My Health Records Amendment (Strengthening Privacy) Bill 2018


2016-2017-2018

The Parliament of the
Commonwealth of Australia

THE SENATE

My Health Records Amendment (Strengthening Privacy) Bill 2018


(1)     Clause 2, page 2 (table), omit the table (including the note), substitute:

 

Commencement information

Column 1 | Column 2 | Column 3
Provisions | Commencement | Date/Details
1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. |
2. Schedule 1 | The day after this Act receives the Royal Assent. |
3. Schedule 2 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 12 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. |

 

Note:          This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

[commencement]

(2)     Schedule 1, page 3 (before line 4), before item 1, insert:

1AA  Section 3

After “national”, insert “public”.

1AB  Section 4

After “system is a”, insert “national public”.

[My Health Record system is a national public system]

(3)     Schedule 1, page 3 (after line 5), after item 1, insert:

1A  Section 5

Insert:

national system employer has the same meaning as in the Fair Work Act 2009, disregarding sections 30D and 30N of that Act.

prohibited purpose has the meaning given by section 70A.

1B  After subsection 6(1)

Insert:

          (1A)  Despite subsection (1), a person who has parental responsibility for a healthcare recipient aged under 18 is not the authorised representative of the healthcare recipient if the System Operator is satisfied that:

                     (a)  under a court order or a law of the Commonwealth or a State or Territory, the person must be supervised while spending time with the healthcare recipient; or

                     (b)  the life, health or safety of the healthcare recipient or another person would be put at risk if the person were the authorised representative of the healthcare recipient.

1C  Subsection 6(2)

After “If there is no person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 18,”, insert “or the only such persons are covered by subsection (1A),”.

1D  At the end of subsection 7(2)

Add:

Note:          Despite this subsection, a nominated representative must not use information for a prohibited purpose within the meaning of section 70A (even though a healthcare recipient may do so): see subsections 59A(2), 70B(2), 71A(4) and 71B(3).

1E  After section 15

Insert:

16   Research or public health purposes

                   The System Operator’s function under paragraph 15(ma) does not include providing de-identified data to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer.

[persons with parental responsibility who are not authorised persons; use for prohibited purpose; provision of de-identified data to insurers]

(4)     Schedule 1, item 6, page 4 (after line 19), after subsection 17(4), insert:

             (5)  To avoid doubt, if the System Operator is required under subsection (3) to destroy a record that includes health information, the System Operator must also destroy the following:

                     (a)  any copy of the record;

                     (b)  any previous version of the record;

                     (c)  any back-up version of the record.

[destruction of records]

(5)     Schedule 1, page 4 (after line 19), after item 6, insert:

6A  Subsection 59(3) (penalty)

Repeal the penalty, substitute:

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

6B  Subsection 59(4) (penalty)

Repeal the penalty, substitute:

Civil penalty:          1,500 penalty units.

6C  After section 59

Insert:

59A   Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose

             (1)  A person must not use health information included in a healthcare recipient’s My Health Record for a prohibited purpose, if the person obtained the information by using or gaining access to the My Health Record system.

Note:          For prohibited purpose, see section 70A.

Civil penalty:          1,500 penalty units.

             (2)  Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

6D  Subsection 60(3) (penalty)

Repeal the penalty, substitute:

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

6E  Subsection 60(4) (penalty)

Repeal the penalty, substitute:

Civil penalty:          1,500 penalty units.

[penalties; use for prohibited purpose]

(6)     Schedule 1, page 9 (after line 3), after item 16, insert:

16A  At the end of Division 2 of Part 4

Add:

Subdivision C Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose

70A   Definition of prohibited purpose

             (1)  Information included in a healthcare recipient’s My Health Record is used for a prohibited purpose if the person who uses the information does so for any one or more of the following purposes:

                     (a)  the purpose of:

                              (i)  underwriting a contract of insurance that covers the healthcare recipient; or

                             (ii)  determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or

                            (iii)  determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or

                            (iv)  a national system employer employing, or continuing or ceasing to employ, the healthcare recipient;

                     (b)  a purpose prescribed by the regulations.

