My Health Records Amendment (Strengthening Privacy) Bill 2018




ISSN 1328-8091

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest.

BILLS DIGEST NO. 30, 2018-19
16 OCTOBER 2018

Owen Griffiths
Law and Bills Digest Section

Contents

Purpose of the Bill

Structure of the Bill

Background

From opt-in to opt-out

Authorisation for the use, collection and disclosure

Concerns regarding disclosures for law enforcement purposes

Government response

Committee consideration

Senate Community Affairs References Committee

Senate Community Affairs Legislation Committee

Senate Standing Committee for the Scrutiny of Bills

Policy position of non-government parties/independents

Australian Labor Party (Labor)

Australian Greens

Centre Alliance

Australian Conservatives

Senator Tim Storer

Position of major interest groups

Financial implications

Statement of Compatibility with Human Rights

Parliamentary Joint Committee on Human Rights

Date introduced: 22 August 2018

House: House of Representatives

Portfolio: Health

Commencement: The day after the Act receives Royal Assent.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at October 2018.


Key issues and provisions

Destruction of records

Collection, use and disclosure

Disclosure orders

What agencies can information be disclosed to? — ‘Designated entities’

Grounds for granting access

Threshold for disclosure to designated entities

Judicial officers

Personal capacity and immunity

Disclosure in relation to unlawful activities

Other provisions

Concluding comments


Purpose of the Bill

The My Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill) will amend the My Health Records Act 2012 (MHR Act) to:

• remove the authority of the System Operator (the Australian Digital Health Agency or ADHA) to disclose the health information in a My Health Record to enforcement agencies or other government bodies without a judicial order or the healthcare recipient’s consent (making it consistent with the ADHA’s policy position) and

• require the System Operator to destroy the health information in a healthcare recipient’s My Health Record if they cancel their registration.1

The Bill will also:

• provide the process for orders of disclosure of My Health Record health information to be made by judicial officers to designated entities and

• provide for the collection, use and disclosure of health information under the specific legislation, namely the MHR Act and the legislation associated with the Auditor-General, the Commonwealth Ombudsman and the Australian Information Commissioner.2

Structure of the Bill

The Bill contains one schedule which includes the amendments to the MHR Act and provides for the application of the amendments.

Background

From opt-in to opt-out

In 2012, the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) was passed to enable the establishment and operation of the Personally Controlled Electronic Health Record (PCEHR) system. The objective of the PCEHR system was to facilitate access to health information relating to consumers of healthcare.3 It created an electronic health record system for regulating the collection, recording, use and disclosure of the health information of healthcare ‘consumers’.4 The PCEHR system was a voluntary, or opt-in, system. Eligible consumers could apply to the System Operator to be registered in the PCEHR system.5

The PCEHR Act included a range of privacy and access safeguards for the PCEHR system, but also provided for the System Operator to use or disclose the health information included in a consumer’s record in some circumstances. These circumstances included if the System Operator reasonably believed the disclosure was reasonably necessary for certain things done by, or on behalf of, an enforcement body.6

1. G Hunt, ‘Second reading speech: My Health Records Amendment (Strengthening Privacy) Bill 2018’, House of Representatives, Debates, (proof), 22 August 2018, p. 7. Under section 14 of the PCEHR Act, the System Operator was originally the Secretary of the Department of Health (unless the Regulations prescribe another body). In 2016, the Australian Digital Health Agency was established and prescribed as the System Operator (see below).

2. Explanatory Memorandum, My Health Records Amendment (Strengthening Privacy) Bill 2018, pp. 9-11.

3. PCEHR Act, section 3.

4. Under section 5 of the PCEHR Act a ‘consumer’ was defined as ‘an individual who has received, receives or may receive healthcare’.

5. PCEHR Act, sections 39 and 40. However, the ‘authorised representative’ (section 6) or ‘nominated representative’ (section 7) of a consumer could also register a consumer with the PCEHR system.

6. PCEHR Act, subsection 70(1).


In November 2013, a review of the PCEHR system, led by the head of Uniting Care Health Queensland Richard Royle, was announced.7 The Review of the Personally Controlled Electronic Health Record was released in May 2014.8 It found there was ‘overwhelming support’ for the implementation of an electronic health record system, but stated that a ‘change in approach’ was needed to correct implementation issues and ‘to review the strategy and role that a shared electronic health record plays in a broader system of health care’.9 The recommendations of the review included that the PCEHR system should be renamed My Health Record and that the system should be transitioned to an opt-out model by 1 January 2015.10

In 2015, the Health Legislation Amendment (eHealth) Act 2015 was passed. This legislation renamed the PCEHR Act to the MHR Act and renamed ‘consumers’ in the legislation as ‘healthcare recipients’. It also amended the MHR Act to allow the Minister to provide that an opt-out model be applied to all healthcare recipients through changes to the My Health Record Rules.

In 2016, the Australian Digital Health Agency (ADHA) was established.11 Section 14 of the MHR Act provides that the System Operator is the Secretary of the Department of Health or a body established by a Commonwealth law that is prescribed under the Regulations. Prior to 1 July 2016, the System Operator was the Secretary of the Department of Health. An amendment to the My Health Records Regulation 2012 prescribed the ADHA to be the System Operator on 1 July 2016.12

On 30 November 2017, the Minister made the My Health Records (National Application) Rules 2017 which applied an opt-out model of registration to My Health Record and specified the period in which healthcare recipients could opt-out. The initial period in which healthcare recipients could choose to opt-out of the My Health Record system was 16 July 2018 to 15 October 2018. This was later extended to 15 November 2018 (see below).

As part of the 2017-18 Budget, the Department of Health stated:

A transition to opt-out participation for My Health Record will bring forward benefits many years sooner than the current opt in arrangements. Opt-out is the fastest way to realise the significant health and economic benefits of My Health Record for all Australians including through avoided hospital admissions, fewer adverse drug events, reduced duplication of tests, better coordination of care for people seeing multiple healthcare providers, and better informed treatment decisions.

Opt-out participation is supported by an independent evaluation of two opt-out [trials] undertaken in Northern Queensland and Nepean Blue Mountains Primary Health Network areas. The evaluation showed a high level of support for automatic creation of My Health Records by both healthcare providers and individuals. Across the two opt-out trial areas, the opt-out rate was just 1.9 per cent… 13

7. P Dutton (Minister for Health), Federal Government to review electronic health records, media release, 3 November 2013.

8. P Dutton (Minister for Health), Report into the Personally Controlled Electronic Health Record, media release, 19 May 2014.

9. R Royle, Review of the Personally Controlled Electronic Health Record, [Department of Health], [Canberra], December 2013, p. 13.

10. Ibid., p. 16.

11. Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016.

12. My Health Records Amendment (System Operator) Regulation 2016.

13. Department of Health (DoH), Budget 2017-18: My Health Record - continuation and expansion, Fact sheet, DoH, Canberra, 9 May 2017.


