25 September 2012

Office of the Australian Information Commissioner
GPO Box 5218

SYDNEY NSW 2001

Dear Sir/Madam

Mandatory data breach notification in the eHealth record system

The Consumers Health Forum of Australia (CHF) welcomes the opportunity to provide a submission to the Office of the Australian Information Commissioner (OAIC) on the draft guide to mandatory data breach notifications under the Personally Controlled Electronic Health Record (PCEHR) system.

CHF is the national peak body representing the interests of Australian healthcare consumers. CHF works to achieve safe, quality, timely healthcare for all Australians, supported by accessible health information and systems.

CHF and its members have a strong interest in the PCEHR system, and have participated in numerous consultations during the development of the system, including in relation to the supporting legislation for the system. Consumers consulted by CHF have argued strongly that consumers should be informed of any data breach affecting their record, to ensure transparency in the system and so that consumers will be aware of how data breaches relating to their record are managed.

CHF welcomes the development of guidance to help entities meet their mandatory data breach notification reporting obligations, and to respond effectively to data breaches. On the whole, we are supportive of the contents of the draft guide. We particularly welcome guidance that:

  • the System Operator is the entity responsible for notifying affected consumers
  • entities must report all notifiable data breaches that they are involved in, regardless of their seriousness
  • entities must report notifiable data breaches as soon as practicable after becoming aware of the breach, but not at the expense of initial efforts to contain it
  • data breach reports to the OAIC should not include information that would identify the affected consumer(s)
  • the System Operator’s notification to consumers should be issued ‘in such a way that the consumer can be expected to receive it’, recognising that notifications should be issued by more than one method in some cases and should not be bundled with other materials.

CHF also welcomes the detailed outline of information that could be included in the System Operator’s notification of a breach to affected consumers. Important elements in this list include:

  • information about steps taken to contain the breach, any risk evaluation and actions taken (or proposed) to prevent recurrence
  • information about how the breach may impact the individual and what steps they can take to avoid or reduce the risk of harm or to further protect themselves
  • contact information for areas or personnel within the System Operator or the entity that reported the breach that can answer questions or provide further information, or to which the affected consumer can make a complaint.

CHF notes that the telephone number provided to report a data breach to the System Operator is 1800 723 471. This is the general number for public inquiries regarding the PCEHR system. CHF questions whether this is the most appropriate number for reporting data breaches. If this number is to be used, we strongly recommend that call centre staff receive specific training in how to respond to callers reporting a data breach, and that there be some method of prioritising calls regarding data breach notifications, particularly when call volumes are high.

CHF appreciates the opportunity to provide a submission to this consultation. If you would like to discuss these comments in more detail, please contact CHF Deputy Chief Executive Officer, [redacted].

Yours sincerely

signed

Carol Bennett

CHIEF EXECUTIVE OFFICER