Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, November 04, 2020

The Office Of The Australian Information Commissioner Has Had A Busy Week Or Two.

For a quick review of what they do – here is the homepage link:

https://www.oaic.gov.au/

In terms of what is going on we had 2 interesting reports.

First this:

Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance

The Attorney-General's Department will look at carve-outs, harmonisation with states and other nations, and a right to erase for Australians.

By Chris Duckett | October 30, 2020 -- 06:19 GMT (17:19 AEDT) | Topic: Security

Australia's Attorney-General Christian Porter announced on Friday the terms of reference and issues paper that his department will use as a basis for its review of the Privacy Act.

The wide-ranging review will consider the definition of personal information; whether existing exemptions for small businesses, political parties, and the storing of employee records to comply with the Act should remain; whether individuals should gain the power to drag privacy violators to court; and whether a privacy tort should be created.

The review was agreed to as part of the Commonwealth's response to the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry.

In posing 67 questions for submissions to respond to, the Attorney-General's Department (AGD) has asked whether the definition of personal information should be extended to inferred personal information as well as whether additional protections should be extended to de-identified, anonymised, and pseudonymised information.

Of particular interest in the paper was the failure of Australian privacy laws to be compatible with those in Europe, especially the General Data Protection Regulation (GDPR), with exemptions created in the Australian law two decades ago being a roadblock.

"The [Australian Law Reform Commission (ALRC)] noted that no other comparable jurisdiction (the United Kingdom, New Zealand, Canada, and the European Union) exempts small businesses from the general privacy law," the paper said.

"The Senate Committee inquiry further recommended the removal of the exemption given the privacy regimes in overseas jurisdictions have operated effectively without a small business exemption and that the existence of the exemption was one of the key outstanding issues preventing Australia from seeking adequacy with the EU.

"[The ALRC] also noted that the United Kingdom does not exempt employee records and that removing the exemption may facilitate recognition of the adequacy of Australian privacy law by the EU."

On the flip side, the paper pointed out that only UK and Germany were in Australia's top 15 two-way trading partners while other economies around the Asia-Pacific made up 72% of trade. The EU only accounted for 13.5%.

"As less trade is undertaken with the EU than within the APEC region, the government's recent priority has been to ensure adequate privacy protections within and between APEC economies," the AGD said.

"Requiring businesses to comply with different information handling requirements under the Act, [Cross-Border Privacy Rules] and GDPR could result in a regulatory landscape that is overly complex. On the other hand, compliance with the GDPR may give businesses a competitive advantage in engendering consumer trust."

Currently in Australia, if a business has revenue under AU$3 million, it is exempt from the Act, and the paper wrestled with the idea of whether a threshold should remain, and if so, what should it be since businesses under that threshold could handle sensitive personal information yet maintaining the threshold could increase compliance costs for those businesses.

Lots more here:

https://www.zdnet.com/article/privacy-act-review-to-examine-privacy-tort-direct-action-rights-and-gdpr-compliance/

And as a bit of counterpoint we had this:

Privacy office faces ‘remarkable’ drop in funding

Denham Sadler
Senior Reporter

26 October 2020

The federal opposition has questioned a “remarkable” drop in support for the national privacy office in the coming years, with the organisation left waiting on whether government funding will be renewed or if it will face a near-50 per cent cut in resourcing.

The Office of the Australian Information Commissioner (OAIC) was provided $23.565 million in 2020-21 in this month’s federal budget, a slight decrease from the previous year.

There are concerns among privacy and civil rights advocates that the office is “severely underfunded”, despite an increased workload and an increasingly prominent role.

But the OAIC is also facing a potentially significant funding cut in the forward estimates. The budget outlined a small drop to $21.108 million in funding for the 2021-22 financial year, but a significant drop to $13.361 million the following year. This is set to remain stable in 2023-24 at $13.564 million.

This drop in funding is due to the $25.1 million over three years provided to the OAIC in the 2019 budget for privacy complaints coming to an end.

At a Senate Estimates hearing on Thursday, Australian Information Commissioner Angelene Falk confirmed the office is yet to get a funding guarantee for this going forward, but this may be a part of a review of the Privacy Act that is slated to take place soon.

“It will be a matter I continue to work through with the government. As part of that we will be looking at the legislative framework and also my functions and powers in relation to the Privacy Act resourcing that’s required to deliver on any reforms that will be part of the discussions. That needs to occur at that time,” Ms Falk told the Senators.

“That will have a significant impact on the functions of the agency and accordingly I will be in discussions with government well ahead of that time with efforts to ensure that the increased funding received in recent years is continued,” she said.

“There’s a review of the Privacy Act which is imminent and I think this is an opportunity to think about the type of regulator that’s needed in the digital age.”

Another aspect of the apparent funding drop is an OAIC Memorandum of Understanding with the Australian Digital Health Agency for its function overseeing the My Health Record scheme, worth more than $2 million, which is renewed yearly.

Currently, the OAIC will experience a significant funding cut in the 2022-23 financial year unless it is provided further cash.

More here:

https://www.innovationaus.com/privacy-office-faces-remarkable-drop-in-funding/

Interesting that a pretty complex review is underway while the threat of funding cut(s) seems to be very much on the table.

Closer to home we had this appear:

Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2019–20

Publication date: 2020 (Signed 24 Sept 2020)

Part 1: Executive Summary

This report provides information about the OAIC’s digital health activities, including its assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice, and liaison with key stakeholders.

This was the eighth year of operation of the My Health Record system and the tenth year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (which are collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those privacy provisions.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get and share their My Health Record. In 2017, the Australian Government announced the creation of a My Health Record for every Australian. Following an opt-out period that ended on 31 January 2019, a My Health Record was created for every Australian who had not opted out of the system.

In 2019–20, the OAIC received 10 privacy complaints relating to the My Health Record system with 1 remaining open at the end of the reporting period. We also finalised 19 complaints from the previous reporting period.

Three privacy complaints were received relating to the HI Service in 2019–20 with 1 remaining open at the end of the reporting period.

Six Commissioner-initiated investigations were opened during the reporting period, 5 of which were finalised with 1 remaining open at the end of the period.

The OAIC received 1 data breach notification in relation to the My Health Record system during 2019–20. This matter was closed at the end of the reporting period.

We also carried out digital health-related work including:

  • commencing 1 privacy assessment, closing 4 privacy assessments and progressing 1 assessment from the reporting period
  • providing advice to stakeholders, including the ADHA and the Department of Health, on privacy-related matters relevant to the My Health Record system
  • updating and promoting guidance materials including the OAIC’s Guide to health privacy
  • monitoring developments in digital health, the My Health Record system and the HI Service.

The much fuller report follows and is found here:

https://www.oaic.gov.au/about-us/our-corporate-information/annual-reports/digital-health-annual-reports/annual-report-of-the-australian-information-commissioners-activities-in-relation-to-digital-health-2019-20/

An interesting item a little further down is that the OAIC receives about $2 Million from the ADHA for regulating privacy of the HI service and the #myHealthRecord.

Overall I find this report rather frustrating as it says there are complaints and issues but does not explain what they are! A bit useless in some aspects I reckon!

As always with an Agency like this there is always some concern about one Agency regulating another – especially when being paid to do it. I am not sure that actually passes the ‘pub test’?

The Privacy Act review looks pretty huge but just how much is about privacy and how much is about commerce is rather an open question. I think I would prefer more person and less commerce in the balance.

David.
