Australian Government - Office of the Australian Information Commissioner

Memorandum of Understanding between the Department of Health and the Office of the Australian Information Commissioner (June 2015)

Memorandum of Understanding

Dated:

Between:

The Office of the Australian Information Commissioner (“the OAIC”)
ABN: 85 249 230 937

and

The Department of Health (“the Department”)
ABN 83 605 426 759

(each a “Party”)

In relation to
Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the Personally Controlled Electronic Health Records Act 2012 (“PCEHR Act”)


This Memorandum of Understanding sets out the shared goals and funding arrangements between the Parties in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010. This Memorandum of Understanding sets out the contribution each Party will make in pursuit of these goals, and the means by which each Party will ensure that it satisfies the accountability obligations.

The Parties agree to carry out their respective obligations in accordance with this Memorandum of Understanding.

Signed on behalf of the Office of the Australian Information Commissioner by:

[signed]

Mr Timothy Pilgrim
Australian Privacy Commissioner
26 June 2015

Signed on behalf of the Department of Health by:

[signed]

Ms Bettina Konti
First Assistant Secretary
eHealth Division
30 June 2015

 

1. Commencement and term

1.1 This Memorandum of Understanding (“MOU”) commences on the date of execution and will continue until 30 June 2016.

2. Purpose

2.1 The purpose of this MOU is to set out the operational and funding arrangements that will guide cooperation between the OAIC and the Department in relation to:

  1. delivering an independent regulatory service in relation to the handling of Healthcare Identifiers and the operation of the HI service as provided by the Privacy Act and the HI Act; and

  2. delivering an independent regulatory service in relation to the handling of personal information within the PCEHR system as provided by the Privacy Act and the PCEHR Act.

2.2 This MOU details how the Parties will work together and the ways in which financial resources will be utilised and risks managed. It itemises overall goals and Party obligations, including accountability requirements, while taking into account the OAIC’s role as an independent adviser to the Australian Government and as an independent statutory office with regulatory functions.

2.3 The Activities to be implemented under this MOU will be agreed in writing between the Parties and will form two separate Schedules to this MOU.

3. Interpretation

3.1 Definitions

The following definitions apply in this MOU:

Activity means the activity described in the Schedule, for which funds are provided by the Department.

Agreement means ‘Agreement for information sharing and complaint referral relating to the personally controlled electronic health (eHealth) record system between the OAIC and the System Operator’ that has been developed to address information sharing and complaint referral matters relating to the PCEHR system.

Commonwealth means the Commonwealth of Australia.

Confidential Information means information that:

  1. is designated by either Party as confidential; or
  2. each Party knows or could reasonably be expected to know is confidential.

Contact Officer means the officer who at that time is holding the nominated contact position for a Party to this MOU.

Department means the Commonwealth as represented by the Department of Health.

Department Personnel means personnel either employed by the Department, or engaged by the Department on a sub-contract basis, or agents of the Department engaged in the Activity.

HI means Healthcare Identifiers.

HI Act means Healthcare Identifiers Act 2010.

Intellectual Property means business names, copyrights, patents, trademarks, service marks, trade names, designs and similar industrial, commercial and intellectual property.

Law means any applicable statute, regulation, by-law, ordinance or subordinate legislation in force from time to time anywhere in Australia, whether made by a State, Territory, the Commonwealth or a local government, and includes the common law as applicable from time to time.

MOU means this Memorandum of Understanding, and includes the Schedule and attachments.

OAIC means the Office of the Australian Information Commissioner established by section 5 of the Australian Information Commissioner Act 2010.

OAIC Personnel means personnel either employed by the OAIC, or engaged by the OAIC, on a contract basis, or agents of the OAIC, engaged in the Activity.

Party means the OAIC or the Department as the context requires.

PCEHR means Personally Controlled Electronic Health Record.

PCEHR Act means Personally Controlled Electronic Health Records Act 2012.

