National Electronic Health Record Systems and Consent to Processing of Health Data in the European Union and Australia

Chapter in the book Legal Tech and the New Sharing Economy

Part of the book series: Perspectives in Law, Business and Innovation (PLBI)

Abstract

This study focuses on the single most important regulatory aspect of data processing, namely consent to data processing. It compares approaches to consent under the General Data Protection Regulation (EU 2016/679) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (and on the free movement of such) (GDPR) in the context of European Union (EU) national electronic health record (NEHR) schemes (also referred to as “national digital health networks”) with the approach of the Australian national health record scheme called My Health Record (MHR). The GDPR, subject to derogation in limited circumstances, is binding on all 27 EU member countries. Under Articles 168 (2) and (7) of the Treaty on the Functioning of the European Union (2007), while the EU has a duty to “encourage cooperation between the Member States…to improve the complementarity of their health services in cross-border areas,” the European Union Member States retain the power to manage their own health services. However, in doing so, subject to narrow derogations, the management of their NEHR systems must conform to the GDPR. The GDPR governs the processing of data in any form including data contained in national electronic health systems (European Commission Recommendation on a European Electronic Health Record exchange format (C(2019)800) of 6 February 2019. Available at: https://ec.europa.eu/digital-single-market/en/news/recommendation-european-electronic-health-record-exchange-format. Accessed 13 May 2019). Given that, unlike the Australian MHR scheme, national electronic medical/health records systems of EU Member States are at different stages of development, and that derogations enable a measure of variance in compliance, individual European systems will not be discussed. 
Australia is a non-EU jurisdiction, and does not have the European Commission’s certificate of adequate level of data protection (GDPR Article 45 empowers the European Commission to determine whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into. For further discussion, see below). One of the reasons for the absence of certification might be the effectively non-consensual nature of the My Health Record system that administers, collects, stores, and provides access to health and clinical data of Australians.

Notes

  1.

    Roman law denied juridical personality to slaves. Helmholz (2012), p. 29.

  2.

    This would allow actions in rem concerning the title to status of the individual’s medical data as property.

  3.

    Hickey (2012), p. 227. See also, Honoré (2006), p. 132.

  4.

    WHO, Report of the Third Global Survey on eHealth 2016, p. 94. Available at:

    http://apps.who.int/iris/bitstream/10665/252529/1/9789241511780-eng.pdf#page=118. Accessed 13 May 2019.

  5.

    As of 2 June 2017, an NEHR system, as per the definition provided in the 2015 WHO Global eHealth Survey, existed in 29 countries of the European region: Albania, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina; Cyprus, Denmark, Estonia, Finland, Iceland, Israel, Italy, Kazakhstan, Kirgizstan, Lithuania, Luxemburg, Montenegro, Norway, Portugal, Montenegro, Republic of Moldova, Romania, Russian Federation, San Marino, Spain, Tajikistan, Turkey, Turkmenistan, Uzbekistan (notably, France and Germany did not participate in the Survey). Available at: https://gateway.euro.who.int/en/indicators/ehealth_survey_84-has-a-national-ehr-system/visualizations/#id=31759&tab=table. Accessed 13 May 2019. In the rest of the world, Australia, Botswana, Cabo Verde, Cambodia, Canada, Chile, China, Costa Rica, El Salvador, Ethiopia, Iran, Jamaica, Jordan, Kiribati, Lesotho, Malawi, Malaysia, Mexico, Mongolia, Oman, Pakistan, Panama, Paraguay, Peru, Singapore, Timor-Leste, Uruguay, Zambia responded as having implemented a NEHR system. WHO Atlas of eHealth Country Profiles. Available at: http://apps.who.int/iris/bitstream/10665/204523/1/9789241565219_eng.pdf. Accessed 13 May 2019.

  6.

