Australian Government - Office of the Australian Information Commissioner

Consultation draft: PCEHR (Information Commissioner Enforcement Powers) Guidelines 2015

Part 1     Preliminary

1         Name of instrument

This instrument is the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2015.

2         Commencement

2.1 This instrument takes effect on the day following the day of its registration in the Federal Register of Legislative Instruments maintained under section 20 of the Legislative Instruments Act 2003.

2.2 The PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 (Federal Register of Legislative Instruments No. F2013L01085) are repealed when this instrument commences.

Note: Section 33(3) of the Acts Interpretation Act 1901 (Cth) provides that when an Act confers a power to make, grant or issue an instrument of a legislative or administrative character, the power shall be construed as including a power to repeal, rescind, revoke, amend or vary any such instrument.

2.3 From the date of commencement, the Information Commissioner will have regard to this instrument when exercising enforcement powers or investigative powers under both the PCEHR Act and the Privacy Act, in relation to the PCEHR system.

3         Definitions

3.1 Unless the contrary intention appears, terms used in these guidelines have the same meaning as in the PCEHR Act.

3.2 In this instrument:

agency has the same meaning as in section 6 of the Privacy Act.

AIC Act means the Australian Information Commissioner Act 2010.

Commissioner initiated investigation is an investigation initiated by the Information Commissioner under subsection 40(2) of the Privacy Act.

Court means:

  1. the Federal Court of Australia;
  2. the Federal Circuit Court of Australia; or
  3. a court of a State or Territory that has jurisdiction in relation to matters arising under the PCEHR Act.

Information Commissioner means the person appointed as Australian Information Commissioner under subsection 14(1) of the AIC Act, or under subsection 21(1) of that Act.

Note: For acting appointments, section 33A of the Acts Interpretation Act 1901 also applies.

PCEHR National Repositories Service means the National Repositories Service referred to in paragraph 15(i) of the PCEHR Act.

participant in the PCEHR system means any of the following:

  1. the System Operator;
  2. a registered healthcare provider organisation;
  3. the operator of the National Repositories Service;
  4. a registered repository operator;
  5. a registered portal operator; or
  6. a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.

PCEHR means a personally controlled electronic health record.

PCEHR Act means the Personally Controlled Electronic Health Records Act 2012.

PCEHR Rules means rules made under section 109 of the PCEHR Act.

PCEHR system means the personally controlled electronic health record system established under the PCEHR Act, and as defined in section 5 of that Act.

PCEHR System Operator has the meaning given by section 14 of the PCEHR Act.

Privacy Act means the Privacy Act 1988.

registered repository operator means a person that:

  1. holds, or can hold, records of information included in personally controlled electronic health records for the purposes of the PCEHR system; and
  2. is registered as a repository operator under section 49 of the PCEHR Act.

4         Introduction

The Information Commissioner

4.1 The Information Commissioner is a statutory office holder appointed by the Governor-General under subsection 14(1) of the AIC Act, or appointed to act in that office under subsection 21(1) of the AIC Act. The Information Commissioner performs functions and exercises powers conferred on the Information Commissioner by the AIC Act and other Acts.

4.2 The PCEHR Act and the Privacy Act both confer functions and powers on the Information Commissioner in relation to the PCEHR system.

Overview of the PCEHR system

4.3 The PCEHR system is established under and is regulated by the PCEHR Act. The PCEHR system aims to enable the secure sharing of health information between a consumer's registered healthcare provider organisations, while enabling the consumer to control who can access his or her PCEHR.

4.4 The PCEHR system is decentralised, with a consumer's health information held in repositories across multiple locations and able to be accessed online by the consumer and their registered healthcare provider organisation(s). The PCEHR National Repositories Service holds key records about consumers, including the consumer's shared health summary (created by a nominated healthcare provider and uploaded to the PCEHR National Repositories Service), discharge summaries, event summaries and consumer entered information.

4.5 Private and public sector bodies may also register as repository operators. When a registered healthcare provider organisation wishes to, and is authorised to, access a consumer's health information that is held in a repository other than the PCEHR National Repositories Service, that information may be retrieved and viewed by the healthcare provider organisation, although it remains stored with the relevant public or private sector repository. For example, a healthcare provider organisation can view a consumer's pathology report held at a particular pathology lab, if that pathology lab is a registered repository operator.

