The eHealth system
1.1 The personally controlled electronic health record system (eHealth system) commenced operation on 1 July 2012. The system was established by, and is regulated under, the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act), the PCEHR Rules 2012 (Cth) (PCEHR Rules) and the Personally Controlled Electronic Health Records Regulation 2012 (Cth). The PCEHR (Assisted Registration) Rules 2012 (Cth) (AR Rules) set out requirements for conducting assisted registrations in the eHealth system.
1.2 The System Operator (currently the Secretary of the Department of Health) is responsible for the operation and management of the eHealth system. Consumers can apply to the System Operator to register for a personally controlled electronic health record (eHealth record). When a consumer registers for an eHealth record they are consenting to have their health information uploaded to their eHealth record by healthcare provider organisations (HPOs) involved in their care.
The Privacy Act and the APPs
1.3 The Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) (Privacy Act) generally regulate a HPO’s handling of consumers’ personal information. In addition, the PCEHR Rules, the AR Rules and conditions imposed by the System Operator (s 43, PCEHR Act) outline privacy obligations in the context of the eHealth system.
Western Sydney Medicare Local (WSML)
1.4 WSML is funded by the System Operator to assist individuals to register for an eHealth record. Operating as WentWest Ltd, WSML undertakes a number of other business functions including providing education, awareness and training on the eHealth system for organisations (such as medical practices) and for particular consumer groups (such as those living in aged care facilities).
1.5 Assisted registration is a process through which a HPO assists a consumer to register for an eHealth record. It is an alternative to other methods of registration (online, in person, in writing or over the phone).
1.6 A HPO conducting an assisted registration must give the consumer a copy of the ‘Essential Information about assisted registration and your privacy in the eHealth system’ brochure developed by the System Operator to read and understand. The consumer then completes and signs a one-page form, ‘Assisted registration: application to register for a PCEHR’. HPOs must verify the consumer’s identity, either by confirming that they are a known customer of the HPO, or through a 100 point identity check.
1.7 HPOs can use the assisted registration tool (ART) software provided by the System Operator to enter and submit the consumer’s details electronically to the System Operator. The HPO must either store the signed registration forms for a period of at least three years or send the forms to the System Operator, or both (AR Rule 7(3)).
1.8 During an assisted registration HPOs collect personal information required to identify the consumer and register them for an eHealth record and to enable the System Operator to manage the eHealth system, including:
- name, date of birth and sex (gender)
- Medicare card number or Department of Veterans’ Affairs (DVA) file number
- email address and/or mobile phone number if a consumer wishes to receive an identity verification code (IVC) to access their eHealth record online
- Aboriginal or Torres Strait Islander status (optional).
1.9 HPOs also collect the consumer’s consent to uploading health information about the consumer to the eHealth system by healthcare providers involved in their care. Consumers may also choose to provide consent for the inclusion of Medicare and pharmaceutical benefits claims information in their record.
Part 2 — Description of assessment
Objective and scope
2.1 The assessment was conducted pursuant to s 33C(1)(a) of the Privacy Act which allows the OAIC to assess whether personal information held by an APP entity is being maintained and handled in accordance with the APPs. WSML is an APP entity under the Privacy Act.
2.2 The objective of this assessment was to assess the extent to which WSML, in the course of conducting assisted registration, handles personal information in accordance with the following APPs:
- APP 3 in respect of the fairness and lawfulness of collection of personal information and consent from consumers during the assisted registration process
- APP 5 in respect of the notification of particular matters upon the collection of personal information
- APP 11 in respect of the information security of personal information collected, in particular its storage, retention and destruction.
2.3 The scope of the assessment is limited to a review of WSML’s policies and procedures applicable to the assisted registration process, in the context of the handling of personal information, as well as the implementation of these policies and procedures.
2.4 The assessment did not include a physical review or testing of the technical capabilities of the IT systems used by WSML.
Timing, location and methodology
2.5 The assessors conducted the fieldwork component of the assessment on 8 May 2014 at the office of WSML in Sydney. The assessment fieldwork included:
- review of documents, including policies and procedures provided by WSML
- interviews with the following WSML staff:
  - Primary Health Care Services Manager (responsible for oversight of the assisted registration program)
  - eHealth Implementation Manager
  - Privacy Officer
  - Consumer Registration Assistant (CRA)
  - Registrations Clerk
  - IT systems contractor
  - Manager of Strategy and Projects
- a mock assisted registration of a consumer.
