Publication date: 30 April 2021

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of Telstra Health’s handling of personal information through its mobile application (app) ‘HealthNow’, conducted in September 2020.

1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth), which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

1.3 This assessment was also conducted pursuant to the Memorandum of Understanding between the Office of the Australian Information Commissioner and Australian Digital Health Agency 2019/20 (ADHA MoU) which requires the OAIC to conduct assessments during the period covered by that MoU in relation to the My Health Record (MHR) System or the Healthcare Identifier (HI) Service.

1.4 The scope of this assessment considered Telstra Health’s handling of personal information in relation to the MHR system through the HealthNow app in accordance with APP 1.2 (open and transparent management of personal information) and APP 5 (notification of the collection of personal information).

1.5 This assessment found that Telstra Health is taking reasonable steps to document and implement practices, procedures and systems to ensure the compliance of Telstra Health with the APPs, and to enable the effective handling of privacy inquiries and complaints in relation to the HealthNow app.

1.6 This assessment also found that Telstra Health is taking reasonable steps to notify users of the HealthNow app of APP 5 matters, and ensure those users’ understanding of APP 5 matters in relation to the collection of personal information by the HealthNow app.

1.7 Despite Telstra Health’s mature privacy framework, the OAIC identified several opportunities for improvement to ensure best privacy practice in relation to the HealthNow app; these areas of improvement related to one medium privacy risk associated with the handling of personal information through the HealthNow app, in addition to five low privacy risks.

1.8 The OAIC has therefore made one recommendation - that Telstra Health revises the HealthNow Privacy Statement and in-app notifications to clearly delineate between the collection, use and disclosure of MHR data, and the collection, use and disclosure of other types of personal information collected by the HealthNow app.

1.9 This recommendation, the OAIC’s suggestions, and Telstra Health’s responses, may be found in Part 3 and Part 4 of this report.

Part 2: Introduction

Background

My Health Record, System Operator and Registered Portal Operators

My Health Record

2.1 The MHR system is the Australian Government’s digital health record system, which provides registered healthcare recipients, healthcare professionals and healthcare providers with access to a summary of the registered healthcare recipient’s key health information.

2.2 The MHR system is accessed routinely by a range of different entities (known as ‘participants in the MHR System’)[i], including entities responsible for operating the system and those seeking access or provisioning access to personal information stored in the My Health Record system for a range of different purposes.

System Operator

2.3 The MHR system operates under the My Health Records Act 2012 (MHR Act), which establishes the role and functions of the MHR system operator, the Australian Digital Health Agency (ADHA), the registration framework for individuals and entities to participate in the MHR system, and the privacy framework surrounding the collection, use and disclosure of MHR information.

Registered Portal Operators

2.4 While many individuals who are registered healthcare recipients interface directly with the MHR system to access their MHR data through the Australian Government’s myGov portal,[ii] others may rely on commercial or non-commercial service providers who act as intermediaries to facilitate that access through software products and services.

2.5 A registered portal operator (RPO) is a person who is the operator of an electronic interface that facilitates access to the MHR system, and is registered to participate in the MHR system.[iii]

2.6 RPOs develop authorised mobile applications designed to provide individuals with the ability to view their own record content by providing secure ‘view only’ access through the MHR system’s ‘mobile gateway’[iv].

2.7 As with other MHR entities, RPOs are subject to stringent legal and technical requirements, including those legislative requirements set out under the MHR Act, the My Health Records Rule 2016 (Cth), and My Health Records Regulation 2012 (Cth).

2.8 The primary non-legislative governance mechanism imposing those requirements are ‘Registered Portal Operator Agreements’ which contain ‘interoperability requirements’ setting out standards that must be met by the entity and product in relation to operations, security and consent.

Telstra Health and HealthNow

2.9 Telstra Health Pty Ltd is an RPO for the MHR system and operates the HealthNow mobile health application (HealthNow app), which is the subject of this privacy assessment.

Telstra Health Pty Ltd

2.10 Telstra Health Pty Ltd (Telstra Health) is an Australian eHealth[v] company providing a range of digital health solutions (including digital services, products and platforms).

2.11 Telstra Health’s digital health solutions are varied, and span across multiple different healthcare subsectors including primary and community healthcare, aged care and disability services, pharmacy services and public health analysis.

