A Bill for an Act to amend the My Health Records Act 2012, and for related purposes
The Parliament of Australia enacts:
1 Short title
This Act is the My Health Records Amendment (Strengthening Privacy) Act 2018.
2 Commencement
(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
| Commencement information |
| Column 1 | Column 2 | Column 3 |
| Provisions | Commencement | Date/Details |
| 1. The whole of this Act | The day after this Act receives the Royal Assent. | |
Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.
(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.
3 Schedules
Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.
Schedule 1—Amendments
My Health Records Act 2012
1 Section 5 (definition of enforcement body)
Repeal the definition.
2 Section 17 (heading)
After “Retention”, insert “and destruction”.
3 Before subsection 17(1)
Insert:
Records
4 Before subsection 17(2)
Insert:
Retention of records
5 At the end of paragraph 17(2)(b)
Add:
; or (iii) if, under subsection (3), the record is required to be destroyed because of the cancellation of registration of the healthcare recipient—when the System Operator is required to destroy the record under subsection (4).
6 At the end of section 17
Add:
Destruction of records after cancellation on request
(3) If the System Operator is required to cancel the registration of the healthcare recipient under subsection 51(1) (cancellation on request), the System Operator must destroy any record that includes health information that is included in the My Health Record of the healthcare recipient, other than the following information:
(a) the name and healthcare identifier of the healthcare recipient;
(b) the name and healthcare identifier of the person who requested the cancellation, if different from the healthcare recipient;
(c) the day the cancellation decision takes effect under subsection 51(7).
(4) The System Operator must comply with subsection (3):
(a) as soon as practicable after the cancellation decision takes effect under subsection 51(7); or
(b) if any of the following requirements apply before the records are destroyed under paragraph (a)—as soon as practicable after the conclusion of the matter to which the requirement relates:
(i) a court order requires the System Operator not to destroy records of the healthcare recipient;
(ii) the System Operator is required to disclose records of the healthcare recipient under section 69 or 69A;
(iii) the System Operator is required to disclose records of the healthcare recipient under a law covered by subsection 65(3).
7 Section 63 (note)
After “69”, insert “, 69A”.
8 Subsection 65(1)
Omit “Commonwealth, State or Territory law”, substitute “a Commonwealth, State or Territory law covered by subsection (3)”.
9 At the end of subsection 65(1)
Add:
Note: No State or Territory laws are covered by subsection (3).
10 At the end of section 65
Add:
(3) This subsection covers the following laws:
(a) this Act;
(b) the Auditor‑General Act 1997;
(c) the Ombudsman Act 1976;
(d) a law of the Commonwealth to the extent that the law requires or authorises the collection, use or disclosure of information for the purposes of performing the Information Commissioner’s functions in relation to the My Health Record system.
11 Section 67 (note)
Omit “may be limited”, substitute “on request may be limited because of the retention and destruction requirements under section 17”.
12 After section 69
Insert:
69A Disclosure to designated entity under order by judicial officer
Disclosure to designated entity under order by judicial officer
(1) If an entity that is:
(a) an agency, or a State or Territory authority, within the meaning of the Privacy Act 1988; and
(b) not a court, tribunal or coroner;
(a designated entity) presents to the System Operator an order made under this section, the System Operator must comply with the order.
(2) Except as mentioned in subsection (1) or in accordance with a law covered by subsection 65(3), a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient’s My Health Record to a designated entity.
(3) This section does not authorise the System Operator to use or disclose healthcare recipient‑only notes.
(4) If the System Operator uses or discloses personal information under this section, it must make a written note of the use or disclosure.
Application for and making of order
(5) A designated entity may apply to any of the following judicial officers:
(a) a magistrate of a State or Territory;
(b) a judge who is eligible under subsection 69B(2);
for an order under this section in relation to the disclosure, to the entity, of health information included in a healthcare recipient’s My Health Record.
