One thing they (ADHA) never talks about is the section in the
legislation that effectively cripples the whole privacy protection stuff:

TL;DR If the data can be got elsewhere, all bets are off. FYI, the
system is designed to get copies of data held elsewhere.

This is exactly what the legislation says:

Division 3—Prohibitions and authorisations limited to My Health Record

71  Prohibitions and authorisations limited to health information
collected by using the My Health Record system

(1) The prohibitions and authorisations under Divisions 1 and 2 in
respect of the collection, use and disclosure of health information
included in a healthcare recipient’s My Health Record are limited to the
collection, use or disclosure of health information obtained by using
the My Health Record system.

(2) If health information included in a healthcare recipient’s My Health
Record can also be obtained by means other than by using the My Health
Record system, such a prohibition or authorisation does not apply to
health information lawfully obtained by those other means, even if the
health information was originally obtained by using the My Health Record

Information stored for more than one purpose

(3) Without limiting the circumstances in which health information
included in a healthcare recipient’s My Health Record and obtained by a
person is taken not to be obtained by using or gaining access to the My
Health Record system, it is taken not to be so obtained if:

  (a) the health information is stored in a repository operated both for
the purposes of the My Health Record system and other purposes; and

  (b) the person lawfully obtained the health information directly from
the repository for those other purposes.

Note:    For example, information that is included in a registered
healthcare recipient’s My Health Record may be stored in a repository
operated by a State or Territory for purposes related to the My Health
Record system and other purposes. When lawfully obtained directly from
the repository for those other purposes, the prohibitions and
authorisations in this Part will not apply.

Information originally obtained by means of My Health Record system

(4) Without limiting the circumstances in which health information
included in a healthcare recipient’s My Health Record and obtained by a
person is taken not to be obtained by using or gaining access to the My
Health Record system, it is taken not to be so obtained if:

 (a)  the health information was originally obtained by a participant in
the My Health Record system by means of the My Health Record system in
accordance with this Act; and

 (b)  after the health information was so obtained, it was stored in
such a way that it could be obtained other than by means of the My
Health Record system; and

 (c)  the person subsequently obtained the health information by those
other means.

Note:    For example, information that is included in a registered
healthcare recipient’s My Health Record may be downloaded into the
clinical health records of a healthcare provider and later obtained from
those records.

On 28/01/2019 2:20 pm, David wrote:
> On Monday, 28 January 2019 10:45:51 AEDT Karl Auer wrote:
>> If you have a My Health Record, the information in it will be available to 
>> any Government agency that wants it, for any reason at all. That includes 
>> the ATO, Centrelink and law enforcement. The legislation also makes clear 
>> that your medical information can be provided to commercial third parties.
> I'm not convinced the following can be taken at face value but, for what it's 
> worth, the agency claims the legislation "My Health Records Amendment 
> (Strengthening Privacy) Bill 2018" ensures:
> - see 
>  -
> o   Which doctors and other healthcare providers can look at my health 
> information?
> Only healthcare provider organisations involved in your care, who are 
> registered with the My Health Record System Operator, are allowed by law to 
> access your My Health Record.  This may include GPs, pharmacies, pathology 
> labs, hospitals, specialists and allied health professionals.
> o   Can the police, Centrelink and ATO access my record?
> Under new Health Record privacy laws, no information can be released to law 
> enforcement or a government agency without your consent or an order from a 
> judicial officer.
> o   Can an insurance company or my employer access my record?
> Under new laws, no-one is permitted to access, or ask you to disclose, any 
> information within your My Health Record for insurance or employment purposes.
> o   Can My Health Record data be used for commercial purposes?
> Under new laws, the My Health Record system cannot be privatised or used for 
> commercial purposes.  Only a government organisation will ever be able to 
> manage the My Health Record system.
> However I detect the presence of weasel words in the second & fourth items 
> quoted.
> The second would have little force if some other piece of legislation gives a 
> security agency, for example, unfettered access because a "judicial officer" 
> would then have no choice.  And in any case, I wonder whether there are any 
> limitations on the circumstances when access can be given.
> The last point, as explained in that FAQ, doesn't distinguish between the 
> system per se and the information it contains and doesn't explain what 
> "manage" actually means - can the Health Department outsource the hosting of 
> MyHealthRecord?
> NSW has an act "Health Records and Information Privacy Act 2002 No 71" 
> intended to regulate the whole general area which includes specific 
> exemptions:
> This Act does not apply to the Independent Commission Against Corruption, the 
> Inspector of the Independent Commission Against Corruption, the staff of the 
> Inspector of the Independent Commission Against Corruption, the NSW Police 
> Force, the Law Enforcement Conduct Commission, the Inspector of the Law 
> Enforcement Conduct Commission, the staff of the Inspector of the Law 
> Enforcement Conduct Commission and the New South Wales Crime Commission, 
> except in connection with the exercise of their administrative and educative 
> functions.
> Call me a cynic, but I'm out of it...
> David L.
> _______________________________________________
> Link mailing list
> ---
> This email has been checked for viruses by AVG.



Bernard Robertson-Dunn
Canberra Australia

Link mailing list

Reply via email to