This past week has seen a flurry of activity in Australia concerning privacy and human rights. UN Special Rapporteur on the right to privacy, Professor Joseph Cannataci, has spoken at a number of events as part of consultations he is undertaking while visiting Australia. In the same week, the Australian Human Rights Commission launched its own issues paper on human rights and technology.
Meanwhile, Australians have been caught up in yet another government data project whose design confounds even the most basic notions of privacy. My Health Record is a centralised electronic medical record created automatically for every Australian. While originally Australians could opt in to the service, it has now become 'opt out'.
The concept sounds good. Imagine a one-stop-shop of your medical details at the fingertips of your doctor. For people with complex health needs in particular, such a record would surely assist in providing seamless care. However, there are three serious flaws in the system that together demand our serious attention before we hand over control of our collated health data to My Health Record: these are the design of the system, its legal framework, and the overarching culture surrounding data in Australia.
Rather than a complete record of a patient's medical history, My Health Record provides summary information including instances of Medicare-rebated health care and prescribing history, as well as immunisations and allergies. Doctors may also upload clinical notes. Patients may also place constraints on what information is uploaded to their record, and who may access that information.
Doctors accessing this information in one place is a recognised benefit of the system: it will help bridge gaps in communication between treating doctors. But people will still need, and will still have, full medical notes at their doctor's and from hospital visits. The My Health Record system is no substitute for a full medical history.
Information in My Health Record may be breached or released by a host of others beyond those working in a doctor's surgery or hospital. This is expressly contemplated by the legal framework of My Health Record, in the My Health Records Act. Of particular concern, the Department is authorised to release patients' information for law enforcement purposes where it reasonably believes disclosure is reasonably necessary for a broad range of law enforcement purposes.
This is not a mandatory provision. The Department is not obliged to release patient information to law enforcement agencies. But it is authorised to do so. Therefore, there is no requirement for a warrant to access patient information if the Department is willing to hand it over.
"It is incumbent on citizens to vote with their feet — to protest and to opt out of My Health Record — to send a message to government that we do not accept this incursion of state power."
The Department has indicated that its policy is to refuse to disclose information. However, a policy does not give patients a right for their information to be protected. Beyond the Act, Australia has no bill of rights. We have no entrenched privacy protections. There is no check on government power over our sensitive health information which government will capture by default.
In response to persistent public outcry about My Health Record, the Prime Minister indicated late last week that the government would review the legislation. He stopped short though, of explaining what action would be taken.
And this brings me to the culture surrounding data in Australia. Data is seductive. It (legitimately) forms the basis of scientific inquiry, of evidence-based government policy, and of commercial enterprise. Government therefore has a tendency to try to use pools of data for as many purposes as possible — including to sell it. This is what happened in the 2016 Australian Census, and what caused such opposition.
On the other side of the equation, citizens as users of the internet have been softened into giving up their data to corporations, largely unknowingly. Governments have capitalised on this learned complacency in developing information infrastructure that gathers and aggregates our data from diverse sources. This data provides government with the means of making decisions for the public good, but it also expands government power at the expense of the citizen's freedom, autonomy, and self-determination.
My Health Record is the latest example of a system that lures us with proclaimed benefits and convenience, but in a way that enhances government power without balancing government responsibilities to ensure citizens' civil liberties. The power to share health information with law enforcement raises questions about Centrelink enforcement proceedings, NDIS investigations, workers compensation matters, and disciplinary matters against professionals, among others.
The relationship between My Health Record and secondary services or apps, such as those used to book appointments with your doctor, is also unclear, with the potential for health information to be shared with (sold to) commercial third parties.
It is not possible to understand the benefits of a massive data collection program such as My Health Record in the absence of considering its effect on the relationship between citizen and the state. It is incumbent on citizens to vote with their feet — to protest and to opt out of My Health Record — to send a message to government that we do not accept this incursion of state power. And it is incumbent on government to listen and act.
See the Australian Privacy Foundation for information on how to opt out by the due date of 15 October.
Make a submission here to the Human Rights Commission about technology and human rights.
Kate Galloway is a legal academic with an interest in social justice.