National Repositories Service — eHealth record System Operator: Audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988
Draft report issued: May 2014
Final report issued: November 2014
Part 11 — Summary of recommendations
Recommendation 1 — use of appropriate definitions
- employ the terms ‘personal information’ and ‘sensitive information’ as defined in the Privacy Act
- take into account recent amendments to the Privacy Act.
Recommendation 2 — emphasise Privacy Act obligations
Recommendation 3 — review for readability
- providing more contextual information as to the relationship between the documents (such as the ‘related documents’, ‘intended audience’ and ‘document map’ tables described above)
- ensuring the content of the documents is consistent, up to date, easy to follow, explains key concepts and terms and reflects current practice.
Recommendation 4 — implement overall privacy control mechanism
Recommendation 5 — manage collaboration risks
- general risk profile — undertaking a TRA and a PIA on the use of the IMS and the System Operator’s EDRMS system for eHealth activities, with particular reference to their adequacy in the eHealth incident management context and the effectiveness of their access controls
- policy risk — ensuring consistency of protocols used by each stakeholder that govern the use of the IMS
- access risk — considering smaller restricted IMS communities and if possible restrict access to tickets containing personal or sensitive information to personnel in the community who need access
- access risk/trusted insider risk — utilising dynamic passwords and/or other forms of authentication (for example RSA tokens)
- access risk/trusted insider risk — ensuring all personnel accessing incident information on the IMS have the necessary baseline clearance
- trusted insider risk — if possible limiting or preventing downloading of material from the IMS
- trusted insider risk/monitoring risk — if possible and appropriate, the System Operator could consider real time monitoring of IMS usage, especially as the amount of incident information held in the IMS increases over time
- shadow database risk — considering whether the information in the IMS and in the System Operator’s EDRMS system can be destroyed or de-identified in accordance with the Archives Act 1983
- relocating incident information (from both the IMS and the System Operator’s EDRMS system) to a location within the NRS
- implementing its own incident tracking system, under the direct control of the System Operator and used solely for managing eHealth system incidents.
I wonder what an audit of the overall PCEHR program would reveal if this was what was found with a very constrained and limited paper review?