House debates
Monday, 17 September 2018
Bills
My Health Records Amendment (Strengthening Privacy) Bill 2018; Second Reading
5:26 pm
Ms Catherine King (Ballarat, Australian Labor Party, Shadow Minister for Health and Medicare) Share this | Hansard source
When this House last considered the My Health Record, in 2015, I moved a second reading amendment on the government's bill. It called on the House to note 'the inadequacy of this bill in making real improvements to a national electronic health system'. The government voted that amendment down. Labor, alongside many health groups, was always agnostic about the government's decision to move to an opt-out system. We did not believe that this was the main area where improvements needed to be made. We raised very real concerns about implementation but were prepared to give the government and the new digital health agency a go, to get it right. But three years later it is clear that the government has botched the implementation of the My Health Record.
We should be very clear: the legislation before the House today is a clean-up exercise, and it is a job only partly done. We will use the processes available to us through the Senate to try to improve this legislation. But we will also use those processes to determine whether we need to go further if we are fortunate enough to form government at the next election. I want to be clear at the outset that Labor supports a national digital health record. We established the personally controlled electronic health record under the leadership of the member for Sydney. We knew that the personally controlled electronic health record could improve coordination between GPs, specialists and hospitals and cut down on duplication and errors in diagnosis, prescription and treatments. It's an important healthcare reform.
We continue to believe that the My Health Record could save money and lives if implemented by a competent government. But that is a very big 'if', because this is not a competent government when it comes to digital service delivery. This is the government that gave us census fail and robodebt. In health, this is the government that saw Medicare and PBS data leaked and that spent millions of dollars outsourcing the National Cancer Screening Register to Telstra in a contract that still has not delivered a functioning cancer register. Now we can add the implementation of the My Health Record to that very sorry list, because in mid-July, when the opt-out period for the My Health Record began, it became clear that the government had bungled this vital program in two fundamental ways.
First the government failed—and it seems even to have refused—to communicate with Australians about the risks and benefits of the My Health Record and what the opt-out system means in practice. The opt-out model is a very big change from Labor's opt-in system. Every Australian will now get a My Health Record unless they tell the government that they don't want one. It moves the system away from one of informed consent, a model that is a foundation principle of the way that health professionals work together with those in their care. Informed consent is based on a very strong relationship of trust and is embedded across the entire healthcare system.
The government in 2015 took the decision to move to a presumed consent model and to provide a period in which people could choose to opt out of the system altogether. It is a significant change in the healthcare relationship. Bringing both healthcare professionals and the Australian public along with these changes was essential for their success. That required properly and consistently explaining to the Australian public not just the how of the opt-out system but the why. Why was it necessary? The government has never made these explanations. The Digital Health Agency gave some money to primary health networks to promote the reform. Brochures have been produced, the information within which is pretty rudimentary. One brochure I have seen was factually wrong. Funds were given to a raft of different stakeholder groups who needed to communicate with their members, but that was it.
In the opt-out trial sites the government sent a letter to every person who would be registered for a My Health Record informing them of the reform, what was happening, what their rights were and what they might need to do about it. That's a common and effective way for governments to communicate significant policy changes, but the government has refused to send the same letter as part of the national rollout. It might be because the government sent letters to dead people in the trial sites, which was pretty embarrassing and hurtful, but in any case there has been no letter on the national shift to an opt-out system and the importance of the My Health Record.
As another example the government has refused to run television ads. It is not because they can't afford it—the Digital Health Agency spent $81 million on consultants last year alone—it is because this minister doesn't have the courage to back this reform that is supposedly so important. In July, as the opt-out period began, all of the criticisms that the government had hoped to keep quiet came tumbling out. In the process the government threw away any trust the Australian people had in its implementation of the My Health Record.
The government's second broad mistake is equally damaging. Put simply it is trying to implement an opt-out system on opt-in foundations. Other than minor changes in 2015 the legislation and policies that underpin the My Health Record were designed for the opt-in, personally controlled electronic health record. In that system the government could assume informed consent because every consumer with a record had actively chosen to create one. A number of the My Health Record features made sense in that context. For example, default settings that kept a record relatively open made sense if someone had deliberately creatively and actively created that record, but when every Australian gets a My Health Record, many of them without any real engagement, those settings may no longer be tenable.
Those two fundamental mistakes led to weeks of controversy on the My Health Record and finally forced the minister to announce the changes that this bill implements. In particular this bill makes two changes to the My Health Records Act. First this bill amends the act to require a court order or a consumer's express consent in order to disclose health information from their My Health Record to law enforcement agencies or other government bodies. Even groups that are generally supportive of the My Health Record like the Australian Medical Association and the Royal Australian College of General Practitioners have been alarmed by the government's previous insistence that a policy of the Australian Digital Health Agency would suffice. I commend the AMA, the Royal Australian College of GPs and others for advocating for that policy to be enshrined in legislation.
