16 October 2015

Cautions re MyHR

The Parliamentary Joint Committee on Human Rights in its latest report has questioned the MyHR (formerly PCEHR) megaproject -
The Health Legislation Amendment (eHealth) Bill 2015 (the bill) seeks to amend the law relating to the personally controlled electronic health record system (PCEHR). The PCEHR (to be renamed 'My Health Record') provides an electronic summary of an individual's health records. Currently, under legislation governing the PCEHR, an individual's sensitive health records are only uploaded on to the register if the individual expressly consents (or 'opts-in').
The bill will enable opt-out trials to be undertaken in defined locations, whereby an individual's health records will be automatically uploaded onto the My Health Record system unless that individual takes steps to request that their information not be uploaded. The bill would allow the opt-out process to apply nationwide following a trial.
The bill seeks to simplify the privacy framework by revising the way that permissions to collect, use and disclose information are presented, and will include new permissions to reflect how entities engage with one another. The bill also seeks to introduce new criminal and civil penalties for breaches of privacy; provide that enforceable undertakings and injunctions are available; and extend mandatory data breach notification requirements.
Measures raising human rights concerns or issues are set out below.
Automatic inclusion of health records on the My Health Record system: 'opt-out' process
As set out above, the bill seeks to remove the requirement for the express consent of an individual before their personal health records are uploaded onto the PCEHR. Rather, an individual will need to expressly advise that they do not wish to participate (to 'opt-out').
The committee considers that the bill, in enabling the uploading of everyone's personal health records onto a government database without their consent, engages and limits the right to privacy.
Right to privacy
Article 17 of the International Covenant on Civil and Political Rights (ICCPR) prohibits arbitrary or unlawful interferences with an individual's privacy, family, correspondence or home. The right to privacy includes respect for informational privacy, including: the right to respect for private and confidential information, particularly the storing, use and sharing of such information; and the right to control the dissemination of information about one's private life.
However, this right may be subject to permissible limitations which are provided by law and are not arbitrary. In order for limitations not to be arbitrary, they must seek to achieve a legitimate objective and be reasonable, necessary and proportionate to achieving that objective.
Compatibility of the measure with the right to privacy
The statement of compatibility acknowledges that the bill limits the right to privacy, however, it concludes that the limitation on the right to privacy is reasonable, necessary and proportionate. It explains the overall objective of the My Health Record system: The objective of the system is to address the fragmentation of information across the Australian health system and provide healthcare providers the information they need to inform effective treatment decisions.
The statement of compatibility also explains that the bill responds to recommendations made from a review of the PCEHR system and addresses issues identified in the early years of operating the system. It explains that the opt-out model is intended to drive the use of My Health Records by healthcare providers as part of normal healthcare in Australia: Increased participation by individuals is anticipated to drive increased and meaningful use by healthcare providers. Combined with other measures to improve the usability of the system and the clinical content of My Health Records, if nearly all individuals have a My Health Record, healthcare providers will be more likely to commit to using and contributing to the My Health Record system, thereby increasing the utility of the system by increasing the amount of clinically valuable information.
The committee notes that the overall objective of the My Health Record system, in seeking to provide healthcare providers with the necessary information to inform effective treatment decisions, is likely to be considered a legitimate objective for the purposes of international human rights law. However, it is questionable whether the objective behind the bill, in amending the system to an opt-out model, would be considered a legitimate objective for the purposes of international human rights law. To be capable of justifying a proposed limitation of human rights, a legitimate objective must address a pressing or substantial concern and not simply seek an outcome regarded as desirable or convenient. Increasing the number of people using the My Health Record system, in an attempt to drive increased use by healthcare providers, may be regarded as a desirable or convenient outcome but may not be addressing an area of public or social concern that is pressing and substantial enough to warrant limiting the right.
Even if the opt-out model, and the corresponding limitation on the right to privacy, is considered to be seeking to achieve a legitimate objective, it must also be demonstrated that the limitation is proportionate to the objective being sought.
The statement of compatibility sets out a number of safeguards in place for the use and disclosure of healthcare information held on the database, noting:
Individuals who have a My Health Record can control who can access their information and what information can be accessed, and can elect to be notified when someone accesses their My Health Record. Individuals can set the access controls on their My Health Record online or over the phone. They can limit which healthcare providers can access their My Health Record…They can effectively remove records that have been uploaded…Once they have a My Health Record an individual can cancel their registration.
