The Office of the Australian Information Commissioner (OAIC) is requesting feedback from the Australian public on its draft Enforcement Guidelines for the Personally Controlled Electronic Health Records System (PCEHR) Act.
To help Australians prepare comments, the OAIC has published a consultation paper (PDF) called eHealth record system OAIC Enforcement Guidelines on its website.
According to the draft Enforcement Guidelines, the OAIC has a range of enforcement powers following an investigation into alleged contraventions of the PCEHR Act, including the power to seek a civil penalty from the courts, the power to seek an injunction to prohibit or require particular conduct, and the power to accept enforceable undertakings.
“The OAIC also has a role in accepting data breach notifications from certain e-health records system participants,” read the Guidelines.
The OAIC’s intended approach to PCEHR Act enforcement activities includes:
- Complaints will generally be accepted under the Privacy Act and investigated using the investigative powers and processes contained in Part V of the Privacy Act. The OAIC will attempt to facilitate conciliated outcomes between the parties and, where appropriate, will pursue enforcement mechanisms available under either the PCEHR Act or the Privacy Act.
- OAIC own motion investigations will generally be conducted under the Privacy Act using the investigative powers and processes contained in Part V.
- The Commissioner retains a discretion to investigate conduct using the investigative power in section 73(4) of the PCEHR Act where the Commissioner considers it appropriate. In such cases, the Commissioner will adopt an investigative process which, wherever possible, mirrors the investigative process contained in Part V of the Privacy Act.
The Guidelines include two questions for Australians as part of the consultation.
“Do you agree with the Commissioner’s proposed approach to eHealth record system enforcement?”
“Do the OAIC’s draft Enforcement Guidelines set out the Commissioner’s proposed approach in a clear manner which is informative for PCEHR system participants? If not, how can they be improved?” read the Guidelines.
Comments on the draft Guidelines must be made by Tuesday, 18 September 2012.
Australians can have their say by email to firstname.lastname@example.org or by post to GPO Box 5218, Sydney NSW 2001.
Follow Hamish Barwick on Twitter: @HamishBarwick