Authorisation for the use, collection and disclosure

The MHR Act establishes a complex regulatory framework for the use, collection and disclosure of the health information included in a healthcare recipient’s My Health Record. A person or organisation can only collect, use or disclose the health information in a healthcare recipient’s My Health Record if they are authorised to do so by the MHR Act. For example, healthcare recipients themselves are authorised to collect, use and disclose, for any purpose, the health information included in their own My Health Record.14

Participants in the My Health Record system, such as registered healthcare providers, have a range of authorisations to collect, use or disclose the health information in a healthcare recipient’s My Health Record.15 These include, for example, collection, use and disclosure of health information for the purpose of providing healthcare to the registered healthcare recipient (in accordance with the access controls set by the healthcare recipient).16

Additionally, under the MHR Act the System Operator (the ADHA) has a number of authorisations to disclose or use the health information contained in a My Health Record in certain circumstances. These include to:

• disclose information if ordered to do so by a court or tribunal if the proceedings relate to the MHR Act, unauthorised access to information in the My Health Record system or healthcare provider indemnity cover, or with the consent of the consumer (subsections 69(1) and (4)) and

• disclose information if ordered or directed by a coroner (subsection 69(2)).

In particular, section 70 is titled Disclosure for law enforcement purposes, etc. Subsection 70(1) provides that the System Operator is authorised ‘to use or disclose’ the health information included in a healthcare recipient’s My Health Record if the System Operator ‘reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body’. These are:

• the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law

• the enforcement of laws relating to the confiscation of the proceeds of crime

• the protection of the public revenue

• the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct and

• the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Subsection 70(2) clarifies that as far as subsection 70(1) relates to the last point regarding the proceedings or orders of courts and tribunals, it is subject to section 69 which (as noted above) provides for these disclosures.

Subsection 70(3) provides for the use or disclosure of My Health Record health information if the System Operator ‘has reason to suspect unlawful activity’ which relates to the System Operator’s functions and ‘reasonably believes’ use or disclosure is necessary ‘for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities’.

14. MHR Act, section 67.

15. A participant in the My Health Record system is defined in the MHR Act as meaning: the System Operator, a registered healthcare provider organisation, the operator of the National Repositories Service, a registered repository operator, a registered portal operator and a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider (section 5 of the MHR Act).

16. MHR Act, section 61.

The listed ‘enforcement purposes’ in subsection 70(1) which provide for when the System Operator may use or disclose My Health Record health information reflect, but do not replicate, the factors in Australian Privacy Principles (APP) 6.2(e) which restrict the use or disclosure of personal information by APP entities17 under the Privacy Act 1988 (Privacy Act).18 Provisions which permit the use and disclosure of information and/or documents for ‘enforcement’ reasons exist in a range of other Commonwealth legislation.19

Concerns regarding disclosures for law enforcement purposes

The potential privacy risks associated with the development of a national electronic health record system have led to a range of concerns being expressed, including in relation to access by law enforcement agencies to the stored health information. For example, in 2011, the Privacy Impact Assessment regarding the proposed PCEHR system undertaken by Minter Ellison Lawyers for the Department of Health and Ageing noted that the system would be ‘an attractive source of data’ for several groups including law enforcement agencies. It stated:

The extent to which the PCEHR is seen as a 'honeypot' of data for insurance companies and law enforcement agencies may impact on the degree of confidence placed in the PCEHR system by consumers. 20

Trials of the opt-out My Health Record model were conducted in 2016. The key finding of the evaluation report feedback regarding the confidentiality and security of the My Health Record system was positive:

Once the benefits of the My Health Record system were clear, nearly all focus group participants said that their concerns about security and privacy, or about the fact that a My Health Record had been created, disappeared. They most often said that, while they thought that no computer-based systems were totally safe, on balance they thought that the benefits to them, their families and the health system far outweighed those risks… 21

There were also indications that law enforcement access to the health information in the My Health Record system could raise concerns. The evaluation report included:

Concerns about confidentiality and security were expressed more often in the focus group in Mapoon… Questions and concerns were also raised by this group regarding law enforcement agencies having access to the My Health Record system. After clarifying that, as a personally-controlled record, they could set their own privacy settings and also access alerts and logs that detailed which healthcare providers had recently accessed the My Health Record, half the participants were satisfied with the level of security and ability of the My Health Record to keep their information confidential, while the other half remained sceptical [sic]. 22

17. Under the Privacy Act, an APP entity is an organisation or agency obliged to comply with the Australian Privacy Principles (APP) (see sections 6, 6C and 15).

18. While under subsection 70(1) of the MHR Act the use or disclosure of health information can be for ‘one or more of the following things done by, or on behalf of, an enforcement body’, under APP 6.2(e) the use or disclosure of personal information can be ‘for one or more enforcement related activities conducted by, or on behalf of, an enforcement body’. The meanings in the definition of enforcement related activities in the Privacy Act differ from the ‘things done by’ an enforcement body in subsection 70(1) MHR Act. In the Privacy Act, enforcement related activities also includes ‘the conduct of surveillance activities, intelligence gathering activities or monitoring activities’, ‘the conduct of protective or custodial activities’ and extends to ‘the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations’.

19. See, for example: section 504, Fair Work Act 2009; section 149, Work Health and Safety Act 2011; paragraph 86-3(1)(h), Aged Care Act 1997; subsection 90K(5), Australian Postal Corporation Act 1989; section 38, Dental Benefits Act 2008; section 111, Australian Jobs Act 2013; section 55, Clean Energy Regulator Act 2011; section 21, Student Identifiers Act 2014.

20. Minter Ellison Lawyers, Privacy impact assessment report: Personally Controlled Electronic Health Record (PCEHR), report prepared for the Department of Health and Ageing, 15 November 2011, p. 85.

21. Siggins Miller [a firm], Evaluation of the participation trials for the My Health Record, Final report, [Sydney], November 2016, p. vi.

In 2016, legal academics Danuta Mendelson and Gabrielle Wolf analysed the My Health Record system and the MHR Act in the context of the change to the opt-out model. They stated:

Not only has the system failed to fulfil its statutory objectives, but it permits the wide dissemination of information that historically has been confined to the therapeutic relationship between patient and health practitioner. After considering several other purposes for which the system is apparently designed, and who stands to benefit from it, we conclude that the government risks losing the trust of Australians in its electronic health care policies unless it reveals all of its objectives and obtains patients' consent to the use and disclosure of their information. 23

They noted:

Circumstances and purposes articulated in the statute include provision of information captured by the My Health Record system to courts and tribunals, as well as use of this information for law enforcement purposes. Although other uses of this information and their scope are yet to be explicitly revealed, it is clear that information previously considered to be within the private domain of individuals and under the control of their chosen health providers is being reconceptualised as shared data about individuals, to be collected, distributed and managed by government and private entities. 24

On 7 June 2018, Leanne Wells, the Chief Executive Officer of the Consumers Health Forum of Australia, published an article considering the pros and cons of the My Health Record system, including potential access to health information by law enforcement and government agencies. She stated:

The Government and/or ADHA needs to be transparent with the public about the policies and procedures they have in place around access to My Health Record information by law enforcement and other government agencies, and consider whether changes to guidelines or legislation are needed. 25

The My Health Record opt-out period commenced on 16 July 2018.26 This event prompted public discussion regarding the merits of the My Health Record system for healthcare recipients.27 Part of this public debate focused on the provision in the MHR Act for disclosure by the System Operator for law enforcement purposes.28 On 16 July 2018, the ABC published an article with Tim Kelsey, the head of the ADHA, concerning My Health Record which included questions in relation to the rules and policies which guide the ADHA's decision to grant access to law enforcement.29 It stated:

Which rules and policies guide the ADHA's decision to grant access to law enforcement?

