Bills Digest No. 30, Bills Digests alphabetical index 2018–19

My Health Records Amendment (Strengthening Privacy) Bill 2018

Health and Aged Care

Author

Owen Griffiths

Go to a section

Introductory Info Date introduced: 22 August 2018
House: House of Representatives
Portfolio: Health
Commencement: The day after the Act receives Royal Assent.

Purpose of the Bill

The My Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill) will amend the My Health Records Act 2012 (MHR Act) to:

  • remove the authority of the System Operator (the Australian Digital Health Agency or ADHA) to disclose the health information in a My Health Record to enforcement agencies or other government bodies without a judicial order or the healthcare recipient’s consent (making it consistent with the ADHA’s policy position) and
  • require the System Operator to destroy the health information in a healthcare recipient’s My Health Record if they cancel their registration.[1]
  • The Bill will also:
  • provide the process for orders of disclosure of My Health Record health information to be made by judicial officers to designated entities and
  • provide for the collection, use and disclosure of health information under the specific legislation, namely the MHR Act and the legislation associated with Auditor-General, the Commonwealth Ombudsman and the Australian Information Commissioner.[2]

Structure of the Bill

The Bill contains one schedule which includes the amendments to the MHR Act and provides for the application of the amendments.

Background

From opt-in to opt-out

In 2012, the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) was passed to enable the establishment and operation of the Personally Controlled Electronic Health Record (PCEHR) system. The objective of the PCEHR system was to facilitate access to health information relating to consumers of healthcare.[3] It created an electronic health record system for regulating the collection, recording, use and disclosure of the health information of healthcare ‘consumers’.[4] The PCEHR system was a voluntary, or opt-in, system. Eligible consumers could apply to the System Operator to be registered in the PCEHR system.[5]

The PCEHR Act included a range of privacy and access safeguards for the PCEHR system, but also provided for the System Operator to use or disclose the health information included in a consumer’s record in some circumstances. These circumstances included if the System Operator reasonably believed the disclosure was reasonably necessary for certain things done by, or on behalf of, an enforcement body.[6]

In November 2013, a review of the PCEHR system, led by the head of Uniting Care Health Queensland Richard Royle, was announced.[7] The Review of the Personally Controlled Electronic Health Record was released in May 2014.[8] It found there was ‘overwhelming support’ for the implementation of an electronic health record system, but stated that a ‘change in approach’ was needed to correct implementation issues and ‘to review the strategy and role that a shared electronic health record plays in a broader system of health care’.[9] The recommendations of the review included that the PCEHR system should be renamed My Health Record and that the system should be transitioned to an opt-out model by 1 January 2015.[10]

In 2015, the Health Legislation Amendment (eHealth) Act 2015 was passed. This legislation renamed the PCEHR Act to the MHR Act and renamed ‘consumers’ in the legislation as ‘healthcare recipients’. It also amended the MHR Act to allow the Minister to provide that an opt-out model be applied to all healthcare recipients through changes to the My Health Record Rules.

In 2016, the Australian Digital Health Agency (ADHA) was established.[11] Section 14 of the MHR Act provides that the System Operator is the Secretary of the Department of Health or a body established by a Commonwealth law that is prescribed under the Regulations. Prior to 1 July 2016, the System Operator was the Secretary of the Department of Health. An amendment to the My Health Records Regulation 2012 prescribed the ADHA to be the System Operator on 1 July 2016.[12]

On 30 November 2017, the Minister made the My Health Records (National Application) Rules 2017 which applied an opt-out model of registration to My Health Record and specified the period in which healthcare recipients could opt-out. The initial period in which healthcare recipients could choose to opt-out of the My Health Record system was 16 July 2018 to 15 October 2018. This was later extended to 15 November 2018 (see below). 

As part of the 2017–18 Budget, the Department of Health stated:

A transition to opt-out participation for My Health Record will bring forward benefits many years sooner than the current opt in arrangements. Opt-out is the fastest way to realise the significant health and economic benefits of My Health Record for all Australians including through avoided hospital admissions, fewer adverse drug events, reduced duplication of tests, better coordination of care for people seeing multiple healthcare providers, and better informed treatment decisions.

Opt-out participation is supported by an independent evaluation of two opt-out [trials] undertaken in Northern Queensland and Nepean Blue Mountains Primary Health Network areas. The evaluation showed a high level of support for automatic creation of My Health Records by both healthcare providers and individuals. Across the two opt-out trial areas, the opt-out rate was just 1.9 per cent...[13]

Authorisation for the use, collection and disclosure

The MHR Act establishes a complex regulatory framework for the use, collection and disclosure of the health information included in a healthcare recipient’s My Health Record. A person or organisation can only collect, use or disclose the health information in a healthcare recipient’s My Health Record if they are authorised to do so by the MHR Act. For example, healthcare recipients themselves are authorised to collect, use and disclose, for any purpose, the health information included in their own My Health Record.[14]

Participants in the My Health Record system, such as registered healthcare providers, have a range of authorisations to collect, use or disclose the health information in a healthcare recipient’s My Health Record.[15] These include, for example, collection, use and disclosure of health information for the purpose of providing healthcare to the registered healthcare recipient (in accordance with the access controls set by the healthcare recipient).[16]

Additionally, under the MHR Act the System Operator (the ADHA) has a number of authorisations to disclose or use the health information contained in a My Health Record in certain circumstances. These include to:

  • disclose information if ordered to do so by a court or tribunal if the proceedings relate to the MHR Act, unauthorised access to information in the My Health Record system or healthcare provider indemnity cover, or with the consent of the consumer (subsections 69(1) and (4)) and
  • disclose information if ordered or directed by a coroner (subsection 69(2)).

