1. Background

1.1 The Personally Controlled Electronic Health (eHealth) Record System, as part of Australia’s national eHealth strategy, aims to facilitate the secure sharing of health information between a consumer’s healthcare providers, while enabling the consumer to control who can access their eHealth record. The Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) establishes a privacy regime specific to the eHealth record system which generally operates concurrently with Commonwealth, state and territory privacy laws.

1.2 Section 15(j) of the PCEHR Act requires the System Operator to establish a complaints handling mechanism for the eHealth record system. The explanatory memorandum further explains that the complaint handling mechanism will ‘provide national arrangements for consumers and participants to make complaints relating to the eHealth record system, although consumers will still have the ability to lodge complaints with other appropriate bodies such as national or state privacy or health information regulators’.

1.3 The Office of the Australian Information Commissioner (OAIC) has an important role to play in receiving, investigating and resolving privacy complaints about possible contraventions of the PCEHR Act. The PCEHR Act confers on the Information Commissioner investigative and enforcement powers to carry out this role.

1.4 The OAIC agreed under the 2011/2012 Memorandum of Understanding (MOU) with the Department of Health (Health) to liaise with Health and its delivery partners to develop effective and consistent complaint handling and enquiry referral processes and communications. Under that MOU, a workflow and guiding principles for the complaint handling scheme were agreed. The workflow and principles were then included as an attachment to the 2012/2014 MOU between the OAIC and Health. The workflow outlines the high level processes for referring eHealth record system complaints between the OAIC, the System Operator and state and territory regulators. (See Attachment B to this agreement for a copy of the workflow and principles.)

1.5 While the workflow provides a useful overview, more detailed processes for complaint handling and information sharing between the OAIC and the System Operator are required to ensure that the complaint handling scheme is effective and as seamless as possible. This agreement aims to set out those processes.

1.6 Ensuring that an effective privacy complaint handling system is established is an important element in obtaining and maintaining public confidence in the eHealth record system. An effective agreement between the OAIC and the System Operator has the potential to resolve systemic issues and mitigate the impact of such issues, to provide expedient and appropriate remedies to consumers who have experienced an interference with their privacy and to encourage participant compliance with the regulatory framework.

2. Purpose of this agreement

2.1 The purpose of this agreement is to establish a strategic relationship to deliver mutually agreed outcomes. Generally, this agreement is intended to promote liaison, cooperation, assistance and the exchange of information, to the extent permitted by legislation, between the OAIC and the System Operator so that complainants can have their concerns dealt with effectively and efficiently.

2.2 Specifically, the aims of this agreement are to:

  1. reflect that cooperation between the OAIC and the System Operator is desirable to discharge their respective functions in relation to the eHealth record system and maximise the effectiveness of their powers
  2. establish steps so that the activities of the OAIC and the System Operator are not duplicated unnecessarily and are complementary
  3. where the OAIC and the System Operator are required to consider the same issues or facts, set out high level protocols and allow for sharing that information
  4. set out how the OAIC and the System Operator will assist and support each other in relation to eHealth complaint activities.

2.3 Nothing in this agreement is intended to:

  1. create binding obligations, or affect existing obligations under Commonwealth, state or territory law
  2. create obligations or expectations of cooperation that would exceed a party’s scope of authority and jurisdiction.

3. Definitions

3.1 In this Agreement the following definitions apply:

‘agreement’ means this document, Agreement for Information Sharing and Complaint Referral Relating to the Personally Controlled Electronic Health (eHealth) Record System.

‘authorised representative’ has the meaning given in s 6 of the PCEHR Act.

‘complaint’

  1. for the OAIC — means a complaint that meets the requirements of s 36 of the Privacy Act 1988 (Cth), and
  2. for the System Operator — means an expression of dissatisfaction about the eHealth record system made by an individual (including an individual on behalf of an entity) to the System Operator.

‘consumer’ means an individual who has received, receives or may receive healthcare.

‘eHealth record’ means a personally controlled electronic health record, as defined in s 5 of the PCEHR Act.

‘entity’ has the meaning given in s 5 of the PCEHR Act which is:

  1. a person; or
  2. a partnership; or
  3. any other unincorporated association or body; or
  4. a trust; or
  5. a part of an entity (under a previous application of this definition).

‘Health’ means the Department of Health.

‘health information’ has the meaning given in s 5 of the PCEHR Act.

