Title BILLS
My Health Records Amendment (Strengthening Privacy) Bill 2018
Second Reading
Database Senate Hansard
Date 14-11-2018
Source Senate
Parl No. 45
Page 8065
Party ALP
Status Final
Speaker Bilyk, Sen Catryna
Stage My Health Records Amendment (Strengthening Privacy) Bill 2018
Context BILLS
System Id chamber/hansards/b8a44c40-3453-4209-9b0b-b13bdd868983/0021


BILLS - My Health Records Amendment (Strengthening Privacy) Bill 2018 - Second Reading


Senator BILYK (Tasmania) (10:30): I rise to speak on the My Health Records Amendment (Strengthening Privacy) Bill 2018. This is a very, very important bill, and one which we really have to get right. But, regretfully, it's been pretty clear, in the minds of the Australian people, that this government has failed in its management of the rollout of the My Health Record system. I'm disappointed that this government's failures have led to such unnecessary anxiety and distress and have seriously damaged public trust in a system that should have provided a positive outcome for health care in Australia. It's clear, once again, that the government's myopic focus on internal politics has kept them from governing sensibly, responsibly and in the interests of all Australians.

Let me be clear: Labor support e-health and the concept of the My Health Record. It was Labor that kickstarted the development and implementation of an electronic health record system when we were last in office. The electronic health records could provide significant improvements to the way Australians receive health care. Some of the advantages include: improving coordination between GPs, specialists and hospitals; and cutting down on duplication and errors in diagnosis, prescriptions and treatments.

Implemented by a competent government, e-health records could deliver tangible healthcare improvements while making cost savings that could be reinvested in the healthcare system. Implemented by a competent government, e-health records could save lives. However, this government have demonstrated gross incompetence and have seriously botched the implementation of their opt-out scheme. Those opposite have a track record of dramatically failing in their implementation of information technology solutions, and it was this government—we should all remember this—that gave us the census and the robo-debt debacles. Disappointingly, we've also seen Medicare and PBS data leaked and the absolutely disastrous outsourcing of the National Cancer Screening Register to Telstra, which still hasn't delivered a functioning system. Only a government as incompetent as this one could roll out a second-rate National Broadband Network using outdated technology and yet still experience delays and cost blowouts. Now we can see the added implementation of the My Health Record system, and we can add that to that sorry list. The blame for this lies squarely at the feet of this government.

Labor tried to warn the government that their My Health Record implementations were flawed. Even as far back as 2015, which I think is when the My Health Record bill was passed, Labor shadow minister Catherine King moved a second reading amendment which noted 'the inadequacy of this bill in making real improvements to a national electronic health record system'. Although the government voted down the amendment, wouldn't you think that they would have at least heeded its warning and maybe had a look at it? But they didn't, and just last month we found ourselves once again trying to clean up another government mess.

The e-health system Labor began implementing was opt in, and we thought that was the right approach—so anyone who participated had to give informed consent. However, the changes made by the government in 2015 moved the system from one of informed consent to one of presumed consent. Informed consent is a foundational principle on the way that health professionals work together with those in care. It's based on a very strong relationship of trust and is embedded across the entire healthcare system. Moving to a presumed consent model and providing a period in which people could choose to opt out of the system altogether was a very significant change. It was both legal and ideological, as well as representing a significant change in the healthcare relationship.

Bringing both healthcare professionals and the Australian public along with these changes is absolutely essential to its success. It requires properly and consistently explaining to the Australian public not just how the opt-out system works but why this change is even necessary. However, the government decided in its own stubborn way and without proper public debate—yet again—to make My Health Record an opt-out system. They failed, in their arrogance, to properly explain why or even to make a vague attempt to educate the public about their approach.

Their failure to communicate has fuelled many of the privacy and security concerns Australians have had about My Health Record. It's these concerns that have led to more than 1.1 million Australians opting out of having a My Health Record since the beginning of the opt-out period. The government could have communicated with the Australian public quite easily. The government could have sent Australians a letter, like they did in the small opt-out trial sites that they ran, but they chose not to do that, obviously embarrassed by the mistake of sending letters in the trial sites to people who were deceased. They could have run TV advertisements—and, let's be honest, the government generally have no problem running advertisements that promote their policies—but they didn't do that either. While the Australian Digital Health Agency could afford to spend $81 million on consultants last year alone, it's disappointing that they couldn't spend money explaining a fundamental change to how Australians' private health data is stored and shared. In July, as the opt-out period began, all of the criticisms that the government hoped to keep quiet came flooding out. While the botched rollout of the opt-out period occurred under Mr Turnbull's government and undermined public trust in the important reform, it's really disappointing that the Morrison government still couldn't get it right.

