
Department of Health and Ageing MOU Quarterly Report For the period ending 30 September 2013


Mr Matthew Corkhill
Assistant Secretary
eHealth System Operations Branch
Department of Health
GPO Box 9848
CANBERRA CITY ACT 2601

Dear Mr Corkhill

I am pleased to provide you with the quarterly report for the period ending 30 September 2013, in accordance with:

  • section 3.3 of Schedule 1
  • section 3.6 of Schedule 2
  • section 10.1

to the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report please contact Jacob Suidgeest, Director Regulation and Strategy on (02) 9284 9809 or by email to jacob.suidgeest@oaic.gov.au.

Yours sincerely

 

Angelene Falk

Assistant Commissioner
Regulation and Strategy Branch

    October 2013

1. Advice, guidance, liaison and other activities under the MOU

Section 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed. 

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.6 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR System

Advice

Activity Item

Activity Description

Work Performed

S.3.1 (m)

Respond to requests for advice on the appropriate handling of PCEHR information from Commonwealth agencies, WA and SA public authorities, private sector organisations and individuals

  • Responded to two written enquiries from Consumers eHealth Alliance on various privacy aspects of the eHealth record system including the accuracy of PBS information contained in the PCEHR; the publication of quarterly reports under the MOU; and the use of myGov in the PCEHR registration process.
  • The OAIC Enquiries Line responded to one phone call about the PCEHR system regarding the operation of the eHealth portal. The caller was referred to the System Operator.

S.3.1 (r)

Comment on draft legislation that may interact with the Personally Controlled Electronic Health Records Act 2012 (where appropriate)

  • No draft legislation received.

 

Guidance

Activity Item

Activity Description

Work Performed

S3.1 (h)

Advise participants on their obligations in relation to PCEHR System and liaise with state and territory regulators

  • Continued to revise the draft guide to mandatory data breach notification under the PCEHR system, taking into account the possible effect of the Privacy Amendment (Privacy Alerts) Bill 2013.  
  • Explored options for a 'smart form' for breach notifications.

S.3.1 (n)

Provide telephone and written guidance to individuals and participants in the health care industry on their privacy compliance obligations in relation to the PCEHR System

  • Commenced work on the development of factsheets for healthcare providers on privacy and the eHealth system

S.3.1 (s)

Formulate Enforcement Guidelines for exercising the powers conferred on the Information Commissioner by the Personally Controlled Electronic Health Records Act 2012

  • Completed in previous quarter

 

Liaison

Activity Item

Activity Description

Work Performed

S.3.1 (o)

Liaise and coordinate on privacy related PCEHR activities with key stakeholder agencies (DoH, NeHTA and DHS-Medicare)

  • Prepared quarterly MOU report to 30 June 2013.
  • Met with NeHTA on 25 July 2013 regarding the upcoming PCEHR system audit.
  • Attended quarterly meeting with DoH on 2 August 2013. This meeting included discussion of the accuracy of PBS information in consumer PCEHRs.
  • Visited PCEHR system 'clean room' on 2 August 2013 to build OAIC understanding of the role of the clean room in the PCEHR system.
  • Visited Sydney data centre hosting the PCEHR system on 26 September 2013 to build OAIC understanding of the security and back-up mechanisms in place for protection of PCEHR system data.

S.3.1 (p)

Liaise and coordinate on privacy related PCEHR activities with PCEHR System operator

  • Sought briefing from DoH regarding alleged PCEHR data breach reported by ABC news.

 

Other activities

Activity Item

Activity Description

Work Performed

S3.1 (b)

Accept data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements

  • None received.

S3.1 (c)

Investigate failures to notify data breaches (where empowered to do so)

  • None required.

S3.1 (k)

Develop protocol with the System Operator for the referral of complaints and complex privacy enquiries

  • Received DoH comments on draft Information Sharing and Complaint Agreement between the OAIC and DoH on 8 August 2013. The OAIC will now provide a final draft to DoH for formal exchange.

S.3.1 (l)

Update internal reference materials

  • Continued research and drafting of an internal OAIC guide in relation to the acceptance of enforceable undertakings under the PCEHR Act.
  • Developing training presentations for OAIC Dispute Resolution staff on developments in eHealth and the Enforcement Guidelines.
  • Fifteen OAIC staff from Regulation and Strategy, Dispute Resolution and Legal Services participated in Australian Government Solicitor training on PCEHR legislation on 31 July and 1 August 2013.

S.3.1 (q)

Prepare privacy related PCEHR-related committee briefing material, speeches and media comment

  • Provided media comment to zdnet.com on 18 September 2013 regarding alleged PCEHR system data breach.