2.12 Telstra Health is a wholly owned subsidiary of Telstra Corporation Limited (Telstra Corporation), which is one of Australia’s largest telecommunications and technology companies. Telstra Corporation is the controlling entity of multiple telecommunications and technology companies, with the Telstra Corporation and several of its controlled entities collectively forming the ‘Telstra Group’.[vi]

2.13 As a wholly owned subsidiary of Telstra Corporation and member of the Telstra Group, Telstra Health maintains its own corporate governance and risk management systems, but leverages some, but not all, of the larger Telstra Group’s governance frameworks.

Telstra health privacy governance and reporting diagram


HealthNow mobile health application

2.14 The HealthNow app is owned and operated by Telstra Health, and is available for both Android and iOS operating systems. Within Telstra Health the HealthNow App is managed by the Virtual Health Business Unit.

2.15 HealthNow provides a range of eHealth services to users, including the facilitation of ‘view-only’ access to a user’s MHR information and the MHR information of persons for whom the user is a nominated representative.

2.16 The OAIC understood from documentary evidence and fieldwork that MHR is accessed by HealthNow for the purpose of displaying that information to the users but is not collected in a way that would allow the use or disclosure of that information for any other purpose.

2.17 The HealthNow app has other functions including, but not limited to:

  • appointment scheduling services
  • prescription management services
  • facilitating access to vaccination records
  • virtual telehealth services.

HealthNow application functions diagram


2.18 In conducting fieldwork for this privacy assessment, assessors were informed by Telstra Health that monetisation of HealthNow is achieved through partnerships with client organisations in relation to other functions listed in paragraph 2.17. In particular, the HealthNow App generates income by partnering with health service providers to provide their services through the HealthNow app to their existing clients. Telstra Health advised that they currently partner with outpatient departments in hospitals and provide telehealth services to clients.

2.19 The OAIC was informed that MHR information is not now, nor is it intended to be directly monetised in future. Telstra Health stated that they do not use any data for any of their products for market or public relations purposes. Instead, Telstra Health generates income by charging service providers for the ability to offer their services to their existing clients through the application.

Part 3: Findings

Our approach

3.1 The key findings of this assessment are set out below under the following headings which are based on the assessment’s scope (discussed in Part 5):

  • APP 1.2 – Implementing practices, procedures and systems to ensure APP compliance and deal with enquiries and complaints
  • APP 5 – Notification of the collection of personal information

3.2 For each issue, we have provided a summary of the OAIC’s observations, the privacy risks arising from the observations, followed by recommendations or suggestions to address those privacy risks.

3.3 As part of this assessment the OAIC had regard to:

  • Chapters 1 and 5 of the APP Guidelines, in its consideration of the reasonable steps that Telstra Health has taken to address the requirements of APP 1.2 and APP 5. The APP Guidelines outline the mandatory requirements of the APPs, the way in which the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act
  • the Privacy Management Framework, which details steps that Telstra Health is expected to take to meet its ongoing compliance obligations under APP 1.2.

3.4 The APP Guidelines informed the OAIC’s judgment of what is ‘reasonable’ in the circumstances, noting that reasonableness is also informed by contextual facts surrounding a particular act or practice.

APP 1.2 – Implementing practices, procedures and systems

3.5 APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs; and
  • enable the entity to deal with privacy related enquiries or complaints from individuals.

3.6 This section examines key practices, procedures and systems of Telstra Health and the HealthNow app, which ensure Telstra Health’s compliance with APP 1.2 and which relate directly or indirectly to the MHR system, including:

  • governance and culture
  • documented policies and procedures
  • risk management and Privacy Impact Assessments (PIAs)
  • training
  • systems for handling privacy inquiries and complaints.

Governance and culture

3.7 Robust corporate governance and a strong privacy culture ensure the effective oversight and accountability of decision-makers who are responsible for reviewing and approving changes to the handling of personal information which may affect the privacy of individuals.

3.8 Given the sensitivity of personal information collected by the HealthNow app, the association of the HealthNow app with the MHR system, and the additional resources and assistance provided by the Telstra Group to Telstra Health, the OAIC expected to see advanced privacy governance frameworks in operation and a strong privacy culture at Telstra Health.