4.6 The PCEHR System Operator is responsible for the operation of the PCEHR system.

Regulation of health information

4.7 The PCEHR Act and regulations and rules made under that Act regulate the collection, use and disclosure of health information contained in a consumer's PCEHR.

4.8 In addition to the requirements in the PCEHR Act, the PCEHR System Operator is subject to the Privacy Act.

4.9 In addition to the requirements in the PCEHR Act, other participants in the PCEHR system are subject to the Privacy Act and relevant State and Territory privacy laws.

Functions of the Information Commissioner in relation to PCEHR System

4.10 The Information Commissioner's functions in the PCEHR system include investigating alleged contraventions of the PCEHR Act and seeking to address contraventions as appropriate through conciliation, education and enforcement action.

4.11 Alleged contraventions of the PCEHR Act may be brought to the Information Commissioner's attention by a range of avenues including:

  1. a complaint by an individual or other notification from an individual or a participant in the PCEHR system;
  2. as the result of a data breach notification provided in accordance with section 75 of the PCEHR Act;
  3. as a result of a voluntary data breach notification made by an entity not covered by section 75 of the PCEHR Act;
  4. as a referral from another regulator in certain circumstances;
  5. as a result of media reporting;
  6. as a result of information provided by an informant;
  7. as a result of information provided by a law enforcement agency;
  8. as a result of information received from the PCEHR System Operator;
  9. during the course of an assessment or investigation conducted by the Information Commissioner.

The role of these guidelines

4.12 Section 111 of the PCEHR Act requires the Information Commissioner to formulate, and have regard to, guidelines regarding the exercise of the Information Commissioner's powers under the PCEHR Act or a power under another Act that is related to such a power. The Privacy Act is a related Act.

4.13 These guidelines are made under section 111 of the PCEHR Act. These guidelines set out the Information Commissioner's general approach to the exercise of enforcement powers and investigative powers under both the PCEHR Act and the Privacy Act, in relation to the PCEHR system.

4.14 While these guidelines seek to provide guidance to participants in the PCEHR system, the Information Commissioner has a discretion to exercise the available powers that he or she considers most appropriate in the particular circumstances of each case.


Part 2     General principles relating to enforcement action and the exercise of investigative powers under the PCEHR Act and the Privacy Act

5         Types of enforcement powers and investigative powers available to the Information Commissioner

5.1 The Information Commissioner has a range of enforcement powers and investigative powers under both the PCEHR Act and the Privacy Act in relation to the PCEHR system. These powers are based on an escalation model. The general approach the Information Commissioner will take when determining which Act to apply is set out in sections 6 and 7 of these guidelines.

Investigative powers under the PCEHR Act

5.2 The Information Commissioner has power under subsection 73(4) of the PCEHR Act to do all things necessary or convenient to investigate an alleged contravention of the PCEHR Act in relation to the PCEHR system, either in connection with health information in a consumer's PCEHR or as a result of a breach of a civil penalty provision. The civil penalty provisions in the PCEHR Act are listed below at subsection 13.2 of these guidelines. 

Investigative powers under the Privacy Act

5.3 Because a contravention of the PCEHR Act that is in connection with health information included in a consumer's PCEHR, or that is a contravention of a provision of Part 4 or 5 of that Act, is an interference with privacy for the purposes of the Privacy Act, the Information Commissioner may investigate the act or practice under the Privacy Act.

5.4 Part V of the Privacy Act sets out the investigative powers and processes available when the Information Commissioner conducts an investigation under the Privacy Act into an alleged contravention of the PCEHR Act.

5.5 The range of powers given to the Information Commissioner under Part V of the Privacy Act in relation to the conduct of investigations include powers to investigate a matter following a complaint or on the Commissioner’s own initiative, attempt to conciliate a complaint, conduct preliminary inquiries to determine whether or not to open an investigation, require information or a document to be produced, require a person to attend before the Commissioner to answer questions under oath or affirmation, enter premises to examine documents and, in certain circumstances, to hold a hearing, examine witnesses or call compulsory conferences. Part V also provides detail on how an investigation should be conducted, including procedural elements.

Enforcement powers under the PCEHR Act

5.6 The Information Commissioner has enforcement powers under the PCEHR Act that include the ability to do one or more of the following:

  1. accept an enforceable undertaking;
  2. apply to a Court for an order to enforce an enforceable undertaking;
  3. apply to a Court for an injunction to require a person to do, or to restrain a person from doing, specified actions;
  4. apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision in the PCEHR Act pay the Commonwealth a pecuniary penalty.

