Reports on the operation of acts and programs
Standing Order 25(20) does not provide for the consideration of reports
on the implementation or operation of acts or programs. The committee is not required
to include them in its report on the examination of annual reports; however, as
on previous occasions, the committee has chosen to examine such reports. The
committee has examined the annual report of the Australian Information
Commissioner's activities in relation to digital health for 2017–18.
Subsection 106(1) of the My Health Records Act 2012 (My Health
Records Act) requires that the commissioner prepare a report on the commissioner's
activities during the financial year relating to the My Health Record system.
Subsection 106(2) of the My Health Records Act states that the report must
include the following information:
- statistics of the following:
  - complaints received by the Commissioner in relation to the My Health Record system;
  - investigations made by the Commissioner in relation to My Health Records or the My Health Record system;
  - enforceable undertakings accepted by the Commissioner under this Act;
  - proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
- any other matter prescribed by the regulations.
Section 30 of the Healthcare Identifiers Act 2010 (Healthcare
Identifiers Act) also states that the commissioner must prepare a report
on its compliance and enforcement activities under the Healthcare Identifiers
Act during the relevant financial year.
The commissioner must provide a copy of the reports to the minister and
the ministerial council by no later than 30 September at the end of the
relevant financial year. The minister is then required to table a copy in each
House of Parliament within 15 sitting days after the commissioner provides
the report to the minister.
The report combines the requirements from both the My Health Records Act
and the Healthcare Identifiers Act into one report. The report was submitted to
the minister on 28 September 2018 and received by the minister on 17 October
2018. The report was then tabled by the minister in both the House of
Representatives and the Senate on 5 December 2018 in accordance with the
requirements of both of the relevant Acts.
The report sets out the commissioner's digital health compliance and
enforcement activity during 2017–18. The report states that during the
reporting period the Office of the Australian Information Commissioner (OAIC)
received 28 mandatory data breach notifications, which recorded 42
separate breaches affecting a total of 65 healthcare recipients, 47 of whom had
a My Health Record at the time of the breaches. Four of the notifications
remained open at the end of the reporting period.
The OAIC received eight complaints regarding the My Health Record system,
and no complaints about the Healthcare Identifiers Service (HI Service).
Section 40(2) of the Privacy Act 1988 states that the commissioner
has the discretion to investigate an act or practice that may be an interference
with privacy, on the commissioner's own initiative. No investigations were
initiated or conducted during the reporting period.
The OAIC conducted one assessment relating to the My Health Record
system during 2017–18, and continues to progress one assessment that began in
the previous reporting period.
The commissioner also reported that the OAIC had carried out a program
of digital health-related work, including:
- a briefing by the Australian Digital Health Agency and the Department of Health in relation to the process for the national rollout of optional opt-out of the My Health Record planned for 2018;
- providing a submission to HealthConsult regarding the development of the Framework to guide the secondary use of My Health Record system data;
- the provision of advice to stakeholders in relation to privacy-related matters regarding the My Health Record system;
- the development, revision and update of guidance materials for a broad range of audiences in relation to the My Health Record system and the upcoming commencement of the opt-out period, including multimedia and new 'frequently asked questions'; and
- participating in the Privacy and Security Advisory Committee.
No enforceable undertakings accepted by the commissioner were reported
for the reporting period. Additionally, the annual report does not report any
proceedings taken by the commissioner in relation to civil penalty proceedings,
enforceable undertakings or injunctions.
Table 1: Summary of activities undertaken by OAIC in 2017–18 in relation to My Health Record and HI Service
||My Health Record
|Policy advices (incl. submissions)
|Assessments completed or in progress
|Mandatory data breach notifications received
The committee is satisfied that the annual report has met the
requirements of both the My Health Records Act and the Healthcare Identifiers Act.