Senate debates

Thursday, 15 November 2018

Bills

My Health Records Amendment (Strengthening Privacy) Bill 2018; In Committee

9:31 am

Sue Lines (WA, Deputy-President)

The committee is considering the My Health Records Amendment (Strengthening Privacy) Bill 2018, as amended. The question is that Australian Greens amendments (1) and (2) on sheet 8565 be agreed to.

Richard Di Natale (Victoria, Australian Greens)

Regarding the amendments proposed on sheet 8565, I seek leave to withdraw amendment (2) and I intend to proceed with amendment (1). This is based on some advice that clarifies that the amendment will address the issue of 14- to 17-year-olds.

Leave granted.

9:32 am

Helen Polley (Tasmania, Australian Labor Party, Shadow Assistant Minister to the Leader (Tasmania))

Labor will support the amendment. The government concedes that parental access to My Health Records of people aged 14 to 17 is problematic. They have promised a review of this issue, basically saying, 'Trust us; we'll fix this later.' But, given the government's complete bungling of the opt-out period, Labor doesn't trust that assurance. The amendment moved by the Greens was proposed by the Royal Australian College of General Practitioners. The GPs say that it's important to move to ensure the trust of young patients, and Labor will support it. But this amendment addresses only one issue in the government's opt-out scheme.

Today we have seen alarming new reports that a range of health providers will be able to access Australians' most sensitive health information on My Health Record. This could include whether Australians are impotent or have a sexually transmitted disease or an alcohol or drug issue. Labor has been calling for a Privacy Commissioner review of the default access settings for weeks, but the government has stubbornly refused to act, just as they stubbornly refused to act on the opt-out period until yesterday. Now that the government has backflipped on the opt-out period, they should backflip on these concerns and order an urgent Privacy Commissioner review.

9:33 am

Jordon Steele-John (WA, Australian Greens)

When you go to the doctor, when you engage with a healthcare professional, and you are a young person, you have a right to privacy. You have a right to know that the things you discuss of a highly personal nature will be kept between the two of you. This trust that exists between patient and practitioner enables many private, sensitive issues to be discussed. The legislation as drafted wholly failed to protect young people in this regard and to enshrine our right to privacy. It would have enabled health records to be shared automatically with parents or guardians, placing young people at significant risk of information, such as that relating to the disclosure of abuse and to the requirement to access sexual health services, mental health services and reproductive health services, being shared. It would have put all of that at risk and enabled it to be shared with a parent or guardian. It was a travesty, and the youth sector rightly came together and demanded that something be done.

I support this amendment wholeheartedly. I am proud to be a member of the movement that has brought it into being here today. We must always ensure that the right of young people to privacy is protected; that, when our information is accessed, our active consent is first sought so that trust can be maintained; and that rights are preserved. Thank you very much.

The CHAIR: The question is that the amendment as amended by Senator Di Natale, (1) on sheet 8565, be agreed to.

Question agreed to.

9:36 am

Nigel Scullion (NT, Country Liberal Party, Minister for Indigenous Affairs)

I table a supplementary explanatory memorandum relating to the government amendments to be moved in this bill.

9:37 am

Helen Polley (Tasmania, Australian Labor Party, Shadow Assistant Minister to the Leader (Tasmania))

Chair, we welcome the fact that the government has followed Labor's lead on these amendments. When Labor initiated the Senate inquiry into the My Health Record, the health minister dismissed it as a stunt. But the inquiry demonstrated the need for these six amendments, and Labor proposed them more than a month ago. The government announced last week that it would back down and make these amendments to its own bill, but, as usual when it comes to My Health Record, the government has bungled these amendments. The government's proposed restrictions only apply to national system employees, a definition that excludes state public sector and local governments. And, despite the government saying that they would ban employers from requesting or requiring My Health Record information, these amendments don't actually do that. So we will be moving further changes to the government's amendments.

Can I clarify with the government that those amendments that you put with the memorandum of understanding relate to those six government amendments?

9:38 am

Nigel Scullion (NT, Country Liberal Party, Minister for Indigenous Affairs)

They do indeed, Senator. I'm sorry, it has been difficult through the process to actually put that. It was in front of me yesterday but we didn't have time. There should be a copy in front of you very shortly. They are indeed; they do relate exactly to the amendments on, I think, sheet 5840.

The CHAIR: Minister, if I may assist the process: you need to actually move the amendments.

I move those amendments. I think they relate—at least yesterday—to sheet 5840.

The CHAIR: No, I believe, Minister, what you're seeking to do is move amendments (1) to (8) on sheet EH276. We can go to other senators, if you want to seek clarification.

Certainly. I've actually been seeking the sheet number.

9:39 am

Stirling Griff (SA, Centre Alliance)

by leave—I move amendments (1) to (4) on revised sheet 8539 together:

(1) Schedule 1, item 6, page 4 (line 16), omit "or 69A".

