
Memorandum of Understanding between the Department of Health and Ageing and the Office of the Australian Information Commissioner (Nov 2012)

Dated:

Between:

 

The Office of the Australian Information Commissioner ("the OAIC")

ABN: 85 249 230 937

and

The Department of Health and Ageing ("the Department")

ABN 83 605 426 759

(each a "Party")

 

In relation to

Activities under the Privacy Act 1988 ("Privacy Act"), the Healthcare Identifiers Act 2010 ("HI Act") and the Personally Controlled Electronic Health Records Act 2012 ("PCEHR Act")

_____________________________________________________________________

This Memorandum of Understanding sets out the shared goals and funding arrangements between the Parties in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010. This Memorandum of Understanding sets out the principles under which they will work together, the contribution each Party will make in pursuit of these goals, and the means by which the Parties will ensure that they satisfy the accountability obligations to which they are subject.

 

The Parties agree to carry out their respective obligations in accordance with this Memorandum of Understanding.

 

Signed on behalf of the Office of the Australian Information Commissioner by:

………………………………………
Signature

Professor John McMillan
Australian Information Commissioner
November 2012

Signed on behalf of the Department of Health and Ageing by:

……………………………………………
Signature

Fionna Granger
First Assistant Secretary
eHealth Division
November 2012

  1. COMMENCEMENT AND TERM

    1.1 This Memorandum of Understanding ("MOU") commences on the date it is signed by both Parties and will continue until 30 June 2014.

  2. PURPOSE

    2.1 The purpose of this MOU is to set out the operational and funding arrangements that will guide cooperation between the OAIC and the Department in relation to:

    1. delivering an independent regulatory service in relation to the handling of Healthcare Identifiers and the operation of the HI Service as provided by the Privacy Act and the HI Act.
    2. delivering an independent regulatory service in relation to the handling of personal information within the PCEHR System as provided by the Privacy Act and the PCEHR Act.

    2.2 This MOU details how the Parties will work together and the ways in which financial resources will be utilised and risks managed. It itemises overall principles and obligations, including accountability requirements, while taking into account the OAIC's role as an independent adviser to the Australian Government and as an independent statutory office with regulatory functions.

    2.3 The Activities to be implemented under this MOU will be agreed in writing between the Parties and will form two separate Schedules to this MOU.

  3. INTERPRETATION

    3.1 Definitions

    The following definitions apply in this MOU:

    Activity

    means the activity described in the Schedule, for which funds are provided by the Department.

    Commonwealth

    means the Commonwealth of Australia.

    Confidential Information

    means information that:

    1. is designated by either Party as confidential; or
    2. each Party knows or could reasonably be expected to know is confidential.

    Department

    means the Commonwealth as represented by the Department of Health and Ageing.

    Department Personnel

    means personnel either employed by the Department, or engaged by the Department on a sub-contract basis, or agents of the Department engaged in the Activity.

    HI

    means Healthcare Identifiers.

    Intellectual Property

    means business names, copyrights, patents, trademarks, service marks, trade names, designs and similar industrial, commercial and intellectual property.

    Law

    means any applicable statute, regulation, by-law, ordinance or subordinate legislation in force from time to time anywhere in Australia, whether made by a State, Territory, the Commonwealth or a local government, and includes the common law as applicable from time to time.

    MOU

    means this Memorandum of Understanding, and includes the Schedule and attachments.

    OAIC

    means the Office of the Australian Information Commissioner established by section 5 of the Australian Information Commissioner Act 2010.

    OAIC Personnel

    means personnel either employed by the OAIC, or engaged by the OAIC, on a contract basis, or agents of the OAIC, engaged in the Activity.

    Party

    means the OAIC or the Department as the context requires.

    PCEHR

    means Personally Controlled Electronic Health Record.

    Privacy Act

    means the Privacy Act 1988.

    Schedule

    means the schedules to this MOU which set out the written agreement of the Parties in respect of the Activity.

    3.2 In this MOU, unless a contrary intention appears:

    1. reference to an attachment is a reference to an attachment to this MOU;
    2. words in the singular include the plural and vice versa;
    3. a reference to the word "including" in any form is not to be construed or interpreted as a word of limitation; and
    4. words importing one gender include each of the other genders.
  4. POLICY PRINCIPLES

    4.1 The Parties will work towards shared goals in accordance with the principles and procedures set out in the Privacy Act 1988 ("Privacy Act"), the Healthcare Identifiers Act 2010 ("HI Act") and the Personally Controlled Electronic Health Records Act 2012 ("PCEHR Act").

  5. ACCOUNTABILITY FRAMEWORK

    5.1 Each Party will cooperate in advancing best practice in implementing Activities noting the OAIC's ultimate responsibility to account for and report on the funds made available for the Activities funded under this MOU.

  6. JOINT RESPONSIBILITIES

    6.1 Achieving greater coordination in policy advice and program and service delivery is a high priority of public administration in Australia.  Whole of government denotes public service agencies working across portfolio boundaries to achieve a shared goal and an integrated government response to particular issues.

    6.2 In this context, setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

    6.3 The Parties have an obligation to assist each other in meeting their accountability obligations including:

    1. appearances before Parliamentary and Cabinet Committees;
    2. relevant discussions and negotiations with other portfolios; and
    3. providing assistance necessary to respond to Parliamentary and Ministerial correspondence.

    6.4 The Parties recognise that the OAIC is an independent regulator established under the Australian Information Commissioner Act 2010, and agree that this clause 6:

    1. is directed towards the development of good policy and procedures, efficient and effective use of public money, and the provision of complete and accurate information to Parliament; and
    2. does not impose any obligation on the OAIC to the extent it would be inconsistent with its role as an independent regulator.

    6.5 The Parties recognise that the Department has obligations to provide advice and support to the Minister for Health in relation to obligations under the Administrative Arrangements Order to administer specific legislation, including the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

  7. THE DEPARTMENT'S RESPONSIBILITIES

    7.1 The Department will perform the Activities as agreed in the Schedules as in place from time to time.

    7.2 The Department will not represent the OAIC as endorsing or approving any proposal in connection with the Activities unless the OAIC has specifically done so in writing unless in the particular circumstances it is impracticable to await or provide a proposal in writing.

    7.3 The Department will act in good faith and use its best endeavours to cooperate with the OAIC's accountability requirements for the funds, including the provision of funding as agreed in the Schedule.

    7.4 In furtherance of the specific Activity objectives, the Department will:

    1. provide appropriately qualified and experienced Department Personnel in order to perform its obligations under this MOU; and
    2. be responsible for the performance and conduct of all Department Personnel involved with the Activities, including taking all reasonable endeavours to ensure that, in the course of carrying out the Activities, Department Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.
  8. OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER'S RESPONSIBILITIES

    8.1 The OAIC will perform the Activities as agreed in the Schedules.

    8.2 The OAIC will comply fully with the Department's requirements for accountability for the funds, including provision of assistance with forward estimates for budgets, and other expenditure updates as required.

    8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program.

    8.4 The OAIC will:

    1. provide appropriately qualified and experienced Personnel in order to perform its obligations under this MOU;
    2. be responsible for the performance and conduct of all Personnel involved with the Activities and will take all reasonable endeavours to ensure that, in the course of carrying out the Activities, OAIC Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.
  9. RISK ASSESSMENT AND MANAGEMENT

    9.1 The Parties acknowledge that there are identifiable risks to the successful achievement of the objectives of this MOU as set out in the risk management plans at Annexures 1 and 2.

    9.2 The Parties each agree to monitor, report on, and manage the risks in respect of which they have been assigned responsibility in the relevant risk management plan and to update this risk management plan accordingly.    

  10. REPORTING, MONITORING AND EVALUATION

    10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed.  Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

  11. SUB-CONTRACTING

    11.1 It is the intention of the Parties that neither Party will sub-contract to any entity or individual any part of the services or works which are the subject of this MOU without consultation with and the approval of the other Party.

    11.2 Where the Parties have agreed that one or both Parties may enter into sub-contracts under this clause, the Party sub-contracting will be solely responsible for all matters in connection with the sub-contracts including without limitation:

    1. compliance with all legal and regulatory requirements in relation to such contracting (including without limitation the Commonwealth Procurement Guidelines); and
    2. the engagement, management, coordination and payment of, and all communications with, sub-contractors.
  12. FINANCIAL ARRANGEMENTS AND PAYMENTS

    12.1 Financial Arrangements

    1. The Department agrees to provide funding to the OAIC for each Activity as set out in the relevant Schedule.

    12.2 Payments and Invoices

    1. The Department will make payment of the funds specified in the relevant Schedule within 30 days of receipt of a correctly rendered invoice from the OAIC.
    2. A correctly rendered invoice is one that contains:
      1. the name of the Activity and all services and works provided, and records the amount payable in respect of each category of services and works described in the relevant Schedule;
      2. a claim for the amount of funds properly required and calculated correctly in accordance with entitlements under the relevant Schedule;
      3. the name of the Department's Contact Officer; and
      4. a tax invoice.
    3. If an invoice is rendered incorrectly, any underpayment or overpayment will be recoverable by or from the Department and may be offset against or added to amounts subsequently due from the Department.

