Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Memorandum of Understanding between the Australian Digital Health Agency and the Office of the Australian Information Commissioner (December 2017)

Memorandum of Understanding

Between:

The Office of the Australian Information Commissioner (“the OAIC”)
ABN: 85 249 230 937

and

Australian Digital Health Agency (“the Agency”)
ABN 84 425 496 912

(each a “Party”)

In relation to
Activities under the Privacy Act 1988 (Cth) (“Privacy Act”), the Healthcare Identifiers Act 2010 (Cth) (“HI Act”) and the My Health Records Act 2012 (Cth) (“My Health Records Act”)


This Memorandum of Understanding sets out operational and funding arrangements between the Parties in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

The Parties agree to carry out their respective obligations in accordance with this Memorandum of Understanding.

Signed on behalf of the Office of the Australian Information Commissioner by:

[signed]

Mr Timothy Pilgrim
Australian Information Commissioner
Office of the Australian Information Commissioner

DATE: 4 December 2017

Signed on behalf of the Australian Digital Health Agency by:

[signed]

Mr Tim Kelsey
Chief Executive Officer
Australian Digital Health Agency

DATE: 20 December 2017

 

1. Commencement and term

This Memorandum of Understanding (“MOU”) is effective on and from 1 October 2017 and will continue until 30 June 2019.

Back to Contents

2. Purpose

2.1 The purpose of this MOU is to set out the operational and funding arrangements between the OAIC and the Agency, by which the OAIC will provide advice, assistance and an independent regulatory service for the handling and management of personal information and Healthcare Identifiers in relation to and within the My Health Record system and the Healthcare Identifiers service in accordance with the Privacy Act, My Health Records Act and HI Act.

2.2 More specifically, this MOU sets out the amount of Funds that the Agency agrees to pay the OAIC for the period of the MOU in order for the OAIC to carry out the Activities.

2.3 The Parties recognise the OAIC’s role as an independent adviser to the Australian Government, and that the Australian Information Commissioner is an independent regulator appointed under the Australian Information Commissioner Act 2010. The parties agree that this MOU does not impose any obligation on the Australian Information Commissioner or the OAIC to the extent it would be inconsistent with the Australian Information Commissioner’s role as an independent regulator.

2.4 This MOU details how the Parties will work together and itemises obligations and the ways in which financial resources will be utilised.

2.5 The Activities to be implemented under this MOU as at the date of this MOU are set out in Schedule 1 to this MOU.

Back to Contents

3. Definitions

The following definitions apply in this MOU:

TermDefinition

Activity

means each activity described in Schedule 1 to this MOU, for which Funds are paid by the Agency, or such other activities as the parties may agree in writing.

Agency

means the Australian Digital Health Agency.

Agency Personnel

means personnel either employed by the Agency, or engaged by the Agency on a contract basis, or agents of the Agency engaged in the Activity.

Commonwealth

means the Commonwealth of Australia.

Confidential Information

means information (other than the terms of this Agreement) that:

  1. is designated by either Party as confidential; or
  2. each Party knows or could reasonably be expected to know is confidential; and
  3. would satisfy the confidentiality test in the Department of Finance’s publication “Confidentiality Throughout the Procurement Cycle”,

as agreed by the Parties.

Contact Officer

means the officer who at that time is holding the nominated contact position for a Party to this MOU.

Funds or Funding

means the maximum amount of money payable by the Agency to the OAIC under this MOU to carry out the Activities, as set out in Schedule 2.

HI

means Healthcare Identifiers, as defined in the Healthcare Identifiers Act 2010 (Cth) (HI Act).

HI Act

means Healthcare Identifiers Act 2010 (Cth).

Information Sharing Agreement

means ‘Agreement for information sharing and complaint referral relating to the My Health Record system between the OAIC and the System Operator’ that has been developed to address information sharing and complaint referral matters relating to the My Health Record system.

Intellectual Property

means business names, copyrights, patents, trademarks, service marks, trade names, designs and similar industrial, commercial and intellectual property.

Law

 

means any applicable statute, regulation, by-law, ordinance or subordinate legislation in force from time to time anywhere in Australia, whether made by a State, Territory, the Commonwealth or a local government, and includes the common law as applicable from time to time.

MOU

means this Memorandum of Understanding, and includes the Schedules.

My Health Record

has the same meaning as in the My Health Records Act.

My Health Records Act

means the My Health Records Act 2012 (Cth).

My Health Record system

has the same meaning as in the My Health Records Act.

OAIC

means the Office of the Australian Information Commissioner established by section 5 of the Australian Information Commissioner Act 2010.

OAIC Personnel

means personnel either employed by the OAIC, or engaged by the OAIC, on a contract basis, or agents of the OAIC, engaged in the Activity.

Party

means the OAIC and/or the Agency as the context requires.

