Protecting information rights – advancing information policy

Personally Controlled Electronic Health Record (PCEHR) System:
Legislation Issues Paper

Submission to the Department of Health and Ageing - August 2011

Submission by Timothy Pilgrim, Australian Privacy Commissioner


Contents

Recommendations

Introduction

Comments on the Issues Paper

Section 3.2 of the Issues Paper - Participation

Section 3.3 of the Issues Paper - Access

Section 3.4 of the Issues Paper - Privacy Coverage

Section 3.5 of the Issues Paper - Security

Section 3.6 of the Issues Paper - Governance


Recommendations

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the Department of Health and Ageing (DoHA) on the Personally Controlled Electronic Health Record System: Legislation Issues Paper (the Issues Paper).

In this submission, the OAIC makes the following comments and recommendations:

1. The Personally Controlled Electronic Health Record System (PCEHR) legislation should not only enable information flows necessary to verify the identity of individuals, it should also clearly describe:

  • a) the type of information that will be used and disclosed to verify an individual's identity
  • b) who the information may be used by or disclosed to and
  • c) the purpose for which this information may be used and disclosed (proposal 2) (see p. 6 of this submission).

2. The OAIC welcomes the proposal to create legally recognised 'rights and responsibilities' for individuals and suggests that these should support individual choice, consent and control at all stages of transacting with the PCEHR system (proposal 2) (p. 6 of this submission).

3. The PCEHR legislation should prescribe standards with which healthcare provider organisations (and nominated healthcare providers) need to comply in handling personal information. As an alternative, the office suggests that at a minimum, consistent standards should apply to healthcare provider organisations participating in the PCEHR system (and nominated healthcare providers) and these should be publicly available and subject to a review mechanism (proposals 10 and 12) (see pp. 7 – 8 of this submission).

4. In principle, the OAIC welcomes the proposal that a repository operator must be a legal entity within Australia and that all health information used for PCEHR system purposes must be held in Australia. The office seeks clarification about whether these requirements would apply to other providers that host information on behalf of the PCEHR system, such as contracted service providers (proposal 17) (see p. 9 of this submission).

5. The OAIC seeks clarification about whether any standards or requirements will be included in the PCEHR legislation to regulate personal information handling by portal providers (proposal 22) (see p. 10 of this submission).

6. The OAIC seeks clarification of any proposed process for destroying, de-identifying or archiving data on an individual's PCEHR, and whether such a process will be provided for in the legislation or by another mechanism (proposal 24) (see p. 10 of this submission).

7. The OAIC suggests that consideration be given to comments made in its recent submission to DoHA on the draft Concept of Operations relating to the PCEHR system, about matters which could be included in the patient-centred access regime (proposal 25) (see p. 11 of this submission).[1]

8. The PCEHR legislation should permit individuals to nominate a representative to view their PCEHR, for a particular period or on an indefinite basis (proposal 27) (see p. 11 of this submission).

9. The PCEHR legislation should clearly define and limit the circumstances in which access control settings can be overridden in an emergency situation (proposal 30) (see p. 12 of this submission).

10. The OAIC supports the proposal that the system operator and portal operators be subject to the Privacy Act 1988, as this will ensure that consistent privacy laws apply to these operators (proposal 31) (see p. 12 of this submission).

11. The Issues Paper states that consideration is being given to applying Commonwealth, state or territory privacy laws to repository operators depending on jurisdiction (proposal 32) (see p. 13 of this submission). The office seeks clarification of the policy reasons for distinguishing between the privacy regimes applicable to repository operators, the system operator and portal operators.

12. The PCEHR legislation should include minimum, consistent privacy protections which apply to personal information handled within the PCEHR system (these are outlined in more detail in subsequent recommendations) (proposal 33) (see pp. 13-14 of this submission).

13. The PCEHR legislation should complement the principles-based protections in privacy laws, by clearly prescribing who may collect personal information from the PCEHR system and the primary purpose(s) for which this information may be collected. In addition the legislation could also broadly specify how the system operator, registry operators and portal providers may use and disclose personal information within the PCEHR system.

14. The PCEHR legislation should include processes for parliamentary scrutiny and approval of any future proposed purposes for which personal information may be collected from the PCEHR system (and, in the case of the system operator, repository operator and portal providers, future proposed uses or disclosures). The legislation should also require consultation with appropriate regulatory bodies and policy agencies on any such proposed new purposes (proposal 34) (see p. 15 of this submission).