3.9 Due to Telstra Health’s position as a wholly owned subsidiary of Telstra Corporation, the OAIC considered it necessary to evaluate governance frameworks at both group and entity level. This assessment therefore considered:

  • group governance frameworks
  • entity-level (Telstra Health) governance frameworks
  • privacy culture (group and entity-level).

Group privacy governance

3.10 The Telstra Corporation has developed and implemented mature and robust privacy governance frameworks which apply in varying degrees to most entities in the Telstra Group, including Telstra Health.

3.11 In reviewing governance documents and conducting interviews with key risk staff from Telstra Group and Telstra Health, the OAIC found that Telstra Group’s governance frameworks clearly:

  • designate privacy positions at group and entity level
  • document key privacy roles and responsibilities
  • establish lines of accountability and communication processes
  • embed a strong culture of privacy awareness.

3.12 The Telstra Group’s privacy governance framework is maintained centrally by staff in the Telstra Corporation central privacy function, who are assisted from time to time by subject matter experts (SME) drawn from across the group in relation to cybersecurity, data governance, and international compliance matters.

3.13 The OAIC found no privacy risks in relation to the Telstra Group privacy governance framework, noting however that the implementation of the group privacy framework is a responsibility of and subject to the discretion of function privacy managers, who are risk professionals within each Telstra business unit responsible for privacy within that entity.

Entity-level privacy governance

3.14 Within Telstra Health, the OAIC found that the function privacy manager role was one of several roles and responsibilities attributed to the Telstra Health Risk and Compliance Lead.

3.15 There is no strict requirement for APP entities who are organisations to maintain designated privacy positions,[vii] however, the OAIC would typically expect to see dedicated privacy roles in organisations handling larger volumes of personal information, routinely handling sensitive information, or in organisations whose core business involves dealing in personal information.

3.16 While the role of the Telstra Health Risk and Compliance Lead carries multiple responsibilities in addition to the function privacy manager role, the OAIC was satisfied that the Telstra Health Risk and Compliance Lead was adequately supported in the function privacy manager role and was able to draw upon additional resources as required from within Telstra Health, from the central privacy function at Telstra Corporation and from across the wider Telstra Group.

3.17 Representatives of both Telstra Corporation and Telstra Health acknowledged that not all elements of the Telstra privacy framework had been implemented by Telstra Health, however, in most circumstances Telstra Health was able to provide satisfactory reasons for the decision not to apply the group framework, including the implementation of alternative frameworks or the use of equivalent measures based on unique organisational requirements at entity level.

3.18 Generally, the OAIC is satisfied that Telstra Health and Telstra Corporation have established clear procedures for oversight, communication and accountability of decisions regarding personal information collected, used or disclosed by the HealthNow app.

Telstra privacy awareness and culture

3.19 At group level, Telstra (inclusive of Telstra Health) demonstrated a commitment to privacy awareness and a positive privacy culture, including through the design and implementation of multi-tiered privacy training (discussed below), the conduct of privacy events – such as Privacy Awareness Week (PAW), the creation of privacy resources for function privacy managers, including a privacy community of practice (a network of privacy professionals across the organisation), and the development of group privacy principles.

3.20 The OAIC confirmed through interviews with staff that group level initiatives were implemented at the entity level. During interviews Telstra Health staff demonstrated a strong awareness of privacy considerations and privacy risks around the collection, use and disclosure of personal information within the HealthNow app, and an understanding of the resources available to support them in the event of uncertainty around privacy.

3.21 While the assessment was into Telstra Health, the OAIC observed a mature privacy culture that was implemented from the group level to Telstra Health, and no cultural privacy risks were identified.

Documented policies and procedures

3.22 Documented policies and procedures ensure compliance with the APPs by clearly articulating to staff, employees and contractors any information handling requirements that apply to personal information, and the processes that should be followed to comply with those requirements.

3.23 Telstra Health appeared to have implemented most group level policies, or tailored versions of those policies, in relation to privacy, cybersecurity and information management.

