
Annual report of the Australian Information Commissioner’s activities in relation to digital health 2016–17

Part 1: Executive summary

From 1 July 2016, national digital health governance arrangements and My Health Record system operations transitioned from the Department of Health and the National E-Health Transition Authority to a new body, the Australian Digital Health Agency (the Agency).

This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2016–17, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (Cth) (HI Act), as outlined in the 2016–17 memorandum of understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Agency.

The report also provides information about the OAIC’s other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.

More information about the MOU is provided below in section 2 of this report. The MOU can also be accessed on the OAIC’s website www.oaic.gov.au.

This was the fifth year of operation of the My Health Record system and the seventh year of the Healthcare Identifiers (HI) Service, a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the My Health Record system and the HI Service.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get their My Health Record. In March 2016, the Australian Government commenced a trial of opt-out system participation in Far North Queensland and in the Nepean Blue Mountains region of New South Wales. A My Health Record was created for each individual living in those areas, unless the individual chose to opt-out of participating in the trial.

Changes to the My Health Records Act introduced by the Health Legislation Amendment (eHealth) Act 2015 enabled the trial to be undertaken. That amendment Act also introduced a number of other changes across digital health legislation and the Privacy Act 1988 (Privacy Act), including streamlining the personal information handling authorisations, and introducing additional civil and criminal penalties for privacy breaches. An independent evaluation of the trials commissioned by the Department of Health was conducted to look at the outcomes from these trials.

In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid–2018.

In 2016–17, the OAIC received 35 mandatory data breach notifications. These notifications recorded 140 separate breaches affecting a total of 152 healthcare recipients, 144 of whom had a My Health Record at the time of the breaches. Five of these notifications remain open at the end of the reporting period. The OAIC received two complaints regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a full program of digital health-related work, including:

  • commencement of one privacy assessment and completion of two assessments from the previous year
  • liaising with the Agency and the Department of Health on the decision for national expansion of My Health Record in 2018
  • making submissions to various stakeholders on matters directly related to or associated with the My Health Record system. This included a submission to the Agency on the development of the National Digital Health Strategy
  • providing advice to stakeholders, including the Agency, on privacy related matters relevant to the My Health Record system
  • developing, revising and updating guidance materials for a range of audiences, including the development of My Health Record related multimedia resources for healthcare providers
  • participation in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board
  • monitoring developments in digital health, the My Health Record system and the HI Service.


Part 2: Introduction

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the My Health Records Act and HI Act, which regulate the collection, use and disclosure of information, and give the Australian Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act which treats health information as ‘sensitive information’.

The Australian Information Commissioner is the independent regulator for the privacy aspects of the My Health Record system and HI Service, and plays a crucial role in overseeing compliance with privacy provisions. However, the OAIC’s role is not limited to compliance and enforcement. During the 2016–17 financial year, the OAIC also worked proactively on digital health activities under its MOU with the Agency.

The MOU covers activities related to both the My Health Record system and the HI Service. It sets out a program of work that included business as usual activities (such as responding to requests for advice and investigating privacy complaints relating to digital health), and project-based work (such as developing guidance materials and conducting assessments). Information about these activities is set out in sections 3 and 4 of this report. Further information about the OAIC’s MOU activities can be found in its Biannual Reports under the MOU, available on the OAIC website www.oaic.gov.au.

The Agency provided the OAIC with $2,076,649.94 (GST exclusive) in 2016–17 to carry out activities in accordance with the MOU.[1]

The Australian Information Commissioner’s digital health functions

The My Health Record system

The Australian Information Commissioner has the following roles and responsibilities under the My Health Records Act and Privacy Act:

  • respond to complaints received relating to the privacy aspects of the My Health Record system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a contravention of the My Health Records Act in connection with health information contained in a healthcare recipient’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act
  • receive data breach notifications and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements
  • investigate failures to notify data breaches
  • exercise, as the Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system, including making determinations, accepting enforceable undertakings, seeking injunctions and seeking civil penalties
  • conduct assessments
  • provide a range of advice and guidance material
  • comment on draft legislation that may interact with the My Health Records Act
  • maintain guidance for exercising the powers available to the Commissioner in relation to the My Health Record system.

