However, APF needs your assistance to maintain its momentum.

Renewing your membership is helpful.
To renew, direct deposit to the APF bank account at Bendigo Bank, BSB 633000 A/c No. 126 879 162.
Please include your name, to ensure we credit it to the right person.
It helps to email us at treasurer@privacy.org.au, saying you’ve paid. The rates remain $275 for Life, $40 regular, and $10 concession.
Further info at https://privacy.org.au/about/members/contributing/.

Even more helpful are direct contributions to APF’s policy work, at https://privacy.org.au/policies/ and https://privacy.org.au/publications/by-policy-area/.

We need more input from more people who have an interest in the area, and who have some ability in research, analysis and drafting of policy positions on privacy issues, or are prepared to develop those skills.

APF has multiple experienced people on the Board and Committees. They can provide support for new contributors to have impacts on policy and practice in the public and private sectors.

No-one can cover the whole, broad field, so you probably prefer to contribute in a particular area. We have Committees that focus on:

• Telecommunications and the Internet, including eBusiness and eGovernment, websites, apps, and security for handhelds and desktops
• Surveillance, including through the use of cameras and microphones, and the automated capture of data
• Health, including medical records and their use and abuse

You may have an area of interest that isn’t covered by an existing Committee. Let us know what your focus is, and we’ll look for colleagues for you among Board, Committee and members generally.

The APF Board, and Australian society, thank you for your contributions.

AN EVENT: Queensland Council for Civil Liberties (QCCL) is running the Derek Fielding Memorial Lecture, in Brisbane, on Thursday, 7 September 2023, 6:30-9:00 pm. The presenter is sometime APF Board-member Samantha Floreani, on ‘Human rights for a collective liberatory digital future’. Register here

Roger Clarke
As Secretary, Australian Privacy Foundation, on behalf of the Board:
https://privacy.org.au/about/contacts/

Advisory Panel

23 August 2022

We’re combining this newsletter with the Annual Renewal Notice

How to renew

1. Check how much to pay ($275 Life, $40, or $10 concession), here
   Note: If you joined within the last 6 months, it won’t be necessary for you to renew until next year’s notice
2. Pay the relevant amount into this account:
   Bendigo Bank, BSB 633000 A/c No. 126879162
   Include your name, so that we can reconcile the account
3. Email to us, saying you’ve paid

Call for Nominations

As you can see from the brief outline of activities below, the APF Board is buried in work to defend privacy interests. With a couple of recent retirements from the fray by major contributors, we’re short-handed.
Please consider assisting the Board, whether casually on a matter of concern to you, via one of the Committees, or on the Board. Details are here.
If you’re aware of talent who we should be approaching, please put us in contact with them, or vice versa!

Key Aspects of APF Activities during 2021-22

1. Continued busyness, fighting against privacy-invasive behaviours, for privacy-sensitive practices, and for privacy protections. See at the bottom for a quick summary of recent major contributions
2. A shortage of volunteer policy analysts and other active support
3. We’re announcing waiver of the annual fee for volunteers who commit to material assistance in relation to any of the following:
   • research into new technologies, business practices and government initiatives that are likely to have privacy implications
   • drafting and review of proactive Policy Positions
   • drafting and review of submissions in response to policy-influencing opportunities in parliaments, governments and industry sectors
   • frequent social media postings on APF’s behalf, in the appropriate communication-style for one or more particular social media channels
   • drafting of old-fashioned, but still-needed, media releases
   • identification of media reports of suitable quality and relevance, and extraction and posting to the privacy policy e-list of the text and the source, with optional commentary on the topic
   • monthly maintenance of the APF publications index-pages (by date, by topic, and by jurisdiction)

Some Major Areas of Recent APF Activities

The Federal Election

• Media Release of 11 April 2022
• The resulting 2022 Federal Election Scorecard, version of 19 May 22
• The election-result was highly privacy-positive. The new AG has previously supported a privacy right of action, and the large cross-bench comprises Greens and Andrew Wilkie, whose platforms are strongly pro-privacy, plus ‘Teal Liberals’ who are moderately so.

Your(?) ABC Joins the Digital Surveillance Economy
Imposition of Mandatory Registration to use ABC iView

• Open Letter – 2 Mar 22
• ABC Chair Ita Buttrose’s reply of 8 Mar 2022
• Letter to the ABC Chair on 11 May 2022
• Media Release on 15 May 2022
• See also this blog-entry by a past chair of APF

Health Privacy

• Health Legislation Amendment (Information Sharing) Bill 2021 (Vic)
• National Disability Insurance Scheme (NDIS) – a serious data breach
• The unjustifiably demanding ACT COVID ‘Case Investigation’ Form
Health Insurance Companies’ Marketing of Wearables to Consumers

Australia’s Electronic Surveillance Framework

• Submission to Dept of Home Affairs, of 8 Feb 2022, in conjunction with QCCL and Liberty Victoria
• Australian Border Force’s Warrant-less Access to Smartphone Comms

It has been removed from the Library’s website. This is taken from a cached copy available on Google:

Law enforcement access to My Health Record data
Posted 23/07/2018 by Nigel Brew

Parliamentary Library

My Health Record (MHR) was introduced in June 2012 by the Gillard Labor Government originally as an opt-in system known as the Personally Controlled Electronic Health Record (PCEHR) before legislative amendments in 2015 introduced by the Abbott Coalition Government renamed it and laid the groundwork for it to become an opt-out system. Law enforcement access to MHR data is among the privacy concerns raised about the program, but this provision was in the original legislation and received little attention when the Bill was debated.

