A lesson from the Australian Government.
Privacy missteps are eroding the public’s trust in the Government’s ability to achieve ambitious digital projects, and risking trust in the very notion of government itself.
The corrosive effects of privacy debacles are cumulative, with hashtag-worthy government disasters like #Censusfail colliding in public consciousness with the re-identification of MBS/PBS data, bumping up against the cruelty of #Robodebt and the stupidity of declaring a war on maths, and flaring into outrage at a Minister’s unpunished disclosure of a welfare recipient’s personal information to a journalist.
Each privacy catastrophe eats away at the public’s trust in successive government projects, before they even get off the ground. Reasons people have given for opting out of the My Health Record system have included fear of misuse by the government of the day, citing both Robodebt and the weaponisation of Centrelink records by Minister Tudge. And then in turn, mistrust in My Health Record has been referenced in multiple submissions to PM&C’s Issues Paper on the proposed Data Sharing & Release Bill, as a way of illustrating the dangers of proceeding without caution and due respect for privacy and security.
As tech commentator Stilgherrian noted on the day the opt-out process opened – and the system crashed because of the level of demand – “When citizens rush to opt out of an Australian government service, it says something about their levels of trust. When the system falls over under heavy load, it proves them right”.
Waleed Aly has drawn together the Government’s disregard for the privacy of individual citizens with recent revelations about political interference with the ABC: “the pact is broken… this is a time of unprecedented demands, unprecedented capitulations and inevitably, unprecedented dysfunction”. Regardless of whether you care about privacy as a human right, we all should care about the decline of community faith in democracy and our public institutions.
So how did we get here?
Taking the unfolding disaster that is My Health Record as an example, let’s examine exactly how a government manages to lose its social licence to hold or use our data.
Step 1: Shift responsibility for risk management on to the individual
Research into community expectations about privacy has shown, time and time again, that the majority of people believe that a shared electronic health record should be something a patient chooses to have. And, by the way, when asked, the majority would choose not to have one.
Why would anyone not want all the benefits of a shared electronic health record? Well, for lots of reasons, it turns out.
People who might face discrimination, harassment, family shaming, blackmail or loss of employment as a result of the sharing of their health records include mental health patients, sexual health patients, HIV patients, teenagers, women who have had terminations, people in family court disputes, and people undergoing employment-related health checks.
In some cases, it won’t necessarily be clinical records which create the risk for an individual, but the potential exposure of their home address to hundreds of thousands of people, some of whom could be intent on doing harm. This can pose a risk for victims of family violence, serving police officers, members of the armed forces or the judiciary, public figures, and foster parents and the children in their care.
The decision to shift the enrolment model for My Health Record from opt-in to opt-out was always going to be controversial, but in my view for some people it will be downright dangerous.
Without a fully informed decision by every competent individual about where their personal risk-to-benefit ratio sits, an opt-out system is a ticking time bomb. Someone is going to get hurt.
Does the government really think that every Australian adult knows that they are going to have their health information shared if they don’t opt-out by mid-November?
Some Australians will be pushed into this scenario of heightened privacy and safety risks by a government program they don’t even know existed. Others might know the program exists, but won’t have understood the extent to which the sharing of their My Health Record could create risks for them, because they have been lulled into a false sense of security by hollow promises about privacy protections.
And this is the central problem with making the system opt-out. It takes responsibility for making a critical decision out of the hands of the individual most affected by it. An opt-out approach to a shared eHealth record is paternalistic government, and paternalistic healthcare, at its worst.
But it also shifts responsibility for managing privacy risks onto the individual, who did not necessarily choose to be in the system, and who may not be fully informed about the risks. Because to be fully informed, we as citizens, and we as patients, need thorough explanations about how the system works, and how it might impact on each of us, both good and bad. Those explanations need to be available in multiple languages, for teenagers, for the elderly, for people with intellectual disabilities. Not ads on buses, or substance-free glossy brochures gathering dust on the GP’s reception desk.
Step 2: When people raise privacy concerns, talk about security instead
This tactic is straight from the #Censusfail playbook. Whenever anyone, from journalists to members of the public to privacy advocates, starts to ask questions about privacy (like: Why should you have my information? and What are you going to do with it? and Who will have access to it, under what conditions, for what purposes?), completely ignore those valid questions and talk about information security instead.
Step 3: When people keep raising privacy concerns, give them spin instead of truth
Of course, it turns out that those claims by Health Minister Greg Hunt about bank-grade security and military-grade security are just spin. Worse, the Minister’s claims that there have been ‘no data breaches’ are demonstrably false.
Legitimate concerns have been raised about access to the record by third parties, from medical professionals not involved in the patient’s care, to law enforcement agencies and insurance companies. (Insurance companies have not done the government any favours, with both NIB and Medibank openly salivating at the prospect.)
The official line has been to hose down those concerns, suggesting that no such thing is possible. But note the slippery language used by both the Minister and the Australian Digital Health Agency (ADHA) on this issue. They talk about who “can” or who is “allowed” or “authorised” to access a patient’s My Health Record, which is not the same as “for whom it is actually possible”. For example, in response to questions about insurers gaining access, ADHA told the media that the “only healthcare providers authorised to access a healthcare recipient’s information in a My Health Record are those who are providing healthcare to the individual.” Similarly, the main My Health Record information page for individuals says only that “any providers who are involved in your care can see this information”; it doesn’t explain how the system knows (or doesn’t know) who is actually ‘involved in your care’, and doesn’t explain whether providers not involved in your care are also capable of accessing your record.
As the journalist noted, ADHA “did not respond to a question about whether a health fund with a member’s consent and with the purpose of providing health advice, could access that person’s My Health Record”. Given the scope of section 66 of the My Health Records Act, the privacy concerns about this type of scenario seem entirely valid.
But to my mind, even more worrying is the ease with which something like 900,000 people who work in the healthcare system will have access to patient records in the My Health Record system. While the law says that those workers should only access your file if you happen to be their patient at the time, the system has not actually been designed that way. The controls on access are much looser than the public has been led to believe.
Journalists have exposed the reality. The only details that one of those 900,000 or so healthcare workers needs to know about you, in order to gain access to your My Health Record, are your name, gender and date of birth.
(While in theory, the authorised user also needs to know your Individual Healthcare Identifier, they can find that out from the first nine digits of your Medicare card number. And if they don’t know your Medicare card number, they can use a different system, HPOS, to look up your Medicare card number, based only on your name, date of birth and gender. It was the ease of access via HPOS which led to Medicare card details being found for sale on the dark web.)
Just let that sink in for a bit. Name, date of birth and gender is all that stands between your health record and its misuse. If I was a nurse for example, I would already know, or be able to quickly find out, the name, date of birth and gender of my ex-partner; certainly my friends and family members; maybe my neighbours, colleagues, members of my basketball team or book club, and perhaps even that teacher who has been giving my kid bad grades; and no doubt plenty of celebrities, politicians and sports stars. And as a result, I could look up their My Health Record, even if they had never set foot in the hospital where I work.
We all know that the law is not enough to stop privacy breaches. Some people will be motivated by curiosity, greed, revenge, jealousy, hatred or the pursuit of power or a political agenda to look up and misuse a patient’s record, even when they know they are not supposed to. Even when the law says it is illegal. Even when they have been warned they could be sacked. It happens in hospitals now. It happens in police forces. It happens in banks.
Some people will do the wrong thing. If you really care about protecting customers’ privacy, you build in technical controls, and enforce a security culture, to make attempted misuse as difficult as possible. But that’s not the way My Health Record has been designed.
For ADHA to respond to these risks with the statement that “It is illegal for non-authorised staff to access medical information of any sort” is disingenuous at best, and downright misleading and dangerous at worst.
It is about as naïve and useless as building a bank vault with an unlocked door and no alarms, but telling customers their money will be safe because it is illegal to steal.
Making something illegal isn’t enough; the My Health Record system design should actively prevent the likelihood of misuse with proper security controls.
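To make the point about technical controls concrete, here is an added illustration (not code from the post, from ADHA or from the My Health Record system) contrasting a lookup design like the one described above, where name, date of birth and gender are enough, with a hypothetical design that gates access on a registered care relationship and routes everything else through a logged break-glass path. All patients, identifiers and class names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


# Constructed sample data: placeholder identifiers, not real IHIs or people.
@dataclass(frozen=True)
class Patient:
    ihi: str          # Individual Healthcare Identifier (placeholder value)
    name: str
    dob: date
    gender: str
    record: str       # the clinical content being protected


@dataclass
class AuditEntry:
    staff_id: str
    ihi: Optional[str]
    outcome: str      # "granted", "break_glass" or "denied"
    reason: str = ""


class DemographicLookupStore:
    """Models the weak design the post describes: any authorised worker can
    pull a record knowing only name, date of birth and gender."""

    def __init__(self, patients):
        self._patients = list(patients)
        self.audit = []

    def read(self, staff_id, name, dob, gender):
        for p in self._patients:
            if (p.name, p.dob, p.gender) == (name, dob, gender):
                self.audit.append(AuditEntry(staff_id, p.ihi, "granted", "demographic match"))
                return p.record
        self.audit.append(AuditEntry(staff_id, None, "denied", "no match"))
        return None


class CareRelationshipStore:
    """Hypothetical hardened design (an assumption of this example): access
    requires an active, registered care relationship between worker and
    patient, or an explicit break-glass declaration that is logged for review."""

    def __init__(self, patients):
        self._patients = {p.ihi: p for p in patients}
        self._active_care = set()   # (staff_id, ihi) pairs for current episodes of care
        self.audit = []

    def open_episode(self, staff_id, ihi):
        self._active_care.add((staff_id, ihi))

    def close_episode(self, staff_id, ihi):
        self._active_care.discard((staff_id, ihi))

    def read(self, staff_id, ihi, break_glass_reason=None):
        patient = self._patients.get(ihi)
        if patient is None:
            self.audit.append(AuditEntry(staff_id, ihi, "denied", "unknown ihi"))
            raise PermissionError("record not found or not accessible")
        if (staff_id, ihi) in self._active_care:
            self.audit.append(AuditEntry(staff_id, ihi, "granted", "active care relationship"))
            return patient.record
        if break_glass_reason:
            # Emergency access still works, but it is recorded for mandatory review.
            self.audit.append(AuditEntry(staff_id, ihi, "break_glass", break_glass_reason))
            return patient.record
        self.audit.append(AuditEntry(staff_id, ihi, "denied", "no care relationship"))
        raise PermissionError("no active care relationship")


def accesses_for_review(audit):
    """Detection view: every break-glass access and every denied attempt is
    something a privacy officer should look at."""
    return [e for e in audit if e.outcome in ("break_glass", "denied")]


SAMPLE_PATIENTS = [
    Patient("IHI-0001", "Jane Citizen", date(1980, 4, 2), "F", "record-A"),
    Patient("IHI-0002", "John Citizen", date(1975, 9, 15), "M", "record-B"),
]


def demo():
    weak = DemographicLookupStore(SAMPLE_PATIENTS)
    hardened = CareRelationshipStore(SAMPLE_PATIENTS)
    hardened.open_episode("nurse-17", "IHI-0002")   # nurse-17 is treating John only

    results = {}
    # Weak design: demographics alone are enough, whatever the worker's relationship to the patient.
    results["weak_no_relationship"] = weak.read("nurse-17", "Jane Citizen", date(1980, 4, 2), "F")
    # Hardened design: same worker, same patient, no care relationship, so the read is refused.
    try:
        hardened.read("nurse-17", "IHI-0001")
        results["hardened_no_relationship"] = "granted"
    except PermissionError:
        results["hardened_no_relationship"] = "denied"
    # Hardened design: the worker's actual patient is readable.
    results["hardened_own_patient"] = hardened.read("nurse-17", "IHI-0002")
    # Break-glass is possible but leaves a reviewable trail.
    results["break_glass"] = hardened.read("nurse-17", "IHI-0001", break_glass_reason="ED triage")
    results["review_count"] = len(accesses_for_review(hardened.audit))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The difference between the two stores is not the law that applies to the worker but what the system itself checks before returning a record; in the second design the refused read and the break-glass read both land in the audit trail, which is what an access-review process needs.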
Step 4: Pressure or silence critics
When claims by the Minister and ADHA that law enforcement access would require a warrant were contradicted by everyone who could be bothered reading what the legislation actually allowed, from the Queensland Police Union to journalists, advocates and the non-partisan Australian Parliamentary Library, the Department of Health complained and had the Library remove then edit its article to remove elements contradicting the Minister, while the Minister called journalists to tell them they were wrong.
Of course, the critics were right, and the Minister had to quickly draw up legislation to amend the law so that it would do what he had said it already did.
Mind you, Minister Hunt only acted once the peak medical profession bodies started speaking up for patient privacy in relation to law enforcement access. The medical profession has not been so strong on advocating for better access controls on doctors themselves, so that issue has been ignored.
The back-downs by critics have been achieved even at an individual level. Coalition MP Tim Wilson caused a stir when on 23 July he announced he had opted out, and said “my instinctive position should always be as a Liberal that systems should be opt-in and people should be able to freely choose to opt into a system rather than have to go through the process of opting out”.
But once the Minister said he would introduce legislation about limiting law enforcement access, Wilson suddenly changed his tune and on 31 July tweeted “Elated the Health Minister will fix Labor’s flawed MyHealth legislation. These changes address the principle concerns I had with MyHealth”.
Wilson’s position ignores the fact that it was his own Government which made the switch from opt-in to opt-out that he had ‘instinctively’ reacted against, and the ‘fixes’ proposed by Minister Hunt didn’t reverse that position at all.
Step 5: Bring down the shutters on transparency
According to ZDNet, after the first day of the opt-out period, when so many people attempted to opt-out that the system crashed and phone lines were jammed, but nonetheless embarrassingly for the government 20,000 people managed to opt-out, the government stopped releasing statistics. Indeed, Stilgherrian alleged that the government “has even stopped collecting the statistics, so they can’t subsequently be obtained under freedom of information laws.”
However when giving evidence before a Senate inquiry, the CEO of ADHA admitted that at least 900,000 people had opted out by 12 September.
Step 6: Ignore the security warning bells
The Chief Information Security Officer of ADHA has described the weakest link, in terms of the information security risks of the My Health Record, as the systems used in GP clinics, over which neither the federal nor State governments have any control. He described the risk as having My Health Records “sitting on a Windows XP machine that has vulnerabilities up the kazoo”.
Add to this the undermining of access controls via HPOS, warnings about lax security culture in hospitals, and evidence of appallingly poor data security practices within aged care, and you have a perfect storm of information security risks.
But sure, make healthcare providers sign something saying they will look after data security, and ADHA can wash its hands of the issue.
Step 7: Don’t learn any lessons from other failed projects
Australia Card. Access Card. Google Buzz. Google+. Cambridge Analytica.
The lessons are there: privacy matters to voters and consumers more than politicians, public servants and Big Tech ever seem to realise. And so we are doomed to repeat the same mistakes.
Step 8: Fail to heed expert advice
A Privacy Impact Assessment was commissioned in 2014 on the proposal to switch from opt-in to opt-out. But many of its recommendations were not followed. Critically, a proper communications campaign to target every single affected individual, to warn them about the system and the choice they should make, was not funded. And given the report was prepared prior to public knowledge about the HPOS lookup system undermining key security controls on access to the My Health Record system, you could question the extent to which the assumptions upon which the report’s findings rested are even still valid.
(Full disclosure: I was a member of the team that worked on that PIA report. So by all means take my comments as sour grapes with a grain of salt, so to speak.)
Step 9: Don’t read the mood
Everything has changed, in terms of attitudes to privacy, since the decision was made in 2014/15 to switch to opt-out.
Since 2014 we have had Censusfail, Robodebt, mandatory data retention, the federal police swiftly breaching their own limitations on accessing telco data, a welfare card linked to drug testing, a Minister releasing information about a welfare recipient to the press, the OAIC’s defence of that practice as lawful under the Privacy Act, Medicare numbers for sale on the dark web, dodgy health apps which link to My Health Record data, and now Bills to allow covert access to our smartphones and other devices, and override all privacy and secrecy laws protecting personal information held by government.
Add to these recent own goals the Facebook / Cambridge Analytica revelations, which served to remind us that political parties exempted themselves from the Privacy Act’s requirements of fairness, accuracy, transparency and data security – a situation described by one Twitter commentator as “trust sulphuric acid”.
Throw in the commencement of the GDPR, and you can understand why public concerns and expectations about privacy protection have risen to a whole new level.
As Fairfax economics editor Peter Martin warned, when analysing the impact of the Centrelink ‘robodebt’ program, the failed promises and the targeting of dissenters: “Eventually we will become so sceptical that we will become impossible to win over, no matter how good the budget.”
People either no longer believe anything they hear from politicians, or they have stopped listening entirely. Polling in 2017 indicated that only 26% of respondents thought the government could be trusted, “the lowest level since the poll began this measure in 1969.”
This loss of trust is not just about privacy, but has profound implications for the future of our democratic system of government. For government programs, agencies and democratic institutions which rely on voluntary participation and compliance – everything from voting to taxation – you need the public to trust that their personal information will not be misused by government.
So to introduce dramatic shifts in the nature of the relationship between government and citizen – let alone between doctor and patient – you need a clear social licence. In other words, you need community trust and acceptance.
But the social licence that the Australian Government had in 2014 does not exist any more. They blew it, like a P plater speeding through a red light with an open bottle of beer.
They are going to have a tough time earning it back.
Photograph (c) Anna Johnston