As mentioned at the beginning of this submission, Australian unions believe that the MHR system can bring real benefits to Australians both as patients and workers in the health system. The issues we have outlined above are not intended as arguments against why such a system should be implemented, but as a list of issues to address. To this end, our proposed solutions to some of these issues can be found below:

  • Directly including a clause similar to s14(2) Healthcare Identifiers Act 2010’s (Cth) into the MHR Act that excludes access for the purposes described in that clause. The exclusion should clearly apply irrespective of how the MHR is accessed (i.e. using a IHI or Medicare number, etc) and also cover access during employment and not just recruitment.Some allowance has to be made for the sharing of information based on consent from the patient, but consent needs to be clearly delineated in the legislation and needs to rely on clear, informed consent of what the patient is agreeing to. Consent also needs to be purpose-based and be considered to expire when the purpose does;
  • ‘enforcement bodies’ should include only crime enforcement agencies seeking access for the purpose of investigating crime and authorisation should require a court order;
  • Non-compliance with MHR requirements around privacy must include significant penalties for both organisations and individuals;
  • Legislative obligations around data security, privacy, probity etc must also apply to the holder of the database, not just those accessing it;
  • Legislative safeguards against privatisation or commercialisation of the database;
  • Clearer and easier to use controls over data upload;
  • Taking measures aimed at increasing the default privacy settings for those automatically opted-in;
  • Consideration should be given to the longevity of MHR data and the impacts that new data types being included in MHRs may have;
  • The legislation ought to be amended to remove the System Operator’s capacity to delegate access to individuals’ personal health information other than to those entities already prescribed in s98. Further, contractors providing services to registered healthcare providers should not gain access without a patient’s explicit consent; and
  • In light of the above, the opt-out date should be extended to allow these issues to be addressed.