The PCEHR/MHR has been operating for six years now since July 2012 and was characterised in 2015 by Labor politicians as a ‘proud Labor reform’ and a ‘natural extension’ of Medicare. The MHR system is operated by the Australian Digital Health Agency (ADHA) as a ‘secure online summary of an individual’s health information’. However, under certain circumstances, MHR data may be provided to an ‘enforcement body’ for purposes unrelated to a person’s healthcare. An ‘enforcement body’ is defined in section 6 of the Privacy Act 1988 as the Australian Federal Police, the Immigration Department, financial regulatory authorities, crime commissions, any state or territory police force, anti-corruption bodies, and any federal or state/territory agency responsible for administering a law that imposes a penalty or sanction or a prescribed law, or a law relating to the protection of the public revenue.

Section 70 of the My Health Records Act 2012 enables the System Operator (ADHA) to ‘use or disclose health information’ contained in an individual’s My Health Record if the ADHA ‘reasonably believes that the use or disclosure is reasonably necessary’ to, among other things, prevent, detect, investigate or prosecute any criminal offence, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; protect the public revenue; or prevent, detect, investigate or remedy ‘seriously improper conduct’. Although ‘protection of the public revenue’ is not explained, it is reasonable to assume that this might include investigations into potential fraud and other financial offences involving agencies such as Centrelink, Medicare, or the Australian Tax Office. The general wording of section 70 is a fairly standard formulation common to various legislation—such as the Telecommunications Act 1997—which appears to provide broad access to a wide range of agencies for a wide range of purposes. 

While this should mean that requests for data by police, Home Affairs and other authorities will be individually assessed, and that any disclosure will be limited to the minimum necessary to satisfy the request, it represents a significant reduction in the legal threshold for the release of private medical information to law enforcement. Currently, unless a patient consents to the release of their medical records, or disclosure is required to meet a doctor’s mandatory reporting obligations (e.g. in cases of suspected child sexual abuse), law enforcement agencies can only access a person’s records (via their doctor) with a warrant, subpoena or court order.

The Australian Medical Association’s existing Ethical Guidelines for Doctors on Disclosing Medical Records to Third Parties 2010 (revised 2015) note:

It seems unlikely that this level of protection and obligation afforded to medical records by the doctor-patient relationship will be maintained, or that a doctor’s judgement will be accommodated, once a patient’s medical record is uploaded to My Health Record and subject to section 70 of the My Health Records Act 2012. The AMA’s Guide to Medical Practitioners on the use of the Personally Controlled Electronic Health Record System (from 2012) does not clarify the situation.

Although it has been reported that the ADHA’s ‘operating policy is to release information only where the request is subject to judicial oversight’, the My Health Records Act 2012 does not mandate this and it does not appear that the ADHA’s operating policy is supported by any rule or regulation. As legislation would normally take precedence over an agency’s ‘operating policy’, this means that unless the ADHA has deemed a request unreasonable, it cannot routinely require a law enforcement body to get a warrant, and its operating policy can be ignored or changed at any time.

The Health Minister’s assertions that no one’s data can be used to ‘criminalise’ them and that ‘the Digital Health Agency has again reaffirmed today that material … can only be accessed with a court order’ seem at odds with the legislation which only requires a reasonable belief that disclosure of a person’s data is reasonably necessary to prevent, detect, investigate or prosecute a criminal offence.

This uncertainty has left different advocacy groups concerned. The Chief Executive Officer of the Sex Workers Outreach project has been reported saying that warrantless law enforcement access to medical records was the main reason sex workers were concerned about MHR, pointing out that ‘“Sex work is criminalised in a number of states … So, if I’m in the ACT and somebody suspects me of sex working, and they go into my medical record and that proves it, I can end up in jail”’. Similarly, while the Federation of Ethnic Communities’ Councils of Australia supports the MHR, it was reported that ‘it hopes My Health Record information will not be used for the purposes of immigration enforcement or decisions’. Such fears are possibly not without foundation. Until recently, data-sharing arrangements in the UK between the National Health Service and the Home Office meant that medical records were being used to track down illegal immigrants:

It is interesting to note that while disclosure of personal information under Australian social security law for the purpose of enforcing the law must satisfy a higher bar compared with the My Health Records Act 2012, the provisions permitting disclosure of Medicare information for the purpose of enforcing the law are actually broader than the My Health Records Act 2012.

Although the disclosure provisions of different agencies may be more or less strict than those of the ADHA and the My Health Records Act 2012, the problem with the MHR system is the nature of the data itself. As the Law Council of Australia notes, ‘the information held on a healthcare recipient’s My Health Record is regarded by many individuals as highly sensitive and intimate’. The National Association of People with HIV Australia has suggested that ‘the department needs to ensure that an individual’s My Health Record is bound to similar privacy protections as existing laws relating to the privacy of health records’. Arguably, therefore, an alternative to the approach of the current scheme would be for medical records registered in the MHR system to be legally protected from access by law enforcement agencies to at least the same degree as records held by a doctor.