Memorandum of Understanding between the Australian Digital Health Agency and the Office of the Australian Information Commissioner (October 2016)

Memorandum of Understanding

Between:

The Office of the Australian Information Commissioner (“the OAIC”)
ABN: 85 249 230 937

and

Australian Digital Health Agency (“the Agency”)
ABN 84 425 496 912

(each a “Party”)

In relation to
Activities under the Privacy Act 1988 (Cwth) (“Privacy Act”), the Healthcare Identifiers Act 2010 (Cwth) (“HI Act”) and the My Health Records Act 2012 (Cwth) (“My Health Records Act”)


This Memorandum of Understanding sets out the shared goals and funding arrangements between the Parties in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010. This Memorandum of Understanding sets out the contribution each Party will make in pursuit of these goals, and the means by which each Party will ensure that it satisfies the accountability obligations.

The Parties agree to carry out their respective obligations in accordance with this Memorandum of Understanding.

Signed on behalf of the Office of the Australian Information Commissioner by:

[signed]

Mr Timothy Pilgrim
Acting Australian Information Commissioner

DATE 23/9/2016

Signed on behalf of the Australian Digital Health Agency by:

[signed]

Mr Tim Kelsey
Chief Executive Officer
Australian Digital Health Agency

DATE 7/10/2016

 

1. Commencement and term

1.1 This Memorandum of Understanding (“MOU”) commences on the date of execution and will continue until 30 June 2017.

2. Purpose

2.1 The purpose of this MOU is to set out the operational and funding arrangements that will guide cooperation between the OAIC and the Agency in relation to:

  1. delivering an independent regulatory service in relation to the handling of Healthcare Identifiers and the operation of the HI service as provided by the Privacy Act and the HI Act; and
  2. delivering an independent regulatory service in relation to the handling of personal information within the My Health Record system as provided by the Privacy Act and the My Health Records Act.

2.2 This MOU details how the Parties will work together and the ways in which financial resources will be utilised and risks managed. It itemises overall goals and Party obligations, including accountability requirements, while taking into account the Australian Information Commissioner’s role as an independent regulator and an independent adviser to the Australian Government, and the OAIC’s role as an independent statutory office with regulatory functions.

2.3 The Activities to be implemented under this MOU will be agreed in writing between the Parties and will form two separate Schedules to this MOU.

3. Interpretation

3.1 Definitions

The following definitions apply in this MOU:

Activity means the activity described in Schedules 1 and 2 to this MOU, for which funds are provided by the Agency.

Agreement means ‘Agreement for information sharing and complaint referral relating to the My Health Records system between the OAIC and the System Operator’ that has been developed to address information sharing and complaint referral matters relating to the My Health Record system.

Commonwealth means the Commonwealth of Australia.

Confidential Information means information that:

  1. is designated by either Party as confidential; or
  2. each Party knows or could reasonably be expected to know is confidential.

Contact Officer means the officer who at that time is holding the nominated contact position for a Party to this MOU.

Agency means the Australian Digital Health Agency.

Agency Personnel means personnel either employed by the Agency, or engaged by the Agency on a sub-contract basis, or agents of the Agency engaged in the Activity.

HI means Healthcare Identifiers, as defined in the HI Act.

HI Act means the Healthcare Identifiers Act 2010 (Cwth).

Intellectual Property means business names, copyrights, patents, trademarks, service marks, trade names, designs and similar industrial, commercial and intellectual property.

Law means any applicable statute, regulation, by-law, ordinance or subordinate legislation in force from time to time anywhere in Australia, whether made by a State, Territory, the Commonwealth or a local government, and includes the common law as applicable from time to time.

MOU means this Memorandum of Understanding, and includes the Schedule and attachments.

My Health Record has the same meaning as in the My Health Records Act.

My Health Record system has the same meaning as in the My Health Records Act.

OAIC means the Office of the Australian Information Commissioner established by section 5 of the Australian Information Commissioner Act 2010.

OAIC Personnel means personnel either employed by the OAIC, or engaged by the OAIC, on a contract basis, or agents of the OAIC, engaged in the Activity.

Party means the OAIC and/or the Agency as the context requires.

Privacy Act means the Privacy Act 1988 (Cwth).

