Data matching conducted by the Department of Health and Aged Care: Practice Incentives Program eHealth Incentives Compliance Program

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the data matching[1]activities undertaken by the Department of Health and Aging (Health) as a part of the Practice Incentives Program eHealth Incentives (ePIP) compliance program.[2]

1.2 The objective of this assessment is to determine whether the matching of information and handling of information related to that matching, conducted under Health’s ePIP program, is in accordance with Part VIIIA of the National Health Act 1953 (Cth) (NH Act), including the National Health (Data-matching Principles) 2020 (Cth) (DM Principles)[3] made by the Minister under subsection 132F(1) of NH Act. This is both a compliance and risk-based assessment.

1.3 While Health has generally complied with the DM Principles, the assessment found that it has only partially complied with its obligations relating to its technical standards report and maintenance of records relating to the deletion of data matching information. The assessment makes recommendations and one suggestion in relation to these compliance issues.

1.4 The assessment also makes one recommendation in relation to an identified high privacy risk concerning the deletion of data matching information under Part 5 of the DM Principles and one recommendation in response to a medium risk concerning the correction of personal information under Part 6 of the DM Principles.

Part 2: Introduction

Background

2.1 The ePIP is an incentives program, administered by Services Australia on behalf of Health, which aims to encourage general practitioners (GPs) to keep up to date with the latest developments in digital health and adopt new digital health technology as it becomes available. Incentive payments are made to general practices that participate in continuous quality improvement activities and submit data to their local Primary Health networks on a quarterly basis.[4]

2.2 Health’s ePIP data matching program involves Health matching information with the Australian Digital Health Agency (ADHA) and Services Australia[5] to identify GP practices ineligible for the ePIP incentive payment under the ePIP Incentive Guidelines. The ePIP data matching program occurs as part of a broader ePIP compliance program which aims to identify errors in awarding the incentive.

2.3 This program occurs pursuant to Part VIIIA of the NH Act which enables the Chief Executive Medicare (CEM) to match certain information for permitted purposes.[6] Data matching must also occur in accordance with the DM Principles made under s 132F of the NH Act.[7]

Part 3: Findings

3.1 The key findings of the OAIC’s assessment of data matching activities undertaken in respect of the ePIP data matching program are set out below.

3.2 While the data matching by Health was not conducted under the OAIC’s voluntary Guidelines on Data Matching in Australian Government Administration (the Data Matching Guidelines), several of the obligations in the DM Principles are similar to the OAIC’s the Data Matching Guidelines. [8] Accordingly, when assessing Health’s obligations under the DM Principles, the OAIC has had regard to the Data Matching Guidelines. The OAIC has also had regard to the Australian Privacy Principles (APP) Guidelines where appropriate.

Part VIIIA of the NH Act

3.3 Section 132B of the NH Act provides that the CEM may match the types of information specified in that section for a permitted purpose. Subsection 132B(1) specifies the types of information that the CEM may match. This includes the information that is held or has been obtained by the CEM for the purpose of a medicare program.

3.4 The relevant permitted purposes are defined under s 132A of the NH Act and include the purpose of identifying whether a person may have, under a medicare program, claimed or been paid a benefit that exceeds the amount of the benefit that was payable to the person, and recovering overpayments of benefits under a medicare program.

3.5 The ePIP data matching program involves Health matching information with ADHA and Services Australia to identify GP practices ineligible for the ePIP under the eHealth Incentive Guidelines.

3.6 Health conduct data matching activities as delegates of the CEM. Functions conferred on the CEM are delegated to Health staff under s 8AC of the Human Services (Medicare) Act 1973 (HSM Act), which provides that the CEM may delegate his or her functions under the HSM Act or any other Act to a Department employee which, as per the Administrative Arrangements Order, is an employee of Health.

3.7 Health has provided evidence that the ePIP data matching program is occurring for the legislated permitted purposes under ss 132A(a), (b), (c), (e) and (f) of the NH Act. Additionally, as the ePIP incentive is a medicare program, this is a type of information specified in s 132B(1)(a) of the NH Act as information held or obtained by the CEM for the purpose of a medicare program. Based on the information provided the OAIC is satisfied that this data matching is occurring in accordance with Part VIIIA of the NH Act.

