MOU with ADHA

1 July 2020

Commencement date: 1 July 2020

Memorandum of Understanding

Between:

The Office of the Australian Information Commissioner (“the OAIC”)
ABN: 85 249 230 937

and

Australian Digital Health Agency (“the Agency”)
ABN: 84 425 496 912

(each a “Party”)

In relation to

Activities under the Privacy Act 1988 (Cth) (“Privacy Act”), the Healthcare Identifiers Act 2010 (Cth) (“HI Act”) and the My Health Records Act 2012 (Cth) (“My Health Records Act”)

This Memorandum of Understanding sets out operational and funding arrangements between the Parties in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

The Parties agree to carry out their respective obligations in accordance with this Memorandum of Understanding.

Signed on behalf of the Office of the Australian Information Commissioner by:

Angelene Falk
Australian Information Commissioner and Privacy Commissioner
Office of the Australian Information Commissioner

Date: 24 June 2020

Signed on behalf of the Australian Digital Health Agency by:

Bettina McMahon
Interim Chief Executive Officer
Australian Digital Health Agency

Date: 26 June 2020

1. Commencement and term

This Memorandum of Understanding (“MOU”) is effective on and from 1 July 2020 and will continue until 30 June 2021.

2. Purpose

2.1 The purpose of this MOU is to set out the operational and funding arrangements between the OAIC and the Agency, by which the OAIC will provide advice, assistance and an independent regulatory service for the handling and management of personal information and Healthcare Identifiers in relation to and within the My Health Record system and the Healthcare Identifiers service in accordance with the Privacy Act, My Health Records Act and HI Act.

2.2 More specifically, this MOU sets out the amount of Funds that the Agency agrees to pay the OAIC for the period of the MOU in order for the OAIC to carry out the Activities.

2.3 The Parties recognise the OAIC’s role as an independent adviser to the Australian Government, and that the Australian Information Commissioner is an independent regulator appointed under the Australian Information Commissioner Act 2010. The parties agree that this MOU does not impose any obligation on the Australian Information Commissioner or the OAIC to the extent it would be inconsistent with the Australian Information Commissioner’s role as an independent regulator.

2.4 This MOU details how the Parties will work together and itemises obligations and the ways in which financial resources will be utilised.

2.5 The Activities to be implemented under this MOU as at the date of this MOU are set out in Schedule 1 to this MOU.

3. Definitions

The following definitions apply in this MOU:

Activity

means each activity described in Schedule 1 to this MOU, for which Funds are paid by the Agency, or such other activities as the parties may agree in writing.

Agency

means the Australian Digital Health Agency.

Agency Personnel

means personnel either employed by the Agency, or engaged by the Agency on a contract basis, or agents of the Agency engaged in the Activity.

Commonwealth

means the Commonwealth of Australia.

Confidential Information

means information (other than the terms of this Agreement) that:

a) is designated by either Party as confidential; or

b) each Party knows or could reasonably be expected to know is confidential; and

c) would satisfy the confidentiality test in the Department of Finance’s publication “Confidentiality Throughout the Procurement Cycle”,

as agreed by the Parties.

Contact Officer

means the officer who at that time is holding the nominated contact position for a Party to this MOU.

Funds or Funding

means the maximum amount of money payable as fees by the Agency to the OAIC under this MOU to carry out the Activities, as set out in Schedule 1.

HI

means Healthcare Identifiers, as defined in the Healthcare Identifiers Act 2010 (Cth) (HI Act).

HI Act

means Healthcare Identifiers Act 2010 (Cth).

Information Sharing Agreement

means ‘Agreement for information sharing and complaint referral relating to the My Health Record system between the OAIC and the System Operator’ that has been developed to address information sharing and complaint referral matters relating to the My Health Record system.

Intellectual Property

means business names, copyrights, patents, trademarks, service marks, trade names, designs and similar industrial, commercial and intellectual property.

Law

means any applicable statute, regulation, by-law, ordinance or subordinate legislation in force from time to time anywhere in Australia, whether made by a State, Territory, the Commonwealth or a local government, and includes the common law as applicable from time to time.

MOU

means this Memorandum of Understanding, and includes its Schedules.

My Health Record

has the same meaning as in the My Health Records Act.

My Health Records Act

means the My Health Records Act 2012 (Cth).

My Health Record system

has the same meaning as in the My Health Records Act.

OAIC

means the Office of the Australian Information Commissioner established by section 5 of the Australian Information Commissioner Act 2010.

OAIC Personnel

means personnel either employed by the OAIC, or engaged by the OAIC, on a contract basis, or agents of the OAIC, engaged in the Activity.

Party

means the OAIC and/or the Agency as the context requires.

Privacy Act

means the Privacy Act 1988 (Cth).