This bill responds to public anger over the scheme by making some changes that Labor welcomes. The changes include requiring law enforcement and other government agencies to get a court order to access records and permanently deleting the health information of people who opt out of the My Health Record. These are positive changes, and we support them, but, as Labor senators noted in the reports of two Senate inquiries—one into the bill itself and another into the My Health Record system more generally—the changes in the bill do not go far enough. The Senate Community Affairs Legislation Committee inquired into this bill and reported on 12 October 2018. Despite the Minister for Health dismissing the inquiry as a stunt, which is typical of this government's approach, the completed inquiry revealed a range of serious flaws in the current legislation that were not addressed by the government's bill.

We've had grave concerns about whether the bill sufficiently protects vulnerable people. For example, this bill does nothing to address concerns that My Health Record may risk the safety of women fleeing from abusive partners, or children needing privacy from non-custodial parents. Workers have also raised concerns that doctors who perform pre-employment or workers' compensation assessments may pass health information to employers and that employers could use this information to discriminate against employees—for example, on the basis of pre-existing medical conditions. These are basic flaws that need to be fixed.

Submitters to the Senate inquiry had important points to make about their concerns with the bill, and I'd just like to share a few with the chamber. Australian Lawyers Alliance expressed concern. They say:

… the inadequate measures in place to protect the medical records in the My Health database from 'coercive sharing', where individuals may be coerced into providing access to their medical records when applying for employment or seeking insurance products.

The Australian Association of Social Workers strongly recommended:

… much greater consideration needs to be given to victims and survivors of family violence, including safeguards to assure that the record is not used to further perpetuate abuse.

In their submission, the Australian Medical Association expressed concerns about insurers having access to the data. The AMA told the committee:

The AMA shares the media concern that health insurers should not have access to My Health Record data. Their interest in this data presents a clear conflict of interest between the financial benefit of avoiding fund members who are high risk claimants and their obligations to abide by the principles of community rating. The My Health Records Amendment (Strengthening Privacy)Bill 2018 presents an opportunity for a further amendment to the Bill to remove all doubt data sharing with health insurers will occur at some point in the future.

Labor senators, in their dissenting report on the inquiry, signalled our intention to move amendments to this bill. We want to ensure that the My Health Record can never be privatised or commercialised; that private health insurers can never access My Health Record, including de-identified data; that employees' right to privacy is protected in the context of employer directed health care by including a clause similar to section 14(2) of the Healthcare Identifiers Act in the My Health Records Act; that vulnerable children and parents, such as those fleeing domestic violence, are protected by narrowing the definition of parental responsibility; and that the system operator, the Australian Digital Health Agency, cannot delegate access to My Health Record to other entities. These amendments seek to address concerns raised by medical professionals, law experts, domestic violence advocates and unions throughout the course of the inquiry.

Labor also initiated the broader Senate Community Affairs References Committee inquiry into the My Health Record framework as a whole. This inquiry focused on elements of the system that are beyond the scope of this bill such as the government's position to switch to an opt-out system, the communication of this change, and default settings with the record. The report of the references committee inquiry was tabled on 18 October. This report had several recommendations relating to privacy and security. They included that access codes be applied to each record as a default and can only be overridden in an urgent situation, that the privacy of 14- to 17-year-old children be protected and that the period for which a My Health Record can be suspended in the case of serious risk to the healthcare recipient be extended, as well as a range of recommendations strengthening protections against the use of My Health Record data for secondary commercial, employment or insurance purposes.