2.6 The assessors acknowledge the contribution WSML staff made in giving their time, expertise and assistance to the OAIC in undertaking the assessment which was conducted in a collaborative and positive manner.
Information obtained during the assessment
2.7 WSML provided numerous documents prior to and during the fieldwork for this assessment. These included recent versions of the WSML’s internal processes, policies and procedures documents relevant to its assisted registration program. A full list of the documentation provided by WSML is at Appendix A.
2.8 The assessors are of the opinion that the processes and procedures implemented by WSML for handling personal information in the conduct of its assisted registration program allow it to maintain its records of personal information in accordance with APPs 3, 5 and 11.
2.9 Detailed observations made during the assessment are set out in Parts 3, 4, 5 and 6 of this report.
2.10 The assessors have made one recommendation on page 14.
2.11 A recommendation is a suggested course of action or a control measure that, if put in place by the agency, will (in the opinion of the OAIC) minimise the risks identified around how personal information is handled against the relevant criterion.
2.12 During the assessment, the assessors also made suggestions for some additional measures WSML could consider. These measures could, in the opinion of the OAIC, further minimise any potential privacy risks and strengthen existing mitigation strategies around how personal information is handled against the requirements in the relevant APPs. These suggested measures are set out throughout this report.
2.13 A number of the suggestions made in the report relate to WSML fully documenting its policies and procedures in relation to processes that could impact on privacy compliance. The suggestions are made for the purpose of capturing corporate knowledge about privacy risk mitigation measures and ensuring the continuation of privacy risk mitigation practices.
2.14 To the extent possible, the OAIC publishes final assessment reports in full or in an abridged version on its website: www.oaic.gov.au. It is sometimes inappropriate to publish all or part of a report because of statutory secrecy provisions or for reasons of privacy, confidentiality, security or privilege. This report has been published in full.
Part 3 — WSML’s privacy function and staff roles
Staff roles (relevant to assisted registration)
3.1 The assessors observed that WSML’s structure in relation to its assisted registration program had clear roles and responsibilities. We have provided greater details for the benefit of other organisations conducting assisted registration activities. There are no privacy issues relating to this section.
3.2 The Privacy Officer is the central point of coordination for quality assurance and risk management functions across WSML, including compliance with the Privacy Act. The Privacy Officer is responsible for reporting information on quality assurance and risk management as appropriate to WSML’s board, including the CEO.
Primary Health Care Services Manager
3.4 It was observed that managing privacy compliance for the assisted registration program, including ensuring that appropriate policies and procedures were in place to comply with privacy legislation, was the responsibility of the Primary Health Care Services Manager.
3.5 This role has ownership of all documents at the program level, and develops WSML’s privacy policies and procedures for the assisted registration program.
3.6 It was observed that the Primary Health Care Services Manager was considered by WSML to be an in-house privacy expert in terms of understanding the legislative requirements relevant to the program. This role also provided ad hoc internal training on the privacy requirements to the eHealth Project Manager and other managerial staff.
eHealth Implementation Manager
3.7 The eHealth Project Manager manages the consumer registration assistants (CRAs), registration clerk and the eHealth project officers. This role is also responsible for issues management regarding CRAs’ work and coordination of weekly meetings with CRAs to discuss and resolve issues.
3.8 The CRAs are responsible for conducting assisted registrations. The Registration Clerk is responsible for following up on unsuccessful registrations and forwarding completed registration forms to the System Operator. The eHealth project officers are responsible for project work across the eHealth programs run by WSML, including assisted registration.
WSML general procedures relevant to privacy
3.9 The Privacy Officer described WSML procedures relevant to privacy to the assessors. The assessors consider that, in general, the approach adopted by WSML demonstrates integration of privacy into its business and operations. There are no privacy issues in this section of the report.
Internal audit and quality improvement processes
3.11 The quality improvement area audits WSML’s business processes and program areas regularly to identify opportunities for improvement. Privacy matters are considered in the audit process.
3.12 WSML’s risk management plan contains control strategies for addressing privacy issues. This plan is reviewed every three months, and the results are presented to the board.
