Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Wednesday, 14 November 2018
Page: 8078

Senator GRIFF (South Australia) (11:28): The My Health Records Amendment (Strengthening Privacy) Bill 2018 represents an opportunity to address some obvious flaws with the current My Health Records Act. Many of us here in the chamber have, for a long time, held concerns about the pace of the rollout of the opt-out system and what seems like a dismissive approach to valid privacy and security concerns.

My Health Record started life as an opt-in, personally-controlled health record system, so it's perhaps unsurprising that it's had such a rocky journey towards a national opt-out system. I'm glad that the government has finally sought to amend two of the more glaring problems in the act that were undermining trust in the system. Under this bill, cancelled records will actually be cancelled and not simply deactivated and put on file somewhere for 30 years after the person's death. Common sense has very much prevailed here because to do otherwise would be very much unnecessary, even ridiculous, and would mean that if you had cancelled your record it still existed and, in the worst-case scenario, could still be accessed by hackers in the event of a security breach.

The bill will also require enforcement agencies such as the police and the immigration department to require a court order before they can access an individual's My Health Record. Previously, they could literally just knock on the door and ask the system operator for them, and all the Australian Digital Health Agency had to do was reasonably believe that it was necessary to hand them over. How's that for due process? How's that for privacy? Somehow it was decided that this should be permitted, even at the risk that it might dissuade some people from taking out a My Health Record, not necessarily out of fear but perhaps more out of an abundance of caution.

We know from estimates that Tasmania Police have made one request to access a person's record, but that person didn't have a record so it became a moot point. We have no information on what would have been deemed a reasonable belief. This bill seeks to patch up that lax and subjective approach to oversight by requiring enforcement agencies to obtain a court order first, but we think this is closing the door after the horse has bolted. I can see why government would be keen to allow enforcement access to this massive database as a last resort, but we contend that it is an inappropriate use of the system. I'd like to remind everyone that the original intent of the My Health Record system was to improve people's management of their personal health and, in particular, to improve the delivery of health care for patients with chronic and complicated conditions. As a database, it should only be used for public health benefits. To open this database to designated entities, such as the police and the immigration department, for non-health related purposes is very much mission creep. That is why we have proposed an amendment to remove enforcement access to My Health Record, even under warrant, unless it relates to fraud or misuse of the My Health Record itself. We think this is a sensible balance that better protects people's privacy and protects the integrity of the system. The type of information available through My Health Record would be available through other means at the government's disposal, such as Medicare, for example. No-one can give us even a hypothetical circumstance under which the record would be needed by enforcement agencies.

As to the other amendments before us, we agree that the opt-out period needs to be extended well past tomorrow to give people more opportunity to be informed about the record and to take action if they don't want it. However, there does seem to be disagreement between the parties as to how long this should be, in terms of weeks or months. We've been lobbied on four weeks and up to 12 months. We don't believe that four weeks is long enough to allow the changes in this bill and continued public education to filter through, but we also think that there is momentum now that we should build on and that 12 months is too long a period. Centre Alliance is happy to accept the government's amendments, which address many of the concerns that were raised during the references inquiry and which other parties would have moved on if the government hadn't.

We absolutely agree that there should be no access to the records for employers or insurers. Private health records should have no bearing on the decision to employ someone or to insure them. We also support the proposal to remove access for parents who are under a supervision order, apprehended violence order or otherwise pose a risk to the health and safety of a child or authorised carer. We accept the evidence provided by the health professionals during the recent references inquiry that we need to give teenagers more control over their record. While PBS data will not be visible in a child's My Health Record after the age of 14, other sensitive information, such as pathology reports, will be visible unless the teenager takes control of their record, so we accept the Greens' amendment which serves to prevent parents accessing the record of their child after the age of 14 without their written consent. After all this, we will have a vastly improved system, though still nowhere near perfect.

I have to say that none of this does enough for me personally to persuade me to sign up, so I have opted out. I'm not at all convinced that the system will be as secure and seamless as the government and the ADHA assures us it will be. We know that health records are a major target for hackers, here and overseas. We also know from media reports and the Community Affairs References Committee inquiry on My Health Record that security experts have expressed concerns at the centralised nature of the database. Your health data is incredibly private and intimate. Even if you feel you have nothing to hide, it is the last thing you want in the hands of the police, in the hands of hackers, or out of your hands at all.