3.24 Telstra Health also appeared to have documented personal information handling processes, in addition to practices, procedures and systems that support compliance with the APPs including:

  • Privacy Compliance Plan (group level)
  • Data Breach Response Plan (or incident response plan) (group and entity level)
  • privacy impact assessments (PIAs), and Privacy Compliance Questionnaires (group level)
  • cybersecurity controls, including access control and audit logging (entity level)
  • Training (discussed below), including:
    • Business Essentials Training (group level)
    • Function Specific Training (entity)

3.25 The OAIC found appropriate audit monitoring and logging procedures in place for the Virtual Health Business Unit which manages HealthNow and confirmed that Telstra Health follows the NIST Framework[viii] and ISO 27001 standards, which the OAIC considers to constitute reasonable ICT security policies and procedures in the circumstances.

3.26 The OAIC found that generally, Telstra Health’s key privacy policies and procedures were well documented and appeared suitable to ensure the compliance of the entity with the APPs.

Risk management and PIAs

3.27 The accurate assessment and appropriate escalation of privacy risks allows them to be effectively managed and mitigated. Implementing effective risk reporting and management procedures and systems commensurate with the type and scale of personal information collection is essential to ensure compliance with the APPs.

3.28 The OAIC expected to see strong risk reporting and management processes for Telstra Health embedded at both group and entity level. The OAIC also expected to find established processes for the proactive identification and reporting of privacy and security risks to key stakeholders within the MHR system due to the position of trust occupied by Telstra Health as a registered portal operator.

3.29 Due to Telstra Health’s situation within the broader Telstra Group and its role as a registered portal operator within the MHR System, this assessment considered:

  • Group risk management and reporting
  • Entity-level risk management and reporting
  • Risk reporting to external parties

Group risk management and reporting

3.30 The Telstra Group has implemented strong risk management and reporting procedures which include regular reporting on privacy through both informal and formalised channels.

3.31 Informally, the Telstra Group Privacy Unit maintains regular contact with business functions through a number of communications and risk reporting channels. Regular communication was supplemented by a range of privacy resources, developed by the central privacy function team within Telstra Corporation including PIAs and compliance questionnaires to assist entities across the Telstra Group in the proactive identification of privacy risks.

3.32 In particular, the PIA template used by all Telstra Group business functions appeared to embody best-practice methodology, requiring the business function user to consult widely on privacy matters within the Group, including by referring cybersecurity, data governance, and jurisdictional privacy matters to relevant SMEs for consideration, advice and sign-off.

3.33 The OAIC found that the risk reporting processes established by the central privacy function team appeared to operate effectively and allowed for a two-way dialogue with staff and facilitated further discussions between entities and the central privacy function in relation to matters affecting privacy.

3.34 More formally, the OAIC also found that privacy issues and risks are reported to the Telstra Group Audit and Risk Committee (ARC) by the Chief Privacy Officer via established reporting processes. The OAIC found logical risk reporting procedures and hierarchies which ensure entities conduct an environmental scan of privacy risks on a regular basis, and report those risks at group level when appropriate.

3.35 In considering these formalised risk reporting arrangements, the OAIC did however note that there is no documented threshold at which privacy risks should be escalated from business function to group level.

3.36 Information gathered through the interview process indicates that there are informal processes and discretionary thresholds applied to the escalation of privacy issues between the function privacy manager at Telstra Health and central privacy function staff. However, documenting thresholds for escalation would provide additional assurance that reporting frameworks will function effectively. The OAIC suggests that Telstra Health clearly documents the escalation of privacy risks from Telstra Health to the central privacy function team.

Entity-level risk management and reporting

3.37 Within Telstra Health, the OAIC observed documented processes for the management and reporting of risks which leverage the Telstra Group risk management framework and feed into the group risk management and reporting processes.

3.38 The OAIC found that Telstra Health staff were aware of and encouraged to use group privacy risk resources to proactively identify privacy risks associated with changes to the way in which personal information was handled by business units. The OAIC found that risks identified through these means were reported to the business function privacy manager regularly, and that key risks were passed on to the central privacy function.

3.39 The OAIC also found that Telstra Health undertook regular risk monitoring, aligned with broader risk practices across the Telstra Group; it appeared that business units conducted risk assessments based on changes to operations, in addition to regular environmental scans on at least an annual basis. Based on information provided by Telstra Health staff, it appeared that key risks were escalated appropriately through business unit managers, and to the Risk and Compliance lead as necessary.

