The Senate Community Affairs Legislation Committee (committee) received
evidence from submitters and witnesses regarding the proposed amendments of My
Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill) to the Health
Records Act 2012 (MHR Act).
Submitters supported the Bill's proposed amendments to, in effect,
require the My Health Record (MHR) System Operator (System Operator) not to
release health information to a law enforcement or government agency without a
court order, and to require the System Operator to destroy the health
information in a healthcare recipient's MHR if the recipient requests their MHR
registration is cancelled. Submitters also highlighted the expected benefits of the MHR system for
However, some submitters and witnesses raised concerns that the Bill did
not address the broader privacy issues affecting the MHR system. This chapter outlines the key provisions of the Bill and the concerns raised.
The legislative framework of the MHR system is established by the MHR
Act, the Healthcare Identifiers Act 2010 (HI Act) and the Privacy Act
1988 (Privacy Act). These acts contribute to the privacy provisions of the MHR system, and each
impose serious penalties for the misuse of health information, as follows:
- MHR Act—protects the information stored in the MHR system;
- HI Act—regulates the management of healthcare identifiers; and
- Privacy Act—regulates the management of personal health
information and access and control of that information.
The legislative framework of the MHR system is supported by several
items of subordinate legislation, including the: My Health Records Regulation
2012, Healthcare Identifiers Regulations 2010, and the MHR Rules (My Health
Records Rule 2016, My Health Records (Assisted Registration) Rule 2015, My
Health Records (National Application) Rules 2017 and the My Health Records
(Opt-Out Trials) Rule 2016).
The MHR system's privacy framework was developed in accordance with the
handling of information provisions of the Privacy Act, with provisions, such as
the criminal penalties imposable under the MHR Act, made to reflect the unique
and sensitive information potentially stored in a MHR.
Retention of information provisions
The MHR system draws on the health information stored in distributed
participating repositories to compile the health information presented in
healthcare recipients' MHRs. As explained by the Department of the Health, the National Repositories Service
(NRS) is operated by the System Operator to:
...ensure a minimum critical set of health information is
available for a My Health Record, such as shared health summaries, event
summaries, discharge summaries and specialist letters, and to hold information
not stored elsewhere, such as a healthcare recipient’s own health summary and
In accordance with section 17 of the MHR Act, the System Operator is
required to retain a healthcare recipient's information, which has been
uploaded to the NRS, for a period of 30 years after the death of a healthcare
recipient or, if the healthcare recipient's date of death is unknown, 130 years
after the date of birth of a the healthcare recipient. Section 17 of the MHR Act does not currently distinguish between whether a
healthcare recipient has a MHR registration or not. As such, the System
Operator must retain health information uploaded to the NRS for all healthcare
recipients, even if a healthcare recipient has requested their MHR be
Following the commencement of the opt-out period, concerns were raised
that healthcare recipients' information would be retained in the MHR system
after healthcare recipients had cancelled their MHR registration. The Bill's amendments would require the System Operator to promptly destroy a
healthcare recipient's MHR information following cancellation of their MHR
registration, bar in specified legal circumstances.
Item 6 of the Bill proposes to amend section 17 of the MHR Act through
the addition of two new paragraphs which would require the System Operator to:
...permanently destroy any record uploaded to the National
Repositories Service, which includes health information that is included in a
healthcare recipient’s My Health Record, if that healthcare recipient has
requested that the System Operator cancel their My Health Record.
Proposed new subsection 17(3) requires the System Operator destroy
health information in MHR if a healthcare recipient has cancelled their MHR
registration in accordance with subsection 51(1) of the MHR Act. The System
Operator is authorised to retain a minimal amount of information, including:
the name and healthcare identifier of the healthcare recipient; the name and
healthcare identifier of the person who requested the cancellation, if
different from the healthcare recipient; and the date on which the cancelation
of the MHR takes effect.
For healthcare recipients who have not requested their MHR registration
be cancelled, the System Operator is still required to retain their MHRs in
accordance with the time periods specified in the MHR Act.
Timeframes and exemptions
Proposed new subsection 17(4) requires the System Operator to comply
with the destruction of health information as soon as practical after the
cancellation of a MHR takes effect under subsection 51(7). If the System
Operator is required to retain a record due to other legal requirements, the System
Operator must destroy the record as soon as practical after the conclusion of
the matters to which the additional requirements relate.
