Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Investigation into Professional Services Review concludes: Statement from Timothy Pilgrim, Australian Privacy Commissioner

16 September 2011

"I have closed my investigation into Professional Services Review finding that there was a breach of the Privacy Act. I found that PBS and MBS claims information were being stored in the same database and this was in contravention of PSR's obligations under the Privacy Guidelines for Medicare Benefits and Pharmaceutical Benefits Program.

To resolve this matter, the Office of the Australian Information Commissioner and PSR have worked together to develop a solution that ensures MBS and PBS information will be stored separately in PSR's system. PSR has also updated its IT Security policy and procedures as part of the solution. I am pleased that PSR has undertaken to implement these systems changes. As part of my investigation I also examined whether PSR had reasonable security safeguards in place to protect the information it holds from unauthorised access, use, modification or disclosure. I am satisfied that PSR has appropriate security safeguards in place."

Background Information

Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Program (the Guidelines).

The purpose of the Guidelines is to give effect to section 135AA of the Health Act. The Guidelines provide specific standards and safeguards for the way that individuals' MBS and PBS claims information is handled by Australian Government agencies when stored in computer databases. These standards are in addition to any requirements that may be imposed by the Information Privacy Principles (IPPs) contained in section 14 of the Privacy Act.

The primary objectives of the Guidelines are to ensure the separation of claims information collected under the Medicare Benefits Program and the Pharmaceutical Benefits Program, as well as establishing the circumstances under which this information may be linked and retained in linked form. 

The Guidelines also prescribe the circumstances in which claims information may be retained in various forms, such as where it is required to be separated from personal identifying components (that is 'de-identified').  The establishment of regular reporting requirements and a framework for limited retention periods is intended to ensure that the linkage and retention of claims information does not result in the de facto combination of the two databases.

A breach of the Guidelines constitutes an interference with privacy under section 13 of the Privacy Act.  In turn, an individual may complain to the Privacy Commissioner about an alleged interference with their privacy.

The Guidelines can be accessed at: