Since its inception, AHPRA has been able to access both doctor and patient metadata without a warrant.
Australian Doctor investigates the investigators to find out if this power is justified.
There has been a big political stink over the state’s access to metadata: the details about when and where individuals make a call, send a text, browse the web or the phone numbers they ring.
The Federal Government has argued crime enforcement agencies need this information to keep Australians safe from terrorists and criminals.
So last year, it introduced a raft of new laws, including a demand that telecommunications firms retain metadata.
In an apparent compromise over complaints about the erosion of civil liberties, the government declared that non-criminal “enforcement” agencies would be denied automatic access to the information, unless they had a warrant issued by a court.
This meant AHPRA would lose its power to obtain warrantless access to metadata, which it had had since its inception in 2010.
However, there was a clause in the new rules.
AHPRA, along with a string of other government agencies, including the Department of Health, could seek permission from the Attorney-General to access metadata without a warrant.
In January, AHPRA requested guidance from the Attorney-General about whether the agency needs the powers. A judgement is still pending.
In this interview, we talk with AHPRA about its use of metadata.
Australian Doctor: Please explain what powers AHPRA had before the introduction of the metadata legislation last year.
AHPRA: Before the legislation, we were recognised as an enforcement agency within the meaning of the Telecommunications (Interception and Access) Act 1979.
This meant in specific circumstances, we could access information or documents about telecommunications data.
When seeking to use these powers, we have used information cautiously and infrequently, in a small number of investigations into individual registered health practitioners. Most often, these investigations related to allegations of boundary violations between patients and practitioners.
AD: Who makes the decision to access metadata about a patient or a doctor?
A: Applications were authorised on behalf of AHPRA’s executive director, regulatory operations, who reports to the CEO.
AD: When making that decision, what criteria are used?
A: The powers were used sparingly, for example, when it was important to establish either the existence of a personal relationship or its start date.
It’s important to remember that AHPRA didn’t get access to the content of any calls or messages, only evidence that there had been calls or messages.
In some cases, phone calls between people can show the existence of a personal relationship, outside of normal arrangements for booking appointments or patient contact.
The volume of calls or messages can be relevant, as can the time of calls and the location.
The information can provide corroborating evidence to support witness evidence about whether a sequence of events occurred on the balance of probabilities.
AD: The powers allowed AHPRA to access patient metadata. What is the justification for the breach of patient privacy when they have done nothing wrong?
A: AHPRA regulates registered health practitioners and therefore its investigations relate to registered health practitioners. AHPRA always operates lawfully, including consistency with any privacy requirements.
AD: If a decision is made to access metadata what happens next?
A: If AHPRA’s request was granted, we sought the metadata records from the relevant telecommunications provider/s.
AD: Do telecommunications company refuse?
A: No, these requests have not been refused.
AD: Can AHPRA ever access the content of texts or phone calls. Would it require a warrant from a court?
A: No AHPRA can’t access the content of texts or phone calls or web interaction. The law gives us the power to seek a search warrant in some cases, for example to access personal computers or enter premises, but this must first be granted by a magistrate.
AD: Can you give details of when these warrants have been requested?
A: There are limits on how we can answer this question as we have to protect the integrity of our regulatory operations.
But as an example, we sought and were granted search warrants in 2015 in Victoria when we were investigating a complaint that a man purporting to be a dentist, who was not registered, had given a woman serious dental procedures that were unhygienic and unsafe.
AHPRA prosecuted this case through the magistrates court and the man was convicted of a number of offences.
AD: How many times did AHPRA request metadata under its former powers?
Twenty-two times in 2014/15 and 23 times in 2013/14.
AD: Does AHPRA believe having the powers is useful?
A: AHPRA has asked for guidance from the Attorney-General about whether the government believes we should continue to have access to these powers.
We have outlined how we have used them in the past and await the advice of government.
We have used these powers sparingly in the past, especially when there are allegations of boundary violations. And yes, they have been a useful investigative tool.
Sometimes practitioners concede something has happened when confronted by evidence, sometimes the evidence corroborates either the patients’ or the doctors’ statements.
In a small number of matters each year, access to [metadata] is the determining factor in whether or not allegations can properly be made out.