Schedule means the schedules to this MOU which set out the written agreement of the Parties in respect of the Activity.

3.2 In this MOU, unless a contrary intention appears:

  1. reference to an attachment is a reference to an attachment to this MOU;
  2. words in the singular include the plural and vice versa;
  3. a reference to the word “including” in any form is not to be construed or interpreted as a word of limitation; and
  4. words importing one gender include each of the other genders.

4. Policy principles

4.1 The Parties will work towards shared goals in accordance with the principles and procedures set out in the Privacy Act, the HI Act and the My Health Records Act.

5. Accountability framework

5.1 Each Party will cooperate in advancing best practice in implementing Activities noting the OAIC’s ultimate responsibility to account for and report on the funds made available for the Activities funded under this MOU.

6. Joint responsibilities

6.1 Achieving greater coordination in policy advice and program and service delivery is a high priority of public administration in Australia. Whole of government denotes public service agencies working across portfolio boundaries to achieve a shared goal and an integrated government response to particular issues.

6.2 In this context, setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

6.3 The Parties have an obligation to assist each other in meeting their accountability obligations including:

  1. appearances before Parliamentary and Cabinet Committees;
  2. relevant discussions and negotiations with other portfolios; and
  3. providing assistance necessary to respond to Parliamentary and Ministerial correspondence.

6.4 The Parties recognise that the Australian Information Commissioner is an independent regulator appointed under the Australian Information Commissioner Act 2010, and agree that this MOU:

  1. is directed towards the development of good policy and procedures, efficient and effective use of public money, and the provision of complete and accurate information to Parliament; and
  2. does not impose any obligation on the Australian Information Commissioner or the OAIC to the extent it would be inconsistent with the Australian Information Commissioner’s role as an independent regulator.

6.5 The Parties recognise that the Agency has obligations to provide advice and support to the Minister for Health in relation to obligations under the Administrative Arrangements Order to administer specific legislation, including the My Health Records Act and the HI Act.

7. The Agency’s responsibilities

7.1 The Agency will perform the Activities as agreed in the Schedules as in place from time to time.

7.2 The Agency will not represent the OAIC as endorsing or approving any proposal in connection with the Activities unless the OAIC has specifically done so in writing unless in the particular circumstances it is impracticable to await or provide a proposal in writing.

7.3 The Agency will act in good faith and use its best endeavours to cooperate with the OAIC’s accountability requirements for the funds, including the provision of funding as agreed in the Schedule.

7.4 In furtherance of the specific Activity objectives, the Agency will:

  1. provide appropriately qualified and experienced Agency Personnel in order to perform its obligations under this MOU; and
  2. be responsible for the performance and conduct of all Agency Personnel involved with the Activities, including taking all reasonable endeavours to ensure that, in the course of carrying out the Activities, Agency Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.

8. Office of the Australian Information Commissioner’s responsibilities

8.1 The OAIC will perform the Activities as agreed in the Schedules.

8.2 The OAIC will comply fully with the Agency’s requirements for accountability for the funds, including provision of assistance with forward estimates for budgets, and other expenditure updates as required.

8.3 The OAIC will provide the Agency with timely written advice on any proposed changes to the Activity work program.

8.4 The OAIC will:

  1. provide appropriately qualified and experienced OAIC Personnel in order to perform its obligations under this MOU; and
  2. be responsible for the performance and conduct of all OAIC Personnel involved with the Activities and will take all reasonable endeavours to ensure that, in the course of carrying out the Activities, OAIC Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.

9. Risk assessment and management

9.1 The Parties acknowledge that there are identifiable risks to the successful achievement of the objectives of this MOU as set out in the risk management plans at Attachment C.

9.2 The Parties each agree to monitor, report on, and manage the risks in respect of which they have been assigned responsibility in the relevant risk management plan and to update this risk management plan accordingly.

10. Reporting, monitoring and evaluation

10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed. Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

11. Sub-contracting

11.1 It is the intention of the Parties that neither Party will sub-contract to any entity or individual any part of the Activities which are the subject of this MOU without consultation with and the approval of the other Party.

11.2 Where the Parties have agreed that one or both Parties may enter into sub-contracts under this clause, the Party sub-contracting will be solely responsible for all matters in connection with the sub-contracts including without limitation:

  1. compliance with all legal and regulatory requirements in relation to such contracting (including without limitation the Commonwealth Procurement Rules); and
  2. the engagement, management, coordination and payment of, and all communications with, sub-contractors.