Data Matching Principles

Good privacy practice (Part 2, s 5-7)

Section 5 – Publishing information about authorised information-matching

3.8 Part 2 of the DM Principles concerns good privacy practice and outlines the requirements regarding publishing, the technical standards and the evaluation of privacy practices.

3.9 Section 5 of the DM Principles requires the CEM to publish materials prescribed in that section on the internet. Health provided evidence that the information required in s 5 of the DM Principles has been published on the Health website.[9]

3.10 The assessment found that Health is compliant with s 5 of the DM Principles.

Section 6 – Technical standards for authorised data-matching programs

3.11 Section 6 of the DM Principles requires the CEM to prepare and maintain written technical standards to govern the conduct of each data matching program. The technical standards must include the information prescribed in ss 6(2)(a)- 6(2)(e) of the DM Principles. The assessment found that while Health has a technical standards report (TSR) for the ePIP compliance program, it has only partially complied with the requirements of the DM Principles.

3.12 Paragraph 6(2)(b) of the DM Principles requires the TSR to include the specification for each matching algorithm used for the program.

3.13 The TSR provided by Health contains a section titled ‘Matching Procedure’. This section sets out the process for the data matching at a high level, including combining several tables of information to create a master list. Reports are created from this master list which are used to identify GP practices for potential enforcement action. The TSR, however, contains little detail about the matching algorithm used in the program such as specific details of how this process is practically carried out. While Health provided evidence that the data matching conducted in respect of the ePIP data matching program is not particularly complex (in comparison to other data matching activities) as it utilises limited data points, s 6(2)(b) of the DM Principles requires that the specification for each matching algorithm for the program is included in the TSR. Further information is required to understand the specific details of how this process is practically carried out or to be able to replicate the results of the matching.

3.14 To fully satisfy s 6(2)(b) of the DM Principles, the OAIC recommends that Health amend the TSR to specify the matching algorithm used for the program. In these circumstances, this could include providing more information about the specific techniques or programs used to generate and combine the tables used in the process, which we understand involved the merging of spreadsheets to compare the dataset supplied by Services Australia with that held by Health.

3.15 Paragraph 6(2)(c) of the DM Principles requires the TSR to include any risks that have been identified in relation to the program and how these risks will be addressed. While the technical standards report provided by Health discusses risks at a high level, it lacks detailed risk analysis, including the basis for the determination that there are no data quality or integrity risks associated with the matching.

3.16 To fully satisfy s 6(2)(c), the OAIC recommends that Health amend the TSR to provide more detailed risk analysis, including the basis for the determination that there are no data quality or integrity risks associated with the matching.

3.17 Additionally, s 6(2)(d) requires the TSR to include information about the controls used to ensure the continued integrity of the information used for the program and the system for the program. Relevant considerations for the integrity of the information used during the program include security, confidentiality and accuracy. Health’s TSR provides an overview of the security and confidentiality safeguards in place to minimise access to personal information and ensure the integrity of the system and the information used in the program. During the fieldwork Health provided evidence that spot checks of the data are conducted. The TSR could be updated to specifically outline the steps taken to ensure the accuracy of the information used in the program.

Section 7 – Evaluation of privacy practices for authorised information-matching

3.18 Section 7 of the DM principles requires Health to conduct an evaluation of privacy practices relating to authorised matching within 3 years of the commencement of that matching. As the ePIP data matching program commenced in 2021, Health is not required to finalise an evaluation at this time.

Publicly available register (Part 3, ss 8 – 10)

3.19 Sections 8 of the DM Principles requires the CEM to establish and maintain a publicly available register of the kinds of information matched by the CEM. Section 9 prescribes the types of information that be included on that register.

3.20 Health have provided evidence of this register and the OAIC is satisfied that Health is compliant with Part 3 of the DM Principles.[10]

Record-keeping (Part 4, ss 11 – 14)

3.21 Section 11 of the DM Principles requires the CEM to keep records of the information matched under s 132B(1) of the NH Act. Section 12 sets out specific records that must be maintained in relation to authorised data-matching programs.

