Arrangement with state and territory health and privacy regulators — information sharing and complaint referral for the eHealth record system
1.1. The Personally Controlled Electronic Health (eHealth) Record System, as part of Australia’s national eHealth strategy, aims to enable the secure sharing of health information between a consumer’s healthcare providers, while enabling the consumer to control who can access their eHealth record. The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) establishes a privacy regime for the eHealth record system which generally operates concurrently with Commonwealth, state and territory privacy laws.
1.2. The way that the PCEHR Act operates means that circumstances may arise where the Office of the Australian Information Commissioner (OAIC), the eHealth record System Operator and/or state and territory health and privacy regulators (S&T regulators) have overlapping or concurrent jurisdiction to handle privacy complaints about the eHealth record system. There may also be instances where complaints about the eHealth record system are not made to the appropriate regulator.
1.3. Ensuring effective privacy complaint handling is an important element in maintaining public confidence in the eHealth record system. An effective arrangement between privacy regulators has the potential to resolve systemic issues, provide expedient and appropriate remedies to individuals who have experienced an interference with their privacy and encourage participant compliance with the regulatory framework.
2. Objectives of this Arrangement
2.1. Under a Memorandum of Understanding (MOU) with the Department of Health (Health), the OAIC agreed to liaise with Health and S&T regulators to develop an agreed protocol for referral and handling of eHealth record system complaints. The protocol would establish a process for dealing with an eHealth complaint falling into the jurisdiction of more than one regulator, or made to the wrong regulator. This Arrangement gives effect to that agreement under the MOU.
2.2. The goals of this Arrangement are to:
- assist information sharing between the OAIC and S&T regulators, in relation to the eHealth record system;
- describe the circumstances in which complaints will be referred by the System Operator to the OAIC or a S&T regulator; and
- establish mechanisms to promote effective cooperation between the OAIC, the System Operator and S&T regulators on privacy enforcement in relation to the eHealth record system, including through referrals of complaints and through parallel or joint investigations or enforcement actions.
2.3. Nothing in this Arrangement is intended to:
- create binding obligations, or affect existing obligations under Commonwealth, state or territory law; or
- create obligations or expectations of cooperation that would exceed a party’s scope of authority and jurisdiction.
3.1. This Arrangement will come into effect between the OAIC, and the relevant S&T regulator on the date on which the S&T regulator provides its written and express advice to the OAIC of its agreement to be a party to this Arrangement.
3.2. The Arrangement may be modified by the OAIC to include other S&T regulators who become parties to the Arrangement during the period of the arrangement (as set out in clause 7).
In this Arrangement the following definitions apply:
‘Arrangement’ means this document, the Information Sharing and Complaint Referral Arrangements for the Personally Controlled Electronic Health (eHealth) Record System.
‘complaint’ means a complaint that meets the requirements of section 36 of the Privacy Act or the requirements in the relevant state or territory legislation.
‘consumer’ means an individual who has received, receives or may receive healthcare, as set out in section 5 of the PCEHR Act
‘Health’ means the Commonwealth Department of Health.
‘eHealth record’ means a personally controlled electronic health record of a consumer as set out in s 5 of the PCEHR Act, that is, the record of information that is created and maintained by the System Operator in relation to the consumer and the information that can be obtained by means of that record.
‘health information’ has the meaning set out in section 5 of the PCEHR Act:
- information or an opinion about:
- the health or a disability (at any time) of an individual; or
- an individual’s expressed wishes about the future provision of health services to him or her; or
- healthcare provided, or to be provided, to an individual;
- that is also personal information; or
- other personal information collected to provide, or in providing, healthcare; or
- other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
- genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual
It is substantially the same as the definition in section 6 of the Privacy Act.
‘individual’ means a natural person.
‘OAIC’ means the Office of the Australian Information Commissioner.
‘organisation’ has the meaning set out in section 6C of the Privacy Act and, in general, includes all businesses and non-government organisations with an annual turnover of more than $3 million, all health service providers and a limited range of small businesses (see sections 6D and 6E of the Privacy Act).
‘participant’ means any of the following:
- the System Operator;
- a registered healthcare provider organisation;
- the operator of the National Repositories Service;
- a registered repository operator;
- a registered portal operator;
- a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.
‘party means the OAIC and any state and territory health and/or privacy regulator that is a signatory to this Arrangement.
‘PCEHR Act’ means the Personally Controlled Electronic Health Records Act 2012 (Cth).
‘personal information’ has the meaning as set out in section 6 of the Privacy Act:
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
‘Privacy Act’ means the Privacy Act 1988 (Cth).
‘S&T regulator’ means state and territory health and/or privacy regulator who may choose to become a party to this Arrangment.
‘S&T party’ means state and territory health and/or privacy regulator that is a signatory to this Arrangement as named in the Schedule to this Arrangement.
‘System Operator’ means the eHealth Record System Operator, prescribed by section 14 of the PCEHR Act, as:
- the Secretary of the Department; or
- if a body established by a law of the Commonwealth is prescribed by the regulations to be the System Operator — that body.
5. The Office of the Australian Information Commissioner
5.1. The OAIC is the independent regulator of privacy aspects of the eHealth record system. The OAIC has a range of functions and powers relating to the eHealth record system which include investigating certain complaints about the mishandling of personal information in a consumer’s eHealth record.
5.2. These functions and powers are triggered by section 73 of the PCEHR Act which provides that certain contraventions of the PCEHR Act are ‘…taken to be: (a) for the purposes of the Privacy Act, an interference with the privacy of a consumer; and (b) covered by section 13 or 13A of that Act’.
5.3. Under the Privacy Act, the OAIC has powers to investigate complaints about an act or practice that may be an interference with the privacy of an individual. Section 73 of the PCEHR Act expands the circumstances which may constitute ‘an interference with privacy’ under the Privacy Act to include complaints about:
- an act or practice that contravenes the PCEHR Act in connection with health information included in a consumer’s eHealth record; or
- an act or practice that contravenes the PCEHR Act in connection with a provision of Part 4 or 5 of the PCEHR Act.
5.4. Parts 4 and 5 of the PCEHR Act cover unauthorised collection, use or disclosure of health information included in a consumer’s eHealth record and other civil penalty provisions.
5.5. Where the complaint relates to a respondent within the OAIC’s jurisdiction, the OAIC will accept and consider the complaint for investigation. The OAIC will generally be able to investigate eHealth record system complaints about:
- Commonwealth agencies
- organisations such as private sector healthcare providers
- state or territory authorities or instrumentalities prescribed under section 6F of the Privacy Act.
6. The System Operator
6.1. The System Operator is responsible for establishing and running the eHealth record system, as well as performing the functions described in section 15 of the PCEHR Act. One of the functions is to establish a complaints handling mechanism (subsection 15(j)) which provides national arrangements for consumers and participants to make complaints about the operation of the eHealth record system.
6.2. Generally, complaints from consumers and other participants will be made to the System Operator in the first instance via the eHealth Helpline (1800 723 471). However, complaints may also be made directly to the OAIC or a S&T regulator. The System Operator has responsibility for responding to enquiries and resolving complaints it receives via the eHealth Helpline where possible. Where complaints cannot be resolved by the System Operator, they may be escalated to the OAIC and S&T regulators, as appropriate and where they have jurisdiction.
6.3. Complaints that fall outside the jurisdiction of the OAIC and S&T regulators, such as complaints about system integrity, registration and participation agreements will be dealt with by the System Operator.
7. State and Territory Health and/or privacy regulators
7.1. The S&T regulators that are eligible to be parties to this Arrangement are the bodies within those jurisdictions that have the power to regulate the handling of individuals’ health information.
7.2. Privacy and health information is regulated differently across state and territory jurisdictions. For example, some jurisidictions have health laws which are administered by a privacy regulator, such as the Health Records and Information Privacy Act 2000 (NSW). In other jurisdictions, a specific health regulator has responsibility for managing complaints from users about services provided by the health sector including the handling of health information, for example the Victorian Health Services Commissioner in terms of the Health Records Act 2001 (Vic). All state and territory regulators with responsibility for managing complaints about the handling of health information may agree to be a party to this Arrangement.
7.3. S&T regulators will be a party to this Arrangement by advising the OAIC in writing (including by email) of their intention to be part of and covered by the Arrangement. S&T regulators should nominate a contact officer in their communication.
7.4. S&T regulators that are parties to this Arrangement will be named in the Schedule.
8.1. Parties to this Arrangement endeavour to uphold the following principles:
- The process should be as seamless as possible for consumers - consumers should not be transferred unnecessarily between regulators
- Parties aim to work cooperatively and remove barriers to effective complaint handling to address eHealth record system complaints
- Parties will give consistent, clear and accurate advice to the public on how to make a complaint about their eHealth record
- Parties will determine their own jurisdiction and clearly communicate this to other parties handling eHealth record system complaints
- Unnecessary duplication of investigation activity should be avoided, especially where there is no benefit to the complainant in conducting parallel investigations.
Referring a complaint
8.2. An S&T party may receive a complaint about the eHealth record system, or have a complaint referred to it by the System Operator, which it does not have jurisdiction to handle. Where that is the case and the OAIC appears to have jurisdiction as described in this Arrangement, the S&T party will discuss the complaint with the OAIC’s contact officer. If agreed by both parties, the S&T party will refer the complaint to the OAIC.
