A senate committee has given a tick of approval to proposed added privacy measures for the MHR, but the wrangling is far from over
A senate committee has given a tick of approval to proposed added privacy measures for the My Health Record, but the wrangling is far from over.
The My Health Records Amendment (Strengthening Privacy) Bill 2018 was drafted amid an outcry over privacy issues, such as whether police would be able to demand access to patients’ health information.
In one key amendment, the bill removes the ability of the system operator (the Australian Digital Health Agency) to disclose a patient’s information to a law enforcement or other government agency without a court order or the patient’s consent.
In another safeguard, the system operator will be required to permanently delete information uploaded to the National Repositories Service when a patient cancels their MHR registration.
However, while supporting the Community Affairs Legislation Committee’s recommendation that the bill be passed, Labor senators said the proposed changes were “woefully inadequate” and they would propose a raft of further amendments.
In remarks attached to the committee’s report, the three Labor members, Kristina Keneally, Murray Watt and Lisa Singh, said the inquiry had revealed a number of flaws that the bill did not address.
“These flaws have been created by the government’s rushed implementation of an opt-out model,” they wrote.
“Legislation and settings that made sense in Labor’s opt-in model – when informed consent was assured – make no sense under the government’s opt-out model.”
The Labor senators repeated a demand that the opt-out period, due to expire next month, be extended indefinitely “until all remaining concerns are addressed and public confidence in this important reform is restored”.
The senators said Labor intended to introduce new amendments to ensure:
- The My Health Record can never be privatised or commercialised;
- Private health insurers can never access My Health Records, including de-identified data;
- Employees’ privacy is protected in the context of employer-directed health care, by including a clause similar to s14(2) of the Healthcare Identifiers Act in the My Health Record Act;
- Vulnerable children and parents such as those fleeing domestic violence are protected, by narrowing the definition of parental responsibility; and
- The system operator cannot delegate access to My Health Records to other entities.
Additional privacy and security concerns over default My Health Record settings – for example, regarding automatic uploads and minors aged 14-18 – would be addressed in a separate report, the Labor senators said.
Greens Senators also stopped short of dissenting from the committee’s recommendations but said the proposed legislation “may represent only a minor improvement instead of the necessary solution”.