Allowing call centres to access MyHealthRecord data is “a privacy disaster waiting to happen”
Allowing call centres to access MyHealthRecord data is “a privacy disaster waiting to happen”, according to the Australian Privacy Foundation
Despite the federal health minister’s insistence that patients would have ultimate control over who accessed their information, the system’s reliance on call centres to help individuals manage their accounts exposes a privacy vulnerability, the foundation says.
This security flaw was identified in 2011 by the law firm Minter Ellison, who recommended the government develop regulations to control what system operators could view.
Dr Bernard Robertson-Dunn, chair of the Australian Privacy Foundation’s health committee, said that the department had not yet done this nor enforced the “clear and robust framework required for the operation of the PCEHR system Call Centre” that was recommended in 2011.
A spokeswoman for the Federal Department of Health said the operators could view only sufficient information for registration purposes, and could not access health information.
She said the staff operating and maintaining the system were appropriately vetted and underwent police checks, and
that access to the MyHealthRecord system was monitored in order
to detect suspicious or inappropriate behaviour.
But Dr Robertson-Dunn pointed to the data leaks which had occurred in high security organisations by authorised users such as Bradley (now Chelsea) Manning and Edward Snowden.
“It only takes a one in a million chance of things going wrong for 20 Australians a year to have a serious data breach,” he said.