    12.3 Accounts, Records and Access

    1. Each Party will keep proper and detailed accounts and records in relation to any services or works performed, or expenditure incurred by them, under this MOU. Each Party will maintain such accounts and records for a minimum period of seven years following the completion of the services or works performed.
    2. Each Party will provide the other with sufficient financial management information on request to enable the other to monitor expenditure, resolve queries, complete internal audit processes and comply with regulatory requirements and procedures including without limitation those imposed by the Financial Management and Accountability Act 1997 and the Australian National Audit Office.
    3. Without limiting the methods which may be used to ensure proper financial accountability, the Parties agree that having discrete cost codes for funding under this MOU would be desirable.
  13. INTELLECTUAL PROPERTY

    13.1 The full legal rights to all Intellectual Property arising out of the Activities will vest in the Commonwealth.

  14. DISPUTE RESOLUTION

    14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith.  Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

  15. TERMINATION AND SUSPENSION

    15.1 Activities may be terminated due to a change in government policy.

    15.2 Either Party may terminate this MOU by providing 90 days written notice to the other Party.

    15.3 Where either Party is prevented from performing its obligations in a Schedule by circumstances or events reasonably beyond its control, it will promptly notify the other Party and take all reasonable steps to mitigate the impact (financial or otherwise) on Activities.  The Parties will discuss the circumstances or events and may agree that further implementation of Activities (or an Activity) should be suspended or terminated.

    15.4 Upon termination or suspension under this clause 15, the Parties will discuss in good faith the financial and other arrangements applicable to the termination or suspension. The Department will pay the OAIC such amount as is fair and reasonable in the circumstances based upon the proportion of work completed or reasonable and substantiated costs incurred by the OAIC prior to such termination or suspension and otherwise in accordance with the relevant Schedule. The Department will not be liable to pay any amount in excess of the amount of funds remaining unpaid under this MOU at the date of termination.

  16. USE OF MOU INFORMATION

    16.1 The Parties may disclose matters relating to this MOU, including this MOU, except where such disclosure will breach the Privacy Act or any other Law, only to Commonwealth departments and agencies, Ministers and Parliamentary Secretaries, and to Parliament, including responding to requests for information from Parliamentary Committees or inquiries, and if required by Law.

  17. CONFIDENTIALITY, PUBLIC COMMENT AND ACKNOWLEDGMENT

    17.1 Neither Party will, without the prior written approval of the other Party, make public or disclose to any other person any Confidential Information.  In granting its written approval, a Party may impose such terms and conditions as it deems appropriate.

    17.2 The Parties will discuss the nature, form, content and manner of publicity of any Activity.

  18. CONFLICT OF INTEREST

    18.1 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner.

    18.2 Each Party confirms that no conflict of interest exists or is likely to arise in relation to the performance of its obligations under this MOU.  Each Party will use its best endeavors to ensure that no such conflict of interest, or perceived conflict of interest, arises and will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

  19. NOTICES

    19.1 The officer currently holding the nominated contact Position for each Party and each Party's address for the service of notices under this MOU are as listed below.

    19.2 The Parties may change the officer holding their nominated contact Position, and address for the service of notices, by letter signed by their respective authorised representative.

The Department:

Contact Name & Position: Nerida Lawrentin, Director, Legislative Policy Section
Telephone: 02 6289 4907
Facsimile: 02 6289 5673
Email Address: nerida.lawrentin@health.gov.au
Postal Address: MDP 1003, GPO Box 9848, CANBERRA ACT 2601
Street Address: Sirius Building, Furzer Street, Woden ACT 2606

 

Office of the Australian Information Commissioner:

Contact Name & Position: Melanie Drayton, Director, Policy Section
Telephone: 02 9284 9682
Facsimile: 02 9284 9666
Email Address: melanie.drayton@OAIC.gov.au
Postal Address: GPO Box 5218, SYDNEY NSW 2001
Street Address: Level 2, 175 Pitt Street, SYDNEY NSW 2001

  20. AMENDMENTS

    20.1 The Parties may amend or vary this MOU at any time by agreement in writing signed by their respective authorised representative.

    20.2 The Parties may amend or vary a Schedule at any time by substituting the Schedule in its entirety with the amended or varied Schedule as agreed by the Parties in writing.


 

ATTACHMENT A

Schedule 1 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 ("Privacy Act"), the Healthcare Identifiers Act 2010 ("HI Act") and the Personally Controlled Electronic Health Records Act 2012 ("PCEHR Act")

This Schedule 1 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the Personally Controlled Electronic Health Record (PCEHR) system (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties on 29 November 2012 (MOU). This Schedule (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule, the terms and conditions of the MOU will apply.

 

OAIC Regulatory Privacy Oversight Functions for the Personally Controlled Electronic Health Record (PCEHR) system (Activity)

S1 COMMENCEMENT AND COMPLETION DATES

S1.1 The Activity will commence on the date this MOU is signed by both Parties and end on 30 June 2014.

S2 ACTIVITY GOAL AND OBJECTIVES

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the privacy and management of personal and health information in relation to the personally controlled electronic health record (PCEHR) system. It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with the PCEHR.

S3 DESCRIPTION

S3.1 In relation to the PCEHR system the OAIC will:

  1. Investigate acts and practices that may be a contravention of the PCEHR Act in connection with health information contained in a consumer's PCEHR or a provision of Part 4 or 5 of the Privacy Act by Commonwealth agencies, private sector organisations, individuals or state and territory public authorities (where applicable);
  2. Accept data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements;
  3. Investigate failures to notify data breaches (where empowered to do so);
  4. If the Commissioner considers it appropriate to do so, conduct own motion investigations;
  5. If the Commissioner considers it appropriate to do so, attempt by conciliation, to effect a settlement of the matters that gave rise to the investigation;
  6. Exercise a range of enforcement powers available in relation to PCEHR contraventions including:
    1. the power to seek civil penalties
    2. the power to seek an injunction to prohibit or require particular conduct
    3. the power to accept enforceable undertakings
  7. If the Commissioner considers it appropriate to do so, seek enforceable undertakings as an alternative to seeking a civil penalty or seek that the court impose an enforceable undertaking;
  8. Advise participants on their obligations in relation to PCEHR System and liaise with state and territory regulators;
  9. Conduct up to 2 audits of the PCEHR System operator during the period covered by this MOU;
  10. Conduct up to 2 audits of agencies and organisations (on invitation) during the period covered by this MOU;
  11. Will develop and agree on a protocol for processes, procedures and service standards with the PCEHR System Operator for the exchange of information and advice in relation to complaints about the PCEHR system and referral of privacy complaints and complex privacy enquiries. These processes will be based on the complaint handling workflow and guiding principles set out in Annex 3 to this Schedule;
  12. Update the complaint handling manual and other internal reference materials;
  13. Respond to requests for advice on the appropriate handling of PCEHR information from Commonwealth agencies, WA and SA public authorities, private sector organisations and individuals;
  14. Provide telephone and written guidance to individuals and participants on their privacy compliance obligations in relation to the PCEHR System;
  15. Liaise and coordinate on privacy related PCEHR activities with key agencies (DoHA, NeHTA and DHS-Medicare);
  16. Liaise and coordinate on privacy related PCEHR activities with the System Operator;
  17. Prepare PCEHR-related briefing material, speeches and media comment on privacy matters;
  18. Comment on draft legislation that may interact with the Personally Controlled Electronic Health Records Act 2012 (where appropriate); and
  19. Formulate guidance for exercising the powers conferred on the Information Commissioner by the Personally Controlled Electronic Health Records Act 2012.
  20. Monitor developments in eHealth to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR System in the broader eHealth context; and
  21. Monitor eHealth developments related to the PCEHR System to ensure that the OAIC is aware of the implications of any developments for the PCEHR system, and is able to ensure compatibility with the privacy aspects of the PCEHR system.

S3.2 The risks associated with this Activity are outlined in the Risk Management matrix at Annex 1 to this Schedule.

S3.3 The OAIC will provide the Department with quarterly reports as agreed in Annex 2 to this Schedule within 5 (five) working days of each quarter's end. The Parties will meet within a fortnight of each quarterly report being provided to discuss the outcomes associated.

S3.4 The Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Commissioner's activities during the financial year relating to the PCEHR system. The report must include:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the PCEHR system;
    2. investigations undertaken by the Commissioner in relation to PCEHRs or the PCEHR system;
    3. enforceable undertakings accepted by the Commissioner under this Act;
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  2. any other matter prescribed by the regulations.

S3.5 The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

S3.6 The OAIC will provide the Department with an Annual Financial Acquittal.

S3.7 The OAIC and the Department have developed a complaint handling workflow accompanied by guiding principles that set out how privacy complaints and complex privacy enquiries will be dealt with to ensure a coordinated approach and experience for the complainant. The agreed framework document is included at Annex 3 to this Schedule.

S3.8 The Department and the OAIC will follow the agreed framework included at Annex 3 to this Schedule when dealing with privacy complaints relating to the PCEHR system, and ensure that complainants are fully informed of the avenues available to resolve a privacy matter.

S4 FINANCIAL ARRANGEMENTS

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Department in respect of the Activity is $3,282,080.00 (GST exempt). The Department will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Department will pay the OAIC the sums in accordance with the budget and timetable set out below.  The unexpended part of advances paid by the Department must be refunded to the Department at the conclusion of the Activity.

