Chapter 2


Reports on the operation of acts and programs

2.1        Standing Order 25(20) does not provide for the consideration of reports on the implementation or operation of acts or programs. The committee is not required to include them in its report on the examination of annual reports; however, as on previous occasions, the committee has chosen to examine such reports. The committee has examined the annual report of the Australian Information Commissioner's activities in relation to digital health for 2017–18.

Digital health

2.2        Subsection 106(1) of the My Health Records Act 2012 (My Health Records Act) requires that the commissioner prepare a report on the commissioner's activities during the financial year relating to the My Health Record system. Subsection 106(2) of the My Health Records Act states that the report must include the following information:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the My Health Record system;
    2. investigations made by the Commissioner in relation to My Health Records or the My Health Record system;
    3. enforceable undertakings accepted by the Commissioner under this Act;
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and;
  2. any other matter prescribed by the regulations.

2.3        Section 30 of the Healthcare Identifiers Act 2010 (Healthcare Identifiers Act) also states that the commissioner must prepare a report on its compliance and enforcement activities under the Healthcare Identifiers Act during the relevant financial year.

2.4        The commissioner must provide a copy of the reports to the minister and the ministerial council by no later than 30 September at the end of the relevant financial year. The minister is then required to table a copy in each House of Parliament within 15 sitting days after the commissioner provides the report to the minister.[1]

2.5        The report combines the requirements from both the My Health Records Act and the Healthcare Identifiers Act into one report. The report was submitted to the minister on 28 September 2018 and received by the minister on 17 October 2018. The report was then tabled by the minister in both the House of Representatives and the Senate on 5 December 2018 in accordance with the requirements of both of the relevant Acts.[2]

2.6        The report sets out the commissioner's digital health compliance and enforcement activity during 2017–18. The report states that during the reporting period the Office of the Australian Information Commissioner (OAIC) received 28 mandatory data breach notifications, which recorded 42 separate breaches affecting a total of 65 healthcare recipients, 47 of whom had a My Health Record at the time of the breaches. Four of the notifications remained open at the end of the reporting period.

2.7        The OAIC received eight complaints regarding the My Health Record system, and no complaints about the Healthcare Identifiers Service (HI Service).[3]

2.8        Section 40(2) of the Privacy Act 1988 states that the commissioner has the discretion to investigate an act or practice that may be an interference with privacy, on the commissioner's own initiative. No investigations were initiated or conducted during the reporting period.[4]

2.9        The OAIC conducted one assessment relating to the My Health Record system during 2017–18, and continues to progress one assessment that began in the previous reporting period.[5]

2.10      The commissioner also reported that the OAIC had carried out a program of digital health-related work, including:

  • a briefing by the Australian Digital Health Agency and the Department of Health in relation to the process for the national rollout of optional opt-out of the My Health Record planned for 2018;
  • providing a submission to HealthConsult regarding the development of the Framework to guide the secondary use of My Health Record system data;
  • the provision of advice to stakeholders in relation to privacy-related matters regarding the My Health Record system;
  • the development, revision and update of guidance materials for a broad range of audiences in relation to the My Health Record system and the upcoming commencement of the opt-out period, including multimedia and new 'frequently asked questions'; and
  • participating in the Privacy and Security Advisory Committee.[6]

2.11      No enforceable undertakings accepted by the commissioner were reported for the reporting period. Additionally, the annual report does not report any proceedings taken by the commissioner in relation to civil penalty proceedings, enforceable undertakings or injunctions.

Table 1: Summary of activities undertaken by OAIC in 2017–18 in relation to My Health Record and HI Service[7]

Activity My Health Record HI Service
Telephone enquiries 9 1
Written enquiries 8 1
Complaints finalised 5 0
Policy advices (incl. submissions) 13 0
Assessments completed or in progress 2 1
Mandatory data breach notifications received 28 N/A
Media enquiries 1 0

2.12      The committee is satisfied that the annual report has met the requirements of both the My Records Act and the Healthcare Identifiers Act.

Senator Amanda Stoker
Chair

Navigation: Previous Page | Contents | Next Page