15. The PCEHR legislation should include a data security provision modelled on National Privacy Principle 4.1. This could apply to the system operator, portal operators and repository operators. NPP 4.1 in schedule 3 of the Privacy Act states that 'an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure' (proposal 35) (see pp. 15 - 16 of this submission).

16. The PCEHR legislation could include penalties for serious breach of data security requirements (proposal 36) (see p. 16 of this submission).

17. The OAIC believes that there are strong reasons to include compliance and audit mechanisms in the PCEHR legislation and seeks clarification of whether this is proposed (proposal 36) (see pp. 16 - 17 of this submission).

18. The office suggests consideration be given to including a duty of confidentiality in the PCEHR legislation that is similar to s 15 of the Healthcare Identifiers Act 2010 (proposal 38) (see p. 17 of this submission).

19. The Issues Paper states that individuals have the ability to escalate privacy complaints about the PCEHR system operator, repository operator or a portal operator to the Information Commissioner if they are not satisfied with the operator's response (p. 37). The OAIC is unclear about two aspects of this proposal. Firstly, the office could only handle complaints within the Commissioner's jurisdiction. Secondly, the Commissioner would not have power to investigate a complaint about a repository operator, if the Privacy Act does not apply to that operator (see proposal 32). The office seeks clarification of whether the PCEHR legislation is intended to extend the Commissioner's existing jurisdiction to investigate complaints.

20. In principle, the OAIC supports the proposal to develop a single entry point for PCEHR privacy complaints, which would then be referred to the appropriate regulator. There would need to be clear procedures established for referring complaints, to clarify responsibility at any point in time for progressing a complaint. The office considers that it has the appropriate skills to adopt this role, subject to clarifying its scope in more detail and considering the associated resourcing implications (proposal 41) (see p. 18 of this submission).


Introduction

The Office of the Australian Information Commissioner (the OAIC) was established by the Australian Information Commissioner Act 2010 (Cth) (the AIC Act) and commenced operation on 1 November 2010.

The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.

The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010.

The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.

The Commissioners of the OAIC share two broad functions:

  • the FOI functions, set out in s8 of the AIC Act - providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth), and
  • the privacy functions, set out in s9 of the AIC Act - protecting the privacy of individuals in accordance with the Privacy Act 1988 (Cth) (the Privacy Act) and other legislation.

The Information Commissioner also has the information commissioner functions, set out in s 7 of the AIC Act. Those comprise strategic functions relating to information management by the Australian Government.

The OAIC appreciates the opportunity to make a submission to the Department of Health and Ageing (DoHA) on the Personally Controlled Electronic Health Record System: Legislation Issues Paper (the Issues Paper).[2]

In this submission the OAIC draws on its understanding of privacy issues associated with the personally controlled electronic health record (PCEHR) system. The office has developed this understanding throughout its engagement with the PCEHR and Individual Healthcare Identifiers initiative. For example, the office has made submissions to:

  • DoHA on the draft Concept of Operations relating to the introduction of a PCEHR system (the draft Concept of Operations), in June 2011[3]
  • the National Health and Hospitals Reform Commission on the Person-controlled Electronic Health Records - Supplementary Paper, in May 2009[4]
  • the National E-Health Transition Authority's consultation on the Privacy Blueprint for the Individual Electronic Health Record, in August 2008.[5]

In the course of its engagement, the OAIC has consistently supported enabling legislation to accompany the PCEHR system. Ensuring that this legislation appropriately protects individuals' personal information is an important element in establishing and maintaining public confidence in the system. It may also facilitate greater public participation.

The OAIC therefore welcomes the proposal to introduce legislation supporting the PCEHR system. In the office's view, such legislation should contain clear privacy protections and should clarify how different Commonwealth, state and territory privacy laws will apply.

The OAIC cannot provide comprehensive comment on the privacy protections offered by the proposed legislation as there is limited detail about these protections in the Issues Paper. The OAIC would welcome the opportunity to make comments on the exposure draft PCEHR legislation at an early stage.


Comments on the Issues Paper

Section 3.2 of the Issues Paper - Participation

3.2.1 Individuals

Proposal 2: Legislation would enable the information flows necessary to verify the identity of individuals, and to create legally recognised rights and responsibilities for individuals

The OAIC suggests that the PCEHR legislation not only enable information flows necessary to verify the identity of individuals, but clearly describe:

  • the type of information that will be used and disclosed to verify an individual's identity
  • who the information may be used by or disclosed to, and
  • the specific purpose for which it may be used and disclosed.