3.13 WSML’s risk register includes the risk of non-compliance with privacy laws (recorded as a medium risk level due to the low likelihood of the risk occurring, but with high level of impact on the business if it was to occur).
Privacy training for WSML staff
3.14 Privacy training across WSML is being updated. WSML is planning to implement a new eLearning management system this financial year, which would include a privacy training module designed for staff across WSML. Team leaders have been briefed on legislative updates in relation to privacy.
Managing and reporting privacy complaints
3.15 Privacy incidents are reported through WSML’s risk management system. The reporting is configured so that staff can report issues anonymously. Any privacy complaints received would go to the Privacy Officer for consideration.
3.16 WSML has developed an incident reporting form for CRAs to use to record any unprecedented scenarios when conducting assisted registrations, including any privacy issues.
WSML policies relevant to assisted registration
3.17 WSML provided the following policies which relate to the handling of personal information in its assisted registration program:
- PCEHR assisted registration policy (required under AR Rule 9)
- IT infrastructure policy
- Staff internet and email use policy.
3.18 The assessors observed that WSML staff at all levels interviewed had a good understanding of the policies and procedures relevant to assisted registration and how to implement them.
3.19 The assessors understand that WSML’s Quality Improvement Framework requires regular review of all of WSML’s policies and procedures, including policies relevant to assisted registration. This helps to ensure the currency of policies.
3.20 The assessors suggest that WSML consider including reference to the timeframes for reviewing all policies relevant to assisted registration and the date of currency of each policy in the policy documents themselves. This will increase public confidence that policies are current and regularly reviewed.
3.21 There are no privacy issues in this section of the report.
Part 4 — WSML’s assisted registration program
WSML’s assisted registration program
Observations — WSML’s assisted registration activities
4.1 WSML’s assisted registration program has been in place since October 2012. WSML implemented use of the ART in March 2013.
4.2 WSML conducts assisted registrations primarily on site at general practices, which has been the most successful activity in terms of registration rates. WSML advised that this may be because people are thinking about their health in this setting, and it is a more supportive environment for consumers. The practices also allow for better privacy protection; for example, by having a separate room to conduct the registration and discuss a consumer’s queries.
4.3 WSML has trialled assisted registrations in other locations, such as shopping centres. However, these locations were considered unsuitable for reasons including a lack of privacy, and trials resulted in low numbers of registrations.
4.4 WSML has also worked with aged care facilities. A challenge in this context is ensuring the capacity of the consumer to provide informed consent. As a result, WSML advised it generally found these types of locations to be more suitable for education and awareness about the eHealth record system. WSML advised that assessing a consumer’s ability to provide consent has not presented difficulties in the general practice setting to date.
Observations — WSML’s assisted registration program in medical practices
4.5 Once a practice is ‘eHealth ready’ (the practice has a HPI-O, is registered under the eHealth system and to undertake assisted registrations, and has received training on the eHealth system), WSML negotiates with the practice to have a CRA placed at the practice for four to six weeks to conduct assisted registrations for consumers of the medical practice.
4.6 WSML also negotiates resources for use by the CRA, including a separate room if possible, or an alternative space with some level of privacy if no room is available.
4.7 When working within practices, CRAs wear uniforms and ID badges. They are required to follow the policies and procedures of the practice. When approaching consumers, CRAs introduce themselves as being from WSML.
4.8 Undertaking assisted registration activities in unsuitable locations may put at risk the ability of an HPO to meet its obligations under APP 11 to take reasonable steps to protect information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
4.9 When registering for an eHealth record, the consumer is providing a standing consent for the upload of their health information into their eHealth record, where it may be accessed by health professionals involved in their care. Therefore, it is important that any consent obtained is an informed consent.
4.10 If an HPO seeks to register consumers who may not have capacity to provide consent, there is a risk that the HPO may not be obtaining an informed and effective consent as required by APP 3.
4.11 In the assessors’ opinion, WSML has developed an effective strategy to mitigate both of these risks in its use of general practices as the primary setting for assisted registration activity and the way it undertakes that activity.
WSML’s approach to the recruitment of CRAs and ongoing support
4.12 The assessors understand that WSML was the first Medicare Local to introduce a consumer registration assistant team. The assessors observed that the recruitment process for CRAs is rigorous, with two rounds of interviews in addition to a literacy test and psychometric testing. WSML placed a high emphasis on recruiting CRAs with strong interpersonal skills.
