The Victorian government is yet to consult with its own privacy office on a plan to store the health data of individuals in a database and share it with clinicians without consent, a proposal labelled “deeply disturbing” by digital rights advocates.
In September, the state government quietly released a discussion paper on the creation of the Clinical Information Sharing (CIS) platform, which will store the private medical data of Victorians from public hospitals and health services in a database, and share this across various health services.
The CIS solution was a recommendation from a 2015 independent report on the elimination of avoidable harm and deaths. The plan is now in the first phase of a three-year project to introduce the database, and there has been little public discussion on the proposal until a report in The Age on the weekend.
A spokesperson for the Department of Health said the CIS platform would help clinicians provide better care to Victorians.
“A consolidated picture of a patient’s medical and health history is essential to the provision of the best treatment and care in our public hospitals. A patient’s care journey takes them to different hospitals over the course of an illness, trauma or procedure,” the spokesperson told InnovationAus.
“Sharing of information and records between public hospitals and health services ensures that they have a more complete picture of a patient’s history. It reduces the risk of missing important medicines information and allergies and lets doctors and nurses see important medical images and laboratory results, to more safely manage the patient.”
The spokesperson emphasised that the proposal is currently just a discussion paper, and feedback will be sought on “safeguarding privacy and security”.
The state government also said that feedback has already been sought from the health sector, legal sector, consumers and patients, and privacy bodies and peak clinical and industrial bodies.
But the Victorian government has not yet consulted with its own Office of the Victorian Information Commissioner (OVIC) on the proposal, which will have significant privacy implications, and has also yet to seek feedback from prominent civil and digital rights organisations.
Victorian Information Commissioner Sven Bluemmel said it’s important for privacy issues to be considered as early as possible with potential policies like these.
“It is the role of my office to provide guidance and assistance to Victorian public sector agencies with Privacy Impact Assessments, where requested. It is critical that privacy and information security issues are considered early and fully in any proposal and privacy in such a scheme is crucial, especially to earn trust,” Mr Bluemmel told InnovationAus.
“To date, the DHHS has not contacted my office regarding this matter.”
The CIS proposal closely mirrors the federal government’s controversial My Health Record initial, which was transformed into an opt-out system early last year. The Victorian government said its new system would “complement” My Health Record rather than replace it.
The proposal in Victoria has raised significant concern among privacy and civil liberties advocates, with issues centering on the mandatory nature of the database and the potential for it to act as a honeypot for hackers.
Sharing highly personal health data without an avenue to opt-out would be “outrageous”, Electronic Frontiers Australia (EFA) board member Justin Warren said.
“EFA is deeply disturbed by this plan to create a government surveillance database of some of the most sensitive personal information people have: information about their health. That this is to be done without people’s consent is outrageous,” Mr Warren said.
“It is astounding that the Victorian government would ignore the massive backlash against My Health Record’s move to an opt-out system. Why are they trying to repeat the same mistakes as the federal government? Australians have consistently called for governments to do more to protect our privacy, not less.
“The health sector is consistently the largest source of notifiable data breaches in Australia, why would you try to make the situation worse? Government’s ongoing fascination with surveillance is creepy and weird.”
Such data-sharing initiatives involving significantly personal information should not be mandatory, Deakin University senior lecturer Dr Monique Mann said.
“They’re not learning from My Health Record with the fact they’re not giving people the option to opt-out. I don’t know what the rationale or justification is, or if they’re doing it almost by stealth,” Dr Mann told InnovationAus.
“It’s really concerning for it to not have the potential to opt-out, off the back of COVIDSafe, the expansion of QR codes and the collection of personal information,” she said.
“It’s being done in a way without any consultation with the community or with any real social licence. Peoples’ health information is so sensitive around mental health, and a whole range of issues as well. People should be able to decide when they do and do not disclose that information. It shouldn’t be made compulsory for people using the public health system.
“When looking at an incursion to privacy, we have to look at if it’s necessary, proportionate and the least invasive way of achieving the objective, with appropriate safeguards and informed consent. It seems this doesn’t meet that test.”
Do you know more? Contact James Riley via Email.