other needs that could, for example, include travel to medical appointments, respite breaks or emergency payments where a parent has had to stop working to cover care. Patients have waited far too long for redress. Any scheme must be set up promptly. However, each should be structured so that it can be incorporated into the wider Redress Agency for the future as set out in Recommendation 3.
1.39 Individuals who obtain compensation from litigation or from out of court settlements (like J&J’s Scottish pelvic mesh settlement) will not need recourse to these schemes.
Recommendation 4:
Separate schemes should be set up for each intervention – HPTs, valproate and pelvic mesh – to meet the cost of providing additional care and support to those who have experienced avoidable harm and are eligible to claim.
1.40 We believe that those harmed are due not only an apology but better care and support through specialist centres: specialist centres for mesh, and separately specialist centres for those affected by medications taken during pregnancy. As well as meeting clinical needs, these centres should act as a one stop shop, able to signpost and refer patients to other services including educational, social and welfare. NHS England as the commissioner should collaborate with other government bodies which provide these services. As centres of excellence, such centres should have the responsibility to research better treatments and to audit outcomes. We have been in discussions with NHS England about commissioning these centres. At the time of writing, the commissioning process for specialist mesh centres is ongoing and we have been actively engaged in this process, see Chapter 5, paragraphs 5.12 – 5.13.
Recommendation 5:
Networks of specialist centres should be set up to provide comprehensive treatment, care and advice for those affected by implanted mesh; and separately for those adversely affected by medications taken during pregnancy.
1.41 Post Brexit, the Medicines and Healthcare products Regulatory Agency (MHRA) will have to change, as indeed it recognises. This provides an opportunity to bring much needed cultural and legislative reform and to become more public-facing. The MHRA does not have the public profile of some other international regulators, such as the US Food and Drugs Administration (FDA). If they have concerns, patients need to know what the MHRA does and how to contact it. The MHRA must work both for patients and with them. Reform, underpinned by legislation, is needed so that the views of patients are systematically listened to and their experiences of medications and devices are used to inform licensing and regulatory decisions. These strategic themes are further explored in Chapter 2 Theme 11.
1.42 For both medicines and medical devices there is a need for more robust, publicly accessible post-marketing surveillance. This should include mandatory requirements on healthcare organisations to report adverse events within a designated time period. The MHRA should provide assessments of the risks of individual medicines or devices and of classes of medicines or device where one or more members of the class carries an elevated risk.
1.43 The spontaneous reporting platform for medicines and devices, the Yellow Card system, needs reform. It needs to provide a user-friendly, accessible, transparent repository of adverse event reports. We recognise that the MHRA has previously tried to persuade other EU member states to be more open over adverse device reports. In our view openness and transparency should be a statutory requirement for adverse event reporting in the UK. The MHRA should be required to invite representatives of those who report adverse events (both patients and healthcare professionals) to be involved in evaluating and making decisions on specific safety concerns.
1.44 Medicines have to pass tests of quality, safety and efficacy before reaching the market. Medical devices are less rigorously examined before they are first marketed. This is because devices continually evolve, so by the time a clinical trial was complete the device may be onto a new iteration. Unlike medicines many implantable medical devices are intended to be permanent.
1.45 At present the MHRA has no involvement in the pre-market phase of medical device development. It should develop a proactive regulatory role for devices that is more akin to the licensing of medicines; this must be clinically focussed and at least as stringent as the new EU Medical Devices Regulations (MDR). The MHRA should keep a register of all devices approved for the UK market. Manufacturers should be required to apply to the MHRA before marketing their device. The MHRA should assess the application in a way that is proportionate to the risks posed taking into account relevant factors such as, the evidence base supplied, approvals in other jurisdictions, and the post-marketing surveillance plans. If approved a device will be added to the register. Marketing approval for devices should be a staged process, progressing to wider use and dissemination of the device as more information becomes available. In the event of an issue with a device the MHRA must have the power to remove a device from the register. Given there are an estimated 600,000 or more devices on the market we recognise that initially this will almost certainly involve some ‘grandfathering’ of currently marketed devices.