             (2)  If the person uses information for purposes that include, or for a purpose that includes, a purpose mentioned in subsection (1), the person is taken to be using the information for a prohibited purpose.

             (3)  To avoid doubt, use of information is not for a prohibited purpose if the use is solely for:

                     (a)  the purpose of providing healthcare to the healthcare recipient; or

                     (b)  purposes relating to the provision of indemnity cover for a healthcare provider.

             (4)  If a fault element applies to an element of an offence or civil penalty provision involving a prohibited purpose within the meaning of subparagraph (1)(a)(iv), absolute liability applies to the element that the employer is a national system employer.

             (5)  References in paragraph (1)(a) to insurance do not include State insurance that does not extend beyond the limits of the State concerned.

70B   Use for prohibited purpose is unauthorised

             (1)  Despite Subdivisions A and B, a person is not authorised under this Division to use health information included in a registered healthcare recipient’s My Health Record for a prohibited purpose.

             (2)  Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

16B  After Division 3 of Part 4

Insert:

Division 3A Offences and penalties in relation to use of My Health Record-derived information for prohibited purpose

71A   Offence for use of My Health Record-derived information for prohibited purpose

             (1)  A person commits an offence if:

                     (a)  the person uses information; and

                     (b)  the person does so for a prohibited purpose, and the person knows or is reckless as to that fact; and

                     (c)  the information is health information; and

                     (d)  the information is or was included in a healthcare recipient’s My Health Record; and

                     (e)  the person is not the healthcare recipient.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

             (2)  Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.

Note:          A defendant bears an evidential burden in relation to the matter in subsection (2): see subsection 13.3(3) of the Criminal Code.

             (3)  Strict liability applies to paragraphs (1)(d) and (e).

Note:          For strict liability, see section 6.1 of the Criminal Code.

             (4)  Despite paragraph (1)(e) and subsection 7(2), subsection (1) of this section applies to a person who is the nominated representative of the healthcare recipient.

71B   Civil penalty for use of My Health Record-derived information for prohibited purpose

             (1)  A person must not use health information that is or was included in a healthcare recipient’s My Health Record for a prohibited purpose.

Civil penalty:          1,500 penalty units.

             (2)  Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.

Note:          A person bears an evidential burden in relation to the matter in subsection (2): see section 96 of the Regulatory Powers (Standard Provisions) Act 2014.

             (3)  Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

16C  Subsection 75(2) (penalty)

Repeal the penalty, substitute:

Civil penalty:          1,500 penalty units.

16D  Section 76 (penalty)

Repeal the penalty, substitute:

Civil penalty:          1,500 penalty units.

16E  Subsection 77(2A) (penalty)

Repeal the penalty, substitute:

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

16F  Subsection 77(2B) (penalty)

Repeal the penalty, substitute:

Civil penalty:          1,500 penalty units.

16G  After subsection 97(2)

Insert:

          (2A)  However, the System Operator is not required to give notice of the decision to a person if the System Operator is satisfied that doing so would put at risk the life, health or safety of a person.

16H  Paragraph 98(1)(b)

Omit “Medicare;”, substitute “Medicare.”.

16J  Paragraph 98(1)(c)

Repeal the paragraph.

16K  Subsection 105(3)

After “disclosure of” (wherever occurring), insert “de-identified data or”.

16L  After paragraph 105(3)(b)

Insert:

                   (ba)  in connection with insurance, other than State insurance that does not extend beyond the limits of the State concerned; or

16M  Subsection 105(4)

After “disclosure of”, insert “de-identified data or”.

[use for prohibited purpose; penalties; provision of de-identified data to insurers; risk to life, health or safety; delegates]

(7)     Schedule 1, item 17, page 9 (after line 12), at the end of the item, add:

(3)       The amendments made by items 6C, 16A and 16B of this Schedule apply in relation to the use of information after this Schedule commences, regardless of whether the information was collected before or after that commencement.

