My Health Records Amendment (Strengthening Privacy)

House of Representatives, 17 September 2018

Watch Matt's Speech here

Mr KEOGH (Burt) (18:46): Imagine a world where the government knew your entire medical history and your future job prospects were determined by this, a world where employers and government agencies could go over your head and review your confidential health records without permission. Imagine a world where you could be tracked by an abusive ex-partner through a publicly accessible database of all your medical information ever, a database containing all your medical information which has been put there without your express permission. It's reminiscent of the dystopian world described in the movie Gattaca, not real life in Australia in 2018—yet this is the world we find ourselves in.

The uproar from Labor and the wider public appears to have been heard with the government's acceptance that its rollout of the My Health Record system has been, in a word, appalling. The government's decision to switch to an opt-out model of the My Health Record rather than the opt-in model that was previously in existence has given rise to a number of significant privacy and security concerns that we don't believe have been properly addressed. In addition to this, we don't believe that there was an appropriate community consultation process undertaken in assessing this model, with communication with the wider community being next to nothing.

This bill responds to public anger over the My Health Record scheme by making some changes that Labor welcome, including requiring law enforcement agencies and other government agencies to seek a court order to access personal health records as well as permanently deleting the health information of people who choose to opt out of this system. While we do continue to have strong concerns about the government's implementation of the My Health Record system, we support this bill in the House.

Let's break it down further though, shall we? The My Health Record system has been designed to provide health professionals with a singular central source of health and medical information for each Australian so as to allow them to see any diagnosed condition, medical history, prior tests and pathology outcomes, allergies, treatment regimes, locational information and more. This is incredibly personal information and it could easily be used against someone. Therefore, it is very important that the privacy and security of such information is maintained. At the same time, to improve the medical care provided to a patient where this information could be made available to health professionals, especially during a medical emergency, it would be incredibly useful. However, this isn't the sort of information Australians would expect government agencies, law enforcement bodies, their health or life insurer, their employer or a violent former spouse to be able to get their hands on. This bill amends the act to require a court order or a consumer's express consent in order to disclose health information from their My Health Record to law enforcement agencies or other government bodies. While the government argues this is already its policy, with the number of broken and back-tracked promises—on school funding, ABC funding and a Prime Minister that will go a full term—we want to ensure that this policy, just like the Turnbull-Morrison government's GST break-up, is actually enshrined in legislation.

This bill sets out a range of conditions under which a judicial officer may make such an order, including that the disclosure be reasonably necessary and that the requested information not be already available elsewhere. Further to this, the bill exempts the Auditor-General, the Ombudsman and the Information Commissioner from that court order requirement. While the Liberal government claims that these limited agencies are compelled to ensure the privacy and security of the system, Labor, through a Senate inquiry, will test the relevance and efficacy of these exemptions.

The second element of the bill amends the act to require the permanent deletion of health record information for all consumers who opt out of the My Health Record system. Under the current plan, this information would be locked down but would continue to be retained until 30 years after an individual's death. This raises the question: what happens when a young person wants to get rid of the record their parents set up for them without their consent when they were a child?

While we do support this bill, as it does strengthen privacy protections to an extent, we will continue to liaise with the Senate inquiry and the community to allay further concerns. The inquiry is currently underway and seeks to run a fine toothcomb over the government's plan, and we expect to hear its findings next month. Through the referral to the Senate inquiry, we hope our further questions in relation to My Health Record will be answered.

In addition to this, we will move two amendments to the bill in the Senate, specifically in relation to protecting workers from misuse of their My Health Record information and protecting against inappropriate access to My Health Records. When it comes to protecting workers from misuse of these records, there have been significant concerns raised about access to medical records by health insurers and those assessing workers compensation claims. Unions have told us that they are worried doctors and other assessors who perform pre-employment or workers compensation assessment on behalf of employers might have access to an employee's My Health Record without their express permission or, indeed, even their knowledge. This information could be used to discriminate against potential employees, perhaps on the basis of a pre-existing medical condition that may not even be relevant to the role they are seeking to undertake. Legislating for this confidentiality will be a step in the right direction.

In the same vein, we must ensure that inappropriate access to My Health Records does not facilitate family violence or other unnecessary and nefarious access to and use of health record information. Should these records not be appropriately protected, there is nothing to ensure these records won't be used by perpetrators in family violence situations. For example, in a situation involving children who might be victims of an abusive family situation, what is there to prevent an abusive parent setting up a My Health Record for their child to keep an eye on where they are and what their medical situation is, regardless of their custody agreements? The legal fraternity is concerned that the system provides a loophole for a violent person to create a record for their child without their former partner's express consent, paving the way for these individuals to track down their estranged family's location, something that has been well covered in the press.

Furthermore, while access is intended to be limited to regulated medical professionals where consent is provided, no explanation has been given for how this restricted access will operate in a medical centre or hospital environment. These are places where every registered nurse could conceivably have access, if not other non-medical staff depending on the design of their systems. Nor has there been explanation of how such access is restricted by patient consent. Once consent is given, who else at a centre or hospital may then have access? One of the purported benefits of the My Health Record system is said to be access to medical record information in an emergency, where a patient may be unconscious and clearly unable to give consent. This being the case, the scope for unauthorised and illegitimate access appears almost unlimited. In these circumstances, what stops a nurse from looking up the Prime Minister's medical records for blackmail purposes? What stops an OT looking up his ex-wife's medical records to locate her after she has gone into hiding, fleeing domestic violence? If the government has answers to this, I would like it to provide them.

When Labor drafted a plan for My Health Record years ago, it was intended as an opt-in system, an educated, informed, signed-up process to ensure all participants had provided informed consent to ensure a streamlined medical process. The thought behind this was that e-health could deliver tangible health care improvements and save healthcare costs through fewer diagnosis, treatment and medication errors. But the government's botched roll-out means there has been only minimal take up and it has now decided to make a voluntary, informed consent scheme mandatory.

This bill is a start. But it doesn't go far enough. We believe it won't do much to put to rest the fears of the community on privacy and security. This, after all, is the government that is responsible for the 2016 census debacle. Should Labor form government, we will ensure this bill further legislates for the protection of women fleeing abusive partners and for children needing privacy from non-custodial parents. Should Labor form government, we will ensure that individuals won't be unfairly discriminated against by potential employers or in workers compensation claims. Should Labor form government, we will continue to review the recommendations from the Senate inquiry that are beyond the scope of the present bill. We will assess why the government shifted to an opt-out system, why it communicated this change so poorly, and why the default settings within the My Health Record are what they are. This must be further investigated and under a Bill Shorten Labor government that's what we would do.

This Liberal Abbott-Turnbull-Morrison government's track record when it comes to cybersecurity and privacy are quite frankly pitiful. They botched the roll-out of the NBN and the NDIS, the census failed under them and now we have the My Health Record debacle. This government cannot be trusted to store our valuable health information in a central database. That's already been proven with this roll-out. So, while we do support this bill because it is taking steps in the right direction towards more privacy, the people of Australia can be assured that, if elected, a Bill Shorten Labor government would make sure that it is an e-health system each and every Australian is comfortable with.