Privacy Act means the Privacy Act 1988.

Schedule means the schedules to this MOU which set out the written agreement of the Parties in respect of the Activity.

3.2 In this MOU, unless a contrary intention appears:

  1. reference to an attachment is a reference to an attachment to this MOU;
  2. words in the singular include the plural and vice versa;
  3. a reference to the word “including” in any form is not to be construed or interpreted as a word of limitation; and
  4. words importing one gender include each of the other genders.

4. Policy principles

4.1 The Parties will work towards shared goals in accordance with the principles and procedures set out in the Privacy Act, the HI Act and the PCEHR Act.

5. Accountability framework

5.1 Each Party will cooperate in advancing best practice in implementing Activities noting the OAIC’s ultimate responsibility to account for and report on the funds made available for the Activities funded under this MOU.

6. Joint responsibilities

6.1 Achieving greater coordination in policy advice and program and service delivery is a high priority of public administration in Australia. Whole of government denotes public service agencies working across portfolio boundaries to achieve a shared goal and an integrated government response to particular issues.

6.2 In this context, setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

6.3 The Parties have an obligation to assist each other in meeting their accountability obligations including:

  1. appearances before Parliamentary and Cabinet Committees;
  2. relevant discussions and negotiations with other portfolios; and
  3. providing assistance necessary to respond to Parliamentary and Ministerial correspondence.

6.4 The Parties recognise that the OAIC is an independent regulator established under the Australian Information Commissioner Act 2010, and agree that this MOU:

  1. is directed towards the development of good policy and procedures, efficient and effective use of public money, and the provision of complete and accurate information to Parliament; and
  2. does not impose any obligation on the OAIC to the extent it would be inconsistent with its role as an independent regulator.

6.5 The Parties recognise that the Department has obligations to provide advice and support to the Minister for Health in relation to obligations under the Administrative Arrangements Order to administer specific legislation, including the PCEHR Act and the HI Act.

7. The Department’s responsibilities

7.1 The Department will perform the Activities as agreed in the Schedules as in place from time to time.

7.2 The Department will not represent the OAIC as endorsing or approving any proposal in connection with the Activities unless the OAIC has specifically done so in writing unless in the particular circumstances it is impracticable to await or provide a proposal in writing.

7.3 The Department will act in good faith and use its best endeavours to cooperate with the OAIC’s accountability requirements for the funds, including the provision of funding as agreed in the Schedule.

7.4 In furtherance of the specific Activity objectives, the Department will:

  1. provide appropriately qualified and experienced Department Personnel in order to perform its obligations under this MOU; and

  2. be responsible for the performance and conduct of all Department Personnel involved with the Activities, including taking all reasonable endeavours to ensure that, in the course of carrying out the Activities, Department Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.

8. Office of the Australian Information Commissioner’s responsibilities

8.1 The OAIC will perform the Activities as agreed in the Schedules.

8.2 The OAIC will comply fully with the Department’s requirements for accountability for the funds, including provision of assistance with forward estimates for budgets, and other expenditure updates as required.

8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program.

8.4 The OAIC will:

  1. provide appropriately qualified and experienced OAIC Personnel in order to perform its obligations under this MOU; and

  2. be responsible for the performance and conduct of all OAIC Personnel involved with the Activities and will take all reasonable endeavours to ensure that, in the course of carrying out the Activities, OAIC Personnel comply with Australian Public Service Values, the Australian Public Service Code of Conduct and the Public Service Act 1999 to the extent they are required to do so.

9. Risk assessment and management

9.1 The Parties acknowledge that there are identifiable risks to the successful achievement of the objectives of this MOU as set out in the risk management plans at Attachment C.

9.2 The Parties each agree to monitor, report on, and manage the risks in respect of which they have been assigned responsibility in the relevant risk management plan and to update this risk management plan accordingly.