‘individual’ means a natural person.

‘nominated representative’ has the meaning given in s 7 of the PCEHR Act.

‘OAIC’ means the Office of the Australian Information Commissioner.

‘organisation’ has the meaning given in s 6C of the Privacy Act.

‘participant’ in the PCEHR has the meaning given in s 5 of the PCEHR Act which is:

  1. the System Operator;
  2. a registered healthcare provider organisation;
  3. the operator of the National Repositories Service;
  4. a registered repository operator;
  5. a registered portal operator; or
  6. a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.

‘party’ means one of the parties to this agreement.

‘PCEHR Act’ means the Personally Controlled Electronic Health Records Act 2012 (Cth).

‘personal information’ has the meaning given in s 6 of the Privacy Act.

‘Privacy Act’ means the Privacy Act 1988 (Cth).

‘state and territory regulator’ means a state or territory health and/or privacy regulator.

‘System Operator’ means the eHealth Record System Operator established by s 14 of the PCEHR Act. Currently the System Operator is the Secretary of the Department of Health.

4. Role of the Office of the Australian Information Commissioner

4.1 The OAIC is the independent regulator of privacy aspects of the eHealth record system. This involves regulating the handling of health information included in a consumer’s eHealth record by individuals, Australian government agencies, private sector organisations and some state and territory agencies (in particular circumstances).

4.2 A contravention of the PCEHR Act (in connection with health information included in a consumer’s PCEHR) or a provision of Part 4 or 5 of the PCEHR Act is an interference with privacy for the purposes of the Privacy Act. The Information Commissioner has the power to investigate these contraventions under the Privacy Act. The Privacy Act sets out investigative powers and procedures and the power to make formal determinations, and provides for complaint conciliation (see Part V).

4.3 The Information Commissioner also has an investigatory power under s 73(4) of the PCEHR Act to do all things necessary or convenient to investigate an alleged contravention of the PCEHR Act in relation to the PCEHR system, either in connection with health information in a consumer’s PCEHR or as a result of a breach of a civil penalty provision. Under the PCEHR Act, the Information Commissioner may also attempt by conciliation to effect a settlement of the matters that gave rise to the investigation, where appropriate.

4.4 Under s 75 of the PCEHR Act, the Information Commissioner has the role of receiving data breach notifications under the PCEHR Act. Where an entity has not reported a suspected notifiable data breach, the Information Commissioner may investigate that failure to notify. The Information Commissioner may also investigate the circumstances of the data breach under either Part V of the Privacy Act or s 73(4) of the PCEHR Act.

4.5 The PCEHR Act confers on the Information Commissioner a range of enforcement powers, which may be used following investigation under either the Privacy Act or PCEHR Act, including:

  • the power to seek a civil penalty from the courts
  • the power to seek an injunction to prohibit or require particular conduct
  • the power to accept enforceable undertakings (see the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 at www.oaic.gov.au).

5. Role of the System Operator

5.1 The System Operator is responsible for establishing and running the eHealth record system, and has specific functions, including in relation to registration of consumers and participants, maintaining the National Repositories Service, system access controls, an index service and audit trail service. These functions are set out in s 15 of the PCEHR Act.

5.2 In particular, s 15(j) of the PCEHR Act requires the System Operator to establish a mechanism for handling complaints about the operation of the eHealth record system.

5.3 The System Operator must also accept data breach notifications under s 75(2) of the PCEHR Act, investigate those incidents if necessary and notify the affected individuals and the OAIC of the breach (ss 75(3) and (4)(c)).

5.4 The System Operator also has some compliance powers, for example, the power to cancel, suspend or vary an entity or consumer’s PCEHR system registration (s 51). Under ss 94 to 96 of the PCEHR Act, the System Operator may also accept undertakings, and apply to a court to enforce such undertakings (ss 94, 95) or for an injunction to restrain or compel certain behaviour in relation to the PCEHR system.

