Ed Husic (Chifley, Australian Labor Party, Shadow Minister for the Digital Economy) Share this | Hansard source

I'll start my speech on the My Health Records Amendment (Strengthening Privacy) Bill 2018 by reflecting on protection of data, and I'll get my phone back from the member from Whitlam. I want to take up from where the member for Whitlam left off, and that was where we are at this point in time. This year, I've remarked on other occasions, is a threshold year when it comes to the issue of tech and, in particular, the notion of data. I think that the public have become a lot more enlivened and a lot more aware about the huge amount of data that is being generated through the multitude of devices that they have, and people are now starting to think a lot more deeply: 'Okay, this data is being generated. How is it being used? Will it be used in a way that does not benefit me?' People hear a lot about the benefits of this data and how it will be applied, but they're now starting to recognise that there is another side to this coin and that this needs to be explored further.

This debate that we're having right now comes at a time when the broader environment is seeing the gloss of tech start to wear. I speak as someone who recognises the value of the application of technology to do a lot better in terms of economic growth and generation of new jobs and to help people live better lives. But, with everything, we should have a clear-eyed assessment. As much as there's benefit, we should also be mindful of the things that we don't necessarily think are working in favour of the public. I think this is the year when, more and more, people will expect greater respect for data by both business and government. People will think about the data that's being generated in anyone's home at any one time. You'll probably have close to 20 different items connected through your wi-fi network at your home that are all pumping out data. The data is all going somewhere. Someone's got access to it. How is it being used? The someone is both business and government. It requires recognition by government of a higher level of sensitivity about how data is being used and how it's being protected.

I open my contribution today with that because context in this debate is important. It's why the public reaction to where we're at with the My Health Record initiative overtook this government and well and truly put it on the back foot. It has not appreciated the growing concern that exists in the minds of the public about how the data is being used by both business and government, and it failed to bring the public along. I might, at this point, make a reflection on the sweat-laden contribution of the member for Goldstein last night. He had spoken out against the government's management of My Health Record. Then, in the bizarre contribution that he made last night, he started by saying: 'I'm not going to be popular with the comments that I'm making tonight. I don't think My Health Record should exist, but it's all the Labor Party's fault'. He tried, in one manoeuvre—I wouldn't say deft; it was daft—to sheet home the problems that existed with this system. It typifies the operating approach of the government, particularly with respect to My Health Record.

The government made a number of fundamental errors in the implementation of My Health Record. They ignored it for ages. They thought that they could buy off a number of stakeholders to go out and promote on their behalf. They didn't do the grunt work of putting the framework in place to ensure the smooth implementation of this. Fatally, they roped the whole public in. They required people to opt out. It would be assumed they would be in rather than out. They thought that would work a treat. Well, how phenomenally wrong could you be? The problem with this government, particularly in terms of digital projects, is that they're there for the announcement but they're never there for the delivery and they're certainly never there to explain when things go wrong. A number of people have highlighted instances where the government has stuffed up the delivery of digital projects, including this one that has brought us to the chamber to discuss right now.

When it comes to digital projects, it's worth noting that we have had over a dozen different derailments through the course of this term of parliament. In one term of parliament we've had close to 15 different projects that have gone off the rails. We had, for example, as has been cited, the failure to smoothly implement the 2016 online census. We've had repeated crashes of the ATO website. We've had the delayed revamp of the Child Support Agency website and then other problems associated with the maintenance of that platform. They halted the start of the online NAPLAN testing. They guillotined the gov.au redesign proposal—wasted nearly a million dollars on that project. They shut down their Digital Transformation Office and then reopened it under another name. They waved goodbye to two CEOs, one for the DTO and one for the DTA. They scored the business thumbs down for the overhyped Digital Marketplace. They saw the arrest of IT contractors in the Department of Human Services for suspected fraud. They've notched up a record $10 billion spend on government IT—to give you context, that's almost as much as we spend on Newstart in this country. You can't forget robo-debt—there's another one. They dumped the apprentice IT platform. They suspended the ACIC biometric project. And then we come to My Health Record, where they tried to sneak everyone in the public onto this platform and make them opt out, rather than do the hard work of building confidence in the My Health Record system and getting people to opt in to the system. There are serious concerns about the management of this, and, given the litany of failures of this government on digital projects, you can understand that the public has been conditioned to expect less, not more, from government digital transformation, given the way that it has been managed by this government.