AD: What safeguards have been in place to ensure that the metadata powers granted to AHPRA were not abused?
A: Information AHPRA has obtained is held in a secure AHPRA database. The information is only available to AHPRA staff or other persons where this is required or authorised by law.
AHPRA staff are under a duty of confidentiality regarding their access to, use of, and disclosure of the information, and must only use it in the course of their duties.
Given that all applications for the use of these powers must be signed off by the CEO, their use is not open to abuse.
We are also subject to the provisions of the Commonwealth Privacy Act and we have an independent Privacy Commissioner if there are any concerns raised.
What is metadata?
It’s a murky area, but metadata is widely understood by government officials to include:
• Telephone numbers
• The time and length of phone calls
• The IP addresses of computers from which messages are received or sent
• Location of parties making phone calls
• To and from email addresses on emails
• Logs of visitors to chat rooms online
• Status of chat sites — whether they are active and how many people are participating
• Chat room aliases or identifiers
• Start and finish times of internet sessions
• The location of an individual involved in communications
• The name of the application someone uses online and when, where and for how long used
Metadata is not:
• The content of a communication, such as a phone call or an email
• The subject line of an email
• The content of the discussion in a chat room online
• The content of a mobile phone text message
• Attachments to emails, such as photos or videos
• Web camera transmissions
• Website browsing histories
• The name of a website a person visits
• The substance of a person’s social media posts
• Source: Sydney Morning Herald.
An expert legal view
Professor Bruce Baer Arnold is assistant professor at the school of law at the University of Canberra. He questions the absence of judicial scrutiny over AHPRA’s access to metadata.
The difficult question is proportionality. Does AHPRA need warrantless access to data in order to ensure public safety? Just because something is bureaucratically convenient, doesn’t mean it’s necessary and imperative.
My sense is that most lawyers and doctors are quite happy for AHPRA to engage in surveillance if — and it’s the fundamental IF — that surveillance occurs within a lawful, accountable and proportionate framework.
That means having meaningfully independent supervision: someone who’s outside the magic circle, who is vigorous, who is expert and who isn’t dependent on information fed to them by AHPRA or a similar agency.
It also means use of warrants rather than simply requesting information from a telco that is always going to say yes. The warrant process through the courts is important because it provides some independence and scrutiny.
Contrary to popular belief, warrants don’t take weeks or months to obtain. If they’re necessary and properly prepared, they are available quite quickly. There’s no reason AHPRA shouldn’t rely on warrants rather than back doors in the legislation.
A warrant could cover the metadata and the content of the communication. Courts considering requests for warrants look at factors such as the seriousness of the alleged offence, evidence that there has been an offence, whether evidence is otherwise unobtainable, and the scope of the warrant (what it covers, who it covers, how long it runs for and so forth).
They’ll be conscious of the fact that people who request warrants are sometimes well-meaning but poorly advised. They’ll also be conscious that problems with warrants may mean that evidence is legally inadmissible and therefore cause a prosecution to fall over.
Do people get told that their metadata is being accessed? No. In that sense, we’re all suspects. We won’t get told who — if anyone — has been looking at our phone records, why they were looking and when they were looking.
Was it for a legitimate investigation or just curiosity or a stalker working in the agency that’s allowed to request? We don’t get told. We are supposed to trust. But we’d trust more if there was greater transparency.
In practice, there’s not much transparency.
What do MDOs say?
Avant says it is concerned about giving powers to AHPRA to obtain metadata without a warrant.
“The data retention laws passed last year limited access to telecommunications data to agencies investigating serious criminal offences and undertaking national security investigations,” says Dr Georgie Haysom (pictured), Avant’s head of advocacy. “AHPRA and the Health Care Complaints Commission in NSW already have the power to obtain information for the purpose of investigating a disciplinary matter or an alleged offence under their respective legislation.
“[But] AHPRA and the HCCC are healthcare regulators not criminal law enforcement agencies.
“If healthcare regulators, such as AHPRA and the HCCC, want access to metadata held by telecommunications services providers, they should be required to follow the regime outlined in their own governing legislation, such as issuing notices and obtaining warrants.”