Australian Digital Health Agency is considering adding DNA data to My Health Record

Crikey.com.au, 6 April 2018:

DNA DEBATE

The federal government’s controversial My Health Record program is capable of storing genomic data, such as cancer risks, using technology that both has huge research applications and highlights privacy and security concerns.

The Sydney Morning Herald reports that genome-sequencing company Genome.One, which can track genetic variations and therefore disease risks, has built “necessary infrastructure” for uploading sensitive genomic data into the opt-out system.

University of Canberra privacy expert Bruce Arnold has criticised the inherent risks of DNA-tracking technology and, just a week after the government backdown on police access to My Health Records, today’s news as again demonstrating a lack public consultation.

The Australian Digital Health Agency (ADHA) which is responsibe for My Health Record gave Genome.One, a wholly-owned subsidiary of The Garvan Institute, $40,000 in September 2017 to support the development of this software.

Its GoExplore™ software provides sequencing and analyses of patients’ DNA samples to assesses their risk of developing 52 hereditary conditions, including 31 cancers, 13 heart conditions, as well several other conditions where monitoring or intervention can be of benefit. 

In a change of focus, Genome.One and The Garvan Institute are reportedly no longer offering clinical reporting for genetic disease diagnosis or personal health genomics in Australia. This service was priced at $6,400 plus GST, with no Medicare rebate.

Staffing numbers in Genome.One have been severely cut, new capital is being sought and, Gavan has stated that it intends to spin off Genome.One software into a new company in which it will be a minority shareholder.

However, Genome.One still intends to pilot its genomics technology integrated into GP practice software and on !8 April 2018 its CEO stated; “We're working with some electronic medical record providers and we're hoping that we can get a trial underway at some point this year”.

Tell me again why the Turnbull Government is insisting My Health Record will become mandatory by the end of October 2018?

It is not just ordinary health care consumers who have concerns about the My Health Record database, system design, privacy issues and ethical considerations.

It is not just the Turnbull Government which has not sufficiently prepared public and private health care organisations for the nationwide rollout of mass personal and health information collection - the organisations themselves are not ready.

Lewis Ryan (Academic GP Registrar)

* 91 % of GP Registrars have never used My Health Record in a clinical context

* 65% of GP Registrars have never discussed My Health Record with a patient

* 78%  of GP Registrars have never received training in how to use My Health Record

* 73% of GP Registrars say lack of training is a barrier to using My Health Record

* 71% of  GP Registrars who have used the My Health Record system say that the user interface is a barrier

* Only 21% of  GP Registrars believe privacy is well protected in the My Health Record system

In fact Australia-wide only 6,510 general practice organisations to date have registered to use My Health Record and these would only represent a fraction of the 35,982 GPs practicing across the country in 2016-17.

UPDATE

Healthcare IT News, 3 August 2018:

The Federal Government’s Health Care Homes is forcing patients to have a My Health Record to receive chronic care management through the program, raising ethical questions and concerns about discrimination.

The government’s Health Care Homes trial provides coordinated care for those with chronic and complex diseases through more than 200 GP practices and Aboriginal Community Controlled Health Services nationally, and enrolment in the program requires patients to have a My Health Record or be willing to get one.

But GP and former AMA president Dr Kerryn Phelps claimed the demand for patients to sign up to the national health database to access Health Care Homes support is unethical.

“I have massive ethical concerns about that, particularly given the concerns around privacy and security of My Health Record. It is discriminatory and it should be removed,” Phelps told Healthcare IT News Australia.

Under a two-year trial beginning in late 2017, up to 65,000 people are eligible to become Health Care Homes patients as part of a government-funded initiative to improve care for those with long-term conditions including diabetes, arthritis, and heart and lung diseases.

Patients in the program receive coordinated care from a team including their GP, specialists and allied health professionals and according to the Department of Health: “All Health Care Homes’ patients need to have a My Health Record. If you don’t have a My Health Record, your care team will sign you up.”

Phelps said as such patients who don’t want a My Health Record have been unable to access a health service they would otherwise be entitled to.

“When you speak to doctors who are in involved in the Heath Care Homes trial, their experience is that some patients are refusing to sign up because they don’t want a My Health Record. So it is a discriminatory requirement.”