The ADHA is authorised by law to disclose someone's health information if it "reasonably believes" it's necessary for preventing or investigating crimes and protecting the public revenue, among other things specified under section 70 of the My Health Records Act.

22. Ibid., p. 88.

23. D Mendelson and G Wolf, ‘My [electronic] health record - cui bono (for whose benefit)?’, Journal of Law and Medicine, 24(2), 2016, p. 283.

24. Ibid., p. 286 (emphasis in original).

25. L Wells, ‘An important overview of the pros, cons and questions about My Health Record’, Croakey, 7 June 2018.

26. ADHA, My Health Record - Australians to decide on a smarter and safer way to share their important healthcare information, media release, 16 July 2018.

27. For example, D Vaile, B Arnold, K Kemp, ‘My Health Record: the case for opting out’, The Conversation, 16 July 2018.

28. For example, B Grubb, ‘The digital health record is a bad idea. I'm opting out, and you should too’, The Age, 17 July 2018.

29. A Bogle, ‘My Health Record: your questions answered on cybersecurity, police and privacy’, ABC News, 15 July 2018.


The agency was unable to provide a definition of "protecting the public revenue" by deadline.

When it receives a law enforcement request, the ADHA will need to determine that it's a legitimate request from an enforcement body.

"While the Agency assesses each formal request on a case by case basis, our operating policy is to release information only where the request is subject to judicial oversight," the ADHA said.

"If the access does not support public confidence and trust in the System and the object of the My Health Record Act then the Agency will deny the request."

Law enforcement bodies will not be granted direct access to the My Health Record: The ADHA said any disclosure would be limited to what is necessary to satisfy the purpose of the request.

Has the ADHA received any requests from law enforcement to access records?

Mr Kelsey said no police requests have been received yet.

Will users be informed if their data has been released to law enforcement?

If personal information is disclosed to law enforcement, the decision about whether to notify the My Health Record holder will be decided "case-by-case".

Likewise, healthcare provider organisations won't be informed if their patient's data is accessed.

The release to police will be recorded in a written note and stored by the ADHA. 30

On 21 July 2018, the ADHA issued a fact sheet on police access to My Health Record which noted that it had received ‘a few enquiries regarding other government departments and law enforcement accessing My Health Record’. It stated:

The Australia Digital Health Agency has not and will not release any documents without a court/coronial or similar order.

No documents have been released in the last six years and none will be released in the future without a court order/coronial or similar order.

Additionally, no other Government agencies have direct access to the My Health Record system, other than the system operator. 31

However, during this period, concerns regarding the potential for disclosures under section 70 continued to be expressed.32 For example, on 22 July 2018 the former Australian Medical Association (AMA) president Professor Kerryn Phelps was reported as saying that allowing police access to My Health Record information would undermine trust in the medical profession and the health system. She asked:

If someone has a cocaine problem, will they want to tell their doctor and seek help if they think it has any possibility of being uploaded to a site that can be accessed by police? 33

Anna Johnston, a privacy consultant with Salinger Privacy, stated:

30. Ibid.

31. Australian Digital Health Agency (ADHA), Fact sheet: police access to My Health Record, ADHA, 21 July 2018.

32. For example, B Keane, ‘Soon there may be no escape from government and corporate surveillance’, Crikey, 23 July 2018.

33. S Dunlevy, ‘Health record at risk of hacking’, The Sunday Telegraph, 22 July 2018, p. 15.


While any policy by ADHA to limit the exercise of its powers under the legislation is welcome, the fact remains that the legislation governing the My Health Record does give the operator of the system very wide discretion to release health information about individuals to a wide range of enforcement bodies, which is not just law enforcement agencies like police but also includes the Immigration Department for example…

The law allows disclosure not only in response to a court order or warrant, but also under a 'reasonable belief' test relating to matters beyond just criminal law offences. 34

On 23 July 2018, an entry concerning ‘Law enforcement access to My Health Record data’ was published on the Parliamentary Library’s FlagPost, a blog on current issues of interest to members of the Australian Parliament.35 This entry also noted that, while it was the policy of the ADHA in relation to law enforcement to only release information where requests are subject to judicial oversight, ‘it does not appear that the ADHA’s operating policy is supported by any rule or regulation’.36

In light of the public discussion regarding the privacy and security of patient health information, key medical professional organisations clarified their views on the My Health Record system.37 The President-elect of the Royal Australian College of General Practitioners (RACGP) spoke with the Minister for Health, Greg Hunt, to discuss ‘strengthening the legislation’s privacy provisions’.38 On 25 July 2018, the AMA President Dr Tony Bartone called for the Government to provide guarantees about the long-term security of the privacy of the My Health Record system which could involve ‘examining the legislation’. He stated:

[T]here had been a groundswell of concern from AMA members, the broader medical profession, and the public about the 2012 legislation framing the My Health Record, particularly Section 70, which deals with the disclosure of health information for law enforcement purposes. 39

Government response

On 31 July 2018, the Minister for Health, Greg Hunt, announced strengthened privacy protections would be introduced for the My Health Record system:

After constructive discussions with the AMA and RACGP, the Government will strengthen privacy provisions under the My Health Record Act, removing any doubt regarding Labor’s 2012 legislation.

Labor’s 2012 My Health Record legislation will be strengthened to match the existing ADHA policy.

This policy requires a court order to release any My Health Record information without consent. The amendment will ensure no record can be released to police or government agencies, for any purpose, without a court order.

34. Stilgherrian, ‘Tens of thousands opt out of My Health Record, but can Immigration and local councils view the rest?’, ZDnet, 17 July 2018.

35. N Brew, ‘Law enforcement access to My Health Record data’, FlagPost, Parliamentary Library blog, 26 July 2018. This entry was originally uploaded on 23 July 2018.

36. Ibid. Following feedback from the Department of Health, the FlagPost entry was briefly withdrawn and republished on 26 July 2018 with additional information. Correspondence between the Department of Health and the Parliamentary Library relating to this matter has been released under the Freedom of Information Act 1982 by the Department of Health. These documents are available on the Department of Health’s website.

37. For example, B Grubb, ‘Peak GP body's alleged support for My Health Record called into question’, Crikey, 23 July 2018.

38. P Hayes, ‘Federal Government agrees to toughen privacy provisions in My Health Record legislation’, newsGP, 26 July 2018.

39. Australian Medical Association (AMA), Guaranteeing security of the My Health Record, media release, 25 July 2018.


The Digital Health Agency’s policy is clear and categorical - no documents have been released in more than six years and no documents will be released without a court order. This will be enshrined in legislation.

This change to the My Health Record Act will therefore remove any ambiguity on this matter.

In addition, the Government will also amend Labor’s 2012 legislation to ensure if someone wishes to cancel their record they will be able to do so permanently, with their record deleted from the system.

The Government will also work with medical leaders on additional communications to the public about the benefits and purpose of the My Health Record, so they can make an informed choice.