Healthcare Identifiers Service

The Australian Information Commissioner has the following roles and responsibilities under the HI Act and Privacy Act:

  • respond to complaints received relating to the privacy aspects of the HI Service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a misuse of healthcare identifiers
  • receive data breach notifications and respond as appropriate
  • conduct assessments
  • provide a range of advice and guidance material
  • comment on draft legislation that may interact with the HI Act.

Year in review — a summary

During the 2016–17 financial year, the OAIC undertook the following activities:

Table 1: OAIC My Health Record and HI Service activities 2016–17

| Activity | My Health Record | HI Service |
| --- | --- | --- |
| Telephone enquiries | 2 | 0 |
| Written enquiries | 4 | 1 |
| Complaints finalised | 2 | 0 |
| Policy advices[2] | 11 | 2 |
| Assessments completed | 1 | 1 |
| Mandatory data breach notifications received | 35 | n/a |
| Media enquiries | 8 | 0 |


Part 3: OAIC and the My Health Record system

The OAIC performs a range of functions in relation to the My Health Record system. These functions include compliance and enforcement activities and other activities set out under the MOU, including providing privacy related advice and developing guidance materials for internal and external stakeholders.

Compliance and enforcement activities include:

  • receiving and investigating complaints about alleged interferences with the privacy of a healthcare recipient in relation to the My Health Record system
  • conducting assessments of participants in the system to ensure they are complying with their privacy obligations
  • receiving mandatory data breach notifications from system participants.

Information about the OAIC’s enforcement and compliance activities is set out below.

The OAIC is also responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the System Operator. In addition, the OAIC responds to enquiries and requests for policy advice from a broad range of stakeholders about the privacy framework for the My Health Record system and the appropriate handling of My Health Record information. These activities are an important component of the OAIC’s regulatory role under the My Health Record system.

To deliver these outcomes, the OAIC liaised with external stakeholders including professional industry bodies in the health sector and consumer organisations. Information about the OAIC’s activities in relation to providing advice, developing guidance material and liaison with key stakeholders is provided below.

OAIC enforcement and compliance activities

Complaints and investigations relating to the My Health Record system

The OAIC received two complaints about the My Health Record system during 2016–17, one of which has been finalised. A complaint from the previous reporting period was also finalised during 2016–17. The OAIC is undertaking preliminary inquiries relating to the ongoing complaint.

Under s 40(2) of the Privacy Act, the Australian Information Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy, on the Commissioner’s own initiative (without first receiving a complaint from an individual).

During 2016–17, the Australian Information Commissioner did not carry out any Commissioner initiated investigations into the My Health Record system.

Assessments relating to the My Health Record system

Under the MOU with the Agency, the OAIC was required to conduct up to two assessments in 2016–2017 from the following targets:

  • the My Health Record System Operator, and
  • agencies and organisations participating in the My Health Record system.

The OAIC initiated one assessment relating to the My Health Record system in 2016–17, and finalised one assessment commenced in the previous reporting period.

Assessments conducted in 2016–17

| Assessment subject | No. entities assessed | Year opened | Closed |
| --- | --- | --- | --- |
| 1. Follow up assessment of the 2014 audit of the National Repositories Service – APP 11 | 1 | 2015–2016 | September 2016 |
| 2. Assessment of DHS as a contractor to the System Operator for services related to the My Health Record System – APP 1.2 | 1 | 2016–2017 | Ongoing |

Follow up assessment of the 2014 audit of the National Repositories Service

The OAIC undertook an assessment of the System Operator’s implementation of recommendations made by the OAIC in its previous audit of the System Operator against Information Privacy Principle 4. The previous audit examined how the System Operator protected personal information held on the National Repositories Service.

Assessment of the Department of Human Services as a contractor to the System Operator for services related to the My Health Record system

The OAIC has conducted an assessment of the Department of Human Services (DHS) as a contractor to the System Operator for services related to the My Health Record system. In particular, the assessment focused on DHS’s privacy management and governance arrangements. Fieldwork was conducted in late March 2017. A draft report is being prepared.