5.7 The Information Commissioner's use of each of these enforcement powers is discussed below at section 8 (enforceable undertakings), section 11 (injunctions) and section 13 (civil penalty orders).

Enforcement powers under the Privacy Act

5.8 The Information Commissioner has enforcement powers under the Privacy Act that include the ability to do one or more of the following:

  1. accept an enforceable undertaking;
  2. apply to the Federal Court or the Federal Circuit Court for an order to enforce an enforceable undertaking;
  3. make a non-binding determination;
  4. apply to the Federal Court or the Federal Circuit Court for an order to enforce a determination;
  5. apply to the Federal Court or the Federal Circuit Court for an injunction to require a person to do, or restrain a person from doing, specified actions;
  6. apply to the Federal Court or the Federal Circuit Court for an order that a person who is alleged to have contravened a civil penalty provision in the Privacy Act pay the Commonwealth a pecuniary penalty.

5.9 The Information Commissioner's use of these enforcement powers is discussed below at section 9 (enforceable undertakings), section 10 (determinations), section 12 (injunctions) and section 14 (civil penalty orders).

6         Investigations – general principles

6.1 When investigating an alleged contravention and deciding whether to take enforcement action (see section 7), the Information Commissioner will act consistently with general principles of good decision making, as explained in the Best Practice Guides published by the Administrative Review Council in 2007. In particular, the Information Commissioner will act fairly, transparently, and in accordance with principles of natural justice (or procedural fairness).

General approach to complaints

6.2 A complaint received by the Information Commissioner relating to the PCEHR system will, unless there is a reason to accept the complaint and act under the PCEHR Act, be treated as a complaint made under section 36 of the Privacy Act, and will be investigated under the provisions of Part V of the Privacy Act. If a complaint is made under the Privacy Act, any investigation must be in accordance with the Privacy Act.

6.3 When investigating a complaint relating to the PCEHR system under the Privacy Act, the Information Commissioner must make a reasonable attempt to conciliate the complaint. The Information Commissioner may decline to investigate or further investigate a complaint if there is no reasonable likelihood of a conciliated outcome. Following a complaint investigation, the Commissioner may decide to take enforcement action under the PCEHR Act or the Privacy Act.

General approach to Commissioner initiated investigations

6.4 The Commissioner may, on his or her own initiative, decide to investigate an act or practice that may be an interference with the privacy of an individual. The Commissioner may decide to commence a Commissioner initiated investigation following a complaint or data breach notification, or may commence a Commissioner initiated investigation independently of any complaint or notification.

6.5 A Commissioner initiated investigation relating to the PCEHR system will be conducted under Part V of the Privacy Act rather than under the PCEHR Act, unless there is a reason to conduct the investigation under the latter Act.

6.6 Following a Commissioner initiated investigation under the Privacy Act, the Information Commissioner may decide to take enforcement action under the Privacy Act or the PCEHR Act.

General approach to conducting investigations under section 73 of the PCEHR Act

6.7 Where the Information Commissioner decides to conduct an investigation under section 73 of the PCEHR Act (as an alternative to an investigation under Part V of the Privacy Act), the Commissioner will follow a process that, so far as practicable, corresponds with the investigative processes set out in Part V of the Privacy Act.

6.8 Upon completing an investigation under section 73 of the PCEHR Act, the Information Commissioner may take enforcement action under that Act. The Commissioner will consider the suitability of attempting by conciliation to effect a settlement of a matter under paragraph 73(3)(a) of the PCEHR Act before deciding to take other enforcement action.

7         Enforcement action – general principles

Factors taken into account

7.1 Factors the Information Commissioner may take into account in deciding whether to take enforcement action against a person in relation to the PCEHR system and what action to take, include the following:

