My Health Record remains opt-out as Senate passes privacy amendments

The Australian government's version of improved health data privacy controls will be implemented after only minimal Senate debate.

The automatic creation of digital health records will continue as planned for all Australians who haven't opted out by the new deadline of January 31.

The laws controlling Australia's contentious centralised My Health Record system will get significantly improved privacy provisions, however. So-called "secondary use" of health data will get regulatory oversight from a new Data Governance Board.

These changes were part of the My Health Records Amendment (Strengthening Privacy) Bill 2018, which was passed with amendments by the Senate on Thursday.

A Greens amendment to return to a voluntary opt-in model, something the government has consistently and strongly rejected, was not discussed by the Senate.

"Labor's plan to delay and derail the rollout of the My Health Record was blocked today," Health Minister Greg Hunt said in a statement on Wednesday.

Also: Hunt finally submits to My Health Record arm-twists as opt-out window extended

It can be assumed that the Greens did not move their amendment because they knew it wouldn't get Labor support, and would be defeated.

As first drafted in August, the Strengthening Privacy Bill addressed two of the most prominent problems with the existing legislation: Overly broad access for law enforcement, and the retention of data even when a health record was cancelled.

According to the Bill's explanatory memorandum [PDF], enforcement bodies now need "an order by a judicial officer" to access health records, and the judicial officer will have to be "satisfied that the disclosure of the information would not unreasonably interfere with the privacy of the individual".

These orders can only be granted to agencies that have the legal power to "require persons to give information", or agencies whose officers are "in the ordinary course of their duties authorised to execute warrants to enter premises and seize things found, including documents".

The information requested must be "reasonably necessary for the purposes", and "there is no effective means for the designated entity to obtain the particular information, other than an order".

A Central Alliance amendment had proposed removing all law enforcement access to My Health Record data except in cases of alleged fraud of the health system itself, but it was defeated.

Delete now means delete

Data in My Health Record was planned to be kept for 30 years after a person's death, or, if their date of death is unknown, for 130 years after their birth -- even if that person later cancelled their record.

The Bill changes that. A healthcare recipient can now cancel their record, and data will have to be deleted "as soon as practicable", unless there's a court order or similar legal requirement to retain or disclose the records, in which case it would have to be deleted "as soon as practicable after the conclusion of the matter to which the requirement relates".

The only data retained will be the person's name and healthcare identifier; the name and healthcare identifier of the person who requested the cancellation if that were someone else, for instance, a parent; and the day the cancellation takes effect.

Further amendments introduced by the government on Wednesday implement the changes announced last week. They address many of the 14 recommendations of the Senate Community Affairs References Committee.

See: ADHA's non-process for releasing My Health Record data revealed

They include strengthening the safeguards in cases of domestic violence; banning employers from requesting or using private health information; and banning health information from being released to insurers, even if de-identified.

A call to apply access codes to each My Health Record by default was not addressed.

The Strengthening Privacy Bill was passed by the Senate on the voices, with almost no discussion of, or changes to, the wording of the government's amendments, even though they were first seen only the day before.

It now goes back to the House of Representatives for final approval. The House next sits from November 26.

Related Coverage

Rushed My Health Record changes still missing the point

The Australian government seems obsessed with pushing everyone into its centralised digital health records system before they've even finished working out the rules. Why is that?

My Health Record data misuse penalties raised

Employers have been barred from using health data to discriminate against current or potential employees.

My Health Record opt-outs now sit at over 1.1 million

An additional 200,000 Australians have opted out, but it is sitting under ADHA's 5 percent target.

Senate inquiry recommends locking down My Health Record by default

A comprehensive review of Australia's centralised digital health record has recommended extending the opt-out period by another 12 months while privacy controls are significantly tightened.

My Health Record justifications 'kind of lame': Godwin

Australia has spent billions of dollars for 'nothing really useful', according to leading internet policy commentator Mike Godwin, and the proposed anti-encryption laws are 'inhumane, wrong, anti-democratic'.