The Department of Health outlined the circumstances in which the System
Operator may be exempt from destroying information under proposed new
...if the information is being lawfully obtained by an entity
under amended section 65, section 69 or new section 69A – that is, the System
Operator has received a court order or an order by a judicial officer for the
disclosure of that information, or a request by the Australian Information
Commissioner, Ombudsman or Auditor-General for the information, or a court
order instructing the System Operator not to destroy the information (for
example, until certain related legal proceedings have ended). If one of these
exceptions applies, the System Operator would be required to destroy the
information promptly after that matter has concluded (for example, after the
information has been disclosed as ordered).
The Office of the Australian Information Commissioner (OAIC) observed
that proposed paragraph 17(4)(a) of the Bill does not define the 'as soon as
practicable' requirement for the System Operator to cause the record to be
destroyed. However, the OAIC noted the statement in the Explanatory Memorandum
that, in practice, permanent deletion would occur within 24 to 48 hours.
Item 11 of the Bill proposes amending the note to section 67 of the MHR
Act to inform readers that if a healthcare recipient's MHR registration is
cancelled, their access to their MHR information may be limited due to the
Submitters supported the Bill's proposed amendments to the section 17 of
the MHR Act to enable the deletion of recipients' healthcare information from the
MHR system. The Australian Human Rights Commission (AHRC) submitted that the proposed
amendment '...better reflects the principle that people should be able to control
how information about them is collected, used and disclosed.' The AIDS Action Council of the ACT noted that the Bill's amendments to section
17 of the MHR Act would ensure communities subject to criminalisation, stigma
and discrimination would have their confidentiality maintained.
The Royal Australasian College of Physicians noted that the proposed
record deletion amendment was commendable from a privacy perspective, however
suggested the amendment may cause some complications, such as:
- increasing the legal risks to practitioners who have previously
relied on healthcare recipients' MHR information and which is subsequently
- should a patient subsequently wish to reinstate their MHR, there
would be health information gaps in that record.
Whilst welcoming the amendments, the Australian Council of Social
Service (ACOSS) recommended that healthcare recipients be notified of the
capacity to permanently delete information in a MHR at the time their record is
created. The Australian Nursing and Midwifery Federation and the Scarlet Alliance,
Australian Sex Workers Association proposed the Bill's amendments could have
gone further to allow healthcare recipients to permanently delete specific
records within a MHR.
Some witnesses and submitters suggested that the permanent deletion of
information from the systems which back up the MHR systems is not a
In the committee's view, the Bill's proposed amendments to section 17 of
the MHR Act would, if passed, improve healthcare recipients' ability to control
how their health information is stored.
The committee recognises some submitters and witnesses have suggested
there may be practical difficulties around the deletion of data in the NRS, or
that deletion functionality could have been applied to specific documents
rather than entire MHR records.
The committee acknowledges that information related to peoples' health
is a particularly sensitive, and confidential, category of information. The
committee therefore considers it appropriate that healthcare recipients are
able to control how their health information is accessed and stored, including
through the capacity to have their MHR information permanently deleted, if they
choose to cancel their MHR registration. The committee commends the Bill's
proposed amendments to section 17 of the MHR Act as an additional privacy
safeguard within the MHR system.
Authorised disclosure provisions
The collection, use, or disclosure of the health information included in
health recipients' MHRs is restricted by section 59 of the MHR Act. Health information from a MHR can only be used, or disclosed, in accordance
with the authorisations provided under Division 2 of Part 4 of the MHR Act.
