Opinion and Commentary

InDaily: Doubts remain about the privacy of My Health records

We are in a digital age, of that there is no doubt.

There is also no question that digitising health records will be beneficial in the long-run for patients, medical staff and researchers. A single digital health system which connects the silos of health information will improve the efficiency and effectiveness of Australia’s healthcare system.

However, there are also serious and substantial risks when it comes to protecting information which is as sensitive and private as the medical records of millions of Australians.

Revelations recently that the Australian Government’s proposed My Health Record may be used to track down children and their parent who may have fled from a violent partner or relationship are deeply concerning.

According to Australian Institute of Health and Welfare data during 2016-17 some 72,000 women, 34,000 children and 9000 men seeking homelessness services reported that family and domestic violence caused or contributed to their homelessness.

The message this sends to those 115,000 Australians and the hundreds of thousands more that weren’t included in these statistics, is stark;  you are no longer safe, there is potential for the misuse of information from a child’s My Health Record which could disclose your location – and that is very dangerous message indeed.

While some attempt has been made to strengthen privacy protections contained in the My Health Records Amendment (Strengthening Privacy) Bill 2018 – advocacy groups, including women’s and children’s groups, would argue these measures do not go far enough and do not protect those at risk of family violence.

The amendments covering access to medical information by law enforcement and government agencies, in addition to a requirement that records of those who opt-out to be permanently deleted, are constructive yet inadequate.

The issue remains, no digital system is entirely safe. The government’s My Health Record is no exception.

Increasingly, we are hearing reports of large-scale data leaks and hacks across all sectors – private enterprise, government, non-profit, corporate – none are immune.

Big data is big business.

The My Health Record system is particularly vulnerable to unauthorised access by individuals with parental responsibility for a child, who may not be the primary caregiver – including individuals who may be a perpetrator of family violence.

This simply cannot be the case. We ought not allow the introduction of a system which places vulnerable children and their primary caregiver at further risk of serious harm.

Legislation must ensure the location and identity of victims and survivors of family violence are not able to be shared with, or accessed by, perpetrators – even if the perpetrator falls within the definition of “a person with parental responsibility” under the My Health Record Act.

The definition of “parental responsibility” under the My Health record Act needs to be amended so it is iron-clad and does not allow parenting responsibility to be granted to or extended to any individual subject to a conditional parenting order which requires supervised visitation with the child, or they are subject to a restraining or personal protection order preventing them from spending unsupervised time with the child.

The prospect that third party health insurers may use penalties such as higher premiums or refuse to provide cover for those who may have opted-out of a My Health record, is also perilous.

A Senate committee into the issue heard last week that protections were needed to prevent third parties from discriminating against individuals who elect not to share their My Health Record data.

There is a further layer of complexity when sharing data for medical research purposes.

Certainly, on the one-hand there can be tremendous benefits reaped from record and knowledge-sharing in the medical research field.

However, concern arises when that data sharing, the secondary use of My Health Record data, is at odds with current Commonwealth, state and territory privacy laws that require an individual’s explicit, informed consent for the secondary use or disclosure of their personal information.

It would be appropriate to ask participants regardless of whether they have opted in, or out, to provide their expressed and informed consent to having the data used for a secondary purpose such as medical research.

There has been little in the way of public debate or information and awareness surrounding the implementation and roll-out of the My Health Record system.

Citizens should rightly have an opportunity to ask:

  • What assurances do we as citizens have that our private health data will not be open to exploitation and that we will not be discriminated against should we choose to maintain the privacy of that data?
  • What happens if and when that data falls into the wrong hands?
  • What contingency measures are in place and how robust are the systems designed to protect that most sensitive data?

We must seek guarantees and assurances that our data will be stored safely and used appropriately, there is simply too much at stake to get this wrong.

There must be protections in place to guard those who are vulnerable, particularly children and their parent who is at risk of family violence. A failure to do so would lead to devastating consequences – a blight on all who neglected to act.

Morry Bailes is the managing partner at Tindall Gask Bentley Lawyers, president of the Law Council of Australia and is a past president of the Law Society of SA. The opinions expressed in this column are his own