Schedule

means the schedules to this MOU which set out the Activities the OAIC will undertake under this MOU and the corresponding Funding to be paid by the Agency for the performance of those Activities.

4. Interpretation

4.1 Each Party acknowledges that nothing in this MOU supersedes or overrides the Laws governing their organisation.

4.2 In the event of any inconsistency between the terms and conditions contained in the clauses of the MOU and/or part of the Schedules then the terms and conditions of the clauses shall take precedence to the extent of the inconsistency.

4.3 In this MOU, unless a contrary intention appears:

  1. reference to an attachment is a reference to an attachment to this MOU;
  2. words in the singular include the plural and vice versa;
  3. a reference to the word “including” in any form is not to be construed or interpreted as a word of limitation; and
  4. words imparting a gender include any other gender.

5. The Agency’s responsibilities

5.1 The Agency will pay the OAIC the Funds specified in Schedule 2 in consideration for the OAIC performing the Activities set out in Schedule 1.

5.2 In furtherance of the Activity objectives, the Agency will:

  a) provide appropriately qualified and experienced Agency Personnel in order to perform its obligations under this MOU; and
  b) undertake all reasonable endeavours to provide assistance and information to the OAIC where this is requested and is necessary to enable the OAIC to perform the Activities.

5.3 The Agency will not represent the OAIC as endorsing or approving any proposal in connection with the Activities, unless the OAIC has specifically done so in writing.

5.4 The Agency will consult with the OAIC prior to releasing any public document or press release in connection with the Activities which attributes a regulatory or policy position to the OAIC.

6. Office of the Australian Information Commissioner’s responsibilities

6.1 The OAIC will perform the Activities set out in Schedule 1. The ability of the OAIC to perform these Activities in a timely manner may depend on the Agency’s compliance with clause 5.2(b) of this MOU.

6.2 The OAIC will provide the Agency with timely written advice on any proposed changes to the Activity work program.

6.3 The OAIC will provide appropriately qualified and experienced OAIC Personnel in order to perform its obligations under this MOU.

7. Joint responsibilities

7.1 The Parties have an obligation to assist each other in meeting their accountability obligations, including:

  1. appearances before Parliamentary and Cabinet Committees;
  2. relevant discussions and negotiations with other portfolios; and
  3. providing assistance necessary to respond to Parliamentary and Ministerial correspondence.

7.2 Each Party will co-operate in advancing best practice in relation to the Activities, noting the OAIC’s ultimate responsibility to account to the Agency on the conduct of the Activities.

7.3 The Parties acknowledge their obligations under the My Health Records Act and the HI Act to prepare annual reports each financial year on the relevant activities during the financial year, so far as they relate to these Acts.

7.4 The Parties will alert each other to matters relating to this MOU that have attracted or are likely to attract media attention.

8. Financial arrangements and payments

8.1 Financial Arrangements

The Agency agrees to provide Funding to the OAIC for the Activities set out in Schedule 1 and in accordance with Schedule 2. The Funding represents all costs, expenses, disbursements, any applicable taxes and levies, and the actual costs and disbursements. The Agency will not be liable for any amount, costs or expenditure incurred by the OAIC in excess of the Funding. All taxes, duties and charges imposed or levied in connection with the performance of every Activity will be borne by the OAIC.

8.2 Payments and Invoices

  1. The Agency will make payment of the Funds specified in Schedule 2 within 30 days of receipt of a correctly rendered invoice from the OAIC.
  2. A “correctly rendered invoice” is an invoice that:
    1. relates only to performance of an Activity and is payable in accordance with Schedule 2;
    2. claims the amount of Funds properly payable and calculated in accordance with this MOU;
    3. is addressed to the Agency’s Contact Officer; and
    4. is a valid tax invoice in accordance with the GST Act.
  3. The OAIC will provide the Agency with an adjustment note if required by the GST Act, including where the OAIC repays the Agency some or all of the Funds.
  4. A payment of some or all of the Funds by the Agency to the OAIC is not evidence that the obligations under this MOU are accepted, evidence of the value of the obligations performed by the OAIC or an admission of liability, but is payment on account only.
  5. To the extent that the OAIC cannot or does not perform an Activity or cannot or does not satisfactorily perform an Activity, the OAIC will, to the extent that the incomplete or unsatisfactory performance of an Activity is not permitted by the operation of clause 11 and is not due to the Agency’s failure to fulfil its obligations under this MOU, repay to the Agency a proportion of the Funds that:
    1. represents a reduction in the Funds to reflect the provision of a lower level of service or a smaller scope of Activity than is required under this MOU;
    2. is an appropriate protection of the Agency's legitimate interests in relation to the performance of this MOU; and
    3. does not exceed the total amount of the Funds payable to the OAIC under this MOU.
  6. If an invoice is rendered incorrectly, any underpayment or overpayment will be recoverable by or from the Agency and may be offset against or added to amounts subsequently due from the Agency.
  7. For the purposes of this clause, “GST Act” means A New Tax System (Goods and Services Tax) Act 1999 and any applicable rulings of the Australian Taxation Office.