6. Guiding principles for the agreement

6.1 The terms of this agreement are underpinned by the following guiding principles. The System Operator and the OAIC will:

  1. work towards ensuring that the complaints resolution process is as seamless as possible for individuals. That is, consumers should not be ‘bounced around’ between regulators unnecessarily and a consistent approach and message should be adopted
  2. aim to work cooperatively and remove the barriers to effective complaint handling to address complex eHealth complaints and to ensure that systemic problems are identified
  3. undertake to give consistent, clear and accurate advice to the public on how to complain about eHealth issues, including by promoting the eHealth Helpline (operated by DHS-Medicare) as the primary initial point of contact for complaints (many complaints will be dealt with promptly at this initial contact point, especially if the complaint is in the nature of a request for information or clarification)
  4. take steps to seek consent and ensure that consumers will be made aware if personal information is shared or transferred between parties in the course of dealing with their eHealth complaint
  5. commit to attending regular liaison meetings to discuss complaint issues and trends, determine their own jurisdiction and clearly communicate this through this agreement and as part of consultations regarding eHealth complaints.

7. Complaint handling and enquiries

7.1 General approach to complaints

7.1.1 Generally complaints from consumers and other participants will be directed to the System Operator in the first instance via the eHealth Helpline (1800 723 471). This does not preclude complaints being made directly to the OAIC or a state or territory regulator. However, in general the OAIC will not investigate a complaint if the consumer has not first complained to the respondent to the complaint or the System Operator (as applicable).

7.1.2 The System Operator has responsibility for responding to enquiries and resolving complaints it receives. Complaints that fall outside the jurisdiction of the OAIC (and cannot be referred to a state or territory regulator) will also be dealt with by the System Operator, for example, complaints about technical system issues such as operational issues, functionality and specifications, some aspects of registration and participation agreements.

7.1.3 Where complaints cannot be resolved by the System Operator, they may be referred to the OAIC as appropriate and where the OAIC has jurisdiction.

7.1.4 The OAIC complaint investigation will generally be handled in line with the OAIC’s existing complaint handling process detailed in the OAIC’s ‘Privacy complaints practice and procedure manual’ and the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013, which are available on the OAIC’s website. Attachment A (eHealth enquiry and complaint referrals: the OAIC’s approach) provides detail on how the OAIC will deal with eHealth enquiries and complaints, and when the OAIC will contact the System Operator for input or resolution.

7.2 Requests for information by the OAIC

7.2.1 The Privacy Act empowers the OAIC to make preliminary enquiries to ascertain whether a complaint is within jurisdiction or whether the Commissioner should exercise discretion not to investigate the complaint. In addition, once the OAIC has commenced an investigation, the Privacy Act empowers the OAIC to obtain information and make enquiries to assist with that investigation.

7.2.2 The OAIC may contact the System Operator to request information in response to a complainant’s allegations against a respondent.

7.2.3 During preliminary enquiries or as part of an investigation, the OAIC may need to seek information from the System Operator including:

  1. relevant details from a consumer’s audit trail
  2. confirmation that a participant is/was registered and the type of registration
  3. details regarding a participant’s interaction with the PCEHR system
  4. confirmation or evidence that an individual is/was a consumer, nominated representative or authorised representative for the purposes of the PCEHR Act
  5. information relating to access settings at relevant points in time
  6. any information relevant to the acts and practices complained about.

7.2.4 The System Operator will support the OAIC’s requests for information by endeavouring to provide the requested information, in a timely manner.

7.3 Referring a complaint or enquiry

7.3.1 If either the OAIC or the System Operator receives a complaint or enquiry, whether directly or by referral, that it considers could be more effectively or appropriately dealt with by the other party, it will consult the other party with a view to referring the complaint or enquiry. Preferably, consent from the individual should be obtained prior to disclosing personal information to the other party (also see clause 9.1.4).

7.3.2 If either the OAIC or the System Operator is referring a complaint or enquiry, it will obtain the consent of the complainant prior to referring the complaint or enquiry, and subject to clause 9.1.4.

7.3.3 If either the OAIC or the System Operator receives a complaint that covers issues under the responsibilities of both parties, the parties will consult and agree upon the most appropriate approach to handle the complaint. This may include:

  1. identifying the issues relevant to each party and, if practicable, separating the relevant parts of the complaint to allow each party to investigate the matters under their area of responsibility
  2. consulting with the other party and the complainant to provide advice to the complainant on which is the more appropriate party to handle the complaint
  3. considering whether to suspend investigating one part of the complaint until the other party has concluded their investigation.

7.3.4 As appropriate, the OAIC and the System Operator may consult each other in relation to matters where the other party has a specific expertise or qualification that is relevant to an investigation.

