Commonwealth Numbered Regulations - Explanatory Statements

[Index] [Search] [Download] [Related Items] [Help]

PRIVACY AMENDMENT (SOUTH AUSTRALIA MY HEALTH RECORDS ACCESS) REGULATIONS 2021 (F2021L01760)

Privacy ameNdment (south australia my health records access) Regulations 2021

EXPLANATORY STATEMENT

Issued by authority of the Attorney-General

in compliance with section 15J of the Legislation Act 2003

Purpose and operation of the Instrument

The purpose of the Privacy Amendment (South Australia My Health Records Access) Regulations 2021 (the new Regulations) is to amend the Privacy Regulation 2013 (the Principal Regulation) to prescribe the Department of the Premier and Cabinet of South Australia (as an authority of South Australia) as an organisation under section 6F of the Privacy Act 1988 (the Act).

The Act regulates the handling of personal information about individuals. The Act contains 13 Australian Privacy Principles (APPs) which regulate the collection, use, disclosure and storage of individuals' personal information. The APPs apply to Commonwealth government agencies, private sector organisations with an annual turnover of over $3 million, and certain smaller organisations.

Subsection 100(1) of the Act provides that the Governor-General may make regulations, not inconsistent with the Act, prescribing matters required or permitted by the Act to be prescribed, or necessary or convenient to be prescribed, for carrying out or giving effect to the Act.

Section 6F of the Act allows State or Territory governments to request the Commonwealth to make regulations to prescribe a State or Territory government authority or instrumentality as an organisation for the purposes of the Act. It also allows for a prescription to modify the application of the Act to a State or Territory authority or instrumentality. The Principal Regulation contains State and Territory entities that have been prescribed as organisations under section 6F.

The new Regulations will apply the Act to the Department of the Premier and Cabinet of South Australia to the extent that their acts and practices are in relation to the access and subsequent handling of information from the My Health Record system for the purposes of managing risks arising from the coronavirus known as COVID-19.

In order to handle information in the My Health Record system (and become registered as a 'portal operator' under paragraph 48(d) of the My Health Records Act 2012), a State authority must be bound by a 'designated privacy law' or be prescribed under section 6F of the Act. As South Australia does not have standalone privacy law that could be designated, the Premier of South Australia requested that Department of the Premier and Cabinet of South Australia be prescribed under section 6F of the Act.

The new Regulations enable the Department of the Premier and Cabinet of South Australia to be registered as a portal operator under paragraph 48(d) of the My Health Records Act 2012 and operate a My Health Record portal which will allow individuals to consent to the disclosure of their My Health Record data for the purposes of managing risks from the coronavirus known as COVID-19 (for example, for the purposes of facilitating home quarantine for individuals who have been directed to quarantine and processing cross-border travel exemptions for domestic arrivals).

Documents incorporated by reference

The new Regulations do not incorporate any documents by reference.

Consultation

Paragraph 6F(3)(a) of the Act provides that before the Governor-General can make regulations prescribing a State authority, the Minister must be satisfied that the relevant State authority has requested to be prescribed for the purposes set out in the regulation. The Attorney-General, Senator the Hon Michaelia Cash, received a letter from the Premier of South Australia, the Hon Steven Marshall MP, requesting the prescription on 22 October 2021.

Paragraph 6F(3)(b) of the Act provides that before the Governor-General can prescribe a State authority as an organisation under the Act, the Attorney-General must consult the Australian Information Commissioner about the desirability of regulating under the Act the collection, holding, use, correction and disclosure of personal information by the State authority. This requirement has been satisfied and the Australian Information Commissioner did not raise any concerns about the new Regulations.

Consistent with section 17 of the Legislation Act 2003, the Office of the Australian Information Commissioner, the Department of the Premier and Cabinet of South Australia, the Department of Health and the Australian Digital Health Agency were consulted on the text of the new Regulations.

Regulation Impact Statement

The Office of Best Practice Regulation (OBPR) was consulted and advised that a Regulation Impact Statement is not required. OBPR advised that the new Regulations are unlikely to have a regulatory impact on business, individuals or community organisations. The OBPR reference is ID OBPR21-01055.

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Disallowable Legislative Instrument

The Disallowable Legislative Instrument amends the Privacy Regulation 2013 to prescribe the Department of the Premier and Cabinet of South Australia (an authority of South Australia) as an organisation under section 6F of the Act. The Act would apply to the Department of the Premier and Cabinet of South Australia to an act done, or a practice engaged in, in relation to the access and subsequent handling of information from the My Health Records system for the purposes of managing risks from the coronavirus known as COVID-19.

South Australia does not have its own privacy legislation. Without this prescription, the Department of the Premier and Cabinet of South Australia are unable to be registered as a My Health Record portal operator under paragraph 48(d) of the My Health Records Act 2012.

The new Regulations require the Department of the Premier and Cabinet of South Australia to comply with the obligations under the Act, including the Australian Privacy Principles. Prescription of the Department of the Premier and Cabinet of South Australia also provides a mechanism for the Office of the Australian Information Commissioner to investigate privacy incidents in relation to the access and subsequent handling of information from the My Health Record system by the Department of the Premier and Cabinet of South Australia to for the purposes of managing risks arising from the coronavirus known as COVID-19.  

Human Rights Implications

The new Regulations engage Article 17 of the International Covenant on Civil and Political Rights, which provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks.

The new Regulations protect against arbitrary interference with privacy by prescribing the Department of the Premier and Cabinet of South Australia as an organisation for the purposes of the Act. The new Regulations require the Department of the Premier and Cabinet of South Australia to handle information from the My Health Record system in accordance with the Act and Australian Privacy Principles, and to provide affected individuals with legally enforceable complaint rights.

Conclusion

This Disallowable Legislative Instrument engages the protection against arbitrary interference with privacy. It is compatible with human rights because it promotes the protection of the right to privacy.

Attachment A

NOTES ON SECTIONS

Section 1 - Name of Regulations

This section provides that the title of the new Regulations is the Privacy Amendment (South Australia My Health Records Access) Regulations 2021.

Section 2 - Commencement

The section provides that the new Regulations commence on the day after the instrument is registered on the Federal Register of Legislation.

Section 3 - Authority

This section provides that the Privacy Amendment (South Australia My Health Records Access) Regulations 2021 are made under the Privacy Act 1988.

Section 4 - Schedules

This section provides that each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

SCHEDULE 1 - Amendments

Item [1] - at the end of section 8

Section 8 of the Principal Regulation sets out the current State authorities that have been prescribed under subsection 6F(1) of the Act.

This item inserts a new subsection (5) under the South Australia heading. Paragraph 8(5)(a) provides that for the purposes of subsection 6F(1) of the Act, the Department of the Premier and Cabinet of South Australia is prescribed. Paragraph 8(5)(b) provides that the prescription would be limited by the modification in proposed subsection 8(6). The effect of new paragraph 8(5)(b) is that the application of the Act to the Department of the Premier and Cabinet of South Australia is limited to the specific acts and practices outlined in new subsection 8(6).

Subsection 8(6) modifies the application of the Act in relation to the Department of the Premier and Cabinet of South Australia so that its prescription is limited to acts or practices in relation to the access and subsequent handling of information from the My Health Record system (within the meaning of the My Health Records Act 2012) for the purposes of managing risks arising from the coronavirus known as COVID-19. This modification does not include an exempt act or exempt practice under section 7B and 7C of the Act.