4.13 The assessors observed that WSML provides ongoing support to CRAs, who are mostly operating in off-site locations. This includes weekly CRA meetings where CRAs discuss issues, seek advice from managers, undergo training, and express requests for changes to processes or further training on particular issues.
4.14 The assessors were shown a selection of agendas from these meetings, which listed emotional sustainability training and managing difficult customers training as agenda items.
4.15 CRAs are provided with ongoing support from the eHealth Project Manager. If CRAs have questions or are unable to resolve issues on site they can contact their manager for support and advice by phone or email.
4.16 WSML does not structure its employment terms to CRA staff to include targets for numbers of registrations undertaken or bonuses or other incentives for registering consumers.
4.17 The use of bonus or other incentive systems based on the number of registrations undertaken raises a risk that unfair collection behaviours by CRAs may occur and that compliance with APP 3 may be compromised. WSML has mitigated this risk by not introducing such remuneration structures and by providing support to CRAs when needed.
WSML’s approach to staff training
Observations — training CRAs in WSML’s approach to assisted registration
4.19 There is also a discussion of privacy matters that are relevant to the work of CRAs (for example, collection, access and security). Training also emphasises the importance of consumers providing valid and informed consent to the registration.
4.20 Following the training, CRAs are placed with more experienced CRAs for one week, so that new CRAs can observe how to approach customers, answer questions and undertake other elements of their role.
4.21 WSML emphasises training CRAs to understand the need for consumers to be well informed before agreeing to register by assisted registration, including ensuring that consumers:
- understand that there are other forms of registration
- understand that registration is not compulsory
- understand that their personal details are being collected by WSML for the purpose of registering them for an eHealth record
- understand that their health records will be uploaded to their eHealth record and who will be able to access that record, including access in emergency situations
- receive answers to any questions they have about eHealth records, including privacy concerns and use of the access control functions available, before being registered
- are not to be registered if they are having difficulty understanding any of the information provided
- understand there are no time limits for registration and that they could take time to consider whether to register (whether by assisted registration, or by other methods).
Observations — training on the Privacy Act
4.22 It was observed that WSML have chosen not to provide detailed training to CRAs on all aspects of the APPs under the Privacy Act due to the scope of their role. Instead, the CRA privacy training focuses on WSML’s policies and procedures relating to privacy and how CRAs should implement those in practice when conducting assisted registrations.
4.23 In addition, ad hoc training is provided to CRAs during their weekly meetings at WSML offices. This training is driven by the CRAs’ needs as well as external factors, such as changes in legislation (for example, recent changes to the Privacy Act).
4.25 Training should cover the HPO’s approach to meeting the requirements for information to be collected by ‘lawful and fair means’ under APP 3, for consumers to be advised of the matters required under APP 5, and for reasonable steps to be taken to protect the security of that information under APP 11.
4.26 HPOs do not necessarily need to provide detailed training on every aspect of the Privacy Act and the PCEHR Act and Rules to CRAs provided that privacy considerations are dealt with in the processes used and job specific training. It would assist CRAs to have a basic understanding of the privacy requirements and how these are met by the HPO’s approach to handling personal information. Managers may need a more detailed level of understanding.
4.27 The training provided by WSML meets the matters noted above. However, in some cases the content of the training has not been put in writing. The assessors suggest that a written record be maintained of the content of privacy training provided to staff.
Part 5 — Assisted registrations at general practices
5.1 The assessors observed that, overall, WSML’s process incorporated many good privacy practices, which would effectively mitigate the privacy risks that arise in an assisted registration context. There is one recommendation in relation to this part. For the benefit of other persons conducting assisted registrations, this part is set out in some detail.
Provision of information and collection notice
5.2 During the staged registration process and when interviewed by the assessors, the CRA showed a good understanding of the training provided by WSML described in Part 4 above.
5.4 CRAs provide further information about the collection in response to consumer questions. If the CRA does not know the answer to a question, they call or email the eHealth project manager. CRAs are instructed not to register consumers who have unanswered queries.
5.6 Appropriate notification is important to ensuring consumers understand why their personal information is being collected and how it will be used and disclosed. Where consumers are not sufficiently informed, the risk of privacy complaints increases. For assisted registration, the APP 5 notice is reasonably expected to be provided prior to, or concurrently with, the collection of personal information. When given concurrently, sufficient time should be given for the consumer to consider the notice.