7.3.5 If either the OAIC or the System Operator becomes aware during an investigation that the other party is also considering a complaint about the same matter, then the first party will advise the designated contact officer, subject to clause 9.1.4.

7.4 Complaints received by the OAIC about the System Operator

7.4.1 Where the OAIC receives a complaint about the System Operator, the OAIC may decline the complaint if the complainant did not complain to the System Operator before making the complaint to the Commissioner.

7.4.2 In such cases, the OAIC will refer the complaint to the System Operator where the complainant consents to the referral.

7.4.3 Where the complainant does not consent or consent cannot be obtained, the OAIC will advise the complainant to complain directly to the System Operator and allow at least 30 days for the System Operator to deal with the matter.

7.4.4 If the complainant is not satisfied with the System Operator’s response, they can return to the OAIC.

7.4.5 Where the OAIC is investigating a complaint against the System Operator or conducting preliminary enquiries into a complaint against the System Operator, the OAIC may seek information from the System Operator in response to the allegations, including the information outlined under the above heading ‘Requests for information by the OAIC’.

8. Policy advice

8.1.1 The System Operator may seek policy advice about privacy from the OAIC relating to complaints it receives about the eHealth record system.

8.1.2 Such requests must be directed to the OAIC’s eHealth contact officer listed in clause 19 of the MOU, or as otherwise advised from time to time.

8.1.3 The advice provided by the OAIC will be general policy advice from the OAIC’s eHealth policy team, and will not be in the form of legal advice or deal with specific facts or personal information. The advice would not fetter the Information Commissioner’s discretion should a complaint be made to the OAIC.

9. Information sharing

9.1 Guiding principles

9.1.1 The parties will each, subject to any restrictions imposed by law and clause 9.1.4, share information that they believe would be of assistance to the other in undertaking their respective responsibilities under the PCEHR Act.

9.1.2 The OAIC may, under s 73A of the PCEHR Act, disclose to the System Operator any information or documents that relate to an investigation the OAIC conducts if it is satisfied that to do so will enable the System Operator to monitor or improve the operation or security of the eHealth record system.

9.1.3 The OAIC and the System Operator recognise that each party may from time to time request the other to provide information relevant to the exercise of its functions and powers under the PCEHR Act. If such a request is made, the party receiving the request will endeavour to provide the information in a timely manner, subject to any relevant legal and operational considerations and any conditions or caveats that the providing party might place upon the use or disclosure of the information, such as claims of legal professional privilege.

9.1.4 Consent from the individual should be obtained prior to disclosing personal information to the other party, unless the disclosure is otherwise permitted under the Privacy Act.

9.2 Data breach notifications

9.2.1 The OAIC has the role of receiving data breach notifications under the PCEHR Act from the System Operator, registered repository operators (RROs) and registered portal operators (RPOs). The OAIC may also provide advice to these entities to assist them in meeting their data breach notification obligations under the PCEHR Act. In the event of a breach or suspected breach, the OAIC may investigate the contravention, event or circumstances associated with the breach and/or the entity’s compliance with the data breach notification provisions under s 75 of the PCEHR Act. The OAIC may take enforcement action where the circumstances warrant it.

9.2.2 The System Operator also has the role of receiving notifications of data breaches from RROs and RPOs. The System Operator will liaise with the OAIC and may investigate, take corrective actions and help the RRO or RPO to mitigate any loss or damage that may result from the breach. Where the System Operator is aware of the data breach, the System Operator is required to notify affected individuals and, where a significant number of people are affected, the general public. If an RRO or RPO fails to report a notifiable data breach to the System Operator and the OAIC as required under s 75(2) of the PCEHR Act (such failure can be subject to a civil penalty), the System Operator can take any action which it deems appropriate in the circumstances, including cancelling, suspending or varying the registration of an RRO or RPO or accepting an undertaking.

9.2.3 If the OAIC receives a data breach notification from a state or territory authority or instrumentality, the OAIC will advise the entity to contact the System Operator and the OAIC will consult the System Operator to ensure the notification was received. If either party receives a data breach notification from an entity other than a state or territory authority or instrumentality and has reason to believe that the entity has not notified the other party as required under s 75, the receiving party will direct the entity to notify the other party and will consult with the other party to confirm the notification was received.

9.2.4 The OAIC and the System Operator may consult each other when carrying out their respective roles in relation to data breach notifications, as appropriate.

