The federal government’s proposed Medicare data-matching scheme is too broad and would bring with it a range of privacy risks, according to the NSW Council for Civil Liberties.
The government unveiled plans in September to conduct data-matching on health information between departments and agencies to crack down on fraudulent Medicare claims. It ran consultations on the Health Amendment (Data-matching) Bill 2019 until early October, but introduced the bill to Parliament just two weeks later.
The legislation expands the data-matching scope to include data from the Medical Benefits Scheme, Pharmaceutical Benefits Scheme, Veteran Affairs, Home Affairs, and potentially private health insurers.
A number of submissions to government raised serious concerns around privacy, the scope of departments to be involved with data-matching and the overriding of existing privacy laws.
The NSW Council for Civil Liberties rejected the legislation in its proposed form, mainly due to its broad nature of the data-sharing scheme, which includes any Commonwealth entity.
This reference is “too broad and permits a wide discretion to increase the ambit of government departments involved in data-matching”. The Council called for the scheme to be limited to the small number of entities listed in the government’s consultation guide, and to exclude Home Affairs.
It also recommended that the entities included have to enter into a prescriptive data protocol with Medicare, and to ensure that any data-matching information and results conform to “data minimisation and destruction best practices”.
The Council also raised concerns with a subsection in the draft legislation allowing data-matching for the purpose of “detecting or investigating whether a person may have engaged in inappropriate practice”.
“This purpose is not limited to Medicare programs or healthcare providers and has the potential for wider applications, other than ensuring the integrity of the system,” the NSW Council of Civil Liberties said.
This permitted purpose of data-matching remains in the legislation that has been introduced to Parliament.
The organisation called for the data-matching scheme to be “narrowly and consistently defined and limited to legitimate Medicare programs”.
The Council also took issue with the “unconstrained discretion” that the legislation gives to the Chief Executive Medicare to regulate the sharing of personal data, calling for the main requirements to be included in the actual legislation.
“This would ensure adherence to appropriate protocols and transparency, in that important administrative processes would not be made outside the primary legislative framework, or without a high level of scrutiny,” the submission said.
When introducing the legislation to Parliament in October, Health Minister Greg Hunt said he would put in place governance arrangements for the data-matching through a legislative instrument prescribing how the information would be handled to “ensure that the use, storage, access and handling of data protects privacy”.
“The government acknowledges the importance of protecting an individual’s privacy and the trust placed in the government by Australians to manage their health data appropriately. Protecting the privacy of an individual’s health and other data is central to this bill,” Mr Hunt told the Parliament.
The Australian Medical Association also said it had “major concerns” with scheme in its own submission. The AMA said that government had previously given assurances that the changes in the legislation would not override the Privacy Act or change existing privacy settings.
But the legislation would exclude the proposed data matching from this “restriction when the matching is undertaken for specified Medicare compliance purposes”.
“In other words, the Department will no longer have to comply with the Privacy Rules – including the specific protocols for data-matching – established by the Information Commissioner under section 135AA of the National Health Act,” the AMA’s submission said.
The AMA is also concerned about a lack of minimum time periods for consultation, no requirements to consult broadly on it or for a regular review of the appropriateness of the scheme or for the Information Commissioner to endorse the processes.
“The AMA believes the new bill substantially changes the regulatory arrangements currently in place. Improved compliance is important from both a clinical and health financing perspective,” it said.
“However, it should be patient-focused, ensuing the health system delivers on the high-quality and necessary care for Australians when they need it.
“It is vital the Department ensures the data-matching arrangements are transparent to withstand public scrutiny and well communicated to reassure patients their privacy will be protected.”
Data tech firm Vanteum also raised serious concerns with the new bill, saying it may place the privacy of all Australians at “serious risk”. The legislation would be debated in Parliament when the lower house sits later this month.