e-Health Record System – OAIC Enforcement Guidelines

Comment by the Office of the Information Commissioner Queensland

General comment

The Queensland Office of the Information Commissioner (OIC) acknowledges the work of the Office of the Australian Information Commissioner (OAIC) in developing the framework for dealing with privacy issues arising out of the e-Health Record System.

OIC supports the general approach proposed in the Enforcement Guidelines (Guidelines), and considers them to be clear and informative. Some further specific comments and suggestions are set out below.

Interaction with state government entities and state privacy laws

OIC’s primary comment is that the Guidelines do not detail how the enforcement framework will work where state government entities are involved. It is acknowledged that the Guidelines are designed to outline how the OAIC will approach enforcement issues and not to detail the technicalities of a complaints referral scheme. However,users of the e-Health Record System along with state regulators may benefit from some further detail on how state government entities and referral of complaints from state regulators fit into the enforcement framework.

As an example, state government registered repository operators,may be the subject of a complaintabout an act or practice which is an alleged contravention of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act).

It seems that a state government registered repository operator would remain subject to any applicable state privacy laws (clause 4.9 of the Guidelines), and also be subject to the investigative and enforcement powers in thePrivacy Act 1988 (Privacy Act) and the PCEHR Act.

It is understood that where a complaint might be pursued in more than one jurisdiction, the preference of the consumer will influence how the complaint is dealt with. However, as it currently stands, a state government registered repository operator would be subject to civil penalty provisions in the PCEHR Act, and might also incur a penalty or be subject to a particular order in its own state jurisdiction.It is clear that there is a degree of flexibility and discretion on the part of the OAIC to accept complaints and utilise enforcement powers, and it may be that in practicecomplaints could rarely be pursued in multiple jurisdictions. However, this is not made entirely clear in the Guidelines.

Nor do the Guidelines address how disputes about jurisdiction will be resolved. It might be imagined that a state government entity would prefer to have a complaint against it be dealt with in a state jurisdiction where there are no civil penalty provisions, but a consumer may consider that a civil penalty is the appropriate remedy and wish it to be dealt with under the Privacy Act or the PCEHR Act.

In addition, the Guidelines set out that an avenue by which an alleged contravention may be brought to the attention of the Information Commissioner is referral from another regulator in certain circumstances. It is not yet clear how a referral from a state regulator, for example, will occur.

Further clarity on the application of the investigation and enforcement powers for state government agencies may also assist consumers with privacy concerns or complaints. It may allow consumers to better understand their options for making a complaint and what remedies may be available to them. It may reduce both thepropensity for consumers to be bounced between jurisdictions, and the time taken to resolve their issues.

OIC understands that the complaints handling and referral framework remains under development, and that OAIC is working with state regulators to finalise this work. However, OIC considers that further clarity around how the enforcement guidelines will affect state government participants in the e-Health Record System may be of benefit.