S.3.1 (t)

Monitor developments in eHealth to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR System in the broader eHealth context

  • OAIC staff continued to monitor news clips and subscribe to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.

S3.1 (u)

Monitor eHealth developments related to the PCEHR System to ensure that the OAIC is aware of the implications of any developments for the PCEHR system, and is able to ensure compatibility with the privacy aspects of the PCEHR system

  • Met with Safety in eHealth area of the Australian Commission on Safety and Quality in Health Care regarding their PCEHR clinical audits program on 16 September 2013.
  • Continued to consider assisted registration and possible privacy risks. Considered information received from DoH on 11 July 2013 and documents provided for the PCEHR system audit currently underway.
  • Monitored media reports regarding alleged PCEHR data breach and sought further information from DoH.
  • Continued to monitor media reports alleging inaccuracies in pharmaceutical information held in PCEHRs and sought further information from DoH at August quarterly meeting.

 

Activities relating to the HI Service

Advice

Activity Item

Activity Description

Work Performed

S3.1 (d)

Advise on obligations in relation to HIs and liaise with State and Territory privacy regulators as appropriate

  • None required.

S3.1 (f)

Respond to requests for advice on the appropriate handling of HIs from Commonwealth agencies, private sector organisations or individuals

  • The OAIC Enquiries Line responded to one phone call about the HI Service from an individual concerned about repeated access to the individual's healthcare identifier by a health service provider. The individual was provided with information about making a complaint to the OAIC. (See Complaints relating to the HI Service, below.)

S3.1 (m)

Comment on draft legislation that may interact with the HI Act

  • No draft legislation received.

 

Guidance

Activity Item

Activity Description

Work Performed

S3.1 (g)

Provide guidance to individuals and participants in the healthcare industry on their privacy compliance obligations in relation to HIs including, where appropriate, the development of information sheets, Frequently Asked Questions and articles in industry magazines

  • See 3.1(n) in relation to PCEHR above.

 

Liaison

Activity Item

Activity Description

Work Performed

S3.1 (l)

Liaise and coordinate with key agencies (DoHA, NeHTA and DHS-Medicare)

  • Met with key agencies to discuss eHealth (see S3.1(o) in relation to PCEHR above).
  • Met with Australian National Audit Office to discuss its audit of Medicare customer data and the extent it crosses over with the OAIC audit program.

S3.1 (n)

Participate in consultation and comment on eHealth developments that relate to the HI Scheme

  • No consultations occurred.

 

Other activities

Activity Item

Activity Description

Work Performed

S3.1 (j)

Receive Data Breach Notifications and undertake, where appropriate, action

  • None received.

S3.1 (k)

Develop internal training material and train staff

  • See 3.1(l) in relation to PCEHR above.

 

2. Compliance and enforcement activities

The Office of the Australian Information Commissioner (OAIC) is required to undertake a range of compliance and enforcement activities under the Memorandum of Understanding (MOU) with the Department of Health (DoH).

Section 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the Personally Controlled Electronic Health Records (PCEHR) system which, at a minimum, provide a summary of:

a. any complaints or compliance issues within the period and the outcomes or conciliation activities associated
b. any investigations commenced within the period and the findings and recommendations associated
c. any audits commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has statutory reporting obligations under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) (the PCEHR Act). [1]

Section 3.6 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the Healthcare Identifiers (HI) Service which, at a minimum, provide a summary of:

a. any investigations commenced within the period and the findings and recommendations associated
b. any audits commenced within the period and the findings and any recommendations associated
c. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has statutory reporting obligations under section 30 of the Healthcare Identifiers Act 2010 (Cth) (the HI Act). [2]

For consistency purposes, the quarterly reports will contain the same statistical reporting fields as the Commissioner's statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and audits) may not be available for quarterly reports where these matters are still being assessed for investigation or auditing.

 

Complaints relating to the PCEHR System

This section contains information on complaints made by individuals. Complaints received about the PCEHR system will be assessed under the provisions of the PCEHR Act and the Privacy Act to determine the most appropriate course of regulatory action. In some cases the Commissioner will decline to investigate a complaint, in other cases preliminary inquiries will need to be made before deciding whether to proceed to investigation.

Complaints subject to investigation are also mentioned under the section titled 'Investigations under section 40(1) of the Privacy Act'.