Schedule of payments

| Milestone | Due Date | Payment amount |
|---|---|---|
| Commencement of this MOU | On signing of the MOU | $555,653 |
| Q1 Report 2012/13 | 30 November 2012 | $250,000 |
| Q2 Report 2012/13 | 30 December 2012 | $250,000 |
| Q3 Report 2012/13 | 31 March 2013 | $250,000 |
| Q4 Report 2012/13 | 30 June 2013 | $250,000 |
| Sub total | | $1,555,653 |
| Q1 Report 2013/14 | 30 September 2013 | $431,606 |
| Q2 Report 2013/14 | 30 December 2013 | $431,606 |
| Q3 Report 2013/14 | 31 March 2014 | $431,606 |
| Q4 Report 2013/14 | 30 June 2014 | $431,609 |
| Sub total | | $1,726,427 |
| Grand Total | | $3,282,080.00 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

 

Ms Nerida Lawrentin
Director Legislative Policy
nerida.lawrentin@health.gov.au
MDP 1003
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.

 

ANNEX 1

 

RISK MANAGEMENT MATRIX

Risk

Consequence

Likelihood

Degree of Impact

Party Managing

Management Strategy

Change of policy direction following the next election

Activities under the MOU may be discontinued

Possible

Severe

Department, OAIC

Parties discuss and reassess merit of MOU Activities already completed, or underway.

Clause 15.1 Activities may be terminated due to a change in government policy.

Poor coordination in policy advice and program and service delivery

Community confidence in the Activities may be affected.

Possible

Major

Department, OAIC

Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Lack of effective communication between OAIC and the Department

  • Knowledgeable staff are not available for the Parties to perform Activities as expected
  • Parties are unable to complete Activities in required timeframe
  • Activities are not co-ordinated to promote a whole-of-government approach to eHealth.

Possible

Major

Department, OAIC

To promote co-operation between the OAIC and the Department, regular meetings should be held between the Parties with regard to operational and policy matters.

The Parties should establish procedures to facilitate regular contact between officers of the Parties on routine operational matters.

In order to ensure effective liaison, the Parties may exchange lists of Contact Officers.

A dispute arises between the parties about the terms, priorities or outcomes of the MOU

Parties are unable to reach agreement about the nature of work to be undertaken or the outcomes of Activities under the MOU.

Very Low

Major/Severe

Department, OAIC

If disputes cannot be resolved by negotiation, Parties should assess whether the area of dispute will affect the successful delivery of the Activities, and whether the dispute can be quarantined to ensure the continuation of work under the MOU.

Clause 14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith.  Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

Risk: Provision of funding is delayed
Consequence:
  • Resources are not available for the OAIC to perform Activities as expected
  • OAIC has insufficient resources to complete all required Activities
  • OAIC is unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should advise one another in a reasonable time frame if funding is delayed and if Activities cannot be performed as expected.
  Clause 12 in the MOU outlines processes in relation to invoicing and payments.

Risk: A conflict of interest arises
Consequence: The OAIC is unable to conduct the Activities in an independent and proper manner.
Likelihood: Unlikely
Degree of Impact: Moderate
Party Managing: Department, OAIC
Management Strategy:
  Parties to have a mechanism to identify any potential conflicts of interest and discuss to ensure the continuation of work under the MOU.
  Clause 18.2 Each Party …will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

Risk: Delivery of any activities under the MOU is delayed to accommodate other MOU priorities
Consequence: The outcomes of the Activities are unable to be properly assessed by both Parties.
Likelihood: Possible
Degree of Impact: Minor
Party Managing: OAIC
Management Strategy:
  Parties should negotiate about the priority that is to be given to Activities under the MOU.
  Paragraph S3.3 of Schedule 1 and Paragraph S3.6 of Schedule 2 to the MOU require the OAIC to submit quarterly reports.

Risk: The Department represents the OAIC as endorsing or approving a proposal in connection with the Activity
Consequence: The OAIC's role as an independent regulator may be undermined.
Likelihood: Unlikely
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Clause 7.2 of the MOU prohibits the Department from representing the OAIC as endorsing or approving any proposal in connection with the Activities.
  Parties discuss appropriate remediation e.g. public retraction and clarification to ensure the continuation of work under the MOU.

Risk: Factors external to the MOU may arise that impact on the ability of the OAIC to undertake the Activities of the MOU
Consequence:
  • Conflicting priorities between the Parties may occur.
  • Actions by external delivery partners negatively impact on OAIC/DoHA's ability to perform Activities as expected
Likelihood: Possible
Degree of Impact: Moderate
Party Managing: OAIC
Management Strategy:
  Parties should negotiate in good faith if a dispute arises in relation to this clause.
  Clause 8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program.

Risk: Processes for managing complaints are ineffective
Consequence:
  • Overlap and inconsistency between the Parties may occur.
  • Individuals are unclear about where to take complaints.
  • Community confidence in the eHealth Record System may be affected.
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol.
  Clause 10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed. Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

Risk: Lack of coordination in compliance processes or readiness
Consequence:
  • Community confidence in the eHealth Record System may be affected.
  • Complaints are unable to be handled efficiently and effectively
  • Parties are unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Risk: Lack of significant uptake of the system
Consequence:
  • Adverse media coverage
  • Community confidence in the eHealth Record System may be affected.
  • Provision of funding is reviewed
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol.

Suggested classifications:

| Likelihood | Degree of Impact |
| --- | --- |
| Almost certain - expected to occur in most circumstances | Severe - would stop achievement of functional goals and objectives |
| Likely - will probably occur in most circumstances | Major - would threaten goals and objectives; requires close management |
| Possible - might occur at some time | Moderate - would necessitate significant adjustment to the overall function |
| Unlikely - could occur at some time | Minor - would threaten an element of the function |
| Very Low - may occur only in exceptional circumstances | Negligible - routine procedures sufficient to deal with the consequences |

Department of Health and Ageing Memorandum of Understanding Quarterly Report

Template of report is attached in:

 

ANNEX 3

Guiding Principles and Assumptions for the handling of PCEHR Privacy Complaints

  1. The most important foundation principle that should guide all agencies and regulators involved in the PCEHR complaints handling scheme is that the process should be as seamless as possible for individuals. That is, individuals should not be 'bounced around' between regulators unnecessarily and a consistent approach and message should be adopted by all agencies and regulators involved.
  2. Government agencies and regulators aim to work cooperatively and remove the barriers to effective complaint handling to address complex PCEHR complaints.
  3. The central point of contact for all complaints is the PCEHR Call Centre (operated by DHS). Many complaints will be dealt with promptly at this initial contact point, especially if the complaint is in the nature of a request for information or clarification.
  4. The System Operator will maintain a coordination role and will track the resolution of complaints which are handled by other agencies or regulators.
  5. Agencies and regulators handling PCEHR complaints will adopt a protocol that clearly explains how complaints about the PCEHR will be handled, including how and when complaints are to be transferred between agencies and regulators and whether the complainant's consent should be sought before transfer.
  6. Consumers will be made aware if personal information is shared or transferred between agencies or regulators in the course of dealing with their PCEHR complaint.
  7. The System Operator will maintain an up-to-date list (or network) of agency and regulator liaison officers.
  8. Agencies and regulators handling PCEHR complaints will attend regular liaison meetings to discuss complaint issues and trends. They will work together to ensure that systemic problems are identified and complaints are effectively handled.
  9. All agencies and regulators will give consistent, clear and accurate advice to the public on how to complain about PCEHR issues.
  10. Agencies and regulators will determine their own jurisdiction and clearly communicate this to other agencies and regulators handling PCEHR complaints.
    • Note: The OAIC will have jurisdiction to handle privacy complaints about agencies, organisations or individuals in connection with health information included in a consumer's PCEHR or in connection with Parts 4 or 5 of the PCEHR Bill. For personal information outside the PCEHR system, the OAIC generally has jurisdiction over Australian and ACT government agencies and private sector organisations covered by the Privacy Act.

 

ATTACHMENT B

Schedule 2 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 ("Privacy Act"), the Healthcare Identifiers Act 2010 ("HI Act") and the Personally Controlled Electronic Health Records Act 2012 ("PCEHR Act")

 

This Schedule 2 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the Healthcare Identifiers (HI) Service (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties on 29 November 2012 (MOU). This Schedule (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule, the terms and conditions of the MOU will apply.

OAIC Regulatory Privacy Oversight Functions for the Healthcare Identifiers (HI) Service (Activity)

S1 COMMENCEMENT AND COMPLETION DATES

S1.1 The Activity will commence on the date this MOU is signed by both Parties and end on 30 June 2014.

S2 ACTIVITY GOAL AND OBJECTIVES

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the Healthcare Identifiers Service. It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with healthcare identifiers.

S3 DESCRIPTION

S3.1 In relation to the HI Service the OAIC will:

  1. Perform a range of work in relation to policy development, compliance and operations of the HI Service, further specified in item S3.2 to 3.4;
  2. Investigate acts and practices that may be a misuse of HI's by Commonwealth agencies, private sector organisations, individuals or state and territory public sector bodies (where applicable);
  3. If considered appropriate by the Commissioner to attempt a conciliation, to effect a settlement of the matters that give rise to the investigation;
  4. Advise on obligations in relation to HI's and liaise with State and Territory privacy regulators as appropriate;
  5. Conduct up to two (2) audits of the HI Service Operator (DHS-Medicare) during the period covered by this MOU;
  6. Respond to requests for advice on the appropriate handling of HI's from Commonwealth agencies, private sector organisations or individuals;
  7. Provide guidance to individuals and participants in the healthcare industry on their privacy compliance obligations in relation to HI's including, where appropriate, the development of information sheets, Frequently Asked Questions and articles in industry magazines;
  8. Conduct investigations and conciliations regarding State and Territory public bodies, where applicable;
  9. Conduct up to two (2) audits of agencies/organisations or State and Territory authorities during the period covered by this MOU;
  10. Receive Data Breach Notifications and undertake, where appropriate, action;
  11. Develop internal training material and train staff;
  12. Liaise and coordinate with key agencies (DoHA, NeHTA and DHS-Medicare);
  13. Comment on draft legislation that may interact with the HI Act; and
  14. Participate in consultation and comment on eHealth developments that relate to the HI Scheme.

