A detailed Privacy Impact Assessment (PIA) into the My Health Record system was undertaken by Minter Ellison Lawyers and Salinger Privacy in 2011.
The assessment report made 112 recommendations.
Following consideration of the report by the Department of Health and Ageing:
- 77 recommendations were accepted or supported in full
- 26 recommendations were accepted in principle or in part
- eight recommendations were not accepted
- one recommendation was subject to further consideration.
Of the eight recommendations not accepted, the department would seek views of the Senate Community Affairs Committee on six where an implementation would be feasible. For the remaining two, the department considers that implementing these recommendations would not deliver their intended objectives.
Privacy Impact Assessment Report 2015 – Opt-Out Model
This PIA analyses the potential privacy risks and impacts of implementing an opt-out approach for participation in the My Health Record system at a national level, which was a recommendation from the Review of the Personally Controlled Electronic Health Record (PCEHR). The PIA was commissioned following the stakeholder consultations held between July and September 2014, and was intended to inform the consideration of options for the implementation of the opt-out recommendation.
In conducting this PIA, a range of assumptions were used to determine the possible flows of information as well as the processes for communication and opting out of the system. The report made recommendations for managing, minimising or eliminating negative impacts on the privacy of an individual’s personal information.
The PIA identified a number of key privacy risks relating to the Opt-Out model, including ensuring that:
- individuals are made aware of how their personal information will be handled and how to opt out or adjust privacy control settings so they can make informed decisions; and
- there is legislative authority for the use and disclosure of identifying information and healthcare identifiers.
The PIA made 46 recommendations that would be appropriate at a national level to address these key privacy risks, including:
- amendments to the Personally Controlled Electronic Health Records Act 2012 and Health Care Identifiers Act 2010;
- developing appropriate forms of communication to better inform and reach vulnerable and disadvantaged individuals;
- further consultation and publishing of the consultation and PIA reports to increase transparency about privacy risks and benefits of the Opt-Out participation model; and
- re-designing the labelling, layout and explanation of various privacy control settings so that they are clear, neutral, explicit and easy for individuals to understand.
Many of the findings in this PIA have been used in forming the approach to trialling participation arrangements, including opt-out as announced in the 2015-16 Federal Budget. The PIA has also been used to frame the proposed legislative amendments and planning for the trials.
You can find privacy fact sheets about My Health Record on the Office of the Australian Information Commissioner's website.