1 March 2019
Our File Reference: 190218
Mr Justin Warren
xxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxxxx.xxx.xx
Dear Mr Warren,
Your Freedom of Information Request No: FOI 190218
Notice of Decision
The purpose of this letter is to give you a decision about access to documents that you requested under the
Freedom of Information Act 1982 (the FOI Act).
Summary
I, Bettina McMahon, am an officer authorised under section 23(1) of the FOI Act to make decisions in
relation to FOI requests and this letter sets out the decision on your request for access.
On 18 February 2019 you requested access to documents held by the Australian Digital Health Agency (the
Agency) under the FOI Act relating to technical explanations of how the Agency will delete My Health
Records.
In your FOI request you sought access to:
“As at 1 Feb 2018, the technical explanation of how the My Health Record system ensures that when
a person cancels their My Health Record that any record that includes health information that is
included in the My Health Record of the person is destroyed, including any backups, copies, or
previous versions.”
Documents identified
The Agency has identified one document that falls within the scope of your request. I have decided to
exempt this document from release. The decision is set out in ful at Attachment A: Schedule of Documents.
Material taken into account
In making my decision, I had regard to:
• the terms of your application;
• the content of the documents to which you sought access;
• relevant publicly available information;
• relevant provisions of the FOI Act (specifically s.47E); and
• the guidelines published by the Office of the Australian Information Commissioner (OAIC) under
section 93A of the FOI Act (the Guidelines).
Australian Digital Health Agency ABN 84 425 496 912, Level 25, 175 Liverpool Street, Sydney, NSW 2000
Pho
ne +61 2 8298 2600 Facsimile +61 2 8298 2666
www.digitalhealth.gov.au OFFICIAL
Decision
The schedule indicates the document to which access is refused. My reasons for refusing access are given
below.
Exemptions
Conditional exemptions
Documents to which section 47E applies
I have decided that document 1 contains material that is fully exempt from disclosure under section 47E of
the FOI Act as set out in the attached schedule.
Sub section 47E(d) of the FOI Act concerns documents that may affect certain operations of agencies and it
provides:
A document is conditional y exempt if its disclosure under this Act would, or could reasonably be
expected to, do any of the fol owing:
….
(d) have a substantial adverse effect on the proper and efficient conduct of the operations of
an agency.
I note that paragraph 6.123 of the OAIC Guidelines state that any predicted substantial adverse effect must
‘bear on the agency’s proper and efficient operations, that is the agency is undertaking its expected
activities in an expected manner’.
I have found that the Agency’s operations would be substantial y affected if the information in the above
document was disclosed. The information regarding the technical operation system for the deletion
processes contained in this document is such that, if it were released, the Agency’s My Health Record
(MHR) and ICT systems would be vulnerable to potential exploitation and other cyber security risks.
To divulge that level of technical information, would compromise the security and integrity of the MHR
system. It would undermine the Agency’s ICT systems control, operations and processes for the
management of the MHR and potentially weaken the Agency’s ICT capability into the future. Authors of
operational information may limit the detail included in this material to reveal less about the system and
the way it operates in case the information is made publicly available.
I am satisfied that the document identified above attracts the subsection 47E(d) exemption because the
Agency’s operations would be compromised.
After determining that the documents are conditional y exempt in accordance with subsection 47E(d), I am
required to consider the Public Interest test (section 11A(5)).
Public interest considerations
Disclosure of the deliberative material would facilitate the objects of the FOI Act, by providing the applicant
with access to information held by the Commonwealth Government (the Government) and increasing
scrutiny of the Government’s activities. However, I consider that release of this information could
reasonably obstruct the future development of ICT operational systems from being honestly expressed and
recorded. It is also of equal importance that a level of integrity and confidence is maintained for the
continued free flow of ideas and that operational platforms are protected. It is important that officers are
able to give ful and uncensored consideration to opinions, advice and outcomes when engaging in
operational functionalities. The ability and willingness of officers to thoroughly consider all options would
2
be adversely affected if the document could then be disclosed to the public for debate and comment
outside of official operational processes.