S3.2 In relation to HI Service policy the OAIC will:

  1. develop further guidance materials and revise existing materials as required
  2. review privacy-related materials prepared by DoHA, NeHTA and DHS-Medicare
  3. liaise with DoHA, NeHTA and DHS-Medicare to coordinate approach to privacy guidance materials and enquiries
  4. respond to HI-related privacy enquiries referred by DoHA, NeHTA and DHS-Medicare
  5. provide privacy advice to agencies, organisations and states and territories
  6. prepare HI-related committee briefing material, speeches and media comment as appropriate
  7. monitor developments in eHealth to ensure the OAIC is able to offer informed advice about the privacy aspects of the operation of the HI scheme in the broader eHealth context
  8. participate in consultations and comment on eHealth developments that relate to the HI scheme, including the PCEHR, to ensure that the OAIC is aware of the implications of any developments for the HI scheme, and is able to ensure compatibility with the privacy aspects of the HI scheme
  9. comment on draft legislation that may interact with the HI Act.

S3.3 In relation to HI Service compliance the OAIC will:

  1. respond to public enquiries
  2. investigate complaints in relation to agencies and organisations
  3. conduct up to two (2) audits of HI Service operator during the period covered by this MOU
  4. conduct up to two (2) audits of agencies / organisations or State or Territory authorities during the period covered by this MOU
  5. initiate own motion investigations as appropriate
  6. receive Data Breach Notifications and undertake associated follow up action (where appropriate)
  7. liaise with state and territories on jurisdiction and approach to privacy related investigations
  8. ongoing 'on the job' training
  9. update of complaint handling manual and other internal reference materials
  10. investigate privacy complaints in relation to state and territory authorities

S3.4 Where appropriate in relation to HI Service operations the OAIC will:

  1. develop and deliver internal training
  2. respond to media enquiries
  3. prepare speeches
  4. publish guidance material
  5. publish training material
  6. prepare committee papers
  7. maintain privacy and FOI contact officer networks

S3.5 The risks associated with this Activity are outlined in the Risk Management matrix at Attachment D.

S3.6 The OAIC will provide the Department with quarterly reports as specified in the reporting template agreed with DoHA and included at Annex 2 to this Schedule within 5 (five) working days of each quarter's end.

S3.7 The Parties will meet within a fortnight of each quarterly report being provided to discuss the outcomes associated.

S3.8 The OAIC must, as soon as practicable after the end of each financial year, prepare an Annual Report on the Information Commissioner's compliance and enforcement activities under the Healthcare Identifiers Act 2010 during the financial year. The Information Commissioner must give a copy of the report to the Minister for Health, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

S3.9 The OAIC will provide the Department with an Annual Financial Acquittal.

S3.10 In relation to the HI Service the Department will discuss with the OAIC the outcomes of the HI Review commencing 1 July 2012 and ending 30 June 2013. The Department will not implement any changes to this MOU that are based on these outcomes prior to a discussion with the OAIC.

S4 FINANCIAL ARRANGEMENTS

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Department in respect of the Activity is $1,347,790.00 (GST exempt). The Department will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Department will pay the OAIC the sums in accordance with the budget and timetable set out below. The unexpended part of advances paid by the Department must be refunded to the Department at the conclusion of the Activity.

| Milestone | Due Date | Payment Amount |
| --- | --- | --- |
| Commencement of this MOU | On signing of the MOU | $67,925 |
| Q1 Report 2012/13 | 30 November 2012 | $150,000 |
| Q2 Report 2012/13 | 30 December 2012 | $150,000 |
| Q3 Report 2012/13 | 31 March 2013 | $150,000 |
| Q4 Report 2012/13 | 30 June 2013 | $150,000 |
| Sub total | | $667,925 |
| Q1 Report 2013/14 | 30 September 2013 | $169,966 |
| Q2 Report 2013/14 | 30 December 2013 | $169,966 |
| Q3 Report 2013/14 | 31 March 2014 | $169,966 |
| Q4 Report 2013/14 | 30 June 2014 | $169,967 |
| Sub total | | $679,865 |
| Total | | $1,347,790.00 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

Ms Nerida Lawrentin
Director Legislative Policy
nerida.lawrentin@health.gov.au
MDP 1003
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.

 

ANNEX 1

RISK MANAGEMENT MATRIX

Risk: Change of policy direction following the next election
Consequence: Activities under the MOU may be discontinued
Likelihood: Possible
Degree of Impact: Severe
Party Managing: Department, OAIC
Management Strategy:
  Parties discuss and reassess merit of MOU Activities already completed, or underway.
  Clause 15.1 Activities may be terminated due to a change in government policy.

Risk: Poor coordination in policy advice and program and service delivery
Consequence: Community confidence in the Activities may be affected.
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Risk: Lack of effective communication between OAIC and the Department
Consequence:
  • Knowledgeable staff are not available for the Parties to perform Activities as expected
  • Parties are unable to complete Activities in required timeframe
  • Activities are not co-ordinated to promote a whole-of-government approach to eHealth.
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  To promote co-operation between the OAIC and the Department, regular meetings should be held between the Parties with regard to operational and policy matters.
  The Parties should establish procedures to facilitate regular contact between officers of the Parties on routine operational matters.
  In order to ensure effective liaison, the Parties may exchange lists of Contact Officers.

Risk: A dispute arises between the parties about the terms, priorities or outcomes of the MOU
Consequence: Parties are unable to reach agreement about the nature of work to be undertaken or the outcomes of Activities under the MOU.
Likelihood: Very Low
Degree of Impact: Major/Severe
Party Managing: Department, OAIC
Management Strategy:
  If disputes cannot be resolved by negotiation, Parties should assess whether the area of dispute will affect the successful delivery of the Activities, and whether the dispute can be quarantined to ensure the continuation of work under the MOU.
  Clause 14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith. Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

Risk: Provision of funding is delayed
Consequence:
  • Resources are not available for the OAIC to perform Activities as expected
  • OAIC has insufficient resources to complete all required Activities
  • OAIC is unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should advise one another in a reasonable time frame if funding is delayed and if Activities cannot be performed as expected.
  Clause 12 in the MOU outlines processes in relation to invoicing and payments.

Risk: A conflict of interest arises
Consequence: The OAIC is unable to conduct the Activities in an independent and proper manner.
Likelihood: Unlikely
Degree of Impact: Moderate
Party Managing: Department, OAIC
Management Strategy:
  Parties to have a mechanism to identify any potential conflicts of interest and discuss to ensure the continuation of work under the MOU.
  Clause 18.2 Each Party …will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

Risk: Delivery of any activities under the MOU is delayed to accommodate other MOU priorities
Consequence: The outcomes of the Activities are unable to be properly assessed by both Parties.
Likelihood: Possible
Degree of Impact: Minor
Party Managing: OAIC
Management Strategy:
  Parties should negotiate about the priority that is to be given to Activities under the MOU.
  Paragraph S3.3 of Schedule 1 and Paragraph S3.6 of Schedule 2 to the MOU require the OAIC to submit quarterly reports.

Risk: The Department represents the OAIC as endorsing or approving a proposal in connection with the Activity
Consequence: The OAIC's role as an independent regulator may be undermined.
Likelihood: Unlikely
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Clause 7.2 of the MOU prohibits the Department from representing the OAIC as endorsing or approving any proposal in connection with the Activities.
  Parties discuss appropriate remediation e.g. public retraction and clarification to ensure the continuation of work under the MOU.

Risk: Factors external to the MOU may arise that impact on the ability of the OAIC to undertake the Activities of the MOU
Consequence:
  • Conflicting priorities between the Parties may occur.
  • Actions by external delivery partners negatively impact on OAIC/DoHA's ability to perform Activities as expected
Likelihood: Possible
Degree of Impact: Moderate
Party Managing: OAIC
Management Strategy:
  Parties should negotiate in good faith if a dispute arises in relation to this clause.
  Clause 8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program.

Risk: Processes for managing complaints are ineffective
Consequence:
  • Overlap and inconsistency between the Parties may occur.
  • Individuals are unclear about where to take complaints.
  • Community confidence in the eHealth Record System may be affected.
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol.
  Clause 10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed. Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

Risk: Lack of coordination in compliance processes or readiness
Consequence:
  • Community confidence in the eHealth Record System may be affected.
  • Complaints are unable to be handled efficiently and effectively
  • Parties are unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Risk: Lack of significant uptake of the system
Consequence:
  • Adverse media coverage
  • Community confidence in the eHealth Record System may be affected.
  • Provision of funding is reviewed
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol.