In particular, section 70 is titled Disclosure for law enforcement purposes, etc. Subsection 70(1) provides that the System Operator is authorised ‘to use or disclose’ the health information included in a healthcare recipient’s My Health Record if the System Operator ‘reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body’. These are:

  • the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law
  • the enforcement of laws relating to the confiscation of the proceeds of crime
  • the protection of the public revenue
  • the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct and
  • the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Subsection 70(2) clarifies that as far as subsection 70(1) relates to the last point regarding the proceedings or orders of courts and tribunals, it is subject to section 69 which (as noted above) provides for these disclosures.

Subsection 70(3) provides for the use or disclose of My Health Record health information if the System Operator ‘has reason to suspect unlawful activity’ which relates to the System Operator’s functions and ‘reasonably believes’ use or disclosure is necessary ‘for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities’.

The listed ‘enforcement purposes’ in subsection 70(1) which provide for when the System Operator may use or disclose My Health Record health information reflect, but do not replicate, the factors in Australian Privacy Principles (APP) 6.2(e) which restrict the use or disclosure of personal information by APP entities[17] under the Privacy Act 1988 (Privacy Act).[18] Provisions which permit the use and disclosure of information and/or documents for ‘enforcement’ reasons exist in a range of other Commonwealth legislation.[19]

Concerns regarding disclosures for law enforcement purposes

The potential privacy risks associated with the development of a national electronic health record system have led a range of concerns being expressed, including in relation to access by law enforcement agencies to the stored health information. For example, in 2011, the Privacy Impact Assessment regarding the proposed PCEHR system undertaken by Minter Ellison Lawyers for the Department of Health and Ageing noted that the system would be ‘an attractive source of data’ for several groups including law enforcement agencies. It stated: 

The extent to which the PCEHR is seen as a 'honeypot' of data for insurance companies and law enforcement agencies may impact on the degree of confidence placed in the PCEHR system by consumers.[20]

Trials of the opt-out My Health Record model were conducted in 2016. The key finding of the evaluation report feedback regarding the confidentiality and security of the My Health Record system was positive:

Once the benefits of the My Health Record system were clear, nearly all focus group participants said that their concerns about security and privacy, or about the fact that a My Health Record had been created, disappeared. They most often said that, while they thought that no computer-based systems were totally safe, on balance they thought that the benefits to them, their families and the health system far outweighed those risks...[21]

There were also indications that law enforcement access to the health information in the My Health Record system could raise concerns. The evaluation report included:

Concerns about confidentiality and security were expressed more often in the focus group in Mapoon... Questions and concerns were also raised by this group regarding law enforcement agencies having access to the My Health Record system. After clarifying that, as a personally-controlled record, they could set their own privacy settings and also access alerts and logs that detailed which healthcare providers had recently accessed the My Health Record, half the participants were satisfied with the level of security and ability of the My Health Record to keep their information confidential, while the other half remained sceptical [sic].[22]

In 2016, legal academics, Danuta Medelson and Gabrielle Wolf analysed the My Health Record system and the MHR Act in the context of the change to the opt-out model. They stated:

Not only has the system failed to fulfil its statutory objectives, but it permits the wide dissemination of information that historically has been confined to the therapeutic relationship between patient and health practitioner. After considering several other purposes for which the system is apparently designed, and who stands to benefit from it, we conclude that the government risks losing the trust of Australians in its electronic health care policies unless it reveals all of its objectives and obtains patients' consent to the use and disclosure of their information.[23]

They noted:

Circumstances and purposes articulated in the statute include provision of information captured by the My Health Record system to courts and tribunals, as well as use of this information for law enforcement purposes. Although other uses of this information and their scope are yet to be explicitly revealed, it is clear that information previously considered to be within the private domain of individuals and under the control of their chosen health providers is being reconceptualised as shared data about individuals, to be collected, distributed and managed by government and private entities.[24]

On 7 June 2018, Leanne Wells, the Chief Executive Officer of the Consumers Health Forum of Australia, published an article considering the pros and cons of the My Health Record system, including potential access to health information by law enforcement and government agencies. She stated:

The Government and/or ADHA needs to be transparent with the public about the policies and procedures they have in place around access to My Health Record information by law enforcement and other government agencies, and consider whether changes to guidelines or legislation are needed.[25]

The My Health Record opt-out period commenced on 16 July 2018.[26] This event prompted public discussion regarding the merits of the My Health Record system for healthcare recipients.[27] Part of this public debate focused on the provision in the MHR Act for disclosure by the System Operator for law enforcement purposes.[28] On 16 July 2018, the ABC published an article with Tim Kelsey, the head of the ADHA, concerning My Health Record which included questions in relation to the rules and policies which guide the ADHA's decision to grant access to law enforcement.[29] It stated:

Which rules and policies guide the ADHA's decision to grant access to law enforcement?

The ADHA is authorised by law to disclose someone's health information if it "reasonably believes" it's necessary for preventing or investigating crimes and protecting the public revenue, among other things specified under section 70 of the My Health Records Act.

The agency was unable to provide a definition of "protecting the public revenue" by deadline.

When it receives a law enforcement request, the ADHA will need to determine that it's a legitimate request from an enforcement body.