This would ensure that individuals have a clear understanding of how their personal information may be handled. Individuals could then make an informed choice about their interaction with the PCEHR system. It would also help operators to understand the purposes for which this identity information may be used and disclosed. Such measures would also limit the risk of function creep (see the office's comments in relation to section 3.4.1).

The OAIC welcomes the proposal to create legally recognised 'rights and responsibilities' for individuals. From a privacy perspective, these should support individual choice, consent and control at all stages of transacting with the PCEHR system. For example, the legislation could confirm that individuals' choices about participating in the PCEHR system cannot adversely affect their access to health services, Medicare or health insurance payments in any way.  The OAIC would appreciate the opportunity to comment on these 'rights and responsibilities' when the exposure draft legislation is available.

Proposal 8: The PCEHR system will support the creation and use of a PCEHR using a pseudonymous identity and healthcare identifier

The OAIC supports giving individuals the clear option to transact pseudonymously to protect their privacy, where this is lawful and practicable.[6]

The office would welcome the opportunity to review and comment on this aspect of the exposure draft legislation when it is available.

3.2.2 Healthcare provider organisations

Proposal 9: Legislation would specify that in order to be eligible to register for the PCEHR system a healthcare provider organisation must:

  • have an HPI-O;
  • conform to specified technological requirements; and
  • agree to prescribed terms and conditions.

Proposal 10: Legislation would provide a framework for standards with which healthcare provider organisations must comply.

Proposal 11: Legislation would provide authority for the making of terms and conditions which will apply to a healthcare provider organisation regarding the authorisation and identification of eligible users of the PCEHR system within the organisation. The legislation will describe that, to be eligible as an authorised user:

  • healthcare providers must have an HPI-I and be identifiable in the healthcare provider organisation's local system; and
  • other individuals within a healthcare provider organisation, such as contracted service providers and administrative staff, must be identifiable in the healthcare provider organisation's local system and have a legitimate need to access the PCEHR system.

The OAIC understands from proposal 10 that the legislation would not itself prescribe the standards with which a healthcare provider organisation would need to comply, but would contain a framework for making those standards. The standards would be prescribed elsewhere.

In the office's view it would be preferable for standards relating to personal information handling to be included in the proposed legislation (or in a legislative instrument). This would facilitate broad consultation about which standards are appropriate, as well as parliamentary scrutiny of these standards. It may also form the legislative basis for an appropriate offences and remedies regime for breaching an applicable rule or standard.

As an alternative, the OAIC suggests that at a minimum, consistent standards apply to healthcare provider organisations participating in the PCEHR system. These standards should be publicly available and subject to a review mechanism. This would give individuals greater certainty about the way different organisations will handle their personal information, even if these organisations are based in different states and territories. The standards could, among other things:

  • support the accuracy of personal information in the PCEHR system (consistent with National Privacy Principle 3; the National Privacy Principles are referred to below as the NPPs)[7]
  • require healthcare provider organisations to have appropriate data security protections in place to protect personal information accessed through the PCEHR system (consistent with NPP 4.1) [8]
  • require healthcare provider organisations to have a complaint handling process in place for complaints relating to privacy, and
  • require healthcare provider organisations to ensure that eligible users have undertaken appropriate privacy training.

The OAIC notes that proposals 9 and 11 refer to, but do not describe in detail, the eligibility criteria for participating in the PCEHR system. The office would appreciate the opportunity to comment on these criteria when exposure draft legislation is available.

Nominated healthcare providers

Proposal 12: Legislation would provide a framework for rules and standards with which a nominated healthcare provider must comply in authoring and managing a shared health summary.

Proposal 13: The legislation may set out a framework for the rules and standards that relate to the authorship of other PCEHR documents.

The OAIC understands that the legislation would not describe criteria or specific functions for the role of the nominated provider. Instead, it would provide a framework for rules and standards with which a nominated provider must comply in managing a shared health summary.[9]

As noted in the office's comments on proposal 10, the office considers that it would be preferable to include rules and standards relating to personal information handling in the legislation (or in a legislative instrument).