    As of 2 June 2017, a NEHR system, as defined in the 2015 WHO Global eHealth Survey, existed in 29 countries of the European region: Albania, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina; Cyprus, Denmark, Estonia, Finland, Iceland, Israel, Italy, Kazakhstan, Kirgizstan, Lithuania, Luxemburg, Montenegro, Norway, Portugal, Montenegro, Republic of Moldova, Romania, Russian Federation, San Marino, Spain, Tajikistan, Turkey, Turkmenistan, Uzbekistan (France and Germany did not participate in the Survey). Available at: https://gateway.euro.who.int/en/indicators/ehealth_survey_84-has-a-national-ehr-system/visualizations/#id=31759&tab=table. Accessed 13 May 2019.

  7.

    See, e.g., the German Appointment Service and Supply Act (TSVG), adopted on 14th March 2019, which requires the German statutory health insurance funds to provide policyholders from 1 January 2021 with electronic health records.

  8.

    See, e.g., Fragidisn and Chatzoglou (2017), pp. 125–126; De Pietro and Francetic (2018), p. 70; Hodge and Callahan (2017); eHealth Taskforce Report (2012) Redesigning health in Europe for 2020. Available at: https://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=2650. Accessed 13 May 2019.

  9.

    European Commission Recommendation on a European Electronic Health Record exchange format (EU) 2019/243 of 6 February 2019 para 11.

  10.

    See, e.g., Kierkegaard (2015), p. 151.

  11.

    Garrety et al. (2016).

  12.

    GDPR Article 4 (15). Data concerning health also includes genetic data, biometric data, and information regarding the provision of health care services.

  13.

    It would be clearly inapposite for the controller to seek a data subject’s consent to some of the technical operations (structuring in the sense of formatting files, alignment or combination of files) listed in Article 4 (2); however, other operations will require valid consent.

  14.

    Guidelines on Consent under Regulation 2016/679 Revised and Adopted on 10 April 2018 (WP259), p. 3.

  15.

    See, e.g., Wee et al. (2013), p. 344; Budin-Ljøsne et al. (2017), pp. 2–3; Johnsson and Eriksson (2016), p. 472; Steinsbekk, Myskja and Solberg (2013), pp. 897–898; Kaye et al. (2015), pp. 142–143.

  16.

    GDPR Article 9 (1), “Processing of special categories of personal data.”

  17.

    GDPR Recital 7.

  18.

    Guidelines on Consent under Regulation 2016/679 Revised and Adopted on 10 April 2018 (WP259), p. 5.

  19.

    Five other grounds for lawful processing listed in GDPR Article 6 (1) include legal obligations under contracts, and “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; the necessity to protect “the vital interests of the data subject or of another natural person”; and necessity based on “the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”

  20.

    For example, collection, storage, adaptation or alteration, retrieval, disclosure by transmission, dissemination or otherwise making available, erasure or destruction of the data subject’s personal information.

  21.

    If “the controller (NEHR authority/agency/operator) has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom.” Guidelines on Consent under Regulation 2016/679, p. 10.

  22.

    Unless there is another lawful basis under GDPR Article 6 (1) that is more appropriate in the situation (see fn 48); though this would be very rare in cases where the controller is a public authority.

  23.

    Guidelines on Consent under Regulation 2016/679 Revised and Adopted on 10 April 2018 (WP259), p. 10. For example, it would be inappropriate to seek consent from a person suffering from advanced Dementia. See also, Recital 32, “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”

  24.

    Guidelines on Consent under Regulation 2016/679 Revised and Adopted on 10 April 2018 (WP259), p. 13.

  25.

    Guidelines on Consent under Regulation 2016/679, pp. 13–14.

  26.

    See also, GDPR Recital 42: “For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”

  27.

    GDPR, Article 4 (4) defines “profiling” as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

  28.

    Controllers using automated and semi-automated processes must demonstrate that: (a) they are necessary under certain contractual circumstances; or (b) authorization “by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests”, or (c) “data subject’s explicit consent.”

  29.

    “Solely automated decision-making is the ability to make decisions by technological means without human involvement.” Guidelines on Automated Individual Decision-making and Profiling for the Purposes of Regulation 2016/679 Adopted on 3 October 2017, p. 7.

  30.

