Last updated 12 April 2016

Setting the record straight!

Published 12 April 2016


There are a number of positive and negative assertions circulating in the media, so each month we will be ‘setting the record straight’ and highlighting which My Health Record rumours are facts and which are not, so you can be confident when dealing with your customers. This month we set the record straight on privacy.

Here are some of the misrepresentations, along with the actual facts:

Assertion: Individuals cannot control who sees their My Health Record

Not true. Individuals can ask their healthcare provider not to upload certain information to their My Health Record and can also choose to be notified when their My Health Record is accessed. They can also set controls to restrict access to certain information in their My Health Record or to prevent certain healthcare provider organisations from seeing anything in their My Health Record. For example, individuals may want to restrict access to their sensitive health information, such as sexual or mental health issues, or ask a provider not to upload it, rather than leaving it accessible by all healthcare providers.

Assertion: Government agencies will be able to access people’s personal data

There are very limited circumstances where anyone, including the Government, may access someone’s My Health Record. Those circumstances are narrower than under existing laws like the Privacy Act 1988, so My Health Record actually provides more protection of sensitive health information than exists for health records outside of the system. Limited circumstances include:

  • For the purpose of providing healthcare to an individual, including in an emergency;
  • For law enforcement purposes – in line with current powers under the Privacy Act, enforcement bodies may access information for particular investigations;
  • For the purpose of a healthcare provider’s indemnity cover – for example as part of a provider’s defence (or that of their medical indemnity insurer, acting on their behalf) in proceedings of negligence. This reflects longstanding rights of providers to use health information in records they hold in their own systems as part of proceedings.

Assertion: Personal information won’t be safe - the My Health Record system is a gold mine for hackers and blackmailers

The privacy of people’s personal information is taken extremely seriously. A range of legislative and technical mechanisms work together to ensure the privacy and security of people’s information in the My Health Record system.

My Health Record uses bank-strength security including strong encryption and firewalls, secure logins and audit trails. It meets Australian Government Security Standards and is regularly tested for security compliance and vulnerability. These standards are regularly updated to address emerging cyber-threats. The staff who operate and maintain the My Health Record system are vetted and undergo police checks, consistent with government standards.

Further, the unauthorised collection, use or disclosure of information in the My Health Record system is subject to both civil and criminal penalties where an action is deliberate or reckless. These penalties do not apply where a mistake has been made – for example, if a healthcare provider inadvertently or accidentally accesses an individual’s My Health Record. The penalty for not complying with the My Health Records Rules is $18,000 for individuals and $90,000 for bodies corporate.

Further information about the My Health Record system’s privacy and security policies can be found on the My Health Record website.
