On 11/11/18 12:48, David wrote:
> ... But Prof. Vaile described MHRecord as having an appallingly bad
> IT security model, rather like leaving the bank unlocked because there
> were penalties for theft. By default, access is allowed and there are
> no account PINs. Furthermore, individual use is _not_ logged, only the
> organisation responsible, and it may even be the case that those
> individuals are not even mentioned in the legislation.
>
> (Roger, is that true? How can they be penalised in that case?)
Yep, you got it: In practical terms, they can't.
The offence provisions might as well not exist, because they're
unenforceable.
The entire MyHR process and product is a fiasco and a fraud.
______
On 11/11/18 12:48, David wrote:
ABC Radio National had some interesting programs this (Sunday) morning.
Round Table -
https://www.abc.net.au/radionational/programs/the-roundtable/my-health-record-privacy-data/10474670
- discussed My Health Record. Two apologists for it had nothing very
interesting to say, and much of it would have to be described as naive. But
the third panelist was Professor David Vaile, Executive Director of the
Cyberspace Law and Policy Centre at UNSW.
He revealed that medical information (other than a summary of any allergies?)
isn't held in a structured database but is a collection of PDF documents! Can
you imagine a patient lying unconscious in ED while a doctor makes a cup of
coffee and settles down to plow through them?
One apologist emphasised how there were legislated penalties for unauthorised
access, and penalties seem to be the main security mechanism. But Prof. Vaile
described MHRecord as having an appallingly bad IT security model, rather like
leaving the bank unlocked because there were penalties for theft. By default,
access is allowed and there are no account PINs. Furthermore, individual use
is _not_ logged, only the organisation responsible, and it may even be the case
that those individuals are not even mentioned in the legislation.
(Roger, is that true? How can they be penalised in that case?)
Access by organisations including the ATO, Centrelink, the police, etc. wasn't
mentioned.
The Coalition has tried to abolish & defund the Office of the Privacy
Commissioner, and now the MHRecord director of privacy has resigned - see
https://www.smh.com.au/technology/my-health-record-s-privacy-chief-quits-amid-claims-agency-not-listening-20181107-p50elu.html
People have until next Thursday (or will it be Wednesday?) to opt out.
David L.
_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link
--
Roger Clarke mailto:roger.cla...@xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University