The committee accepts that the safeguards contained in the My Health Record system, as a whole, are likely to mean that the limitation on the right to privacy, for those who actively register for a My Health Record and choose to have their private health records uploaded to the database, is likely to be proportionate to the overall objective of maintaining the My Health Record system.
However, the statement of compatibility gives little information about the proportionality of the proposed opt-out process. It explains that the opt-out process will be initially trialled in specific locations, meaning 'My Health Records will be created for people living in specified locations unless they say they do not want one'. Little detail is given as to how people in these specified locations will be notified that their personal health information will be automatically uploaded on a national register unless they take active steps to opt out.
Further information is provided in the explanatory memorandum (EM) to the bill as to how the opt-out arrangements might work in practice. It states: In any opt-out arrangements, it is intended that healthcare recipients would be given a reasonable amount of notice before opt-out is implemented so they could learn about the My Health Record system, and would be given a reasonable amount of time to decide whether or not to opt-out. Various methods would be made available to healthcare recipients to opt-out, for example, online, in person or by phone.
However, the bill itself does not set out any safeguards to ensure that healthcare recipients would be given reasonable notice or a reasonable amount of time to decide whether to opt-out. Rather, a person's health records would automatically be registered on the system if the System Operator 'is satisfied' that the healthcare recipient 'has been given the opportunity' not to be registered (not a 'reasonable' opportunity).
When a healthcare recipient elects not to be registered they must do so in 'the approved form' and if the rules so require it, to do so 'within a period, or on the occurrence of an event' specified in the rules. There is no requirement in the bill that this period of time be within a reasonable time after an individual is notified that their personal health records are being uploaded onto the national database–nor is there any requirement in the legislation to notify individuals that their personal health records will be automatically uploaded onto the register unless they actively opt-out.
In addition, once an individual's personal details are included on the My Health Record there is no ability for the person to erase their record from the register – all they can do is ensure that the personal health information stored on the database will not be authorised for disclosure.
The EM states that there will be 'various channels' available for people to opt-out, including online or as a tick-box on an application form to register newborns or immigrants with Medicare. However, these are not set out in the legislation.
The EM also states that for those without online access, with communication disabilities, or without the required identity documents, 'other channels will be available, such as phone and in person'. No information is given as to how this would work in practice. There are no legislative safeguards in the bill to ensure that people will be appropriately notified.
The committee's interpretation of international human rights law is that, where a measure limits a human right, discretionary or administrative safeguards alone are likely to be insufficient for the purpose of a permissible limitation. This is because administrative and discretionary safeguards are less stringent than the protection of statutory processes and can be amended at any time.
In considering whether the limitation on the right to privacy is proportionate to the stated objective it is also necessary to consider whether there are other less restrictive ways to achieve the same aim. In order to achieve the objective of having more people register for the My Health Record system it is not clear, on the basis of the information provided, why the current opt-in model has not succeeded. The committee notes that the Regulatory Impact Statement (RIS) attached to the EM for the bill weighed up a number of legislative options. No explicit consideration of the right to privacy is included in the RIS and there is no evidence that the option set out in the bill is in fact the least rights restrictive.
The bill also provides that once the opt-out trial has taken place the Minister for Health can, by making rules, apply the opt-out model to all healthcare recipients in Australia. In making this decision the bill provides that the minister 'may' take into account the evidence obtained in applying the opt-out model and any other matter relevant to the decision. There is no requirement that the minister consider the privacy implications of this decision or whether people in the trials were given an appropriate and informed opportunity to opt-out.
The committee's assessment of the opt-out model provided for by the bill against article 17 of the International Covenant on Civil and Political Rights (right to privacy) raises questions as to whether the opt-out model is a justifiable limitation on the right to privacy.
