She’ll be right mate: Privacy edition

With the royal commission showing that bank staff are busy working out how to keep billing dead customers, or busy coming up with reasons to explain why they have charged fees for services not provided, its no wonder that there isn’t enough time to train staff in Australia properly:

No. 1 by a country mile!

Now, I am a believer that the imminent My Health Record benefits will outweigh the privacy issues. I also am not sure how much more at risk my records are sitting in a government database vs sitting in a variety of different doctor’s homemade systems and/or filing cabinets.

But I suspect that this is not the right post to try to convince you not to opt out…

Follow me

Damien Klassen

Damien has a wealth of experience across international equities (Schroders), asset allocation (Wilson HTM) and he helped create one of Australia’s largest independent research firms, Aegis Equities. He lectured for over a decade at the Securities Institute, Finsia and Kaplan and spent many of those years as the external Chair for the subject of Industrial Equity Analysis.
Follow me

Latest posts by Damien Klassen (see all)


  1. reusachtigeMEMBER

    No way I’m having my health records available online! What if someone I’m having relations with gets hold of them on the dark web?

    • All it takes is for someone in the data center in India to backup the entire database to a USB stick. This will not trigger any notification.

      This is how Telstra lost its customer database five years ago, and why Telstra customers are targeted by spam callers, often telling them their Internet can be upgraded or their PC has a virus.

      Recent government tenders say that 20-30% of the work must be offshored to save money. Your data will be used and abused outside Australia.

  2. darklydrawlMEMBER

    Whilst I agree that the security on the Government site is likely better than many local GP’s and clinics, it is much, much more complicated pulling all that data together than having it all accessible at a single point.

    Do you really what that hot girl / guy you just met on Tinder (who happens to work in health) being able to pull up your enitre medical record? “oooh, had a few STD checks… interesting….”. or “How many abortions?!!”. Too many fingers in a single pie for my tastes – (hmmm, this maybe why I never get invited to Reus’s parties)…..

    • You get notified if anyone looks at your record and that person then has to explain why they looked if there aren’t obvious reasons, they’d probably lose their job in such case…but you know, they’d know you had that weird drug resistant gonorrhoea.

      • The Penske FileMEMBER

        Being notified that your privacy has been breached doesn’t make it right. Pretty ordinary argument.

      • @The Penske File
        Didn’t say anything about ‘making it right’, just indicating there are repercussions for the person that goes poking around without consent.

      • You get notified IF the system works as designed and IF it has no backdoors.

        Sadly, systems rarely work as designed and governments love backdoors. Sending out emails on every “read” operation that occurs on a record would spam the crap out of Australia. So they’ll scope it so that only if a non-government person calls a ‘read’ on that data. Then that risks embarrassing their private partners, so they’ll scope it as “Non-Government, non-trusted companies”.

        The reality is that once the data is stolen, its basically public domain. Some people will try stealing the data just for the cred that comes with being the guy who stole the data. So we can’t even rely on the hope that at least if its a malicious actor, maybe they’re not interested in us specifically.

      • You get notified if anyone looks at your record and that person then has to explain why they looked if there aren’t obvious reasons, they’d probably lose their job in such case…but you know, they’d know you had that weird drug resistant gonorrhoea.

        Getting a request to access you have to approve, would be a much better idea, and hardly difficult to implement in this day and age.

  3. Small doctors office records are easiet to break in and steal but reward is so small that none will ever try (it’s not worth to waste one hour to get access to hundred records of anonymous people ). On the other side spending months to get millions of records including those from famous people sounds attractive .

    Data centralization is bad

    • This is exactly right.

      …although I’m not 100% sure I agree with the point you make about soendung nonths.

    • reminds me of that part of wall street where charlie sheens character breaks into a law office disguised as a janitor to steal their records

  4. proofreadersMEMBER

    “No. 1 by a country mile!” Gold, gold, gold again to Straya – we are just soooooooooooo good at everything?

  5. Ronin8317MEMBER

    In future, employers will force job applicants to show their ‘My Health Record’ to get employed. It is not a privacy issue if you are showing it to them ‘of your own will’, right?