We welcomed the government's announcement just last week that they will be taking up Labor's suggestions and moving amendments to this bill to address the numerous concerns raised by stakeholders. For several weeks Labor has had these sensible changes on the table, yet the Minister for Health, Mr Hunt, has refused to engage with us. They say that imitation is the sincerest form of flattery, but it is simply not good enough that the government is scrambling to implement our changes at the eleventh hour. With only tomorrow before the end of the opt-out period, it's absolutely vital that the period be extended. This bill and the government's amendments will not pass the parliament in time for important privacy and security provisions to be put in place before the end of the opt-out period. The House of Reps doesn't even sit again for more than a week after the opt-out period ends, and it's not sitting this week either. This means that some Australians may actually opt out because of the privacy concerns that could have been addressed by the bill when it finally passes. Rather than rushing at the last minute to fix its My Health Record mess, the government actually needs to take a deep breath, take a step back and take the time to get this reform right.

The Senate has joined Labor's call passing, I think, Senator Watt's motion on Monday, which calls on the government to:

… extend or suspend the opt-out period until the legislation and any amendments are passed, outstanding privacy and security issues are addressed and public confidence in this important reform is restored.

We've also called on the government, given the numerous privacy and security concerns raised about My Health Record, to commission an independent review of the My Health Record system by the Privacy Commissioner and the Office of the Australian Information Commissioner. This review should consider the appropriate balance between utility for clinicians, patients and others, such as carers, and privacy and security for individuals; the difficulty of ensuring informed consent in an opt-out model and measures to encourage consumer engagement and informed choice; changes to default access settings that are necessary because of the shift to an opt-out model; particular protection for vulnerable people, including minors aged between 14 and 17 and families fleeing domestic violence; and further legislative policy and system changes that are needed to achieve these aims.

Our concerns and our call for an independent review have been given further impetus by recent revelations now that the Australian Digital Health Agency's director of privacy has quit. An articleinThe Sydney Morning Heraldon9 November said:

… sources close to Ms Hunt confirmed that she had left the business out of frustration that privacy and security concerns her team had raised with senior management were often ignored.

One of the sources was quoted as saying ADHA's privacy staff were 'disillusioned', that there was a pattern of 'not listening' at senior levels of the ADHA and within the health minister's office and that concerns were treated simply as management or public relations issues. That's not good enough. It's understood that, of the agency's privacy team, which consisted of four staff, one has moved overseas and another is going on leave for 12 months. With the director's departure, this will leave just one dedicated privacy staff member at the ADHA from December, and that's pretty concerning; in fact, it's extremely concerning. The fact is that there are privacy concerns being raised, not just by Labor and not just by stakeholders in the submissions to the Senate inquiries but within the ADHA itself, and that adds a great deal of weight to our call for an independent privacy review.

Also adding weight to the call for an independent review is the recent news that 99 My Health Record data breaches have been reported to the Office of the Australian Information Commissioner, including 11 breaches since 1 July this year. At the same time as the OAIC was reporting multiple breaches over the course of the past six years, a spokesperson for the health minister claimed there has never been a reported security breach of the system. Why is there a disparity between the reports of the OAIC and the minister about whether data breaches have occurred and how many? The conflicting claims of the minister's office against those of the OAIC, the concerns raised by not one but two Senate inquiries and the reports from within the agency itself all demonstrate the vital importance of an independent privacy review of the My Health Record system. They also strongly support the case for an extension to the opt-out period. As I said before, the deadline for that is 15 November—that's tomorrow—so this suspension must be announced immediately.

Labor will be moving an amendment to this bill to insert a 12-month extension. A 12-month extension will give the government time to run a new public information campaign that reaches every Australian and allows them to make a fully informed choice about whether to opt out of the scheme. It would also give the government plenty of time to commission an independent review of outstanding privacy concerns with the system. We welcome the government's attempt to finally fix the flaws in this bill, but this bill should be the first step to fixing their My Health Record mess, not the last.

Had the government agreed to work constructively with Labor to fix the problems with the rollout rather than be obnoxious and say, 'We know best and we know how to do everything,' we may have been able to help save them from their own shambolic mess. If they heed Labor's call to extend the opt-out period and to commission an independent review of the privacy and security concerns, they just might be able to restore the trust to the medical profession and the broader Australian public. Unfortunately, for this incompetent government, public confidence in their ability to implement this important reform is currently at an all-time low. But it's not just the government who will suffer from the mess that they've created. Until this mess is fixed, millions of ordinary Australians will miss out on the benefits of an electronic health record because they cannot trust the privacy and the security of the Morrison government's My Health Record. I urge the government and crossbenchers to support Labor's sensible amendment for an extension of the opt-out period.