
Draft Concept of Operations: Relating to the introduction of a personally controlled electronic health record (PCEHR) system

Submission to the Department of Health and Ageing (June 2011)

Submission by Timothy Pilgrim, Australian Privacy Commissioner

Recommendations

Introduction – section 2 of the Draft Concept of Operations: relating to the introduction of a personally controlled electronic health record (draft Concept of Operations)

Secondary uses

Recommendation 2.1

Secondary uses or disclosures of personal information contained in personally controlled electronic health records (PCEHRs) should be subject to a robust governance framework contained in legislation, and occur in accordance with National Privacy Principle 2.

(see paras 24-31)

Participation – section 3 of the draft Concept of Operations

Individual participation

Recommendation 3.1

Terms and conditions for participation should be framed to ensure that individuals are able to understand and agree to the various ways in which their personal information will be handled within the PCEHR System (the System).

(see paras 35-40)

Recommendation 3.2

The Office of the Australian Information Commissioner (the OAIC) suggests that as functionality is added, individuals should be notified and given the ability to ‘opt-in’ to secondary uses and disclosures where appropriate.

(see paras 35-40)

Nominated representative access

Recommendation 3.3

Offering individuals a choice about the type of access they grant to nominated representatives would provide a desirable further level of personal control over access to their PCEHR.

(see paras 42-43)

Conformant repositories

Recommendation 3.4

The OAIC suggests that the data security implications of the use of conformant repositories and other contracted service providers could be further considered in light of the concerns regarding the current ability of cloud solutions to deliver adequate privacy protections.

(see paras 47-51)

Healthcare provider rights and responsibilities

Recommendation 3.5

The OAIC recommends that healthcare provider ‘rights and responsibilities’ should:

  • contain clear accuracy, access and security obligations
  • be accepted by healthcare providers as a condition of participation in the System (this requirement could be included in legislation).

(see paras 44-45)

Education and training

Recommendation 3.6

The OAIC recommends that any education and training provided to users of the PCEHR System address obligations under the legislative framework and the Privacy Act 1988 (Cth) (the Privacy Act).

Recommendation 3.7

The OAIC recommends that the legislative framework require healthcare provider organisations, as a condition of participation in the System, to provide training to their employees on the appropriate access to and use of PCEHRs.

Recommendation 3.8

The OAIC recommends that the regulator(s) develop a range of guidance material to assist healthcare providers to meet compliance obligations.

Recommendation 3.9

The office recommends that the System Operator should develop a suite of educational materials for different audiences that outline the way the System will operate.

(see paras 52-55)

Managing PCEHR Information – section 4 of the draft Concept of Operations

National Privacy Principle 3 (NPP 3) – Data quality

Recommendation 4.1

The OAIC suggests that the governance framework should require healthcare providers to comply with the requirements of NPP 3:

  • to ensure System records are accurate, complete and up-to-date
  • a protocol should be created to notify any parties who have viewed inaccurate data to ensure they are aware it was erroneous.

(see paras 57-61)

National Privacy Principle 4 (NPP 4) – Data security

Recommendation 4.2

In recognition of existing requirements in states and territories, the OAIC submits that the retention period for personal information contained in the System should not exceed the maximum period set by any state or territory legislation and should be set by legislation.

(see paras 63-65)

National Privacy Principle 6 (NPP 6) – Access and correction

Recommendation 4.3

The office suggests that the governance framework should require healthcare providers to comply with the requirements of NPP 6.6 by including a mechanism to incorporate statements where there is a disagreement about the accuracy of information.

(see para 62)

(see also Recommendation 5.8)

Data breach notification

Recommendation 4.4

To ensure data breaches are managed appropriately and the associated risks are minimised, the OAIC recommends that the governance framework make reference to the data breach notification methodology set out in the OAIC’s Guide to handling personal information security breaches[1] (subject to any legislative reform arising from the Australian Law Reform Commission’s review of privacy). (see para 61)

Privacy and Security – section 5 of the draft Concept of Operations

Enabling legislation

Recommendation 5.1

The OAIC recommends that draft enabling legislation be made available for comment as soon as possible.

(see paras 68-69)

Privacy impact assessments (PIAs)

Recommendation 5.2

Any privacy impact assessment should ideally be publicly available shortly after completion. The OAIC’s Privacy Impact Assessment Guide[2] emphasises that consultation with key stakeholders is basic to the PIA process. (see paras 73-74)

Clinical documents – access and content control

Recommendation 5.3

The OAIC suggests consideration be given to enhancing access controls over clinical documents by allowing individuals to:

  • apply ‘limited access’ and ‘no access’ labels to all clinical documents, including the Shared Health Summary
  • have control of the content of consolidated documents such as the Shared Health Summary and the Consolidated View
  • select from set levels of access for different kinds of healthcare provider.

(see paras 84-88)

‘Particularly sensitive data’

Recommendation 5.4

The office suggests that the following points relating to ‘particularly sensitive data’ would benefit from further clarification:

  • the definition of this term
  • the process for assessing the sensitivity of data
  • the nature of the stronger e-Authentication requirements that will apply in relation to this information.

(see paras 89-90)

‘Limited access’ and ‘no access’ features

Recommendation 5.5

As core personal control features, the OAIC considers that the ‘limited access’ and ‘no access’ functionality should be built into the System from the first release.

Recommendation 5.6

The OAIC recommends that legislative protections be put in place to ensure that where individuals choose to use the limited access feature or ‘no access’ features, they will not be disadvantaged by doing so.

Recommendation 5.7

The office recommends that individuals be provided with a clear explanation of the ‘limited access’ and ‘no access’ functionality, including that these labels can only be applied after documents have been uploaded to an individual’s PCEHR (if this is the case).

(see paras 91-94)

‘Include list’ and ‘exclude list’

Recommendation 5.8

The OAIC suggests that the implications and operation of the access grant feature should be made clear to individuals at the time they opt in to the System.

(see paras 95-100)

Emergency access

Recommendation 5.9

The OAIC suggests that the privacy impact of emergency access to PCEHRs could be reduced by:

  • ensuring that emergency access overrides are temporary
  • ensuring emergency access is recorded in the audit trail
  • defining and limiting the circumstances in which emergency access can be granted (it may be appropriate to include these matters in enabling legislation)
  • making individuals aware of the operation of the emergency access feature of the PCEHR at the time of opt-in.

(see paras 101-103)

Audit trail

Recommendation 5.10

The OAIC suggests that the audit trail should:

  • record the same amount of detail about access to the PCEHR via consumer and other conformant portals as is recorded about other means of accessing the PCEHR
  • include records of data modifications, including details of the individual and organisation that modified data, and how and when data was modified.

Recommendation 5.11

The office suggests that individuals should be made aware that when information is downloaded from the PCEHR into local records, the PCEHR audit trail in relation to that information effectively ends. The OAIC notes, however, that healthcare providers have obligations under the NPPs to ensure that appropriate records management procedures are in place.

Recommendation 5.12

In the OAIC’s view, where individuals formally request full details of the audit trail, this information should be provided:

  • in line with the requirements of NPP 6 or the Freedom of Information Act 1982 (Cth) (whichever is relevant), particularly in relation to appropriate access charges
  • within an appropriate period of time, which could be set by legislation.

(see paras 108-109)

Data breach notification

(see para 111, see also Recommendation 4.4)

Access for compliance purposes

Recommendation 5.13

To ensure that access to PCEHRs for compliance purposes is consistent with the general System information handling practices, the OAIC suggests that:

  • individuals opting in to the System should be made aware of the potential access of their PCEHR for compliance purposes
  • access to the System for compliance purposes should be recorded in the audit trail.

(see paras 110-112)

Upload of clinical documents

Recommendation 5.14

To enable the upload of clinical documents to occur in a way that is acceptable to individuals, the OAIC suggests that:

  • guidance for healthcare providers about what information may be inappropriate for upload to the PCEHR should be developed
  • the obligation on healthcare providers to consider and advise individuals about what information may be suitable for upload could be strengthened by inclusion in the healthcare provider ‘rights and responsibilities’
  • the possibility of enabling individuals to limit permission for the upload of documents to the PCEHR, for example by provider or episode of care, should be considered.

(see paras 114-119)

Access and download of information from the PCEHR

Recommendation 5.15

The OAIC suggests that the requirement for PCEHR users to download only information that is required to support the delivery of an individual’s care, or to ensure that medico-legal integrity requirements are addressed, should be included in healthcare provider ‘rights and responsibilities’ and legislation.

(see paras 120-121)

Operating Model – section 7 of the draft Concept of Operations

Governance

Recommendation 7.1

The OAIC suggests that details of the proposed governance model and regulatory arrangements should be made available for public comment as soon as possible.

(see paras 122-123)

Complaint-handling

Recommendation 7.2

The OAIC suggests that it is the most appropriate body to oversee privacy complaints arising from the PCEHR System (except for those originating from State and Territory government agencies where there is an existing regulator). In those States where there is no regulator, arrangements similar to those in place for the Individual Health Identifier could be adopted.

(see paras 126-127)

Implementation – section 8 of the draft Concept of Operations

Consultation

Recommendation 8.1

The OAIC suggests that:

  • a wide cross-section of the community should be consulted in the development stage of the PCEHR System
  • other opportunities for encouraging community consultation and participation in the development of the PCEHR System should be explored, including the use of Gov 2.0 strategies.

(see paras 130-134)

Outcomes evaluation – section 9 of the draft Concept of Operations

Recommendation 9.1

The OAIC suggests that the evaluation of PCEHR outcomes should include an assessment of privacy outcomes.

(see para 135)


Executive summary

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Draft Concept of Operations: relating to the introduction of a personally controlled electronic health record (draft Concept of Operations).
  2. Gaining community confidence and trust in the PCEHR System (the System) is essential to its success. While individuals may welcome the potential benefits of shared electronic health records, they may be hesitant to participate if key privacy protections are lacking or are not apparent. As the office has previously stated, the assurance that privacy is protected will be fundamental to the overall success of any electronic health record system.[3]
  3. The OAIC recognises that the successful implementation of the System has the potential to greatly enhance the provision of healthcare to individuals. The model proposed will potentially involve the drawing together of health records from a variety of sources, in a way not previously possible. While this consolidation of information has considerable benefits from a healthcare perspective, the PCEHR’s capacity to allow access by many healthcare providers to a large quantity of sensitive personal information involves privacy risks. Overall, the office is supportive of the System, provided that it offers individuals appropriate control over the handling of their personal information, and employs a robust information handling and legislative governance framework.
  4. In the OAIC’s view, personal control will be central to the success of the PCEHR and key to community participation in the System. Providing choice and control to individuals about how their personal information is handled is a fundamental aspect of good privacy practice. The decision to implement the PCEHR on an express consent approach (an ‘opt-in’ model) offers important privacy benefits.
  5. The draft Concept of Operations demonstrates that privacy has been an important consideration in the development of the PCEHR model. Privacy issues have generally been clearly identified in the draft Concept of Operations, and some good strategies for addressing those issues have been proposed. However, in a number of areas, the details of some of the privacy-enhancing measures remain unclear. In other areas further consideration and exploration is required.
  6. The recommendations in this submission focus on a number of issues the office considers would benefit from further consideration:
    • ensuring that the PCEHR realises, as far as possible, the aim of being genuinely ‘personally controlled’
    • the importance of educating individuals and healthcare providers about the operation of the System
    • the need for the ‘terms and conditions’ of participation for individuals to provide clear notice of the ways in which personal information will be handled by the System
    • the importance of educating healthcare providers and other users about compliance obligations
    • issues raised by the involvement of contracted service providers
    • data security issues raised by the proposed PCEHR model
    • the need for information about enabling legislation and the governance framework.
  7. As more detail of the PCEHR model is made available, the OAIC would welcome the opportunity to provide further input, subject to the availability of resources.

Introduction

  1. The Office of the Australian Information Commissioner (the OAIC) was established by the Australian Information Commissioner Act 2010 (Cth) (the AIC Act) and commenced operation on 1 November 2010.
  2. The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.
  3. The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010.
  4. The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.
  5. The Commissioners of the OAIC share two broad functions:
    • the FOI functions, set out in s 8 of the AIC Act – providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth), and
    • the privacy functions, set out in s 9 of the AIC Act – protecting the privacy of individuals in accordance with the Privacy Act 1988 (Cth) (the Privacy Act) and other legislation.
  6. The Information Commissioner also has the information commissioner functions, set out in s 7 of the AIC Act. Those comprise strategic functions relating to information management by the Australian Government.

Fundamental privacy considerations

  1. The OAIC welcomes the opportunity to comment on the draft Concept of Operations. This submission seeks to highlight the critical importance of appropriate privacy protections in supporting a shared electronic health record system.
  2. The office has actively engaged on the privacy issues relating to electronic health records over a number of years. In 2008 the office made a submission to the Consultation on the Privacy Blueprint for the Individual Electronic Health Record (the Blueprint) conducted by the National E-Health Transition Authority (NEHTA). In 2009 the office made a submission on Person-controlled Electronic Health Records to the National Health and Hospitals Reform Commission.
  3. The OAIC has been closely involved in the development of the Healthcare Identifier Service and is currently solely responsible for providing regulatory oversight of that scheme.
  4. The draft Concept of Operations represents the first opportunity to comment publicly on the design of the PCEHR System. In preparing this submission, the OAIC has drawn on the understanding of the privacy issues associated with electronic health records that it has developed over the course of its past engagement. Many of the issues highlighted in previous submissions remain relevant and are discussed again in this submission. Examples include concerns about secondary uses of personal information stored in electronic health records and the importance of enabling legislation and appropriate governance.
  5. Providing choice and control to individuals about how their personal information is handled is a fundamental aspect of effective personal information handling practices. The OAIC is particularly supportive of the emphasis on personal control of information that is implied by the inclusion of the description ‘personally controlled’ in the name of the PCEHR. Also welcome is the decision to implement the PCEHR on an express consent approach (i.e. as an ‘opt-in’ model).
  6. In the OAIC’s view, it is important that individuals are able to choose whether to have a PCEHR, and if they choose to have a PCEHR, that they are able to choose what information will be included and who will have access to it, to the extent practicable. The Minister for Health and Ageing’s commitment to building privacy into the design of the system ‘from the ground up’ is a welcome indication of the importance that has been accorded to privacy considerations.[4]
  7. The OAIC observes that the design of the PCEHR model proposed in the draft Concept of Operations will pose new challenges for information privacy. The PCEHR will bring together sensitive personal information from a wide range of sources, and access to this information may be granted to many healthcare providers. Strong access controls will be necessary to appropriately protect the sensitive personal information contained in PCEHRs.
  8. The draft Concept of Operations also points to a need for careful consideration and management of data security. The PCEHR design proposes that sensitive personal information will be communicated between, and physically stored in, different locations, including a data repository owned by the Australian Government and a range of other ‘conformant repositories’. It will be important for robust data security protections to apply to all repositories and for the security of information to be protected in transmission.
  9. The Minister for Health and Ageing has also acknowledged that privacy is a key concern for individuals.[5] The comments provided in this submission are intended to contribute to the successful implementation and uptake of the PCEHR System by ensuring that the privacy protections required to engender trust in the System are in place. As the draft Concept of Operations recognises, ‘trust is critical for the success of the rollout and uptake of the PCEHR System’.
  10. The OAIC notes that its comments in this submission are informed by the office’s role as the regulator of the Privacy Act. Throughout the submission, the office has referred to the requirements of the Privacy Act. Many of these requirements will be familiar to private sector healthcare providers, who are currently obliged to comply with the National Privacy Principles (NPPs); however, the actions of State and Territory authorities do not generally fall within the jurisdiction of the Privacy Act.
  11. The OAIC understands that enabling legislation for the PCEHR System is currently being developed by the Department of Health and Ageing (DoHA). This legislation may create particular standards for information handling practices in the context of the PCEHR. However, in the absence of any information regarding the enabling legislation, the OAIC suggests that the requirements of the Privacy Act, and the NPPs in particular, represent a useful reference point in the discussion of appropriate privacy standards.
  12. Private sector healthcare providers using the system will already be bound by the NPPs when handling the personal information held within the PCEHR System. Commonwealth government agencies will be bound by the Information Privacy Principles (IPPs). Entities contracted to provide services to the Commonwealth government will be contractually bound to information handling standards at least comparable to the IPPs.
  13. The office notes that under NPP 10 of the Privacy Act, higher privacy standards apply to the handling of sensitive information. Health information is one kind of sensitive information, and is subject to additional protections. The OAIC flags that significant amendments to the Privacy Act are likely to occur in the future, including the introduction of a single set of Australian Privacy Principles to apply to both private sector organisations and Australian Government agencies, and health-specific amendments.[6]
  14. The OAIC’s ability to comment fully on the privacy protections offered by the System design described in the draft Concept of Operations has been constrained by the level of detail currently available regarding the governance arrangements and the regulatory framework. The office notes that the technical design of the system, as set out in the draft Concept of Operations, is only one aspect of a comprehensive approach to privacy. The protections provided by legislation and governance play an equally important role.
  15. The OAIC would welcome the opportunity to have further input into the development of the PCEHR System. Throughout this submission, the office has flagged its willingness to engage further on particular issues. However, the OAIC notes that its ability to engage further may be constrained by budgetary considerations.
  16. The OAIC recognises that the PCEHR is a major initiative with significant privacy implications. The Office seeks to provide high quality input on all aspects of its development. However, the OAIC is a small agency with responsibility for providing advice and guidance on privacy, FOI and government information management issues to Australian Government agencies, private sector organisations and individuals. In the absence of dedicated resourcing, the OAIC’s ability to engage intensively on large initiatives such as the PCEHR, while meeting its other obligations, may be limited.

Comments on the draft Concept of Operations

Section 2 of the draft Concept of Operations: Introduction

  1. With appropriate privacy settings, the System has the potential to enhance the privacy of individuals. This is because it offers greater control over the flows of health information than has been available under existing medical records systems.

Secondary uses

  1. The most effective assessment of a project’s privacy risks begins with a clear description of the project’s scope.[7] Potential secondary uses should be considered as part of the initial assessment; otherwise it is difficult to assess all privacy implications.
  2. The draft Concept of Operations raises a number of potential enhancements. One particular enhancement may be made to ‘the reporting service to support a wider range of approved uses’.[8] It is not clear what these uses may be, or in what sense they would be ‘approved’.
  3. A secondary use involves using information stored in the PCEHR System for a purpose other than the primary purpose of collection. The OAIC considers the primary purpose of collection is to facilitate the enhanced delivery of healthcare through improved sharing of selected health information. As the OAIC noted in its submission to the National E-Health Transition Authority (NEHTA) regarding the Privacy Blueprint for the Individual Electronic Health Record[9], secondary uses of health information should be:
    • carefully balanced with individual privacy, and
    • managed by the PCEHR System Operator and regulated by law.
  4. Given that the PCEHR is a personally-controlled record, it is important that personal information is used and disclosed in ways that individuals expect. Qualitative research conducted by AC Nielsen has illustrated sensitivity around secondary uses of health information. The results indicated a strong preference for health information to be solely used for the direct clinical care of the individual, with any other uses being premised on obtaining the individual’s informed consent.[10]
  5. The OAIC notes that the term ‘use’ has a particular meaning under the Privacy Act, referring to the handling of personal information within an organisation. ‘Disclosure’, on the other hand, refers to releasing personal information to others outside the organisation. National Privacy Principle 2 (NPP 2) regulates the use and disclosure of personal information. The draft Concept of Operations does not explain what is meant by a ‘wider range of approved uses’; consequently, it is unclear whether it is referring to secondary uses or secondary disclosures. It would be beneficial for secondary uses and disclosures to be clearly identified, limited and included in the governance documents from the outset.
  6. Any secondary uses and disclosures of personal information must be consistent with the obligations in NPP 2. The OAIC would welcome further detail on how secondary uses and disclosures of personal information will be managed. For example, will individuals have the opportunity to opt out of any possible secondary uses or disclosures of their information, particularly in relation to uses beyond medical care? What notice will individuals be given about secondary uses at the time of enrolment?
  7. The OAIC suggests that permitted secondary uses or disclosures be prescribed in the enabling legislation. It may also be appropriate to consult publicly and establish a framework for Parliamentary scrutiny of the expansion of secondary uses or disclosures to limit function creep.[11]
  8. Alternatively, mandatory guidelines or legislatively supported participation agreements could provide more detailed guidance on permitted secondary uses or disclosures within the healthcare sector.[12] To ensure adequate oversight of any expansion of secondary uses or disclosures, the office suggests that it may be appropriate for enabling legislation to require consultation with appropriate regulatory bodies, including the OAIC.

Section 3 of the draft Concept of Operations: Participation

  1. As noted in the OAIC’s 2008 submission to the NEHTA consultation on the Privacy Blueprint for the Individual Electronic Health Record, the office supports the express consent approach to PCEHR participation.[13] The office is pleased that individuals will be able to choose whether they have a PCEHR and that they will be able to deactivate their PCEHR at any time.
  2. The draft Concept of Operations describes a range of privacy-enhancing features of the proposed PCEHR model. These include the ability for individuals to:
    • set controls around healthcare provider access,
    • choose which information is published and accessible, and
    • see which individual healthcare providers have accessed their PCEHR.

Opt-in model

  1. The OAIC welcomes the draft Concept of Operations’ commitment to the creation of a PCEHR on an opt-in basis.[14] This approach offers important privacy benefits to individuals by ensuring the individual has provided active and express consent before enrolling in the System.

Informed consent and notice

Terms and conditions
  1. NPP 1.3 requires organisations bound by the Privacy Act to take reasonable steps to notify an individual of, amongst other things, the purposes for which their personal information is collected, organisations to which it is usually disclosed, and the main consequences (if any) for the individual if all or some information requested is not provided.[15] NPP 2 governs the way that personal information can be used and disclosed for secondary purposes.
  2. In a practical sense, these principles require individuals to be notified about how personal information will be collected into their PCEHR, how it will be used and to whom it will usually be disclosed (e.g. it will be viewed and downloaded by health practitioners).
  3. DoHA should consider how the terms and conditions could be framed to ensure that individuals can understand and provide informed consent to the various ways in which information can be handled in the PCEHR System. A layered notice format may assist individuals to provide informed consent, given the complexity of the PCEHR system.[16]
  4. In the OAIC’s view, notice should not be couched in terms so general as to facilitate very wide information sharing. The terms and conditions should also be available in a range of languages other than English. Secondary uses are discussed further under ‘Secondary uses’ above.
  5. The draft Concept of Operations indicates that additional functionality will be progressively added to the core System. The OAIC suggests that it may be appropriate to notify individuals as functionalities are added, to advise of any changes to the way that their personal information is handled.
  6. The OAIC would welcome the opportunity to provide input into the development of the terms and conditions for participation in the PCEHR System.[17]

Access to personal information

  1. The OAIC believes that one of the clear benefits of the System will be free and enhanced access to an individual’s health information. The Office supports the inclusion of a number of measures to facilitate access in a range of different situations, including for individuals who do not have access to the Internet, individuals requiring support in languages other than English, and for individuals with disabilities.[18]

Nominated representatives

  1. The proposed PCEHR model will allow individuals (who have legal capacity) to nominate representatives to assist them to manage their PCEHR. The OAIC recognises the convenience that selecting this option could provide. However, the office observes that the decision to share the ability to ‘manage’ a PCEHR for an indefinite period carries with it significant privacy risks.
  2. The OAIC suggests that individuals may find it beneficial to have some choice about the type of access they grant to nominated representatives. For example, individuals may wish to grant access to their PCEHR on an indefinite basis to their partner, or for a defined period to a professional carer.

Healthcare provider participation

  1. The OAIC is supportive of the commitment to informing healthcare provider organisations of their ‘rights and responsibilities’ in relation to the System at the time of registration.[19] The OAIC would also welcome clarification of the healthcare provider registration process. The office suggests that healthcare providers should be required to formally accept their ‘rights and responsibilities’ in relation to the PCEHR System at the time of registration. These obligations should address accuracy, access and security obligations and could be included in legislation.
  2. The office would welcome the opportunity to comment on these rights and responsibilities and suggests it may be appropriate to make them available for public comment.

Contracted service providers, conformant portal and conformant repository providers

  1. The draft Concept of Operations indicates that healthcare organisations will be able to use third party contracted service providers (CSPs) to deliver web-based health software and other services. CSPs may also store PCEHR information if they meet the additional requirements for conformant repository providers.
  2. The OAIC acknowledges the consideration DoHA has given to the privacy issues associated with the use of CSPs, conformant portals and conformant repository providers. Requirements for CSPs to register a Responsible Officer and an Organisation Maintenance Officer, and to undergo a conformance assessment process, are positive measures. The requirements for CSPs to be operating in Australia and subject to Australian law are particularly important. This will ensure that the privacy protections provided by Australian law will apply to the information handling actions of these organisations.
  3. NPP 9 limits the circumstances in which organisations are permitted to transfer personal information overseas. In the simplest terms, a healthcare provider will be prevented from disclosing personal information to someone in a foreign country who is not subject to a comparable information privacy scheme, except where it has the individual’s consent or in certain other circumstances, including where:
    • the transfer is for the benefit of the individual and the organisation can show grounds for a belief that if it were practicable to obtain consent the individual would be likely to give it, or
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.
  4. The OAIC shares AGIMO’s concerns regarding the current ability of cloud solutions to deliver adequate privacy protections.[20] The security of data stored by conformant repositories could be further enhanced by the inclusion in the legislative framework of a requirement for data to be stored within Australia. The storage of data in other jurisdictions may reduce the security of data, for example, where local laws authorise access to information.
  5. It may be appropriate to further consider the suitability of cloud options for the storage of sensitive personal information. A privacy impact assessment may be an effective means of assessing the risks associated with web-based services.
  6. Individuals opting in to the PCEHR System should be made aware of the potential role of CSPs, conformant portal and conformant repository providers in handling PCEHR data.

Education and Training

  1. The Office welcomes the commitment to the provision of education and training to users[21] of the System.[22] All participants in the PCEHR System will require an understanding of how the System will operate. This knowledge will allow individuals and healthcare providers to make an informed decision about participating in the PCEHR System.
  2. The OAIC recommends that any education and training provided to users of the PCEHR System should address obligations under the legislative framework and the Privacy Act. The office also recommends that the legislative framework require healthcare provider organisations to provide training to staff on appropriate access and use of PCEHRs.
  3. To assist healthcare providers and contracted service providers to meet their compliance obligations, the OAIC recommends that the regulator(s) develop a range of guidance material.
  4. The System Operator will be ideally placed to develop a suite of educational materials for different audiences that outline the way the System will operate. Where this advice intersects with privacy issues, this Office would be pleased to provide input.

Section 4 of the draft Concept of Operations: Managing PCEHR information

  1. The following comments address the ‘Related topics’ discussed at Section 4.6, which raises data quality and data retention issues.

Data quality

  1. Under NPP 3, organisations must take reasonable steps to make sure that the personal information they collect, use or disclose is accurate, complete and up-to-date. The OAIC supports the implementation of a data quality management framework that is embedded within a broader clinical governance model and Service Level Agreement, and that is subject to performance management and continuous improvement.[23]
  2. Robust data quality controls will encourage both providers and individuals to place trust in the utility of the data. The OAIC acknowledges that the issue of data quality presents considerable challenges for a large-scale, shared System that is maintained by multiple parties.
Updating personal information
  1. Where local systems are operating in parallel to the PCEHR System, there is a risk that healthcare providers updating local records may not make corresponding updates to the PCEHR System. Consideration will need to be given to how healthcare providers could be mandated to update individuals’ PCEHRs.
Errors
  1. The OAIC welcomes the assurance that clinical documents will be validated and only loaded onto the system when identity details and document structure correspond with the PCEHR and template. The provision of a process for the removal of incorrectly loaded clinical documents is a further positive measure.[24]
  2. In the event that an individual’s personal information is loaded onto another individual’s PCEHR in error, the OAIC suggests that any individual whose personal information was improperly disclosed should be notified, in accordance with the OAIC’s Guide to handling personal information security breaches.[25] Further, a protocol should be created to notify any parties who have viewed the inaccurate data to ensure they are not relying upon inaccurate information.
Correction
  1. The process outlined in the draft Concept of Operations for the correction of clinical documents appears appropriate. The OAIC notes that NPP 6.6 requires that where an individual and an organisation disagree about the accuracy, completeness or currency of a record, the organisation must take reasonable steps to attach a statement from the individual to the record claiming its inaccuracy.

Data retention

  1. The draft Concept of Operations indicates that the question of how long PCEHR data will be retained is under consideration and will be addressed through legislation.[26] Many private healthcare providers have existing data retention obligations under state and territory laws. In recognition of existing requirements in states and territories, the OAIC suggests that the retention period for personal information in PCEHRs should not exceed the maximum period set by any state or territory legislation.
  2. At the end of any retention period imposed by law, it may be necessary to destroy or permanently de-identify the personal information contained in a PCEHR. NPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2.
  3. The office would welcome clarification of the process for destroying, de-identifying or archiving data on an individual’s PCEHR. Access controls and data security measures should continue to apply to any archived data.

Section 5 of the draft Concept of Operations: Privacy and security

  1. The OAIC supports the aim of aligning the privacy concepts underpinning the System with the NPPs.[27] In the OAIC’s view, in the absence of enabling legislation setting different standards, the NPPs are an appropriate standard to apply, particularly given that private healthcare providers will be familiar with them as information handling benchmarks.
  2. The OAIC understands that many aspects of the System’s privacy and security framework are still under development. For example, the draft Concept of Operations does not provide details of the proposed Security and Access Framework or the System’s governance and legislative framework. The office would welcome the opportunity to engage further in these areas as details of these and other aspects of the System become available. The office provides some comments on particular issues raised in this section of the draft Concept of Operations below.

Legislation

  1. The OAIC supports the System being accompanied by enabling legislation. This is consistent with the Australian Government’s First Stage Response[28] to the Australian Law Reform Commission’s (ALRC) inquiry[29] into Australian privacy law and consistent with the recommendations of the National Health and Hospitals Reform Commission’s (NHHRC) Report into the future of the Australian health system.[30]
  2. As the office suggested in its submission to the NHHRC,[31] given the lack of uniform privacy regulation across federal, state and territory jurisdictions, it is important that national projects potentially involving the sensitive information of most Australians have dedicated, project-specific legislation which make reference to the Privacy Act to ensure consistency of privacy protections. This is also consistent with the ALRC’s view that legislation relating to shared electronic health systems ‘should deal with those issues that fall outside existing privacy regulation and provide more stringent rules where necessary’.[32] The OAIC recommends that draft enabling legislation be made available for comment as soon as possible.
  3. The office understands that the Department of Health and Ageing is currently working with jurisdictions to develop a consistent privacy regime that will apply to the PCEHR System irrespective of the location of the individual or healthcare provider.[33] The OAIC suggests that, as the current regulator of the NPPs and the HI Service, it may be well placed to contribute to this work.
  4. The office notes that it has previously suggested that enabling legislation could appropriately address the following matters:[34]
    • identification of an entity with clear responsibility for management of the PCEHR and the health information held in it
    • authorised and permitted information flows
    • prohibition of specific uses and disclosures of PCEHRs to avoid function creep
    • provisions for management of secondary uses
    • specific sanctions and remedies for privacy breaches
    • transparent and accountable governance mechanisms
    • requirements for unique health identifiers in the PCEHR
    • minimum terms and conditions/rights and responsibilities for participation in the PCEHR by individuals and healthcare providers
    • uniform complaint-handling mechanisms.
  5. The OAIC has made a number of other suggestions regarding specific matters it considers could be addressed by enabling legislation throughout this submission.[35]

Privacy Impact Assessments (PIAs)

  1. The draft Concept of Operations states that the development of privacy protections under the System will be informed by the ongoing utilisation of PIAs.[36] The OAIC is strongly supportive of this commitment, as PIAs are a valuable tool for identifying, assessing and managing privacy impacts. In the case of complex projects such as the PCEHR System, it can be beneficial to undertake multiple linked PIAs, or a single PIA involving multiple sub-PIAs to address different aspects of the project. PIAs will generally require ongoing review as the project evolves.
  2. PIAs build community confidence and allay concerns by involving the community in early consultations. Ideally, PIAs should be publicly available shortly after completion. The OAIC would welcome being consulted in the development of PIAs.

Data security

  1. In terms of data security, private sector healthcare providers will be required to comply with NPP 4.1 when handling personal information within the System. NPP 4.1 requires organisations to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.
  2. The sensitivity of the health information will be important in the consideration of what security measures will constitute ‘reasonable steps’ in the circumstances. Given that the PCEHR will contain health information, including often extremely sensitive health information, meeting the requirements of NPP 4.1 will require the implementation of measures that provide a high level of data security.
  3. The OAIC notes that the IEHR model outlined in NEHTA’s 2008 Privacy Blueprint for the Individual Electronic Health Record proposed that data would be stored in a ‘secure, centrally-managed repository’.[37] The PCEHR model proposed in the draft Concept of Operations will instead involve the use of a number of conformant repositories, in addition to a central repository, to store PCEHR data. This, together with the likely use of ‘software as a service’ contracted service providers and conformant portals, poses additional risks to the security of data.
  4. This model will require strong authentication controls, measures to ensure the security of data in transmission and measures to ensure the physical security of data where it is stored. The draft Concept of Operations appears to reflect significant consideration of these issues.
  5. The draft Concept of Operations states that the System will aim to protect the personal information it holds through authentication of individuals and users, access controls, encryption, auditing, proactive monitoring, system standards and legal requirements, security testing, investigation of unauthorised information access or modification, and educating and training users.
  6. The OAIC notes that the specifics of these controls are still under development and the level of privacy protection offered will depend on their final form.

Offshore data storage

  1. The potential use of conformant repositories and ‘software as a service’ contracted service providers in the PCEHR System raises the possibility that data may be stored offshore. The data security implications of this are outlined in this submission’s discussion of Section 3 of the draft Concept of Operations (see ‘Contracted service providers and conformant portal and repository providers’).
  2. The office notes that proposed amendments to the Privacy Act are likely to introduce a number of changes relating to cross-border information flows.

Access controls

  1. Effective, patient-centred access controls are one of the key elements of the PCEHR. They are crucial to the success of the System, and fundamental to its architecture. Without effective access controls, there is the risk that personal information will be more widely available than the individual intended.
Access to clinical documents
  1. The proposal that individuals be provided with the ability to control access to specific clinical documents is welcome. However, the OAIC notes that it is not clear whether these access controls will be available in relation to all types of clinical document in their PCEHR. For example, it appears that individuals will be unable to set specific access controls for different providers in relation to information contained in the Shared Health Summary. Once a provider is on an individual’s ‘include’ list, that provider will automatically have access to all the information in the individual’s Shared Health Summary.
  2. This central clinical document within the PCEHR contains a significant amount of information, including an individual’s medical history and details of medications. The OAIC recognises the clinical value of access to this document for healthcare providers, but notes that some individuals may nevertheless wish to have the option of limiting access to certain types of documents, including the Shared Health Summary.
  3. The OAIC also queries whether there will be scope to control access to clinical documents that consolidate information from a range of sources, such as the Shared Health Summary and the Consolidated View documents. The privacy-enhancing ability to restrict access to specific clinical documents through the ‘limited access’ and ‘no access’ options is reduced by the inability to control access to elements of the Shared Health Summary. For example, an individual’s attempt to limit access to information concerning a particular condition in their PCEHR may be frustrated by the inclusion of details of prescribed medications in the Shared Health Summary that point to the existence of the condition.
  4. The office also suggests that individuals may wish to grant different levels of access for different types of practitioners. For example, an individual may wish to allow broader access to their general practitioner and more narrow access to their pharmacist or podiatrist. The creation of a number of pre-set access levels which can be applied to different providers may be one way of providing individuals with this type of control. Individuals would need to be advised of the implications of limiting access to healthcare providers.
  5. Effective access control measures will be vital to engendering consumer confidence in the PCEHR’s information handling practices. The OAIC looks forward to receiving further clarification of the operation of access controls in the course of future consultations.
Access to ‘particularly sensitive data’
  1. The draft Concept of Operations indicates that there may be stronger e-Authentication requirements for particularly sensitive data.[38] The OAIC would welcome clarification of the meaning of ‘particularly sensitive data’ and the process for assessing the sensitivity of data.
  2. The office notes that all health information is defined as sensitive information by the Privacy Act.
‘Limited access’ and ‘no access’ feature
  1. An effective ‘limited access’ and ‘no access’ feature will be central to providing adequate privacy control. This feature may encourage individuals to opt-in to the System by giving them control over access to particular items of information. The draft Concept of Operations indicates that further consultation will be undertaken on this feature due to its complexity but does not indicate whether this will be settled before the first release of the System.[39]
  2. As it has indicated in previous submissions, the OAIC takes the view that it is important that this feature be built into the System from the first release. Privacy controls should generally be built into the system from the start, rather than developed and added later.
  3. The office suggests that these controls will be central to encouraging consumer confidence. Early inclusion will allow these features to benefit from the same testing in the design phase as the rest of the System’s components.[40] This approach would also be consistent with the Minister for Health and Ageing’s public commitment to building privacy into the design of the system ‘from the ground up’.[41]
  4. The office recommends that guarantees be put in place to ensure that where individuals choose to use the limited access feature or ‘no access’ features, that they will not be disadvantaged by doing so, for example by being refused care.
‘Include’ and ‘exclude’ lists – organisational access
  1. A critical consideration for many individuals deciding to opt-in to the System will be the number of people who could potentially access their PCEHR. Given the PCEHR will be a shared record bringing together information from diverse sources, it will make a greater amount of information more readily available to more people than has previously been possible. Like all information repositories, the System has the potential to be misused. The System will need appropriate access controls to reduce the privacy risks and satisfy consumers that their personal information is secure within the system.
  2. The draft Concept of Operations indicates that access to the PCEHR will be granted or denied at organisational level, rather than at the level of the individual healthcare provider.[42] The OAIC appreciates that this approach may be necessary to allow PCEHRs to be used effectively in large organisations. It will be important for organisations to ensure that only those employees who require access for the delivery of healthcare services access an individual’s PCEHR. It may be appropriate to require healthcare provider organisations, as a condition of participation in the System, to provide training to their employees on the appropriate access and use of PCEHRs.
  3. The office suggests that the inclusion in enabling legislation of penalties for unauthorised access and misuse of PCEHRs could support the appropriate access and use of PCEHRs by healthcare providers.
  4. The implications of the access granted (i.e. the ‘include list’) feature should be made clear to individuals. The OAIC suggests that it will be important for individuals to be made aware that the concept of granting access to employees of healthcare provider organisations who are ‘engaged in your care’ may extend beyond those clinical staff directly engaged in their care to a wide range of employees who are involved in their care in a less direct way.[43]
  5. Similarly, the office suggests that individuals should be notified that where they grant access to an organisation, ‘by inference’ access will also be granted to ‘all network HPI-Os beneath the participating organisation HPI-O’.[44] A failure to raise awareness of these aspects of the PCEHR may lead to potentially negative community reactions.
  6. Clarification on the management of access for clinicians who work at multiple organisations would also be welcome.
Emergency access
  1. The OAIC recognises that there are certain specific circumstances where it is appropriate to override access controls in emergency situations but submits that some limitations should be placed on this type of access.
  2. The office suggests that emergency access controls could be enhanced by ensuring that emergency access overrides are temporary in nature and do not last longer than the emergency period. The OAIC assumes that this type of access will be fully recorded in the audit trail. Further, it is suggested that the circumstances in which emergency access can be granted should be clearly defined and limited. Inclusion of these matters in legislation may be appropriate.
  3. As with other elements of the PCEHR, providing a clear explanation of the operation of the PCEHR in the event of an emergency will allow individuals to make informed choices about whether and how to use the PCEHR System.

Audit trails

  1. As the office highlighted in its submission to the Australian Health Minister’s Conference regarding healthcare identifiers and privacy, maintaining a record of all access to PCEHRs is a key accountability measure and safeguard. It will encourage appropriate use of information and deter and detect security breaches. Audit trails increase transparency and can engender consumer confidence through enhancing oversight capabilities.[45]
  2. The OAIC welcomes the inclusion of an audit facility that will record all activity on the national eHealth infrastructure services and PCEHR-conformant repositories. Recording individual staff members’ access, details of what is accessed, and the date and time of access are positive measures that will enhance data security and also facilitate compliance activities.[46]
Access to audit trail information
  1. The draft Concept of Operations proposes that individuals will be able to see a summary of the audit trail on the System Operator’s website. This will display all the information recorded in the audit trail except the detail of what was accessed and by whom. To obtain this information, individuals will need to make a formal request to the PCEHR Operator.[47]
  2. The OAIC would generally prefer that this information about the handling of individuals’ personal information was available without the need for a formal request. However, the office recognises that some healthcare providers may have legitimate privacy and personal security concerns about ready access to their names via website accessible audit trails. The OAIC therefore considers that, with the caveat that audit trail information is generally provided free of charge and within a reasonable period of time, the process proposed in the draft Concept of Operations represents an acceptable compromise.[48] The OAIC suggests that an appropriate period of time for the provision of access could be set by legislation.
Information recorded in the audit trail
  1. The draft Concept of Operations does not clearly indicate what information will be recorded in the audit trails of the consumer portal and other conformant portals. The audit trails should record the same information about access to the PCEHR via the consumer portal or other conformant portals as will be recorded about access to the PCEHR via other means.
  2. To enhance data quality and transparency, the audit trail should include records of who has modified data, how it has been modified and when it has been modified.
Detection of breaches and accessing the System for compliance purposes
  1. The office supports the use of the information in the audit trail to aid the detection of unauthorised information access or modification, and any other breach of information security, as well as the intention to notify appropriate parties of potential breaches.[49] The OAIC assumes the regulator(s) will be advised.
  2. If a breach is established, the office generally recommends that affected individuals be notified. The OAIC has developed a Guide to handling personal information security breaches that may be a useful reference in developing guidelines for data breach notifications.[50]
  3. Individuals opting in to the System should be made aware of the potential for their PCEHR to be accessed for compliance purposes. The office submits that this type of access to the System should also be recorded in the audit trail, although it may be appropriate to limit access to this information by providers, who may be subject to investigation.
Limitations of the audit trail
  1. The OAIC notes that where information is downloaded from the PCEHR into local records, the PCEHR System audit trail in relation to that information effectively ends. The monitoring of the handling of the information after that point will then depend on the information handling practices of the healthcare provider organisation. It may be appropriate to make individuals aware of this limitation of the audit trail functionality. The OAIC notes that healthcare providers have obligations under the NPPs to ensure that appropriate records management procedures are in place.
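As an added illustration of the access-control and audit-trail design discussed in this and the preceding section (example code written for this page, not part of the OAIC submission and not the PCEHR System’s own implementation), the following Python model evaluates organisation-level access through an ‘include list’ with ‘by inference’ access for network HPI-Os beneath a participating organisation, per-document ‘limited access’ and ‘no access’ settings, a time-limited emergency override that is itself audited, and an audit trail that records who viewed or modified which document, when, and with what outcome. The HPI-O values, document identifiers, access-level names, the one-hour override window, and the choice that the override bypasses every control but permits no edits are assumptions made for the example.

```python
# Added example, not from the OAIC submission or the PCEHR System's own code. HPI-O
# values, document ids, access levels and the one-hour emergency window are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed hierarchy: child HPI-O -> parent HPI-O (None = top level). Access given to
# a participating organisation flows 'by inference' to the network HPI-Os beneath it.
ORG_PARENT: Dict[str, Optional[str]] = {"HPIO-HOSP": None, "HPIO-HOSP-ED": "HPIO-HOSP",
                                        "HPIO-GP": None, "HPIO-PHARM": None}

def org_chain(hpio: Optional[str]) -> List[str]:
    """An organisation plus every ancestor above it in the network."""
    chain: List[str] = []
    while hpio is not None:
        chain.append(hpio)
        hpio = ORG_PARENT.get(hpio)
    return chain

@dataclass
class Document:
    doc_id: str
    access: str = "general"                              # 'general' | 'limited' | 'no_access'
    allowed_orgs: Set[str] = field(default_factory=set)  # consulted only when 'limited'

@dataclass
class AuditEntry:
    when: datetime
    user: str               # the individual staff member, not only the organisation
    hpio: str
    doc_id: str
    action: str             # 'view' | 'modify' | 'emergency'
    outcome: str            # 'granted' | 'denied'
    detail: str = ""

@dataclass
class PCEHR:
    include_list: Set[str]  # organisations the individual has placed on the include list
    documents: Dict[str, Document]
    audit: List[AuditEntry] = field(default_factory=list)
    emergency_until: Optional[datetime] = None

    def emergency_active(self, now: datetime) -> bool:
        return self.emergency_until is not None and now < self.emergency_until

    def grant_emergency(self, user: str, hpio: str, now: datetime,
                        window: timedelta = timedelta(hours=1)) -> None:
        """Override that expires by itself and is itself written to the trail."""
        self.emergency_until = now + window
        self.audit.append(AuditEntry(now, user, hpio, "*", "emergency", "granted",
                                     f"override until {self.emergency_until.isoformat()}"))

    def can_view(self, hpio: str, doc_id: str, now: datetime) -> bool:
        """Organisation-level decision; the override bypasses every control (assumption)."""
        doc = self.documents[doc_id]
        if self.emergency_active(now):
            return True
        if doc.access == "no_access":
            return False
        chain = org_chain(hpio)
        if not any(o in self.include_list for o in chain):
            return False                   # neither the organisation nor a parent is included
        return doc.access != "limited" or any(o in doc.allowed_orgs for o in chain)

    def view(self, user: str, hpio: str, doc_id: str, now: datetime) -> bool:
        ok = self.can_view(hpio, doc_id, now)
        action = "emergency" if self.emergency_active(now) else "view"
        self.audit.append(AuditEntry(now, user, hpio, doc_id, action, "granted" if ok else "denied"))
        return ok

    def modify(self, user: str, hpio: str, doc_id: str, now: datetime, change: str) -> bool:
        """Records who changed what, how and when; the override permits no edits (assumption)."""
        ok = self.can_view(hpio, doc_id, now) and not self.emergency_active(now)
        self.audit.append(AuditEntry(now, user, hpio, doc_id, "modify",
                                     "granted" if ok else "denied", change if ok else ""))
        return ok

def demo() -> dict:
    t0 = datetime(2011, 6, 1, 9, 0)
    rec = PCEHR(include_list={"HPIO-HOSP", "HPIO-GP"}, documents={
        "shs": Document("shs"),                                   # Shared Health Summary
        "mh-note": Document("mh-note", "limited", {"HPIO-GP"}),  # 'limited access' document
        "path-result": Document("path-result", "no_access")})   # 'no access' document
    r = {"ed_sees_shs": rec.view("dr.a", "HPIO-HOSP-ED", "shs", t0),     # by inference via HPIO-HOSP
         "pharm_sees_shs": rec.view("ph.b", "HPIO-PHARM", "shs", t0),     # not on the include list
         "hosp_sees_mh": rec.view("dr.c", "HPIO-HOSP", "mh-note", t0),    # limited to the GP
         "gp_sees_mh": rec.view("dr.d", "HPIO-GP", "mh-note", t0),
         "gp_sees_path": rec.view("dr.d", "HPIO-GP", "path-result", t0),  # 'no access'
         "gp_modifies_shs": rec.modify("dr.d", "HPIO-GP", "shs", t0, "added allergy: penicillin")}
    rec.grant_emergency("dr.a", "HPIO-HOSP-ED", t0)
    r["emergency_in_window"] = rec.view("dr.a", "HPIO-HOSP-ED", "path-result", t0 + timedelta(minutes=30))
    r["emergency_expired"] = rec.view("dr.a", "HPIO-HOSP-ED", "path-result", t0 + timedelta(hours=2))
    r["audit_len"] = len(rec.audit)
    r["emergency_entries"] = sum(e.action == "emergency" for e in rec.audit)
    return r
```

Running `demo()` walks the constructed scenario: the emergency department sees the Shared Health Summary only because its parent hospital is on the include list, the pharmacy is refused, the ‘limited access’ note is visible to the GP alone, the ‘no access’ result is hidden from everyone until the emergency override is granted, and the same request is refused again once the override window has lapsed. Denied attempts are written to the trail alongside granted ones, which is what makes the trail useful for detecting misuse rather than merely recording it; and, as the paragraph above notes, nothing in this trail follows a document once a provider has downloaded it into a local system.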

Automatic uploads

  1. The draft Concept of Operations states that the onus is on the individual to inform their healthcare provider that they do not want a clinical document uploaded into their PCEHR.[51] However, it is also suggested that healthcare providers should inform the individual if a clinical document may not be appropriate to upload. The OAIC suggests that healthcare providers should be provided with guidance about what information may not be appropriate for upload.
  2. The OAIC notes that for this process to offer individuals genuine control over the content of their PCEHR, both individuals and providers will need to be aware of their rights and responsibilities. In the case of providers, the office suggests that their obligation to consider and advise individuals what might be inappropriate for upload may be strengthened by guidance in the terms and conditions.
  3. The draft Concept of Operations does not clarify precisely how documents associated with an episode of treatment will be uploaded to the System. As discussed above, it appears that the consent of individuals to the upload of documents by healthcare providers will be assumed, in the absence of a request to the contrary.
  4. The OAIC would appreciate clarification of potential situations where there is no opportunity for an individual to request that upload does not occur. This situation may arise, for example, in the context of a hospitalisation, where the individual is not able to have input about the upload of the result of each test that is ordered. The office observes that information that is automatically uploaded in this way will be instantly available to all providers on the individual’s ‘include list’.
  5. The individual’s ability to apply ‘limited access’ or ‘no access’ protections to this information appears to be available only following the upload of the information to their PCEHR. There will therefore be a window of time during which this information is accessible by all healthcare providers on the ‘include list’. This may provide less protection to particular documents than individuals might expect of these functionalities. The OAIC queries whether it would be possible to permit upload of documents in a limited way, for example by time, provider or episode of care.
  6. The OAIC recognises that it may not be practical to provide an alternative approach to this issue. As the Office has suggested throughout this submission, the key to developing trust and uptake of the PCEHR will be providing sufficient information about the operation of the System to allow individuals to make informed choices.

Automatic downloads

  1. The OAIC suggests that when downloading information from the PCEHR into local systems, private healthcare providers should bear in mind their obligations under NPPs 1.1 and 10.1 when collecting sensitive personal information.
  2. The Office supports the statement in the draft Concept of Operations that users should only download and/or print information from the PCEHR that is required to support the delivery of the individual’s care or to ensure that medico-legal integrity requirements are addressed.[52] The OAIC suggests this requirement be included in the terms and conditions.

Section 7 of the draft Concept of Operations: Operating model

  1. The OAIC welcomes the statement in the draft Concept of Operations that health information in the PCEHR System will be protected through a combination of legislation, governance arrangements and security and technology measures.[53] As this statement recognises, legislation and governance arrangements are key elements of a comprehensive approach to privacy protection.
  2. The OAIC would welcome clarification of the different roles of the ‘governing body (or bodies)’ referred to at page 87 and the ‘investigative bodies’ referred to at page 25 of the draft Concept of Operations. Further information regarding the relationship of these bodies to the PCEHR System Operator, and their respective roles, would also be useful. The office suggests that details of the proposed governance model and regulatory arrangements should be made available for public comment as soon as possible.
  3. The office understands that these elements of the PCEHR System are currently under development and would be happy to contribute to any future discussion about these aspects of the System.
  4. The draft Concept of Operations indicates that DoHA is currently consulting with States and Territories and relevant Council of Australian Government committees to determine the System’s governance model and appropriate body for investigations.[54] Given its role in regulating private healthcare providers and the Healthcare Identifiers Scheme, the OAIC suggests that it could contribute usefully to these discussions.

Complaint Handling

  1. The OAIC welcomes the commitment to a complaint handling process in which complaints will be dealt with by the PCEHR System Operator in the first instance, and escalated to an investigative body where individuals are not satisfied with the response. The office has held the view that the governing body should attempt to resolve individuals’ complaints in the first instance. However, it should not be the final arbiter of such complaints.[55]
  2. The OAIC considers that it is the appropriate body to oversee privacy complaints arising from the PCEHR System, except for those originating from State and Territory government agencies where there is an existing regulator. In those States where there is no such regulator, arrangements similar to those in place for the Individual Healthcare Identifier could be adopted. The office notes that it is currently the complaint handling body for complaints relating to private sector health service providers and Commonwealth government agencies.

Desirable features of a governance model

  1. The OAIC recognises that the governance model is currently being developed and details are not yet available for comment. The office makes the following general comments regarding the governance model.
  2. The OAIC suggests that:
    • the PCEHR System should be regulated by an independent regulatory body or bodies
    • these functions could possibly be undertaken by existing regulatory and accountability agencies such as the Ombudsman and the Office of the Privacy Commissioner and equivalent state government oversight bodies in regard to state government agencies (where these exist)
    • if there is more than one regulator, the number of regulatory bodies should be minimised
    • if uniform complaint handling mechanisms are not established by legislation, consumers should be made aware that protections they are afforded may vary between jurisdictions
    • as the health sector is already regulated by multiple jurisdictions, if the System is to be regulated by additional regulators, it will be important to ensure that the regulatory framework is compatible and consistent with regulatory frameworks currently in place
    • the regulatory framework will need to effectively manage any cross-jurisdictional issues and could usefully provide for formal structures designed to ensure ongoing consultation and liaison among jurisdictions
    • management and rule-setting functions of the governing body should be separated from accountability and oversight functions.

Section 8 of the draft Concept of Operations: Implementation

  1. As the draft Concept of Operations acknowledges, ‘trust is critical for the success of the rollout and uptake of the PCEHR’.[56] The OAIC notes that an important means of engendering trust is involving the stakeholders in consultations about the implementation of the System.
  2. To date, NeHta has conducted targeted consultation with four reference groups: clinicians, consumers, jurisdictions, and software vendors. Participation in the consumer consultation events arranged to date has been on an ‘invitation only’ basis. The OAIC notes that many of the consumer groups invited to participate in these events represent individuals who have a high level of engagement in the health system.
  3. While the OAIC recognises the significant potential benefit of the PCEHR to individuals who regularly interact with the health system, the office notes that the views of these groups may not necessarily reflect those of the broader community. Individuals who interact less frequently with the health system may have a different perspective on the appropriate balance between privacy and potential health benefits.
  4. The OAIC suggests a process be implemented that facilitates an appropriately wide cross-section of the community being consulted in the development stage of the System. As the draft Concept of Operations acknowledges, early communication regarding privacy options and a comprehensive communication and engagement strategy will be essential.[57] Early engagement with a wide range of the community has the potential to proactively address the concerns of a large number of stakeholders and therefore to enhance the long term uptake of the System.
  5. The OAIC notes that making the draft Concept of Operations available on DoHA’s National Health Reform website may not be an effective means of attracting the attention of the broader community. Other opportunities for encouraging community consultation and collaboration in the development of policies relating to the PCEHR could be explored, including the use of Gov 2.0 strategies.

Section 9 of the draft Concept of Operations: Outcomes evaluation

  1. The OAIC notes that privacy and personal control are not referred to in the outcomes, benefits, or key performance indicators mentioned in this section. As outlined above, it is the office’s view that adequate privacy controls will be central to the success of a personally-controlled record, and ultimately key to community uptake of the System. The OAIC suggests that the evaluation of outcomes should include an assessment of privacy outcomes.


Footnotes

[1] Guide to handling personal information security breaches, Office of the Privacy Commissioner, August 2008.

[2] Privacy Impact Assessment Guide, Office of the Privacy Commissioner, revised May 2010.

[3] p 2, Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority, Office of the Privacy Commissioner, August 2008.

[4] Opening Address to the E-Health Conference, Revolutionising Australia’s Health Care, speech delivered by the Hon Nicola Roxon, Minister for Health and Ageing, Melbourne, 30 November 2010.

[5] Opening Address to the E-Health Conference, Revolutionising Australia’s Health Care, speech delivered by the Hon Nicola Roxon, Minister for Health and Ageing, Melbourne, 30 November 2010.

[6] The Australian Government's draft legislative changes, implementing its response to the ALRC's privacy inquiry, are currently being considered by the Senate Finance and Public Administration Committee with a final reporting date of 1 July 2011. The draft legislation is to be released and subject to the Committee's scrutiny in 4 stages. The Australian Privacy Principles will be part of the First Stage. Health and research provisions will be part of the Third Stage.

[7] p 13, Privacy Impact Assessment Guide, Office of the Privacy Commissioner, revised May 2010.

[8] p 18 of the draft Concept of Operations.

[9] See pp 14-17, Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority, Office of the Privacy Commissioner, August 2008.

[10] p 8, AC Nielsen, Community Consultation: Health Information Privacy: A Research Report, 1998.

[11] The office made this recommendation at p 16, Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority, Office of the Privacy Commissioner, August 2008.

[12] The office made this recommendation at p 14, Healthcare identifiers and privacy: Discussion paper on proposals for legislative support, Submission to the Australian Health Ministers’ Conference, Office of the Privacy Commissioner, August 2009.

[13] p 2, Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority, Office of the Privacy Commissioner, August 2008.

[14] p 19 of the draft Concept of Operations.

[15] For full details see NPP 1.3 under Schedule 3 of the Privacy Act.

[16] See for example the OAIC’s Condensed Privacy Policy August 2006, http://www.privacy.gov.au/privacy-policy. This condensed policy includes the most important information that individuals need and want to know about the office’s information handling practices. If individuals would like more information, the condensed policy contains a link to the office’s full privacy policy.

[17] See paragraphs 20 and 21 of this submission.

[18] p 22 of the draft Concept of Operations.

[19] pp 26 and 51 of the draft Concept of Operations.

[20] AGIMO’s April 2011 Australian Government Cloud Computing Strategic Direction paper suggests that ‘Transitioning citizen (personal) information to the public cloud is not expected to be a viable option within the next several years until the security and privacy concerns highlighted in this document are adequately addressed’.

[21] The OAIC assumes that ‘users’ includes individuals, all categories of healthcare service provider and contracted service providers.

[22] For example, p 8 of the draft Concept of Operations.

[23] p 47 of the draft Concept of Operations.

[24] pp 46-47 of the draft Concept of Operations.

[25] Guide to handling personal information security breaches, Office of the Privacy Commissioner, August 2008.

[26] p 48 of the draft Concept of Operations.

[27] p 49 of the draft Concept of Operations.

[28] See p 131 of Enhancing National Privacy Protection, Australian Government First Stage Response to the Australian Law Reform Commission Report 108, For Your Information: Australian Privacy Law and Practice, October 2009.

[29] For Your Information: Australian Privacy Law and Practice (ALRC Report 108), Australian Law Reform Commission, May 2008.

[30] See pp 8, 29 and 113 of A Healthier Future for all Australians, National Health and Hospitals Reform Commission, June 2009.

[31] See pp 8-9, Healthcare identifiers and privacy: Discussion paper on proposals for legislative support; Submission to the Australian Health Ministers’ Conference, Office of the Privacy Commissioner, August 2009.

[32] ALRC Report 108, For Your Information: Australian Privacy Law and Practice, Australian Law Reform Commission, May 2008.

[33] p 49 of the draft Concept of Operations.

[34] p 4, Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority, Office of the Privacy Commissioner, August 2008.

[35] See Recommendations 2.1, 3.4, 3.5, 3.7, 4.1, 4.2, 4.3, 4.4, 5.6, 5.9, 5.12 and 5.15.

[36] p 51 of the draft Concept of Operations.

[37] p 4, Privacy Blueprint for the Individual Electronic Health Record, NeHta, 2008.

[38] p 54 of the draft Concept of Operations.

[39] p 58 of the draft Concept of Operations.

[40] p 13, Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority, Office of the Privacy Commissioner, August 2008.

[41] Opening Address to the E-Health Conference, Revolutionising Australia’s Health Care, speech delivered by the Hon Nicola Roxon, Minister for Health and Ageing, Melbourne, 30 November 2010.

[42] See for example pp 54-58 of the draft Concept of Operations.

[43] p 55 of the draft Concept of Operations.

[44] p 54 of the draft Concept of Operations states that the ‘include’ and ‘exclude list’ contain the ‘participating organisation’ HPI-O and by inference includes all network HPI-Os beneath the participating organisation HPI-O.

[45] p 15, Healthcare identifiers and privacy: Discussion paper on proposals for legislative support, Submission to the Australian Health Ministers’ Conference, Office of the Privacy Commissioner, August 2009.

[46] pp 60-61 of the draft Concept of Operations.

[47] p 61 of the draft Concept of Operations.

[48] Note that NPP 6 sets some limitations on the right to access of personal information.

[49] p 61 of the draft Concept of Operations.

[50] Guide to handling personal information security breaches, Office of the Privacy Commissioner, August 2008.

[51] p 56 of the draft Concept of Operations.

[52] p 33 of the draft Concept of Operations.

[53] p 8 of the draft Concept of Operations.

[54] pp 25, 61 and 84 of the draft Concept of Operations.

[55] p 8, Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority, Office of the Privacy Commissioner, August 2008.

[56] p 93 of the draft Concept of Operations.

[57] p 111 of the draft Concept of Operations.