The OAIC has a role as compliance reviewer of the HI Service Operator. The OAIC is also responsible for investigating any potential misuses of Healthcare Identifiers by Commonwealth agencies, private sector organisations or individuals. The functions of the Commissioner in relation to the HI Service are defined in section 27A of the Privacy Act.
To date, two audits of the Service have been conducted. No privacy issues were identified in either audit. Only one formal complaint has been received by the OAIC in the period the Service has been operating; following investigation it was found that there had been no breach. In 2010/11 DHS received and resolved three complaints; on investigation, two were found to be queries and only one was a complaint, which was subsequently resolved. In 2011/12 one complaint was received and resolved.
It should be noted however that the usage of the HI Service over this period was very low. The number of complaints may rise as usage of the Service increases.
The nature of the audits conducted by the OAIC is anticipated to undergo a minor change as a result of the Privacy Act reforms, which propose the removal of section 27(1)(h) of the Privacy Act. The audit function is to be replaced by a similar role, undertaking privacy performance assessments.
Section 29(3) of the HI Act provides that: “For the purpose of paragraph 27(1)(h) of the Privacy Act (about audits), a healthcare identifier is taken to be personal information”. Following the proposed Privacy Act reforms (Privacy Amendment (Enhancing Privacy Protection) Act 2012), the OAIC’s audit powers under s 27(1)(h) will no longer exist. This authority will be replaced with the power under the new Act for the OAIC to do ‘privacy performance assessments’ on Australian Privacy Principle (APP) entities which will include agencies and organisations. This will require an amendment to section 29(3) of the HI Act.
Under the current Act the OAIC only has jurisdiction to audit agencies’ compliance against the Information Privacy Principles (IPPs). With the current definition of an agency in the Privacy Act this means that the OAIC cannot audit the handling of Healthcare Identifiers by private sector or State and Territory bodies. The OAIC believes that AHPRA currently falls outside their jurisdiction as it is a body established by State and Territory legislation and that they cannot audit AHPRA in relation to the assigning of HPI-Is. This creates a gap in their effectiveness as the regulator of the Service given that AHPRA is responsible for assigning the majority of Healthcare Provider Identifiers - Individual (HPI-Is).
An assessment of this situation was undertaken by Minter Ellison during this Review. They advise that section 6C(1) of the Privacy Act defines an 'organisation' to include a body corporate which is not a 'State or Territory authority'26. While section 23(1) of the National Law makes clear that AHPRA is a body corporate, AHPRA will be excluded from being an 'organisation' on account of its status as a 'State or Territory authority' because:
- A 'State or Territory authority' is defined under section 6(3) of the Privacy Act to include "a body established or appointed for a public purpose by or under a law of a State or Territory, other than an incorporated company, society or association..."; and
- It appears that AHPRA falls within the definition of a 'State or Territory authority' on the basis that AHPRA:
  - is established under subsection 23(1) of the National Law, which is a law of each State and Territory;
  - is established for a public purpose, being the establishment and administration of applications for registration as a health practitioner and other matters relating to the registration of registered health practitioners27; and
  - is not registered as a company and appears to be subject only to reporting and other requirements specified in the National Law,28 and not to the equivalent requirements contained in the Corporations Act 2001 (Cth).
The advice indicates that the Information Commissioner's privacy assessment power under subsection 33C(1) of the Amending Act applies only to APP entities. As AHPRA is neither an agency nor an organisation, it is not an APP entity for the purposes of the Privacy Act, and the Information Commissioner will be unable to exercise the assessment power in relation to AHPRA.
To allow AHPRA to be subject to audit/assessment by the Information Commissioner it is recommended that Part 4 of the HI Act be amended to include a provision that ensures that for the purpose of applying Parts IV and V of the Privacy Act in connection with a Healthcare Identifier, or an act or practice relating to a Healthcare Identifier, the National Registration Authority is to be treated as if it were an agency (within the meaning of the Privacy Act).
In treating a National Registration Authority (i.e. AHPRA) as an agency under the Privacy Act, the Information Commissioner would be able to exercise the audit power under subsection 27(1)(h) of the Privacy Act and after the commencement of the Amending Act, exercise the assessment power under subsection 33C(1) of the Privacy Act (as an agency falls within the ambit of an 'APP entity').
Recommendation 15 – Alignment of Healthcare Identifiers Act and Privacy Act reforms
It is recommended that section 29(3) of the HI Act be amended in line with the Privacy Act reforms.