Professor Bill Lane, Faculty of Law and Jodie Siganto, PhD Student

Submission to the Office of the Australian Information
Commissioner concerning the Draft “Guide to Mandatory Data
Breach Notification Under the Personally Controlled Electronic
Health Record Systems – September 2012”
Professor Bill Lane, Faculty of Law QUT
Jodie Siganto, PhD Student, Faculty of Law, QUT
25 September 2012
OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER
RESPONSE TO CONSULTATION PAPER: DRAFT “GUIDE TO MANDATORY DATA BREACH NOTIFICATION UNDER THE PERSONALLY CONTROLLED ELECTRONIC HEALTH RECORD SYSTEM”
SEPTEMBER 2012
Introduction and background
Thank you for the invitation to provide a submission in response to the Consultation Paper
issued by the Office of the Australian Information Commissioner (OAIC) seeking comments
on the OAIC’s draft guide: A Guide to Mandatory Data Breach Notification in the Personally
Controlled Electronic Health Record System (the draft Guide).
Our interest in providing this submission stems from the fact that the QUT School of Law has
considerable research strengths in the area of privacy and information security, as well as in
the area of health law, including the emerging world of e-health. Published research
arising from a completed Australian Research Council (ARC) Discovery Grant, DP0879015 “A
New Legal Framework for Identifying and Reporting Australian Data Breaches” (CIs
Professors Lane and von Nessen), examined the legal regimes in a number of jurisdictions
which establish mandatory reporting of data security breaches. As well as this, the recently
established QUT Health Law Research Centre (http://www.hlrc.qut.edu.au/) is engaged in a
number of significant research projects, including in relation to e-health information – see
e.g. ARC Discovery Grant Application DP130103253 “Digitised Healthcare in Australia:
Developing an Information Accountability Framework (IAF) to enable an electronic
Community of Care (eCoC)” (CIs Professor Lane and Dr Sahama).
Observations and Suggestions
The following points seek to accord with the "Stimulus Questions" in the Consultation
Paper:
Preliminary
To begin with, we strongly support the OAIC's initiative in publishing the guidelines.
The Personally Controlled Electronic Health Records Act 2012 (PCEHR) introduces a
significant new system for the collection, storage, use and sharing of personal health records which
seeks to bring major improvements in health care outcomes for all Australians.
At the same time, there are legitimate community concerns regarding the privacy and security of the
sensitive health data dealt with by the new system, and it is fundamental that all stakeholders in the
PCEHR system fully understand their roles and responsibilities. These concerns are recognised
in the PCEHR which, among other things, provides for the OAIC to engage in oversight and
regulatory functions under the PCEHR system.
Secondly and in that respect, the OAIC is to be commended on the content and form of the
guidelines. In our view, they make transparent the manner in which the OAIC generally
expects stakeholders to meet their compliance obligations. They provide invaluable
assistance for stakeholders developing best practice methods of ensuring compliance.
The guidelines also assist in understanding the relatively complex arrangements involving
State and Commonwealth bodies with different reporting responsibilities and the different
types of participants within the e-Health system.
Comments
Key Messages:
In our view, it would be beneficial to highlight in the “Key Messages” section the very
different nature of the PCEHR notification regime. This is because it is likely that a number
of relevant stakeholders will be reasonably familiar with the existing voluntary reporting
regime for ‘non-PCEHR data breaches’ relevant to the OAIC’s “Guide to Personal
Information Security Breaches (April 2012).” [1] On that basis, it would be useful to point out
two features:
(i) that s.75 of the PCEHR establishes a statutory obligation to report a notifiable data breach – something significantly different from the voluntary reporting regime for ‘non-PCEHR data breaches’ addressed in the OAIC’s “Guide to Personal Information Security Breaches (April 2012).” [2]
(ii) that the obligation established by s.75 of the PCEHR is cast in absolute terms, that is, it applies regardless of the severity or likely consequences of the breach (unlike the reporting expectation within the voluntary data breach notification regime, the “Guide to Personal Information Security Breaches”, where the notification threshold requirement is a “reasonable risk of serious harm” as a result of the data breach).
Notifiable data breaches:
It would be beneficial to amplify the listed examples of what could constitute a “notifiable data
breach” - as well as what could constitute an event “which has or may compromise the security
or integrity of the PCEHR system.”