(2) Schedule 1, item 7, page 4 (lines 20 and 21), omit the item.

(3) Schedule 1, item 12, page 5 (line 9) to page 8 (line 19), to be opposed.

(4) Schedule 1, item 16, page 8 (line 32) to page 9 (line 3), omit all the words from and including "sufficient certainty" to the end of subsection 70(3A), substitute "sufficient certainty to initiate consideration of the matter or concerns".

Helen Polley (Tasmania, Australian Labor Party, Shadow Assistant Minister to the Leader (Tasmania))

The government has bungled the opt-out period badly and lost the trust and confidence of the Australian people in My Health Record. This Centre Alliance amendment is an effort to restore that trust and confidence by limiting the use of the record to health purposes. However, Labor accepts that in very limited circumstances access to My Health Records may be needed by law enforcement or other government agencies. Labor is also satisfied that the government's changes, which require a court order for that access to occur, are appropriate protections, so Labor will not be supporting this amendment.

The CHAIR: The question is that the amendments, as moved by Senator Griff, on sheet 8539 be agreed to.

Question negatived.

9:40 am

Nigel Scullion (NT, Country Liberal Party, Minister for Indigenous Affairs)

by leave—I move government amendments (1) to (8) on sheet EH276 together:

(1) Clause 2, page 2 (table), omit the table (including the note), substitute:

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Schedule 1, page 3 (before line 4), before item 1, insert:

1AA Section 3

  After "national", insert "public".

1AB Section 4

  After "system is a", insert "national public".

(3) Schedule 1, page 3 (after line 5), after item 1, insert:

1A Section 5

  Insert:

  national system employer has the same meaning as in the Fair Work Act 2009, disregarding sections 30D and 30N of that Act.

  prohibited purpose has the meaning given by section 70A.

1B After subsection 6(1)

  Insert:

  (1A) Despite subsection (1), a person who has parental responsibility for a healthcare recipient aged under 18 is not the authorised representative of the healthcare recipient if the System Operator is satisfied that:

  (a) under a court order or a law of the Commonwealth or a State or Territory, the person must be supervised while spending time with the healthcare recipient; or

  (b) the life, health or safety of the healthcare recipient or another person would be put at risk if the person were the authorised representative of the healthcare recipient.

1C Subsection 6(2)

  After "If there is no person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 18,", insert "or the only such persons are covered by subsection (1A),".

1D At the end of subsection 7(2)

  Add:

Note: Despite this subsection, a nominated representative must not use information for a prohibited purpose within the meaning of section 70A (even though a healthcare recipient may do so): see subsections 59A(2), 70B(2), 71A(4) and 71B(3).

1E After section 15

  Insert:

16 Research or public health purposes

     The System Operator's function under paragraph 15(ma) does not include providing de-identified data to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer.

(4) Schedule 1, item 6, page 4 (after line 19), after subsection 17(4), insert:

  (5) To avoid doubt, if the System Operator is required under subsection (3) to destroy a record that includes health information, the System Operator must also destroy the following:

  (a) any copy of the record;

  (b) any previous version of the record;

(c) any back-up version of the record.

(5) Schedule 1, page 4 (after line 19), after item 6, insert:

6A Subsection 59(3) (penalty)

  Repeal the penalty, substitute:

Penalty:   Imprisonment for 5 years or 300 penalty units, or both.

6B Subsection 59(4) (penalty)

  Repeal the penalty, substitute:

Civil penalty:   1,500 penalty units.

6C After section 59

  Insert:

59A Unauthorised use of information included in a healthcare recipient's My Health Record for prohibited purpose

  (1) A person must not use health information included in a healthcare recipient's My Health Record for a prohibited purpose, if the person obtained the information by using or gaining access to the My Health Record system.

Note: For prohibited purpose, see section 70A.

Civil penalty:   1,500 penalty units.

  (2) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

6D Subsection 60(3) (penalty)

  Repeal the penalty, substitute:

Penalty:   Imprisonment for 5 years or 300 penalty units, or both.

6E Subsection 60(4) (penalty)

  Repeal the penalty, substitute:

Civil penalty:   1,500 penalty units.

(6) Schedule 1, page 9 (after line 3), after item 16, insert:

16A At the end of Division 2 of Part 4

  Add:

Subdivision C—Unauthorised use of information included in a healthcare recipient's My Health Record for prohibited purpose

70A Definition of prohibited purpose

  (1) Information included in a healthcare recipient's My Health Record is used for a prohibited purpose if the person who uses the information does so for any one or more of the following purposes:

  (a) the purpose of:

     (i) underwriting a contract of insurance that covers the healthcare recipient; or

     (ii) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or

     (iii) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or

     (iv) a national system employer employing, or continuing or ceasing to employ, the healthcare recipient;

(b) a purpose prescribed by the regulations.

  (2) If the person uses information for purposes that include, or for a purpose that includes, a purpose mentioned in subsection (1), the person is taken to be using the information for a prohibited purpose.

