With an untrustworthy Government known for data breaches, a system of digital health records won't be as private as you think, writes Dr Jennifer Wilson.
THE CONCEPT of a digital health record system is a splendid one, particularly for people with complex health issues, people in regional and remote areas, as well as those of us who might end up in a hospital emergency room unable to convey our history to medical staff.
I would happily opt-in to such a system, were it not for the appalling record of the Coalition Government on privacy and data breaches.
We currently have a Government that has proved itself incapable of managing the security of citizens’ data. In 2017, we discovered that Australians' Medicare details were being sold on the dark web. The Government’s reaction to this breach was described by a former AFP expert in high tech crime as “disappointing, confusing and often contemptible”.
We also have a Government that has deliberately released intimate personal details of individuals and their previous partners to the media, as payback for those individuals’ public criticisms of agencies such as Centrelink.
We have an Acting-Privacy Commissioner who has ratified the publication of this personal data if the Government feels such action is necessary to correct any criticism of its agencies.
Just take a moment to absorb this. If you publicly criticise a Government agency that holds sensitive information about you, the Privacy Commissioner has validated the Government’s right to disseminate that information in the national media, under the guise of “correcting the record”. In the case of Centrelink, there is no option for you to withhold private information in the first place if you are attempting to access benefits. The Government has you by the throat. You have to tell them your private details. If you are publicly critical, your private details are weaponised and used against you.
There is absolutely no reason to believe that this exercise of raw power will not be extended to the use of your health records if the Government or any one of approximately 15 “enforcement agencies” decide that is necessary. And the information in your health records is likely the most private and sensitive information you’ll ever have recorded.
As part of its marketing of the digital health record system known as "My Health Record", the Government has set up an information website and a Twitter account that offers answers to queries about the digital initiative:
My Health Record is a secure online summary of your health information. You can control what goes into it and who is allowed to access it.
Australia • myhealthrecord.gov.au
The claim that we have control over who can access our data is false. There are at least 15 Federal and State Government agencies that can be granted access to your private health records solely at the discretion of a departmental secretary, without warrants and apparently without oversight.
In the legislative framework for this system, the My Health Records Act 2012, it is stated that for the purposes of law enforcement that your private health data can be accessed by ‘enforcement bodies’ solely at the discretion of the System Operator.
The System Operator is identified as the Secretary of the Department, or a body established by Commonwealth law to be that operator.
‘I don’t think a lot of doctors understand that records they upload to #MyHealthRecord in good faith~bc they want to improve patient care~could be used against people for administrative reasons in a way that they would never be happy with’ @trentyarwood https://t.co/6RX5AqH4QD— Melissa Castan (@DrMCastan) July 16, 2018
In other words, any Government enforcement body can access your personal medical records without a warrant and without your knowledge.
Access is granted at the discretion of a department secretary, or a body established by the Government that controls the enforcement agencies seeking to access your records:
MY HEALTH RECORDS ACT 2012 - SECT 70
Disclosure for law enforcement purposes, etc.
(1) The System Operator is authorised to use or disclose health information included in a healthcare recipient's My Health Record if the System Operator reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body:
(a) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a imposing a penalty or sanction or breaches of a prescribed law;
(b) the enforcement of laws relating to the confiscation of the proceeds of crime;
(c) the protection of the public revenue;
(d) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(e) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
My Health Record: the case for opting in - The My Health Record (MHR) system promises to make Australia a leader in providing citizens with access to their own health records.#health #publichealth #Digitalhealthhttps://t.co/BLa2T4aPID pic.twitter.com/adyddFlNAs— Malka N. Halgamuge (@MalkaNisha) July 18, 2018
The definition of "enforcement body" and "enforcement-related activity" is as follows:
'Enforcement body’ means:
(a) the Australian Federal Police; or
(aa) the Integrity Commissioner; or
(b) the ACC; or
(c) the Immigration Department; or
(d) the Australian Prudential Regulation Authority; or
(e) the Australian Securities and Investments Commission; or
(ea) the Office of the Director of Public Prosecutions, or a similar body established under a law of a State or Territory; or
(f) another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or
(g) another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue; or
(h) a police force or service of a State or a Territory; or
(i) the New South Wales Crime Commission; or
(j) the Independent Commission Against Corruption of New South Wales; or
(k) the Law Enforcement Conduct Commission of New South Wales; or
(ka) the Independent Broad-based Anti-corruption Commission of Victoria; or
(l) the Crime and Corruption Commission of Queensland; or
(la) the Corruption and Crime Commission of Western Australia; or
(lb) the Independent Commissioner Against Corruption of South Australia; or
(m) another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries; or
(n) a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or
(o) a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue.
Around 20,000 people already opted out of #MyHealthRecord, Australia's centralised digital #health records system, on Monday #OPTOut— TALAOLP (@Talaolp) July 17, 2018
The Law can change to allow other parties accesshttps://t.co/3aYpTnMr87#Auspol @banas51 @Nobby15 @randlight #LNPMemes #ALPMemes pic.twitter.com/oFB3TNn6dC
‘Enforcement related activity’ means:
(a) the prevention, detection, investigation, prosecution or punishment of:
(i) criminal offences; or
(ii) breaches of a law imposing a penalty or sanction; or
(b) the conduct of surveillance activities, intelligence gathering activities or monitoring activities; or
(c) the conduct of protective or custodial activities; or
(d) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(e) the protection of the public revenue; or
(f) the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations; or
(g) the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of court/tribunal orders.
That these bodies can access your health records without legal oversight, merely on the say-so of a departmental secretary, is entirely unacceptable. This ought to give the most complacent among us pause for thought.
The situation we are in is intolerable. We need a My Health Record system for citizens who will benefit from its many advantages. Yet our Government has demonstrated that it is ready and willing to weaponise citizens’ personal information and use it against us. The Government, by its untrustworthiness, its record of incompetence, and its established and enthusiastic betrayal of our privacy, is preventing access to the healthcare record system we need. By allowing agencies access to our personal data without oversight, on the authority of an individual public servant, the Government is making the system entirely unsafe for citizens to use.
You have till October to opt out of the My Health Record system. After that, you’ll automatically be included. The RN Breakfast interview (shown above) with Paul Shetler, former Head of the Government’s Digital Transformational Office, is invaluable if you need an expert opinion to help you make up your mind.
No mainstream journalist has thus far challenged the Government and its representatives on their claim that individuals have complete control over data stored in My Health Record. Health Minister Greg Hunt stated in an interview with Linda Mottram on ABC's PM Wednesday evening that a court order is required to access health records. According to the Act, this is not the case, yet Hunt’s claim went unchallenged.
It’s impossible to say if this is because no mainstream journalist has actually researched the legislation, or if it is because the media has some interest in propagating Government misinformation about health record privacy.
Opt out! Cassandra the Information Technology Wobbegong on My Health Record. @firstdogonmoon considers #MyHealthRecord https://t.co/8jNdTOLXFC #notmyrecord #privacy #healthdata— Melissa Castan (@DrMCastan) July 19, 201
You can follow Dr Jennifer Wilson on her blog No Place for Sheep or on Twitter @NoPlaceForSheep.
Support independent journalism Subscribe to IA.