[1] The Office of the Australian Information Commissioner, ‘Draft Voluntary Information Security Breach Notification Guide,’ April 2012, http://www.oaic.gov.au/publications/guidelines/privacy_guidance/data_breach_notification_guide_april2012.html#_Toc301281684
[2] The Office of the Australian Information Commissioner, ‘Draft Voluntary Information Security Breach Notification Guide,’ April 2012, http://www.oaic.gov.au/publications/guidelines/privacy_guidance/data_breach_notification_guide_april2012.html#_Toc301281684
This is because, generally speaking, the reference in the statute to an event “which has or may
compromise the security or integrity of the PCEHR system” effectively broadens the range of
incidents potentially capable of falling within the term, which may not have been envisaged or
considered relevant in previous guidance concerning data breach notification. (It is also worth
noting that s.75 of the PCEHR does not expressly refer to “unauthorised access” as a specific
type of notifiable breach; yet an “unauthorised access” would appear capable of being
embraced as an event “which has or may compromise the security or integrity of the PCEHR
system.”)
Similarly, some form of guidance on what is envisaged by the term “security … of the PCEHR
system” may be beneficial. Would it generally require that the entire or a substantial part of the
PCEHR system has been threatened – or would any breach of security be reportable (for
example, loss of an access card to the secure computer room)?
What to include in a notifiable data breach report:
Consideration could be given to a two stage process of reporting. This is because the low
threshold nature of the trigger activating the obligation to report (any event that is a notifiable
data breach) gives rise to the possibility of a substantial number of OAIC-lodged notifications, as
well as notifications by the SO to affected parties. Many notifications may thus relate to
breaches likely to have no or minimal consequences for the consumers whose data have been
affected. And this could obviously become a resource issue for the OAIC, given the need to
identify and prioritise more serious breaches. On that basis, a possible two-stage process could
specify:
• a shorter notice with more limited detail to be provided for breaches where it is obvious that there is no reasonable risk of a resultant unauthorised disclosure. Details in such a notice could be limited to a description of the incident, its impact and steps taken to contain and recover from the breach; and
• a more detailed notice requirement for the reporting of all other breaches.
It may also be appropriate to provide different contact details for breaches assessed as high risk
so they are immediately made known to the relevant resources within the OAIC and are also
able to be treated with a higher degree of confidentiality. The contact details included in the
Guide for the notification of breaches are the contact details available to the public on the OAIC
website for making enquiries and all other contact with the OAIC.
Responding to a notifiable data breach:
In the paragraph commencing “Additional resources” in the section headed “Responding to a
notifiable data breach”, consideration could be given to including references to the following
additional sources of information for private organisations:
• Accepted international standards such as ISO 27001: Information Security Management System Specification and ISO 27002: Information Security Management – Code of Practice, and those published by the National Institute of Standards and Technology such as:
  o NIST Special Publication 800-61 “Computer Security Incident Handling Guide”; and
  o NIST Special Publication 800-122 “Guide to Protecting the Confidentiality of Personally Identifiable Information”
• Industry standards such as the Payment Card Industry Security Standards Council “Payment Card Industry Data Security Standard” and the Australian Prudential Regulation Authority “Prudential Practice Guide 234: Management of Security Risk in Information and Information Technology”
• Professional group publications such as ISACA’s “COBIT: Framework for IT Governance and Control.”
Format
• It may be more useful to shorten the Key Terms section and move the majority of the terms included in the Key Terms section to the end of the document.
• Given the very different definition in the PCEHR of “notifiable breaches”, the inclusion of the definition of “data breach” in the Key Terms section could give rise to confusion.
• It would be useful to include a diagram showing how the PCEHR system works in terms of the uploading and sharing of information and the relationships between the different participants (including the SO, RPO and RRPs as well as consumers).
• Similarly, a diagram showing the reporting structure would also be of use, as the relationships between the different parties are complex. It could show, for example, the reporting relationship between the SO and the OAIC and State and Territory entities, as well as private organisations and Commonwealth entities.
• A numbering system for the different sections and sub-sections would assist in navigating around the document and identifying relevant parts.
• In the section headed “Regulation of notifiable data breach reporting” it could be useful to include references to the sections of the Act that give the Information Commissioner the powers referred to.
• It could be useful to include a standard form for reporting notifiable data breaches on the OAIC’s website, in the Contact section where other online forms are available.
Conclusion
As indicated at the outset, the Office of the Australian Information Commissioner is to be
commended on taking the initiative in preparing the Guide. In our view, it will provide useful
guidance for agencies and organisations and play an important role in management of
privacy and security concerns regarding the new e-Health system.