Privacy Act

means the Privacy Act 1988 (Cth).

Schedule

means the schedules to this MOU which sets out the Activities the OAIC will undertake under this MOU and the corresponding Funding to be paid by the Agency for the performance of those Activities.

Back to Contents

4. Interpretation

4.1 Each Party acknowledges that nothing in this MOU supersedes or overrides the Laws governing their organisation.

4.2 In the event of any inconsistency between the terms and conditions contained in the clauses of the MOU and/or part of the Schedules then the terms and conditions of the clauses shall take precedence to the extent of the inconsistency.

4.3 In this MOU, unless a contrary intention appears:

  1. reference to an attachment is a reference to an attachment to this MOU;
  2. words in the singular include the plural and vice versa;
  3. a reference to the word “including” in any form is not to be construed or interpreted as a work of limitation; and
  4. words imparting a gender include any other gender.

Back to Contents

5. The Agency’s responsibilities

5.1 The Agency will pay the OAIC the Funds specified in Schedule 2 in consideration for the OAIC performing the Activities in in accordance with the Milestones set out in S3 of Schedule 2.

5.2 In furtherance of the Activity objectives, the Agency will:

  1. provide appropriately qualified and experienced Agency Personnel in order to perform its obligations under this MOU; and
  2. take all reasonable endeavours to provide assistance and information as the OAIC requests where this is necessary to enable the OAIC to perform the Activities.

5.3 The Agency will not represent the OAIC as endorsing or approving any proposal in connection with the Activities, unless the OAIC has specifically done so in writing. If in the particular circumstances it is impracticable to await or provide a proposal in writing, verbal endorsement or approval must be sought.

5.4 The Agency will consult with the OAIC prior to releasing any public document or press release in connection with the Activities which attributes a regulatory or policy position to the OAIC.

Back to Contents

6. Office of the Australian Information Commissioner’s responsibilities

6.1 The OAICwill perform the Activities set out in Schedule 1. The ability of the OAIC to perform these Activities in a timely manner may depend on the Agency’s compliance with clause 5.2(b) of this MOU.

6.2 The OAICwill provide the Agency with timely written advice on any proposed changes to the Activity work program.

6.3 The OAICwill provide appropriately qualified and experienced OAIC Personnel in order to perform its obligations under this MOU.

Back to Contents

7. Joint responsibilities

7.1 The Parties have an obligation to assist each other in meeting their accountability obligations, including:

  1. appearances before Parliamentary and Cabinet Committees;
  2. relevant discussions and negotiations with other portfolios; and
  3. providing assistance necessary to respond to Parliamentary and Ministerial correspondence.

7.2 Each Party will co-operate in advancing best practice in relation to the Activities, noting the OAIC’s ultimate responsibility to account to the Agency on the conduct of the Activities. The OAIC will provide to the Agency an annual financial acquittal report on the use of the Funds paid to it for the performance of the Activities.

7.3 The Parties acknowledge their obligations under the My Health Records Act and the HI Act to prepare annual reports each financial year on the relevant activities during the financial year, so far as they relate to these Acts.

7.4 If, at the conclusion of the Activity, any part of the Funds have not been spent by the OAIC (the unexpired sum), the Parties will decide jointly whether some or all of the unexpired sum is to be refunded to the Agency or carried over into a successive MOU in respect of jointly agreed additional activities.

7.5 The Parties will alert each other to matters relating to this MOU that have attracted or are likely to attract media attention.

Back to Contents

8. Financial arrangements and payments

8.1 Financial Arrangements

The Agency agrees to provide Funding to the OAICfor the Activities set out in Schedule 2 and in accordance with the Milestones set out in S3 of Schedule 2.

8.2 Payments and Invoices

  1. The Agency will make payment of the Funds specified in Schedule 2 within 30 days of receipt of a correctly rendered invoice from the OAIC.
  2. A “correctly rendered invoice” is an invoice that:
    1. relates only to performance of an Activity and is payable in accordance with a milestone set out in S3 of Schedule 2;
    2. claims the amount of Funds properly payable and calculated in accordance with Schedule 2;
    3. the name of the Agency’s Contact Officer; and
    4. a valid tax invoice in accordance with the GST Act.
  3. If an invoice is rendered incorrectly, any underpayment or overpayment will be recoverable by or from the Agency and may be offset against or added to amounts subsequently due from the Agency.
  4. For the purposes of this clause, “GST Act” means A New Tax System (Goods and Services Tax) Act 1999 and any applicable rulings of the Australian Taxation Office.

8.3 Accounts, Records and Access

  1. Each Party will keep proper and detailed accounts and records in relation to each Activity performance and expenditure incurred by them under this MOU. Each Party will maintain such accounts and records for a minimum period of seven years following the completion of all the Activities.