We will be looking to implement and introduce these changes as soon as possible. 40

The proposed privacy protections have been positively received by the AMA and the RACGP.41

At the Council of Australian Governments Health Council meeting on 2 August 2018 jurisdictions reaffirmed their support of a national opt-out approach to the My Health Record system. The meeting communique stated:

Jurisdictions noted clinical advice about the benefits of My Health Record and expressed their strong support for My Health Record to support patient’s health. Ministers acknowledged some concerns in the community and noted actions proposed to provide community confidence, including strengthening privacy and security provisions of My Health Record. 42

On 10 August 2018, the Government confirmed it would extend the opt-out period for My Health Record for an extra month to 15 November 2018.43

Committee consideration

Senate Community Affairs References Committee

On 15 August 2018, an inquiry into the My Health Record system was referred to the Senate Community Affairs References Committee (References Committee) for inquiry and report by 8 October 2018.44 The terms of reference of the inquiry contain a number of matters relevant to the amendments of the Bill, including ‘the arrangements for third party access by law enforcement, government agencies, researchers and commercial interests’ and ‘measures that are necessary to address community privacy concerns in the My Health Record system’.

On 12 October 2018, the References Committee sought and received an extension to the reporting date of the inquiry to 17 October 2018.

Further information regarding the inquiry, including the full terms of reference, is available on the inquiry homepage.

40. G Hunt (Minister for Health), Strengthening privacy protections for My Health Record, media release, 31 July 2018.

41. Australian Medical Association (AMA), Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 79], 14 September 2018, Attachment A, p. 2; P Hayes, ‘Federal Government agrees to toughen privacy provisions in My Health Record legislation’, newsGP, 26 July 2018.

42. Council of Australian Governments Health Council, Communiqué, 2 August 2018, p. 5.

43. G Hunt (Minister for Health), My Health Record opt-out period extended, media release, 10 August 2018.

44. Australia, Senate, Journals, 108, 2017-18, 15 August 2018, pp. 3471-3472.


Senate Community Affairs Legislation Committee

On 23 August 2018, on the recommendation of the Senate Selection of Bills Committee, the Senate referred the provisions of the Bill to the Senate Community Affairs Legislation Committee (Legislation Committee) for inquiry and report by 8 October 2018.45 On 19 September 2018, the Senate granted an extension of time for reporting until 12 October 2018.46

Further information regarding the inquiry is available on the inquiry page. In particular, the inquiry page outlines the approach to the evidence received for the inquiry:

The Community Affairs Committees have agreed to share relevant evidence in the My Health Record system inquiry and the inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018. Only matters related to provisions of the Bill will be considered in the Legislation Committee inquiry.

The Legislation Committee tabled its report into the provisions of the Bill on 12 October 2018. In relation to the amendments of the Bill, the committee’s report stated:

The committee recognises the considerable expected benefits of the [My Health Record] system, and that healthcare recipients' confidence in the privacy provisions of the system is vital in ensuring the system's overall success. The committee commends the Bill's proposed amendments to sections 65, 69 and 70 to the MHR Act to strengthen the privacy provisions of the MHR system. 47

Additional comments were made by Labor senators who noted the broader concerns which had been raised with the My Health Record system and urged the Government to ‘heed Labor's call to suspend the opt-out rollout until all remaining concerns are addressed and public confidence in this important reform is restored’.48 Additional comments were also made by the Australian Greens senators who cautioned that the Bill ‘represent a minor improvement instead of the necessary solution’. They noted two specific issues. The first was ‘unanswered questions’ regarding the potential access by law enforcement to backups and cache files. The second was their support for a proposal made by the University of Melbourne for a notification to the healthcare recipient if their information has been disclosed under the new process in the Bill.49

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills had no comment on the Bill.50

Policy position of non-government parties/independents

Australian Labor Party (Labor)

Labor representatives do not appear to have commented on the specific provisions of the Bill. While broadly supportive of an electronic health record system, Labor has expressed the view that the rollout of My Health Records should be suspended until privacy concerns with the system are addressed.51 For example, on 15 August 2018, Ms Catherine King MP, the Shadow Minister for Health and Medicare, issued a media release in relation to the Senate Community Affairs References Committee inquiry into the My Health Record system. It stated:

We remain deeply concerned that the Government's bungled rollout of the My Health Record opt-out period has severely undermined public trust in this important reform…

Labor has long supported an electronic health record system. We believe it has the capacity to revolutionise health care delivery, but we also recognise it needs a high degree of public support in order to be successful.

While the Government has agreed to a number of changes demanded by Labor and doctors' groups, including an extension of the opt-out period and a new public information campaign, more needs to be done… 52

45. Australia, Senate, Journals, 113, 2017-18, 23 August 2018, p. 3607.

46. Australia, Senate, Journals, 120, 2017-18, 19 September 2018, p. 3823.

47. Senate Community Affairs Legislation Committee, My Health Records Amendment (Strengthening Privacy) Bill 2018 [Provisions], 12 October 2018, p. 17.

48. Ibid., p. 21.

49. Ibid., p. 24.

50. Senate Standing Committee for the Scrutiny of Bills, Scrutiny digest, 10, 2018, 12 September 2018, p. 10.

51. H Belot, ‘My Health Record rollout should be suspended until potential flaws addressed, Bill Shorten says’, ABC News, 25 July 2018.

While Labor did not oppose the passage of the Bill in the House of Representatives, it unsuccessfully sought to amend the motion passing the Bill to include ‘the House calls on the Government to suspend the “opt out” phase of the My Health Record rollout until other privacy and security concerns are addressed’.53

Australian Greens

Prior to the introduction of the Bill, on 27 July 2018, the Australian Greens announced they would pursue a Private Senators Bill ‘to ensure that any access to my health record data by law enforcement would require a warrant’. The Australian Greens leader, Senator Richard Di Natale, stated that ‘[i]f you want to access someone’s medical records, you should have to have a warrant, simple as that’.54 Australian Greens representatives do not appear to have commented on the Bill.

Centre Alliance

Prior to the introduction of the Bill, on 25 July 2018, Centre Alliance Senator Rex Patrick was reported as stating ‘Centre Alliance will write to the health minister urging him to introduce legislation to ensure people’s health data is properly protected’.55

In her second reading speech in the House of Representatives, Centre Alliance’s Rebekha Sharkie MP supported the Bill but noted that it was ‘qualified support’. She outlined a number of broader privacy and security concerns with the My Health Record system and indicated that she remained open to amendments ‘following the release of the [Senate] committee report’.56

Australian Conservatives

Prior to the introduction of the Bill, on 25 July 2018, Australian Conservative Senator Cory Bernardi was reported as stating that he was ‘open to all suggestions that will enhance individual privacy, the security of data, and to protect people from the intrusion of big government, whether that be from law enforcement or other government departments’.57

52. C King (Shadow Minister for Health and Medicare), Senate adopts Labor’s Plan for an inquiry into My Health Record, media release, 15 August 2018, p. 1.

53. Australia, House of Representatives, Votes and proceedings, 139, 2017-18, 19 September 2018, pp. 1846-47.

54. R Di Natale, The Greens will move to enshrine warrant requirement in MyHealth: Di Natale, media release, 27 July 2018.

