Very little is stopping My Health Record being hooked up to robo-debt

Intent and potentially a lack of will are all that are preventing a meeting of robo-debt and health data, because the legislation is not.
Written by Chris Duckett, Contributor

As the Australian government in its various guises continues to deny the prospect of an automated Centrelink dreadbot being augmented with health data, reality keeps on pricking the bubble that My Health Record proponents seem determined to keep themselves encapsulated within.

At the start of the opt-out window last week, Minister for Health Greg Hunt told reporters that Centrelink would not get its hands on Australians' health data, while also adding that security is better than the banks' and "defence-tested" -- and if that reassures any cyberconcerns, there is a very nice bridge across Sydney Harbour that could really do with a new owner.

But a quick glance at the legislation that backs My Health Record shows that it is open to allowing the Australian Digital Health Agency (ADHA) to pass information on to any government agency that can make a case for increasing public revenue.

These are the sorts of clauses that allowed the likes of Bankstown City Council, Victorian Taxi Services, the RSPCA of Victoria, and Australia Post to get their hands on telecommunications data in the past.

As late as Saturday, ADHA continued to push its own idea of when health information would be released, stating a higher threshold than that which exists in the legislation.

"The Australia Digital Health Agency has not and will not release any documents without a court/coronial or similar order," ADHA said.

"No documents have been released in the last six years, and none will be released in the future without a court order/coronial or similar order.

Must read: The My Health Record story no politician should miss

"Additionally, no other government agencies have direct access to the My Health Record system other than the system operator."

One could convince oneself that ADHA is going to maintain a high threshold and demand court orders for each and every disclosure, but if you believe ADHA is going to deny the agencies in Canberra that are known to throw their weight around, such as the Department of Home Affairs and the Centrelink-overseeing Department of Human Services, well, there's a special sale right now on that bridge I mentioned earlier.

On Tuesday, that hive of rabble-rousers known as the Parliamentary Library weighed in, and, due to the fact that it is literate, determined that a lower threshold exists with My Health Record than the one ADHA is pushing.

"It represents a significant reduction in the legal threshold for the release of private medical information to law enforcement," the library wrote.

"As legislation would normally take precedence over an agency's 'operating policy', this means that unless the ADHA has deemed a request unreasonable, it cannot routinely require a law-enforcement body to get a warrant, and its operating policy can be ignored or changed at any time."

For an example of how the Australian government maintains the thresholds of personal information disclosure, consider the Department of Foreign Affairs and Trade (DFAT).

In April, DFAT detailed the awful process it uses to manually verify biometric passport information, where DFAT receives an email containing a form with information to be verified from other departments, and checks that the email is from a government domain.

If the requester asserts that they have the authority to send the request, and the desk-level DFAT staff member has no reason to question whether that assertion is incorrect, the request proceeds.

"The department does not have the specialist law enforcement expertise needed to assess the merits of the requests it receives, and does not seek information on this from other agencies," DFAT said. "As such, its decisions about whether to disclose personal information to these agencies are, in a sense, mechanistic, based on whether requests satisfy simple business rules.

"If agencies satisfy those conditions, the department will in practice always approve their requests."

As the furore over a filing cabinet of secret government documents took hold at the start of the year, it showed Canberra cannot handle its own secret information in the paper format it has used for over a century.

Add to this equation the limited capacity of Australian governments to create computer systems that do not end up being described as some form of shambles, and why should the population believe that My Health Record will be anything other than the latest Canberra computing cluster muck?

It certainly doesn't help that in the last week, Singapore has shown the risks associated with digitised and centralised health information, with no less than the nation's prime minister among the 1.5 million people impacted by the breach.

If the assurances of ADHA are to be trusted by people capable of reading the laws of the land, there is a very simple solution: Change to the laws to require a warrant to access medical records.

It could be the first step on a long path of regaining lost trust, otherwise Australians face the prospect of their entire health history sitting in a database until 30 years after their death and trusting that each and every government will not cross the Rubicon that allows robo-debt to do its worst.

Related Coverage

Editorial standards