Rebekha Sharkie (Mayo, Centre Alliance) Share this | Hansard source

I rise in support of the My Health Records Amendment (Strengthening Privacy) Bill 2018. The My Health Record is not a new initiative. The digital database already houses the medical records of over six million Australians. It's been around for years now, and it carries the handprints of those on both sides of this chamber. Presumably then there are sensible policy reasons behind the introduction of the My Health Record scheme, and I don't doubt that is true. Shortly I will discuss some of the benefits. But we also can't ignore the widely held and very real fear that this information—our most personal information—could be lost, stolen or used in a way that we didn't foresee and certainly didn't consent to. Over 900,000 people have opted out of the scheme since the formal opt-out period began in July. If the government is going to continue to push this policy forward, they need to convince the public that their data is safe, that the system is secure and that they, the individual, will always be the ones in control of their personal data.

Setting those concerns aside for a moment, I do want to touch on the three potential benefits to the community. First, the My Health Record initiative will give people the ability to access their medical records anywhere in Australia. It won't matter whether you're moving interstate for work or whether you're retired and following the sun north. Wherever you are, you should be able to access and update your records. Second, healthcare professionals will have instant access to your medical records. None of us want to contemplate serious or sudden illness or injury, but it does happen. If you live alone and you are immobile or unconscious, perhaps in an emergency room, the ability to access information about your medical history—everything from current medications to noted allergic reactions—could make all the difference. Too often we've seen X-rays and MRI scans and file notes disappear somewhere between the GP, the specialist consulting rooms and the hospital wards, so why wouldn't we take steps to streamline the process and reduce the risk of critical information going missing? That is assuming, of course, that the information being fed into the database is accurate in the first place, but that is another matter altogether.

Finally, the scheme would be one unifying point in a maze of patient and consumer information currently floating in and out of government organisations and agencies, such as Medicare, the PBS and the donor registry. The point I make is this: the information is already out there. It is already being collected in one way or another. This scheme just serves to tie all those loose ends together and create a central database. All of the benefits listed above are predicated on the central database—a one-stop shop for all of your personal and private information. It is precisely that aspect of the scheme that does make many of us, including me, quite uneasy. Some of the concerns have been addressed by the amendments proposed in the bill—namely, the restriction on law enforcement agencies accessing our information without consent or a court order, and the system operator no longer being able to store our data for 30 years. Instead, the system operator must delete all records immediately after a person elects to opt out of the scheme. These are sensible amendments to the scheme that are in line with community expectations, and they have my support.

Let me be clear. Just because I support the bill in this House today does not mean that I do not share the concerns of my constituents. I have very real doubts about the government's ability to keep our data secure, and I have no doubt that there are groups out there who see the database as a veritable goldmine of valuable information. I appreciate that the Minister for Health has said that this scheme is protected by some of the most stringent privacy legislation in the world, and that may be true, but will laws really deter those who are determined to crack into the database? The government may scoff at these fears, but they are widely held in the community and not without good reason. Let's take a look at a few recent examples across the globe.

Earlier this year in Singapore, over 1.5 million records were accessed, and the names, addresses, gender and date of birth were all copied without the knowledge or consent of the patients. It was described by the Singaporean government as a deliberate, targeted and well-planned attack. In 2015, Anthem, a major health insurance provider in the US, was targeted, and the records of approximately 79 million Americans were exposed. The UK also had its own difficulties with a centralised electronic health record. Worryingly, the data breach occurred not by cybercriminals but by pharmaceutical and insurance companies, who purchased the data for their own commercial advantage. But let's set aside these sophisticated cyberattacks for one moment and focus on how just the day-to-day operations of the scheme are going to impact on Australian families. I'm genuinely concerned that, without proper safeguards in place, this scheme will put victims of family violence and their children at risk. I listened to some of the comments made by the member for Bruce.

We need to ensure that the various agencies—courts, police and government departments—are able to liaise with one another and share critical information in a timely manner. I understand that the Digital Health Agency has established a family safety program to work with these stakeholders and manage risks associated with the inadvertent disclosure of private information to perpetrators of family violence. But the suggestions put forward to manage the risk of harm are, in my view, deficient and compromise the utility of the child's My Health Record. Options put forward to manage the risk to victims of family violence include suspending their child's record or simply not creating one in the first place. I understand that the government is aware of these limitations and is consulting with stakeholders to ensure that these concerns are addressed, but it's really not good enough that the government's response to such a complex issue is simply to tell one parent to suspend the My Health Record of their child.

I also echo the concerns highlighted by the Law Council of Australia during their appearance at the Senate inquiry last night that the current definition of parental responsibility under the act actually exposes the scheme to misuse by perpetrators of family violence. Under the Family Law Act, there is a difference between an order for parental responsibility and an order which provides for a parent to spend time with the child. A parent can have an order for parental responsibility without being granted an order to spend time with the child. Notwithstanding that a judge has decided that, because of a history of family violence, it is not in the best interests of the child to spend time with the parent, the parent will still be able to access the child's health record. It is imperative that this scheme does not operate in a vacuum and that this act and, specifically, the definitions used around care arrangements are consistent with the principles and provisions of the Family Law Act. There are a number of very serious issues around privacy and security that we are yet to resolve.

There is no doubt that these issues require further scrutiny. In saying that, I hope the comments I've made during the course of my speech on this debate don't frighten others away from the scheme. There are many people out there who may genuinely benefit from My Health Record. The point is that it has to be an informed decision. Every person will need to think about their own personal circumstances and decide whether the risks outweigh the rewards. But for many Australians that won't happen, not because they choose for it not to, but because they simply aren't aware of the fact that a My Health Record has been created in their name. Under the government's opt-out system, it won't matter that you didn't know. It won't matter that, if you had known, you would have rejected the idea. It won't matter that you didn't realise the opt-out time frame had expired. All that matters is that your most personal and private information is being collected by the government and you did nothing to stop them.

I do have some sympathy for the government. I can't imagine that getting accurate information out into the community was an easy task, and so an opt-out scheme would no doubt significantly increase the number of people captured under the scheme, but the information being collected is the clearest example of private and personal information. When we are concerning ourselves with this sort of information, I think we need to make sure that those of us who are handing over our medical histories to the mercy of a government server are doing so with our eyes wide open. In conclusion, I offer my support to this bill, but it is qualified support. I want to make it clear that I will continue to speak with my Senate colleagues to determine what, if any, amendments should be made following the release of the committee report.

See this speech in context