12. Financial arrangements and payments

12.1 Financial Arrangements

  1. The Agency agrees to provide funding to the OAIC for each Activity as set out in the relevant Schedule.

12.2 Payments and Invoices

  1. The Agency will make payment of the funds specified in the relevant Schedule within 30 days of receipt of a correctly rendered invoice from the OAIC.
  2. A correctly rendered invoice is one that contains:
    1. the name of the Activity provided;
    2. a claim for the amount of funds properly required and calculated correctly in accordance with entitlements under the relevant Schedule;
    3. the name of the Agency’s Contact Officer; and
    4. a tax invoice.
  3. If an invoice is rendered incorrectly, any underpayment or overpayment will be recoverable by or from the Agency and may be offset against or added to amounts subsequently due from the Agency.

12.3 Accounts, Records and Access

  1. Each Party will keep proper and detailed accounts and records in relation to any Activity items performed, or expenditure incurred by them, under this MOU. Each Party will maintain such accounts and records for a minimum period of seven years following the completion of the services or works performed.
  2. Each Party will provide the other with sufficient financial management information to enable the other to monitor expenditure, resolve queries, complete internal audit processes and comply with regulatory requirements and procedures including without limitation those imposed by the Public Governance, Performance and Accountability Act 2013 and the Australian National Audit Office.
  3. Without limiting the methods which may be used to ensure proper financial accountability, the Parties agree that having discrete cost codes for funding under this MOU would be desirable.

13. Intellectual Property

13.1 The title to and ownership of all Intellectual Property in all material arising out of the Activities will vest in the Commonwealth. The OAIC grants to the Agency a fee free, non-exclusive, perpetual, irrevocable, world-wide licence to use the Intellectual Property, in all material arising out of the Activities, for and in relation to the Agency’s functions and powers.

14. Dispute resolution

14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith. Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

15. Termination and suspension

15.1 Activities may be terminated due to a change in government policy.

15.2 Either Party may terminate this MOU by providing 90 days written notice to the other Party.

15.3 Where either Party is prevented from performing its obligations in a Schedule by circumstances or events reasonably beyond its control, it will promptly notify the other Party and take all reasonable steps to mitigate the impact (financial or otherwise) on Activities. The Parties will discuss the circumstances or events and may agree that further implementation of Activities (or an Activity) should be suspended or terminated.

15.4 Upon termination or suspension under this clause 15, the Parties will discuss in good faith the financial and other arrangements applicable to the termination or suspension. The Agency will pay the OAIC such amount as is fair and reasonable in the circumstances based upon the proportion of work completed or reasonable and substantiated costs incurred by the OAIC prior to such termination or suspension and otherwise in accordance with the relevant Schedule. The Agency will not be liable to pay any amount in excess of the amount of funds remaining unpaid under this MOU at the date of termination.

16. Use of MOU information

16.1 The Parties agree to work together to share information relating to their respective roles and obligations under this MOU, subject to the Agreement, and the requirements of any relevant law.

17. Confidentiality and public comment

17.1 If it is necessary to deal with Confidential Information, the Parties will have regard to any applicable legislation and the general law.

17.2 Neither Party will, without the prior written approval of the other Party, make public or disclose to any other person any Confidential Information. In granting its written approval, a Party may impose such terms and conditions as it deems appropriate.

17.3 Clause 17.2 does not apply to the extent that Confidential Information:

  1. is disclosed by a Party to its personnel, solely to enable effective management of this MOU and the provision of privacy-related services under the Privacy Act, the My Health Records Act and the HI Act;
  2. is disclosed by a party to a responsible Minister;
  3. is disclosed by a party in response to a request by a House or a Committee of Parliament; or
  4. is authorised or required by law to be disclosed.

17.4 The Parties will discuss and agree to the nature, form, content and manner of publicity of any Activity while still recognising the Australian Information Commissioner’s role as an independent regulator. The Parties will comply with clause 14 in attempting to agree to any matter under this clause.

17.5 The Parties will alert each other to matters relating to this MOU that have attracted or are likely to attract media attention.

18. Conflict of interest

18.1 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner.