It has also raised concerns about possible future government efforts to compel Australians to have My Health Records.

“The general feedback I’m getting is that the Health Care Homes trial is very disappointing to say the least but, nonetheless, what this shows is that signing up to My Health Record could just be made a prerequisite to sign up for other things like Centrelink payments or workers compensation.”

Human rights lawyer and Digital Rights Watch board member Lizzie O’Shea claims patients should have a right to choose whether they are signed up to the government’s online medical record without it affecting their healthcare.

“It is deeply concerning to see health services force their patients to use what has clearly been shown to be a flawed and invasive system. My Health Record has had sustained criticism from privacy advocates, academics and health professionals, and questions still remain to be answered on the privacy and security of how individual's data will be stored, accessed and protected,” O’Shea said. [my yellow highlighting]

Turnbull Government prepares an end run around the Australian electorate?

In 1986 the Federal Government couldn’t get the national electorate to accept the Australia Card, a national identity card to be carried by all citizens.

Likewise in 2007 the wider electorate rejected the proposed Access Card, a national identity card with a unique personal identification number, which was to be linked to a centralised database expected to contain an unprecedented amount of personal and other information.

Federal Government also failed to have everyone embrace the idea of MyGov, a data sharing, one-stop digital portal for access to government services created in 2013. To date only 11.5 million people out of a population of over 24.9 million hold an account with MyGov.

When after three and a half years the populace did not register in sufficient numbers for the so-called Personally Controlled Electronic Health Record (PCEHR), an intrusive opt-in data retention system, government changed tack.

It relabelled PCEHR as My Health Record (MHR) in 2016 and broadened the number of agencies which could access an individual’s personal/health information. Decreeing it would become a mandatory data collection system applied to the entire Australian population, with only a short an opt-out period prior to full program implementation¹.

However, it seems that the Turnbull Federal Government expects around 1.9 million people to opt-out of or cancel their My Heath Record in the next two months. Possibly with more cancellations to occur in the future, as privacy and personal safety become issues due to the inevitable continuation of MHR data breaches and the occurrence of unanticipated software vulnerabilities/failures.

So Turnbull and his Liberal and Nationals cronies have a backup in place in 2018 called the Data Sharing and Release Bill, which Introduces legislation to improve the use and reuse of public sector data within government and with private corporations outside of government, as well as granting access to and the sharing of data on individuals and businesses that is currently otherwise prohibited.

The bill also allows for the sharing of transaction, usage and product data with service competitors and comparison services. An as yet unrealised  provision which is currently being wrapped up in a pretty bow and called a consumer right - but one that is likely to be abused by the banking, finance, insurance, electricity/gas industry sectors.

The bill appears to override the federal privacy act where provisions are incompatible.

This is a bill voters have yet to see, because the Turnbull Government has not seen fit to publish the bill’s full text. Only an issues paper is available at present.

Notes:

1. Federal Government may have succeeded in retaining the personal details of every person who filled in the 2016 Census by permanently retaining these details and linking this information to their future Census information in order to track people overtime for the rest of their lives, but this win for government as Big Brother was reliant on stealth in implementation and was limited in what it could achieve at the time. 

Because not everyone ended up with a genuine unique identification key as an unknown number of individual citizens and permanent residents (possibly well in excess of half a million souls) as acts of civil disobedience deliberately filled in the national survey forms with falsified information or managed to evade filling in a form altogether. 

Australian Health Minister Greg Hunt is not being truthful about My Health Record and he knows it

On 16 July 2018 the Australian Minister for Health and Liberal MP for Flinders, Gregory Andrew 'Greg' Hunt, characterised My Health Record as a "secure summary" of an individual's key health information.

The Office of the Australian Information Commissioner (OAIC) tells a rather different story.

One where at least 242 individual My Health Records have been part of mandatory data breach reports in 2015-16 to 2016-17, with nine of the 51 reported breach events involving "the unauthorised access of a healthcare recipient’s My Health Record by a third party".

A story which also involves at least 96 instances of Medicare uploading data to the wrong digital health records and also uploading claim information to another 123 My Health Records apparently without the knowledge or consent of the persons in whose names these My Health Records had been created.