  (3) To avoid doubt, use of information is not for a prohibited purpose if the use is solely for:

  (a) the purpose of providing healthcare to the healthcare recipient; or

  (b) purposes relating to the provision of indemnity cover for a healthcare provider.

  (4) If a fault element applies to an element of an offence or civil penalty provision involving a prohibited purpose within the meaning of subparagraph (1)(a)(iv), absolute liability applies to the element that the employer is a national system employer.

  (5) References in paragraph (1)(a) to insurance do not include State insurance that does not extend beyond the limits of the State concerned.

70B Use for prohibited purpose is unauthorised

  (1) Despite Subdivisions A and B, a person is not authorised under this Division to use health information included in a registered healthcare recipient's My Health Record for a prohibited purpose.

  (2) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

16B After Division 3 of Part 4

  Insert:

Division 3A—Offences and penalties in relation to use of My Health Record-derived information for prohibited purpose

71A Offence for use of My Health Record-derived information for prohibited purpose

  (1) A person commits an offence if:

  (a) the person uses information; and

  (b) the person does so for a prohibited purpose, and the person knows or is reckless as to that fact; and

(c) the information is health information; and

  (d) the information is or was included in a healthcare recipient's My Health Record; and

(e) the person is not the healthcare recipient.

Penalty:   Imprisonment for 5 years or 300 penalty units, or both.

  (2) Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.

Note: A defendant bears an evidential burden in relation to the matter in subsection (2): see subsection 13.3(3) of the Criminal Code.

  (3) Strict liability applies to paragraphs (1)(d) and (e).

Note: For strict liability, see section 6.1 of the Criminal Code.

  (4) Despite paragraph (1)(e) and subsection 7(2), subsection (1) of this section applies to a person who is the nominated representative of the healthcare recipient.

71B Civil penalty for use of My Health Record-derived information for prohibited purpose

  (1) A person must not use health information that is or was included in a healthcare recipient's My Health Record for a prohibited purpose.

Civil penalty:   1,500 penalty units.

  (2) Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.

Note: A person bears an evidential burden in relation to the matter in subsection (2): see section 96 of the Regulatory Powers (Standard Provisions) Act 2014.

  (3) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

16C Subsection 75(2) (penalty)

  Repeal the penalty, substitute:

Civil penalty:   1,500 penalty units.

16D Section 76 (penalty)

  Repeal the penalty, substitute:

Civil penalty:   1,500 penalty units.

16E Subsection 77(2A) (penalty)

  Repeal the penalty, substitute:

Penalty:   Imprisonment for 5 years or 300 penalty units, or both.

16F Subsection 77(2B) (penalty)

  Repeal the penalty, substitute:

Civil penalty:   1,500 penalty units.

16G After subsection 97(2)

  Insert:

  (2A) However, the System Operator is not required to give notice of the decision to a person if the System Operator is satisfied that doing so would put at risk the life, health or safety of a person.

16H Paragraph 98(1)(b)

  Omit "Medicare;", substitute "Medicare.".

16J Paragraph 98(1)(c)

  Repeal the paragraph.

16K Subsection 105(3)

  After "disclosure of" (wherever occurring), insert "de-identified data or".

16L After paragraph 105(3)(b)

  Insert:

  (ba) in connection with insurance, other than State insurance that does not extend beyond the limits of the State concerned; or

16M Subsection 105(4)

  After "disclosure of", insert "de-identified data or".

(7) Schedule 1, item 17, page 9 (after line 12), at the end of the item, add:

  (3) The amendments made by items 6C, 16A and 16B of this Schedule apply in relation to the use of information after this Schedule commences, regardless of whether the information was collected before or after that commencement.

(8) Page 9 (after line 12), at the end of the Bill, add:

Schedule 2—Amendments commencing on Proclamation

My Health Records Act 2012

1 Section 5

  Insert:

  data custodian means the Australian Institute of Health and Welfare.

2 Paragraph 15(ma)

  Repeal the paragraph, substitute:

  (ma) in accordance with the guidance and direction of the Board established under section 82, to prepare and provide de-identified data, and, with the consent of the healthcare recipient, health information, for research or public health purposes;

3 Section 16

  After "de-identified data", insert "or health information".

4 Part 5 (heading)

  After "Other", insert "offences and".

5 After section 77

  Insert:

77A Enforceable requirements in My Health Records Rules must not be contravened: offence

  (1) An entity commits an offence if:

  (a) the entity does an act or omits to do an act; and

  (b) the result is that the entity contravenes a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A) and the entity is reckless as to that result; and

(c) the My Health Records Rules provide that the requirement is enforceable for the purposes of this paragraph; and

  (d) the entity is not the System Operator, the Data Governance Board established by section 82 or the data custodian.

Penalty:   100 penalty units.

  (2) Strict liability applies to paragraphs (1)(c) and (d).