[use for prohibited purpose]

(8)     Page 9 (after line 12), at the end of the Bill, add:

Schedule 2 Amendments commencing on Proclamation


My Health Records Act 2012

1  Section 5

Insert:

data custodian means the Australian Institute of Health and Welfare.

2  Paragraph 15(ma)

Repeal the paragraph, substitute:

                  (ma)  in accordance with the guidance and direction of the Board established under section 82, to prepare and provide de-identified data, and, with the consent of the healthcare recipient, health information, for research or public health purposes;

3  Section 16

After “de-identified data”, insert “or health information”.

4  Part 5 (heading)

After “Other”, insert “offences and”.

5  After section 77

Insert:

77A   Enforceable requirements in My Health Records Rules must not be contravened: offence

             (1)  An entity commits an offence if:

                     (a)  the entity does an act or omits to do an act; and

                     (b)  the result is that the entity contravenes a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A) and the entity is reckless as to that result; and

                     (c)  the My Health Records Rules provide that the requirement is enforceable for the purposes of this paragraph; and

                     (d)  the entity is not the System Operator, the Data Governance Board established by section 82 or the data custodian.

Penalty:  100 penalty units.

             (2)  Strict liability applies to paragraphs (1)(c) and (d).

Note:          For strict liability, see section 6.1 of the Criminal Code.

6  Section 78 (at the end of the heading)

Add “: civil penalty”.

7  Section 78

Before “A person”, insert “(1)”.

8  At the end of section 78

Add:

             (2)  An entity (other than the System Operator, the Data Governance Board established by section 82 or the data custodian) must not contravene a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A), if the My Health Records Rules provide that the requirement is enforceable for the purposes of this subsection.

Civil penalty:          100 penalty units.

9  After Part 6

Insert:

Part 7 Data Governance Board

Division 1 Establishment and functions

82   Data Governance Board

                   The Data Governance Board is established by this section.

83   Functions of the Board

             (1)  The functions of the Data Governance Board are:

                     (a)  to oversee the operation of the framework prescribed by My Health Records Rules made for the purposes of subsection 109(7A), including by:

                              (i)  assessing applications for the collection, use or disclosure of de-identified data and health information for research or public health purposes; and

                             (ii)  guiding and directing the System Operator in the performance of its function under paragraph 15(ma) (preparing and providing de-identified data and health information); and

                            (iii)  taking steps to ensure the ongoing protection of de-identified data and health information used by, or disclosed to, persons for research or public health purposes and that the data and information is being used and disclosed only for those purposes; and

                     (b)  any other functions conferred on the Board by this Act or the My Health Records Rules.

             (2)  The Board does not have any functions, and must not perform any role, in relation to the day-to-day operation of the My Health Record system.

Division 2 Membership

84   Membership

                   The Data Governance Board consists of the following members:

                     (a)  the Chair of the Data Governance Board;

                     (b)  the Deputy Chair of the Data Governance Board;

                     (c)  at least 7, and no more than 10, other members.

85   Appointment of members

             (1)  Members are to be appointed by the Minister by written instrument, on a part-time basis.

             (2)  The Minister must appoint one member to be the Chair and another member to be the Deputy Chair.

86   Qualifications and experience

             (1)  The Minister must appoint the following as members:

                     (a)  a person who represents the System Operator;

                     (b)  a person who represents the data custodian;

                     (c)  a person who is an Aboriginal person or a Torres Strait Islander.

             (2)  A person (including a person appointed in accordance with subsection (1)) is not eligible for appointment as a member of the Data Governance Board unless the person has skills or experience in, or knowledge of, one or more of the following fields:

                     (a)  population health and epidemiology;

                     (b)  medical or health research;

                     (c)  health services delivery;

                     (d)  technology;

                     (e)  data science;

                      (f)  data governance;

                     (g)  privacy;

                     (h)  consumer advocacy.

87   Acting appointments

             (1)  The Minister may, by written instrument, appoint a person to act as the Chair:

                     (a)  during a vacancy in the office of Chair (whether or not an appointment has previously been made to the office); or

                     (b)  during any period, or during all periods, when the Chair:

                              (i)  is absent from duty or from Australia; or

                             (ii)  is, for any reason, unable to perform the duties of the office.