(6) The judicial officer may make the order if:
(a) the designated entity satisfies the judicial officer, by information on oath or affirmation, that:
(i) the designated entity has powers or duties of the kind mentioned in subsection (7); and
(ii) if the designated entity has powers of the kind mentioned in paragraph (7)(a)—the designated entity has exercised or purported to exercise its power to require the System Operator to disclose information to which the order will relate; and
(iii) in all the circumstances, the particular disclosure of the particular information to the designated entity is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity; and
(iv) there is no effective means for the designated entity to obtain the particular information, other than an order under this section; and
(b) the judicial officer is satisfied that, having regard to the matter mentioned in subparagraph (a)(iii) and the privacy of the healthcare recipient, the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient.
(7) A designated entity has powers or duties of the kind mentioned in this subsection if:
(a) the designated entity has power under a law of the Commonwealth or a State or Territory (other than a law covered by subsection 65(3)) to require persons to give information to the designated entity; or
(b) officers of the designated entity are, in the ordinary course of their duties, authorised to execute warrants to enter premises and seize things found, including documents.
(8) The judicial officer must not make the order unless the designated entity or some other person has given the judicial officer, either orally or by affidavit, such further information (if any) as the judicial officer requires concerning the grounds on which the order is being sought.
(9) The order must:
(a) identify the healthcare recipient; and
(b) specify the particular information to be disclosed; and
(c) authorise one or more officers of the designated entity (whether or not named in the order) to obtain the information from the System Operator and require the System Operator to disclose the information to the designated entity; and
(d) specify the day (not more than 6 months after the making of the order) on which the order ceases to have effect; and
(e) state the purpose for which the order is made.
69B Judicial officers for orders under section 69A
Eligible judge of a court created by the Parliament
(1) A judge of a court created by the Parliament may, by writing, consent to be nominated by the Attorney‑General under subsection (2).
(2) The Attorney‑General may, by writing, nominate a judge of a court created by the Parliament in relation to whom a consent is in force under subsection (1) to be eligible for the purposes of paragraph 69A(5)(b).
(3) A nomination under subsection (2) is not a legislative instrument.
Magistrates
(4) A magistrate need not accept the functions conferred by section 69A.
(5) The Governor‑General may:
(a) arrange with the Governor of a State for the performance, by all or any of the persons who from time to time hold office as magistrates of that State, of the functions of a magistrate conferred by section 69A; or
(b) arrange with the Chief Minister of the Australian Capital Territory for the performance, by all or any of the persons who from time to time hold office as magistrates of the Australian Capital Territory, of the functions of a magistrate conferred by section 69A; or
(c) arrange with the Administrator of the Northern Territory for the performance, by all or any of the persons who from time to time hold office as Judges of the Local Court of the Northern Territory, of the functions of a magistrate conferred by section 69A.
Judicial officers exercising powers in personal capacity
(6) The functions conferred on a judicial officer by section 69A are conferred on the judicial officer:
(a) in a personal capacity; and
(b) not as a court or a member of a court.
(7) A judicial officer performing a function conferred by section 69A has the same protection and immunity as if the judicial officer were performing the function:
(a) as the court of which the judicial officer is a member; or
(b) as a member of the court of which the judicial officer is a member.
13 Section 70 (heading)
Omit “for law enforcement purposes, etc.”, substitute “in relation to unlawful activity”.
14 Subsections 70(1) and (2)
Repeal the subsections.
15 Subsection 70(3)
After “to use or”, insert “(subject to subsection (3A))”.
16 After subsection 70(3)
Insert:
(3A) The System Operator is authorised to disclose under subsection (3) only the information the relevant person or authority mentioned in paragraph (3)(b) needs to identify the matter or concerns mentioned in that paragraph with sufficient certainty to:
(a) initiate consideration of the matter or concerns; and
(b) if necessary, apply for an order under section 69A in relation to the matter or concerns.
17 Application of amendments
(1) The amendments of section 17 of the My Health Records Act 2012 made by this Schedule apply in relation to a cancellation of registration of a healthcare recipient on request, whether the cancellation takes effect before or after the commencement of this Schedule.
(2) However, the amendments do not apply in relation to a cancellation that took effect before the commencement of this Schedule if, after the cancellation took effect and before the commencement of this Schedule, the healthcare recipient applied for registration.