My Health Privacy Changes 'Just A Few Band-Aids', More Needed

"It’s a bit of a joke," critics said.

The government's abrupt backdown on certain privacy issues around the My Health Record system is welcome but does not go far enough, according to critics who remain concerned about security of sensitive data.

Health minister Greg Hunt announced on Tuesday that protections would be strengthened around the disclosure of health information from the government database. The My Health Records Act 2012 allows system operators to legally disclose health information if "reasonably necessary" to prevent or investigate crimes, or for "the protection of public revenue" -- but the Australian Digital Health Agency said internal policies, which are superseded by legislation, would require a court order to pass on health info.

Almost six million Australians currently have a My Health Record, Hunt said, with the opt out period to be extended by another month to November 2018.

Hunt said the legislation "legislation will be strengthened to match the existing ADHA policy" to remove "ambiguity", which he said would mean no records would be released to police or government agencies without a court order.

Changes will also allow people to permanently delete their record, and the government will investigate further public awareness campaigns.

However, Hunt's announcement did not go into many issues and "many risks" raised by privacy and security advocates. The current My Health record is "opt out", not in as it was originally designed, meaning everyone will have a record created unless they cancel it.

Critics are also concerned about general issues of security after recent government tech bungles -- such as the 2016 Census, and Medicare numbers being sold on the dark web.

"It’s always fun when you're insulted for a few weeks then the government has to back down because you were correct," said Justin Warren, an IT consultant and Electronic Frontiers Australia board member, who has been among the leading critics of My Health.

"The changes don't go far enough. It is barely a beginning. It is just a few band-aids to save face."

Dr Bernard Robertson-Dunn, chair of the Australian Privacy Foundation's health committee, said he was concerned laws might be changed again.

"It’s a bit of a joke. For the minister to say he can tear up the legislation and replace it means he can do exactly the same again, or any future government can tear it up and replace it," he told ten daily.

"Your My Health Record is supposed to be there for life. Does anybody really believe this legislation wont change, and can we trust the government not to change it?"

Labor's shadow health minister Catherine King called the changes "completely inadequate" and said the government had "bungled" the roll out of the program.

"The legislation underpinning the My Health Record was designed for an opt-in system. The Government made the decision to shift to opt-out but was too incompetent to realise it needed to strengthen privacy and security provisions as a result," she said on Wednesday.

"Labor remains of the view the Government should suspend the My Health Record rollout until this mess can be cleaned up. That should include a comprehensive review of the underpinning legislation and a stocktake of all privacy and security measures."

Hunt said Tuesday's changes were developed in consultation with the Royal Australian College of General Practitioners -- whose president-elect said last week he was "very concerned regarding the privacy provisions" -- and the Australian Medical Association.

Warren said the government needed to now consult with the tech and privacy sector to address the remaining issues.

"The list [of issues] is extremely long and detailed. They haven't done the work. They should take this as an opportunity to stop. When you find yourself in a hole, stop digging," he told ten daily.

"They need to have a long hard look at multiple parts of the laws. The change from opt in to opt out requires fundamental changes to the system which they haven't done. I don't think anyone understands what that requires."

Robertson-Dunn said he wanted to see more detail on the proposed changes.

"We don't know what the legislation will be. It’s meaningless to say this will strengthen the protections," he said.