[LINK] From secrecy to dignity: trust and policy implications of shifting attitudes to privacy
https://nsc.crawford.anu.edu.au/department-news/13675/secrecy-dignity-trust-and-policy-implications-shifting-attitudes-privacy -- Kim Holburn IT Network & Security Consultant T: +61 2 61402408 M: +61 404072753 mailto:k...@holburn.net aim://kimholburn skype://kholburn - PGP Public Key on request ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
[LINK] MHR - letter to local paper
For what it's worth, I just sent this to my local paper for publication (I hope) on Wednesday 30/1/2019. Regards, K ~ Get out while you still can The last possible day to opt-out of the My Health Record system is Thursday this week (31/1/2019). After that, you will get a record whether you want one or not. If you have a My Health Record, the information in it will be available to any Government agency that wants it, for any reason at all. That includes the ATO, Centrelink and law enforcement. The legislation also makes clear that your medical information can be provided to commercial third parties. You have almost no ability to control who sees what. You cannot control what is recorded. With minor exceptions you cannot change or remove what has been recorded, even if it was uploaded without your consent. Once you have a My Health Record, you cannot delete it, only "cancel" it. A cancelled record remains available to the Government. The Government says it will delete your record on request, but the sad fact is that they will probably not be able to. This is not a party-political matter. Both sides of politics seem perfectly happy to put your sensitive medical information on the internet. The security is a nonsense; with hundreds of thousands of people authorised to look at it, anyone who wants it will be able to get it. Get out while you still can. Search for "opt-out-my-health-record". If you discover (as thousands have) that a My Health Record has already been created for you without your knowledge or consent, cancel it. If you have children, opt them out too. -- ~~~ Karl Auer (ka...@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389 GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75 Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
Re: [LINK] MHR - letter to local paper
On Monday, 28 January 2019 10:45:51 AEDT Karl Auer wrote: > If you have a My Health Record, the information in it will be available to > any Government agency that wants it, for any reason at all. That includes the > ATO, Centrelink and law enforcement. The legislation also makes clear that > your medical information can be provided to commercial third parties. I mentioned that to my very competent and well-informed GP, although not the bit about third-parties, however she claimed it was not true. Where is the most authoritative source reference? David L. ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
Re: [LINK] MHR - letter to local paper
On 28/01/2019 10:45 AM, Karl Auer wrote: For what it's worth, I just sent this to my local paper for publication (I hope) on Wednesday 30/1/2019. They claim the laws were passed in November. It's even on their website!! ;) https://twitter.com/MyHealthRec/status/1089699572392386561 https://twitter.com/MyHealthRec/status/1089699572392386561https://twitter.com/MyHealthRec/status/1089699572392386561 https://twitter.com/MyHealthRec/status/108969957239238 -- Melbourne, Victoria, Australia jw...@janwhitaker.com Twitter: @JL_Whitaker Blog: www.janwhitaker.com Sooner or later, I hate to break it to you, you're gonna die, so how do you fill in the space between here and there? It's yours. Seize your space. ~Margaret Atwood, writer _ __ _ ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
Re: [LINK] MHR - letter to local paper
On Monday, 28 January 2019 10:45:51 AEDT Karl Auer wrote: > If you have a My Health Record, the information in it will be available to > any Government agency that wants it, for any reason at all. That includes the > ATO, Centrelink and law enforcement. The legislation also makes clear that > your medical information can be provided to commercial third parties. I'm not convinced the following can be taken at face value but, for what it's worth, the agency claims the legislation "My Health Records Amendment (Strengthening Privacy) Bill 2018" ensures: - see https://www.myhealthrecord.gov.au/for-you-your-family/howtos/frequently-asked-questions - QUOTES o Which doctors and other healthcare providers can look at my health information? Only healthcare provider organisations involved in your care, who are registered with the My Health Record System Operator, are allowed by law to access your My Health Record. This may include GPs, pharmacies, pathology labs, hospitals, specialists and allied health professionals. o Can the police, Centrelink and ATO access my record? Under new Health Record privacy laws, no information can be released to law enforcement or a government agency without your consent or an order from a judicial officer. o Can an insurance company or my employer access my record? Under new laws, no-one is permitted to access, or ask you to disclose, any information within your My Health Record for insurance or employment purposes. o Can My Health Record data be used for commercial purposes? Under new laws, the My Health Record system cannot be privatised or used for commercial purposes. Only a government organisation will ever be able to manage the My Health Record system. END QUOTES However I detect the presence of weasel words in the second & fourth items quoted. The second would have little force if some other piece of legislation gives a security agency, for example, unfettered access because a "judicial officer" would then have no choice. And in any case, I wonder whether there are any limitations on the circumstances when access can be given. The last point, as explained in that FAQ, doesn't distinguish between the system per se and the information it contains and doesn't explain what "manage" actually means - can the Health Department outsource the hosting of MyHealthRecord? NSW has an act "Health Records and Information Privacy Act 2002 No 71" intended to regulate the whole general area which includes specific exemptions: QUOTE This Act does not apply to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Law Enforcement Conduct Commission, the Inspector of the Law Enforcement Conduct Commission, the staff of the Inspector of the Law Enforcement Conduct Commission and the New South Wales Crime Commission, except in connection with the exercise of their administrative and educative functions. UNQUOTE Call me a cynic, but I'm out of it... David L. ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