Note: For strict liability, see section 6.1 of the Criminal Code.

6 Section 78 (at the end of the heading)

  Add ": civil penalty".

7 Section 78

  Before "A person", insert "(1)".

8 At the end of section 78

  Add:

  (2) An entity (other than the System Operator, the Data Governance Board established by section 82 or the data custodian) must not contravene a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A), if the My Health Records Rules provide that the requirement is enforceable for the purposes of this subsection.

Civil penalty:   100 penalty units.

9 After Part 6

  Insert:

Part 7—Data Governance Board

Division 1—Establishment and functions

82 Data Governance Board

     The Data Governance Board is established by this section.

83 Functions of the Board

  (1) The functions of the Data Governance Board are:

  (a) to oversee the operation of the framework prescribed by My Health Records Rules made for the purposes of subsection 109(7A), including by:

     (i) assessing applications for the collection, use or disclosure of de-identified data and health information for research or public health purposes; and

     (ii) guiding and directing the System Operator in the performance of its function under paragraph 15(ma) (preparing and providing de-identified data and health information); and

     (iii) taking steps to ensure the ongoing protection of de-identified data and health information used by, or disclosed to, persons for research or public health purposes and that the data and information is being used and disclosed only for those purposes; and

(b) any other functions conferred on the Board by this Act or the My Health Records Rules.

  (2) The Board does not have any functions, and must not perform any role, in relation to the day-to-day operation of the My Health Record system.

Division 2—Membership

84 Membership

     The Data Governance Board consists of the following members:

  (a) the Chair of the Data Governance Board;

  (b) the Deputy Chair of the Data Governance Board;

(c) at least 7, and no more than 10, other members.

85 Appointment of members

  (1) Members are to be appointed by the Minister by written instrument, on a part-time basis.

  (2) The Minister must appoint one member to be the Chair and another member to be the Deputy Chair.

86 Qualifications and experience

  (1) The Minister must appoint the following as members:

  (a) a person who represents the System Operator;

  (b) a person who represents the data custodian;

(c) a person who is an Aboriginal person or a Torres Strait Islander.

  (2) A person (including a person appointed in accordance with subsection (1)) is not eligible for appointment as a member of the Data Governance Board unless the person has skills or experience in, or knowledge of, one or more of the following fields:

  (a) population health and epidemiology;

  (b) medical or health research;

(c) health services delivery;

  (d) technology;

(e) data science;

  (f) data governance;

(g) privacy;

  (h) consumer advocacy.

87 Acting appointments

  (1) The Minister may, by written instrument, appoint a person to act as the Chair:

  (a) during a vacancy in the office of Chair (whether or not an appointment has previously been made to the office); or

  (b) during any period, or during all periods, when the Chair:

     (i) is absent from duty or from Australia; or

     (ii) is, for any reason, unable to perform the duties of the office.

Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

  (2) The Minister may, by written instrument, appoint a person to act as the Deputy Chair:

  (a) during a vacancy in the office of Deputy Chair (whether or not an appointment has previously been made to the office); or

  (b) during any period, or during all periods, when the Deputy Chair:

     (i) is absent from duty or from Australia; or

     (ii) is, for any reason, unable to perform the duties of the office.

Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

88 Term of appointment and other terms and conditions

  (1) A member of the Data Governance Board holds office for the period specified in the instrument of appointment. The period must not exceed 5 years.

  (2) A member of the Data Governance Board holds office on the terms and conditions (if any) in relation to matters not covered by this Part that are determined by the Minister.

89 Remuneration

  (1) A member of the Data Governance Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the member is to be paid the remuneration that is prescribed by an instrument made under subsection (4).

  (2) A member is to be paid the allowances that are prescribed by an instrument made under subsection (4).

  (3) This section has effect subject to the Remuneration Tribunal Act 1973.

  (4) The Minister may, by legislative instrument, prescribe:

  (a) remuneration for the purposes of subsection (1); and

  (b) allowances for the purposes of subsection (2).

90 Resignation

  (1) A member of the Data Governance Board may resign the member's appointment by giving the Minister a written resignation.

  (2) The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.

91 Termination of appointment

  (1) The Minister may terminate the appointment of a member of the Data Governance Board:

  (a) for misbehaviour; or

  (b) if the member is unable to perform the duties of the member's office because of physical or mental incapacity.

  (2) The Minister may terminate the appointment of a member of the Data Governance Board if:

  (a) the member:

     (i) becomes bankrupt; or

     (ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

     (iii) compounds with the member's creditors; or

     (iv) makes an assignment of the member's remuneration for the benefit of the member's creditors; or

(b) the member is absent, except on leave of absence, from 3 consecutive meetings of the Board; or

  (c) the member engages in paid work (within the meaning of section 93) that, in the Minister's opinion, conflicts or could conflict with the proper performance of the member's duties (see section 93); or

(d) the member fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section.