Recommendation 6:
The MHRA needs substantial revision, particularly in relation to adverse event reporting and medical device regulation. It needs to ensure that it engages more with patients and their outcomes. It needs to raise awareness of its public protection roles and to ensure that patients have an integral role in its work.
1.46 Post-market surveillance for devices and medicines needs to be high-quality and comprehensive, and it can be greatly facilitated by digital technology and big data. It became apparent to us that there were problems with obtaining comprehensive data and creating registries. We know that mature registries can deliver good-quality long-term outcome data using measures that matter to patients. They are, however, few and far between and all too often prompted by catastrophe.
1.47 We propose a two-stage process for data gathering. Firstly, the setting up of a mesh database with comprehensive coverage. In November 2019 the Secretary of State accepted what we had to say and mandated the requisite data collection by NHS Digital. The second stage will consist of establishing a mesh registry or registries to investigate specific issues in depth. Contact information can be extracted from a database into the registry to enable this research to take place.
1.48 Ultimately the goal must be to establish a database for all implantable medical devices, which can feed into registries as required.
1.49 While this recommendation focuses on medical devices, consideration should be given to the creation of comparable databases for specific medications, for example the use of medications during pregnancy.
Recommendation 7:
A central patient-identifiable database should be created by collecting key details of the implantation of all devices at the time of the operation. This can then be linked to specifically created registers to research and audit the outcomes both in terms of the device safety and patient reported outcomes measures.
1.50 We have been concerned by conflicts of interest, both potential and real, in the provision of care or treatment, particularly where doctors have financial and other links with the pharmaceutical and medical device companies. Currently there is no central register of clinicians’ financial and non-financial interests.
1.51 Other regulators should consider similar requirements as necessary, and the Professional Standards Authority should evaluate whether conflicts of interests have been adequately declared.
1.52 There is also no easily accessible means of identifying the accredited competencies of individual clinicians. The General Medical Council (GMC) has introduced registration for GPs and for specialists who want to practise as consultants. We recommend that this should be expanded to include all doctors’ particular clinical interests (and any supporting accreditation).
1.53 We believe that responsibility for transparency of interests should not lie only with the medical profession. Medicines and medical device manufacturers should also ensure that they publish details of payments and payments in kind that they make to teaching hospitals, research institutions and individuals. This should be a statutory requirement similar to the Physician Payments Sunshine Act 2010 in the US. Consideration should be given as to where these disclosures should be published, including potentially expanding Disclosure UK and making it mandatory.
Recommendation 8:
Transparency of payments made to clinicians needs to improve. The register of the General Medical Council (GMC) should be expanded to include a list of financial and non-pecuniary interests for all doctors, as well as doctors’ particular clinical interests and their recognised and accredited specialisms. In addition, there should be mandatory reporting for pharmaceutical and medical device industries of payments made to teaching hospitals, research institutions and individual clinicians.
1.54 Our recommendations are designed to reduce the risk of similar cases of avoidable harm in future and to pave the way for a healthcare system that looks and feels very different from the past. It should not take years of campaigning by patients and yet another series of reviews or inquiries to achieve this.
1.55 We hope this Government, and all those bodies that comprise the healthcare system, will take heed of what we have to say, and that our recommendations, if accepted in full as we believe they should be, will be implemented with real determination and a sense of urgency. Our final recommendation shifts the focus to implementation.
Recommendation 9:
The Government should immediately set up a task force to implement this Review’s recommendations. Its first task should be to set out a timeline for their implementation.
