
Department of Health and Ageing MOU Quarterly Report For the period ending 30 June 2013

PDF: DoHA OAIC MOU Quarterly Report – 30 June 2013 (675.88 KB)

Mr Matthew Corkhill
Assistant Secretary
eHealth System Operations Branch
Department of Health and Ageing
GPO Box 9848
CANBERRA CITY ACT 2601

Dear Mr Corkhill

I am pleased to provide you with the quarterly report for the period ending 30 June 2013, in accordance with:

  • section 3.3 of Schedule 1
  • section 3.6 of Schedule 2
  • section 10.1

to the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health and Ageing in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report please contact Jacob Suidgeest, Director Regulation and Strategy on (02) 9284 9809 or by email to jacob.suidgeest@oaic.gov.au

Yours sincerely


Timothy Pilgrim
Australian Privacy Commissioner

July 2013

1. Advice, guidance, liaison and other activities under the MOU

Section 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed. 

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.6 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR System

Advice

Activity Item

Activity Description

Work Performed

 S.3.1 (m)

Respond to requests for advice on the appropriate handling of PCEHR information from Commonwealth agencies, WA and SA public authorities, private sector organisations and individuals

  • Responded to two written enquiries from the Australian Privacy Foundation about the OAIC's consumer privacy fact sheets, complaints process, the Independent Advisory Council and the OAIC's MOU arrangements with DoHA.
  • Responded to phone and written enquiries from Consumers eHealth Alliance on various privacy aspects of the eHealth record system including the OAIC's MOU arrangements with DoHA, consumer privacy fact sheets, record accuracy and correction and the registration processes.
  • The OAIC Enquiries Line responded to two phone calls about the PCEHR system: one from an aged care facility wishing to know whether the PCEHR Act applied to its record-keeping activities; the other from an individual who received an eHealth brochure with their new Medicare card and wanted to know whether PCEHRs were compulsory.

 S.3.1 (r)

Comment on draft legislation that may interact with the Personally Controlled Electronic Health Records Act 2012 (where appropriate)

  • No draft legislation received.

 

Guidance

Activity Item

Activity Description

Work Performed

 S3.1 (h)

Advise participants on their obligations in relation to PCEHR System and liaise with state and territory regulators

  • Finalised the Information Sharing and Complaint Handling Arrangement between OAIC and state and territory regulators (see S3.1(k) below).
  • Currently liaising with parties to the Arrangement to share information about each party's jurisdiction in relation to the eHealth system.
  • Advised state and territory health and privacy regulators that the OAIC had published six consumer fact sheets.
  • Continued to revise the draft guide to mandatory data breach notification under the PCEHR system, taking into account the possible effect of the mandatory breach notification bill. Explored options for a 'smart form' for breach notifications.

 S.3.1 (n)

Provide telephone and written guidance to individuals and participants in the health care industry on their privacy compliance obligations in relation to the PCEHR System

  • Finalised six consumer fact sheets on privacy and the eHealth system and uploaded those fact sheets to the OAIC website on 5 June 2013.

 S.3.1 (s)

Formulate Enforcement Guidelines for exercising the powers conferred on the Information Commissioner by the Personally Controlled Electronic Health Records Act 2012

  • Finalised the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 and lodged the Guidelines with the Federal Register of Legislative Instruments on 19 June 2013.

 

Liaison

Activity Item

Activity Description

Work Performed

 S.3.1 (o)

Liaise and coordinate on privacy related PCEHR activities with key stakeholder agencies (DoHA, NeHTA and DHS-Medicare)

  • Prepared quarterly MOU report to 31 March 2013.
  • Attended quarterly meeting with DoHA on 18 April 2013.
  • Met with NeHTA on 18 April 2013 for an update on developments in the PCEHR system.
  • Met with DoHA on 2 May 2013 to discuss Release 3 of the PCEHR system and other new developments, including an imminent Privacy Impact Assessment of the system.

 S.3.1 (p)

Liaise and coordinate on privacy related PCEHR activities with PCEHR System operator

  • Provided comments to DoHA on 7 May 2013 regarding new and revised privacy notices associated with Release 3 of the PCEHR system.

 

Other activities

Activity Item

Activity Description

Work Performed

 S3.1 (b)

Accept data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements

  • None received.

 S3.1 (c)

Investigate failures to notify data breaches (where empowered to do so)

  • None required.

 S3.1 (k)

Develop protocol with the System Operator for the referral of complaints and complex privacy enquiries

  • Developed a draft Information Sharing and Complaint Agreement between the OAIC and DoHA and sent the Agreement to DoHA for comment on 7 May 2013. On receiving DoHA's response, the OAIC will finalise the draft and proceed with internal Executive level clearance.
  • Circulated the final Information Sharing and Complaint Handling Arrangement between OAIC and state and territory regulators with regulators on 15 April 2013, inviting participation in the Arrangement. As at 30 June 2013, parties to the Arrangement include the Office of the Information Commissioner, Qld; the Health Services Commissioner, ACT; Health Services Commissioner for Victoria; and South Australian Health and Community Services Complaints Commissioner. The Arrangement was uploaded to the OAIC website on 20 June 2013.

