E-health opt-out records a 'huge invasion of privacy'

The Privacy Foundation has accused the Australian Senate of ignoring privacy concerns in making the e-health record system opt-out.
Written by Corinne Reichert, Contributor

The Australian Privacy Foundation has accused the Senate of being "dangerously naive" in thinking that opt-out e-health records could be secured against breaches of privacy.

Bernard Robertson-Dunn, a member of the Privacy Foundation who has also constructed IT systems for several government departments, said it is "patently absurd" for the Senate inquiry committee to think that Australian laws will do anything to deter criminals and cyber attacks from overseas.

The Senate had said it would institute penalties for privacy breaches in order to address concerns over the misuse of confidential medical information.

The Senate had ignored expert advice by changing the e-health records to be opt-out, according to the Privacy Foundation, with the likelihood of personal information being stolen and published in an attack similar to the Ashley Madison hack increasing with the more data that is stored.

"This is in spite of being told that it is insecure and a major threat to the privacy of most Australians, has little value to health professionals, and has all the appearance of primarily being an aid to law-enforcement and revenue-collection agencies," Robertson-Dunn said in a letter to senators.

Even lawful access to the medical information could constitute a "huge invasion of privacy", the Privacy Foundation argued, as anyone employed by a medical facility could access the health records of patients.

The Australian government's e-health record system was switched on in 2012, and was given a further AU$485 million in funding in the 2015-16 Budget in May. At the same time, it was rebranded from the "personally controlled e-health record system" (PCEHR) to My Health Record.

The most recent funding injection will improve the billion-dollar system by updating it with various recommendations from GPs who have used the system in its current state.

According to Minister for Health Sussan Ley, less than one in 10 Australians have signed up for the service so far.

"In this modern world, where technology makes information sharing boundless, there's no excuse for Australia not to have a functioning national e-health system," Ley said.

"Doctors have indicated that they're much more likely to use the system if all their patients have a record. We also need full coverage if we're to cut down on inefficiencies created by not having one seamless records system, such as double ups with testing, prescriptions, and other procedures."

Ley said that a properly functioning national e-health system could save taxpayers up to AU$2.5 billion per year within a decade's time, with another AU$1.6 billion per year savings for the states.

A 2013 review of the system by former Minister for Health Peter Dutton had suggested that the system be made opt-out in order to improve signup numbers. In September this year, the government responded by introducing legislation that will see e-health accounts automatically assigned to patients. The government will begin trialling these opt-out accounts, with a nationwide rollout planned should the trials be successful.

The Office of the Australian Information Commissioner (OAIC) revealed last month that it only responded to eight mandatory data breach notifications concerning the e-health record system during the 2015 financial year, and had made various recommendations to the Department of Health on privacy concerns, including to make the system opt-out.

A human rights parliamentary committee, led by Liberal party member Philip Ruddock, has also raised privacy concerns about the opt-out e-health record system.

The Australian government has been prone to turning a blind eye on privacy concerns, with critics panning the mandatory data-retention laws as being a "honey pot" for would-be hackers.

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, passed by the Australian government in March, came into effect last month. It will see customers' call records, location information, IP addresses, billing information, and other data stored for two years, accessible without a warrant by law-enforcement agencies.

Prior to the law's passing, Australian Privacy Commissioner Timothy Pilgrim attempted to argue that the two-year retention period should be assessed against the risk to privacy of storing such a large amount of personal data. He pointed out that 90 percent of investigations relying on retained data only use data that is less than one year old.

"If a decision is made to implement a scheme such as this which is going to require, as I said, the holding or the collection and retaining of huge volumes of data and personal information about people for a long period of time, we need to look at what else we can put in place to do our best to secure that information," Pilgrim said.

Such a risk would be compounded by the fact that national security agencies will be accessing and sharing the customer data -- despite these organisations having a long history of privacy breaches through carelessness.

In February last year, the Immigration Department published the details of almost 10,000 asylum seekers, including their full names, dates of birth, genders, nationalities, periods of immigration detention, locations, boat arrival information, and the reasons why an entrant was classified as having travelled into Australia "unlawfully".

In a similar gaffe, the same department accidentally emailed the passport numbers, dates of birth, and visa information of world leaders attending last year's G20 summit in Brisbane -- including those of US President Barack Obama and Russian President Vladimir Putin -- to a member of the Asian Cup Local Organising Committee.

The e-health record opt-out trial will involve 1 million patients in North Queensland and the Blue Mountains in New South Wales, and is set to begin in early 2016.

With AAP

Editorial standards