Therefore, it is reasonably foreseeable that allowing public access to documents concerning the operations
of the Agency would undermine the functioning of the Agency, its ICT systems and its conduct in
discharging Commonwealth business.
I consider that, on balance, the public interest factors against disclosure outweigh the factors for disclosure
of the exempt material contained in the documents. Therefore, I have decided that it would be contrary to
the public interest to release the information considered exempt under section 47E(d) of the FOI Act.
In accordance with section 11B(4) of the FOI Act, I have not taken any irrelevant factors into account when
making my decision.
Additional information
In relation to your request, there is legislation and publicly available information that explains the
technical dimensions of the record destruction of MHRs.
A MHR that was cancelled in the past (and archived) will be permanently deleted. If you cancel a
record at any time it will be permanently deleted. See:
https://www.myhealthrecord.gov.au/about/legislation-and-governance/summary-privacy-
protections] The Australian Parliament passed the
My Health Records Amendment (Strengthening Privacy) Act
2018 on the 26 November 2018. See:
https://www.aph.gov.au/Parliamentary_Business/Bills_LEGislation/Bills_Search_Results/Result?bId=r6169
As at 1 February 2018 consumer’s cancelling records were archived in the MHR System. The MHR website
holds information on permanently deleting your record, permanent deletion of a cancelled My Health
Record, recent changes now allow permanent deletion of a MHR and previously cancel ed records. Please
s
ee https://www.myhealthrecord.gov.au/for-you-your-family/howtos/cancel-your-record. Please note: Any MHR that has previously been cancel ed wil also be permanently deleted from the
system.
The process to permanently delete these records started on 23 January 2019 and is expected to take up to
90 days. There is no archived or back up of these deletions and that information will not be able to be
recovered.
Your review rights
If you are dissatisfied with my decision, you may apply for an internal review or an OAIC review of the
decision. We encourage you to seek internal review as a first step as it may provide a more rapid resolution
of your concerns.
Internal review
Under section 54 of the FOI Act, you may apply in writing to the Agency for an internal review of my
decision.
The internal review application must be made within 30 days of the date of this letter, and be lodged in one
of the following ways:
Email:
xxx@xxxxxxxxxxxxx.xxx.xx
Post: Freedom of Information
3
Scarborough House
Level 7, 1 Atlantic Street
Woden ACT 2606 Australia
Where possible please attach reasons why you believe the review of the decision is necessary. The internal
review will be carried out by another officer within 30 days.
Information Commissioner review
Under section 54L of the FOI Act, you may apply to the OAIC to review my decision. An application for
review by the OAIC must be made in writing within 60 days of the date of this letter, and be lodged in one
of the following ways:
Online:
OAIC FOI Review
Phone: 1300 363 992
Email:
xxxxxxxxx@xxxx.xxx.xx
Post: GPO Box 5218 Sydney NSW 2001
In person: Level 3, 175 Pitt Street Sydney NSW 2000
Contact officer
If you would like to ask any questions, the contact officer for your request is Cecilia who can be telephoned
on (02) 6223 0780 or email at
xxx@xxxxxxxxxxxxx.xxx.xx. Yours sincerely
Bettina McMahon
Authorised Decision-Maker
Attachments
Attachment A: Schedule of documents
4
Attachment A: Schedule of documents – Freedom of Information Request no: FOI 190218
Document
No
Date
Pages
Nos
Author
Addressee
Description of Document
Decision on access
Exemption
Australian
September
Accenture
Digital Health
1
176
Australia Pty Ltd
Design specification manual
Exempt in ful
s.47E(d)
2018
Agency
(the Agency)
Australian Digital Health Agency ABN 84 425 496 912, Level 25, 175 Liverpool Street, Sydney, NSW 2000
Pho
ne +61 2 8298 2600 Facsimile +61 2 8298 2666
www.digitalhealth.gov.au OFFICIAL