5.7 Taken collectively, the provision of the relevant documents and the CRAs’ ability to answer questions posed by consumers constitutes an APP 5 notification.
- to rename it so that it is clearly identified as a collection notice for the purposes of APP 5
- to specify that personal information collected by WSML during the assisted registration process will be disclosed to the System Operator.
Implementing this suggestion would ensure comprehensive notification by WSML to consumers of all the required matters.
5.10 The assessors understand that since the date of their attendance at the WSML offices, these suggestions have been taken up by WSML.
Completing the assisted registration form
5.11 Consumers are given the choice of whether they want to complete the form themselves or have the CRA fill it in for them.
5.12 When completing the form, the CRA explains what each part of the form is and the information required to be recorded on it. They explain to the consumer the meaning of giving consent to include Medicare and pharmaceutical benefits claim history.
5.13 CRAs confirm the consumer’s name, date of birth and Medicare number as these have to be identical with Medicare records for the registration to be successful.
5.14 If the consumer wishes to receive an IVC by email or text message to enable them to access their record online, the CRA will collect an email address or mobile phone number and record it in the space provided for that purpose on the form and will upload that information to the ART.
5.15 CRAs also collect an additional contact number from the consumer. The consumer is informed that this phone number is collected only for the purposes of contacting the consumer if their registration is unsuccessful. This number is typically noted in the ‘Authorised staff member notes’ box at the bottom of the form. No other information is collected during the AR process.
5.16 The assisted registration process generally requires a 100 point ID check. CRAs usually ask to sight the consumer’s driver’s licence and Medicare card, as most people tend to have these documents with them. These are not copied. If consumers do not have a driver’s licence, CRAs refer to a list of acceptable proof of identity documents.
5.17 APP 3 requires that personal information should only be collected if it is necessary for an APP entity’s functions or activities. CRAs’ handling of consumers’ identity documents demonstrates good privacy practice by only sighting the documents, as collection of copies or other details is not required for the assisted registration process.
5.18 The collection of a phone number to contact a consumer if a registration is unsuccessful is recommended in the training materials provided by the System Operator. The form does not have a section for this information but the Health training material suggests it be incorporated on the form in the ‘Authorised staff member notes’ section.
5.19 WSML does not use this number unless a registration has been unsuccessful and it is necessary to contact the consumer. However, all hard copy forms that are sent to the System Operator include this contact number.
5.20 All the other information on the form is disclosed to the System Operator through the ART, but the ART does not collect the contact phone number. When WSML sends the hard copy form to the System Operator, they are disclosing information to the System Operator which is not required in the registration process.
Recommendation — treatment of contact details if a registration is unsuccessful
5.21 The assessors recommend that WSML redact this contact number before the form is sent to the System Operator.
Other uses of personal information
5.22 While this is not a standard part of the assisted registration process, CRAs may assist a consumer to set up their eHealth record if requested by the consumer. This may involve the CRA setting up an email account for the consumer to receive their IVC, accessing the consumer’s email account to assist them in retrieving their IVC, or assisting the consumer to log in to their record to set up the consumer’s access controls as requested by the consumer. These activities involve further collections and uses of the consumer’s personal information by the CRA.
5.23 WSML has developed a consent form for the additional collections and uses of personal information that may occur when a consumer requests the CRA’s assistance with setting up their eHealth record. Both the consumer and the CRA sign this form, which states that the information will not be used for any other purpose or disclosed to other organisations.
5.24 Keeping a record of consent for collection and use of personal information, as WSML have done, is good privacy practice.
Use of the ART and laptop IT security
5.25 The CRAs use the ART to lodge registration information with the System Operator. There are no privacy issues in this section of the report. The processes show good practices supporting WSML’s compliance with APP 11.
5.26 CRAs have WSML laptops with the ART software preloaded. Upgrades from the System Operator for the ART are implemented by the IT contractor as required.
5.27 A wireless USB is used to connect the laptop to the internet in order to use the ART. Information from the assisted registration form is entered into the ART and then submitted to the System Operator. Information submitted to the System Operator via the ART is encrypted and no information from the assisted registration forms is retained on the laptop.