For the reasons discussed in relation to proposal 10, the OAIC suggests as an alternative that at a minimum, these rules and standards be consistent, publicly available and subject to a review mechanism.

3.2.3 PCEHR system operator

Proposal 14: The legislation would establish the PCEHR system operator, prescribe the operator's functions and responsibilities and establish the administrative framework for setting the service levels and operational rules that the PCEHR system operator would need to meet

The OAIC agrees with the proposal to prescribe the PCEHR system operator's functions and responsibilities in legislation.

The office would like the opportunity to comment on these functions and responsibilities when the exposure draft legislation is available.

3.2.4 Repository operators

Proposal 16: The legislation would define repository operators to include registry operators and provide a framework for the regulation of PCEHR-conformant repositories, including:

  • a framework for allocating identifiers to PCEHR conformant repositories;
  • requiring that all health information used for PCEHR system purposes must be held in Australia; and
  • requiring that repository operators are a legal entity within Australia.

Proposal 17: The legislation would establish the role of the National Repositories Service, identify its operator and provide any unique criteria which will apply to the National Repositories Service.

In principle, the OAIC welcomes the proposal that a repository operator must be a legal entity within Australia and that all health information used for PCEHR system purposes must be held in Australia. As discussed in the office's submission on the draft Concept of Operations, the storage of data in other jurisdictions may reduce the security of data where for example, local laws authorise access to that information.[10] The office also agrees that storing information outside Australia may limit individuals' avenues for redress in the event this information is misused or mishandled.[11]

The OAIC seeks clarification about whether these requirements would apply to other providers that host information on behalf of the PCEHR system, such as contracted service providers.[12] 

The OAIC also offers in principle support to proposal 17, that legislation contain any unique criteria applying to the National Repositories Service. The office generally agrees that the standards and requirements applying to repository operators should be set out in regulation (whether primary legislation alone or in conjunction with other mechanisms such as contracts), and that this should provide for accountability, conformance, retention of records, penalties and address circumstances where a repository fails.[13]

The office would appreciate the opportunity to review and make comment on the proposed standards, requirements and criteria referred to in these proposals.

3.2.5 Trusted data source providers

Proposal 19: The legislation will authorise the use of data held by Medicare Australia, DVA and the Department of Defence as trusted data sources for identity verification purposes.

Proposal 20: The legislation will allow for future trusted data sources to be identified through regulations

The OAIC supports the proposal that legislation specifies trusted data sources and provides a mechanism for adding any new trusted data sources by regulation.

The office repeats the comments made in relation to proposal 2, that the PCEHR legislation clearly describe the kind of information from trusted data sources that may be used and disclosed and the purpose/s for which it may be used and disclosed.

3.2.6 Portal providers

Proposal 21: The legislation will provide for the participation of portal providers.

Proposal 22: The legislation will provide a framework for the regulation of PCEHR-conformant portals, including:

  • a framework for allocating identifiers to PCEHR conformant portals;
  • requiring that all servers used for PCEHR system purposes and all demographic information used for PCEHR system purposes must be held in Australia; and
  • requiring that portal providers are a legal entity within Australia.

In principle, the OAIC supports proposals 21 and 22. However, the OAIC notes that the Issues Paper does not refer to any legislative (or other) standards or requirements with which the portal provider must comply in handling personal information. The office seeks clarification about whether any such standards or requirements will be included in the PCEHR legislation or elsewhere.

3.2.8 Health records management

Proposal 24: The legislation would require retention of documents which have been indexed/accessed by the PCEHR system for 15 years since last action on record (or in the case of a minor, until they are 30 years of age).

Where legislation prescribes a minimum data retention period, it is the OAIC's preference that data be destroyed or permanently de-identified at the end of this period if it is no longer needed for a permitted purpose.  This is consistent with NPP 4.2 which generally requires organisations to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for a permitted purpose.

However, the OAIC also appreciates the policy reasons for applying the longest minimum jurisdictional data retention period to documents in the PCEHR system (while making clear to healthcare providers that, where specific legislation or guidelines govern their records management for particular information, they remain responsible for complying with them).[14] In particular, there are significant practical advantages in applying a consistent data retention regime across the various jurisdictions participating in the PCEHR system, just as, in the office's view, there are significant practical advantages for individuals in including some minimum, consistent privacy protections in the PCEHR legislation (see the office's comments on section 3.4.1).