As set out above, the opt-out model engages and limits the right to privacy. The statement of compatibility does not sufficiently justify that limitation for the purposes of international human rights law. The committee therefore seeks the advice of the Minister for Health as to: whether there is reasoning or evidence that establishes that the stated objective addresses a pressing or substantial concern or whether the proposed changes are otherwise aimed at achieving a legitimate objective; whether there is a rational connection between the limitation and that objective; and whether the limitation is a reasonable and proportionate measure for the achievement of that objective, in particular whether the opt-out model is the least rights restrictive approach and whether there are sufficient safeguards in the legislation.
Automatic inclusion of children's health records on the My Health Record system
Currently under the Personally Controlled Electronic Health Records Act 2012 a person under the age of 18 years is automatically assigned an 'authorised representative' who has the power to manage the child's health records. The authorised representative can be any person who has parental responsibility for the child. A parent is considered to be the child's authorised representative until the child turns 18 years of age or until the child takes control of their record. A child who wishes to take control of their health record needs to satisfy the System Operator that they want to manage his or her own PCEHR and are capable of making decisions for themselves.
The committee considers that automatically uploading the private health records of all children in Australia, unless their parent chooses to opt-out of the register, engages and both promotes and limits the rights of the child.
Rights of the child
Children have special rights under human rights law taking into account their particular vulnerabilities. Children's rights are protected under a number of treaties, particularly the Convention on the Rights of the Child (CRC). All children under the age of 18 years are guaranteed these rights. The rights of children include: the right to develop to the fullest; the right to protection from harmful influences, abuse and exploitation; family rights; and the right to access health care, education and services that meet their needs.
State parties to the CRC are required to ensure to children the enjoyment of fundamental human rights and freedoms and are required to provide for special protection for children in their laws and practices. In interpreting all rights that apply to children, the following core principles apply: rights are to be applied without discrimination; the best interests of the child are to be a primary consideration; there must be a focus on the child's right to life, survival and development, including their physical, mental, spiritual, moral, psychological and social development; and there must be respect for the child's right to express his or her views in all matters affecting them.
Compatibility of the measure with the rights of the child
The statement of compatibility for the bill recognises that the rights of the child are engaged by the bill but states:
The existing arrangements allowing parents or other appropriate people to act on behalf of a child (section 6 of the My Health Records Act) are not affected by the Bill. … [T]he privacy of children is protected as representatives such as parents and legal guardians can set the privacy controls such as removing information or restricting access to content...
The My Health Records Act continues to allow a child who is capable of making decisions for themselves to take control of their My Health Record, set access controls or cancel their registration (if already registered) if they choose to do so. The Bill will enable a child who is capable of making decisions for themselves to, like other individuals, opt themselves out of registration in the My Health Record system. …
[T]he Bill shifts the duty of authorised representatives for children from being required to act in the 'best interests' of an individual, to a duty to give effect to the 'will and preferences' of the individual. This change realises the principle that children with appropriate maturity have an equal right to make decisions and to have those decisions respected…
As noted above at [1.50] an attempt to drive increased use by healthcare providers, may be regarded as a desirable or convenient outcome but may not address an area of public or social concern that is pressing and substantial enough to warrant limiting the rights of the child.
In addition, the committee considers that the opt-out model may not be regarded as a proportionate means of achieving that objective. As discussed above, the amendments in the bill will enable the collection of all children's personal sensitive health information to be automatically included on the My Health Record, unless their authorised representative opts-out of this process, or they can prove to the Systems Operator that they should not have an authorised representative and so can opt-out themselves. Similarly to the discussion above at paragraphs [1.48] to [1.62], this significantly limits the child's right to privacy and, in so doing, limits the rights of the child. In particular, as the UN Committee on the Rights of the Child has noted, the child has the right to the protection of their confidential health-related information: In order to promote the health and development of adolescents, States parties are also encouraged to respect strictly their right to privacy and confidentiality, including with respect to advice and counselling on health matters (art. 16). Health-care providers have an obligation to keep confidential medical information concerning adolescents, bearing in mind the basic principles of the Convention. Such information may only be disclosed with the consent of the adolescent, or in the same situations applying to the violation of an adult's confidentiality. Adolescents deemed mature enough to receive counselling without the presence of a parent or other person are entitled to privacy and may request confidential services, including treatment.