  2. Each Party will provide the other with sufficient information to enable the other to monitor expenditure, resolve queries, complete internal audit processes and comply with regulatory requirements and procedures, including, without limitation, those imposed by the Public Governance, Performance and Accountability Act 2013 (Cth)and the Australian National Audit Office.

Back to Contents

9. Intellectual property

9.1 The title to and ownership of all Intellectual Property in all material arising out of the Activities will vest in the Commonwealth. The OAIC grants to the Agency a fee free, non-exclusive, perpetual, irrevocable, world-wide licence to use the Intellectual Property, in all material arising out of the Activities, for and in relation to the Agency’s functions and powers.

Back to Contents

10. Dispute resolution

10.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith. Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

Back to Contents

11. Termination and suspension

11.1 Activities may be terminated due to a change in government policy.

11.2 Either Party may terminate this MOU by providing six months written notice to the other Party.

11.3 Where either Party is prevented from performing its obligations in the Schedules by circumstances or events reasonably beyond its control, it will promptly notify the other Party and take all reasonable steps to mitigate the impact (financial or otherwise) on the Activities. The Parties will discuss the circumstances or events and may agree that further implementation of Activities (or an Activity) should be suspended or terminated.

11.4 Upon termination or suspension under this clause 11, the Parties will discuss in good faith the financial and other arrangements applicable to the termination or suspension. The Agency will pay the OAICsuch amount as is fair and reasonable in the circumstances based upon the proportion of work completed or reasonable and substantiated costs incurred by the OAIC prior to such termination or suspension and otherwise in accordance with the Schedules. The Agency will not be liable to pay any amount in excess of the amount of Funds remaining unpaid for the next relevant milestone set out in Schedule 2 under this MOU at the date of termination.

Back to Contents

12. Information sharing

12.1 The Parties agree to work together to share information relating to their respective roles and obligations under this MOU, subject to the Information Sharing Agreement, and the requirements of any relevant Law.

Back to Contents

13. Confidentiality

13.1 For public transparency and accountability purposes, the terms of the MOU are not confidential.

13.2 If it is necessary to deal with Confidential Information, the Parties will have regard to any applicable Law.

13.3 Neither Party will, without the prior written approval of the other Party, make public or disclose to any other person any Confidential Information. In granting its written approval, a Party may impose such terms and conditions as it deems appropriate.

13.4 Clause 13.2 does not apply to the extent that Confidential Information:

  1. is disclosed by a Party to its personnel, solely to enable effective management of this MOU and the provision of privacy-related services under the Privacy Act, the My Health Records Act and the HI Act;
  2. is disclosed by a Party to a responsible Minister;
  3. is disclosed by a Party in response to a request by a House or a Committee of Parliament; or
  4. is authorised or required by Law to be disclosed.

Back to Contents

14. Sub-contracting

14.1 The OAIC must make available to the Agency the details of any subcontractors engaged to provide the Activities under this MOU.

Back to Contents

15. Work plan and meetings

15.1 The Parties will formally meet biannually either through teleconferencing, video conferencing or face-to-face meetings to discuss:

  1. the Parties progress against a work plan for the purposes of undertaking the Activities in Schedule 1; and
  2. any other engagement between the Agency and the OAIC in relation to the Activities during that six months.

15.2 The Parties may informally arrange additional meetings to discuss issues as they arise.

Back to Contents

16. Amendments

16.1 The Parties may amend or vary this MOU at any time by agreement in writing signed by their respective authorised representative.

16.2 The Parties may amend or vary a Schedule at any time by substituting the relevant Schedule in its entirety with the amended or varied Schedule as agreed by the Parties in writing.

16.3 An amendment or variation to this MOU takes effect on the date it is signed by the Parties or on a date agreed by the Parties in writing.

Back to Contents

17. Conflict of interest

17.1 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner.

17.2 Each Party confirms that no conflict of interest exists or is likely to arise in relation to the performance of its obligations under this MOU. Each Party will use its best endeavors to ensure that no such conflict of interest, or perceived conflict of interest, arises and will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

Back to Contents

18. Notices

18.1 Any notice under this MOU may be in written or electronic form and delivered by the most appropriate means determined by the sending Party.

18.2 The Contact Officer for each Party and each Party’s address for the service of notices under this MOU is listed below.

18.3 The Parties may change the Contact Officer and address for the service of notices by letter signed by their respective authorised representative.

18.4 All communication about the operation of this MOU is to be made through the nominated Contact Officer.

The Agency
Contact Name & Position: Kim Webber
General Manager, Strategy
Telephone: [contact details removed]
Facsimile: [contact details removed]
Email Address: [contact details removed]
Street Address: Level 25/56 Pitt Street SYDNEY NSW 2000
Office of the Australian Information Commissioner
Contact Name & Position: Sarah Ghali
Director
Regulation and Strategy
Telephone: [contact details removed]
Facsimile: N/A
Email Address: [contact details removed]
Postal Address: GPO Box 5218
Sydney NSW 2001
Street Address: Level 3
175 Pitt Street
Sydney NSW 2000

Back to Contents

SCHEDULE 1 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the My Health Records Act 2012 (“My Health Records Act”)

This Schedule 1 sets out the Activities the OAIC will perform in relation to providing advice, assistance and an independent regulatory oversight functions for the My Health Record system and the Healthcare Identifiers service (HI service), which will be implemented under this Memorandum of Understanding.

