Australian Digital Health Agency MOU Biannual report 2016 – 2017 for the period ending 30 June 2017


Mr Tim Kelsey
Chief Executive Officer
Australian Digital Health Agency
Level 25, 56 Pitt Street
Sydney NSW 2000

Dear Mr Kelsey

I am pleased to provide you with the biannual report for the period ending 30 June 2017, in accordance with section 3.3 of Schedule 1, section 3.3 of Schedule 2 and section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Australian Digital Health Agency, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report, please contact Melanie Drayton, Assistant Commissioner, Regulation and Strategy on [contact details removed].

Yours sincerely

Angelene Falk
Deputy Commissioner

20 September 2017

Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report biannually under the Memorandum of Understanding (MOU) with the Australian Digital Health Agency (the Agency) in relation to the My Health Record system and Healthcare Identifiers (HI) system activities.

Section 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported in section 1 of this report relate to work performed on activities listed in section 3.1 of Schedule 1 and section 3.1 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the My Health Record system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system
  • The OAIC responded to an enquiry from a health industry consulting practice on re-identification risks, in the context of developing a framework for the secondary uses of My Health Record data.
  • The OAIC further considered a request for advice from a state government body about the application and interpretation of certain provisions of the My Health Records Act.
  • The OAIC received one written enquiry and one telephone enquiry regarding the My Health Record system. Each of these enquiries related to the process of opting out of the My Health Record system.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for individuals and participants in the My Health Record system on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system
  • Recently, the OAIC has considered and implemented a more contemporary approach to developing guidance materials for healthcare providers to ensure information and messages were better tailored to this target audience. In line with this new approach, the OAIC engaged a marketing and design company, ZOO Group, to develop the OAIC’s My Health Record multimedia resources for healthcare providers. These resources will be published on the OAIC website in the coming months and consist of:
    • a video that summarises the role of the OAIC in the My Health Record system. This video resource is based on an existing fact sheet currently available on the OAIC’s website.
    • a video that explains the mandatory data breach notification requirements in the My Health Records Act to healthcare providers. This video provides a succinct and easy to understand snapshot of these requirements.
    • an infographic for healthcare providers on the mandatory data breach notification requirements under the My Health Record system. This will accompany the video described above and will complement the OAIC’s existing Guide to mandatory data breach notification in the My Health Record system.
    • a video that provides an overview of the legislative requirements and privacy best practice when it comes to handling sensitive information in the My Health Record system. This video will complement two written business resources for healthcare providers that have been developed but not yet published on the website. One of these written resources covers the legislative requirements that apply to handling a patient’s personal information when using the My Health Record system. The second resource provides tips on how to protect a patient’s privacy when using the My Health Record system. These business resources will be published on the OAIC website with the videos.
    • a dedicated website landing page to host the new My Health Record resources (the three videos, written business resources and infographic detailed above).
    • a media distribution strategy to communicate the new My Health Record resources.
  • The OAIC finalised its revisions to the Guide to mandatory data breach notification in the My Health Record system to reflect changes to the mandatory data breach notification requirements under section 75 of the My Health Records Act. The revised guide will be published on the OAIC website by the end of August 2017.
  • In January 2017, the OAIC published two fact sheets for healthcare recipients. While these fact sheets are not specific to the My Health Record system, they relate to health privacy issues including privacy protection of health information and access to, and correction of, health information.
  • The OAIC worked to finalise its new draft guidance dealing with health care providers’ privacy obligations under the Privacy Act when handling health information, including information in the My Health Record system. This guidance follows a public consultation process and brings together sector specific guidance for health service providers.
S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the My Health Records Act as required
  • The OAIC prepared updates to its Guide to privacy regulatory action to reflect changes to the My Health Records Act enforcement powers, as a result of the Health Legislation Amendment (eHealth) Act 2015.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related My Health Record activities with the System Operator and other key agencies (i.e. Department of Health and Department of Human Services – Medicare)
  • The OAIC prepared a biannual report under the MOU between the Agency and the OAIC for the period ending 30 June 2017.
  • The OAIC worked to finalise an annual report setting out the OAIC’s activities in relation to the My Health Record system during 2016 – 2017, in accordance with section 106 of the My Health Records Act.
  • The OAIC participated in the Privacy and Security Advisory Committee, which is one of the advisory committees established by the Agency to support the Agency’s Board.
  • The OAIC liaised with the Department of Health about the next phase of the My Health Record system, following the conclusion of the opt-out trials and the finalisation of the evaluation process.
  • The OAIC also liaised with the Agency following the decision to move to a national opt-out participation arrangement for the My Health Record system.
  • The OAIC and the Agency liaised on the Agency’s development of mobile apps that connect to the My Health Record system.
  • OAIC staff met with Agency staff to receive information about, and discuss, the work of the Agency’s Digital Health Cyber Security Centre.
S3.1(k) – Liaise and coordinate on privacy related My Health Record activities with state and territory regulators
  • None required.