3.40 The OAIC did not find any privacy risks associated with Telstra Health’s entity-level risk management and reporting processes.

Risk reporting to external parties

3.41 The risk reporting and management frameworks at both group and entity level acknowledged the privacy regulatory landscape surrounding the handling of personal information and, for the most part, these frameworks included appropriate notification and reporting procedures to external parties (including the OAIC) in relation to data breaches through the Group’s Privacy Breach Response Guidelines, and through Telstra Health’s own major incident manual.

3.42 While the OAIC was satisfied that risk reporting procedures exist which appear to satisfy the requirements of the Privacy Act, the OAIC noted that similar formalised risk reporting procedures were not in place to notify the ADHA of serious privacy incidents, even where these may not be seen as directly relating to the MHR System. Given the strong safeguards imposed by the Australian Parliament in respect of MHR Data, the OAIC considers that any privacy incident, whether directly or indirectly related to the MHR System, should be reported to the System Operator, the ADHA, because such incidents are likely to affect public trust in the MHR System, and may cause indirect harm to its users.

3.43 Telstra Health indicated that they reported to the ADHA on an ad hoc basis, however the OAIC believes this creates a low privacy risk that matters affecting the personal information of My Health Record users may not be communicated in a timely manner to the ADHA for consideration.

3.44 For this reason, the OAIC suggests that Telstra Health establishes more formal and regular meetings with the ADHA to ensure the effective communication of privacy risks and issues regarding HealthNow to the ADHA.

Training

3.45 Training supports APP entity compliance with the APPs by embedding a strong privacy culture within the organisation and operationalising key privacy policy and procedures.

3.46 Within the Telstra Group, privacy training appeared to be a co-responsibility, shared between the central privacy function and each business function privacy manager, with each function responsible for delivering different elements of the privacy training program. The OAIC therefore examined both:

  • group level training
  • entity specific training.

Group level training

3.47 At a group level, all Telstra group staff, including those employed by Telstra Health, are required to undertake ‘Business Essentials’ training annually.

3.48 ‘Business Essentials’ training includes a module related to privacy and is managed centrally by the Telstra Corporation privacy function. Telstra Health representatives noted that attendance at ‘Business Essentials’ training was actively monitored by the Human Resources Unit within Telstra Health to ensure all staff completed the training on an annual basis.

3.49 Business function privacy managers also had additional privacy training available to them on an annual basis through the Telstra privacy community of practice, in addition to the opportunity to share key privacy learnings at bi-monthly meetings.

Entity specific training

3.50 In addition to group level training, Telstra Health staff, employees and contractors are also required to undertake function specific training based on their roles and responsibilities. Function specific training is completed during induction, with content developed by the business function privacy manager in coordination with the business function legal unit.

3.51 While function specific training was formerly delivered in-person, it has recently transitioned to online delivery which enables monitoring of completion by staff.

3.52 Outside of formal training, Telstra Health staff - particularly those involved in technical implementation - noted that they received on-the-job training, which included consideration of privacy risks and issues where appropriate.

3.53 On balance, the OAIC considered the combination of group and function training for Telstra Health staff, employees and contractors to be reasonable in the circumstances and the OAIC did not detect any privacy risks arising in relation to training.

Systems for handling privacy inquiries and complaints

3.54 APP 1.2 requires APP entities to ensure they have practices, procedures and systems in place to enable the entity to deal with privacy related inquiries or complaints from individuals about the entity’s compliance with the APPs.

3.55 Telstra Health displayed that it has in place practices, procedures and systems that enable it to deal with inquiries or complaints from individuals about the entity’s compliance with the APPs, including:

  • a call line for customers to contact Telstra Health (entity level)
  • in-app, and web-based complaints portals (product specific)
  • a complaint ticketing system using JIRA software (product specific)
  • documented procedures for managing complaints about the HealthNow App (product specific), and
  • procedures for escalating major incidents, including clinical incidents and privacy matters (entity level).

3.56 The OAIC observed, however, that Telstra Health does not have a formalised or documented procedure for referring inquiries, complaints or incidents to the ADHA where required. The OAIC considers this to constitute a low privacy risk, however, this is covered in suggestions above (see paragraphs 3.44-3.45).