Suggested classifications

| Likelihood | Degree of Impact |
| --- | --- |
| Almost certain — expected to occur in most circumstances | Severe — would stop achievement of functional goals and objectives |
| Likely — will probably occur in most circumstances | Major — would threaten goals and objectives; requires close management |
| Possible — might occur at some time | Moderate — would necessitate significant adjustment to the overall function |
| Unlikely — could occur at some time | Minor — would threaten an element of the function |
| Very Low — may occur only in exceptional circumstances | Negligible — routine procedures sufficient to deal with the consequences |

 

Department of Health and Ageing Memorandum of Understanding Quarterly Report

Template of report is attached in:

 


 

 

The Parties agree to carry out their respective obligations in accordance with this Memorandum of Understanding.

 

Signed on behalf of the Office of the Australian Information Commissioner by:

………………………………………
Signature

Professor John McMillan
Australian Information Commissioner
November 2012

Signed on behalf of the Department of Health and Ageing by:

……………………………………………
Signature

Fionna Granger
First Assistant Secretary
eHealth Division
November 2012

  1. COMMENCEMENT AND TERM

    1.1 This Memorandum of Understanding ("MOU") commences on the date it is signed by both Parties and will continue until 30 June 2014.

  2. PURPOSE

    2.1 The purpose of this MOU is to set out the operational and funding arrangements that will guide cooperation between the OAIC and the Department in relation to:

    1. delivering an independent regulatory service in relation to the handling of Healthcare Identifiers and the operation of the HI Service as provided by the Privacy Act and the HI Act.
    2. delivering an independent regulatory service in relation to the handling of personal information within the PCEHR System as provided by the Privacy Act and the PCEHR Act.

    2.2 This MOU details how the Parties will work together and the ways in which financial resources will be utilised and risks managed. It itemises overall principles and obligations, including accountability requirements, while taking into account the OAIC's role as an independent adviser to the Australian Government and as an independent statutory office with regulatory functions.

    2.3 The Activities to be implemented under this MOU will be agreed in writing between the Parties and will form two separate Schedules to this MOU.

  3. INTERPRETATION

    3.1 Definitions

    The following definitions apply in this MOU:

    Activity

    means the activity described in the Schedule, for which funds are provided by the Department.

    Commonwealth

    means the Commonwealth of Australia.

    Confidential Information

    means information that:

    1. is designated by either Party as confidential; or
    2. each Party knows or could reasonably be expected to know is confidential.

    Department

    means the Commonwealth as represented by the Department of Health and Ageing.

    Department Personnel

    means personnel either employed by the Department, or engaged by the Department on a sub-contract basis, or agents of the Department engaged in the Activity.

    HI

    means Healthcare Identifiers.

    Intellectual Property

    means business names, copyrights, patents, trademarks, service marks, trade names, designs and similar industrial, commercial and intellectual property.

    Law

    means any applicable statute, regulation, by-law, ordinance or subordinate legislation in force from time to time anywhere in Australia, whether made by a State, Territory, the Commonwealth or a local government, and includes the common law as applicable from time to time.

    MOU

    means this Memorandum of Understanding, and includes the Schedule and attachments.

    OAIC

    means the Office of the Australian Information Commissioner established by section 5 of the Australian Information Commissioner Act 2010.

    OAIC Personnel

    means personnel either employed by the OAIC, or engaged by the OAIC, on a contract basis, or agents of the OAIC, engaged in the Activity.

    Party

    means the OAIC or the Department as the context requires.

    PCEHR

    means Personally Controlled Electronic Health Record.

    Privacy Act

    means the Privacy Act 1988.

    Schedule

    means the schedules to this MOU which set out the written agreement of the Parties in respect of the Activity.

    3.2 In this MOU, unless a contrary intention appears:

    1. reference to an attachment is a reference to an attachment to this MOU;
    2. words in the singular include the plural and vice versa;
    3. a reference to the word "including" in any form is not to be construed or interpreted as a word of limitation; and
    4. words importing one gender include each of the other genders.
  4. POLICY PRINCIPLES

    4.1 The Parties will work towards shared goals in accordance with the principles and procedures set out in the Privacy Act 1988 ("Privacy Act"), the Healthcare Identifiers Act 2010 ("HI Act") and the Personally Controlled Electronic Health Records Act 2012 ("PCEHR Act").

  5. ACCOUNTABILITY FRAMEWORK

    5.1 Each Party will cooperate in advancing best practice in implementing Activities noting the OAIC's ultimate responsibility to account for and report on the funds made available for the Activities funded under this MOU.

  6. JOINT RESPONSIBILITIES

    6.1 Achieving greater coordination in policy advice and program and service delivery is a high priority of public administration in Australia.  Whole of government denotes public service agencies working across portfolio boundaries to achieve a shared goal and an integrated government response to particular issues.

    6.2 In this context, setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

    6.3 The Parties have an obligation to assist each other in meeting their accountability obligations including:

    1. appearances before Parliamentary and Cabinet Committees;
    2. relevant discussions and negotiations with other portfolios; and
    3. providing assistance necessary to respond to Parliamentary and Ministerial correspondence.

    6.4 The Parties recognise that the OAIC is an independent regulator established under the Australian Information Commissioner Act 2010, and agree that this clause 6:

    1. is directed towards the development of good policy and procedures, efficient and effective use of public money, and the provision of complete and accurate information to Parliament; and
    2. does not impose any obligation on the OAIC to the extent it would be inconsistent with its role as an independent regulator.

    6.5 The Parties recognise that the Department has obligations to provide advice and support to the Minister for Health in relation to obligations under the Administrative Arrangements Order to administer specific legislation, including the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

  7. THE DEPARTMENT'S RESPONSIBILITIES

    7.1 The Department will perform the Activities as agreed in the Schedules as in place from time to time.

    7.2 The Department will not represent the OAIC as endorsing or approving any proposal in connection with the Activities unless the OAIC has specifically done so in writing unless in the particular circumstances it is impracticable to await or provide a proposal in writing.

    7.3 The Department will act in good faith and use its best endeavours to cooperate with the OAIC's accountability requirements for the funds, including the provision of funding as agreed in the Schedule.

    7.4 In furtherance of the specific Activity objectives, the Department will:

    1. provide appropriately qualified and experienced Department Personnel in order to perform its obligations under this MOU; and
    2. be responsible for the performance and conduct of all Department Personnel involved with the Activities, including taking all reasonable endeavours to ensure that, in the course of carrying out the Activities, Department Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.

  8. OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER'S RESPONSIBILITIES

    8.1 The OAIC will perform the Activities as agreed in the Schedules.

    8.2 The OAIC will comply fully with the Department's requirements for accountability for the funds, including provision of assistance with forward estimates for budgets, and other expenditure updates as required.

    8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program.

    8.4 The OAIC will:

    1. provide appropriately qualified and experienced Personnel in order to perform its obligations under this MOU;
    2. be responsible for the performance and conduct of all Personnel involved with the Activities and will take all reasonable endeavours to ensure that, in the course of carrying out the Activities, OAIC Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.
  9. RISK ASSESSMENT AND MANAGEMENT

    9.1 The Parties acknowledge that there are identifiable risks to the successful achievement of the objectives of this MOU as set out in the risk management plans at Annexures 1 and 2.

    9.2 The Parties each agree to monitor, report on, and manage the risks in respect of which they have been assigned responsibility in the relevant risk management plan and to update this risk management plan accordingly.    

  10. REPORTING, MONITORING AND EVALUATION

    10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed.  Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

  11. SUB-CONTRACTING

    11.1 It is the intention of the Parties that neither Party will sub-contract to any entity or individual any part of the services or works which are the subject of this MOU without consultation with and the approval of the other Party.

    11.2 Where the Parties have agreed that one or both Parties may enter into sub-contracts under this clause, the Party sub-contracting will be solely responsible for all matters in connection with the sub-contracts including without limitation:

    1. compliance with all legal and regulatory requirements in relation to such contracting (including without limitation the Commonwealth Procurement Guidelines); and
    2. the engagement, management, coordination and payment of, and all communications with, sub-contractors.
  12. FINANCIAL ARRANGEMENTS AND PAYMENTS

    12.1 Financial Arrangements

    1. The Department agrees to provide funding to the OAIC for each Activity as set out in the relevant Schedule.

    12.2 Payments and Invoices

    1. The Department will make payment of the funds specified in the relevant Schedule within 30 days of receipt of a correctly rendered invoice from the OAIC.
    2. A correctly rendered invoice is one that contains:
      1. the name of the Activity and all services and works provided, and records the amount payable in respect of each category of services and works described in the relevant Schedule;
      2. a claim for the amount of funds properly required and calculated correctly in accordance with entitlements under the relevant Schedule;
      3. the name of the Department's Contact Officer; and
      4. a tax invoice.
    3. If an invoice is rendered incorrectly, any underpayment or overpayment will be recoverable by or from the Department and may be offset against or added to amounts subsequently due from the Department.