Activity number

Description of Activity

1.

The OAIC will respond to complaints received relating to the privacy aspects of the My Health Record system and the HI service as the Information Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint.

2.

The OAIC will investigate on the Information Commissioner’s own initiative where appropriate, acts and practices that may be a misuse of Healthcare Identifiers, or a contravention of the My Health Records Act in connection with health information contained in a consumer’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act by Commonwealth agencies, private sector organisations, individuals or state and territory public authorities (where applicable).

3.

The OAIC will receive data breach notifications relating to the My Health Record system and the HI service and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements.

4.

The OAIC will investigate failures to notify My Health Record system data breaches (where empowered to do so).

5.

The OAIC will exercise, as the Information Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system including:

  1. the power to make a determination;
  2. the power to accept an enforceable undertaking and, if the Information Commissioner considers that a person has breached an undertaking, apply to a Court for an order directing the person to comply with the undertaking or any other order that the Court considers appropriate;
  3. the power to seek an injunction to prohibit or require particular conduct; and
  4. the power to seek civil penalties.
6.

The OAIC will conduct a minimum of four and up to six assessments during the period covered by this MOU in relation to the My Health Record system and the HI service. These will be subject to a work plan developed by the OAIC in consultation with the Agency.

7.

The OAIC will respond to enquiries and requests for advice on the appropriate handling of Healthcare Identifiers and My Health Record information and other privacy compliance obligations in relation to the HI service and the My Health Record system.

8.

The OAIC will prepare and/or update written guidance materials for individuals and participants in the healthcare industry and the My Health Record system on the appropriate handling of HIs and My Health Record information and other privacy compliance obligations in relation to the HI service and the My Health Record system. This includes guidance for exercising the powers conferred on the Information Commissioner by the My Health Records Act as required. It also includes internal reference materials, such as those used for staff training.

9.

The OAIC will liaise and coordinate on privacy related HI and My Health Record activities with key agencies, including state and territory regulators, where appropriate.

10.

The OAIC will prepare HI related and My Health Record related briefing material, speeches, articles and media comment on privacy matters.

11.

The OAIC will participate in consultations and comment on digital health developments that relate to the HI service and My Health Record system, including commenting on draft legislation that may interact with the HI Act and the My Health Records Act.

12.

The OAIC will monitor developments in digital health, the HI service and the My Health Record system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the HI service and My Health Record system and the broader digital health context.

Back to Contents

SCHEDULE 2 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the My Health Records Act 2012 (“My Health Records Act”)

Financial arrangements

S1 This Schedule 2 sets out the Funds payable under this MOU that must be applied to the OAIC’s performance of the Activities.

S2 The maximum amount of Funds payable by the Agency in respect of the Activity during the term of this MOU is $3,622,500.00 (GST exclusive). The Agency will not be liable for any amount, costs or expenditure incurred by the OAICin excess of this amount. However, the Parties acknowledge that the maximum amount of funds to be provided by the Agency to the OAIC in respect of the Activities or related to the Activities during the period 1 July 2017 to 30 June 2019 is $4,140,250.00 (GST exclusive) which maximum amount includes the Funds payable under this MOU and the payment of an amount of $517,750.00 pursuant to the letter arrangement between the Parties dated 21 August 2017 in respect of the period 1 July 2017 to 30 September 2017.

S3 The Agency will pay the OAIC the Funds in accordance with the timetable set out below.

Milestone

Due Date

Payment Amount (exclusive of GST)

End of Q2 of 2017-18

31 December 2017

$517,500.00

End of Q3 of 2017-18

31 March 2018

$517,500.00

End of Q4 of 2017-18

30 June 2018

$517,500.00

End of Q1 of 2018-19

30 September 2018

$517,500.00

End of Q2 of 2018-19

31 December 2018

$517,500.00

End of Q3 of 2018-19

31 March 2019

$517,500.00

End of Q4 of 2018-19

30 June 2019

$517,500.00

Grand Total

 

$3,622,500.00

S4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 8 of the MOU. Claims will be forwarded to:

Ms Kim Webber
General Manager, Strategy
Australian Digital Health Agency
[contact details removed]
Level 25/56 Pitt Street SYDNEY NSW 2000

S6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.

S7 The parties recognise that the intention is for the Activities in this Schedule and the financial arrangements to apply from 1 October 2017.

Back to Contents