18.2 Each Party confirms that no conflict of interest exists or is likely to arise in relation to the performance of its obligations under this MOU. Each Party will use its best endeavours to ensure that no such conflict of interest, or perceived conflict of interest, arises and will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

19. Notices

19.1 Any notice under this MOU may be in written or electronic form and delivered by the most appropriate means determined by the sending Party.

19.2 The Contact Officer for each Party and each Party’s address for the service of notices under this MOU is listed below.

19.3 The Parties may change the Contact Officer and address for the service of notices by letter signed by their respective authorised representative.

19.4 All communication about the operation of this MOU is to be made through the nominated Contact Officer.

| Contact details | The Agency | Office of the Australian Information Commissioner |
| --- | --- | --- |
| Contact name & position | Kerri Burden, Director, Compliance and Conformance Section, Core Services Systems Operations Division, Australian Digital Health Agency | Melanie Drayton, Director, Regulation and Strategy |
| Telephone | [contact details removed] | [contact details removed] |
| Facsimile | [contact details removed] | [contact details removed] |
| Email address | [contact details removed] | [contact details removed] |
| Postal address | MDP 807, GPO Box 9848, CANBERRA ACT 2601 | GPO Box 5218, SYDNEY NSW 2001 |
| Street address | Sirius Building, Furzer Street, Woden ACT 2606 | Level 3, 175 Pitt Street, SYDNEY NSW 2001 |

20. Amendments

20.1 The Parties may amend or vary this MOU at any time by agreement in writing signed by their respective authorised representative.

20.2 The Parties may amend or vary a Schedule at any time by substituting the Schedule in its entirety with the amended or varied Schedule as agreed by the Parties in writing.

20.3 An amendment or variation to this MOU takes effect on the date it is signed by the Parties or on a date agreed by the Parties in writing.

Attachment A — Schedule 1 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the My Health Records Act 2012 (“My Health Records Act”)

This Schedule 1 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the My Health Record system (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties and taking effect on its execution by both Parties (MOU). This Schedule 1 (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule 1, the terms and conditions of the MOU will apply.

OAIC Regulatory Privacy Oversight Functions for the My Health Record system (Activity)

S1 Commencement and completion dates

S1.1 The Activity will commence on the date of execution and end on 30 June 2017.

S2 Activity goal and objectives

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the privacy and management of personal and health information in relation to the My Health Record system. It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with the My Health Record system.

S3 Description

S3.1 In relation to the My Health Record system the OAIC will:

  1. Respond to complaints received relating to the privacy aspects of the My Health Record system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint;
  2. Investigate on the Commissioner’s own initiative where appropriate, acts and practices that may be a contravention of the My Health Records Act in connection with health information contained in a consumer’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act by Commonwealth agencies, private sector organisations, individuals or state and territory public authorities (where applicable);
  3. Receive data breach notifications and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements;
  4. Investigate failures to notify data breaches (where empowered to do so);
  5. Exercise as the Commissioner considers appropriate a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system including:
    1. the power to make a determination;
    2. the power to accept an enforceable undertaking and, if the Commissioner considers that a person has breached an undertaking, apply to a Court for an order directing the person to comply with the undertaking or any other order that the Court considers appropriate;
    3. the power to seek an injunction to prohibit or require particular conduct; and
    4. the power to seek civil penalties;
  6. Conduct up to two assessments during the period covered by this MOU. These will be subject to a work plan developed by the OAIC in consultation with Health and will be from the following targets:
    1. the My Health Record System Operator (as defined in the My Health Records Act); and
    2. agencies and organisations participating in the My Health Record system;
  7. Respond to enquiries and requests for advice on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system;
  8. Prepare and/or update written guidance materials for individuals and participants in the My Health Record system on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system;
  9. Update guidance for exercising the powers conferred on the Information Commissioner by the My Health Records Act as required;
  10. Liaise and coordinate on privacy related My Health Record activities with the System Operator and other key agencies;
  11. Liaise and coordinate on privacy related My Health Record activities with state and territory regulators;
  12. Prepare My Health Record related briefing material, speeches, articles and media comment on privacy matters;
  13. Comment on draft legislation that may interact with the My Health Records Act (where appropriate);
  14. Participate in consultations and comment on digital health developments that relate to the My Health Record system;
  15. Update internal reference materials and provide staff training as necessary; and
  16. Monitor developments in digital health and the My Health Record system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the My Health Record system and the broader digital health context.

