​Australian Privacy Foundation wants 'privacy tort' to protect health data

The Australian Privacy Foundation wants the federal government to act swiftly in ensuring the health information of citizens is safe from suffering the same fate as Equifax clients.
Written by Asha Barbaschow, Contributor

The Australian Privacy Foundation (APF) has requested that the federal government urgently reform existing laws and reconsider the administration of My Health Record, saying the recent Equifax data breach has highlighted the urgency of protecting citizen information.

In its submission to the Independent Review of Accessibility by Health Providers of Medicare Card Numbers, APF said that health records are just as valuable to hackers, and that the current system for storing and using health records in Australia is "hopelessly deficient".

"With lousy data security, and a world where data breaches are a daily event, the Australian government's reluctance to fix this problem is looking negligent," APF chair David Vaile said.

Vaile called for the establishment of a "privacy tort", such as a national law providing a right to compensation for anyone who has experienced a serious breach of privacy.

According to the APF, the tort has been recommended by Commonwealth, state, and territory law reform commissions and parliamentary committees over the last decade.

"A privacy tort is a common sense solution to a problem that will not go away," the APF claimed. "A privacy tort exists in most major economies. Australians are now almost alone in remaining exposed to massive privacy breaches without any enforceable legal remedy. Australia is increasingly isolated by its failure to offer this basic self-help protection for citizens' rights in the digital age."

Similarly, the APF also called for strengthening the Office of the Australian Information Commissioner (OAIC), labelling the agency led by Timothy Pilgrim as being "underfed".

"There needs to be greater transparency in disclosure by government of data breaches, particularly those relating to health records," Vaile added. "We should not rely on journalists to discover that our privacy has been breached."

The Australian government opened its review into the Health Professional Online Services (HPOS) system last month.

When announcing the HPOS review in July, the government admitted it was commissioned in response to reports originally made by The Guardian that Medicare card details were being sold on the dark web.

The HPOS review is expected to consider the balance between allowing appropriate access to Medicare card numbers for health professionals to confirm patients' Medicare eligibility and the security of patients' Medicare card numbers.

It will also review citizen and health professional access to Medicare card numbers via the HPOS system and the accompanying telephone channel.

HPOS, introduced in 2009, is currently used 45,000 times daily, and allows medical practitioners and health providers to look up Medicare details when a person does not have a Medicare card on them.

Vaile wants to see the privacy amendments his organisation is calling for made with urgency, pointing to federal government's electronic health records system My Health Record, which was last month given the go-ahead from the Council of Australian Governments Health Council (COAG) to begin automatically signing up Australians.

"These changes are now urgent because Australia is establishing the billion-dollar MyHR program, intended to create electronic access to the medical records of most people across Australia," he said.

By 2018, all Australians will have a My Health Record, and by 2022, all healthcare providers will be able to contribute to and use health information stored in My Health Record on behalf of their patients. They will also be able to communicate with other healthcare providers on the clinical status of joint patients via the digital platform.

Australians will be able to opt out if they choose.

Despite approval from COAG, there is no standard way to share data between providers, and by the end of next year only draft standards and a roadmap for implementation are pencilled in.

"There needs to be a full independent review of the whole controversial MyHR program, given the widespread concerns by health, information technology, and legal specialists that its design, security model, and implementation is fundamentally flawed," Vaile added.

"Trust is the basis of effective medicine, and the clinical relationship at the heart of it, but there is no trust in My Health Record's defective design and inadequate operation. The government system is so inadequate that Australians' health records will be a click away from being stolen."

Additionally, the privacy foundation opposes calls for the establishment of a multi-purpose national identity card -- a new Australia Card -- to replace the Medicare Card or Medicare Number.

"Such a card will not meaningfully inhibit identity crime. It will require resources that are more usefully invested in public health," Vaile added.

"It will not be a trustworthy solution. It will erode the privacy of all Australians."

Editorial standards