92 Leave of absence

     The Minister may grant leave of absence to any member of the Data Governance Board on the terms and conditions that the Minister determines.

93 Other paid work

  (1) A member of the Data Governance Board must not engage in any paid work that, in the Minister's opinion, conflicts or could conflict with the proper performance of the member's duties.

  (2) In subsection (1):

  paid work means work for financial gain or reward (whether as an employee, a self-employed person or otherwise).

Division 3—Meetings of the Data Governance Board

94 Convening meetings

  (1) The Data Governance Board must hold such meetings as are necessary for the efficient performance of its functions.

  (2) The Chair of the Data Governance Board:

  (a) may convene a meeting at any time; and

  (b) must convene a meeting within 30 days after receiving a written request to do so from another member of the Board.

95 Presiding at meetings

  (1) The Chair of the Data Governance Board must preside at all meetings at which the Chair is present.

  (2) If the Chair is not present at a meeting at which the Deputy Chair is present, the Deputy Chair must preside.

  (3) If neither the Chair nor the Deputy Chair is present at a meeting, the other members present must appoint one of themselves to preside.

96 Quorum

  (1) At a meeting of the Data Governance Board, a quorum is constituted by a majority of members of the Board.

  (2) However, if:

  (a) a member of the Board is required by rules made for the purposes of section 29 of the Public Governance, Performance and Accountability Act 2013 not to be present during the deliberations, or to take part in any decision, of the Board with respect to a particular matter; and

  (b) when the member leaves the meeting concerned there is no longer a quorum present;

the remaining members at the meeting constitute a quorum for the purpose of any deliberation or decision at that meeting with respect to that matter.

96A Voting at meetings

  (1) A question arising at a meeting of the Data Governance Board is to be determined by a majority of the votes of the members of the Board present and voting.

  (2) The person presiding at a meeting of the Board has a deliberative vote and, if the votes are equal, a casting vote.

96B Conduct of meetings

     The Data Governance Board may, subject to this Division, regulate proceedings at its meetings as it considers appropriate.

Note: Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.

96C Minutes

     The Data Governance Board must keep minutes of its meetings.

96D Decisions without meetings

  (1) The Data Governance Board is taken to have made a decision at a meeting if:

  (a) without meeting, a majority of the members of the Board entitled to vote on the proposed decision indicate agreement with the decision; and

  (b) that agreement is indicated in accordance with the method determined by the Board under subsection (2); and

  (c) all the members were informed of the proposed decision, or reasonable efforts were made to inform all the members of the proposed decision.

  (2) Subsection (1) applies only if the Board:

  (a) has determined that it may make decisions of that kind without meeting; and

  (b) has determined the method by which members are to indicate agreement with proposed decisions.

  (3) For the purposes of paragraph (1)(a), a member is not entitled to vote on a proposed decision if the member would not have been entitled to vote on that proposal if the matter had been considered at a meeting of the Board.

  (4) The Board must keep a record of decisions made in accordance with this section.

Note: Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.

Division 4—Other matters relating to the Data Governance Board

96E Relationship between System Operator and Data Governance Board in relation to data for research or public health purposes

  (1) In performing the function mentioned in paragraph 15(ma), the System Operator must comply with a direction from, and follow the guidance of, the Data Governance Board.

  (2) If rules made for the purposes of subsection 109(7A) require the Data Governance Board to take steps to ensure that de-identified data and health information disclosed to persons for research or public health purposes is being used only for those purposes, the System Operator must not take any steps of its own to ensure that the data and information is being used only for those purposes.

  (3) Subsection (2) does not imply that the System Operator has a duty to take steps in relation to use of data and information at a time when there are no rules of the kind mentioned in subsection (2).

96F Board committees

  (1) The Data Governance Board may establish a committee or committees to assist in carrying out the functions of the Board.

  (2) The Board may dissolve a committee at any time.

  (3) The functions of a committee are as determined by the Board.

  (4) In performing its functions, a committee must comply with any directions given to the committee by the Board.

  (5) A question arising at a meeting of a committee is to be determined by a majority of the votes of committee members present.

  (6) A committee must inform the other members of the Board of its decisions.

  (7) A committee may regulate proceedings at its meetings as it considers appropriate.

  (8) A committee must ensure that minutes of its meetings are kept.

96G Delegation of functions

  (1) If the Secretary of the Department consents to the Data Governance Board delegating functions to APS employees in the Department, the Board may delegate any or all of its functions to such an APS employee.

Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

  (2) If the chief executive officer (however described) of the data custodian consents to the Board delegating functions to members of the staff mentioned in subsection 19(1) of the Australian Institute of Health and Welfare Act 1987, the Board may delegate all or any of its functions to such a member of staff.

Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

  (3) In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Board.

  (4) The delegation continues in force despite a change in the membership of the Board.

  (5) The delegation may be varied or revoked by the Board (whether or not there has been a change in the membership of the Board).

