Privacy Perspectives: Review of Data-Matching Program Guidelines and National Health (Privacy) Rules, and privacy impacts of proposed legislation

By Katherine Armytage, Indi Prickett, Olivia Crisp, Tara Dhanushkoti & Gabriela Freeman

• 10 June 2021 • 7 min read

Following a busy and successful Privacy Awareness Week 2021, the Office of the Australian Information Commissioner (OAIC) is undertaking a number of interesting review and reform projects. In addition, the Australian Government has proposed legislation which may have privacy impacts for your entity. This latest update will give you more information about:

  • the review of the Data-Matching Program (Assistance and Tax) Guidelines 1994 (Data-Matching Program Guidelines);
  • the review and possible remaking of the National Health (Privacy) Rules 2018 (National Health Rules);
  • the privacy impacts of the proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (Critical Infrastructure Bill), which is currently before the House of Representatives; and
  • the Senate Committee’s review of the Data Availability and Transparency Bill 2020 (Cth) (DAT Bill).

Review of the Data-Matching Program Guidelines

Key takeaways:

  • The Data-Matching Program Guidelines regulate how the Australian Taxation Office (and other specified agencies) uses tax file numbers to compare personal information so it can detect incorrect payments.
  • The OAIC is currently conducting a review of the Data-Matching Program Guidelines, which are due to sunset on 1 October 2021 and are proposed to be remade as the Data-Matching Program (Assistance and Tax) Rules 2021 (Data-Matching Rules).
  • Accordingly, the OAIC has sought submissions from interested stakeholders to understand whether:
    • the draft Data-Matching Rules are clear, relevant and practical;
    • the draft Data-Matching Rules will help relevant agencies to understand their obligations under the Rules; and
    • there are any other measures that should be included to enhance the Data-Matching Rules.
  • Once made, the new Data-Matching Rules are likely to represent the best practice standard for Commonwealth agencies handling personal information data sets that have been received from multiple sources, including when undertaking data matching and data analytics activities.

Submissions for this consultation have closed, but please let us know if you would like us to send you further analysis as this reform progresses.

Review and possible remaking of the National Health Rules

Key takeaways:

  • The National Health Rules set out how Australian Government agencies may use, store, disclose and link Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) claims information.
  • The OAIC has the opportunity to revisit and remake the National Health Rules before they sunset on 1 April 2022. As such, the OAIC is currently conducting a review of the National Health Rules to ensure they remain ‘fit-for-purpose’.
  • The OAIC has sought submissions from interested stakeholders to understand a range of issues, including:
    • whether the Rules strike an appropriate balance between the protection of privacy and the use of claims information;
    • how the Rules could be updated to better accommodate current information technology and data practices, while still protecting individuals’ privacy;
    • whether additional privacy requirements should apply to MBS and PBS information (e.g. requirements over and above those set out in the Australian Privacy Principles);
    • how the Rules can be modernised, or made more effective, while remaining within the parameters of the primary legislation;
    • how the Rules could be amended to better align with Government policies regarding information use and disclosure, while still protecting individuals’ privacy;
    • whether the requirement to have MBS claims information stored separately from PBS claims information should be reconsidered;
    • whether there should be detailed technical standards for the MBS and PBS claims databases;
    • the appropriateness of the provisions regarding the creation, use and disclosure of Medicare personal identifier numbers;
    • whether the disclosure provisions strike the appropriate balance between enabling data sharing and protecting the privacy of individuals;
    • whether the data retention requirements are appropriate; and
    • whether the reporting arrangements are appropriate.
  • When these are published it will be interesting to see if they reflect any changes to community attitudes on Commonwealth agencies’ handling of health information since the National Health Rules were made in 2018 (noting the impact of COVID-19 and community awareness of privacy issues).

Submissions for this consultation have closed, but please let us know if you would like us to send you further analysis as this reform progresses.

Proposed changes to security legislation

Key takeaways:

  • The Critical Infrastructure Bill was introduced to expand the existing regulatory regime (Regime) for managing risks relating to critical infrastructure under the Security of Critical Infrastructure Act 2018 (Cth), by increasing the number of sectors classified as “critical infrastructure sectors”, introducing positive security obligations and enhanced cyber security obligations, and creating a “government assistance regime” to respond to cyber-attacks on critical infrastructure. The Critical Infrastructure Bill also envisages that information-sharing between regulatory agencies will be set out in the rules made under the relevant Act (if the Critical Infrastructure Bill successfully passes through Parliament).
  • The Department of Home Affairs is currently undertaking a staged consultation to consider and implement the changes to the Regime proposed by the Critical Infrastructure Bill (including to consider any potential privacy impacts).
  • The “government assistance regime” will provide the Australian Government with broad discretionary powers to protect assets during or following a significant cyber-attack. The Secretary of Home Affairs will have power to compel relevant entities to produce information that may assist with determining whether a power should be exercised (which may include personal information, including sensitive information, as defined in the Privacy Act 1988 (Cth) (Privacy Act)).
  • If the Critical Infrastructure Bill is passed and your agency handles personal information in connection with a critical infrastructure sector:
    • your agency may be required to disclose personal information, which may trigger an exception to the handling of personal information under various Australian Privacy Principles (APPs) (e.g. APP 6 permits use and disclosure of personal information if required or authorised by an Australian law); and
    • your agency may wish to review its privacy policy and collection notices, to ensure they reflect any potential additional uses or disclosures that will be permitted if the Critical Infrastructure Bill successfully passes through Parliament.

Please contact us if you would like us to send you further information about this reform, or if we can help you consider your agency’s privacy documents.

Senate Committee Releases Final Report on the Data Availability and Transparency Bill 2020

Key takeaways:

  • The Senate Finance and Public Administration Legislation Committee has concluded its inquiry into the Data Availability and Transparency Bill 2020 (DAT Bill), and its final report (Report) is available here.
  • The Committee made recommendations about the importance of:
    • enshrining significant matters, such as privacy safeguards for data sharing, in the DAT Bill, unless a sound justification for the use of delegated legislation is provided;
    • ongoing oversight by security agencies of data sharing agreements and potential security risks, and the need for continued engagement with the national security community in relation to the management of those risks;
    • in particular, identified national security risks for the Australian higher education and research sector being used to inform additional data codes and guidance material; and
    • additional guidance regarding privacy protections being introduced, particularly about de-identifying personal data (noting the OAIC indicated support for the principle that data custodians should not share personal information if the data sharing purpose can reasonably be met by sharing de-identified data).
  • Agencies should continue to carefully monitor the progress of the DAT Bill to see whether it, and/or its accompanying Explanatory Memorandum, are amended to reflect the Committee’s recommendations, and whether further guidance is provided by the Office of the National Data Commissioner.

Please contact us if you would like us to deliver a free seminar to your agency about the DAT Bill.

Looking for further information on the proposed reforms?

Contact our Privacy team
