Privacy Foundation outlines ‘major concerns’ with opt-out e-Health scheme


news The Australian Privacy Foundation (APF) has aired “major concerns” with the Personally Controlled eHealth Record (PCEHR) system and the government’s proposals to make it an ‘opt-out’ scheme.

The PCEHR project was initially funded in the 2010 Federal Budget to the tune of $466.7 million after years of health industry and technology experts calling for development and national leadership in e-health and health identifier technology to better tie together patients’ records and achieve clinical outcomes. The project has been overseen by the Department of Health in coalition with the National E-Health Transition Authority (NEHTA).

However, the project has been reported to have suffered extensive problems and has suffered from poor uptake by medical facilities and the public. Due to the issues, on 4 November 2013new Coalition Health Minister Peter Dutton kicked off a promised review of the PCEHR project. The project is now set to continue, but will be significantly revamped under the Coalition.

In the 2015-16 Budget, the Coalition Government announced $485 million for the redevelopment of the now My Health Record system to ‘strengthen and transform national digital health governance’ through an Australian Commission for eHealth.

The Government is now seeking to pass legislation to make the scheme opt-out by default instead of opt-in, meaning it would be likely to collect the data of many more Australians by default.

In a 29 October statement signed by Bernard Robertson-Dunn, Chair of the APF’s Health Committee, the organisation expressed reservations about plans to make the “re-branded, unpopular and under-used eHealth record system rely on an ‘opt-out’ process to manufacture deemed consent”.

The APF’s concerns centre on the risk that many people could now face having a “new, redundant, poorly secured, centrally controlled record without even realising some of their sensitive medical and personal data has been harvested and put into a system accessible from the Internet”. It further expressed the concern that the Internet is not necessarily a secure place for such data.

The statement alleged that the government’s changes are being carried out to boost the enrolment numbers, “conveniently avoiding the messy problem” of persuading Australians to voluntarily opt-in to the scheme.

Robertson-Dunn said comments from Health Minister Sussan Ley’s statement on 28 October suggested that the government was now proposing to “further weaken” the “already ambiguous, uncertain, incomprehensible and largely useless” access controls on the PCEHR.

The APF’s concerns centred on that fact that the access controls operate at the institutional level, not the individual level. If someone examines a patient’s record, it points out, the patient will not know the identity of that person, only that it was someone from a healthcare institution.

“That someone could have been a receptionist, an admin assistant or a world leading cardio-thoracic specialist,” the statement says. “So much for control and awareness.”

The APF said it had compared the access controls of the PCEHR to other federal government IT systems in which each user not only has a unique user ID and password, but is allowed to access only that data for which that have a valid “need to know”. Users will also have had a police check and received security vetting.

“Does the Federal government really believe that the data in its own IT systems is more important than the health and personal information on most Australians?” said the APF.

The statement raised further concerns over security, saying the PCEHR also creates an “unnecessary new potential target for bad actors intent on fraud and identity theft, for over-zealous governments unwilling to accept your sensitive personal medical life-story is not theirs to “share”, and for overly-opportunistic businesses keen to monetise such highly prized information.”

The statement added: “The more data in the system, the more attractive it becomes.”

The existing legislation, said the APF, allows the operators of the PCEHR to give patients’ health and other personal data to law enforcement bodies and official bodies protecting public revenue (such as the ATO) ‘[w]ithout a court order. Without informing parliament. Without informing the patient. The government has not been particularly keen to publicise this, but it’s there in Section 70 of the eHealth Act 2102 (and our submission) for all to see.”

The APF stressed that it remains “supportive of and committed to the application of information technology and advanced data analytical capabilities to clinical treatment, medical research and the efficient operation of the health system”.

It concluded, however, that the process needs to proceed on a basis of “trust, respect and mutual confidence”.