Australian Cyber Security Strategy
The Industry Advisory Panel on Australia’s 2020 Cyber Security Strategy appears to be underwhelmed by the Commonwealth government's approach. In its report this week it comments
Technology now sits at the very heart of the lives of most Australians and increasingly shapes our economy, our society and our future. It is fast changing how we live, learn and work as well as creating incredible new opportunities, efficiencies and benefits - from remote working to digitised global supply chains, from tele-health to e-commerce. The Federal Government is clear-eyed about the opportunities:
“Our Government’s goal is for Australia to be a leading digital economy by 2030. Our degree of success will be critical to income growth and job creation over the next decade and beyond. Our extensive policy agenda encompasses digital access, connectivity, consumer data and competition policy, government service delivery and skills development, trade and global e-commerce governance, as well as the necessary focus on security and privacy concerns.” Prime Minister Scott Morrison, BCA annual dinner keynote, 21 November 2019
The scope and timing of that ambition is well placed. As we enter the 2020s the world is on the exciting cusp of a fourth industrial revolution driven by connectivity and digital technologies. Artificial intelligence, sensors, autonomous machines and systems, edge compute, augmented reality and 5G will combine to create incredible new products and services, infuse the physical world with digital, revolutionise business operations, elevate human work, and serve customers and citizens in many new ways.
All of this was true before the emergence of the COVID pandemic which has only further underlined the importance of the digital economy in Australia. In responding to COVID, mandatory social distancing and self-isolation means healthcare, education, work and commerce and even staying in touch with friends and family are largely being done online. Looking beyond this crisis, technology and our ability and willingness to embrace the digital world has now emerged as central to a rapid economic recovery.
With so much at stake, robust and effective cyber security has never been more important and the 2020 Cyber Security Strategy Industry Advisory Panel welcomed the opportunity to contribute to that outcome.
Australia’s 2020 Cyber Security Strategy
The Panel were engaged in late 2019 at a time when the Federal Government were reviewing the progress of the landmark 2016 Cyber Security Strategy. This work led to the establishment of the Joint Cyber Security Centres, creation of cyber.gov.au as a one-stop-shop for cyber security advice and the establishment of key leadership positions including the Ambassador for Cyber Affairs.
Despite these achievements the Government acknowledged that significant and ongoing changes in the scope, scale and sophistication of cyber threats required an evolution in our approach to cyber security as a nation. Minister for Home Affairs, Peter Dutton, has described how meeting the evolving cyber challenge is key to Australia’s economic prosperity and national security. In September 2019 he said:
“Cyber security has never been more important to Australia’s economic prosperity and national security. In 2016, the Australian Government delivered its landmark Cyber Security Strategy, which invested $230 million to foster a safer internet for all Australians. Despite making strong progress against the goals set in 2016, the threat environment has changed significantly and we need to adapt our approach to improve the security of business and the community.” “Cyber criminals are more abundant and better resourced, state actors have become more sophisticated and emboldened, and more of our economy is connecting online. Cyber security incidents have been estimated to cost Australian businesses up to $29 billion per year and cybercrime affected almost one in three Australian adults in 2018.”
This escalation in malicious cyber activity has only increased during COVID as we have been forced to work, learn and connect from home, outside of some of our usual security frameworks. We are seeing malicious actors including criminals and state based actors exploiting this opportunity to their own advantage, to the significant risk and detriment of Australian citizens.
On 30 June 2020, Prime Minister Scott Morrison pointed to the urgency of the issue: “The Federal Government’s top priority is protecting our nation’s economy, national security and sovereignty. Malicious cyber activity undermines that.” Australia’s ability to prosper as a digital economy can be enhanced if we increase our investment in our cyber defences. We must move to comprehensively protect ourselves and our businesses from cybercrime, protect our national infrastructure and improve the security of our institutions – including our democratic electoral processes, which have been the subject of malicious cyber-attack in other parts of the world. It is crucial we act quickly and decisively.
The 2020 Cyber Security Strategy Industry Advisory Panel was formed in November 2019 and asked to provide advice from an industry perspective on best practices in cyber security and related fields; emerging cyber security trends and threats; key strategic priorities for the 2020 Cyber Security Strategy; significant obstacles and barriers for the delivery of the 2020 Cyber Security Strategy; and the effect of proposed initiatives on different elements of the economy, both domestic and international.