  1. the object of the PCEHR Act;
  2. the objects of the Privacy Act;
  3. whether the investigation was completed under the PCEHR Act or the Privacy Act;
  4. the seriousness of the incident or conduct to be investigated, including:
    1. the number of persons potentially affected;
    2. the adverse consequences caused or likely to be caused to one or more persons arising from an incident or conduct;
    3. whether disadvantaged or vulnerable groups may have been or may be particularly adversely affected or targeted;
    4. whether conduct was deliberate or reckless;
    5. the seniority and level of experience of the person or persons responsible for the conduct;
  5. the level of public interest or concern relating to the conduct (with enforcement action more likely to be taken where significant public interest or concern exists);
  6. whether the burden on the individual or entity likely to arise from the enforcement action is justified by the risk posed to the protection of personal information;
  7. the specific and general educational, deterrent or precedential value of the particular enforcement action, including whether pursuing court action (where applicable) would test or clarify the law;
  8. whether the individual or entity responsible for the incident or conduct has been the subject of prior compliance or enforcement action in relation to the PCEHR system or by the Information Commissioner, and the outcome of that action;
  9. the likelihood of the individual or entity contravening the PCEHR Act or Privacy Act in the future;
  10. whether the conduct is an isolated instance, or whether it indicates a potential systemic issue (either with the individual or entity concerned or within an industry) or an increasing issue which may pose ongoing compliance or enforcement issues;
  11. action taken by the individual or entity to remedy and address the consequences of the conduct, including whether the individual or entity attempted to conceal a contravention or data breach, and whether the individual or entity has co-operated with the Information Commissioner during containment and any investigation of the contravention;
  12. whether the conduct has affected the security or integrity of the PCEHR system or impacted on healthcare provider or consumer confidence in the PCEHR system;
  13. the time since the conduct occurred;
  14. the cost and time required to achieve an appropriate remedy through enforcement action;
  15. whether there is adequate evidence available and admissible in a court to prove a contravention on the balance of probabilities;
  16. any other factors which the Information Commissioner considers relevant in the circumstances, including factors which are relevant to the specific regulatory power being used.

7.2 It is open to the Information Commissioner to use a combination of enforcement powers to address a particular contravention.

Administrative action of the PCEHR System Operator

7.3 Section 73A of the PCEHR Act authorises the Information Commissioner to disclose to the PCEHR System Operator any information or documents that relate to an investigation that the Information Commissioner conducts because of the operation of section 73 of that Act, if the Information Commissioner is satisfied that to do so will enable the PCEHR System Operator to monitor or improve the operation or security of the PCEHR system.

7.4 A disclosure under section 73A of the PCEHR Act may also assist the PCEHR System Operator in exercising the power to cancel, suspend or vary a person's registration with the PCEHR system in certain circumstances in accordance with the PCEHR Act.

General litigation principle

7.5 In any litigation, the Information Commissioner will act in accordance with the Commonwealth's model litigant obligations set out in Appendix B of the Legal Services Directions 2005.

Publication of use of enforcement powers

7.6 The Information Commissioner may communicate publicly information about his or her use of enforcement powers under the Privacy Act or PCEHR Act.

7.7 In relation to enforceable undertakings accepted under s 33E of the Privacy Act or s 94 of the PCEHR Act, the Information Commissioner will generally publish accepted enforceable undertakings.

7.8 The Information Commissioner will publish determinations made under section 52 of the Privacy Act. The Commissioner will generally publish the name of the respondent. However, the Commissioner will generally not publish the names of complainants, respondent individuals or any third party individuals.


Part 3     Use of enforcement powers under the PCEHR Act and Privacy Act

8         Enforceable undertakings under the PCEHR Act

Legislative basis for accepting undertakings

8.1 Under section 94 of the PCEHR Act, the Information Commissioner may accept a written undertaking in relation to the PCEHR Act given by a person that the person will:

  1. take specified action in order to comply with the PCEHR Act;
  2. refrain from taking specified action, in order to comply with the PCEHR Act; or
  3. take specified action directed towards ensuring that the person does not contravene the PCEHR Act, or is unlikely to contravene the PCEHR Act, in the future.

Giving an enforceable undertaking

8.2 The individual giving and executing the undertaking must have the authority to negotiate on behalf of, and bind, the respondent person.

Terms of an undertaking

8.3 To be acceptable to the Information Commissioner, the terms of an enforceable undertaking should:

  1. describe the alleged contravention(s) about which the Information Commissioner is concerned;
  2. outline specified steps the person will take to rectify the contravention, and ensure that it is not repeated or continued. This will usually include a requirement for the person to complete reviews and establish a monitoring and reporting framework;
  3. contain dates by which the person is required to complete each step;
  4. be capable of implementation and include action which is capable of being measured or tested objectively;
  5. be certain and capable of enforcement.