55. P Karp, ‘My Health Record: AMA says it will do “whatever it takes” to ensure privacy’, The Guardian, 25 July 2018.

56. R Sharkie, ‘Second reading speech: My Health Records Amendment (Strengthening Privacy) Bill 2018’, House of Representatives, Debates, (proof), 18 September 2018, p. 59.

57. Ibid.


Senator Tim Storer

Prior to the introduction of the Bill, on 3 August 2018, independent Senator Tim Storer indicated he would be opting out of the My Health Record system. His media release stated:

My Health Record as currently legislated appears more of a law enforcement measure than a health care initiative. The changes that Health Minister Greg Hunt has announced do not address the faults in My Health Record’s design. I have serious concerns that the lack of protections for privacy and security for sensitive health information remain…

At the very least, My Health Record must be suspended, pending a full parliamentary enquiry with an emphasis on evidence from qualified cyber-security experts. 58

Position of major interest groups

Persons and organisations with an interest in the My Health Record system have provided submissions and evidence to the Senate Community Affairs Committee inquiries into the Bill and the My Health Record system. While a range of concerns regarding the privacy and security of the My Health Record system have been raised, the amendments of the Bill were largely supported by the persons and organisations who contributed to the inquiries.59 For example, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, welcomed the changes:

The community in general is seeking greater clarity as to how their personal information is collected and used, including by any third parties. In relation to the My Health Record this is manifested, for example, in relation to concern as to access to the record by third parties such as law enforcement. In that regard, I welcome the government's decision to introduce the My Health Records Amendment (Strengthening Privacy) Bill to provide stronger safeguards regarding access to the record. I also welcome the bill's intention to allow the permanent deletion of My Health Record records on request. This is an important mitigation, which allows individuals to decide at a later date that they do not wish to have a My Health Record. 60

The Consumers Health Forum of Australia also commended the ‘government's response to concerns about release to law enforcement and other agencies without a warrant’:

The community expects due diligence and vigilance by legislators and the system operator when it comes to privacy safeguards and accountability and transparency in those safeguards … We advocated for those legislative changes to ensure that no My Health Record could be released to police for any purpose without a court order. We also support measures and steps to change the legislation to ensure that if any Australian wishes to cancel their record, they can do so permanently with the record deleted from the system. 61

The AMA considered that, if the Bill were passed, ‘the remaining circumstances where the legislation allow[s] disclosure strike an appropriate balance’ between protection of patients’ privacy and allowing access in appropriate circumstances. It noted:

These controls are substantially tighter than the controls that apply under the Privacy Act 1988 (Cth) to patient data stored in the clinician’s own patient records. They also impose greater restrictions on the government’s and courts’ powers to require production than apply to data held by the patient outside the My Health Record system. 62

58. T Storer, I am opting-out of My Health Record, media release, 3 August 2018, pp. 1-2.

59. For example, M Bailes (Law Council of Australia), Evidence to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 17 September 2018, p. 26; Australian Association of Social Workers, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 49], September 2018, p. 3; Australian Human Rights Commission, Submission to Senate Community Affairs Legislation Committee, Inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018, [Submission no. 11], 14 September 2018, p. 1; Australian Nursing and Midwifery Federation, Submission to Senate Community Affairs Legislation Committee, Inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018, [Submission no. 25], pp. 7-8.

60. A Falk, Evidence to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 17 September 2018, p. 33.

61. L Wells (Consumers Health Forum of Australia), Evidence to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 17 September 2018, p. 6.

In its submission, the ADHA reiterated that it has ‘never received a request for information for law enforcement purposes and have not released any information for such purposes’ and noted that it has an operational policy that it would not release any documents without a court or similar order.63 The ADHA described the proposed amendments as acknowledging ‘the evolving expectations of the community since the legislation was first debated and approved in Parliament in 2012’. It stated that the ‘changes also reflect the strong and positive advocacy of the clinical and consumer peak bodies who have been central in advocating for these issues to be addressed in the legislation’.64

However, the Australian Privacy Foundation raised concerns with the proposed amendments:

- The claim that there is no additional cost. This is only true if the real problem of deleting inactive records is not properly addressed…

- The presumption that people will not want to delete individual documents from the health record

- The reality that the government can change the legislation at any time in the future.

- The reality that My Health Data will flow into other systems that have nothing like the safeguards built into My Health Records and where the prohibitions and authorisations of do not apply, as per Section 71 of the legislation…

- The government treats itself as a special case, for which they have provided no justification.

- The government needs to treat itself as a third party in the patient/health provider relationship.

The proposed amendments seem to reinstate judicial review, but this has to be read in the context of the rest of the legislation. Just as we were reassured about third-party access provisions in the legislation, we need to look at what other hidden landmines there are. Only a full review of the legislation and all of its possible implications now and in the future will be acceptable. 65

The Women’s Legal Service NSW also noted that, while the amendments of the Bill provide for a mechanism to permanently delete records from the My Health Records system, ‘the deletion of records is a complex problem’. It stated:

The My Health Record database is designed for retention not deletion. Consequently, even if data is deleted from the database, there is a possibility that it may still be present in the backup ‘snapshots’. Some of these backups may be retained for extended periods and accessible to a small group of IT administrators. This radically weakens the effectiveness of the mechanism afforded in the legislation to delete health records, consequently putting private health information at risk of exposure. 66

62. AMA, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, op. cit., p. 2.

63. ADHA, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 14 September 2018, [Submission no. 31], p. 10.

64. Ibid.

65. Australian Privacy Foundation, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 1], 5 September 2018, p. 18.

66. Women’s Legal Service NSW, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 19], 14 September 2018, p. 3.


The Scarlet Alliance (the Australian Sex Workers Association) welcomed the changes in the Bill but argued that these changes ‘did not go far enough in ensuring the community privacy concerns about [the My Health Record system] are addressed’.67 Its recommendations included:

• the My Health Record return to an opt-in system

• privacy controls should be set by default to the highest privacy and security settings

• the healthcare recipients should be notified each time their data will be used for a secondary purpose, be informed of how the information will be used and agree to participate and

• healthcare recipients should have the ability to permanently delete individual records without the necessity of cancelling their registration in order to do so.68

Financial implications

The Explanatory Memorandum states that there will be no net cost to implement the changes made by the Bill.69

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.70

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights listed the Bill as one which did not raise human rights concerns.71

Key issues and provisions

Destruction of records

The simplified outline of the MHR Act (in section 4) includes that the System Operator is responsible for operating the National Repositories Service which stores key records that form part of a healthcare recipient’s My Health Record. Section 17 deals with the retention of records uploaded to the National Repositories Service. It requires that the System Operator ensures that the records are retained for set periods where:

• the record is uploaded to the National Repositories Service and

• the record includes health information included in the My Health Record of a healthcare recipient.

Items 2 to 6 amend section 17 to reflect changes regarding the destruction of records. Item 2 inserts ‘and destruction’ to the title of section 17. Items 3 and 4 insert consequential subheadings into section 17.

Paragraph 17(2)(b) sets out the periods the System Operator must ensure a record is retained. These are:

(i) 30 years after the death of the healthcare recipient or

(ii) if the System Operator does not know the date of death of the healthcare recipient—130 years after the date of birth of the healthcare recipient.