Under the proposed opt-out arrangements in the bill a child must rely on their parent taking active steps to ensure the child's record is not automatically included on the My Health Record. As set out above at paragraphs [1.54] to [1.61] there are particular problems with the way in which the current opt-out arrangements are provided for in the bill. There is also no additional information as to how a child, who wishes to take control of their own record, is able to do so. No information is given as to what a child needs to do in order to satisfy the Systems Operator that their parent should not be considered to be their authorised representative. No information is given as to what timeframe the Systems Operator makes the decision as to whether the child is capable of managing their own affairs and whether this would occur within sufficient time to allow the child to exercise their opt-out rights.
The committee notes that the bill does impose an obligation on an authorised representative to give effect to the will and preferences of the child, unless to do so would pose a serious risk to the child's personal and social wellbeing. While this is a welcome measure, there is nothing in the legislation that makes this requirement binding, as there are no consequences in the legislation if the parent does not give effect to the child's will and preferences. In addition, even if a child does manage to become responsible for their own health records, it appears that the child's parent will be notified when that occurs.
The committee's assessment of the automatic inclusion of all children's health records on the My Health Record register against the Convention on the Rights of the Child (rights of the child) raises questions as to whether the automatic inclusion of the health records of all children on the register is compatible with the rights of the child.
As set out above, automatic inclusion of the health records of all children on the register engages and limits the rights of the child. The statement of compatibility does not sufficiently justify that limitation for the purposes of international human rights law. The committee therefore seeks the advice of the Minister for Health as to: whether there is reasoning or evidence that establishes that the stated objective addresses a pressing or substantial concern or whether the proposed changes are otherwise aimed at achieving a legitimate objective; whether there is a rational connection between the limitation and that objective; and whether the limitation is a reasonable and proportionate measure for the achievement of that objective, in particular whether the opt-out model is the least rights restrictive approach and whether there are sufficient safeguards in the legislation to protect the rights of the child.
Automatic inclusion of the health records of persons with disabilities on the My Health Record system
Currently under the Personally Controlled Electronic Health Records Act 2012 (the PCEHR Act) a healthcare recipient can apply to the System Operator to register for the PCEHR, thereby opting-in to have their health care records included on the register. A person with disabilities can do so on an equal basis with other healthcare recipients. However, where the Systems Operator of the PCEHR is satisfied that a person aged over 18 years is not capable of making decisions for him or herself, another person will be considered to be the authorised representative of that person, and only that person will be able to manage the person's health records.
The committee considers that automatically uploading the private health records of all persons with disabilities in Australia, unless they or an authorised representative choose to opt-out of the register, engages and limits the rights of persons with disabilities.
Rights of persons with disabilities
The Convention on the Rights of Persons with Disabilities (CRPD) sets out the specific rights owed to persons with disabilities. It describes the specific elements that state parties are required to take into account to ensure the right to equality before the law for people with disabilities, on an equal basis with others, and to participate fully in society.
Article 4 of the CRPD states that in developing and implementing legislation and policies that concern issues relating to persons with disabilities, states must closely consult with and actively involve persons with disabilities, through their representative organisations.
Article 5 of the CRPD guarantees equality for all persons under and before the law and the right to equal protection of the law. It expressly prohibits all discrimination on the basis of disability.
Article 12 of the CRPD requires state parties to refrain from denying persons with disabilities their legal capacity, and to provide them with access to the support necessary to enable them to exercise their legal capacity.
Article 22 requires state parties to protect the privacy of the personal, health and rehabilitation information of persons with disabilities on an equal basis with others.
Compatibility of the measure with the rights of persons with disabilities
The statement of compatibility for the bill recognises that the rights of persons with disabilities are engaged by the bill, but states:
Consistent with Article 12, people with a disability are provided equal opportunity to participate in the My Health Record system and make decisions about access to their personal information. Continuing current arrangements, authorised representatives can support people to interact with the My Health Record system and act on behalf of the individual if they are unable to act for themselves. These arrangements allow for people with a disability to participate in the My Health Record system, control access to their personal information and withdraw participation in the My Health Record system if they choose to do so. This functionality also supports Article 22 of the CRPD protecting the privacy of people with a disability. The Bill shifts the duty of authorised representatives from being required to act in the 'best interests' of an individual, to a duty to give effect to the 'will and preferences' of the individual. This change realises the principle that people with disability have an equal right to make decisions and to have those decisions respected…
As noted above at [1.50], an attempt to drive increased use by healthcare providers, may be regarded as a desirable or convenient outcome but may not address an area of public or social concern that is pressing and substantial enough to warrant limiting the rights of persons with disabilities.
