Wednesday, September 05, 2012

The Office Of The Australian Information Commissioner Provides Draft Enforcement Guidelines for E-Health Records. Seem Fairly Sensible But Will Need To Work in Practice!

First some background from the Information Memorandum:

Privacy and the eHealth record system

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the eHealth record system.
The legislation limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy for the purposes of the Privacy Act 1988.
The OAIC regulates privacy aspects of the eHealth record system. This includes regulating the handling of eHealth record system information by individuals, Commonwealth government agencies, private sector organisations and some state and territory agencies (in particular circumstances).
The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s eHealth record. The OAIC can also conduct ‘own motion investigations’.
More information about privacy and the eHealth record system can be found on the OAIC’s website at www.privacy.gov.au/law/other/the-ehealth-record-system.

The Australian Information Commissioner’s powers

The PCEHR Act confers on the Australian Information Commissioner a range of enforcement powers following an investigation, including:
· the power to seek a civil penalty from the Courts
· the power to seek an injunction to prohibit or require particular conduct
· the power to accept enforceable undertakings.
In addition, the OAIC has a role in accepting data breach notifications from certain eHealth records system participants.
In addition to the powers conferred by the PCEHR Act, the Information Commissioner’s existing Privacy Act investigative and enforcement powers will be available. This includes complaint conciliation and the power to make formal determinations, as well as the investigative powers and procedures contained in Part V of the Privacy Act. These Privacy Act mechanisms are triggered by section 73 of the PCEHR Act, which provides that certain contraventions of the PCEHR Act are “taken to be: (a) for the purposes of the Privacy Act 1988, an interference with the privacy of a consumer; and (b) covered by section 13 or 13A of that Act.”

Enforcement Guidelines

Section 111 of the PCEHR Act requires the Information Commissioner to issue guidelines outlining how the OAIC will approach enforcement issues under the PCEHR Act and related legislation. The Information Commissioner must have regard to these guidelines when exercising functions and powers under the legislation.
The legislation requires the OAIC’s Enforcement Guidelines to be made by legislative instrument. The Legislative Instruments Act 2003 requires the Information Commissioner to undertake appropriate consultation before making the instrument.

Proposed guidelines

Draft Enforcement Guidelines

In order to fulfil the requirements of section 111 of the PCEHR Act, the OAIC has prepared draft Enforcement Guidelines which outline how the OAIC will approach enforcement issues in connection with the eHealth record system.
The draft Enforcement Guidelines are available on the OAIC’s website at www.oaic.gov.au/news/consultations.html#current_consultations

Overview of approach

The OAIC’s intended approach to PCEHR Act enforcement activities is as follows:
· Complaints will generally be accepted under the Privacy Act and investigated using the investigative powers and processes contained in Part V of the Privacy Act. The OAIC will attempt to facilitate conciliated outcomes between the parties and, where appropriate, will pursue enforcement mechanisms available under either the PCEHR Act or the Privacy Act.
· Own motion investigations will generally be conducted under the Privacy Act using the investigative powers and processes contained in Part V.
· The Commissioner retains a discretion to investigate conduct using the investigative power in s 73(4) of the PCEHR Act where the Commissioner considers it appropriate. In such cases, the Commissioner will adopt an investigative process which, wherever possible, mirrors the investigative process contained in Part V of the Privacy Act.
The draft enforcement guidelines are found here:
What I found useful was the following from Page 5.
----- Begin Extract
Alleged contraventions of the PCEHR Act may be brought to the Information Commissioner's attention by a range of avenues including:
a) a complaint by an individual;
b) as the result of a data breach notification provided in accordance with section 75 of the PCEHR Act;
c) as a result of a voluntary data breach notification made by an entity not covered by section 75 of the PCEHR Act;
d) as a referral from another regulator in certain circumstances;
e) as a result of media communications;
f) as a result of communications by an informant;
g) during the course of an investigation conducted by the Information Commissioner.
---- End Extract.
The key to Section 75 of the PCEHR Act appears to be the following reasons for notification to the Information Commissioner.
----- Begin Extract.
(b)  the entity becomes aware that:
(i)  a person has, or may have, contravened this Act in a manner involving an unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR; or
(ii)  an event has occurred or circumstances have arisen (whether or not involving a contravention of this Act) that compromise, or may compromise, the security or integrity of the PCEHR system; and
(c)  the contravention, event or circumstances directly involved, may have involved or may involve the entity.
----- End Extract.
To me all this makes it pretty clear that anyone who feels there has been information leakage can complain to the OAIC and that, within resources, it will be followed up. The various other sources of information to alert the OAIC seem sensible. What is a little more problematic is just how the relationship between the poacher and the gamekeeper (DoHA System Operator and the OAIC) will work in practice and how much transparency there will be in practice.
All in all I think this looks pretty reasonable. The test will be in implementation given the UK experience reported here:

