Commonwealth Coat of Arms of Australia

My Health Records Amendment (Strengthening Privacy) Act 2018

No. 154, 2018

An Act to amend the My Health Records Act 2012, and for related purposes

Contents

1 Short title

2 Commencement

3 Schedules

Schedule 1—Amendments

My Health Records Act 2012

My Health Records (National Application) Rules 2017

Schedule 2—Amendments commencing on Proclamation

My Health Records Act 2012

My Health Records Amendment (Strengthening Privacy) Act 2018

No. 154, 2018

An Act to amend the My Health Records Act 2012, and for related purposes

[Assented to 10 December 2018]

The Parliament of Australia enacts:

1  Short title

  This Act is the My Health Records Amendment (Strengthening Privacy) Act 2018.

2  Commencement

 (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

Column 1: Provisions
Column 2: Commencement
Column 3: Date/Details

1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table
   Commencement: The day this Act receives the Royal Assent.
   Date/Details: 10 December 2018

2. Schedule 1
   Commencement: The day after this Act receives the Royal Assent.
   Date/Details: 11 December 2018

3. Schedule 2
   Commencement: A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 12 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period.
   Date/Details: 10 December 2019

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

 (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3  Schedules

  Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Note: The provisions of the My Health Records (National Application) Rules 2017 amended or inserted by this Act, and any other provisions of those rules, may be amended or repealed by rules made under section 109 of the My Health Records Act 2012 (see subsection 13(5) of the Legislation Act 2003).

Schedule 1—Amendments

My Health Records Act 2012

1AA  Section 3

After “national”, insert “public”.

1AB  Section 4

After “system is a”, insert “national public”.

1  Section 5 (definition of enforcement body)

Repeal the definition.

1A  Section 5

Insert:

prohibited purpose has the meaning given by section 70A.

1BA  Subsection 6(1) (heading)

Omit “18”, substitute “14”.

1BB  Subsection 6(1)

Omit “18”, substitute “14”.

1B  After subsection 6(1)

Insert:

 (1A) Despite subsection (1), a person who has parental responsibility for a healthcare recipient aged under 18 is not the authorised representative of the healthcare recipient if the System Operator is satisfied that:

 (a) under a court order or a law of the Commonwealth or a State or Territory, the person must be supervised while spending time with the healthcare recipient; or

 (b) the life, health or safety of the healthcare recipient or another person would be put at risk if the person were the authorised representative of the healthcare recipient.

1CA  Subsection 6(2)

Omit “18”, substitute “14”.

1C  Subsection 6(2)

After “If there is no person who the System Operator is satisfied has parental responsibility for a healthcare recipient aged under 18,”, insert “or the only such persons are covered by subsection (1A),”.

1DA  Subsection 6(3)

Repeal the subsection, substitute:

Healthcare recipients aged between 14 and 17

 (3) For the purposes of this Act, a person is the authorised representative of a healthcare recipient aged between 14 and 17 years if the healthcare recipient, by written notice given to the System Operator in the approved form, nominates the person to be his or her authorised representative.

1D  At the end of subsection 7(2)

Add:

Note: Despite this subsection, a nominated representative must not use information for a prohibited purpose within the meaning of section 70A (even though a healthcare recipient may do so): see subsections 59A(2), 70B(2), 71A(4) and 71B(3).

1E  After section 15

Insert:

16  Research or public health purposes

  The System Operator’s function under paragraph 15(ma) does not include providing de-identified data to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer.

2  Section 17 (heading)

After “Retention”, insert “and destruction”.

3  Before subsection 17(1)

Insert:

Records

4  Before subsection 17(2)

Insert:

Retention of records

5  At the end of paragraph 17(2)(b)

Add:

 ; or
 (iii) if, under subsection (3), the record is required to be destroyed because of the cancellation of registration of the healthcare recipient—when the System Operator is required to destroy the record under subsection (4).

6  At the end of section 17

Add:

Destruction of records after cancellation on request

 (3) If the System Operator is required to cancel the registration of the healthcare recipient under subsection 51(1) (cancellation on request), the System Operator must destroy any record that includes health information that is included in the My Health Record of the healthcare recipient, other than the following information:

 (a) the name and healthcare identifier of the healthcare recipient;

 (b) the name and healthcare identifier of the person who requested the cancellation, if different from the healthcare recipient;

 (c) the day the cancellation decision takes effect under subsection 51(7).