S3.2 The risks associated with this Activity are outlined in the Risk Management matrix at Attachment C.

S3.3 The OAIC will provide the Agency with bi-annual reports in an agreed format within 10 working days of each period’s end. The Parties will meet within 30 days of each bi-annual report being provided or as otherwise agreed.

S3.4 As required in s106 of the My Health Records Act, the Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Commissioner’s activities during the financial year relating to the My Health Record system. The report must include:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the My Health Record system;
    2. investigations undertaken by the Commissioner in relation to My Health Records or the My Health Record system;
    3. enforceable undertakings accepted by the Commissioner under the My Health Records Act; and
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  2. any other matter prescribed by the regulations.

S3.5 The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council (being the council, however described, established by the Council of Australian Governments that has responsibility for health matters), no later than 30 September after the end of the financial year to which the report relates.

S3.6 At the end of the term of this MOU, the OAIC will provide the Agency with an annual financial acquittal, being a statement of receipts and expenditure of the funds provided to the OAIC under this Schedule 1.

S3.7 The Agency and the OAIC will follow the agreed framework in the Agreement when dealing with privacy complaints relating to the My Health Record system, and ensure that complainants are fully informed of the avenues available to resolve a privacy matter.

S4 Financial arrangements

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Agency in respect of the Activity is $2,071,000 (GST exempt). The Agency will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Agency will pay the OAIC the sums in accordance with the budget and timetable set out below. If, at the conclusion of the Activity, any part of the Grand Total in the following table has not been spent by the OAIC, the Agency and the OAIC will decide jointly whether some or all of that unexpired sum is to be refunded to the Agency or to be carried over into a successive MOU in respect of jointly agreed additional activities.

| Milestone | Due Date | Payment Amount |
| --- | --- | --- |
| End of Q1 of 2016/17 | 30 September 2016 | $517,750.00 |
| First bi-annual report for the period 1 July 2016 to 31 December 2016 | 31 December 2016 | $517,750.00 |
| End of Q3 of 2016/17 | 31 March 2017 | $517,750.00 |
| Second bi-annual report for the period 1 January 2017 to 30 June 2017 | 30 June 2017 | $517,750.00 |
| Grand Total | | $2,071,000 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

Ms Kerri Burden
Director Compliance and Conformance
Core Services Systems Operations Division
Australian Digital Health Agency
[contact details removed]
MDP 807
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.

Attachment B — Schedule 2 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the My Health Records Act 2012 (“My Health Records Act”)

This Schedule 2 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the Healthcare Identifiers (HI) Service (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties and taking effect on its execution by both Parties (MOU). This Schedule 2 (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule 2, the terms and conditions of the MOU will apply.

OAIC Regulatory Privacy Oversight Functions for the Healthcare Identifiers (HI) Service (Activity)

S1 Commencement and completion dates

S1.1 The Activity will commence on the date of execution and end on 30 June 2017.

S2 Activity goal and objectives

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the Healthcare Identifiers Service (HI service). It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with healthcare identifiers.

S3 Description

S3.1 In relation to the HI service the OAIC will:

  1. Respond to complaints received relating to the privacy aspects of the HI service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint;
  2. Investigate on the Commissioner’s own initiative where appropriate, acts and practices that may be a misuse of HIs by Commonwealth agencies, private sector organisations, individuals and state and territory public bodies (where applicable);
  3. Receive data breach notifications and respond as appropriate;
  4. Conduct one assessment during the period covered by this MOU. This will be subject to a work plan developed by the OAIC in consultation with the Agency and will be from the following targets:
    1. the HI Service Operator (DHS-Medicare); and
    2. agencies/organisations or State and Territory authorities using healthcare identifiers;
  5. Respond to enquiries and requests for advice on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service;
  6. Prepare and/or update written guidance materials for individuals and participants in the healthcare industry on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service;
  7. Liaise and coordinate on privacy related HI activities with key agencies;
  8. Liaise and coordinate on privacy related HI activities with state and territory regulators;
  9. Prepare HI-related briefing material, speeches, articles and media comment on privacy matters;
  10. Comment on draft legislation that may interact with the HI Act (where appropriate);
  11. Participate in consultations and comment on digital health developments that relate to the HI service;
  12. Update internal reference materials and provide staff training as necessary; and
  13. Monitor developments in digital health and the HI service to ensure the OAIC is aware of the implications of any developments for the HI service and able to offer informed advice about privacy aspects of the operation of the HI Service in the broader digital health context.