There were other instances where MyGov accounts held by healthcare recipients were incorrectly linked to the My Health Records of other healthcare recipients.

Prior to the database name change and system change from opt-in to opt-out there had been another 9 data breaches of an unspecified nature reported, involving an unknown number of what are now called My Health Records.

More instances are now being aired in mainstream and social media where My Health Records were created by DHS Medicare Repository Services or other agents/agencies without the knowledge or consent of the individual in whose name the record had been created.

Healthcare IT News 16 July 2018

If this is how the national e-health database was officially functioning malfunctioning by 30 June 2017, how on earth is the system going to cope when it attempts to create millions of new My Health Records after 15 October 2018?

On the first day of the 60 day opt-out period about 20,000 people refused to have a My Health Record automatically created for them and at least one Liberal MP has also opted out, the Member for Goldstein and member of the House of Representatives Standing Committee on Health, Aged Care and Sport Tim Wilson. 

Prime Minister Malcolm Bligh Turnbull has stated his view that mass withdrawals will not kill the national digital health records system - perhaps because he and his government are possibly contemplating adopting the following three coercive recommendations found amongst the thirty-one recommendations included in the Siggins Miller November 2016 Evaluation of the Participation Trials for the My Health Record: Final Report:

20. Use all mechanisms available in commissioning and funding health services as vehicles to require the use of the My Health Record to obtain funds where practical.

21. Consider ways to require the use of the My Health Record system by all healthcare providers and how to best use the Government’s purchasing power directly (e.g. in the aged care sector), via new initiatives as they arise (such the Health Care Home initiative) or via PHNs commissioning clinical services (e.g. require use of the My Health Record system in all clinical and aged care services that receive Commonwealth funds). Such requirements should have a timeframe within which healthcare providers need to become compliant.

22. Explore with health insurers how they could encourage preferred suppliers and clients to use the My Health Record system as part of their push for preventive care and cost containment.

That the My Health Record is not about improving health service delivery for individual patients is indicated by the fact that a My Health Record is retained by the National Repositories Service for between 30 and up to 130 years after death and, even during an individual's lifetime can be accessed by the courts, police, other government agencies and private corporations listed as research organisations requiring medical/lifestyle information for what is essentially commercial gain, at the discretion of the Secretary of the Department of Health or the Digital Health Agency Systems Operator. See: My Health Records Act 2012 (20 September 2017), Subdivision B - s63 to s70

To put it bluntly, this national database will allow federal government to monitor the personal lives of Australian citizens more closely, enforce civil & criminal law, monetise collated data for its own benefit  and, weaponize the personal information collected anytime it feels threatened by dissenting opinion.

NOTES

OAIC annual reports:

https://www.oaic.gov.au/resources/about-us/corporate-information/annual-reports/ehealth-and-hi-act-annual-reports/annual-report-of-the-australian-information-commissioner-s-activities-in-relation-to-digital-health-2015-16.pdf

https://www.oaic.gov.au/resources/about-us/corporate-information/annual-reports/ehealth-and-hi-act-annual-reports/annual-report-of-the-australian-information-commissioner-s-activities-in-relation-to-digital-health-2016-17.pdf

The Guardian, 22 July 2018:

Australia’s impending My Health Record system is “identical” to a failed system in England that was cancelled after it was found to be selling patient data to drug and insurance companies, a British privacy expert has said.

My Health Record is a digital medical record that stores medical data and shares it between medical providers. In the UK, a similar system called care.data was announced in 2014, but cancelled in 2016 after an investigation found that drug and insurance companies were able to buy information on patients’ mental health conditions, diseases and smoking habits.

The man in charge of implementing My Health Record in Australia, Tim Kelsey, was also in charge of setting up care.data. 

Phil Booth, the coordinator of British privacy group Medconfidential, said the similarities were “extraordinary” and he expected the same privacy breaches to occur.

“The parallels are incredible,” he said. “It looks like it is repeating itself, almost like a rewind or a replay. The context has changed but what is plainly obvious to us from the other side of the planet, is that this system seems to be the 2018 replica of the 2014 care.data.” [my yellow highlighting]

North Coast Voices , 22 July 2018, Former Murdoch journalist in charge of MyHealth records –what could possibly go wrong?