8.3 Accounts, Records and Access

Each Party will provide the other with sufficient information to enable the other to resolve queries, complete internal audit processes and comply with regulatory requirements and procedures, including, without limitation, those imposed by the Public Governance, Performance and Accountability Act 2013 (Cth) and the Australian National Audit Office.

9. Intellectual property

9.1 The title to and ownership of all Intellectual Property in all material arising out of the Activities will vest in the Commonwealth. The OAIC grants to the Agency a fee free, non-exclusive, perpetual, irrevocable, world-wide licence to use the Intellectual Property, in all material arising out of the Activities, for and in relation to the Agency’s functions and powers.

10. Dispute resolution

10.1 Where any dispute arises between Parties under this MOU the Parties will take all necessary steps to resolve the dispute by negotiation in good faith. Wherever possible disputes should be resolved at the lowest level through direct negotiations bearing in mind whole of government principles.

11. Termination

11.1 Activities may be terminated due to a change in government policy.

11.2 Either Party may terminate this MOU by providing six months written notice to the other Party.

11.3 Where either Party is prevented from performing its obligations in the Schedules by circumstances or events reasonably beyond its control, it will promptly notify the other Party and take all reasonable steps to mitigate the impact (financial or otherwise) on the Activities. The Parties will discuss the circumstances or events and may agree that further implementation of Activities (or an Activity) should be terminated.

11.4 Upon termination under this clause 11, the Parties will discuss in good faith the financial and other arrangements applicable to the termination.

11.5 Where the Parties cannot reach agreement in relation to the applicable financial arrangements upon termination under clause 11, the Parties will take steps to resolve the matter in accordance with clause 10.

12. Information sharing

12.1 The Parties agree to work together to share information relating to their respective roles and obligations under this MOU, subject to the Information Sharing Agreement, and the requirements of any relevant Law.

13. Confidentiality

13.1 For public transparency and accountability purposes, the terms of the MOU are not confidential.

13.2 If it is necessary to deal with Confidential Information, the Parties will have regard to any applicable Law.

13.3 Neither Party will, without the prior written approval of the other Party, make public or disclose to any other person any Confidential Information. In granting its written approval, a Party may impose such terms and conditions as it deems appropriate.

13.4 Clause 13.2 does not apply to the extent that Confidential Information:

  1. is disclosed by a Party to its personnel, solely to enable effective management of this MOU and the provision of privacy-related services under the Privacy Act, the My Health Records Act and the HI Act;
  2. is disclosed by a Party to a responsible Minister;
  3. is disclosed by a Party in response to a request by a House or a Committee of Parliament; or
  4. is authorised or required by Law to be disclosed.

14. Sub-contracting

14.1 The OAIC must make available to the Agency the details of any subcontractors engaged to provide the Activities under this MOU.

15. Work plan and meetings

15.1 The Parties will formally meet biannually either through teleconferencing, video conferencing or face-to-face meetings to discuss:

  1. the Parties’ progress against a work plan for the purposes of undertaking the Activities in Schedule 1; and
  2. any other engagement between the Agency and the OAIC in relation to the Activities during that six months.

15.2 The Parties may informally arrange additional meetings to discuss issues as they arise.

16. Amendments

16.1 The Parties may amend or vary this MOU at any time by agreement in writing signed by their respective authorised representative.

16.2 The Parties may amend or vary a Schedule at any time by substituting the relevant Schedule in its entirety with the amended or varied Schedule as agreed by the Parties in writing.

16.3 An amendment or variation to this MOU takes effect on the date it is signed by the Parties or on a date agreed by the Parties in writing.

17. Conflict of interest

17.1 The Parties acknowledge that it is imperative that the OAIC is able to conduct the Activities in an independent and proper manner.

17.2 Each Party confirms that no conflict of interest exists or is likely to arise in relation to the performance of its obligations under this MOU. Each Party will use its best endeavours to ensure that no such conflict of interest, or perceived conflict of interest, arises and will notify the other Party promptly in the event that a potential or actual conflict of interest arising out of performance under this MOU occurs. In such circumstances the Parties will discuss and agree to the taking of such actions as may be necessary to ensure that the conflict of interest is resolved or avoided.

18. Notices

18.1 Any notice under this MOU may be in written or electronic form and delivered by the most appropriate means determined by the sending Party.

