Tim Kelsey Keeps On Repeating An Apparent Fib? I Wonder Why?

July 18, 2018
This is a re-print of a late May 2018 blog.

He keeps saying there have been no security breaches when the OAIC says there have been. Who do you believe?

-----

Is Tim Kelsey Telling An Untruth Here Or Am I Missing Something?

At the National Press Club last week Mr. Kelsey said the following in his prepared speech:
----- Begin Extract.
Tim Kelsey: My Health Record has a range of protocols which mean that all instances of access by a clinician are attributable directly to that person and recorded in real time. Unauthorised access is subject to a custodial prison sentence of up to two years. Trust is the essence of medicine. Digital services can support confidentiality and not undermine it. My Health Record operates to the highest cyber security standards in Australia, and is independently audited on that basis by a number of organisations, including the Australian Signals Directorate. The agency has set up a national cyber security centre to ensure constant multi-layered surveillance of My Health Record. Since the system was launched in 2012, there has been no breach. But, real time vigilance, of course, remains our highest priority. People are quite rightly concerned about the security of their privacy information, and that's why they have a right to make a choice. That's why the Australian government was absolutely right to introduce opt-out into this measure.
----- End Extract.
Here we have the Office of The Australian Information Commissioner (OAIC) Report for 2016-17.

Annual report of the Australian Information Commissioner’s activities in relation to digital health 2016–17

Part 1: Executive summary

From 1 July 2016, national digital health governance arrangements and My Health Record system operations transitioned from the Department of Health and the National E-Health Transition Authority to a new body, the Australian Digital Health Agency (the Agency).
This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2016–17, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (Cth) (HI Act), as outlined in the 2016–17 memorandum of understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Agency.
The report also provides information about the OAIC’s other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.
More information about the MOU is provided below in section 2 of this report. The MOU can also be accessed on the OAIC’s website www.oaic.gov.au.
This was the fifth year of operation of the My Health Record system and the seventh year of the Healthcare Identifiers (HI) Service, a critical enabler for the My Health Record system and digital health generally.
The management of personal information is at the core of both the My Health Record system and the HI Service (collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the My Health Record system and the HI Service.
The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get their My Health Record. In March 2016, the Australian Government commenced a trial of opt-out system participation in Far North Queensland and in the Nepean Blue Mountains region of New South Wales. A My Health Record was created for each individual living in those areas, unless the individual chose to opt-out of participating in the trial.
Changes to the My Health Records Act introduced by the Health Legislation Amendment (eHealth) Act 2015 enabled the trial to be undertaken. That amendment Act also introduced a number of other changes across digital health legislation and the Privacy Act 1988 (Privacy Act), including streamlining the personal information handling authorisations, and introducing additional civil and criminal penalties for privacy breaches. An independent evaluation of the trials commissioned by the Department of Health was conducted to look at the outcomes from these trials.
In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid–2018.
In 2016–17, the OAIC received 35 mandatory data breach notifications. These notifications recorded 140 separate breaches affecting a total of 152 healthcare recipients, 144 of whom had a My Health Record at the time of the breaches. Five of these notifications remain open at the end of the reporting period. The OAIC received two complaints regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a full program of digital health-related work, including:
  • commencement of one privacy assessment and completion of two assessments from the previous year
  • liaising with the Agency and the Department of Health on the decision for national expansion of My Health Record in 2018
  • making submissions to various stakeholders on matters directly related to or associated with the My Health Record system. This included a submission to the Agency on the development of the National Digital Health Strategy
  • providing advice to stakeholders, including the Agency, on privacy related matters relevant to the My Health Record system
  • developing, revising and updating guidance materials for a range of audiences, including the development of My Health Record related multimedia resources for healthcare providers
  • participation in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board
  • monitoring developments in digital health, the My Health Record system and the HI Service.
----- End Extract.
Here is the link:
I am unable to reconcile the two bolded sentences and would be interested to know how they can be reconciled (channeling Rowena Orr QC of the Royal Commission). When is a breach not a breach etc?
Interestingly there were similar findings the previous year:
“In 2015–16, the OAIC received 16 mandatory data breach notifications. These notifications recorded 94 separate breaches affecting a total of 103 healthcare recipients, 98 of whom had a My Health Record at the time of the breaches.”
Here is the link:
I look forward to views on this repeated claim (of a breach-free system), which must make us wonder what else we are told we can take as the full and precise truth?
David.