The OAIC would welcome clarification of the proposed process for destroying, de-identifying or archiving data on an individual's PCEHR, and whether such process will be provided for in the PCEHR legislation or by another mechanism.

Section 3.3 of the Issues Paper - Access

3.3.1 Individuals

Proposal 25: Legislation would set out the individual's role in setting access controls, authorising others to access their PCEHR, choosing which information is published to and accessible through their PCEHR, viewing an activity history for their PCEHR and making enquiries and complaints.

In principle, the OAIC supports proposal 25, and considers that effective, patient-centred access controls are one of the key elements of the PCEHR system. Without these controls, there is a risk that personal information will be more widely available than the individual intended.

The office notes however that the Issues Paper provides limited detail about the proposed access regime. In its recent submission on the draft Concept of Operations, the office made substantive comments about matters which could be included in the access regime.[15] The office suggests that consideration be given to these comments in preparing the exposure draft legislation.

Nominated representatives

Proposal 27: The legislation would allow an individual to nominate one or more persons to be their nominated representative for the purpose of viewing the individual's PCEHR.

Q17. Are there any other essential or additional requirements or obligations of a nominated representative that should be supported in the PCEHR legislative framework?

The OAIC welcomes the proposal that a nominated representative be able to view, but not manage, an individual's PCEHR on behalf of the individual.

To enhance individuals' control over this form of access to their PCEHR, the office suggests that the PCEHR legislation permit individuals to nominate a representative for a particular period if they choose, or on an indefinite basis.

3.3.2 Healthcare provider organisations

Proposal 29: Legislation is required to define authorised users who may access a PCEHR when they have been granted permission to do so by the healthcare provider organisation they work for and in line with the access control settings established by the individual.

The OAIC would appreciate the opportunity to comment on these proposed provisions when further detail is available in the exposure draft legislation.

Emergency access

Proposal 30: Emergency PCEHR access is already provided under existing privacy and health legislation.

Q21. Should there be additional legislative provisions for emergency access to PCEHR information?

The OAIC recognises that there are certain specific circumstances where it is appropriate to override access controls in emergency situations. This approach is consistent with NPP 2.1(e),[16] which regulates the use and disclosure of personal information by organisations in emergency situations, as well as NPP 10.1(c), which regulates the collection of sensitive information (including health information) in emergency situations.[17]

The office recognises that this proposal imposes a limitation on the extent to which an individual has control over their access settings. It may be difficult for individuals to understand the circumstances in which their access control settings may be overridden, as different privacy laws will apply in different jurisdictions.

The office suggests that the PCEHR legislation clearly define and limit the circumstances in which access control settings can be overridden in an emergency situation. This will help individuals to make informed choices about whether and how to use the PCEHR system.

Section 3.4 of the Issues Paper - Privacy Coverage

Existing framework

Proposal 31: In relation to the system operator and portal operators, the legislation should ensure that a body may not perform that role unless it is subject to the Privacy Act.

The OAIC supports this proposal, as it will ensure that consistent privacy laws apply to the system operator and portal operators.  This in turn, will help operators to understand their privacy obligations and will also ensure that uniform protections apply to the personal information they handle.

Proposal 32: In relation to repository operators, the legislation should ensure that a body may not perform that role unless it is subject to privacy obligations under Australian law.

Q22. Will this provide the necessary level of protection for personal information uploaded to the PCEHR system?

Q23. What privacy legislation should apply to repository operators?

The OAIC understands that the Commonwealth is considering whether repository operators should be required to comply with:

  • the Privacy Act (similar to the system operator and portal operator) or
  • the Privacy Act or state or territory privacy laws as currently applicable. Where no privacy laws currently apply, it is proposed that the PCEHR legislation provide a framework which either applies the Privacy Act to the relevant repository operator, or requires the body to opt-in to, and maintain coverage by the Privacy Act in order to be eligible to participate as a repository operator.[18]

The office notes that the Privacy Act is proposed to apply to the system operator and portal operators (proposal 31), while under the second approach outlined above, repository operators would be covered by either Commonwealth, state or territory privacy laws depending on jurisdiction.

The office seeks clarification of the policy reasons for distinguishing between the privacy regimes applicable to repository operators, the system operator and portal operators.