Table A Complaints received and finalised during the reporting period

Complaints                           1 July – 30 September
Received during period               0
Finalised during period              0
Complaints open at 30 September      0

Complaints received during the reporting period

NIL

Complaints finalised during the reporting period

NIL

Complaints commenced in the previous reporting period but still underway

NIL

 

Investigations in relation to the PCEHR system

Under the Privacy Act 1988 (Cth), the Commissioner will undertake investigations that arise from a complaint made by an individual about an act or practice that may be an interference with privacy. The Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy on his own motion.

Given that individual complaints may be the subject of investigation, there may be some matters reported under 'Complaints relating to the PCEHR System' that are also listed below.

Investigations under section 40(1) of the Privacy Act

Table B Investigations received and finalised during the reporting period (Section 40(1))

Investigations                           1 July – 30 September
Received during period                   0
Finalised during period                  0
Investigations open at 30 September      0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

 

Own motion investigations under section 40(2) of the Privacy Act

Table C Investigations received and finalised during the reporting period (Section 40(2))

Investigations                           1 July – 30 September
Received during period                   0
Finalised during period                  0
Investigations open at 30 September      0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway.

NIL

 

Audits relating to the PCEHR system

Audits commenced and ongoing during the reporting period

Audit: The OAIC is undertaking an audit of the PCEHR System Operator. The scope of the audit is the System Operator's policies and procedures for the collection of personal information during the PCEHR consumer registration process. During the reporting period the OAIC undertook fieldwork (3–5 July 2013) and commenced drafting of the audit report.

Status: Ongoing. A draft audit report is currently being finalised internally.

Audit: The terms of the second audit in relation to the PCEHR System Operator are being considered.

Status: Ongoing. Initial internal scoping underway.

Training

OAIC staff involved in handling complaints and conducting audits under the MOU participated in Australian Government Solicitor training on PCEHR legislation on 31 July and 1 August 2013. 

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

1

 

Complaints relating to the HI Service

Table B Complaints received and finalised during the reporting period

Complaints                           1 July – 30 September
Received during period               2
Finalised during period              0
Complaints open at 30 September      2

Complaints received during the reporting period

The OAIC received two related complaints during the reporting period on 5 September 2013.

In the first complaint, the complainant alleged that the respondent, a state healthcare provider, had inappropriately accessed the complainant's individual healthcare identifier (IHI) on multiple occasions. The complainant believed that the IHI had been accessed inappropriately because they had not received any services from the healthcare provider and due to the frequency of access during a short period.

In the second complaint, the complainant alleged that the respondent, an Australian government department, had collected the information accessed by the first respondent and used it in the assessment of a case concerning the complainant.

Complaints finalised during the reporting period

NIL

Complaints commenced in the previous reporting period but still underway

NIL

 

Investigations relating to the HI Service

Investigations under section 40(1) of the Privacy Act

Table D Investigations received and finalised during the reporting period (Section 40(1))

Investigations                           1 July – 30 September
Received during period                   0
Finalised during period                  0
Investigations open at 30 September      0

Investigations received during the reporting period

NIL [The complaints listed above may result in investigations.]

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

 

Own motion Investigations under section 40(2) of the Privacy Act

Table C Investigations received and finalised during the reporting period (Section 40(2))

Investigations                           1 July – 30 September
Received during period                   0
Finalised during period                  0
Investigations open at 30 September      0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway.

NIL

 

Audits relating to the HI Service

Audits commenced and ongoing during the reporting period

Audit: The OAIC is undertaking an audit of the Healthcare Identifiers Service Operator. The audit is focusing on the collection, use and disclosure of Individual Healthcare Identifiers and Healthcare Provider Identifiers – Individual.

During the reporting period the OAIC prepared a draft report, which was provided to the HI Service Operator on 31 July 2013. Comments received from the HI Service Operator have been incorporated. A revised report has been provided to the HI Service Operator, and the OAIC is waiting for the auditee to add its responses to the recommendations before the document is published.

Status: Ongoing. Awaiting auditee response.

Audit: The terms of a second audit in relation to the HI Service are being considered.

Status: Ongoing. Initial internal scoping underway.

Training

NIL

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

1


 [1] Under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) the Information Commissioner (the Commissioner) is required to prepare an annual report setting out the compliance and enforcement activities undertaken in relation to the PCEHR Act. This report must include:

(a) statistics of the following:

(i) complaints received by the Commissioner in relation to the PCEHR system;

(ii) investigations made by the Commissioner in relation to PCEHRs or the PCEHR system;

(iii) enforceable undertakings accepted by the Commissioner under this Act;

(iv) proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and

(b) any other matter prescribed by the regulations.

 [2] Section 30 of the Healthcare Identifiers Act 2010 (Cth) requires the Commissioner to prepare an annual report setting out the compliance and enforcement activities undertaken during the period.