UPDATE

Australian Parliamentary Library, Flagpost, 23 July 2018:

Section 70 of the My Health Records Act 2012 enables the System Operator (ADHA) to ‘use or disclose health information’ contained in an individual’s My Health Record if the ADHA ‘reasonably believes that the use or disclosure is reasonably necessary’ to, among other things, prevent, detect, investigate or prosecute any criminal offence, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; protect the public revenue; or prevent, detect, investigate or remedy ‘seriously improper conduct’. Although ‘protection of the public revenue’ is not explained, it is reasonable to assume that this might include investigations into potential fraud and other financial offences involving agencies such as Centrelink, Medicare, or the Australian Tax Office. The general wording of section 70 is a fairly standard formulation common to various legislation—such as the Telecommunications Act 1997—which appears to provide broad access to a wide range of agencies for a wide range of purposes. 

While this should mean that requests for data by police, Home Affairs and other authorities will be individually assessed, and that any disclosure will be limited to the minimum necessary to satisfy the request, it represents a significant reduction in the legal threshold for the release of private medical information to law enforcement. Currently, unless a patient consents to the release of their medical records, or disclosure is required to meet a doctor’s mandatory reporting obligations (e.g. in cases of suspected child sexual abuse), law enforcement agencies can only access a person’s records (via their doctor) with a warrant, subpoena or court order....

It seems unlikely that this level of protection and obligation afforded to medical records by the doctor-patient relationship will be maintained, or that a doctor’s judgement will be accommodated, once a patient’s medical record is uploaded to My Health Record and subject to section 70 of the My Health Records Act 2012. The AMA’s Guide to Medical Practitioners on the use of the Personally Controlled Electronic Health Record System (from 2012) does not clarify the situation.

Although it has been reported that the ADHA’s ‘operating policy is to release information only where the request is subject to judicial oversight’, the My Health Records Act 2012 does not mandate this and it does not appear that the ADHA’s operating policy is supported by any rule or regulation. As legislation would normally take precedence over an agency’s ‘operating policy’, this means that unless the ADHA has deemed a request unreasonable, it cannot routinely require a law enforcement body to get a warrant, and its operating policy can be ignored or changed at any time.

The Health Minister’s assertions that no one’s data can be used to ‘criminalise’ them and that ‘the Digital Health Agency has again reaffirmed today that material … can only be accessed with a court order’ seem at odds with the legislation which only requires a reasonable belief that disclosure of a person’s data is reasonably necessary to prevent, detect, investigate or prosecute a criminal offence…..

Although the disclosure provisions of different agencies may be more or less strict than those of the ADHA and the My Health Records Act 2012, the problem with the MHR system is the nature of the data itself. As the Law Council of Australia notes, ‘the information held on a healthcare recipient’s My Health Record is regarded by many individuals as highly sensitive and intimate’. The National Association of People with HIV Australia has suggested that ‘the department needs to ensure that an individual’s My Health Record is bound to similar privacy protections as existing laws relating to the privacy of health records’. Arguably, therefore, an alternative to the approach of the current scheme would be for medical records registered in the MHR system to be legally protected from access by law enforcement agencies to at least the same degree as records held by a doctor.

Former Murdoch journalist in charge of MyHealth records –what could possibly go wrong?

Former news editor of the notorious Newscorp publication The Sunday Times which was involved in the UK hacking scandal, former  Executive Director of Transparency and Open Data in the UK Cabinet Office and then National Director for Patients and Information and head of the toxic government Care.data project which stored patient medical information in a single database. before ending up as the commercial director of Telstra Health in Australia, Tim Kelsey, was appointed as CEO of the Australian Digital Health Agency by the Turnbull Coalition Government to progress the stalled My Health Record national database in 2016 with a salary worth $522,240 a year.

 A curriculum vitae which may go some way to explaining why reports are beginning to emerge of individuals seeking to opt-out of My Health Record finding out they have been registered by stealth in the Australian national database some years ago.