APP 5 - Notification of collection of personal information

APP 5.1 – Reasonable steps to provide notice of collection

3.57 APP 5.1 requires APP entities that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters (APP 5 matters - discussed below).

3.58 Importantly, the OAIC’s APP Guidelines outline that an individual may be notified or made aware of APP 5 matters through a variety of formats, provided that the matters are expressed clearly.

3.59 The OAIC observed that Telstra Health (assisted by Telstra Corporation) took a number of steps to inform users of the HealthNow app of the collection of their personal information, including:

  • ‘in-app’ statements and FAQ style notices which precede consent to collect personal information
  • links within the HealthNow app, at points when the user makes a decision, to the Telstra Health Privacy Policy, and HealthNow Privacy Statement
  • multiple APP Privacy Policies which cross-reference each other, specifically:
    • the Telstra Privacy Statement
    • the Telstra Health Privacy Policy
    • the HealthNow Privacy Statement (which acts as an APP privacy policy for most of the app’s other functions)
    • the HealthNow Virtual Clinical Services Privacy Statement (which acts as the APP 1 privacy policy for the telehealth functions of the HealthNow app).

3.60 The OAIC considered that some forms of notification, such as the Telstra Privacy Statement, and Telstra Health Privacy Policy were less suitable as a collection notice under APP 5, as these statements were too general to be considered effective notice by themselves because they do not make users aware of the specific circumstances of collection by the HealthNow app.

3.61 However, when viewed in totality, the OAIC found that across the multiple steps taken by Telstra Health, which included those notification steps taken within the HealthNow app (statements, FAQ notices, and links), and those taken external to it (Telstra Privacy Statement, Telstra Health Privacy Policy, HealthNow Privacy Statement), reasonable steps had been taken by Telstra Health to notify, or otherwise ensure that individuals using the HealthNow app were aware of, relevant APP 5 matters.

APP 5.2 – Content of notices of collection (APP 5 Matters)

3.62 APP 5.2 lists the APP 5 matters that must be notified to an individual or of which they must be made aware. The APP 5 matters include:

  • the APP entity’s identity and contact details
  • the fact and circumstances of collection of personal information
  • whether the collection of personal information is required or authorised by law
  • the purposes of collection of personal information
  • the consequences if personal information is not collected
  • how the entity usually discloses personal information of the kind collected by the entity
  • information about the entity’s APP Privacy Policy
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

3.63 To ensure that users of the HealthNow app are notified, or made aware of the APP 5 matters, across the range of collection notices employed by Telstra Health, the OAIC examined each notice separately, and in combination.

Collection notice – ‘In-App’ statements and FAQ style notices

3.64 To examine the effectiveness of collection notices within the HealthNow app (in-app notices), the OAIC interviewed key development staff and undertook a product demonstration of the app’s set-up process.

3.65 The OAIC found that the HealthNow app contains two sets of ‘FAQ style’ notices which display information relating to APP 5 matters.

3.66 The first set of notices is managed by the HealthNow product team within Telstra Health, and addresses most of the matters set out under APP 5.2.

3.67 These notices are presented clearly to the user at key points during the setup process of the HealthNow app when the user is required to make a decision and are available to the user at later stages through the app landing screen once the app has been successfully set up.

3.68 The second set of notices links to content pages managed by the ADHA. The OAIC understands that the display of these notices is an interoperability requirement imposed by the System Operator, ADHA, and that Telstra Health is unable to edit the content of these notices.

3.69 In examining the collection notices managed by Telstra Health, the OAIC found several low privacy risks arising from the way in which information was presented to users of the app.

3.70 For example, APP 5 requires users to be informed of the consequences of a failure to collect their personal information; however, currently it is inferred that failure of a user to agree to the HealthNow app’s terms and conditions and privacy statement is an acknowledgement by the user that they are unable to use the app without providing their information. The OAIC did not see a reference to overseas disclosures in the notifications.

3.71 The OAIC considers that a low privacy risk exists in that a user may not understand the consequences of failing to provide their personal information. The OAIC suggests that Telstra Health review the in-app notifications to ensure that they cover all matters in APP 5.2, including overseas disclosure and the consequences of failing to provide information.