96H Annual report

  (1) As soon as practicable after the end of each financial year, the Data Governance Board must prepare and give a report to the Minister, for presentation to the Parliament, on the Board's activities during the financial year.

Note: See also section 34C of the Acts Interpretation Act 1901, which contains extra rules about annual reports.

  (2) A report on the Department's activities given under section 46 of the Public Governance, Performance and Accountability Act 2013 does not need to include a report on the activities of the Board.

96J Board is part of the Department

     For the purposes of paragraph (a) of the definition of Department of State in section 8 of the Public Governance, Performance and Accountability Act 2013, the Data Governance Board is prescribed in relation to the Department.

10 Subsection 105(2)

  After "System Operator", insert ", Data Governance Board and data custodian".

11 After paragraph 105(6)(a)

  Insert:

  (aa) the Data Governance Board;

  (ab) the data custodian;

12 Subsection 109(7A)

  Repeal the subsection, substitute:

My Health Records Rules may relate to research or public health purposes

  (7A) The My Health Records Rules may, in accordance with section 109A, prescribe a framework to guide the collection, use and disclosure of de-identified data and, with the consent of healthcare recipients, health information, for research or public health purposes.

13 Subsection 109(9)

  Omit "the My Health Records Rules", substitute "My Health Records Rules made for purposes other than subsection (7A)".

14 After section 109

  Insert:

109A My Health Records Rules relating to data for research or public health purposes

Examples of what the rules may do

  (1) Without limiting subsection 109(7A), My Health Records Rules made for the purposes of that subsection (the rules) may do any or all of the following:

  (a) impose requirements on the System Operator, the Data Governance Board established by section 82, the data custodian and other entities, including procedures that must be followed, in relation to preparing, providing, collecting, accessing, using and disclosing health information and de-identified data;

  (b) provide that any or all such requirements are enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2);

  (c) make provision in relation to the performance of the Board's functions set out in paragraph 83(1)(a);

  (d) authorise the Board to make written policies and guidelines to be followed by other entities for the purposes of giving effect to the prescribed framework.

Functions of data custodian

  (2) The data custodian has the following functions, and the rules may make provision in relation to the performance of those functions:

  (a) under the direction of the Data Governance Board and in accordance with this Act—helping to implement the prescribed framework by:

     (i) receiving de-identified data and health information from the My Health Record system; and

     (ii) as necessary—de-identifying health information; and

     (iii) as necessary—providing data linkage services (within the meaning of the rules); and

     (iv) preparing and providing de-identified data and health information to users of data and information whose use has been approved by the Data Governance Board; and

     (v) ensuring that users of de-identified data and health information are subject to conditions of use;

  (b) any other functions conferred on the data custodian by this Act or the rules.

Limits on rules

  (3) The rules:

  (a) must not allow the health information of a healthcare recipient to be collected, used or disclosed otherwise than with the consent of the healthcare recipient; and

  (b) must not allow de-identified data or health information to be provided to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer (with or without the consent of the healthcare recipient); and

  (c) must not provide that any of the following is enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2):

     (i) a provision of a policy, guideline or other instrument made under the rules;

     (ii) a provision of the rules that requires an entity to comply with such a policy, guideline or instrument.

Constitutional limits on rules

  (4) If the rules make provision for the disclosure of de-identified data or health information obtained by using or gaining access to the My Health Record system, the rules must have the effect that the data or information is to be disclosed only:

  (a) by means of a postal, telegraphic, telephonic or other like service; or

  (b) by or to a corporation to which paragraph 51(xx) of the Constitution applies; or

  (c) by or to a person within a Territory or a place acquired by the Commonwealth for a public purpose; or

  (d) by or to the Commonwealth or an authority of the Commonwealth.

  (5) The rules may make other provision in relation to de-identified data or health information only:

  (a) to ensure that collection, use and disclosure of data or information does not result in an interference with privacy of the kind the Commonwealth has international obligations to protect against, including under the International Covenant on Civil and Political Rights (in particular Article 17 of the Covenant); or

Note: The text of the Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2018, a text of a Covenant in the Australian Treaties Series was accessible through the Australian Treaties Library on the AustLII website (http://www.austlii.edu.au).

  (b) for purposes related to collecting, preparing, analysing or publishing statistics; or

  (c) by providing for data or information to be collected from or by, used by or disclosed by or to, any of the following:

     (i) a corporation to which paragraph 51(xx) of the Constitution applies;

     (ii) a person within a Territory or a place acquired by the Commonwealth for a public purpose;

     (iii) the Commonwealth or an authority of the Commonwealth.

9:41 am

Helen Polley (Tasmania, Australian Labor Party, Shadow Assistant Minister to the Leader (Tasmania))

I've made comments previously on the government's amendments, and I now move our amendments relating to those.

The CHAIR: Which amendments are these? Senator Bernardi.