    12.3 Accounts, Records and Access

    1. Each Party will keep proper and detailed accounts and records in relation to any services or works performed, or expenditure incurred by them, under this MOU. Each Party will maintain such accounts and records for a minimum period of seven years following the completion of the services or works performed.
    2. Each Party will provide the other with sufficient financial management information on request to enable the other to monitor expenditure, resolve queries, complete internal audit processes and comply with regulatory requirements and procedures including without limitation those imposed by the Financial Management and Accountability Act 1997 and the Australian National Audit Office.
    3. Without limiting the methods which may be used to ensure proper financial accountability, the Parties agree that having discrete cost codes for funding under this MOU would be desirable.
  13. INTELLECTUAL PROPERTY

    13.1 The full legal rights to all Intellectual Property arising out of the Activities will vest in the Commonwealth.

  14. DISPUTE RESOLUTION

    14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith.  Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

  15. TERMINATION AND SUSPENSION

    15.1 Activities may be terminated due to a change in government policy.

    15.2 Either Party may terminate this MOU by providing 90 days written notice to the other Party.

    15.3 Where either Party is prevented from performing its obligations in a Schedule by circumstances or events reasonably beyond its control, it will promptly notify the other Party and take all reasonable steps to mitigate the impact (financial or otherwise) on Activities.  The Parties will discuss the circumstances or events and may agree that further implementation of Activities (or an Activity) should be suspended or terminated.

    15.4 Upon termination or suspension under this clause 15, the Parties will discuss in good faith the financial and other arrangements applicable to the termination or suspension. The Department will pay the OAIC such amount as is fair and reasonable in the circumstances based upon the proportion of work completed or reasonable and substantiated costs incurred by the OAIC prior to such termination or suspension and otherwise in accordance with the relevant Schedule. The Department will not be liable to pay any amount in excess of the amount of funds remaining unpaid under this MOU at the date of termination.

  16. USE OF MOU INFORMATION

    16.1 The Parties may disclose matters relating to this MOU, including this MOU, except where such disclosure will breach the Privacy Act or any other Law, only to Commonwealth departments and agencies, Ministers and Parliamentary Secretaries, and to Parliament, including responding to requests for information from Parliamentary Committees or inquiries, and if required by Law.

  17. CONFIDENTIALITY, PUBLIC COMMENT AND ACKNOWLEDGMENT

    17.1 Neither Party will, without the prior written approval of the other Party, make public or disclose to any other person any Confidential Information.  In granting its written approval, a Party may impose such terms and conditions as it deems appropriate.

    17.2 The Parties will discuss the nature, form, content and manner of publicity of any Activity.

  18. CONFLICT OF INTEREST

    18.1 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner.

    18.2 Each Party confirms that no conflict of interest exists or is likely to arise in relation to the performance of its obligations under this MOU.  Each Party will use its best endeavours to ensure that no such conflict of interest, or perceived conflict of interest, arises and will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

  19. NOTICES

    19.1 The officer currently holding the nominated contact Position for each Party and each Party's address for the service of notices under this MOU are as listed below.

    19.2 The Parties may change the officer holding their nominated contact Position, and address for the service of notices, by letter signed by their respective authorised representative.

The Department:

Contact Name & Position: Nerida Lawrentin, Director, Legislative Policy Section
Telephone: 02 6289 4907
Facsimile: 02 6289 5673
Email Address: nerida.lawrentin@health.gov.au
Postal Address: MDP 1003, GPO Box 9848, CANBERRA ACT 2601
Street Address: Sirius Building, Furzer Street, Woden ACT 2606

Office of the Australian Information Commissioner:

Contact Name & Position: Melanie Drayton, Director, Policy Section
Telephone: 02 9284 9682
Facsimile: 02 9284 9666
Email Address: melanie.drayton@OAIC.gov.au
Postal Address: GPO Box 5218, SYDNEY NSW 2001
Street Address: Level 2, 175 Pitt Street, SYDNEY NSW 2001

  20. AMENDMENTS

    20.1 The Parties may amend or vary this MOU at any time by agreement in writing signed by their respective authorised representative.

    20.2 The Parties may amend or vary a Schedule at any time by substituting the Schedule in its entirety with the amended or varied Schedule as agreed by the Parties in writing.


 

ATTACHMENT A

Schedule 1 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 ("Privacy Act"), the Healthcare Identifiers Act 2010 ("HI Act") and the Personally Controlled Electronic Health Records Act 2012 ("PCEHR Act")

This Schedule 1 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the Personally Controlled Electronic Health Record (PCEHR) system (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties on 29 November 2012 (MOU). This Schedule (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule, the terms and conditions of the MOU will apply.

 

OAIC Regulatory Privacy Oversight Functions for the Personally Controlled Electronic Health Record (PCEHR) system (Activity)

S1 COMMENCEMENT AND COMPLETION DATES

S1.1 The Activity will commence on the date this MOU is signed by both Parties and end on 30 June 2014.

S2 ACTIVITY GOAL AND OBJECTIVES

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the privacy and management of personal and health information in relation to the personally controlled electronic health record (PCEHR) system. It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with the PCEHR.

S3 DESCRIPTION

S3.1 In relation to the PCEHR system the OAIC will:

  1. Investigate acts and practices that may be a contravention of the PCEHR Act in connection with health information contained in a consumer's PCEHR or a provision of Part 4 or 5 of the Privacy Act by Commonwealth agencies, private sector organisations, individuals or state and territory public authorities (where applicable);
  2. Accept data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements;
  3. Investigate failures to notify data breaches (where empowered to do so);
  4. If the Commissioner considers it appropriate to do so, conduct own motion investigations;
  5. If the Commissioner considers it appropriate to do so, attempt by conciliation, to effect a settlement of the matters that gave rise to the investigation;
  6. Exercise a range of enforcement powers available in relation to PCEHR contraventions including:
    1. the power to seek civil penalties
    2. the power to seek an injunction to prohibit or require particular conduct
    3. the power to accept enforceable undertakings
  7. If the Commissioner considers it appropriate to do so, seek enforceable undertakings as an alternative to seeking a civil penalty or seek that the court impose an enforceable undertaking;
  8. Advise participants on their obligations in relation to PCEHR System and liaise with state and territory regulators;
  9. Conduct up to 2 audits of the PCEHR System operator during the period covered by this MOU;
  10. Conduct up to 2 audits of agencies and organisations (on invitation) during the period covered by this MOU;
  11. Develop and agree on a protocol for processes, procedures and service standards with the PCEHR System Operator for the exchange of information and advice in relation to complaints about the PCEHR system and referral of privacy complaints and complex privacy enquiries. These processes will be based on the complaint handling workflow and guiding principles set out in Annex 3 to this Schedule;
  12. Update the complaint handling manual and other internal reference materials;
  13. Respond to requests for advice on the appropriate handling of PCEHR information from Commonwealth agencies, WA and SA public authorities, private sector organisations and individuals;
  14. Provide telephone and written guidance to individuals and participants on their privacy compliance obligations in relation to the PCEHR System;
  15. Liaise and coordinate on privacy related PCEHR activities with key agencies (DoHA, NeHTA and DHS-Medicare);
  16. Liaise and coordinate on privacy related PCEHR activities with the System Operator;
  17. Prepare PCEHR-related briefing material, speeches and media comment on privacy matters;
  18. Comment on draft legislation that may interact with the Personally Controlled Electronic Health Records Act 2012 (where appropriate);
  19. Formulate guidance for exercising the powers conferred on the Information Commissioner by the Personally Controlled Electronic Health Records Act 2012;
  20. Monitor developments in eHealth to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR System in the broader eHealth context; and
  21. Monitor eHealth developments related to the PCEHR System to ensure that the OAIC is aware of the implications of any developments for the PCEHR system, and is able to ensure compatibility with the privacy aspects of the PCEHR system.

S3.2 The risks associated with this Activity are outlined in the Risk Management matrix at Annex 1 to this Schedule.

S3.3 The OAIC will provide the Department with quarterly reports as agreed in Annex 2 to this Schedule within 5 (five) working days of each quarter's end. The Parties will meet within a fortnight of each quarterly report being provided to discuss the outcomes associated.

S3.4 The Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Commissioner's activities during the financial year relating to the PCEHR system. The report must include:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the PCEHR system;
    2. investigations undertaken by the Commissioner in relation to PCEHRs or the PCEHR system;
    3. enforceable undertakings accepted by the Commissioner under this Act;
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  2. any other matter prescribed by the regulations.

S3.5 The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

S3.6 The OAIC will provide the Department with an Annual Financial Acquittal.

S3.7 The OAIC and the Department have developed a complaint handling workflow accompanied by guiding principles that set out how privacy complaints and complex privacy enquiries will be dealt with to ensure a coordinated approach and experience for the complainant. The agreed framework document is included at Annex 3 to this Schedule.

S3.8 The Department and the OAIC will follow the agreed framework included at Annex 3 to this Schedule when dealing with privacy complaints relating to the PCEHR system, and ensure that complainants are fully informed of the avenues available to resolve a privacy matter.

S4 FINANCIAL ARRANGEMENTS

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Department in respect of the Activity is $3,282,080.00 (GST exempt). The Department will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Department will pay the OAIC the sums in accordance with the budget and timetable set out below.  The unexpended part of advances paid by the Department must be refunded to the Department at the conclusion of the Activity.

Schedule of payments

| Milestone | Due Date | Payment amount |
|---|---|---|
| Commencement of this MOU | On signing of the MOU | $555,653 |
| Q1 Report 2012/13 | 30 November 2012 | $250,000 |
| Q2 Report 2012/13 | 30 December 2012 | $250,000 |
| Q3 Report 2012/13 | 31 March 2013 | $250,000 |
| Q4 Report 2012/13 | 30 June 2013 | $250,000 |
| Sub total | | $1,555,653 |
| Q1 Report 2013/14 | 30 September 2013 | $431,606 |
| Q2 Report 2013/14 | 30 December 2013 | $431,606 |
| Q3 Report 2013/14 | 31 March 2014 | $431,606 |
| Q4 Report 2013/14 | 30 June 2014 | $431,609 |
| Sub total | | $1,726,427 |
| Grand Total | | $3,282,080.00 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

 

Ms Nerida Lawrentin
Director Legislative Policy
nerida.lawrentin@health.gov.au
MDP 1003
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.