Other activities

S3.1(l) – Prepare My Health Record related briefing material, speeches, articles and media comment on privacy matters
  • OAIC staff prepared briefing material for the Deputy Commissioner’s attendance at the Agency’s Privacy and Security Advisory Committee.
  • OAIC staff prepared briefing material for the Deputy Commissioner for the Hickson’s Health Law Forum in March 2017.
  • The Deputy Commissioner made a speech at the Hickson’s Health Law Forum giving an overview of the OAIC’s role in the My Health Record system and of the specific information handling provisions of the My Health Records Act.
  • OAIC staff prepared briefing material for the Assistant Commissioner’s participation in a panel discussion as part of CeBIT, the annual business technology conference and exhibition. The panel discussion focused on digital health data, information management and clinical informatics. It included discussion on ensuring privacy, protection and data integrity requirements.
  • The OAIC hosted the Consumer Privacy Network meeting on 3 March 2017, which focused on health. The Consumer Privacy Network is a forum that assists the OAIC to further understand and respond to contemporary privacy issues affecting consumers. Attendees were provided with an overview of the OAIC’s role and work relating to digital health and the My Health Record system. Members also provided information on issues and concerns for consumers in the privacy and health space and provided valuable feedback on communication strategies for reaching stakeholders.
  • The OAIC conducted its Australian Community Attitudes to Privacy Survey again in 2017. The results of the survey show that there are some issues to overcome as part of improving community confidence in the digital and data agenda. One of these is that 83% of Australians think that online environments are inherently more risky than offline. While this figure may not represent the true risk of online transactions, it does reflect a real perception that needs to be recognised and managed, including within the digital health space. The survey findings also show that the highest levels of trust were for health service providers. This survey and results helps inform the OAIC’s priorities and direction for the coming years as it works towards ensuring that Australian communities gain increased confidence that their personal information is respected and protected.
  • In preparation for the creation of the multimedia resources (detailed above) the OAIC presented detailed information to ZOO Group – the marketing and design company – about the My Health Record system, privacy and the OAIC’s regulatory role in the system.
  • The OAIC responded to seven media enquiries on privacy and the My Health Record system.
S3.1(m) – Comment on draft legislation that may interact with the My Health Records Act (where appropriate)
  • None required.
S3.1(n) – Participate in consultations and comment on digital health developments that relate to the My Health Record system
  • The OAIC made a submission to the Agency on the development of the National Digital Health Strategy. The OAIC was supportive of initiatives that seek to maximise and enhance the use of data in the public interest, provided that privacy was a central consideration. The OAIC noted that the success of the National Digital Health Strategy will depend largely on transparency and establishing trust as to how personal health data will be used, strong community support for new health data activities, and the ability of individuals to have control over how their data will be used.
  • The OAIC responded to a letter from Standards Australia regarding participation in Standards Australia’s review of two Australian standards relating to paper-based and digital health records.
  • The OAIC made a submission to the Australian Law Reform Commission’s (ALRC) inquiry on elder abuse. In its submission, the OAIC noted its view that enduring documents should not be uploaded to an individual’s My Health Record as these documents are not solely about healthcare and treatment, but can also include other sensitive information such as financial information. The ALRC held a similar view, which was further detailed in the Elder Abuse Discussion Paper.
  • The OAIC prepared material for the 47th Asia Pacific Privacy Authority (APPA) Forum, to be held in Sydney on 10 – 11 July 2017. The material included information about the penalty provisions relevant to the My Health Records Act and the Healthcare Identifiers Act 2010 (HI Act).
S3.1(o) – Update internal reference materials and provide staff training as necessary
  • The OAIC developed a training package for OAIC staff on digital health and the OAIC’s digital health regulatory oversight role.
  • The OAIC conducted induction training in digital health and the OAIC’s digital health regulatory oversight role for all new OAIC staff.
  • The OAIC conducted an in-depth digital health induction and training for one new staff member working in the OAIC’s digital health team.
S3.1(p) – Monitor developments in digital health and the My Health Record system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the My Health Record system and the broader digital health context
  • OAIC staff monitored news clips, relevant parliamentary committees and digital health and related websites and blogs, such as Pulse+IT.
  • OAIC staff attended a question and answer webcast hosted by the Agency on the future of digital healthcare in Australia.
  • An OAIC staff member attended the digital health stream of the Australia Healthcare Week conference, which included a roundtable discussion on building the backbone for the future of healthcare, and presentations by the Agency, state and Commonwealth agencies, academics and business representatives.
  • An OAIC staff member attended the Privacy Matters Forum hosted by the NSW Office of the Privacy Commissioner. The topic of the forum was ‘Your health privacy in the digital era – now and into the future’.
  • OAIC staff attended a workshop facilitated by the International Association of Privacy Professionals (iappANZ) in Sydney, which focused on privacy and security in digital health.
  • An OAIC staff member attended a Privacy Awareness Week 2017 webcast organised by the Office of the Information Commissioner, Queensland, which had a section focussing on electronic health records.
  • An OAIC staff member attended a webinar on privacy and confidentiality for general practice, which was hosted by HotDoc, an online service that streamlines how general practitioners and patients communicate health information.