S3.2 The risks associated with this Activity are outlined in the Risk Management matrix at Attachment C.

S3.3 The OAIC will provide the Agency with bi-annual reports in an agreed format within 10 working days of each period’s end.

The Parties will meet within 30 days of each bi-annual report being provided or as otherwise agreed.

S3.4 As required in s30 of the HI Act, the OAIC must, as soon as practicable after the end of each financial year, prepare an Annual Report on the Information Commissioner’s compliance and enforcement activities under the HI Act during the financial year. The Information Commissioner must give a copy of the report to the Minister for Health, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

S3.5 At the end of the term of this MOU, the OAIC will provide the Agency with an annual financial acquittal, being a statement of receipts and expenditure of the funds provided to the OAIC under this Schedule 2.

S3.6 In relation to the HI Service the Agency will discuss with the OAIC the outcomes of the 2013 Review of the HI Act. The Agency will not implement any changes to this MOU that are based on these outcomes prior to a discussion with the OAIC.

S4 Financial arrangements

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Agency in respect of the Activity is $570,000.00 (GST exempt). The Agency will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Agency will pay the OAIC the sums in accordance with the budget and timetable set out below. If, at the conclusion of the Activity, any part of the Grand Total in the following table has not been spent by the OAIC, the Agency and the OAIC will decide jointly whether some or all of that unexpired sum is to be refunded to the Agency or to be carried over into a successive MOU in respect of jointly agreed additional activities.

| Milestone | Due Date | Payment Amount |
|---|---|---|
| End of Q1 of 2016/17 | 30 September 2016 | $142,500.00 |
| First bi-annual report for the period 1 July 2016 to 31 December 2016 | 31 December 2016 | $142,500.00 |
| End of Q3 of 2016-17 | 31 March 2017 | $142,500.00 |
| Second bi-annual report for the period 1 January 2017 to 30 June 2017 | 30 June 2017 | $142,500.00 |
| Grand Total | | $570,000.00 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

Ms Kerri Burden
Director Compliance and Conformance
Core Services Systems Operations Division
Australian Digital Health Agency
[contact details removed]
MDP 807
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.