Receiving mandatory data breach notifications

| Notifying party | Received in the period: number of data breach notifications | Received in the period: number of healthcare recipients affected | Closed in the period: number of data breach notifications | Closed in the period: number of healthcare recipients affected | Open at 30 June: number of data breach notifications | Open at 30 June: number of healthcare recipients affected |
| --- | --- | --- | --- | --- | --- | --- |
| System Operator | 6 | 11[3] | 5 | 9[3] | 1 | 2[3] |
| DHS | 29 | 141[3] | 30 | 200[3] | 4 | 8[3] |

The OAIC received six data breach notifications from the System Operator under s 75 of the My Health Records Act. They involved the unauthorised access of a healthcare recipient’s My Health Record by a third party.

The OAIC also received 29 notifications under s 75 of the My Health Records Act from the Chief Executive of Medicare in their capacity as a registered repository operator under s 38 of the My Health Records Act.

  • Twenty notifications resulted from findings under the Medicare compliance and data integrity programs that certain Medicare claims made in the name of a healthcare recipient but not by that healthcare recipient were uploaded to their My Health Record. These notifications totalled 123 breaches, each of which affected a separate healthcare recipient.
  • Nine notifications, each reporting a single breach affecting two healthcare recipients, related to healthcare recipients with similar demographic information having their Medicare records intertwined. As a result, Medicare claims belonging to another healthcare recipient were made available in the My Health Record of the record owner.

Of the 29 received, four notifications remain open as at the end of the reporting period. The OAIC expects to close these notifications following further clarification of the circumstances of the breaches contained within those notifications.

My Health Record system advice, guidance, liaison and other activities

Advice

My Health Record system enquiries

The OAIC’s Enquiries Team received six enquiries about the My Health Record system during the reporting period. These enquiries related to general information about the My Health Record system, access to the records of children and the opt-out process.

Policy advice to stakeholders and members of the public

During the reporting period, the OAIC provided three policy advices related to the My Health Record system to various stakeholders. These included:

  • a response to an enquiry from a health industry consulting practice on re-identification risks, in the context of developing a framework for the secondary uses for My Health Record data
  • comments to the Department of Health on a draft privacy impact assessment on the proposed National Cancer Screening Register. The comments included an explanation of the My Health Record system’s access controls and an overview of how information is authorised, by the My Health Records Act 2012 (My Health Records Act), to be uploaded to the system
  • providing a response to questions taken on notice following the Commissioner’s appearance before the Senate Standing Committee on Community Affairs regarding the National Cancer Screening Register Bill 2016. The response included an explanation of the penalties in the My Health Records Act for mishandling personal information in an individual’s My Health Record, and information regarding the way in which the My Health Records Act refers to its interaction with the Privacy Act.

The OAIC further considered a request for advice from a State government body about the application and interpretation of certain provisions of the My Health Records Act.

Policy advice to the Australian Digital Health Agency

Under its MOU with the Agency, the OAIC liaised and coordinated with the My Health Record System Operator on privacy related matters in relation to the system, including providing feedback and advice on proposals and projects with a possible privacy impact. During the reporting period, the OAIC provided three policy advices to the Agency. These were:

  • comments to the Agency on a draft privacy impact assessment relating to third party development of mobile applications which will enable consumers to include information from their My Health Record system in an app
  • comments to the Agency on its draft ‘My Health Record informed consent requirements and guidelines,’ which outlined requirements for app developers to meet when seeking and obtaining an individual’s consent to connect with and access information in their My Health Record
  • policy advice to the Agency on the application of certain provisions of the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982.

Submissions

The OAIC made five submissions which either directly related to, or touched upon, the My Health Record system during the reporting period. These included a submission to the Agency on the development of the National Digital Health Strategy. In its submission, the OAIC expressed support for initiatives that seek to maximise and enhance the use of data in the public interest, provided that privacy is a central consideration. The OAIC noted that the success of the National Digital Health Strategy will depend largely on transparency and establishing trust as to how personal health data will be used, strong community support for new health data activities, and the ability of individuals to have control over how their data will be used.