Privacy coverage of healthcare providers

Proposal 33: Healthcare providers will be subject to the privacy coverage provided by existing law

The Issues Paper proposes that healthcare providers will be covered by the following existing privacy laws and arrangements:

  • private sector and Commonwealth healthcare providers would be covered by the Privacy Act as currently applicable (as well as in some cases, applicable state or territory legislation)
  • public sector healthcare providers which are currently covered by state or territory privacy law, would be covered by those laws and
  • public sector healthcare providers not currently covered by existing privacy laws, would be covered by existing health law and administrative arrangements for the protection of personal information.[19]

The office understands that this approach reflects current privacy arrangements when clinical information is shared between sectors in different jurisdictions. While this approach may make transition to the PCEHR system easier for providers, in the office's view the absence of clearly stated privacy protections in PCEHR legislation may make it difficult for individuals to understand the privacy protections that will apply to personal information included in the PCEHR.  In turn, this may reduce individuals' ability to make an informed choice about participation in the PCEHR system.

Moreover, the PCEHR system will transform the way in which health information is shared across jurisdictions. Individuals' health information will be much more easily transferred between, and accessible to, individual healthcare providers, healthcare provider organisations and operators located across Australia. Individuals will therefore have an interest in consistent privacy protections applying to their health information within the PCEHR system, irrespective of where it is uploaded to the system, or accessed from the system. In the following sections of this submission, the OAIC outlines some consistent, minimum privacy protections which could be included in the PCEHR legislation.

The OAIC considers these proposals to be consistent with existing privacy legislation.  The office also notes that the Government accepted, in principle, the ALRC's recommendation that enabling legislation for a shared electronic health record should address information privacy issues including 'permitted and prohibited uses and linkages of the personal information held in the systems'.[20]

3.4.1 Privacy- use and disclosure of information

Proposal 34: The legislation would not displace the exceptions to the prohibition on use and disclosure of health information in the Privacy Act.

The Issues Paper states that 'secondary uses and disclosures of personal information permitted under the Privacy Act will continue to be allowed in the PCEHR system'.[21] Under the Privacy Act, organisations may only use or disclose personal information about an individual for the primary purpose for which that information was collected unless an exception listed in NPP 2.1 applies. This provides individuals with control over the handling of their personal information - as individuals can understand at the time their information is collected, what their information will be used for.

However, the office notes that some operators and providers would not be covered by the Privacy Act.[22] For example, it is proposed that repository operators be covered by the Privacy Act or equivalent state or territory privacy legislation.[23] It is also proposed that public sector healthcare providers (other than Commonwealth healthcare providers) be covered by applicable state or territory privacy legislation or administrative arrangements.[24] 

The office therefore seeks clarification of how the secondary uses and disclosures permitted under the Privacy Act would apply to repository operators and healthcare providers that are not covered by the Privacy Act.

Moreover, as noted in relation to proposal 33 above, the PCEHR system will transform the way in which health information is shared across jurisdictions. In this context, the OAIC considers that the PCEHR legislation should complement existing principle-based privacy protections, by including some minimum, consistent privacy protections to information handled within the PCEHR system.

In particular the PCEHR legislation should clearly describe who may collect personal information (including health information) from the PCEHR system and the primary purpose(s) for which this information may be collected. The PCEHR legislation could also broadly specify how the system operator, registry operators and portal providers may use and disclose personal information within the PCEHR system.

The office understands that a similar approach has been taken in the Healthcare Identifiers Act 2010 (HI Act).[25]

There are four main reasons for adopting this approach:

  • to provide some degree of certainty for individuals about how their personal information will be handled in the PCEHR system. This will assist individuals to make an informed choice about how they participate in the PCEHR system
  • to ensure that there is a broad and consistent understanding among operators, providers and individuals about the purpose for which personal information may be collected (and used and disclosed within the PCEHR system) in circumstances where different privacy laws and arrangements would otherwise apply
  • to facilitate broad consultation and parliamentary scrutiny of the purpose for which personal information in the PCEHR system may be collected, and how it may be used and disclosed by operators within the PCEHR system, and
  • to limit the risk of function creep - where legislative measures progressively and incrementally expand in scope to have a greater effect, including on individuals' rights, than was initially envisaged.

To further limit the risk of function creep, the OAIC suggests that the PCEHR legislation include processes for parliamentary scrutiny and approval of any proposed changes to the permitted purposes specified in the legislation. The legislation should also require consultation with appropriate regulatory bodies and policy agencies on any such future proposals.

