Greenleaf, G --- "The 'Doctor's Area' of the ID Card - The Crippling Complexity and Cost of "Voluntary" Medical and Emergency Information', submission 5 to the Access Card Consumer and Privacy Taskforce" [2007] ALRS 4

Last Updated: 5 August 2010

22 March 2007

Professor Allan Fels, AO

Chair, Consumer and Privacy Taskforce

Department of Human Services

Dear Professor Fels,

Submission #5: The ‘Doctor’s Area’ of the ID Card –

The Crippling Complexity and Cost of “Voluntary” Medical and Emergency Information

I refer to the Access Card Consumer and Privacy Taskforce’s Discussion Paper N 2 ‘ Voluntary Medical and Emergency Information’, 21 February 2007.

I have had the opportunity to read the submission by the Australian Privacy Foundation, and wish to endorse the following points made in that submission:

• Inclusion of medical information on the card and chip should be dropped entirely from the proposal.
• These function is unrelated to the card’s statutory purposes and constitutes built-in function creep.
• The government’s stated policy is that all information on the chip is to be replicated in the Register. The Discussion Paper does not address the relationship between this aspect of the chip and the Register. The Taskforce should do so, as it has major privacy implications.

I make the following submissions which deal primarily with the complexity and cost of including this function on the proposed card.

1 The apparently closed provisions of cl 30 have already been undermined by the Taskforce’s proposal that the card could contain on its surface ‘some symbol (such as the caduceus) to indicate that emergency medical data is stored on the chip’. How does the Taskforce propose that cl 30 be changed?

2 A consequential issue which the Taskforce does not discuss is whether, if a person chooses to have emergency medical data added to their card after the card is issued, a new card will have to be issued to them. If not, their card would be misleading (and potentially life-threatening) in that its surface would not indicate that it contains emergency medical data. What does the Taskforce propose?

3 The government has sought to create the impression that ‘your area’ will be under the cardholder’s control. It has done so through the cl 33 assertion that ‘the information in the chip in your access card consists of two parts’: that in ‘your area’ and that in the ‘Commonwealth’s area’ (cl 33). The Explanatory Memorandum states:

‘It is proposed that card owner will be able to include in their area of the chip area any information that they choose to include (subject to the physical capacity of the chip and any legal restraints). It is expected that card owners will be able to customise their card to include additional information such as organ donor status or emergency contact details. To the extent necessary these matters will be dealt with in subsequent legislation.’

The Taskforce’s Discussion Paper shows that cl 33 is oversimplified and misleading, because the Taskforce proposes ‘a two-tiered system of emergency and health information’. The ‘first tier’ (Tier 1) is to include ‘only that data which is absolutely necessary [for] emergency health treatment in a crisis situation’, which is to be ‘accessible to anyone with an approved reader’ and therefore ‘effectively, [put] into the public domain’. The ‘second tier’ (Tier 2) can include ‘other medical and health data’, but will be PIN protected against access without consent. The Taskforce then recommends ‘That no voluntary medical information be entered into any part of the access card without verification of the accuracy of that information by an approved medical or other practitioner.’ It then underlines what it means, in flat contradiction of the Explanatory Memorandum:

‘This has a clear implication that the entry of such information cannot be done by the individuals themselves since this would allow the bypassing of the verification process. It means, at least for Tier 1 information, data entry can be done only at an approved location and only from an approved and authenticated form’.

Although the Taskforce’s recommendations are not clear in relation to its ‘Tier 2’, the implication of its recommendations are that there are at least three very separate parts of the chip, one of them being the part to which only ‘an approved medical or other practitioner’ can write data. Furthermore the ‘Tier 1’ part of the chip (which may be only a sub-part of the doctor-writeable part), will have quite different access conditions than ‘Tier 2’ which is PIN-protected. At the least there will be three distinct parts to the chip: the Commonwealth’s part, ‘your part’, and ‘your Doctor’s part’. How does the Taskforce propose that the Bill and Explanatory Memorandum be changed to state the truth if its recommendations are adopted?

4 Despite the Taskforce’s above ‘public domain’ remark, it makes the seemingly inconsistent comment that the highest priority must be given to ‘ensuring that there are effective sanctions available and applied in relation to people and organisations who breach privacy requirements inherent in the management of sensitive data’. What recommendations does the Taskforce make concerning the complex legislative balancing act that the legislation will apparently have to include?

5 For example, if a person disagrees with the medical information that a doctor has entered into Tier 1 of the ‘doctor’s part’ of their chip. The doctor may refuse to change the information. The cardholder is locked out of changing this part of ‘their’ card. The problem is that the cardholder must produce the card to every subsequent medical practitioner with whom they deal in order for them to obtain Medicare benefits, but this ‘essential’ medical information is ‘in the public domain’ so every such medical practitioner can see it. This has never been the case before: if your doctor writes something you did not like on your file, you do not have to produce that file to every subsequent doctor with whom you deal. The Taskforce’s Discussion Paper does not raise this issue.

6 The Taskforce proposes that for Tier 1 information ‘a robust system of authentication and verification must be incorporated into the storage process’. How is Australia to suddenly acquire a system by which ‘data entry can be done only at an approved location and only from an approved and authenticated form’ such that there is ‘verification of the accuracy of that information by an approved medical or other practitioner’? What is the cost of such a recommendation? How is any third party who intends to rely on this information supposed to be able to ‘verify’ that it has been entered under such circumstances? The Taskforce also ducks the questions of (i) what is ‘absolutely necessary’ medical data; (ii) who is to decide what is necessary if the Taskforce won’t; or (iii) what ‘other practitioners’ will be entitled to write to the card and who will decide? Unless the Taskforce proposes answers to all these questions, meaningful legislation will not be possible. Unless the Taskforce makes some attempt to cost what it is proposing, it will be impossible to know whether this element of the scheme will by itself blow the government’s budget for this scheme out of the water.

7 Medical information, even limiting it to that which is ‘essential’, is more transient than a person’s name, signature or photo. What are the cost implications of the fact that once a person has some information entered on their card, whether it is in Tier 1 in the clear or on Tier 2 behind a password, they will feel impelled to keep it up to date? What will these costs be and who will bear them?

8 The Taskforce makes the vague gesture in its Recommendation 4 that some ‘medico-legal issues’ must be dealt with in ‘future legislation’. This is not good enough. The Taskforce only has until June 2007 to tell the government how these medico-legal issues must be dealt with in the consolidated Bill the government intends to then present to deal with every aspect of this ID scheme. That is an essential part of consume and privacy protection against these proposals.

9 The Taskforce must consider the question of whether, in order to make its proposals economically feasible, the government needs to abandon completely any proposals for a non-Government area of the card due to the complexity and intractable difficulties that the proposed uses of those parts of the card raise.

This submission will shortly be available on the Cyberspace Law & Policy Centre website.

Your sincerely,

Graham Greenleaf

Co-Director

Cyberspace Law & Policy Centre

Cc: Mr Chris Puplick; Mr John Wood