8.3. Where the OAIC receives a complaint which it does not have jurisdiction to handle, the OAIC will discuss the complaint with the contact officer of the relevant S&T party to determine whether the S&T party can handle the complaint. If agreed by both parties, the OAIC will refer the complaint to the S&T party.
8.4. Where the OAIC and an S&T party determine that neither party can handle a complaint about the eHealth record system, the party that received the complaint will raise the issue with the System Operator.
8.5. Where an S&T party receives a complaint that appears to be within its jurisdiction but also appears to be within the jurisdiction of the OAIC, or vice versa, the parties will consult with each other and the complainant to determine which party is more suitable to handle the complaint before proceeding further with their investigation. Factors that should be considered are:
- the seriousness of the complaint and the possible enforcement action that might be taken in the relevant jurisdictions
- the possible outcomes available to the complainant in each jurisdiction
- any views or preference expressed by the complainant.
8.6. Where an S&T party receives a complaint that appears to be partly within its jurisdiction and partly within the jurisdiction of the OAIC, or vice versa, the parties will consult with each other to determine whether it is possible to:
- conduct a concurrent investigation, where each party handles different issues arising from the same set of facts;
- decide that one party handle the entire complaint; or
- suspend investigation of part of the complaint, pending completion of the other party’s handling of the matter.
Complaints made to multiple regulators
8.7. Where an S&T party or the OAIC becomes aware that the complainant has complained to multiple regulators, the parties will consult each other and discuss this matter with the complainant to determine which party should continue to handle the complaint or whether one of the complaints should be closed or suspended until the other party has completed their investigation.
8.8. The factors set out above in relation to complaints where concurrent and overlapping jurisdiction exists will be relevant factors in deciding what action to take where two or more regulators receive the same complaint.
9. Information Sharing
Circumstances in which information is shared
9.1. The parties agree to work together to share information in relation to their respective roles in handling eHealth record complaints, subject to clause 10.4. Parties will keep other relevant parties informed of recent developments that may be of interest, are within the scope of this Arrangement, and to the extent permitted by the relevant legislation governing the parties.
9.2. The parties undertake to share information with each other, to the extent necessary and in accordance with Part 8 of this Arrangement, in the following circumstances:
- where a party requests the disclosure of information reasonably necessary to assist it to carry out its functions relating to a matter within its jurisdiction
- where a party is referring a complaint to another party as described in this Arrangement
- where the OAIC and another party have overlapping or concurrent jurisdictions and the parties agree to share information, regularly or in appropriate circumstances, in order for the parties to carry out their functions in an efficient manner.
9.3. Teleconferences will be held as required involving representatives from each party to discuss matters relating to the eHealth record system. The teleconferences will provide a forum for parties to:
- discuss any functionality or policy developments in the eHealth record system that may affect parties’ regulatory responsibilities
- discuss recent complaints and investigations relating to the eHealth record system
- inform other parties of any guidance, educational or training material published in relation to the eHealth record system
- report on any other developments that may impact on the discharge of the other parties’ responsibilities.
10. Disclosure and consent
10.1. Where it is necessary to disclose an individual’s personal information during discussions between parties, the individual’s consent must be obtained.
10.2. Where a party decides that a complaint should be referred in part or full to another party, the complainant’s consent must be obtained. An exception may apply where existing statutory powers enable referral of a complaint without such consent.
10.3. Where it is not possible to obtain the complainant’s consent to refer a complaint, the party that initially received the complaint will advise the complainant how to make a complaint to the relevant party.
10.4. Where the parties share information for the purposes of this Arrangement, it is acknowledged that any disclosure of personal information must be within the statutory framework that exists for each party.
11. Contact officer
11.1. Parties shall nominate a designated contact officer for the purposes of this Arrangement.
12. Review and amendment of Arrangement
12.1. The Arrangement will be reviewed on 30 June 2014, and every two years thereafter.
12.2. The Arrangement may be amended at any time by agreement of the parties.
12.3. Parties may withdraw from this Arrangement at any time by providing written notice (including by email) to the OAIC.
12.4. The OAIC will update the Schedule as required and advise parties of additional signatories or any withdrawals from the Arrangement.
|S & T Regulator||Date of effect|
Office of the Information Commissioner, Queensland |
Contact Officer: Lemm Ex
|18 April 2013|
Health Services Commissioner, ACT Human Rights Commission |
Contact Officer: Matt Hingston
|30 April 2013|
Office of the Health Services Commissioner, Victoria |
Contact Officer: Angela Palombo
|28 May 2013|
South Australian Health and Community Services Complaints Commissioner |
Contact Officer: Lucy Avard
|5 June 2013|
Information and Privacy Commissioner, New South Wales|
Contact Officer: Sonia Minutillo
|14 April 2014|
The full definition is set out in s 5 of the Personally Controlled Electronic Health Records System Act 2012 (Cth)