The Department of Health welcomes the Information Commissioner’s final report following his investigation into the department’s release of a sample of data from the Medicare Benefits Scheme (MBS) and Pharmaceutical Benefits Scheme (PBS).
This action was taken by the department with the intention of supporting medical research and policy development, and with the belief that the privacy of individuals had been protected.
The Commissioner has found the department:
- did not breach APP6 of the Privacy Act 1988 regarding the personal information of patients;
- was in breach of APP 6 of the Privacy Act in relation to the personal information of medical providers; and
- did not comply with APP 1 or APP 11 of the Privacy Act in the course of preparing the dataset for publication.
The Commissioner noted that any non-compliance was unintentional and that the department acted in good faith in the steps it took before release of the dataset to protect the information. The Commissioner also noted that once the department was alerted to the issue the steps it took were quick and comprehensive.
To ensure the department continued to comply with the Australian Privacy Principles as well as other requirements, it offered to the Commissioner an Enforceable Undertaking under section 33E of the Privacy Act. The Commissioner considered the Enforceable Undertaking was an appropriate regulatory outcome for his investigation, and this Undertaking is now in place.
It is important to note that the Department is not aware of any individual or provider having been identified through this release of data.