
Cautionary tale of getting policy settings right
Colin Trotter
15 November 2018 at 15:03


Keeping privacy front of mind when developing policy and designing new processes or systems helps deliver good outcomes while maintaining individual privacy interests.

Failing to carefully consider privacy throughout the policy and law-making process can lead to situations that erode public trust and the willingness of individuals to engage with agencies that deliver important services like healthcare.

The development of an electronic health record system in Australia highlights the importance of taking privacy into account when designing new law.

The My Health Records Amendment (Strengthening Privacy) Bill 2018 is the third bill relating to the implementation of Australia’s My Health Records electronic record system. This latest bill is needed to retro-fit privacy safeguards to address public concern about new policy positions taken after the original law was passed, leading one commentator to describe it as “a band-aid on the My Health Record train wreck”.

The My Health Record controversy shows little sign of abating in the short to medium term. For New Zealanders to understand it better (and avoid having something similar happen here), we need to know how it all began and how function creep seized the programme.

Some background

In 2012, Australia enacted the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) to govern the establishment and operation of an electronic health record system governing the handling of individuals’ health information. The new system was a voluntary, or opt-in, system. In other words, individuals could apply to be registered in the system.

A review of the system in 2014 recommended changing to an opt-out model on the rationale that it was the fastest way to realise the benefits of a system that enables better coordination of health care services. Subsequently, a law was passed to adopt the opt-out model, and from July to October 2018 people could choose to opt out of the electronic health record system.

But since the opt-out period began, many people have expressed concerns about the broad discretion of the system operator to release individuals’ health information to a range of enforcement bodies. You can read about these misgivings here and here. People were also concerned that information would continue to be stored in the National Repositories Service even for the more than one million people who had opted out so far.

To address those concerns, the My Health Records Amendment (Strengthening Privacy) Bill 2018 will amend the law so that individuals’ health information will not be released without a court order. The Bill will also ensure that information held in the system would be permanently deleted if someone cancels their My Health Record account.

The public and political outcry has prompted Australia’s federal government to extend the opt-out deadline until January 2019. But there’s been further criticism because an estimated 17 million Australians are likely to be automatically enrolled on My Health Record despite lingering privacy concerns. You can read this comprehensive summary of the online health information database’s troubled roll-out here.  

Privacy by Design

Implementing an electronic health records system is no easy task. But this Australian example (which required three laws to be passed) demonstrates the benefits of using Privacy by Design from the start.

A person-centric Privacy by Design approach can provide assurance that privacy impacts on individuals have been fully considered and that your objectives don’t come at the expense of privacy-friendly outcomes. The aim is to identify privacy risks early so you can build privacy protections into new policy and law.

It’s very important to follow best practice policy development processes. That includes examining all the possible consequences for affected parties (costs, benefits and trade-offs for both individuals and other agencies), taking account of your goals, constraints, and any other competing interests that need to be balanced with your objectives.

If you want to delve deeper, the Parliament Library Bill Digest provides a substantive record of the legal development of Australia’s electronic health record system.

Image credit: My Health Record logo (edited)