Cory Bernardi (SA, Australian Conservatives)

I was just seeking the call after the amendments had been moved by the government. I wonder whether they'd be in a position to explain what these amendments actually do.

The CHAIR: Yes, we're just in the process of Senator Polley moving amendments, so I think we might deal with that.

I was seeking the call before because the government had moved amendments and I wanted to know, from the minister, what the amendments actually were.

The CHAIR: Yes, and we'll come back to that. We're just in the process of doing that. I will get Senator Polley to finish what she started, and then we'll see if the government wants to respond to the question you've just asked.

Helen Polley (Tasmania, Australian Labor Party, Shadow Assistant Minister to the Leader (Tasmania))

I move amendments on sheet 8574, circulated in my name:

(1) Amendment (3), item 1A, omit the definition of national system employer.

(2) Amendment (6), item 16A, subparagraph 70A(1)(a)(iv), omit "a national system employer", substitute "an employer".

(3) Amendment (6), item 16A, omit subsection 70A(4).

(4) Amendment (6), item 16A, at the end of section 70A, add:

  (6) For the purposes of this section, using information for a purpose includes requesting or requiring the information for that purpose.

(5) Amendment (6), item 16B, before section 71A, insert:

71AA Definitions

     In this Division:

  My Health Record of a healthcare recipient includes a My Health Record of the healthcare recipient that has been cancelled or suspended.

  use information for a purpose includes request or require the information for that purpose.

The CHAIR: Senator Bernardi, would you like to put your question now?

9:42 am

Cory Bernardi (SA, Australian Conservatives)

My question simply was: when the original amendments were moved—

The CHAIR: Are these the ones on sheet EH276?

That's the point: I don't know, because I don't have it in front of me. I'm interested in asking the minister, who has moved some amendments, for a brief explanation of what the amendments actually do. Then I will ask the same question of Senator Polley—what her amendments actually do to the government's amendments. This is in the interest of clarification, because I don't have the complete information in front of me.

Nigel Scullion (NT, Country Liberal Party, Minister for Indigenous Affairs)

I thank Senator Bernardi for the invitation to make a contribution on these amendments. There are two amendments. The first is to remove the ability of the system operator—that's actually the Australian Digital Health Agency—to disclose information to law enforcement agencies and other government bodies without a court order or the consumer's express consent. This is actually consistent with the Australian Digital Health Agency's current policy position, which has remained unchanged and has resulted in no My Health Records being disclosed under such circumstances. We did deal, a moment ago, with the Centre Alliance amendment. Whilst it wasn't supported, they intended to delete the new sections 69A and 69B, which deal with very narrow confines under which a court order can be made.

The second element of those amendments is going to require the Australian Digital Health Agency to permanently delete health information it holds for any consumer who has cancelled their My Health Record. This makes it clear that, if a person chooses to cancel at any time, their record will be deleted completely and forever. The new amendments are as follows. Particular concerns have been raised regarding the potential for domestic violence to occur. As a result of that, for example, a parent may be able to access a child's My Health Record and get access to information on where the mum has moved to with the child. The government recognise that this is a serious matter, so we've put in a range of safeguards. There are a series of safeguards already in place in the system. These amendments will apply if a person has parental responsibility or if a person's access to the child is subject to supervision. This isn't intended if the court decides that you have access to 60:40 periods of time. It's only when there are particular supervision circumstances, so they only get access to the child in supervised circumstances. This would be taken into consideration. It also applies if the Australian Digital Health Agency considers that they may pose a risk, so there may be other circumstances where access to this information may pose a risk. This is ensuring that that person can't get access to the child's My Health Record.

The amendments will also provide greater clarity that My Health Records cannot be used for insurance or employment purposes. We've had a lot of discussion about that. This just provides some clarification. It will prohibit an employer from requesting or using health information in an individual's My Health Record, protecting employees and potential employees from any discriminatory use or use of their My Health Record. Information can be obtained from a My Health Record by healthcare providers and individuals. These amendments will also ensure that information derived from the My Health Record system cannot be used for insurance or employment purposes, regardless of where it is being viewed or stored. This will be one of the prohibited uses. This prohibition will apply to any activity for insurance or employment purposes, regardless of whether it is considered to be for the purposes of providing health care. For example, a healthcare provider undertaking a health assessment of an individual for employment purposes, which sometimes happens, would be expressly prohibited from using the individual's My Health Record or from using information that has been derived from that.

Through these amendments we'll also be increasing the maximum penalty levels for breaches of key privacy protections. This was an expressed recommendation of the Senate Community Affairs Legislation Committee. The maximum penalty level is just under double: in broad terms, I think for a corporation it is up to $1.5 million and five years imprisonment and for an individual it is $315,000. In any event, we have reflected the recommendations of the Senate inquiry. These penalty levels are now the maximum penalty levels for breaches of key privacy protections. They will be associated with any misuse of a person's health information obtained by unauthorised access to the My Health Record system or taking My Health Record information outside of Australia. Effectively, for example, if you downloaded something, printed a hard copy, took it outside of Australia and sold it outside of Australia, you wouldn't be subject to Australia's laws in that regard, so that prohibition about taking information outside of Australia ensures that you cannot take those My Health Records out of Australia. But if you were in London, for example, and went to a doctor or practitioner, you could still get access to the benefits of your My Health Record.