8.4 The Information Commissioner will not accept an enforceable undertaking that:

  1. denies responsibility for an alleged contravention of the PCEHR Act or Privacy Act;
  2. merely undertakes to comply with the law without explaining how compliance will be achieved;
  3. seeks to impose terms or conditions on the Information Commissioner.

General approach to accepting undertakings

8.5 When deciding whether to accept an undertaking, the Information Commissioner may take into account:

  1. the particular circumstances of the matter;
  2. the factors referred to at subsection 7.1 of these guidelines;
  3. whether the Information Commissioner believes that the respondent has the ability to, and genuinely intends to, comply with the terms of the undertaking.

Withdrawing, varying or cancelling an undertaking accepted by the Information Commissioner

8.6 The person may withdraw or vary the undertaking at any time, but only with the written consent of the Information Commissioner.

8.7 The Information Commissioner may cancel the undertaking by written notice.

8.8 The Information Commissioner generally will only consent to the variation or withdrawal of an undertaking if:

  1. compliance with the enforceable undertaking is subsequently found to be impractical; or
  2. there has been a material change in the circumstances which led to the undertaking being given, meaning that variation or withdrawal are appropriate in the circumstances; and
  3. the Information Commissioner is satisfied that an appropriate regulatory outcome will still be achieved in the circumstances.

General approach to enforcing undertakings

8.9 Under section 95 of the PCEHR Act, if the Information Commissioner considers that a person has breached an undertaking accepted under section 94, and that undertaking has not been withdrawn or cancelled, the Information Commissioner may apply to a Court for one or more of the orders listed in that section:

  1. an order directing the person to comply with the undertaking;
  2. an order directing the person to pay to the Commonwealth an amount up to the amount of any financial benefit that the person has obtained directly or indirectly and that is reasonably attributable to the breach;
  3. any order that the Court considers appropriate directing the person to compensate any other person who has suffered loss or damage as a result of the breach;
  4. any other order that the Court considers appropriate.

8.10 When deciding whether to seek an order from a Court to enforce an undertaking, the Information Commissioner may take into account:

  1. the particular circumstances of the matter;
  2. the factors referred to at subsection 7.1 of these guidelines;
  3. the Commonwealth's model litigant obligations referred to at subsection 7.5 of these guidelines.

9         Enforceable undertakings under the Privacy Act

9.1 Under section 33E of the Privacy Act, the Information Commissioner may accept a written undertaking given by an entity that the entity will:

  1. take specified action in order to comply with the Privacy Act;
  2. refrain from taking specified action, in order to comply with the Privacy Act;
  3. take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

Giving an enforceable undertaking

9.2 The individual giving and executing the undertaking must have the authority to negotiate on behalf of, and bind, the respondent entity or person.

Terms of an undertaking

9.3 For an undertaking to be acceptable to the Information Commissioner, it should include the terms listed at subsection 8.3 of these guidelines.

9.4 The Information Commissioner will not accept an enforceable undertaking under the Privacy Act that includes any of the terms listed at subsection 8.4 of these guidelines.

General approach to acceptance of an undertaking

9.5 In deciding whether to accept an undertaking under the Privacy Act, the Information Commissioner may consider those matters referred to in subsection 8.5 of these guidelines.

Withdrawing an undertaking accepted by the Information Commissioner

9.6 The person may withdraw or vary the undertaking at any time, but only with the written consent of the Information Commissioner.

9.7 The Information Commissioner may cancel the undertaking by written notice.

9.8 When considering whether to consent to the withdrawal or variation of an undertaking, the Information Commissioner may consider those matters referred to in subsection 8.8 of these guidelines.

General approach to enforcing undertakings

9.9 Under section 33F of the Privacy Act, if the Information Commissioner considers that an entity has breached an undertaking it has given under section 33E, and that undertaking has not been withdrawn or cancelled, the Information Commissioner may apply to the Federal Court or the Federal Circuit Court for one or more of the orders listed in that section:

  1. an order directing the entity to comply with the undertaking;
  2. any order that the court considers appropriate directing the entity to compensate any other person who has suffered loss or damage as a result of the breach;
  3. any other order that the court considers appropriate.

9.10 When determining whether to seek an order from the Federal Court or the Federal Circuit Court to enforce an undertaking, the Information Commissioner may consider those matters referred to in subsection 8.10 of these guidelines.