10. Reporting, monitoring and evaluation

10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed. Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

11. Sub-contracting

11.1 It is the intention of the Parties that neither Party will sub-contract to any entity or individual any part of the Activities which are the subject of this MOU without consultation with and the approval of the other Party.

11.2 Where the Parties have agreed that one or both Parties may enter into sub-contracts under this clause, the Party sub-contracting will be solely responsible for all matters in connection with the sub-contracts including without limitation:

  1. compliance with all legal and regulatory requirements in relation to such contracting (including without limitation the Commonwealth Procurement Rules); and

  2. the engagement, management, coordination and payment of, and all communications with, sub-contractors.

12. Financial arrangements and payments

12.1 Financial Arrangements

  1. The Department agrees to provide funding to the OAIC for each Activity as set out in the relevant Schedule.

12.2 Payments and Invoices

  1. The Department will make payment of the funds specified in the relevant Schedule within 30 days of receipt of a correctly rendered invoice from the OAIC.
  2. A correctly rendered invoice is one that contains:
    1. the name of the Activity provided;
    2. a claim for the amount of funds properly required and calculated correctly in accordance with entitlements under the relevant Schedule;
    3. the name of the Department’s Contact Officer; and
    4. a tax invoice.
  3. If an invoice is rendered incorrectly, any underpayment or overpayment will be recoverable by or from the Department and may be offset against or added to amounts subsequently due from the Department.

12.3 Accounts, Records and Access

  1. Each Party will keep proper and detailed accounts and records in relation to any Activity items performed, or expenditure incurred by them, under this MOU. Each Party will maintain such accounts and records for a minimum period of seven years following the completion of the services or works performed.

  2. Each Party will provide the other with sufficient financial management information to enable the other to monitor expenditure, resolve queries, complete internal audit processes and comply with regulatory requirements and procedures including without limitation those imposed by the Public Governance, Performance and Accountability Act 2013 and the Australian National Audit Office.

  3. Without limiting the methods which may be used to ensure proper financial accountability, the Parties agree that having discrete cost codes for funding under this MOU would be desirable.

13. Intellectual property

13.1 The title to and ownership of all Intellectual Property in all material arising out of the Activities will vest in the Commonwealth.

14. Dispute resolution

14.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith. Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

15. Termination and suspension

15.1 Activities may be terminated due to a change in government policy.

15.2 Either Party may terminate this MOU by providing 90 days written notice to the other Party.

15.3 Where either Party is prevented from performing its obligations in a Schedule by circumstances or events reasonably beyond its control, it will promptly notify the other Party and take all reasonable steps to mitigate the impact (financial or otherwise) on Activities. The Parties will discuss the circumstances or events and may agree that further implementation of Activities (or an Activity) should be suspended or terminated.

15.4 Upon termination or suspension under this clause 15, the Parties will discuss in good faith the financial and other arrangements applicable to the termination or suspension. The Department will pay the OAIC such amount as is fair and reasonable in the circumstances based upon the proportion of work completed or reasonable and substantiated costs incurred by the OAIC prior to such termination or suspension and otherwise in accordance with the relevant Schedule. The Department will not be liable to pay any amount in excess of the amount of funds remaining unpaid under this MOU at the date of termination.

16. Use of MOU information

16.1 The Parties agree to work together to share information relating to their respective roles and obligations under this MOU, subject to the Agreement, and the requirements of any relevant law.

17. Confidentiality and public comment

17.1 If it is necessary to deal with Confidential Information, the Parties will have regard to any applicable legislation and the general law.

17.2 Neither Party will, without the prior written approval of the other Party, make public or disclose to any other person any Confidential Information. In granting its written approval, a Party may impose such terms and conditions as it deems appropriate.

17.3 Clause 17.2 does not apply to the extent that Confidential Information:

  1. is disclosed by a Party to its personnel, solely to enable effective management of this MOU and the provision of privacy-related services under the Privacy Act, the PCEHR Act and the HI Act;
  2. is disclosed by a party to a responsible Minister;
  3. is disclosed by a party in response to a request by a House or a Committee of Parliament; or
  4. is authorised or required by law to be disclosed.