    Apart from affecting legal rights and legal status, the term “legal effects” encompasses “automated decisions that mean someone is: entitled to or denied a particular social benefit granted by law, such as child or housing benefit; refused entry at the border; subjected to increased security measures or surveillance by the competent authorities; or automatically disconnected from their mobile phone service for breach of contract because they forgot to pay their bill before going on holiday.” Guidelines on Automated Individual Decision-making and Profiling for the Purposes of Regulation 2016/679 Adopted on 3 October 2017, p. 10.

  31.

    The effect on data subjects can be significant (as against trivial) even where no legal (statutory or contractual) rights or obligations are specifically affected, for example, denial of a bank loan. Article 22 (4): “Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9 (1), unless point (a) or (g) of Article 9 (2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.” Available at: http://www.privacy-regulation.eu/en/article-22-automated-individual-decision-making-including-profiling-GDPR.htm. Accessed 12 May 2019.

  32.

    Controllers using these processes must demonstrate also that: (a) they are necessary under certain contractual circumstances; or (b) authorization “by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests,” or (c) “data subject’s explicit consent.”

  33.

    GDPR Recital 42.

  34.

    Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679 (WP 251), p. 25.

  35.

    See also, Opinion 15/2011 of the Article 29 Data Protection Working Party on the definition of consent, (WP187), pp. 19–20.

  36.

    See Article 7 (3) GDPR.

  37.

    “If the controller does not provide accessible information, user control becomes illusory and consent will be an invalid basis for processing.” Guidelines on Consent under Regulation 2016/679 (WP259), p. 13. Available at: file:///C:/Users/Home/Documents/000%20My%20Word%20Documents/ELECTRONIC%20HEALTH%20RECORDS/2018%20GDPR%20Opinion%20on%20Consent.pdf. Accessed 12 May 2019.

  38.

    Mendelson and Wolf (2016), pp. 288–290.

  39.

    As amended by My Health Records Amendment (Strengthening Privacy) Act 2018 (Cth).

  40.

    Including National Health Reform Act 2011 (Cth); Private Health Insurance Act 2007 (Cth); National Health Security Act 2007 (Cth); Health Insurance Act 1973 (Cth); Census and Statistics Act 1905 (Cth); National Health Act 1953 (Cth); Australian Bureau of Statistics Act 1975 (Cth); Freedom of Information Act 1982 (Cth); Privacy Amendment (Private Sector) Act 2000 (Cth); Human Services Legislation Amendment Act 2011(Cth); Australian Institute of Health and Welfare Act 1987 (Cth); Australian Information Commissioner Act 2010 (Cth).

  41.

    My Health Records Rule 2016; My Health Records (Assisted Registration) Rule 2015; and My Health Records (National Application) Rules 2017; My Health Records Regulation 2012; Healthcare Identifiers Regulations 2010; My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016.

  42.

    ADHA was previously known as the National E-Health Transition Authority (NeHTA).

  43.

    Under contract with the System Operator, a private company, Accenture Australia Holdings Pty Ltd (a subsidiary of Accenture Holdings plc), acts as the National Infrastructure Operator (NIO) of the system. Accenture provides and manages the National Repositories Service database system, “which holds the key data sets which make up a My Health Record, including shared health summaries, event summaries, discharge summaries, specialist letters, consumer entered health summaries and consumer notes.”

  44.

    Neither “collection” nor “disclosure” is defined in the legislation; however, according to My Health Record Act 2012 (Cth) s 5, the verb “use” includes “accessing the information; viewing the information; modifying the information and deleting the information.”

  45.

    My Health Records Act 2012 (Cth) s 58. Other registered repository operators (entities that hold, “or can hold, records of information included in My Health Records for the purposes of the My Health Record system”) and portal operators (operators of an electronic interface that facilitates access to the My Health Record system), as well as the Chief Executive of Medicare, the Department of Veterans’ Affairs, the Department of Defence and the department responsible for aged care, can collect, use and disclose identifying information. My Health Records Act 2015 (Cth) s 5, s 49, 50D, and s 58A.

  46.

    A subsidiary of Accenture Holdings plc.

  47.

