As part of its role in providing primary oversight of the My Health Record system, the Office of the Australian Information Commissioner (OAIC) has informed the College that it intends to commence assessment of General Practices, starting this month.

The OAIC will conduct two separate but related privacy assessments: 

  1. An initial survey of a large sample of GP clinics across Australia, assessing their compliance with the requirement to have a written access security policy under Rule 42(1) of the My Health Records Rule 2016. The OAIC considers an access security policy to be a reasonable step towards complying with Australian Privacy Principles (APPs) 1.2 and 11.1 in Schedule 1 to the Privacy Act, and
  2. A subsequent qualitative assessment of a smaller sample of GP clinics across Australia, assessing their access security policies against the substantive requirements of Rule 42 and APPs 1.2 and 11.1.

The OAIC has powers under the Privacy Act 1988 to conduct privacy assessments to provide an independent and systematic appraisal of how well an agency or organisation (or discrete part of an agency/organisation) complies with all or part of its privacy obligations.   

These requirements mean that GP clinics that access the MHR system must have practices, procedures and systems in place for protecting personal information, and must have a written access security policy in place. Further information about the requirements of Rule 42 and APPs 1.2 and 11.1 can be found in the OAIC's Rule 42 guidance and the APP Guidelines.

More information about the conduct of privacy assessments, and reports from previous assessments, are available on the OAIC privacy assessments page.

Should you have any questions or concerns, please email Andre Castaldi, Director, Assessments, OAIC at andre.castaldi@oaic.gov.au.