 (4) The System Operator must comply with subsection (3):

 (a) as soon as practicable after the cancellation decision takes effect under subsection 51(7); or

 (b) if any of the following requirements apply before the records are destroyed under paragraph (a)—as soon as practicable after the conclusion of the matter to which the requirement relates:

 (i) a court order requires the System Operator not to destroy records of the healthcare recipient;

 (ii) the System Operator is required to disclose records of the healthcare recipient under section 69 or 69A;

 (iii) the System Operator is required to disclose records of the healthcare recipient under a law covered by subsection 65(3).

 (5) To avoid doubt, if the System Operator is required under subsection (3) to destroy a record that includes health information, the System Operator must also destroy the following:

 (a) any copy of the record;

 (b) any previous version of the record;

 (c) any backup version of the record.

6A  Subsection 59(3) (penalty)

Repeal the penalty, substitute:

Penalty: Imprisonment for 5 years or 300 penalty units, or both.

6B  Subsection 59(4) (penalty)

Repeal the penalty, substitute:

Civil penalty: 1,500 penalty units.

6C  After section 59

Insert:

59A  Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose

 (1) A person must not use health information included in a healthcare recipient’s My Health Record for a prohibited purpose, if the person obtained the information by using or gaining access to the My Health Record system.

Note: For prohibited purpose, see section 70A.

Civil penalty: 1,500 penalty units.

 (2) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

6D  Subsection 60(3) (penalty)

Repeal the penalty, substitute:

Penalty: Imprisonment for 5 years or 300 penalty units, or both.

6E  Subsection 60(4) (penalty)

Repeal the penalty, substitute:

Civil penalty: 1,500 penalty units.

7  Section 63 (note)

After “69”, insert “, 69A”.

8  Subsection 65(1)

Omit “Commonwealth, State or Territory law”, substitute “a Commonwealth, State or Territory law covered by subsection (3)”.

9  At the end of subsection 65(1)

Add:

Note: No State or Territory laws are covered by subsection (3).

10  At the end of section 65

Add:

 (3) This subsection covers the following laws:

 (a) this Act;

 (b) the Auditor-General Act 1997;

 (c) the Ombudsman Act 1976;

 (d) a law of the Commonwealth to the extent that the law requires or authorises the collection, use or disclosure of information for the purposes of performing the Information Commissioner’s functions in relation to the My Health Record system.

11  Section 67 (note)

Omit “may be limited”, substitute “on request may be limited because of the retention and destruction requirements under section 17”.

12  After section 69

Insert:

69A  Disclosure to designated entity under order by judicial officer

Disclosure to designated entity under order by judicial officer

 (1) If an entity that is:

 (a) an agency, or a State or Territory authority, within the meaning of the Privacy Act 1988; and

 (b) not a court, tribunal or coroner;

(a designated entity) presents to the System Operator an order made under this section, the System Operator must comply with the order.

 (2) Except as mentioned in subsection (1) or in accordance with a law covered by subsection 65(3), a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient’s My Health Record to a designated entity.

 (3) This section does not authorise the System Operator to use or disclose healthcare recipient-only notes.

 (4) If the System Operator uses or discloses personal information under this section, it must make a written note of the use or disclosure.

Application for and making of order

 (5) A designated entity may apply to any of the following judicial officers:

 (a) a magistrate of a State or Territory;

 (b) a judge who is eligible under subsection 69B(2);

for an order under this section in relation to the disclosure, to the entity, of health information included in a healthcare recipient’s My Health Record.

 (6) The judicial officer may make the order if:

 (a) the designated entity satisfies the judicial officer, by information on oath or affirmation, that:

 (i) the designated entity has powers or duties of the kind mentioned in subsection (7); and

 (ii) if the designated entity has powers of the kind mentioned in paragraph (7)(a)—the designated entity has exercised or purported to exercise its power to require the System Operator to disclose information to which the order will relate; and

 (iii) in all the circumstances, the particular disclosure of the particular information to the designated entity is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity; and

 (iv) there is no effective means for the designated entity to obtain the particular information, other than an order under this section; and

 (b) the judicial officer is satisfied that, having regard to the matter mentioned in subparagraph (a)(iii) and the privacy of the healthcare recipient, the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient.