"While the Agency assesses each formal request on a case by case basis, our operating policy is to release information only where the request is subject to judicial oversight," the ADHA said.

"If the access does not support public confidence and trust in the System and the object of the My Health Record Act then the Agency will deny the request."

Law enforcement bodies will not be granted direct access to the My Health Record: The ADHA said any disclosure would be limited to what is necessary to satisfy the purpose of the request.

Has the ADHA received any requests from law enforcement to access records?

Mr Kelsey said no police requests have been received yet.

Will users be informed if their data has been released to law enforcement?

If personal information is disclosed to law enforcement, the decision about whether to notify the My Health Record holder will be decided "case-by-case".

Likewise, healthcare provider organisations won't be informed if their patient's data is accessed.

The release to police will be recorded in a written note and stored by the ADHA.[30]

On 21 July 2018, the ADHA issued a fact sheet on police access to My Health Record which noted that it had received ‘a few enquiries regarding other government departments and law enforcement accessing My Health Record’. It stated:

The Australia Digital Health Agency has not and will not release any documents without a court/coronial or similar order. 

No documents have been released in the last six years and none will be released in the future without a court order/coronial or similar order.

Additionally, no other Government agencies have direct access to the My Health Record system, other than the system operator.[31]

However, during this period, concerns regarding the potential for disclosures under section 70 continued to be expressed.[32] For example, on 22 July 2018 the former Australian Medical Association (AMA) president Professor Kerryn Phelps was reported as saying that allowing police access to My Health Record information would undermine trust in the medical profession and the health system. She asked:

If someone has a cocaine problem, will they want to tell their doctor and seek help if they think it has any possibility of being uploaded to a site that can be accessed by police?[33]

Anna Johnston, a privacy consultant with Salinger Privacy, stated:

While any policy by ADHA to limit the exercise of its powers under the legislation is welcome, the fact remains that the legislation governing the My Health Record does give the operator of the system very wide discretion to release health information about individuals to a wide range of enforcement bodies, which is not just law enforcement agencies like police but also includes the Immigration Department for example...

The law allows disclosure not only in response to a court order or warrant, but also under a 'reasonable belief' test relating to matters beyond just criminal law offences.[34]

On 23 July 2018, an entry concerning ‘Law enforcement access to My Health Record data’ was published on the Parliamentary Library’s FlagPost, a blog on current issues of interest to members of the Australian Parliament.[35] This entry also noted that, while it was the policy of the ADHA in relation to law enforcement to only release information where requests are subject to judicial oversight, ‘it does not appear that the ADHA’s operating policy is supported by any rule or regulation’.[36]

In light of the public discussion regarding the privacy and security of patient health information key medical professional organisations clarified their views on the My Health Record system.[37] The President-elect of the Royal Australian College of General Practitioners (RACGP) spoke with the Minister for Health, Greg Hunt, to discuss ‘strengthening the legislation’s privacy provisions’.[38] On 25 July 2018, the AMA President Dr Tony Bartone called for the Government to provide guarantees about the long-term security of the privacy of the My Health Record system which could involve ‘examining the legislation’. He stated:

[T]here had been a groundswell of concern from AMA members, the broader medical profession, and the public about the 2012 legislation framing the My Health Record, particularly Section 70, which deals with the disclosure of health information for law enforcement purposes.[39]

Government response

On 31 July 2018, the Minister for Heath, Greg Hunt announced strengthened privacy protections would be introduced for the My Health Record system:

After constructive discussions with the AMA and RACGP, the Government will strengthen privacy provisions under the My Health Record Act, removing any doubt regarding Labor’s 2012 legislation.

Labor’s 2012 My Health Record legislation will be strengthened to match the existing ADHA policy.

This policy requires a court order to release any My Health Record information without consent. The amendment will ensure no record can be released to police or government agencies, for any purpose, without a court order.

The Digital Health Agency’s policy is clear and categorical – no documents have been released in more than six years and no documents will be released without a court order. This will be enshrined in legislation.

This change to the My Health Record Act will therefore remove any ambiguity on this matter.

In addition, the Government will also amend Labor’s 2012 legislation to ensure if someone wishes to cancel their record they will be able to do so permanently, with their record deleted from the system.

The Government will also work with medical leaders on additional communications to the public about the benefits and purpose of the My Health Record, so they can make an informed choice.

We will be looking to implement and introduce these changes as soon as possible.[40]

The proposed privacy protections have been positively received by the AMA and the RACGP.[41]

At the Council of Australian Governments Health Council meeting on 2 August 2018 jurisdictions reaffirmed their support of a national opt-out approach to the My Health Record system. The meeting communique stated: 

Jurisdictions noted clinical advice about the benefits of My Health Record and expressed their strong support for My Health Record to support patient’s health. Ministers acknowledged some concerns in the community and noted actions proposed to provide community confidence, including strengthening privacy and security provisions of My Health Record.[42]

On 10 August 2018, the Government confirmed it would extend the opt-out period for My Health Record for an extra month to 15 November 2018.[43]

Committee consideration

Senate Community Affairs References Committee

On 15 August 2018, the Senate Community Affairs References Committee (References Committee) was referred an inquiry into the My Health Record system for inquiry and report by 8 October 2018.[44] The terms of reference of the inquiry contain a number of matters relevant to the amendments of the Bill, including ‘the arrangements for third party access by law enforcement, government agencies, researchers and commercial interests’ and ‘measures that are necessary to address community privacy concerns in the My Health Record system’.

