This appeared last week:
Victorian information sharing Bill a threat to privacy
Authored by David Vaile, Juanita Fernando, Shirley Prager, Stephen Milgate and Aniello Iannuzzi.
THE Victorian Government’s Health Legislation Amendment (Information Sharing) Bill 2021 was rushed through its first parliamentary vote on 14 October 2021, raising many unanswered questions for patients and health care professionals in that state.
The purpose of the Bill, as stated in the preliminary section of the legislation is twofold:
- to establish a centralised electronic system to enable public hospitals and other specified health services to share specified patient health information for the purpose of providing medical treatment to patients; and
- to provide for public hospitals and other specified health services to collect and disclose specified patient health information to the Secretary for the purpose of establishing and maintaining the Electronic Patient Health Information Sharing System.
We believe the law will allow the Victorian Government to “establish a centralised electronic patient health information sharing system for participating health services” going back 5 years. The Bill mentions denominational hospitals, metropolitan hospitals, residential care services, and other specified services, including mental health, community health and ambulance. Where the grey area lies is in the Bill’s future potential to affect private practice, particularly in rural areas, where the duties of rural doctors in hospitals often overlap public and private systems.
We understand that every Victorian will be given a unique patient identification number, and that the Secretary can request information and identification on any patient from the participants, and enforce compliance, outlined in Sections 3 (b) and 4, of the Bill, with this request.
The data collected and linked by the proposed new Victorian Government medical records portal will be exposed to a large number of end users, such as government agencies and linked businesses across Australia, subject to the Secretary’s control. The data will contain each patient’s current and historical medical and health information.
The law blocks individuals’ ability to consent to or opt out of the process, to control access to their sensitive information, and to limit access to certain parties.
Section 134ZL, No consent required
- A participating health service may collect, use or disclose specified patient health information as permitted or authorised by this Part without the consent of the person to whom the information relates.
- The Secretary may collect, use or disclose specified patient health information as permitted or authorised by this Part without the consent of the person to whom the information relates.
Put plainly, this legislation allows agents of the Victorian Government a complete record of every Victorian person’s most sensitive and private information. The Bill does not specify details of the complete record, so we assume this includes all GP records, mental health details, community health records, and admission to hospitals and so forth.
The powers embodied in the Bill are unprecedented. We believe it risks the health and wellness of some individuals who decide not to seek clinical attention for potentially life-threatening or serious conditions.
The Australian Privacy Foundation (APF) has been unable locate the Privacy Impact Assessment (PIA) supporting the Bill. The PIA, if conducted, must be published in the public domain if Victorians are to trust the Bill.
Why does the Victorian Government need to harvest and store such a rich database of patient information?
The Australian Doctors Federation (ADF) and the APF are alarmed by the content of the legislation, as well as the haste and lack of consultation with which it was executed.
Some of the serious questions raised by this legislation include:
- Will clinicians be required to enter information into the system, and how will this affect their current workplace duties and duty of care?
- To whom will the government grant access to the information in the central patient record (third-party use), and how will this be regulated? This is an issue one of the authors of this article raised a few years ago relating to My Health Record.
- Why are key privacy principles being suspended for this system?
- What sort of database technology is involved? How will cybersecurity infiltration, exfiltration or other abuses be detected or prevented?
- Will this new central system be used to enforce the government’s coronavirus disease 2019 (COVID-19) policies, or any other aspect of government policy?
- Who bears responsibility and liability for the accuracy, currency, completeness and relevance of the data, data breaches or other abuse?
- What rights and compensation will patients be afforded when mistakes are made and abuses occur?
Both the APF and ADF maintain that quality health care requires patient trust and confidence, protection of patient–doctor confidentiality, with access to top class health informatics and high integrity data.
Unfortunately, governments have a weak track record for implementing robust and trustworthy systems (for example, Robodebt, the COVIDSafe app, and data breaches).
We strongly recommend that the proposed legislation not proceed until these and other key questions are publicly debated, carefully scrutinised and resolved.
David Vaile is Chair of the Australian Privacy Foundation.
Dr Juanita Fernando is Adjunct Research Fellow in Medical Education Research and Quality at Monash University. She is chair of the APF’s Health Committee.
Stephen Milgate AM is a Director of the Australian Doctors’ Federation.
Dr Shirley Prager is a psychiatrist in private practice in Melbourne.
Dr Aniello Iannuzzi is Chair of the Australian Doctors’ Federation. He is a rural GP.
The link is here:
https://insightplus.mja.com.au/2021/41/victorian-information-sharing-bill-a-threat-to-privacy/
Disclosure: I am on the APF’s Health Committee.
For myself I think this legislation is extreme overreach and need much more constrained in how data is obtained and what is subsequently done with it by way of protection and use. Just why Vic. Health is developing a real time version of the #myHealthRecord, with no patient consent or opt-out provisions beats me!
David.
This appears to be more Dictator Dan-esque overreach.
ReplyDeleteMy concern is that the legislation forbids a person's ability to opt out of data sharing of their medical records, including with "linked businesses across Australia".
That could be quite the honey pot. Or money pot.
"The data will contain each patient’s current and historical medical and health information."
ReplyDeleteMore of the same old naive fantasy. The reality is this:
"The data will contain SOME OF each patient’s current and historical medical and health information."
What will happen if a decision is made on incomplete data and the person suffers hurt, damage or loss? How will they even know?
Is there to be any concept of responsibility and accountability for the quality, accuracy, timeliness of the data?
Yet again, "For every complex problem there is an answer that is clear, simple, and wrong." H. L. Mencken
Fundamentally this move by the VIC Government is a blatant atatement that MY HEALTH RECORD is an outright failure and that VIC can do better.
ReplyDelete... and that VIC can do better
ReplyDeleteIt is more likely that VIC will fail for the same reasons.
Some sort of database with a web app. Game changing
ReplyDelete@8:34 PM. That is exactly what the ADHA has just announced - spun a little differently but essentially a database with a app.
ReplyDelete