    In addition, the MHR system draws upon information held in other repositories around Australia, operated by a mix of private and public sector organizations. The Department of Health, Personally Controlled Electronic Health Record System Operator: Annual Report 2012–2013, “Registration of repository operators.” Available at: http://www.health.gov.au/internet/publications/publishing.nsf/Content/pcehr-system-operator-annual-report-2012-2013-toc~3-operation-of-the-eHealth-record-system~3.2-registration~3.2.3-registration-of-repository-operators. Accessed 12 May 2019.

  48.

    My Health Records Act 2012 (Cth) s 15(i).

  49.

    Australian Digital Health Agency, “My Health Record”, “Glossary.” Available at:

    https://www.myhealthrecord.gov.au/glossary. Accessed 12 May 2019.

  50.

    Office of the Australian Information Commissioner, National Repositories Service: Implementation of recommendations – My Health Record System Operator Final Report (September 2016), 2.5. Available at: https://www.oaic.gov.au/privacy-law/assessments/national-repositories-service-implementation-of-recommendations-my-health-record-system-operator. Accessed 12 May 2019.

  51.

    In 2015, only approximately 2.1 million individuals, about one per cent of Australian population, registered for a PCEHR. The government (and the opposition) were concerned that not only patients, but also healthcare providers lacked “any incentive to adopt and contribute to the system.” See, the Parliament of the Commonwealth of Australia House of Representatives, Health Legislation Amendment (eHealth) Bill 2015, Explanatory Memorandum, p. 6. Available at:

    https://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r5534_ems_211631f6-fc59-4890-8ab0-a99237f40152/upload_pdf/503821.pdf;fileType=application%2Fpdf. Accessed 12 May 2019.

  52.

    Wolf and Mendelson (2019), p. 3.

  53.

    My Health Records (National Application) Rules 2017 sch 1, r 5 and r 8(1).

  54.

    My Health Records (National Application) Rules 2017, r 7; My Health Records Regulation 2012, reg 1.1.7.

  55.

    My Health Records (National Application) Rules 2017, Department of Health, My Health Record: National Opt-out (15 November 2018). Available at: http://www.health.gov.au/internet/main/publishing.nsf/Content/my-health-record-national-opt-out. Accessed 10 May 2019.

  56.

    Senate Standing Committees on Community Affairs, Report on “My Health Records Amendment (Strengthening Privacy) Bill 2018” 12 October 2018. Available at:

    https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/MyHealthRecords/Report/c01 and https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/MyHealthRecords/Report/c02. Accessed 10 May 2019.

  57.

    My Health Records Amendment (Strengthening Privacy) Act 2018 (Cth) sch 1, cls 5 and 6 inserting ss 17 (2) (b) and 17 (3) of the My Health Records Act 2012 (Cth).

  58.

    My Health Record Act 2012 (Cth) ss 17 (3), (4).

  59.

    Although My Health Record Act 2012 (Cth) s 17 (3) provides that upon cancellation, the System Operator “must destroy any record that includes health information that is included in the My Health Record of the healthcare recipient” other than the person’s name and date of cancellation, it is silent in relation to the “preparatory information.”

  60.

    It has been argued that the number of persons who have opted out is much higher, see Australian Privacy Foundation, “My Health Record.” Available at: https://privacy.org.au/campaigns/myhr/. Accessed 10 May 2019.

  61.

    Gothe-Snape (2019) “My Health Record opt-outs top 2.5 m as service moves to ‘evolving’ choice” ABC News 20 Feb 2019, 8:05 p.m. Available at: https://www.abc.net.au/news/2019-02-20/my-health-record-opt-outs-top-2.5-million/10830220. Accessed 12 May 2019.

  62.

    Mendelson (2010), pp. 662–663.

  63.

    For example, the Australian Digital Health Agency on its site states “My Health Record lets you control your health information securely, in one place. This means your important health information is available when and where it’s needed, including in an emergency.” Available at: https://www.myhealthrecord.gov.au/for-you-your-family. Accessed 14 May 2019.

  64.

    Cooksley et al. (2018), p. 88.

  65.

    However, while the patient is being attended, a request for previous hospital records should be urgently made; the next of kin or bystanders able to describe what has happened should also be contacted. Cooksley et al. (2018), p. 89; see also, Braun et al. (2016).

  66.