3.22 Health provided evidence of the maintenance of records to satisfy s 11 and ss 12(1)(a)- (d) and 12(2) of the DM Principles. This includes evidence of records of the description of the information matched, the frequency of matching and the permitted purpose of the matching.

3.23 However, s 12(1)(e) of the DM Principles requires Health to keep a record of the date on which information was received from another entity for the purpose of facilitating the matching. Health advised that it does not currently record when the data is received from ADHA or Services Australia The OAIC recommends that Health keep a record of the date on which the information is received to ensure compliance with s 12(1)(e).

3.24 Subsection 13(1) of the DM Principles requires Health as the delegate of the CEM to keep records of personal information destroyed under ss 15(1), 16(1) and 17(1) of the DM Principles.

3.25 Health was unable to provide records to demonstrate that personal information has been destroyed in accordance with the section. Health provided evidence that information has yet to be destroyed. The reasons for this are set out in more detail below.

3.26 Health advised that the systems currently in use do not provide a record of when data is destroyed. The OAIC recommends that Health should amend its procedures to ensure that a record is kept of when personal information is destroyed. Health suggested that amendments could be made to its process to include the date on which the data was received and a check box relating to destruction.

Destruction of personal information and results of matching (Part 5, ss 15 – 17)

3.27 Subsections 15(1), 16(1) and 17(1) of the DM Principles require Health as the delegate of the CEM to take reasonable steps to destroy personal information that has been matched, the results of that matching and personal information that is determined not to be required for matching within 90 days of that information no longer needed for any purpose.

3.28 As a part of the ePIP compliance program, Health holds information that has been matched (s 15(1) of the DM Principles) and the results of that matching (s 16(1) of the DM Principles). The OAIC is reasonably satisfied, however, that Health has a purpose for the retention of this information beyond the 90 day period contemplated in Part 5 of the DM Principles. Specifically, Health advised that the ‘master list’ created as a result of the matching is the original source of data relied upon for compliance decisions and that these decisions can be challenged for several years after the matching has taken place. Even where the matching indicates that a GP has validly received a compliance payment, this information may still be relevant to compliance decisions in future years.

3.29 However, during the fieldwork, there was uncertainty as to whether Health must retain the information for 7 or 10 years, and the basis for these timeframes. Health stated that the information must be retained for 7 years for compliance purposes. However, Health also suggested that its systems are set up to retain information for 10 years. Health was unable to provide specific basis for why a 7 or 10 year time period is necessary to retain the information for a compliance purpose, such as a statutory limitation period where Health’s compliance action relevant to the ePiP compliance program can be challenged.

3.30 While the evidence provided by Health suggests that there is a business reason to retain the information described in s 15 (1) and s 16(1) of the DM Principles, the failure to substantiate the time period for retaining this information creates a high privacy risk that the information will be kept for longer than needed. The OAIC recommends that Health must undertake a review to determine the appropriate period of time that the information can be retained under s 15 and 16 of the DM principles, including identifying the basis for that retention. As a result of that review, Health must also update its policies and procedures to include the timeframes for destruction.

3.31 During fieldwork, Health have provided a draft ‘Data Destruction Plan’ which will aim to address these issues when finalised. At the time of this assessment, this plan has yet to be endorsed.

3.32 The OAIC understands that all information obtained by Health as part of the ePIP data matching program is intended to be matched. This means that Health is not required to destroy personal information under s 17 of the DM Principles.

Accuracy, completeness and currency of personal information (Part 6, s 18)

3.33 Part 6 of the DM Principles requires Health, as the CEM Medicare, to take reasonable steps to ensure that personal information that is matched is accurate, complete and up to date. These steps must include quality assurance checks. Additionally, where personal information is matched and an individual requests to correct the information, the CEM must also take steps as are reasonable to correct information.