 

ANNEX 1

 

RISK MANAGEMENT MATRIX

Risk: Change of policy direction following the next election
Consequence: Activities under the MOU may be discontinued
Likelihood: Possible
Degree of Impact: Severe
Party Managing: Department, OAIC
Management Strategy:
  Parties discuss and reassess merit of MOU Activities already completed, or underway.
  Clause 15.1 Activities may be terminated due to a change in government policy.

Risk: Poor coordination in policy advice and program and service delivery
Consequence: Community confidence in the Activities may be affected.
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Risk: Lack of effective communication between OAIC and the Department
Consequence:
  • Knowledgeable staff are not available for the Parties to perform Activities as expected
  • Parties are unable to complete Activities in required timeframe
  • Activities are not co-ordinated to promote a whole-of-government approach to eHealth.
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  To promote co-operation between the OAIC and the Department, regular meetings should be held between the Parties with regard to operational and policy matters.
  The Parties should establish procedures to facilitate regular contact between officers of the Parties on routine operational matters.
  In order to ensure effective liaison, the Parties may exchange lists of Contact Officers.

Risk: A dispute arises between the parties about the terms, priorities or outcomes of the MOU
Consequence: Parties are unable to reach agreement about the nature of work to be undertaken or the outcomes of Activities under the MOU.
Likelihood: Very Low
Degree of Impact: Major/Severe
Party Managing: Department, OAIC
Management Strategy:
  If disputes cannot be resolved by negotiation, Parties should assess whether the area of dispute will affect the successful delivery of the Activities, and whether the dispute can be quarantined to ensure the continuation of work under the MOU.
  Clause 14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith.  Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

Risk: Provision of funding is delayed
Consequence:
  • Resources are not available for the OAIC to perform Activities as expected
  • OAIC has insufficient resources to complete all required Activities
  • OAIC is unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should advise one another in a reasonable time frame if funding is delayed and if Activities cannot be performed as expected.
  Clause 12 in the MOU outlines processes in relation to invoicing and payments.

Risk: A conflict of interest arises
Consequence: The OAIC is unable to conduct the Activities in an independent and proper manner.
Likelihood: Unlikely
Degree of Impact: Moderate
Party Managing: Department, OAIC
Management Strategy:
  Parties to have a mechanism to identify any potential conflicts of interest and discuss to ensure the continuation of work under the MOU.
  Clause 18.2 Each Party …will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs.  In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

Risk: Delivery of any activities under the MOU is delayed to accommodate other MOU priorities
Consequence: The outcomes of the Activities are unable to be properly assessed by both Parties.
Likelihood: Possible
Degree of Impact: Minor
Party Managing: OAIC
Management Strategy:
  Parties should negotiate about the priority that is to be given to Activities under the MOU.
  Paragraph S3.3 of Schedule 1 and Paragraph S3.6 of Schedule 2 to the MOU require the OAIC to submit quarterly reports.

Risk: The Department represents the OAIC as endorsing or approving a proposal in connection with the Activity
Consequence: The OAIC's role as an independent regulator may be undermined.
Likelihood: Unlikely
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Clause 7.2 of the MOU prohibits the Department from representing the OAIC as endorsing or approving any proposal in connection with the Activities.
  Parties discuss appropriate remediation e.g. public retraction and clarification to ensure the continuation of work under the MOU.

Risk: Factors external to the MOU may arise that impact on the ability of the OAIC to undertake the Activities of the MOU
Consequence:
  • Conflicting priorities between the Parties may occur.
  • Actions by external delivery partners negatively impact on OAIC/DoHA's ability to perform Activities as expected
Likelihood: Possible
Degree of Impact: Moderate
Party Managing: OAIC
Management Strategy:
  Parties should negotiate in good faith if a dispute arises in relation to this clause.
  Clause 8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program.

Risk: Processes for managing complaints are ineffective
Consequence:
  • Overlap and inconsistency between the Parties may occur.
  • Individuals are unclear about where to take complaints.
  • Community confidence in the eHealth Record System may be affected.
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy:
  Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol.
  Clause 10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed.  Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

Risk: Lack of coordination in compliance processes or readiness
Consequence:
  • Community confidence in the eHealth Record System may be affected.
  • Complaints are unable to be handled efficiently and effectively
  • Parties are unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Risk: Lack of significant uptake of the system
Consequence:
  • Adverse media coverage
  • Community confidence in the eHealth Record System may be affected.
  • Provision of funding is reviewed
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol.

Suggested classifications:

| Likelihood | Degree of Impact |
|---|---|
| Almost certain - expected to occur in most circumstances | Severe - would stop achievement of functional goals and objectives |
| Likely - will probably occur in most circumstances | Major - would threaten goals and objectives; requires close management |
| Possible - might occur at some time | Moderate - would necessitate significant adjustment to the overall function |
| Unlikely - could occur at some time | Minor - would threaten an element of the function |
| Very Low - may occur only in exceptional circumstances | Negligible - routine procedures sufficient to deal with the consequences |


Department of Health and Ageing Memorandum of Understanding Quarterly Report

Template of report is attached in:

  • word format
  • pdf format

 

ANNEX 3

Guiding Principles and Assumptions for the handling of PCEHR Privacy Complaints

  1. The most important foundation principle that should guide all agencies and regulators involved in the PCEHR complaints handling scheme is that the process should be as seamless as possible for individuals. That is, individuals should not be 'bounced around' between regulators unnecessarily and a consistent approach and message should be adopted by all agencies and regulators involved.
  2. Government agencies and regulators aim to work cooperatively and remove the barriers to effective complaint handling to address complex PCEHR complaints.
  3. The central point of contact for all complaints is the PCEHR Call Centre (operated by DHS). Many complaints will be dealt with promptly at this initial contact point, especially if the complaint is in the nature of a request for information or clarification.
  4. The System Operator will maintain a coordination role and will track the resolution of complaints which are handled by other agencies or regulators.
  5. Agencies and regulators handling PCEHR complaints will adopt a protocol that clearly explains how complaints about the PCEHR will be handled, including how and when complaints are to be transferred between agencies and regulators and whether the complainant's consent should be sought before transfer.
  6. Consumers will be made aware if personal information is shared or transferred between agencies or regulators in the course of dealing with their PCEHR complaint.
  7. The System Operator will maintain an up-to-date list (or network) of agency and regulator liaison officers.
  8. Agencies and regulators handling PCEHR complaints will attend regular liaison meetings to discuss complaint issues and trends. They will work together to ensure that systemic problems are identified and complaints are effectively handled.
  9. All agencies and regulators will give consistent, clear and accurate advice to the public on how to complain about PCEHR issues.
  10. Agencies and regulators will determine their own jurisdiction and clearly communicate this to other agencies and regulators handling PCEHR complaints.
    • Note: The OAIC will have jurisdiction to handle privacy complaints about agencies, organisations or individuals in connection with health information included in a consumer's PCEHR or in connection with Parts 4 or 5 of the PCEHR Bill. For personal information outside the PCEHR system, the OAIC generally has jurisdiction over Australian and ACT government agencies and private sector organisations covered by the Privacy Act.

 

ATTACHMENT B

Schedule 2 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 ("Privacy Act"), the Healthcare Identifiers Act 2010 ("HI Act") and the Personally Controlled Electronic Health Records Act 2012 ("PCEHR Act")

 

This Schedule 2 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the Healthcare Identifiers (HI) Service (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties on 29 November 2012 (MOU). This Schedule (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule, the terms and conditions of the MOU will apply.

 

 

 

OAIC Regulatory Privacy Oversight Functions for the Healthcare Identifiers (HI) Service (Activity)

S1 COMMENCEMENT AND COMPLETION DATES

S1.1 The Activity will commence on the date this MOU is signed by both Parties and end on 30 June 2014.

S2 ACTIVITY GOAL AND OBJECTIVES

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the Healthcare Identifiers Service. It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with healthcare identifiers.

S3 DESCRIPTION

S3.1 In relation to the HI Service the OAIC will:

  1. Perform a range of work in relation to policy development, compliance and operations of the HI Service, further specified in items S3.2 to S3.4;
  2. Investigate acts and practices that may be a misuse of HI's by Commonwealth agencies, private sector organisations, individuals or state and territory public sector bodies (where applicable);
  3. If considered appropriate by the Commissioner, attempt by conciliation to effect a settlement of the matters that give rise to the investigation;
  4. Advise on obligations in relation to HI's and liaise with State and Territory privacy regulators as appropriate;
  5. Conduct up to two (2) audits of the HI Service Operator (DHS-Medicare) during the period covered by this MOU;
  6. Respond to requests for advice on the appropriate handling of HI's from Commonwealth agencies, private sector organisations or individuals;
  7. Provide guidance to individuals and participants in the healthcare industry on their privacy compliance obligations in relation to HI's including, where appropriate, the development of information sheets, Frequently Asked Questions and articles in industry magazines;
  8. Conduct investigations and conciliations regarding State and Territory public bodies, where applicable;
  9. Conduct up to two (2) audits of agencies/organisations or State and Territory authorities during the period covered by this MOU;
  10. Receive Data Breach Notifications and undertake, where appropriate, action;
  11. Develop internal training material and train staff;
  12. Liaise and coordinate with key agencies (DoHA, NeHTA and DHS-Medicare);
  13. Comment on draft legislation that may interact with the HI Act; and
  14. Participate in consultation and comment on eHealth developments that relate to the HI Scheme.