    • Know Your Enemy

      Don’t think I’d want to work for a company that asks for that.

      I work in health and had to disclose a bunch of personal health info (mandatory health check) anyway.

      • It starts at the fringes. I remember arguing with people when Facebook became all-public instead of just colleges. They were very sure that HR people are too out of touch and old to ever figure out how to look up a profile.

        Drug testing, security clearance requirements (government work) all spread from initial reasonable sources.

        I worked for a company which decided they wanted to generate a lot of interest….so they nicely suggested to staff that we all go ‘like’ their posts (about boring business stuff). It becomes pretty hard to say ‘no’ when you’ve got too much debt.

        Of course, once my debt level went down, I did say ‘no’.

      • Know Your Enemy

        Have had a think about this today and changed my position (and that is from the position of a well engaged health consumer, and someone who works in eHealth/IT/privacy) – agree with you.

        Spoke to a colleague and really the only people will access ever should be clinicians and family members/carers/those you give access to, or the hospital for break glass situations

        I think, too, people are forgetting that you can withdraw consent for GPs to upload stuff – so confidential stuff is not uploaded.
        Hospital discharge summaries (I think) can be deleted (remembering you can tell the hospital to exclude your DS from being sent to MHR and to your GP)
        Of course the two above points rely on super informed consumers – the change management team have failed on this and the operating principle should perhaps be consent is assumed not given until its explicitly obtained (at all points in health system)(

      • Don’t think I’d want to work for a company that asks for that.

        Eventually, you wouldn’t get a choice (assuming you want to be hired) unless you’re lucky enough to be in the few who can afford to say “no”.

        This would, of course, still be perfectly fine with the Libertarians.

  6. My mother works along the team that developed the eHealthRecord.
    Everyone on that team has opted out and made sure their families opted out!

    Speaks volumes

    • Know Your Enemy

      Deeply involved in ehealth privacy security space including MHR

      Neither I nor my family are opting out

      speaks volumes

      • The private health funds need the opt in’s to gouge first. One day your health is good and the next it’s not so how that works out for premiums and likewise for life insurance,etc.

      • The current Government has form on dipping into their databases to leverage your personal information (see Centrelink fiasco last year).
        The current Government clearly didn’t see a problem with police being able to access your data sans warrant.

        Does this not bother you ?

        To be clear, I think in principle MHR would be an immensely useful tool, but with little in the way of meaningful technical limitations controlling access and only marginally more in terms of governance and legislation, I’m steering clear of it.

  7. Let’s write to all MPs and ask them to confirm that they, personally, WILL NOT be opting out of myHealthRecord or not.

    Then collate and publish the data. Showing “yes” “no” and “did not respond” outcomes.

    Damien Klassen – can yo do that on behalf of the MB readership?

    • +100
      This is what Nassim Taleb is talking about when he bangs on about ‘skin in the game’.

      A simple concept, but powerful.

    • My experience is that small medical practices in rural, remote areas have low/poor IT security and may be a target for a back door entry into larger corporate / government schemes. Of course, the government has tried its best to limit this risk by limiting internet connectivity in these areas.

  8. Every financial planning firm, and ever broking firm in the country, is receiving commissions/trails on product, from clients they have never spoken to in many years.
    It is just a never ending joke.

  9. “I also am not sure how much more at risk my records are sitting in a government database vs sitting in a variety of different doctor’s homemade systems and/or filing cabinets.”
    You cant be serious ?
    The risk is that just like the census data the Feds will starve the Health Dept of funds who will then look at this huge treasure trove of data and sell it to private sector. The MSM wont report it until after its all done.

    • Know Your Enemy

      I’m not trying to say the issues raised above aren’t valid, but lets not assume your very, very enriched record sitting at the GPs with your longitudinal health record sitting in your GPs system is perfectly secure.

      If you are truly worried about your privacy, you are perfectly entitled to have an anonymous treatment (including at IHI level) and if that is impractical (i.e. Medicare does not AFAIK allow icoginito accounts for obvious reasons) i.e. due to chronic care and multi disciplinary care, then you opt out until they fix the obvious privacy issues.

      Is everyone satisfied at the security of the ATOs IT? DHS? etc?