This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2017–18, in accordance with section 106 of the My Health Records Act 2012 (My Health Records Act) and section 30 of the Healthcare Identifiers Act 2010 (HI Act), as outlined in the 2017–19 memorandum of understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Australian Digital Health Agency (the Agency).
The report also provides information about the OAIC’s other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.
In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid‑2018. In May 2018, it was announced that a three-month opt‑out period for individuals would run from 16 July to 15 October 2018. This period has since been extended to 15 November 2018.
In 2017–18, the OAIC received 28 mandatory data breach notifications. These notifications recorded 42 separate breaches affecting a total of 65 healthcare recipients, 47 of whom had a My Health Record at the time of the breaches. Four of these notifications remain open at the end of the reporting period. The OAIC received eight complaints regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a program of digital health‑related work, including:
- Commencement of one privacy assessment, completion of one assessment from the previous year and progression of one assessment from the previous year.
- Being briefed by the Agency and the Department of Health on the process for national opt‑out of My Health Record in 2018.
- Making a submission to HealthConsult on the development of the Framework to guide the secondary use of My Health Record system data.
- Providing advice to stakeholders, including the Agency, on privacy-related matters relevant to the My Health Record system.
- Developing, revising and updating guidance materials for a range of audiences, including the publication of My Health Record related multimedia resources for healthcare providers and new Frequently Asked Questions for consumers, to coincide with the commencement of the opt‑out period.
- Participation in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board.
- Monitoring developments in digital health, the My Health Record system and the HI Service.