He keeps saying there have been no security breaches when the OAIC says there have been. Who do you believe?
-----
Is Tim Kelsey Telling An Untruth Here Or Am I Missing Something?
At the National Press Club last week Mr. Kelsey said the following in his prepared speech:
----- Begin Extract.
Tim Kelsey: My Health Record has a range of protocols which mean that all instances of access by a clinician are attributable directly to that person and recorded in real time. Unauthorised access is subject to a custodial prison sentence of up to two years. Trust is the essence of medicine. Digital services can support confidentiality and not undermine it. My Health Record operates to the highest cyber security standards in Australia, and is independently audited on that basis by a number of organisations, including the Australian Signals Directorate. The agency has set up a national cyber security centre to ensure constant multi-layered surveillance of My Health Record. Since the system was launched in 2012, there has been no breach.
But, real time vigilance, of course, remains our highest priority. People are quite rightly concerned about the security of their privacy information, and that's why they have a right to make a choice. That's why the Australian government was absolutely right to introduce opt-out into this measure.
----- End Extract.
Here we have the Office of The Australian Information Commissioner (OAIC) Report for 2016-17.
----- Begin Extract.
Annual report of the Australian Information Commissioner’s activities in relation to digital health 2016–17
Part 1: Executive summary
From 1 July 2016, national digital health governance arrangements and My Health Record system operations transitioned from the Department of Health and the National E-Health Transition Authority to a new body, the Australian Digital Health Agency (the Agency).
This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2016–17, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (Cth) (HI Act), as outlined in the 2016–17 memorandum of understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Agency.
The report also provides information about the OAIC’s other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.
More information about the MOU is provided below in section 2 of this report. The MOU can also be accessed on the OAIC’s website www.oaic.gov.au.
This was the fifth year of operation of the My Health Record system and the seventh year of the Healthcare Identifiers (HI) Service, a critical enabler for the My Health Record system and digital health generally.
The management of personal information is at the core of both the My Health Record system and the HI Service (collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the My Health Record system and the HI Service.
The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get their My Health Record. In March 2016, the Australian Government commenced a trial of opt-out system participation in Far North Queensland and in the Nepean Blue Mountains region of New South Wales. A My Health Record was created for each individual living in those areas, unless the individual chose to opt-out of participating in the trial.
Changes to the My Health Records Act introduced by the Health Legislation Amendment (eHealth) Act 2015 enabled the trial to be undertaken. That amendment Act also introduced a number of other changes across digital health legislation and the Privacy Act 1988 (Privacy Act), including streamlining the personal information handling authorisations, and introducing additional civil and criminal penalties for privacy breaches. An independent evaluation of the trials commissioned by the Department of Health was conducted to look at the outcomes from these trials.
In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid–2018.
In 2016–17, the OAIC received 35 mandatory data breach notifications. These notifications recorded 140 separate breaches affecting a total of 152 healthcare recipients, 144 of whom had a My Health Record at the time of the breaches. Five of these notifications remain open at the end of the reporting period. The OAIC received two complaints regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a full program of digital health-related work, including:
- commencement of one privacy assessment and completion of two assessments from the previous year
- liaising with the Agency and the Department of Health on the decision for national expansion of My Health Record in 2018
- making submissions to various stakeholders on matters directly related to or associated with the My Health Record system. This included a submission to the Agency on the development of the National Digital Health Strategy
- providing advice to stakeholders, including the Agency, on privacy related matters relevant to the My Health Record system
- developing, revising and updating guidance materials for a range of audiences, including the development of My Health Record related multimedia resources for healthcare providers
- participation in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board
- monitoring developments in digital health, the My Health Record system and the HI Service.
----- End Extract.
Here is the link:
I am unable to reconcile the two bolded sentences and would be interested to know how they can be reconciled (channeling Rowena Orr QC of the Royal Commission). When is a breach not a breach etc?
Interestingly there were similar findings the previous year:
“In 2015–16, the OAIC received 16 mandatory data breach notifications. These notifications recorded 94 separate breaches affecting a total of 103 healthcare recipients, 98 of whom had a My Health Record at the time of the breaches.”
Here is the link:
I look forward to views on this repeated claim (of a breach free system) which must make us wonder what else we are told we can take as the full and precise truth?
David.