67. Scarlet Alliance, Submission to Senate Community Affairs Legislation Committee, Inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018, [Submission no. 20], 29 August 2018, p. 2.

68. Ibid., pp. 2-4.

69. Explanatory Memorandum, op. cit., p. 3.

70. The Statement of Compatibility with Human Rights can be found at page 4 of the Explanatory Memorandum to the Bill.

71. Parliamentary Joint Committee on Human Rights, Human rights scrutiny report, 9, 2018, 11 September 2018, p. 22.

Item 5 inserts a third option, proposed subparagraph 17(2)(b)(iii). This provides that ‘if, under subsection (3), the record is required to be destroyed because of the cancellation of registration of the healthcare recipient—when the System Operator is required to destroy the record under subsection (4)’.

Item 6 inserts proposed subsections 17(3) and 17(4) which deal with the destruction of records after cancellation on request.

Currently, subsection 51(1) of the MHR Act provides that the System Operator must decide to cancel or suspend the registration of a healthcare recipient or other entity if requested in writing by a healthcare recipient or other entity. Proposed subsection 17(3) will additionally require the System Operator to destroy any record that includes health information if the System Operator is required to cancel the registration of a healthcare recipient under subsection 51(1).

However, some minimal information is not required to be destroyed:

• the name and healthcare identifier of the healthcare recipient

• the name and healthcare identifier of the person who requested the cancellation, if different from the healthcare recipient and

• the day the cancellation decision takes effect.72

The Explanatory Memorandum notes this enables the System Operator to retain some ‘identifying and administrative information’. It states:

This is not health information. Retaining this information is necessary for the System Operator to fulfil its functions and, among other things, assure healthcare recipients that their request to cancel their registration in the My Health Record system has been actioned. 73

Collection, use and disclosure

Section 63 authorises the collection, use and disclosure of health information for the management of the My Health Record system, including in response to requests by the System Operator. The note under section 63 provides examples of sections of the MHR Act under which the System Operator may make a request. Item 7 inserts a reference to proposed section 69A (to be inserted by item 12) to this note.

Section 65 deals with the collection, use and disclosure of health information authorised by law. It provides that, subject to disclosure under orders by a court or tribunal (dealt with by section 69), participants in the My Health Record System are authorised to ‘collect, use and disclose the health information included in a healthcare recipient’s My Health Record if the collection, use or disclosure is required or authorised by Commonwealth, State or Territory law’. Items 8, 9 and 10 will amend section 65 to limit the laws which could allow access to health information contained in the My Health Record system.

72. Subsection 51(7) provides for when a cancellation or suspension decision takes effect. This is either when the decision is made or ‘if the decision is made at the request of the healthcare recipient or other entity, and the request states that the healthcare recipient or other entity wishes the cancellation or suspension to occur at a specified future time—at that future time’.

73. Explanatory Memorandum, op. cit., p. 8.


Item 8 omits ‘Commonwealth, State or Territory law’ in subsection 65(1) and limits this by replacing this part with ‘a Commonwealth, State or Territory law covered by subsection (3)’.

Item 9 inserts a note under subsection 65(1) to clarify that ‘No State or Territory laws are covered by subsection (3)’.

Item 10 inserts proposed subsection 65(3) which will specify the legislation which may authorise or require a participant to collect, use or disclose health information in a healthcare recipient’s My Health Record. These are the:

• MHR Act

• Auditor-General Act 1997

• Ombudsman Act 1976 and

• ‘a law of the Commonwealth to the extent that the law requires or authorises the collection, use or disclosure of information for the purposes of performing the Information Commissioner’s functions in relation to the My Health Record system’.74

The Explanatory Memorandum states that proposed subsection 65(3) will allow ‘the Auditor-General, the Ombudsman and the Information Commissioner to carry out their respective obligations to ensure the System Operator has not breached the privacy of an individual’s My Health Record or failed to action an individual’s request to cancel and therefore delete their My Health Record’. However, under the amendments any other entity that seeks to obtain health information in a healthcare recipient’s My Health Record ‘would require a court order or an order from a judicial officer’.75 It noted:

If other laws are identified in future that should be recognised by section 65 - that is, that should authorise or require an entity to collect, use or disclose health information in a healthcare recipient’s My Health Record - the new subsection does not provide a regulation-making power so amendments to the MHR Act would be required.

All other laws currently in force that may authorise or require the collection, use or disclosure of health information in a healthcare recipient’s My Health Record will no longer have effect insofar as they relate to the collection, use or disclosure of My Health Record information. 76

Other government agencies also have powers to obtain information and evidence. For example, under the Taxation Administration Act 1953, the Commissioner of Taxation has the power to require persons to produce to the Commissioner any documents in their custody or control ‘for the purpose of the administration or operation of a taxation law’.77 However, as this legislation is not included in proposed subsection 65(3), the Australian Taxation Office would need to seek a disclosure order to request the disclosure of a person’s My Health Record system records (see below).

The Explanatory Memorandum states that the amendments mean that ‘no state or territory laws can authorise or require a participant to collect, use or disclose health information in a healthcare recipient’s My Health Record’.78 If the amendments are passed, it is not clear if there will be tension between this strict limitation and the state and territory laws under which the disclosure of My Health Record health information would previously have been authorised. For example, it is unclear to what degree the existing state and territory public health reporting and mandatory child abuse notification obligations will overlap with section 64 of the MHR Act which authorises the collection, use or disclosure of My Health Record health information ‘in the case of a serious threat to public health and safety’.79

74. In particular the Australian Information Commissioner Act 2010 establishes the Office of the Australian Information Commissioner (OAIC). The functions of the OAIC include freedom of information functions, privacy functions and information commissioner functions (which concern information management by the Commonwealth Government).

75. Explanatory Memorandum, op. cit., p. 9.

76. Ibid.

77. Paragraph 353-10(1)(c) of the Taxation Administration Act 1953 (Cth).

78. Explanatory Memorandum, op. cit., p. 9.

Disclosure orders

Item 12 inserts proposed sections 69A and 69B which will provide for the disclosure of health information contained in a healthcare recipient’s My Health Record to designated entities by order of certain judicial officers.

What agencies can information be disclosed to?—‘Designated entities’

Proposed subsection 69A(1) provides that, if a designated entity presents the System Operator with an order under this section, the System Operator must comply with the order. A designated entity is ‘an agency, or State or Territory authority, within the meaning of the Privacy Act’ which is not a court, tribunal or coroner. The terms ‘agency’ and ‘State or Territory authority’ are broadly defined in section 6 (footnote 80) and subsection 6C(3) (footnote 81) of the Privacy Act. A wide range of government bodies and law enforcement agencies would be covered by the definitions of these terms.

Proposed subsection 69A(2) clarifies that except as authorised in proposed subsection 69A(1) or in accordance with proposed subsection 65(3) (inserted by item 10 above) ‘a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient’s My Health Record to a designated entity’.