3.72 In making this observation, the OAIC acknowledges that the HealthNow app and other RPOs ‘access’ My Health Record data on a ‘read only’ basis, and that it is outside of the control of Telstra Health to edit that MHR data or arrange for its access and correction through the ADHA.

3.73 Nonetheless, the OAIC considers that a low privacy risk exists for users of the app, in that they may be unaware of the process for accessing and correcting their MHR data and may not be able to readily find that information, thereby dissuading them from pursuing their privacy rights under APPs 12 and 13 in relation to access and correction.

3.74 The OAIC found that the HealthNow app would benefit from further details in relation to the access and correction of personal information collected by the app, including MHR data. The OAIC suggests Telstra Health consider additional text in their ‘in-app’ notice relating to accessing and correcting their MHR information, including the processes for accessing and correcting their MHR data.

3.75 Lastly, the OAIC found that in relation to collection notices managed by ADHA, there is no mechanism within the HealthNow app to notify users of changes to the underlying MHR system such as changes to the collection, use or disclosure of their MHR information by the System Operator, or changes to the MHR collection notice(s) once the application has been set up.

3.76 Where users rely on HealthNow as their sole source of access to the MHR system, it is reasonably foreseeable that users may miss out on important notifications regarding these matters.

3.77 The OAIC viewed this as presenting a low privacy risk to users of the HealthNow app, and suggests that Telstra Health work with ADHA to ensure the best way to notify customers of changes to the MHR system, and MHR component of the HealthNow App.

Collection notice – ‘In-App’ links to Telstra Health Privacy Policy, HealthNow Privacy Statement

3.78 In addition to ‘in-app’ collection notices, the OAIC found that links to the Telstra Health Privacy Policy and HealthNow Privacy Statement were provided to users of the app at points where the HealthNow app requires a decision or consent from the user, as a form of collection notice. Telstra Health also indicated through the interview process that the HealthNow Privacy Statement serves as the primary APP 5 Collection Notice.

3.79 The APP 5 Guidelines provide advice on the use of APP Privacy Policies as collection notices, and state ‘where it is not reasonable to notify or ensure awareness of the full range of APP 5 matters, an entity could alert the individual to specific sections of its APP Privacy Policy.’

3.80 The guidance goes on to state, however, that ‘before doing so, the entity should consider whether the information in the APP Privacy Policy sufficiently covers the APP 5 matters as they relate to the particular collection, as the APP Privacy Policy may only describe the general information practices of the entity’.

3.81 The OAIC considers that the Telstra Health Privacy Policy is too general to constitute a reasonable collection notice for the HealthNow app; however, when viewed in conjunction with the HealthNow Privacy Statement, which is tailored and adapted to the HealthNow application and its collection practices, the two policies do cover the APP 5 matters relating to collection of personal information by the HealthNow app.

3.82 However, while a separate collection notice exists for the virtual telehealth service functionality of the HealthNow app, the OAIC observed that the HealthNow Privacy Statement and the in-app collection notices did not distinguish between the treatment of MHR data and other personal information collected by the HealthNow app. Neither HealthNow’s privacy statement nor its in-app notifications sufficiently distinguish between the collection, use and disclosure of MHR information, and the collection, use and disclosure of other personal information, including ‘health information’, that is collected by the HealthNow App.

3.83 The OAIC considers that this lack of specificity and differentiation in the HealthNow Privacy Statement and the in-app collection notices constitutes a medium privacy risk to users of the HealthNow app, because users may fail to understand that their personal information is collected outside of the MHR access functionality.

Recommendation 1

Telstra Health should revise its HealthNow privacy statement, and in-app notifications, to clearly state the purpose of the collection, use and disclosure of MHR information, and the collection, use and disclosure of other personal information collected by the HealthNow Application.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 The OAIC recommends that Telstra Health should revise its HealthNow privacy statement, and in-app notifications, to clearly state the purpose of the collection, use and disclosure of MHR information, and the collection, use and disclosure of other personal information collected by the HealthNow Application.

Response by Telstra Health to the recommendation

4.2 Agreed. Telstra Health will revise the HealthNow privacy statement to clearly delineate the collection of personal information for MHR purposes versus personal information collected for the purpose of registering and using other services on the HealthNow App. Telstra Health also commits to providing additional in-app notification to inform consumers on the difference between how personal information is collected, used and disclosed in the HealthNow App in relation to both the MHR and the other services accessible through the HealthNow app.