Currently, authorisations of the MHR Act to collect, use and disclose
health information from the MHR system include, but are not limited to:
- Section 65—authorising MHR system participants to collect, use
and disclose information if required or authorised to do so by another
- Section 69—authorising the System Operator to disclose
information if ordered to do so by a court or tribunal if the proceedings
relate to the MHR Act, unauthorised MHR access, healthcare provider indemnity
cover, or if a healthcare recipient provides their consent;
- Section 69—authorising the System Operator to disclose
information if ordered or directed by a coroner;
- Section 70—authorising the System Operator to use or disclose
information in a recipient's MHR to enable a law enforcement body to undertake
specified law enforcement activities;
- Section 70—authorising the System Operator to use or disclose
health information if the System Operator suspects that there has been unlawful
activity in relation to its functions, and reasonably believes that the use or
disclosure of the information is necessary for investigation of, or report to,
Section 70 of the MHR Act does not currently specify that a court order
is required for the System Operator to use or disclose healthcare recipients'
MHR information for law enforcement or related purposes. Rather, the System Operator is authorised to disclose healthcare recipients'
MHR information for law enforcement purposes where the System Operator has a
reasonable belief that such disclosure is reasonably necessary for that
Submitters and witnesses to the inquiry expressed their concern
regarding the current law enforcement disclosure authorisations of the MHR Act. This concern follows an equivalent concern raised by stakeholders at the
commencement the MHR system opt-out period.
Bill's proposed amendments
The Bill proposes to amend the MHR Act to '...further limit the
circumstances in which health information in a healthcare recipients' MHR may
be collected, used or disclosed.' Principally, the System Operator will no longer have the ability to disclose
MHR information to law enforcement or government agencies without an order from
a judicial officer.
Proposed new subsection
65(3)—disclosure to independent oversight bodies
Item 10 of the Bill proposes to amend section 65 of the MHR Act by adding
proposed new subsection 65(3). Proposed new subsection 65(3) specifies, and, in
effect, limits the laws which may authorise or require a MHR system
participants to collect, use, or disclose the health information contained in
healthcare recipients' MHRs to that of independent oversight bodies. The Department of Health explained:
Under the changes proposed to section 65, it would generally
no longer be sufficient for a participant in the My Health Record system to
rely on other state, territory or Commonwealth laws to access health
information in a healthcare recipient’s My Health Record. The purpose of this
amendment is to restrict, as far as if practicable and in accordance with good
governance, the other laws that are able to require or authorise access to
health information stored in the My Health Record system. State and territory
laws will no longer be able to be relied upon to require or authorise access.
Only a very limited range of Commonwealth laws will be able to require or
authorise access to health information – that is, laws which are necessary for
the proper administration and oversight of the system.
Proposed new subsection 65(3) limits the laws which may authorise the
collection, use or disclosure of health information to those specified by the
subsection, that is: the MHR Act itself; the Auditor-General Act 1997;
the Ombudsman Act 1976; and Commonwealth laws enabling the Information
Commissioner to perform statutory functions with respect to the MHR system. If entities which are not enabled by the laws specified in proposed new
subsection 65(3) seek to access MHR information, they would need to do so under proposed new section 69A.
The AHRC submitted that the Bill, by restricting the scope of section 65
of the MHR Act, would contribute to the better protection of privacy for
individuals whose health information is held the MHR system. The OAIC supported the Bill's proposed amendment to section 65 of the MHR Act
and noted the amendment '...provides certainty and transparency for individuals
around which laws may authorise the collection, use, and disclosure of MHR
Proposed new sections 69A and
69B—disclosure to a designated entity and authorisation of judicial officers
Item 12 of the Bill proposes amending section 69 of the MHR Act to
reflect Australian Government policy that '...My Health Record information will not
be released to law enforcement agencies or government bodies without a court
order.' The Bill proposes two new sections, 69A and 69B, which, in effect, enshrines
the Government's non-disclosure policy in the MHR Act.
In accordance with proposed new subsection 69A(5), a designated entity,
as specified in proposed new subsection 69A(1), may apply to an authorised
judicial officer for an order requiring the System Operator to disclose
healthcare recipients MHR information. A judicial officer may grant the order
provided they are satisfied the designated entity:
- has a legal power to require a person to provide information, or
its officers are authorised to execute search warrants;
is exercising its authorised powers, or purporting to exercise
the information requested for disclosure is reasonably necessary
for the designated entity to investigate, audit, or access matters in
accordance with its duties; and
- there are not any other effective means for the designated entity
to obtain the information requested for disclosure.
Proposed new subsection 69A(8) would require that a judicial officer not
make an order for a disclosure of MHR information if the designated entity
applying for the order has not provided further information, if any, requested
by the judicial officer regarding the grounds on which the order is being
Proposed new section 69B sets out the arrangements for judicial officers
to make orders under proposed new section 69A.
