The ADHA says it'll refuse access to medical records without a court order or warrant. But the law allows that policy to change at any time.

Around 20,000 people already opted out of My Health Record, Australia's centralised digital health records system, on Monday. It was day one of the three-month window for opting out before records are to be created automatically.

The figure was cited by Prime Minister Malcolm Turnbull on Melbourne radio 3AW on Tuesday morning. He dismissed privacy and security concerns, confirming that he won't be opting out himself.

"We'll have the highest security on it, and the penalties for breaching it are very, very high. So if somebody were to breach that security, they would find themselves spending a lot of time contemplating their folly in jail," Turnbull said.

The Australian Digital Health Agency (ADHA), which operates the My Health Record system, has also been hosing down concerns. That includes fears that individuals' health records could be accessed by a wide range of law enforcement and other agencies without a warrant, and without notification to either the individual or their medical practitioners.

On Monday night, the @MyHealthRecord Twitter account tweeted a series of FAQs, including one on law enforcement access: "@AuDigitalHealth will only consider a request from a law enforcement agency to access a My Health Record where there is a requirement by law, such as a court order or other enforceable legal instrument."

This would seem to be at odds with the much broader access powers granted in section 70 of the My Health Records Act 2012.

The Act authorises ADHA to use or disclose health information if it "reasonably believes" it is "reasonably necessary" for any one of various things done by, or on behalf of, an "enforcement body". They include:

(a) the prevention, detection, investigation, prosecution, or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(b) the enforcement of laws relating to the confiscation of the proceeds of crime;

(c) the protection of the public revenue;

(d) the prevention, detection, investigation, or remedying of seriously improper conduct or prescribed conduct

The law also allows ADHA to disclose medical records in relation to "the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal", but under stricter conditions.

The "enforcement bodies" with access are defined in section 6 of the Privacy Act 1988. This list is much broader than those defined as "enforcement agencies" for warrantless access to retained telco metadata under the Telecommunications (Interception and Access) Act 1979.

As well as all the usual police and anti-corruption agencies, they include the Immigration Department (now absorbed into the Department of Home Affairs), or any government minister or department "to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law", or "to the extent that it is responsible for administering a law relating to the protection of the public revenue".

The definitions of agency and State or Territory authority are such that they could encompass almost any government body, from senior ministers and their departments, down through state-level organisations, to local governments.

It isn't clear whether the ADHA tweet is confirming a policy of doing less than the agency is allowed to under section 70. In any event, such a policy could be changed at any time, according to Anna Johnston, director of consultancy Salinger Privacy.

"While any policy by ADHA to limit the exercise of its powers under the legislation is welcome, the fact remains that the legislation governing the My Health Record does give the operator of the system very wide discretion to release health information about individuals to a wide range of enforcement bodies, which is not just law enforcement agencies like police but also includes the Immigration Department for example," Johnston told ZDNet.

"The law allows disclosure not only in response to a court order or warrant, but also under a 'reasonable belief' test relating to matters beyond just criminal law offences."

According to Darren O'Donovan, senior lecturer in administrative law at La Trobe University, a "'reasonable belief' of 'reasonable necessity' is [a] pretty forgiving standard".

Some medical professionals are concerned about the possibility of such easy access to patients' medical records.

"Uploading a shared summary which is legislatively allowed to be used for the investigation of recovery of public monies without the knowledge or consent of doctors is incompatible with our ethical requirement to maintain confidentiality," tweeted Dr Trent Yarwood, an infectious diseases physician representing Future Wise on ehealth and privacy matters.

My Health Record has been years in the making, but Australians are now in a curious position. We know exactly which agencies can access our metadata and phone history, and under what circumstances. But when it comes to our health records, arguably our most personal data of all, all we know is that employees of government agencies -- from federal departments all the way down to your local council secretary -- could potentially rummage through our digital medical records on the basis of an unpaid fine.

The ADHA says it'll refuse access without a court order or warrant, but the law says they can change that policy any time they like.

These basic issues should have been locked down before the system went live. Why they weren't uncovered during the lengthy trial involving a million people is, for this writer, a deep mystery.

It's almost as if the government prefers crisis communications to competent project governance.

ZDNet has sought clarification on these and other issues from ADHA and the Department of Health.
