Department of Health MOU Quarterly Report for the period ending 30 September 2014


Ms Teressa Ward
Assistant Secretary
eHealth Change & Adoption Branch
Department of Health
GPO Box 9848
CANBERRA ACT 2601

Dear Ms Ward

I am pleased to provide you with the quarterly report for the period ending 30 September 2014, in accordance with Section 3.3 of Schedule 1, Section 3.3 of Schedule 2 and Section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report please contact Andrew Solomon on [contact details removed].

Yours sincerely

Angelene Falk
Assistant Commissioner
October 2014

Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report quarterly under the Memorandum of Understanding (MOU) with the Department of Health (Health) in relation to Personally Controlled Electronic Health Records (PCEHR) system and Healthcare Identifiers (HI) system activities.

Clause 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.3 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC received an enquiry from the Australian Privacy Foundation (APF) regarding Health’s use of SurveyMonkey for the PCEHR Review survey. The OAIC has requested further information from Health and provided an interim response to the APF. The OAIC will respond in full to the APF once further information is received from Health. The OAIC also responded to a request for media comment on this enquiry.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for participants in the PCEHR system on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC made minor revisions to its seven PCEHR consumer fact sheets, to reflect amendments to the Privacy Act 1988 (Privacy Act), reflect PCEHR system updates and improve readability.
  • The OAIC continued the development of draft resources for healthcare providers on privacy and the PCEHR system.
S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the PCEHR Act as required
  • The OAIC continued work on revising the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 to incorporate the Information Commissioner’s new enforcement powers under the Privacy Act and to ensure that the Guidelines are consistent with the OAIC’s draft Privacy regulatory action policy.
  • The OAIC also continued work on developing the Guide to the OAIC’s privacy regulatory action. This Guide is relevant to the OAIC’s powers under both the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Privacy Act and will provide stakeholders with a more detailed understanding of when and how the OAIC will exercise particular powers.
  • The OAIC continued work on the draft guide to mandatory data breach notification under the PCEHR System following consultation, including analysis of issues arising from feedback and how comments have been addressed in the guide.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related PCEHR activities with the System Operator and other key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC provided written comments for Health to consider on the PCEHR privacy policy at www.ehealth.gov.au.
  • The OAIC responded to an enquiry from Health on the OAIC’s ‘Privacy fact sheet 15: Ten tips for protecting the personal information in your eHealth record’.
  • The OAIC provided comments on Health’s revised draft of the Assisted Registration: A Guide for Healthcare Provider Organisations.
  • The OAIC attended a quarterly MOU meeting with Health on 30 July 2014.
  • The OAIC prepared a quarterly MOU report for the period ending 31 July 2014.
  • The OAIC produced an Annual Report of the Information Commissioner’s activities during 2013–14 in relation to the PCEHR system, in accordance with s 106 of the PCEHR Act.
S3.1(k) – Liaise and coordinate on privacy-related PCEHR activities with state and territory regulators
  • None required.

Other activities

S3.1(l) – Prepare PCEHR-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(m) – Comment on draft legislation that may interact with the PCEHR Act (where appropriate)
  • No draft legislation was received.
S3.1(n) – Participate in consultations and comment on eHealth developments that relate to the PCEHR system
  • The OAIC provided a submission to Health’s consultation on Pathology and the PCEHR System and Diagnostic Imaging and the PCEHR System which proposed models for the inclusion of pathology and diagnostic imaging results in the PCEHR system.
  • The OAIC attended stakeholder consultations on recommendations of the PCEHR review. These included a consumer-focused consultation in Canberra on 25 July 2014, and a provider-focused consultation in Sydney on 29 July 2014.
  • The OAIC attended a teleconference with Health relating to the PCEHR review.
  • The OAIC made a submission in response to the Australian Law Reform Commission’s discussion paper on Equality, Capacity and Disability in Commonwealth Laws, which included proposals for changes to the terminology used to describe authorised and nominated representatives in the PCEHR Act.
S3.1(o) – Update internal reference materials and provide staff training as necessary
  • As noted above under S3.1(i), the OAIC continued development of the Guide to the OAIC’s privacy regulatory action, which will be an internal reference for OAIC staff as well as providing guidance for external stakeholders.
S3.1(p) – Monitor developments in eHealth and the PCEHR system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR system and the broader eHealth context
  • The OAIC attended the Health Informatics Society of Australia’s digital health, eHealth and health informatics conference in Melbourne on 13 and 14 August 2014.
  • OAIC staff continued to monitor news clips and subscribe to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.