In addition, the committee considers that the opt-out model may not be regarded as a proportionate means of achieving that objective. As discussed above, the amendments in the bill will enable the collection of the personal sensitive health information of all persons with disabilities to be automatically included on the My Health Record register, unless they or their authorised representative opts-out of this process. Similar to the discussion above at paragraphs [1.48] to [1.62], this significantly limits the right to privacy of persons with disabilities. The processes proposed by the bill also do not appear to provide persons with disabilities the support necessary to enable them to exercise their legal capacity.
In particular, the current law provides that whenever the Systems Operator is satisfied that a healthcare recipient 'is not capable of making decisions for himself or herself' the Systems Operator will deem whomever they are satisfied is an appropriate person to be the healthcare recipient's authorised representative. Once an authorised representative is stated by the Systems Operator to be acting for a healthcare recipient, that authorised representative is authorised to do anything the healthcare recipient can do and the healthcare recipient is not entitled to have any role in managing their health records.
However, article 12 of the CRPD affirms that all persons with disabilities have full legal capacity. While support should be given where necessary to assist a person with disabilities to exercise their legal capacity, it cannot operate to deny the person legal capacity by substituting another person to make decisions on their behalf. The UN Committee on the Rights of Persons with Disabilities has considered the basis on which a person is often denied legal capacity, which includes where a person's decision-making skills are considered to be deficient (known as the functional approach). It has described this approach as flawed: The functional approach attempts to assess mental capacity and deny legal capacity accordingly. It is often based on whether a person can understand the nature and consequences of a decision and/or whether he or she can use or weigh the relevant information. This approach is flawed for two key reasons: (a) it is discriminatorily applied to people with disabilities; and (b) it presumes to be able to accurately assess the inner-workings of the human mind and, when the person does not pass the assessment, it then denies him or her a core human right — the right to equal recognition before the law. In all of those approaches, a person's disability and/or decision-making skills are taken as legitimate grounds for denying his or her legal capacity and lowering his or her status as a person before the law. Article 12 does not permit such discriminatory denial of legal capacity, but, rather, requires that support be provided in the exercise of legal capacity.
The current PCEHR Act, by denying a person the right to manage any of their health records as soon as the Systems Operator makes an assessment that the person lacks the capacity to make decisions for him or herself, removes the person's right to legal capacity.
The amendments in the bill, in requiring an authorised representative to make reasonable efforts to ascertain the healthcare recipient's will and preferences in relation to their My Health Record, are important in respecting the rights of persons with disabilities. However, the design of the current legislation is such that the authorised representative would always be exercising substitute decision-making, rather than supported decision-making. In addition, while the bill imposes an obligation on an authorised representative to give effect to the will and preferences of the healthcare recipient, there is nothing in the legislation that makes this requirement binding, as there are no consequences in the legislation if the authorised representative does not give effect to the person's will and preferences. The statement of compatibility states that a failure of the representative to meet these duties 'may result in their appointment being suspended or cancelled, or access to the individual's My Health Record being blocked under the My Health Records Rules'. However, it is not clear how this would work in practice.
The use of substitute decision-making through the authorised representative process in the bill is of particular concern from an international human rights law perspective. As the UN Committee on the Rights of Persons with Disabilities has explained: Substitute decision-making regimes, in addition to being incompatible with article 12 of the Convention, also potentially violate the right to privacy of persons with disabilities, as substitute decision-makers usually gain access to a wide range of personal and other information regarding the person. In establishing supported decision-making systems, States parties must ensure that those providing support in the exercise of legal capacity fully respect the right to privacy of persons with disabilities.
The Australian Law Reform Commission (ALRC) has identified a number of Commonwealth laws that are not fully compliant with article 12 of the CRPD and has made recommendations to bring legislation into line with international law. The recommendations could relevantly inform the drafting of the bill in a manner consistent with international law.
