Australian Government - Office of the Australian Information Commissioner - Home

eHealth record system – OAIC Enforcement Guidelines

Consultation paper

August 2012

Closing date for comment 18 September 2012


Contents

Purpose
How to make comments
Privacy collection statement
Background

The eHealth record system
Privacy and the eHealth record system
The Australian Information Commissioner’s powers
Enforcement Guidelines
Proposed guidelines
Draft Enforcement Guidelines
Overview of approach
Stimulus questions


Purpose

The Office of the Australian Information Commissioner (OAIC) is the independent regulator of privacy aspects of Australia’s personally controlled electronic health (eHealth) record system.

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) requires the Australian Information Commissioner to formulate guidelines outlining how the Commissioner will approach enforcement issues relating to the eHealth record system (the OAIC’s Enforcement Guidelines).

The OAIC has prepared draft Enforcement Guidelines for public consultation, together with this consultation paper, to assist interested parties in preparing comments in response to the OAIC’s proposed guidelines and approach.

The draft Enforcement Guidelines are available in PDF, RTF and Word versions.

How to make comments

The Australian Information Commissioner invites your comments on the OAIC’s draft Enforcement Guidelines. The closing date for comment is 18 September 2012.

Submissions can be made by email to consultation@oaic.gov.au or by post to GPO Box 5218 Sydney NSW 2001. Electronic lodgement of submissions is preferred.

Note: The OAIC intends to make all submissions publicly available. Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).

To assist the OAIC to meet its obligations with respect to accessibility requirements, it is requested that emailed submissions be made in HTML, Rich Text Format (.rtf) or Microsoft Word (.doc or .docx) format.

Privacy collection statement

The OAIC will use the personal information it collects in the course of this consultation only for the purpose of revising and finalising the OAIC’s Enforcement Guidelines.


Background

The eHealth record system

From July 2012, Australians can choose to register for their own personally controlled eHealth record.

An eHealth record is an electronic summary of an individual’s key health information. Initially an eHealth record will contain basic information. As the system develops, healthcare providers will be able to add more information like treatments, medications and allergies.

Individuals can control their own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.

More information about the eHealth record system can be found at www.ehealth.gov.au.

Privacy and the eHealth record system

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the eHealth record system.

The legislation limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy for the purposes of the Privacy Act 1988.

The OAIC regulates privacy aspects of the eHealth record system. This includes regulating the handling of eHealth record system information by individuals, Commonwealth government agencies, private sector organisations and some state and territory agencies (in particular circumstances).

The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s eHealth record. The OAIC can also conduct ‘own motion investigations’.

More information about privacy and the eHealth record system can be found on the OAIC’s website at www.privacy.gov.au/law/other/the-ehealth-record-system.

The Australian Information Commissioner’s powers

The PCEHR Act confers on the Australian Information Commissioner a range of enforcement powers following an investigation, including:

  • the power to seek a civil penalty from the Courts
  • the power to seek an injunction to prohibit or require particular conduct
  • the power to accept enforceable undertakings.

In addition, the OAIC has a role in accepting data breach notifications from certain eHealth record system participants.

In addition to the powers conferred by the PCEHR Act, the Information Commissioner’s existing Privacy Act investigative and enforcement powers will be available. This includes complaint conciliation and the power to make formal determinations, as well as the investigative powers and procedures contained in Part V of the Privacy Act. These Privacy Act mechanisms are triggered by section 73 of the PCEHR Act, which provides that certain contraventions of the PCEHR Act are 'taken to be: (a) for the purposes of the Privacy Act 1988, an interference with the privacy of a consumer; and (b) covered by section 13 or 13A of that Act'.

Enforcement Guidelines

Section 111 of the PCEHR Act requires the Information Commissioner to issue guidelines outlining how the OAIC will approach enforcement issues under the PCEHR Act and related legislation. The Information Commissioner must have regard to these guidelines when exercising functions and powers under the legislation.

The legislation requires the OAIC’s Enforcement Guidelines to be made by legislative instrument. The Legislative Instruments Act 2003 requires the Information Commissioner to undertake appropriate consultation before making the instrument.


Proposed guidelines

Draft Enforcement Guidelines

In order to fulfil the requirements of section 111 of the PCEHR Act, the OAIC has prepared draft Enforcement Guidelines which outline how the OAIC will approach enforcement issues in connection with the eHealth record system.

The draft Enforcement Guidelines are available on the OAIC’s website at www.oaic.gov.au/news/consultations.html#current_consultations.

Overview of approach

The OAIC’s intended approach to PCEHR Act enforcement activities is as follows:

  • Complaints will generally be accepted under the Privacy Act and investigated using the investigative powers and processes contained in Part V of the Privacy Act. The OAIC will attempt to facilitate conciliated outcomes between the parties and, where appropriate, will pursue enforcement mechanisms available under either the PCEHR Act or the Privacy Act.
  • Own motion investigations will generally be conducted under the Privacy Act using the investigative powers and processes contained in Part V.
  • The Commissioner retains a discretion to investigate conduct using the investigative power in s 73(4) of the PCEHR Act where the Commissioner considers it appropriate. In such cases, the Commissioner will adopt an investigative process which, wherever possible, mirrors the investigative process contained in Part V of the Privacy Act.

Stimulus questions

The OAIC has prepared the following questions which are intended to stimulate comments and reflections on the OAIC's draft Enforcement Guidelines. The questions are not intended to confine the issues that may be raised. You may wish to respond to some or all questions, or to raise other issues you consider relevant.

  • Substance: The OAIC’s draft Enforcement Guidelines outline how the Commissioner will approach enforcement matters relating to the eHealth record system. Do you agree with the Commissioner’s proposed approach to eHealth record system enforcement?
  • Format: Do the OAIC’s draft Enforcement Guidelines set out the Commissioner’s proposed approach in a clear manner which is informative for PCEHR system participants? If not, how can they be improved?