17.4 The Parties will discuss and agree to the nature, form, content and manner of publicity of any Activity.

17.5 The Parties will alert each other to matters relating to this MOU that have attracted or are likely to attract media attention.

18. Conflict of interest

18.1 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner.

18.2 Each Party confirms that no conflict of interest exists or is likely to arise in relation to the performance of its obligations under this MOU. Each Party will use its best endeavors to ensure that no such conflict of interest, or perceived conflict of interest, arises and will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

19. Notices

19.1 Any notice under this MOU may be in written or electronic form and delivered by the most appropriate means determined by the sending Party.

19.2 The Contact Officer for each Party and each Party’s address for the service of notices under this MOU is listed below.

19.3 The Parties may change the Contact Officer and address for the service of notices by letter signed by their respective authorised representative.

19.4 All communication about the operation of this MOU is to be made through the nominated Contact Officer.

| Contact details | The Department | Office of the Australian Information Commissioner |
| --- | --- | --- |
| Contact Name & Position | Kerri Burden, Director, PCEHR Compliance Section | Jacob Suidgeest, Director, Regulation and Strategy |
| Telephone | [contact details removed] | [contact details removed] |
| Facsimile | [contact details removed] | [contact details removed] |
| Email Address | [contact details removed] | [contact details removed] |
| Postal Address | MDP 1003, GPO Box 9848, CANBERRA ACT 2601 | GPO Box 5218, Sydney NSW 2001 |
| Street Address | Sirius Building, Furzer Street, Woden ACT 2606 | Level 3, 175 Pitt Street, Sydney NSW 2001 |

20. Amendments

20.1 The Parties may amend or vary this MOU at any time by agreement in writing signed by their respective authorised representative.

20.2 The Parties may amend or vary a Schedule at any time by substituting the Schedule in its entirety with the amended or varied Schedule as agreed by the Parties in writing.

20.3 An amendment or variation to this MOU takes effect on the date it is signed by the Parties or on a date agreed by the Parties in writing.

21. Future MOU arrangements

21.1 The Parties note that a bill is before parliament to disband the OAIC at a date yet to be determined. If the OAIC is disbanded, Activities under this MOU will be performed by a new Office of the Privacy Commissioner or similar body. The Parties will liaise and agree on any amendments required to this MOU to reflect the changed arrangements.

The Parties note that subject to passage of the relevant legislation during the term of this MoU, the PCEHR Act will be renamed to My Health Records Act 2012. Some other changes such as the establishment of the Australian Commission on eHealth are also likely to occur during the term of this MoU. The Parties will liaise and agree on any amendments required to this MoU to reflect the changed arrangements.

Attachment A — Schedule 1 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the Personally Controlled Electronic Health Records Act 2012 (“PCEHR Act”)

This Schedule 1 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the Personally Controlled Electronic Health Record (PCEHR) system (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties and taking effect on execution (MOU). This Schedule (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule, the terms and conditions of the MOU will apply.

OAIC Regulatory Privacy Oversight Functions for the Personally Controlled Electronic Health Record (PCEHR) system (Activity)

S1 Commencement and completion dates

S1.1 The Activity will commence on the date of execution and end on 30 June 2016.

S2 Activity goal and objectives

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the privacy and management of personal and health information in relation to the personally controlled electronic health record (PCEHR) system. It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with the PCEHR system.