[LINK] Data Sovereignty questions
Suppose ADHA, who run My Health Record, wanted to use Akamai CDN services for all the usual reasons. Questions. Would Akamai have to use Australian servers to store the cached, static data? or could they use overseas servers? Would Akamai have to use edge servers in Australia? or could they use USA based edge servers What is the current status of USA law regarding USA companies having to hand over foreign data that they (the companies) store to their government? -- Regards brd Bernard Robertson-Dunn Canberra Australia email: b...@iimetro.com.au web: www.drbrd.com web: www.problemsfirst.com ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
Re: [LINK] Data Sovereignty questions
On 28/1/19 14:52, Bernard Robertson-Dunn wrote: Suppose ADHA, who run My Health Record, wanted to use Akamai CDN services for all the usual reasons. Questions. Would Akamai have to use Australian servers to store the cached, static data? or could they use overseas servers? Would Akamai have to use edge servers in Australia? or could they use USA based edge servers No specific answers, sorry; but here's the publicly-provided information-base that enables answers to be developed: 1. The Objects of the Privacy Act include: http://www8.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s2a.html >(f) to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected; and The primacy of economics, and the secondary, mere constraint of a bit of respect for privacy, are cemented in, as with all OECD-derived d.p. laws. Put another way, if an agency found it cheaper to export the data, the onus would be on proponents of national sovereignty to argue the case for it *not* to be exported. And of course, even if such a discussion were ever held, there's no representation of the public interest in the room. (The OAIC doesn't have any right to be in the room, and is in any case an administering and facilitating agency, not a protector of the public interest). 2. APP8 https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles#australian-privacy-principle-8-cross-border-disclosure-of-personal-information "take such steps as are reasonable in the circumstances" "does not apply ... if [long list of loose and open-ended circumstances]" A trainee lawyer could drive a bus through it. 3. OAIC Guidelines on APP8 https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information Expensive lawyers paid for out of the OAIC budget wrote over 6,000 words to assist aforesaid trainee lawyers to find said gaps of bus-width. My short answer is that I reckon any agency can do absolutely anything it likes, without any risk even of it being in breach, let alone of any sanctions applying or retribution being taken. (IANAL, and I haven't wasted the time doing enough hard yards to remove "I reckon"). > What is the current status of USA law regarding USA companies having to hand over foreign data that they (the companies) store to their government? AFAIK, few effective constraints apply to the assertions (under several laws) of US extra-territorial powers, which mean that the data doesn't even have to be in the US, merely in the possession of a US corporation. -- Roger Clarkemailto:roger.cla...@xamax.com.au T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Visiting Professor in the Faculty of LawUniversity of N.S.W. Visiting Professor in Computer ScienceAustralian National University ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
Re: [LINK] MHR - letter to local paper
One thing they (ADHA) never talks about is the section in the legislation that effectively cripples the whole privacy protection stuff: TL;DR If the data can be got elsewhere, all bets are off. FYI, the system is designed to get copies of data held elsewhere. This is exactly what the legislation says: Division 3—Prohibitions and authorisations limited to My Health Record system 71 Prohibitions and authorisations limited to health information collected by using the My Health Record system (1) The prohibitions and authorisations under Divisions 1 and 2 in respect of the collection, use and disclosure of health information included in a healthcare recipient’s My Health Record are limited to the collection, use or disclosure of health information obtained by using the My Health Record system. (2) If health information included in a healthcare recipient’s My Health Record can also be obtained by means other than by using the My Health Record system, such a prohibition or authorisation does not apply to health information lawfully obtained by those other means, even if the health information was originally obtained by using the My Health Record system. Information stored for more than one purpose (3) Without limiting the circumstances in which health information included in a healthcare recipient’s My Health Record and obtained by a person is taken not to be obtained by using or gaining access to the My Health Record system, it is taken not to be so obtained if: (a) the health