
PCEHR system mandatory data breach notification consultation paper

 

Closing date for comment: 25 September 2012


 

Contents

Purpose

How to make comments

Privacy collection statement

Background

Stimulus questions

 

 Purpose

The Office of the Australian Information Commissioner (OAIC) is the independent regulator of privacy aspects of Australia's personally controlled electronic health (eHealth) record system.

Section 75 of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) requires certain types of entities to report data breaches which occur within the eHealth record system and to take specified actions in response to a breach. The OAIC has termed such data breaches 'notifiable data breaches'.

The data breach notification obligations under the eHealth system are new obligations. This is the first time data breach notification will be mandatory in Australia. The OAIC can seek a civil penalty if a notifiable data breach is not reported.

The OAIC has prepared a draft guide to data breach notification (the guide), to help entities comply with their obligations. The guide, titled Mandatory data breach notification in the eHealth record system is available in HTML and PDF versions. It is available at www.oaic.gov.au/news/consultations.html#current_consultations

Entities with reporting obligations under section 75 of the PCEHR Act include the eHealth record System Operator (SO), registered repository operators (RROs) and registered portal operators (RPOs). While all RROs and RPOs have reporting obligations, only those that are Australian government agencies or private sector organisations must report breaches to the OAIC. State and territory RROs and RPOs must report breaches to the SO rather than the OAIC; however, as their reporting obligations are similar, they may find the guide useful.

This consultation paper explains the background to the guide, including the distinction between mandatory data breach notification under the eHealth system and current voluntary data breach reporting practices under the Privacy Act 1988 (Cth) (Privacy Act). The consultation paper poses a series of stimulus questions to assist interested parties in preparing comments in response to the guide.

 How to make comments

The Australian Information Commissioner invites your comments on the OAIC's draft guide: Mandatory data breach notification in the eHealth record system. The closing date for comment is 25 September 2012.

The OAIC is seeking comments on the guide from industry groups, entities or individuals with an interest or expertise in the eHealth record system. Anyone from the general public may also make a submission.

Although the guide is aimed at entities that have mandatory data breach reporting obligations under the PCEHR Act, the OAIC welcomes comments by other interested parties who may be affected by the guide.

Submissions can be made by email to consultation@oaic.gov.au or by post to GPO Box 5218 Sydney NSW 2001. Electronic lodgement of submissions is preferred.

Note: The OAIC intends to make all submissions publicly available. Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).

To assist the OAIC to meet its obligations with respect to accessibility requirements, we request that emailed submissions be made in HTML, Rich Text Format (.rtf) or Microsoft Word (.doc or .docx) format.

 Privacy collection statement

The OAIC will only use the personal information it collects during this consultation for the purpose of revising and finalising the guide.

 Background

 The eHealth record system

From July 2012, Australians can choose to register for their own personally controlled eHealth record.

An eHealth record is an electronic summary of an individual's key health information. Initially an eHealth record will contain basic information. As the system develops, healthcare providers will be able to add more information like treatments, medications and allergies.

Individuals can control their own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.

More information about the eHealth record system can be found at www.ehealth.gov.au/.

 Privacy and the eHealth record system

The PCEHR Act and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the eHealth record system.

The legislation limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy for the purposes of the Privacy Act.

The OAIC regulates privacy aspects of the eHealth record system. This includes regulating the handling of eHealth record system information by individuals, Commonwealth government agencies, private sector organisations and some state and territory agencies (in particular circumstances).

The OAIC's role includes investigating complaints about the mishandling of health information in an individual's eHealth record. The OAIC can also conduct ‘own motion investigations’ without receiving complaints from individuals, at its discretion.

More information about privacy and the eHealth record system can be found on the OAIC's website at www.privacy.gov.au/law/other/the-ehealth-record-system.

 Data breach notification under the eHealth record system

The guide explains the requirements for data breach notification under the PCEHR Act. The steps that entities must take in response to a breach, stipulated under section 75 of the PCEHR Act, were based upon the steps contained in the OAIC's voluntary data breach notification guide: A guide to handling personal information security breaches.

There are important differences between mandatory data breach notification under the PCEHR Act and current data breach reporting practices under the Privacy Act. Those distinctions are explained in the guide. In summary, data breaches are currently reported under the Privacy Act voluntarily and may be reported by all entities covered by the Privacy Act. Data breaches reported under the PCEHR Act are mandatory (notifiable data breaches) and are only required to be reported by certain kinds of entities covered by the PCEHR Act (the SO, RROs and RPOs).

Other entities participating in the eHealth record system, such as healthcare providers, may continue to voluntarily report data breaches to the OAIC if they have obligations under the Privacy Act. They may also be required to report data breaches to the SO by their Participation Agreements with the SO, but this is not required under the PCEHR Act.

Data breaches reported under the PCEHR Act include unauthorised collections, uses and disclosures of personal information, as well as events or circumstances that compromise or may compromise the security or integrity of the eHealth record system (such as data security breaches).

 Language used in the guide

The term ‘data breach’, which is used throughout the guide, is not used in the PCEHR Act. However, it has entered into common usage in Australia and in various other jurisdictions, and is used in the OAIC's voluntary data breach notification guide.

Similarly, the term ‘notifiable data breach’, which is used throughout the guide, is not used in the PCEHR Act. The term was chosen by the OAIC because it signifies a legal requirement to report a data breach to the relevant authority. It aims to distinguish breaches that are mandatory to report under the PCEHR Act from breaches that may be reported voluntarily.

 Proposed changes to data breach notification under the Privacy Act

In its inquiry into the Privacy Act, the Australian Law Reform Commission recommended that the Privacy Act impose a mandatory obligation to notify the Privacy Commissioner and affected individuals of a data breach if the breach could give rise to a ‘real risk of serious harm’ to the individuals.[1] The OAIC strongly supports this recommendation.

 Stimulus questions

The OAIC has prepared the following questions which are intended to stimulate comments and reflections on the draft data breach notification guide. The questions are not intended to confine the issues that may be raised. You may wish to respond to some or all questions, or to raise other issues you consider relevant.

  • Substance: The OAIC's data breach notification guide is intended to set out entities' reporting obligations under the PCEHR Act. Will the draft guide assist entities to meet their obligations? Are there any ways the guide could better assist entities to meet their obligations?
  • Substance: Are there any other factors, not covered in the guide, which entities should consider when taking steps to respond to a data breach? (see ‘Responding to a notifiable data breach’)
  • Substance: Is the language used in the guide sufficiently clear and informative for the target audience? If not, how could the language be improved?
  • Format: Is the guide structured in a clear manner which is informative for the target audience? If not, how could the structure be improved?
  • Education: Are there any other ways the OAIC could help entities meet their data breach notification reporting obligations under the PCEHR Act?

[1] See ALRC Report 108: For Your Information: Australian Privacy Law and Practice (Recommendation 51-1) available at www.austlii.edu.au/au/other/alrc/publications/reports/108/.