On 12 October 2018, the References Committee sought and received an extension to the reporting date of the inquiry to 17 October 2018. 

Further information regarding the inquiry, including the full terms of reference, is available on the inquiry homepage.

Senate Community Affairs Legislation Committee

On 23 August 2018, on the recommendation of the Senate Selection of Bills Committee, the Senate referred the provisions of the Bill to the Senate Community Affairs Legislation Committee (Legislation Committee) for inquiry and report by 8 October 2018.[45] On 19 September 2018, the Senate granted an extension of time for reporting until 12 October 2018.[46]

Further information regarding the inquiry is available on inquiry page. In particular, the inquiry page outlines the approach to the evidence received for the inquiry:

The Community Affairs Committees have agreed to share relevant evidence in the My Health Record system inquiry and the inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018. Only matters related to provisions of the Bill will be considered in the Legislation Committee inquiry.

The Legislation Committee tabled its report into the provisions of the Bill on 12 October 2018. In relation to the amendments of the Bill, the committee’s report stated:

The committee recognises the considerable expected benefits of the [My Health Record] system, and that healthcare recipients' confidence in the privacy provisions of the system is vital in ensuring the system's overall success. The committee commends the Bill's proposed amendments to sections 65, 69 and 70 to the MHR Act to strengthen the privacy provisions of the MHR system.[47]

Additional comments were made by Labor senators who noted the broader concerns which had been raised with the My Health Record system and urged the Government to ‘heed Labor's call to suspend the opt-out rollout until all remaining concerns are addressed and public confidence in this important reform is restored’.[48] Additional comments were also made by the Australian Greens senators who cautioned that the Bill ‘represent a minor improvement instead of the necessary solution’. They noted two specific issues. The first was ‘unanswered questions’ regarding the potential access by law enforcement to backups and cache files. The second was their support for a proposal made by the University of Melbourne for a notification to the healthcare recipient if their information has been disclosed under the new process in the Bill.[49]

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills had no comment on the Bill.[50]

Policy position of non-government parties/independents

Australian Labor Party (Labor)

Labor representatives do not appear to have commented on the specific provisions of the Bill. While broadly supportive of an electronic health record system, Labor has expressed the view that the rollout of My Health Records should be suspended until privacy concerns with system are addressed.[51] For example, on 15 August 2018, Ms Catherine King MP, the Shadow Minister for Health and Medicare, released a media release in relation to the Senate Community Affairs References Committee inquiry into the My Health Record system. It stated: 

We remain deeply concerned that the Government's bungled rollout of the My Health Record opt-out period has severely undermined public trust in this important reform...

Labor has long supported an electronic health record system. We believe it has the capacity to revolutionise health care delivery, but we also recognise it needs a high degree of public support in order to be successful.

While the Government has agreed to a number of changes demanded by Labor and doctors' groups, including an extension of the opt-out period and a new public information campaign, more needs to be done...[52]

While Labor did not oppose the passage of the Bill in the House of Representatives, it unsuccessfully sought to amend the motion passing the Bill to include ‘the House calls on the Government to suspend the “opt out” phase of the My Health Record rollout until other privacy and security concerns are addressed’.[53]

Australian Greens

Prior to the introduction of the Bill, on 27 July 2018, the Australian Greens announced they would pursue a Private Senators Bill ‘to ensure that any access to my health record data by law enforcement would require a warrant’. The Australian Greens leader, Senator Richard Di Natale stated that ‘[i]f you want to access someone’s medical records, you should have to have a warrant, simple as that’. [54] Australian Greens representatives do not appear to have commented on the Bill.

Centre Alliance

Prior to the introduction of the Bill, on 25 July 2018, Centre Alliance Senator Rex Patrick was reported as stating ‘Centre Alliance will write to the health minister urging him to introduce legislation to ensure people’s health data is properly protected’.[55]

In her second reading speech in the House of Representatives, Centre Alliance’s Rebecca Sharkie MP, supported the Bill but noted that it was ‘qualified support’. She outlined a number of broader privacy and security concerns with the My Health Record system and indicated that she remained open to amendments ‘following the release of the [Senate] committee report’.[56] 

Australian Conservatives

Prior to the introduction of the Bill, on 25 July 2018, Australian Conservative Senator Cory Bernardi was reported as stating that he was ‘open to all suggestions that will enhance individual privacy, the security of data, and to protect people from the intrusion of big government, whether that be from law enforcement or other government departments’.[57]

Senator Tim Storer

Prior to the introduction of the Bill, on 3 August 2018, independent Senator Tim Storer indicated he would be opting out of the My Health Record system. His media release stated:

My Health Record as currently legislated appears more of a law enforcement measure than a health care initiative. The changes that Health Minister Greg Hunt has announced do not address the faults in My Health Record’s design. I have serious concerns that the lack of protections for privacy and security for sensitive health information remain...