S3 Description

S3.1 In relation to the PCEHR System the OAIC will:

  1. Respond to complaints received relating to the privacy aspects of the PCEHR system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint;

  2. Investigate on the Commissioner’s own initiative where appropriate, acts and practices that may be a contravention of the PCEHR Act in connection with health information contained in a consumer’s PCEHR or a provision of Part 4 or 5 of the PCEHR Act by Commonwealth agencies, private sector organisations, individuals or state and territory public authorities (where applicable);

  3. Receive data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements;

  4. Investigate failures to notify data breaches (where empowered to do so);

  5. Exercise as the Commissioner considers appropriate a range of enforcement powers available in relation to contraventions of the PCEHR Act or contraventions of the Privacy Act relating to the PCEHR system including:

    1. the power to make a determination;

    2. the power to accept an enforceable undertaking and, if the Commissioner considers that a person has breached an undertaking, apply to a Court for an order directing the person to comply with the undertaking or any other order that the Court considers appropriate;

    3. the power to seek an injunction to prohibit or require particular conduct; and

    4. the power to seek civil penalties;

  6. Conduct up to two assessments during the period covered by this MOU. These will be subject to a work plan developed by the OAIC in consultation with Health and will be from the following targets:

    1. the PCEHR System Operator; and

    2. agencies and organisations participating in the PCEHR system;

  7. Respond to enquiries and requests for advice on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system;

  8. Prepare and/or update written guidance materials for individuals and participants in the PCEHR system on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system. These will include individuals and participants who will be covered under the two opt-out trial sites and the wider community where opt-in arrangements will continue to apply;

  9. Update guidance for exercising the powers conferred on the Information Commissioner by the PCEHR Act as required;

  10. Liaise and coordinate on privacy related PCEHR activities with the System Operator and other key agencies (Health, NeHTA and DHS-Medicare);

  11. Liaise and coordinate on privacy related PCEHR activities with state and territory regulators;

  12. Prepare PCEHR-related briefing material, speeches, articles and media comment on privacy matters;

  13. Comment on draft legislation that may interact with the PCEHR Act (where appropriate);

  14. Participate in consultations and comment on eHealth developments that relate to the PCEHR system;

  15. Update internal reference materials and provide staff training as necessary; and

  16. Monitor developments in eHealth and the PCEHR system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR system and the broader eHealth context.

S3.2 The risks associated with this Activity are outlined in the Risk Management matrix at Attachment C.

S3.3 The OAIC will provide the Department with bi-annual reports in an agreed format within 10 working days of each period’s end. The Parties will meet within 30 days of each bi-annual report being provided or as otherwise agreed.

S3.4 As required in s106 of the PCEHR Act, the Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Commissioner’s activities during the financial year relating to the PCEHR system. The report must include:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the PCEHR system;
    2. investigations undertaken by the Commissioner in relation to PCEHRs or the PCEHR system;
    3. enforceable undertakings accepted by the Commissioner under this Act; and
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  2. any other matter prescribed by the regulations.

S3.5 The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

S3.6 The OAIC will provide the Department with an Annual Financial Acquittal.

S3.7 The Department and the OAIC will follow the agreed framework in the Agreement when dealing with privacy complaints relating to the PCEHR system, and ensure that complainants are fully informed of the avenues available to resolve a privacy matter.

S4 Financial arrangements

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Department in respect of the Activity is $1,783,000 (GST exempt). The Department will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Department will pay the OAIC the sums in accordance with the budget and timetable set out below. If, at the conclusion of the Activity, any part of the Grand Total in the following table has not been spent by the OAIC, the Department and the OAIC will decide jointly whether some or all of that unexpired sum is to be refunded to the Department or to be carried over into a successive MOU in respect of jointly agreed additional activities.

| Milestone | Due Date | Payment Amount |
| --- | --- | --- |
| End of Q1 of 2015/16 | 30 September 2015 | $398,000 |
| First bi-annual report for the period 1 July 2015 to 31 December 2015 | 31 December 2015 | $398,000 |
| End of Q3 of 2015/16 | 31 March 2016 | $398,000 |
| Second bi-annual report for the period 1 January 2016 to 30 June 2016 | 30 June 2016 | $589,000 |
| Grand Total | | $1,783,000 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

Ms Kerri Burden
Director PCEHR Compliance
[contact details removed]
MDP 1003
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.

