Australian Government - Office of the Australian Information Commissioner

Privacy fact sheet 18: The OAIC and the My Health Record system

March 2016

This fact sheet sets out the powers and functions of the Office of the Australian Information Commissioner (OAIC) when investigating complaints about the My Health Record system.

What is a My Health Record?

A My Health Record is an online summary of your health information, such as medicines you are taking, any allergies you may have and treatments you have received. It was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

Your My Health Record allows your doctors, hospitals and other healthcare providers (such as physiotherapists) to view your health information, in accordance with your access controls. You are also able to access it online yourself.

In most parts of Australia you need to actively register for a My Health Record. However, people whose registered Medicare address is in Northern Queensland or the Nepean Blue Mountains will have a My Health Record automatically created for them by the Australian Government. If you are registered as living in either of these areas and don’t want a My Health Record, you will need to opt out by 27 May 2016.

You can use the postcode checker on the My Health Record website to see if your registered Medicare address is in one of these areas. If it is, you should also receive a letter and brochure from the Australian Government with further information.

This fact sheet is for everyone who already has or will soon have a My Health Record and anyone else who is thinking of registering for one. This includes people whose registered Medicare address is in Northern Queensland and the Nepean Blue Mountains region.

What is the role of the OAIC?

The OAIC is the independent regulator of the privacy aspects of the My Health Record system. Personal information in My Health Records may only be collected, used and disclosed in ways specifically permitted under the My Health Records Act 2012 (My Health Records Act). The OAIC regulates the privacy provisions of the My Health Records Act. The OAIC has a range of functions under the My Health Record system, including:

  • investigating complaints about the mishandling of personal information in a My Health Record
  • providing education and guidance about privacy for individuals, healthcare providers, the System Operator and other participants in the system
  • accepting data breach notifications from participants in the My Health Record system.

The OAIC also has a range of enforcement powers under the Privacy Act 1988 (Privacy Act) and My Health Records Act, including:

  • accepting enforceable undertakings to restrain or require particular conduct
  • using Privacy Act enforcement mechanisms, such as making determinations
  • seeking an injunction to restrain or require particular conduct
  • seeking a civil penalty order from a Court.

Complaints

You can complain to the OAIC if you believe that the personal information in your My Health Record may have been mishandled. The OAIC can accept complaints about the acts or practices of Australian government agencies and private sector organisations (including all healthcare providers).

Complaint handling framework

In some cases state and territory privacy regulators may also have a role in regulating state and territory entities under the My Health Record system. Complaints made to the OAIC about a state or territory entity may be transferred to a state or territory privacy or health regulator if the entity is outside the OAIC’s jurisdiction.

Complaint handling process

Before making a complaint to the OAIC, you should contact the agency, organisation or individual directly to try to resolve your concerns.

If you are not satisfied with the response, you can make a complaint to the OAIC or the System Operator. The OAIC may decide not to investigate your complaint if you have not raised your concerns with the respondent first.

You must also give the individual, agency or organisation a reasonable time (usually 30 days) to respond to your complaint. In some cases the OAIC may not investigate the complaint immediately where the respondent has advised that it is taking action.

A complaint to the OAIC must be in writing. After receiving a complaint, the OAIC will assess whether it has jurisdiction and if so, whether to conduct an investigation. There may be situations where the OAIC will decide not to investigate, or to discontinue an investigation.

For more information on how to make a complaint, go to the OAIC’s privacy complaints page.

The OAIC will attempt to conduct a conciliation between the parties and, where appropriate, will pursue enforcement mechanisms available under either the My Health Records Act or the Privacy Act. For more information see What happens to your privacy complaint.

Commissioner initiated investigations

The OAIC can also conduct investigations without first receiving a complaint from an individual.

An investigation of this type (sometimes called a ‘Commissioner initiated investigation’) could be opened in a situation where the Commissioner hears about a privacy issue (for example through the media) but no complaints have been received.

Enforcement guidelines

The OAIC’s My Health Records Enforcement Guidelines set out its general approach to using enforcement and investigatory powers under both the My Health Records Act and the Privacy Act. They also set out some of the factors the OAIC may consider when deciding the appropriate enforcement response.

Mandatory data breach notification guide

Under the My Health Records Act, participants are required to report data breaches that occur in relation to the My Health Record system to the OAIC and the System Operator. If a data breach is not reported, this could be a breach of the My Health Records Act and civil penalties may apply.

The OAIC has prepared a guide about mandatory data breach notifications under the My Health Records Act which is available on the OAIC website.

For further information

telephone: 1300 363 992

email: enquiries@oaic.gov.au

write: GPO Box 5218, Sydney NSW 2001

Or visit our website at www.oaic.gov.au