9.2.5 Both parties will inform each other of the data breach notifications they receive which may be relevant to the other party, as soon as practicable.

10. Liaison between agencies

10.1.1 To promote cooperation between the OAIC and the System Operator, regular liaison meetings will be held between the parties with regard to operational and policy matters. These liaison meetings should occur at least every six months, or as the agencies from time to time agree.

10.1.2 In order to ensure effective liaison, the parties may exchange lists of contact officers.

11. Disputes

11.1.1 Where there is disagreement over any matter related to issues covered by this agreement, the parties will seek to resolve the issue by negotiation at operational level. If these negotiations fail, the matters will be escalated to Executive officers.

12. General

12.1.1 The OAIC and the System Operator agree that they should work together to share information and experience in relation to their respective roles in regulating the eHealth record system. Each party will keep the other informed of recent developments that may be of interest to the other, within the scope of this agreement, and to the extent permitted by the relevant legislation governing both parties.

12.1.2 The OAIC and the System Operator will assist each other, wherever possible, in the distribution of general material to target audiences and the community generally about how to make complaints.

12.1.3 This agreement will come into effect on the date it is agreed by the last party.

12.1.4 This agreement will be reviewed within two years of the date of agreement by the parties, and every two years thereafter.

12.1.5 This agreement may be amended at any time by agreement of the parties.

Attachment A — eHealth enquiry and complaint referrals

The Office of the Australian Information Commissioner’s approach

Non-privacy issues

Issue

Examples of enquiry/allegations

How the Office of the Australian Information Commissioner (OAIC) will deal with the matter

Technical issues about the system including operational issues, functionality and specifications

Including:

  • System outages
  • Problems with obtaining access
  • Problems uploading documents to the Personally Controlled Electronic Health Record (PCEHR) system
  • How do I set up my access controls?
  • How does the system work?
  • Where is my health information stored?
  • How does the PCEHR system protect health information?
How the OAIC will deal with the matter:

  • Refer all non-privacy matters to the PCEHR System Operator (System Operator)
  • Telephone enquiries:
    • The OAIC will advise the enquirer to call the eHealth Helpline directly on 1800 723 471
  • Written enquiries (including email):
    • With the enquirer’s consent to referral, the OAIC will refer written enquiries about non‑privacy issues to the System Operator
    • Where the enquirer does not consent to referral or consent cannot be obtained, the OAIC will advise the enquirer to contact the eHealth Helpline directly:
      • 1800 723 471
      • Personally Controlled eHealth Records,
        GPO Box 9942, In Your Capital City
  • Written ‘non-privacy complaints’ (including email):
    • With the complainant’s consent to referral, the OAIC will refer written ‘non-privacy complaints’ to the System Operator
    • Where the complainant does not consent to the referral or consent cannot be obtained,[1] the OAIC will advise the complainant to contact the eHealth Helpline directly:
      • 1800 723 471
      • Personally Controlled eHealth Records,
        GPO Box 9942, In Your Capital City

Registration

Including:

  • What information do I need to give to register?
  • I don’t agree with the System Operator’s decision to register/not register me/my representative/my health practitioner
  • What are the eligibility requirements for registration?

Participation Agreements

Including:

  • A registered health service provider has breached the terms and conditions of the participation agreement

Audit trail

Including:

  • I need help to understand my audit trail
  • My audit trail shows someone has accessed my PCEHR and I want to know who it was

Alleged contraventions of the PCEHR Act which are NOT ‘in connection with health information included in a consumer’s PCEHR’ or Parts 4 or 5.

Example:

  • A consumer’s authorised representative has not acted in the consumer’s best interests as required by s 6(9) PCEHR Act

Privacy enquiries

Issue

Examples of enquiry

How the OAIC will deal with the enquiry

All privacy issues

Including:

  • How can health providers use the information in my PCEHR?
  • What can be done if information in my PCEHR is inaccurate?
  • Someone I don’t know has accessed my PCEHR, what can I do?

The OAIC will provide general information in response to all privacy enquiries

The OAIC will also suggest that enquirers obtain further details, as appropriate, from:

Privacy complaints[2] about the System Operator

Issue

Examples of allegations

How the OAIC will deal with the complaint

The System Operator’s handling of personal information collected during the registration process

Please refer to the Information Privacy Principles and the Australian Privacy Principles from 12 March 2014

Complaint allegations may include:

  • I was asked to give more personal details than were actually necessary
  • The questions I was asked were not relevant to the registration process
  • The personal details I gave during registration were used for a different purpose

Complaints will be assessed to determine what action the OAIC will take

  • Decline to investigate

    The OAIC may decline to investigate a complaint if the complainant has not given the System Operator an opportunity to deal with the matter in the first instance.

    Where a complainant gives consent, the OAIC will refer the privacy complaint to the System Operator to deal with in the first instance.

    Where the complainant does not consent or consent cannot be obtained, the OAIC will advise the complainant to complain directly to the System Operator and to give the System Operator at least 30 days in which to respond.

    • Personally Controlled eHealth Records,
      GPO Box 9942, In Your Capital City

    If the person is not satisfied with the System Operator’s response, they can return to the OAIC. In these circumstances the OAIC will ask the person to provide a copy of their complaint and any response from the System Operator.

    The OAIC may determine from the information provided by the complainant (this may or may not include complaint correspondence from the System Operator) that it will not investigate the matter because, for example, it appears that there is no interference with privacy or the System Operator has adequately dealt with the matter, etc. In these circumstances, the OAIC may not need to make enquiries of the System Operator.

  • Preliminary enquiries and/or investigation

    The OAIC may conduct preliminary enquiries or open an investigation if there is a possible interference with privacy. To seek information in response to the allegations, the OAIC will contact the System Operator.

  • Resolution

    Where the OAIC’s investigation determines that a breach of the Privacy Act has occurred, the Information Commissioner (Commissioner) may facilitate conciliation between the System Operator and the complainant with a view to resolving the complaint.

    However, it is also noted that the Commissioner may take steps to facilitate resolution of the complaint at any time during the complaints process where this is appropriate.

  • Determination

    Following investigation under the Privacy Act, the Commissioner has the power to make a determination under s 52 of the Privacy Act.

  • Enforcement action under the PCEHR Act

    Where the complaint involves an alleged contravention of the PCEHR Act, the Commissioner may also be able to accept a voluntary enforceable undertaking, seek an injunction and/or seek a civil penalty in relation to contraventions of Parts 4 or 5.

Allegations of unauthorised collection, use and disclosure of health information included in a consumer’s PCEHR by the System Operator (using the PCEHR system)

See ss 59 and 60 of the PCEHR Act

Complaint allegations may include:

  • My audit trail shows the System Operator read my PCEHR on three occasions on the one day, but there was no reason for it to look at my medical records

Other privacy issues relating to the handling of health information included in a consumer’s PCEHR by the System Operator (using the PCEHR system)

Complaints may relate to issues covered by the security, access, accuracy or correction (but not collection, use and disclosure) privacy principles

NB Section 73B of the PCEHR Act may have relevance to complaints regarding the System Operator’s obligations in relation to correction and alteration

Alleged contraventions of Part 5 of the PCEHR Act by the System Operator

Examples:

  • Taking records outside Australia
  • Failing to report a data breach
  • Failing to comply with PCEHR Rules

Alleged contraventions by the System Operator of provisions under the PCEHR Act ‘in connection with health information included in a consumer’s PCEHR’

Where a complaint involves an alleged contravention of a provision other than a provision in Parts 4 or 5 of the PCEHR Act, the OAIC will assess on a case-by-case basis whether or not that contravention is ‘in connection with health information included in a consumer’s PCEHR’.

Privacy complaints[3] about state or territory entities

Issue

Examples of allegations

How the OAIC will deal with the complaint

The handling of health information included in a consumer’s PCEHR by a state or territory entity (using the PCEHR system).

(Excluding repository operators and portal operators prescribed under s 6F of the Privacy Act — see complaints about ‘organisations’ below)

All issues

Refer to state or territory regulator (if applicable) or System Operator

Where a complainant gives consent, the OAIC will refer the privacy complaint to the relevant state or territory privacy or health regulator (if applicable) in accordance with the Information Sharing and Complaint Referral Arrangements for the PCEHR system between the OAIC and state and territory health and privacy regulators.

Where the complainant does not consent or consent cannot be obtained, the OAIC will advise the complainant to complain directly to the relevant state or territory privacy or health regulator.

Where there is no applicable state or territory regulator and the complainant gives consent, the OAIC will refer the privacy complaint to the System Operator.

Where the complainant does not consent or consent cannot be obtained, the OAIC will advise the complainant to complain directly to the System Operator.

  • 1800 723 471
  • Personally Controlled eHealth Records
    GPO Box 9942 In Your Capital City

The handling of personal information outside of the PCEHR system by a state or territory entity

All issues

In accordance with its usual practices, the OAIC will advise the complainant to contact the relevant state or territory privacy or health regulator (if applicable).

Privacy complaints[4] about agencies[5]

Issue

Examples of allegations

How the OAIC will deal with the complaint

The handling of health information included in a consumer’s PCEHR by Australian government agencies (using the PCEHR system)

Complaints may relate to issues covered by:

  • Parts 4 and 5 of the PCEHR Act as applicable
  • Provisions of the PCEHR Act ‘in connection with health information included in a consumer’s PCEHR’
  • The privacy principles (excluding principles relating to collection/use/disclosure)

Complaints will be assessed to determine what action the OAIC will take

During preliminary enquiries or investigation, the OAIC will communicate directly with the agency. However, the OAIC may need to seek, preferably with the complainant’s consent, the following from the System Operator to assist in its enquiries/investigation:

  • relevant details from a consumer’s audit trail
  • confirmation that the PCEHR participant is/was registered, and the type of registration
  • confirmation that the consumer, nominated representative or authorised representative is/was registered, and the type of registration
  • information relating to access settings at relevant points in time
  • information relevant to acts and practices specified in Part 5

The OAIC will also seek the consumer’s consent where possible to collect and disclose the following identification details to the System Operator for the purpose of obtaining information about their PCEHR if it may assist the OAIC to deal with the complaint:

  • consumer’s full name
  • address (as held by Medicare)
  • date of birth
  • Medicare card or Veterans Affairs card number (including individual reference number)

The System Operator will support the OAIC’s requests for information by endeavouring to provide the requested information in a timely manner through:

  • In the first instance:
    Director, PCEHR Compliance
  • If the Director, PCEHR Compliance cannot be reached:
    Director, PCEHR System Management

The handling of personal information outside of the PCEHR system by Australian government agencies

Complaints may relate to issues covered by the privacy principles

The OAIC will deal with complaints according to its usual practices (see the OAIC’s Privacy complaints practice and procedure manual at www.oaic.gov.au).

Privacy complaints[6] about organisations[7]

Issue

Examples of allegations

How the OAIC will deal with the complaint

The handling of health information included in a consumer’s PCEHR by organisations for the purposes of the Privacy Act (using the PCEHR system)

Complaints may relate to issues covered by:

  • Parts 4 and 5 of the PCEHR Act as applicable
  • Provisions of the PCEHR Act ‘in connection with health information included in a consumer’s PCEHR’
  • The privacy principles (excluding principles relating to collection/use/disclosure)

Complaints will be assessed to determine what action the OAIC will take

During preliminary enquiries or investigation, the OAIC will communicate directly with the organisation. However, the OAIC may need to seek, preferably with the complainant’s consent, the following from the System Operator to assist in its enquiries/investigation:

  • relevant details from a consumer’s audit trail
  • confirmation that the PCEHR participant is/was registered, and the type of registration
  • confirmation that the consumer, nominated representative or authorised representative is/was registered, and the type of registration
  • information relating to access settings at relevant points in time
  • information relevant to acts and practices specified in Part 5.

The OAIC will also seek the consumer’s consent where possible to collect and disclose the following identification details to the System Operator for the purpose of obtaining information about their PCEHR if it may assist the OAIC to deal with the complaint:

  • consumer’s full name
  • address (as held by Medicare)
  • date of birth
  • Medicare card or Veterans Affairs card number (including individual reference number).

The System Operator will support the OAIC’s requests for information by endeavouring to provide the requested information in a timely manner through:

  • In the first instance:
    Director, PCEHR Compliance
  • If the Director, PCEHR Compliance cannot be reached:
    Director, PCEHR System Management

The handling of personal information outside of the PCEHR system by organisations for the purposes of the Privacy Act

Complaints may relate to issues covered by the privacy principles including the handling of health information:

  • before upload to the PCEHR system
  • after download to local systems

The OAIC will deal with complaints according to its usual practices (see the OAIC’s Privacy complaints practice and procedure manual at www.oaic.gov.au).