 (7) A designated entity has powers or duties of the kind mentioned in this subsection if:

 (a) the designated entity has power under a law of the Commonwealth or a State or Territory (other than a law covered by subsection 65(3)) to require persons to give information to the designated entity; or

 (b) officers of the designated entity are, in the ordinary course of their duties, authorised to execute warrants to enter premises and seize things found, including documents.

 (8) The judicial officer must not make the order unless the designated entity or some other person has given the judicial officer, either orally or by affidavit, such further information (if any) as the judicial officer requires concerning the grounds on which the order is being sought.

 (9) The order must:

 (a) identify the healthcare recipient; and

 (b) specify the particular information to be disclosed; and

 (c) authorise one or more officers of the designated entity (whether or not named in the order) to obtain the information from the System Operator and require the System Operator to disclose the information to the designated entity; and

 (d) specify the day (not more than 6 months after the making of the order) on which the order ceases to have effect; and

 (e) state the purpose for which the order is made.

69B  Judicial officers for orders under section 69A

Eligible judge of a court created by the Parliament

 (1) A judge of a court created by the Parliament may, by writing, consent to be nominated by the Attorney-General under subsection (2).

 (2) The Attorney-General may, by writing, nominate a judge of a court created by the Parliament in relation to whom a consent is in force under subsection (1) to be eligible for the purposes of paragraph 69A(5)(b).

 (3) A nomination under subsection (2) is not a legislative instrument.

Magistrates

 (4) A magistrate need not accept the functions conferred by section 69A.

 (5) The Governor-General may:

 (a) arrange with the Governor of a State for the performance, by all or any of the persons who from time to time hold office as magistrates of that State, of the functions of a magistrate conferred by section 69A; or

 (b) arrange with the Chief Minister of the Australian Capital Territory for the performance, by all or any of the persons who from time to time hold office as magistrates of the Australian Capital Territory, of the functions of a magistrate conferred by section 69A; or

 (c) arrange with the Administrator of the Northern Territory for the performance, by all or any of the persons who from time to time hold office as Judges of the Local Court of the Northern Territory, of the functions of a magistrate conferred by section 69A.

Judicial officers exercising powers in personal capacity

 (6) The functions conferred on a judicial officer by section 69A are conferred on the judicial officer:

 (a) in a personal capacity; and

 (b) not as a court or a member of a court.

 (7) A judicial officer performing a function conferred by section 69A has the same protection and immunity as if the judicial officer were performing the function:

 (a) as the court of which the judicial officer is a member; or

 (b) as a member of the court of which the judicial officer is a member.

13  Section 70 (heading)

Omit “for law enforcement purposes, etc.”, substitute “in relation to unlawful activity”.

14  Subsections 70(1) and (2)

Repeal the subsections.

15  Subsection 70(3)

After “to use or”, insert “(subject to subsection (3A))”.

16  After subsection 70(3)

Insert:

 (3A) The System Operator is authorised to disclose under subsection (3) only the information the relevant person or authority mentioned in paragraph (3)(b) needs to identify the matter or concerns mentioned in that paragraph with sufficient certainty to:

 (a) initiate consideration of the matter or concerns; and

 (b) if necessary, apply for an order under section 69A in relation to the matter or concerns.

16A  At the end of Division 2 of Part 4

Add:

Subdivision C—Unauthorised use of information included in a healthcare recipient’s My Health Record for prohibited purpose

70A  Definition of prohibited purpose

 (1) Information included in a healthcare recipient’s My Health Record is used for a prohibited purpose if the person who uses the information does so for any one or more of the following purposes:

 (a) the purpose of:

 (i) underwriting a contract of insurance that covers the healthcare recipient; or

 (ii) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or

 (iii) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or

 (iv) an employer employing, or continuing or ceasing to employ, the healthcare recipient;

 (b) a purpose prescribed by the regulations.