At the very least, My Health Record must be suspended, pending a full parliamentary enquiry with an emphasis on evidence from qualified cyber-security experts.[58]

Position of major interest groups

Persons and organisations with an interest in the My Health Record system have provided submissions and evidence to the Senate Community Affairs Committee inquiries into the Bill and the My Health Record system. While a range of concerns regarding the privacy and security of the My Health Record system have been raised, the amendments of the Bill were largely supported by the persons and organisations who contributed to the inquiries.[59] For example, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, welcomed the changes:

The community in general is seeking greater clarity as to how their personal information is collected and used, including by any third parties. In relation to the My Health Record this is manifested, for example, in relation to concern as to access to the record by third parties such as law enforcement. In that regard, I welcome the government's decision to introduce the My Health Records Amendment (Strengthening Privacy) Bill to provide stronger safeguards regarding access to the record. I also welcome the bill's intention to allow the permanent deletion of My Health Record records on request. This is an important mitigation, which allows individuals to decide at a later date that they do not wish to have a My Health Record.[60]

The Consumer Health Forum of Australia also commended the ‘government's response to concerns about release to law enforcement and other agencies without a warrant’:

The community expects due diligence and vigilance by legislators and the system operator when it comes to privacy safeguards and accountability and transparency in those safeguards ... We advocated for those legislative changes to ensure that no My Health Record could be released to police for any purpose without a court order. We also support measures and steps to change the legislation to ensure that if any Australian wishes to cancel their record, they can do so permanently with the record deleted from the system.[61]

The AMA considered that, if the Bill were passed, ‘the remaining circumstances where the legislation allow[s] disclosure strike an appropriate balance’ between protection of patient’s privacy and allowing access in appropriate circumstances. It noted:

These controls are substantially tighter than the controls that apply under the Privacy Act 1988 (Cth) to patient data stored in the clinician’s own patient records. They also impose greater restrictions on the government’s and courts’ powers to require production than apply to data held by the patient outside the My Health Record system.[62]

In its submission, the ADHA reiterated that it has ‘have never received a request for information for law enforcement purposes and have not released any information for such purposes’ and noted that it has an operational policy that it would not release any documents without a court or similar order.[63] The ADHA described the proposed amendments as acknowledging ‘the evolving expectations of the community since the legislation was first debated and approved in Parliament in 2012’. It stated that the ‘changes also reflect the strong and positive advocacy of the clinical and consumer peak bodies who have been central in advocating for these issues to be addressed in the legislation’.[64]

However, the Australian Privacy Foundation raised concerns with proposed amendments:

  • The claim that there is no additional cost. This is only true if the real problem of deleting inactive records is not properly addressed...
  • The presumption that people will not want to delete individual documents from the health record
  • The reality that the government can change the legislation at any time in the future.
  • The reality that My Health Data will flow into other systems that have nothing like the safeguards built into My Health Records and where the prohibitions and authorisations of do not apply, as per Section 71 of the legislation...
  • The government treats itself as a special case, for which they have provided no justification.
  • The government needs to treat itself as a third party in the patient/health provider relationship.

The proposed amendments seem to reinstate judicial review, but this has to be read in the context of the rest of the legislation. Just as we were reassured about third-party access provisions in the legislation, we need to look at what other hidden landmines there are. Only a full review of the legislation and all of its possible implications now and in the future will be acceptable.[65]

The Women’s Legal Service NSW also noted that, while the amendments of the Bill provide for a mechanism to permanently delete records from the My Health Records system, ‘the deletion of records is a complex problem’. It stated:

The My Health Record database is designed for retention not deletion. Consequently, even if data is deleted from the database, there is a possibility that it may still be present in the backup ‘snapshots’. Some of these backups may be retained for extended periods and accessible to a small group of IT administrators. This radically weakens the effectiveness of the mechanism afforded in the legislation to delete health records, consequently putting private health information at risk of exposure.[66]

The Scarlett Alliance (the Australian Sex Workers Association) welcomed the changes in the Bill but argued that these changes ‘did not go far enough in ensuring the community privacy concerns about [the My Health Record system] are addressed’.[67] Its recommendations included:

  • the My Health Record return to an opt-in system
  • privacy controls should be set by default to the highest privacy and security settings
  • the healthcare recipients should be notified each time their data will be used for a secondary purpose, be informed of how the information will be used and agree to participate and
  • healthcare recipients should have the ability to permanently delete individual records without the necessity of cancelling their registration in order to do so.[68]

Financial implications

The Explanatory Memorandum states that there will be no net cost to implement the changes made by the Bill.[69]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[70]

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights listed the Bill as one which did not raise human rights concerns.[71]

Key issues and provisions

Destruction of records

The simplified outline of the MHR Act (in section 4) includes that the System Operator is responsible for operating the National Repositories Service which stores key records that form part of a healthcare recipient’s My Health Record. Section 17 deals with the retention of records uploaded to the National Repositories Service. It requires that the System Operator ensures that the records are retained for set periods where:

  • the record is uploaded to the National Repositories Service and
  • the record includes health information included in the My Health Record of a healthcare recipient.

Items 2 to 6 amend section 17 to reflect changes regarding the destruction of records. Item 2 inserts ‘and destruction’ to the title of section 17. Items 3 and 4 insert consequential subheadings into section 17.

Paragraph 17(2)(b) sets out the periods the System Operator must ensure a record is retained. These are:

(i) 30 years after the death of the healthcare recipient or

(ii) if the System Operator does not know the date of death of the healthcare recipient—130 years after the date of birth of the healthcare recipient.

Item 5 inserts a third option proposed subparagraph 17(2)(b)(iii). This provides that ‘if, under subsection (3), the record is required to be destroyed because of the cancellation of registration of the healthcare recipient—when the System Operator is required to destroy the record under subsection (4)’.

Item 6 inserts proposed subsections 17(3) and 17(4) which deal with the destruction of records after cancellation on request.