Attachment B — Schedule 2 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the Personally Controlled Electronic Health Records Act 2012 (“PCEHR Act”)

This Schedule 2 sets out the shared goals of the Parties in relation to the OAIC privacy oversight functions for the Healthcare Identifiers (HI) Service (Activity) which will be implemented under the Memorandum of Understanding signed by the Parties and taking effect on execution (MOU). This Schedule (including any Attachments) itemises the scope of the Activity, contributions of each Party to the Activity and sets out the accountability obligations of each Party, including the means for monitoring and evaluation. Unless otherwise stated in this Schedule, the terms and conditions of the MOU will apply.

OAIC Regulatory Privacy Oversight Functions for the Healthcare Identifiers (HI) Service (Activity)

S1 Commencement and completion dates

S1.1 The Activity will commence on the date of execution and end on 30 June 2015.

S2 Activity goal and objectives

S2.1 The Office of the Australian Information Commissioner will deliver an independent regulatory service in relation to the Healthcare Identifiers Service (HI service). It will ensure privacy issues are addressed and are in line with national privacy requirements in relation to private and sensitive health information associated with healthcare identifiers.

S3 Description

S3.1 In relation to the HI service the OAIC will:

  1. Respond to complaints received relating to the privacy aspects of the HI service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint;

  2. Investigate on the Commissioner’s own initiative where appropriate, acts and practices that may be a misuse of HIs by Commonwealth agencies, private sector organisations, individuals and state and territory public bodies (where applicable);

  3. Receive data breach notifications and respond as appropriate;

  4. Conduct one assessment during the period covered by this MOU. This will be subject to a work plan developed by the OAIC in consultation with Health and will be from the following targets:

    1. the HI Service Operator (DHS-Medicare); and

    2. agencies/organisations or State and Territory authorities using healthcare identifiers;

  5. Respond to enquiries and requests for advice on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service;

  6. Prepare and/or update written guidance materials for individuals and participants in the healthcare industry on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service. These will include individuals and participants who will be covered under the two opt-out trial sites and the wider community where opt-in arrangements will continue to apply;

  7. Liaise and coordinate on privacy related HI activities with key agencies (Health, NeHTA and DHS-Medicare);

  8. Liaise and coordinate on privacy related HI activities with state and territory regulators;

  9. Prepare HI-related briefing material, speeches, articles and media comment on privacy matters;

  10. Comment on draft legislation that may interact with the HI Act (where appropriate);

  11. Participate in consultations and comment on eHealth developments that relate to the HI service;

  12. Update internal reference materials and provide staff training as necessary; and

  13. Monitor developments in eHealth and the HI service to ensure the OAIC is aware of the implications of any developments for the HI service and able to offer informed advice about privacy aspects of the operation of the HI Service in the broader eHealth context.

S3.2 The risks associated with this Activity are outlined in the Risk Management matrix at Attachment C.

S3.3 The OAIC will provide the Department with bi-annual reports in an agreed format within 10 working days of each period’s end.

The Parties will meet within 30 days of each bi-annual report being provided or as otherwise agreed.

S3.4 As required in s30 of the HI Act, the OAIC must, as soon as practicable after the end of each financial year, prepare an Annual Report on the Information Commissioner’s compliance and enforcement activities under the HI Act during the financial year. The Information Commissioner must give a copy of the report to the Minister for Health, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.

S3.5 The OAIC will provide the Department with an Annual Financial Acquittal.

S3.6 In relation to the HI Service the Department will discuss with the OAIC the outcomes of the 2013 Review of the HI Act. The Department will not implement any changes to this MOU that are based on these outcomes prior to a discussion with the OAIC.

S4 Financial arrangements

S4.1 The financial arrangements outlined below will apply to the Activity.