Crikey.com.au, 18 July 2018:

The bureaucrat overseeing My Health Record presided over a disaster-plagued national health record system in the UK, and has written passionately about the belief people have no right to opt out of health records or anonymity.

Tim Kelsey is a former British journalist who moved into the electronic health record business in the 2000s. In 2012, he was appointed to run the UK government’s national health record system, Care.data, which was brought to a shuddering halt in 2014 after widespread criticism over the sale of patients’ private data to drug and insurance companies, then scrapped altogether in 2016. By that stage, Kelsey had moved to Telstra in Australia, before later taking a government role. There was considerable criticism about the lack of information around Care.data, and over 700,000 UK people opted out of the system.

Kelsey vehemently opposed allowing people to opt out — the exact model he is presiding over in Australia. In a 2009 article, “Long Live The Database State”, for Prospect…..

For Kelsey, this was necessary for effective health services…….

Kelsey also expressed his opposition to the anonymisation of data, even of the most personal kind…... 

Kelsey’s vision was of a vast state apparatus collecting, consolidating and distributing private information to enable an interventionist state.

Moreover, he stated others should have access to data…..

ADHA, Kelsey is doing little to fix his reputation for controversy. On Saturday, ADHA released an extraordinary 1000-word attack on News Corp health journalist Sue Dunlevy who correctly pointed out the strong risk to privacy in the My Health Record system. The statement repeatedly criticised Dunlevy, accusing her of “dangerous fearmongering” and being “misleading and ignorant”.

Dunlevy had rightly noted the lack of any effective information campaign about My Health record (exactly the criticism made of Care.data), prompting ADHA to boast of its $114 million campaign at Australia Post shops, Department of Human Services “access points” and letters to health practitioners. It makes you wonder why even News Corp’s Janet Albrechtsen said she’d never heard of My Health Record until last week…. 

Turnbull and Keenan botching digital transformation policy

The Australian Minister for Human Services, Minister Assisting the Prime Minister for Digital Transformation and Liberal MP for Stirling, 46 year-old Michael Fayat Keenan, is all gung-ho for digital transformation.

The problem is that he is just not good at being transformative – rather like his prime minister.

One could almost see the trainwreck coming down the line from the moment of then Communications Minister Turnbull's initial joint announcement with then Prime Minister Tony Abbott in 2015.

Despite the obvious problems Michael Keenan will be commencing pre-rollout trials of a facial recognition program this year,

Yahoo News, 1 July 20118:

Welfare recipients will soon be asked to have their faces scanned before they can claim their benefits.

It is part of a new trial of biometric security measures the government will begin within months.

Similar to how SmartGates work at airports to check passports, government services will ask recipients to take a photo on a computer or phone to create a MyGov ID.

The photo will then be checked against passports and driver’s licences.

But there are questions as to whether this information could be misused.

Australian Privacy Foundation’s Bernard Robertson-Dunn said people needed to be assured “it works properly” and the government “doesn’t use the technology to do things it didn’t say it was going to do”.

Human Services Minister Michael Keenan said on May 1 the misuse of data which could be used to “impinge on people’s privacy” was “clearly” a concern for many Australians.

The 2016 Census is an example of a recent government technology fail….

Uses for the MyGov ID will trial from October – with an all-online way to get a tax file number.

Next year Centrelink services, including Newstart and Youth Allowance, will also be trialled.

Here is the organisational and technological mess that Keenan helped create…..

The Canberra Times, 29 June 2018, p.14:

The agency charged with guiding IT projects has been sidelined from major policies and is removed from the Coalition's thinking about digital reform, an inquiry into the government's $10 billion tech spend has found.

A report released on Wednesday has called for a central vision to guide the government in its IT reform and found changes to the Digital Transformation Agency had left it watching on as major tech projects hit disaster.

The inquiry found the DTA did not have the Australian Criminal Intelligence Commission's botched project to adopt biometric technology on its watchlist and that it had failed to involve itself in determining why the Education Department's Australian Apprenticeship Management System project was called off.

It was sidelined as the Department of Home Affairs took charge of cyber policy, the Prime Minister's department assumed control of data policy and the newly created Office of the Information Commissioner was created separate from the DTA, the report said.