Currently, subsection 51(1) of the MHR Act provides that the System Operator must decide to cancel or suspend the registration of a healthcare recipient or other entity if requested in writing by a healthcare recipient or other entity. Proposed subsection 17(3) will additionally require the System Operator to destroy any record that includes health information if the System Operator is required to cancel the registration of a healthcare recipient under subsection 51(1).

However, some minimal information is not required to be destroyed:

  • the name and healthcare identifier of the healthcare recipient
  • the name and healthcare identifier of the person who requested the cancellation, if different from the healthcare recipient and
  • the day the cancellation decision takes effect.[72]

The Explanatory Memorandum notes this enables the System Operator to retain some ‘identifying and administrative information’. It states:

This is not health information. Retaining this information is necessary for the System Operator to fulfil its functions and, among other things, assure healthcare recipients that their request to cancel their registration in the My Health Record system has been actioned.[73]

Collection, use and disclosure

Section 63 authorises the collection, use and disclosure of health information for the management of the My Health Record system, including in response to requests by the System Operator. The note under section 63 provides examples of sections of the MHR Act under which the System Operator may make a request. Item 7 inserts a reference to proposed section 69A (to be inserted by item 12) to this note.

Section 65 deals with the collection, use and disclosure of health information authorised by law. It provides that, subject to disclosure to orders by a court or tribunals (dealt with by section 69), participants in the My Health Record System are authorised to ‘collect, use and disclose the health information included in a healthcare recipient’s My Health Record ‘if the collection, use or disclosure is required or authorised by Commonwealth, State or Territory law’. Items 8, 9, 10 will amend section 65 to limit the laws which could allow access to health information contained in the My Health Record system.  

Item 8 omits ‘Commonwealth, State or Territory law’ in subsection 65(1) and limits this by replacing this part with ‘a Commonwealth, State or Territory law covered by subsection (3)’.

Item 9 inserts a note under to subsection 65(1) to clarify that ‘No State or Territory laws are covered by subsection (3)’.

Item 10 inserts proposed subsection 65(3) which will specify the legislation which may authorise or require a participant to collect, use or disclose health information in a healthcare recipient’s My Health Record. These are the:

  • MHR Act
  • Auditor-General Act 1997
  • Ombudsman Act 1976 and
  • ‘a law of the Commonwealth to the extent that the law requires or authorises the collection, use or disclosure of information for the purposes of performing the Information Commissioner’s functions in relation to the My Health Record system’.[74]

The Explanatory Memorandum states that proposed subsection 65(3) will allow ‘the
Auditor-General, the Ombudsman and the Information Commissioner to carry out their respective obligations to ensure the System Operator has not breached the privacy of an individual’s My Health Record or failed to action an individual’s request to cancel and therefore delete their My Health Record’. However, under the amendments any other entity that seeks to obtain health information in a healthcare recipient’s My Health Record ‘would require a court order or an order from a judicial officer’.[75] It noted:

If other laws are identified in future that should be recognised by section 65 – that is, that should authorise or require an entity to collect, use or disclose health information in a healthcare recipient’s My Health Record – the new subsection does not provide a regulation-making power so amendments to the MHR Act would be required.

All other laws currently in force that may authorise or require the collection, use or disclosure of health information in a healthcare recipient’s My Health Record will no longer have effect insofar as they relate to the collection, use or disclosure of My Health Record information.[76]

Other government agencies also have powers to obtain information and evidence. For example, under the Taxation Administration Act 1953, the Commissioner of Taxation has the power to require persons to produce to the Commissioner any documents in their custody or control ‘for the purpose of the administration or operation of a taxation law’.[77] However, as this legislation is not included in proposed subsection 65(3), the Australia Taxation Office would need to seek a disclosure order to request the disclosure of a person’s My Health Record system records (see below).

The Explanatory Memorandum states that the amendments mean that ‘no state or territory laws can authorise or require a participant to collect, use or disclose health information in a healthcare recipient’s My Health Record’.[78] If the amendments are passed, it is not clear if there will be tension between this strict limitation and the state and territory laws under which the disclosure of My Health Record health information would previously have been authorised. For example, it is unclear to what degree the existing state and territory public health reporting and mandatory child abuse notification obligations will overlap with section 64 of the MHR Act which authorises the collection, use or disclosure of My Health Record health information ‘in the case of a serious threat to public health and safety’.[79]

Disclosure orders

Item 12 inserts proposed sections 69A and 69B which will provide for the disclosure of health information contained in a healthcare recipient’s My Health Record to designated entities by order of certain judicial officers.

What agencies can information be disclosed to? —‘Designated entities’

Proposed subsection 69A(1) provides that, if a designated entity presents the System Operator with an order under this section, the System Operator must comply with the order. A designated entity is ‘an agency, or State or Territory authority, within the meaning on the Privacy Act’ which is not a court, tribunal or coroner. The terms ‘agency’ and ‘State or Territory authority’ are broadly defined in section 6[80] and subsection 6C(3)[81] of the Privacy Act. A wide range of government bodies and law enforcement agencies would be covered by the definitions of these terms. 

Proposed subsection 69A(2) clarifies that except as authorised in proposed subsection 69A(1) or in accordance with proposed subsection 65(3) (inserted by item 10 above) ‘a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient’s My Health Record to a designated entity’.

Proposed subsection 69A(3) further clarifies that the section does not authorise ‘the System Operator to use or disclose healthcare recipient-only notes’.[82]

Proposed subsection 69A(4) requires the System Operator to make a written note of any uses or disclosures of personal information under the section.