Activities relating to the Healthcare Identifiers service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • None required.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for participants in the healthcare industry on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • The OAIC made minor revisions to its three HI business resources and one HI agency resource, to reflect amendments to the Privacy Act, reflect system updates and improve readability.

Liaison

S3.1(g) – Liaise and coordinate on privacy-related HI activities with key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC attended a quarterly meeting with Health on 30 July 2014.
  • The OAIC prepared a quarterly MOU report for the period ending 31 July 2014.
  • The OAIC produced an Annual Report of the Information Commissioner’s activities during 2013–14 in relation to the HI service, in accordance with s 30 of the Healthcare Identifiers Act 2010 (HI Act).
S3.1(h) – Liaise and coordinate on privacy-related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(j) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(k) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • No draft legislation was received.
S3.1(l) – Participate in consultations and comment on eHealth developments that relate to the HI service
  • None required.
S3.1(m) – Update internal reference materials and provide staff training as necessary
  • None required.
S3.1(n) – Monitor developments in eHealth and the HI service to ensure the OAIC is aware of the implications of any developments for the HI service and able to offer informed advice about privacy aspects of the operation of the HI service in the broader eHealth context.
  • The OAIC attended the Health Informatics Society of Australia’s digital health, eHealth and health informatics conference in Melbourne on 13 and 14 August 2014.
  • OAIC staff continued to monitor news clips and subscribe to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.

Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Clause 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the PCEHR system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated;
  2. any investigations commenced within the period and the findings and recommendations associated; and
  3. any assessments commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has annual statutory reporting obligations under section 106 of the PCEHR Act.

Clause 3.3 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the HI Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the findings and recommendations associated;
  2. any assessments commenced within the period and the findings and any recommendations associated; and
  3. any complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the quarterly reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for quarterly reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to PCEHR system

Table A: Matters commenced and finalised during the reporting period 1 July to 30 September
                                        Received/commenced   Finalised       Open at
                                        during period        during period   30 September
Complaints                              Nil                  Nil             Nil
Commissioner-initiated investigations   Nil                  Nil             Nil
Assessments                             Nil                  2               1
Mandatory data breach notifications     4                    Nil             5

Details of assessments relating to the PCEHR system

Assessments commenced during the reporting period

Assessment: Nil

Status: The OAIC is currently considering the scope of further assessments. These assessments will commence in the next quarter.

Assessments closed during the reporting period

Assessment: The OAIC has completed its assessment of the Western Sydney Medicare Local (WSML). The scope of the assessment was WSML’s assisted registration practices. During the reporting period, the OAIC finalised the assessment report.

Status: Completed.

Assessment: The OAIC completed its first audit of the PCEHR System Operator. The scope of the audit was the System Operator’s policies and procedures for the collection of personal information during the PCEHR consumer registration process. During the reporting period the OAIC received comments from the System Operator and finalised the report.

Status: Completed.

Assessments commenced in previous reporting periods and still underway

Assessment: The OAIC has continued its assessment of the assisted registration policies of ten healthcare provider organisations undertaking assisted registration. The scope of the assessment is how these policies address the privacy obligations set out in Australian Privacy Principles 3 and 11, relating to the collection and security of personal information. During the reporting period the OAIC provided a further draft assessment report to the System Operator following the System Operator’s earlier comments.

Status: Awaiting comments from the System Operator.

Details of mandatory data breach notifications relating to the PCEHR system

Mandatory data breach notifications received during the reporting period

During the reporting period the OAIC received four data breach notifications, each affecting one individual, from the Chief Executive Medicare in their capacity as a registered repository operator under s 38 of the PCEHR Act. The notifications resulted from data integrity activity initiated by the Department of Human Services to identify intertwined Medicare records. An intertwined Medicare record exists when, by error, two consumers share the same Medicare record.

In each of the notified cases, one of the two consumers holding the intertwined Medicare record created an eHealth record and caused the MBS and PBS data of both consumers to be uploaded from the Medicare record to that eHealth record. The OAIC is seeking further information on this issue.

Mandatory data breach notifications closed during the reporting period

Nil

Mandatory data breach notifications received in previous reporting periods and still open

The OAIC is continuing its enquiries into the data breach notification received from the System Operator in the previous reporting period. This notification was referred to in the last quarterly report.

Compliance activities relating to Healthcare Identifiers service

Table B: Matters commenced and finalised during the reporting period 1 July to 30 September
                                        Received/commenced   Finalised       Open at
                                        during period        during period   30 September
Complaints                              Nil                  Nil             Nil
Commissioner-initiated investigations   Nil                  Nil             Nil
Assessments                             Nil                  Nil             Nil