10      Determinations under the Privacy Act

Legislative basis for making a determination

10.1 Upon completing the investigation of a complaint made under section 36 of the Privacy Act, the Information Commissioner may, under section 52 of that Act, make a determination that either dismisses the complaint or, if the Information Commissioner has found the complaint to be substantiated, includes one or more of the declarations specified in paragraph 52(1)(b) of the Privacy Act.

10.2 Upon completing a Commissioner initiated investigation, the Information Commissioner may make a declaration specified in subsection 52(1A) of the Privacy Act.

Legislative basis for enforcing determination

10.3 Under section 55A of the Privacy Act, the Information Commissioner may apply to the Federal Court or the Federal Circuit Court for an order to enforce a determination made under section 52 against a person or entity.

Legislative basis for enforcing determination against an agency

10.4 Under section 62 of the Privacy Act, the Information Commissioner may apply to the Federal Court or the Federal Circuit Court for an order to enforce a determination made under section 52 against an agency.

10.5 The Information Commissioner may only make an application under section 62 if the agency has failed to comply with its obligations under section 58 of the Privacy Act. Section 58 requires an agency that is the respondent to a section 52 determination to refrain from conduct that has been declared to be an interference with privacy, and to perform any act or course of conduct that was declared, in the determination, to be appropriate to redress any loss or damage.

General approach to making determinations

10.6 The Information Commissioner has a discretion, after investigating a complaint made under section 36 of the Privacy Act, to make a determination under subsection 52(1) of the Privacy Act which either dismisses the complaint or finds that the complaint is substantiated.

10.7 When investigating a complaint relating to the PCEHR system under the Privacy Act, the Information Commissioner must make a reasonable attempt to conciliate the complaint.

10.8 When deciding whether to make a determination under section 52 of the Privacy Act in response to a complaint under section 36, the Information Commissioner may consider:

  1. the particular facts of the matter;
  2. the factors referred to at subsection 7.1 of these guidelines;
  3. whether it appears there is a prima facie interference with privacy, the parties are unable to resolve the matter through conciliation and the matter cannot otherwise be finalised;
  4. whether one or both of the parties has requested that the matter be finalised by way of a determination and the Information Commissioner considers that making a determination would be the appropriate resolution in the particular circumstances;
  5. whether the issues raised by the complaint are complex and/or systemic;
  6. whether the investigation process has been able to resolve whether an interference with privacy has occurred, and whether it is likely that the determination process would resolve that question.

10.9 The Information Commissioner has a discretion, after an investigation on the Commissioner’s own initiative, to make a determination under subsection 52(1A) of the Privacy Act.

10.10 When deciding whether to make a determination following a Commissioner initiated investigation, the Information Commissioner may consider:

  1. the particular facts of the matter;
  2. the factors referred to at subsection 7.1 of these guidelines;
  3. whether it appears there is a prima facie interference with privacy;
  4. whether the person has cooperated with the Information Commissioner's enquiries or investigation, and if not, whether the Commissioner believes that it is necessary to make formally binding declarations that the person must take certain steps to address the interference with privacy;
  5. whether there is a disagreement between the Information Commissioner and the person about whether an interference with privacy has occurred and, if so, the determination would allow that question to be resolved;
  6. whether there is a public interest in the Information Commissioner making a declaration setting out his or her reasons for finding that an interference with privacy has occurred.

General approach to enforcing determinations

10.11 Where a respondent has failed to comply with the terms of a determination made under section 52 of the Privacy Act, the Information Commissioner will consider whether to commence proceedings in the Federal Court or the Federal Circuit Court to enforce the determination.

10.12 When deciding whether to commence proceedings to enforce a determination, the Information Commissioner may take into account:

  1. the particular facts of the matter;
  2. the factors referred to at subsection 7.1 of these guidelines;
  3. the Commonwealth's model litigant obligations referred to at subsection 7.5 of these guidelines.

11      Injunctions under the PCEHR Act

Legislative basis for injunctions

11.1 Under section 96 of the PCEHR Act, the Information Commissioner may apply to a Court for an injunction:

  1. seeking an interim order pending final determination of the matter;
  2. requiring a person to do an act or thing, if the refusal or failure to do that act or thing would be a contravention of the PCEHR Act;
  3. requiring a person to do an act or thing, if the person has engaged, is engaging or is proposing to engage in conduct contravening the PCEHR Act;
  4. restraining a person from engaging in conduct that constituted, constitutes or would constitute a contravention of the PCEHR Act.

