"With the move to opt-out, there has been heightened community awareness of the My Health Record system and the personal information that’s included.
"I acknowledge that there have been a number of issues that have been raised by the community and I have been in discussions with the Minister for Health [Greg Hunt] ... [and] the Australian Digital Health [Agency] in terms of those issues."
"Australians rightly are asking questions around the security and privacy." - Australia's Acting Privacy Commissioner Angelene Falk
The commissioner added that it was her "expectation that" security requirements for the My Health Record System would "continue to be reviewed and enhanced, as they should be".
Asked whether the Turnbull government had struck the right privacy and security balance with My Health Record, Ms Falk said: "I think what the debate has done is bring that balance to the forefront and we know that Australians — certainly at the moment — have a very heightened awareness of how their personal information and data is being handled."
Ms Falk said she supported Prime Minister Malcolm Turnbull's comments from Friday, in which he told ABC's AM radio program "we are obviously going to do everything we can to reassure concerns".
"I have welcomed the comments by the Prime Minister that these matters are getting serious concern by government and I am in active discussions in relation to the matter," Ms Falk said.
Ms Falk's comments came as a new report from her office, the Office of the Australian Information Commissioner (OAIC), revealed that the private healthcare sector had the highest number of reportable data breaches, with 25 per cent of all reported breaches involving health information.
The OAIC received 242 notifications under the Notifiable Data Breaches (NDB) scheme in the period April 1 until June 30, according to the second quarterly statistical report, released on Tuesday. Since the scheme started on February 22, the OAIC has received 305 notifications in total.
The private healthcare industry was the top sector for reporting data breaches under the NDB scheme, with 49 notifications in the quarter, followed by the finance sector with 36 notifications. The OAIC said the healthcare notifications did "not relate to the My Health Records system".
The report said the main causes of data breaches were malicious or criminal attacks (142 notifications or 59 per cent), followed by human error (88 notifications or 36 per cent). The majority of malicious or criminal breaches reported were the result of compromised credentials, and the most common human error was sending emails containing personal information to the wrong recipient.
But Anna Johnston, director of privacy consultancy Salinger Privacy and a former NSW deputy privacy commissioner, said the report did not paint a full picture of the Australian data breach landscape, as public state-based hospitals and state-based law-enforcement agencies are not covered by the NDB scheme as they are exempt from the federal Privacy Act.
"That the healthcare sector is the number one sector reporting data breaches that are likely to result in serious harm is bad enough, but when you consider that this is only half of the story, then the state of data protection compliance is presumably a lot worse in the healthcare sector than this report suggests," Ms Johnston said.
To get a true picture of the state of data protection compliance across Australia, Johnston said Australia "would need either harmonised privacy laws, or at least a harmonised breach reporting scheme".
This was a point the commissioner acknowledged.
"[The report] paints an accurate picture of the organisations who have an obligation under law to report [a breach] to the OAIC," Ms Falk said.
But not a picture of the entire nation? Fairfax asked.
"That’s right," Ms Falk said.
Name and shame
Another criticism of the Notifiable Data Breaches scheme by privacy advocates is that the OAIC has chosen not to name companies who report breaches to it. Former Privacy Commissioner Timothy Pilgrim told Fairfax Media in February that he had deliberately decided not to "name and shame".
"For the first 12 months, we will be providing statistical information on the number of breaches," he said at the time. "We won't be publishing every breach at this stage."
But Ms Falk said this could change after a review is held next year.
"I certainly haven’t ruled it out and I have said that we will review that as time goes by," Ms Falk said, adding that she wanted to ensure Australia was in step with international laws "because ... publication in [one] country for a global entity is going to be publication to the world at large".
"I ... will be looking to see the developments that are happening in the EU and the timing of when, and if, the EU decides to publish names of their data breach reporting scheme," Ms Falk said.
"I want to be satisfied that our scheme has had an opportunity to develop and for the maturity of organisations to develop."
Johnston said it was still too early to assess the effectiveness of the mandatory data breach reporting scheme in terms of whether a name and shame approach should be taken up.
"I suspect that many organisations are still not aware of their reporting obligations, and so these figures will likely rise over time," Johnston said of the number of reported breaches.
"Even small businesses need to be aware that they can be caught by this new reporting scheme, and they should have a data breach response plan in place, as well as strategies to reduce the risk of data breaches, including regular privacy training for all staff," she said.
Australians who want to opt out of My Health Record can do so using their Medicare details and personal identification through the My Health Record website, the help line on 1800 723 471, or printed forms available at post offices.