Denham Sadler
July 23, 2018
MHR legislation contradicts agency
Health Records
The agency behind the federal government’s troubled My Health Record service is continuing to maintain that it would not hand over sensitive medical information to authorities without a warrant, despite the legislation underpinning the system not reflecting this.
It comes as politicians from both sides of politics raised concerns with the electronic health record and confirmed they would opt-out from the service.
The Opposition has broken from its bipartisan position and called on government to extend the three month opt-out period as a result of the ongoing security and privacy concerns, and a lack of communication.
A primary concern about My Health Record (MHR) is the potential for the sensitive medical data stored on it to be accessed by government agencies such as the ATO or Centrelink, or passed on law enforcement.
In response to criticism based on these concerns, the Australian Digital Health Agency (ADHA) has said that it will not be handing over any data without a court-issued warrant.
“The ADHA has not and will not release any documents without a court / coronial or similar order. No documents have been released in the last six years and none will be released in the future without a court order / coronial or similar order,” the agency said.
“Additionally, no other government agencies have direct access to the My Health record system, other than the system operator.”
This is in direct contrast to what is actually stated in the legislation underpinning MHR, which is much broader in allowing for the access of data.
Section 70 of the My Health Record Act says the agency only has to “reasonably believe” that the disclosure of information is “reasonably necessary” to prevent, detect, investigate, prosecute or punish criminal offences, for the enforcement of laws, or the “protection of the public revenue”.
The ADHA’s own privacy policy is much stricter in this interpretation.
“The law does not permit direct access by any third party to the My Health Record system, unless they are providing healthcare to an individual," the policy says. "Section 70 of My Health Record Act 2012, the ADHA as the system operator of MHR has formally placed on the record that it will not approve the release of any individual’s personal or health information to a third party unless it is required to by law.”
“Law enforcement agencies cannot access a MHR and would need to apply to the agency for access.”
But the fact that this is not reflected in the legislation has concerned many civil and digital rights advocates, leading to calls for the Act to be amended.
“So far ADHA has chosen to respond to people’s concerns about third-party access to data with hand-waving and bluster. That doesn’t ally people’s legitimate concerns about the operation of the My Health Records Act, and in particular section 70,” Electronic Frontiers Australia (EFA) board-member Justin Warren told InnovationAus.com.
“The legislation clearly states that broadly defined ‘enforcement bodies’ such as state and federal police, Home Affairs, ASIC, potentially even Centrelink, can access My Health Record information without a warrant, and for purposes including ‘protection of the public revenue’.
“Claims that ADHA has a policy of requiring a warrant doesn’t change what the law says, and a mere policy could change at any time, Mr Warren said.
“People don’t want their health information privacy subject to the whims of ADHA’s management of the day. We need to be confident about who can see our health information, and under what circumstances.”
Health minister Greg Hunt has also said that is “incorrect” to say that law enforcement would be able to access MHR without a court order.
“The Digital Health Agency is clear and categorical – no documents have been released in more than six years and no documents will be released without a court order,” Mr Hunt said.
The ADHA did not respond to a request for comment.
There are also concerns that the government may release information stored on MHR to counter critics, following a Privacy Commissioner decision earlier this year that ruled Australians should “reasonably expect” the government to release sensitive personal data publicly to refute its critics.
It comes as Liberal backbencher Tim Wilson became the first coalition MP to publicly criticise MHR and confirm that he has opted out from the service.
“I have opted out of the system and ultimately it’s up to everybody to choose what to do, because of course people who don’t currently have access to their medical records, there is some benefits to the system in terms of efficiency and access to your medical records under the new system put forward by My Health Record,” Mr Wilson told Sky News on Monday morning.
“I don’t think it will surprise anybody that my instinctive position should always be as a Liberal that systems should be opt-in and people should be able to freely choose to opt in to a system rather than have to go through the process of opting out, and that includes myself.”
He said government had “inherited” the situation from the previous government. But while Labor did legislate for MHR originally, it was the current Turnbull government that moved the service to an opt-out model.
“There is nothing wrong with having a My Health record system, but my position about whether people should be free to choose remains resolutely clear,” Mr Wilson said.
Labor backbencher Pat Conroy has also slammed the service, saying it has been “mishandled” by the government and he has “zero confidence” in it.
“In theory, having the system is a good thing...but this is a government that mismanaged the census collection online,” Mr Conroy told ABC News 24.
Lots more here:
https://www.innovationaus.com/2018/07/MHR-legislation-contradicts-agency
Follow the link for a good read.
David
It's interesting that the government seems to define third party as someone other than themselves.
ReplyDeleteIMHO, The only parties who should be involved in a person's health data are the person and their health care providers. The government is a third party as is everyone else.
The legislation lets the government (i.e. the system operator, and through them most government agencies) have unrestricted and un-audited access.
That's the first deal breaker.
The second is that no matter what the government claims about the laws, regulations, etc today, there is no way known that they can make those claims about the future.
MyHr is doomed, not just because of the Singapore data breach (as in this week's poll) but because of its most fundamental characteristic - the government has your health data.
Greg Hunt, Tim Kelsey and Tony Bartone can say what they like (and a lot of it is misinformation e.g. Hunt's claim about "military level security) but they will never be able to argue that away.
The train wreck is happening.
It's interesting that the government seems to define third party as someone other than themselves.
ReplyDeleteI guess it depends on your take of My in my health record. I am guessing the government has wedded itself as being the My
Is it being made clear to people if you do not opt-out by October 15th your records will be on government file for 30 years (or if you die 130 years after your birth)even if they cancel? This is according to the 'How to Cancel' section of the MyHealth website. ie. no right to be forgotten after Oct15. Now why on earth would this be? This system is not for the patient even though it is being sold as such.
ReplyDeleteTina asked "Is it being made clear to people ..."
ReplyDeleteNot by the government. That's part of the problem. The rest of the problem IS the government.