S4.2 The maximum amount of funds payable by the Department in respect of the Activity is $700,000 (GST exempt). The Department will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of this amount.

S4.3 The Department will pay the OAIC the sums in accordance with the budget and timetable set out below. If, at the conclusion of the Activity, any part of the Grand Total in the following table has not been spent by the OAIC, the Department and the OAIC will decide jointly whether some or all of that unexpired sum is to be refunded to the Department or to be carried over into a successive MOU in respect of jointly agreed additional activities.

| Milestone | Due Date | Payment Amount |
|---|---|---|
| End of Q1 of 2015/16 | 30 September 2015 | $175,000 |
| First bi-annual report for the period 1 July 2015 to 31 December 2015 | 31 December 2015 | $175,000 |
| End of Q3 of 2015-16 | 31 March 2016 | $175,000 |
| Second bi-annual report for the period 1 January 2016 to 30 June 2016 | 30 June 2016 | $175,000 |
| Grand Total | | $700,000 |

S4.4 All taxes, duties and charges imposed or levied in connection with the performance of this Activity will be borne by the OAIC.

S4.5 Claims for payment of sums due and payable in respect of the Activity will be submitted in a form identifiable with the services and in accordance with clause 12 of the MOU. Claims will be forwarded to:

Ms Kerri Burden
Director PCEHR Compliance
[contact details removed]
MDP 1003
GPO Box 9848
CANBERRA ACT 2601

S4.6 Except as otherwise specified, these amounts are inclusive of all costs, expenses, disbursements, levies and taxes and the actual costs and expenses.


Attachment C — Risk Management Matrix

Risk Management Matrix
Risk | Consequence | Likelihood | Degree of Impact | Party Managing | Management Strategy
Risk: Change of policy direction resulting in discontinuation of PCEHR system
Consequence: Activities under the MOU may be discontinued
Likelihood: Unlikely
Degree of Impact: Severe
Party Managing: Department, OAIC
Management Strategy: Parties discuss and reassess merit of MOU Activities already completed, or underway.

Clause 15.1 Activities may be terminated due to a change in government policy.

Risk: Change in PCEHR participation model following Government response to review of the PCEHR system
Consequence:
  • Activities under the MOU may require adjustment
  • Depending on model, resource level might be insufficient to support necessary regulatory and policy activity
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Parties discuss quantum of funding available under the MOU and negotiate about the priority that is to be given to Activities under the MOU.

Risk: Poor coordination in policy advice and program and service delivery
Consequence: Community confidence in the Activities may be affected
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Risk: Lack of effective communication between OAIC and the Department
Consequence:
  • Knowledgeable staff are not available for the Parties to perform Activities as expected
  • OAIC does not have necessary information to target regulatory activities
  • Parties are unable to complete Activities in required timeframe
  • Activities are not co-ordinated to promote a whole-of-government approach to eHealth
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: To promote co-operation between the OAIC and the Department, regular meetings should be held between the Parties with regard to operational and policy matters.

The Parties should establish procedures to facilitate regular contact between officers of the Parties on routine operational matters, including agreed timeframes for responding to information requests.

In order to ensure effective liaison, the Parties may exchange lists of Contact Officers.

Risk: A dispute arises between the parties about the terms, priorities or outcomes of the MOU
Consequence: Parties are unable to reach agreement about the nature of work to be undertaken or the outcomes of Activities under the MOU
Likelihood: Very Low
Degree of Impact: Major/Severe
Party Managing: Department, OAIC
Management Strategy: If disputes cannot be resolved by negotiation, Parties should assess whether the area of dispute will affect the successful delivery of the Activities, and whether the dispute can be quarantined to ensure the continuation of work under the MOU.

Clause 14 sets out a process for dispute resolution.

Risk: Provision of funding is delayed
Consequence:
  • Resources are not available for the OAIC to perform Activities as expected
  • OAIC has insufficient resources to complete all required Activities
  • OAIC is unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Parties should advise one another in a reasonable time frame if funding is delayed and if Activities cannot be performed as expected.