 (2) If the person uses information for purposes that include, or for a purpose that includes, a purpose mentioned in subsection (1), the person is taken to be using the information for a prohibited purpose.

 (3) To avoid doubt, use of information is not for a prohibited purpose if the use is solely for:

 (a) the purpose of providing healthcare to the healthcare recipient; or

 (b) purposes relating to the provision of indemnity cover for a healthcare provider.

 (5) References in paragraph (1)(a) to insurance do not include State insurance that does not extend beyond the limits of the State concerned.

 (6) For the purposes of this section, using information for a purpose includes requesting or requiring the information for that purpose.

70B  Use for prohibited purpose is unauthorised

 (1) Despite Subdivisions A and B, a person is not authorised under this Division to use health information included in a registered healthcare recipient’s My Health Record for a prohibited purpose.

 (2) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

16B  After Division 3 of Part 4

Insert:

Division 3A—Offences and penalties in relation to use of My Health Record-derived information for prohibited purpose

71AA  Definitions

  In this Division:

My Health Record of a healthcare recipient includes a My Health Record of the healthcare recipient that has been cancelled or suspended.

use information for a purpose includes request or require the information for that purpose.

71A  Offence for use of My Health Record-derived information for prohibited purpose

 (1) A person commits an offence if:

 (a) the person uses information; and

 (b) the person does so for a prohibited purpose, and the person knows or is reckless as to that fact; and

 (c) the information is health information; and

 (d) the information is or was included in a healthcare recipient’s My Health Record; and

 (e) the person is not the healthcare recipient.

Penalty: Imprisonment for 5 years or 300 penalty units, or both.

 (2) Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.

Note: A defendant bears an evidential burden in relation to the matter in subsection (2): see subsection 13.3(3) of the Criminal Code.

 (3) Strict liability applies to paragraphs (1)(d) and (e).

Note: For strict liability, see section 6.1 of the Criminal Code.

 (4) Despite paragraph (1)(e) and subsection 7(2), subsection (1) of this section applies to a person who is the nominated representative of the healthcare recipient.

71B  Civil penalty for use of My Health Record-derived information for prohibited purpose

 (1) A person must not use health information that is or was included in a healthcare recipient’s My Health Record for a prohibited purpose.

Civil penalty: 1,500 penalty units.

 (2) Subsection (1) does not apply if the information was not collected from, and is not derived from a disclosure that was made by, a person who obtained the information by using or gaining access to the My Health Record system. For this purpose, it does not matter whether or not any collection or disclosure of the information was authorised under this Act or any other law.

Note: A person bears an evidential burden in relation to the matter in subsection (2): see section 96 of the Regulatory Powers (Standard Provisions) Act 2014.

 (3) Subsection (1) does not apply if the person is the healthcare recipient, but does apply if the person is the nominated representative of the healthcare recipient (despite subsection 7(2)).

16C  Subsection 75(2) (penalty)

Repeal the penalty, substitute:

Civil penalty: 1,500 penalty units.

16D  Section 76 (penalty)

Repeal the penalty, substitute:

Civil penalty: 1,500 penalty units.

16E  Subsection 77(2A) (penalty)

Repeal the penalty, substitute:

Penalty: Imprisonment for 5 years or 300 penalty units, or both.

16F  Subsection 77(2B) (penalty)

Repeal the penalty, substitute:

Civil penalty: 1,500 penalty units.

16G  After subsection 97(2)

Insert:

 (2A) However, the System Operator is not required to give notice of the decision to a person if the System Operator is satisfied that doing so would put at risk the life, health or safety of a person.

16H  Paragraph 98(1)(b)

Omit “Medicare;”, substitute “Medicare.”.

16J  Paragraph 98(1)(c)

Repeal the paragraph.

16K  Subsection 105(3)

After “disclosure of” (wherever occurring), insert “de-identified data or”.

16L  After paragraph 105(3)(b)

Insert:

 (ba) in connection with insurance, other than State insurance that does not extend beyond the limits of the State concerned; or

16M  Subsection 105(4)

After “disclosure of”, insert “de-identified data or”.