79. For example, under the Public Health Act 2010 (NSW) a health practitioner and the Chief Executive Officer at a hospital have obligations to provide information regarding patients who may have notifiable diseases to the Secretary of the New South Wales Ministry of Health. Similarly, the state and territory legal obligations on health professionals include mandatory reporting of child abuse and neglect. For example, under the Children's Protection Act 1993 (SA) a medical practitioner who suspects on reasonable grounds that a child has been or is being abused or neglected must notify the South Australian Ministry of Health of that suspicion. That notification ‘must be accompanied by a statement of the observations, information and opinions on which the suspicion is based’ (subsection 11(3)). It is not clear if all of the potential collection, use and disclosures of My Health Record health information in relation to these obligations would be covered by section 64 of the MHR Act. This section authorises the collection, use or disclosure of health information where it is necessary to ‘lessen or prevent a serious threat to an individual’s life, health or safety’ (and unreasonable or impracticable to obtain consent) and where ‘necessary to lessen or prevent a serious threat to public health or public safety’.

80. In summary, section 6 of the Privacy Act provides that agency means: a Minister, a Department, ‘a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth enactment…’ (noting that courts and tribunals are excluded from the proposed definition of designated entity), ‘a body established or appointed by the Governor-General, or by a Minister, otherwise than by or under a Commonwealth enactment’, ‘a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth enactment, other than a person who, by virtue of holding that office, is the Secretary of a Department’, a person holding or performing the duties of an appointment, being an appointment made by the Governor-General, or by a Minister, otherwise than under a Commonwealth enactment, a federal court (noting that courts and tribunals are excluded from the proposed definition of designated entity), the Australian Federal Police, a Norfolk Island agency, an eligible hearing service provider, or the service operator under the Healthcare Identifiers Act 2010.

81. In summary, subsection 6C(3) of the Privacy Act provides that State or Territory authority means: a State or Territory Minister, a Department of State of a State or Territory, ‘a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a law of a State or Territory…’ (noting that courts and tribunals are excluded from the proposed definition of designated entity), a body established or appointed, otherwise than by or under a law of a State or Territory: by the Governor of a State; the Australian Capital Territory Executive; the Administrator of the Northern Territory; or a State or Territory Minister, a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory, other than the office of head of a State or Territory Department (however described), a person holding or performing the duties of an appointment made, otherwise than under a law of a State or Territory, by: a Governor of a State; or the Australian Capital Territory Executive; or the Administrator of the Northern Territory; or a State or Territory Minister, a State or Territory court (noting that courts and tribunals are excluded from the proposed definition of designated entity).

Proposed subsection 69A(3) further clarifies that the section does not authorise ‘the System Operator to use or disclose healthcare recipient-only notes’.82

Proposed subsection 69A(4) requires the System Operator to make a written note of any uses or disclosures of personal information under the section.

Grounds for granting access

Proposed subsection 69A(5) provides for designated entities to apply to certain judicial officers for an order for disclosure of health information included in a healthcare recipient’s My Health Record. A designated entity may apply to a magistrate of a state or territory or to a judge who is eligible under proposed subsection 69B(2).

Proposed subsection 69A(6) outlines the conditions for the judicial officer in making an order. The proposed test has two limbs that must each be satisfied.

First, (proposed paragraph 69A(6)(a)) a judicial officer may make an order if the designated entity satisfies the judicial officer, by information on oath or affirmation, that:

• the designated entity has powers or duties of the kind mentioned in proposed subsection 69A(7). These are:

- the designated entity has power under a law of the Commonwealth or a state or territory (other than a law covered by proposed subsection 65(3)) to require persons to give information to the designated entity or

- officers of the designated entity are, in the ordinary course of their duties, authorised to execute warrants to enter premises and seize things found, including documents

• if the designated entity has powers under a law of the Commonwealth or a state or territory to require persons to give information to the designated entity—the designated entity has exercised or purported to exercise its power to require the System Operator to disclose information to which the order will relate

• in all the circumstances, the particular disclosure of the particular information to the designated entity is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity and

• there is no effective means for the designated entity to obtain the particular information, other than an order under this section.

Second (proposed paragraph 69A(6)(b)), in considering whether, in all the circumstances, the particular disclosure of the particular information is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity, the judicial officer must also be satisfied that ‘the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient’.

Subsection 69A(8) provides that the judicial officer must not make an order unless the designated entity or some other person has given the judicial officer, either orally or by affidavit, such further information (if any) as the judicial officer requires concerning the grounds on which the order is being sought.

The information required to be included in orders is outlined in proposed subsection 69A(9). Orders must:

• identify the healthcare recipient

• specify the particular information to be disclosed

• authorise one or more officers of the designated entity (whether or not named in the order) to obtain the information from the System Operator and require the System Operator to disclose the information to the designated entity

• specify the day (not more than six months after the making of the order) on which the order ceases to have effect and

• state the purpose for which the order is made.

82. Section 5 of the MHR Act provides that healthcare recipient-only notes ‘means health information included by the healthcare recipient in his or her My Health Record and described in the My Health Record system as healthcare recipient-only notes (whether using that expression or an equivalent expression)’.

The requirements in proposed subsection 69A(9) can be contrasted with existing arrangements under section 70 which does not contain comparable obligations.

The Explanatory Memorandum notes that while authorisation for disclosure under proposed section 69A is not limited to enforcement bodies ‘it removes any doubt that government bodies (except the Auditor-General, Ombudsman or Information Commissioner which are authorised under section 65) and law enforcement agencies can only obtain My Health Record information using an order by a judicial officer’.83

Threshold for disclosure to designated entities

The amendments of the Bill establish a standard for orders of disclosure to designated entities under proposed section 69A which appears to be tailored to the sensitive nature of the health information stored in the My Health Record system.

Any designated entity (for example, a government agency) who has a legal power to require persons to give information to the designated entity or whose officers ‘in the ordinary course of their duties’ are authorised to execute warrants to enter premises and seize things will be able to apply to an eligible judicial officer for an order. This means that a broad range of government bodies and agencies will be able to apply for disclosure orders relating to My Health Record health information.

The requirement in proposed subparagraph 69A(6)(a)(iii) that the judicial officer be satisfied the disclosure is ‘reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity’ is comparable to other provisions which allow for law enforcement officers to apply for warrants. While warrant application processes differ between jurisdictions, these search warrant application processes usually require a judicial officer to be satisfied on ‘reasonable grounds’ that the grant of the warrant is necessary.84

Under proposed paragraph 69A(6)(b), the judicial officer must also be satisfied, in considering whether the disclosure is ‘reasonably necessary’, that ‘the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient’. This requirement for the judicial officer to consider the ‘privacy’ of the affected person does not appear to be present in the requirements of other law enforcement search warrant processes.85

Proposed subparagraph 69A(6)(a)(iv) provides that the order may be made if ‘there is no effective means for the designated entity to obtain the particular information’ other than the granting of the order. This establishes another requirement before a disclosure order can be made. However, the provision does not provide guidance to the judicial officer on the standard to be applied in determining if this requirement has been met.

83. Explanatory Memorandum, op. cit., p. 11.

84. For example, section 3E, Crimes Act 1914 (Cth), section 48, Law Enforcement (Powers and Responsibilities) Act 2002 (NSW), section 465, Crimes Act 1958 (Vic), section 151, Police Powers and Responsibilities Act 2000 (Qld), section 41, Criminal Investigation Act 2006 (WA), section 117, Police Administration Act (NT), section 255, Crimes Act 1900 (ACT). In contrast, section 67 of the Summary Offences Act 1953 (SA) provides the Commissioner of Police ‘may issue general search warrants to such police officers as the Commissioner thinks fit’.