 S.3.1 (l)

Update internal reference materials

  • Revised the OAIC's complaint handling procedures manual in relation to PCEHR matters. The revisions are in internal clearance.
  • Finalised FAQs for internal use by the OAIC's Enquiries Line staff.
  • Revised internal guidance on the assessment of PCEHR complaints. The revised document is in internal clearance.
  • Prepared written guidance on data collection in relation to PCEHR enquiries.
  • Prepared written guidance on data collection during the assessment of PCEHR complaints. The guidance is in internal clearance.
  • Commenced research and drafting of an internal OAIC guide in relation to the acceptance of enforceable undertakings under the PCEHR Act.
  • Delivered a refresher training session to OAIC Enquiries Line staff, providing an update on PCEHR system functionality and an outline of the revised FAQs and data collection procedures.

 S.3.1 (q)

Prepare privacy related PCEHR-related committee briefing material, speeches and media comment

  • Prepared speaking points and background material on eHealth for the meeting of the Information Advisory Committee on 21 May 2013 and the teleconference of the Privacy Authorities of Australia group on 7 May 2013.

 S.3.1 (t)

Monitor developments in eHealth to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR System in the broader eHealth context

  • OAIC staff continued to monitor news clips and subscribe to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.

 S3.1 (u)

Monitor eHealth developments related to the PCEHR System to ensure that the OAIC is aware of the implications of any developments for the PCEHR system, and is able to ensure compatibility with the privacy aspects of the PCEHR system

  • Considered implications of media reports alleging inaccuracies in pharmaceutical information held in PCEHRs with a view to seeking a briefing from DoHA at the next quarterly meeting.
  • Sought a briefing from DoHA on 15 April 2013 regarding assisted registration issues raised in media reports.
  • Continued to monitor assisted registration and possible privacy risks and sought further information from DoHA on 27 June 2013.

 

Activities relating to the HI Service

Advice

Activity Item

Activity Description

Work Performed

 S3.1 (d)

Advise on obligations in relation to HI's and liaise with State and Territory privacy regulators as appropriate

  • None required.

 S3.1 (f)

Respond to requests for advice on the appropriate handling of HI's from Commonwealth agencies, private sector organisations or individuals

  • Responded to one request for advice regarding use of the Medicare number and provided some additional information about use of HIs.

 S3.1 (m)

Comment on draft legislation that may interact with the HI Act

  • No draft legislation received.

 

Guidance

Activity Item

Activity Description

Work Performed

 S3.1 (g)

Provide guidance to individuals and participants in the healthcare industry on their privacy compliance obligations in relation to HI's including, where appropriate, the development of information sheets, Frequently Asked Questions and articles in industry magazines

  • No new HI guidance developed.

 

Liaison

Activity Item

Activity Description

Work Performed

 S3.1 (l)

Liaise and coordinate with key agencies (DoHA, NeHTA and DHS-Medicare)

  • Met with key agencies to discuss eHealth (see S3.1(o) in relation to PCEHR above).

 S3.1 (n)

Participate in consultation and comment on eHealth developments that relate to the HI Scheme

  • No consultations occurred.

 

Other activities

Activity Item

Activity Description

Work Performed

 S3.1 (j)

Receive Data Breach Notifications and undertake, where appropriate, action

  • None received.

 S3.1 (k)

Develop internal training material and train staff

  • Induction training in relation to PCEHR and HI was delivered to new OAIC staff.
  • All staff currently involved in conducting audits under this MOU attended the three-day training course 'Fundamentals of Internal Auditing' conducted by the Institute of Internal Auditors.

 

2. Compliance and enforcement activities

The Office of the Australian Information Commissioner (OAIC) is required to undertake a range of compliance and enforcement activities under the Memorandum of Understanding (MOU) with the Department of Health and Ageing (DoHA). 

Section 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the Personally Controlled Electronic Health Records (PCEHR) system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated
  2. any investigations commenced within the period and the findings and recommendations associated
  3. any audits commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has statutory reporting obligations under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) (the PCEHR Act). [1]

Section 3.6 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the Healthcare Identifiers (HI) Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the findings and recommendations associated
  2. any audits commenced within the period and the findings and any recommendations associated
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has statutory reporting obligations under section 30 of the Healthcare Identifiers Act 2010 (Cth) (the HI Act). [2]

For consistency, the quarterly reports contain the same statistical reporting fields as the Commissioner's statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and audits) may not be available for quarterly reports where these matters are still being assessed for investigation or auditing.