This will result in much stronger penalties for persons who collect, use or disclose health information if they are not authorised to do so. An individual who knowingly misuses a person's health information contained in their My Health Record will now face up to five years in jail and a maximum penalty of $315,000. Without going into too much detail, secondary use—if you tell someone something and they use it—is exactly the same; there is not a diminished penalty. The penalty remains at the maximum for the secondary person who obtains information from a prohibited act; they are subject to the same penalties. These increases in penalties acknowledge that as the system grows it will contain a larger volume of health information that needs to have the appropriate level of security. We think these safeguards are appropriate. The amendments also make clear that if a person chooses to cancel their My Health Record at any time it will be deleted permanently, including any backups, saved copies or the like.

In May this year the minister released the framework for the secondary use of the My Health system data, and now these amendments, as I indicated earlier, provide a legislative basis to support another tier of the appropriate use of My Health data for research and public health purposes. The amendments also remove the ability of the Australian Digital Health Agency to provide identified or de-identified information to the private health insurers and other types of insurers for research or for public health purposes. For the purposes of clarity: we're removing the ability that currently exists in de-identified form, to ensure that any of the data cannot be provided to insurers for research and public health purposes. They'll also provide that the minister's rule-making power will include the ability to specify requirements that apply to entities handling information for research and public health purposes, and set out processes for seeking to use or deciding to disclose this de-identified information. The amendments will also remove the ability of the Australian Digital Health Agency to delegate its functions and powers to an entity other than the Department of Health and the chief executive, Medicare. Such functions are delegated as appropriate to ensure the effective management of the system.

Finally, the government remains committed to the My Health Record system being government owned and operated. There was some talk about what would happen if we sold it. Are these same processes going to be in place? We are committed to this being government owned and operated as a national health asset, and the legislation clearly and unequivocally reflects this position. As a package, these amendments comprehensively address the concerns that have been raised by the public and in the Senate inquiries, and enhance the safety and privacy protections in the My Health Record system. The My Health Record system will provide significant health and economic benefits for all Australians through avoided hospital admissions, fewer adverse drug events, reduced duplication of tests, better coordination of care for people seeing multiple healthcare providers and better informed treatment decisions. We're committed to this system because it is changing health care in Australia for the better, and we're equally committed to the privacy of the individual's health information. These measures strengthen the privacy protections and demonstrate this commitment.

I thank all senators who have made a significant contribution through the Senate inquiry and through this process. I commend the amendments to the house.

9:53 am

Cory Bernardi (SA, Australian Conservatives)

I understand Senator Polley has some amendments, and I would be interested in a brief explanation of how they alter this. Minister, if I could have your attention for a second, could the government indicate whether they are generally supportive of Senator Polley's amendments to your amendments? That would be of assistance too.

Nigel Scullion (NT, Country Liberal Party, Minister for Indigenous Affairs)

Without verballing Senator Polley, my understanding is that we're agreeing to a minor wording amendment. We think it improves our amendment. I think we're about to move to that amendment now. But the amendment in substance is just a stronger wording of the same amendment.

Helen Polley (Tasmania, Australian Labor Party, Shadow Assistant Minister to the Leader (Tasmania))

To assist Senator Bernardi: from the outset this government has bungled the process. The amendments that have just been moved by the government were in fact ones that we have been pushing hard on. But, even though they have attempted to pick up our concerns, as usual they have continued to bungle the process. The government's proposed restrictions only apply to national system employers, a definition that excludes state public sectors and local governments. Despite the government saying that they would ban employees from requesting or requiring My Health information, these amendments don't actually do that. That's why we have moved in our amendments a further amendment to strengthen the concerns that we have and why I moved that we take sheet 8574, circulated in my name. We do appreciate the fact that the government has finally got on board in supporting our amendments and proposing the ones that they did and that, at the end of the day, they've followed the lead of Labor on this very important initiative.

9:54 am

Nigel Scullion (NT, Country Liberal Party, Minister for Indigenous Affairs)

As I indicated earlier, we'll be supporting the opposition's amendments. We think they're actually omitting the definition of the national system employer, and they simplify and clarify the language, which is consistent with the government's policy intent.

The CHAIR: The question is that opposition amendments (1) to (5) on sheet 8574, which are amendments to the government amendments on sheet EH276, be agreed to.

Question agreed to.

The CHAIR: The question now is that government amendments (1) to (8) on sheet EH276, as amended, be agreed to.

Question agreed to.

Bill, as amended, agreed to.

Bill reported with amendments; report adopted.