In addition, there is no information as to how persons with disabilities will be notified appropriately about their right to opt-out of the scheme. As the UN Committee on the Rights of Persons with Disabilities has noted:
Lack of accessibility to information and communication and inaccessible services may constitute barriers to the realization of legal capacity for some persons with disabilities, in practice. Therefore, States parties must make all procedures for the exercise of legal capacity, and all information and communication pertaining to it, fully accessible. States parties must review their laws and practices to ensure that the right to legal capacity and accessibility are being realized.
The committee's assessment of the automatic inclusion of the health records of all persons with disabilities on the My Health Record register against the Convention on the Rights of Persons with Disabilities (rights of persons with disabilities) raises questions as to whether the automatic inclusion of the health records of all persons with disabilities on the register is compatible with the rights of persons with disabilities.
As set out above, automatic inclusion of the health records of all persons with disabilities on the register engages and limits the rights of persons with disabilities. The statement of compatibility does not sufficiently justify that limitation for the purposes of international human rights law. The committee therefore seeks the advice of the Minister for Health as to: whether there is reasoning or evidence that establishes that the stated objective addresses a pressing or substantial concern or whether the proposed changes are otherwise aimed at achieving a legitimate objective; whether there is a rational connection between the limitation and that objective; and whether the limitation is a reasonable and proportionate measure for the achievement of that objective, in particular whether the opt-out model is the least rights restrictive approach and whether there are sufficient safeguards in the legislation to protect the rights of persons with disabilities.
Civil penalty provisions
The bill introduces a number of new civil penalty provisions to apply when a person improperly uses or discloses personal information from the My Health Record system or fails to give up-to-date and complete information for the register.
For example, proposed new section 26 makes it an offence to, unless authorised, use or disclose identifying information from the My Health Record system. The penalty for the criminal offence is two years imprisonment or 120 penalty units (or both). Proposed new subsection 26(6) also applies a civil penalty to the same conduct, on the basis of recklessness, with an applicable civil penalty of 600 penalty units.
The committee considers that this measure engages and may limit the right to a fair trial as the civil penalty provisions may be considered to be criminal in nature under international human rights law and may not be consistent with criminal process guarantees.
Right to a fair trial and fair hearing rights
The right to a fair trial and fair hearing is protected by article 14 of the ICCPR. The right applies to both criminal and civil proceedings, to cases before both courts and tribunals. The right is concerned with procedural fairness, and encompasses notions of equality in proceedings, the right to a public hearing and the requirement that hearings are conducted by an independent and impartial body. Specific guarantees of the right to a fair trial in the determination of a criminal charge guaranteed by article 14(1) are set out in article 14(2) to (7). These include the presumption of innocence (article 14(2)) and minimum guarantees in criminal proceedings, such as the right not to incriminate oneself (article 14(3)(g)) and a guarantee against retrospective criminal laws (article 15(1)).
Compatibility of the measure with the right to a fair trial and fair hearing rights
Under international human rights law civil penalty provisions may be regarded as 'criminal' if they satisfy certain criteria. The term 'criminal' has an 'autonomous' meaning in human rights law. In other words, a penalty or other sanction may be 'criminal' for the purposes of the ICCPR even though it is considered to be 'civil' under Australian domestic law. If so, such provisions would engage the criminal process rights under articles 14 and 15 of the ICCPR.
There is a range of international and comparative jurisprudence on whether a 'civil' penalty is likely to be considered 'criminal' for the purposes of human rights law. The committee's Guidance Note 2 sets out some of the key human rights compatibility issues in relation to provisions that create offences and civil penalties.
The statement of compatibility states that the civil penalty provisions in the bill should not be classified as criminal under human rights law:
Under the civil penalty provisions, proceedings are instituted by a public authority with statutory powers of enforcement in a court. A finding of culpability precedes the imposition of a penalty. This might make the penalties appear "criminal" however this is not determinative. While the provisions are deterrent in nature, these penalties generally do not apply to the public at large. Only a specific group of users, being healthcare providers and other participants in the My Health Record system with access to sensitive information will generally be impacted by these penalties. Further, the severity of the penalties is not too high, with the highest pecuniary penalty that can be imposed being only 600 units. This penalty is justified as the My Health Record system deals with privacy sensitive information and the misuse of this information needs to have proportionate penalties to the potential damage to healthcare recipients. In light of this analysis, the nature and application of the civil penalty provisions suggest that they should not be classed as criminal under human rights law.