Note:          For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

             (2)  The Minister may, by written instrument, appoint a person to act as the Deputy Chair:

                     (a)  during a vacancy in the office of Deputy Chair (whether or not an appointment has previously been made to the office); or

                     (b)  during any period, or during all periods, when the Deputy Chair:

                              (i)  is absent from duty or from Australia; or

                             (ii)  is, for any reason, unable to perform the duties of the office.

Note:          For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

88   Term of appointment and other terms and conditions

             (1)  A member of the Data Governance Board holds office for the period specified in the instrument of appointment. The period must not exceed 5 years.

             (2)  A member of the Data Governance Board holds office on the terms and conditions (if any) in relation to matters not covered by this Part that are determined by the Minister.

89   Remuneration

             (1)  A member of the Data Governance Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the member is to be paid the remuneration that is prescribed by an instrument made under subsection (4).

             (2)  A member is to be paid the allowances that are prescribed by an instrument made under subsection (4).

             (3)  This section has effect subject to the Remuneration Tribunal Act 1973.

             (4)  The Minister may, by legislative instrument, prescribe:

                     (a)  remuneration for the purposes of subsection (1); and

                     (b)  allowances for the purposes of subsection (2).

90   Resignation

             (1)  A member of the Data Governance Board may resign the member’s appointment by giving the Minister a written resignation.

             (2)  The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.

91   Termination of appointment

             (1)  The Minister may terminate the appointment of a member of the Data Governance Board:

                     (a)  for misbehaviour; or

                     (b)  if the member is unable to perform the duties of the member’s office because of physical or mental incapacity.

             (2)  The Minister may terminate the appointment of a member of the Data Governance Board if:

                     (a)  the member:

                              (i)  becomes bankrupt; or

                             (ii)  applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

                            (iii)  compounds with the member’s creditors; or

                            (iv)  makes an assignment of the member’s remuneration for the benefit of the member’s creditors; or

                     (b)  the member is absent, except on leave of absence, from 3 consecutive meetings of the Board; or

                     (c)  the member engages in paid work (within the meaning of section 93) that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the member’s duties (see section 93); or

                     (d)  the member fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section.

92   Leave of absence

                   The Minister may grant leave of absence to any member of the Data Governance Board on the terms and conditions that the Minister determines.

93   Other paid work

             (1)  A member of the Data Governance Board must not engage in any paid work that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the member’s duties.

             (2)  In subsection (1):

paid work means work for financial gain or reward (whether as an employee, a self-employed person or otherwise).

Division 3 Meetings of the Data Governance Board

94   Convening meetings

             (1)  The Data Governance Board must hold such meetings as are necessary for the efficient performance of its functions.

             (2)  The Chair of the Data Governance Board:

                     (a)  may convene a meeting at any time; and

                     (b)  must convene a meeting within 30 days after receiving a written request to do so from another member of the Board.

95   Presiding at meetings

             (1)  The Chair of the Data Governance Board must preside at all meetings at which the Chair is present.

             (2)  If the Chair is not present at a meeting at which the Deputy Chair is present, the Deputy Chair must preside.

             (3)  If neither the Chair nor the Deputy Chair is present at a meeting, the other members present must appoint one of themselves to preside.

96   Quorum

             (1)  At a meeting of the Data Governance Board, a quorum is constituted by a majority of members of the Board.

             (2)  However, if:

                     (a)  a member of the Board is required by rules made for the purposes of section 29 of the Public Governance, Performance and Accountability Act 2013 not to be present during the deliberations, or to take part in any decision, of the Board with respect to a particular matter; and

                     (b)  when the member leaves the meeting concerned there is no longer a quorum present;

the remaining members at the meeting constitute a quorum for the purpose of any deliberation or decision at that meeting with respect to that matter.

96A   Voting at meetings

             (1)  A question arising at a meeting of the Data Governance Board is to be determined by a majority of the votes of the members of the Board present and voting.