Attachment C — Risk Management Matrix

Risk management matrix

| Risk | Consequence | Likelihood | Degree of Impact | Party Managing | Management Strategy |
|---|---|---|---|---|---|
| Change of policy direction resulting in discontinuation of My Health Record system | Activities under the MOU may be discontinued | Unlikely | Severe | Agency, OAIC | Parties discuss and reassess merit of MOU Activities already completed, or underway.<br>(Clause 15.1 Activities may be terminated due to a change in government policy). |
| Machinery of Government changes | Agency may be discontinued. | Possible | Major | Agency, OAIC | Strong and effective communication strategy to affected staff.<br>(Clause 15.1 Activities may be terminated due to a change in government policy). |
| Change in My Health Record system participation model following Government response to review of the My Health Record system | • Activities under the MOU may require adjustment<br>• Depending on model, resource level might be insufficient to support necessary regulatory and policy activity | Unlikely | Major | Agency, OAIC | Parties discuss quantum of funding available under the MOU and negotiate about the priority that is to be given to Activities under the MOU.<br>Unlikely over the time of this MOU. |
| Poor coordination in policy advice and program and service delivery | Community confidence in the Activities may be affected | Possible | Major | Agency, OAIC | Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties. |
| No knowledge transfer to the Agency | Agency support for activities is impacted due to new staff overseeing the MOU | Unlikely | Minor | Agency, OAIC | Early and stronger engagement between parties in the event of major staff changes. |
| Lack of effective communication between OAIC and the Agency | • Knowledgeable staff are not available for the Parties to perform Activities as expected<br>• OAIC does not have necessary information to target regulatory activities<br>• Parties are unable to complete Activities in required timeframe<br>• Activities are not co-ordinated to promote a whole-of-government approach to digital health | Possible | Major | Agency, OAIC | To promote co-operation between the OAIC and the Agency, regular meetings should be held between the Parties with regard to operational and policy matters.<br>The Parties should establish procedures to facilitate regular contact between officers of the Parties on routine operational matters, including agreed timeframes for responding to information requests.<br>In order to ensure effective liaison, the Parties may exchange lists of Contact Officers. |
| A dispute arises between the parties about the terms, priorities or outcomes of the MOU | Parties are unable to reach agreement about the nature of work to be undertaken or the outcomes of Activities under the MOU | Very Low | Major/Severe | Agency, OAIC | If disputes cannot be resolved by negotiation, Parties should assess whether the area of dispute will affect the successful delivery of the Activities, and whether the dispute can be quarantined to ensure the continuation of work under the MOU.<br>Clause 14 sets out a process for dispute resolution. |
| Provision of funding is delayed | • Resources are not available for the OAIC to perform Activities as expected<br>• OAIC has insufficient resources to complete all required Activities<br>• OAIC is unable to complete Activities in required timeframe | Possible | Major | Agency, OAIC | Parties should advise one another in a reasonable time frame if funding is delayed and if Activities cannot be performed as expected.<br>Clause 12 in the MOU outlines processes in relation to invoicing and payments. |
| A conflict of interest arises | The OAIC is unable to conduct the Activities in an independent and proper manner | Unlikely | Moderate | Agency, OAIC | Parties to have a mechanism to identify any potential conflicts of interest and discuss to ensure the continuation of work under the MOU.<br>Clause 18.2 Each Party …will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided. |
| Delivery of any activities under the MOU is delayed to accommodate other MOU priorities | The outcomes of the Activities are unable to be properly assessed by both Parties | Possible | Minor | OAIC | Parties should negotiate about the priority that is to be given to Activities under the MOU.<br>Paragraph S3.3 of Schedule 1 and Paragraph S3.3 of Schedule 2 to the MOU require the OAIC to submit bi-annual reports. |
| The Agency represents the OAIC as endorsing or approving a proposal in connection with the Activity | The Australian Information Commissioner’s role as an independent regulator may be undermined | Unlikely | Major | Agency, OAIC | |
| Factors external to the MOU may arise that impact on the ability of the OAIC to undertake the Activities of the MOU | • Conflicting priorities between the Parties may occur<br>• Actions by external delivery partners negatively impact on OAIC/Health’s ability to perform Activities as expected | Possible | Moderate | OAIC | Parties should negotiate in good faith if a dispute arises in relation to this clause.<br>Clause 8.3 The OAIC will provide the Agency with timely written advice on any proposed changes to the Activity work program. |
| Existing processes for managing complaints are ineffective | • Overlap and inconsistency between the Parties may occur<br>• Individuals are unclear about where to take complaints<br>• Community confidence in the My Health Record System may be affected | Possible | Major | Agency, OAIC | Parties should liaise regularly to reassess and discuss priorities/responsibilities under the MOU and work collaboratively as per the Agreement.<br>Clause 10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed. Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required. |
| Lack of coordination in compliance processes or readiness | • Community confidence in the My Health Record System may be affected<br>• Complaints are unable to be handled efficiently and effectively<br>• Parties are unable to complete Activities in required timeframe | Possible | Major | Agency, OAIC | Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties. |
| Lack of significant uptake of the system | • Adverse media coverage<br>• Community confidence in the digital health system may be affected.<br>• Provision of funding is reviewed | Possible | Major | Agency, OAIC | Parties should liaise regularly to reassess and discuss priorities/responsibilities under the MOU and work collaboratively as per the Agreement. |

Suggested classifications:

| Likelihood | Degree of Impact |
|---|---|
| Almost certain - expected to occur in most circumstances | Severe - would stop achievement of functional goals and objectives |
| Likely - will probably occur in most circumstances | Major - would threaten goals and objectives; requires close management |
| Possible - might occur at some time | Moderate - would necessitate significant adjustment to the overall function |
| Unlikely - could occur at some time | Minor - would threaten an element of the function |
| Very Low - may occur only in exceptional circumstances | Negligible - routine procedures sufficient to deal with the consequences |