The Panel met 13 times between November 2019 and July 2020, including two meetings with Minister Dutton and formal briefings, including some classified, from the Department of Home Affairs, the Australian Signals Directorate, the Attorney-General’s Department, the Department of the Treasury, the Australian Competition and Consumer Commission, the then Department of Communications and the Arts, the eSafety Commissioner, the Australian Federal Police, the Australian Security Intelligence Organisation, the Cyber Security Cooperative Research Centre and AustCyber.
After broad consultation and careful deliberation, the 2020 Cyber Security Strategy Industry Advisory Panel has developed a series of recommendations that we believe strike the right balance between increasing our cyber defences, promoting the development of a digital economy and countering threats to our economy, safety, sovereignty and national security.
The Panel’s recommendations are structured around a framework with five key pillars:
- Deterrence: deterring malicious actors from targeting Australia.
- Prevention: preventing people and sectors in Australia from being compromised online.
- Detection: identifying and responding quickly to cyber security threats.
- Resilience: minimising the impact of cyber security incidents.
- Investment: investing in essential cyber security enablers.
On deterrence, we recommend that the Government establish clear consequences for those targeting Australia and people living in Australia. A key priority is increasing transparency on Government investigative activity with more frequent attribution and consequences applied where appropriate. Strengthening the Australian Cyber Security Centre’s ability to disrupt cyber criminals by targeting the proceeds of cybercrime derived both domestically and internationally is a priority.
On prevention, the recommendations include the pursuit of initiatives that make businesses and citizens in Australia harder to compromise online. This includes a clear definition for critical infrastructure and systems of national significance with a view to capturing all essential services and functions in the public and private sectors; consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for owners and operators of critical infrastructure and systems of national significance; measures to build trust in technology markets through transparency such as product labelling; and the extension of existing legislative and regulatory frameworks relevant in the physical world to the online world. Ultimately cybercrime is just crime, cyber espionage is just espionage and hacktivism is just activism online.
All levels of Government should take steps to better protect public sector networks from cyber security threats. Government agencies should be required to achieve the same or higher levels of protection as privately-owned critical infrastructure operators. Different levels of government should collaborate to share best practices and lessons learned. Ultimately Governments should be exemplars of cyber security best practice and Australian governments have some way to go in achieving this aspiration.
On detection, recommendations include that Government establish automated, real-time and bi-directional threat sharing mechanisms between industry and Government, beginning with critical infrastructure sectors. Government should also empower industry to automatically block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’.
On resilience, recommendations include the development of proactive mitigation strategies and strengthening of systems essential for end-to-end resilience. Government should strengthen the incident response and victim support options already in place. Speed is key when it comes to recovering from cyber incidents and Government should hold regular large scale and cross-sectoral cyber security incident response exercises to improve the readiness of interdependent critical infrastructure providers and government agencies.
Resilience includes both the ability to recover from a cyber-attack as well as the redundancy designed-in to systems and processes. In other words, a key factor influencing the ability to recover is the level of redundancy present in systems in the first place. It is important to also call out that a number of recommendations to build resilience relate to the role of the individual, in particular around building cyber awareness. In this regard there is an important distinction between cyber security (which means protecting data and information networks and critical infrastructure functions) and cyber safety (which means protecting users from harmful online content). The fundamental ability to participate safely online is the difference between enjoying the internet’s abundant information resources and opportunities, and being a potential victim of a cybercrime.
On investment, recommendations support the ongoing development of highly specialised and effective capabilities exemplified by the Australian Cyber Security Centre and the state-based Joint Cyber Security Centres. This existing capability should be substantially increased and enhanced through significant investment and a more integrated governance structure that maintains an industry leadership role. It is going to be a critical enabler to the success of the 2020 Cyber Security Strategy.
The Panel is also of the view that it is important for Government and industry to continue to invest in cyber skills development and security risk management in Australia. Good enterprise security management includes all aspects of securing people, property and technology. This skills investment is recommended at both a professional and specialist skills level and also more broadly, and should include primary, secondary and tertiary courses (including programs that focus on all aspects of enterprise security risk management, particularly cyber skills uplift). Importantly many of these skills should be built as foundational requirements in science, maths, engineering and technology. Although the cyber skills and awareness of directors on the boards of Australia’s listed companies has been developed in recent years, there is opportunity for further development and support.