Complaints relating to the PCEHR System

This section contains information on complaints made by individuals. Complaints received about the PCEHR system are assessed under the provisions of the PCEHR Act and the Privacy Act to determine the most appropriate course of regulatory action. In some cases the Commissioner will decline to investigate a complaint; in other cases preliminary inquiries will need to be made before deciding whether to proceed to investigation.

Complaints subject to investigation are also mentioned under the section titled 'Investigations under section 40(1) of the Privacy Act'.

Table A Complaints received and finalised during the reporting period

Complaints                      1 April – 30 June
Received during period          0
Finalised during period         0
Complaints open at 30 June      0

Complaints received during the reporting period

NIL

Complaints finalised during the reporting period

NIL

Complaints commenced in the previous reporting period but still underway

NIL

 

Investigations in relation to the PCEHR system

Under the Privacy Act 1988 (Cth), the Commissioner will undertake investigations that arise from a complaint made by an individual about an act or practice that may be an interference with privacy. The Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy on his own motion.

Given that individual complaints may be the subject of investigation, there may be some matters reported under 'Complaints relating to the PCEHR System' that are also listed below.

Investigations under section 40(1) of the Privacy Act

Table B   Investigations received and finalised during the reporting period (Section 40 (1))

Investigations                  1 April – 30 June
Received during period          0
Finalised during period         0
Investigations open at 30 June  0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

 

Own motion investigations under section 40(2) of the Privacy Act

Table C   Investigations received and finalised during the reporting period (Section 40 (2))

Investigations                  1 April – 30 June
Received during period          0
Finalised during period         0
Investigations open at 30 June  0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

 

Audits relating to the PCEHR system

Audits commenced and ongoing during the reporting period

Audit: The OAIC has commenced an audit of the PCEHR System Operator. The scope of the audit is the System Operator's policies and procedures for the collection of personal information during the PCEHR consumer registration process. During the reporting period the OAIC determined an appropriate audit target and audit methodology, developed the audit scope, objectives and assessment criteria, sent a formal notification letter to the System Operator, sought documentation from the System Operator, and conducted an initial review of those documents prior to commencing the fieldwork.

Status: Ongoing – Fieldwork is scheduled for 3-4 July 2013. Auditors will prepare a draft report following the fieldwork.

Training

All staff currently involved in conducting audits under this MOU attended the three-day training course 'Fundamentals of Internal Auditing' conducted by the Institute of Internal Auditors.

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

NIL

 

Complaints relating to the HI Service

Table B   Complaints received and finalised during the reporting period

Complaints                      1 April – 30 June
Received during period          0
Finalised during period         0
Complaints open at 30 June      0

Complaints received during the reporting period

NIL

Complaints finalised during the reporting period

NIL

Complaints commenced in the previous reporting period but still underway

NIL

 

Investigations relating to the HI Service

Investigations under section 40(1) of the Privacy Act

Table D   Investigations received and finalised during the reporting period

Investigations                  1 April – 30 June
Received during period          0
Finalised during period         0
Investigations open at 30 June  0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

 

Own motion Investigations under section 40(2) of the Privacy Act

Table C   Investigations received and finalised during the reporting period (Section 40 (2))

Investigations                  1 April – 30 June
Received during period          0
Finalised during period         0
Investigations open at 30 June  0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

 

Audits relating to the HI Service

Audits commenced and ongoing during the reporting period

Audit: The OAIC commenced an audit of the Healthcare Identifiers Service Operator. The audit is focusing on the collection, use and disclosure of Individual Healthcare Identifiers and Healthcare Provider Identifiers-Individual.

During the reporting period the OAIC determined an appropriate audit target and audit methodology, developed the audit scope, objectives and assessment criteria, sent a formal notification letter to the Service Operator, sought documentation from the Service Operator, and conducted an initial review of those documents prior to commencing the fieldwork. Fieldwork for this audit was conducted on 18-19 June 2013, and the draft report is currently being prepared.

Status: Ongoing – draft report currently being prepared.

Training

All staff currently involved in conducting audits under this MOU attended the three-day training course 'Fundamentals of Internal Auditing' conducted by the Institute of Internal Auditors.

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

NIL


 

[1] Under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) the Information Commissioner (the Commissioner) is required to prepare an annual report setting out the compliance and enforcement activities undertaken in relation to the PCEHR Act. This report must include:

  (a) statistics of the following:
    (i) complaints received by the Commissioner in relation to the PCEHR system;
    (ii) investigations made by the Commissioner in relation to PCEHRs or the PCEHR system;
    (iii) enforceable undertakings accepted by the Commissioner under this Act;
    (iv) proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  (b) any other matter prescribed by the regulations.

[2] Section 30 of the Healthcare Identifiers Act 2010 (Cth) requires the Commissioner to prepare an annual report setting out the compliance and enforcement activities undertaken during the period.