It is past time for Australian MPs, ministers, government agencies and contractors to develop some humility. They do not, and cannot, control worldwide privacy regimes and security threats, or the algorithms ruling shared, aggregated or online digital information. Unenforceable assurances will no longer work.

People in Australia will only trust and have confidence in government and business collecting, storing, and using their vulnerable personal information if it is done in trust-worthy privacy-enhancing systems, covered by strong laws with minimal exemptions, and with easy enforcement when things go wrong – not the mess of loopholes, exceptions, back-door tricks and ‘wet lettuce-leaf’ indirect enforcement we have under current law. The key defects set out below require amendments to bring privacy protection under Australian law, mainly Privacy Act 1988 (Cth), into the 21st century and up to the standard of peer developed countries.

• The legal definition of ‘consent’ needs to be fixed to reflect its real meaning, requiring ‘active and properly informed consent’ rather than ‘implied consent’. Silence, pre-ticked boxes, or inactivity mustn’t be accepted as valid ‘consent’. What we’re told about risk and disclosure must be blunt and clear.
• Privacy Act exemptions are out of control and insidious. At least the following must be removed:
  • employee records
  • registered political parties, and political ‘acts and practices’
  • journalism, except reports about public officials and others in performance of their duties
• The Australian Broadcasting Corporation Act 1983 should be amended to:
  • ensure Australians are not required to provide their personal information or register for a mandatory account to access the ABC’s full digital media services
  • forbid ABC from sharing (re-)identifiable personal information with other entities or platforms
• Personal information should only be exposed to publication as ‘Open Data’, or other uncontrolled circulation, if it is genuinely and permanently anonymous. It should be banned from being described or treated as ‘de-identified’ unless the process used conclusively proves the data can no longer ever be re-linked to a person, under any circumstances, at any time in the future, backed up by ongoing audits.
• We need a statutory tort for breach of privacy, at last, as recommended by five Australian Law Reform reviews over three decades. Australia must no longer be the only equivalent country where citizens have no means to take legal action to protect their personal dignity. The blueprint’s been discussed and consulted on for years, it’s ready to go, the rest of the world copes, let’s stop the fudging and do it.
• We need a dedicated, properly resourced Privacy Commissioner again, to address the current privacy complaint backlog, and future data privacy exploits and threats. A conflicted, sporadic regulator fails us.

The SA Ambulance Service has disclosed that the personal details of 28,000 patients have been stolen.¹

Those details include people’s name, date of birth, age, address, and in some cases, their pension number and health notes.

Juanita Fernando, chair of the Australian Privacy Foundation’s (APF’s) Health Committee said, “That’s prime fodder for identity theft and something we all need to take seriously.”

The Ambulance Service says the data was on a storage device that was stolen from a consultancy firm in July. The consultants had apparently held the data since the early 2000s.

There’s no indication that the device was encrypted – a basic security precaution.

Neither is there any indication that a proper risk assessment occurred before the Ambulance Service handed over the sensitive personal details about lots of South Australians to the consultants.

Fernando continued, “If you use an ambulance you should be able to have confidence that your private data will not end up in the hands of a consultant and disappear ten years later.”

She added, “Those people had no control over the data. The first they knew about the problem was reading it on the ABC website.”

The APF calls on the Ambulance Service to provide full disclosure of what has gone wrong. It is insufficient for the Service to say it “regrets” the theft.¹

The Foundation calls on the Service to immediately take steps to prevent similar problems.

Fernando concluded, “South Australians are entitled to solutions, not regrets and excuses.”

Media Contacts for Australian Privacy Foundation board members:

References

1. ABC News. SA Ambulance Service patients’ personal information stolen from consultancy firm, 10 November 2021. https://www.abc.net.au/news/2021-11-10/sa-ambulance-service-data-stolen/100608028

The Victorian government’s “Health Legislation Amendment (Information Sharing) Bill 2021” was hurried through its first Parliamentary vote last week.¹ The Bill links all patient medical and health information through a single portal, to be shared between authorised end-users, decided and controlled by the Secretary of the Department of Health. The Legislative Council can interrupt the Bill’s progress.

The powers embodied in the Bill are unprecedented, threatening patient-doctor confidentiality, risking health and wellness should some individuals decide not to seek clinical attention for potentially life threatening or serious illnesses and conditions. But the APF cannot locate the Privacy Impact Assessment (PIA) supporting the Bill. The PIA, assuming one was conducted, must be published in the public domain if Victorians are to trust the Bill.

The APF asks Victoria’s Legislative Council to pause the Bill’s passage and send it back to the lower house for amendment, requesting a more thorough community consult than has occurred. Some information must be withheld from the collection enabled by the Bill, especially where there is no patient consent. Patient health and wellbeing, even lives, are at stake here.

Juanita Fernando, chair of the APF Health Committee said “The data collected and linked by the portal will authorise use of each patient’s current and historical medical information, including mental health and ambulance services; evidently a complete record of every Victorian person’s sensitive and private information.”

The disproportionate powers embodied in the Bill also require a softening of Victoria’s Health Privacy Principles to operate.

Fernando continued, “ People will have no ability to consent to or opt-out of the process. They cannot even look at a complete log of who can see what and who has seen what.” She concluded, “Only a dozen or fewer sentinel events need to be flagged for medical emergencies, so we wonder at the need for the Victorian government to harvest and centrally store such a rich database of sensitive patient information.”

The Australian Doctors Federation is alarmed and, with the APF, raises serious questions about the Bill, calling for public debate, careful examination and resolution of community concerns.²

Media Contacts for Australian Privacy Foundation board members:

References

1. Health Legislation Amendment (Information Sharing) Bill 2021, Victorian Legislation, October 2021. https://www.legislation.vic.gov.au/bills/health-legislation-amendment-information-sharing-bill-2021
2. Australian Doctors Federation (ADF) Rushed VIC government health database law raises more questions than answers, media release; 14 October 2021