Within this framework of 60 recommendations sit 25 high priority and 35 other recommendations that address the full spectrum of cyber security threats – from the ‘routine’ threats that target vulnerable people in Australia every day to sophisticated ‘state actor’ cyber-attacks that threaten our economy, safety, sovereignty and national security. The Panel recommends that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first.
State, territory and local governments should also be considered key implementation partners for all elements of the Strategy. We encourage the Australian Government to establish formal mechanisms to ensure ongoing engagement with all levels of government.
Clear roles and responsibilities
Cyber threats continue to shift and evolve and, as the threats evolve, so must our response. The recommendations we propose are built around creating robust and adaptable defences as threats emerge and technologies and opportunities change.
It is important to recognise that effective cyber defences involve more than just investment dollars. Our report highlights that an effective response includes fundamentally organising and governing differently to ensure more efficient and effective use of resources and aligning cyber security imperatives across Australia. This requires clearly defined roles, responsibilities and authorities to be established and the Federal Government’s role in leading and coordinating the national effort is therefore critical. Ultimately the Government is in a unique position with access to information and tools which mean that in particular circumstances it is the appropriate party to lead our cyber defence. This is not only about the Federal Government but effective coordination with other tiers of Government. Government also plays an important role partnering with industry, as well as broadening community awareness and skills in adequately addressing cyber issues.
If Australia’s cyber security is well organised and well governed then the application of all resources - public, private, people, infrastructure and capital investment – will achieve far more efficient and effective results. This was an important learning from the 2016 Cyber Strategy.
The only way to look at cyber security is as a team. Large enterprises, small and medium businesses and Government all have shared platforms, common customers, and all are the target of attacks. We all therefore play a role, and share an accountability, in keeping Australians safe.
Implementation
The 2020 Strategy will be largely measured based on how well it is implemented and whether it meets or exceeds objective and bold metrics. During consultation, some stakeholders viewed implementation of the 2016 Cyber Security Strategy as being limited by regular changes in governance arrangements, lack of clarity about the roles of different government departments and inconsistent public communication. We encourage the Government to create strong governance and evaluation mechanisms around the 2020 Strategy. Data collection and evaluation, based on a maturity framework, should be afforded a high priority. A standing industry advisory panel could be established to advise the Minister for Home Affairs on cyber security matters and implementation of the 2020 Strategy on an ongoing basis strengthening the important link between Government and industry. Such a panel should have appropriate representation from across business, academia and the community. State and territory governments should be closely involved in implementation of the Strategy. It would be appropriate for state and territories to be represented on the public service committee responsible for implementing the Strategy.
Never a more important time
The Australian Government deserves real credit for the leadership it has shown on cyber security, including through the development of Australia’s 2020 Cyber Security Strategy and the announcement of a $1.35 billion investment (Cyber Enhanced Situational Awareness and Response package) over the next 10 years which will support a number of the key recommendations set out in this report. With robust cyber security critical for our economic prosperity, international competitiveness and national security, this work will only become more important as Australia continues to digitise in the future. The Chair of the Panel, Andy Penn, describes the opportunity and the challenge ahead:
“The beginning of the 2020s has been marked by a period of profound disruption for Australia with the devastating bushfires and the COVID virus. At the same time and as we progress further into the decade we will also experience an extraordinary new era of technology innovation. As an optimist I am convinced we will adapt and technology will help to solve some of society’s biggest challenges and realise some of its biggest opportunities. But at the same time, this period of working and studying from home and the accelerated trend to a digital economy are exposing us to a more vulnerable environment of cyber threats. We are seeing increased levels of malicious cyber activity both state based and criminal. Successfully meeting this challenge requires upgrading Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is coordinated, integrated and capable. The 2020 Cyber Security Strategy has an opportunity to be all of those things and provide an enormous – and never more important - contribution to a safer, more prosperous Australia.”