18.2 The Contact Officer for each Party and each Party’s address for the service of notices under this MOU is listed below.

18.3 The Parties may change the Contact Officer and address for the service of notices by letter signed by their respective authorised representative.

18.4 All communication about the operation of this MOU is to be made through the nominated Contact Officer.

Australian Digital Health Agency

Contact Position:

Chief Digital Officer

Email Address: [Contact details removed]

Street Address:

Level 25
175 Liverpool St
Sydney NSW 2000

Office of the Australian Information Commissioner:

Contact Position:

Assistant Commissioner, Regulation and Strategy

Email Address:

[Contact details removed]

Postal Address:

GPO Box 5218
Sydney NSW 2001

Street Address:

Level 3
175 Pitt Street
Sydney NSW 2000

Schedule 1 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the My Health Records Act 2012 (“My Health Records Act”)

This Schedule 1 sets out the Activities the OAIC will perform in relation to providing advice, assistance and independent regulatory oversight functions for the My Health Record system and the Healthcare Identifiers service (HI service), which will be implemented under this Memorandum of Understanding.

1. Complaints, Investigation and Notifications

The Office of the Australian Information Commissioner will perform regulatory activities in relation to the My Health Record system and the HI Service, such as:

  • responding to complaints received relating to the privacy aspects of the My Health Record system and the HI service as the Information Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint;
  • investigating, on the Information Commissioner’s own initiative where appropriate, acts and practices that may be a misuse of Healthcare Identifiers, or a contravention of the My Health Records Act in connection with health information contained in a consumer’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act by Commonwealth agencies, private sector organisations, individuals or state and territory public authorities (where applicable);
  • receiving data breach notifications relating to the My Health Record system and the HI service and assisting affected entities to deal with data breaches in accordance with the My Health Record legislative requirements;
  • investigating failures to notify My Health Record system data breaches (where empowered to do so);
  • exercising, as the Information Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system including:
    1. the power to make a determination;
    2. the power to accept an enforceable undertaking and, if the Information Commissioner considers that a person has breached an undertaking, apply to a Court for an order directing the person to comply with the undertaking or any other order that the Court considers appropriate;
    3. the power to seek an injunction to prohibit or require particular conduct; and
    4. the power to seek civil penalties.

Where appropriate, the OAIC will liaise and coordinate on privacy related HI and My Health Record activities with key agencies, including state and territory regulators to support these activities.

2. Assessments

The OAIC will conduct a minimum of two assessments during the period covered by this MOU in relation to the My Health Record system and the HI service. These will be subject to a work plan developed by the OAIC in consultation with the Agency.

Where appropriate to support these activities, the OAIC will liaise and coordinate on privacy related HI and My Health Record activities with key agencies, including state and territory regulators.

3. Provision of Guidance and Advice

The OAIC will provide guidance and advice to support the implementation and use of the My Health Record system and HI service through activities such as:

  • responding to enquiries and requests for advice on the appropriate handling of Healthcare Identifiers and My Health Record information and other privacy compliance obligations in relation to the HI service and the My Health Record system.
  • participating in consultations and commenting on digital health developments that relate to the HI service and My Health Record system, including commenting on draft legislation that may interact with the HI Act and the My Health Records Act.
  • development of written guidance materials for individuals and participants in the healthcare industry and the My Health Record system on the appropriate handling of HIs and My Health Record information and other privacy compliance obligations in relation to the HI service and the My Health Record system.
  • written briefing materials, speeches and media content

To support the provision of advice, the OAIC will monitor developments in digital health, the HI service and the My Health Record system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the HI service and My Health Record system and the broader digital health context.

Where appropriate to support these activities, the OAIC will liaise and coordinate on privacy related HI and My Health Record activities with key agencies, including state and territory regulators.

Schedule 2 to the Memorandum of Understanding

In Relation to Activities under the Privacy Act 1988 (“Privacy Act”), the Healthcare Identifiers Act 2010 (“HI Act”) and the My Health Records Act 2012 (“My Health Records Act”)

Financial arrangements

S1 This Schedule 2 sets out the Funds payable under this MOU that must be applied to the OAIC’s performance of the Activities.

S2 The Agency will pay the OAIC the Funds in accordance with correctly rendered invoices issued by the OAIC as outlined in the timetable set out below.

| Milestone | Due Date | Payment Amount (exclusive of GST) |
|---|---|---|
| Execution | On Execution of this MOU | $690,000 |
| Schedule 1 activities up until 31 March 2021. | 31 October 2020 | $690,000 |
| Schedule 1 activities up until 30 June 2021. | 31 March 2021 | $690,000 |

S3 The execution payment listed in S2 recognises the cost to the OAIC of retaining and attracting the staff and resources required to deliver the Activities and to undertake planning activities prior to commencement.