17  Application of amendments

 (1) The amendments of section 17 of the My Health Records Act 2012 made by this Schedule apply in relation to a cancellation of registration of a healthcare recipient on request, whether the cancellation takes effect before or after the commencement of this Schedule.

 (2) However, the amendments do not apply in relation to a cancellation that took effect before the commencement of this Schedule if, after the cancellation took effect and before the commencement of this Schedule, the healthcare recipient applied for registration.

 (3) The amendments made by items 6C, 16A and 16B of this Schedule apply in relation to the use of information after this Schedule commences, regardless of whether the information was collected before or after that commencement.

My Health Records (National Application) Rules 2017

18  Paragraph 6(3)(b)

Repeal the paragraph, substitute:

 (b) the period is the period beginning on the day on which this Part commences and ending on 31 January 2019.


Schedule 2—Amendments commencing on Proclamation

My Health Records Act 2012

1  Section 5

Insert:

data custodian means the Australian Institute of Health and Welfare.

2  Paragraph 15(ma)

Repeal the paragraph, substitute:

 (ma) in accordance with the guidance and direction of the Board established under section 82, to prepare and provide de-identified data, and, with the consent of the healthcare recipient, health information, for research or public health purposes;

3  Section 16

After “de-identified data”, insert “or health information”.

4  Part 5 (heading)

After “Other”, insert “offences and”.

5  After section 77

Insert:

77A  Enforceable requirements in My Health Records Rules must not be contravened: offence

 (1) An entity commits an offence if:

 (a) the entity does an act or omits to do an act; and

 (b) the result is that the entity contravenes a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A) and the entity is reckless as to that result; and

 (c) the My Health Records Rules provide that the requirement is enforceable for the purposes of this paragraph; and

 (d) the entity is not the System Operator, the Data Governance Board established by section 82 or the data custodian.

Penalty: 100 penalty units.

 (2) Strict liability applies to paragraphs (1)(c) and (d).

Note: For strict liability, see section 6.1 of the Criminal Code.

6  Section 78 (at the end of the heading)

Add “: civil penalty”.

7  Section 78

Before “A person”, insert “(1)”.

8  At the end of section 78

Add:

 (2) An entity (other than the System Operator, the Data Governance Board established by section 82 or the data custodian) must not contravene a requirement imposed on the entity by My Health Records Rules made for the purposes of subsection 109(7A), if the My Health Records Rules provide that the requirement is enforceable for the purposes of this subsection.

Civil penalty: 100 penalty units.

9  After Part 6

Insert:

Part 7—Data Governance Board

Division 1—Establishment and functions

82  Data Governance Board

  The Data Governance Board is established by this section.

83  Functions of the Board

 (1) The functions of the Data Governance Board are:

 (a) to oversee the operation of the framework prescribed by My Health Records Rules made for the purposes of subsection 109(7A), including by:

 (i) assessing applications for the collection, use or disclosure of de-identified data and health information for research or public health purposes; and

 (ii) guiding and directing the System Operator in the performance of its function under paragraph 15(ma) (preparing and providing de-identified data and health information); and

 (iii) taking steps to ensure the ongoing protection of de-identified data and health information used by, or disclosed to, persons for research or public health purposes and that the data and information is being used and disclosed only for those purposes; and

 (b) any other functions conferred on the Board by this Act or the My Health Records Rules.

 (2) The Board does not have any functions, and must not perform any role, in relation to the day-to-day operation of the My Health Record system.

Division 2—Membership

84  Membership

  The Data Governance Board consists of the following members:

 (a) the Chair of the Data Governance Board;

 (b) the Deputy Chair of the Data Governance Board;

 (c) at least 7, and no more than 10, other members.

85  Appointment of members

 (1) Members are to be appointed by the Minister by written instrument, on a part-time basis.

 (2) The Minister must appoint one member to be the Chair and another member to be the Deputy Chair.

86  Qualifications and experience

 (1) The Minister must appoint the following as members:

 (a) a person who represents the System Operator;

 (b) a person who represents the data custodian;

 (c) a person who is an Aboriginal person or a Torres Strait Islander.

