6 min read July 26, 2018 at 7:16pm
Thanks to all of you for the kind words about my advocacy on #myHealthRecord over the last couple of weeks. If you've been living under a rock, you can see my thoughts over at this post.
Those of you who have been paying attention will be aware that some of my biggest concerns have been around section 70 of the My Health Records Act, which allows for the release of information in myHealthRecord by the system operator (ie: the Australian Digital Health Agency) to enforcement bodies defined in section 6 of the Privacy Act.
The Australian Parliamentary Library published a post on 23rd July dealing with these issues; on the morning of 26th July, it was taken down, and republished later the same afternoon. The original version is still available at the Internet Archive, the new version is here.
In the interests of transparency, I've compared the new and old versions; old on the left of the images, new on the right. Deletions are highlighted in red, additions in green and substantial modifications in purple. Click on the thumbs for the full images (sorry, I'll try and edit the post to make them bigger in-line if I get time).
I agree with the assessment by Crikey's Bernard Keane that the updated blog post is significantly watered down from the original. Much of the analysis which could be considered to be at all critical of the wording of the act is in the removed sections; for example:
It seems unlikely that this level of protection and obligation afforded to medical records by the doctor-patient relationship will be maintained, or that a doctor’s judgement will be accommodated, once a patient’s medical record is uploaded to My Health Record and subject to section 70 of the My Health Records Act 2012.
The Health Minister’s assertions that ... data… can only be accessed with a court order’ seem at odds with the legislation which only requires a reasonable belief that disclosure of a person’s data is reasonably necessary to prevent, detect, investigate or prosecute a criminal offence.
The new post emphases the Health Minister's line that
ADHA has stated that it ‘has not and will not release any documents without a court/coronial or similar order’, a point which the Health Minister has reiterated
While its concern is quite watered down
However, the My Health Records Act 2012 does not mandate this, and it does not appear that the ADHA’s operating policy is supported by any rule or regulation.
Rather than the original's suggestion that myHR data should be offered the same protection as clinical records, we have the rather limp assurance from the Prime Minister that
‘the Government was absolutely committed to maintaining the privacy of the My Health Record system’ and that concerns expressed by the AMA and College of General Practitioners ‘will be addressed’.
I have a number of concerns about the content of the new analysis, but also the process.
First, as recently as Sunday, the AMA President is quoted on their website as saying:
My Health Record has been designed at the highest level of government standards, AMA President Dr Tony Bartone says.
Of course, when facts change, people are entitled to change their mind, however it's difficult not to feel like the newfound realisation of the problems with the (unchanged) myHR Act have come about because of the howling about the issue in the media, rather than a deep engagement with the issues that privacy advocates have been complaining about for years.
Secondly is my now-often-repeated mantra that - as a group - doctors are terrible at computers. Why is the government parleying with the AMA and RACGP? I'm sure these groups will be able to put forward doctors' concerns about the potential breaches of confidentiality very well, but what about engaging with privacy and technology advocates like the Privacy Foundation, Digital Rights Watch or Electronic Frontiers Australia - who have all been complaining about the privacy implications for far longer than the AMA and RACGP (and may well have a better understanding of some of the other technical issues around privacy).
Leaving aside the dreadful communications strategy (or lack thereof) around the launch of the opt-out period, or indeed myHealthRecord more generally (more details in today's Crikey[$]), the government has been incredibly tin-earred about the flood of negative publicity about myHealthRecord this week, with everyone from the Prime Minister and Health Minister down to ADHA's twitter account maintaining that everything is fine - until, of course, we're going to consult with the docs and address their concerns (which just yesterday were completely invalid).
Of course there is the very real issue that things are indeed not fine at all. I am not a lawyer, but the original analysis from the Parliamentary Library, the legal advice to the QPU and concerns posted online by lawyers of the qualified and bush variety all point out that the law, derived from the Act indeed allows the release by ADHA to every quasi- or actual law enforcement body based on concerns rather than warrants. The health minister doesn't seem to be in too much of a hurry to consider changing the Act. I have lodged a Freedom of Information request to try and get to the bottom of what ADHA's procedures are.
Finally - and possibly most concerning - is the fact that the independent analysis from the Parliamentary Library has been "reviewed" in response to a complaint from the Department of Health. This follows on from multiple complaints to the ABC about stories from the Communications Minister (including the "review" under very similar circumstances of Emma Alberici's economics story), siccing the AFP on to people who might have leaked info about the NBN from Stephen Conroy's office and charging a security service officer and his lawyer for breaching the Intelligence Services Act - for whistleblowing about the unconscionable bugging of a foreign power for commercial gain - and publishing personal Centrelink info about a blogger who complained about #Robodebt.
The government is leaning on public servants or journalists who publish unfavourable analysis, surveilling public servants to plug embarrassing leaks and persecuting whistleblowers.
Is it any wonder people aren't very inclined to trust the Government when they say "we won't do anything dodgy with your myHealthRecord without a court order"?
Image: Pipe Dream by Sharosh Rajasekher - via Unsplash - CC0
Images captured from Parliament of Australia Website (and the Internet Archive), CC-BY-NC-ND-3.0-AU; believed not to be a derivative work as captured for commentary/analysis.
Post title inspired by Stilgherrian - it's a reference to 1984