A detailed Privacy Impact Assessment (PIA) into the My Health Record system was undertaken by Minter Ellison Lawyers and Salinger Privacy in 2011.
The assessment report made 112 recommendations.
Following consideration of the report by the Department of Health and Ageing:
- 77 recommendations were accepted or supported in full
- 26 recommendations were accepted in principle or in part
- eight recommendations were not accepted
- one recommendation was subject to further consideration.
Of the eight recommendations not accepted, the department would seek views of the Senate Community Affairs Committee on six where implementation would be feasible. For the remaining two, the department considers that implementing these recommendations would not deliver their intended objectives.
Privacy Impact Assessment Report 2015 – Opt-Out Model
This PIA analyses the potential privacy risks and impacts of implementing an opt-out approach for participation in the My Health Record system at a national level, which was a recommendation from the Review of the Personally Controlled Electronic Health Record (PCEHR). The PIA was commissioned following the stakeholder consultations held between July and September 2014, and was intended to inform the consideration of options for the implementation of the opt-out recommendation.
In conducting this PIA, a range of assumptions were used to determine the possible flows of information as well as the processes for communication and opting out of the system. The report made recommendations for managing, minimising or eliminating negative impacts on the privacy of an individual’s personal information.
The PIA identified a number of key privacy risks relating to the Opt-Out model, including ensuring that:
- individuals are made aware of how their personal information will be handled and how to opt out or adjust privacy control settings so they can make informed decisions; and
- there is legislative authority for the use and disclosure of identifying information and healthcare identifiers.
The PIA made 46 recommendations that would be appropriate at a national level to address these key privacy risks, including:
- amendments to the Personally Controlled Electronic Health Records Act 2012 and Health Care Identifiers Act 2010;
- developing appropriate forms of communication to better inform and reach vulnerable and disadvantaged individuals;
- further consultation and publishing of the consultation and PIA reports to increase transparency about privacy risks and benefits of the Opt-Out participation model; and
- re-designing the labelling, layout and explanation of various privacy control settings so that they are clear, neutral, explicit and easy for individuals to understand.
Many of the findings in this PIA have been used in forming the approach to trialling participation arrangements, including opt-out as announced in the 2015-16 Federal Budget. It has also been used to frame the proposed legislative amendments and planning for the trials.
Privacy Impact Assessment Report 2017 – National Opt-Out Model Implementation
Following the government’s decision to expand the My Health Record system to opt out, in July 2017 the Agency commissioned an additional PIA – the My Health Record National Opt-Out Model Implementation (NOO PIA).
The NOO PIA assessed the proposed processes to implement the national opt-out model and analysed changes in the method and approach between the trials and the national rollout. The NOO PIA built on the previous PIAs and focused on material changes made to the approaches considered in two other Privacy Impact Assessments commissioned by the Department of Health.
In December 2017 the Agency published an initial response to the 11 recommendations made in the NOO PIA on our website. The Agency’s initial response outlined what actions had already been taken, or would occur during the My Health Record Expansion Program, to respond to the recommendations. Over the course of 2018, the Agency addressed the remainder of the recommendations and implemented these in the system before records were created. In February 2019, management completed an internal review of our response to the recommendations. This review confirmed that each of the 11 recommendations had been actioned and closed by the Agency as part of implementing the national opt-out model.
You can find privacy fact sheets on My Health Record on the Office of the Australian Information Commissioner's website.