Section 3.5 of the Issues Paper - Security

Proposal 35: The legislation will provide a framework to support ongoing security of the PCEHR system, but will not set technical requirements, to allow for quick and flexible responses to technological change.

The OAIC suggests that the PCEHR legislation should include a data security provision applying to the system operator, portal operators and repository operators. This provision could be modelled on NPP 4.1 in the Privacy Act, which states 'an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure'.[26]

The office considers that imposing a positive, consistent data security requirement would reinforce the importance of protecting the security of individuals' health information, in circumstances where different privacy laws may otherwise apply. It could also form the legislative basis for an appropriate offences and remedies regime for serious breach of data security requirements to apply uniformly across all jurisdictions, thereby ensuring that individuals throughout Australia have access to the same protections.

3.5.1 Offences and penalties

Proposal 36: Criminal offences would be included in PCEHR legislation covering officeholders or other legal entities involved in the management or control of the healthcare provider, to address:

  • failure of a registered healthcare provider to notify the PCEHR system operator within a specified period when it ceases to meet the requirements for registration to participate in the PCEHR system;
  • requests for and receipt of a record from the PCEHR system by a healthcare provider, when the provider or her/his requesting employer or contractor is not authorised to do so; and
  • failure of a registered healthcare provider to meet audit trail or other record-keeping obligations imposed by the legislation.

The OAIC supports criminal and civil penalties for unauthorised use or disclosure of information in the PCEHR system, where these relate to sufficiently serious misconduct. The office would appreciate the opportunity to comment further on these proposed offences when more detail is available in the exposure draft legislation.

The OAIC suggests that PCEHR legislation could include penalties for serious breach of data security requirements (see the office's comments in relation to proposal 35). There is no offence in the Privacy Act for breaching the data security provision in NPP 4.1. In the office's view, including such an offence provision in the PCEHR legislation would reflect the significant privacy risks associated with misuse, loss, unauthorised access, modification or disclosure of personal information (including sensitive health information) in the PCEHR system.

The Issues Paper does not propose any compliance mechanisms where there is a breach of the PCEHR legislation. Nor does the Issues Paper propose mechanisms for auditing the personal information handling practices of operators who participate in the PCEHR system.

The OAIC seeks clarification of whether any such mechanisms will be included in the PCEHR legislation along the lines of the HI Act[27], or whether these will be included elsewhere. In the office's opinion, there are strong reasons for incorporating such mechanisms in the PCEHR legislation, including for example that compliance mechanisms aid the detection of unauthorised information access or modification, and any other breach of information security.

Proposal 38: The legislation may not include an obligation of confidentiality on the PCEHR system operator or its employees or contractors. Instead, inappropriate handling of personal information would be dealt with under existing privacy, disciplinary or criminal law.

The HI Act refers to a duty of confidentiality in relation to certain types of uses and disclosures of information, as well as offences for breaching that duty.[28] The office suggests consideration be given to whether a similar duty of confidentiality should be included in the PCEHR legislation, which could apply to the PCEHR system operator and its employees and contractors.

Section 3.6 of the Issues Paper - Governance

3.6.1 Principles for long-term governance

Q33. What are your views about the preferred governance structures for the PCEHR system and national e-health elements more broadly?

In its submission on the draft Concept of Operations, the OAIC suggested the following as desirable features of a governance model:

  • personal information handled in the PCEHR system should be regulated by an independent regulatory body or bodies
  • these functions could possibly be undertaken by existing regulatory and accountability agencies such as the OAIC and equivalent state government oversight bodies (where these exist)
  • if there is more than one regulator, the number of regulatory bodies should be minimised
  • if uniform complaint handling mechanisms are not established by legislation, consumers should be made aware that protections they are afforded may vary between jurisdictions
  • as the health sector is already regulated by multiple jurisdictions, if the PCEHR system is to be regulated by additional regulators, it will be important to ensure that the regulatory framework is compatible and consistent with regulatory frameworks currently in place. This includes ensuring that an appropriate framework applies to all individuals participating in the system, and that these individuals can seek redress in the event of a privacy breach
  • the regulatory framework will need to effectively manage any cross-jurisdictional issues and could usefully provide for formal structures designed to ensure ongoing consultation and liaison among jurisdictions, and
  • management and rule-setting functions of the governing body should be separated from accountability and oversight functions.[29]

3.6.2 Complaints handling scheme

Proposal 41: The Commonwealth, in collaboration with the states and territories, will develop proposals for a single entry point for PCEHR privacy complaints which are then referred to the appropriate regulator(s).