"The evidence heard by this committee revealed an organisation that was not at the centre of government thinking about digital transformation, or responsible for the creation and enactment of a broader vision of what that transformation would look like," it said.

News.com.au, 12 June 2018:

Australians will be able to access government services with a single log-in under a plan to create a "single digital identity" by 2025.

Michael Keenan, the federal minister in charge of digital services, said face-to-face interactions with government services would be greatly reduced.

"Think of it as a 100-point digital ID check that will unlock access to almost any government agency through a single portal such as a myGov account," Mr Keenan said.

The minister wants Australia to be a world leader in digital government, with almost all services to be available online by 2025.

Mr Keenan said having 30 different log-ins for government services is not good enough.

"The old ways of doing things, like forcing our customers to do business with us over the counter, must be re-imagined and refined," he said.

People will need to establish their digital identity once before being able to use it across services.

The first of several pilot programs using a "beta" version of what will be known as myGovID will begin in October.

The initial pilot will enable 100,000 participants to apply for a tax file number online, which Mr Keenan says will reduce processing time to a day from up to a month currently.

In a pilot starting from March next year, services including student identification and Centrelink will be connected to the digital identity.

Also from March 2019, 100,000 people will be able to use their digital identity to create their My Health Record online.

Mr Keenan says one face-to-face or over-the-counter transaction costs on average about $17 to process, while an online transaction can cost less than 40 cents.

The Human Services department will operate as the gateway between service providers and people.

"This is key to protecting privacy, as the exchange will act as a double-blind - service providers will not see any of the user's ID information and identity providers will not know what services each user is accessing," Mr Keenan said.

Labor digital economy spokesman Ed Husic said the Turnbull government was responsible for a "dirty dozen" of failed digital transformation failures, including the census and tax office website crashes.

"The biggest challenge confronting the Turnbull government is to quit its addiction to glitzy digital announcements and get stuck into properly delivering these multimillion-dollar projects," Mr Husic said.

The Australian Crime Intelligence Commission has suspended the contract for its beleaguered biometric identification services project in order to renegotiate it after the contractor failed to meet the deadline for completion and the cost ran $40 million over budget.

It follows a recommendation from a scathing independent review late last year that the contract be overhauled, the project be simplified and the timeline for delivery changed.

In 2016 ACIC (then CrimTrac) contracted NEC Australia to deliver a program that would replace the national automated fingerprint identification system, adding in facial recognition, palm prints and foot prints and would be available for use by police forces around the country.

Industry news website InnovationAus reported on Wednesday that NEC contractors had been marched from ACIC's premises on Monday June 4, after being told that the project had been suspended at the start of June.

It is believed the project has been suspended until Friday, while the negotiations over the contract take place.

A PricewaterhouseCoopers report last November seen by Fairfax Media said "a chain of decisions involving all levels and stakeholders" had led to the project running behind schedule and over budget.

It recommended that the scope of the project be simplified and standardised, and called it "highly challenged" and presenting a "high risk" to the commission.

"There is low confidence in likelihood of delivery which requires focus to achieve turnaround."

Poor communication, operational silos, limited collaboration and a failure to estimate the project's complexity had blown it off-track, the report said.

The report also recommended that the existing fingerprint database contract with Morpho be extended for 12 months after its expiry last month. It is not clear whether this contract was extended as recommended……

NEC Australia was also the contractor for the failed Australian apprentice management system, which was dumped by the Department of Education and Training last month due to critical defects, also found by a report by PwC.

InnovationAus, 12 June 2018:

NEC Australia won a $52 million tender for the Biometric Identification Services project in early 2016. The project involved replacing the ACIC’s National Automated Fingerprint Identification System with a “multi-modal biometric identification” service, incorporating fingerprints, footprints and facial recognition.

But the project is running behind schedule and is understood to be returning a high amount of false positives.

ABC News, 28 May 2018:

A massive case of mistaken identity in the UK is prompting calls for a rethink on plans to use facial recognition technology to track down terrorists and traffic offenders.

"If you have technology that is not up to scratch and it is bringing back high returns of false positives then you really need to go back to the drawing board," president-elect of the Law Council of Australia Arthur Moses told AM.