information is stored in a repository operated both for the purposes of the My Health Record system and other purposes; and (b) the person lawfully obtained the health information directly from the repository for those other purposes. Note: For example, information that is included in a registered healthcare recipient’s My Health Record may be stored in a repository operated by a State or Territory for purposes related to the My Health Record system and other purposes. When lawfully obtained directly from the repository for those other purposes, the prohibitions and authorisations in this Part will not apply. Information originally obtained by means of My Health Record system (4) Without limiting the circumstances in which health information included in a healthcare recipient’s My Health Record and obtained by a person is taken not to be obtained by using or gaining access to the My Health Record system, it is taken not to be so obtained if: (a) the health information was originally obtained by a participant in the My Health Record system by means of the My Health Record system in accordance with this Act; and (b) after the health information was so obtained, it was stored in such a way that it could be obtained other than by means of the My Health Record system; and (c) the person subsequently obtained the health information by those other means. Note: For example, information that is included in a registered healthcare recipient’s My Health Record may be downloaded into the clinical health records of a healthcare provider and later obtained from those records. On 28/01/2019 2:20 pm, David wrote: > On Monday, 28 January 2019 10:45:51 AEDT Karl Auer wrote: > >> If you have a My Health Record, the information in it will be available to >> any Government agency that wants it, for any reason at all. That includes >> the ATO, Centrelink and law enforcement. The legislation also makes clear >> that your medical information can be provided to commercial third parties. > I'm not convinced the following can be taken at face value but, for what it's > worth, the agency claims the legislation "My Health Records Amendment > (Strengthening Privacy) Bill 2018" ensures: > - see > https://www.myhealthrecord.gov.au/for-you-your-family/howtos/frequently-asked-questions > - > > QUOTES > o Which doctors and other healthcare providers can look at my health > information? > Only healthcare provider organisations involved in your care, who are > registered with the My Health Record System Operator, are allowed by law to > access your My Health Record. This may include GPs, pharmacies, pathology > labs, hospitals, specialists and allied health professionals. > > o Can the police, Centrelink and ATO access my record? > Under new Health Record privacy laws, no information can be released to law > enforcement or a government agency without your consent or an order from a > judicial officer. > > o Can an insurance company or my employer access my record? > Under new laws, no-one is permitted to access, or ask you to disclose, any > information within your My Health Record for insurance or employment purposes. > > o Can My Health Record data be used for commercial purposes? > Under new laws, the My Health Record system cannot be privatised or used for > commercial purposes. Only a government organisation will ever be able to > manage the My Health Record system. > END QUOTES > > However I detect the presen
Re: [LINK] MHR - letter to local paper
On 28/01/2019 10:45 AM, Karl Auer wrote: Once you have a My Health Record, you cannot delete it, only "cancel" it. A cancelled record remains available to the Government. The Government says it will delete your record on request, but the sad fact is that they will probably not be able to. I got push back from MyHealth Record on twitter again re deletion, saying they implemented the delete function on 24 January. https://twitter.com/MyHealthRec/status/1089734951757664258 "Hi there, yes the ability to permanently delete a My Health Record, including any backups, was made available on 24 January 2019. For more details, see:" (their website) Next? Jan -- Melbourne, Victoria, Australia jw...@janwhitaker.com Twitter: @JL_Whitaker Blog: www.janwhitaker.com Sooner or later, I hate to break it to you, you're gonna die, so how do you fill in the space between here and there? It's yours. Seize your space. ~Margaret Atwood, writer _ __ _ ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
Re: [LINK] MHR - letter to local paper
On Monday, 28 January 2019 15:37:55 AEDT Bernard Robertson-Dunn wrote: > If the data can be got elsewhere, all bets are off. FYI, the system is > designed to get copies of data held elsewhere. That certainly seems to be the case. The Amendments are enacted separately, and the legislation would be easier to understand if "My Health Records Act 2012" (the Act) were updated so everything could be read in context. The Amendments appear to insert a new Sc. 69A into the Act "Disclosure to designated entity under order by judicial officer" which begins: --- (1) If an entity that is: (a) an agency, or a State or Territory authority, within the meaning of the Privacy Act 1988; and (b) not a court, tribunal or coroner; (a designated entity) presents to the System Operator an order made under this section, the System Operator must comply with the order. --- Presumably that means the state police forces are designated entities. But as Bernard points out, once the data is on their system the MyHealthRecord restrictions no longer apply. Furthermore, the NSW "Health Records and Information Privacy Act 2002 No 71" exempts the NSW Police so they're conveniently free to acquire MyHealthRecord data, and I'm sure they'd be happy to pass it on to any Commonwealth agency. David L. ___ Link mailing list Link@mailman.anu.edu.au http://mailman.anu.edu.au/mailman/listinfo/link