The second submission was to the Australian Law Reform Commission’s (ALRC) inquiry on elder abuse. In its submission, the OAIC noted its view that enduring documents should not be uploaded to an individual’s My Health Record as these documents are not solely about healthcare and treatment, but can also include other sensitive information, such as financial information. The ALRC held a similar view, which was further detailed in the Elder Abuse Discussion Paper.

In March 2017, the OAIC made a submission to the Department of Health on the draft National Health Genomics Policy Framework, which highlighted the information handling provisions of the My Health Records Act in response to the discussion about how genomics data may be shared and stored.

The OAIC provided comments to the Royal Australian College of General Practitioners on the second draft of the Standards for general practices (5th edition). The comments included a recommendation to clarify references to health records so that it was clear whether certain parts of the Standards referred to local patient health records or to the My Health Record system.

In September 2016, the OAIC made a submission to the Senate Standing Committee on Community Affairs on the National Cancer Screening Register Bill 2016. The submission recommended that the language used to describe the process of withdrawing participation in the Register be consistent with that used for withdrawing participation in the My Health Record system (i.e. the language around ‘opting-out’). The submission also suggested that the Register operator’s security requirements could be strengthened by requiring the operator to report data breaches and specifying requirements around the handling of data breaches in a manner consistent with the data breach requirements in section 75 of the My Health Records Act. Consistency with the My Health Records Act requirements is particularly important if the Register will link to the My Health Record system and if information in the Register will be made available through that system.

Guidance

For healthcare providers

The OAIC has implemented a more contemporary approach to developing guidance materials, producing a range of multimedia resources for healthcare providers.

Three videos have been developed. One summarises the role of the OAIC in the My Health Record system and is based on an existing fact sheet currently available on the OAIC’s website. The second explains the mandatory data breach notification requirements in the My Health Records Act to healthcare providers. The third provides an overview of the legislative requirements and privacy best practice when it comes to handling sensitive information in the My Health Record system. The third video will complement two new written business resources for healthcare providers covering the legislative requirements that apply to handling a patient’s personal information when using the My Health Record system and tips on how to protect a patient’s privacy.

An infographic for healthcare providers on the mandatory data breach notification requirements under the My Health Record system will accompany the videos described above and will complement the OAIC’s existing Guide to mandatory data breach notification in the My Health Record system.

These resources will be published on the OAIC website in the coming months and distributed via media.

For consumers

In January 2017, the OAIC published two fact sheets for consumers. While these fact sheets are not specific to the My Health Record system, they relate to health privacy issues including privacy protection of health information and access to, and correction of, health information.

External engagement

The Consumer Privacy Network assists the OAIC to further understand and respond to contemporary privacy issues affecting consumers. In March 2017 a forum was held with a specific focus on health. Attendees were provided with an overview of the OAIC’s role and work relating to digital health and the My Health Record system. Members also provided information on issues and concerns for consumers in the privacy and health space and provided valuable feedback on strategies for communicating with stakeholders.

The Deputy Commissioner spoke at the Hickson’s Health Law Forum, providing an overview of the OAIC’s role in the My Health Record system and of the specific information handling provisions of the My Health Records Act. Also, the Assistant Commissioner participated in a panel discussion as part of CeBIT, the annual business technology conference and exhibition. The panel discussion focused on digital health data, information management and clinical informatics. It included discussion on ensuring privacy, protection and data integrity requirements.

The OAIC also attended the 46th Asia Pacific Privacy Authorities (APPA) Forum in Mexico on 30 November to 2 December 2016 and provided an enforcement report, which included an outline of the penalty provisions relevant to the My Health Records Act and the Healthcare Identifiers Act 2010 (HI Act). A similar report was prepared for the 47th APPA Forum.

Liaison

Liaison with the System Operator

The OAIC liaised regularly with the Agency to discuss MOU activities and other matters relating to the My Health Record system.

The OAIC engaged with both the Agency and the Department of Health about the decision to move to an opt-out participation arrangement for the My Health Record system, following the conclusion of the opt-out trials and the finalisation of the evaluation process.

OAIC staff also met with Agency staff to receive information about, and discuss, the work of the Agency’s Digital Health Cyber Security Centre.

The OAIC participated in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board.