Q34. What would be your preferred single entry point for PCEHR privacy complaints?

The Issues Paper states that complaints about the way personal information is handled will be dealt with by the relevant PCEHR system operator, repository operator, portal operator or private sector healthcare provider in the first instance, and will then be escalated to the Australian Information Commissioner where individuals are not satisfied with the response.[30]

The OAIC agrees that the operators should be required by legislation to attempt to resolve an individual's complaint in the first instance.

However, the OAIC is unclear about two aspects of this proposal. Firstly, the office could only handle complaints within the Commissioner's jurisdiction, for example complaints about an interference with privacy under the Privacy Act. Secondly, the Commissioner would not have power to investigate a complaint about a repository operator, if the Privacy Act does not apply to that operator (see proposal 32). The office seeks clarification of whether the PCEHR legislation is intended to extend the Commissioner's existing jurisdiction to investigate complaints.

In principle, the OAIC supports proposal 41. This will simplify the complaint process for individuals where there are multiple regulators. The relevant body could also play a co-ordinating and unifying role in the complaint handling process. There would need to be clear procedures established for referring complaints, to clarify responsibility at any point in time for progressing a complaint.

The office considers that it has the appropriate skills to adopt this role, subject to clarifying its scope in more detail and considering the associated resourcing implications.


[1] See pp. 25 - 28, http://www.oaic.gov.au/publications/submissions/2011-06%20Submission%20on%20PCEHR%20ConOps%20FINAL.html

[2] See http://www.yourhealth.gov.au/internet/yourhealth/publishing.nsf/Content/pcehr-legals

[3] See http://www.oaic.gov.au/publications/submissions/2011-06%20Submission%20on%20PCEHR%20ConOps%20FINAL.html

[4] See http://www.privacy.gov.au/materials/types/submissions?sortby=65

[5] See http://www.privacy.gov.au/materials/types/submissions/view/6697

[6] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Discussion Paper 72, Chapter 17 (see http://www.privacy.gov.au/law/reform

[7] NPP 3 in Schedule 3 of the Privacy Act states that 'an organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date'

[8] NPP 4.1 states that 'an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure'. See also the office's Guide to Handling Personal Information Security Breaches (2008), which provides general guidance on key steps and factors for agencies and organisations to consider when responding to a personal information security breach, (http://www.privacy.gov.au/materials/types/guidelines

[9] Issues Paper, p. 19

[10] OAIC submission to DoHA on the draft Concept of Operations, p. 18

[11] Issues Paper, p. 18

[12] The draft Concept of Operations refers to contracted service providers hosting information on behalf of the PCEHR system, p. 28

[13] Issues Paper, p. 21

[14] Issues Paper, p. 24

[15] OAIC submission to DoHA on the draft Concept of Operations, pp. 25 - 28

[16] NPP 2.1(e) generally states that an organisation must not use or disclose personal information for a secondary purpose unless the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent (i) a serious and imminent threat to an individual's life, health or safety or (ii) a serious threat to public health or public safety

[17] NPP 10.1(c) states that an organisation must not collect sensitive information about an individual unless the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns (i) is physically or legally incapable of giving consent to the collection or (ii) physically cannot communicate consent to the collection

[18] Issues Paper, p. 30

[19] Issues Paper, p. 30

[20] Australian Government, Enhancing National Privacy Protection - First Stage Response to ALRC Report 108, p. 131 (http://www.dpmc.gov.au/privacy/reforms.cfm)

[21] Issues Paper, p. 31

[22] Issues Paper, proposals 32 and 33

[23] Issues Paper, proposal 32

[24] Issues Paper, proposal 33

[25] See for example, ss 16 to 24 of the Healthcare Identifiers Act 2010 (Cth)

[26] See also s 27 of the Healthcare Identifiers Act 2010

[27] Section 29(1) of the HI Act generally gives the Privacy Commissioner power to investigate an act or practice that contravenes the HI Act in connection with an individual's healthcare identifier. Section 29(3) of the HI Act gives the Commissioner an audit function to ascertain whether healthcare identifier records are maintained according to the Information Privacy Principles.

[28] Section 15 of the HI Act

[29] OAIC Submission to DoHA on the draft Concept of Operations, p. 33

[30] Issues Paper, p. 37