Grounds for granting access

Proposed subsection 69A(5) provides for designated entities to apply to certain judicial officers for an order for disclosure of health information included in a healthcare recipient’s My Health Record. A designated entity may apply to a magistrate of a state or territory or to a judge who is eligible under proposed subsection 69B(2).  

Proposed subsection 69A(6) outlines the conditions for the judicial officer in making an order. The proposed test has two limbs that must each be satisfied.

First, (proposed paragraph 69A(6)(a)) a judicial officer may make an order if the designated entity satisfies the judicial officer, by information on oath or affirmation, that:

  • the designated entity has powers or duties of the kind mentioned in proposed subsection 69A(7). These are:
    • the designated entity has power under a law of the Commonwealth or a state or territory (other than a law covered by proposed subsection 65(3)) to require persons to give information to the designated entity or
    • officers of the designated entity are, in the ordinary course of their duties, authorised to execute warrants to enter premises and seize things found, including documents
  • if the designated entity has powers under a law of the Commonwealth or a state or territory to require persons to give information to the designated entity—the designated entity has exercised or purported to exercise its power to require the System Operator to disclose information to which the order will relate
  • in all the circumstances, the particular disclosure of the particular information to the designated entity is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity and
  • there is no effective means for the designated entity to obtain the particular information, other than an order under this section.

Second, (proposed paragraph 69A(6)(b)) the judicial officer must also be satisfied that, in relation to whether in all the circumstances, the particular disclosure of the particular information is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity that ‘the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient’.

Subsection 69A(8) provides that the judicial officer must not make an order unless the designated entity or some other person has given the judicial officer, either orally or by affidavit, such further information (if any) as the judicial officer requires concerning the grounds on which the order is being sought.

The information required to be included in orders is outlined in proposed subsection 69A(9). Orders must:

  • identify the healthcare recipient
  • specify the particular information to be disclosed
  • authorise one or more officers of the designated entity (whether or not named in the order) to obtain the information from the System Operator and require the System Operator to disclose the information to the designated entity
  • specify the day (not more than six months after the making of the order) on which the order ceases to have effect and
  • state the purpose for which the order is made.

The requirements in proposed subsection 69A(9) can be contrasted with existing arrangements under section 70 which does not contain comparable obligations.  

The Explanatory Memorandum notes that while authorisation for disclosure under proposed section 69A is not limited to enforcement bodies ‘it removes any doubt that government bodies (except the Auditor-General, Ombudsman or Information Commissioner which are authorised under section 65) and law enforcement agencies can only obtain My Health Record information using an order by a judicial officer’.[83]

Threshold for disclosure to designated entities

The amendments of the Bill establish a standard for orders of disclosure to designated entities under proposed section 69A which appear to be tailored to the sensitive nature of the health information stored in the My Health Record system.

Any designated entity (for example, a government agency) who has a legal power to require persons to give information to the designated entity or whose officers ‘in the ordinary course of their duties’ are authorised to execute warrants to enter premises and seize things will be able to apply to an eligible judicial officer for an order. This means that a broad range of government bodies and agencies will be able to apply for disclosure orders relating to My Health Record health information.

The requirement in proposed subparagraph 69A(6)(a)(iii) that the judicial officer be satisfied the disclosure is ‘reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity’ is comparable to other provisions which allow for law enforcement officers to apply for warrants. While warrant application processes differ between jurisdictions, these search warrant application processes usually require a judicial officer to be satisfied on ‘reasonable grounds’ that the grant the warrant is necessary.[84]

Under proposed paragraph 69A(6)(b), the judicial officer must also be satisfied, in considering whether the disclosure is ‘reasonably necessary’, that ‘the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient’. This requirement for the judicial officer to consider the ‘privacy’ of the affected person does not appear to be present in the requirements of other law enforcement search warrant processes.[85] 

Proposed subparagraph 69A(6)(a)(iv) provides that the order may be made if ‘there is no effective means for the designated entity to obtain the particular information’ other than the granting of the order. This establishes another requirement before a disclosure order can be made. However, the provision does not provide guidance to the judicial officer on the standard to be applied in determining if this requirement has been met.

Notably, the warrant issuing process under the Crimes Act 1914 (Cth), requires: 

If the person applying for the warrant is a member or special member of the Australian Federal Police and has, at any time previously, applied for a warrant relating to the same person or premises the person must state particulars of those applications and their outcome in the information.[86]

The proposed process for the making of orders of disclosure to designated entities, and the requirements for the information which must be included in an order under subsection 69A(9), do not contain a comparable requirement.

While the System Operator is obliged to make a written note of the use or disclosure of personal information under proposed section 69A, it is not required to notify or inform the healthcare recipient who has been affected by the disclosure order.

Judicial officers

Proposed section 69B sets out the judges and state and territory magistrates who are able to make disclosure orders under proposed section 69A.

Proposed subsections 69B(1) and (2) provide that a judge of a court created by the Parliament may, by writing, consent to be nominated by the Attorney-General. The Attorney-General may then, by writing, nominate the judge to be eligible. Subsection 69B(3) clarifies that nominations are not legislative instruments. 

