Published 03 September 2024
Part 1: Executive summary
1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Australian Digital Health Agency’s (ADHA) my health mobile application (my health app) and its compliance with requirements in the Australian Privacy Principles (APPs).
1.2 The my health app is owned and operated by the ADHA, which is also the My Health Record (MHR) system operator. At the time of assessment, the my health app’s privacy policy stated the app ‘allows you to access, download, store and share your health information from your My Health Record. If you are an authorised representative (such as a parent, guardian, or carer) or a nominated representative for another person with a My Health Record, you can access that person’s health information via the ‘my health’ app.’[1]
1.3 The scope of this assessment considered the ADHA’s handling of personal information in relation to the MHR system through the my health app in accordance with APP 1.2 (open and transparent management of personal information), APPs 1.3 & 1.4 (clearly expressed and up-to-date APP Privacy Policy about how the entity manages personal information) and APP 5 (notification of the collection of personal information).
1.4 The assessment found the privacy policy and collection notices informed users of the collection and use of personal information. The OAIC also found the ADHA put in place security measures to support the handling of data as outlined in the privacy policy, but we did not assess the effectiveness of those measures. The OAIC did not identify any compliance risks associated with the my health app’s information collection notices.
1.5 However, the assessment also identified 3 medium privacy risks regarding the my health app privacy policy’s compliance with APPs 1.3 and 1.4 and made 3 recommendations accordingly. Specifically, the OAIC recommended:
- OAIC Recommendation 1: The ADHA should provide greater clarity around overseas disclosure of personal information, and ensure that information about these disclosures in the policy reflects current practice.
- OAIC Recommendation 2: The ADHA should update the language used in the my health app privacy policy to ensure users can consistently differentiate between the my health app and the user’s My Health Record. Additionally, at point 2.0 in the my health app privacy policy the word ‘collect’ should be changed to the words ‘permanently store’.
- OAIC Recommendation 3: The ADHA should review the my health app privacy policy to consider the relevance of the content included in the policy to the management of personal information.
Part 2: Introduction
Background
MHR System
2.1 The MHR system is the Australian Government’s digital health record system, which provides registered healthcare recipients, healthcare professionals and healthcare providers with access to a summary of the registered healthcare recipient’s key health information.
2.2 The MHR system operates under the My Health Records Act 2012 (MHR Act), which establishes the role and functions of the MHR system operator, the ADHA, the registration framework for individuals and entities to participate in the MHR system, and the privacy framework surrounding the collection, use and disclosure of MHR information.
2.3 The OAIC is funded by the Australian Government to oversee the privacy aspects of the MHR system, including providing independent privacy assessment services to the ADHA.
2.4 While many individuals who are registered healthcare recipients interface directly with the MHR system to access their MHR data through the Australian Government’s myGov portal, others may rely on commercial or non-commercial service providers who act as intermediaries to facilitate that access through software products and services.
2.5 A ‘registered portal operator’ (RPO) is a person who is the operator of an electronic interface that facilitates access to the MHR system and is registered to participate in the MHR system as a Portal Operator.
2.6 RPOs develop authorised mobile applications designed to allow individuals to view their own record, or to access records in their capacity as another individual’s representative, by providing secure ‘view only’ access through the MHR system’s mobile gateway.
my health app
2.7 The my health app launched in March 2023 and is owned and operated by the ADHA. The ADHA is the System Operator of the MHR system in accordance with the MHR Act. The ADHA developed the my health app, with Chamonix IT Management Consulting (SA) Pty Ltd (Chamonix) providing development and support services.
2.8 The my health app is a product developed to enable individuals and their representatives to access, download, store and share their health information from the MHR system. The app is described in its privacy policy as an application programming interface (API): it facilitates the exchange of data between the MHR system and a user’s device, so that MHR information held on the MHR system can be displayed on the app user’s mobile device.
Part 3: Findings
3.1 The key observations and findings of the OAIC’s assessment of the my health app are set out below.
3.2 The OAIC reviewed the my health app privacy policy,[2] collection notice[3] and a number of other documents provided by the ADHA.
3.3 The assessment examined:
- the my health app privacy policy and evidence of adherence to this policy
- the steps taken by the ADHA to implement practices, procedures and systems to ensure that personal information is dealt with in accordance with its privacy policy and information collection notice
- the information flows for the my health app, including as between Chamonix and the ADHA
- privacy collection notices (including in-app notifications and notices)
- consent notices and practices when using the app (including any information, notices or notifications on signing-up and in relation to changes of in-app permissions that may be relevant to the handling of personal information).
3.4 The ADHA provided the OAIC with evidence of practices, procedures and systems that seek to ensure the entity’s compliance with the APPs. This included Systems Security Plans, my health app Privacy Policy, screen transitions and error handling documents and a Privacy Impact Assessment. Additionally, the ADHA provided a large volume of security procedures regarding risk management, disaster recovery and intrusion prevention.
3.5 The ADHA also provided documentation regarding the my health app’s development and maintenance.
APP 1.2 – implementation of practices, procedures and systems
3.6 This assessment sought to determine whether the ADHA is taking reasonable steps under APP 1.2 to implement practices, procedures and systems to handle personal information in accordance with its APP privacy policy and privacy notice required under APPs 1.3-1.4 and APP 5 respectively. This includes a focus on the way that information flows through the app and the security of this information.
Security of the my health app
3.7 The assessment team found that the following constituted reasonable steps taken under APP 1.2 in relation to the security of the my health app:
- documentation that demonstrated that reasonable steps had been taken to implement practices, procedures and systems relating to the security of the app, including a Privacy Impact Assessment and a System Security Plan
- the app is subject to security testing. This included penetration testing, code review and security assessments
- the app utilised several security measures, including firewalls, encryption, access restrictions and attack surface reduction, supported by documented policies
- the ADHA provided information and documents concerning the governance structures in place to support system security, including a system security plan.
3.8 Specifically, the system security plan includes the following:
- a continuous monitoring plan
- incident response plans
- disaster recovery plans
- security and penetration testing
- software code reviews
- Information Security Registered Assessors Program (IRAP) assessment of the app
- standard operating procedures around administration and patch management.[4]
Information flows
3.9 The my health app privacy policy describes the app as a method by which you may access your health information from the MHR system. The privacy policy states that the health information you access through the ‘my health’ app can be viewed in the app for as long as the app is open, and that no health information you access will be retained on the device when you log out or close the app. The assessment found the my health app operates in the way described in the privacy policy in the following ways:
- a data flow diagram and a security boundary diagram demonstrated the flow of personal information between the my health app and MHR environments
- the systems diagram indicated Chamonix tests and deploys the my health app software code. It only has access to the vendor test environment, not to MHR data
- the my health app displayed data from the MHR system based on what part of the MHR the app user seeks to access. All MHR information is hosted by the system operator (ADHA) and is displayed in the app on the user’s mobile device
- Chamonix does not collect, use or hold personal information from the app or MHR. The ADHA’s documentation demonstrated that the personal information displayed via the app came from the MHR environment and was not contained within the app, only displayed there to be viewed when an individual is using the app.
3.10 The my health app utilises the myGov system to facilitate login to the app.[5] This may also include a myGovID. When accessing the my health app login screen, users are directed to log in using myGov. Users are taken out of the my health app environment to the myGov login screen. Once they have successfully logged in to myGov, users are brought back to the my health app and are able to view MHR information.
3.11 The documentation provided by the ADHA, specifically the my health app’s system security plan, security boundary diagrams and data flow diagrams, along with interviews with relevant staff, indicates that personal information is not retained by the my health app. This evidence also indicates that upon the user closing the app or logging out, the information is not stored in the app.
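The report accepts the ‘nothing is retained on the device’ claim in 3.9 and 3.11 on the basis of documentation and interviews, and notes in 1.4 that the effectiveness of the security measures was not tested. The following is an added example, not OAIC or ADHA material, of the check a practitioner would run to test that claim directly: log in to the app with a test record you control, log out, close the app, pull the app’s sandbox (an Android app data directory or an iOS app container) to a local folder, and scan every file in it for strings that only the test record could have produced. The sandbox layout, the marker strings and the sample files it builds are constructed for illustration.

```python
"""Residue check for a 'view only, nothing retained' mobile client.

Added example, not OAIC or ADHA material. Assumes the app's sandbox
has been copied to a local directory after logout and app close.
Paths, markers and sample files below are constructed for illustration.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Strings that must not appear on disk once the session ends. Constructed for
# this example; in practice seed them from a test record you control
# (document titles, a test-record identifier, a clinician name, and so on).
DEFAULT_MARKERS = ("Shared Health Summary", "TEST-RECORD-0001")

# Caches (SQLite, JSON, plist) are usually UTF-8; string tables and some
# platform caches are UTF-16, so a UTF-8-only search would miss them.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")


def _encoded(marker: str) -> list[bytes]:
    return [marker.encode(enc) for enc in ENCODINGS]


def scan_file(path: Path, markers=DEFAULT_MARKERS, chunk: int = 1 << 20) -> list[str]:
    """Return the markers found in `path`.

    Reads in chunks and carries the tail of the previous chunk forward so a
    marker straddling a chunk boundary is still detected.
    """
    needles = {m: _encoded(m) for m in markers}
    overlap = max(len(b) for variants in needles.values() for b in variants)
    found: set[str] = set()
    try:
        with path.open("rb") as fh:
            tail = b""
            while True:
                block = fh.read(chunk)
                if not block:
                    break
                data = tail + block
                for marker, variants in needles.items():
                    if marker not in found and any(v in data for v in variants):
                        found.add(marker)
                tail = data[-overlap:]
    except OSError:
        # Unreadable file (permissions, special file). Report no markers here;
        # the caller decides whether an unreadable file is itself a finding.
        return []
    return sorted(found)


def find_residue(sandbox: Path, markers=DEFAULT_MARKERS) -> dict[str, list[str]]:
    """Walk the sandbox and map each offending file (relative path) to its markers."""
    hits: dict[str, list[str]] = {}
    for root, _dirs, files in os.walk(sandbox):
        for name in files:
            p = Path(root) / name
            if p.is_symlink():
                continue  # never follow links out of the pulled sandbox
            matched = scan_file(p, markers)
            if matched:
                hits[str(p.relative_to(sandbox))] = matched
    return hits


def build_sample_sandbox() -> Path:
    """Construct a throwaway directory resembling a post-logout app container."""
    base = Path(tempfile.mkdtemp(prefix="app-sandbox-"))
    (base / "cache").mkdir()
    (base / "databases").mkdir()
    # Harmless: a preference file with no record content.
    (base / "shared_prefs.xml").write_text("<map><boolean name='onboarded' value='true'/></map>")
    # Harmless: an opaque binary blob (an image thumbnail, say).
    (base / "cache" / "image.bin").write_bytes(os.urandom(4096))
    # Residue: a UTF-16 string-table fragment that names a document type.
    (base / "cache" / "strings.dat").write_bytes(
        b"\x00" * 10 + "Shared Health Summary".encode("utf-16-le")
    )
    # Residue: an unencrypted cache row still holding the test-record identifier.
    (base / "databases" / "cache.db").write_bytes(
        b"SQLite format 3\x00" + b"\x00" * 80 + b"TEST-RECORD-0001"
    )
    return base


if __name__ == "__main__":
    box = build_sample_sandbox()
    for rel, found in sorted(find_residue(box).items()):
        print(f"{rel}: {', '.join(found)}")
```

An empty result is evidence for the ‘view only’ claim only for the markers you seeded and the sandbox you pulled; device-level keyboard caches, screenshots taken by the OS for the app switcher, and any files the app writes outside its container need to be checked separately.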
APPs 1.3 and 1.4 – my health app privacy policy
3.12 This assessment seeks to determine whether the ADHA has outlined the information described in APP 1.4 in a clearly expressed and up-to-date privacy policy as required under APP 1.3.
3.13 The OAIC identified 3 medium privacy risks associated with the my health app's privacy policy and has made 3 recommendations below to address these privacy risks.
3.14 The ADHA advised that the privacy policy was written in consultation with various stakeholders within the ADHA including communications, legal, privacy, product owners and user testing areas.
3.15 The my health app privacy policy is inconsistent, and therefore ambiguous, about the disclosure of personal information to overseas entities. At point 9.1 the policy states:
There is no requirement in Australian privacy law for the disclosure of your personal information stored on your ‘my health’ app to any overseas entity.
3.16 At point 10, the policy lists authorised collections, uses and disclosures of personal information, then states:
All of these types of disclosures are permitted under the Privacy Act 1988 (Cth) and would usually be made to an Australian entity but may, in unusual circumstances, be made to an overseas entity.
3.17 The ADHA advised that this inconsistent approach in the policy was intentional to allow for situational responsiveness and to avoid breaching the policy.
3.18 The OAIC recommends that the my health app privacy policy provide greater clarity around overseas disclosure of personal information and consistently describe the approach to overseas disclosures to ensure the policy meets the requirements of APP 1.4(f) and (g). If no overseas disclosures are occurring, then the privacy policy should clearly state this.
3.19 Further, APP 1 requires policies to be up to date. Presently, the ADHA does not disclose personal information overseas and does not foresee this position changing in the immediate future. The policy’s statement that disclosures may be made to an overseas entity therefore does not reflect current practice.
OAIC Recommendation 1: The ADHA should provide greater clarity around overseas disclosure of personal information, and ensure that information about these disclosures in the policy reflects current practice.
3.20 The my health app privacy policy both differentiates and conflates the functionality of the my health app and the MHR. This could lead to confusion and ambiguity in terms of what personal information is handled by the app. The use of interchangeable language about the my health app and the MHR conflates these separate concepts.
3.21 ADHA should consider the open and transparent management of personal information by ensuring the app and MHR are not referred to in a conflated manner. Interchangeable referencing, irrespective of whether they operate together, does not meet the requirement for a clearly expressed and up to date policy about the management of personal information.
3.22 The ADHA should consider taking a layered approach to the my health app privacy policy by referring the reader to the MHR privacy policy for information concerning the MHR and the my health app privacy policy dealing solely with the app’s handling of personal information to avoid confusion.
3.23 Furthermore, the evidence provided by the ADHA demonstrates that the my health app functions as the API described in the my health app privacy policy. The ADHA described the app as a ‘tunnel’ for conveying MHR information to the user. The information is viewable via the app, indicating that the app temporarily collects personal information to facilitate access to the user’s MHR, but the information is not retained in the app itself.
3.24 However, the my health app privacy policy states that the app does not collect or use personal information. Under the Privacy Act, an APP entity ‘collects’ personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication.’[6] This concept applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means.[7] Information being viewable on an electronic device via the my health app may be considered a temporary collection despite the information not being permanently retained. Therefore, the ADHA should change the word ‘collect’ at point 2.0 of the my health app privacy policy to the words ‘permanently store’. This would more accurately describe the functioning of the app and avoid confusion around the technical meaning of the word ‘collection’.
OAIC Recommendation 2: The ADHA should update the language used in the my health app privacy policy to ensure users can consistently differentiate between the my health app and the user’s My Health Record. Additionally, at point 2.0 in the my health app privacy policy the word ‘collect’ should be changed to the words ‘permanently store’.
3.25 The my health app privacy policy is a lengthy document with repetitive content. For example, points 4.0 and 5.0 of the policy both state that an authorised representative may access the MHR of another user. There is a significant amount of operational and instructional information in the privacy policy regarding the set-up and functioning of the my health app which is arguably not relevant to the management of personal information by the ADHA. Further, the policy includes information relating to the operation of the MHR as opposed to the my health app.
3.26 At a minimum, a clearly expressed policy should be easy to understand (avoiding jargon, legalistic and in-house terms), easy to navigate, and only include information that is relevant to the management of personal information by the entity.
3.27 ADHA should review the my health app privacy policy to consider the relevance of the material in the policy to the management of personal information in relation to the my health app.
OAIC Recommendation 3: The ADHA should review the my health app privacy policy to consider the relevance of the content included in the policy to the management of personal information.
APP 5 – my health app collection notice
3.28 The assessment seeks to determine whether the ADHA is taking reasonable steps to notify individuals of the collection of personal information in accordance with APP 5.1 and has privacy notices (including in-app notifications) that address the matters listed in APP 5.2.
3.29 The ADHA has taken a number of steps to notify individuals of the collection of personal information in accordance with APP 5.1. One such step is the in-app statements which precede consent to collect personal information. At the point of sign-up to the app and in the process of setting up accounts, the assessment found that adequate notices were provided to ensure awareness of the collection of personal information. The content of these notices was sufficient to address the matters outlined in APP 5.2. Additionally, links from the in-app statement to the my health app privacy policy and terms of use were provided to users during the set-up process in a timely manner.
3.30 The OAIC did not identify any compliance risks associated with APP 5.
3.31 The my health app has the functionality to allow users to download their health information to their personal device or to share this information with another user. This means that the data is no longer held by the ADHA and becomes the responsibility of the user. When users download MHR information from the app or share their personal information as a file, a notification requires them to confirm that they want to save a copy or confirm their intention to share the information. These notifications and prompts provide adequate notice that the personal information will now be stored on the device.
3.32 While the app is not collecting personal information in this process and a notification is not strictly required, the ADHA demonstrated a user-centric approach by creating notifications and prompts to raise user awareness of protecting personal information.
Part 4: Recommendations and responses
OAIC Recommendation 1: The ADHA should provide greater clarity around overseas disclosure of personal information, and ensure that information about these disclosures in the policy reflects current practice.
ADHA response: Accept
The Agency will review the my health app’s privacy policy to align the elements concerning possible overseas disclosure of personal information.
OAIC Recommendation 2: The ADHA should update the language used in the my health app privacy policy to ensure users can consistently differentiate between the my health app and the user’s My Health Record. Additionally, at point 2.0 in the my health app privacy policy the word ‘collect’ should be changed to the words ‘permanently store’.
ADHA response: Accept
The Agency will review the my health app’s privacy policy in accordance with this recommendation.
OAIC Recommendation 3: The ADHA should review the my health app privacy policy to consider the relevance of the content included in the policy to the management of personal information.
ADHA response: Accept
The Agency will review the my health app’s privacy policy to consider the relevance of content, informed by the need for the continuing provision of an optimal user experience.
Part 5: Description of the Assessment
Objective and Scope
5.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.
5.2 This assessment considered the following APPs:[8]
- APP 1.2 – the entity (ADHA) takes reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and any binding registered APP code;
- APP 1.3 and 1.4 – the entity has a clearly expressed and up-to-date APP Privacy Policy about how the entity manages personal information; and
- APP 5 – the entity must take reasonable steps to notify an individual of the collection of personal information.
5.3 Specifically, the assessment considered whether the ADHA:
- is taking reasonable steps under APP 1.2 to implement practices, procedures and systems to handle personal information in accordance with its APP privacy policy and privacy notice required under APPs 1.3-1.4 and APP 5 respectively;
- has outlined the information described in APP 1.4 in a clearly expressed and up-to-date privacy policy as required under APP 1.3;
- is taking reasonable steps to notify individuals of the collection of personal information in accordance with APP 5.1; and
- has privacy notices (including in-app notifications) that address the matters listed in APP 5.2.
5.4 The scope of this assessment is limited to the handling of the personal information (including MHR information) of registered healthcare recipients in the my health app.
Privacy risks
5.5 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (see Appendix A), the OAIC makes recommendations to the ADHA about how to address those risks. These recommendations are set out in Part 4 of this report.
5.6 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinion are only applicable to the time period in which the assessment was undertaken.
5.7 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.
Conduct of the assessment
5.8 The OAIC conducted a risk-based assessment of the ADHA’s handling of personal information (including MHR information) of registered healthcare recipients in relation to the APPs.
5.9The assessment involved the following:
- review of relevant documents provided by the ADHA
- fieldwork, which included virtual interviews of key members of staff through videoconferencing platforms on 31 July 2023.
Reporting
5.10 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.
Assumptions and Caveats
5.11 This report is not an endorsement of the my health app by the OAIC, or any other ADHA or Chamonix product or service.
Part 6: Appendices
Appendix A – Privacy risk guidance
Privacy risk rating | Entity action required | Likely outcome if risk is not addressed
---|---|---
High risk | Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation | Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects
Medium risk | Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation | Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects
Low risk | Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation | Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed
[1] The ADHA has advised that the my health app is intended to be a Digital Health app, not simply an MHR app. The my health app’s functionality is intended to expand to include additional non-MHR functionality, such as the functionality to store electronic prescriptions, and access and manage Active Script List.
[3] As of 7 February 2023.
[4] An IRAP assessment is an independent assessment of the implementation, appropriateness and effectiveness of a system's security controls.
[5] For information about the operation of myGov and the way myGov handles personal information, consult the myGov privacy notice.
[6] Section 6(1) Privacy Act.
[7] See chapter 3, paragraph 3.5 of the OAIC’s APP guidelines.
[8] Please see the Australian Privacy Principles for full version.