             (2)  The person presiding at a meeting of the Board has a deliberative vote and, if the votes are equal, a casting vote.

96B   Conduct of meetings

                   The Data Governance Board may, subject to this Division, regulate proceedings at its meetings as it considers appropriate.

Note:          Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.

96C   Minutes

                   The Data Governance Board must keep minutes of its meetings.

96D   Decisions without meetings

             (1)  The Data Governance Board is taken to have made a decision at a meeting if:

                     (a)  without meeting, a majority of the members of the Board entitled to vote on the proposed decision indicate agreement with the decision; and

                     (b)  that agreement is indicated in accordance with the method determined by the Board under subsection (2); and

                     (c)  all the members were informed of the proposed decision, or reasonable efforts were made to inform all the members of the proposed decision.

             (2)  Subsection (1) applies only if the Board:

                     (a)  has determined that it may make decisions of that kind without meeting; and

                     (b)  has determined the method by which members are to indicate agreement with proposed decisions.

             (3)  For the purposes of paragraph (1)(a), a member is not entitled to vote on a proposed decision if the member would not have been entitled to vote on that proposal if the matter had been considered at a meeting of the Board.

             (4)  The Board must keep a record of decisions made in accordance with this section.

Note:          Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.

Division 4 Other matters relating to the Data Governance Board

96E   Relationship between System Operator and Data Governance Board in relation to data for research or public health purposes

             (1)  In performing the function mentioned in paragraph 15(ma), the System Operator must comply with a direction from, and follow the guidance of, the Data Governance Board.

             (2)  If rules made for the purposes of subsection 109(7A) require the Data Governance Board to take steps to ensure that de-identified data and health information disclosed to persons for research or public health purposes is being used only for those purposes, the System Operator must not take any steps of its own to ensure that the data and information is being used only for those purposes.

             (3)  Subsection (2) does not imply that the System Operator has a duty to take steps in relation to use of data and information at a time when there are no rules of the kind mentioned in subsection (2).

96F   Board committees

             (1)  The Data Governance Board may establish a committee or committees to assist in carrying out the functions of the Board.

             (2)  The Board may dissolve a committee at any time.

             (3)  The functions of a committee are as determined by the Board.

             (4)  In performing its functions, a committee must comply with any directions given to the committee by the Board.

             (5)  A question arising at a meeting of a committee is to be determined by a majority of the votes of committee members present.

             (6)  A committee must inform the other members of the Board of its decisions.

             (7)  A committee may regulate proceedings at its meetings as it considers appropriate.

             (8)  A committee must ensure that minutes of its meetings are kept.

96G   Delegation of functions

             (1)  If the Secretary of the Department consents to the Data Governance Board delegating functions to APS employees in the Department, the Board may delegate any or all of its functions to such an APS employee.

Note:          Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

             (2)  If the chief executive officer (however described) of the data custodian consents to the Board delegating functions to members of the staff mentioned in subsection 19(1) of the Australian Institute of Health and Welfare Act 1987, the Board may delegate all or any of its functions to such a member of staff.

Note:          Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

             (3)  In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Board.

             (4)  The delegation continues in force despite a change in the membership of the Board.

             (5)  The delegation may be varied or revoked by the Board (whether or not there has been a change in the membership of the Board).

96H   Annual report

             (1)  As soon as practicable after the end of each financial year, the Data Governance Board must prepare and give a report to the Minister, for presentation to the Parliament, on the Board’s activities during the financial year.

Note:          See also section 34C of the Acts Interpretation Act 1901, which contains extra rules about annual reports.

             (2)  A report on the Department’s activities given under section 46 of the Public Governance, Performance and Accountability Act 2013 does not need to include a report on the activities of the Board.

96J   Board is part of the Department

                   For the purposes of paragraph (a) of the definition of Department of State in section 8 of the Public Governance, Performance and Accountability Act 2013, the Data Governance Board is prescribed in relation to the Department.

10  Subsection 105(2)

After “System Operator”, insert “, Data Governance Board and data custodian”.