The Bill proposes consequential amendments to section 70 of the MHR Act
that remove the authorisations for the System Operator disclose MHR information
for law enforcement purposes from that section. New proposed section 69A
provides for the '...significantly reduced form of this authorisation, with
significantly strengthened privacy protections.'
Under subsection 70(3) of the MHR Act, the System Operator remains
authorised to disclose MHR information in circumstances where the System
Operator has reason to suspect unlawful activity has occurred in relation to
its functions and reasonably believes that disclosure is necessary to commence
an investigation, or to report the concerns to the relevant entities. Proposed
new subsection 70(3A) provides that, if the conditions of subsection 70(3) are
met, the System Operator must only disclose a minimal amount of information to
ensure proper consideration of the suspected unlawful activity.
Submitters supported the Bill's proposed amendments to require the
System Operator disclose information to law enforcement and government agencies
only in circumstances where a judicial officer makes an order requiring the
disclosure. The Australian Healthcare and Hospital Association submitted that the Bill '...appears
to address community privacy concerns around the need for an appropriate
judicial process to access information contained in an individual’s My Health Record.'
The Australian Nursing and Midwifery suggested that concerns regarding
disclosure without a court order are addressed by the Bill's amendments. The Australian Medical Association suggested that the controls proposed by the
Bill's amendments to the MHR Act regarding information disclosure:
...are substantially tighter than the controls that apply under
the Privacy Act 1988 (Cth) to patient data stored in the clinician’s own
patient records. They also impose greater restrictions on the government’s and
courts’ powers to require production than apply to data held by the patient
outside the My Health Record system.
Whilst welcoming the Bill's proposed amendments, the AHRC urged
consideration of amending proposed paragraph 69A(6)(b) to require a judicial
officer, in making an order under subsection 69A(6), to '...consider the effect
of any release of information on other human rights, in addition to the right
to privacy.' The AHRC also recommended that proposed paragraph 69A(7)(a) be amended:
...to make it explicit that an order may only be made allowing
disclosure of health information to an entity if that entity would, absent the
operation of s 69A(2), have power to obtain information held in the My Health
The Queensland Law Society (QLS) queried whether the Bill's proposed new
section 69A is an appropriate remedy to concerns raised regarding the
disclosure provisions of section 70 of the MHR Act. QLS suggested it is unclear
whether '...an application would still need to be made under this section in
circumstances where a body already requires a warrant (notwithstanding the
current section 70) to obtain a person’s personal information'.
The University of Melbourne noted that healthcare recipients' trust of
disclosure provisions of the MHR system could be enhanced if, under proposed
subsection 69A(4), the System Operator was required to notify a healthcare
recipient if their MHR information had been disclosed under proposed new
The University of Sydney indicated there was a lack of clarity and
potential concern regarding researchers' access to MHR information. Research Australia noted that, under subsection 15(ma) of the MHR Act, the
System Operator may prepare and provide de-identified data for research and
public health purposes. In May 2018, the Australian Government released the Framework to guide the
secondary use of My Health Record system data which outlines how de-identified
MHR information may be used for research purposes.
Some submitters commented that the definition of a designated entity
authorised to apply to a judicial officer for an order to disclose information
in proposed section 69A is broad. The Australian Federation of AIDS Organisations recommended that the designated
entities authorised to apply for a court to access MHR information are
restricted to law enforcement agencies. Future Wise proposed that access to MHR system documents by designated entities
should occur with the knowledge of the primary author, wherever possible.
In the committee's view, the Bill's proposed amendments, to require an
order of a judicial officer prior to the System Operator disclosing any MHR
information to a law enforcement or government agency, are a significant enhancement
to the privacy provisions of the MHR Act.
The committee notes the MHR system will store healthcare recipients'
sensitive, and confidential, health information for the primary purpose of
improving their health care. The committee considers it appropriate that
healthcare recipients are afforded the assurance, as provided for in the Bill's
proposed amendments, that their MHR information will not be disclosed for
purposes unrelated to their healthcare without appropriate judicial oversight.
The committee acknowledges the Bill's proposed amendments reflect current
government policy not to disclose MHR information without a court order. The committee notes that the current System Operator, the Australian Digital
Health Agency (ADHA), has not, since its establishment in 2016, received a
request for MHR information for law enforcement purposes, nor has the ADHA
disclosed information for that purpose.