3.34 The ePIP data matching program involves Health matching information received from the ADHA and Services Australia to identify GP practices ineligible for the ePIP under the eHealth Incentive Guidelines. Health provided evidence that information is manually spot checked and also provided a number of procedures which ensure that the codes and systems are operating as predicted. Additionally, Health has a process to allow individuals to request a review for decisions made under the ePIP data matching program.

3.35 Given the limited amount of personal data that is being matched, the OAIC is satisfied that Health is taking reasonable steps to ensure the personal information that is matched is accurate, complete and up to date.

3.36 Subsection 18(6) of the DM Principles requires that if information matched by the CEM is personal information, and an individual makes a request to correct that information, the CEM must take such steps (if any) as are reasonable in the circumstances to correct the information.

3.37 Health provided evidence that the information matched for the purposes of the ePIP compliance program does not contain personal information. The TSR, however, indicates that the data sets to be matched contains personal information in the form of contact information which could be the subject of a correction request.

3.38 Health provided evidence that it has procedures in place to facilitate the correction of personal information, including in its data matching notice which refers individuals to the Department’s Privacy Officer to make correction requests. GPs are also provided with the ability to advise Services Australia about incorrect information and are informed that they can update information themselves via the Health Professional Online Services portal.[11]

3.39 Health’s internal Data Matching Directives specifically address data corrections and notes that it must take reasonable steps to correct or update personal information it holds. Where data is shared between agencies, Health’s Data Matching Directives require relevant sharing agreements to address responsibility for ensuring correction requirements are met. However, while the Data Matching Directives note that the Department must correct personal information it holds, the guidelines also state that where copies of data have been shared between agencies, it is typically the responsibility of the agency that holds the original dataset to correct or update the personal information.

3.40 Subsection 18(6) requires Health to, on request from an individual, correct information that it matches which is personal information. The guidance in Health’s internal Data Matching Directives to notify the agency that holds the original dataset for the information of any correction requests alone will not satisfy s 18(6), and Health itself must still take steps as are reasonable in the circumstances to correct relevant information that it has matched. The guidance in the Data Matching Directive creates a medium privacy risk that Health will not take reasonable steps to correct matched information that is personal information.[12]

3.41 Accordingly, the OAIC recommends that Health should update its internal policies and procedures, including the Data Matching Directive, to clarify that Health must take steps as are reasonable in the circumstances to correct matched information that is personal information within its own records. While not the subject of this assessment, the correction requirements in APP 13 would also apply to Health and contains similar obligations to s 18(6) of the DM Principles. The OAIC’s guidance on APP 13 sets out special considerations that may apply to the correction of Commonwealth records as defined in the Archives Act 1983 (Cth). The definition is likely to include, in almost all cases, all personal information held by agencies.[13]

Decisions about matching of information (Part 7, ss 19-20)

3.42 Part 7 of the DM Principles requires Health to consider the purpose of the matching and the data fields required to accurately conduct the matching. In particular, it requires the CEM to decide whether the data fields in a dataset are necessary for the matching, and the data subjects in a dataset are necessary for matching. It also requires the CEM to consider how the data fields and data subjects necessary for the matching, as well as the use of personal information, can be minimised.

3.43 Health provided evidence that the delegate of the CEM Medicare has considered whether information should be matched and the fields required for the matching. The OAIC is satisfied that the CEM has given appropriate consideration to the requirements under s 20 of the DM Principles, including the minimisation of information used in the data matching program.

Part 4: Recommendations and responses

4.4 OAIC recommendation 1

Health should amend the technical standards to include:

• The specification of the matching algorithm used to conduct the data matching;
• An analysis of the risks identified in the program, including basis for the determination that there are no data quality or integrity risks associated with the matching.

4.5 Health response

• Accepted.
  
  ePIP Data Matching: the department will add to the ePIP Data Matching Program approval documentation, additional technical details as considered relevant.
  
  General data matching: the data matching approval template will be updated under technical standards to include prompts with examples of technical details to include from this point forward.
  
  Timing: by the end of 2023

• Accepted
  
  ePIP Data Matching: the department will update the ePIP Data Matching Program approval documentation, to include an analysis of the risks identified in the program, including the basis for the determination that there are no data quality or integrity risks associated with the matching.
  
