Setting the Record Straight

The My Health Record system is an Australian Commonwealth government program designed to extract parts of your medical and health information and put them in a new system the government controls. It was originally designed for you to voluntarily opt in (which few did), but in 2016 the government announced its intention to make it opt-out, whether you want it or not.

This page is a response to the page on which the government claims to Set The Record Straight regarding privacy.

Setting The Record Straight page with our comments embedded.

The current page on My Health Record website.

The original page was posted on 12 April and was featured in an email campaign.

The text in blue, below, was downloaded at 3:00pm Wednesday 13 April 2016.

Setting the record straight!

Published 12 April 2016

There are a number of positive and negative assertions circulating the media, so each month we will be ‘setting the record straight’ and highlighting which My Health Record rumours are facts and which are not, so you can be confident when dealing with your customers. This month we set the record straight on privacy.

Here are some of the misrepresentations, along with the actual facts:

Assertion: Individuals cannot control who sees their My Health Record

Not true. Individuals can ask their healthcare provider not to upload certain information to their My Health Record and can also choose to be notified when their My Health Record is accessed. They can also set controls to restrict access to certain information in their My Health Record or to prevent certain healthcare provider organisations from seeing anything in their My Health Record. For example, individuals may want to restrict access or ask a provider not to upload their sensitive health information, such as sexual or mental health issues accessible by all healthcare providers.


Is the government really saying that the best way to control access to “certain” information is to not put it into the My Health Record at all?

This is one area where we agree with the government. If you have concerns about your health data being inappropriately accessed (see here for reasons why you might consider opting out), don’t put it into your My Health Record.

It would be useful for the government to explain how being alerted to when their My Health Record has been accessed by some unspecified person in a health care organisation constitutes “access control”. Once some unauthorised person has seen the information, it’s out of everyone’s control. You can’t make someone forget they’ve seen a health record.

What does “ask a provider not to upload their sensitive health information, such as sexual or mental health issues accessible by all healthcare providers.” mean?

Of course, the one area over which individuals have no control whatsoever is the system operator itself, and more specifically, the call centre.

Call Centre operators have unrestricted access to all of a My Health Record. Even if you have cancelled your registration, the data still exists in the system. It is also likely (because the government hasn’t told us otherwise) that even data you have “removed” is still available to the operators.

This page has more details about the My Health Record Call Centre, including that the government said it would develop a framework for defining how the Call Centre would protect privacy and that it would be backed by legislation, but it has failed to deliver.

The government claims that they take security and privacy seriously and that users have ultimate control over access. The evidence strongly indicates that they don’t.


Assertion: Government agencies will be able to access people’s personal data

There are very limited circumstances where anyone, including the Government, may access someone’s My Health Record. Those circumstances are narrower than under existing laws like the Privacy Act 1988, so My Health Record actually provides more protection of sensitive health information than exists for health records outside of the system. Limited circumstances include:

*    For the purpose of providing healthcare to an individual, including in an emergency;

*    For law enforcement purposes – in line with current powers under the Privacy Act, enforcement bodies may access information for particular investigations;

*    For the purpose of a healthcare provider’s indemnity cover – for example as part of a provider’s defence (or that of their medical indemnity insurer, acting on their behalf) in proceedings of negligence. This reflects longstanding rights of providers to use health information in records they hold in their own systems as part of proceedings.


What are Limited circumstances? The legislation doesn’t specify anything other than “the system operator must be satisfied….”.

So, our claim that the government can see the data in your health record is quite correct. Which means the government agrees with what we have written here.

It’s good to know the government is putting straight something that we don’t disagree with.

Assertion: Personal information won’t be safe – the My Health Record system is a gold mine for hackers and blackmailers

The privacy of people’s personal information is taken extremely seriously. A range of legislative and technical mechanisms work together to ensure the privacy and security of people’s information in the My Health Record system.

My Health Record uses bank-strength security including strong encryption and firewalls, secure logins and audit trails. It meets Australian Government Security Standards and is regularly tested for security compliance and vulnerability. These standards are regularly updated to address emerging cyber-threats. The staff who operate and maintain the My Health Record system are vetted and undergo police checks, consistent with government standards.

Further, the unauthorised collection, use or disclosure of information in the My Health Record system, is subject to both civil and criminal penalties where an action is deliberate or reckless. These penalties do not apply where a mistake has been made – for example, if a healthcare provider inadvertently or accidently (sic) accesses an individual’s My Health Record. The penalty for not complying with the My Health Records Rules is $18,000 for individuals and $90,000 for bodies corporate.

Further information about the My Health Record system’s privacy and security policies can be found on the My Health Record website



The government is confusing IT security with Information Security. The first is an IT issue; the second is about access to information. We have discussed this issue on our information page and stand by what we have said. The government hasn’t attempted to set this straight. Either they don’t understand the difference or they have declined to address it and hope nobody notices.

The government claims that there has been an assertion that “the My Health Record system is a gold mine for hackers and blackmailers”. We haven’t made that assertion, although we might consider it, as it seems to have merits, but the puzzling thing is that the government doesn’t.