The Department of Human Services fields thousands of requests for Pharmaceutical Benefits Scheme (PBS) and Medicare Benefits Schedule (MBS) data from state and federal policing agencies each year, complying with the vast majority of them.

The information released can, if detailed enough, paint a picture of a person’s medical history, including, for example, any history of mental health issues, HIV, abortion or sexually transmitted diseases.

No warrant required

And unlike My Heath Record, no warrant or court order is needed for the Department to release the information. Instead, it uses its own internal guidelines to decide how it will respond to a police request. These guidelines, which were created more than a decade ago, have not been updated and are not available to public.

Until recently, there has been no imperative to release these guidelines until The Medical Republic, a specialist media publication, won a freedom of information battle to have them brought out into the open.

According to the guidelines, department officials are required to consider whether the disclosure of private health data is necessary, and not merely convenient or helpful. They are also meant to check whether the information is available through other channels.

Department officials are also supposed to consider whether releasing the private health information is in the public interest as distinct from any private interests of the person seeking the information.

In the guidelines, the “public interest” is broadly defined as anything relating to national security, major crime, the administration of criminal law, or public safety.

The guidelines give concrete examples of situations where disclosing private health data to police is in the public interest, such as to assist with police investigations into serious criminal offences, but also states that “these examples are not to be read as in any way limiting the circumstances in which the release of information may be regarded as necessary in the public interest”.

Vague guidelines spark privacy concerns

It is precisely the vague nature of the guidelines that has privacy and civil liberties advocates concerned. While the Department says it takes it’s privacy responsibilities “very seriously” and complies with all the relevant legislation, many remain at risk of having personal information disclosed without their consent or even knowledge.

There are calls for the guidelines to be updated in line with legislation which governs My Health Record privacy and disclosure. In that regard, laws were introduced in 2009 which require police to obtain a court order to access My Health Record data.

The Department of Human Services website, which covers the agencies: Centrelink, Medicare and Child Support, outlines its privacy policy as follows:

“We are bound by strict confidentiality and secrecy provisions in social security, families, health, child support, redress and disability services law. These provisions limit how we use your information and when and to whom it can be released. We also have obligations under the Privacy Act 1988.”

When you dig deeper into the policy by following relevant page links, the Department discloses how it collects information (including via monitoring the website pages you visit as well as social media), and who it shares that information with. The list is extensive.

Your right to privacy

The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and other businesses and organisations handle our personal information.

The Act contains 13 Australian Privacy Principles which regulate collection, storage, access to and disclosure of personal information.

Under the Act, personal information is only meant to be collected for a lawful purpose, and your stated rights include:

  • Being informed what kind of information is being collected about you and how that information is collected.
  • Understanding why your personal data is collected
  • Being able to access your personal information, review it and have it corrected if it is incorrect.
  • To have your data stored securely, protected from interference or misuse, and to be informed of any data breaches that affect you.

The Freedom of Information Act 1982 enables individuals to access their personal information that is held by a business or a government organisation.