S3.2 In relation to HI Service policy the OAIC will:

  1. develop further guidance materials and revise existing materials as required
  2. review privacy-related materials prepared by DoHA, NeHTA and DHS-Medicare
  3. liaise with DoHA, NeHTA and DHS-Medicare to coordinate approach to privacy guidance materials and enquiries
  4. respond to HI-related privacy enquiries referred by DoHA, NeHTA and DHS-Medicare
  5. provide privacy advice to agencies, organisations and states and territories
  6. prepare HI-related committee briefing material, speeches and media comment as appropriate
  7. monitor developments in eHealth to ensure the OAIC is able to offer informed advice about the privacy aspects of the operation of the HI scheme in the broader eHealth context
  8. participate in consultations and comment on eHealth developments that relate to the HI scheme, including the PCEHR, to ensure that the OAIC is aware of the implications of any developments for the HI scheme, and is able to ensure compatibility with the privacy aspects of the HI scheme
  9. comment on draft legislation that may interact with the HI Act.

S3.3 In relation to HI Service compliance the OAIC will:

  1. respond to public enquiries
  2. investigate complaints in relation to agencies and organisations
  3. conduct up to two (2) audits of HI Service operator during the period covered by this MOU
  4. conduct up to two (2) audits of agencies / organisations or State or Territory authorities during the period covered by this MOU
  5. initiate own motion investigations as appropriate
  6. receive Data Breach Notifications and undertake associated follow up action (where appropriate)
  7. liaise with state and territories on jurisdiction and approach to privacy related investigations
  8. ongoing 'on the job' training
  9. update of complaint handling manual and other internal reference materials
  10. investigate privacy complaints in relation to state and territory authorities

S3.4 Where appropriate in relation to HI Service operations the OAIC will:

  1. develop and deliver internal training
  2. respond to media enquiries
  3. prepare speeches
  4. publish guidance material
  5. publish training material
  6. prepare committee papers
  7. maintain privacy and FOI contact officer networks

S3.5 The risks associated with this Activity are outlined in the Risk Management matrix at Attachment D.

S3.6 The OAIC will provide the Department with quarterly reports as specified in the reporting template agreed with DoHA and included at Annex 2 to this Schedule within 5 (five) working days of each quarter's end.

S3.7 The Parties will meet within a fortnight of each quarterly report being provided to discuss the outcomes associated.

S3.8 The OAIC must, as soon as practicable after the end of each financial year, prepare an Annual Report on the Information Commissioner's compliance and enforcement activities under the Healthcare Identifiers Act 2010 during the financial year. The Information Commissioner must give a copy of the report to the Minister for Health, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

S3.9 The OAIC will provide the Department with an Annual Financial Acquittal.

S3.10 In relation to the HI Service the Department will discuss with the OAIC the outcomes of the HI Review commencing 1 July 2012 and ending 30 June 2013. The Department will not implement any changes to this MOU that are based on these outcomes prior to a discussion with the OAIC.

S4 FINANCIAL ARRANGEMENTS

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Department in respect of the Activity is $1,347,790.00 (GST exempt). The Department will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Department will pay the OAIC the sums in accordance with the budget and timetable set out below. The unexpended part of advances paid by the Department must be refunded to the Department at the conclusion of the Activity.

| Milestone | Due Date | Payment Amount |
|---|---|---|
| Commencement of this MOU | On signing of the MOU | $67,925 |
| Q1 Report 2012/13 | 30 November 2012 | $150,000 |
| Q2 Report 2012/13 | 30 December 2012 | $150,000 |
| Q3 Report 2012/13 | 31 March 2013 | $150,000 |
| Q4 Report 2012/13 | 30 June 2013 | $150,000 |
| Sub total | | $667,925 |
| Q1 Report 2013/14 | 30 September 2013 | $169,966 |
| Q2 Report 2013/14 | 30 December 2013 | $169,966 |
| Q3 Report 2013/14 | 31 March 2014 | $169,966 |
| Q4 Report 2013/14 | 30 June 2014 | $169,967 |
| Sub total | | $679,865 |
| Total | | $1,347,790.00 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

Ms Nerida Lawrentin
Director Legislative Policy
nerida.lawrentin@health.gov.au
MDP 1003
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.

 

ANNEX 1

RISK MANAGEMENT MATRIX

| Risk | Consequence | Likelihood | Degree of Impact | Party Managing | Management Strategy |
|---|---|---|---|---|---|
| Change of policy direction following the next election | Activities under the MOU may be discontinued | Possible | Severe | Department, OAIC | Parties discuss and reassess merit of MOU Activities already completed, or underway. Clause 15.1 Activities may be terminated due to a change in government policy. |
| Poor coordination in policy advice and program and service delivery | Community confidence in the Activities may be affected. | Possible | Major | Department, OAIC | Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties. |
| Lack of effective communication between OAIC and the Department | • Knowledgeable staff are not available for the Parties to perform Activities as expected • Parties are unable to complete Activities in required timeframe • Activities are not co-ordinated to promote a whole-of-government approach to eHealth. | Possible | Major | Department, OAIC | To promote co-operation between the OAIC and the Department, regular meetings should be held between the Parties with regard to operational and policy matters. The Parties should establish procedures to facilitate regular contact between officers of the Parties on routine operational matters. In order to ensure effective liaison, the Parties may exchange lists of Contact Officers. |
| A dispute arises between the parties about the terms, priorities or outcomes of the MOU | Parties are unable to reach agreement about the nature of work to be undertaken or the outcomes of Activities under the MOU. | Very Low | Major/Severe | Department, OAIC | If disputes cannot be resolved by negotiation, Parties should assess whether the area of dispute will affect the successful delivery of the Activities, and whether the dispute can be quarantined to ensure the continuation of work under the MOU. Clause 14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith. Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles. |
| Provision of funding is delayed | • Resources are not available for the OAIC to perform Activities as expected • OAIC has insufficient resources to complete all required Activities • OAIC is unable to complete Activities in required timeframe | Possible | Major | Department, OAIC | Parties should advise one another in a reasonable time frame if funding is delayed and if Activities cannot be performed as expected. Clause 12 in the MOU outlines processes in relation to invoicing and payments. |
| A conflict of interest arises | The OAIC is unable to conduct the Activities in an independent and proper manner. | Unlikely | Moderate | Department, OAIC | Parties to have a mechanism to identify any potential conflicts of interest and discuss to ensure the continuation of work under the MOU. Clause 18.2 Each Party …will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided. |
| Delivery of any activities under the MOU are delayed to accommodate other MOU priorities | The outcomes of the Activities are unable to be properly assessed by both Parties. | Possible | Minor | OAIC | Parties should negotiate about the priority that is to be given to Activities under the MOU. Paragraph S3.3 of Schedule 1 and Paragraph S3.6 of Schedule 2 to the MOU requires the OAIC to submit quarterly reports. |
| The Department represents the OAIC as endorsing or approving a proposal in connection with the Activity | The OAIC's role as an independent regulator may be undermined. | Unlikely | Major | Department, OAIC | Clause 7.2 of the MOU prohibits the Department from representing the OAIC as endorsing or approving any proposal in connection with the Activities. Parties discuss appropriate remediation e.g. public retraction and clarification to ensure the continuation of work under the MOU. |
| Factors external to the MOU may arise that impact on the ability of the OAIC to undertake the Activities of the MOU | • Conflicting priorities between the Parties may occur. • Actions by external delivery partners negatively impact on OAIC/DoHA's ability to perform Activities as expected | Possible | Moderate | OAIC | Parties should negotiate in good faith if a dispute arises in relation to this clause. Clause 8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program. |
| Processes for managing complaints are ineffective | • Overlap and inconsistency between the Parties may occur. • Individuals are unclear about where to take complaints. • Community confidence in the eHealth Record System may be affected. | Possible | Major | Department, OAIC | Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol. Clause 10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed. Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required. |
| Lack of coordination in compliance processes or readiness | • Community confidence in the eHealth Record System may be affected. • Complaints are unable to be handled efficiently and effectively • Parties are unable to complete Activities in required timeframe | Possible | Major | Department, OAIC | Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties. |
| Lack of significant uptake of the system | • Adverse media coverage • Community confidence in the eHealth Record System may be affected. • Provision of funding is reviewed | Possible | Major | Department, OAIC | Parties should liaise regularly to reassess and discuss priorities / responsibilities under the MOU and work collaboratively on the established information sharing agreement and protocol. |

Suggested classifications

| Likelihood | Degree of Impact |
|---|---|
| Almost certain — expected to occur in most circumstances | Severe — would stop achievement of functional goals and objectives |
| Likely — will probably occur in most circumstances | Major — would threaten goals and objectives; requires close management |
| Possible — might occur at some time | Moderate — would necessitate significant adjustment to the overall function |
| Unlikely — could occur at some time | Minor — would threaten an element of the function |
| Very Low — may occur only in exceptional circumstances | Negligible — routine procedures sufficient to deal with the consequences |

Department of Health and Ageing Memorandum of Understanding Quarterly Report

Template of report is attached in:

  • word format
  • pdf format