Australian Government - Office of the Australian Information Commissioner

Privacy fact sheet 18: The OAIC and the My Health Record system

This fact sheet sets out the powers and functions of the Office of the Australian Information Commissioner (OAIC) when investigating complaints about the My Health Record system.

What is a My Health Record?

A My Health Record is an online summary of your health information, such as medicines you are taking, any allergies you may have and treatments you have received. It was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

Your My Health Record allows your doctors, hospitals and other healthcare providers (such as physiotherapists) to view your health information, in accordance with your access controls. You are also able to access it online yourself.

The My Health Record system opt-out period commenced on 16 July 2018, and you now have until 15 November 2018 to advise the Australian Digital Health Agency if you do not want a My Health Record to be automatically created for you. Although the My Health Record system has previously operated on an opt-in (self-registration) model, every individual with a Medicare or Department of Veterans’ Affairs card who does not already have a record will now be automatically registered for a My Health Record, unless they choose not to have one.

For further information about the My Health Record and what to do if you don’t want a record created, visit the My Health Record website or call the My Health Record Help line on 1800 723 471. You can also read the OAIC’s opt-out FAQs.

What is the role of the OAIC?

The OAIC is the independent regulator of the privacy aspects of the My Health Record system. Personal information in My Health Records may only be collected, used and disclosed in ways specifically permitted under the My Health Records Act 2012 (My Health Records Act). The OAIC regulates the privacy provisions of the My Health Records Act. The OAIC has a range of functions under the My Health Record system, including:

  • investigating complaints about the mishandling of personal information in a My Health Record
  • providing education and guidance about privacy for individuals, healthcare providers, the System Operator (the Australian Digital Health Agency) and other participants in the system
  • accepting data breach notifications from participants in the My Health Record system.

The OAIC also has a range of enforcement powers under the Privacy Act 1988 (Privacy Act) and My Health Records Act, including:

  • accepting enforceable undertakings to restrain or require particular conduct
  • using Privacy Act enforcement mechanisms, such as making determinations
  • seeking an injunction to restrain or require particular conduct
  • seeking a civil penalty order from a Court.

Complaints

You can complain to the OAIC if you believe that the personal information in your My Health Record may have been mishandled. The OAIC can accept complaints about the acts or practices of Australian government agencies and private sector organisations (including all healthcare providers).

Complaint handling framework

In some cases state and territory privacy regulators may also have a role in regulating state and territory entities under the My Health Record system. Complaints made to the OAIC about a state or territory entity may be transferred to a state or territory privacy or health regulator if the entity is outside the OAIC’s jurisdiction.

Complaint handling process

Before making a complaint to the OAIC, you should contact the agency, organisation or individual directly to try to resolve your concerns.

If you are not satisfied with the response, you can make a complaint to the OAIC or the Australian Digital Health Agency. The OAIC may decide not to investigate your complaint if you have not raised your concerns with the respondent first.

You must also give the individual, agency or organisation a reasonable time (usually 30 days) to respond to your complaint. In some cases the OAIC may not investigate the complaint immediately where the respondent has advised that it is taking action.

A complaint to the OAIC must be in writing. After receiving a complaint, the OAIC will assess whether it has jurisdiction and if so, whether to conduct an investigation. There may be situations where the OAIC will decide not to investigate, or to discontinue an investigation.

For more information on how to make a complaint, go to the OAIC’s privacy complaints page.

The OAIC will attempt to conduct a conciliation between the parties and, where appropriate, will pursue enforcement mechanisms available under either the My Health Records Act or the Privacy Act. For more information see What happens to my complaint.

Commissioner initiated investigations

The OAIC can also conduct investigations without first receiving a complaint from an individual.

An investigation of this type (sometimes called a ‘Commissioner initiated investigation’) could be opened in a situation where the Commissioner hears about a privacy issue (for example through the media) but no complaints have been received.

Enforcement guidelines

The OAIC’s My Health Records Enforcement Guidelines set out its general approach to using enforcement and investigatory powers under both the My Health Records Act and the Privacy Act. They also set out some of the factors the OAIC may consider when deciding the appropriate enforcement response.

Mandatory data breach notification guide

Under the My Health Records Act, participants are required to report data breaches that occur in relation to the My Health Record system to the OAIC and the Australian Digital Health Agency. If a data breach is not reported, this could be a breach of the My Health Records Act and civil penalties may apply.

The OAIC has prepared a guide about mandatory data breach notifications under the My Health Records Act which is available on the OAIC website.