Activities relating to the Healthcare Identifiers Service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of Healthcare Identifiers and other privacy compliance obligations in relation to the HI Service
  • The OAIC provided advice to the Agency on provisions of the HI Act relating to the handling of healthcare identifiers.
  • The OAIC received one written enquiry regarding healthcare identifiers. The enquiry related to the use of healthcare identifiers by medical practitioners.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for individuals and participants in the healthcare industry on the appropriate handling of Healthcare Identifiers and other privacy compliance obligations in relation to the HI Service
  • Following a review, and targeted consultation, of the healthcare identifier resources available on the OAIC’s website, the OAIC updated its healthcare identifier resource material to better meet stakeholder needs. The updated healthcare identifier information will be available on the OAIC website by the end of August 2017.

Liaison

S3.1(g) – Liaise and coordinate on privacy related HI activities with key agencies (i.e. Department of Health and Department of Human Services – Medicare)
  • The OAIC prepared a biannual report under the MOU between the Agency and the OAIC for the period ending 30 June 2017.
  • The OAIC is working to finalise an annual report setting out the OAIC’s activities in relation to the HI Service during 2016 – 2017, in accordance with section 30 of the HI Act.
  • The OAIC liaised with the Agency on healthcare identifier legislation and the requirements for handling healthcare identifiers.
S3.1(h) – Liaise and coordinate on privacy related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(i) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(j) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • The OAIC commented on draft legislation relating to the use of the healthcare identifiers of healthcare providers.
S3.1(k) – Participate in consultations and comment on digital health developments that relate to the HI Service
  • None required.
S3.1(l) – Update internal reference materials and provide staff training as necessary
  • The OAIC has developed a training package for OAIC staff on digital health and the OAIC’s digital health regulatory oversight role.
  • The OAIC conducted induction training in digital health and the OAIC’s digital health regulatory oversight role for all new OAIC staff.
  • The OAIC conducted in-depth digital health induction and training for one new staff member working in the OAIC’s digital health team.
S3.1(m) – Monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and able to offer informed advice about privacy aspects of the operation of the HI Service in the broader digital health context.
  • OAIC staff monitored news clips, relevant parliamentary committees and digital health and related websites and blogs, such as Pulse+IT.
  • OAIC staff attended a question and answer webcast, hosted by the Agency on the future of digital health care in Australia.
  • An OAIC staff member attended the digital health stream of the Australia Healthcare Week conference, which included a roundtable on building the backbone for the future of health care, and presentations by the Agency, state and Commonwealth agencies, academics and business representatives.


Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Section 3.3 of Schedule 1 of the MOU requires the OAIC to produce a biannual report about activities related to the My Health Record system which, at a minimum, provides a summary of

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated
  2. any investigations commenced within the period and the findings and recommendations associated, and
  3. any assessments commenced within the period and the findings and recommendations associated.

The Information Commissioner also has annual statutory reporting obligations under section 106 of the My Health Records Act.

Section 3.3 of Schedule 2 of the MOU requires the OAIC to produce a biannual report about activities related to the HI Service which, at a minimum, provides a summary of

  1. any investigations commenced within the period and the findings and recommendations associated
  2. any assessments commenced within the period and the findings and any recommendations associated, and
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the biannual reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the My Health Records Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in biannual reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for biannual reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to the My Health Record system

Table A: Matters commenced and finalised during the reporting period 1 January 2017 to 30 June 2017.