The bill sets out a range of conditions under which a judicial officer may make a court order to disclose health information, including that the disclosure is reasonable necessary and that the requested information is not available from any other source. It also exempts the Auditor-General, the Ombudsman and the Information Commissioner from the requirement for a court order. The government argues that this is necessary because these agencies have unique responsibilities to ensure the privacy and security of the My Health Record system. I want to foreshadow today that Labor will test that proposition in the Senate.
Second, this bill amends the act to require the permanent deletion of health information for all consumers who opt out of the My Health Record. The act currently requires the information that was held in the record to be locked down but retained until 30 years after the consumer's death. Again, that setting might have made sense when a consumer had previously opted into the My Health Record and might want to rejoin the record in the future. But it makes no sense in an opt out system.
Labor welcomes the changes in this bill, but the changes do not go nearly far enough. The former president of the AMA, Professor Kerryn Phelps, has described the government's changes as woefully inadequate and as minor concessions. Labor agrees. The government has stubbornly refused to address a range of privacy and security concerns beyond the two that are apparent in this bill. I want to touch on some of those concerns today, because they make clear that this bill does not fix the problems that will plague the My Health Record.
First, advocates are alarmed, as the government should be, that the current record could be used as a tool in family violence. That's because the default settings give access to a child's My Health Record to both parents and, in fact, they may even allow a non-custodial parent to create a record for a child that is no longer in their care. So, if a woman and her children are fleeing an abusive ex-partner, that partner could track their location by viewing the doctors and pharmacies that they visit. The National Council of Single Mothers and their Children says abusive ex-partners could use this to narrow down the locations of victims in hiding. That is, frankly, a chilling prospect. But the government says it isn't a problem because one parent will be able to terminate another's access. But it is ridiculous to place the burden of keeping a child's My Health Record private on a mother fleeing violence. And even if a mother does raise concerns, the government has installed the Digital Health Agency as the judge in family violence cases in these circumstances. The agency says it will investigate concerns and reinstate access to whichever parent it believes is appropriate. With due respect to the agency, it has no expertise—absolutely none—in family violence or in family law. That is not its job. It is simply not good enough for the government to say that women fleeing violence need to raise concerns which will then be investigated by digital health bureaucrats. By the time they even become aware that a record has been created it may be too late. But, in spite of advocates' concerns and media reports, the government has stubbornly refused to actually address this issue.
A second and related concern is about parental access to My Health Records for teenagers aged 14 to 18. The concern has been raised by GPs in particular, and I want to thank them for their advocacy on behalf of their patients. Teenagers may take control of their My Health Record at the age of 14, and we know that, for many teenagers, as they start to get into their adult life, there are controversial issues they might want to talk to their GPs about, particularly around contraception. Taking control of their My Health Record at the age of 15 also requires, unfortunately, the creation of a myGov account and an identification verification procedure. GPs fear, and I agree, that many a teenager does not have access to the documents needed to take control of their own record. Where that's the case, their authorised representatives—usually their parents—will maintain default access to their record until they are 18. That will mean that parents, even non-custodial parents, can view health information such as pathology reports, medicines information and other summary documents. There are many instances where this is not appropriate. But, again, it's not a problem that this bill even attempts to address.
A third serious concern has been raised by unions. The government is incapable of listening to unions when it comes to issues like this, and they need to. Their concerns are real and deserve to be addressed in this debate. In particular, the Australian Council of Trade Unions and its members point out that employers could gain access to employees' My Health Records via employer doctors.
For example, My Health Record data accessed through pre-employment medical checks or workers compensation assessments could be passed to employers and used to discriminate against workers, for example, on the basis of pre-existing medical conditions. To be fair, the government argues that this is prohibited both by the purpose of this act and by a separate piece of legislation, the Healthcare Identifiers Act, but lawyers have publicly challenged this claim. They say the current legislative framework is ambiguous at best and that protections should be built into the My Health Records Act itself. In the meantime, unions are rightly urging their tens of thousands of members to opt out of the My Health Record.
The government says it's important for as many Australians as possible to have a My Health Record. So why wouldn't the government address the ambiguity, build protections into this act and try to restore the confidence of workers and unions? That's what the government has done on court orders. It said they were unnecessary because of the policy of the Digital Health Agency, but ultimately it recognised that legislation could help to restore trust in the My Health Record—and it is now trying to legislate for that. It should do the same in this instance.