UK data-blurt cockups soared 1,000 PER CENT over last five years

That was supposed to be a secret but it got out
The number of times Brits' sensitive data has been lost or leaked in the UK has risen 1,000 per cent over the past five years. Councils recorded the biggest increase in breaches of data protection law, according to figures obtained by a Freedom of Information Act request.
The stats from the Information Commissioner’s Office (ICO) revealed a huge jump in the number of self-reported bungles each year since 2007. Local government data law breaches increased by 1,609 per cent over that period of time. The average increase across Blighty's private and public sectors is 1,014 per cent.
Incidents of lost or leaked information in the private sector grew 1,159 per cent in that five-year period. NHS record breaches increased 935 per cent over the same period while central government data cock-ups increased 132 per cent.
Only the telecoms sector delivered a decrease in the number of info blunders from year to year, falling from six breaches in 2010/11 to zero in 2011/2012.
The latest full-year figures log 821 data breaches in the UK in 2011/2012. Precisely how many individuals were affected by each breach was not disclosed. The most recent quarterly results show that the NHS was responsible for the most incidents in Q2 2012 with 61 breaches, closely followed by local government (59) and private business (26).
Lots more here:
Reads like a huge mess we need to avoid.
Some press comments have also appeared on the Draft Guidelines. Here is one:

OAIC: Are our eHealth breach requirements enough?

Summary: The Office of the Australian Information Commissioner has drafted its guide on how eHealth service providers must respond to data breaches, and is seeking public comment to ensure nothing is missed.
By Michael Lee |
The Office of the Australian Information Commissioner has released its draft guide (PDF) on how mandatory data breach notifications should be handled under the personally controlled electronic health record (PCEHR) system, and is once again polling the public on whether its approach to the issue is adequate.
The draft guide states that organisations dealing with eHealth records must notify the System Operator (SO) — currently, the Secretary of the Department of Health and Ageing — and the OAIC, as soon as they are aware of a data breach occurring. The SO is the only entity that is permitted to inform customers of the breach.
The SO is able to put in place administrative sanctions and cancel, suspend, or vary the offending service provider's registration in the PCEHR system, but it is unable to put in place civil penalties. Instead, the role of issuing penalties will be given to the OAIC, which will for the first time, under the PCEHR legislation, be able to fine organisations for not reporting data breaches. Penalties will be AU$11,000 for an individual, and up to AU$55,000 for organisations.
Unless the organisation is a state or territory entity (which is only required to report breaches to the SO), failing to report to both the SO and the OAIC constitutes a failure to notify.
If the SO, itself, is involved in a data breach, it must report it to the OAIC, but there are no penalties if the SO fails to do so. However, the OAIC is free to investigate the SO if it suspects that a breach has occurred and has not been reported.
Lots more here:
The author makes a good point about breach disclosure. If it is not automatic, all breaches should certainly be the subject of, say, a monthly public report or similar. The System Operator keeping breaches secret is not on!
I have provided details on how to comment here:
David.

1 comment:

Paul Fitzgerald said...

My reading of this is that the SO is not bound by the rules like we mere mortals. They are not compelled to report breaches.