 (2) A person (including a person appointed in accordance with subsection (1)) is not eligible for appointment as a member of the Data Governance Board unless the person has skills or experience in, or knowledge of, one or more of the following fields:

 (a) population health and epidemiology;

 (b) medical or health research;

 (c) health services delivery;

 (d) technology;

 (e) data science;

 (f) data governance;

 (g) privacy;

 (h) consumer advocacy.

87  Acting appointments

 (1) The Minister may, by written instrument, appoint a person to act as the Chair:

 (a) during a vacancy in the office of Chair (whether or not an appointment has previously been made to the office); or

 (b) during any period, or during all periods, when the Chair:

 (i) is absent from duty or from Australia; or

 (ii) is, for any reason, unable to perform the duties of the office.

Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

 (2) The Minister may, by written instrument, appoint a person to act as the Deputy Chair:

 (a) during a vacancy in the office of Deputy Chair (whether or not an appointment has previously been made to the office); or

 (b) during any period, or during all periods, when the Deputy Chair:

 (i) is absent from duty or from Australia; or

 (ii) is, for any reason, unable to perform the duties of the office.

Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

88  Term of appointment and other terms and conditions

 (1) A member of the Data Governance Board holds office for the period specified in the instrument of appointment. The period must not exceed 5 years.

 (2) A member of the Data Governance Board holds office on the terms and conditions (if any) in relation to matters not covered by this Part that are determined by the Minister.

89  Remuneration

 (1) A member of the Data Governance Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the member is to be paid the remuneration that is prescribed by an instrument made under subsection (4).

 (2) A member is to be paid the allowances that are prescribed by an instrument made under subsection (4).

 (3) This section has effect subject to the Remuneration Tribunal Act 1973.

 (4) The Minister may, by legislative instrument, prescribe:

 (a) remuneration for the purposes of subsection (1); and

 (b) allowances for the purposes of subsection (2).

90  Resignation

 (1) A member of the Data Governance Board may resign the member’s appointment by giving the Minister a written resignation.

 (2) The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.

91  Termination of appointment

 (1) The Minister may terminate the appointment of a member of the Data Governance Board:

 (a) for misbehaviour; or

 (b) if the member is unable to perform the duties of the member’s office because of physical or mental incapacity.

 (2) The Minister may terminate the appointment of a member of the Data Governance Board if:

 (a) the member:

 (i) becomes bankrupt; or

 (ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

 (iii) compounds with the member’s creditors; or

 (iv) makes an assignment of the member’s remuneration for the benefit of the member’s creditors; or

 (b) the member is absent, except on leave of absence, from 3 consecutive meetings of the Board; or

 (c) the member engages in paid work (within the meaning of section 93) that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the member’s duties (see section 93); or

 (d) the member fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section.

92  Leave of absence

  The Minister may grant leave of absence to any member of the Data Governance Board on the terms and conditions that the Minister determines.

93  Other paid work

 (1) A member of the Data Governance Board must not engage in any paid work that, in the Minister’s opinion, conflicts or could conflict with the proper performance of the member’s duties.

 (2) In subsection (1):

paid work means work for financial gain or reward (whether as an employee, a self-employed person or otherwise).

Division 3—Meetings of the Data Governance Board

94  Convening meetings

 (1) The Data Governance Board must hold such meetings as are necessary for the efficient performance of its functions.

 (2) The Chair of the Data Governance Board:

 (a) may convene a meeting at any time; and

 (b) must convene a meeting within 30 days after receiving a written request to do so from another member of the Board.

95  Presiding at meetings

 (1) The Chair of the Data Governance Board must preside at all meetings at which the Chair is present.

 (2) If the Chair is not present at a meeting at which the Deputy Chair is present, the Deputy Chair must preside.

 (3) If neither the Chair nor the Deputy Chair is present at a meeting, the other members present must appoint one of themselves to preside.

96  Quorum

 (1) At a meeting of the Data Governance Board, a quorum is constituted by a majority of members of the Board.

 (2) However, if:

 (a) a member of the Board is required by rules made for the purposes of section 29 of the Public Governance, Performance and Accountability Act 2013 not to be present during the deliberations, or to take part in any decision, of the Board with respect to a particular matter; and

 (b) when the member leaves the meeting concerned there is no longer a quorum present;

the remaining members at the meeting constitute a quorum for the purpose of any deliberation or decision at that meeting with respect to that matter.

