A policy paper from the Australian Privacy Foundation (APF) submitted this week to the Office of the Australian Information Commissioner (OAIC)
The Australian Privacy Foundation (APF) is the country’s leading privacy advocacy organisation. I write as Chair of the Health Sub Committee of the APF and refer to the eHealth record system OAIC Enforcement Guidelines consultation paper, August 2012. The APF welcomes this opportunity to influence the important eHealth record system Office of the Australian Information Commissioner (OAIC) Enforcement Guidelines instrument.
The eHealth record system OAIC Enforcement Guidelines instrument can provide a useful way to support community confidence in the Personally Controlled Electronic Health Record (PCEHR) system. It outlines several sensible and appropriate matters for OAIC intervention. However, the instrument is fatally flawed as currently drafted. It proposes a set of guidelines, not regulations, allowing the OAIC, headed by the Privacy Commissioner/Information Commissioner (IC), to decide whether to:
- follow up complaints about a breach or not
- publish information about proven breaches, and
- decide the nature of compensation to affected people suffering a proven breach
The instrument provides no direction or accountability for the OAIC in regard to a PCEHR system enforcement function. There is scope for the IC to choose not to act on proven breaches in the guidelines and not to publish information about said breaches. The IC can also decide the nature of appropriate restitution, if any at all, without “hearing” the complainant.
Read more of APF’s submission on their site.