The Panel appreciate the opportunity to have worked with the Australian Government to build Australia’s cyber defences through the 2020 Cyber Security Strategy and look forward to the key initiatives emanating from this work - they could not arrive at a more important time.
List of Recommendations
Objective 1: There are clear consequences for targeting Australians
In considering how Australia can increase the consequences of malicious cyber activity for nation states and cyber criminals, the 2020 Cyber Security Strategy should as an immediate priority:
1 Target the growing volume of cybercrime by increasing operational-level cooperation with states, territories, and international partners leveraging the Australian Cyber Security Centre and Joint Cyber Security Centres.
2 Increase the Australian Cyber Security Centre’s ability to disrupt cyber criminals on the Dark Web and to target the proceeds of cybercrime.
3 Leverage existing cybercrime awareness raising campaigns to better inform businesses and individuals about new and emerging cybercrime threats to them.
4 Hold malicious actors accountable via enhanced law enforcement, diplomatic means, and economic sanctions or otherwise as appropriate.
5 Work with industry to better inform threat visibility and Government attribution activities where appropriate.
6 The Australian Government should openly describe and advocate the actions it may take in response to a serious cyber security incident to deter malicious cyber actors from targeting Australia.
7 Promote international law and continue to embed norms of responsible state behaviour online, in particular those that relate to the protection of critical infrastructure serving the public and deterring malicious cyber activity including intellectual property theft and ransomware attacks.
Objective 2: Cyber risks are owned by those best placed to manage them
In considering how Australia can improve cyber security risk management across the economy and for critical infrastructure, the 2020 Cyber Security Strategy should as an immediate priority:
8 Review the Australian Government’s definition for critical infrastructure with a view to capturing all essential systems and functions in the public and private sectors and supply chains, including digital infrastructure such as data centres, that address all systems of national significance.
9 Introduce consistent, principles-based requirements to implement reasonable protection against cyber threats (where needed) for owners and operators of critical infrastructure (regardless of whether owned or operated by Government or private), with measurement based on a fit-for-purpose cyber maturity-based framework. In alignment with international best practice, this should leverage rather than duplicate existing sectoral regulations and minimise regulatory burden.
We further recommend that the 2020 Cyber Security Strategy should:
10 Review Australia’s legislative environment for cyber security to ensure that suppliers of digital products and services have appropriate obligations to protect their customers.
11 Strongly encourage major vendors to sign-up to a voluntary ‘secure by design’ charter to leverage international best practice.
Objective 3: Australians practise safe behaviours at home and at work
In considering how Australia can reduce human risk factors in cyber security, the 2020 Cyber Security Strategy should as an immediate priority:
12 Unify all Government messaging on online safety and cyber security awareness raising, noting that existing campaigns run by different Government agencies share a common audience who do not distinguish between different online issues. Government should speak with one voice. Campaigns should be age and sector appropriate.
13 Increase assistance to small and medium businesses and the community through cyber security toolkits, trusted advice and practical assistance.
14 Partner with industry to increase the scale, reach and impact/effectiveness of cyber security awareness raising campaigns, including through co-design and co-funding where appropriate.
15 Incentivise large businesses to provide cyber security support to small and medium businesses in their supply chain and customer base.
Objective 4: Government is a cyber security exemplar
In considering how the Australian Government can improve trust in the cyber security of its own systems and networks, the 2020 Cyber Security Strategy should as an immediate priority:
16 Make Australian governments exemplars of enterprise security risk management, including cyber security, physical security and personnel security.
17 Require Government agencies providing essential services to meet the same cyber security standards as privately owned critical infrastructure, with increased accountability and oversight.
18 Prioritise the decommissioning or hardening of vulnerable legacy systems as part of an accelerated shift towards secure cloud based services.
We further recommend that the 2020 Cyber Security Strategy should:
19 Better coordinate digital procurement decisions across Government, with a view to negotiating best practice outcomes and where appropriate cost savings with common vendors.
20 Leverage Government procurement processes to improve cyber security through purchasing products and services with higher standards.
21 Require larger, more capable Government departments to provide cyber security services to smaller agencies on a basis that is uniform, consistent and risk based.