96A  Voting at meetings

 (1) A question arising at a meeting of the Data Governance Board is to be determined by a majority of the votes of the members of the Board present and voting.

 (2) The person presiding at a meeting of the Board has a deliberative vote and, if the votes are equal, a casting vote.

96B  Conduct of meetings

  The Data Governance Board may, subject to this Division, regulate proceedings at its meetings as it considers appropriate.

Note: Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.

96C  Minutes

  The Data Governance Board must keep minutes of its meetings.

96D  Decisions without meetings

 (1) The Data Governance Board is taken to have made a decision at a meeting if:

 (a) without meeting, a majority of the members of the Board entitled to vote on the proposed decision indicate agreement with the decision; and

 (b) that agreement is indicated in accordance with the method determined by the Board under subsection (2); and

 (c) all the members were informed of the proposed decision, or reasonable efforts were made to inform all the members of the proposed decision.

 (2) Subsection (1) applies only if the Board:

 (a) has determined that it may make decisions of that kind without meeting; and

 (b) has determined the method by which members are to indicate agreement with proposed decisions.

 (3) For the purposes of paragraph (1)(a), a member is not entitled to vote on a proposed decision if the member would not have been entitled to vote on that proposal if the matter had been considered at a meeting of the Board.

 (4) The Board must keep a record of decisions made in accordance with this section.

Note: Section 33B of the Acts Interpretation Act 1901 contains further information about the ways in which members of the Board may participate in meetings.

Division 4—Other matters relating to the Data Governance Board

96E  Relationship between System Operator and Data Governance Board in relation to data for research or public health purposes

 (1) In performing the function mentioned in paragraph 15(ma), the System Operator must comply with a direction from, and follow the guidance of, the Data Governance Board.

 (2) If rules made for the purposes of subsection 109(7A) require the Data Governance Board to take steps to ensure that de-identified data and health information disclosed to persons for research or public health purposes is being used only for those purposes, the System Operator must not take any steps of its own to ensure that the data and information is being used only for those purposes.

 (3) Subsection (2) does not imply that the System Operator has a duty to take steps in relation to use of data and information at a time when there are no rules of the kind mentioned in subsection (2).

96F  Board committees

 (1) The Data Governance Board may establish a committee or committees to assist in carrying out the functions of the Board.

 (2) The Board may dissolve a committee at any time.

 (3) The functions of a committee are as determined by the Board.

 (4) In performing its functions, a committee must comply with any directions given to the committee by the Board.

 (5) A question arising at a meeting of a committee is to be determined by a majority of the votes of committee members present.

 (6) A committee must inform the other members of the Board of its decisions.

 (7) A committee may regulate proceedings at its meetings as it considers appropriate.

 (8) A committee must ensure that minutes of its meetings are kept.

96G  Delegation of functions

 (1) If the Secretary of the Department consents to the Data Governance Board delegating functions to APS employees in the Department, the Board may delegate any or all of its functions to such an APS employee.

Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

 (2) If the chief executive officer (however described) of the data custodian consents to the Board delegating functions to members of the staff mentioned in subsection 19(1) of the Australian Institute of Health and Welfare Act 1987, the Board may delegate all or any of its functions to such a member of staff.

Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

 (3) In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Board.

 (4) The delegation continues in force despite a change in the membership of the Board.

 (5) The delegation may be varied or revoked by the Board (whether or not there has been a change in the membership of the Board).

96H  Annual report

 (1) As soon as practicable after the end of each financial year, the Data Governance Board must prepare and give a report to the Minister, for presentation to the Parliament, on the Board’s activities during the financial year.

Note: See also section 34C of the Acts Interpretation Act 1901, which contains extra rules about annual reports.

 (2) A report on the Department’s activities given under section 46 of the Public Governance, Performance and Accountability Act 2013 does not need to include a report on the activities of the Board.

96J  Board is part of the Department

  For the purposes of paragraph (a) of the definition of Department of State in section 8 of the Public Governance, Performance and Accountability Act 2013, the Data Governance Board is prescribed in relation to the Department.

10  Subsection 105(2)

After “System Operator”, insert “, Data Governance Board and data custodian”.