Concerns like these are why Labor referred the My Health Record to the Senate for inquiry. When I announced Labor's push for an inquiry, the minister called it a stunt. That's how little he cares about the risk that his My Health Record may contribute to family violence or discriminate against workers. But ultimately there was overwhelming support in the Senate for not one but two inquiries. One will examine this bill in the usual way. The other is a broader inquiry that will review all the laws, regulations and rules that underpin the My Health Record. It will examine the government's decision to shift from an opt-in system to an opt-out system and whether it adequately prepared for this fundamental change. It will examine a range of privacy and security concerns, including those that I have discussed today. And it will look at the potential that commercial interests, including health insurers, could be given access to My Health Record data. The inquiries have held their first hearings, and Labor thanks all the organisations and individuals that have already contributed to them. Unlike the government, we are committed to listening to all Australians on their national digital health record.
Witnesses at the inquiry have already raised a number of potential issues that haven't been previously raised. Professor Phelps, who I mentioned earlier, believes we need to better safeguard against any future moves to privatise or monetise this this system. I think it's pretty clear the Australian people have no appetite to see their health system sold off or commercialised. I think they sent that message pretty loudly and clearly in the 2016 election, when this government was actively involved in the idea of the private sector looking at the Medicare payments system. Professor Phelps has raised concerns about section 98 of the legislation, which gives the Australian Digital Health Agency the power to delegate any function to any other person with the consent of the minister. As she points out, this section could have very broad implications, and it's worth exploring this further.
It's also been pointed out that the My Health Record is something that, if successfully delivered, will be around for a long time, and we need to futureproof it. That means tightening the current legislation as much as we possibly can. We also need to make absolutely certain that the private health insurers are never given access to people's records. The government says that this won't happen, but there is the potential for that to change as part of a scheduled review in 2020. We need more explicit legislative guarantees that this will never happen under any circumstances.
The Royal Australian College of GPs warned the Senate committee last week that there was a real risk insurers may try and game the system. They suggested that the act should be strengthened so it specifically prohibits insurers from even making requests to healthcare providers to access such information. But, as the Australian Healthcare and Hospitals Association told the inquiry last week, even changes to more thoroughly lock out insurers may not be enough. The Australian Healthcare and Hospitals Association believe there should be consumer protections to prevent third parties from discriminating against individuals who do not agree to release their My Health Record data. They raised the prospect of businesses refusing to sell a product or service, or charging more, unless the individual provides access to their data. That is obviously not acceptable. We believe there may also be some merit in a review of the default privacy and security settings for a person's record. There is significant concern from IT and cybersecurity experts that the current settings are too relaxed.
At any rate, given the committee process underway, we will not oppose or amend this bill in the House. We will allow it to proceed to the Senate, where we may seek to amend the bill in light of the evidence of the two inquiries. In the meantime, we still firmly believe that the opt-out rollout should be suspended until all of these concerns are fully addressed and a new comprehensive public information campaign is launched. The government promised such a campaign six weeks ago, but so far we have seen absolutely no trace of it. Put simply, a one-month extension to the opt-out period that the government has introduced does not cut it. This reform should not go any further until public trust has been restored, and the only way to do that is to let the Senate do its job and to make sure that we actually get this legislation correct. We have always believed in the benefits of a national digital health record and what they could deliver and that it was worth some of the risks. But governments must do everything in their power to minimise the risks.
I think it is foolish of any government to say that this data won't leak at some point. The reality is that over recent days and recent months, and in other countries as well, we've seen significant sensitive health data enter the public domain. The issue is: what are the protections for people when that occurs? What are the protections for people when third parties use or publish that information in any way? We need to make sure that we have the regulatory framework in place to ensure that people's privacy is protected and that the security of their data is as strong as it possibly can be. But then what happens in the case of this information making it into the public domain and being republished in a newspaper or used adversely against someone in their employment or against someone seeking further insurance or in any other matter? I think those are debates that we need to have to make sure that we've got that right within the legislative framework.
More than that, the government must clearly demonstrate and explain to the public what they're doing to minimise the risks. Otherwise, the whole enterprise will be hobbled in distrust and scepticism. The reform needs public support to work, and that's where the government has failed. That is why it needs to suspend the opt-out period until it can get this right.
The changes in this bill are necessary but not sufficient. We need to respect the Senate inquiry process as an opportunity for all Australians to have their say. We need further protections for privacy and security in both legislation and policy, and we need a government that is committed to communicating with all Australians about the benefits and risks of the My Health Record so all Australians can make an informed choice about whether to participate. I therefore move the second reading amendment that has been circulated in my name:
That all words after "That" be omitted with a view to substituting the following words:
"whilst not declining to give the bill a second reading, the House calls on the Government to suspend the 'opt out' phase of the My Health Record rollout until other privacy and security concerns are addressed".
No comments