Part 5: Description of assessment

Role of the OAIC

5.1 The OAIC oversees the privacy aspects of the MHR system, including:

  • investigating the mishandling of health information in an individual’s MHR
  • giving privacy guidance to users of the MHR system
  • accepting and assessing data breach notifications in relation to MHR data
  • conducting privacy assessments.

5.2 The OAIC provides independent privacy assessment services to the System Operator, the ADHA, in accordance with the ADHA MoU, which requires the OAIC to conduct assessments during the period covered by that MoU in relation to the MHR System or the HI Service.

Objective and scope of the assessment

5.3 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

5.4 The objective of this assessment was to determine whether Telstra Health is handling personal information of registered healthcare recipients in accordance with APPs 1.2 and 5. Specifically, the assessment considered whether Telstra Health:

  • is taking reasonable steps in accordance with APP 1.2 to implement practices, procedures and systems that will ensure compliance with the APPs
  • is taking reasonable steps to notify individuals of the collection of personal information in accordance with APP 5.1, and
  • has privacy notices that address the matters listed in APP 5.2.

5.5 The scope of the assessment is limited to steps taken by Telstra Health to comply with APPs 1.2 and 5, when handling the personal information (including My Health Record information) of registered healthcare recipients as a Registered Portal Operator as defined by the MHR Act.

Privacy risks

5.6 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (Appendix A refers), the OAIC makes recommendations to Telstra Health about how to address those risks. These recommendations are set out in Part 4 of this report.

5.7 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinion are only applicable to the time period in which the assessment was undertaken.

5.8 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Timing, location and assessment techniques

5.9 The OAIC conducted a risk-based assessment of Telstra Health’s handling of personal information (including My Health Record information) of registered healthcare recipients in relation to the APPs.

5.10 The assessment involved the following:

  • review of relevant policies and procedures provided by Telstra Health
  • in light of travel restrictions relating to the COVID-19 pandemic, fieldwork, which included virtual interviews of key members of staff through videoconferencing platforms on 9 and 10 September 2020.

Reporting

5.11 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Assumptions and caveats

5.12 The OAIC reviewed the Telstra Privacy Statement, the Telstra Health Privacy Policy, HealthNow Privacy Statement and HealthNow Virtual Telehealth Services Privacy Statement against the requirements of APP 5. Assessors did not consider these APP Privacy Policies against the requirements of APP 1.3-1.5 as this is outside the scope of this privacy assessment.

5.13 The OAIC did not review subfunctions of the HealthNow app that do not relate to the MHR System. Readers must not take this report as an endorsement of the HealthNow product by the OAIC, or any other Telstra Health product or service.

5.14 APP 1.2 requires that APP entities have processes, procedures and systems in place to ensure compliance with the APPs. This privacy assessment considered whether processes, procedures and systems are in place – it did not examine the compliance of Telstra Health with any specific APP except APPs 1.2 and 5.

Appendix A: Privacy risk guidance

Footnotes

[i] Section 5 of the My Health Records Act 2012 (Cth) (MHR Act), defines a ‘participant in the My Health Record System’ as:

  1. the System Operator
  2. a registered healthcare provider organisation
  3. the operator of the National Repositories Services
  4. a registered repository operator
  5. a registered portal operator
  6. a registered contracted services provider, so far as the contracted service provider provides services to a registered healthcare provider.

[ii] MyGov is an online digital identity service operated by Services Australia, which provides users with access to select Australian Government online services.

[iii] See https://www.myhealthrecord.gov.au/glossary/ (accessed 17 February 2021)

[iv] Mobile gateway is an industry term for the software or hardware that provides the secure communication between a mobile application and a network (such as the MHR system).

[v] eHealth refers to the use of information and communications technology to improve or enable health care.

[vii] The Australian Government Agencies Privacy Code 2017 (Cth) does however contain such requirements at entity level, including the requirement to appoint a Privacy Officer and Privacy Champion in each agency.

[viii] The National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, developed a Cybersecurity Framework (NIST Framework) which provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber-attacks. For more information see: https://www.nist.gov/cyberframework.