5.28 Sometimes CRAs will enter the form details into the ART at the time of the registration, if the consumer wants to receive their IVC in writing immediately. Otherwise, the CRA will enter information into the ART in quiet periods between registrations. Once a consumer’s information is submitted via the ART, an IVC is sent automatically to the consumer by email or SMS.
5.29 CRAs will always seek to use a private room to enter the forms into the ART. If a room is not available, CRAs will enter the forms in a quiet area, away from the main waiting area.
5.30 CRAs have their own log in and password for their laptops. To access the ART software on the laptop, CRAs use WSML’s NASH certificate number and password every time the application is opened.
5.31 WSML’s IT contractor is able to access CRAs’ laptops remotely. CRAs are instructed to close down the ART if the IT contractor needs remote access to their computer.
Physical security of forms and laptops by CRAs
5.32 WSML has instituted processes for the CRAs to protect the physical security of the completed forms and laptops. As described to the assessors, these processes help WSML to meet its obligations under APP 11.
5.33 Once a form is completed, it is stored in a plastic sleeve, which is kept with the CRA until it is transferred to a lockable satchel. This locked satchel is kept out of sight and view (in a locked trolley bag), and the keys are kept with the CRA at all times.
5.34 Forms are stored in a separate folder in the satchel organised by date, GP practice, and successful and unsuccessful registrations. The CRA completes a tally sheet outlining this information (which includes no personal information), and the final counts for a specific day. The folder contains a declaration that CRAs must sign which states that CRAs have correctly identified the consumers and sighted their ID (100 points).
5.35 CRAs also secure their WSML laptops in the locked trolley bags when not in use.
5.36 The assessors were informed that it is not practical from the CRAs’ or WSML’s perspective to require the CRA to return the locked trolley bag to WSML each evening, as the CRAs are not office based and often work in remote locations. Therefore, CRAs take the locked trolley bag (containing the locked satchel and laptop) home with them each evening.
5.37 Completed registration forms are taken to WSML head office once per week for processing by the Registrations Clerk.
5.38 Under APP 11 an APP entity must take reasonable steps to protect information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Storing registration forms in a home does create a privacy risk.
5.39 In other circumstances, it would be preferable if CRAs could visit the WSML office more regularly than once a week to return completed forms, particularly if CRAs are working close to the WSML office. However, WSML has advised that implementing this procedure would have a significant impact on the success of the program, as CRAs would be required to spend a considerable amount of time travelling to and from the WSML office, limiting the amount of time they could spend conducting assisted registrations.
5.40 The assessors note that WSML has identified this risk and has balanced the risk against its ability to successfully implement the assisted registration program in a cost effective manner. WSML has mitigated the risk by using locked satchels and trolley bags, good accounting of the assisted registration forms and clear processes.
5.41 WSML may seek to revisit this issue from time to time to consider whether these risks could be further mitigated, including by the application of new technologies or work practices where appropriate.
5.42 It would also be preferable for CRAs to be allocated a private room in all locations they are working in. WSML will need to consider on a case by case basis whether assisted registration should be conducted at a location where a separate room is not available. This will depend on all the circumstances including the layout of the location.
Part 6 — Assisted registration procedures at WSML office
Handling of registration forms and consumer information
6.1 Once per week, CRAs come to WSML’s head office and provide the completed forms to the Registration Clerk.
6.2 The Registration Clerk stores the completed forms in a locked drawer when not in use. The key to the drawer is kept by the Registration Clerk. The office manager has a master key for emergency access.
6.3 For forms that have been successfully entered into ART, the Registration Clerk sends the forms by express post to the System Operator. Generally this occurs within a few days of the forms being brought to the office.
6.4 If a consumer’s registration could not be completed through the ART, the Registration Clerk will attempt to contact the consumer. The assessors were informed that usually up to three attempts are made to contact the consumer (observations relating to consumer contact are below).
6.5 The Registration Clerk enters the names of consumers whose registrations have been unsuccessful into an Excel spreadsheet, in order to record attempts that are made to contact consumers. Once the Registration Clerk has completed processing the unsuccessful forms (either because registration has subsequently been successful or because no further attempts will be made to register the consumer), the consumer’s name is deleted from the spreadsheet. Contact phone numbers and other personal information are not entered onto the spreadsheet at any time.
6.6 The assessors understand that this is the only consumer personal information relating to assisted registrations that is kept in the WSML IT environment.