    AMA Guide to Medical Practitioners on the use of the Personally Controlled Electronic Health Record System 2.8.2 (30 August 2012). Available at:

    https://ama.com.au/system/tdf/documents/AMA%20Guide%20to%20using%20the%20PCEHR%20Final%20June%202012%20Formatted%20300812.pdf?file=1&type=node&id=36028. Accessed 12 May 2019.

  67.

    The My Health Record registration form for the child is given to mothers in the first days after childbirth. Available at: https://www.myhealthrecord.gov.au/sites/default/files/hd106_mhr_newborn_factsheet_a4.pdf?v=1524052601. Accessed 13 May 2019.

  68.

    My Health Record Act 2012 (Cth) refers to the Privacy Act 1988 (Cth) s 6, which states that “consent means express consent or implied consent.”

  69.

    The Parliament of the Commonwealth of Australia House of Representatives Health Legislation Amendment (Ehealth) Bill 2015, Explanatory Memorandum 32. Available at:

    http://www.austlii.edu.au/au/legis/cth/bill_em/hlab2015323/. Accessed 14 May 2019.

  70.

    The Parliament of the Commonwealth of Australia House of Representatives Health Legislation Amendment (Ehealth) Bill 2015, Explanatory Memorandum 32.

  71.

    The Parliament of the Commonwealth of Australia House of Representatives Health Legislation Amendment (Ehealth) Bill 2015, Explanatory Memorandum 72 (emphasis by the author).

  72.

    Australian Digital Health Agency. Available at: https://www.digitalhealth.gov.au/using-the-my-health-record-system/maintaining-digital-health-in-your-practice/patient-consent. Accessed 26 March 2019.

  73.

    AMA Guide to Medical Practitioners on the Use of the Personally Controlled Electronic Health Record System 4.5.3.1 (30 August 2012). Available at:

    https://ama.com.au/system/tdf/documents/AMA%20Guide%20to%20using%20the%20PCEHR%20Final%20June%202012%20Formatted%20300812.pdf?file=1&type=node&id=36028. Accessed 14 May 2019.

  74.

    AMA Guide to Medical Practitioners on the Use of the Personally Controlled Electronic Health Record System 4.5.3.2 (30 August 2012).

  75.

    AMA Guide to Medical Practitioners on the Use of the Personally Controlled Electronic Health Record System 4.5.3.4 (30 August 2012).

  76.

    My Health Record Act 2012 (Cth) s 41(3A).

  77.

    My Health Record Act 2012 (Cth) s 41(3).

  78.

    Personally Controlled Electronic Health Records Regulation 2012 reg 3.1.1.

  79.

    Public Health Act 2010 (NSW) ss 56, 92; Public Health Act 2005 (Qld) ss 55, 77 to 79, 105 to 107, 175 to 177, 220 to 222, 238 to 240 and 266 to 268; Public Health Act 1997 (ACT) ss 110 and 111.

  80.

    My Health Records Act 2012 (Cth) s 15 (b) (i) and s 15 (c) (i) and (ii); My Health Records Rule 2016 (Cth) r 5(e); rr 6(1)(c), (2)(a). However, My Health Records Rule 2016 rr 7 and 8 allow, in certain emergency circumstances, healthcare provider organizations to use the emergency access function that overrides patient-imposed access controls in order to read or retrieve information in the relevant MHR. The use of the emergency access function is monitored.

  81.

    For a more comprehensive discussion of access to MHRs by registered healthcare providers and patients’ control over their MHRs (or effective lack thereof) see Wolf and Mendelson (2019).

  82.

    ADHA, My Health Record Statistics. Available at:

    https://www.myhealthrecord.gov.au/sites/default/files/my_health_record_dashboard_-_7_apr_2019_0.pdf?v=1557190079. Accessed 13 May 2019.

  83.

    My Health Record Act 2012 (Cth) s 13A (1).

  84.

    Fairfield (2017), p. 1.