Clause 12 in the MOU outlines processes in relation to invoicing and payments.

Risk: A conflict of interest arises
Consequence: The OAIC is unable to conduct the Activities in an independent and proper manner
Likelihood: Unlikely
Degree of Impact: Moderate
Party Managing: Department, OAIC
Management Strategy: Parties to have a mechanism to identify any potential conflicts of interest and discuss to ensure the continuation of work under the MOU.

Clause 18.2 Each Party …will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

Risk: Delivery of any activities under the MOU is delayed to accommodate other MOU priorities
Consequence: The outcomes of the Activities are unable to be properly assessed by both Parties
Likelihood: Possible
Degree of Impact: Minor
Party Managing: OAIC
Management Strategy: Parties should negotiate about the priority that is to be given to Activities under the MOU.

Paragraph S3.3 of Schedule 1 and Paragraph S3.3 of Schedule 2 to the MOU require the OAIC to submit bi-annual reports.

Risk: The Department represents the OAIC as endorsing or approving a proposal in connection with the Activity
Consequence: The OAIC’s role as an independent regulator may be undermined
Likelihood: Unlikely
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Clause 7.2 of the MOU prohibits the Department from representing the OAIC as endorsing or approving any proposal in connection with the Activities.

Parties discuss appropriate remediation e.g. public retraction and clarification to ensure the continuation of work under the MOU.

Risk: Factors external to the MOU may arise that impact on the ability of the OAIC to undertake the Activities of the MOU
Consequence:
  • Conflicting priorities between the Parties may occur
  • Actions by external delivery partners negatively impact on OAIC/Health’s ability to perform Activities as expected
Likelihood: Possible
Degree of Impact: Moderate
Party Managing: OAIC
Management Strategy: Parties should negotiate in good faith if a dispute arises in relation to this clause.

Clause 8.3 The OAIC will provide the Department with timely written advice on any proposed changes to the Activity work program.

Risk: Processes for managing complaints are ineffective
Consequence:
  • Overlap and inconsistency between the Parties may occur
  • Individuals are unclear about where to take complaints
  • Community confidence in the eHealth Record System may be affected
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Parties should liaise regularly to reassess and discuss priorities/responsibilities under the MOU and work collaboratively as per the Agreement.

Clause 10.1 The Parties agree that it is essential to ensure that the performance and impact of the specific Activities under this MOU are adequately and effectively monitored and assessed. Each Activity will be monitored and evaluated in accordance with the framework set out in the relevant Schedule unless the Parties agree that it is not required.

Risk: Lack of coordination in compliance processes or readiness
Consequence:
  • Community confidence in the eHealth Record System may be affected
  • Complaints are unable to be handled efficiently and effectively
  • Parties are unable to complete Activities in required timeframe
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Setting objectives, priorities and performance indicators for the Activities is the joint responsibility of the Parties.

Risk: Lack of significant uptake of the system
Consequence:
  • Adverse media coverage
  • Community confidence in the eHealth Record System may be affected.
  • Provision of funding is reviewed
Likelihood: Possible
Degree of Impact: Major
Party Managing: Department, OAIC
Management Strategy: Parties should liaise regularly to reassess and discuss priorities/responsibilities under the MOU and work collaboratively as per the Agreement.

Suggested classifications

| Likelihood | Degree of Impact |
|---|---|
| Almost certain — expected to occur in most circumstances | Severe — would stop achievement of functional goals and objectives |
| Likely — will probably occur in most circumstances | Major — would threaten goals and objectives; requires close management |
| Possible — might occur at some time | Moderate — would necessitate significant adjustment to the overall function |
| Unlikely — could occur at some time | Minor — would threaten an element of the function |
| Very Low — may occur only in exceptional circumstances | Negligible — routine procedures sufficient to deal with the consequences |