In addition, the OAIC also reported to the Agency on activities performed in relation to the My Health Record system through its two biannual reports. The biannual reports are published on the OAIC website.

Liaison with other key stakeholders

In addition to liaising with the Agency and the Department of Health, the Privacy Commissioner and OAIC staff participated in a preliminary consultation with Health Consult to discuss the development of a framework for secondary uses of My Health Record data.

Other activities

Strengthening internal expertise

Throughout 2016–17, the OAIC continued to develop its internal expertise relating to its functions and powers in connection with the My Health Record system. This involved ensuring new staff received induction training in digital health and the OAIC’s regulatory oversight role. Staff who are new to working specifically on digital health receive extensive on-the-job training to ensure that they acquire the necessary digital health subject matter knowledge.

To assist OAIC staff in developing a comprehensive understanding of digital health policy issues and initiatives, the My Health Record system, and the OAIC’s regulatory role, a training package was developed and delivered to staff.

The Australian Community Attitudes to Privacy Survey

The OAIC conducted the Australian Community Attitudes to Privacy Survey (ACAPS) again in 2017. ACAPS is the longest standing and most in-depth study of how Australian attitudes to privacy have evolved.

A significant finding this year was that 83 per cent of Australians think that online environments are inherently more risky than offline. Sixty-nine per cent of Australians say they are more concerned about their online privacy than they were five years ago. While this figure may not represent the true risk of online transactions, it does reflect a real perception to manage.

The survey also revealed that the highest level of trust shown by the community is for health service providers (79 per cent).

Given the desirability – for efficiency, policy and service delivery – of promoting online transactions, building greater community comfort with online environments such as the My Health Record system remains vital.

Monitoring developments in digital health and the My Health Record system

Under the MOU with the Agency, the OAIC is required to monitor developments in digital health and the My Health Record system to ensure it is able to provide informed advice about privacy aspects of the operation of the system and the broader digital health context. During the reporting period, staff attended:

  • the annual Health Informatics Conference in Melbourne which included presentations by executive staff of the Agency and presentations on issues such as cyber-security and health data
  • the Royal Australian College of General Practitioners’ eHealth forum (via live streaming), which included discussions about digital health and the use of patient data to improve health outcomes
  • the Health Data Analytics conference in Brisbane, which was organised by the Health Informatics Society of Australia and covered developments in the health IT industry. This included presentations on the use of big data in healthcare and on cyber-security
  • a number of Agency webinars on topics such as how to embed patient registration processes for the My Health Record in a practice’s workflow, event summaries and shared health summaries in the My Health Record system, the National Digital Health Strategy, and a question and answer on the future of digital health care in Australia
  • the digital health stream of the Australia Healthcare Week conference, which included a roundtable on building the backbone for the future of health care, and presentations by the Agency, state and Commonwealth agencies, academics and business representatives
  • the Privacy Matters Forum ‘your health privacy in the digital era – now and into the future’ hosted by the NSW Office of the Privacy Commissioner
  • a Privacy Awareness Week 2017 webcast from Queensland’s Office of the Information Commissioner which had a section on electronic health records
  • a workshop facilitated by the International Association of Privacy Professionals (iappANZ) in Sydney on privacy and security in digital health
  • a webinar on privacy and confidentiality for general practice, hosted by HotDoc, an online service that streamlines how general practitioners and patients communicate health information.

In addition, OAIC staff:

  • reviewed the World Health Organisation (WHO) report ‘From innovation to implementation – eHealth in the WHO European region’ (2016), which describes trends in electronic health in the WHO European Region
  • reviewed the Australian Commission on Safety and Quality in Health Care’s Fifth and Sixth Clinical Safety Review reports of the My Health Record system
  • monitored news clips, relevant parliamentary committees and digital health and related websites and blogs.

Media

The OAIC responded to eight media enquiries regarding digital health and the My Health Record system during 2016–17. The media outlets were Australian Doctor (x2 enquiries), CeBIT, Channel Nine, Healthcare IT News Australia, News.com.au, The Medical Republic, and Radio 5AA.


