This past week has seen a flurry of activity in Australia concerning privacy and human rights. UN Special Rapporteur on the right to privacy, Professor Joseph Cannataci, has spoken at a number of events as part of consultations he is undertaking while visiting Australia. In the same week, the Australian Human Rights Commission launched its own issues paper on human rights and technology.
Meanwhile, Australians have been caught up in yet another government data project whose design confounds even the most basic notions of privacy. My Health Record is a centralised electronic medical record created automatically for every Australian. While originally Australians could opt in to the service, it has now become 'opt out'.
The concept sounds good. Imagine a one-stop-shop of your medical details at the fingertips of your doctor. For people with complex health needs in particular, such a record would surely assist in providing seamless care. However, there are three serious flaws in the system that together demand our serious attention before we hand over control of our collated health data to My Health Record: these are the design of the system, its legal framework, and the overarching culture surrounding data in Australia.
Rather than a complete record of a patient's medical history, My Health Record provides summary information including instances of Medicare-rebated health care and prescribing history, as well as immunisations and allergies. Doctors may also upload clinical notes. Patients may also place constraints on what information is uploaded to their record, and who may access that information.
Doctors accessing this information in one place is a recognised benefit of the system: it will help bridge gaps in communication between treating doctors. But people will still need, and will still have, full medical notes at their doctor's and from hospital visits. The My Health Record system is no substitute for a full medical history.
Information in My Health Record may be breached or released by a host of others beyond those working in a doctor's surgery or hospital. This is expressly contemplated by the legal framework of My Health Record, in the My Health Records Act. Of particular concern, the Department is authorised to release patients' information for law enforcement purposes where it reasonably believes disclosure is reasonably necessary for a broad range of law enforcement purposes.
This is not a mandatory provision. The Department is not obliged to release patient information to law enforcement agencies. But it is authorised to do