The comments follow revelations a London police trial of facial recognition technology generated 104 "alerts", of which 102 were false.

The technology scanned CCTV footage from the Notting Hill Carnival and Six Nations Rugby matches in London in search of wanted criminals.

Only 39 days to go until concerned Australian citizens can opt out of the Turnbull Government's collection of personal health information for its national database

Apparently this email is currently being sent out to registered Australian citizens.

Australian Digital Health Agency, email, 5 June 2018:

Hello,

You are receiving this email because you registered your email address at myhealthrecord.gov.au to find out more information about how to opt-out of the My Health Record system.

If you do not want a My Health Record, you must register your choice between 16 July and 15 October 2018 during the opt-out period. It is not possible to opt-out of having a record before the opt-out period starts.

The opt-out period will not apply to individuals who have previously chosen to have a My Health Record, or were included in the Nepean Blue Mountains or North Queensland opt-out trials in 2016. Individuals who have an existing My Health Record can cancel their record at any time. Instructions on cancelling a record can be found on the My Health Record website.

Once the opt-out period starts you will receive another email letting you know that the opt-out period has started and what to do if you still want to opt-out.

A My Health Record is a secure online summary of an individual’s key health information. 1 in 5 Australians already have one. It’s an individual’s choice who sees their My Health Record, what’s in it and who it is shared with. My Health Record has safeguards in place to protect an individuals’ information including encryption, firewalls and secure login.

For further information about the My Health Record, please visit the My Health Record website.

Thank you,

The My Health Record System Operator
www.digitalhealth.gov.au

[my yellow highlighting]

An insider has finally admitted what any digital native would be well aware of - your personal health information entered into a national database will be no safer that having it up on Facebook

Remembering that a federal government national screening program, working with with a private entity, has already accessed personal information from Medicare without consent of registered individuals and entered these persons into a research program - again without consent - and these individuals apparently could not easily opt out of being listed as a research subject but were often only verbally offered  the option of declining to take part in testing, which presumably meant that health data from other sources was still capable of being collected about them by the program. One has to wonder what the Turnbull Government and medical establishment actually consider patient rights to be in practice when it comes to "My Health Record".

Healthcare IT News, 4 May 2018:

Weeks before the anticipated announcement of the My Health Record opt out period, an insider’s leak has claimed the Australian Digital Health Agency has decided associated risks for consumers “will not be explicitly discussed on the website”.

As the ADHA heads towards the imminent announcement of the three-month window in which Australians will be able to opt out of My Health Record before being signed up to the online health information repository, the agency was caught by surprise today when details emerged in a blog post by GP and member of the steering group for the national expansion of MHR, Dr Edwin Kruys.

Kruys wrote that MHR offers “clear benefits” to healthcare through providing clinicians with greater access to discharge summaries, pathology and diagnostic reports, prescription records and more, but said “every digital solution has its pros and cons” and behind-the-scenes risk mitigation has been one of the priorities of the ADHA. However, he claimed Australians may not be made aware of the risks involved in allowing their private medical information to be shared via the Federal Government’s system.

“It has been decided that the risks associated with the MyHR will not be explicitly discussed on the website,” Kruys wrote.

“This obviously includes the risk of cyber attacks and public confidence in the security of the data.”

The most contentious contribution in the post related to the secondary use of Australians’ health information, the framework of which has yet to be announced by Health Minister Greg Hunt.

Contacted by HITNA, the agency moved swiftly to have Kruys delete the paragraph relating to secondary use.

In the comment that has since been removed, Kruys wrote, “Many consumers and clinicians regard secondary use of the MyHR data as a risk. The MyHR will contain a ‘toggle’, giving consumers the option to switch secondary use of their own data on or off.”

Under the My Health Records Act 2012, health information in MHR may be collected, used and disclosed “for any purpose” with the consent of the healthcare recipient. One of the functions of the system operator is “to prepare and provide de-identified data for research and public health purposes”. 

Before these provisions of the act will be implemented, a framework for secondary use of MHR systems data must be established. 

HealthConsult was engaged to assist the Federal Government in developing a draft framework and implementation plan for the process and within its public consultation process in 2017 received supportive submissions from the Australasian College of Health Informatics, the Australian Bureau of Statistics and numerous research institutes, universities, and clinicians’ groups.

