On 11/12/2018 7:15 pm, Stephen Loosley wrote:
> “The disturbing new national security law that no one is talking about”
>
> The encryption fiasco isn't the only capitulation recently made in the name
> of Australia's national security.
>

And security isn't the only area the government is weakening the legislation that protects us, it's happening with the privacy of our health data.

There's the little matter of MBS/PBS data. This is held by DHS and there are some very strict laws that govern who can store and link these data. As part of the National Health Act 1953, the Privacy Commissioner created in 2008 a set of Privacy Guidelines that are binding on all government agencies.

https://www.legislation.gov.au/Details/F2008L00706

One of the guidelines, 7.2, applies to the Department of Health and says:

“The Secretary of the Department, or delegate, must not permit the establishment of a system which stores claims information from both the Medicare Benefits Program and Pharmaceutical Benefits Program in a combined form.”

When it was designed it might be argued that the PCEHR, a Department of Health system, was legal because MBS/PBS data was only accessed by the PCEHR, it didn’t store it therefore there might have been a loophole. In addition because it was opt-in and people signed a form, the PCEHR had the explicit consent of patients to acquire and store their health data.

The big problem was moving to opt-out - which does not require explicit consent and there was a change to the design whereby MBS/PBS data is extracted from the DHS systems and stored in a central database in what is now called My Health Record. This is operated by the Australian Digital Health Agency, which falls under the Health Minister's portfolio and is managed by the Department of Health.

How has the Department of Health got round the Privacy Guidelines?

The Privacy Commissioner spent two years consulting with a wide range of stakeholders before issuing his guidelines – which have just been reviewed and confirmed in new legislation that comes into force on 1 April 2019. The Privacy Guidelines still apply to all agencies.

What happened was the government quietly created an exception. When the various laws were amended in 2015/16 to enable a move to opt-out, a new clause was inserted in the National Health Act 1953.

That clause is in section 135AA Privacy rules and is:

“(5AA) Nothing in this section, or in the rules issued by the Information Commissioner, prevents the My Health Record System Operator including information to which this section applies in the My Health Record of a healthcare recipient.”

This innocuous little clause, without mentioning MBS/PBS data, hides the drastic weakening of a major Privacy Guideline.

At no stage in the various Explanatory Statements that cover the National Health Act 1953, The My Health Records Act, The Information Commissioner’s submission to the Department of Health regarding the change to opt-out has the fact that the government has sidestepped the law that previously stated that the Department of Health was not to store and/or link MBS/PBS data.

And the government claimed that it had passed legislation recently "strengthening the privacy of health data".

There's many, many things wrong with My Health Record, this is just one of them.

--
Regards
brd
Bernard Robertson-Dunn
Canberra Australia
email: [email protected]
web: www.drbrd.com
web: www.problemsfirst.com