General approach to seeking injunctions

11.2 In deciding whether to seek an injunction from a Court, the Information Commissioner may consider:

  1. the particular facts of the matter;
  2. the factors referred to at subsection 7.1;
  3. the Commonwealth's model litigant obligations referred to at subsection 7.5.

12      Injunctions under the Privacy Act

12.1 Under section 98 of the Privacy Act, the Information Commissioner may apply to the Federal Court or the Federal Circuit Court for an injunction:

  1. seeking an interim order restraining a person from engaging in conduct pending final determination of a matter;
  2. requiring a person to do an act or thing, if the refusal or failure to do that act or thing would be a contravention of the Privacy Act;
  3. requiring the person to do any act or thing if the person has engaged, is engaging or is proposing to engage in conduct contravening the Privacy Act;
  4. restraining a person from engaging in conduct that constituted, constitutes or would constitute a contravention of the Privacy Act.

12.2 In deciding whether to seek an injunction from the Federal Court or the Federal Circuit Court, the Information Commissioner may consider those matters referred to in subsection 11.2 of these guidelines.

13      Civil penalties under the PCEHR Act

Legislative basis for seeking a civil penalty order

13.1 Under section 79 of the PCEHR Act, the Information Commissioner may apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision pay a pecuniary penalty to the Commonwealth. The Information Commissioner must make the application within six years of the alleged contravention.

13.2 An overview of the civil penalty provisions in the PCEHR Act is provided below:

  1. sections 59 and 60 – unauthorised collection, use or disclosure, as well as secondary disclosure, of health information in a consumer's PCEHR;
  2. section 74 – a registered healthcare provider organisation providing insufficient information to identify the individual who requests access to a consumer's PCEHR on behalf of the registered healthcare provider organisation;
  3. section 75 – failure of an entity which is, or has at any time been, a registered repository operator or registered portal operator to report either a suspected contravention of the PCEHR Act or an actual or suspected data breach or event compromising the security or integrity of the PCEHR system;
  4. section 76 – failure to notify the PCEHR System Operator in writing, within the required timeframe, of becoming ineligible to be registered as a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider;
  5. section 77 – certain system participants holding or taking PCEHR records outside Australia;
  6. section 78 – contravention of the PCEHR Rules by a person who is, or has been, a registered repository operator or a registered portal operator.

13.3 Subsection 79(5) of the PCEHR Act specifies the maximum pecuniary penalty that a Court may impose.

General approach to civil penalties

13.4 In deciding whether to seek an order imposing a civil penalty, the Information Commissioner may consider:

  1. the particular facts of the matter;
  2. the factors referred to at subsection 7.1 of these guidelines;
  3. the Commonwealth's model litigant obligations referred to at subsection 7.5 of these guidelines;
  4. the guiding principle that the Information Commissioner is unlikely to seek a civil penalty order for minor or inadvertent contraventions, where the person responsible for the contravention has co‑operated with the investigation and taken steps to avoid future contraventions.

14      Civil penalties under the Privacy Act

Legislative basis for seeking a civil penalty order

14.1 Under section 80W(1) of the Privacy Act, the Information Commissioner may apply to the Federal Court or the Federal Circuit Court for an order that a person who is alleged to have contravened a civil penalty provision of that Act pay a pecuniary penalty to the Commonwealth.

14.2 A contravention of the PCEHR Act in connection with health information included in a consumer’s PCEHR or a provision of Part 4 or 5 is an interference with privacy for the purposes of the Privacy Act. Section 13G of the Privacy Act, relating to serious and repeated interferences with privacy, is a civil penalty provision. Therefore, particular conduct may contravene both a civil penalty provision in the PCEHR Act and the ‘serious or repeated interference with privacy’ civil penalty provision in the Privacy Act. In these circumstances, the Information Commissioner may decide to seek a civil penalty under the Privacy Act for an interference with privacy arising from a contravention of the PCEHR Act.

14.3 In deciding whether to seek a civil penalty order under the Privacy Act, the Information Commissioner may consider the matters referred to in subsection 13.4 of these guidelines.

Note

1. All legislative instruments and compilations are registered on the Federal Register of Legislative Instruments kept under the Legislative Instruments Act 2003. See www.comlaw.gov.au.