85. Ibid.

Notably, the warrant issuing process under the Crimes Act 1914 (Cth), requires:

If the person applying for the warrant is a member or special member of the Australian Federal Police and has, at any time previously, applied for a warrant relating to the same person or premises the person must state particulars of those applications and their outcome in the information. 86

The proposed process for the making of orders of disclosure to designated entities, and the requirements for the information which must be included in an order under subsection 69A(9), do not contain a comparable requirement.

While the System Operator is obliged to make a written note of the use or disclosure of personal information under proposed section 69A, it is not required to notify or inform the healthcare recipient who has been affected by the disclosure order.

Judicial officers

Proposed section 69B sets out the judges and state and territory magistrates who are able to make disclosure orders under proposed section 69A.

Proposed subsections 69B(1) and (2) provide that a judge of a court created by the Parliament may, by writing, consent to be nominated by the Attorney-General. The Attorney-General may then, by writing, nominate the judge to be eligible. Subsection 69B(3) clarifies that nominations are not legislative instruments.

Proposed subsection 69B(5) provides that the Governor-General may:

• arrange with the Governor of a state for the performance, by all or any of the persons who from time to time hold office as magistrates of that state, of the functions of a magistrate conferred by section 69A or

• arrange with the Chief Minister of the Australian Capital Territory for the performance, by all or any of the persons who from time to time hold office as magistrates of the Australian Capital Territory, of the functions of a magistrate conferred by section 69A or

• arrange with the Administrator of the Northern Territory for the performance, by all or any of the persons who from time to time hold office as Judges of the Local Court of the Northern Territory, of the functions of a magistrate conferred by section 69A.

However, proposed subsection 69B(4) provides that magistrates do not need to accept the functions conferred by proposed section 69A.

Personal capacity and immunity

Proposed subsection 69B(6) provides that the functions under proposed section 69A (to make disclosure orders) are conferred on judicial officers in their ‘personal capacity’ rather than as a court or member of a court. Despite this, proposed subsection 69B(7) clarifies that judicial officers performing functions under proposed section 69A have the same ‘protection and immunity’ as if the judicial officer were performing the function as the court or as a member of the court of which the judicial officer is a member.

86. Subsection 3E(4), Crimes Act 1914 (Cth). See also paragraph 41(3)(h), Criminal Investigation Act 2006 (WA).

Disclosure in relation to unlawful activities

Items 13, 14, 15, and 16 amend section 70 of the MHR Act. Currently section 70 authorises the System Operator to use or disclose health information included in a healthcare recipient’s My Health Record:

• if the System Operator reasonably believes it is ‘reasonably necessary’ for a range of law enforcement purposes and

• if the System Operator:

- has reason to suspect that unlawful activity that relates to the System Operator’s functions has been, is being or may be engaged in and

- reasonably believes that use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities.

The Explanatory Memorandum notes that the amended section 70 ‘will no longer relate to the use and disclosure of My Health Record information for law enforcement purposes and will only relate to use and disclosure of this information in relation to unlawful activity’.87

Item 13 amends the heading of section 70 to ‘Disclosure in relation to unlawful activities’.

Item 14 repeals subsections 70(1) and 70(2) which provide for the System Operator to disclose health information included in a healthcare recipient’s My Health Record for law enforcement purposes.

Item 15 inserts ‘(subject to subsection 3A)’ into subsection 70(3). This refers to proposed subsection 70(3A) inserted by item 16. As noted above, subsection 70(3) authorises the use and disclosure of health information where there is suspected unlawful activity in relation to the functions of the System Operator. The amendment will change the first part of subsection 70(3) to make disclosure of health information (but not use) by the System Operator under this subsection subject to proposed subsection 70(3A).

Item 16 inserts proposed subsection 70(3A) which limits disclosures by the System Operator under subsection 70(3). It provides that the System Operator is authorised to disclose under subsection 70(3) only the information the relevant person or authority needs to identify the matter or concerns ‘with sufficient clarity’ to:

• initiate consideration of the matter or concerns and

• if necessary, apply for an order under section 69A in relation to the matter or concerns.

The Explanatory Memorandum states that this amendment limits disclosures to the ‘minimal amount of information to enable the person or authority to identify the matter or concerns in order to take action’. It notes that allowing such disclosures ‘ensures the System Operator can continue to meet its obligations to protect the privacy and integrity of the My Health Record system and individual record holders’.88 The Explanatory Memorandum also includes an example of how this authorisation would operate in the case of an employee using their access to the My Health Record system to blackmail someone:

The System Operator would notify the Australian Federal Police (AFP) of the suspected activity and the name of the person being blackmailed to allow the AFP to investigate the matter. Were the AFP to form a view that My Health Record information was necessary, they would need to apply for an order under new section 69A…89

87. Explanatory Memorandum, op. cit., p. 11.

88. Explanatory Memorandum, op. cit., p. 12.

Other provisions

The provisions of the Bill include minor consequential amendments and the application of the amendments in relation to destruction of records.

Item 1 repeals the definition of enforcement body from section 5 of the MHR Act (which gave the term the same meaning as in the Privacy Act). As a result of the amendments made by items 13 to 16 this term will no longer be used.

Section 67 provides that healthcare recipients are authorised to collect, use and disclose for any purpose the health information included in their My Health Record. However, a note clarifies that the information that can be collected ‘may be limited’ if the healthcare recipient’s registration is cancelled. Item 11 amends this note to reflect the proposed amendments made to section 17 regarding retention and destruction requirements. The Explanatory Memorandum notes that ‘if a healthcare recipient has requested to cancel their registration in the My Health Record system, their My Health Record will be permanently deleted and, as a result, there will be no health information in the system for them to collect’.90

Item 17 provides that amendments to section 17 (made by items 4 and 5 relating to destruction of records by the System Operator) apply ‘to the health information of any healthcare recipient who has cancelled their My Health Record since the system began operating on 1 July 2012, unless the healthcare recipient re-registered before the amendments in the Bill commenced’.91

Concluding comments

The change of the My Health Record system from an opt-in to an opt-out model has prompted questions regarding the privacy and security of the stored health information. Medical professional organisations and others have raised concerns regarding access by enforcement bodies to health information. The Government has responded to these concerns through the amendments contained in the Bill, which are intended to ensure that no My Health Record information will be released to government agencies or enforcement bodies without an order made by a judicial officer. The amendments also oblige the System Operator (ADHA) to permanently destroy the health information contained in a healthcare recipient’s My Health Record when the registration of the person is cancelled.

The amendments contained in the Bill appear to have addressed the specific concerns which have been expressed regarding access by government agencies and enforcement bodies to My Health Record health information under section 70 of the MHR Act. However, the move to an opt-out model has raised, or renewed, a range of other privacy and security issues with the My Health Record system. Individuals and organisations with broader criticism or concerns in relation to the My Health Record system are likely to continue to advocate for further reform.

89. Ibid.

90. Ibid.

91. Ibid.

© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2500.