11  After paragraph 105(6)(a)

Insert:

                    (aa)  the Data Governance Board;

                   (ab)  the data custodian;

12  Subsection 109(7A)

Repeal the subsection, substitute:

My Health Records Rules may relate to research or public health purposes

          (7A)  The My Health Records Rules may, in accordance with section 109A, prescribe a framework to guide the collection, use and disclosure of de-identified data and, with the consent of healthcare recipients, health information, for research or public health purposes.

13  Subsection 109(9)

Omit “the My Health Records Rules”, substitute “My Health Records Rules made for purposes other than subsection (7A)”.

14  After section 109

Insert:

109A   My Health Records Rules relating to data for research or public health purposes

Examples of what the rules may do

             (1)  Without limiting subsection 109(7A), My Health Records Rules made for the purposes of that subsection (the rules) may do any or all of the following:

                     (a)  impose requirements on the System Operator, the Data Governance Board established by section 82, the data custodian and other entities, including procedures that must be followed, in relation to preparing, providing, collecting, accessing, using and disclosing health information and de-identified data;

                     (b)  provide that any or all such requirements are enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2);

                     (c)  make provision in relation to the performance of the Board’s functions set out in paragraph 83(1)(a);

                     (d)  authorise the Board to make written policies and guidelines to be followed by other entities for the purposes of giving effect to the prescribed framework.

Functions of data custodian

             (2)  The data custodian has the following functions, and the rules may make provision in relation to the performance of those functions:

                     (a)  under the direction of the Data Governance Board and in accordance with this Act—helping to implement the prescribed framework by:

                              (i)  receiving de-identified data and health information from the My Health Record system; and

                             (ii)  as necessary—de-identifying health information; and

                            (iii)  as necessary—providing data linkage services (within the meaning of the rules); and

                            (iv)  preparing and providing de-identified data and health information to users of data and information whose use has been approved by the Data Governance Board; and

                             (v)  ensuring that users of de-identified data and health information are subject to conditions of use;

                     (b)  any other functions conferred on the data custodian by this Act or the rules.

Limits on rules

             (3)  The rules:

                     (a)  must not allow the health information of a healthcare recipient to be collected, used or disclosed otherwise than with the consent of the healthcare recipient; and

                     (b)  must not allow de-identified data or health information to be provided to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer (with or without the consent of the healthcare recipient); and

                     (c)  must not provide that any of the following is enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2):

                              (i)  a provision of a policy, guideline or other instrument made under the rules;

                             (ii)  a provision of the rules that requires an entity to comply with such a policy, guideline or instrument.

Constitutional limits on rules

             (4)  If the rules make provision for the disclosure of de-identified data or health information obtained by using or gaining access to the My Health Record system, the rules must have the effect that the data or information is to be disclosed only:

                     (a)  by means of a postal, telegraphic, telephonic or other like service; or

                     (b)  by or to a corporation to which paragraph 51(xx) of the Constitution applies; or

                     (c)  by or to a person within a Territory or a place acquired by the Commonwealth for a public purpose; or

                     (d)  by or to the Commonwealth or an authority of the Commonwealth.

             (5)  The rules may make other provision in relation to de-identified data or health information only:

                     (a)  to ensure that collection, use and disclosure of data or information does not result in an interference with privacy of the kind the Commonwealth has international obligations to protect against, including under the International Covenant on Civil and Political Rights (in particular Article 17 of the Covenant); or

Note:       The text of the Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2018, a text of a Covenant in the Australian Treaties Series was accessible through the Australian Treaties Library on the AustLII website (http://www.austlii.edu.au).

                     (b)  for purposes related to collecting, preparing, analysing or publishing statistics; or

                     (c)  by providing for data or information to be collected from or by, used by or disclosed by or to, any of the following:

                              (i)  a corporation to which paragraph 51(xx) of the Constitution applies;

                             (ii)  a person within a Territory or a place acquired by the Commonwealth for a public purpose;

                            (iii)  the Commonwealth or an authority of the Commonwealth.

[data for research or public health purposes]