11  After paragraph 105(6)(a)

Insert:

 (aa) the Data Governance Board;

 (ab) the data custodian;

12  Subsection 109(7A)

Repeal the subsection, substitute:

My Health Records Rules may relate to research or public health purposes

 (7A) The My Health Records Rules may, in accordance with section 109A, prescribe a framework to guide the collection, use and disclosure of de-identified data and, with the consent of healthcare recipients, health information, for research or public health purposes.

13  Subsection 109(9)

Omit “the My Health Records Rules”, substitute “My Health Records Rules made for purposes other than subsection (7A)”.

14  After section 109

Insert:

109A  My Health Records Rules relating to data for research or public health purposes

Examples of what the rules may do

 (1) Without limiting subsection 109(7A), My Health Records Rules made for the purposes of that subsection (the rules) may do any or all of the following:

 (a) impose requirements on the System Operator, the Data Governance Board established by section 82, the data custodian and other entities, including procedures that must be followed, in relation to preparing, providing, collecting, accessing, using and disclosing health information and de-identified data;

 (b) provide that any or all such requirements are enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2);

 (c) make provision in relation to the performance of the Board’s functions set out in paragraph 83(1)(a);

 (d) authorise the Board to make written policies and guidelines to be followed by other entities for the purposes of giving effect to the prescribed framework.

Functions of data custodian

 (2) The data custodian has the following functions, and the rules may make provision in relation to the performance of those functions:

 (a) under the direction of the Data Governance Board and in accordance with this Act—helping to implement the prescribed framework by:

 (i) receiving de-identified data and health information from the My Health Record system; and

 (ii) as necessary—de-identifying health information; and

 (iii) as necessary—providing data linkage services (within the meaning of the rules); and

 (iv) preparing and providing de-identified data and health information to users of data and information whose use has been approved by the Data Governance Board; and

 (v) ensuring that users of de-identified data and health information are subject to conditions of use;

 (b) any other functions conferred on the data custodian by this Act or the rules.

Limits on rules

 (3) The rules:

 (a) must not allow the health information of a healthcare recipient to be collected, used or disclosed otherwise than with the consent of the healthcare recipient; and

 (b) must not allow de-identified data or health information to be provided to a private health insurer (within the meaning of the Private Health Insurance Act 2007) or any other insurer (with or without the consent of the healthcare recipient); and

 (c) must not provide that any of the following is enforceable for the purposes of paragraph 77A(1)(c) or subsection 78(2):

 (i) a provision of a policy, guideline or other instrument made under the rules;

 (ii) a provision of the rules that requires an entity to comply with such a policy, guideline or instrument.

Constitutional limits on rules

 (4) If the rules make provision for the disclosure of de-identified data or health information obtained by using or gaining access to the My Health Record system, the rules must have the effect that the data or information is to be disclosed only:

 (a) by means of a postal, telegraphic, telephonic or other like service; or

 (b) by or to a corporation to which paragraph 51(xx) of the Constitution applies; or

 (c) by or to a person within a Territory or a place acquired by the Commonwealth for a public purpose; or

 (d) by or to the Commonwealth or an authority of the Commonwealth.

 (5) The rules may make other provision in relation to de-identified data or health information only:

 (a) to ensure that collection, use and disclosure of data or information does not result in an interference with privacy of the kind the Commonwealth has international obligations to protect against, including under the International Covenant on Civil and Political Rights (in particular Article 17 of the Covenant); or

Note: The text of the Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2018, a text of a Covenant in the Australian Treaties Series was accessible through the Australian Treaties Library on the AustLII website (http://www.austlii.edu.au).

 (b) for purposes related to collecting, preparing, analysing or publishing statistics; or

 (c) by providing for data or information to be collected from or by, used by or disclosed by or to, any of the following:

 (i) a corporation to which paragraph 51(xx) of the Constitution applies;

 (ii) a person within a Territory or a place acquired by the Commonwealth for a public purpose;

 (iii) the Commonwealth or an authority of the Commonwealth.

[Minister’s second reading speech made in—

House of Representatives on 22 August 2018

Senate on 19 September 2018]

(173/18)