Here is the Executive Summary:
Annual report of the Australian Information Commissioner’s activities in relation to digital health 2021–22
Executive summary
This annual report sets out the Australian Information Commissioner’s (Information Commissioner) digital health compliance and enforcement activity during 2021–22, in accordance with s 106 of the My Health Records Act 2012 and s 30 of the Healthcare Identifiers Act 2010 (HI Act).
The report provides information about digital health activities led by the Office of the Australian Information Commissioner (OAIC), including our assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice and liaison with key stakeholders.
This was the 10th year of operation of the My Health Record system and the 12th year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.
The management of personal information is at the core of both the My Health Record system and the HI Service (which are collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those privacy provisions.
The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get and share their My Health Record. In 2017, the Australian Government announced the creation of a My Health Record for every Australian. Following an opt-out period that ended on 31 January 2019, a My Health Record was created for everyone who had not opted out of the system.
In 2021–22, the OAIC received 14 privacy complaints relating to the My Health Record system with 10 remaining open at the end of the reporting period. We finalised 5 My Health Record system complaints, including 1 complaint from previous reporting periods.
We received 11 privacy complaints relating to the HI Service in 2021–22. We finalised 1 of those complaints received in 2021–22. There were no HI Service complaints from the previous reporting period.
Over the reporting period, there was a marked increase in the OAIC’s policy work in relation to the HI Service as well as an increase in complaints and enquiries about healthcare identifiers. This increase is primarily attributed to the inclusion of healthcare identifiers on COVID-19 vaccine certificates and the subsequent increased collection and overall visibility of healthcare identifiers. To help ensure compliance with the HI Act and encourage best privacy practice in relation to the handling of healthcare identifiers, the OAIC published privacy guidance to assist entities and individuals that collect a person’s COVID-19 digital vaccination certificate which contains an Individual Healthcare Identifier (IHI).
We received 3 data breach notifications during the reporting period in relation to the My Health Record system and closed 3 notifications.
We also carried out other digital health-related work including:
- commencing one privacy assessment and progressing another assessment commenced in the previous reporting period
- providing advice to stakeholders, including the Australian Digital Health Agency (ADHA), Services Australia and the Department of Health and Aged Care, on privacy-related matters relevant to the My Health Record system and HI Service
- developing and promoting guidance materials, including publishing new resources about IHIs and developing and conducting consultation on guidance and a new template for healthcare providers to help them comply with security and access policy requirements under the My Health Records Rule 2016
- presenting a webinar to healthcare providers on the OAIC’s Privacy and My Health Record assessments and providing panel members for a Q&A session, and
- monitoring developments in digital health, the My Health Record system and the HI Service.
For the full report please Download the print version.
End Exec. Summary.
The report runs to just 16 pages, with a generous spread of white space and pictures, so the document is hardly content rich.
Disappointingly, the report says what it did but not much about outcomes. An example is that it reviewed 300 GP practices for #myHR security but, as far as I could see, did not say what the outcome was!
The report focussed on the #myHR and the HI Service and hardly looked at the health sector in general, which, as the last few weeks have revealed, is a rather ‘head in the sand’ approach, given the breaches at Medibank and Australian Clinical Labs in the last 2-3 weeks.
It is clear the regulatory scope needs to be rapidly reviewed, and funding provided for a much expanded role, given the experience of the last month.
It seems clear action is on the way – see here:
Fast track for data shield
6:45PM October 25, 2022
Labor will expedite its watershed data and privacy laws as an emergency response to the Medibank data breach, after Australia’s largest private health insurance company revealed that the personal health records of four million current and all its former customers may have been stolen.
Attorney-General Mark Dreyfus is seeking to legislate significantly increased penalties for “serious or repeated” data breaches and to give the Information Commissioner sweeping powers amid concern that current laws are “hopelessly outdated”.
The Australian understands the government on Tuesday was moving to fast-track its privacy laws into the lower house as early as Wednesday morning in response to Medibank’s “distressing development” that its cyber attack affecting consumer data was much wider than originally thought.
A fortnight after a major telecommunications data breach at Optus, the insurance provider was forced to defer its premium increases following the cybercrime event, which included theft of data from its Medibank brand.
Previously, the company believed only data from its sub-brand ahm and insurance for international students had been taken. The deferments could cost the company more than $50m.
Medibank chief executive David Koczkar said the company was operating under the possibility that all four million of its customers – as well as millions of former consumers – could have been affected by the breach.
