The Senate has passed a bill enabling the federal government's planned national cancer screening register after the government agreed to fix privacy holes pointed out by the Information Commissioner.
Legislation backing the register - which will be run by Telstra under a $220 million deal - went to parliamentary committee for scrutiny after Labor and the Greens raised issues with its drafting.
The Senate standing committee on community affairs this week tabled its report on the legislation, recommending the government "closely consider" amending the bill in line with the advice of Information Commissioner Timothy Pilgrim, who raised a number of privacy concerns.
Pilgrim pointed out the draft legislation authorised the use of personal information contained in the register for research purposes, bypassing a framework within the Privacy Act set up to grant exemptions for data access in the case of health research.
He said the bill also allowed the register to collect comprehensive Medicare claims information, rather than just information related to bowel and cervical cancer screening.
"Considering the sensitivity of Medicare claims information, only the specific Medicare claims information necessary for the purposes of the register should be collected," Pilgrim advised.
The bill similarly allowed register data to be handled for any purpose that is "incidental" to the register's stated purpose. Pilgrim said this presented a risk that "information may be used or disclosed for more expansive purposes than initially intended".
Noting the controversy around Telstra's appointment as the outsourced operator, Pilgrim said it would be worthwhile considering extra data breach reporting requirements under the Privacy Act, in line with those already required under the My Health Records Act.
The government agreed to update the draft legislation to address the concerns, adopting all of Pilgrim's recommendations, and the bill subsequently passed the upper house today.
Among the legislative changes is a requirement that Telstra notify the Department of Health and the Information Commissioner when it becomes aware of a data breach.
The bill passed the Senate despite both Labor and the Greens raising objections against the appointment of Telstra as the service provider.
The parties took issue with the register being handed to a private sector entity rather than a government organisation, but were knocked back in their attempts to change the law to prohibit the register from being operated by a for-profit business.