6.7 This document is password protected and kept on a shared WSML drive. We understand that the password is not changed regularly.
6.8 Any unsuccessful forms are put into a secure shredding bin. No copies are taken of the forms. Generally, the maximum period of retention is estimated to be around four weeks; however, no timetable has been formalised.
6.9 WSML uses secure destruction bins for destruction of completed unsuccessful registration forms. WSML has a contract with a security destruction company which it has verified to its satisfaction as secure.
6.10 We understand that WSML maintains an over-arching process instruction ‘Control of Documents and Records’ as part of the Quality Framework. This includes a section specifically relating to archiving and destruction of records that have been dormant for 12 months. Otherwise, destruction is left up to program areas.
6.11 Under APP 11.2 an APP entity must take reasonable steps to destroy personal information it no longer requires. Not disposing of personal information securely and/or retaining personal information for longer than is necessary will not be considered to be taking reasonable steps.
6.12 In the case of assisted registration, the assessors suggest that WSML create a specific destruction policy for documents containing personal information to avoid the risk of it retaining personal information for longer than is necessary in contravention of APP 11.2. The assessors suggest this may be formalised as part of a written process setting out the responsibilities of the Registration Clerk regarding the handling of the forms.
6.13 Although the personal information kept on the Excel spreadsheet may appear minimal, the risk remains that, if there is a data breach of the personal information on the spreadsheet, WSML may be considered to have failed to take reasonable steps to protect that information as required by APP 11. The issue of weak password protection should be addressed and WSML may wish to consider limiting access to the spreadsheet to a small number of specified users.
6.14 The assessors suggest that a process be documented setting out how frequently the password is changed, and that WSML consider limiting access to the spreadsheet to a small number of specified users.
6.15 If a consumer’s registration cannot be processed using the ART, the Registration Clerk makes further attempts to register the consumer by contacting the consumer to verify the information included on the form. Registration issues are often due to errors in the date of birth or spelling of names.
6.16 If the consumer cannot be registered, the consumer will be notified that the registration was unsuccessful (usually by phone) and the clerk will also send information about other registration options in the mail to the consumer.
6.17 WSML has identified the risks around accidental disclosure of personal information if leading questions are asked when seeking to confirm a consumer’s identity. When making contact with consumers, the Registration Clerk will identify themselves and the reason for calling, and confirm the identity of the consumer, by asking (for example), ‘Is this Jane?’. The Registration Clerk will also ask the consumer to repeat their birthdate as a secondary means of verification.
6.18 The approach taken by WSML to avoid leading questions appears to be appropriate in these circumstances. However, there is no written script for these telephone calls. We suggest a script be prepared and used to reduce the risk of inadvertent disclosures.
IT security policies and procedures of WSML
6.19 Other than the limited retention of consumer names described above, the assessors understand there is no personal information relating to the assisted registration program retained on WSML’s IT systems. The assessors consider that the processes described below are reasonable in the context of assisted registration. There are no privacy issues in this section of the report.
6.20 WSML outsources its IT services to a contractor. WSML developed its IT policy with the IT contractor’s input and advice and also using the Royal Australian College of General Practitioners’ Computer and Information Security Standards as a resource. The policy was put in place to measure activities and is reviewed and updated as necessary. The contractor provides advice to WSML on the implementation, monitoring of compliance and review of the IT policy in addition to providing IT services. WSML meets monthly with the contractor to discuss any issues.
6.21 Audit trails are kept of individuals’ access to the WSML system but these are only checked if there is an issue.
6.22 In accordance with the IT policy, WSML uses firewalls and other IT security measures such as antivirus software which is updated every 15 minutes via cloud services.
6.23 CRAs do not have remote access to WSML’s internal shared drives, only to WSML’s email server. There are six laptops with the ART tool installed for use by CRAs, and a further four used within head office. The contractor runs a check of the software on all WSML devices quarterly. There is no audit log kept of access to the ART by CRAs or other WSML staff. Laptop users are unable to download software packages onto the laptop.
Part 7 — Recommendation
7.1 The assessors recommend that WSML either redact this contact number before the form is sent to the System Operator.
7.2 The assessors’ recommendation was noted at the time of the assessment. WSML immediately implemented a procedure to redact the contact number entered in the ‘Authorised staff member notes’ section of the registration form.