Executive summary

This annual report sets out the Australian Information Commissioner’s (Information Commissioner) digital health compliance and enforcement activity during 2021–22, in accordance with s 106 of the My Health Records Act 2012 and s 30 of the Healthcare Identifiers Act 2010 (HI Act).

The report provides information about digital health activities led by the Office of the Australian Information Commissioner (OAIC), including our assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice and liaison with key stakeholders.

This was the 10th year of operation of the My Health Record system and the 12th year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (which are collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those privacy provisions.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get and share their My Health Record. In 2017, the Australian Government announced the creation of a My Health Record for every Australian. Following an opt-out period that ended on 31 January 2019, a My Health Record was created for everyone who had not opted out of the system.

In 2021–22, the OAIC received 14 privacy complaints relating to the My Health Record system with 10 remaining open at the end of the reporting period. We finalised 5 My Health Record system complaints, including 1 complaint from previous reporting periods.

We received 11 privacy complaints relating to the HI Service in 2021–22. We finalised 1 of those complaints received in 2021–22. There were no HI Service complaints from the previous reporting period.

Over the reporting period, there was a marked increase in the OAIC’s policy work in relation to the HI Service as well as an increase in complaints and enquiries about healthcare identifiers. This increase is primarily attributed to the inclusion of healthcare identifiers on COVID-19 vaccine certificates and the subsequent increased collection and overall visibility of healthcare identifiers. To help ensure compliance with the HI Act and encourage best privacy practice in relation to the handling of healthcare identifiers, the OAIC published privacy guidance to assist entities and individuals that collect a person’s COVID-19 digital vaccination certificate which contains an Individual Healthcare Identifier (IHI).

We received 3 data breach notifications during the reporting period in relation to the My Health Record system and closed 3 notifications.

We also carried out other digital health-related work including:

  • commencing one privacy assessment and progressing another assessment commenced in the previous reporting period
  • providing advice to stakeholders, including the Australian Digital Health Agency (ADHA), Services Australia and the Department of Health and Aged Care, on privacy-related matters relevant to the My Health Record system and HI Service
  • developing and promoting guidance materials, including publishing new resources about IHIs and developing and conducting consultation on guidance and a new template for healthcare providers to help them comply with security and access policy requirements under the My Health Records Rule 2016
  • presenting a webinar to healthcare providers on the OAIC’s Privacy and My Health Record assessments and providing panel members for a Q&A session, and
  • monitoring developments in digital health, the My Health Record system and the HI Service.