                                        Received/commenced   Finalised       Open at
                                        during period        during period   30 June
  Assessments                           Nil                  Nil             1
  Complaints                            2                    1               1
  Commissioner-initiated investigations Nil                  Nil             Nil

Table B: Data breach notifications (DBNs) received and closed during the reporting period 1 January 2017 to 30 June 2017.[1]

                     Received in the period          Closed in the period            Open at 30 June
  Notifying party    Number   Number of healthcare   Number   Number of healthcare   Number   Number of healthcare
                     of DBNs  recipients affected    of DBNs  recipients affected    of DBNs  recipients affected
  System Operator    4        7[3]                   5        9[3]                   1        2[3]
  DHS[2]             11       35[3]                  16       45[3]                  4        8[3]

Details of assessments relating to the My Health Record system

Assessments commenced during the reporting period

None.

Assessments closed during the reporting period

None.

Assessments commenced in previous reporting periods and still underway

Assessment: The OAIC has conducted an assessment of the Department of Human Services (DHS) as a contractor to the System Operator for services related to the My Health Record system. In particular, the assessment focused on DHS’s privacy management and governance arrangements.

Status: Fieldwork was conducted in late March 2016. A draft report is being prepared.

Details of mandatory data breach notifications relating to the My Health Record system

Mandatory data breach notifications received during the reporting period

The OAIC received four mandatory data breach notifications from the System Operator during the reporting period. They involved the unauthorised access to a healthcare recipient’s My Health Record by a third party.

The OAIC also received 11 mandatory data breach notifications from DHS during the reporting period.

  • Nine notifications resulted from findings under the Medicare compliance and data integrity programs that certain Medicare claims made in the name of a healthcare recipient but not by that healthcare recipient were uploaded to their My Health Record. These notifications totalled 31 breaches, each of which affected a separate healthcare recipient.
  • Two notifications, each reporting a single breach affecting two healthcare recipients, related to healthcare recipients with similar demographic information having their Medicare records intertwined. As a result, Medicare claims belonging to another healthcare recipient were made available in the My Health Record of the record owner.

Mandatory data breach notifications closed during the reporting period

The OAIC completed its enquiries into three data breach notifications received from the System Operator in the reporting period and two from the previous reporting period. One data breach notification from the current reporting period remained open at 30 June 2017.

The OAIC completed its enquiries into seven data breach notifications received from DHS in the reporting period and nine from the previous reporting period. Four data breach notifications, all from the current reporting period, remained open at 30 June 2017.

Mandatory data breach notifications received in previous reporting periods and still open

None.

Details of complaints relating to the My Health Record system

Complaints received or finalised during, or still open at the end of the reporting period

The OAIC received two complaints during the reporting period. One complaint was finalised during the reporting period and the other remains open.

The finalised complaint related to operational issues regarding the My Health Record system. Following preliminary inquiries, the OAIC determined that the matter did not amount to an interference with privacy, and the complaint was closed on the grounds that there was no breach of the Privacy Act 1988. The matter was subsequently referred to the Agency, as System Operator for the My Health Record system. The Agency has responsibility for managing complaints concerning the My Health Record system, including complaints relating to operational issues and functionality of the system, as well as participants’ use of the system.

The OAIC is undertaking preliminary inquiries relating to an ongoing complaint. The complaint relates to concerns about the creation of a record and the opt-out process following the national expansion of the My Health Record system in 2018.

Compliance activities relating to the Healthcare Identifiers Service

Table C: Matters commenced and finalised during the reporting period 1 January to 30 June 2017.

                                        Received/commenced   Finalised       Open at
                                        during period        during period   30 June
  Complaints                            Nil                  Nil             Nil
  Commissioner-initiated investigations Nil                  Nil             Nil
  Assessments                           Nil                  Nil             Nil

Details of assessments relating to the Healthcare Identifiers Service

Assessments commenced during the reporting period

None.

Assessments commenced in previous reporting periods and still underway

None.

Other activities

The OAIC has initiated contact with the assessment target for an assessment relating to the handling of individual healthcare identifiers.


Footnotes

[1] Since the publication of the biannual report for the reporting period 30 June 2016 to 31 December 2016 the DBN figures for that period have been adjusted to reflect that four further DBNs, all notified by DHS, were closed in that period. These DBNs affected 25 individuals, each of which had a My Health Record.

[2] Department of Human Services.

[3] The total number of healthcare recipients affected by the DBNs includes individuals with and without a My Health Record at the time of the breach. Accordingly, for DHS, there were 34 affected individuals with a My Health Record in the DBNs received in the period, 37 affected individuals with a My Health Record in the DBNs closed in the period and 7 affected individuals with a My Health Record in the DBNs that remained open as at 30 June 2016. For the System Operator, there were 7 affected individuals with a My Health Record in the DBNs received, 8 affected individuals with a My Health Record in the DBNs closed in the period and 2 affected individuals with a My Health Record in the DBNs that remained open as at 30 June 2017.