The committee considers that a penalty of up to 600 penalty units is a substantial penalty that could result in an individual being fined up to $108 000. This is in a context where the individual made subject to the penalty may be a healthcare provider, such as a nurse, or an administrator working for a healthcare provider. The maximum civil penalty is also substantially more than the financial penalty available under the criminal offence provision, which is restricted to a maximum of 120 penalty units (or $21 600).
When assessing the severity of a pecuniary penalty the committee has regard to the amount of the penalty, the nature of the industry or sector being regulated and the maximum amount of the civil penalty that may be imposed relative to the penalty that may be imposed for a corresponding criminal offence. Having regard to these matters the committee considers that the civil penalty provisions imposing a maximum of 600 penalty units may be considered to be 'criminal' for the purposes of international human rights law.
The consequence of this is that the civil penalty provisions in the bill must be shown to be consistent with the criminal process guarantees set out in articles 14 and 15 of the ICCPR. However, civil penalty provisions are dealt with under the civil law in Australia and a civil penalty order can be imposed on the civil standard of proof – the balance of probabilities.
In addition, the committee notes that proposed new section 31C of the bill provides that each civil penalty provision under the bill is enforceable under Part 4 of the Regulatory Powers (Standard Provisions) Act 2014. This Act provides that criminal proceedings may be commenced against a person for the same, or substantially the same, conduct, even if a civil penalty order has already been made against the person. If the civil penalty provision is considered criminal in nature, this raises concerns under article 14(7) of the ICCPR which provides that no one is to be tried or punished again for an offence for which he or she has already been finally convicted or acquitted (double jeopardy).
The committee also notes that the civil penalty and offence provisions in the bill also allow for a reversal of the burden of proof, requiring the defendant to bear an evidential burden in relation to the defences in the bill. An offence provision which requires the defendant to carry an evidential or legal burden of proof with regard to the existence of some fact will engage the presumption of innocence because a defendant's failure to discharge the burden of proof may permit their conviction despite reasonable doubt as to their guilt. Neither the statement of compatibility nor the EM justifies the need for the reversal of the burden of proof.
The statement of compatibility states that the objective of the penalty regime is to protect the private sensitive information held on the My Health Record system 'and the misuse of this information needs to have proportionate penalties to the potential damage to healthcare recipients'. The committee considers that the protection of private sensitive information is a legitimate objective for the purposes of international human rights law. However, the objective behind including civil penalties of up to 600 penalty units (substantially more than the penalty available under the criminal offence provision) without the usual protections available to those charged with a criminal offence, and the reversal of the burden of proof, has not been explained in the statement of compatibility.
The statement of compatibility also does not explain how the civil penalty provisions, which are likely to be considered 'criminal' for the purposes of international human rights law, are proportionate to their objective. The committee's usual expectation where a measure may limit a human right is that the accompanying statement of compatibility provide a reasoned and evidence-based explanation of how the measure supports a legitimate objective for the purposes of international human rights law. To be capable of justifying a proposed limitation of human rights, a legitimate objective must address a pressing or substantial concern and not simply seek an outcome regarded as desirable or convenient. Additionally, a limitation must be rationally connected to, and a proportionate way to achieve, its legitimate objective in order to be justifiable in international human rights law.
The committee's assessment of the civil penalty provisions in the bill against article 14 of the International Covenant on Civil and Political Rights (right to a fair hearing) raises questions as to whether the provisions are criminal for the purposes of international human rights law and, if so, whether any limitation on the right to a fair hearing is justifiable.
As set out above, the civil penalty provisions engage and may limit the right to a fair hearing. The statement of compatibility does not sufficiently justify that limitation for the purposes of international human rights law. The committee therefore seeks the advice of the Minister for Health as to: whether there is reasoning or evidence that establishes that the stated objective addresses a pressing or substantial concern or whether the proposed changes are otherwise aimed at achieving a legitimate objective; whether there is a rational connection between the limitation and that objective; and whether the limitation is a reasonable and proportionate measure for the achievement of that objective.