The government needs to invest more time in building confidence in this system and answering simple questions. For example, as was pointed out through the contribution of the member for Gellibrand, a number of people can access this system at different points in the system. How do you know how that access has manifested itself? For example, the My Health Records portal is a web based portal, from what I'm led to believe; if someone accesses the system and screenshoots or print-screen dumps data that's on that screen, how do you know that has even occurred? I'd be interested in whether the minister will be letting the public know whether they have mechanisms within their platform to detect that kind of activity.

These kinds of threshold questions are important to answer to build confidence. I said this a few moments ago: you need to be able to build confidence that the My Health Record system will respect the data that is used. The government say, 'In this bill we will ensure that, if someone opts out of the My Health Record system, their data will be permanently deleted.' How? And how do you test whether or not that has actually occurred? You could do it in word, but would it happen in deed? The government need to build more confidence in the system so they are able to prove that these things have occurred. Now the government may say, 'This is an onerous test to place on the system,' but, sorry, that's where we've got to. The government need to recognise that, in the minds of the public, the expectation has been raised about how data is being used. This will be a lot more important in the years to come, and they've got to be able to say, 'We've given you an assurance that this has been done. This will happen.'

The government make a big deal about the fact that they are being transparent and open, when experience suggests otherwise. They have been unable to deliver digital services that the public rates highly. For instance, even if you look at updating their own performance dashboards for various government services, you will find that they all lag in terms of being updated or that the user satisfaction with the actual sites themselves is low. The Australian Taxation Office's community website has got a user satisfaction rate of under a half. Community digital take-up for the Taxation Office is only 16 per cent, which is down 18 per cent. User satisfaction for the Human Services website has only just managed a pass mark. So people will also have concerns with the way that the systems are being used by the public and the way that the data is being collected, retained and protected. These are the types of things that the government have to be a lot more mindful about.

There were a number of points that the shadow minister for health, the member for Ballarat, raised in her contribution to this debate that are worthy of repeating and that we need to reinforce. The requirement for informed consent, which I've already touched upon, to build a strong relationship of trust is absolutely critical. We need to be able to see that occur. We need to be able to have much better communication with the public. As I said, there has been no letter on the national shift to the opt-out system and the importance of My Health Record. The government needs to invest time and effort to make sure that happens. The level of assurance needed to ensure that people's concerns about, for instance, how data will be used needs to be increased as well.

As the shadow minister pointed out, concern exists that My Health Record data accessed through pre-employment medical checks or workers compensation assessments could be passed to employers and used to discriminate against workers with pre-existing medical conditions. This is a genuine concern.

The member for Whitlam mentioned the fact that in the case of data that is generated through wearables that are connected through to the internet—the concern already exists in the United States about things like the Apple Watch, Fitbit or whatever—health insurers may try to demand access to that data as a condition of getting a better health insurance policy. We need to have those types of assurances that data that's generated through the My Health Record system isn't being used in a way that works against individual citizens. That type of thing needs to be stressed a lot more.

As the Australian Healthcare & Hospitals Association has told the Senate inquiry into this legislation, even changes to more thoroughly lockout insurers may not be enough. They've argued that consumer protections should be put in place to prevent third parties from discriminating against individuals who don't agree to the release of their My Health Record data. They've raised the prospect of businesses refusing to sell a product or service, or charging more, unless the individual provides access to their data. Exactly the type of debate that has been held in the United States over the interrelationship of wearables, generation of data and its application in different forms is being visited here on our soil, particularly in the context of this debate, and that does need to be addressed.

Again, these are not small things. They do require effort. They require a lot more time than what the government has said. I think the government needs to do a bigger job in terms of building public confidence in the system, particularly around the protection of data, recognising that people are much more alive to cybersecurity risks than ever before and, when the data is in the system, how it's being used by those who are supposedly allowed to access the data and how it might be used down the track in ways that people hadn't contemplated initially. It certainly needs way more time than the one month opt-out extension that we've seen by the government to date. This should be extended way further than what we are currently seeing. If the government fails to do that, then it comes to the very point I raised at the start of this, that they are not investing the time or care to ensure public confidence in this system.

See this speech in context