References

  • Ben-Assuli O (2015) Electronic health records, adoption, quality of care, legal and privacy issues and their implementation in emergency departments. Health Policy 119:287–297

  • Braun M et al (2016) Coma of unknown origin in the emergency department: implementation of an in-house management routine. Scand J Trauma Resuscitation Emerg Med 24:61. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4848793/. Accessed 12 May 2019

  • Budin-Ljøsne I et al (2017) Dynamic consent: a potential solution to some of the challenges of modern biomedical research. BMC Med Ethics 18(1):4

  • Cooksley T, Rose S, Holland M (2018) A systematic approach to the unconscious patient. R Coll Phys Clin Med (Lond) 18(1):88–93

  • De Pietro C, Francetic I (2018) E-health in Switzerland: the laborious adoption of the Federal Law on Electronic Health Records (EHR) and Health Information Exchange (HIE) networks. Health Policy 122:69–74

  • Fairfield JAT (2017) Owned. Property, privacy, and the new digital Serfdom. Cambridge University Press, Cambridge

  • Fragidisn LL, Chatzoglou PD (2017) Development of Nationwide Electronic Health Record (NEHR): an international survey. Health Policy Technol 6:124–133

  • Helmholz RH (2012) The law of slavery and the European Ius Commune. In: Allain J (ed) The legal understanding of slavery: from the historical to the contemporary. Oxford University Press, Oxford, pp 17–39

  • Hickey R (2012) Seeking to understand the definition of slavery. In: Allain J (ed) The legal understanding of slavery: from the historical to the contemporary. Oxford University Press, Oxford

  • Garrety K et al (2016) National electronic health record systems as ‘wicked projects’: the Australian experience. Inf Polity 21:367–381

  • Hodge SD Jr, Callahan J (2017) Understanding medical records in the twenty-first century. Barry Law Rev 22:273–294

  • Honoré AM (2006) Property and ownership: marginal comments. In: Endicott T et al (eds) Properties of law: essays in honour of Jim Harris. Oxford University Press, Oxford

  • Johnsson L, Eriksson S (2016) Autonomy is a right, not a feat: how theoretical misconceptions have muddled the debate on dynamic consent to biobank research. Bioethics 30(7):471–478

  • Kaye J et al (2015) Dynamic consent: a patient interface for twenty-first century research networks. Eur J Hum Genet 23(2):141–146

  • Kierkegaard P (2015) Interoperability after deployment: persistent challenges and regional strategies in Denmark. Int J Qual Health Care 27(2):147–153

  • Mendelson D (2010) Healthcare identifiers legislation: a whiff of fourberie. J Law Med 17(5):660–676

  • Mendelson D (2018) The European Union General Data Protection Regulation (EU 2016/679) and the Australian My Health Record Scheme—a comparative study of consent to data processing. JLM 26:23–38

  • Mendelson D, Wolf G (2016) My [electronic] health record—Cui Bono (for whose benefit)? JLM 24:283–296

  • Mendelson D, Wolf G (2017) Privacy and confidentiality. In: Freckelton I, Petersen I (eds) Tensions and traumas in health law. Federation Press, Sydney, pp 266–282

  • Steinsbekk KS, Myskja BK, Solberg B (2013) Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? Eur J Hum Genet 21(9):897–902

  • Wee R, Henaghan M, Henaghan M (2013) Dynamic consent in the digital age of biology: online initiatives and regulatory considerations. J Primary Health Care 5(4):341–347

  • Wolf G, Mendelson D (2019) The my health record system: potential to undermine the paradigm of patient confidentiality? UNSWLJ 42(2):619–651

Acknowledgements

This chapter was based on Mendelson (2018) The European Union General Data Protection Regulation (EU 2016/679) and the Australian My Health Record scheme—a comparative study of consent to data processing. JLM 26:23–38.

Author information

Correspondence to Danuta Mendelson.

Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

About this chapter

Cite this chapter

Mendelson, D. (2020). National Electronic Health Record Systems and Consent to Processing of Health Data in the European Union and Australia. In: Corrales Compagnucci, M., Forgó, N., Kono, T., Teramoto, S., Vermeulen, E.P.M. (eds) Legal Tech and the New Sharing Economy. Perspectives in Law, Business and Innovation. Springer, Singapore. https://doi.org/10.1007/978-981-15-1350-3_6