MHR legislation contradicts agency


James Riley
Editorial Director

The agency behind the federal government’s troubled My Health Record service is continuing to maintain that it would not hand over sensitive medical information to authorities without a warrant, despite the legislation underpinning the system not reflecting this.

It comes as politicians from both sides of politics raised concerns with the electronic health record and confirmed they would opt-out from the service.

The Opposition has broken from its bipartisan position and called on government to extend the three month opt-out period as a result of the ongoing security and privacy concerns, and a lack of communication.

Catherine King: Government has failed to communicate effectively

A primary concern about My Health Record (MHR) is the potential for the sensitive medical data stored on it to be accessed by government agencies such as the ATO or Centrelink, or passed on law enforcement.

In response to criticism based on these concerns, the Australian Digital Health Agency (ADHA) has said that it will not be handing over any data without a court-issued warrant.

“The ADHA has not and will not release any documents without a court / coronial or similar order. No documents have been released in the last six years and none will be released in the future without a court order / coronial or similar order,” the agency said.

“Additionally, no other government agencies have direct access to the My Health record system, other than the system operator.”

This is in direct contrast to what is actually stated in the legislation underpinning MHR, which is much broader in allowing for the access of data.

Section 70 of the My Health Record Act says the agency only has to “reasonably believe” that the disclosure of information is “reasonably necessary” to prevent, detect, investigate, prosecute or punish criminal offences, for the enforcement of laws, or the “protection of the public revenue”.

The ADHA’s own privacy policy is much stricter in this interpretation.

“The law does not permit direct access by any third party to the My Health Record system, unless they are providing healthcare to an individual,” the policy says. “Section 70 of My Health Record Act 2012, the ADHA as the system operator of MHR has formally placed on the record that it will not approve the release of any individual’s personal or health information to a third party unless it is required to by law.”

“Law enforcement agencies cannot access a MHR and would need to apply to the agency for access.”

But the fact that this is not reflected in the legislation has concerned many civil and digital rights advocates, leading to calls for the Act to be amended.

“So far ADHA has chosen to respond to people’s concerns about third-party access to data with hand-waving and bluster. That doesn’t ally people’s legitimate concerns about the operation of the My Health Records Act, and in particular section 70,” Electronic Frontiers Australia (EFA) board-member Justin Warren told InnovationAus.com.

“The legislation clearly states that broadly defined ‘enforcement bodies’ such as state and federal police, Home Affairs, ASIC, potentially even Centrelink, can access My Health Record information without a warrant, and for purposes including ‘protection of the public revenue’.

“Claims that ADHA has a policy of requiring a warrant doesn’t change what the law says, and a mere policy could change at any time, Mr Warren said.

“People don’t want their health information privacy subject to the whims of ADHA’s management of the day. We need to be confident about who can see our health information, and under what circumstances.”

Health minister Greg Hunt has also said that is “incorrect” to say that law enforcement would be able to access MHR without a court order.

“The Digital Health Agency is clear and categorical – no documents have been released in more than six years and no documents will be released without a court order,” Mr Hunt said.

The ADHA did not respond to a request for comment.

There are also concerns that the government may release information stored on MHR to counter critics, following a Privacy Commissioner decision earlier this year that ruled Australians should “reasonably expect” the government to release sensitive personal data publicly to refute its critics.

It comes as Liberal backbencher Tim Wilson became the first coalition MP to publicly criticise MHR and confirm that he has opted out from the service.

“I have opted out of the system and ultimately it’s up to everybody to choose what to do, because of course people who don’t currently have access to their medical records, there is some benefits to the system in terms of efficiency and access to your medical records under the new system put forward by My Health Record,” Mr Wilson told Sky News on Monday morning

“I don’t think it will surprise anybody that my instinctive position should always be as a Liberal that systems should be opt-in and people should be able to freely choose to opt in to a system rather than have to go through the process of opting out, and that includes myself.”

He said government had “inherited” the situation from the previous government. But while Labor did legislate for MHR originally, it was the current Turnbull government that moved the service to an opt-out model.

“There is nothing wrong with having a My Health record system, but my position about whether people should be free to choose remains resolutely clear,” Mr Wilson said.

Labor backbencher Pat Conroy has also slammed the service, saying it has been “mishandled” by the government and he has “zero confidence” in it.

“In theory, having the system is a good thing…but this is a government that mismanaged the census collection online,” Mr Conroy told ABC News 24.

“This is a government that allowed Medicare records to be stolen and put on to the dark web. So I’ve got zero confidence this government can manage this properly,” he said.

“I’m worried about the confidentiality of my data and my constituents’ data. In theory, this is a good system but I think we need to do a lot more before I have any confidence this government can manage this.

“I’m probably not going to put my data on there because I don’t have confidence in the system.”

While the Opposition previously supported the move to an opt-out service, it has now called on the government to extend the opt-out period to “give every Australian enough time to make an informed choice about their own records”.

“The government has failed to effectively communicate with the public about what the My Health Record is and the potential benefits it could bring,” Shadow health minister Catherine King said in a statement.

“It has also failed to explain to people how their rights will be respected and their privacy protected,” she said.

“This approach has fuelled suspicion and skepticism – which could be why tens of thousands of people rushed to opt out in the first week.”

Mr Warren said he supports this push, with some major changes needed.

“It’s hard to see how ADHA can proceed with the automatic creation of My Health Records without pausing and rethinking its whole approach here,” he said.

“There are some substantial changes that are clearly required, and EFA would be happy to work with them as part of a more consultative approach with civil society.”

Towards the end of the first week of the three month opt out period for MHR, a major data breach hit the Singapore government health database, with the personal data of an estimated 1.5 million people accessed, further fuelling concerns around Australia’s own digital health records.

Data accessed included names, addresses and medicines dispensed, but no other medical records, according to the government. Among those impacted by the breach was Singapore Prime Minister Lee Hsien Loong.

Do you know more? Contact James Riley via Email.

Leave a Comment