It may be surprising to some that, in Australia at least, there is no fundamental right to privacy. There are laws that protect aspects of your confidential information, including the Privacy Act 1988 (Cth) and associated Privacy Principles, that impose sanctions on those who fail to properly deal with private data. Common law remedies also exist in theory; however, there is no readily accessible statutory cause of action that allows a privacy breach victim to claim for their emotional distress and other damages. This gap in our law was the subject of a 2014 Australian Law Reform Commission Report, to which the Australian government has never formally responded.
Instead, since late February 2018 we now have a mandatory requirement for various entities, including government and larger businesses, to report breaches of privacy. If your data is compromised (accessed by those who are not authorised), you must be notified and suggestions offered on ways to mitigate any impact. If your credit card details are leaked, for example, a suggestion might be to cancel those cards to prevent unauthorised use.
Under this new law, you will know exactly when your privacy was compromised. Cold comfort perhaps; however, the intent is that a process of reporting will ultimately lead to better protections.
Of course, not all private information is the same. It is hard to imagine what should be done to mitigate the impact of a breach of personal medical information. Once disclosed, such information cannot simply be cancelled – it remains true, sensitive and open to abuse no matter what is done in response.
Which brings us to yet another crossroads in the privacy debate. As of the end of 2018, all Australians will have their own online e-health record – known as My Health – unless we each take action to opt out within a specified 3-month window, yet to be announced. Once created, private medical information will be continually uploaded by GPs, pharmacies, medical specialists, pathologists and the like, to create what is intended to be a comprehensive record of your health history. This then becomes accessible by other medical professionals, to assist in providing you with improved future health care. The information is also said to be used in a more general sense, to provide data and therefore potential insights into various issues of national significance and beyond.
Of course, the system is said to be protected by various levels of sophisticated security. This claim must be tempered by the view of some IT commentators that true data security is no longer possible – that all data is ultimately accessible to those who seek it. The health sector is currently responsible for over a quarter of all notifiable data breaches, as outlined in the first report under the new disclosure legislation. The federal Health Department itself has also been in direct breach of privacy law, when in mid-2016 it released de-identified health data on 2.9 million people – 10% of all Australians – that was able to be re-identified using information readily available elsewhere.
One thing is clear: the law is not able to physically protect your private information. It can only respond to breaches that have already occurred. Allowing your private information to exist outside of your direct personal control then becomes a question of risk versus benefit.
We advocate that everyone should be aware of the facts on the collection, storage and use of their private information, to enable informed decisions and, where possible, the knowledge to control that process.
For more information regarding My Health records and your rights, visit myhealthrecord.gov.au.