Proposed subsection 69B(5) provides that the Governor-General may:

  • arrange with the Governor of a state for the performance, by all or any of the persons who from time to time hold office as magistrates of that state, of the functions of a magistrate conferred by section 69A or
  • arrange with the Chief Minister of the Australian Capital Territory for the performance, by all or any of the persons who from time to time hold office as magistrates of the Australian Capital Territory, of the functions of a magistrate conferred by section 69A or
  • arrange with the Administrator of the Northern Territory for the performance, by all or any of the persons who from time to time hold office as Judges of the Local Court of the Northern Territory, of the functions of a magistrate conferred by section 69A.

However, proposed subsection 69B(4) provides that magistrates do not need accept the functions conferred by proposed section 69A.

Personal capacity and immunity

Proposed subsection 69B(6) proves that the functions under proposed section 69A (to make disclosure orders) are conferred on judicial officers in their ‘personal capacity’ rather than as a court or member of a court. Despite this, proposed subsection 69B(7) clarifies that judicial officers performing functions under proposed section 69A have the same ‘protection and immunity’ as if the judicial officer were performing the function as the court or as a member of the court of which the judicial officer is a member.

Disclosure in relation to unlawful activities

Items 13, 14, 15, and 16 amend section 70 of the MHR Act. Currently section 70 authorises the System Operator to use or disclose health information included in a healthcare recipient’s My Health Record:

  • if the System Operator reasonably believes it is ‘reasonably necessary’ for a range of law enforcement purposes and
  • if the System Operator:
    • has reason to suspect that unlawful activity that relates to the System Operator’s functions has been, is being or may be engaged in and
    • reasonably believes that use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities.

The Explanatory Memorandum notes that the amended section 70 ‘will no longer relate to the use and disclosure of My Health Record information for law enforcement purposes and will only relate to use and disclosure of this information in relation to unlawful activity’.[87]

Item 13 amends the heading of section 70 to ‘Disclosure in relation to unlawful activities’.

Item 14 repeals subsections 70(1) and 70(2) which provide for the System Operator to disclose health information included in a healthcare recipient’s My Health Record for law enforcement purposes.

Item 15 inserts ‘(subject to subsection 3A)’ into subsection 70(3). This refers to proposed subsection 70(3A) inserted by item 16. As noted above, subsection 70(3) authorises the use and disclosure of health information where there is suspected unlawful activity in relation to the functions of the System Operator. The amendment will change the first part of subsection 70(3) to make disclosure of health information (but not use) by the System Operator under this subsection subject to proposed subsection 70(3A).

Item 16 inserts proposed subsection 70(3A) which limits disclosures by the System Operator under subsection 70(3). It provides that the System Operator is authorised to disclose under subsection 70(3) only the information the relevant person or authority needs to identify the matter or concerns ‘with sufficient clarity’ to:

  • initiate consideration of the matter or concerns and
  • if necessary, apply for an order under section 69A in relation to the matter or concerns.

The Explanatory Memorandum states that this amendment limits disclosures to the ‘minimal amount of information to enable the person or authority to identify the matter or concerns in order to take action’. It notes that allowing such disclosures ‘ensures the System Operator can continue to meet its obligations to protect the privacy and integrity of the My Health Record system and individual record holders’.[88] The Explanatory Memorandum also includes an example of how this authorisation would operate in the case of an employee using their access to the My Health Record system to blackmail someone:

The System Operator would notify the Australian Federal Police (AFP) of the suspected activity and the name of the person being blackmailed to allow the AFP to investigate the matter. Were the AFP to form a view that My Health Record information was necessary, they would need to apply for an order under new section 69A...[89]

Other provisions

The provisions of the Bill include minor consequential amendments and the application of the amendments in relation to destruction of records.

Item 1 repeals the definition of enforcement body from section 5 of the MHR Act (which gave the term the same meaning as in the Privacy Act). As a result of the amendments made by items 13 to 16 this term will no longer be used.

Section 67 provides that healthcare recipients are authorised to collect, use and disclose for any purpose the health information included in their My Health Record. However, a note clarifies that the information that can be collected ‘may be limited’ if the healthcare recipient’s registration is cancelled. Item 11 amends this note to reflect the proposed amendments made to section 17 regarding retention and destruction requirements. The Explanatory Memorandum notes that ‘if a healthcare recipient has requested to cancel their registration in the My Health Record system, their My Health Record will be permanently deleted and, as a result, there will be no health information in the system for them to collect’.[90]

Item 17 provides that amendments to section 17 (made by items 4 and 5 relating to destruction of records by the System Operator) apply ‘to the health information of any healthcare recipient who has cancelled their My Health Record since the system began operating on 1 July 2012, unless the healthcare recipient re-registered before the amendments in the Bill commenced’.[91]

Concluding comments

The change of the My Health Record system from opt-in to an opt-out model has prompted questions regarding the privacy and security of the stored health information. Concerns have been raised regarding access by enforcement bodies to health information by medical professional organisations and others. The Government has responded to these concerns through the amendments contained in the Bill which are intended to ensure that no My Health Record information will be released to government agencies or enforcement bodies without an order made by a judicial officer. The amendments also oblige the System Operator (ADHA) to permanently destroy the health information contained in a healthcare recipient’s My Health Record when the registration of the person is cancelled.

The amendments contained in the Bill appear to have addressed the specific concerns which have been expressed regarding access by government agencies and enforcement bodies to My Health Record health information under section 70 of the MHR Act. However, the move to an opt-out model has raised, or renewed, a range of other privacy and security issues with the My Health Record system. Individuals and organisations with broader criticism or concerns in relation to the My Health Record system are likely to continue to advocate for further reform.