Part 4: OAIC and the Healthcare Identifiers Service

The HI Service is a foundation service for a range of digital health initiatives in Australia, particularly the My Health Record system. Accordingly, the use of healthcare identifiers has increased since the launch of the My Health Record system on 1 July 2012. Under the My Health Record system, healthcare identifiers:

  • are used to identify healthcare recipients who register for a My Health Record
  • enable the My Health Record System Operator to authenticate the identity of all individuals who access a My Health Record and record activity through the audit trail
  • help ensure the correct health information is associated with the correct healthcare recipient’s My Health Record
  • registration with the HI Service is a prerequisite for a healthcare provider organisation to be registered for the My Health Record system.

OAIC compliance and enforcement activities

Complaints relating to the HI Service

No complaints were received during the reporting period.

Investigations relating to the HI Service

No complaint investigations or Commissioner initiated investigations (CIIs) were commenced or finalised during the reporting period. At 30 June 2017, there were no HI investigations open.

Assessments relating to the HI Service

Under the MOU with the Agency, the OAIC was required to conduct at least one assessment in 2016–17 from the following targets:

  • the HI Service Operator (DHS-Medicare), and
  • agencies or organisations or state and territory authorities using healthcare identifiers.

The OAIC finalised one assessment in 2016–17 that was commenced in the previous reporting period. The OAIC has initiated contact with an assessment target for an assessment relating to the handling of individual healthcare identifiers.

| Assessment subject | No. entities assessed | Year opened | Closed |
| --- | --- | --- | --- |
| Assessment of the Australian Health Practitioner Regulation Agency – APP 10 and 11 | 1 | 2015–2016 | October 2016 |

Assessment of the Australian Health Practitioner Regulation Agency

The OAIC conducted an assessment into the handling of personal information by the Australian Health Practitioner Regulation Agency (AHPRA) in its role as a national registration authority for healthcare practitioners. The assessment focused on AHPRA’s handling of healthcare identifiers and associated identifying information under APPs 10 (data quality) and 11 (security).

Healthcare identifiers advice, guidance, liaison and other activities

Advice

In relation to the Healthcare Identifiers service, the OAIC provided advice to:

  • the Agency on provisions of the Healthcare Identifiers Act 2010 (HI Act) relating to the handling of healthcare identifiers
  • the Department of Health on a draft privacy impact assessment on the National Cancer Screening Register. The comments included an overview of the provisions of the HI Act that authorise the handling of healthcare identifiers
  • a member of the public relating to an enquiry regarding the use of healthcare identifiers by medical practitioners.

Guidance

Review of existing resources

Following consultation and a review of the healthcare identifier resources available on the OAIC’s website, the OAIC updated its healthcare identifier resource material to better meet stakeholder needs. The updated healthcare identifier information will be available on the OAIC website.

Other activities

Monitoring developments in digital health and the HI Service

Under the MOU with the Agency, the OAIC is required to monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and is able to offer informed advice about privacy aspects of the HI Service in the broader digital health context. During the reporting period, the OAIC:

  • monitored developments relating to digital health and the HI Service through news clips and digital health websites and blogs
  • as outlined above in relation to the My Health Record system, attended various conferences related to digital health.

Reporting on activities

In addition to liaison meetings with the Agency to discuss MOU activities, the OAIC also reported to the Agency on activities performed in relation to the HI Service through its two biannual reports. The biannual reports are published on the OAIC website.

SIGNED

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

30 September 2017


Footnotes

[1] This figure is also included in the OAIC’s Annual Report 2016–17.

[2] This includes submissions. Also, one policy advice related to both the My Health Record system and HI Service and is included in both columns.

[3] The total number of healthcare recipients affected by the data breach notifications (DBNs) includes individuals with and without a My Health Record at the time of the breach. Accordingly, for DHS, there were 134 affected individuals with a My Health Record in the DBNs received in the period, 192 affected individuals with a My Health Record in the DBNs closed in the period and 7 affected individuals with a My Health Record in the DBNs that remained open as at 30 June. For the System Operator, there were 10 affected individuals with a My Health Record in the DBNs received, 8 affected individuals with a My Health Record in the DBNs closed in the period and 2 affected individuals with a My Health Record in the DBNs that remained open as at 30 June.