Medibank does not know how many former customers’ records have been kept but is required by law to retain the health information of adults for at least seven years, and children’s details until they reach the age of 25.
“We are dealing with a very serious criminal act and we are now operating with the knowledge that there is data that has been stolen which includes customer data from Medibank,” Mr Koczkar told The Australian.
“To me, there is no doubt this attack has been very deliberate, and done to cause maximum fear and damage to our vulnerable members of our community.
Lots more here:
It is also clear that whatever is done must be well considered and must actually work!
Why higher penalties for privacy breaches aren’t enough
While raising fines for data breaches will grab the headlines, companies simply don’t know enough about their data handling practices to keep customer information safe.
Michael Swinson and Kirsten Bowe
Updated Oct 24, 2022 – 10.53am, first published at 12.00am
In the wake of the Optus and Medibank data breaches, a loud chorus has called for an overhaul of Australian privacy laws and for higher penalties to be introduced. The more important discussion should be on compliance.
The focus on penalties is hardly surprising. Successive governments have for several years now been promising to increase fines for breaches of the Privacy Act. Indeed, this week the Albanese government will introduce legislation to increase the maximum penalty for serious or repeated breaches of privacy laws from $2.2 million to the greater of $50 million; three times any benefit obtained from the misuse of data; or 30 per cent of adjusted revenue in the relevant period.
However, what is less often discussed is that the regulator, the Office of the Australian Information Commissioner (OAIC), has hardly ever sought to enforce the existing penalties already available under the Act.
What’s more, while many aspects of the Act could certainly be modernised and improved, it already contains requirements that in theory address the primary concerns raised by the Optus data breach. These include requirements for organisations to only collect personal information that they reasonably need, to take reasonable steps to keep the information they do hold secure, and to delete or de-identify that information when it is no longer needed.
Increasing maximum penalties will no doubt focus the attention of executive teams and their boards, but will not of itself deliver better outcomes for Australians who are concerned about the management of their personal information. The real focus needs to be on the far more boring topic of compliance.
Our experience suggests that the problem isn’t that organisations are being blasé about existing penalties, but rather that they simply don’t know enough about their data handling practices to be able to design and implement appropriate compliance processes.
More here:
https://www.afr.com/technology/why-higher-penalties-for-privacy-breaches-won-t-work-20221023-p5bs5c
It is important to get the scope and depth of action right given the sensitivity of all this data!
We have all had a wake up call and we need to act! Times have changed and the risks have risen. Time for the Privacy Commissioner to step up!
David.
9 comments:
One simple rule would do a lot to reduce the risks.
Only keep the data you need for your current operations in operational systems. Historical data can be retained but only accessible via mechanisms not connected to operational systems.
This means that MyHR, which is not required for Federal Government operations, should be decommissioned. ADHA can keep its non-health data (e.g. Health Identifiers etc) but no patient data at all.
But, of course that's too sensible.
As a report it did fall flat. Still a result of previous management, I am sure the Albo and Penny show will breathe life into what governments are actually for - protecting their people and their sovereignty. So much could be achieved for so little if privacy was practically protected.
> Only keep the data you need for your current operations in operational systems
Are you familiar with any operational information systems that actually work this way?
Probably similar levels as for systems you can actually opt out of and the information magically vaporises.
On a serious note, it is difficult: digital information is hard to purge, with so many copies and so poorly labelled. The challenge is that those who understand it rarely have the ability to translate the problem into a language that boards and senior execs understand.
> Are you familiar with any operational information systems that actually work this way?
Is that an attempt to dismiss the requirement because it does not have implemented examples? Processes to manage ROT are not theories.
Laziness, plain and simple. The governments to date have been asleep at the wheel; corporate boards and CEOs don't give a damn about their customers' data. The best system in the world is not going to make a difference when those pulling the strings are indifferent.
It's more incompetence. Bureaucrats, managers, techos and journalists - all out of their depth but keen to push their narrow minded ideas.
@2:52 PM Sooo, if all those you have nominated are all out of their depth then given that some of them are in charge and the others are advising them it seems reasonable to conclude there is no hope of ever making progress unless .........
@12:53PM "there is no hope of ever making progress unless ......... " they stop trying to do something they have repeatedly failed at. Those whose role is to set national health funding and healthcare policy are the wrong people to regulate privacy.
There are others in government who actually understand security and privacy - leave it up to them.