It may also refer these matters to the relevant state or territory regulator if applicable.

Privacy complaints[8] about individuals[9]

Issue

Examples of allegations

How the OAIC will deal with the complaint

The handling of personal information by individuals using the PCEHR system

Complaints may relate to issues covered by:

  • Part 4 of the PCEHR Act
  • Provisions of the PCEHR Act ‘in connection with health information included in a consumer’s PCEHR’

The OAIC may need to seek, preferably with the complainant’s consent, the following from the System Operator to assist in its enquiries/investigation:

  • relevant details from a consumer’s audit trail
  • confirmation that the PCEHR participant is/was registered, and the type of registration
  • confirmation that the consumer, nominated representative or authorised representative is/was registered, and the type of registration
  • information relating to access settings at relevant points in time.

The OAIC will also seek the consumer’s consent where possible to collect and disclose the following identification details to the System Operator for the purpose of obtaining information about the consumer’s PCEHR if it may assist the OAIC to deal with the complaint:

  • full name
  • address (as held by Medicare)
  • date of birth
  • Medicare card or Veterans Affairs card number (including individual reference number).

The System Operator will support the OAIC’s requests for information by endeavouring to provide the requested information in a timely manner through:

  • In the first instance:
    Director, PCEHR Compliance
  • If the Director, PCEHR Compliance cannot be reached:
    Director, PCEHR System Management

Attachment B — Guiding principles and assumptions for the handling of PCEHR privacy complaints

1 The most important foundation principle that should guide all agencies and regulators involved in the PCEHR complaints handling scheme is that the process should be as seamless as possible for individuals. That is, individuals should not be ‘bounced around’ between regulators unnecessarily and a consistent approach and message should be adopted by all agencies and regulators involved.

2 Government agencies and regulators aim to work cooperatively and remove the barriers to effective complaint handling to address complex PCEHR complaints.

3 The central point of contact for all complaints is the PCEHR Call Centre (operated by the Department of Human Services (DHS)). Many complaints will be dealt with promptly at this initial contact point, especially if the complaint is in the nature of a request for information or clarification.

4 The System Operator will maintain a coordination role and will track the resolution of complaints which are handled by other agencies or regulators.

5 Agencies and regulators handling PCEHR complaints will adopt a protocol that clearly explains how complaints about the PCEHR will be handled, including how and when complaints are to be transferred between agencies and regulators and whether the complainant’s consent should be sought before transfer.

6 Consumers will be made aware if personal information is shared or transferred between agencies or regulators in the course of dealing with their PCEHR complaint.

7 The System Operator will maintain an up-to-date list (or network) of agency and regulator liaison officers.

8 Agencies and regulators handling PCEHR complaints will attend regular liaison meetings to discuss complaint issues and trends. They will work together to ensure that systemic problems are identified and complaints are effectively handled.

9 All agencies and regulators will give consistent, clear and accurate advice to the public on how to complain about PCEHR issues.

10 Agencies and regulators will determine their own jurisdiction and clearly communicate this to other agencies and regulators handling PCEHR complaints.

The OAIC will have jurisdiction to handle privacy complaints about agencies, organisations or individuals in connection with health information included in a consumer’s PCEHR or in connection with Parts 4 or 5 of the PCEHR Act. For personal information outside the PCEHR system, the OAIC generally has jurisdiction over Australian and ACT government agencies and private sector organisations covered by the Privacy Act.

PCEHR flow chart: referral of privacy complaints

Download the referral of privacy complaints flow chart

Footnotes

[1] If the complainant does not provide a phone number or email address, the OAIC will write to the person advising that with their consent, the OAIC can refer the complaint to the System Operator, or that the person can contact the System Operator directly.

[2] See s 36 of the Privacy Act

[3] See s 36 of the Privacy Act

[4] See s 36 of the Privacy Act

[5] See s 6 of the Privacy Act for definition

[6] See s 36 of the Privacy Act

[7] See s 6C of the Privacy Act for definition. This definition includes individual private healthcare providers and private sector repository operators.

[8] See s 36 of the Privacy Act

[9] See s 73(2) of the PCEHR Act. ‘Individuals’ in this context does not include individual healthcare providers (which are treated as organisations) or employees of agencies or organisations acting in the scope of their employment (whose actions are treated as the actions of the agency or organisation).