22 Fund the Australian Cyber Security Centre (ACSC) to continue its rolling program of cyber security improvements (but not audits) for other Australian Government agencies. Given the ACSC essentially provides a second line of defence role in risk management terminology, audit should be undertaken by a separate agency.
Objective 5: Trusted goods, services and supply chains
In considering how Australia can encourage the development of a digital technology market where security is built-in across the supply chain, the 2020 Cyber Security Strategy should as an immediate priority:
23 Increase investment in cyber security research and development, including basic sciences, and coordinate state and territory-led research and development at the national level. This will enable Government to maximise economic opportunities and drive national security outcomes.
24 Work with industry to increase Australia’s role in shaping international cyber security standards.
25 Work with industry and likeminded nations to encourage diversity, transparency and competition in digital supply chains.
We further recommend that the 2020 Cyber Security Strategy should:
26 Develop a program to identify and assess emerging threats and emerging technologies that could introduce new vulnerabilities leveraging Australia’s global leadership in policy development related to cyber risks. The CSIRO and Defence Science and Technology are two existing national agencies that could be leveraged to support the development of this program.
27 Obtain industry consensus around what cyber security standards should be used in Australia and accelerate the adoption of these standards to ensure digital products and services are ‘secure by design’.
28 Require increased recognition and adoption of specific cyber security standards in Australia.
29 Implement a dynamic accreditation or mandatory cyber security labelling scheme so that consumers can make informed choices about their own cyber security (recognising that accreditations and product labelling will need to take account of changes in technology).
30 Work with the emerging cyber insurance industry to improve access to reliable actuarial data and develop best practice approaches to nudging the cyber security hygiene of policy holders.
31 Build transparency into critical and emerging technology supply chains to enable consumers to trust the cyber security of their devices.
32 Consider mandatory requirements or certification of supply chains for software and hardware supporting critical infrastructure.
Objective 6: Comprehensive situational awareness enables action
In considering how the Government and industry can improve the timeliness and quality of threat information sharing to better anticipate and respond to threats, the 2020 Cyber Security Strategy should as an immediate priority:
33 Establish automated, real-time and bi-directional threat sharing mechanisms between Government and industry, beginning with critical infrastructure sectors.
We further recommend that the 2020 Cyber Security Strategy should:
35 Consider the development of ‘safe harbour’ legislative provisions that give industry certainty about the information it can voluntarily share with other organisations to prevent or respond to cyber security threats.
36 Resume the publication of annual reports on the state of cyber security threats to Australia.
Objective 7: Effective incident response options and victim support
In considering how Government and industry can create and sustain a high level of preparedness for incidents and improve support to victims, the 2020 Cyber Security Strategy should as an immediate priority:
34 Empower industry to automatically block a greater proportion of known cyber security threats in real-time, including by providing legislative certainty.
37 Map in partnership with industry, the resilience of critical infrastructure networks, with a view to increasing maturity levels over time.
38 Identify and assess in partnership with industry interdependencies, single points of failure and consolidation risk to enable better understanding of cyber risk.
39 Work with industry to agree a unique set of circumstances in relation to critical infrastructure and systems of national significance where it would be necessary for Government to provide reasonable assistance to Australian businesses during a cyber security emergency, and define suitable oversight and thresholds for action.
40 Provide additional funding to not-for-profit organisations that support victims of cybercrime and communicate their role and existence to the community.
We further recommend that the 2020 Cyber Security Strategy should:
41 Hold a large scale and cross-sectoral cyber security incident response exercise at least every two years to improve national coordination and incident response readiness of interdependent critical infrastructure providers and government agencies. Exercises should include links to international activities where appropriate.
42 Include industry in Australia’s formal incident response plans by amending the national Cyber Incident Management Arrangements.
Enabler 1: The Australian Signals Directorate’s Joint Cyber Security Centres (JCSCs)
Recognising the JCSCs are the local offices of the Australian Cyber Security Centre, the 2020 Cyber Security Strategy should as an immediate priority:
43 Establish a national board chaired by ASD (with industry co-chair) and including industry representation to strengthen the strategic leadership of the Joint Cyber Security Centres, underpinned by a charter outlining the JCSCs’ scope and deliverables.