The committee recognises the considerable expected benefits of the MHR
system, and that healthcare recipients' confidence in the privacy provisions of
the system is vital in ensuring the system's overall success. The committee
commends the Bill's proposed amendments to sections 65, 69 and 70 to the MHR
Act to strengthen the privacy provisions of the MHR system.
Submitters and witnesses noted varying issues and concerns that, whilst
not directly addressing the provisions of the Bill, are relevant to the broader
operation of the MHR system. Some of those issues and concerns are noted in
Some submitters raised issues and concerns regarding the MHR system
operating on an opt-out basis. ACOSS noted its concerns regarding MHR health information potentially being
used for non-health related purposes were 'heightened' given the MHR system's
opt-out basis. The Australian Association of Social Workers (AASW) submitted the opt-out
period should be extended.
Other submitters supported the MHR system's opt-out arrangements to
maximise the expected health benefits of the system.
Family violence and elder abuse
Some submitters raised concerns that MHR information could be accessed
by perpetrators of family violence and subsequently used to compromise the
safety of people subject to that violence. The Women's Legal Service NSW reported concern that perpetrators of family
violence could use a child's MHR information to potentially reveal the location
of victims in hiding. The Law Council of Australia's submission considered matters related to
parental access arrangements and noted, amongst other things:
- the System Operator will use Medicare records to determine who
can access a child's MHR information;
- parents will have the ability to make an application to alter
parental responsibility and access to a child's MHR information, however the
details and ease of that process are not currently clear; and
- a person will have the ability to register for a MHR using a
pseudonym which is not connected to that person's Medicare information.
The AASW strongly recommended:
...much greater consideration needs to be given to victims and
survivors of family violence, including safeguards to assure that the record is
not used to further perpetuate abuse.
The QLS noted concerns regarding the potential abuse of older people, or
people with a disability, by persons acting on behalf of, or purporting to act
on behalf of, an older person when creating or accessing an MHR. Subsection
6(4) of the MHR Act enables the System Operator to determine the authorised
representative of a healthcare recipient. QLS submitted that it is not
currently clear what degree of verification must be performed by the System
Operator when making a determination regarding an individual becoming an authorised
representative for another person.
Coerced consent and related matters
Whilst supporting the Bill's proposed amendments to the MHR Act, the
Australian Lawyers Alliance expressed concern regarding:
'...the inadequate measures in place to protect the medical
records in the My Health database from ‘coercive sharing’, where individuals
may be coerced into providing access to their medical records when applying for
employment or seeking insurance products.
Other witnesses provided evidence regarding related concerns for
circumstances in which a healthcare recipient's MHR information could,
potentially, be viewed by a health practitioner nominated by that recipient's
employer or insurer. The Law Council of Australia (LCA) recommended that the MHR Act be amended to
'...create additional privacy for the health records of employees when accessed
Disclosures relating to threats to
Some submitters recommended that section 64(2) of the MHR Act be amended
to require system participants to obtain an order from a judicial officer prior
to using the provisions of that section to collect, use, or disclose MHR health
information to lessen or prevent a threat to public health.
Consumers of Mental Health WA recommended that the MHR Act be amended to
require that healthcare recipients be notified as soon as practical after their
MHR information had been used for emergency purposes under section 64.
The committee acknowledges the evidence provided by submitters and
witnesses regarding the issues and concerns described in this section. The
committee notes that these issues and concerns, whilst not directly applicable
to the provisions of the Bill, are relevant to the effective operation of the
The committee agreed to share evidence with its counterpart committee,
the Senate Community Affairs References Committee (references committee), for
the references committee's inquiry into the MHR system. The committee notes the
matters discussed in this section will be examined in greater detail in the
references committee's inquiry report.
The committee strongly believes the MHR system is a significant health
policy reform, with the potential to benefit a large number of Australians
through improved healthcare quality and health outcomes. The committee
recognises that the national scale of the MHR system creates complexity in the
design of the MHR system, and that the success of the MHR system significantly
depends on the confidence Australians have in the system's capacity to protect
their confidential health information. The committee commends the Bill's
proposed amendments to the MHR Act that will, if passed, significantly
strengthen the privacy provisions of the MHR System.
The committee recommends the Bill be passed.
Senator Lucy Gichuhi
Navigation: Previous Page | Contents | Next Page