Computerworld, 14 May 2018:

Use of both de-identified data and, in some circumstances, identifiable data will be permitted under a new government framework for so-called “secondary use” of data derived from the national eHealth record system. Linking data from the My Health Record system to other datasets is also allowed under some circumstances.

The Department of Health last year commissioned the development of the framework for using My Health Record data for purposes other than its primary purpose of providing healthcare to an individual.

Secondary use can include research, policy analysis and work on improving health services.

Under the new framework, individuals who don’t want their data used for secondary purposes will be required to opt-out. The opt-out process is separate from the procedure necessary for individuals who don’t want an eHealth record automatically created for them (the government last year decided to shift to an opt-out approach for My Health Record)……

Access to the data will be overseen by an MHR Secondary Use of Data Governance Board, which will approve applications to access the system.

Any Australian-based entity with the exception of insurance agencies will be permitted to apply for access the MHR data. Overseas-based applicants “must be working in collaboration with an Australian applicant” for a project and will not have direct access to MHR data.

The data drawn from the records may not leave Australia, but under the framework there is scope for data analyses and reports produced using the data to be shared internationally……

The Department of Health came under fire in 2016 after it released for download supposedly anonymised health data. Melbourne University researchers were able to successfully re-identify a range of data.

Last month the Office of the Australian Information Commissioner revealed that health service providers accounted for almost a quarter of the breaches reported in the first six weeks of operation of the Notifiable Data Breach (NDB) scheme.

The Sydney Morning Herald, 14 May 2018:

Australians who don't want a personal electronic health record will have from July 16 to October 15 to opt-out of the national scheme the federal government announced on Monday.

Every Australian will have a My Health Record unless they choose to opt-out during the three-month period, according to the Australian Digital Health Agency.

The announcement follows the release of the government’s secondary use of data rules earlier this month that inflamed concerns of patient privacy and data use.

Under the framework, medical information would be made available to third parties from 2020 - including some identifying data for public health and research purposes - unless individuals opted out.

In other news....... 

The Sydney Morning Herald, 14 May 2018:

A cyber attack on Family Planning NSW's website has exposed the personal information of up to 8000 clients, including women who have booked appointments or sought advice about abortion, contraception and other services.

Clients received an email from FPNSW on Monday alerting them that their website had been hacked on Anzac Day.

The compromised data contained information from roughly 8000 clients who had contacted FPNSW via its website in the past 2½ years to make appointments or give feedback.

It included the personal details clients entered via an online form, including names, contact details, dates of birth and the reason for their enquiries….

The website was secured by 10am on April 26, 2018 and all web database information has been secure since that time

SBS News, 14 May 2018:

Clients were told Family Planning NSW was one of several agencies targeted by cybercriminals who requested a bitcoin ransom on April 25…..

The not-for-profit has five clinics in NSW, with more than 28,000 people visiting every year.

The most recent Digital Rights Watch State of Digital Rights (May 2018) report can be found here.

The report’s 8 recommendations include:

Repeal of the mandatory metadata retention scheme

Introduction of a Commonwealth statutory civil cause of action for serious invasions of privacy

A complete cessation of commercial espionage conducted by the Australian Signals Directorate

Changes to copyright laws so they are flexible, transparent and provide due process to users

Support for nation states to uphold the United Nations Convention on the Rights of the Child in the digital age

Expand the definition of sensitive information under the Privacy Act to specifically include behavioural biometrics

Increase measures to educate private businesses and other entities of their responsibilities under the Privacy Act regarding behavioural biometrics, and the right to pseudonymity

Introduce a compulsory register of entities that collect static and behavioural biometric data, to provide the public with information about the entities that are collecting biometric data and for what purpose

The loopholes opened with the 2011 reform of the FOI laws should be closed by returning ASD, ASIO, ASIS and other intelligence agencies to the ambit of the FOI Act, with the interpretation of national security as a ground for refusal of FOI requests being reviewed and narrowed

Telecommunications providers and internet platforms must develop processes to increase transparency in content moderation and, make known what content was removed or triggered an account suspension.