The Australian Medical Association has sounded the alarm over the federal government’s flagship new data-sharing scheme, warning there are no minimum privacy protections and that private health information could be shared with insurance firms.
The government introduced the Data Availability and Transparency Act to Parliament in December last year, after nearly three years of development and consultation. The legislation facilitates a significant expansion of the sharing of public sector data between agencies and private organisations, sometimes without consent.
It will provide a “new path” for the sharing of this data that is currently blocked by secrecy provisions or other laws and will see far more identified data be shared among agencies and departments, and for de-identified data be shared with universities and think tanks, among other organisations.
There will be no opt-out options from the data-sharing scheme for individuals, and consent will be required unless it is “unreasonable or impracticable to obtain”.
The legislation was quickly referred to a Senate committee for an inquiry, which is expected to table its report by the end of April.
In a submission to the inquiry, the Australian Medical Association (AMA) said it is “impossible to overstate” how concerned it is about the new laws.
The organisation’s primary concern is that the bill does not include minimum privacy protections, with agencies allowed to determine their own privacy settings for sharing data. The legislation merely requires agencies to be satisfied that the sharing principles are being applied in a way that “risks associated with the sharing are appropriately mitigated”.
These principles are also “inherently subjective”, the AMA said.
“This means that, unless an agency had no regard to the data sharing principles or failed to comply with other procedural requirements, it would be difficult to ‘second guess’ their decision,” the AMA submission said.
“This leaves the public with little comfort that they will have redress – or that the officials and agency will be penalised – if decisions are made recklessly or negligently.”
There is also no power for the Data Commissioner to have to approve of the sharing of data before it happens, or to require changes to this plan.
The AMA called on the government to make amendments requiring all of the data principles be satisfied before any data is shared, for decisions to share data to be subject to review by the Administrative Appeals Tribunal and for the Commissioner to have more powers to intervene.
The medical body raised concern that the new powers will see healthcare information, such as from the MBS and PBS, being shared with private health funds for “their own purposes”, which is currently prohibited by law.
“It makes no sense to preclude My Health Record data from the data sharing scheme, but then permit the same MBS / PBS data to be directly shared with private health insurers. This is not consistent with the public’s expectations and has the potential to undermine the community-rated private health insurance system,” the submission said.
The data-sharing scheme only requires consent to be obtained from individuals “unless it is unreasonable or impracticable to seek their consent”, and this could lead to very personal information being shared without consent, the AMA said.
“It is entirely foreseeable that this exception will be used to justify the disclosure of MBS and PBS datasets of identified or identifiable sensitive health information without patient consent,” it said.
The bill allows agencies and departments to undertake the de-identification of personal data in-house, with them only having to “consider” the use of accredited data service providers.
“The well-publicised privacy breaches involving Medicare provider numbers and Myki travel information demonstrate well-intentioned officers may not be trained to appropriately anonymise personal information,” the AMA said.
The medical body said the de-identification of any data should be outsourced by default, and any decision not to do this should be subject to AAT review.
The scheme does not allow individuals to make complaints about the sharing of their data, with the only avenues being the Commonwealth Ombudsman and the Office of the Australian Information Commissioner. And as the AMA points out, the agencies and departments only have to comply with the new legislation to prove there has not been an interference with privacy.
“This means that they will have no grounds for complaint and no right to seek compensation, regardless of how poor the agencies’ processes were or the inadequacies of their risk assessment processes,” the AMA said.
The government should amend the legislation to make the complaints process less legalistic and to empower individuals to make complaints to the Data Commissioner, and to allow these complaints to be anonymous.
The Data Commissioner also came under question in the AMA submission for its conflict of interest.
As the explanatory memorandum sets out, the Commissioner will “provide advice, advocacy and guidance to ensure the scheme operates as intended”, while it will also “work with data scheme entities to build data capability, promote best practice data sharing and use and address cultural barriers to sharing”.
This dual role of advocating for the sharing of data while also regulating the sharing of data is troublesome, the AMA said.
“If an agency seeks advice from the Data Commissioner prior to entering into a data sharing agreement, there is a potential conflict at the point of providing advice between the Data Commissioner’s role of promoting safety and their role of promoting sharing,” it said.
“Moreover, if the data is subsequently re-identified or a complaint is made, the Data Commissioner will be investigating a data sharing agreement that they advised on.”
The Privacy Commissioner should be given a greater role to combat this conflict of interest, the AMA recommended.
A bipartisan group of senators have also questioned the data-sharing legislation, specifically raising concerns over a lack of detail in the legislation and the absence of privacy safeguards.