The Privacy Commission Has Released Its 2021-22 Report On Digital Health Privacy.

Here is the Executive Summary:

Annual report of the Australian Information Commissioner’s activities in relation to digital health 2021–22

Executive summary

This annual report sets out the Australian Information Commissioner’s (Information Commissioner) digital health compliance and enforcement activity during 2021–22, in accordance with s 106 of the My Health Records Act 2012 and s 30 of the Healthcare Identifiers Act 2010 (HI Act).

The report provides information about digital health activities led by the Office of the Australian Information Commissioner (OAIC), including our assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice and liaison with key stakeholders.

This was the 10th year of operation of the My Health Record system and the 12th year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (which are collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those privacy provisions.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get and share their My Health Record. In 2017, the Australian Government announced the creation of a My Health Record for every Australian. Following an opt-out period that ended on 31 January 2019, a My Health Record was created for everyone who had not opted out of the system.

In 2021–22, the OAIC received 14 privacy complaints relating to the My Health Record system with 10 remaining open at the end of the reporting period. We finalised 5 My Health Record system complaints, including 1 complaint from previous reporting periods.

We received 11 privacy complaints relating to the HI Service in 2021–22. We finalised 1 of those complaints received in 2021–22. There were no HI Service complaints from the previous reporting period.

Over the reporting period, there was a marked increase in the OAIC’s policy work in relation to the HI Service as well as an increase in complaints and enquiries about healthcare identifiers. This increase is primarily attributed to the inclusion of healthcare identifiers on COVID-19 vaccine certificates and the subsequent increased collection and overall visibility of healthcare identifiers. To help ensure compliance with the HI Act and encourage best privacy practice in relation to the handling of healthcare identifiers, the OAIC published privacy guidance to assist entities and individuals that collect a person’s COVID-19 digital vaccination certificate which contains an Individual Healthcare Identifier (IHI).

We received 3 data breach notifications during the reporting period in relation to the My Health Record system and closed 3 notifications.

We also carried out other digital health-related work including:

•  commencing one privacy assessment and progressing another assessment commenced in the previous reporting period
• providing advice to stakeholders, including the Australian Digital Health Agency (ADHA), Services Australia and the Department of Health and Aged Care, on privacy-related matters relevant to the My Health Record system and HI Service
• developing and promoting guidance materials, including publishing new resources about IHIs and developing and conducting consultation on guidance and a new template for healthcare providers to help them comply with security and access policy requirements under the My Health Records Rule 2016
• presenting a webinar to healthcare providers on the OAIC’s Privacy and My Health Record assessments and providing panel members for a Q&A session, and
•  monitoring developments in digital health, the My Health Record system and the HI Service.

For the full report please Download the print version.

End Exec. Summary.

The report is all of 16 pages and has a rich spread of white space and pictures so the document is hardly content rich.

Disappointingly the report says the things is did but not much about outcomes. An example is that is reviewed 300 GP practices for #myHR security but did not say what the outcome that I could see!

The report focussed on the #myHR and the HI Service and hardly looked at the Health Sector in general which as the last few weeks have revealed was a rather ‘head in the sand’ approach – with breaches of Medibank and Australian Clinical Labs in the last 2-3 weeks.

It is clear the regulatory scope needs to be rapidly reviewed and funding provided to a much expanded role – given the experience of the last month.

It seems clear action is on the way – see here:

Fast track for data shield

Jess Malcolm

6:45PM October 25, 2022

Labor will expedite its watershed data and privacy laws as an emergency response to the Medibank data breach, after Australia’s largest private health insurance company revealed that the personal health records of four million current and all its former customers may have been stolen.

Attorney-General Mark Dreyfus is seeking to legislate significantly increased penalties for “serious or repeated” data breaches and to give the Information Commissioner sweeping powers amid concern that current laws are “hopelessly outdated”.

The Australian understands the government on Tuesday was moving to fast-track its privacy laws into the lower house as early as Wednesday morning in response to Medibank’s “distressing development” that its cyber ­attack affecting consumer data was much wider than originally thought.

A fortnight after a major telecommunications data breach at Optus, the insurance provider was forced to defer its premium increases following the cybercrime event, which included theft of data from its Medibank brand.

Previously, the company believed only data from its sub-brand ahm and insurance for international students had been taken. The deferments could cost the company more than $50m.

Medibank chief executive David Koczkar said the company was operating under the possibility that all four million of its customers – as well as millions of former consumers – could have been affected by the breach.

morning in response to Medibank’s ‘distressing development’ that its cyber ­attack affecting consumer data was much wider than originally thought. Picture: Paul Jeffers

Medibank does not know how many former customers’ records have been kept but is required by law to retain the health information of adults for at least seven years, and children’s details until they reach the age of 25.

“We are dealing with a very ­serious criminal act and we are now operating with the knowledge that there is data that has been stolen which includes customer data from Medibank,” Mr Koczkar told The Australian.

“To me, there is no doubt this attack has been very deliberate, and done to cause maximum fear and damage to our vulnerable members of our community.

 Lots more here:

https://www.theaustralian.com.au/nation/fast-track-for-data-shield/news-story/2a32df8a42d63d23dbde4c839668f75c

It is also clear that whatever is done is well considered and actually works!

Why higher penalties for privacy breaches aren’t enough

While raising fines for data breaches will grab the headlines, companies simply don’t know enough about their data handling practices to keep customer information safe.

Michael Swinson and Kirsten Bowe

Updated Oct 24, 2022 – 10.53am, first published at 12.00am

In the wake of the Optus and Medibank data breaches, a loud chorus has called for an overhaul of Australian privacy laws and for higher penalties to be introduced. The more important discussion should be on compliance.

The focus on penalties is hardly surprising. Successive governments have for several years now been promising to increase fines for breaches of the Privacy Act. Indeed, this week the Albanese government will introduce legislation to increase the maximum penalty for serious or repeated breaches of privacy laws from $2.2 million to the greater of $50 million; three times any benefit obtained from the misuse of data; or 30 per cent of adjusted revenue in the relevant period.

However, what is less often discussed is that the regulator, the Office of the Australian Information Commissioner (OAIC), has hardly ever sought to enforce the existing penalties already available under the Act.

What’s more, while many aspects of the Act could certainly be modernised and improved, it already contains requirements that in theory address the primary concerns raised by the Optus data breach. These include requirements for organisations to only collect personal information that they reasonably need, to take reasonable steps to keep the information they do hold secure, and to delete or de-identify that information when it is no longer needed.

Increasing maximum penalties will no doubt focus the attention of executive teams and their boards, but will not of itself deliver better outcomes for Australians who are concerned about the management of their personal information. The real focus needs to be on the far more boring topic of compliance.

Our experience suggests that the problem isn’t that organisations are being blasé about existing penalties, but rather that they simply don’t know enough about their data handling practices to be able to design and implement appropriate compliance processes.

More here:

https://www.afr.com/technology/why-higher-penalties-for-privacy-breaches-won-t-work-20221023-p5bs5c

It is important to get the scope and depth of action right given the sensitivity of all this data!

We have all had a wake up call and we need to act! Times have changed and the risks have risen. Time for the Privacy Commission to step up!

David.