[LINK] Defence Amendment Act 2018

Bernard Robertson-Dunn brd at iimetro.com.au
Tue Dec 11 22:37:17 AEDT 2018

On 11/12/2018 7:15 pm, Stephen Loosley wrote:
> “The disturbing new national security law that no one is talking about”
> The encryption fiasco isn't the only capitulation recently made in the name of Australia's national security.
And security isn't the only area the government is weakening the
legislation that protects us, it's happening with the privacy of our
health data.

There's the little matter of MBS/PBS data. This is held by DHS and there
are some very strict laws that govern who can store and link these data.
As part of the National Health Act 1953, the Privacy Commissioner
created in 2008 a set of Privacy Guidelines that are binding on all
government agencies.


One of the guidelines, 7.2, applies to the Department of Health and says:

“The Secretary of the Department, or delegate, must not permit the
establishment of a system which stores claims information from both the
Medicare Benefits Program and Pharmaceutical Benefits Program in a
combined form.”

When it was designed it might be argued that the PCEHR, a Department of
Health system, was legal because MBS/PBS data was only accessed by the
PCEHR, it didn’t store it therefore there might have been a loophole. In
addition because it was opt-in and people signed a form, the PCEHR had
the explicit consent of patients to acquire and store their health data.

The big problem was moving to opt-out - which does not require explicit
consent and there was a change to the design whereby MBS/PBS data is
extracted from the DHS systems and stored in a central database in what
is now called My Health Record. This is operated by the Australian
Digital Health Agency, which falls under the Health Minister's portfolio
and is managed by the Department of Health.

How has the Department of Health got round the Privacy Guidelines? The
Privacy Commissioner spent two years consulting with a wide range of
stakeholders before issuing his guidelines – which have just been
reviewed and confirmed in new legislation that comes into force on 1
April 2019. The Privacy Guidelines still apply to all agencies.

What happened was the government quietly created an exception. When the
various laws were amended in 2015/16 to enable a move to opt-out, a new
clause was inserted in the National Health Act 1953.

That clause is in section 135AA  Privacy rules and is:
“(5AA)    Nothing in this section, or in the rules issued by the
Information Commissioner, prevents the My Health Record System Operator
including information to which this section applies in the My Health
Record of a healthcare recipient.”

This innocuous little clause, without mentioning MBS/PBS data, hides the
drastic weakening of a major Privacy Guideline.

At no stage in the various Explanatory Statements that cover the
National Health Act 1953, The My Health Records Act, The Information
Commissioner’s submission to the Department of Health regarding the
change to opt-out has the fact that the government has sidestepped the
law that previously stated that the Department of Health was not to
store and/or link MBS/PBS data.

And the government claimed that it had passed legislation recently
"strengthening the privacy of health data".

There's many, many things wrong with My Health Record, this is just one
of them.



Bernard Robertson-Dunn
Canberra Australia
email: brd at iimetro.com.au
web:   www.drbrd.com
web:   www.problemsfirst.com

More information about the Link mailing list