  General data matching: the data matching approval template will be updated under technical standards to include prompts with examples of technical details to include from this point forward.
  
  Timing: by the end of 2023

4.6 OAIC Suggestion 1

Health could amend the technical standards to specifically outline the steps taken to ensure the accuracy of the information used in the program.

4.7 Health response

• Accepted.
  
  ePIP Data Matching: the department will update the ePIP Data Matching Program approval documentation, to specifically outline steps taken to ensure the accuracy of information used in the data matching program
  
  General data matching: the data matching approval template will be updated under technical standards to include steps taken to ensure the accuracy of information used in data matching programs from this point forward.
  
  Timing: by the end of 2023

4.8 OAIC Recommendation 2

To comply with s 12 and 13 of the DM Principles, Health must amend its procedures to ensure that:

• A record is kept of when data matching information is received; and
• A record is kept of when personal information is destroyed.

4.9 Health response

• Accepted.
  
  The department will update the data matching procedures to include a record be kept of when data matching information is received and where the record must be stored. The business and technical areas will write these updates into their standard operating procedures.
  
  Timing: by the end of 2023

• Accepted.
  
  The department will update the data matching procedures to include a record be kept of when personal information is destroyed and where the record must be stored. The business and technical areas will write these updates into their standard operating procedures.
  
  Timing: by the end of 2023

4.10 OAIC Recommendation 3

Health must:

• undertake a review to determine the appropriate period of time that the information can be maintained under s 15 and 16 of the DM principles, including identifying the basis for that retention; and
• as a result of that review, update its policies and procedures to include the timeframes for deletion.

4.11 Health response

• Partially accepted.
  
  The department does not accept key finding, “the failure to substantiate the time period for retaining information creates a high privacy risk that this information will be retained when no longer needed under s 15 and 16 of the DM Principles”.
  
  As an Australian Government agency, the Department of Health and Aged care is bound by the Privacy Act 1988 and the requirements of the Australian Privacy Principles. Further, we do not keep information that we no longer need for the purpose it was collected, unless the law requires us to do so. It is either destroyed or de-identified as required under the Archives Act 1983.
  
  At the point in time of this assessment, review of the retention and destruction requirements had already been conducted and the development of more explicit guidance for the destruction of data matching results was drafted and provided to the Office of the Australian Information Commissioner.
  
  Once approved, the business and technical areas will write the destruction requirements into their standard operating procedures.
  
  Timing: by end of 2023

• Partially accepted
  
  At the point in time of this assessment, review of the retention and destruction requirements had already been conducted and the development of more explicit guidance for the destruction of data matching results was drafted and provided to the Office of the Australian Information Commissioner.
  
  Once approved, the business and technical areas will write the destruction requirements into their standard operating procedures.
  
  Timing: by end of 2023

4.12 OAIC Recommendation 4

Health should update its internal policies and procedures, including the Data Matching Directive, to clarify that Health must take steps as are reasonable in the circumstances to correct matched information that is personal information within its own records.

4.13 Health response

• Accepted.
  
  The department will add to written processes, "...as are reasonable in the circumstances to correct matched information that is personal information that it holds".
  
  Timing: by end of 2023

Part 5: Description of assessment

Objective and scope of assessment

Timing, location and assessment techniques

5.1 The OAIC conducted both a risk-based and a compliance-based assessment. It focused on whether Health, in undertaking data matching under its ePIP Program, complied with the requirements of Part VIIIA of the NH Act, including the DM Principles made by the Minister under subsection 132F(1) of NH Act. In relation to Parts 5 and 6 of the DM Principles, the assessment focused on identifying privacy risks relevant to these obligations.

5.2 This assessment involved the following activities:

• review of relevant policies, procedures and technical documentation provided by Health
• fieldwork, which included interviewing key members of staff at within Health during December 2022 and January 2023.

5.3 Where the OAIC identified privacy risks and considered those risks to be high risks, the OAIC made recommendations about how to address those risks. For more information about OAIC privacy risk ratings, refer to the Appendix A of this report or the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Part 6: Appendices

Appendix A – Privacy risk guidance