Wednesday, 12 December 2018

Do you know whose hands have harvested your medical information?

The Medical Republic, 7 December 2018:

An investigation by The Medical Republic has revealed state, territory and federal police forces have sent around 2,600 requests a year for this sensitive health data to the Department of Human Services over the past two years. The department can legally disclose private health records to the police without a court order.

The department would not reveal how many of these requests were granted, but said the number of disclosures per year had remained stable over the past decade.

Once linked, Pharmaceutical Benefits Scheme (PBS) and Medicare Benefits Schedule (MBS) data can paint a very detailed picture about a person’s medical history.

PBS data includes every rebatable medication purchased at a chemist. MBS records show which Medicare item numbers were billed for during each consultation, and what tests were ordered.

This information is as sensitive as MHR data, although it lacks the granularity of laboratory test results or GP notes, which can be included in a MHR. In November, the federal parliament passed legislation requiring police to produce a court order to access MHR data.

“This begs the question as to why similar protections are not being enacted in the MBS and PBS legislation,” Malcolm Crompton, a former privacy commissioner of Australia and founder and lead privacy advisor of Information Integrity Solutions, told The Medical Republic.

The legislative inconsistency was an “undeniable oddity” especially because most of the content of a MHR would, at least initially, simply be MBS and PBS data, he said.

Data sharing between the Department of Human Services and the police is shrouded in secrecy, with decisions being made behind closed doors by unnamed officials using an undisclosed set of public interest guidelines, which were issued by the secretary of the Department of Health in 2003.

The human services department has refused to make its 18-page privacy guidelines public under FOI laws, citing concerns that agencies might use their knowledge of the guidelines to trick the department.

“Specifically, with the benefit of having reviewed the document, requestors may construct their requests in a manner that undermines the department’s procedures (e.g. by misleading the delegate) in order to secure the disclosure of the requested information,” an FOI decision maker said…

The department eventually provided a single case study for police use of private health data, four months after initially being asked about the purpose of disclosing this data, and only after The Medical Republic’s investigation exposed the scale of police requests.

The case study describes a scenario where the police are making an enquiry about a missing person whose safety is in question, and are using MBS and PBS claims information to determine whether the missing person had seen a doctor, obtained medications or updated their contact details.

The Medical Republic contacted each state, territory and federal police force for this investigation, but only the NT Police confirmed how many times the department had provided patient information.

The NT Police, Fire and Emergency Services made an average of 26 requests per year for private health data, including current contact details, next of kin, MBS or PBS records.

All of these requests were successful, and all were made without a court order. “Requests are not made under court order but rather must satisfy certain criteria,” Detective Acting Superintendent Peter Kennon said.

“That is, it must be for a missing person or in relation to an offence with a penalty of two years or more imprisonment or 44 penalty units (about $6,000), and be in the public interest.”

The department is obliged to report the number of times it has disclosed linked PBS and MBS data to law enforcement authorities on an annual basis to the Office of Australian Information Commissioner (OAIC).

The Medical Republic obtained a copy of the OAIC reports, which showed that the DHS gave linked MBS and PBS data to police five times in 2016-17, but did not disclose data given to police in the previous three years.

“Most of the public interest disclosures the department makes to law enforcement agencies do not need to be included in our annual reports to the Privacy Commissioner,” a department spokesperson said.

The department only has to report the disclosure of “linked” MBS and PBS data to police. The word “linked” is not defined in the legislative instrument, so in practice, the department appears able to apply a definition that minimises its reporting obligations.

MBS and PBS data was only “linked” if the information was “combined, joined or merged”, a department spokesperson said. “The mere extraction of an individual’s MBS and PBS claims information into separate documents does not constitute linking for the purposes of the guidelines, even if those documents are sent to the same email address,” the spokesperson said.

“The department seems to be playing with semantics in order to avoid complying with the intention of the guidelines,” Dr Robertson-Dunn said.