44 Fund ASD to provide enhanced technical and consulting cyber services to industry through the JCSC Program, including a greater focus on information sharing.
We further recommend that the 2020 Cyber Security Strategy should:
45 Create a staff exchange program between the ACSC, academia and industry to enable cross-sectoral collaboration and information sharing. The CSIRO and Defence Science and Technology could be leveraged to support the engagement between academia and industry.
46 Dedicate additional JCSC resources to engage with local governments.
Enabler 2: Cyber security skills
In considering how Government, industry and academia improve risk postures by strengthening the pipeline of skilled cyber security professionals, the 2020 Cyber Security Strategy should:
47 Position the Australian Government to take a national leadership role in addressing Australia’s cyber security skills shortage.
48 Work with professional bodies and academia to include cyber security education in adjunct technical fields such as engineering and data science and extend cyber skills training to company directors.
49 Consider creating an internationally aligned accreditation scheme to recognise the skills, experience and qualifications of cyber security professionals in both technical and management roles. This should include mapping the equivalency of existing qualifications.
50 Adopt a national framework that defines the roles that make up the cyber security profession. Use this framework to develop a national workforce planning program for the cyber security profession.
51 Consider additional incentives to attract and retain Government cyber security specialists.
52 Strengthen voluntary professional accreditation of university cyber security courses, to provide greater assurance to students and employers that courses are meeting contemporary industry demands.
53 Develop targeted cyber security programs in primary and high school to inspire young people to take up a career in cyber security, and build foundational skills in science, maths, engineering and technology.
54 Undertake a regular survey across Government and business to better understand the size of cyber security skills shortage in Australia and evaluate new programs under the 2020 Cyber Security Strategy.
Enabler 3: Intelligence and Assessment
The Panel recognises the importance of intelligence-led efforts to combat malicious cyber activity and acknowledges that this is primarily a matter for Government. The Panel is of the view that successful implementation of the recommendations above relating to Objective 1 (Clear consequences for targeting Australia and Australians), Objective 6 (Comprehensive situational awareness enables action) and Enabler 1 (The Australian Signals Directorate’s Joint Cyber Security Centres) will support Government to enhance the delivery of this enabler. The Panel encourages the Government to be open and transparent about its knowledge of the threat environment wherever possible, including by declassifying information when appropriate, increasing proactive cyber threat briefings to security cleared industry personnel with a need to know, and sponsoring greater numbers of industry representatives to obtain security clearances.
Enabler 4: Governance
In considering how Government should manage implementation of the Strategy, including oversight arrangements, ongoing industry consultation and reporting mechanisms, the 2020 Cyber Security Strategy should as an immediate priority:
55 Include state and territory Governments in development, implementation and monitoring of all relevant initiatives under the 2020 Cyber Security Strategy.
We further recommend that the 2020 Cyber Security Strategy should:
56 Appoint an industry advisory panel to advise the Government on cyber security on an ongoing basis, including on the implementation of the 2020 Cyber Security Strategy. The panel should work with the accountable Government agency or department responsible for implementing the Strategy, while reporting to the Minister for Home Affairs.
57 Task the industry advisory panel to publish an annual progress report on implementation of the 2020 Cyber Security Strategy and emerging cyber security threats and priorities for Australia from an industry perspective.
Enabler 5: Evidence and Evaluation
In considering the best practice approaches to evidence collection and evaluation that can inform implementation of the Strategy and future policy making, the 2020 Cyber Security Strategy should:
58 Adopt a maturity model approach to evidence and evaluation.
59 Invest in improved data collection, research and analysis to underpin evaluation of the performance against the metrics of the 2020 Cyber Security Strategy. This should include periodic surveys of the cyber security maturity of public and private sector organisations.
60 Publish regular updates on implementation of the 2020 Cyber Security Strategy and periodically review and refresh the Strategy every 2 or 4 years.