The Australian government is currently releasing detailed medical records to police through a ‘secret regime’ that experts are condemning for violating fundamental privacy protections, according to a report from The Medical Republic.
The report states that the federal and state police force requests “large volumes” of data from both the Pharmaceutical Benefits Scheme and Medicare Benefits Schedule every year. However, unlike the My Health Record, no warrant or court order is required for the police to obtain this sensitive information. Instead, the department follows ‘internal guidelines’ to determine whether or not someone’s medical data will be released. Another report from The Guardian states that the Department of Human Services “has never made the guidelines public and has actively fought to keep them a secret.”
“The records can paint a detailed picture of a person’s medical history, including, for example, any history of mental health issues, HIV, abortion or sexually transmitted diseases,” writes Felicity Nelson.
Current reporting shows that the department facilitated 2,677 requests from police for PBS and MBS data in a twelve-month period from September 2017. Sensitive medical data, according to the department was released for a number of reasons, including “the identification of deceased persons.”
While the department is obligated to report to the Office of the Australian Information Commissioner each time it releases MBS and PBS data, annual records obtained by Medical Republic show that the department made just five disclosures of data handed to police between 2016-17 to the OAIC.
The Medical Republic, who broke the story recently won a 12-month freedom of information battle with the Department of Human Services to secure the release of heavily-redacted documents with lawyers and health privacy advocacy groups, who were, according to The Guardian “almost universally critical of the laxness of the privacy provisions in the guidelines, which have not been updated since 2003.”
Experts are calling for the outdated guidelines to be updated in a similar manner to the 2018 updates to the My Health Record legislation, which states that police cannot access health data without a court order.
The guidelines state that ‘the public interest’ has an extremely broad definition, referring to anything from national security, major crimes, the administration of criminal law or public safety. Professor of law at Bond University, Jonathon Crowe was critical of the vagueness of its definition, stating that the “broad and vague nature of the guidelines for releasing confidential medical data to police is highly concerning.”
“The definition of ‘public interest’ is particularly open-ended and leaves significant and unchecked discretion to department officials,” he added.
“If the road to hell is paved with good intentions, with this process the government has created a four-lane highway,” said barrister at Isaacs Chambers in Melbourne, Peter Clarke. “The process is the antithesis of proper privacy protections.”
A spokesperson for the department, Hank Jongen, said that the government did indeed take its privacy responsibilities “very seriously,” and it complied with legal requirements. Jongen added that Information listed on the MBS and PBS “may be significantly less detailed than the type of information found on a person’s MyHealthRecord.”
Malcolm Crompton, a former privacy commission of Australia and lead privacy adviser at Information Integrity Solutions said that “I would have thought the law relating to access MBS and PBS data should be updated to reflect the decision parliament on the My Health Record.”
Chair of ethics and medicolegal committee at the Australia Medical Association agreed, adding that the data privacy laws should be put to the “pub test” to see if they’re up to community standards.