The Australian Digital Health Agency, overseer of the My Health Record, has expressed concern at the number and type of "potential" data breaches it is being forced to disclose.
In a submission to the Privacy Act review [pdf], the agency (ADHA) asks for changes to the My Health Records Act under which it operates, and for “harmonisation” of data breach rules with those in the Privacy Act.
ADHA said the Act under which it operates requires both “actual and potential breaches” to be reported, a “first of its kind in national legislation”.
“The My Health Record data breach scheme was intended to provide transparency for consumers and the public about the safety and reliability of the My Health Record system,” ADHA said in its submission.
“However, the definition of a breach under section 75 of the My Health Records Act 2012 is very broad and substantially differs from what the community may reasonably consider to be a ‘breach’.
“It also differs substantially from the notifiable data breach scheme requirements under the Privacy Act.
“One key difference is that mandatory reporting of data breaches under the My Health Records Act is required even where there may be no adverse impact or likely to result in harm to a consumer. This may also require notification to individuals if they are affected by the notifiable breach – even where there is no risk of harm.”
Under the current law, ADHA and its health partners that interact with My Health Records must disclose even unsuccessful access attempts and false positives.
That has meant that in years past ADHA has had to report - and declare - dozens of “breaches”.
The agency said in the Privacy Act review submission that it “would support some harmonisation of the My Health Record data breach requirements with those under the Privacy Act.”
ADHA said later in the same submission that while “it is appropriate that the privacy protections in the My Health Records Act continue alongside the broader protections set out in the Privacy Act, nevertheless [it] considers that some changes to the My Health Records Act should be canvassed, including further alignment with Privacy Act concepts.”
Some changes may already be in train, with the Department of Health raising similar arguments in a review of the My Health Records legislation that ran for about a month late last year.
A report stemming from that review is already with the Health Minister, according to the department's website.
In a consultation paper [pdf] released for the review, Health said that one of the “criticisms” of the health record scheme “is that the MHR Act requirements are more demanding and indeterminate than the Privacy Act requirements.”
“The key criterion in the Privacy Act is that a data breach could result in ‘serious harm’ to an individual. That aligns with a central purpose of a DBN [data breach notification] obligation – to notify individuals who may be affected by a data breach so that they are properly informed and can if necessary take precautionary action,” the department said.
“By contrast, it may be unclear or speculative whether an event may compromise the ‘security or integrity’ of the MHR ‘system’. Nor is there any requirement that the matter being notified to the OAIC [Office of the Australian Information Commissioner] posed any risk to a healthcare recipient.
“It is said that many MHR matters notified to the OAIC posed no such risk and were inconsequential so far as personal privacy protection risks were concerned.
“Examples are an incorrect Medicare data entry that was promptly rectified, and an unauthorised but unsuccessful attempted data entry on an administrative support system.”
Privacy watchdog's opposition
The OAIC is largely against ADHA's proposal, and believes My Health Record should remain subject to the more stringent data breach reporting standards.
"The OAIC is concerned that the lower data breach notification threshold required for information held in the MHR system was designed as a privacy enhancing measure, given that the MHR system is a searchable network of connected registered repositories storing sensitive personal information," it said in a submission [pdf] to the Department of Health review.
"The lower threshold [also] ensures data breach reporting that may not relate to incidents giving rise to serious harm, but which may point to systemic issues in the ecosystem.
"For example, most notifications to the OAIC related to intertwined Medicare records. While a test of serious harm to affected individuals may not have been met, it did point to system faults that required remediation.
"The requirement to report these provides accountability of the system operator in remediating these issues."
The OAIC added that if data breach notifications were "harmonised" in the future, as ADHA advocates, "other measures would need to be established to counter any resultant risks."